A different try to analyze and simplify threat intelligence
Threats Feed
Inside APT35: Leaked Files Reveal Structured IRGC Cyber-Espionage Machine
Leaked internal documents reveal a highly structured APT35 (Charming Kitten) operation run as a quota-driven, bureaucratic intelligence unit within the IRGC IO. The materials detail coordinated, long-term cyber-espionage campaigns targeting Lebanon, Kuwait, Turkey, Saudi Arabia, South Korea, and domestic Iranian entities, with a strong focus on diplomatic, governmental, telecom, energy, and large commercial mail systems. Operators used ProxyShell, Ivanti exploits, credential replay, HERV phishing, and persistent mailbox monitoring to harvest GALs, credentials, and sensitive communications. The leak exposes end-to-end workflows: reconnaissance, exploitation, credential theft, HUMINT-focused collection, and centralized KPI reporting, confirming a mature, state-managed espionage apparatus.
Iranian APTs Link Cyber Reconnaissance to Real-World Missile Strikes
Amazon’s threat intelligence team has identified a growing trend in which nation-state actors integrate cyber operations directly into kinetic warfare. The research highlights Imperial Kitten and MuddyWater, two Iranian-linked groups that used cyber intrusions to support physical attacks. Imperial Kitten compromised AIS maritime systems and CCTV feeds to track vessels later targeted by Houthi missile strikes. MuddyWater accessed live CCTV streams in Jerusalem, providing real-time intelligence ahead of Iran’s June 2025 missile attacks. These cases show a shift toward cyber-enabled kinetic targeting, where digital reconnaissance directly informs physical military objectives, reshaping modern conflict across the Middle East’s maritime and urban environments.
UNC1549’s Advanced Espionage Campaign Against the Aerospace and Defense Ecosystem
UNC1549, a suspected Iran-nexus threat group, has conducted sustained cyber-espionage campaigns since mid-2024 targeting the aerospace, aviation, and defense sectors across the Middle East and their connected partner ecosystems. The group gained initial access through targeted spear-phishing and exploitation of trusted third-party relationships, including breakouts from Citrix and VMware VDI environments. Once inside, UNC1549 deployed custom malware families such as MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, and POLLBLEND, relying heavily on DLL search-order hijacking, reverse SSH tunnels, and Azure-based C2. Its operations focused on long-term persistence, credential theft (including DCSync attacks), stealthy lateral movement, and extensive data collection from high-value defense networks.
Inside SpearSpecter: Precision Social Engineering and TAMECAT Malware Operations
Researchers uncovered SpearSpecter, an IRGC-IO–aligned cyber-espionage campaign targeting senior defense and government officials, alongside their family members, to expand pressure on primary targets. The group uses long-term social engineering, including WhatsApp engagement and impersonation of trusted contacts, to deliver highly personalized lures. Initial access relies on crafted meeting documents, WebDAV-based delivery, and malicious LNK shortcuts that launch TAMECAT, a modular PowerShell backdoor enabling reconnaissance, credential harvesting, browser data extraction, Outlook OST theft, screenshot capture, and encrypted exfiltration. SpearSpecter employs a resilient multi-channel C2 architecture using HTTPS, Telegram, and Discord, plus Cloudflare Workers for staging, reflecting a stealthy and persistent IRGC-linked intelligence-collection effort.