Thursday, April 17, 2025

TA456 – Iranian Hackers Attack Defense Contractors with Malware To Exfiltrate Sensitive Data


Security researchers at Proofpoint have found that the Iranian hacking group TA456, also known as "Tortoiseshell" and "Imperial Kitten", has recently carried out several targeted malware attacks against defense contractors.

On Facebook, members of the group posed as an aerobics instructor to gain the trust of defense-contractor employees, then compromised their systems to exfiltrate sensitive data.

In this ongoing cyber-espionage campaign, the attackers mainly targeted employees of contractors working in the US aerospace and defense sector, especially those involved in operations in the Middle East.


In 2019 the group created Facebook and Instagram profiles for a "Marcella Flores" and used this fake persona to pose as an aerobics instructor.

Marcella Flores is a fictional persona used by the threat actors for their operations.

At this stage the threat actors took their time: they spent months building rapport with their targets by email and in private messages before attempting to deliver malware.

Malware and Campaign

Proofpoint's researchers have dubbed the malware "Lempo"; it is an updated version of "Liderc". Lempo is a VBS (Visual Basic Script) that is dropped by an Excel macro.

The script fingerprints the host in several ways using built-in Windows commands, and then exfiltrates the collected data using Microsoft's CDO (Collaboration Data Objects).

In addition, the threat actors behind the fake profile used the following to convince their victims that the persona was real:

  • Email
  • Private messages
  • Social Media Profiles
  • Photographs
  • Flirty personal messages

As part of the espionage operation, the attackers also used those email exchanges to send victims OneDrive links leading to a document containing a diet-related survey or to a video file, framed as part of their long-running correspondence.

Information and records collected by Lempo

  • Date and time
  • Computer name and usernames
  • System information via the WMIC os, sysaccount, environment, and computersystem commands
  • Antivirus products located in the "SecurityCenter2" path
  • Drives
  • Tasklist
  • Software and versions
  • Net users and user details
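The dropper chain described above (Excel macro → VBS → built-in Windows commands) and the collection list just given leave a recognisable trail in process-creation telemetry: an Office application spawning a script host, followed within minutes by WMIC queries for the os, sysaccount, environment and computersystem aliases, the SecurityCenter2 namespace, tasklist and net user. The following is an added detection example written for this article; it is not Proofpoint's or the malware's code. It assumes process-creation events exported as key=value lines with Sysmon-style field names (UtcTime, Computer, ParentImage, Image, CommandLine); the log lines themselves are constructed for illustration.

```python
"""Correlate Office->script-host launches with host-recon commands per host.
Added example; log format and sample events are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: WS-ENG-07 shows the dropper plus recon chain,
# WS-HR-02 shows only benign activity (a lone wmic query and a print helper).
SAMPLE_EVENTS = """\
UtcTime=2021-07-20 09:01:10 Computer=WS-ENG-07 ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE Image=C:\\Windows\\System32\\wscript.exe CommandLine="wscript.exe" "C:\\Users\\jdoe\\AppData\\Local\\Temp\\survey.vbs"
UtcTime=2021-07-20 09:01:12 Computer=WS-ENG-07 ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic os get /format:list
UtcTime=2021-07-20 09:01:13 Computer=WS-ENG-07 ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic computersystem get /format:list
UtcTime=2021-07-20 09:01:14 Computer=WS-ENG-07 ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName
UtcTime=2021-07-20 09:01:15 Computer=WS-ENG-07 ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Windows\\System32\\tasklist.exe CommandLine=tasklist
UtcTime=2021-07-20 10:15:00 Computer=WS-HR-02 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic os get caption
UtcTime=2021-07-20 10:20:00 Computer=WS-HR-02 ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE Image=C:\\Windows\\splwow64.exe CommandLine=splwow64.exe
"""

FIELDS = ("UtcTime", "Computer", "ParentImage", "Image", "CommandLine")
# Split only in front of a known key, so values containing spaces stay intact.
_SPLIT = re.compile(r"\s+(?=(?:%s)=)" % "|".join(FIELDS))

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# (indicator name, expected image basename, command-line pattern)
RECON_RULES = [
    ("wmic_os", "wmic.exe", re.compile(r"^wmic\s+os\b", re.I)),
    ("wmic_computersystem", "wmic.exe", re.compile(r"^wmic\s+computersystem\b", re.I)),
    ("wmic_sysaccount", "wmic.exe", re.compile(r"^wmic\s+sysaccount\b", re.I)),
    ("wmic_environment", "wmic.exe", re.compile(r"^wmic\s+environment\b", re.I)),
    ("wmic_securitycenter2", "wmic.exe", re.compile(r"securitycenter2", re.I)),
    ("tasklist", "tasklist.exe", re.compile(r"")),
    ("net_user", "net.exe", re.compile(r"^net1?\s+user\b", re.I)),
]


def parse_event(line):
    """Turn one key=value line into a dict with a parsed timestamp."""
    ev = {}
    for chunk in _SPLIT.split(line.strip()):
        key, _, val = chunk.partition("=")
        ev[key] = val
    ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return ev


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return ('dropper', None) for Office->script host, ('recon', name) for a
    matching recon command, or None for anything else."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        return ("dropper", None)
    for name, img, rx in RECON_RULES:
        if image == img and rx.search(ev["CommandLine"]):
            return ("recon", name)
    return None


def detect(log_text, window=timedelta(minutes=10), min_recon=2):
    """Per host: alert when a dropper chain is followed within `window` by at
    least `min_recon` distinct recon indicators. Recon seen on a host without a
    dropper is reported but does not alert, which keeps lone admin queries quiet."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            per_host[ev["Computer"]].append(ev)
    results = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e["UtcTime"])
        dropper_time, recon = None, []
        for ev in events:
            kind = classify(ev)
            if kind is None:
                continue
            if kind[0] == "dropper":
                dropper_time = dropper_time or ev["UtcTime"]
            elif kind[1] not in recon:
                if dropper_time is None or timedelta(0) <= ev["UtcTime"] - dropper_time <= window:
                    recon.append(kind[1])
        results[host] = {
            "dropper": dropper_time is not None,
            "recon": recon,
            "alert": dropper_time is not None and len(recon) >= min_recon,
        }
    return results


if __name__ == "__main__":
    for host, verdict in detect(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Requiring the dropper chain plus two distinct recon indicators, rather than alerting on any single WMIC call, is what keeps this usable on a fleet where administrators and inventory agents also run wmic; the window and threshold are tunable per environment.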

The malware also gives the attackers persistence on the victim's Windows computer, letting them search for and steal confidential data on the compromised system and so run sustained espionage campaigns.

The "Marcella Flores" profile has since been deactivated by the threat actors. According to the reports, the group targeted more than 200 military, defense and aerospace companies in the US, UK and Europe in this espionage campaign.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
