Iranian hackers are targeting aviation, oil and gas companies in espionage scheme, researchers say

Published: May 22, 2026 — Updated: May 22, 2026

Tehran-linked hackers have masqueraded as job recruiters to court software engineers in the aviation industry, part of a broader intelligence-gathering operation that also touched a U.S. oil and gas firm and organizations in Israel and the United Arab Emirates, according to researchers at Palo Alto Networks’ Unit 42 who briefed CNN.

The campaign, unfolding amid heightened military tensions between the United States, Israel, and Iran since late February, relied on two familiar—but effective—social engineering levers: fake job postings and booby-trapped video conferencing software. In at least one instance, the operatives posed as representatives of a U.S. airline to win trust before delivering malware, Unit 42 said.

While the scope of the targeting suggests a wide net, Unit 42 told CNN its data does not indicate successful compromises at the aviation or energy companies in question. Investigators believe other entities were breached as part of the same global effort, but declined to identify them.

What the hackers appear to want

Access to aviation and energy networks can yield high-value operational and strategic insights without the need for destructive attacks. Intelligence gleaned from airline systems could, for example, help reconstruct travel patterns or flight manifests tied to the Middle East. Inside an oil and gas firm, espionage operators might study how companies are navigating supply, pricing, and logistics amid a volatile market—information that can inform sanctions evasion, economic planning, or diplomatic strategy.

It’s the kind of asymmetric activity U.S. intelligence officials have warned about in the wake of strikes involving the U.S., Israel, and Iran: espionage and influence campaigns calibrated to collect sensitive data, preserve regime situational awareness, and create leverage without escalating to overt cyber sabotage.

How the lure worked

The operation reportedly blended professional networking approaches with malicious tooling:

  • Recruitment pretext: Attackers approached engineers with tailored job opportunities, a tactic that exploits career mobility in the tech and aerospace sectors.
  • Trojanized conferencing apps: Victims were nudged to install or update video meeting software that had been altered to carry hidden payloads. The benign interface masked a backdoor capable of persistence and data collection.
  • Brand impersonation: In at least one case, a U.S. airline’s identity was spoofed to lend credibility—an increasingly common tactic in state-backed social engineering.

This style of operation leverages trust in everyday workflows. Video conferencing tools are ubiquitous; recruiters often ask candidates to hop on a call or review materials. By weaponizing routine steps, adversaries lower suspicion and sidestep traditional email-filtering defenses.

Who was in the crosshairs

According to Unit 42, the targeting included:

  • Software engineers and technical staff in the aviation sector
  • A U.S. oil and gas company
  • Organizations in Israel and the United Arab Emirates

Researchers emphasized they have not seen evidence that the aviation or energy firms initially flagged were successfully breached. However, they assess that some victims in the wider campaign did suffer compromises, details of which were not disclosed.

Why this matters now

State-aligned actors have long used social engineering to fill intelligence gaps, but the current geopolitical environment raises the stakes. Cyber operations that quietly capture corporate communications, supplier relationships, movement data, or market plans can pay outsized dividends during a crisis. For Iran, preserving decision advantage—understanding opponents’ logistics and intentions—can be as valuable as battlefield effects.

Defensive steps for aviation and energy firms

Socially engineered malware delivery is hard to halt with a single control. Enterprises in high-risk verticals should layer people, process, and technology defenses:

  • Validate recruiters and roles: Require candidates and employees to confirm job opportunities via official company domains and known HR contacts. Treat unsolicited offers—especially those asking to install software—as high risk.
  • Software acquisition hygiene: Only download conferencing and collaboration tools from verified vendor sites or managed enterprise stores. Block sideloaded installers and unsigned packages on endpoints.
  • Endpoint hardening: Enforce application allowlisting, disable or restrict script interpreters where possible, and monitor for DLL sideloading, process injection, and unusual child processes from conferencing apps.
  • Identity and access: Apply phishing-resistant MFA, just-in-time access, and device posture checks. Limit engineer privileges and segregate developer, testing, and production environments.
  • Network detection: Inspect egress traffic for anomalous beaconing, domain generation patterns, and newly registered domains that mimic brands. Quarantine suspicious traffic from collaboration apps to a monitored segment.
  • User education: Run targeted simulations for recruiting scams and “meeting invite” lures. Train staff to report requests to install tools outside normal channels.
  • Incident readiness: Pre-stage playbooks for social engineering-led intrusions, including rapid triage of conferencing apps, memory forensics, and revocation of tokens and OAuth grants tied to collaboration platforms.
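As an added illustration of the "unusual child processes from conferencing apps" check in the list above (example code written for this page, not Unit 42's tooling or any product's rule), the following Python flags process-creation events where a meeting client launches a script interpreter or LOLBin; the app and interpreter lists, hosts and paths are all assumed or constructed.

```python
"""Added detection example: conferencing app spawning an unexpected child.
Input is constructed process-creation telemetry in the style of Sysmon/EDR
events; none of it comes from the article."""
from dataclasses import dataclass

# Parent images treated as conferencing/collaboration clients (assumed list).
CONFERENCING_APPS = {"zoom.exe", "teams.exe", "ms-teams.exe", "webex.exe"}
# Children a meeting client has no legitimate reason to start (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

@dataclass
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    cmdline: str

def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious(event: ProcEvent) -> bool:
    """True when a conferencing client spawns an interpreter/LOLBin child."""
    return (basename(event.parent_image) in CONFERENCING_APPS
            and basename(event.image) in SUSPICIOUS_CHILDREN)

def find_alerts(events):
    """Return the subset of events worth raising to an analyst."""
    return [e for e in events if is_suspicious(e)]

# Constructed sample telemetry; hosts, paths and command lines are invented.
SAMPLE_EVENTS = [
    ProcEvent("eng-laptop-01", r"C:\Users\a\AppData\Roaming\Zoom\bin\Zoom.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("eng-laptop-01", r"C:\Users\a\AppData\Roaming\Zoom\bin\Zoom.exe",
              r"C:\Users\a\AppData\Roaming\Zoom\bin\CptHost.exe", "CptHost.exe"),
    ProcEvent("eng-laptop-02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent("eng-laptop-03", r"C:\Program Files\Teams\Teams.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert.host}: {basename(alert.parent_image)} -> {alert.cmdline}")
```

The rule is deliberately narrow (parent/child names only); in production it would be paired with signature checks on the conferencing binary itself, since a trojanized installer may run under the vendor's expected process name.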

The bigger picture

Job-themed lures, brand impersonation, and trojanized installers are now staple tradecraft across multiple governments and financially motivated crews. Even when initial attempts fail, repeated outreach can eventually find a distracted target. The Unit 42 findings underscore that espionage operators are investing in patient, convincing pretexts that blend seamlessly with legitimate hiring and collaboration workflows.

For defenders, the lesson is clear: assume that trusted tools and familiar business processes can be turned against you. Treat recruitment outreach and conferencing software with the same scrutiny historically applied to suspicious attachments—and tighten controls so a single misstep doesn’t become an enterprise-wide foothold.

Source: Reporting based on briefings to CNN by Palo Alto Networks’ Unit 42. The researchers said they have not confirmed successful breaches at the aviation or energy firms directly targeted, and declined to identify other victims they believe were compromised.
