A different approach to analyzing and simplifying threat intelligence

Threats Feed

We are excited to announce that the preliminary editions of Threats Feed and Actors Insights are now accessible to the public. Our efforts are focused on incorporating additional practical features and beneficial resources with the intention of nurturing an informed community. Stay connected for further updates.

  1. MuddyWater Adopts Rust-Based RustyWater Implant in Middle East Espionage Campaign

    CloudSEK identified a spearphishing campaign attributed to the MuddyWater APT group targeting diplomatic, maritime, financial, telecom, education, and shipping sectors across the Middle East, including Turkmenistan, the UAE, and regional maritime organizations. The operation uses impersonated government and telecom emails to deliver malicious Word documents embedding obfuscated VBA macros. These macros drop and execute a Rust-based implant dubbed RustyWater, which provides asynchronous HTTP C2, registry persistence, anti-analysis features, and modular post-compromise capabilities. The shift from PowerShell and VBS loaders to a Rust RAT marks a significant evolution in MuddyWater’s tooling toward stealthier, long-term espionage operations.

  2. Infrastructure Ties Expose APT42 Behind Israeli-Focused Phishing Activity

    Israel’s National Cyber Directorate issued a public warning about an active spear-phishing campaign targeting individuals in security and defense-related sectors in Israel. The operation uses WhatsApp messages that impersonate a well-known organization and employ conference-themed lures to appear legitimate. Victims are redirected via shortened links, including msnl[.]ink, to a spoofed website designed to harvest personal and professional credentials, with some cases involving malicious file delivery. Infrastructure analysis links the activity to APT42, also known as Charming Kitten, based on reusable URL-shortening infrastructure and historical overlaps rather than lure content alone.

  3. UNG0801 Operation IconCat Targets Israeli Organizations via AV Icon Spoofing

    SEQRITE Labs tracked a threat cluster dubbed UNG0801 (Operation IconCat) targeting organizations in Israel during November 2025. The actor relied on Hebrew-language spear-phishing and heavy antivirus icon spoofing, abusing branding from Check Point and SentinelOne to appear legitimate. Two infection chains were identified. The first delivered a PyInstaller-packed Python implant (PYTRIC) masquerading as a security scanner and capable of destructive, wiper-like actions. The second used malicious Word macros to drop a Rust implant (RUSTRIC) focused on system discovery, antivirus enumeration, and command-and-control. Targets included IT and managed service providers, human resources and staffing firms, and software and technology companies.

  4. Prince of Persia APT Expands Long-Running Iranian Cyber Espionage Operations

    The Prince of Persia (Infy) Iranian state-linked threat actor has conducted sustained cyber espionage operations for over a decade, targeting victims primarily in Iran, with additional infections observed across Europe, Iraq, Turkey, India, and Canada. Recent research reveals a broader operational scale than previously understood, involving multiple parallel campaigns, frequent C2 rotation, and continuous malware development. The group leveraged phishing-based initial access using malicious Excel files to deploy updated variants of Foudre and Tonnerre, including Tonnerre v50, which introduced Telegram-based command-and-control. The malware ecosystem focuses on long-term surveillance, data exfiltration, and selective victim management, demonstrating high operational maturity.
