TA455
Intelligence Profile
TA455 is an Iranian APT group targeting the aerospace industry through a campaign known as the “Iranian Dream Job Campaign,” utilizing deceptive job offers to lure victims. They employ spearphishing tactics with malicious ZIP files containing the executable “secur32[.]dll” and disguise their C2 communications within the traffic of reputable services like Cloudflare and GitHub. The group intentionally mimics the TTPs of the North Korean Lazarus group to mislead investigators and complicate attribution. Their multi-stage infection strategy enhances the likelihood of success while evading detection.
Threat Analysis
TA455 is a advanced-sophistication threat actor attributed to Iran, engaged in cyber operations with a primary motivation of espionage.
The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.
Classified as an advanced threat actor, TA455 likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.
Known Campaigns
TA455 is a espionage threat actor attributed to Iran. TA455 is an Iranian APT group targeting the aerospace industry through a campaign known as the “Iranian Dream Job Campaign,” utilizing deceptive job offers to lure victims. They employ spearphishing tactics with malicious ZIP files containing the executable “secur32[.]dll” and di...