Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week
Fresh research demonstrates the sophistication and capability of state-sponsored threat actors to compromise diverse targets


New research has shown the flexibility of threat actors to rapidly iterate attack patterns in order to bypass security controls.
An investigation from security firm Proofpoint into a recent attack targeting a nuclear security expert at a US-based think tank revealed how well-resourced attackers change tactics on the fly to compromise different machines.
After realizing their initial payload wouldn’t work on a Mac, they quickly pivoted to new techniques known to work on targets who used Apple hardware.
The sophisticated operation saw skilled threat actors devise a seemingly benign email chain with the high-profile target and continue the conversation over the course of weeks to build trust and rapport, exploiting that to launch further attacks.
How the attack unfolded
The mid-May 2023 attack came from TA453, an Iranian state-affiliated threat actor also tracked as Charming Kitten, APT42, Mint Sandstorm and Yellow Garuda, who posed as members of the Royal United Services Institute (RUSI).
Using a multi-persona approach, the attackers - known for conducting espionage operations - started an email chain with the target seemingly seeking feedback on a project titled ‘Iran in the Global Security Context’.
The attackers sent multiple messages from different accounts, all referencing each other to generate a feeling of authenticity - a technique seen before in email hijacking campaigns.
After a single seemingly benign interaction, a malicious Google Script macro was delivered, intended to direct the target to a Dropbox URL. The URL hosted a password-encrypted .rar file, which contained a dropper masquerading as a PDF but was actually a Windows LNK file.
Using LNK files has been a hallmark of cyber attacks since Microsoft blocked VBA macros by default last year. Exploiting VBA macros had for years been the go-to method for installing malware using maliciously crafted Microsoft 365 files.
Proofpoint said, “Using a .rar and LNK file to deploy malware differs from TA453’s typical infection chain of using VBA macros or remote template injection”.
“The LNK enclosed in the RAR used PowerShell to download additional stages from a cloud hosting provider.”
However, the target was using an Apple computer, so the delivered file would not run. The payload it attempted to install was a newly identified PowerShell-based backdoor called GorjolEcho.
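A content-based check for the disguise described above (a Windows shortcut posing as a PDF inside a delivered archive), added here as an example and not taken from Proofpoint's report; the member names and byte prefixes in the sample are constructed:

```python
"""Triage extracted archive members for the LNK-disguised-as-PDF pattern."""
from dataclasses import dataclass

# Every Shell Link (.lnk) file starts with HeaderSize 0x0000004C followed by
# the LinkCLSID {00021401-0000-0000-C000-000000000046}; these 20 bytes are
# a reliable content-based signature independent of the file name.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")
PDF_MAGIC = b"%PDF-"
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}

@dataclass
class Member:
    name: str    # file name as stored in the (already extracted) archive
    head: bytes  # first bytes of the member's content

def classify(head: bytes) -> str:
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"

def triage(members):
    """Return (name, reason) pairs for members that warrant a closer look."""
    findings = []
    for m in members:
        kind = classify(m.head)
        parts = m.name.lower().split(".")
        if kind == "lnk":
            # A shortcut delivered in an archive is suspicious on its own: its
            # target command line runs whatever it points at (here PowerShell).
            findings.append((m.name, "shortcut (LNK) delivered inside archive"))
            # Explorer never shows the .lnk extension, so "x.pdf.lnk" is
            # displayed as "x.pdf" with whatever icon the shortcut requests.
            if parts[-1] != "lnk" or (len(parts) > 2 and parts[-2] in DOC_EXTS):
                findings.append((m.name, "LNK disguised with a document extension"))
        elif kind == "pdf" and parts[-1] != "pdf":
            findings.append((m.name, "PDF content under a non-PDF extension"))
    return findings

# Constructed sample: one genuine PDF decoy and one disguised shortcut.
SAMPLE = [
    Member("project_feedback.pdf", PDF_MAGIC + b"1.7\n%\xe2\xe3\xcf\xd3"),
    Member("project_feedback.pdf.lnk", LNK_MAGIC + b"\x9b\x00\x08\x00"),
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE):
        print(f"[!] {name}: {reason}")
```

Because the archive was password-protected, a gateway scanner never sees the members; a check like this belongs on the endpoint after extraction or in a detonation sandbox.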
Once it realized GorjolEcho would not execute on macOS, TA453 then pivoted to re-launch the attack at a later date using a ported version of the backdoor that worked on Apple hardware.
The attackers continued the same seemingly innocent email conversation with the target and roughly a week after the initial Windows-based attempt, they relaunched the attack with the Apple-ported backdoor.
In this case, the malware was delivered via a password-protected ZIP file masquerading as a RUSI VPN solution and shared drive.
After some interactions with the threat actor, the user would be persuaded to open the file. A series of bash scripts would have then installed a backdoor, dubbed NokNok.
Proofpoint judged that this was intended to serve as a foothold for further instruction and was almost certainly a port of the PowerShell backdoor.
The incident serves as a reminder of the adaptability of the threat actors. In this instance, LNK files were sent instead of Microsoft Word documents with macros, and swiftly ported to macOS when the opportunity arose.
The state of Mac malware
As Apple hardware has become progressively more popular in the enterprise, it has become correspondingly more of a target for threat actors.
That said, according to Apple management specialist Jamf, in 2022 there was a drop in new malware infections.
In its 2023 State of Malware report, Malwarebytes noted that while Mac malware was rare, it did exist. 11% of machines with detection events were infected by malware.
However, Michael Covington, VP of portfolio strategy at Jamf, told ITPro that 2023 had been a very active period for Apple security.
He said: “In the first half of the year, we saw some noteworthy developments in the threat landscape indicating that attacks against Apple devices were changing, both in terms of intensity and purpose”.
“During this time, we saw the first real instance of ransomware emerge that was built specifically to target macOS. We also saw new malware in distribution, attributed to state-sponsored attackers, that used novel evasion techniques to avoid detection and bypass built-in platform protections to take root.”
Covington also noted the rise of cryptojacking threats aimed at Apple processors and the continued evolution of spyware being used against high-risk individuals - primarily in government and media, but also commended Apple’s actions to address active exploits.
He also warned of the risk posed by gullible or distracted users, particularly with regard to phishing attacks.
Proofpoint’s research is evidence of the adaptability of threat actors, their ability to respond to changes in the environment, and the continually evolving threat landscape.
Joshua Miller of Proofpoint said: “TA453’s capability and willingness to devote resources into new tooling to compromise its targets exemplifies the persistence of state-aligned cyber threats”.
“The threat actor’s continued efforts to iterate their infection chains to bypass security controls demonstrate how important a strong community-informed defense is to frustrate even the most advanced adversaries.”

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.