La Era
Apr 14, 2026 · Updated 03:24 PM UTC
Technology

State-linked hackers target Windows and Mac users in new espionage campaign

Security firms have uncovered a sophisticated cyber-espionage operation tied to the Iranian government that uses AI-generated personas to compromise both Windows and macOS systems.

Matías Olivares

Security researchers have identified a coordinated cyber-espionage campaign originating from groups linked to the Iranian government. The attackers are deploying a dual-track malware infrastructure designed to bypass traditional security measures on both Windows and macOS devices.

The operation relies on Cold War-era social engineering tactics, according to findings published by FayerWayer. Attackers create elaborate, AI-generated personas across LinkedIn and X to build rapport with targets over several weeks. Once trust is established, they transmit seemingly benign files that trigger the infection.

Technical sophistication in the crosshairs

Once a user opens an infected document, the malware executes its payload. On Windows systems, the attackers exploit vulnerabilities within next-generation Office macros. macOS users face a different threat: the attackers use stolen developer certificates to bypass Apple’s Gatekeeper security protocol.

This campaign distinguishes itself through the use of "zero-footprint" malware. Rather than writing files to a hard drive, the malicious code operates directly within the system's RAM. This allows the software to evade detection by standard antivirus programs that scan for disk-based activity.

To maintain long-term access without triggering network firewalls, the malware exfiltrates stolen data in small, encrypted packets over several months. On Windows, the primary objective is the theft of corporate and banking credentials. On macOS, the attackers prioritize gaining access to the Keychain and private communications.

Security analysts classify the current threat level as critical. The campaign highlights that no operating system remains invulnerable to state-sponsored actors. Experts now advise that the most effective defense against such targeted attacks is extreme skepticism toward unsolicited professional communications, regardless of how legitimate the sender's profile appears.
