Fortinet’s FortiGuard Labs Incident Response (FGIR) team uncovered a prolonged cyber intrusion targeting critical national infrastructure in the Middle East, attributed to a state-sponsored threat actor. The campaign, active from at least May 2023 to February 2025, with indications dating back to May 2021, involved extensive espionage and suspected network prepositioning to ensure long-term strategic access. Attackers initially breached the network using stolen VPN credentials, then maintained persistence through multiple web shells and backdoors, including Havoc, HanifNet, HXLibrary, and NeoExpressRAT. They circumvented network segmentation using open-source proxy tools such as plink, Ngrok, Glider Proxy, and ReverseSocks5.

The researchers detailed that the attack progressed in multiple waves, with the adversary gradually deploying new malware and infrastructure. They used custom loaders to execute Havoc and SystemBC directly in memory, avoiding disk-based detection. Alongside publicly available tools, the attackers leveraged novel backdoors, HanifNet, HXLibrary, and NeoExpressRAT, which enabled command execution, file manipulation, and system reconnaissance.

The adversary deliberately avoided U.S.-based infrastructure, instead utilizing virtual private servers (VPS) hosted by non-U.S. providers. Persistence was achieved through scheduled tasks that mimicked legitimate Windows processes, helping the malware blend into the system environment.
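As an added illustration (not code from the Fortinet report), a defender-side check for the scheduled-task masquerading described above: it parses Task Scheduler XML definitions, as exported by `schtasks /query /xml`, and flags Exec actions whose binary carries a well-known Windows process name but runs from outside the Windows directories. The sample task, the watchlist of binary names and the trusted paths are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by Task Scheduler XML definitions (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Where genuine copies of core Windows binaries live (assumed default install).
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Process names an implant might borrow to blend in (constructed watchlist).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "dllhost.exe", "conhost.exe"}

def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        yield cmd, args

def masquerade_findings(task_xml):
    """Return (binary, command, arguments) for actions that run a system-named
    binary from outside the trusted Windows directories. A bare name with no
    directory is also flagged, since it would be resolved through PATH."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        # Expand the two environment variables commonly seen in exported tasks.
        expanded = cmd.lower().replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")
        p = PureWindowsPath(expanded)
        if p.name in SYSTEM_BINARIES and str(p.parent).rstrip("\\") not in TRUSTED_DIRS:
            findings.append((p.name, cmd, args))
    return findings

# Constructed sample: the binary name and arguments imitate a service host,
# but the executable lives under a user-writable directory.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\Libraries\svchost.exe</Command>
      <Arguments>-k netsvcs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart that uses the real system path.
BENIGN_TASK = SUSPICIOUS_TASK.replace(r"C:\Users\Public\Libraries", r"%SystemRoot%\System32")

if __name__ == "__main__":
    for name, cmd, args in masquerade_findings(SUSPICIOUS_TASK):
        print(f"suspicious: {name} launched from {cmd} {args}")
    print("benign findings:", masquerade_findings(BENIGN_TASK))
```

Feeding every exported task definition on a host through `masquerade_findings` gives a quick triage list; a hit is a lead for EDR review, not proof of compromise on its own.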

Furthermore, the attackers targeted virtualization infrastructure, conducting detailed reconnaissance to map network configurations and identify key assets. Following containment efforts, they attempted to regain access by exploiting vulnerabilities in ZKTeco ZKBioTime software, issues not previously observed in the wild. They also launched targeted phishing campaigns using compromised third-party email accounts to harvest administrator credentials.

The FortiGuard Labs report detailed that the victim organization had a highly segmented network, including a restricted OT (operational technology) environment. “While no confirmed disruption to OT systems was found, FGIR observed targeted reconnaissance and credential harvesting, indicating strong adversary interest in these systems. The attackers moved from IT to restricted segments by chaining proxy tools and implants to bypass segmentation,” it added.

The report detailed that the attack unfolded in four distinct phases. In phase one, FortiGuard Labs noted that adversaries focused on establishing a foothold and initial operations between May 2023 and April 2024. The adversary initially gained access to the victim’s network using stolen credentials to log into the SSL VPN. Once inside, they deployed web shells on public-facing servers and installed multiple backdoors, including Havoc, HanifNet, and HXLibrary. These tools enabled the attackers to steal additional credentials and move laterally across the network using Remote Desktop Protocol (RDP) and PsExec.

In phase two, they consolidated their foothold between April and November last year. During this phase, the attackers introduced additional persistence mechanisms, most notably the NeoExpressRAT backdoor. They used chained proxy tools such as plink and Ngrok to bypass network segmentation. The adversary exfiltrated targeted email data and began interacting with the organization’s virtualization infrastructure, indicating an intent to expand their reach within the environment.

Phase three, covering initial remediation and the adversary’s response, ran between November and December 2024. In response to the victim’s initial containment efforts, the adversary significantly increased their activity. To maintain access, they deployed new web shells and introduced SystemBC and MeshCentral. Their focus shifted toward penetrating deeper segments of the critical national infrastructure network, likely in an attempt to retain strategic control.

In the fourth phase, FortiGuard Labs observed that the attackers responded to containment efforts from December onward, continuing their attempts to regain access up to the present. By this phase, the victim had successfully removed the adversary’s access from the network. In retaliation, the attackers attempted to regain entry by exploiting vulnerabilities in web applications and launching targeted phishing campaigns aimed at stealing administrator credentials.

Despite these efforts, FortiGuard Labs highlighted that the multiple re-entry attempts were detected and ultimately failed. State-sponsored cyber adversaries continue to target and compromise critical infrastructure networks, aiming to maintain persistent access. Organizations should prioritize several defensive measures to mitigate these risks.

First, they should enhance credential security by enforcing multi-factor authentication (MFA) for VPN and privileged accounts, alongside implementing strict password policies that include regular credential rotation. Strengthening network segmentation and monitoring is also critical, as it can help restrict lateral movement. Adopting a zero-trust architecture with layered access controls further bolsters this defense.

Additionally, organizations should improve endpoint and web security by conducting routine integrity checks on web-facing services. Implementing application allowlisting can also prevent unauthorized execution of software. Deploying behavioral analytics and endpoint detection and response (EDR) solutions will enable the detection of anomalies in real time, while regular penetration testing and third-party security reviews help identify vulnerabilities.

Finally, organizations need to ensure incident response preparedness. This includes developing and testing cybersecurity playbooks specifically designed for state-sponsored threats and deploying rapid detection and containment capabilities to address potential intrusions.

In conclusion, the FortiGuard Labs report noted that the investigation highlights the persistent and evolving nature of state-backed cyber threats targeting Middle Eastern critical national infrastructure. The adversary demonstrated advanced tactics to deeply embed themselves, evade detection, and sustain long-term access.

“Despite containment efforts, the adversary has continued efforts to regain access, indicating a long-term strategic interest in this environment,” it added. “Organizations must remain vigilant, continuously refining their detection and response strategies to defend against sophisticated, state-sponsored cyber campaigns.”
