Latest Update: 23/03/2026

Threats Feed

  1. TA453 Maintains Credential Phishing Operations Against US Think Tanks Amid Middle East Conflict

    Despite an internet shutdown following US and Israeli military strikes in late February 2026, the Iran-aligned threat actor TA453 (Charming Kitten) maintained its targeted espionage operations. Continuing an effort initiated prior to the conflict, TA453 targeted an individual at a US-based think tank. The attackers spoofed a researcher from the Henry Jackson Society, sending spearphishing emails themed around a Middle East air defense roundtable. To build rapport, the threat actor initially shared a benign document via OneDrive. Once trust was established, TA453 delivered a malicious link that redirected the target to a custom OneDrive-themed credential phishing page hosted on Netlify to harvest their credentials.

  2. Iranian MOIS Actors Weaponize Cybercrime Ecosystems for State Operations

    Iranian Ministry of Intelligence and Security (MOIS)-linked threat actors, such as Void Manticore and MuddyWater, are actively integrating cybercriminal tools and affiliate networks into their state-sponsored operations. Moving beyond merely using cybercrime as a cover for deniability, these groups are leveraging commercial infostealers like Rhadamanthys, malware-as-a-service networks like CastleLoader, and the Qilin ransomware-as-a-service (RaaS) to enhance their operational reach and obfuscate attribution. Recent campaigns have targeted government and private sectors, including telecommunications, defense, energy, and medical facilities, across the Middle East, Israel, Albania, and the United States. Notably, these operations have utilized ransomware branding to execute destructive and extortion attacks against Israeli hospitals, fulfilling strategic state objectives through the criminal ecosystem.

  3. MuddyWater APT Intrusion Analysis: SSH Tunnels and Malicious FMAPP DLLs

    Huntress researchers have detailed a complete attack chain attributed to the Iranian-linked APT MuddyWater, targeting an Israeli company. The intrusion began with initial access via an RDP login, followed by extensive interactive network and Active Directory reconnaissance. The threat actor demonstrated hands-on-keyboard activity, evidenced by typographical errors during command execution. To establish persistent access and bypass network controls, the attackers utilized the native Windows OpenSSH client to create reverse SSH tunnels. Subsequently, they deployed a malicious payload via DLL side-loading, leveraging the legitimate Fortemedia application (FMAPP.exe) to execute a malicious DLL (FMAPP.dll) for command-and-control communications.

  4. Iranian APT Seedworm Targets U.S., Israel, and Canada with Novel Backdoors

    The Iranian APT group Seedworm has targeted multiple organizations across the U.S., Canada, and Israel since February 2026. Leveraging custom malware, the threat actors compromised networks within the financial, aviation, software, defense, and non-profit sectors. Attackers deployed a novel JavaScript/TypeScript backdoor named Dindoor, alongside a Python-based backdoor called Fakeset. To evade detection, the group signed their payloads with digital certificates issued to "Amy Cherne" and "Donald Gay." Additionally, the attackers utilized legitimate cloud services, including Backblaze for staging and Rclone for attempted data exfiltration to Wasabi buckets. Given Seedworm’s affiliation with the Iranian Ministry of Intelligence and Security, these intrusions pose a significant espionage threat amidst current geopolitical conflicts.

  5. Dust Specter: Iran-Nexus APT Targets Iraqi Government via Custom .NET Malware

    In January 2026, the Iran-nexus threat actor Dust Specter launched a targeted cyber espionage campaign against Iraqi government officials, specifically impersonating the Ministry of Foreign Affairs. Utilizing compromised government infrastructure, the group deployed undocumented .NET-based malware, including the SPLITDROP dropper and the TWINTASK/TWINTALK backdoors. The operation is characterized by sophisticated DLL side-loading techniques using legitimate binaries like VLC and WingetUI. A secondary attack chain features GHOSTFORM, a consolidated RAT that employs invisible Windows forms for delayed execution and in-memory PowerShell scripts to minimize its forensic footprint. Evidence suggests the actors leveraged generative AI to streamline code development and implemented "ClickFix" social engineering tactics to compromise targets.

  6. MuddyWater APT's Evolving Tactics: From Macros to RMM Tool Abuse

    MuddyWater APT has conducted sustained cyberespionage campaigns across the Middle East and globally, targeting telecommunications, education, insurance, IT services, and diplomatic sectors. Affected countries include Iraq, Jordan, Egypt, Israel, Malaysia, Oman, and Turkmenistan. The threat actor’s tactics have evolved significantly, shifting from traditional spear-phishing with macro-enabled Microsoft Word documents to deploying malicious HTML files and encrypted archives. Notably, the group increasingly abuses legitimate Remote Monitoring and Management (RMM) tools, such as Syncro and Atera, as initial access vectors. By distributing properly signed installer files disguised as official communications, MuddyWater successfully evades security detection, establishing persistent, stealthy footholds for long-term intelligence collection without relying on custom malware.

