Threat Insights: Malware targets Iranian oil and gas and spreads to other maritime operators


CyberOwl, a DNV Company, discovers a phishing and malware campaign against the shipping industry that exploits ‘hidden’ information.

A recent investigation led by CyberOwl, a DNV company, discovered a sophisticated phishing and malware campaign targeting organisations involved in the trading of Iranian oil and gas, which has also spread to others in the trading ecosystem, including maritime operators. The campaign, which was active between March and May 2025, demonstrates a growing trend in the use of steganography to evade detection and deliver malware payloads.

Anatomy of the attack

The campaign began with phishing emails sent from a newly registered domain, vaproum[.]biz, impersonating legitimate persons and businesses present in Iran, including a Swiss-based engineering company. These emails carried zip file attachments containing JavaScript-based multi-stage downloaders. Malware execution began as soon as the recipient opened the attachment.

Once executed, the script retrieved a JPG image hosted on archive.org. This image contained a hidden payload, which was decoded and executed directly in memory, helping it evade file-based detection.

This technique, named “SteganoAmor”, uses steganography to conceal malicious code within seemingly benign media files. The final delivered payload was a variant of the “Agent Tesla” malware, capable of stealing and exfiltrating data from infected machines.
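A defender-side triage check for the delivery mechanism described above, added here as an example rather than code from CyberOwl or DNV. It assumes the hidden payload is stored after the JPEG's End-Of-Image marker, a common way of hiding data in an image that the report itself does not confirm; a payload woven into pixel data would need a different, statistical check.

```python
# Added example (not CyberOwl's or DNV's tooling): report bytes appended after a
# JPEG's real End-Of-Image marker. Assumes the payload is appended, one common
# steganography trick; data hidden inside pixel values needs a statistical check.
SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def trailing_data(jpeg: bytes) -> bytes:
    """Walk the JPEG segment structure and return whatever follows the true EOI."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while True:
        if pos + 2 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}; truncated or malformed")
        marker = jpeg[pos + 1]
        if marker == 0xD9:                              # EOI: the image ends here
            return jpeg[pos + 2:]
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:    # SOI / RSTn have no length field
            pos += 2
            continue
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        # Skip by declared length so an EXIF thumbnail's own FFD9 is never taken for the real EOI.
        pos += 2 + int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        if marker == 0xDA:                              # SOS: skip entropy-coded scan data
            while True:
                nxt = jpeg.find(b"\xff", pos)
                if nxt == -1 or nxt + 1 >= len(jpeg):
                    raise ValueError("no marker after scan data; truncated JPEG")
                follow = jpeg[nxt + 1]
                if follow == 0x00 or 0xD0 <= follow <= 0xD7:   # stuffed byte / restart marker
                    pos = nxt + 2
                elif follow == 0xFF:                            # fill byte before a marker
                    pos = nxt + 1
                else:
                    pos = nxt
                    break

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: a structurally valid JPEG skeleton (not a viewable picture) whose
# EXIF segment embeds a thumbnail with its own EOI, plus a harmless fake appended payload.
THUMB = SOI + _segment(0xDA, b"\x01") + b"\x12\x34" + EOI
CLEAN_JPEG = (SOI + _segment(0xE0, b"JFIF\x00\x01\x01") + _segment(0xE1, b"Exif\x00\x00" + THUMB)
              + _segment(0xDA, b"\x01") + b"\xab\xff\x00\xcd\xff\xd0\xef" + EOI)
PAYLOAD = b"VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHBsYWNlaG9sZGVyLg=="   # base64 of a harmless sentence
SUSPECT_JPEG = CLEAN_JPEG + PAYLOAD
```

A naive search for the first FFD9 would stop at the embedded thumbnail and misreport the rest of a clean image as appended data, which is why the function walks segments by their declared length.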

Attribution and threat landscape

The “SteganoAmor” method was observed in a limited number of campaigns from March to May 2025 that also shared similarities with attacks reported in 2024. While the tactics and tooling point towards a shared malware-as-a-service (MaaS) platform, CyberOwl’s analysis suggests that the actors behind each campaign are different.

The use of steganography in this context is particularly concerning. It reflects a shift toward more covert and technically advanced delivery methods, making detection and attribution more challenging. 

Why it’s a threat

Steganography allows adversaries to hide malicious code in plain sight, within images, audio, or video files, making detection significantly harder.

This campaign highlights the increasing sophistication of threat actors targeting critical infrastructure, including energy-related sectors, particularly in geopolitically sensitive regions. 

Mitigation measures

To defend against threats using steganography, organisations should adopt a multi-layered approach:

  • Strengthen human defenses: Equip employees with the knowledge to spot and report phishing attempts. Regular training, combined with simulated phishing exercises, can significantly reduce risk.
  • Deploy smart technical controls: Use advanced email filtering, endpoint detection and response solutions, and behavioural analytics to detect and block malicious content before it reaches users.
  • Stay geopolitically aware: Understand how regional tensions and sanctions may intersect with your business operations and threat exposure. Tailor your threat models accordingly. 
  • Dig deeper: For further details, indicators of compromise, and more, please refer to the CyberOwl report. 

Looking ahead

This phishing and malware campaign underscores the evolving nature of cyber threats facing critical infrastructure industries. By combining deception, technical sophistication, and geopolitical nuance, attackers are pushing the boundaries of traditional malware delivery. Organisations must remain vigilant, informed, and proactive in their defence. 

As threat actors become more sophisticated in their use of various techniques, defenders must stay ahead by adopting layered security strategies and investing in threat intelligence. At DNV Cyber, we remain dedicated to monitoring these developments and providing our customers with actionable insights. 


7/4/2025 8:50:00 AM