Severity
High
Analysis Summary
A sophisticated intrusion targeting critical national infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group, ran from May 2023 to February 2025, with possible initial compromise as early as May 2021. The attackers gained entry with stolen VPN credentials and used that access to deploy multiple web shells and backdoors across the victim's network. These implants gave the adversaries persistence and let them move laterally, bypassing network segmentation with open-source proxying tools. That reach extended to sensitive systems, potentially including operational technology (OT) environments.
According to the researchers, the attackers deployed an evolving toolset throughout the intrusion, mixing publicly available tooling with custom-developed malware. Notable among the custom tools were the novel backdoors HanifNet, HXLibrary, and NeoExpressRAT, each providing command execution, file operations, and system discovery. New malware and infrastructure were introduced in phases, indicating a maturing operation in which the adversaries continually adjusted their tradecraft to keep and expand their foothold.
The threat actors showed remarkable persistence even after initial containment. They attempted to regain access by exploiting previously unknown vulnerabilities in the ZKTeco ZKBioTime software and by running phishing campaigns to steal administrator credentials. They also relied on the custom NeoExpressRAT backdoor to maintain access, evading detection with encrypted command-and-control channels and custom obfuscation routines. The malware blended in with legitimate Windows processes and stored its configuration and staged exfiltration data under system directories, complicating detection and analysis.
NeoExpressRAT, a Golang-based backdoor, was the most sophisticated tool observed in this campaign. It created a hidden directory structure within the Windows environment for its configuration and staged data, and it communicated with its command-and-control (C2) server over encrypted channels to frustrate network monitoring. Because its files sat under legitimate system directories, path- and signature-based controls struggled to flag it. The campaign illustrates the capability of state-backed groups targeting critical infrastructure and the need for detection that looks at behaviour rather than file location alone.
Impact
- Sensitive Information Theft
- Security Bypass
- Privilege Escalation
- Unauthorized Access
- Gain Access
Indicators of Compromise
Domain Name
- cluster.amazonaws.work
- apps.gist.githubapp.net
- encoremir.com
IP
- 45.147.230.159
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Immediately revoke compromised VPN credentials and enforce password resets for all accounts. Implement multi-factor authentication (MFA) to prevent unauthorized access.
- Use threat hunting and EDR tools to identify and remove all deployed web shells, backdoors, and persistence mechanisms across the environment.
- Reassess and tighten segmentation between IT and OT networks. Restrict lateral movement using access control lists (ACLs) and zero-trust architecture principles.
- Apply security updates and patches, especially to third-party systems such as ZKTeco ZKBioTime, to close known vulnerabilities, and track vendor advisories so fixes for newly disclosed flaws are applied promptly.
- Deploy detection rules for known malware such as NeoExpressRAT, HanifNet, and HXLibrary. Monitor system directories (e.g., AppData\Local\Microsoft\Windows\SystemConfig) for suspicious hidden files.
- Review all scheduled tasks and look for obfuscated or misleading task names that mimic legitimate Windows processes.
- Encrypted C2 traffic cannot be inspected for content, so combine network metadata analysis (beaconing periodicity, rare or newly registered destinations, certificate anomalies) with endpoint behavioral analytics to detect it and the custom obfuscation that accompanies it.
- Conduct regular security awareness training to help users identify and report phishing attempts aimed at stealing administrator credentials.
- For high-impact systems showing signs of deep compromise, consider full isolation and rebuilding from trusted sources to eliminate backdoors.
- Work with cybersecurity experts to analyze attacker TTPs and continuously update defenses based on evolving threat intelligence.
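The first two remediation items ask you to block and hunt for the listed indicators. The script below is an added example written for this advisory, not code from the original report or from any vendor, showing how to match the network IOCs above against DNS and web-proxy log lines. The log lines are constructed for illustration (RFC 5737 and RFC 1918 addresses, invented timestamps); the IOC values are exactly those listed above. Two details matter in practice: the domains resemble legitimate AWS and GitHub hostnames, so matching must be on the registrable IOC domain and its subdomains, not on keywords, and a substring check would also fire on unrelated names such as a hypothetical notencoremir.com.

```python
"""Hunt for the advisory's network IOCs in constructed DNS and proxy log lines.

Added example for this advisory; the log lines are constructed, not real telemetry.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Network IOCs exactly as listed in the advisory.
IOC_DOMAINS = {
    "cluster.amazonaws.work",
    "apps.gist.githubapp.net",
    "encoremir.com",
}
IOC_IPS = {ipaddress.ip_address("45.147.230.159")}

# Constructed sample lines: dnsmasq-style query logs and squid-style access logs.
# Line 2 is a legitimate AWS hostname that keyword matching on "amazonaws" would
# wrongly flag; line 5 is a look-alike that naive substring matching would flag.
SAMPLE_LOGS = [
    "Apr 30 02:14:05 dns01 dnsmasq[812]: query[A] cluster.amazonaws.work from 10.20.5.17",
    "Apr 30 02:14:05 dns01 dnsmasq[812]: query[A] s3.eu-west-1.amazonaws.com from 10.20.5.17",
    "1714442110.231    512 10.20.5.17 TCP_TUNNEL/200 3981 CONNECT apps.gist.githubapp.net:443 - HIER_DIRECT/45.147.230.159 -",
    "1714442111.002     88 10.20.5.22 TCP_MISS/200 1450 GET http://update.encoremir.com/cfg - HIER_DIRECT/203.0.113.10 -",
    "Apr 30 02:15:40 dns01 dnsmasq[812]: query[A] notencoremir.com from 10.20.5.30",
]

# Hostnames: dotted labels ending in an alphabetic TLD (so bare IPs are excluded).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,63})\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int     # 1-based index into the scanned lines
    kind: str        # "domain" or "ip"
    indicator: str   # the IOC that matched
    observed: str    # the exact token seen in the log


def host_matches(host: str, ioc_domains=IOC_DOMAINS) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Matching is on whole labels: "update.encoremir.com" matches "encoremir.com",
    "notencoremir.com" and "amazonaws.com" do not.
    """
    h = host.lower().rstrip(".")
    for d in ioc_domains:
        if h == d or h.endswith("." + d):
            return d
    return None


def scan(lines) -> List[Hit]:
    """Scan log lines for IOC domains (including subdomains) and IOC IPs."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            d = host_matches(host)
            if d:
                hits.append(Hit(n, "domain", d, host.lower()))
        for ip_text in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:      # e.g. "999.1.1.1" is not an address
                continue
            if ip in IOC_IPS:
                hits.append(Hit(n, "ip", str(ip), ip_text))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} IOC {hit.indicator} (seen as {hit.observed})")
```

Running it against the constructed lines reports four hits (lines 1, 3 twice, and 4) and nothing for the legitimate AWS lookup or the look-alike name. Point `scan()` at real exported DNS or proxy logs, and add any further indicators your threat-intelligence feeds provide to the two sets.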