  7. Operation Olalampo: MuddyWater Deploys AI-Assisted Malware in MENA Region Attacks

    Operation Olalampo is a new cyber campaign by the Iranian threat group MuddyWater, targeting organizations primarily across the MENA region. Aligning with ongoing geopolitical tensions, the attacks focus on energy and marine services, system integrators, and specific individuals of interest. The adversary gains initial access by exploiting vulnerabilities on public-facing servers and distributing macro-enabled phishing documents. This campaign introduces four novel malware variants: GhostFetch, HTTP_VIP, GhostBackDoor, and a Rust-based backdoor named CHAR. Notably, CHAR leverages a Telegram bot for command-and-control and exhibits evidence of AI-assisted development. Post-exploitation activities include local reconnaissance, credential theft, and the deployment of legitimate tools like AnyDesk. Infrastructure analysis also reveals overlap with MuddyWater’s historical operations from late 2025.

  8. SloppyMIO: AI-Assisted Malware Campaign Exploits Iran's Dey 1404 Unrest

    The RedKitten campaign, observed in early 2026, targets Iranian interests, specifically NGOs and individuals documenting human rights abuses during the "Dey 1404" protests. Assessing the actor as Iranian state-aligned, researchers identified "SloppyMIO," a modular .NET implant likely developed with AI assistance. The attack chain utilizes spearphishing with "shock lures" regarding execution lists to deliver malware via AppDomainManager injection. The threat actor leverages legitimate infrastructure, using GitHub as a Dead Drop Resolver for steganographic configuration, Google Drive for payload hosting, and Telegram for command and control. This campaign highlights the growing use of LLMs in rapid malware development and the exploitation of civil unrest for targeted surveillance in Iran.

  9. APT42 Deploys Modular TAMECAT Backdoor Targeting Defense and Government Sectors

    APT42 utilizes TAMECAT, a modular PowerShell-based backdoor, to target high-value senior defense and government officials. Israel’s National Digital Agency reports that the group employs social engineering to gain initial access. The infection chain begins with a VBScript that profiles antivirus software via WMI to determine whether to deploy PowerShell or Command Shell downloaders. TAMECAT features sophisticated capabilities, including screen capture, Chrome data collection, and Microsoft Edge remote debugging. It leverages legitimate services like Telegram and Discord for Command and Control (C2). Data is encrypted via AES and exfiltrated to domains such as glitch[.]me, demonstrating APT42's focus on stealth and persistent espionage operations.

  10. RustyStealer’s Evolution: Tracking MuddyWater’s Rust Implant from Experimentation to Stealth

    The report analyzes the evolution of RustyStealer (also referenced as RustyWater or Archer RAT), a Rust-based post-compromise implant observed in MuddyWater-attributed activity. By correlating build artefacts, compiler metadata, dependency drift, TLSH similarity, and API-level changes, the analysis reconstructs a development timeline from early baseline builds to a more mature v2.0 architecture. Rather than linear feature growth, the samples reveal experimentation, rollback, and consolidation. A short-lived asynchronous I/O refactor was abandoned in favor of improved stability, while later versions emphasize stealth through native NT API usage, runtime string obfuscation, and restored host fingerprinting.

  11. MuddyWater Malware Exposes Developer Build Artifacts Through Poor OPSEC

    The report analyzes a newly observed MuddyWater malware sample that exposes extensive build and development artifacts due to improper binary stripping. Delivered via a malicious Word document containing VBA macros, the payload reconstructs and executes a Rust-based executable on disk. Analysis of leftover strings reveals detailed insights into the actor’s development environment, including a Windows-based build host, MSVC Rust toolchain, local Cargo usage, and a recurring username embedded in build paths. These artifacts indicate locally compiled tooling with minimal release hardening and weak OPSEC. The findings highlight how developer mistakes can provide durable fingerprints for clustering, campaign tracking, and long-term threat hunting, beyond traditional infrastructure indicators.

  12. MuddyWater Adopts Rust-Based RustyWater Implant in Middle East Espionage Campaign

    CloudSEK identified a spearphishing campaign attributed to the MuddyWater APT group targeting diplomatic, maritime, financial, telecom, education, and shipping sectors across the Middle East, including Turkmenistan, the UAE, and regional maritime organizations. The operation uses impersonated government and telecom emails to deliver malicious Word documents embedding obfuscated VBA macros. These macros drop and execute a Rust-based implant dubbed RustyWater, which provides asynchronous HTTP C2, registry persistence, anti-analysis features, and modular post-compromise capabilities. The shift from PowerShell and VBS loaders to a Rust RAT marks a significant evolution in MuddyWater’s tooling toward stealthier, long-term espionage operations.

