Iran-Linked Hackers Used Fake Recruiter Lures to Spy On Engineers And Access Critical Systems: Report


Iran-linked hackers posed as job recruiters to target software engineers in the aviation, oil, and gas sectors, using fake job postings and malware-laced videoconferencing tools in an espionage campaign aimed at workers with access to critical systems, cybersecurity researchers said Friday.

The campaign targeted engineers connected to the aviation sector, a U.S. oil and gas company, and organizations in Israel and the United Arab Emirates, according to a report from researchers at Palo Alto Networks’ Unit 42.

The researchers said they did not believe the aviation or oil and gas companies identified in the operation were breached, but warned that stolen credentials and harvested information could be used to reach other targets.

The hackers allegedly impersonated recruiters and, in at least one case, an American airline advertising a “Senior Programmer” role. Unit 42 researchers said some of the language in the fake job listings appeared to have been generated with artificial intelligence, giving the operation a more polished corporate tone.

The scheme illustrates a growing pattern among state-linked hackers of targeting people rather than networks. By approaching software engineers with job lures, attackers can pursue credentials, internal tools, source code, or cloud systems without having to break directly through perimeter defenses.

“The most critical evolution in the group’s recent campaign uses a technique called AppDomainManager hijacking. This hijack method manipulates the initialization phase of .NET applications to proactively disable the application’s own security mechanisms via a legitimate configuration file. The disabled security in these apps left the targeted entities vulnerable to the deployed multi-functional RATs,” Unit 42 wrote.
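As an added illustration of the configuration surface the quoted passage refers to, and not code from Unit 42 or from the reporting above, the following Python check scans .NET application configuration files for the two `<runtime>` settings that designate a custom AppDomainManager and inspects the process environment for the equivalent variables. The element names (`appDomainManagerAssembly`, `appDomainManagerType`) and the environment variable names (`APPDOMAIN_MANAGER_ASM`, `APPDOMAIN_MANAGER_TYPE`) are real .NET Framework settings; the sample configuration files, assembly names and directory path are constructed for this example.

```python
"""Defensive check for AppDomainManager override settings in .NET configs.

Added example: not code from the Unit 42 report or the article. The element
and environment-variable names are real .NET Framework settings; every sample
value below is constructed for illustration.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# <runtime> child elements that point the CLR at a custom AppDomainManager.
SUSPECT_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# Process-level equivalents that override the AppDomainManager for any .NET app.
SUSPECT_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


@dataclass
class Finding:
    source: str   # file path or "environment"
    setting: str  # element or variable name
    value: str    # assembly / type name it points at


def scan_config_text(config_xml: str, source: str = "<string>") -> List[Finding]:
    """Return one Finding per AppDomainManager setting inside <runtime>."""
    findings: List[Finding] = []
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        # An unparseable config cannot carry the override; nothing to flag here.
        return findings
    # root.iter() includes root itself, so a bare <runtime> fragment also works.
    for runtime in root.iter("runtime"):
        for child in runtime:
            tag = child.tag.split("}")[-1]  # tolerate a namespace prefix
            if tag in SUSPECT_ELEMENTS:
                findings.append(Finding(source, tag, child.get("value", "")))
    return findings


def scan_config_dir(directory: Path) -> List[Finding]:
    """Scan every *.exe.config / *.dll.config below a directory."""
    findings: List[Finding] = []
    for pattern in ("*.exe.config", "*.dll.config"):
        for path in directory.rglob(pattern):
            findings.extend(scan_config_text(path.read_text(errors="replace"), str(path)))
    return findings


def scan_environment(env: Dict[str, str]) -> List[Finding]:
    """Flag the environment variables that force a custom AppDomainManager."""
    return [Finding("environment", name, env[name]) for name in SUSPECT_ENV_VARS if name in env]


def override_configured(findings: List[Finding]) -> bool:
    """True when both the assembly and the type are set for the same source:
    that is the complete configuration the CLR needs to load a manager."""
    by_source: Dict[str, set] = {}
    for f in findings:
        by_source.setdefault(f.source, set()).add(f.setting)
    return any(
        {"appDomainManagerAssembly", "appDomainManagerType"} <= settings
        or {"APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE"} <= settings
        for settings in by_source.values()
    )


# --- constructed samples -----------------------------------------------------
# Ordinary app.config with unrelated runtime settings (constructed).
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
  <runtime>
    <gcServer enabled="true" />
  </runtime>
</configuration>"""

# app.config that designates a custom AppDomainManager (constructed names).
OVERRIDE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleManager.Manager" />
  </runtime>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("override", OVERRIDE_CONFIG)):
        hits = scan_config_text(cfg, f"sample:{label}")
        print(label, "->", [(h.setting, h.value) for h in hits], "complete:", override_configured(hits))
    # Real use: point at an application directory (placeholder path) and the live environment.
    live = scan_config_dir(Path(r"C:\ExamplePath\App")) + scan_environment(dict(os.environ))
    print("live findings:", len(live), "complete override:", override_configured(live))
```

A custom AppDomainManager is a legitimate .NET feature, so a hit is a review item rather than a verdict: compare the named assembly against what the vendor ships, check whether it is signed and present next to the executable, and baseline known-good configs so that a config file that appears beside a trusted, signed binary with these two elements stands out.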

The campaign takes place against the backdrop of the war involving the United States, Israel, and Iran. U.S. officials have warned that Iranian cyber activity against critical infrastructure has escalated since the start of the conflict, including attempts against industrial systems and other sensitive networks.

Federal agencies have also warned about Iran-linked actors exploiting industrial control technology. In April, the Cybersecurity and Infrastructure Security Agency and partner agencies said Iranian-affiliated actors were targeting programmable logic controllers used in critical infrastructure environments.

Aviation and energy companies are especially attractive targets because they sit at the intersection of commerce, national security, and geopolitics. Even limited access to an engineer’s account could help hackers map internal systems, identify suppliers, or prepare future intrusions.

Jeffrey Troy, president and CEO of the Aviation Information Sharing and Analysis Center, told CNN the activity was not unexpected. “We expected attacks as a consequence of the war,” he said.

Unit 42 has tracked Iranian state-sponsored groups, including Boggy Serpens, which it describes as a cyberespionage actor aligned with Iran’s Ministry of Intelligence and Security. The company says such groups seek intelligence, operational disruption, and advantages tied to regional conflicts, especially involving Israel.


