Iranian hackers used two new malware to target the Middle East

Iranian Hackers Malware Middle East GRAMDOOR STARWHALE Spear Phishing Telegram

State-sponsored hackers from Iran has been operating two new malware threats called GRAMDOOR and STARWHALE to target unknown Middle Eastern entities and government. The Iranian hackers first used the malware in November last year, consisting of a simple backdoor functionality.

Studies revealed that the recent attacks against Middle Eastern entities could be associated with UNC3313. The threat group conducts surveillance and collects strategic information to aid its sponsor with military decision-making, critical intelligence, and interests.

In addition, the current attacks utilise spear-phishing campaigns for initial access and publicly remote access software and aggressive tools for lateral movement and access.

The phishing emails contain job promotion baits and trick targets into accessing a URL to download a RAR file placed on OneHub. The archive file from the phishing email contains the tool known as ScreenConnect to obtain persistence on infected systems.

The researchers also noted that the Iranian-sponsored threat group is quick on its feet in acquiring remote access by abusing the ScreenConnect and eHorus remote access tool.


After the initial attack, the Iranian hackers utilised multiple tools and tactics to compromise their targeted entity further.


The campaign includes a payload called GRAMDOOR, which exploits Telegram API for its network communications with the attacker-controlled server to avoid the detection of AV solutions and accompany the retrieval of stolen data.

On the other hand, a previously unidentified backdoor known as STARWHALE is utilised in the attack that abuses a Windows Script File to operate and gather commands from a hardcoded command-and-control server.

The following stages of the campaign included running obfuscated PowerShell commands to download extra tools and payloads, escalating privileges, and internal retrieval operation on the targeted network.

The utilisation of Telegram API for command-and-control, publicly available tools, and legitimate remote access software implies that the Iranian hackers put significant efforts in evading detection tools.

Experts recommend that users use provided IOCs for better and quick malware detection and stray protection against threats.

About the author

Leave a Reply