  13. Infrastructure Ties Expose APT42 Behind Israeli-Focused Phishing Activity

    Israel’s National Cyber Directorate issued a public warning about an active spear-phishing campaign targeting individuals in security and defense-related sectors in Israel. The operation uses WhatsApp messages that impersonate a well-known organization and employ conference-themed lures to appear legitimate. Victims are redirected via shortened links, including msnl[.]ink, to a spoofed website designed to harvest personal and professional credentials, with some cases involving malicious file delivery. Infrastructure analysis links the activity to APT42, also known as Charming Kitten, based on reusable URL-shortening infrastructure and historical overlaps rather than lure content alone.

  14. UNG0801 Operation IconCat Targets Israeli Organizations via AV Icon Spoofing

    SEQRITE Labs tracked a threat cluster dubbed UNG0801 (Operation IconCat) targeting organizations in Israel during November 2025. The actor relied on Hebrew-language spear-phishing and heavy antivirus icon spoofing, abusing branding from Check Point and SentinelOne to appear legitimate. Two infection chains were identified. The first delivered a PyInstaller-packed Python implant (PYTRIC) masquerading as a security scanner and capable of destructive, wiper-like actions. The second used malicious Word macros to drop a Rust implant (RUSTRIC) focused on system discovery, antivirus enumeration, and command-and-control. Targets included IT and managed service providers, human resources and staffing firms, and software and technology companies.

  15. Prince of Persia APT Expands Long-Running Iranian Cyber Espionage Operations

    The Prince of Persia (Infy) Iranian state-linked threat actor has conducted sustained cyber espionage operations for over a decade, targeting victims primarily in Iran, with additional infections observed across Europe, Iraq, Turkey, India, and Canada. Recent research reveals a broader operational scale than previously understood, involving multiple parallel campaigns, frequent C2 rotation, and continuous malware development. The group leveraged phishing-based initial access using malicious Excel files to deploy updated variants of Foudre and Tonnerre, including Tonnerre v50, which introduced Telegram-based command-and-control. The malware ecosystem focuses on long-term surveillance, data exfiltration, and selective victim management, demonstrating high operational maturity.

  16. MuddyWater Deploys UDPGangster Backdoor in Regional Espionage Campaigns

    UDPGangster is a UDP-based backdoor used in recent MuddyWater cyber espionage campaigns targeting Turkey, Israel, and Azerbaijan. The attacks rely on phishing emails delivering malicious macro-enabled Word documents that decode and execute the payload. Once installed, the malware establishes persistence, performs extensive anti-analysis and sandbox evasion checks, and communicates with its C2 over non-standard UDP channels to execute commands, exfiltrate files, and deploy additional payloads. Related samples and shared infrastructure, including overlap with the Phoenix backdoor, confirm MuddyWater attribution across these regionally focused intrusions.

  17. MuddyWater Deploys New Toolset in Targeted Attacks on Israel and Egypt

    ESET researchers uncovered a new MuddyWater campaign targeting organizations in Israel and one in Egypt, primarily within the telecommunications, government, oil and energy, and manufacturing sectors. The Iran-aligned group deployed a suite of newly developed tools, including the Fooder reflective loader and MuddyViper, a C/C++ backdoor capable of credential theft, system reconnaissance, and file operations. Additional stealers such as CE-Notes, LP-Notes, and Blub, along with customized go-socks5 reverse tunnels, enhanced persistence and defense evasion. The campaign also revealed operational overlap with Lyceum, indicating MuddyWater’s role as an initial access broker. Activity ran from September 30, 2024 to March 18, 2025.

  18. Inside APT35: Leaked Files Reveal Structured IRGC Cyber-Espionage Machine

    Leaked internal documents reveal a highly structured APT35 (Charming Kitten) operation run as a quota-driven, bureaucratic intelligence unit within the IRGC IO. The materials detail coordinated, long-term cyber-espionage campaigns targeting Lebanon, Kuwait, Turkey, Saudi Arabia, South Korea, and domestic Iranian entities, with a strong focus on diplomatic, governmental, telecom, energy, and large commercial mail systems. Operators used ProxyShell, Ivanti exploits, credential replay, HERV phishing, and persistent mailbox monitoring to harvest GALs, credentials, and sensitive communications. The leak exposes end-to-end workflows: reconnaissance, exploitation, credential theft, HUMINT-focused collection, and centralized KPI reporting, confirming a mature, state-managed espionage apparatus.

