Fri, May 23

CyberOwl raises alarm on phishing and malware campaign

Maritime cyber security
CyberOwl has completed an investigation into a developing cyber campaign that’s impersonating players in Iranian oil and gas trade and targeting vessel captains directly.

As stated, CyberOwl has observed a phishing and malware campaign that has targeted organisations involved with trading Iranian oil and gas, but which has also spread to others in the trading ecosystem, including maritime operators.

The attacker set up a new domain vaproum[.]biz which was registered on 23 January 2025 and updated on 4 March 2025. This was used to send and receive emails.

From open-source research it was identified that the vaproum[.]biz domain was used to send two phishing messages impersonating SGS (a Swiss-based engineering company with operations in Iran) to Sepehr Energy Jahan Nemaye Pars Co. (an Iranian organisation trading oil and gas with links to the military) on 11 March 2025. The first message has an attached password-protected RAR file and the second has a GZ file.

Targeting a vessel

CyberOwl observed a further instance of the campaign which was sent to the email address of a vessel captain on 17 April 2025. This email was impersonating F. Taghipour, a commercial manager at Smart Exports LLC, which is another Iranian organisation involved in oil and gas trading. The email was simple but used a number of specific terms which would have made it seem more legitimate to the vessel captain who received it.

[Image of the phishing email. Credit: CyberOwl]

The email had an attached ZIP file containing a JavaScript file, which contained a multi-stage downloader. Once the recipient opens the attachment, the malware execution begins.

Malware analysis

The attached JavaScript file downloads and executes content from agout12.lovestoblog.com. LovesToBlog is a free hosting site which hides details of who operates the subdomains. CyberOwl detected the attempt to launch script interpreters from an email and took action to stop the attack and protect the client. The remaining malware analysis was conducted in a lab. The next stage downloads a JPG hosted on archive.org.
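The two detection points described above, a script file inside an email ZIP attachment and a script interpreter being launched from an email client or from the temporary folder where an opened attachment lands, can be checked with a small amount of code. The following is an added example written for this page; it is not CyberOwl's tooling or the campaign's code. The extension and interpreter lists, the Sysmon-style event fields and all sample values (file names, paths, the mail-client parent) are constructed assumptions for illustration.

```python
import io
import re
import zipfile

# Assumed list of script-host and similar carrier extensions a mail gateway would flag
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat"}

# Assumed list of interpreters whose launch from a mail client (or from an attachment
# temp path) is worth alerting on
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Paths where an attachment opened straight from a mail client or from a ZIP lands
ATTACHMENT_PATH_RE = re.compile(r"\\(INetCache|Temp)\\.*\.(js|jse|vbs|vbe|wsf|hta)\b", re.I)


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """Return the names of archive members whose extension is a script type."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if any(info.filename.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS):
                flagged.append(info.filename)
    return flagged


def flag_interpreter_launches(events) -> list:
    """events: iterable of dicts with 'parent', 'image', 'cmdline' (process-creation summaries).
    Flags a script interpreter started by a mail client, or started on a script
    sitting in an attachment temp path (the parent is explorer.exe when the user
    double-clicks a file inside a ZIP)."""
    hits = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_INTERPRETERS:
            continue
        if parent in MAIL_CLIENTS or ATTACHMENT_PATH_RE.search(ev["cmdline"]):
            hits.append(ev)
    return hits


def build_sample_zip() -> bytes:
    """Constructed attachment shaped like the lure in the article: a ZIP holding a .js file.
    The member content is harmless filler, not a downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Shipping_Documents/voyage_instructions.js", "// placeholder content\n")
        zf.writestr("Shipping_Documents/readme.txt", "see attached")
    return buf.getvalue()


# Constructed process-creation events (Sysmon event ID 1 style); paths and user are made up
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\captain\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\voyage_instructions.js"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\captain\AppData\Local\Temp\Temp1_Shipping_Documents.zip\voyage_instructions.js"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\captain\Documents\notes.txt"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\ProgramData\vendor\maint.vbs"},  # routine admin script, not flagged
]

if __name__ == "__main__":
    print("scripts in attachment:", inspect_zip_attachment(build_sample_zip()))
    for hit in flag_interpreter_launches(SAMPLE_EVENTS):
        print("ALERT interpreter launch:", hit["cmdline"])
```

The first two sample events are flagged (one by parent process, one by the attachment temp path); the notepad launch and the scheduled admin VBS are not. In production the same two rules would run over the EDR or Sysmon feed rather than an inline list.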

The jpg contains a hidden payload which decodes to executable code. This part of the attack overlaps with a small number of other campaigns also reported from March to May 2025 but with apparently different motivations. CyberOwl’s assumption is that the attacks are all using a shared malware-as-a-service platform but are ultimately conducted by different attackers.

There are also similarities with reported attacks from 2024 that named this JPG technique "SteganoAmor" because of its use of steganography. The executable code from the JPG is loaded directly into memory to avoid detection. The code supports persistence through scheduled tasks and arbitrary command-and-control functions. The remote connection is to aguout12.lovestoblog.com. The final delivered malware in this case appears to be a variant of "Agent Tesla".
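When triaging an image pulled down by a downloader like the one above, the first question is whether the file is only an image. The article does not say how this campaign's payload was embedded, so the following added example (written for this page, not CyberOwl's or the malware authors' code) checks two common, assumed embedding styles: data appended after the JPEG end-of-image marker, and a base64 run anywhere in the file that decodes to a Windows executable (MZ header). It walks the JPEG marker segments rather than searching for the last FFD9 so that a thumbnail inside an EXIF segment does not end the walk early. The sample JPEG and the fake PE stub are constructed inline.

```python
import base64
import re

JPEG_SOI = b"\xff\xd8"
PE_MAGIC = b"MZ"
# Minimum base64 run length treated as a candidate payload (threshold is an assumption)
BASE64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_eoi_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker by walking segment headers."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI)")
    i, n = 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                      # fill byte preceding a marker
            i += 1
            continue
        if marker == 0xD9:                      # EOI
            return i + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers (TEM, RSTn)
            i += 2
            continue
        if i + 3 >= n:
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[i + 2:i + 4], "big")
        i += 2 + seg_len
        if marker == 0xDA:                      # SOS: skip entropy-coded data to the next real marker
            while i + 1 < n:
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
    raise ValueError("no EOI marker found")


def triage_jpeg(data: bytes) -> dict:
    """Report trailing bytes after EOI and whether any base64 run decodes to a PE image."""
    trailing = data[find_eoi_offset(data):]
    result = {"trailing_bytes": len(trailing),
              "pe_in_trailer": trailing.startswith(PE_MAGIC),
              "base64_pe": False}
    for m in BASE64_RUN_RE.finditer(data):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:                      # binascii.Error is a ValueError subclass
            continue
        if blob.startswith(PE_MAGIC):
            result["base64_pe"] = True
            break
    return result


def _segment(marker: int, body: bytes) -> bytes:
    """JPEG segment: FF marker, 2-byte big-endian length that includes itself, body."""
    return bytes([0xFF, marker]) + (len(body) + 2).to_bytes(2, "big") + body


def build_sample_jpeg(trailer: bytes) -> bytes:
    """Constructed minimal JPEG (APP0, one SOS with stuffed FF00 in the scan, EOI) plus a trailer."""
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\x78"
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9" + trailer


# Constructed stand-in for a PE file: only the header magic, no real code
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60

if __name__ == "__main__":
    print("clean image:", triage_jpeg(build_sample_jpeg(b"")))
    print("image with base64 PE trailer:", triage_jpeg(build_sample_jpeg(base64.b64encode(FAKE_PE))))
```

A clean image reports zero trailing bytes and no PE; the constructed one reports a 172-byte trailer and a base64-encoded PE. Either finding on an image fetched by a script interpreter is a strong signal to pull the host from the network and look for the scheduled-task persistence the article mentions.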

This currently appears to be a little-known campaign that is impersonating and targeting organisations involved with Iranian oil and gas. Posts on X (formerly Twitter) suggest that one of the organisations has been recently breached by an Anonymous affiliate with the intention of exposing breaches of US sanctions on Iran. The most plausible theory is therefore that the incidents reported here are part of that Anonymous campaign.

However, the vessel where the attack was detected has no links to Iranian trading, and thus the true motive may be different. At least one other campaign that used the JPG hosted on archive.org is reported to have a financially motivated objective. CyberOwl has also identified impersonation of a UAE-based oil & gas entity and a Chinese shipping-related email lure that could indicate wider targeting of the sector not linked to sanctions.

Recommendations

In addition to the usual defences for phishing threats – email scanning, crew training and 24×7 monitoring – this case raises two specific issues:

  • The importance of considering the reputational impacts of a cyber-attack that reveals confidential information – particularly in light of a fast-changing sanctions environment.
  • Ensuring you have a good understanding of your business’s operations when doing a risk assessment to understand what confidential information you are protecting.

According to Marlink's global maritime cyber threat report, during the second half of 2024 (H2) there was an evolution in cyber threats, as malicious actors adopted increasingly efficient, structured and business-like approaches to cybercrime. Cybercriminals have streamlined their tactics, enhanced their operational efficiency and adopted emerging technologies to expand their attack capabilities.


Original Source: SAFETY4SEA www.safety4sea.com
