Overview:
- Phish Tale of the Week
- Iranian Hackers Deploy MURKYTOUR Malware in Fake Job Campaign Targeting Israel
- Curing: New io_uring Linux Rootkit Evades System Call-Based Detection
- How can Netizen help?
Phish Tale of the Week
Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as an unnamed company. They’re sending us a text message, telling us that we should join some sort of stock trading group where they share “trusted analyst signals.” It seems both urgent and genuine, so why shouldn’t we? Luckily, there’s plenty of reasons that point to this being a scam.
Here’s how we can tell not to fall for this phish:
- The first warning sign for this SMS is the context in which it was sent. When I recieved this SMS, I immediately knew not to click on the link due to the fact that I did not recently sign up for any information regarding a “Daily Exchange Trend Overview.” On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity.
- The second warning signs in this email is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “Typical daily income: 1K-5K.” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through SMS.
- The final warning sign for this email is the wording; in our case the smisher uses the incomplete sentence “Daily Exchange Trend Overview Mitigate your risks.” All of these factors point to the above being a smishing text, and a very unsophisticated one at that.
General Recommendations:
A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.
- Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
- Verify that the sender is actually from the company sending the message.
- Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
- Do not give out personal or company information over the internet.
- Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
Cybersecurity Brief
In this month’s Cybersecurity Brief:
Iranian Hackers Deploy MURKYTOUR Malware in Fake Job Campaign Targeting Israel
Iran-linked hacking group UNC2428 has been implicated in a highly targeted phishing campaign that delivered a new backdoor malware, MURKYTOUR, under the guise of a job opportunity with a major Israeli defense contractor. The social engineering operation, observed in October 2024, is part of an ongoing series of cyber-espionage attacks that leverage deception and custom-built malware to compromise victims in Israel.
According to Google-owned threat intelligence firm Mandiant, the Iranian threat actor UNC2428 orchestrated a multi-stage attack by posing as recruiters from Rafael Advanced Defense Systems, a prominent Israeli defense company. The group directed victims to a fake website mimicking Rafael’s legitimate domain and asked them to download an application tool—RafaelConnect.exe—which appeared to facilitate the job application process.
In reality, RafaelConnect.exe was a trojanized installer called LONEFLEET. It featured a realistic-looking graphical user interface (GUI) that requested personal information and a résumé upload. Behind the scenes, it executed MURKYTOUR, a custom malware implant that provided persistent access to the victim’s system. Mandiant confirmed the use of LEAFPILE, a launcher used to initiate MURKYTOUR silently while keeping the victim engaged with the fake application.
“The use of legitimate-looking GUIs helps these Iranian threat actors reduce suspicion during installation,” Mandiant stated in its 2025 M-Trends report. “By mimicking the exact look and feel of recruitment portals, the malware deployment becomes seamless.”
The techniques used by UNC2428 closely resemble tactics previously attributed to Black Shadow, a group linked to Iran’s Ministry of Intelligence and Security (MOIS). Israel’s National Cyber Directorate has associated Black Shadow with multiple campaigns targeting sectors such as finance, healthcare, transportation, academia, and government services.
Mandiant emphasizes that UNC2428 is just one of several Iran-backed hacking clusters targeting Israeli interests throughout 2024.
Other Active Iranian Threat Groups in 2024
One notable Iranian threat group, Cyber Toufan, emerged with a wiper malware named POKYBLIGHT, used against Israeli-based systems. The wiper campaign appeared to focus on data destruction and operational disruption.
Mandiant also tracked UNC3313, another Iran-affiliated espionage group, which distributed malware like JELLYBEAN and CANDYBOX through phishing lures themed around training and webinars. UNC3313 is known to rely heavily on remote monitoring and management (RMM) tools—nine different ones to date—to maintain access while evading traditional detection mechanisms.
These tactics mirror those of MuddyWater (aka Static Kitten), a well-known Iranian cyber-espionage group with similar infrastructure and techniques.
