
Lemon Sandstorm Breach Middle East Infrastructure
The Iranian state-sponsored hacking group Lemon Sandstorm, also known as Pioneer Kitten, Parisite, and UNC757, conducted a prolonged, multi-stage cyberattack targeting critical national infrastructure in the Middle East.
According to a report by the FortiGuard Incident Response (FGIR) team, the campaign spanned from May 2023 to February 2025 and involved extensive cyber-espionage and suspected network prepositioning, a tactic commonly used to establish long-term access for future strategic operations.
Technical Description
According to the FGIR team's May 1, 2025 report, the compromise began at least two years earlier, when the attackers leveraged stolen VPN credentials to infiltrate the organization’s network. FGIR, which assisted with remediation efforts starting in late 2024, found that within a week of initial access the attackers had deployed web shells on two externally facing Microsoft Exchange servers and subsequently upgraded these backdoors to improve stealth and persistence.
The threat actors, identified as part of the Iran-linked Lemon Sandstorm group, continued expanding their foothold by adding new capabilities, installing persistence mechanisms, and deploying five custom attack tools. Notably, the attackers appeared more focused on establishing long-term access than on immediate data exfiltration.
Initial Breach through VPN Access:
The intrusion began on May 15, 2023, when the attackers used stolen domain administrator credentials to access the organization’s SSL VPN infrastructure, specifically targeting two on-premises Microsoft Exchange servers (EXCH-1 and EXCH-2). The credentials worked on the first login attempt, with no prior failed logins and no indication of a recent password change, strongly suggesting that the credentials had been validated beforehand.
On May 20, 2023, at 08:00 UTC, the adversary reconnected via VPN and launched a series of SMB brute-force attacks and network scans from the VPN-connected endpoint. The scanning activity focused on externally facing servers, while the brute-force attempts targeted key domain administrator accounts to escalate privileges. However, limited VPN log retention hindered efforts to trace the attacker’s source IP address.
Establishment of Web Shell-Based Access:
Approximately five hours after reconnecting via VPN, the adversary established a Remote Desktop Protocol (RDP) session with EXCH-1 and deployed a simple web shell named default.aspx. This shell accepted POST requests, writing files to attacker-specified paths via the fg field, with file contents decoded from base64-encoded data in the gh field. Access was confirmed using GET requests, and the same shell was subsequently deployed on EXCH-2, likely as a test for endpoint-level restrictions.
On May 21, 2023, at 07:00 UTC, a more advanced web shell, UpdateChecker.aspx, was deployed on both Exchange servers. This shell incorporated multiple obfuscation techniques, including character code substitution, nested loops, junk functions, and AES-encrypted variable names, significantly complicating detection and analysis. It became the primary method of remote access during the early stages of the intrusion.
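The write-up gives enough of default.aspx's request protocol (a POST whose fg field names the destination path and whose gh field carries base64 file content) to write a request-level detector for it. The example below is added here and is not FGIR's or the victim's code; the baseline page set and the request records are constructed assumptions, and in practice the records would come from IIS logs or a reverse proxy that retains form bodies.

```python
# Added example (not from the FGIR report): flag HTTP requests matching the
# file-write behaviour described for default.aspx, plus any .aspx page that is
# not in the Exchange front end's expected set. Baseline names are assumptions.
import base64
import binascii
from urllib.parse import parse_qs

# Assumed baseline of .aspx pages the Exchange front end legitimately serves.
BASELINE_PAGES = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx"}

def looks_like_base64(value: str) -> bool:
    """True if value decodes as base64 (the gh field carried base64 file content)."""
    try:
        base64.b64decode(value, validate=True)
        return len(value) > 0
    except (binascii.Error, ValueError):
        return False

def classify_request(req: dict) -> list[str]:
    """Return the reasons this request is suspicious (empty list if none)."""
    reasons = []
    path = req["path"].lower()
    if path.endswith(".aspx") and path not in BASELINE_PAGES:
        reasons.append(f"non-baseline aspx page {req['path']}")
    if req["method"] == "POST":
        fields = parse_qs(req.get("body", ""))
        fg = fields.get("fg", [""])[0]   # destination path on the server
        gh = fields.get("gh", [""])[0]   # base64-encoded file content
        if fg and gh and looks_like_base64(gh):
            reasons.append(f"web-shell write pattern: fg={fg}")
    return reasons

# Constructed sample requests (not traffic from the incident).
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/owa/auth/logon.aspx", "body": ""},
    {"method": "GET", "path": "/owa/auth/default.aspx", "body": ""},
    {"method": "POST", "path": "/owa/auth/default.aspx",
     "body": "fg=C%3A%5Cinetpub%5Cwwwroot%5Ctest.txt&gh=aGVsbG8="},
    {"method": "POST", "path": "/owa/auth/UpdateChecker.aspx", "body": "x=1"},
]

def find_suspicious(requests: list[dict]) -> list[tuple[str, list[str]]]:
    """Pair each flagged request path with its reasons, in input order."""
    flagged = [(r["path"], classify_request(r)) for r in requests]
    return [(p, why) for p, why in flagged if why]

if __name__ == "__main__":
    for path, why in find_suspicious(SAMPLE_REQUESTS):
        print(path, "->", "; ".join(why))
```

The GET to a non-baseline page is the access check the write-up describes; it is flagged even without a body, which is all an ordinary IIS W3C log would show.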
Credential Harvesting Mechanisms:
On June 18, 2023, the attackers created a scheduled task named EDP Policy on SERV-4 and SERV-5, placed in Microsoft\Windows\AppID\ to mimic the legitimate EDP Policy Manager. It extracted files from domain controller paths, outputting XML files with epoch timestamps and base64-encoded credentials to a web directory.
Two DLLs, synapy.dll and synapx.dll, were deployed as password filters (T1556.002) on domain controllers to harvest credentials via LSA authentication, with confirmed exfiltration occurring six times over 13 months until removal on August 29, 2024. The attackers also ran Mimikatz (m.exe) on EXCH-1 and EXCH-2, and used PowerShell to enable RDP logins with local admin accounts by modifying the LocalAccountTokenFilterPolicy.
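Both persistence changes described above (a password filter DLL registered in LSA's Notification Packages, and LocalAccountTokenFilterPolicy set to 1) are visible in a plain registry export, so a defender can audit them offline. The example below is added here and is not FGIR's tooling; the .reg text is constructed (it registers scecli plus a look-alike synapy entry), and the allowlist of filter packages is an assumption for a typical domain controller.

```python
# Added example (not the FGIR report's tooling): audit a "reg export" of the LSA
# key and the UAC policy key for unknown password-filter DLLs and for
# LocalAccountTokenFilterPolicy=1. The export text is constructed and the
# allowlist of filter packages is an assumption for a typical domain controller.
import re

# Constructed export (real exports start with a "Windows Registry Editor" header).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,73,00,\
  79,00,6e,00,61,00,70,00,79,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001
"""
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
ALLOWED_FILTERS = {"scecli", "rassfm"}  # assumed baseline, adjust per environment

def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Map each [key] to its "name"=raw-value pairs; joins backslash line continuations."""
    keys, current = {}, None
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw.strip()
    return keys

def decode_multi_sz(raw: str) -> list[str]:
    """hex(7) is REG_MULTI_SZ: UTF-16LE strings separated by NUL, ending in double NUL."""
    hexpart = re.sub(r"\s", "", raw[len("hex(7):"):])
    data = bytes(int(b, 16) for b in hexpart.split(",") if b)
    return [s for s in data.decode("utf-16-le").split("\x00") if s]

def audit(text: str) -> list[str]:
    """Findings a defender would review on a domain controller or member server."""
    keys, findings = parse_reg(text), []
    raw = keys.get(LSA_KEY, {}).get("Notification Packages", "hex(7):")
    for pkg in decode_multi_sz(raw):
        if pkg.lower() not in ALLOWED_FILTERS:
            findings.append(f"unexpected password filter DLL: {pkg}")
    # 1 disables UAC remote restrictions: local admin accounts get full tokens over RDP/SMB
    if keys.get(POLICY_KEY, {}).get("LocalAccountTokenFilterPolicy", "").lower() == "dword:00000001":
        findings.append("LocalAccountTokenFilterPolicy=1: local admins usable for remote admin")
    return findings
```

Each name in Notification Packages is loaded by LSASS from System32 at boot, so an unexpected entry should be followed up with a signature check of the DLL itself.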
HanifNet Backdoor Deployment:
On August 6, 2023, a scheduled task named CleanupTemporay (note the misspelling) was created under Microsoft\Windows\ApplicationData\ on SERV-6, mimicking the legitimate cleanupTemporarystate task. It executed mast.exe, a .NET backdoor dubbed HanifNet, located in C:\Program Files\Python39\DLLs\.
HanifNet, an unsigned executable, included namespaces H4N1F_Agent_V2_ and H4N1F_Crypto, and communicated with its C2 server via a config file processed by the GetConfig function. Though unobfuscated, it posed as a Microsoft utility with the description “System Update Health Services.” The name “hanif” (Farsi for pre-Islamic monotheists) and metadata linked the tool to Iranian threat activity.
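Both scheduled tasks described above (EDP Policy under Microsoft\Windows\AppID\ and CleanupTemporay under Microsoft\Windows\ApplicationData\) rely on a name that nearly matches a built-in task, and the second also runs from an unusual location. The example below is added here and is not FGIR's tooling; it audits a constructed task inventory against an assumed, partial baseline of legitimate task names and trusted binary roots.

```python
# Added example (not the FGIR report's tooling): audit a scheduled-task
# inventory for look-alike names in Microsoft\Windows\ folders, as with the
# "EDP Policy" and "CleanupTemporay" tasks. The inventory is constructed and
# the baseline of legitimate task names is a partial, assumed list.
import difflib

# Assumed baseline (partial): legitimate task names keyed by task folder.
KNOWN_TASKS = {
    "\\Microsoft\\Windows\\AppID": {"EDP Policy Manager", "PolicyConverter"},
    "\\Microsoft\\Windows\\ApplicationData": {"CleanupTemporaryState", "DsSvcCleanup"},
}
# Built-in tasks normally run binaries under these roots (assumption).
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def split_task(full_path: str) -> tuple[str, str]:
    """'\\\\Microsoft\\\\Windows\\\\AppID\\\\EDP Policy' -> (folder, name)."""
    folder, _, name = full_path.rpartition("\\")
    return folder, name

def audit_task(full_path: str, action: str) -> list[str]:
    """Reasons a task looks like masquerading persistence (empty list if none)."""
    folder, name = split_task(full_path)
    known = {k.lower(): k for k in KNOWN_TASKS.get(folder, set())}
    reasons = []
    if known and name.lower() not in known:
        # Near-miss of a legitimate name: a misspelt or truncated variant.
        close = difflib.get_close_matches(name.lower(), list(known), n=1, cutoff=0.6)
        if close:
            reasons.append(f"name '{name}' resembles legitimate task '{known[close[0]]}'")
    if not action.lower().startswith(TRUSTED_ROOTS):
        reasons.append(f"action outside trusted roots: {action}")
    return reasons

# Constructed inventory: task paths from the write-up, actions are illustrative.
SAMPLE_TASKS = [
    ("\\Microsoft\\Windows\\AppID\\EDP Policy Manager", "C:\\Windows\\System32\\svchost.exe"),
    ("\\Microsoft\\Windows\\AppID\\EDP Policy", "C:\\Windows\\System32\\cmd.exe"),
    ("\\Microsoft\\Windows\\ApplicationData\\CleanupTemporay",
     "C:\\Program Files\\Python39\\DLLs\\mast.exe"),
]

def audit_inventory(tasks: list[tuple[str, str]]) -> list[tuple[str, list[str]]]:
    """Return (task path, reasons) for every task with at least one finding."""
    results = [(path, audit_task(path, action)) for path, action in tasks]
    return [(path, why) for path, why in results if why]

if __name__ == "__main__":
    for path, why in audit_inventory(SAMPLE_TASKS):
        print(path, "->", "; ".join(why))
```

The similarity cutoff is deliberately loose; on a real inventory, tune it against an export of the known-good task folders so that only near-duplicates of built-in names surface.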
Consolidation and Advanced Persistence:
From April 30 to November 22, 2024, adversaries strengthened their foothold by deploying additional web shells and the NeoExpressRAT backdoor for persistence. They used proxy tools (plink, Ngrok, ReverseSocks5, glider) to bypass network segmentation and chain access.
The attackers targeted email exfiltration and interacted with virtualization infrastructure, chaining four proxy tools to penetrate deeper into critical national infrastructure (CNI) segments, as shown in Figure 2. Additional backdoors, Havoc and HXLibrary, were deployed via scheduled tasks, ensuring long-term access. The network, comprising hundreds of endpoints, included both virtualized and dedicated servers, with OT networks targeted through reconnaissance and credential collection.
Remediation and Adversary Countermeasures:
From November 23 to December 13, 2024, initial remediation triggered a surge in adversary activity. New backdoors (MeshCentral and SystemBC) and additional web shells were deployed to maintain access to critical segments. Attackers exploited a vulnerable web server and launched targeted phishing campaigns for credential harvesting.
Containment efforts from December 14, 2024 eradicated adversary access, but the attackers attempted re-entry via persistent mechanisms, server exploits, and phishing. The victim’s segmented network, with OT isolation, prevented a confirmed OT breach, though adversaries gained a foothold in OT-related segments.
Malware and TTP Analysis:
The intrusion involved five previously unreported malware clusters: HanifNet (backdoor), RemoteInjector (loader), NeoExpressRAT (backdoor), HXLibrary (backdoor), and CredInterceptor (credential access). These were complemented by open-source frameworks (e.g., Havoc) and low-complexity web shells.
Key TTPs included RDP/SMB lateral movement using compromised VPN credentials, web shell deployment for remote execution, proxy chaining to bypass firewalls, and phishing for credential harvesting. The report highlights that these established TTPs, not novel malware, represent the greatest risk, as they are commonly used across multiple threat actors.
Network Topology and Adversary Navigation:
The victim’s infrastructure included hundreds of endpoints, such as external web servers, an on-premises Exchange server, database servers, and application servers, with partial virtualization. Network segmentation and trust relationships were strong, particularly for the OT network, which was isolated by multiple layers.
Adversaries targeted OT systems through reconnaissance, credential collection, and network scanning, gaining a foothold in OT-related segments but not breaching the OT network. Proxy chaining (e.g., plink, Ngrok, ReverseSocks5, glider) enabled lateral movement across segments, showcasing sophisticated navigation of the victim’s network topology.
Attribution and Historical Context:
The intrusion was attributed to an Iranian state-backed group, likely Lemon Sandstorm, based on TTP overlaps with past campaigns and the use of Farsi-derived names (e.g., “hanif”). Traces of the compromise dated back to May 2021, indicating a multi-year operation.
The adversary’s focus on CNI sectors (transportation, energy, telecommunications) and use of sophisticated proxy chaining highlighted their strategic intent for espionage and prepositioning amid geopolitical tensions.
Conclusion:
The intrusion was a prolonged, multi-year operation targeting critical national infrastructure (CNI) sectors, with a focus on transportation, energy, and telecommunications, indicating strategic espionage and prepositioning efforts amid geopolitical tensions. The use of advanced persistence techniques, including proxy chaining and multiple backdoors, demonstrated the adversary’s sophisticated approach to maintaining access. The attackers relied heavily on credential harvesting and lateral movement through phishing and RDP/SMB exploitation. The operation is likely attributed to the Iranian state-backed group, Lemon Sandstorm, due to TTP overlaps and Farsi-derived names, highlighting its alignment with broader Iranian cyber objectives.
Impact
The intrusion facilitated espionage and prepositioning within Middle Eastern CNI, threatening operational stability in the transportation, energy, and telecom sectors. Prolonged access since May 2021 exposed sensitive data, weakening regional cybersecurity. Ongoing adversary attempts, even after remediation, underscore the persistent threat to the stability of critical infrastructure.
IOC and Context Details
Topics | Details |
---|---|
Tactic Name | Persistence, Lateral Movement, Execution, Credential Access, Initial Access, Command and Control |
Technique Name | Persistence: Scheduled Task/Job, Valid Accounts, Server Software Component; Lateral Movement: Remote Services; Execution: Command and Scripting Interpreter; Credential Access: Input Capture, OS Credential Dumping, Modify Authentication Process; Initial Access: External Remote Services; Command and Control: Protocol Tunneling, Remote Access Tools |
Sub-Technique Name | Persistence - Scheduled Task/Job: Scheduled Task; Persistence - Valid Accounts: Local Accounts, Domain Accounts; Persistence - Server Software Component: Web Shell; Lateral Movement - Remote Services: Remote Desktop Protocol, SMB/Windows Admin Shares, SSH; Execution - Command and Scripting Interpreter: PowerShell; Credential Access - Input Capture: Web Portal Capture; Credential Access - OS Credential Dumping: LSASS Memory; Credential Access - Modify Authentication Process: Password Filter DLL; Command and Control - Remote Access Tools: Remote Desktop Software |
Attack Type | Malware |
Targeted Applications | Windows |
Region Impacted | Middle East |
Industry Impacted | Transportation, Energy, Telecommunications |
IOCs | IP addresses, file hashes (SHA-256, SHA-1, MD5) and domains; see the FGIR report for the full list |
CVE | NA |
Recommended Actions
- Enhance Credential Security: Enforce multi-factor authentication (MFA) and monitor for abnormal login behavior.
- Strengthen Network Segmentation: Regularly audit trust relationships and limit RDP/SMB access to prevent lateral movement.
- Monitor Web Servers: Deploy intrusion detection systems to identify and remove unauthorized web shells.
- Patch Vulnerabilities: Prioritize updates for public-facing servers and applications to reduce exploitation risks.
- Retain Logs: Extend VPN and server log retention to trace adversary origins and actions.