TunnelVision
TunnelVision is an Iranian-aligned threat actor cluster tracked by SentinelLabs, operating in the Middle East and the US. SentinelLabs assesses the cluster as potentially destructive because of activity linked to ransomware deployment. The actor is notable for heavy reliance on tunneling tools and for broad exploitation of known 1-day vulnerabilities, including Fortinet FortiOS CVE-2018-13379, Microsoft Exchange ProxyShell, Log4Shell, and the VMware Horizon Log4j vulnerabilities.

In VMware Horizon intrusions, activity was initiated via the Tomcat service process (ws_TomcatService.exe) and used to execute malicious PowerShell, establish reverse shells, deploy backdoors, create backdoor users, harvest credentials, and move laterally. Observed credential access methods included Procdump, SAM hive dumps, and comsvcs MiniDump. The actor also conducted reconnaissance, scanned internal subnets for RDP using a publicly available port scan script, and downloaded and executed tunneling tools including FRPC, Plink, and Ngrok to tunnel RDP traffic.

TunnelVision used legitimate public services during operations, including transfer.sh, pastebin.com, webhook.site, ufile.io, and raw.githubusercontent.com; webhooks in particular were used to receive command output from compromised systems. SentinelLabs also reported infrastructure and malware associated with the cluster: service-management[.]tk hosting malicious payloads, a custom backdoor that dropped InteropServices.exe and registered it as a Windows service named "InteropServices," and a GitHub repository named "VmWareHorizon" associated with the account protections20.

SentinelLabs noted partial correlation with Microsoft's Phosphorus activity, while also noting overlap or confusion in vendor reporting with Charming Kitten and Nemesis Kitten. SentinelLabs nevertheless tracks this activity cluster separately as TunnelVision.
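Detection logic for the tradecraft described above, as an added example (not code from SentinelLabs or Mallory); it runs over constructed, simplified process-creation and network events whose field names (type, parent, image, cmdline, dest_host) are an assumed schema, not a real product format:

```python
import re

# Detection logic for the TunnelVision tradecraft described above. Events use an assumed,
# simplified schema (type, parent, image, cmdline, dest_host), not any real product format.
HORIZON_TOMCAT = "ws_tomcatservice.exe"                 # VMware Horizon Tomcat service process
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TUNNEL_TOOLS = {"frpc.exe", "plink.exe", "ngrok.exe"}   # RDP tunneling tools named in reporting
BACKDOOR_IMAGE = "interopservices.exe"                  # dropped and registered as a service
PUBLIC_SERVICES = {"transfer.sh", "pastebin.com", "webhook.site", "ufile.io",
                   "raw.githubusercontent.com"}         # staging / command-output channels
MINIDUMP_RE = re.compile(r"comsvcs(\.dll)?[,\s]+#?minidump", re.I)  # comsvcs MiniDump via rundll32

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def evaluate(event):
    """Return the detection tags that fire for one event (empty list if none)."""
    tags = []
    if event.get("type") == "process":
        parent, image = basename(event.get("parent", "")), basename(event.get("image", ""))
        if parent == HORIZON_TOMCAT and image in SHELLS:
            tags.append("horizon_tomcat_spawns_shell")
        if MINIDUMP_RE.search(event.get("cmdline", "")):
            tags.append("comsvcs_minidump")
        if image in TUNNEL_TOOLS:
            tags.append("tunneling_tool")
        if image == BACKDOOR_IMAGE:
            tags.append("interopservices_backdoor")
    elif event.get("type") == "network":
        host = event.get("dest_host", "").lower()
        if host in PUBLIC_SERVICES or any(host.endswith("." + s) for s in PUBLIC_SERVICES):
            tags.append("public_service_staging_or_exfil")
    return tags

def scan(events):
    """Map event index -> tags for every event that fired at least one detection."""
    return {i: tags for i, tags in ((i, evaluate(e)) for i, e in enumerate(events)) if tags}

# Constructed sample telemetry (not real logs); <...> values are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"<horizon_dir>\ws_TomcatService.exe", "cmdline": "powershell.exe -nop -w hidden",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe comsvcs.dll, MiniDump <pid> <dump_path> full"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\Public\ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    {"type": "network", "dest_host": "webhook.site"},
]
```

Each rule maps to one behaviour in the reporting above; in a real deployment the process rules would be fed from Sysmon Event ID 1 or equivalent EDR process-creation telemetry and the network rule from DNS or proxy logs.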
Tradecraft
18 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns, all 3 exploited in the wild.
"we have observed wide exploitation of Fortinet FortiOS (CVE-2018-13379)"
"we have observed wide exploitation of Fortinet FortiOS (CVE-2018-13379), Microsoft Exchange (ProxyShell)"
"and recently Log4Shell" and "focusing around exploitation of VMware Horizon Log4j vulnerabilities."
Observables
18 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
1 source tracked across advisories, community write-ups, and news.