Iranian Hackers Exploit Omani Mailbox in Global Spear-Phishing Campaign
A large-scale spear-phishing operation has been uncovered after attackers compromised a Ministry of Foreign Affairs of Oman mailbox to deliver malicious emails to diplomatic missions worldwide.
The campaign was detailed in August 2025 by Israeli cybersecurity company Dream, which reported that “analysis of the Homeland Justice campaign reveals it was multi-wave and operated on a larger scale than initially apparent. From a dataset of 270 emails, 104 unique compromised addresses were leveraged.”
Emails were sent from a compromised @fm.gov.om account and routed through a NordVPN exit node in Jordan (212.32.83.11) to hide their origin. Messages were framed as urgent diplomatic updates and carried Microsoft Word documents containing hidden VBA macros. Once a recipient enabled the macros, the embedded code installed malware designed to collect system information and establish persistence on the infected machine.
The attack sequence wrote its payload to C:\Users\Public\Documents\ManagerProc.log before copying itself to C:\ProgramData\sysProcUpdate.exe and modifying Windows registry DNS parameters. Collected system data was then sent to a command-and-control server at screenai.online/Home/.
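The chain above leaves several host-level traces a defender can correlate. The following Python correlator is an added example, not code from the report or from any vendor; the Tcpip\Parameters registry location for the "DNS parameters" and the sample telemetry are assumptions constructed for illustration.

```python
from dataclasses import dataclass
# Indicators quoted in the article above. The Tcpip\Parameters key is my
# assumption about where the "Windows registry DNS parameters" live.
IOC_PATHS = {
    "c:\\users\\public\\documents\\managerproc.log": "stage1_payload_dropped",
    "c:\\programdata\\sysprocupdate.exe": "stage2_persistence_copy",
}
DNS_KEY_FRAGMENT = "\\services\\tcpip\\parameters\\"
C2_DOMAIN = "screenai.online"

@dataclass(frozen=True)
class Event:
    host: str
    kind: str     # "file", "registry" or "dns"
    process: str  # image path or name of the acting process
    target: str   # file path, registry value path, or queried domain

def classify(ev):
    """Map one telemetry event to a stage of the chain, or None if benign."""
    tgt = ev.target.lower()
    proc = ev.process.lower().rsplit("\\", 1)[-1]
    if ev.kind == "file" and tgt in IOC_PATHS:
        return IOC_PATHS[tgt]
    # svchost.exe (DHCP client) legitimately rewrites these values; others rarely do
    if ev.kind == "registry" and DNS_KEY_FRAGMENT in tgt and proc != "svchost.exe":
        return "dns_parameters_modified"
    if ev.kind == "dns" and (tgt == C2_DOMAIN or tgt.endswith("." + C2_DOMAIN)):
        return "c2_domain_lookup"
    return None

def correlate(events):
    """Report hosts where two or more distinct stages were seen."""
    stages = {}
    for ev in events:
        hit = classify(ev)
        if hit:
            stages.setdefault(ev.host, set()).add(hit)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= 2}

# Constructed sample telemetry (not real logs): ws-01 shows the full chain,
# ws-02 is benign activity, ws-03 has only a single lookup of the C2 domain.
SAMPLE_EVENTS = [
    Event("ws-01", "file", "WINWORD.EXE", "C:\\Users\\Public\\Documents\\ManagerProc.log"),
    Event("ws-01", "file", "WINWORD.EXE", "C:\\ProgramData\\sysProcUpdate.exe"),
    Event("ws-01", "registry", "C:\\ProgramData\\sysProcUpdate.exe",
          "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer"),
    Event("ws-01", "dns", "C:\\ProgramData\\sysProcUpdate.exe", "screenai.online"),
    Event("ws-02", "file", "explorer.exe", "C:\\Users\\Public\\Documents\\notes.txt"),
    Event("ws-02", "dns", "chrome.exe", "example.com"),
    Event("ws-03", "dns", "svchost.exe", "screenai.online"),
]
```

A single stage (ws-03's lone lookup) is deliberately below the reporting threshold so that one noisy indicator does not page an analyst; tune `len(s) >= 2` to your environment.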
The Hacker News described the operation as both “coordinated” and “multi-wave,” noting its reach across Europe, Africa, Asia, the Middle East, and the Americas.
ClearSky analysts noted continuity with earlier campaigns, stating that “similar obfuscation techniques were used by Iranian threat actors in 2023 when they targeted Mojahedin-e-Khalq in Albania,” with moderate confidence that the same operators were involved.
The activity has been attributed to a group known as Homeland Justice, which researchers link to Iran’s Ministry of Intelligence and Security. The scope of targeting suggests a global espionage effort timed around sensitive diplomatic exchanges.