Citizen Lab researchers spotted a malware operation, dubbed Group5, targeting “well connected” Syrian opposition.
The scheme uses a range of techniques to exploit Windows and Android devices, but the group behind the attacks is using tools and tactics that have not yet been observed in the Syrian conflict. Researchers said the malware's operators appear to be comfortable with tools written in Iranian Persian dialect and are using Iranian hosting companies, according to an Aug. 2 blog post.
The group has also run parts of the operation from Iranian IP space.
Researchers spotted the campaign in 2015 when a member of the Syrian opposition received a strange email containing a file which redirected the recipient to a malicious site.
“From this initial message, we uncovered a watering hole website with malicious programs, malicious PowerPoint files and Android malware, all apparently designed to appeal to members of the opposition,” researchers said in the post.