A different approach to analyzing and simplifying threat intelligence
Threats Feed
We are excited to announce that the preliminary editions of Threats Feed and Actors Insights are now accessible to the public. Our efforts are focused on incorporating additional practical features and beneficial resources with the intention of nurturing an informed community. Stay connected for further updates.
Dust Specter: Iran-Nexus APT Targets Iraqi Government via Custom .NET Malware
In January 2026, the Iran-nexus threat actor Dust Specter launched a targeted cyber espionage campaign against Iraqi government officials, specifically impersonating the Ministry of Foreign Affairs. Utilizing compromised government infrastructure, the group deployed undocumented .NET-based malware, including the SPLITDROP dropper and the TWINTASK/TWINTALK backdoors. The operation is characterized by sophisticated DLL side-loading techniques using legitimate binaries like VLC and WingetUI. A secondary attack chain features GHOSTFORM, a consolidated RAT that employs invisible Windows forms for delayed execution and in-memory PowerShell scripts to minimize its forensic footprint. Evidence suggests the actors leveraged generative AI to streamline code development and implemented "ClickFix" social engineering tactics to compromise targets.
MuddyWater APT's Evolving Tactics: From Macros to RMM Tool Abuse
MuddyWater APT has conducted sustained cyberespionage campaigns across the Middle East and globally, targeting telecommunications, education, insurance, IT services, and diplomatic sectors. Affected countries include Iraq, Jordan, Egypt, Israel, Malaysia, Oman, and Turkmenistan. The threat actor’s tactics have evolved significantly, shifting from traditional spear-phishing with macro-enabled Microsoft Word documents to deploying malicious HTML files and encrypted archives. Notably, the group increasingly abuses legitimate Remote Monitoring and Management (RMM) tools, such as Syncro and Atera, as initial access vectors. By distributing properly signed installer files disguised as official communications, MuddyWater successfully evades security detection, establishing persistent, stealthy footholds for long-term intelligence collection without relying on custom malware.
Operation Olalampo: MuddyWater Deploys AI-Assisted Malware in MENA Region Attacks
Operation Olalampo is a new cyber campaign by the Iranian threat group MuddyWater, targeting organizations primarily across the MENA region. Aligning with ongoing geopolitical tensions, the attacks focus on energy and marine services, system integrators, and specific individuals of interest. The adversary gains initial access by exploiting vulnerabilities on public-facing servers and distributing macro-enabled phishing documents. This campaign introduces four novel malware variants: GhostFetch, HTTP_VIP, GhostBackDoor, and a Rust-based backdoor named CHAR. Notably, CHAR leverages a Telegram bot for command-and-control and exhibits evidence of AI-assisted development. Post-exploitation activities include local reconnaissance, credential theft, and the deployment of legitimate tools like AnyDesk. Infrastructure analysis also reveals overlap with MuddyWater’s historical operations from late 2025.
SloppyMIO: AI-Assisted Malware Campaign Exploits Iran's Dey 1404 Unrest
The RedKitten campaign, observed in early 2026, targets Iranian interests, specifically NGOs and individuals documenting human rights abuses during the "Dey 1404" protests. Researchers assess the actor as Iranian state-aligned and identified "SloppyMIO," a modular .NET implant likely developed with AI assistance. The attack chain uses spearphishing with "shock lures" concerning execution lists to deliver the malware via AppDomainManager injection. The threat actor leverages legitimate infrastructure, using GitHub as a dead drop resolver for steganographic configuration, Google Drive for payload hosting, and Telegram for command and control. This campaign highlights the growing use of LLMs in rapid malware development and the exploitation of civil unrest for targeted surveillance in Iran.