<ciso brief />

All news with #iran nexus tag

76 articles

Law enforcement seizes hosting tied to Iranian campaigns

🔎 On May 22, 2026, Dutch investigators seized roughly 800 servers from WorkTitans B.V., a hosting provider that allegedly operated as a successor to a sanctioned ISP. The seized infrastructure supported multiple Iranian cyber espionage groups—MuddyWater, Agrius (UNC2428), and Nimbus Manticore—each using the provider for command-and-control, lure hosting, and scanning. This takedown disrupted active operations and highlights the need to evaluate hosting environments, ASNs, and passive DNS history rather than relying solely on individual IP flags.
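The advice above (judge the hosting provider, ASN and passive DNS history, not just a single flagged IP) is easy to state and less obvious to operationalise. The following added example is not from the original article or the Dutch investigation; it shows one way to triage an outbound connection log against a seized hoster's ranges. The prefixes, AS label, domains and log entries are constructed for illustration and are not WorkTitans B.V.'s actual infrastructure. It expands single-IP IOCs through passive DNS (domain -> other IPs that stayed inside the hoster's prefixes) and then classifies each connection as an exact IOC hit, a passive-DNS pivot hit, or merely traffic into the seized prefix.

```python
import ipaddress
from collections import defaultdict

# Constructed data: illustrative prefixes and AS label, NOT the real seized ranges.
HOSTER_PREFIXES = {
    "203.0.113.0/24": "AS64500 (hypothetical seized hoster)",
    "198.51.100.0/25": "AS64500 (hypothetical seized hoster)",
}
NETWORKS = {ipaddress.ip_network(p): asn for p, asn in HOSTER_PREFIXES.items()}

# A single flagged C2 IP, as a vendor report might give it (constructed).
KNOWN_C2_IPS = {"203.0.113.77"}

# Constructed passive-DNS history: (domain, resolved_ip, first_seen)
PASSIVE_DNS = [
    ("update-portal.example", "203.0.113.77", "2026-01-10"),
    ("update-portal.example", "203.0.113.91", "2026-03-02"),  # C2 domain moved within the prefix
    ("cdn-sync.example", "203.0.113.91", "2026-03-05"),       # second domain on the new IP
    ("docs-share.example", "198.51.100.20", "2026-02-14"),    # same hoster, no IOC link
    ("benign.example", "192.0.2.10", "2025-12-01"),           # outside the hoster entirely
]

# Constructed outbound connection log: (timestamp, src_host, dst_ip, dst_port)
CONNECTIONS = [
    ("2026-05-20T09:12:03Z", "ws-014", "203.0.113.91", 443),
    ("2026-05-20T09:15:44Z", "ws-014", "192.0.2.10", 443),
    ("2026-05-21T11:02:19Z", "srv-db1", "198.51.100.20", 8443),
]


def hoster_for(ip):
    """Return the AS label if ip lies in a seized-hoster prefix, else None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in NETWORKS.items():
        if addr in net:
            return asn
    return None


def pivot_from_iocs(known_ips, pdns):
    """Expand single-IP IOCs into related IPs and domains via passive DNS.

    Follows IP -> domain -> IP, but only keeps resolutions that stay inside the
    hoster's prefixes, so a shared CDN or parked IP does not drag in the internet.
    """
    ip_to_domains, domain_to_ips = defaultdict(set), defaultdict(set)
    for domain, ip, _first_seen in pdns:
        ip_to_domains[ip].add(domain)
        domain_to_ips[domain].add(ip)
    ips, domains, frontier = set(known_ips), set(), set(known_ips)
    while frontier:
        nxt = set()
        for ip in frontier:
            for d in ip_to_domains[ip] - domains:
                domains.add(d)
                for ip2 in domain_to_ips[d] - ips:
                    if hoster_for(ip2):
                        ips.add(ip2)
                        nxt.add(ip2)
        frontier = nxt
    return ips, domains


def triage(connections, known_ips, pdns):
    """Label each connection by the strongest available link to the seized infrastructure."""
    related_ips, _related_domains = pivot_from_iocs(known_ips, pdns)
    findings = []
    for ts, host, dst, port in connections:
        asn = hoster_for(dst)
        if dst in known_ips:
            reason = "exact IOC match"
        elif dst in related_ips:
            reason = "passive-DNS pivot from IOC"
        elif asn:
            reason = f"traffic into seized hoster prefix ({asn})"
        else:
            continue
        findings.append((ts, host, dst, port, reason))
    return findings


if __name__ == "__main__":
    for finding in triage(CONNECTIONS, KNOWN_C2_IPS, PASSIVE_DNS):
        print(*finding)
```

The middle tier is the point: ws-014 never spoke to the flagged IP, but its destination inherits the IOC through the domain's resolution history, while srv-db1's connection is only "same hoster" and should be reviewed rather than blocked outright.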

Attack Surface and Cyber Risks for FIFA 2026

📘 The 2026 FIFA World Cup spans 39 days across 16 host cities in three nations, creating a vast temporary tournament network layered on existing stadium and municipal infrastructure. The assessment rates disruptive intrusions, large-scale fraud, and politically motivated DDoS and hack-and-leak operations as highly likely. Key drivers include Iran-nexus disruptive campaigns, pro-Russian hacktivist DDoS activity and financially motivated cybercrime targeting fans and the hospitality ecosystem.

ESET APT Activity Report Q4 2025–Q1 2026

📄 ESET summarizes notable APT activity observed between October 2025 and March 2026, highlighting China-, Iran-, North Korea-, and Russia-aligned operations alongside unattributed clusters. The report illustrates the geopolitical drivers behind campaigns, describes new tooling and supply-chain compromises such as a trojanized axios package, and notes destructive incidents impacting critical infrastructure. ESET states that its products detect the threats described and that the report reflects only a subset of its Threat Intelligence data.

AI-Enabled Sanctions Evasion Raises Governance Risks

🛡️ New RUSI research warns that adversaries, notably North Korea and Iran, are moving from AI-assisted to AI-enabled sanctions evasion and proliferation financing. The report highlights AI’s ability to mass-produce fraudulent documents, automate shell-company administration, and analyze blockchain flows to evade detection. Experts urge enterprises to adopt behavior-based analytics, defensive AI, stronger identity verification and updated training to counter these evolving threats.

Iranian Hackers Target Major South Korean Electronics Maker

🔒 Symantec researchers attribute a February 2026 cyber-espionage campaign to MuddyWater (Seedworm), which spent a week inside a major South Korean electronics manufacturer's network. The attackers relied on DLL sideloading of legitimate binaries, Fortemedia's fmapp.exe and SentinelOne's sentinelmemoryscanner.exe, to load malicious DLLs containing ChromElevator. They used PowerShell (in this campaign invoked through Node.js loaders) for reconnaissance, credential theft, persistence and SOCKS5 tunneling, and exfiltrated data via sendit.sh.

Iranian Spies Masquerade as Ransomware to Mask Espionage

🕵️ State-aligned Iranian operatives are posing as a ransomware affiliate to conceal espionage and cyber-sabotage, according to research by Rapid7. The group, linked to MuddyWater (aka Seedworm), impersonated the Chaos ransomware-as-a-service brand while using social engineering over Microsoft Teams—including interactive screensharing—to harvest credentials and bypass MFA. Operators used remote management tools like DWAgent for persistence and followed intrusions with extortion messaging and leak-site posts, but prioritized data exfiltration over encryption.

Iran-Linked APT Mimicked Chaos Ransomware in Espionage

🛡️ Rapid7 says an Iranian government-linked APT posed as a Chaos ransomware affiliate to mask espionage and prepositioning in an intrusion in early 2026. The actor, identified as MuddyWater (aka Seedworm/Static Kitten/Mango Sandstorm), used interactive Microsoft Teams social engineering to harvest credentials and manipulate MFA. They established persistence with DWAgent and AnyDesk, exfiltrated data, and initiated extortion negotiations without deploying a ransomware payload.

MuddyWater Employs Microsoft Teams for Targeted Intrusion

🔐 Rapid7 attributes a deception-driven intrusion to the Iranian-affiliated actor MuddyWater, which used Microsoft Teams social engineering to harvest credentials and manipulate MFA via live screen-sharing. Once inside, operators leveraged compromised accounts, remote-access tools like DWAgent and AnyDesk, and a trojanized WebView2 binary to maintain persistence and exfiltrate data rather than encrypt files. The campaign appears to have intentionally mimicked RaaS artefacts — including Chaos-related extortion indicators and a signed loader — to obscure state-backed motives and slow incident response.

Handala Hackers Leak US Marines' Data, Send Threats

🚨 US Marines stationed near the Persian Gulf reported receiving chilling WhatsApp messages beginning Monday that urged them to call home and make final goodbyes. The messages were signed by the Iran-linked Handala hacking group and allegedly originated from a Bahraini phone number that was likely spoofed or hijacked. A day later, Handala posted that it had published names and phone numbers of 2,379 Marines and boasted of possessing addresses, family details and daily routines. While authorities caution that such claims may rely on scraped or recycled data rather than a fresh breach, the campaign’s intent to intimidate service members is clear.

Handala, CyberAv3ngers and Iran’s Proxy Cyber Ops Activities

🔍 US authorities issued an April 7 advisory warning that Iranian-affiliated APTs could be conducting infrastructural cyberattacks, citing links to 2023 water and wastewater incidents attributed to CyberAv3ngers. The article examines two prominent groups — Handala Hack Team and CyberAv3ngers — and argues they function as proxy or false-flag operations likely tied to Iran’s Ministry of Intelligence. It describes a broader pattern of gray warfare, where state actors obscure involvement to retain plausible deniability while exerting persistent pressure on adversaries.

Nearly 4,000 US Rockwell PLCs Exposed in Iranian Attacks

🔒 A joint U.S. federal advisory warns that Iranian state-backed hackers have been targeting Rockwell Automation/Allen‑Bradley PLCs since March 2026, extracting project files and manipulating HMI/SCADA displays. Internet-scanning firm Censys found 5,219 EtherNet/IP hosts exposed online globally, with 3,891 (74.6%) in the United States and a notable share on cellular carrier ASNs. Agencies urge disconnecting or firewalling PLCs, enforcing MFA, applying updates, disabling unused services, and monitoring OT ports and logs for suspicious overseas traffic.

Iran-linked PLC Attacks Disrupt US Critical Infrastructure

⚠️ Six US agencies warn an Iranian-affiliated group has compromised internet-exposed programmable logic controllers at water, energy, and government facilities since at least March 2026. The actors used leased overseas infrastructure and legitimate Rockwell Automation configuration tools to access CompactLogix and Micro850 controllers. Victims suffered operational disruption, project file theft, altered SCADA/HMI data, and persistent remote access.

Iran-Backed Hackers Target US CNI via Internet-Facing OT

⚠ Iranian-affiliated threat actors have been exploiting internet-facing operational technology (OT) assets to target US critical national infrastructure (CNI) providers since late March, according to a CISA advisory. Attackers used vendor configuration tools such as Rockwell Automation's Studio 5000 Logix Designer to establish connections that the PLCs accepted as legitimate, and manipulated HMI/SCADA displays. Observed inbound traffic used ports 44818, 2222, 102, 22 and 502 and included deployment of Dropbear SSH for remote access. Agencies urge immediate log review, segmentation, and removal of direct internet exposure for PLCs.

Iran-Linked Hackers Disrupt U.S. OT Devices and PLCs

🔒 Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across U.S. critical infrastructure, including energy, water and government facilities. U.S. agencies warn attackers used third-party hosted infrastructure and Rockwell Automation tools to connect to CompactLogix and Micro850 PLCs, deploy Dropbear SSH, extract project files, and manipulate HMI/SCADA displays, causing degraded functionality and disruption. Organizations are advised to remove internet exposure, enforce multi-factor authentication, place firewalls or proxies in front of PLCs, disable unused features, keep devices up to date, and monitor for anomalous traffic.

US: Iranian Hackers Target Internet-Exposed PLCs Nationwide

⚠️ U.S. agencies warn that Iranian-affiliated APT actors are actively targeting Internet-exposed Rockwell/Allen-Bradley and other PLCs on networks supporting critical infrastructure sectors such as Water, Energy, and Government Services. The joint advisory from the FBI, CISA, NSA, DOE, EPA, and U.S. Cyber Command states intrusions since March 2026 have caused operational disruption, extraction of device project files, and manipulation of HMI/SCADA displays. Organizations are advised to disconnect PLCs from the Internet or protect them behind firewalls, apply the latest firmware, enable multifactor authentication for OT access, disable unused services and default keys, and monitor OT ports and logs for the advisory's indicators of compromise.

Iranian-Linked Actors Target Internet-Facing PLCs in US

🚨 CISA, the FBI, NSA and partner agencies warn that Iranian-affiliated APT actors are actively exploiting internet-facing operational technology controllers, notably Rockwell Automation/Allen-Bradley PLCs. The actors used vendor configuration software and leased overseas hosting to access exposed PLCs, extracted project files, and altered data shown on HMIs and SCADA displays, causing operational disruption and financial loss. Organizations should urgently apply the advisory's IOCs and mitigations: remove PLCs from direct internet exposure, enforce access controls and MFA, and contact vendor and federal incident contacts if targeted.
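The six PLC items above all end with the same instruction: review firewall and OT logs for inbound traffic from outside on the ports the advisory names (44818, 2222, 102, 22, 502). The following added example is not from the advisory or any of the cited articles; it is one way to run that check over perimeter firewall logs. The key=value log format, the internal address ranges and the log lines themselves are constructed for illustration. It reports every external hit on an OT port, distinguishes allowed sessions from blocked probes, and summarises per source how many controllers and which services each external address reached, which is the shape of evidence the advisory asks organisations to look for (one overseas address touching several PLCs on both CIP and SSH is the pattern to escalate).

```python
import re
import ipaddress
from collections import defaultdict

# Ports named in the advisory summary, with the service normally behind each.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP I/O)",
    102: "S7comm / ISO-TSAP",
    22: "SSH (Dropbear was deployed by the actor)",
    502: "Modbus/TCP",
}

# Assumed internal ranges for this site; anything else is treated as external.
# Defined explicitly rather than via ipaddress.is_private(), which also classes
# the RFC 5737 documentation addresses used in the constructed log as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines (illustrative key=value format, not a real vendor's).
FW_LOG = """\
2026-04-02T03:14:07Z fw01 action=allow proto=tcp src=203.0.113.45 spt=51234 dst=10.20.30.5 dpt=44818
2026-04-02T03:14:20Z fw01 action=allow proto=tcp src=10.20.30.50 spt=49152 dst=10.20.30.5 dpt=44818
2026-04-02T03:16:41Z fw01 action=allow proto=tcp src=203.0.113.45 spt=51290 dst=10.20.30.6 dpt=2222
2026-04-02T03:17:05Z fw01 action=deny proto=tcp src=198.51.100.9 spt=40001 dst=10.20.30.5 dpt=502
2026-04-02T03:19:33Z fw01 action=allow proto=tcp src=203.0.113.45 spt=51377 dst=10.20.30.5 dpt=22
2026-04-02T03:20:10Z fw01 action=allow proto=tcp src=10.20.30.50 spt=49160 dst=10.20.30.7 dpt=443
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp host key=value ...' into a dict with typed port."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"], fields["fw"] = ts, host
    fields["dpt"] = int(fields["dpt"])
    return fields


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_ot_exposure(log):
    """Return (findings, by_source).

    findings:  every external connection attempt to an OT port, allowed or denied.
    by_source: for allowed traffic only, which controllers and ports each external
               address reached, to spot one address working across several PLCs.
    """
    findings = []
    by_source = defaultdict(lambda: {"plcs": set(), "ports": set()})
    for line in log.splitlines():
        f = parse_line(line)
        if f["dpt"] not in OT_PORTS or not is_external(f["src"]):
            continue  # internal engineering traffic or a non-OT port
        findings.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"],
                         "dpt": f["dpt"], "service": OT_PORTS[f["dpt"]],
                         "action": f["action"]})
        if f["action"] == "allow":
            by_source[f["src"]]["plcs"].add(f["dst"])
            by_source[f["src"]]["ports"].add(f["dpt"])
    return findings, dict(by_source)


if __name__ == "__main__":
    hits, sources = find_ot_exposure(FW_LOG)
    for h in hits:
        print(h["ts"], h["action"].upper(), h["src"], "->", h["dst"], h["dpt"], h["service"])
    for src, reach in sources.items():
        print(src, "reached", len(reach["plcs"]), "PLC(s) on ports", sorted(reach["ports"]))
```

A denied probe on 502 is worth keeping in the output (it shows scanning), but the allowed rows are the incident: an external address that holds CIP sessions to two controllers and an SSH session to one of them matches the access-then-persist sequence the advisory describes, and the PLC project files and HMI configuration on those hosts should be pulled for comparison.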

Iran-Linked Password-Spraying Targets 300+ Israeli M365

🔒 Check Point reports an ongoing Iran-nexus password-spraying campaign against Microsoft 365 tenants, primarily impacting Israel and the U.A.E. in three waves on March 3, 13 and 23, 2026. The actor employed Tor exit nodes and commercial VPN infrastructure (AS35758) and used tools and techniques resembling Gray Sandstorm to scan, attempt logins, and exfiltrate mailbox content. Organizations are advised to enforce MFA, apply conditional access by geography, and monitor sign-in and audit logs for signs of compromise.

Iran-linked Password-Spray Campaign Targets Cloud Assets

🔒 Check Point Research identified an Iran-linked password-spraying campaign targeting Microsoft 365 cloud environments carried out in three waves on March 3, March 13, and March 23. The campaign primarily focused on Israel and the UAE, affecting more than 300 organizations in Israel and over 25 in the UAE. Activity tied to the same actor was also observed against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia. These attempts seek account takeover and cloud footholds, highlighting the need for strengthened access controls and faster detection.
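Both password-spray items above recommend monitoring sign-in and audit logs, without saying what the signal looks like. The following added example is not from Check Point's research; it shows the spray signature a detection engineer would look for in tenant sign-in logs: one source address failing against many distinct accounts with only one or two attempts each (breadth over depth, to stay under lockout thresholds), followed by a success against one of those accounts. The log format, account names, addresses and timestamps are constructed for illustration and do not represent the campaign's actual infrastructure.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real tenant data): "timestamp user source_ip result"
SIGNIN_LOG = """\
2026-03-13T08:00:11Z alice@example.com 203.0.113.10 failure
2026-03-13T08:00:58Z bob@example.com 203.0.113.10 failure
2026-03-13T08:01:40Z carol@example.com 203.0.113.10 failure
2026-03-13T08:02:27Z dave@example.com 203.0.113.10 failure
2026-03-13T08:03:09Z erin@example.com 203.0.113.10 failure
2026-03-13T08:31:55Z erin@example.com 203.0.113.10 success
2026-03-13T08:05:00Z alice@example.com 10.0.0.5 failure
2026-03-13T08:05:20Z alice@example.com 10.0.0.5 failure
2026-03-13T08:05:41Z alice@example.com 10.0.0.5 success
2026-03-13T09:10:00Z frank@example.com 198.51.100.7 failure
2026-03-13T09:11:00Z grace@example.com 198.51.100.7 failure
"""

WINDOW = timedelta(minutes=60)
MIN_DISTINCT_USERS = 5      # breadth: many accounts from one source
MAX_ATTEMPTS_PER_USER = 2   # shallow: few guesses per account (lockout avoidance)


def parse(log):
    """Parse the constructed log into sorted (time, user, ip, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result))
    events.sort()
    return events


def detect_sprays(events):
    """Find source IPs whose failures fan out across many accounts inside WINDOW.

    For each source, slide a window over its failures; if the window covers at
    least MIN_DISTINCT_USERS accounts at no more than MAX_ATTEMPTS_PER_USER
    average attempts each, report it, along with any account from that set
    that the same source later logged into successfully.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "failure"]
        for i, (start, *_rest) in enumerate(fails):
            window = [e for e in fails[i:] if e[0] - start <= WINDOW]
            users = {e[1] for e in window}
            if len(users) < MIN_DISTINCT_USERS:
                continue
            if len(window) / len(users) > MAX_ATTEMPTS_PER_USER:
                continue  # deep guessing on few accounts is brute force, not a spray
            compromised = sorted({e[1] for e in evs
                                  if e[3] == "success" and e[1] in users and e[0] >= start})
            findings.append({"ip": ip, "window_start": start,
                             "distinct_users": len(users), "compromised": compromised})
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_sprays(parse(SIGNIN_LOG)):
        print(f["ip"], "sprayed", f["distinct_users"], "accounts from",
              f["window_start"].isoformat(), "- compromised:", f["compromised"] or "none")
```

The internal address with three failures and then a success for one user is a mistyped password, not a spray, and the two-account source stays below threshold; only the source that touched five accounts once each and then signed in as one of them is reported, and that account is the one to force a password reset and session revocation on. In a real tenant the same logic runs over the sign-in log's IP, userPrincipalName and result fields, and the geography-based conditional access the articles recommend would have blocked the successful sign-in before it mattered.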

March 2026 security roundup — Tony Anscombe key takeaways

🔒 In the March 2026 edition Tony Anscombe reviews several high-impact incidents and trends that should shape organizational defenses. He summarizes the reported Stryker intrusion claimed by the Iran-linked Handala group, new research from the Google Threat Intelligence Group showing a rise in data theft tied to ransomware, Instagram's plan to stop encrypting private messages in May, and a Europol-led takedown of the Tycoon 2FA phishing platform. Watch the video for practical lessons and related coverage.

Iran-Linked Hackers Breach FBI Director's Email Inbox

⚠️ The FBI confirmed that Iran-linked hackers accessed the personal email account of FBI Director Kash Patel and published private photos and what appears to be his CV. The pro-Iranian hacktivist group Handala posted a selection of personal and work correspondence, with reporters verifying some items from Patel's Gmail account. The FBI said no classified or government systems were compromised and has taken steps to mitigate risks; strong, unique passwords and multi-factor authentication are advised.