A different approach to analyzing and simplifying threat intelligence
Threats Feed
We are excited to announce that the preliminary editions of Threats Feed and Actors Insights are now accessible to the public. Our efforts are focused on incorporating additional practical features and beneficial resources with the intention of nurturing an informed community. Stay connected for further updates.
TA453 Maintains Credential Phishing Operations Against US Think Tanks Amid Middle East Conflict
Despite an internet shutdown following US and Israeli military strikes in late February 2026, the Iran-aligned threat actor TA453 (Charming Kitten) maintained its targeted espionage operations. Continuing an effort initiated prior to the conflict, TA453 targeted an individual at a US-based think tank. The attackers spoofed a researcher from the Henry Jackson Society, sending spearphishing emails themed around a Middle East air defense roundtable. To build rapport, the threat actor initially shared a benign document via OneDrive. Once trust was established, TA453 delivered a malicious link that redirected the target to a custom OneDrive-themed credential phishing page hosted on Netlify to harvest their credentials.
Iranian MOIS Actors Weaponize Cybercrime Ecosystems for State Operations
Iranian Ministry of Intelligence and Security (MOIS)-linked threat actors, such as Void Manticore and MuddyWater, are actively integrating cybercriminal tools and affiliate networks into their state-sponsored operations. Moving beyond merely using cybercrime as a cover for deniability, these groups are leveraging commercial infostealers like Rhadamanthys, malware-as-a-service networks like CastleLoader, and the Qilin ransomware-as-a-service (RaaS) to enhance their operational reach and obfuscate attribution. Recent campaigns have targeted government and private sectors, including telecommunications, defense, energy, and medical facilities, across the Middle East, Israel, Albania, and the United States. Notably, these operations have utilized ransomware branding to execute destructive and extortion attacks against Israeli hospitals, fulfilling strategic state objectives through the criminal ecosystem.
Iranian APT Seedworm Targets U.S., Israel, and Canada with Novel Backdoors
The Iranian APT group Seedworm has targeted multiple organizations across the U.S., Canada, and Israel since February 2026. Leveraging custom malware, the threat actors compromised networks within the financial, aviation, software, defense, and non-profit sectors. Attackers deployed a novel JavaScript/TypeScript backdoor named Dindoor, alongside a Python-based backdoor called Fakeset. To evade detection, the group signed their payloads with digital certificates issued to "Amy Cherne" and "Donald Gay." Additionally, the attackers utilized legitimate cloud services, including Backblaze for staging and Rclone for attempted data exfiltration to Wasabi buckets. Given Seedworm’s affiliation with the Iranian Ministry of Intelligence and Security, these intrusions pose a significant espionage threat amidst current geopolitical conflicts.
Dust Specter: Iran-Nexus APT Targets Iraqi Government via Custom .NET Malware
In January 2026, the Iran-nexus threat actor Dust Specter launched a targeted cyber espionage campaign against Iraqi government officials, specifically impersonating the Ministry of Foreign Affairs. Utilizing compromised government infrastructure, the group deployed undocumented .NET-based malware, including the SPLITDROP dropper and the TWINTASK/TWINTALK backdoors. The operation is characterized by sophisticated DLL side-loading techniques using legitimate binaries like VLC and WingetUI. A secondary attack chain features GHOSTFORM, a consolidated RAT that employs invisible Windows forms for delayed execution and in-memory PowerShell scripts to minimize its forensic footprint. Evidence suggests the actors leveraged generative AI to streamline code development and implemented "ClickFix" social engineering tactics to compromise targets.