Middle East Conflict-Themed Cyber Campaigns

Published on: March 11, 2026

Overview:

Security researchers have observed an increase in cyber threats that use the ongoing Middle East geopolitical conflict as a lure to trick users. Threat actors are creating malicious files, fake news websites, phishing portals, and scam websites related to the conflict.

Researchers identified over 8,000 newly registered domains using conflict-related keywords, which may be used for phishing, malware distribution, scams, and misinformation campaigns. Some of the active campaigns deliver malware such as LOTUSLITE backdoor and StealC information-stealing malware.

These campaigns use social engineering techniques such as conflict-themed documents, fake government websites, fake donation pages, and malicious downloads to compromise victims.

Who Will Be Affected:

The campaign mainly targets:

  • Government organizations
  • Businesses and enterprises
  • Individuals searching for news related to the conflict
  • Users downloading files from unknown websites
  • Organizations in the Middle East and GCC region, though the attack techniques can affect users globally

Any user who opens malicious files, visits fake websites, or downloads files from untrusted sources may become a victim.

How It Affects:

Attackers use multiple techniques to infect systems and steal sensitive information. In some cases, victims are tricked into downloading malicious ZIP files that contain harmful LNK shortcut files. When the user opens these files, they download additional malware from attacker-controlled servers.
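As an added example (not code from the original advisory), the following Python scanner triages a ZIP archive for the shortcut-based lure chain described above: it flags entries that carry the .lnk extension, that hide it behind a document-looking double extension, or whose contents begin with the Windows Shell Link header regardless of their name. The archive it inspects is constructed inline for demonstration and is not a real lure.

```python
import io
import os
import zipfile

# Shell Link header: HeaderSize 0x0000004C followed by LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
# Document-like extensions often used as the visible half of a decoy name.
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")

def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive entry looks like a shortcut lure."""
    reasons = []
    stem, ext = os.path.splitext(name.lower())
    if ext == ".lnk":
        reasons.append("shortcut extension")
        # "Report.pdf.lnk" displays as "Report.pdf" when extensions are hidden.
        if stem.endswith(DECOY_EXTS):
            reasons.append("double extension decoy")
    if head.startswith(LNK_MAGIC):
        reasons.append("shortcut header")
        if ext != ".lnk":
            reasons.append("shortcut header under non-.lnk name")
    return reasons

def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name in the archive to its findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive for demonstration; not a real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Situation_Report.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("notes.txt", b"benign text")
        zf.writestr("update.dat", LNK_MAGIC + b"\x00" * 56)  # renamed shortcut
    return buf.getvalue()

print(scan_zip(build_sample_zip()))
```

The same header check applies to files already on disk, so the scanner can also be pointed at extracted download folders.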

Attackers may also use a technique called DLL sideloading, where legitimate software is used to load a malicious DLL file, resulting in the installation of the LOTUSLITE backdoor on the system. Additionally, threat actors create fake news websites related to the Middle East conflict that redirect users to download malware such as the StealC infostealer.

Some campaigns involve phishing websites, including fake government portals that attempt to steal user credentials. Attackers also operate online scams, such as fake donation pages or fraudulent online stores that request payments through cryptocurrency or payment applications. In other cases, websites promote fake meme coins as part of cryptocurrency pump-and-dump scams. If these attacks are successful, attackers may install malware on victim systems, steal sensitive information and credentials, maintain persistent access to compromised devices, and potentially launch further attacks within the affected network.

Indicators of Compromise (IOCs)


Recommendations:

  • Block all identified malicious domains, IP addresses, and URLs at the organizational level.
  • Add the published malware file hashes to endpoint security and EDR blocklists to prevent execution.
  • Check for suspicious behaviours such as DLL sideloading, malicious ZIP downloads, and unusual registry Run key modifications.
  • Implement Multi-Factor Authentication (MFA) for critical services and accounts.
  • Conduct security awareness training to educate employees about phishing emails and malicious downloads related to global news events.

Reference Link: