What About Iran? One Word Document, Three Backdoors




Every major nation state has a cyber army. China, Russia, the US, Europe. But Iran? Meet Boggy Serpens, a threat group tied to Iran’s civilian intelligence service whose entire business model is breaking in, staying in, and handing the keys to whoever strikes next. Their latest operation needs exactly one booby-trapped Word document to plant three separate backdoors on your network.

Lieuwe Jan Koning hosts a live red team vs blue team session at the ON2IT SOC, with analyst Yuri Wit playing the “proxy Iranian” attacker and Rob Maas on defense. Every move is shown on screen, together with the exact control that stops it.

What you’ll learn

  • Iran’s access broker model: Boggy Serpens breaks in, persists, and sells access to the next attacker.
  • One Word document, three backdoors: Telegram bot, Rust “Ghost” backdoor, hijacked AnyDesk.
  • Why the operation mostly failed, and how to spot AI-assisted malware.


Your cybersecurity experts

Rob Maas
Field CTO, ON2IT

Yuri Wit
SOC Specialist, ON2IT

Episode details

Most defenders think about nation-state threats as a single, coordinated actor. Boggy Serpens breaks that model. The group’s job is access, not exploitation. They get in, they persist, they sell. What the buyer does next is someone else’s problem, which is exactly what makes them hard to detect and harder to attribute.

The infection chain starts where it always does: a document. In this case, an Office file with macros that most organizations would still execute. From there, the payload splits three ways. The Telegram bot is the most immediately interesting because it uses infrastructure your organization almost certainly does not block. Encrypted chat traffic from a known platform does not look like command and control. That is the point. The Rust backdoor is the layer built for persistence and analyst frustration: it is deliberately structured to slow down reverse engineering and defeat standard sandbox analysis. AnyDesk is the third leg, and in some ways the most uncomfortable one, because nothing about a legitimate AnyDesk installation looks malicious. The tool is already trusted. It just isn’t working for you anymore.
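The chain above (macro-bearing Office document, Telegram bot traffic, AnyDesk that is no longer yours) is also the shape of what a SOC can correlate. The following is an added example, not code from the episode or from ON2IT: a toy detector over constructed EDR-style telemetry with hypothetical field names. It encodes three rules that map onto the three legs of the operation: an Office application spawning a script host, a process other than a browser or the Telegram client talking to the Telegram bot API host, and an AnyDesk process whose ancestry leads back to an Office application. The process, host and allowlist names are assumptions for the example.

```python
"""Toy correlation detector for the macro -> Telegram bot -> AnyDesk chain.

Added example with constructed telemetry; the event schema (host/type/pid/
ppid/image/dest_host) is hypothetical, not any product's real format.
Rules:
  R1  an Office application spawns a scripting/shell child
  R2  a process that is not a browser or the Telegram client contacts
      api.telegram.org (the bot API endpoint, not the web client)
  R3  AnyDesk starts with an Office application somewhere in its ancestry
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
TELEGRAM_API_HOSTS = {"api.telegram.org"}
# Assumed allowlist: processes for which Telegram traffic is expected.
TELEGRAM_ALLOWED = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
REMOTE_TOOLS = {"anydesk.exe"}

# Constructed sample telemetry: WS-A is normal use, WS-B runs the chain.
SAMPLE_EVENTS = [
    {"host": "WS-A", "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"host": "WS-A", "type": "process", "pid": 101, "ppid": 100, "image": "chrome.exe"},
    {"host": "WS-A", "type": "network", "pid": 101, "dest_host": "web.telegram.org", "dest_port": 443},
    # User-launched AnyDesk from the shell: legitimate, should not fire R3.
    {"host": "WS-A", "type": "process", "pid": 102, "ppid": 100, "image": "anydesk.exe"},
    {"host": "WS-B", "type": "process", "pid": 200, "ppid": 1, "image": "explorer.exe"},
    {"host": "WS-B", "type": "process", "pid": 201, "ppid": 200, "image": "winword.exe"},
    {"host": "WS-B", "type": "process", "pid": 202, "ppid": 201, "image": "powershell.exe"},
    {"host": "WS-B", "type": "network", "pid": 202, "dest_host": "api.telegram.org", "dest_port": 443},
    {"host": "WS-B", "type": "process", "pid": 203, "ppid": 202, "image": "anydesk.exe"},
]


def ancestry(host, pid, procs):
    """Yield image names of pid and its ancestors from the process table."""
    seen = set()
    while (host, pid) in procs and (host, pid) not in seen:
        seen.add((host, pid))
        image, ppid = procs[(host, pid)]
        yield image
        pid = ppid


def detect(events):
    """Replay events in order, keep a per-host process table, emit alerts.

    Returns a list of (rule, host, pid, detail) tuples.
    """
    procs = {}   # (host, pid) -> (image, ppid)
    alerts = []
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process":
            img = ev["image"].lower()
            procs[key] = (img, ev["ppid"])
            parent = procs.get((ev["host"], ev["ppid"]), ("?", None))[0]
            if parent in OFFICE and img in SCRIPT_HOSTS:
                alerts.append(("R1-office-spawns-script", ev["host"], ev["pid"],
                               f"{parent} -> {img}"))
            if img in REMOTE_TOOLS and any(
                    a in OFFICE for a in ancestry(ev["host"], ev["pid"], procs)):
                chain = " <- ".join(ancestry(ev["host"], ev["pid"], procs))
                alerts.append(("R3-remote-tool-from-office-lineage", ev["host"],
                               ev["pid"], chain))
        elif ev["type"] == "network":
            img = procs.get(key, ("?", None))[0]
            if ev["dest_host"].lower() in TELEGRAM_API_HOSTS and img not in TELEGRAM_ALLOWED:
                alerts.append(("R2-telegram-api-from-unexpected-process", ev["host"],
                               ev["pid"], f"{img} -> {ev['dest_host']}:{ev['dest_port']}"))
    return alerts


if __name__ == "__main__":
    for rule, host, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{host} pid={pid} {rule}: {detail}")
```

The point of R2 is the one the episode makes: the destination is a platform most organizations allow, so the signal is not the host but the process making the connection. R3 is the same idea applied to AnyDesk, which looks identical whether the user installed it or a macro did; only lineage separates the two. On real telemetry the allowlists would come from an asset inventory rather than hard-coded sets, and R3 should be widened to other remote-access tools in use.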

The red team vs blue team format makes the layering visible in a way a slide deck cannot. Each backdoor goes live, and each one gets caught or missed based on the specific control that is or isn’t in place. Zero Trust segmentation is not just a concept here; it is the thing that stops lateral movement when the first two controls fail.

The AI angle is worth noting for teams that track adversary capability development. Parts of the malware show patterns consistent with AI-assisted code generation. The tells are subtle, and Lieuwe Jan and Rob walk through what to look for.

If you manage threat intelligence or incident response for a European organization, or if your SOC still treats Iran as a secondary concern behind China and Russia, this episode recalibrates that.


Get your Hacker T-shirt

Join the treasure hunt!

Find the code within this episode and receive your own hacker t-shirt for free.
