Threats Feed
Iran-Linked Threat Actor Targets Middle East Cloud Environments with Password Spraying
An Iran-nexus threat actor conducted a sophisticated Microsoft 365 password-spraying campaign across three waves in March, primarily focusing on Israel and the UAE. Utilizing red-team tools and Tor exit nodes masquerading as Internet Explorer 10, the attackers circumvented atomic indicators to compromise weak credentials. Once successful, the actor bypassed geo-restrictions using Israeli-geolocated commercial VPNs to seamlessly log in and exfiltrate sensitive personal email data. The campaign heavily targeted local municipalities—assessed as likely supporting kinetic operations and bomb damage assessments—alongside the government, energy, aviation, maritime, and satellite sectors. Limited targeting was also observed in the US, UK, Europe, and Saudi Arabia.
Iran MOIS Cyber Actors Deploy Telegram C2 Malware Against Global Dissidents and Journalists
Iran Ministry of Intelligence and Security (MOIS) cyber actors are executing a global malware campaign targeting Iranian dissidents, journalists, and opposition groups. Using social engineering via messaging platforms, attackers deliver first-stage malware disguised as legitimate software, such as Telegram or KeePass. Upon execution, a persistent second-stage implant establishes a command-and-control channel via Telegram bots. This allows the attackers to harvest and exfiltrate sensitive data, including screen and audio captures from active Zoom sessions. Linked to proxy groups like "Handala Hack," these operations fuel hack-and-leak campaigns and deploy custom wiper malware. The attacks ultimately aim to conduct intelligence collection and inflict reputational damage on individuals threatening the Government of Iran's narratives.
Boggy Serpens Evolves Tactics: Hijacked Accounts and AI-Enhanced Malware Targeting Critical Infrastructure
Iranian state-sponsored actor Boggy Serpens has escalated cyberespionage campaigns against energy, maritime, finance, aviation, and diplomatic sectors across the Middle East, Europe, Asia, and South America, notably targeting Israel, the UAE, and Turkmenistan. By hijacking trusted corporate and government email accounts, the group bypasses perimeter defenses to deliver highly tailored spear-phishing lures. Recent operations reveal a strategic shift toward stealth and long-term persistence. The group has modernized its toolkit using AI-assisted development, deploying sophisticated custom implants like the Rust-based BlackBeard backdoor, UDPGangster, Nuso, and LampoRAT. To evade detection, Boggy Serpens utilizes evasive C2 mechanisms, including Telegram API abuse, customized UDP traffic, and HTTP status code triggers, cementing its status as a highly adaptable and formidable threat.
Handala Hack: Unpacking Void Manticore’s Destructive Wiping and Hack-and-Leak Operations
Handala Hack, an Iranian MOIS-affiliated threat actor also tracked as Void Manticore, executes destructive wiping and hack-and-leak operations against targets in Israel, Albania, and the United States. They primarily target the government, telecommunications, and medical technology sectors. The group relies on compromised VPN accounts for initial access, subsequently moving laterally via RDP and the zero-trust mesh platform NetBird. Their hands-on attacks involve disabling Windows Defender and conducting extensive credential dumping via LSASS extraction and ADRecon. To maximize operational impact, Handala simultaneously deploys custom MBR and PowerShell wipers via Group Policy, leverages VeraCrypt for disk encryption, and manually deletes virtual machines, causing severe data destruction.
Iranian MOIS Actors Weaponize Cybercrime Ecosystems for State Operations
Iranian Ministry of Intelligence and Security (MOIS)-linked threat actors, such as Void Manticore and MuddyWater, are actively integrating cybercriminal tools and affiliate networks into their state-sponsored operations. Moving beyond merely using cybercrime as a cover for deniability, these groups are leveraging commercial infostealers like Rhadamanthys, malware-as-a-service networks like CastleLoader, and the Qilin ransomware-as-a-service (RaaS) to enhance their operational reach and obfuscate attribution. Recent campaigns have targeted government and private sectors, including telecommunications, defense, energy, and medical facilities—across the Middle East, Israel, Albania, and the United States. Notably, these operations have utilized ransomware branding to execute destructive and extortion attacks against Israeli hospitals, fulfilling strategic state objectives through the criminal ecosystem.
