New Cyber Threat Targets Azerbaijan and Israel Diplomats, Stealing Sensitive Data

A previously unknown threat actor has been attributed to a spate of attacks targeting Azerbaijan and Israel with an aim to steal sensitive data.
The attack campaign, detected by NSFOCUS on July 1, 2024, leveraged spear-phishing emails to single out Azerbaijani and Israeli diplomats. The activity is being tracked under the moniker Actor240524.
"Actor240524 possesses the ability to steal secrets and modify file data, using a variety of countermeasures to avoid overexposure of attack tactics and techniques," the cybersecurity company said in an analysis published last week.
The attack chains commence with the use of phishing emails bearing Microsoft Word documents that, upon opening, urge the recipients to "Enable Content" and run a malicious macro responsible for executing an intermediate loader payload codenamed ABCloader ("MicrosoftWordUpdater.log").
In the next step, ABCloader acts as a conduit to decrypt and load a DLL malware called ABCsync ("synchronize.dll"), which then establishes contact with a remote server ("185.23.253[.]143") to receive and run commands.

"Its main function is to determine the running environment, decrypt the program, and load the subsequent DLL (ABCsync)," NSFOCUS said. "It then performs various anti-sandbox and anti-analysis techniques for environmental detection."
Some of the prominent functions of ABCsync are to execute remote shells, run commands using cmd.exe, and exfiltrate system information and other data.
Both ABCloader and ABCsync have been observed employing techniques like string encryption to cloak important file paths, file names, keys, error messages, and command-and-control (C2) addresses. They also carry out several checks to determine if the processes are being debugged or executed in a virtual machine or sandbox by validating the display resolution.
Another notable check is whether fewer than 200 processes are running on the compromised system; if so, the malicious process exits, treating such a sparsely populated host as a likely analysis environment.
ABCloader is also designed to launch a similar loader called "synchronize.exe" and a DLL file named "vcruntime190.dll" or "vcruntime220.dll," which are capable of setting up persistence on the host.
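As an added illustration of how a defender might hunt for the chain described above (example code written for this article, not NSFOCUS's tooling), the Python below matches constructed host telemetry against the file names and C2 address the report names; the key="value" event format, the stage names and the sample lines are assumptions.

```python
import re

# Indicators are those quoted in the NSFOCUS write-up summarised above; the telemetry
# lines further down are constructed for this example, not captured from a real host.
C2_ADDRESS = "185.23.253[.]143".replace("[.]", ".")   # refang the defanged IP
LOADER_FILES = {"microsoftwordupdater.log", "synchronize.exe"}
LOADER_DLLS = {"synchronize.dll", "vcruntime190.dll", "vcruntime220.dll"}
OFFICE_APPS = {"winword.exe"}

def parse_event(line):
    """Parse one key="value" telemetry line (hypothetical format) into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def match_event(ev):
    """Return the names of the Actor240524 chain stages this single event matches."""
    hits = []
    kind = ev.get("type")
    image = basename(ev.get("image", ""))
    target = basename(ev.get("target", ""))
    if kind == "filecreate" and image in OFFICE_APPS and target in LOADER_FILES:
        hits.append("office_drops_loader")     # macro writes ABCloader to disk
    if kind == "process" and image in LOADER_FILES:
        hits.append("loader_executed")         # ABCloader / synchronize.exe started
    if kind == "imageload" and target in LOADER_DLLS:
        hits.append("loader_dll")              # ABCsync or fake vcruntime DLL loaded
    if kind == "network" and ev.get("dest") == C2_ADDRESS:
        hits.append("c2_contact")
    return hits

def scan(lines):
    """Return {stage: [line numbers]} for every telemetry line that matches a stage."""
    found = {}
    for n, line in enumerate(lines, 1):
        for h in match_event(parse_event(line)):
            found.setdefault(h, []).append(n)
    return found

# Constructed sample telemetry: three malicious stages plus one benign vcruntime140 load.
SAMPLE = [
    r'type="filecreate" image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" target="C:\Users\u\AppData\Local\Temp\MicrosoftWordUpdater.log"',
    r'type="imageload" image="C:\Users\u\AppData\Local\Temp\synchronize.exe" target="C:\Users\u\AppData\Local\Temp\synchronize.dll"',
    r'type="imageload" image="C:\Windows\System32\notepad.exe" target="C:\Windows\System32\vcruntime140.dll"',
    r'type="network" image="C:\Users\u\AppData\Local\Temp\synchronize.exe" dest="185.23.253.143"',
]
if __name__ == "__main__":
    for stage, hit_lines in scan(SAMPLE).items():
        print(f"{stage}: lines {hit_lines}")
```

The benign vcruntime140.dll load is deliberately included to show that only the mistyped vcruntime190/220 names and synchronize.dll are flagged.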
"Azerbaijan and Israel are allied countries with close economic and political exchanges," NSFOCUS said. "Actor240524's operation this time is likely aimed at the cooperative relationship between the two countries, targeting phishing attacks on diplomatic personnel of both countries."