  19. Iranian APTs Link Cyber Reconnaissance to Real-World Missile Strikes

    Amazon’s threat intelligence team has identified a growing trend in which nation-state actors integrate cyber operations directly into kinetic warfare. The research highlights Imperial Kitten and MuddyWater, two Iranian-linked groups that used cyber intrusions to support physical attacks. Imperial Kitten compromised AIS maritime systems and CCTV feeds to track vessels later targeted by Houthi missile strikes. MuddyWater accessed live CCTV streams in Jerusalem, providing real-time intelligence ahead of Iran’s June 2025 missile attacks. These cases show a shift toward cyber-enabled kinetic targeting, where digital reconnaissance directly informs physical military objectives, reshaping modern conflict across the Middle East’s maritime and urban environments.

  20. UNC1549’s Advanced Espionage Campaign Against the Aerospace and Defense Ecosystem

    UNC1549, a suspected Iran-nexus threat group, has conducted sustained cyber espionage campaigns since mid-2024 targeting the aerospace, aviation, and defense sectors across the Middle East and connected partner ecosystems. The group gained initial access through targeted spear-phishing and exploitation of trusted third-party relationships, including breakouts from Citrix and VMware VDI environments. Once inside, UNC1549 deployed custom malware families such as MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, and POLLBLEND, heavily relying on DLL search order hijacking, reverse SSH tunnels, and Azure-based C2. Their operations focused on long-term persistence, credential theft (including DCSync attacks), stealthy lateral movement, and extensive data collection from high-value defense networks.

  21. Inside SpearSpecter: Precision Social Engineering and TAMECAT Malware Operations

    Researchers uncovered SpearSpecter, an IRGC-IO–aligned cyber-espionage campaign targeting senior defense and government officials, alongside their family members, to expand pressure on primary targets. The group uses long-term social engineering, including WhatsApp engagement and impersonation of trusted contacts, to deliver highly personalized lures. Initial access relies on crafted meeting documents, WebDAV-based delivery, and malicious LNK shortcuts that launch TAMECAT, a modular PowerShell backdoor enabling reconnaissance, credential harvesting, browser data extraction, Outlook OST theft, screenshot capture, and encrypted exfiltration. SpearSpecter employs a resilient multi-channel C2 architecture using HTTPS, Telegram, and Discord, plus Cloudflare Workers for staging, reflecting a stealthy and persistent IRGC-linked intelligence-collection effort.

  22. UNK_SmudgedSerpent: A New Iranian Espionage Cluster Targeting US Policy Experts

    Proofpoint uncovered a new Iranian-linked activity cluster, UNK_SmudgedSerpent, which overlaps with known groups TA453 (Charming Kitten), TA455 (Smoke Sandstorm), and TA450 (MuddyWater). Active between June and August 2025, the group targeted US-based think tank and academic experts on Iranian affairs using phishing campaigns that impersonated Brookings and Washington Institute figures. The attacks began with benign email exchanges before transitioning to credential harvesting and the deployment of remote monitoring and management (RMM) tools such as PDQConnect and ISL Online. The campaign’s infrastructure and TTPs reflect Iran’s broader intelligence-collection goals and the growing overlap between its contractor-operated cyber units.

  23. MuddyWater Unveils New Espionage Toolkit in Global Phishing Campaign

    Group-IB uncovered a global phishing campaign by the Iran-linked APT MuddyWater, targeting international and humanitarian organizations across the Middle East, Europe, Africa, and North America. The group used a compromised mailbox accessed via NordVPN to send phishing emails with malicious Word documents containing VBA macros that deployed the Phoenix backdoor v4 through the FakeUpdate injector. The malware achieved persistence via Winlogon registry keys and COM hijacking, while a custom browser credential stealer and RMM tools (PDQ, Action1) facilitated remote access and credential harvesting. The campaign reflects MuddyWater’s evolving espionage capabilities and integration of custom and legitimate tools for stealth operations.

  24. Nimbus Manticore Expands Cyber-Espionage Campaigns Across Europe

    Nimbus Manticore, an Iranian threat actor overlapping with UNC1549 and Smoke Sandstorm, has intensified its espionage operations against defense manufacturing, telecommunications, and aviation sectors in Western Europe, notably Denmark, Sweden, and Portugal. The group uses spear-phishing lures posing as HR recruiters to deliver multi-stage DLL side-loading malware via fake career portals. Its evolving toolset—MiniJunk backdoor and MiniBrowse stealer—employs advanced obfuscation, code signing, and cloud-based C2 infrastructure on Azure and Cloudflare to evade detection. The campaign reflects a highly sophisticated, well-resourced actor aligned with IRGC intelligence objectives.