In a separate campaign observed in July 2024, Mandiant discovered that Iranian hackers distributed a .NET-based backdoor dubbed CACTUSPAL by disguising it as a legitimate installer for Palo Alto Networks’ GlobalProtect VPN software. Once launched, the malware stealthily verified its process and connected to a command-and-control (C2) server, establishing persistent access.
Meanwhile, UNC1549—another Iranian threat actor—has adapted its tactics by embedding malicious infrastructure into cloud-based environments. Hosting C2 nodes and payloads on popular cloud platforms, they have been able to disguise malicious activity as normal enterprise traffic.
“These methods allow Iranian APTs to fly under the radar by blending into enterprise network behavior,” said Mandiant. “Typosquatting and domain reuse are now combined with advanced cloud-native deception.”
The group APT42, also known as Charming Kitten, is notorious for credential harvesting. They create highly convincing fake login pages for platforms like Google, Yahoo, and Microsoft, often redirecting users through services such as Google Sites and Dropbox to create credible landing pages. Their phishing tactics often involve rapport-building with victims, posing as trusted contacts or employers.
Across all Iranian operations documented by Mandiant in 2024, over 20 unique malware families were identified—including custom backdoors, droppers, and downloaders. Among these, DODGYLAFFA and SPAREPRIZE have been used by APT34 (also known as OilRig) in operations aimed at Iraqi government systems.
Iran-backed cyber operations are intensifying in scale and technical sophistication, particularly against Israeli interests. These operations demonstrate an evolving threat model, one that blends stealthy malware, deception, and cloud-based infrastructure.
Mandiant warns that organizations operating in the region should remain on high alert. “Iran-nexus threat actors will continue adjusting their strategies to align with geopolitical interests,” the firm stated. “Defenders should expect more sophisticated lures, stealthier malware, and faster deployment cycles in 2025 and beyond.”
To read more about this article, click here.
Curing: New io_uring Linux Rootkit Evades System Call-Based Detection
A new proof-of-concept Linux rootkit called Curing reveals a dangerous blind spot in many popular runtime security tools by abusing the Linux io_uring interface to operate without triggering system calls. This evasion tactic highlights a growing risk for Linux environments relying on syscall-based monitoring for threat detection.
Introduced in Linux kernel 5.1 in 2019, io_uring is an asynchronous I/O mechanism designed to improve performance by reducing context switches. It enables communication between user space and the kernel through shared submission and completion queues, allowing applications to perform I/O without the overhead of traditional system calls.
While this boosts performance, it also presents a security problem: actions executed through io_uring can avoid detection from tools that rely on system call hooks.
The Curing rootkit, developed as a proof-of-concept by security researchers at ARMO, establishes a backchannel with a command-and-control (C2) server and executes commands entirely through io_uring. This allows it to avoid generating system calls altogether, making its activity invisible to tools that depend on syscall-based detection.
According to ARMO, this represents a major visibility gap in Linux runtime security.
“This mechanism allows a user application to perform various actions without using system calls,” ARMO explained. “As a result, security tools relying on system call monitoring are blind to rootkits working solely on io_uring.”
Popular Linux runtime security tools such as Falco and Tetragon are not equipped to detect threats like Curing. These tools rely on system call hooks to monitor runtime behavior, and because io_uring operations do not use system calls, they go unnoticed.
This limitation underscores the need for more advanced detection methods that go beyond syscall monitoring and incorporate deeper visibility into kernel-level operations.
Google previously flagged io_uring as a potential security concern. In 2023, the company began restricting its use across Android, ChromeOS, and internal production systems due to its ability to support powerful exploitation techniques.
Traditional rootkits often rely on intercepting system calls or modifying kernel modules. Curing demonstrates that attackers no longer need to use these techniques to remain stealthy. By using io_uring, malware can operate entirely outside the detection scope of many current endpoint security tools.
“System calls aren’t always guaranteed to be invoked,” said ARMO’s Head of Security Research Amit Schendel. “io_uring, which can bypass them entirely, is a great example. It represents a powerful tool for attackers and a blind spot for defenders.”
To read more about this article, click here.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
