Researchers have uncovered a campaign, active since September 2023 and dubbed the “Iranian Dream Job Campaign,” in which the Iranian threat actor TA455 (also tracked as UNC1549) has been targeting the aerospace industry with fake job offers.
In a Nov. 12 blog post, researchers from ClearSky Cyber Security said the campaign delivered the SnailResin malware, which in turn activates the SlugResin backdoor. ClearSky attributes both malware programs to a subgroup of the Iranian group Charming Kitten, which Mandiant tracks as APT35.
What makes this case notable is that some researchers’ detections flagged the malware files as belonging to North Korea’s Kimsuky/Lazarus APT groups.
“The similar ‘Dream Job’ lure, attack techniques, and malware files suggest that either Charming Kitten was impersonating Lazarus to hide its activities, or that North Korea shared attack methods and tools with Iran,” wrote the ClearSky researchers.
These industry-specific, job-themed social engineering attacks from TA455 demonstrate an AI-enabled evolution in attack precision, making it economical to target sectors like aerospace where specialized talent and valuable intellectual property converge, explained Stephen Kowski, Field CTO at SlashNext Email Security.
“We've seen historically that these job campaigns were generalized and focused on university settings, where students eagerly seeking opportunities become prime targets for malicious actors using weaponized PDFs and harmful compressed archives,” said Kowski. “Modern security solutions capable of real-time detection of malicious content are crucial, as traditional email security often fails to catch these highly targeted attacks that masquerade as legitimate job offers and professional networking attempts.”
Sarah Jones, cyber threat intelligence research analyst at Critical Start, said advanced persistent threat actors, including state-sponsored groups, have frequently used job-themed social engineering tactics to target individuals and organizations.
“These campaigns exploit the natural human desire for career advancement and new opportunities,” said Jones. “Threat actors craft convincing job postings, set up seemingly legitimate front companies, and engage targets through professional channels like LinkedIn.”
Tom Hegel, principal threat researcher at SentinelOne, added that these attackers target employees through personal channels like LinkedIn and personal email, often bypassing enterprise defenses.
“Since job hunting is personal, employees may not disclose these interactions to their employer, increasing vulnerability,” said Hegel. “In a competitive job market, these lures can be especially tempting. To counteract this, organizations should educate their employees on the risks of engaging with unsolicited job offers and emphasize caution with social media interactions, where attackers can easily impersonate legitimate contacts with malicious intent. This attack technique is not unique to North Korea or Iran.”