Defense firms targeted with dangerous new malware, Microsoft warns

A white padlock on a dark digital background.
(Image credit:

Iranian state-sponsored hackers are targeting defense contractors worldwide with information-stealing malware, experts at Microsoft have warned.

According to the team, a group called APT33 (AKA Peach Sandstorm, HOLMIUM) is going after companies that research and develop military weapons systems and other gear, with a new piece of malware called FalseFont.

"Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector," the company said.


There are more than 100,000 companies in this industry, BleepingComputer added.

While Microsoft didn’t detail exactly how Peach Sandstorm was dropping FalseFont to target endpoints, it’s safe to assume the usual methods: phishing emails, social engineering, and unpatched device vulnerabilities. Microsoft said that FalseFont can grant its operators access to compromised systems, giving them the ability to execute files and steal sensitive data.

The backdoor is still being developed, they added.

"The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve their tradecraft," the company concluded. FalseFont was first spotted in early November this year. 

To protect against such attacks, organizations in the DIB sector are advised to reset their passwords, revoke session cookies, and secure accounts, RDP, and Windows Virtual Desktop endpoints, with multi-factor authentication (MFA). 

APT33 has been around for years, and TechRadar Pro has reported on its activities numerous times in these past couple of years. The group has allegedly been active for a decade and was spotted this September targeting thousands of organizations all over the world with password spray attacks.

"Between February and July 2023, Peach Sandstorm carried out a wave of password spray attacks attempting to authenticate to thousands of environments," Microsoft’s researchers said at the time. "Throughout 2023, Peach Sandstorm has consistently demonstrated interest in US and other country's organizations in the satellite, defense, and to a lesser extent, pharmaceutical sectors."

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.