Tuesday, 02 January 2024 12:17 GMT

Homeland Justice Hijacks Omani MFA Mailbox In Global Spear-Phishing Blitz


(MENAFN- The Arabian Post)

Dream Security and other cybersecurity analysts have identified a widely distributed, Iran-linked spear-phishing campaign that exploited a compromised Ministry of Foreign Affairs mailbox in Paris. The operation impersonated legitimate Omani diplomatic communication to deliver malware-laden Word documents to government, diplomatic, and multilateral institutions across Europe, Africa, Asia, the Americas, and international organisations such as the UN and World Bank. The campaign's scale, timing, and technical sophistication reflect a clear espionage agenda.

The operation, attributed to the "Homeland Justice" group aligned with Iran's Ministry of Intelligence and Security, launched in August 2025 and utilised over 100 hijacked sender addresses. It relied on encoding malicious payloads within VBA macros embedded in authentic-looking attachments. Recipients were prompted to enable macros to view what appeared to be official diplomatic content, triggering execution of a reconnaissance malware dubbed sysProcUpdate.

The macros contained anti-analysis routines (nested delay loops and hidden execution flags) that wrote a disguised executable to a log file and executed it invisibly. Once launched, sysProcUpdate harvested system metadata and communicated with a command-and-control server via HTTPS, enabling stealthy reconnaissance.
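
A static triage sketch for the macro traits described above, added here as an illustration and not taken from the article or the analysts' reporting: it scores extracted VBA source for an auto-run entry point, nested do-nothing loops, a write to a `.log` file and a hidden-window launch. The regexes, the entry-point names and the constructed sample macro are assumptions of this example.

```python
import re

# Indicator patterns; the regexes and auto-run entry-point names are assumptions.
AUTOEXEC = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(?:AutoOpen|Document_Open)\b", re.I | re.M)
LOG_WRITE = re.compile(r'^\s*Open\s+.*\.log".*\bFor\s+(?:Binary|Output)\b', re.I | re.M)
HIDDEN_RUN = re.compile(r"\bShell\b[^\n]*,\s*(?:0|vbHide)\b|\.Run\s[^\n]*,\s*0\b", re.I)

def delay_loop_depth(src):
    """Height of the tallest nest of For loops that do no work (busy-wait)."""
    stack, tallest = [], 0                 # one [does_work, child_height] per open loop
    for line in src.splitlines():
        stmt = line.split("'")[0].strip()  # crude VBA comment strip
        if not stmt or stmt.lower() == "doevents":
            continue
        if re.match(r"For\s", stmt, re.I):
            stack.append([False, 0])
        elif re.match(r"Next\b", stmt, re.I) and stack:
            does_work, child = stack.pop()
            if not does_work:
                tallest = max(tallest, child + 1)
            if stack and does_work:
                stack[-1][0] = True        # real work inside makes the parent non-empty
            elif stack:
                stack[-1][1] = max(stack[-1][1], child + 1)
        elif stack:
            stack[-1][0] = True            # any other statement counts as work
    return tallest

def triage(src):
    # Returns the per-indicator hits and how many of the four fired.
    hits = {
        "auto_exec": bool(AUTOEXEC.search(src)),
        "nested_delay_loops": delay_loop_depth(src) >= 2,
        "writes_log_file": bool(LOG_WRITE.search(src)),
        "hidden_execution": bool(HIDDEN_RUN.search(src)),
    }
    return hits, sum(hits.values())

# Constructed sample (inert, no payload): only the shape the indicators key on.
SAMPLE = r"""Sub Document_Open()
    For i = 1 To 30000
        For j = 1 To 30000
        Next j
    Next i
    Open Environ("TEMP") & "\sample.log" For Binary As #1
    Shell Environ("TEMP") & "\sample.log", 0
End Sub"""
if __name__ == "__main__": print(triage(SAMPLE))
```

Any single indicator also appears in legitimate macros, so the count is a triage priority for analyst review, not a verdict.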

Routing through a NordVPN node in Jordan, the campaign masked its origin and enhanced deliverability by operating from a trusted Omani embassy address. That tactic, combined with precision-tailored lures referencing geopolitical topics such as "The Future of the region after the Iran-Israel war," increased the likelihood of recipient engagement.

Findings show that "Homeland Justice Hijacks Omani MFA Mailbox" was not an isolated incident, but part of a multi-wave operation spanning multiple continents and institutions. Victims ranged from ministries and embassies in Paris to international agencies in Africa and Europe. The campaign tapped into infostealer-driven access to deploy targeted espionage.


The operation exemplifies how compromised diplomatic infrastructure becomes a covert intelligence weapon when paired with old-school social engineering and advanced malware. "Homeland Justice hijacks Omani MFA mailbox" is a succinct restatement that captures the essence of the campaign's deceptive strategy.
