FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure
ID: 46b14996-7837-5a6d-b7d2-9cabef04c76a
STIX ID: report--46b14996-7837-5a6d-b7d2-9cabef04c76a
Feed Name: Fortinet Blog
FortiGuard Incident Response investigated a long-term Iranian state-sponsored intrusion against Middle Eastern critical national infrastructure that persisted from at least May 2023 to February 2025 (with activity traced back to 2021). Attackers gained initial access via stolen VPN credentials, deployed web shells and novel backdoors (HanifNet, HXLibrary, NeoExpressRAT, Havoc), used proxy chaining and loaders to bypass segmentation and execute in-memory payloads, exfiltrated targeted email data, and attempted re-entry after containment by exploiting web application vulnerabilities and phishing; the report includes IOCs, TTP analysis, and defensive recommendations.