Dust Specter: Iran-Nexus APT Targets Iraqi Government via Custom .NET Malware
In January 2026, the Iran-nexus threat actor Dust Specter launched a targeted cyber espionage campaign against Iraqi government officials, specifically impersonating the Ministry of Foreign Affairs. Utilizing compromised government infrastructure, the group deployed undocumented .NET-based malware, including the SPLITDROP dropper and the TWINTASK/TWINTALK backdoors. The operation is characterized by sophisticated DLL side-loading techniques using legitimate binaries like VLC and WingetUI. A secondary attack chain features GHOSTFORM, a consolidated RAT that employs invisible Windows forms for delayed execution and in-memory PowerShell scripts to minimize its forensic footprint. Evidence suggests the actors leveraged generative AI to streamline code development and implemented "ClickFix" social engineering tactics to compromise targets.
SloppyMIO: AI-Assisted Malware Campaign Exploits Iran's Dey 1404 Unrest
The RedKitten campaign, observed in early 2026, targets Iranian interests, specifically NGOs and individuals documenting human rights abuses during the "Dey 1404" protests. Assessing the actor as Iranian state-aligned, researchers identified "SloppyMIO," a modular .NET implant likely developed with AI assistance. The attack chain utilizes spearphishing with "shock lures" regarding execution lists to deliver malware via AppDomainManager injection. The threat actor leverages legitimate infrastructure, using GitHub as a Dead Drop Resolver for steganographic configuration, Google Drive for payload hosting, and Telegram for command and control. This campaign highlights the growing use of LLMs in rapid malware development and the exploitation of civil unrest for targeted surveillance in Iran.
UNG0801 Operation IconCat Targets Israeli Organizations via AV Icon Spoofing
SEQRITE Labs tracked a threat cluster dubbed UNG0801 (Operation IconCat) targeting organizations in Israel during November 2025. The actor relied on Hebrew-language spear-phishing and heavy antivirus icon spoofing, abusing branding from Check Point and SentinelOne to appear legitimate. Two infection chains were identified. The first delivered a PyInstaller-packed Python implant (PYTRIC) masquerading as a security scanner and capable of destructive, wiper-like actions. The second used malicious Word macros to drop a Rust implant (RUSTRIC) focused on system discovery, antivirus enumeration, and command-and-control. Targets included IT and managed service providers, human resources and staffing firms, and software and technology companies.
Prince of Persia APT Expands Long-Running Iranian Cyber Espionage Operations
The Prince of Persia (Infy) Iranian state-linked threat actor has conducted sustained cyber espionage operations for over a decade, targeting victims primarily in Iran, with additional infections observed across Europe, Iraq, Turkey, India, and Canada. Recent research reveals a broader operational scale than previously understood, involving multiple parallel campaigns, frequent C2 rotation, and continuous malware development. The group leveraged phishing-based initial access using malicious Excel files to deploy updated variants of Foudre and Tonnerre, including Tonnerre v50, which introduced Telegram-based command-and-control. The malware ecosystem focuses on long-term surveillance, data exfiltration, and selective victim management, demonstrating high operational maturity.
UNK_SmudgedSerpent: A New Iranian Espionage Cluster Targeting US Policy Experts
Proofpoint uncovered a new Iranian-linked activity cluster, UNK_SmudgedSerpent, which overlaps with known groups TA453 (Charming Kitten), TA455 (Smoke Sandstorm), and TA450 (MuddyWater). Active between June and August 2025, the group targeted US-based think tank and academic experts on Iranian affairs using phishing campaigns that impersonated Brookings and Washington Institute figures. The attacks began with benign email exchanges before transitioning to credential harvesting and the deployment of remote monitoring and management (RMM) tools such as PDQConnect and ISL Online. The campaign’s infrastructure and TTPs reflect Iran’s broader intelligence-collection goals and the growing overlap between its contractor-operated cyber units.
Nimbus Manticore Expands Cyber-Espionage Campaigns Across Europe
Nimbus Manticore, an Iranian threat actor overlapping with UNC1549 and Smoke Sandstorm, has intensified its espionage operations against defense manufacturing, telecommunications, and aviation sectors in Western Europe, notably Denmark, Sweden, and Portugal. The group uses spear-phishing lures posing as HR recruiters to deliver multi-stage DLL side-loading malware via fake career portals. Its evolving toolset—MiniJunk backdoor and MiniBrowse stealer—employs advanced obfuscation, code signing, and cloud-based C2 infrastructure on Azure and Cloudflare to evade detection. The campaign reflects a highly sophisticated, well-resourced actor aligned with IRGC intelligence objectives.
