December 22, 2023 at 11:52AM
Microsoft observed the Iranian nation-state threat actor Peach Sandstorm delivering the FalseFont backdoor to individuals within the military-industrial sector, targeting global infrastructure that supports military research. FalseFont provides remote access, execution of additional files, and transmission of data to its command-and-control servers. It was first observed in early November, and the group's ongoing improvements to it suggest continued interest in the satellite and defense sectors.
From the meeting notes, it is clear that Microsoft has observed the Iranian nation-state threat actor known as Peach Sandstorm attempting to deliver a backdoor to individuals working for organizations in the military-industrial sector.
The backdoor, named FalseFont, is a custom implant with a wide range of functionality: it allows operators to remotely access infected systems, launch additional files, and send information to its command-and-control servers. Although it was first observed in early November, it is not clear whether any successful infections were detected.
Microsoft has noted that Peach Sandstorm consistently showed interest in organizations in the satellite and defense sectors throughout 2023. The development and use of FalseFont is consistent with the Peach Sandstorm activity Microsoft observed over the past year, indicating the group's continuous efforts to improve its tradecraft.