Help AG’s Managed Security Services (MSS) team delivers 24x7x365 monitoring across complex enterprise environments, providing continuous visibility into emerging cybersecurity threats across the region.
MuddyWater APT Group Uses Ransomware as Cover for Targeted Espionage
Rapid7 investigated an intrusion initiated through social engineering conducted via Microsoft Teams. The threat actor harvested credentials and established persistence using remote management tools, including DWAgent. The activity initially resembled a Chaos ransomware incident; however, forensic analysis attributed the operation to MuddyWater (Seedworm), an Advanced Persistent Threat group. The intrusion involved deployment of a custom Remote Access Trojan (RAT) named Game.exe, masquerading as a legitimate Microsoft WebView2 component. Post-compromise activity prioritised persistence, remote access, and data exfiltration.
Recommendations:
- Deliver social engineering awareness training, with a focus on identifying suspicious activity across platforms such as Microsoft Teams.
- Enforce Multi-Factor Authentication (MFA) and monitor for unusual login activity or bypass attempts.
- Deploy Endpoint Detection and Response (EDR) solutions to detect malicious payloads and suspicious behaviour.
- Keep systems and software up to date through timely patching.
- Apply network segmentation to limit the impact of any potential compromise.
- Subscribe to threat intelligence feeds for Indicators of Compromise (IoCs) and emerging threats.
- Conduct regular security assessments and penetration testing.
- Prioritise monitoring for anomalous activity such as unexpected remote access or data exfiltration, rather than relying solely on signature-based detection.
Government Entities Targeted in ProxyShell-Driven Espionage Campaign
A state-linked threat actor conducted a large-scale espionage campaign targeting multiple government entities across the Middle East, with the Ministry of Justice and Legal Affairs (MJLA) identified as the primary victim. The attackers exploited ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), deployed ASP.NET webshells, and used PowerShell and Structured Query Language (SQL) commands to move laterally, escalate privileges, and exfiltrate data.
Stolen data reportedly included user records, judicial case information, registry hives (system configuration data), and national identity records. The campaign employed a Python-based Command-and-Control (C2) infrastructure, reverse shells, SOCKS5 proxying, and privilege escalation tools such as GodPotato.
Recommendations:
- Audit internet-facing Microsoft Exchange servers and apply patches for ProxyShell vulnerabilities if not already in place.
- Scan web servers for ASP.NET webshells, particularly under DotNetNuke (DNN) /Portals/0/ paths.
- Harden DotNetNuke Content Management System (CMS) deployments and audit membership tables for signs of unauthorised access.
- Review scheduled tasks across endpoints for suspicious entries mimicking legitimate software update processes.
- Enable PowerShell logging and script block logging to detect unauthorised command execution.
- Monitor EDR telemetry for GodPotato and reflective loading techniques.
- Apply network segmentation to limit lateral movement between environments.
- Review outbound traffic on non-standard ports (8000, 8001, 8002) for beaconing behaviour.
- Monitor Windows registry hive files (Security Account Manager (SAM) and SYSTEM) for unauthorised staging under C:\Windows\Temp.
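Three of the recommendations above can be expressed as detection logic: ASP.NET files written under the DNN /Portals/0/ path, SAM or SYSTEM hives staged under C:\Windows\Temp, and outbound connections on ports 8000-8002 that recur at near-constant intervals. The script below is an added example run over constructed telemetry, not code from the Rapid7 or GBHackers reporting; the record layouts, hostnames and addresses are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

WATCHED_PORTS = {8000, 8001, 8002}              # non-standard ports named above
WEBSHELL_RE = re.compile(r"[\\/]Portals[\\/]0[\\/].*\.(aspx|ashx|asmx)$", re.I)
HIVE_RE = re.compile(r"^C:\\Windows\\Temp\\(?:.*\\)?(SAM|SYSTEM)(\.\w+)?$", re.I)

# Constructed file-write events: (host, path)
FILE_EVENTS = [
    ("web01", r"C:\inetpub\wwwroot\dnn\Portals\0\Images\logo.png"),
    ("web01", r"C:\inetpub\wwwroot\dnn\Portals\0\update.aspx"),
    ("dc01", r"C:\Windows\Temp\SAM"),
    ("dc01", r"C:\Windows\Temp\SYSTEM.hiv"),
    ("ws07", r"C:\Windows\Temp\install.log"),
]
# Constructed outbound connections: (seconds, host, dst_ip, dst_port)
CONN_EVENTS = (
    [(t, "web01", "203.0.113.7", 8001) for t in range(0, 600, 60)]      # exact 60 s
    + [(t, "app02", "203.0.113.7", 8002) for t in (0, 58, 121, 179, 242, 300)]
    + [(0, "ws07", "198.51.100.4", 8000), (400, "ws07", "198.51.100.4", 8000)]
    + [(t, "ws07", "192.0.2.9", 443) for t in range(0, 600, 60)]       # not watched
)


def flag_file_events(events):
    """Return (host, path, reason) for writes matching either path pattern."""
    hits = []
    for host, path in events:
        if WEBSHELL_RE.search(path):
            hits.append((host, path, "aspnet-file-under-portals-0"))
        elif HIVE_RE.match(path):
            hits.append((host, path, "registry-hive-staged-in-temp"))
    return hits


def beaconing_pairs(conns, min_hits=5, max_jitter=0.2):
    """Return (host, dst_ip, port) whose connections on a watched port recur at
    near-constant intervals: coefficient of variation of gaps <= max_jitter."""
    by_pair = defaultdict(list)
    for ts, host, dst, port in sorted(conns, key=lambda c: c[0]):
        if port in WATCHED_PORTS:
            by_pair[(host, dst, port)].append(ts)
    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < max(min_hits, 2):
            continue                      # too few samples to judge regularity
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged.append(pair)
    return flagged
```

The jitter threshold is what separates a scheduled beacon from ordinary bursty traffic; tune min_hits and max_jitter to the sampling interval of the telemetry you actually have.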
Microsoft Releases Security Fixes for Agent Package Manager (APM)
Microsoft has released three security fixes for its APM tool, all addressed in version 0.13.0:
- CVE-2026-46383 (Medium) – A flaw in archive extraction on Windows (versions prior to 0.13.0) allows unsafe handling of tar files during legacy bundle probing, potentially enabling an attacker to write files outside the intended directory via malicious archive entries.
- CVE-2026-45539 (High) – Versions 0.5.4 to 0.12.4 are vulnerable to symlink-based file injection during package installation, allowing an attacker to plant unintended files into project directories by manipulating symbolic links.
- CVE-2026-44641 (High) – Prior to version 0.8.12, improper validation of plugin paths allows an attacker to traverse directory boundaries or supply absolute paths, enabling unauthorised file access during plugin installation.
Recommendation:
- Update to version 0.13.0 (or 0.8.12 for the plugin path issue) immediately.
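The three APM issues are one class of bug: an archive entry or plugin path that escapes the install root because it is absolute, contains '..', or passes through a planted symlink. The containment check below is an added example, not code from Microsoft's apm; the function names and the constructed symlink scenario are assumptions, and the same check is applied to each tar member's name.

```python
import tempfile
from os.path import lexists
from pathlib import Path, PurePosixPath, PureWindowsPath
from tarfile import TarFile


def safe_destination(root: Path, entry_name: str) -> Path:
    """Return root/entry_name only if it provably stays inside root. Rejects
    absolute names (plugin-path class), '..' components (tar and plugin traversal
    class) and a planted symlink that resolves outside root (symlink class)."""
    posix = PurePosixPath(entry_name.replace("\\", "/"))
    if posix.is_absolute() or PureWindowsPath(entry_name).drive:
        raise ValueError(f"absolute path rejected: {entry_name!r}")
    if ".." in posix.parts:
        raise ValueError(f"traversal rejected: {entry_name!r}")
    root_real = root.resolve()
    target = root_real.joinpath(*posix.parts)
    # Resolve the deepest ancestor that already exists (lexists also sees a
    # dangling link) so a symlink is caught before anything is written through it.
    probe = target
    while probe != root_real and not lexists(probe):
        probe = probe.parent
    if not probe.resolve().is_relative_to(root_real):
        raise ValueError(f"symlink escape rejected: {entry_name!r}")
    return target


def unsafe_tar_members(root: Path, archive: TarFile) -> list[str]:
    """Names of members that fail containment; a symlink member is also judged by
    where its link target would land ('..' in a target is rejected outright)."""
    bad = []
    for m in archive.getmembers():
        try:
            safe_destination(root, m.name)
            if m.issym():
                safe_destination(root, str(PurePosixPath(m.name).parent / m.linkname))
        except ValueError:
            bad.append(m.name)
    return bad


def make_scenario() -> Path:
    """Constructed scenario (not from the advisories): a fresh project root whose
    'plugins' entry is a symlink to a directory outside it."""
    tmp = Path(tempfile.mkdtemp())
    root, outside = tmp / "project", tmp / "outside"
    root.mkdir()
    outside.mkdir()
    (root / "plugins").symlink_to(outside, target_is_directory=True)
    return root
```

On Python 3.12 and later, tarfile's extraction filters cover the archive case; the explicit check still matters for plugin paths and for any existing symlink already sitting in the install root.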
Google Chrome Addresses Three Medium-Severity Flaws
Google Chrome version 148.0.7778.168 resolves three security vulnerabilities:
- CVE-2026-8528 (Medium) – Inadequate input validation in Chrome’s Site Isolation allowed a remote attacker with an already-compromised renderer process to break out of the browser’s sandboxing boundary via a specially crafted webpage.
- CVE-2026-8563 (Medium) – Insufficient policy enforcement in Chrome’s IFrame Sandbox on Windows allowed a remote attacker to bypass intended navigation restrictions via a specially crafted webpage.
- CVE-2026-8566 (Medium) – Insufficient policy enforcement in Chrome’s Payments component on Android allowed a remote attacker to circumvent access controls via a specially crafted webpage.
Recommendation:
- Ensure all systems are updated to Chrome version 148.0.7778.168 or later.
VMware Patches High-Severity Privilege Escalation Flaw in Fusion
VMware has released a fix for a high-severity vulnerability in VMware Fusion:
- CVE-2026-41702 (High) – A Time-of-Check Time-of-Use (TOCTOU) vulnerability in a Set User Identifier (SETUID) binary operation allows a local non-administrative user to escalate privileges to root on affected systems.
Recommendation:
- Apply the latest VMware Fusion update immediately.
References
https://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware
https://gbhackers.com/iran-linked-hackers-target-oman-ministries/
https://github.com/microsoft/apm/security/advisories/GHSA-mq5j-pw29-jcv3
https://github.com/microsoft/apm/security/advisories/GHSA-q5pp-gvjg-h7v4
https://github.com/microsoft/apm/security/advisories/GHSA-xhrw-5qxx-jpwr
https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html
https://issues.chromium.org/issues/487795397
https://issues.chromium.org/issues/40061220