In most attacks, the group deployed the Fast Reverse Proxy Client (FRPC) and Plink tools.
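As a defender-side illustration of the tooling named above, the following is an added example (not code from the article or the researchers it cites) that scans process-creation events for FRPC and Plink launches and, for Plink, for the port-forwarding flags that turn it into a tunnel. The event field names (host, image, cmdline) and the sample events are constructed assumptions about a generic endpoint log, not data from the page.

```python
"""Flag process-creation events consistent with FRPC / Plink tunnelling.

Added example for illustration; log schema and sample events are constructed.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Image names for the two tunnelling tools the article names.
PLINK_NAMES = {"plink.exe", "plink"}
FRPC_NAMES = {"frpc.exe", "frpc"}

# Plink switches that set up forwarding or suppress the interactive shell:
# -R remote forward, -L local forward, -D dynamic (SOCKS) forward, -N no shell.
PLINK_FORWARD_FLAGS = {"-R", "-L", "-D", "-N"}


@dataclass
class Alert:
    host: str
    image: str
    reason: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert if the event looks like FRPC or Plink tunnelling, else None."""
    image = _basename(event["image"])
    # posix=False keeps Windows-style quoting intact while splitting arguments.
    args = shlex.split(event["cmdline"], posix=False)
    if image in PLINK_NAMES:
        flags = sorted(a for a in args[1:] if a in PLINK_FORWARD_FLAGS)
        if flags:
            return Alert(event["host"], image, f"plink port forwarding {flags}")
        return Alert(event["host"], image, "plink execution (no forwarding flags)")
    if image in FRPC_NAMES:
        return Alert(event["host"], image, "frpc reverse-proxy client execution")
    return None


def scan(events: List[dict]) -> List[Alert]:
    """Run classify() over a batch of events and keep only the hits."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample events (hosts, paths and addresses are placeholders).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\Temp\plink.exe",
     "cmdline": "plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.5 -pw secret"},
    {"host": "web02", "image": r"C:\ProgramData\frpc.exe",
     "cmdline": "frpc.exe -c frpc.ini"},
    {"host": "ws03", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws04", "image": r"C:\Users\Public\plink.exe",
     "cmdline": "plink.exe -ssh user@203.0.113.7"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.image} -> {alert.reason}")
```

Matching on image name catches the common case but not a renamed binary, so in practice this check would be paired with the file hashes and other IOCs the vendors publish and with alerting on unexpected outbound SSH or proxy connections from servers.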
The APT35 connection
The TTPs of TunnelVision overlap with those of the Iran-linked nation-state actor APT35, also known as Phosphorus, Nemesis Kitten, and Charming Kitten.
According to researchers, the backdoor drops an executable that has an obfuscated version of a reverse shell similar to the PowerLess backdoor used by APT35 (believed to be linked with Iran) in a recent wave of attacks.
The researchers claim that the APT35 group has used a GitHub repository ‘VmWareHorizon’ linked with an account named ‘protections20,’ which is managed by a nation-state actor.
The TunnelVision APT group is active, is exploiting several flaws, and is tracked by other vendors under multiple names. Organizations are advised to share threat intelligence and make use of the provided IOCs, and to keep all software and operating systems up to date with the latest patches.