Iran-linked APT34 group has targeted a U.S. -based research company that provides services to businesses and government organizations. The attackers used a phishing document masquerading as an employee satisfaction survey for employees at the US government contractor Westat. The recent campaign appears similar to the one observed by FireEye in July 2019 when hackers were posing as a researcher from Cambridge to infect victims with three new malware. The C2 domain (manygoodnews[.]com) is still active and was created 4 months ago, experts added that a certificate was issued for the website.”]
Source: https://securityaffairs.co/wordpress/97067/apt/apt34-westat-survey.html