Fortinet’s FortiGuard team recently detected and uncovered a highly sophisticated cyber-espionage campaign targeting critical network infrastructure in the Middle East. The investigation, which began in late 2024, revealed that the intrusion had been ongoing for years – from May 2023 to February 2025 – with evidence suggesting that the attackers first gained access as early as May 2021.
The campaign was attributed to an Iranian state-sponsored group, known in the cybersecurity community as “Lemon Sandstorm.” Their operations focused on espionage and maintaining long-term access to vital systems in critical national infrastructure such as energy, transportation, and telecommunications.
The attackers initially gained entry using stolen login credentials to access the victim organization’s VPN system. Once inside, they quickly established access by deploying a range of web shells on public-facing servers and installing several custom backdoors. These included malware families like Havoc, HanifNet, HXLibrary, and later NeoExpressRAT. The backdoors were designed to run automatically and allowed the attackers to maintain control over the network even if some of their tools were to be discovered and/or removed.
According to Fortinet’s report, the campaign unfolded in four different phases. In the first phase, the attackers focused on establishing a solid foothold, which was dated back to May 2023 and lasted until April 2024. “The adversary used stolen credentials to access the victim’s SSL VPN, deploying web shells on public-facing servers and installing Havoc, HanifNet, and HXLibrary backdoors. They then stole credentials and moved laterally using RDP and PsExec,” the company said.
The threat actors used their access to move laterally across the network, leveraging legitimate tools such as Remote Desktop Protocol (RDP) and PsExec to escalate privileges and reach more sensitive areas. They also created simple web shells with names like “default.aspx” and more advanced, heavily obfuscated ones such as “UpdateChecker.aspx.” As a result, these web shells gave them remote command capabilities and were cleverly disguised to avoid detection.
As the attackers consolidated their position in what was said to be the second phase (April 2024 – November 2024), they deployed additional web shells and backdoors, including NeoExpressRAT, and began using open-source proxy tools like plink and Ngrok. These tools helped them bypass network segmentation, allowing them to move between otherwise isolated parts of the network. During this phase, they also targeted the victim’s email systems and virtualization infrastructure, exfiltrating sensitive data while remaining hidden.
When the victim organization began remediation efforts, the attackers responded aggressively. In the third phase that was termed “Initial Remediation and Adversary Response (November 2024 – December 2024),” the victim deployed even more persistence mechanisms, including MeshCentral and SystemBC backdoors, and focused on maintaining access to deeper network segments, particularly those associated with operational technology (OT). Although there was evidence that the attackers reached systems within restricted network segments, there was no conclusive proof that they breached the core OT environment itself.
The final phase of the intrusion saw the organization implement a comprehensive containment plan by finally removing the attacker’s access. However, the attackers still attempted to regain entry through previously established backdoors, exploiting vulnerable web applications, and launching targeted phishing campaigns to harvest new credentials.
According to Fortinet’s report, “The victim successfully removed adversary access. In response, attackers attempted to re-enter via vulnerabilities in web applications and launched targeted phishing campaigns to steal credentials. Multiple failed access attempts were detected.” This persistence highlights the determination and resources available to state-sponsored groups.
Throughout the campaign, the attackers used a combination of custom malware and well-known open-source tools. Their methods included lateral movement via RDP and SMB, deployment of web shells for remote command execution, and the use of proxy tools to circumvent network segmentation. They also engaged in targeted credential harvesting through phishing.
The victim’s network was large and complex, with hundreds of endpoints and a mix of virtualized and dedicated hardware. Despite effective network segmentation and multiple layers of security, the attackers managed to maintain a presence for years by chaining together different proxy tools and persistence mechanisms. Their activity was methodical and patient, which signified a long-term strategy rather than a smash-and-grab approach.
Fortinet’s findings highlight the evolving tactics of state-sponsored threat actors. Rather than relying on new or highly complex malware, these groups are increasingly using established techniques and legitimate tools to blend in with normal network activity. This makes detection much more difficult and stresses the need for organizations to focus on defending against common attack methods, not just the latest malware variants.
To defend against such threats, Fortinet recommends organizations monitor for unusual credential use, regularly scan for hidden web shells, restrict the use of common IT tools that can be abused for lateral movement, and adopt behavior-based detection systems. These measures, combined with robust network segmentation and continuous monitoring, can help organizations detect and respond to advanced persistent threats more effectively.
