Full Report
An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years. The activity, which lasted from at least May 2023 to February 2025, entailed "extensive espionage operations and suspected network prepositioning – a tactic often used to maintain persistent access for future
Analysis Summary
# Threat Actor: Lemon Sandstorm
## Attribution & Identity
**Attribution:** Iranian state-sponsored threat group.
**Known Aliases and Associated Groups:** Rubidium, Parisite, Pioneer Kitten, UNC757.
**Active Since:** At least 2017.
## Activity Summary
Lemon Sandstorm has been attributed to a long-term cyber intrusion targeting a Critical National Infrastructure (CNI) entity in the Middle East, spanning nearly two years (May 2023 to February 2025). The activity focused on extensive espionage and network prepositioning. The group has also been previously linked to deploying ransomware against entities in the U.S., Israel, Azerbaijan, and the UAE.
The recent CNI intrusion unfolded in four stages:
1. **Establishment (May 2023 – April 2024):** Gaining initial access via stolen credentials to an SSL VPN, dropping web shells, and deploying Havoc, HanifNet, and HXLibrary backdoors.
2. **Consolidation (April 2024 – November 2024):** Planting more web shells, deploying NeoExpressRAT, using plink and Ngrok for deeper access, performing targeted email exfiltration, and moving laterally to virtualization infrastructure.
3. **Post-Containment (November 2024 – December 2024):** Deploying MeshCentral Agent and SystemBC in response to victim remediation efforts, along with more web shells.
4. **Re-infiltration Attempts (December 2024 – Present):** Attempting to regain access by exploiting known Biotime vulnerabilities (CVE-2023-38950, CVE-2023-38951, CVE-2023-38952) and spear-phishing 11 employees for Microsoft 365 credentials.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting known vulnerabilities in VPN solutions (Fortinet, Pulse Secure, Palo Alto Networks); using stolen login credentials for SSL VPN access; spear-phishing for M365 credentials.
- **Persistence & Execution:** Dropping web shells (RecShell, DropShell); deploying multiple backdoors (Havoc, HanifNet, HXLibrary, NeoExpressRAT, SystemBC, MeshCentral Agent).
- **Defense Evasion:** Using chained proxies (consistently chaining four different proxy tools in later stages); leveraging open-source tools (Havoc C2, MeshCentral RMM).
- **Credential Access:** Deploying CredInterceptor DLL to harvest credentials from LSASS process memory.
- **Lateral Movement:** Moving to virtualization infrastructure; utilizing plink and Ngrok to burrow deeper.
- **Command and Control (C2):** Using custom implants; HXLibrary fetches C2 from Google Docs; NeoExpressRAT likely uses Discord for follow-on communications.
- **Action on Objectives:** Extensive reconnaissance; suspected network prepositioning for strategic advantage.
- **Exploitation:** Exploiting known Biotime vulnerabilities.
**Specific CVEs/Tools:** CVE-2023-38950, CVE-2023-38951, CVE-2023-38952.
## Targeting
**Sectors:** Critical National Infrastructure (CNI), Aerospace, Oil and Gas, Water, Electric sectors. Operational Technology (OT)-adjacent systems were a key focus area.
**Geography:** Middle East (primary focus of the reported intrusion), United States, Europe, Australia, Israel, Azerbaijan, United Arab Emirates (UAE).
**Victims:** One unidentified CNI entity in the Middle East; various entities targeted in past ransomware campaigns.
## Tools & Infrastructure
**Malware Families Used:**
* **Backdoors/Frameworks:** Havoc (C2 framework), NeoExpressRAT, SystemBC (precursor to ransomware), MeshCentral Agent (RMM).
* **Custom/Unique Malware:** HanifNet (.NET executable backdoor), HXLibrary (.NET IIS module backdoor), CredInterceptor (LSASS credential dumping DLL), RemoteInjector (loader), RecShell (reconnaissance web shell), DropShell (file upload web shell), DarkLoadLibrary (SystemBC loader).
**Infrastructure (Defanged):** apps.gist.githubapp\[.\]net, gupdate\[.\]net (C2 infrastructure linked via shared usage).
## Implications
Lemon Sandstorm demonstrates a persistent, multi-year espionage focus against high-value CNI targets, with particular interest in OT-adjacent networks. The group is resilient: when remediation occurs it adapts its toolset and changes attack vectors (from initial VPN exploitation to exploitation of the known Biotime vulnerabilities, the CVE-2023-38950 series). The hands-on-keyboard nature of the activity suggests dedicated, coordinated operational teams operating within the influence of the Iranian government. The network prepositioning indicates a long-term strategic threat of future disruption or exploitation.
## Mitigations
- Immediately investigate and patch vulnerabilities related to Biotime (CVE-2023-38950, CVE-2023-38951, CVE-2023-38952).
- Review and restrict access to SSL VPNs, potentially requiring stronger multifactor authentication, especially for external access used by legacy systems.
- Monitor for early-stage persistence tooling: web shells, open-source C2 frameworks such as Havoc, and tunnelling tools such as Ngrok and plink appearing on internal hosts.
- Implement enhanced detection capabilities for LSASS memory access to identify the use of tools like CredInterceptor.
- Conduct thorough security auditing around OT-adjacent network segments, as these appear to be key reconnaissance targets.
- Harden Microsoft 365 environments to counter spear-phishing attempts targeting employee credentials.
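As an added, defender-side illustration of the LSASS-access detection mitigation above (example code, not from the original report or the referenced research), the following Python flags Sysmon Event ID 10 (ProcessAccess) events in which a process outside an assumed allowlist opens lsass.exe with memory-read rights. The JSON-lines event format and the allowlist are assumptions, and the sample events are constructed.

```python
"""Detect suspicious LSASS process-access events (Sysmon Event ID 10).
Added example, not from the original report; assumes Sysmon ProcessAccess events
exported as one JSON object per line. The sample events below are constructed.
"""
import json

# Access-mask bit required to read another process's memory (credential dumping needs it).
PROCESS_VM_READ = 0x0010
# Source images that legitimately open LSASS; an assumed baseline, tune per environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted process is granted memory-read access to lsass.exe."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES

def find_suspicious(lines):
    """Yield (SourceImage, GrantedAccess) for each suspicious event in JSON-lines input."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious_lsass_access(event):
            yield event["SourceImage"], event["GrantedAccess"]

# Constructed sample Sysmon events (not real telemetry).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Users\Public\updater.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"}),
]
if __name__ == "__main__":
    for src, access in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {src} opened lsass.exe with GrantedAccess={access}")
```

Only the second sample event fires: its source is outside the allowlist and its access mask includes the memory-read bit, whereas a query-only mask (0x1000) or an allowlisted system process does not alert.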