APT35 Hackers Targeting Government, Military Organizations to Breach Login Credentials
“Recently, APT35 hackers have started targeting government and armed forces organizations to steal confidential data.”
Government and military networks around the world have seen a spike in targeted intrusions attributed to APT35 (also tracked as Charming Kitten), an Iranian state-aligned threat group, in recent months.
The campaign, first observed in early 2025, uses purpose-built malware to get past perimeter defenses and harvest user credentials.

Early indicators of compromise point to spear-phishing emails carrying HTML attachments that, when opened, quietly drop a multi-stage payload into the target environment.
According to the analysis of the attack chain, the initial vector is frequently a weaponized message that exploits CVE-2023-23397, the Outlook vulnerability in which a crafted reminder property causes the client to authenticate to an attacker-controlled share and leak the user's Net-NTLMv2 hash. Because the flaw fires when Outlook processes the message, no Office document has to be opened for it to trigger.
The embedded code first pulls down a PowerShell stager, which then retrieves the main credential-stealer module from a remote command-and-control (C2) server.
Stormshield researchers observed this seamless progression from initial exploit to covert reconnaissance and credential exfiltration while investigating a defense ministry network compromise in April.
Once installed, the malware masquerades as legitimate system activity to avoid detection. It hooks the Windows Security Support Provider Interface (SSPI) to intercept NTLM challenge-response exchanges and keeps the captured hashed credentials in memory.

These hashes are then sent to the attacker's infrastructure, where a combination of pass-the-hash and offline hash cracking is used to gain access to privileged accounts on high-value servers. Which technique applies depends on what was captured: an NT hash lifted from memory can be replayed directly, whereas a Net-NTLMv2 challenge-response recorded on the wire cannot be passed and must first be cracked to recover the password.
The impact was significant: numerous accounts within military communications networks were compromised without triggering conventional intrusion detection systems.
In one recorded instance the stager declares a P/Invoke wrapper for the LSA logon API in secur32.dll, which is how it reaches the Windows authentication subsystem from PowerShell:

```powershell
# Captured stager fragment (as reported): P/Invoke declaration for LsaLogonUser
# in secur32.dll, compiled in memory via Add-Type. The parameter types are as
# captured and are simplified relative to the documented LsaLogonUser prototype.
$sspi = Add-Type -MemberDefinition @"
[DllImport("secur32.dll", CharSet=CharSet.Auto)]
public static extern int LsaLogonUser(
    IntPtr LsaHandle, string OriginName, uint LogonType, uint LogonPackage,
    IntPtr AuthenticationInfo, uint AuthenticationInfoLength, IntPtr LocalGroups,
    IntPtr SourceContext, out IntPtr ProfileBuffer, out uint ProfileBufferLength,
    out uint LogonId, out IntPtr Token, out uint Quotas, out uint SubStatus);
"@ -Name "Lsa" -Namespace "WinAPI" -PassThru
```
Mechanism of Infection
The core of the infection mechanism is a two-stage downloader that first profiles the victim's environment.
After a successful exploit, the initial stager enumerates loaded kernel modules and queries registry keys for installed security tools.
If a known analysis sandbox is detected, execution halts to frustrate reverse engineering. Otherwise the stager decodes a base64-encoded second-stage payload, writes it to %AppData%\Roaming\msnetcache.dll, and loads it with rundll32.exe.
Screenshot from viliam.ude-final[.]online (Source – Stormshield)
This DLL implements the SSPI hook logic, intercepts credentials, and exfiltrates them in HTTP GET requests to the C2 host over port 443, blending in with legitimate HTTPS traffic.
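As an added example (not code from the page or from Stormshield), the following Python correlates Sysmon-style process-create (EID 1) and file-create (EID 11) events to flag the chain described above: an Office process spawning a script host, the script host dropping a DLL under a user-writable path, and rundll32.exe then loading that same DLL. The event lines, host names, PIDs and paths are constructed; the key=value format stands in for whatever your SIEM normalizes Sysmon events to, and only the parse() function needs changing for a real feed.

```python
"""Correlate Sysmon-style EID 1 (process create) and EID 11 (file create) events
to detect the Office -> script host -> AppData DLL -> rundll32 chain.
Added example; the event lines below are constructed, not real telemetry."""
import re
from collections import defaultdict

# Constructed sample telemetry in a simplified key=value|key=value form.
SAMPLE_EVENTS = [
    "eid=1|host=WS01|pid=4100|ppid=3980|parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=powershell.exe -nop -w hidden -enc SQBFAFgA",
    "eid=11|host=WS01|pid=4100|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|target=C:\\Users\\alice\\AppData\\Roaming\\msnetcache.dll",
    "eid=1|host=WS01|pid=4212|ppid=4100|parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|image=C:\\Windows\\System32\\rundll32.exe|cmd=rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\msnetcache.dll,DllRegisterServer",
    # Benign noise: Control Panel applet via rundll32, and a browser download.
    "eid=1|host=WS01|pid=5000|ppid=1200|parent=C:\\Windows\\explorer.exe"
    "|image=C:\\Windows\\System32\\rundll32.exe|cmd=rundll32.exe shell32.dll,Control_RunDLL",
    "eid=11|host=WS02|pid=6100|image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|target=C:\\Users\\bob\\Downloads\\report.pdf",
]

OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)
DLL_IN_CMDLINE = re.compile(r"([A-Za-z]:\\[^,\s]+\.dll)", re.I)


def parse(line: str) -> dict:
    """Turn one key=value|key=value line into a dict (adapt for your SIEM schema)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return findings as (severity, rule, host, detail) tuples in event order.
    Per-host state links a DLL dropped by a script host to a later rundll32 load."""
    findings = []
    dropped_dlls = defaultdict(set)  # host -> lowercase DLL paths written by script hosts
    for ev in map(parse, lines):
        host = ev["host"]
        if ev["eid"] == "11":
            target = ev["target"]
            if (basename(ev["image"]) in SCRIPT_HOSTS and target.lower().endswith(".dll")
                    and USER_WRITABLE.search(target)):
                dropped_dlls[host].add(target.lower())
                findings.append(("medium", "script_host_drops_dll", host, target))
        elif ev["eid"] == "1":
            parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmd"]
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS | {"rundll32.exe"}:
                findings.append(("medium", "office_spawns_script_host", host, cmd))
            if image == "rundll32.exe":
                m = DLL_IN_CMDLINE.search(cmd)
                if m and USER_WRITABLE.search(m.group(1)):
                    # Escalate when the DLL being loaded is one a script host just wrote.
                    if m.group(1).lower() in dropped_dlls[host]:
                        findings.append(("high", "rundll32_loads_dll_dropped_by_script_host", host, cmd))
                    else:
                        findings.append(("medium", "rundll32_user_writable_dll", host, cmd))
    return findings


if __name__ == "__main__":
    for sev, rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{sev.upper():6}] {rule:45} {host}  {detail}")
```

Each rule alone is noisy in a large estate (administrators do run rundll32 against odd paths), which is why the correlation step matters: the high-severity finding fires only when the DLL that rundll32 loads is the same file a script host wrote moments earlier on the same host. In production, add a time window to the per-host state and key it on user as well as host.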
Overall, the campaign shows APT35's growing skill at embedding itself deep in trusted systems and abusing native APIs to harvest credentials without leaving obvious artifacts.
Sustained, detailed behavioral monitoring is essential to catch such covert intrusions before critical access is compromised.
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, the latest trends in cyber awareness, and ethical hacking.