Subtle Snail's MINIBIKE Campaign Uses DLL Sideloading and Azure-Proxied C2
Subtle Snail operators deploy the MINIBIKE backdoor via DLL sideloading to gain persistent, high-privilege access. The malware stages itself in the Public user's Documents folder using CopyFile2 and BITS, enforces single-instance execution with a UUID mutex, and builds a unique USERID from the username, hostname, and DLL timestamp for HTTP POST C2 over WinHTTP. Modular components include an LCG-obfuscated keylogger that writes encrypted extended0.log files, a browser stealer that uses a Chrome App-Bound decryption tool with process hollowing, and a CredUI-based Outlook/Winlogon prompt that saves stolen credentials. Operators use Azure-proxied domains for C2, automated chunked exfiltration, WinRAR archiving, and anti-analysis techniques including control flow flattening and dynamic API resolution. Targeted sectors include telecommunications organizations.
Homeland Justice Phishing Operation Hits Diplomatic and Government Sectors Globally
An Iran-aligned threat actor linked to the MOIS group Homeland Justice conducted a large-scale spear-phishing campaign in August 2025, using a compromised mailbox of the Omani Ministry of Foreign Affairs to target embassies, consulates, and international organizations worldwide. The malicious Word attachments, disguised as official diplomatic notices, executed VBA macros that decoded and dropped the sysProcUpdate malware. Targets included diplomatic and government institutions across Europe, the Middle East, Africa, Asia, and the Americas, notably during sensitive ceasefire negotiations. The operation aimed at espionage and reconnaissance, leveraging obfuscation, sandbox evasion, and encrypted C2 communication with screenai.online.
Fox Kitten-Linked Ransomware Operation Hits $4M in Geopolitical Cyber Campaign
Since February 2025, the Iranian-aligned Pay2Key.I2P ransomware-as-a-service (RaaS) operation—linked to Fox Kitten APT and Mimic ransomware—has launched ideologically driven attacks against Western targets. With a strong presence on Russian and Chinese darknet forums, the group markets an advanced ransomware builder with capabilities for both Windows and Linux. The payloads use advanced evasion techniques, including dual CMD/PowerShell scripts, Themida packing, and AV bypass tools like “NoDefender.” Over $4 million in ransom payments and 51 successful attacks were recorded in four months. Targets are not specified by country or sector, but the campaign’s rhetoric and infrastructure indicate a focus on geopolitical adversaries of Iran.
BladedFeline Targets Iraq and Kurdistan Governments with Custom Malware Arsenal
BladedFeline, an Iran-aligned APT group likely linked to OilRig (APT34), has conducted a multi-year cyberespionage campaign targeting Kurdish and Iraqi government officials as well as a telecommunications provider in Uzbekistan. Active since at least 2017, the group deployed various custom tools—including the Shahmaran and Whisper backdoors, the PrimeCache IIS module, reverse tunnels (Laret and Pinar), and several post-compromise implants—to maintain long-term access. Whisper abuses Microsoft Exchange email infrastructure for covert C2, while PrimeCache leverages malicious IIS components. This activity highlights Iran’s strategic interest in regional political and telecommunications sectors.
Global Financial Executives Hit by Multi-Stage Phishing Operation
A sophisticated spear-phishing campaign targeted CFOs and finance executives in banking, energy, insurance, and investment sectors across the UK, Canada, South Africa, Norway, South Korea, Singapore, Switzerland, France, Egypt, Saudi Arabia, and Brazil. Disguised as a Rothschild & Co recruiter, the attackers used Firebase-hosted phishing pages protected by custom CAPTCHAs to deliver multi-stage payloads. Victims who executed malicious VBS scripts unknowingly installed NetBird and OpenSSH, granting attackers persistent, encrypted remote access through hidden admin accounts and RDP activation. Trellix researchers identified infrastructure overlaps with previous nation-state campaigns but withheld attribution.
Iranian APT Impersonates German Model Agency in Espionage Operation
Suspected Iranian threat actors, likely linked to APT35 (Agent Serpens), created a fraudulent website impersonating Germany’s Mega Model Agency to conduct targeted espionage. The site collects extensive visitor data—including IP addresses, browser fingerprints, and screen resolutions—using obfuscated JavaScript to enable selective targeting. A fake model profile and inactive album link suggest planned social engineering attacks. Although no victim interaction was confirmed, the infrastructure and tactics indicate preparation for spear phishing. The campaign targets dissidents, journalists, and activists abroad, especially in Germany, aligning with the group’s history of surveillance and influence operations against Iranian opposition figures.
