A newly observed campaign by the Iranian threat actor tracked by Microsoft as Peach Sandstorm (formerly Holmium, and also known as APT33, Elfin, and Refined Kitten) has focused on organizations within the Defense Industrial Base (DIB) sector. Microsoft’s Threat Intelligence team has revealed that this campaign aims to deploy a never-before-seen backdoor named FalseFont.
FalseFont is a custom backdoor equipped with a range of functionalities, providing operators with the ability to remotely access infected systems, launch additional files, and transmit information to its command-and-control (C2) servers. Microsoft first recorded the use of this implant in early November 2023.
According to Microsoft, this recent activity aligns with Peach Sandstorm’s previous tactics, showcasing an ongoing evolution in the threat actor’s tradecraft. In a September 2023 report, Microsoft linked Peach Sandstorm to password spray attacks conducted globally between February and July 2023. The targeted sectors included satellite, defense, and pharmaceutical industries, with the ultimate goal of facilitating intelligence collection in support of Iranian state interests. Peach Sandstorm has been active since at least 2013.
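The password spray activity described above has a recognizable shape in sign-in logs: one source fails against many distinct accounts with only one or two attempts each, staying under per-account lockout thresholds. The following is an added detection example written for this article, not code from Microsoft or from the report; the log format and the sample sign-in lines are constructed, and the thresholds (`window`, `min_accounts`, `max_per_account`) are assumptions to tune against a real environment's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (not taken from the Microsoft report).
# Format: ISO timestamp | source IP | account | result
SAMPLE_LOG = """\
2023-03-01T08:00:01 198.51.100.7 alice FAIL
2023-03-01T08:00:04 198.51.100.7 bob FAIL
2023-03-01T08:00:07 198.51.100.7 carol FAIL
2023-03-01T08:00:10 198.51.100.7 dave FAIL
2023-03-01T08:00:13 198.51.100.7 erin FAIL
2023-03-01T08:00:16 198.51.100.7 frank FAIL
2023-03-01T08:00:19 198.51.100.7 grace SUCCESS
2023-03-01T08:01:00 203.0.113.5 alice FAIL
2023-03-01T08:01:05 203.0.113.5 alice FAIL
2023-03-01T08:01:10 203.0.113.5 alice FAIL
2023-03-01T08:01:15 203.0.113.5 alice FAIL
2023-03-01T08:01:20 203.0.113.5 alice FAIL
2023-03-01T08:01:25 203.0.113.5 alice FAIL
2023-03-01T09:30:00 192.0.2.44 bob FAIL
2023-03-01T09:30:30 192.0.2.44 bob SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, source, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, result = line.split()
        events.append((datetime.fromisoformat(ts), src, account, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted target accounts} for every source whose failures
    inside some `window` cover at least `min_accounts` distinct accounts while no
    single account sees more than `max_per_account` failures. Many accounts with
    few attempts each distinguishes spraying from brute force against one account,
    which a per-account lockout policy already handles."""
    failures = defaultdict(list)
    for ts, src, account, result in events:
        if result == "FAIL":
            failures[src].append((ts, account))

    findings = {}
    for src, attempts in failures.items():
        attempts.sort()
        # Slide a window starting at each failure and count accounts inside it.
        for i, (start, _) in enumerate(attempts):
            per_account = defaultdict(int)
            for ts, account in attempts[i:]:
                if ts - start > window:
                    break
                per_account[account] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                findings[src] = sorted(per_account)
                break
    return findings


def successes_from_spraying_sources(events, findings):
    """Successful sign-ins from a flagged source: the accounts to investigate first,
    since a spray that ends in a success usually means a valid credential was found."""
    hits = {(src, account) for _, src, account, result in events
            if result == "SUCCESS" and src in findings}
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    flagged = detect_password_spray(evts)
    print("spraying sources:", flagged)
    print("follow up on:", successes_from_spraying_sources(evts, flagged))
```

In the sample, 198.51.100.7 is flagged (six accounts, one failure each, within twenty seconds) and its later success for `grace` is surfaced for follow-up, while 203.0.113.5 (six failures against a single account) and 192.0.2.44 (one failure) are not, since those patterns are covered by ordinary lockout and are not spraying.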
This disclosure follows the Israel National Cyber Directorate’s (INCD) accusations against Iran and Hezbollah for an unsuccessful attempt to target Ziv Hospital. The hacking crews named Agrius and Lebanese Cedar were implicated in this incident. INCD also revealed details of a phishing campaign employing a fake advisory for a security flaw in F5 BIG-IP products. This advisory serves as a decoy, delivering wiper malware on both Windows and Linux systems.
The fake advisory used as the lure concerns a critical authentication bypass vulnerability in F5 BIG-IP (CVE-2023-46747, CVSS score: 9.8) disclosed in late October 2023. The full scale of this campaign is currently unknown, emphasizing the persistent and evolving nature of cyber threats originating from Iranian-linked actors.