What happens when outdated VPNs become silent doors to your most secure networks?
A devastating breach has exposed just how fragile national infrastructure can be, especially when targeted by persistent, state-sponsored attackers with patience and purpose.
Between May 2023 and February 2025, a highly coordinated cyber-espionage campaign by the Iranian threat group Lemon Sandstorm (also known as Rubidium, Pioneer Kitten, and UNC757) quietly embedded itself into the operational heart of a Middle Eastern nation’s critical infrastructure. And they did it using flaws most organizations still ignore: outdated VPNs and under-monitored malware.
VPN Vulnerabilities: The Real Backdoors
Lemon Sandstorm gained initial access using stolen credentials and known vulnerabilities in popular VPN services, including:
- Fortinet
- Pulse Secure
- Palo Alto Networks
From there, they used web shells, remote access trojans (RATs), and custom implants to extend their control across internal systems, avoiding detection while adapting to the victim’s countermeasures.
Malware Arsenal: A Breakdown of the Tools
This wasn’t just a one-tool hit job. It was an evolving operation. Here’s a look at their tech stack:
- Havoc – A C2 framework used for command execution and lateral movement.
- HanifNet – A custom .NET-based command retriever.
- HXLibrary – A stealthy IIS module fetching C2 data from Google Docs.
- NeoExpressRAT – A backdoor communicating via Discord.
- SystemBC – A commodity malware often used before ransomware hits.
- CredInterceptor – Used to extract credentials directly from Windows LSASS.
- DarkLoadLibrary – An open-source loader for launching payloads like SystemBC.
- RecShell, DropShell – Web shells for reconnaissance and file uploads.
Each tool played a role in extending persistence, stealing sensitive data, and preparing for deeper infiltration.
Operational Technology (OT): The Hidden Target
While the hackers never fully breached the OT environment, all signs indicate that it was the endgame.
Reconnaissance scans and lateral movement strategies targeted systems adjacent to the OT network—systems that, if compromised, could open the door to water, power, and energy control mechanisms.
The attackers’ use of chained proxies and custom implants revealed their deep understanding of network segmentation and how to circumvent it. In later stages, they layered four proxy tools just to maintain internal access, a level of persistence you don’t see in smash-and-grab attacks.
Timeline of the Attack: 4 Distinct Phases
- Initial Access (May 2023 – April 2024): Stolen credentials, VPN flaws, and early backdoors like Havoc and HXLibrary.
- Foothold Consolidation (May 2024 – November 2024): Deeper web shell deployment, credential harvesting, and virtualization infrastructure attacks.
- Containment Evasion (November 2024 – December 2024): After detection, new backdoors (MeshCentral Agent, SystemBC) were deployed.
- Reentry Attempts (December 2024 – Present): Use of Biotime vulnerabilities (CVE-2023-38950/51/52) and Microsoft 365 spear-phishing to regain access.
What This Means for Tech Teams
- Outdated VPNs are not harmless; they are ticking time bombs.
- Open-source C2 tools like Havoc and MeshCentral are being weaponized in real-world infrastructure attacks.
- Just patching isn’t enough. You need visibility into who’s already inside.
How to Protect Your Stack Now
- Run an immediate VPN audit, focusing on SSL VPNs and endpoint logging.
- Monitor for open-source C2 traffic, especially outbound pings to GitHub-style URLs or Discord domains.
- Segment your networks and watch for chained proxies; this is how sophisticated actors move laterally unnoticed.
- Don’t just respond to alerts; reverse-engineer them. Assume persistence and look for deeper implants.
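The monitoring step above (outbound traffic to Discord, GitHub-style and Google Docs hosts, the services the article ties to NeoExpressRAT and HXLibrary) is the one that is easiest to turn into code. The script below is an added example written for this page, not tooling from the article or from any vendor report: it parses a constructed web-proxy log format (timestamp, source IP, method, URL, status, user agent), keeps only requests to a watchlist of commonly abused hosts, and flags source/host pairs whose request intervals are regular enough to look like a timer rather than a person. The log lines, the watchlist and the jitter threshold are all assumptions to be tuned to your own environment.

```python
"""Flag timer-like outbound traffic to services commonly abused as C2 channels.

Added example, not code from the original article. The log format, the
watchlist and the sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed watchlist of host suffixes that legitimate users also visit,
# which is exactly why plain allow/deny rules miss this traffic.
WATCHLIST = (
    "discord.com",
    "discordapp.com",
    "github.com",
    "raw.githubusercontent.com",
    "docs.google.com",
)

# Assumed proxy log layout: "<iso-ts> <src-ip> <METHOD> <url> <status> <user-agent>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/:\s]+)\S* (?P<status>\d{3}) (?P<agent>.*)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def on_watchlist(host):
    """True if host equals a watchlist entry or is a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in WATCHLIST)


def find_beacons(lines, min_hits=4, max_jitter=0.25):
    """Return (src, host, hits, mean_interval_seconds) for suspicious pairs.

    A pair is reported when it reaches a watchlisted host at least min_hits
    times and the coefficient of variation of the gaps between requests is
    at most max_jitter. Human browsing is bursty; implants on a sleep timer
    are not.
    """
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and on_watchlist(rec["host"]):
            seen[(rec["src"], rec["host"].lower())].append(rec["ts"])

    findings = []
    for (src, host), stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, host, len(stamps), round(avg, 1)))
    return findings


# Constructed sample: 10.0.5.23 polls Discord every ~60 s (implant-like),
# 10.0.7.8 is a developer using GitHub at irregular times, plus noise.
SAMPLE_LOG = [
    "2024-06-03T09:00:00 10.0.5.23 GET https://discord.com/api/v9/channels/000/messages 200 Mozilla/5.0",
    "2024-06-03T09:01:00 10.0.5.23 GET https://discord.com/api/v9/channels/000/messages 200 Mozilla/5.0",
    "2024-06-03T09:02:01 10.0.5.23 GET https://discord.com/api/v9/channels/000/messages 200 Mozilla/5.0",
    "2024-06-03T09:03:00 10.0.5.23 GET https://discord.com/api/v9/channels/000/messages 200 Mozilla/5.0",
    "2024-06-03T09:04:00 10.0.5.23 GET https://discord.com/api/v9/channels/000/messages 200 Mozilla/5.0",
    "2024-06-03T09:00:12 10.0.7.8 GET https://github.com/org/repo 200 git/2.43",
    "2024-06-03T09:07:45 10.0.7.8 GET https://github.com/org/repo/pulls 200 Mozilla/5.0",
    "2024-06-03T09:31:02 10.0.7.8 GET https://github.com/org/repo 200 git/2.43",
    "2024-06-03T11:02:19 10.0.7.8 GET https://github.com/org 200 Mozilla/5.0",
    "2024-06-03T09:00:30 10.0.7.9 GET https://www.example.com/ 200 Mozilla/5.0",
    "2024-06-03T09:00:31 malformed line that should be skipped",
]

if __name__ == "__main__":
    for src, host, hits, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {host}: {hits} requests, ~{interval}s apart")
```

On the constructed sample only the Discord poller is reported; the developer's GitHub activity has the same number of hits but fails the regularity test. In practice the watchlist is a starting point, not a verdict: the value of the check is that it surfaces hosts worth a closer look (process, user, payload size) rather than blocking services your staff legitimately use.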
The takeaway? Modern attacks aren’t loud. They’re patient, tailored, and invisible, until it’s too late. If you think you’re not a target, it just means you’re not watching closely enough.