Campaign targeting Iranian oil and gas trading
CyberOwl has observed a phishing and malware campaign that has been targeting organisations involved in trading Iranian oil and gas, and which has also spread to others in the trading ecosystem, including maritime operators.
Attack preparation
The attacker registered a new domain, vaproum[.]biz, on 23 January 2025; its registration record was updated on 4 March 2025. The domain was used both to send the phishing emails and to receive replies to them.
First known attack
From open source research we identified that the vaproum[.]biz domain was used on 11 March 2025 to send two phishing messages impersonating SGS (a Swiss-based engineering company with operations in Iran) to Sepehr Energy Jahan Nemaye Pars Co. (an Iranian organisation trading oil and gas with links to the military). The first message had a password-protected RAR file attached and the second a GZ file; password protection stops a mail gateway from inspecting the archive's contents before delivery.
Targeting a vessel
CyberOwl observed a further instance of the campaign which was sent to the email address of a vessel captain on 17 April 2025.
This email impersonated F. Taghipour, a commercial manager at Smart Exports LLC, another Iranian organisation involved in oil and gas trading.
The email was simple but used a number of chartering-specific terms (LOI, CVC, TC) which would have made it seem legitimate to the vessel captain who received it.
I hope this message finds you well. Please find attached our official Letter of Intent regarding our request for a vessel to transport. We kindly ask you to review the LOI and share your best offer for both CVC and TC options. We look forward to your prompt response. Best regards, F. Taghipour Commercial Manager Smartexports Company
The email had a ZIP file attached containing a JavaScript file, which is a multi-stage downloader. Execution begins as soon as the recipient extracts and opens the .js file: on Windows, a double-clicked .js file is run by the Windows Script Host (wscript.exe), not displayed in a browser.
Malware analysis
The attached JavaScript file downloads and executes content from aguout12.lovestoblog[.]com. LovesToBlog is a free hosting service, so the subdomain reveals nothing about who operates it.
CyberOwl detected the attempt to launch a script interpreter from the email client, stopped the attack and protected our client. The remaining malware analysis was conducted in a lab.
The next stage downloads a JPG hosted on archive.org. The JPG contains a hidden payload which decodes to executable code. This part of the attack overlaps with a small number of other campaigns reported between March and May 2025 but with apparently different motivations [1]. Our assumption is that these attacks all use a shared malware-as-a-service platform but are ultimately conducted by different attackers. There are also similarities with attacks reported in 2024 that were named "SteganoAmor" because of the same use of steganography in JPG files [2].
The executable code recovered from the JPG is loaded directly into memory rather than written to disk, to avoid detection. The code supports persistence through scheduled tasks and arbitrary command-and-control functions. The remote connection is to aguout12.lovestoblog[.]com. The final payload delivered in this case appears to be a variant of "Agent Tesla", a widely sold information-stealing trojan.
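As an added illustration of the analysis step described above (example code written for this page, not CyberOwl's tooling): a small Python carver that pulls out data appended after a JPEG's End-Of-Image marker and base64-decodes it, then checks whether the result starts with a PE header. The page does not state exactly how the payload is embedded in the archive.org image, so the trailing-base64 layout, the minimal sample image bytes and the fake PE stub are all constructed assumptions; the point is the check a practitioner runs on a suspicious image before anything from it is executed.

```python
"""Carve a base64-encoded payload appended after a JPEG's End-Of-Image marker.

Added example for this page, not CyberOwl's tooling. ASSUMPTION: the page does
not say how the archive.org image hides its payload; "base64 text appended
after the 0xFFD9 EOI marker" is one common layout that keeps the image
rendering normally, and that is what this carver looks for.
"""
import base64
import re
from typing import Optional

SOI = b"\xff\xd8"  # JPEG Start-Of-Image marker
EOI = b"\xff\xd9"  # JPEG End-Of-Image marker
PE_MAGIC = b"MZ"   # every Windows PE file starts with this DOS header signature

# Base64 alphabet plus whitespace, so line-wrapped blobs are still accepted.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")

# Constructed minimal JPEG: SOI, one APP0/JFIF segment, EOI. Not a real photo.
CLEAN_JPEG = (
    SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + EOI
)


def trailing_bytes(jpeg: bytes) -> bytes:
    """Return everything after the last EOI marker (b'' for a clean image).

    Refuses non-JPEG or truncated input so a caller does not quietly treat an
    arbitrary file as a picture. Assumes the appended data is text (base64),
    so it cannot itself contain a stray 0xFFD9.
    """
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    end = jpeg.rfind(EOI)
    if end == -1:
        raise ValueError("truncated JPEG: no EOI marker")
    return jpeg[end + len(EOI):]


def carve_payload(jpeg: bytes) -> Optional[bytes]:
    """Decode a base64 blob appended to the image; None if nothing is there."""
    tail = trailing_bytes(jpeg).strip()
    if not tail or not _B64_RE.match(tail):
        return None
    try:
        decoded = base64.b64decode(re.sub(rb"\s+", b"", tail), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded or None


def looks_like_pe(payload: bytes) -> bool:
    """Cheap triage: a decoded Windows executable begins with 'MZ'."""
    return payload.startswith(PE_MAGIC)


def build_sample() -> bytes:
    """Construct a test image carrying a fake PE stub, as an attacker would."""
    fake_pe = PE_MAGIC + b"\x90" * 16 + b"This program cannot be run in DOS mode."
    return CLEAN_JPEG + base64.encodebytes(fake_pe)  # line-wrapped base64


if __name__ == "__main__":
    payload = carve_payload(build_sample())
    print("appended payload found:", payload is not None,
          "| PE header:", looks_like_pe(payload or b""))
```

Run it against a real sample with `carve_payload(open(path, "rb").read())`; a non-None result that passes `looks_like_pe` is enough to route the file to a sandbox rather than an image viewer. If the carver returns None on a file you already know is hostile, the embedding differs from the assumed layout (for example, data hidden inside a JPEG segment rather than after it) and a marker-by-marker walk of the segments is the next step.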
Conclusions
This currently appears to be a little-known campaign that is impersonating and targeting organisations involved with Iranian oil and gas. Posts on X (formerly Twitter) suggest that one of the organisations was recently breached by an Anonymous affiliate with the intention of exposing breaches of US sanctions on Iran [3]. Our most plausible theory is therefore that the incidents reported here are part of that Anonymous campaign.
However, the vessel where we detected this attack has no links to Iranian trading, so the true motive may be different. At least one other campaign that used the JPG hosted on archive.org is reported to have had a financial objective [1]. We have also identified impersonation of a UAE-based oil and gas entity and a Chinese shipping-related email lure, which could indicate wider targeting of the sector that is not linked to sanctions.
Recommendations
In addition to the usual defences for phishing threats – email scanning, crew training and 24×7 monitoring – this case raises two specific issues:
- The importance of considering the reputational impacts of a cyber-attack that reveals confidential information – particularly in light of a fast-changing sanctions environment.
- Ensuring you have a good understanding of your business's operations when doing a risk assessment, so that you know what confidential information you are protecting.
CyberOwl and DNV provide consultancy to assist with conducting a risk assessment. CyberOwl customers should enable the crew-facing warnings via the Medulla onboard dashboard to provide ongoing reinforcement of awareness training.
References
[1] https://x.com/SpiderLabs/status/1918301964296749466 X.com post by SpiderLabs reporting an overlapping campaign using a jpg on archive.org ultimately delivering Remcos Remote Access Trojan malware and with a financial lure.
[2] https://www.bleepingcomputer.com/news/security/new-steganoamor-attacks-use-steganography-to-target-320-orgs-globally/ Report from 2024 about use of similar jpg technique in a range of attacks focussed on Latin America.
[3] https://x.com/Simorgh_News/status/1917916927877357748 X.com post by “Si Morgh” reporting an Anonymous data breach of Sepehr Energy.
Indicators of compromise (IOCs)
The table below lists indicators that may indicate an attack. All items should be treated as malicious and CyberOwl strongly advises against directly accessing any of the domains or files listed.
| # | IOC | Description & recommendation |
|---|-----|------------------------------|
| 1 | vaproum[.]biz | Recently registered domain used as the reply address in phishing emails impersonating Iran-linked entities. Check email logs for any matches. |
| 2 | LOI_Vessel_Request.zip | Filename of an attachment that contains the initial malware. Check email logs for any matches. |
| 2 | Draft Documents.rar | Filename of an attachment that contains the initial malware. Check email logs for any matches. |
| 2 | Draft Documents.gz | Filename of an attachment that contains the initial malware. Check email logs for any matches. |
| 2 | InquiryNo 04032025.zip | Filename of an attachment that contains the initial malware. Check email logs for any matches. |
| 3 | LOI_Vessel_Request.js | Filename of the initial malware contained in the archive attached to the email. |
| 3 | ChineseTonanageDue.pdf.js | Filename of the initial malware contained in the archive attached to the email. |
| 3 | InquiryNo 04032025.vbe | Filename of the initial malware contained in the archive attached to the email. |
| 4 | e4293a8a871f20b700e122619df9fc6f3dff076df4180f89a59f3f959d9140f1 | SHA256 hash of initial malware attached to an email. Add as a custom hash to AV where supported. |
| 4 | 62a9e4fb2ece868a564497c17991c044e6a6dc9cf8f88fe004ce2ac90a25e180 | SHA256 hash of initial malware attached to an email. Add as a custom hash to AV where supported. |
| 4 | 86d0add359a099061caa3450bf91bed728623f2d574eeb80956e93bbc09733fb | SHA256 hash of initial malware attached to an email. Add as a custom hash to AV where supported. |
| 5 | aguout12.lovestoblog[.]com | Subdomain of a free blog-hosting site used to host elements of the malware. Check web proxy or DNS logs for any connections to this domain. |
| 6 | http://aguout12.lovestoblog[.]com/arquivo_26269d8c848344e18ffa1d8cf94172af.txt | Configuration file for the malware. |
| 7 | https://archive.org/download/new_image_20250413/new_image.jpg | Intermediate malware binary hidden in an image file. |
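As an added example (written for this page, not CyberOwl's detection content) of turning the table above into a check: a Python sweep that normalises defanged indicators, matches them against exported mail, DNS, proxy and process-creation events, and also flags the parent/child pattern CyberOwl blocked (a script interpreter spawned by the mail client). The indicator values are the page's own; the one-event-per-line key=value export format, the field names, the mail-client and script-host process names and all sample lines are constructed assumptions, so adapt the parser to whatever your own logging platform exports.

```python
"""Sweep exported log lines for the indicators listed on this page.

Added example, not CyberOwl's detection content. The indicator values come
from the IOC table; everything else is an ASSUMPTION made for the demo: the
one-event-per-line key=value export format, the field names, which processes
count as mail clients and script hosts, and the sample lines.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit


def refang(s: str) -> str:
    """Turn the defanged forms used in reports back into matchable strings."""
    return s.replace("[.]", ".").replace("hxxp", "http")


# Indicators from the table, lower-cased; domains stored defanged and refanged here.
DOMAINS = {refang(d) for d in ("vaproum[.]biz", "aguout12.lovestoblog[.]com")}
FILENAMES = {
    "loi_vessel_request.zip", "draft documents.rar", "draft documents.gz",
    "inquiryno 04032025.zip", "loi_vessel_request.js",
    "chinesetonanagedue.pdf.js", "inquiryno 04032025.vbe",
}
HASHES = {
    "e4293a8a871f20b700e122619df9fc6f3dff076df4180f89a59f3f959d9140f1",
    "62a9e4fb2ece868a564497c17991c044e6a6dc9cf8f88fe004ce2ac90a25e180",
    "86d0add359a099061caa3450bf91bed728623f2d574eeb80956e93bbc09733fb",
}
URL_PATHS = {
    "/arquivo_26269d8c848344e18ffa1d8cf94172af.txt",  # config file on lovestoblog
    "/download/new_image_20250413/new_image.jpg",     # stego image on archive.org
}
# ASSUMED process names for the "script interpreter launched from email" rule.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value with spaces"


@dataclass
class Hit:
    source: str     # mail / dns / proxy / process: first token of the line
    kind: str       # domain / filename / sha256 / url_path / parent_child
    indicator: str
    line: str


def _hosts(f: dict) -> set:
    """Hostnames a line touches: DNS query name, sender domain, URL host."""
    hosts = set()
    if "query" in f:
        hosts.add(f["query"])
    if "from" in f:
        hosts.add(f["from"].rsplit("@", 1)[-1])
    if "url" in f and urlsplit(f["url"]).hostname:
        hosts.add(urlsplit(f["url"]).hostname)
    return hosts


def sweep(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per (line, indicator) match; a line can yield several."""
    hits: List[Hit] = []
    for raw in lines:
        line = refang(raw.strip()).lower()
        if not line:
            continue
        source = line.split()[0]
        f = {k: v.strip('"') for k, v in _KV.findall(line)}
        for host in _hosts(f) & DOMAINS:
            hits.append(Hit(source, "domain", host, raw))
        if f.get("sha256") in HASHES:
            hits.append(Hit(source, "sha256", f["sha256"], raw))
        if f.get("attachment") in FILENAMES:
            hits.append(Hit(source, "filename", f["attachment"], raw))
        for name in FILENAMES:  # substring check so names with spaces still match
            if name in f.get("cmdline", ""):
                hits.append(Hit(source, "filename", name, raw))
        if "url" in f and urlsplit(f["url"]).path in URL_PATHS:
            hits.append(Hit(source, "url_path", urlsplit(f["url"]).path, raw))
        if f.get("parent") in MAIL_CLIENTS and f.get("image") in SCRIPT_HOSTS:
            hits.append(Hit(source, "parent_child", f"{f['parent']} -> {f['image']}", raw))
    return hits


# Constructed sample export: one hostile and one benign event per source type.
SAMPLE_LOG = [
    'mail from=quotes@vaproum[.]biz to=captain@example.test attachment="LOI_Vessel_Request.zip" sha256=e4293a8a871f20b700e122619df9fc6f3dff076df4180f89a59f3f959d9140f1',
    'mail from=ops@example.test to=captain@example.test attachment="voyage_plan.pdf" sha256=0000000000000000000000000000000000000000000000000000000000000000',
    "dns client=10.0.5.12 query=aguout12.lovestoblog[.]com",
    "dns client=10.0.5.12 query=archive.org",
    "proxy client=10.0.5.12 url=https://archive.org/download/new_image_20250413/new_image.jpg",
    "proxy client=10.0.5.12 url=https://archive.org/details/some_public_item",
    r'process host=BRIDGE-PC parent=outlook.exe image=wscript.exe cmdline="wscript.exe C:\Users\captain\AppData\Local\Temp\LOI_Vessel_Request.js"',
    r'process host=BRIDGE-PC parent=explorer.exe image=winword.exe cmdline="winword.exe C:\Users\captain\Documents\charter.docx"',
]

if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG):
        print(f"{h.source:8} {h.kind:12} {h.indicator}")
```

Two design points worth keeping when adapting this: archive.org is deliberately not in the domain set (it is a legitimate site that crews may use), so the image is matched on its full URL path instead; and the parent/child rule is the only indicator that survives the attacker rotating domains, filenames and hashes, which is why it is the one CyberOwl's detection fired on.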
Related sandbox reports
https://bazaar.abuse.ch/sample/2a38bd86c919173196730db4e0189397c14d5c8d5610dcd988e73f044e452436/
https://bazaar.abuse.ch/sample/0acda0e83e906e4322ee4d96a282bfa8dc23492202e4eef22f939c30f1bd641c/