A different approach to analyzing and simplifying threat intelligence

Threats Feed

The preview editions of Threats Feed and Actors Insights are now open to the public. We are adding further practical features and resources with the aim of building an informed community. Stay tuned for updates.

  1. HTTP_VIP Malware Profile: System Reconnaissance and RMM Payload Delivery

    HTTP_VIP is a downloader attributed to the Iranian state-aligned threat actor MuddyWater. Analyzed during the early-2026 campaign dubbed "Operation Olalampo," it serves to establish an initial foothold on compromised systems: it performs system reconnaissance while using virtualization and sandbox evasion to frustrate analysis, then connects to its command-and-control infrastructure to retrieve second-stage payloads. Notably, the operators use the downloader to deploy legitimate remote monitoring and management (RMM) software, specifically AnyDesk, which gives them persistent remote access to victim environments while blending in with routine administrative tooling. Because the persistence component is legitimate software that endpoint controls generally trust, detection has to rest on context (which process dropped and launched AnyDesk, from where, and under which account) rather than on the binary itself.

    read more about HTTP_VIP Malware Profile: System Reconnaissance and RMM Payload Delivery
  2. Iran MOIS Cyber Actors Deploy Telegram C2 Malware Against Global Dissidents and Journalists

    Iran's Ministry of Intelligence and Security (MOIS) cyber actors are running a global malware campaign against Iranian dissidents, journalists, and opposition groups. Using social engineering over messaging platforms, the attackers deliver first-stage malware disguised as legitimate software such as Telegram or KeePass. Once executed, a persistent second-stage implant establishes its command-and-control channel through Telegram bots, so the C2 traffic terminates at Telegram's own Bot API infrastructure rather than at attacker-owned domains; blocklisting attacker hosts does not help, and hunting has to focus on which processes are talking to the Bot API. The channel is used to harvest and exfiltrate sensitive data, including screen and audio captures from active Zoom sessions. Linked to proxy groups such as "Handala Hack," these operations feed hack-and-leak campaigns and deploy custom wiper malware. The attacks aim to collect intelligence on, and inflict reputational damage upon, individuals who challenge the Government of Iran's narratives.

    read more about Iran MOIS Cyber Actors Deploy Telegram C2 Malware Against Global Dissidents and Journalists
  3. TA453 Maintains Credential Phishing Operations Against US Think Tanks Amid Middle East Conflict

    Despite an internet shutdown following US and Israeli military strikes in late February 2026, the Iran-aligned threat actor TA453 (Charming Kitten) kept up its targeted espionage operations. Continuing an effort begun before the conflict, TA453 targeted an individual at a US-based think tank. The attackers spoofed a researcher from the Henry Jackson Society and sent spearphishing emails themed around a Middle East air defense roundtable. To build rapport, they first shared a benign document via OneDrive; once trust was established, TA453 sent a malicious link that redirected the target to a custom OneDrive-themed credential phishing page hosted on Netlify. The benign first link is genuinely Microsoft-hosted, so it is only the second link that shows the telling mismatch: a Microsoft-branded sign-in page served from a hosting platform Microsoft does not own.

    read more about TA453 Maintains Credential Phishing Operations Against US Think Tanks Amid Middle East Conflict
  4. Iranian MOIS Actors Weaponize Cybercrime Ecosystems for State Operations

    Iranian Ministry of Intelligence and Security (MOIS)-linked threat actors, such as Void Manticore and MuddyWater, are folding cybercriminal tools and affiliate networks into their state-sponsored operations. Rather than merely using cybercrime as a cover for deniability, these groups leverage commercial infostealers such as Rhadamanthys, malware-as-a-service networks such as CastleLoader, and the Qilin ransomware-as-a-service (RaaS) to extend their operational reach and muddy attribution. Recent campaigns across the Middle East, Israel, Albania, and the United States have targeted government and private-sector organizations, including telecommunications, defense, energy, and medical facilities. Notably, these operations have used ransomware branding to run destructive and extortion attacks against Israeli hospitals, achieving state objectives through the criminal ecosystem. For defenders, the practical consequence is that a commodity loader or stealer sample says little on its own about who is behind an intrusion; attribution has to weigh targeting, infrastructure, and follow-on activity alongside the tooling.

    read more about Iranian MOIS Actors Weaponize Cybercrime Ecosystems for State Operations
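As an added example for items 1 and 2 (not code from this page or from the reports it summarizes), the following Python script hunts for both behaviours over constructed Sysmon-style telemetry: an RMM binary (AnyDesk) started by something other than the installer or the user's shell, and a process reaching the Telegram Bot API host api.telegram.org whose full image path is not on an allow-list. The event lines, the hypothetical C:\Program Files\CorpBot\corpbot.exe allow-list entry, and the choice of msiexec.exe and explorer.exe as the expected AnyDesk parents are assumptions made for this example.

```python
"""Two hunting rules over constructed Sysmon-style events, matching the behaviours
in items 1 and 2 of the feed. Added example for this page; every event is invented."""
import json
from dataclasses import dataclass

# EventID 1 = process create, EventID 3 = network connect (Sysmon numbering).
# Paths, users and hostnames below are constructed for this example.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\AnyDesk.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\updater\\svc_update.exe", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
{"EventID": 3, "Image": "C:\\Program Files\\CorpBot\\corpbot.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443, "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 3, "Image": "C:\\Users\\bob\\AppData\\Roaming\\update\\Telegram.exe", "DestinationHostname": "api.telegram.org", "DestinationPort": 443, "User": "CORP\\bob"}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "www.example.com", "DestinationPort": 443, "User": "CORP\\bob"}
"""

# Item 1: the page names only AnyDesk; extend this set with the RMM tools you care about.
RMM_IMAGES = {"anydesk.exe"}
# Assumption for this example: AnyDesk is deployed via MSI or started by the user
# from Explorer. Any other parent (a dropper, a script host, an Office process) is suspect.
EXPECTED_RMM_PARENTS = {"msiexec.exe", "explorer.exe"}

# Item 2: the Bot API host every Telegram bot must reach.
TELEGRAM_BOT_API_HOST = "api.telegram.org"
# Assumption: the only sanctioned Bot API client here (hypothetical path). Match full
# paths, not file names, because the lure in item 2 is malware named like Telegram itself.
ALLOWED_BOT_API_CLIENTS = {r"c:\program files\corpbot\corpbot.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rmm_from_unexpected_parent(ev):
    """Flag an RMM binary whose parent is neither an installer nor the user's shell."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) not in RMM_IMAGES:
        return None
    parent = ev.get("ParentImage", "")
    if basename(parent) in EXPECTED_RMM_PARENTS:
        return None
    return Finding("rmm_unexpected_parent", ev["Image"], f"parent={parent}")


def unsanctioned_bot_api_client(ev):
    """Flag any connection to the Telegram Bot API from a non-allow-listed image path."""
    if ev.get("EventID") != 3:
        return None
    if ev.get("DestinationHostname", "").lower() != TELEGRAM_BOT_API_HOST:
        return None
    if ev.get("Image", "").lower() in ALLOWED_BOT_API_CLIENTS:
        return None
    return Finding("telegram_bot_api_unsanctioned", ev["Image"], f"user={ev.get('User', '?')}")


RULES = (rmm_from_unexpected_parent, unsanctioned_bot_api_client)


def hunt(raw_events):
    """Run every rule over each JSON event line; return findings in event order."""
    findings = []
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in RULES:
            finding = rule(event)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.image} ({f.detail})")
```

On the sample, only the AnyDesk copy spawned from the updater in the user's profile and the Telegram-named binary in Roaming are flagged; the MSI-installed AnyDesk and the allow-listed bot client pass. Tune the parent set and the allow-list to your own deployment before using the rules on real telemetry.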
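As an added example for item 3 (again not code from this page or from the report), here is a Python check for the mismatch described there: a landing page that presents a OneDrive/Microsoft sign-in form while the final hostname, after following the redirect chain, is not one Microsoft owns. Netlify sites live under netlify.app; the specific URLs, the redirect chain and the HTML below are constructed for the example, and the list of Microsoft domains is a deliberately short starting point rather than a complete one.

```python
"""Flags a brand sign-in page served from a domain the brand does not own.
Added example for this page; URLs, redirect chains and HTML are constructed."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains on which a genuine OneDrive / Microsoft sign-in page can legitimately
# appear. All are Microsoft-owned; the tuple is a short starting point, not complete.
BRAND_DOMAINS = {
    "onedrive": ("live.com", "microsoftonline.com", "microsoft.com",
                 "sharepoint.com", "office.com"),
}
# Words in the page title or body that mark it as themed on that brand.
BRAND_KEYWORDS = {"onedrive": ("onedrive", "microsoft")}


def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class _PageFacts(HTMLParser):
    """Extracts the <title>, visible text and whether a password field is present."""
    def __init__(self):
        super().__init__()
        self.title, self.text = "", ""
        self.has_password_field = False
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        self.text += data


@dataclass(frozen=True)
class Verdict:
    suspicious: bool
    reason: str


def check_landing_page(redirect_chain, html):
    """redirect_chain: URLs visited in order; the last one is the page that served html."""
    final_host = urlparse(redirect_chain[-1]).hostname or ""
    facts = _PageFacts()
    facts.feed(html)
    haystack = (facts.title + " " + facts.text).lower()
    for brand, keywords in BRAND_KEYWORDS.items():
        if not any(k in haystack for k in keywords):
            continue
        if not facts.has_password_field:
            # Brand-themed but asks for nothing: e.g. the benign rapport-building share.
            return Verdict(False, f"{brand}-themed page without a credential form")
        if host_matches(final_host, BRAND_DOMAINS[brand]):
            return Verdict(False, f"{brand} sign-in on a domain the brand owns ({final_host})")
        return Verdict(True, f"{brand} sign-in form served from {final_host} "
                             f"after {len(redirect_chain) - 1} redirect(s)")
    return Verdict(False, "no monitored brand on the page")


# Constructed samples mirroring the two messages in item 3; the netlify.app hostname
# is invented for this example.
SIGNIN_FORM = ("<html><head><title>OneDrive - Sign in</title></head><body>"
               "<form method='post' action='/collect'><input name='loginfmt'>"
               "<input type='password' name='passwd'></form></body></html>")
BENIGN_SHARE = (["https://onedrive.live.com/example-share"],
                "<html><head><title>OneDrive</title></head><body>"
                "<a href='#'>Roundtable agenda.docx</a></body></html>")
PHISHING_PAGE = (["https://example-tracker.invalid/c?id=1",
                  "https://example-onedrive-share.netlify.app/open"], SIGNIN_FORM)
REAL_SIGNIN = (["https://login.microsoftonline.com/example"], SIGNIN_FORM)

if __name__ == "__main__":
    for name, sample in (("benign share", BENIGN_SHARE),
                         ("phishing page", PHISHING_PAGE),
                         ("real sign-in", REAL_SIGNIN)):
        v = check_landing_page(*sample)
        print(f"{name}: {'SUSPICIOUS' if v.suspicious else 'ok'} - {v.reason}")
```

The benign first-contact share passes because it asks for nothing, the real Microsoft sign-in passes because of its host, and only the OneDrive-styled form on netlify.app is flagged. The check deliberately keys on the final host rather than the first link, since the lure URL in a campaign like this is usually a redirector.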