CyberAv3ngers’ Malware Hits IoT/OT Systems in Fuel and Energy Sectors
Team82's research details the IOCONTROL malware, a custom-built cyberweapon used by Iran-linked attackers, specifically the CyberAv3ngers group. The malware targets a range of industrial control systems (ICS) and Internet of Things (IoT) devices, notably impacting fuel management systems in Israel and the US. IOCONTROL's functionality includes communication via the MQTT protocol and features such as arbitrary code execution and self-deletion. The analysis reveals the malware's infrastructure, including its command-and-control server and the methods used to evade detection. The report concludes that IOCONTROL represents a significant threat to critical infrastructure, highlighting the ongoing geopolitical conflict.
Fake Assassination News Used in Phishing Attack Impersonating The New York Times
A phishing campaign is exploiting sensational fake news about an assassination attempt on US President-elect Donald Trump by an Iranian sniper. The campaign poses as The New York Times using the email address newyork-times@nycmail[.]com. Victims who click on the embedded link are redirected to an ESET-imitation phishing site, where they are prompted to enter corporate domain credentials. This campaign is an example of attackers using major global events, such as political elections, to amplify their efforts. The use of urgency and sensational headlines highlights the need for vigilance in verifying information.
Brute Force and MFA Push Bombing Tactics Used in Iranian Cyber Campaign
Iranian cyber actors targeted critical infrastructure sectors in the US, Canada, and Australia, including healthcare, government, energy, and IT organisations. The attackers used password spraying and MFA push bombing to obtain valid accounts and access systems such as Microsoft 365, Azure, and Citrix. They used open source tools to gain access to credentials, including Kerberos SPN enumeration and Active Directory dumps. In some cases, the attackers attempted to exploit the Netlogon vulnerability for privilege escalation. The actors also relied on living-off-the-land tools for discovery, identifying domain controllers, trusted domains and administrative accounts.
UNC1860 Targets Middle Eastern Networks with Specialized Tooling
UNC1860, an Iranian state-sponsored group likely affiliated with the Ministry of Intelligence and Security (MOIS), targets government and telecommunications sectors in the Middle East, particularly in Saudi Arabia, Qatar, and Israel. The group acts as an initial access provider, exploiting vulnerabilities in internet-facing servers and deploying web shells like STAYSHANTE. Custom tools, such as TEMPLEPLAY and VIROGREEN, allow for remote access and further exploitation. UNC1860's operations are characterised by passive backdoors, credential validation, and stealthy malware that facilitates long-term persistence and hand-off to other threat actors. It's likely that the group has supported disruptive campaigns in the region.
Malware Masquerading as Palo Alto GlobalProtect Targets Middle Eastern Organizations
Threat actors are targeting users in the Middle East with malware disguised as the Palo Alto GlobalProtect VPN tool. Likely delivered through phishing, the malware employs a two-stage infection chain initiated via a malicious setup.exe. It uses advanced command-and-control (C2) infrastructure, including newly registered domains like “sharjahconnect” and the Interactsh project for beaconing. Written in C#, the malware supports remote PowerShell execution, file download/exfiltration, and AES-encrypted communications. It also features sandbox evasion, system information gathering, and beaconing mechanisms to track infection stages. This campaign highlights significant threats to organizations in the region, particularly those reliant on VPN-based remote access.
Peach Sandstorm Targets US and UAE Critical Sectors with Tickler Malware
Between April and July 2024, Iranian state-sponsored group Peach Sandstorm deployed a custom backdoor called Tickler in intelligence-gathering operations against satellite, communications, oil and gas, and government sectors in the US and UAE. Their tactics included password spray attacks and LinkedIn-based social engineering. Tickler malware leveraged Azure infrastructure for command-and-control (C2) and utilized DLL files for persistence. Peach Sandstorm also accessed compromised Active Directory accounts to further exploit targeted environments. Their evolving tradecraft demonstrates a persistent focus on the intelligence sector, including higher education, government, and defense.
Iran-Based Hackers Target U.S. Sectors, Collaborate with Ransomware Affiliates
Iran-based cyber actors linked to the Iranian government are exploiting organisations across multiple sectors in the US, including education, finance, healthcare, defence, and local government, as well as targets in Israel, Azerbaijan, and the UAE. Since 2017, these actors have focused on gaining and monetising network access, working with ransomware affiliates such as NoEscape, Ransomhouse, and ALPHV (BlackCat). They exploit vulnerabilities in internet-facing services such as Check Point, Palo Alto Networks and Citrix. They also use tools such as AnyDesk, PowerShell, Ligolo and NGROK for persistence and command and control.