Iran-linked group aims malware at aerospace industry through fake job recruiters

Suspected Iranian hackers impersonated recruiters on LinkedIn to target the aerospace industry in a new espionage campaign, researchers have found.

So-called “fake worker” schemes are typically associated with North Korean threat actors. However, the Israel-based cybersecurity company ClearSky has attributed this latest campaign to the Iranian operation tracked as TA455, likely a subgroup of the Iranian government cyberwarfare group Charming Kitten.

Researchers suggest that TA455 either impersonated Pyongyang-backed hackers to mask its activities or that North Korea shared attack methods and tools with Iran.

During the campaign, which has been active since at least September 2023, the hackers used fake recruiting websites and LinkedIn profiles to distribute seemingly legitimate documents containing malicious files, including the SnailResin malware, which activated the SlugResin backdoor.

Both tools were previously attributed by Microsoft to a subgroup of Charming Kitten, also tracked as APT35. Some researchers have also attributed these malicious files to the North Korean state-sponsored groups Kimsuky and Lazarus, marking another similarity between the two campaigns.

According to earlier research by Google-owned Mandiant, suspected Iranian hackers previously targeted the aerospace, aviation and defense industries in Israel, the United Arab Emirates and possibly Turkey, India and Albania.

LinkedIn profiles of the "recruiters" identified in the current campaign are "newer versions" of those previously reported by Mandiant, according to ClearSky’s report.

Although Iran-backed hackers primarily pose a threat to the Middle East, this year they have also been observed targeting Eastern Europe, “likely influenced by the ongoing geopolitical tensions surrounding Iran’s alliances and interests, particularly against entities perceived as oppositional to Iranian geopolitical aims,” researchers said.

The latest campaign by the Iran-linked group is similar to previous campaigns backed by the regime. However, the hackers have adapted to bypass current security measures. For example, to conceal its infrastructure, TA455 relied on traffic from legitimate online services like Cloudflare, GitHub and Microsoft Azure Cloud.

“The hackers’ use of fake recruiter profiles associated with fabricated companies further strengthens the deception, making it more likely for victims to engage with their malicious links and attachments,” ClearSky said. “This exploitation of a trusted platform allows them to bypass traditional security measures that might flag suspicious emails or websites.”