A different approach to analyzing and simplifying threat intelligence

Threats Feed

We are excited to announce that the first editions of Threats Feed and Actors Insights are now publicly available. We are working on adding more practical features and useful resources to help build an informed community. Stay tuned for further updates.

  1. Iran-Linked Threat Actor Targets Middle East Cloud Environments with Password Spraying

    An Iran-nexus threat actor conducted a sophisticated Microsoft 365 password-spraying campaign across three waves in March, primarily focusing on Israel and the UAE. Using red-team tooling and Tor exit nodes, with traffic whose user agent masqueraded as Internet Explorer 10, the attackers evaded detection based on atomic indicators and compromised accounts with weak credentials. Once a credential was obtained, the actor bypassed geo-restrictions by logging in through commercial VPNs geolocated in Israel and exfiltrated sensitive personal email data. The campaign heavily targeted local municipalities, assessed as likely supporting kinetic operations and bomb damage assessments, alongside the government, energy, aviation, maritime, and satellite sectors. Limited targeting was also observed in the US, UK, Europe, and Saudi Arabia.

  2. OilRig Supply Chain Attack: Stolen Thai IT Vendor Certificates Hide Karkoff Backdoor

    PolySwarm researchers have uncovered previously unreported cyberespionage activity by the Iranian state-sponsored threat actor OilRig (APT34). The campaign leverages a stolen Extended Validation (EV) code signing certificate from a legitimate Thai IT vendor, MOSCII Corporation, to sign malicious payloads, including the custom Karkoff backdoor. By masquerading as legitimate vendor tooling, OilRig targeted Thailand’s energy sector, specifically the Electricity Generating Authority of Thailand (EGAT). The attackers employed advanced defense evasion techniques, such as spoofing compile timestamps to 2014 and padding binaries to 10 MB to bypass automated sandbox environments. This supply chain intrusion highlights OilRig’s continued evolution in targeting critical infrastructure and government agencies through trusted vendor relationships across Southeast Asia and the Middle East.

  3. HTTP_VIP Malware Profile: System Reconnaissance and RMM Payload Delivery

    HTTP_VIP is a downloader malware attributed to the Iranian state-aligned threat actor MuddyWater. Analyzed during the early-2026 campaign dubbed "Operation Olalampo," this tool functions primarily to establish a foothold on compromised systems. It performs system reconnaissance while employing virtualization and sandbox evasion techniques to hinder defensive analysis. Following successful execution, HTTP_VIP connects to its command-and-control (C2) infrastructure to retrieve secondary payloads. Notably, the threat actors use this downloader to deploy legitimate remote monitoring and management (RMM) software, specifically AnyDesk. The deployment of AnyDesk provides persistent remote access to and control over victim environments, blending malicious activity with standard administrative tooling.

  4. Iran MOIS Cyber Actors Deploy Telegram C2 Malware Against Global Dissidents and Journalists

    Cyber actors of Iran's Ministry of Intelligence and Security (MOIS) are executing a global malware campaign targeting Iranian dissidents, journalists, and opposition groups. Using social engineering via messaging platforms, the attackers deliver first-stage malware disguised as legitimate software, such as Telegram or KeePass. Upon execution, a persistent second-stage implant establishes a command-and-control channel via Telegram bots. This allows the attackers to harvest and exfiltrate sensitive data, including screen and audio captures from active Zoom sessions. Linked to proxy groups such as "Handala Hack," these operations feed hack-and-leak campaigns and deploy custom wiper malware. The attacks ultimately aim to collect intelligence and inflict reputational damage on individuals who challenge the Government of Iran's narratives.
