Beware: The Job Offer of Your Dreams Could Be Malware Sent by Iranian Hackers.
Iranian state-sponsored actors have revived an old online scheme.
Researchers at ClearSky have identified a campaign in which Iranian state-sponsored actors target aerospace professionals with fraudulent job offers. The goal is to install backdoors on the victims' systems and exfiltrate valuable information. The threat group, tracked as TA455, has built fake recruitment sites and fictitious recruiter profiles on social media platforms such as LinkedIn to approach its targets, and then urges them to download files as part of a supposed onboarding process.
Among these files is the malware SnailResin, a loader whose job is to deliver the SlugResin backdoor. SlugResin is capable of exfiltrating data, establishing command and control (C2) communication, and maintaining persistence on compromised systems. The campaign, dubbed "Dream Job," has been active since at least September 2023 and may have started earlier.
TA455 is linked to the Islamic Revolutionary Guard Corps of Iran (IRGC) and shows overlaps with the Iranian group tracked as APT35, also known as TA453 and Charming Kitten. Beyond the aerospace sector, the group has also been observed attacking defense entities and governments in the Middle East, Europe, and the United States, mainly conducting cyber espionage to collect sensitive information for geopolitical intelligence purposes.
What is particularly interesting is that this campaign mirrors the playbook of Lazarus, a North Korean state-sponsored group known for using fake job offers in some of its most damaging campaigns, particularly against the cryptocurrency sector. ClearSky's researchers note that it is unclear whether TA455 is imitating Lazarus, deliberately using Lazarus's activity as cover for its own operations, or whether there is some form of cooperation between the two.
As a result, individuals, and professionals in the aerospace and defense sectors in particular, are advised to be cautious with unsolicited job offers, especially those that sound too good to be true. Verify the recruiter and the vacancy through the company's official channels rather than through links supplied in the approach, and treat any request to download and run files during "onboarding" as a red flag.