CyberOwl has completed an investigation into a developing cyber campaign that’s impersonating players in Iranian oil and gas trade and targeting vessel captains directly.
As stated, CyberOwl has observed a phishing and malware campaign that has targeting organisations involved with trading Iranian oil and gas but which has also spread to others in the trading ecosystem including maritime operators.
The attacker set up a new domain vaproum[.]biz which was registered on 23 January 2025 and updated on 4 March 2025. This was used to send and receive emails.
From open source research it was identified that the vaproum[.]biz domain was used to send two phishing messages impersonating SGS (a Swiss based engineering company with operations in Iran) to Sepehr Energy Jahan Nemaye Pars Co. (an Iranian organisation trading oil and gas with links to the military) on 11 March 2025. The first message has an attached password protected rar file and the second has a gz file.
Targeting a vessel
CyberOwl observed a further instance of the campaign which was sent to the email address of a vessel captain on 17 April 2025. This email was impersonating F. Taghipour a commercial manager at Smart Exports LLC which is another Iranian organisation involved in oil and gas trading. The email was simple but used a number of specific terms which would have made it seem more legitimate to the vessel captain who received it.
The email had an attached zip file containing a javascript file which contained a multi-stage downloader. After the recipient opens the attachment the malware execution begins.
Malware analysis
The attached javascript file downloads and executes content from agout12.lovestoblog.com. LovesToBlog is a free hosting site which hides details of who operates the subdomains. CyberOwl detected the attempt to launch script interpreters from an email and took action to stop the attack and protect the client. The remaining malware analysis was conducted in a lab. The next stage downloads a jpg hosted on archive.org.
The jpg contains a hidden payload which decodes to executable code. This part of the attack overlaps with a small number of other campaigns also reported from March to May 2025 but with apparently different motivations. CyberOwl’s assumption is that the attacks are all using a shared malware-as-a-service platform but are ultimately conducted by different attackers.
There are also similarities with reported attacks from 2024 that named this jpg technique as “SteganoAmor” due to the use of steganography. The executable code from the jpg is loaded directly into memory to avoid detection. The code supports persistence through scheduled tasks and arbitrary command and control functions. The remote connection is to aguout12.lovestoblog.com. The final delivered malware in this case appears to be a variant of “Agent Tesla”.
This currently appears to be a little-known campaign that is impersonating and targeting organisations involved with Iranian oil and gas. Posts on X (formerly Twitter) suggest that one of the organisations has been recently breached by an Anonymous affiliate with the intention of exposing breaches of US sanctions on Iran. The most plausible theory is therefore that the incidents reported here are part of that Anonymous campaign.
However, the vessel where the attack was detected has no links to Iranian trading and thus the true motive may be different. At least one other campaign that used the jpg hosted on archive.org is reported to have a financially motivated objective. CyberOwl has also identified impersonation of a UAE based oil & gas entity and a Chinese shipping related email lure that could indicate a wider targeting of the sector but not linked to sanctions.
Recommendations
In addition to the usual defences for phishing threats – email scanning, crew training and 24×7 monitoring – this case raises two specific issues:
- The importance of considering the reputational impacts of a cyber-attack that reveals confidential information – particularly in light of a fast-changing sanctions environment.
- Ensuring you have a good understanding of your business’s operations when doing a risk assessment to understand what confidential information you are protecting.
According to Marlink’s global maritime cyber threat report, during the second half of 2024, (H2) there had been an evolution in cyber threats, as malicious actors have adopted increasingly efficient, structured, and business-like approaches to cybercrime. Cybercriminals have streamlined their tactics, enhanced their operational efficiency and have adopted emerging technologies to expand their attack capabilities.
