An extensive cyber-espionage operation is targeting the global aerospace, defence and aviation industries in Israel, the UAE, Turkey and Albania through a scheme known as the ‘Dream Job’ campaign. Orchestrated by an advanced Iranian threat group, TA455 — an affiliate of the notorious ‘Charming Kitten’ (aka APT35 and Smoke Sandstorm) — the campaign employs sophisticated social engineering tactics, posing as job recruiters to lure high-value targets.
The campaign’s modus operandi involves creating fake recruiter profiles on LinkedIn and job sites, offering prestigious-sounding positions in the aerospace and defence sectors to appeal to potential victims. Once a victim is interested, they are tricked into downloading files containing the malware SnailResin, which grants attackers access to their systems.
Using a DLL side-loading technique, TA455 can execute malicious code under the guise of trusted applications, making detection significantly more challenging. Once activated, SnailResin enables access to the victim’s data and collects critical information, including IP addresses and system details, to facilitate a staged infiltration process.
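DLL side-loading leaves a recognisable shape in endpoint telemetry: a DLL carrying the name of a Windows system library is loaded from the application's own folder instead of from a system directory. The following is an added detection example of my own, not code from the report or the campaign; the log lines and the list of commonly side-loaded DLL names are constructed assumptions.

```python
import ntpath

# Constructed Sysmon Event ID 7 (ImageLoad) records flattened to "key=value|..."
# lines. Every path here is invented for the example, not an indicator from the report.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\version.dll
Image=C:\Users\alice\Downloads\JobOffer\viewer.exe|ImageLoaded=C:\Users\alice\Downloads\JobOffer\version.dll
Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\helper.dll
Image=C:\Users\alice\AppData\Local\Temp\setup.exe|ImageLoaded=C:\Windows\SysWOW64\dbghelp.dll
Image=C:\Tools\tool.exe|ImageLoaded=C:\Tools\dbghelp.dll
""".strip().splitlines()

# Directories from which Windows legitimately loads its own libraries (lower-cased).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Small, assumed subset of Windows DLL names that trusted applications commonly
# import and that are therefore attractive to plant next to an executable.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll",
                    "wtsapi32.dll", "cryptbase.dll"}


def parse_events(lines):
    """Turn each 'key=value|key=value' line into a dict of fields."""
    return [dict(field.split("=", 1) for field in line.split("|")) for line in lines]


def _dir(path):
    return ntpath.dirname(path).lower()


def is_sideload_candidate(event):
    """True when a system-named DLL loads from the host executable's own directory."""
    dll = event["ImageLoaded"]
    if ntpath.basename(dll).lower() not in SYSTEM_DLL_NAMES:
        return False                       # not a name worth impersonating
    if _dir(dll) in SYSTEM_DIRS:
        return False                       # loaded from where Windows keeps it
    return _dir(dll) == _dir(event["Image"])  # planted beside the executable


def find_sideloads(events):
    """Return the ImageLoad events that match the side-loading heuristic."""
    return [e for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for hit in find_sideloads(parse_events(SAMPLE_LOG)):
        print(f"side-load candidate: {hit['Image']} -> {hit['ImageLoaded']}")
```

On the sample above two records are flagged: the viewer in the downloaded job-offer folder and the tool loading its own copy of dbghelp.dll; the system-directory loads and the vendor-specific helper.dll are left alone.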
In addition, TA455’s phishing strategy has been carefully crafted to target highly specialised professionals. Fake LinkedIn profiles tied to non-existent companies, such as ‘Careers 2 Find,’ have been created to legitimise these fictitious recruiters. The profiles use tactics to bypass initial suspicion, adding credibility to the job offers that ultimately deliver the malicious ZIP files.
Notably, the malware inside these files has been designed to evade antivirus detection — only five antivirus programs flagged it as dangerous, with some even misidentifying it as North Korean malware from the Kimsuky group.
To evade detection, TA455 has taken great care to mask its infrastructure by embedding its malware distribution within legitimate online services like GitHub and Cloudflare. By using platforms such as GitHub to host the addresses of its C2 servers, embedded in otherwise unremarkable text files, TA455 obscures its communications. This technique not only conceals the attacker’s infrastructure but also makes it difficult for cybersecurity teams to distinguish between legitimate and malicious activity.
Furthermore, TA455 uses Cloudflare to hide the actual location of its servers. One of the malicious domains identified, careers2find[.]com, hosted the SnailResin malware disguised as a job offer ZIP file. The domain was registered just four months before the malware’s deployment, suggesting that TA455 meticulously plans each attack and frequently rotates its infrastructure to avoid detection.
Further investigation revealed that the attacker used encoded communications to transmit sensitive C2 server data back to Iran while obscuring their tracks by alternating IP addresses and domains. This multi-stage infection chain begins with a spear-phishing email containing malicious job-related files, such as a PDF file that provides ‘safe browsing’ instructions to encourage the victim to open the infected attachment.
Experts recommend heightened vigilance in digital recruiting practices, staff training on recognising phishing attempts, and enhanced security around LinkedIn and job recruitment platforms.