Threats Feed

Iranian APT group MuddyWater deployed new versions of its Android surveillanceware DCHSpy amid the Israel-Iran conflict, targeting individuals via politically themed lures such as fake Starlink VPN apps. Distributed through Telegram and disguised as legitimate VPN or banking apps, DCHSpy harvests sensitive data including WhatsApp messages, SMS, call logs, contacts, device location, and audio. The malware compresses and encrypts exfiltrated data before uploading it to an attacker-controlled SFTP server. DCHSpy shares infrastructure with SandStrike, a tool previously used to target Baháʼí practitioners. Sectors targeted include telecommunications, defense, local government, and oil and gas across the Middle East, Asia, Africa, Europe, and North America.

Since February 2025, the Iranian-aligned Pay2Key.I2P ransomware-as-a-service (RaaS) operation—linked to Fox Kitten APT and Mimic ransomware—has launched ideologically driven attacks against Western targets. With a strong presence on Russian and Chinese darknet forums, the group markets an advanced ransomware builder with capabilities for both Windows and Linux. The payloads use advanced evasion techniques, including dual CMD/PowerShell scripts, Themida packing, and AV bypass tools like “NoDefender.” Over $4 million in ransom payments and 51 successful attacks were recorded in four months. Targets are not specified by country or sector, but the campaign’s rhetoric and infrastructure indicate a focus on geopolitical adversaries of Iran.

Educated Manticore, an Iranian APT group linked to the IRGC Intelligence Organization, launched spear-phishing campaigns targeting Israeli cybersecurity experts, computer science academics, and journalists. Using personas of fake cybersecurity employees or researchers, attackers engaged victims via email and WhatsApp, luring them to phishing pages disguised as Google or Google Meet login portals. A custom React-based phishing kit captured credentials and two-factor authentication tokens in real time via WebSocket, supported by infrastructure spanning over 130 attacker-controlled domains. The campaign emphasizes credential harvesting and identity theft in support of Iranian cyber-espionage objectives amid heightened Iran–Israel tensions.

BladedFeline, an Iran-aligned APT group likely linked to OilRig (APT34), has conducted a multi-year cyberespionage campaign targeting Kurdish and Iraqi government officials as well as a telecommunications provider in Uzbekistan. Active since at least 2017, the group deployed various custom tools—including the Shahmaran and Whisper backdoors, the PrimeCache IIS module, reverse tunnels (Laret and Pinar), and several post-compromise implants—to maintain long-term access. Whisper abuses Microsoft Exchange email infrastructure for covert C2, while PrimeCache leverages malicious IIS components. This activity highlights Iran’s strategic interest in regional political and telecommunications sectors.