Sustained Red Deer Phishing Attacks Impersonate Israel Post, Drop RATs

Published: 23/11/2024   Category: security

The missed-package phishing messages, likely the work of a hacking-for-hire group, bound into inboxes bearing AsyncRAT.



Israeli engineering and telecommunications companies have been targeted with a sustained phishing campaign that convincingly impersonates Israel's postal service.
Research by Perception Point found that the phishing email typically appears to be a missed-delivery note containing an HTML link. When clicked, it downloads and opens an .html file attachment in the user's browser. This HTML file then opens an ISO image containing an obfuscated Visual Basic script, which ultimately downloads a modified version of the AsyncRAT malware.
The operation was named Red Deer because the logo of the Israel Postal Company (aka Israel Post) is a red deer. The technique was first spotted in a campaign in April 2022; last month a similar campaign was observed that used the same malware version and the same SSL certificate.
Several other campaigns in the activity cluster were also detected, including one last June and another last October, where Igal Lytzki, incident response analyst at Perception Point, says the volume of phishing emails was significantly higher than on other days.
Perception Point called the campaign a "sustained and clandestine operation" which targeted numerous organizations from diverse industries, all based in Israel.
Lytzki says that hundreds of emails related to this campaign were detected and quarantined before delivery, and that they've been directed at employees in varying positions and at different levels of seniority, not solely executive and leadership positions.
He also added that the level of care taken to make the lures look genuine is notable, including the addition of the logo, matching colors, and extra information about the post office's opening hours. "This is a surprising tactic that reveals the depth of sophistication and investment put into this attack," he notes.
The attacks were attributed to the Aggah threat group, based on the choice of malware, the order-related phishing lures, and the use of Losh Crypter-obfuscated PowerShell scripts. Lytzki says there is no clear evidence of state sponsorship or a national identity for Aggah, but there is a striking similarity between Aggah's tactics, techniques, and procedures (TTPs) and those of another threat group known as Gorgon Group, a state-sponsored group under the Pakistani government.
He adds, "Aggah has targeted a variety of countries for espionage, information gathering, and financial gain. I believe that the evidence suggests that this hacking group is for hire, contracting with other governments to launch malicious campaigns on their behalf."
In the past, Aggah has conducted attacks primarily focused on organizations in Middle Eastern countries. The Gorgon Group, meanwhile, does not focus solely on financial fraud and cybercrime, but also conducts attacks against government organizations and has been linked to attacks against Russia, Spain, the United Kingdom, and the United States.