Top Middle East Cyber Threats – 05 May 2026

By Help AG

Help AG’s Managed Security Services (MSS) team delivers 24x7x365 monitoring across complex enterprise environments, providing continuous visibility into emerging cybersecurity threats across the region.  

Handala Actors Launch Hybrid Disruption Campaign 

Handala (also known as Void Manticore, Storm-0842, and BANISHED KITTEN) is conducting a campaign targeting military personnel in the region. 

Personnel have received WhatsApp messages from a spoofed business number warning of missile and drone strikes. In parallel, the group has claimed via Telegram to have published the personal data of 2,379 personnel. 

This activity forms part of an ongoing campaign that began in early 2026. In a previous incident, the group claimed to have wiped over 200,000 systems across 79 countries, allegedly leveraging compromised Microsoft Intune Global Administrator accounts; the affected organisation confirmed operational disruption. Handala uses multiple wiper variants, including BiBi Wiper, Hamsa (Linux), CoolWipe, and ChillWipe, and leverages the Telegram Bot Application Programming Interface (API) for command-and-control (C2). 

Recommendations 

  • Block identified Internet Protocol (IP) addresses.  
  • Monitor Microsoft Intune and administrator accounts for abnormal reset activity.  
  • Advise personnel to treat unsolicited WhatsApp messages with caution.  
  • Monitor endpoints for wiper activity.  
  • Enforce phishing-resistant Multi-Factor Authentication (MFA) for privileged accounts.  
  • Inspect emails referencing incident recovery tools.  
  • Restrict Telegram Bot API traffic where not required.  

 

BlueNoroff Conducts Social Engineering Campaign Targeting Cryptocurrency Organisations 

BlueNoroff conducts targeted intrusions against Web3 and cryptocurrency organisations using social engineering techniques. 

Attackers send fake Zoom invitations that redirect to malicious interfaces, enabling webcam capture and execution of hidden commands. The activity includes credential theft from cryptocurrency wallets, Telegram session takeover, and persistence. 

Stolen data is reused to develop more convincing lures, including deepfake content. Targets include individuals with access to cryptocurrency assets. 

Recommendations 

  • Strengthen email security with Multi-Factor Authentication (MFA) and threat protection.  
  • Conduct phishing-focused awareness training.  
  • Monitor for unusual PowerShell and network activity.  
  • Deploy Endpoint Detection and Response (EDR).  
  • Regularly review security policies.  

 

APT-C-49 Conducts Multi-Stage Spear-Phishing Campaign 

APT-C-49 (also known as OilRig or APT34) conducts spear-phishing campaigns using macro-enabled Excel files themed on regional events. 

Macros trigger a multi-stage attack using compiled C# code, retrieving data from GitHub, extracting hidden content from Google Drive images, and loading modules in memory. Persistence is established through scheduled tasks, with communication over the Telegram Bot Application Programming Interface (API). 

Recommendations 

  • Block macro-enabled Excel files from untrusted sources.  
  • Disable macros and enforce “Block macros from the Internet.”  
  • Strengthen email filtering for phishing detection.  
  • Monitor scripting tools and suspicious compilation activity.  
  • Apply application allowlisting.  
  • Detect unusual scheduled task creation.  
  • Restrict non-essential access to GitHub, Google Drive, and Telegram.  
  • Monitor outbound traffic for command-and-control (C2).  
  • Deploy Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR).  
  • Enforce least privilege and maintain patching. 
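Both the Handala and APT-C-49 sections above describe C2 over the Telegram Bot API, and every Bot API call has the shape https://api.telegram.org/bot<token>/<method>, which makes it straightforward to surface in web proxy logs. The following Python is an added detection example, not code from the advisory or from Help AG: it parses constructed sample proxy lines in an assumed four-field format (timestamp, source host, method, URL), skips an assumed allowlist of hosts with a business need for the API, and reports per-host call counts, API methods and bot ids with the token secret redacted.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the advisory); assumed format:
# <timestamp> <source host> <HTTP method> <URL>
SAMPLE_PROXY_LOG = """\
2026-05-04T09:12:01Z ws-finance-07 POST https://api.telegram.org/bot123456789:AAFakeTokenExample/sendDocument
2026-05-04T09:12:04Z ws-finance-07 GET https://api.telegram.org/bot123456789:AAFakeTokenExample/getUpdates?offset=1
2026-05-04T09:13:10Z ws-hr-02 GET https://www.microsoft.com/en-us/
2026-05-04T09:14:22Z srv-chatops-01 POST https://api.telegram.org/bot987654321:AABotUsedByChatOps/sendMessage
2026-05-04T09:15:00Z ws-finance-07 GET https://api.telegram.org/bot123456789:AAFakeTokenExample/getUpdates?offset=2
"""

# Assumed allowlist: hosts with an approved business need for the Telegram Bot API.
ALLOWED_HOSTS = {"srv-chatops-01"}

# Bot API URLs always look like https://api.telegram.org/bot<token>/<method>[?query].
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)"
)


def redact_token(token: str) -> str:
    """Keep only the numeric bot id (before the colon) so analysts can pivot
    on it without the alert itself storing the secret part of the token."""
    bot_id = token.split(":", 1)[0]
    return f"{bot_id}:<redacted>"


def find_bot_api_alerts(log_text: str, allowed_hosts=ALLOWED_HOSTS):
    """Return {host: {count, methods, bot_ids}} for every non-allowlisted host
    that made Telegram Bot API calls. Lines that do not fit the assumed
    four-field format are ignored rather than raising."""
    per_host = defaultdict(lambda: {"count": 0, "methods": set(), "bot_ids": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, host, _http_method, url = parts
        m = BOT_API_RE.match(url)
        if m is None or host in allowed_hosts:
            continue
        entry = per_host[host]
        entry["count"] += 1
        entry["methods"].add(m.group("method"))
        entry["bot_ids"].add(redact_token(m.group("token")))
    # Sorted lists make the output stable for SIEM ingestion and for tests.
    return {
        host: {"count": e["count"], "methods": sorted(e["methods"]),
               "bot_ids": sorted(e["bot_ids"])}
        for host, e in per_host.items()
    }
```

A host that polls getUpdates repeatedly, as ws-finance-07 does in the sample, is the pattern to prioritise, since that is how a bot-based implant receives operator commands.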

 

Google Chrome Addresses High-Severity Sandbox Escape Vulnerability 

Google has released a Chrome security update addressing a high-severity vulnerability: 

  • CVE-2026-7359 (Chrome): A use-after-free vulnerability in ANGLE affecting versions prior to 147.0.7727.138. A remote attacker who has already compromised the renderer process could exploit this issue using a crafted HTML page to perform a sandbox escape.  

Chromium rates this vulnerability as High severity. 

Recommendations 

  • Ensure all systems are patched and updated.  
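Confirming that a fleet is at or above the fixed build 147.0.7727.138 is the practical check behind the recommendation above, and it is easy to get wrong because Chrome version strings compare incorrectly as plain text ("147.0.7727.99" sorts after "147.0.7727.138"). The following Python is an added example, not code from the advisory or from Help AG: it triages a constructed inventory snapshot (assumed hostname-to-version mapping) against the fixed version using numeric comparison.

```python
from typing import Dict, List, Optional, Tuple

# Fixed Chrome build named in the advisory for CVE-2026-7359.
FIXED_VERSION = "147.0.7727.138"

# Constructed inventory snapshot (hostname -> reported Chrome version); assumed
# to come from an endpoint management export. None means no version reported.
SAMPLE_INVENTORY: Dict[str, Optional[str]] = {
    "ws-finance-07": "147.0.7727.99",    # older patch number, still vulnerable
    "ws-hr-02": "147.0.7727.138",        # exactly the fixed build
    "ws-legal-11": "146.0.7690.210",     # older major version
    "ws-dev-03": "148.0.7801.5",         # newer than the fix
    "ws-unknown-01": None,               # agent did not report a version
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.build.patch' into a tuple of ints so that comparison
    is numeric per component rather than character by character."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)  # type: ignore[return-value]


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(inventory: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Split hosts into vulnerable, patched and unknown. Hosts with no reported
    version are listed separately so they are chased rather than silently
    counted as patched."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        if version is None:
            result["unknown"].append(host)
        elif is_vulnerable(version):
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result
```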
 
Spring Framework Vulnerabilities Impact Web Applications 

VMware has released updates addressing three vulnerabilities in the Spring Framework: 

  • CVE-2026-22745 (Medium): Spring Model View Controller (MVC) and WebFlux applications are exposed to denial-of-service (DoS) conditions when serving static resources on Windows systems. Specially crafted requests can keep HTTP connections open, exhausting resources.  
  • CVE-2026-22740: WebFlux applications handling multipart requests may fail to delete temporary files, leading to disk space exhaustion.  
  • CVE-2026-22741: Spring MVC and WebFlux applications may be vulnerable to cache poisoning when static resource caching is enabled with encoded resource resolution, allowing incorrect content to be injected into cache.  

Recommendations 

  • Ensure all systems are patched and updated. 

 

REFERENCES 

https://socradar.io/blog/handala-hack-us-doxxing-troop-bahrain/ 

https://arcticwolf[.]com/resources/blog-uk/bluenoroff-uses-clickfix-fileless-powershell-ai-generated-fake-zoom-meetings-to-target-web3-sector/ 

https://www.360.cn/n/13004.html 

https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html 
https://issues.chromium.org/issues/496284494 

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3[.]1 
https://spring.io/security/cve-2026-22745
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3[.]1 
https://spring.io/security/cve-2026-22740 
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L&version=3[.]1 
https://spring.io/security/cve-2026-22741 
