Iranian threat group targets aerospace workers with fake job lures

Submitted by Style Pass, 2024-11-13 23:30:02

An attack that’s been active since September 2023 called the “Iranian Dream Job Campaign” was discovered in which the Iranian threat actor TA455 — aka UNC1549 — has been targeting the aerospace industry by offering fake jobs.

In a Nov. 12 blog post, researchers from ClearSky Cyber Security said the campaign delivered the SnailResin malware, which activates the SlugResin backdoor. The ClearSky researchers attribute the malware programs to a subgroup of the Iranian group Charming Kitten, also known as APT35 by Mandiant.

What’s interesting in this case is that some researchers detected the malware files as belonging to the North Korean Kimsuky/Lazarus APT group.

“The similar ‘Dream Job’ lure, attack techniques, and malware files suggest that either Charming Kitten was impersonating Lazarus to hide its activities, or that North Korea shared attack methods and tools with Iran,” wrote the ClearSky researchers.

These industry-specific, job-themed social engineering attacks from TA455 demonstrate an AI-enabled evolution in attack precision, making it economical to target sectors like aerospace where specialized talent and valuable intellectual property converge, explained Stephen Kowski, Field CTO at SlashNext Email Security.
