Iran's 'Peach Sandstorm' Cyberattackers Target Global Defense Network

Microsoft has observed the Iranian nation-state cyberattackers known as Peach Sandstorm attempting to deliver a backdoor to individuals working for organizations in the military-industrial sector.

In a series of messages on X, formerly Twitter, Microsoft Threat Intelligence said the Peach Sandstorm advanced persistent threat (aka APT33, Elfin, Holmium, or Refined Kitten) has been attempting to deliver the FalseFont backdoor to various organizations within the global infrastructure that enables the research and development of military weapons, systems, subsystems, and components.

Microsoft Threat Intelligence says FalseFont is a custom backdoor with a "wide range of functionalities" that allow operators to remotely access an infected system, launch additional files, and send information to its command and control servers.

FalseFont was first observed being used against targets in early November. It was not clear if there were any detections of successful infections.

Microsoft said Peach Sandstorm has consistently demonstrated interest in organizations in the satellite and defense sectors in 2023. The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting the group is continuing to improve their tradecraft.