CISO Brief

All news with #iran nexus tag

76 articles · page 2 of 4

FBI Confirms Hack of Director Kash Patel's Email Inbox

📧 The FBI confirmed that the Iran-linked Handala group breached the personal Gmail account of Director Kash Patel and published watermarked photos, documents, and email correspondence. The bureau said the material appears historical, is not recent, and does not include government information. The FBI added it has taken precautions to mitigate potential fallout. Handala claimed the attack was retaliation after domain seizures and a $10 million reward.

Iran-linked Handala Hackers Leak FBI Director's Emails

🔒 Threat actors linked to Iran's MOIS claimed they breached the personal email account of FBI Director Kash Patel and published a cache of photos and historical emails. The FBI confirmed Patel's emails were targeted, said necessary mitigations were enacted, and characterized the released material as historical and not government information. Security firms attribute the campaign to the Handala Hack persona, which relies on compromised VPN accounts, RDP lateral movement, and destructive wipers, prompting Microsoft and CISA guidance to harden Intune and enforce phishing‑resistant MFA.

Iran-Linked Pay2Key Ransomware Re-Emerges with Evasion

🔒 Security researchers warn that the Iran-linked Pay2Key ransomware group has re-emerged with enhanced evasion, execution and anti-forensics capabilities. A Halcyon and Beazley Security analysis of a recent US healthcare provider incident describes interactive access via TeamViewer, credential theft with Mimikatz, LaZagne and ExtPassword, and host discovery using Advanced IP Scanner and ns.exe. Operators used the AD console (dsa.msc) to blend in, deployed an SFX payload (abc.exe) to encrypt systems within three hours, and removed a 'No Defender' toolkit to hide tracks. Report authors found no clear evidence of data exfiltration and warn defenders to monitor this unpredictable, politically motivated threat.

FBI Links Handala Group to Targeted Spyware Campaign

🛡️ The FBI has attributed a sustained campaign of targeted malware and hack-and-leak operations to the Iranian-linked threat actor Handala, noting activity against dissidents, journalists and opposition groups dating to autumn 2023. The group claimed responsibility for a wiper attack on US medtech firm Stryker and used a multi-stage payload that disguises itself as legitimate Windows applications. Investigators observed social engineering lures, PowerShell-based evasion, and a Telegram-based command-and-control channel enabling remote access and data exfiltration, and urged standard hardening and reporting measures.

TeamPCP Deploys Iran-Targeted Wiper via Kubernetes

🧨 The TeamPCP group is deploying a geopolitically targeted wiper that seeks out Iranian systems and either destroys host data or implants a persistent backdoor on Kubernetes nodes. Aikido researchers link the campaign to the earlier CanisterWorm and Trivy supply-chain incidents, noting identical C2 infrastructure and the same /tmp/pglog drop path. When Iran indicators (timezone/locale) and Kubernetes are detected, the malware creates a privileged DaemonSet named Host-provisioner-iran that mounts the host root and runs Alpine containers called "kamikaze" to delete top-level directories and force a reboot. If Kubernetes is present but the host is not identified as Iranian, it deploys host-provisioner-std to write a Python backdoor and install it as a systemd service; variants also propagate via SSH or unauthenticated Docker APIs.

CanisterWorm Wiper Targets Iran via Compromised Cloud

🚨 A financially motivated group known as TeamPCP deployed a self‑propagating worm called CanisterWorm that spreads through poorly secured cloud control planes and conditionally executes a destructive wiper on systems set to Iran’s timezone or Farsi locale. The actors leveraged exposed Docker APIs, misconfigured Kubernetes clusters, Redis servers and the React2Shell vector, and inserted credential‑stealing code into official Trivy releases via compromised GitHub Actions. Researchers observed the group using ICP canisters to host payloads and noted the malicious builds were active only intermittently, leaving uncertainty about the extent of successful data destruction.

FBI: Handala Hackers Use Telegram for Malware C2 Operations

🔐 The FBI warns that Iranian-linked actors, including Handala and a state-associated Homeland Justice group, are using Telegram as command-and-control infrastructure in Windows malware campaigns. Attackers employ social engineering to install malware that exfiltrates screenshots and files from journalists, dissidents, and opposition groups worldwide. The alert followed the seizure of four clearnet domains and references prior disruptive operations such as Handala's attack on Stryker.

How CISOs Can Survive Geopolitical Cyberattacks Today

🛡️ Geopolitical tensions are driving a rise in destructive, non‑financial cyber campaigns that aim to disrupt operations rather than extort payment. Recent Iranian-linked wiper activity — exemplified by the March 2026 Handala attack on Stryker — shows attackers rely on stolen credentials and legitimate admin tools to move freely. Zero Networks recommends a five-step playbook focused on identity-aware access, default‑deny admin ports, scoped privileged access, detection of tunnels, and rapid automated containment to limit blast radius and preserve operations.

FBI Seizes Handala Leak Domains After Stryker Wipe

🔒 The FBI has seized two clearnet domains used by the Iranian-linked hacktivist group Handala after its destructive cyberattack on medical device maker Stryker. A seizure banner cites a Maryland court warrant and says the domains facilitated malicious cyber activities; DNS now points to FBI name servers. Handala acknowledged the seizures and said it will rebuild resilient infrastructure. Microsoft and CISA issued guidance to help organizations secure Intune and Windows domains against similar compromises.

EU Imposes Sanctions on Chinese and Iranian Cyber Firms

🔒 The Council of the European Union has sanctioned three companies and two individuals from China and Iran for cyberoperations that targeted devices and critical infrastructure. The measures name Integrity Technology Group (linked to the Raptor Train botnet), Anxun Information Technology (i‑Soon) and Iranian firm Emennet Pasargad. Listed parties face asset freezes and prohibitions on accessing funds, and natural persons are subject to travel bans through EU territory.

Boggy Serpens Threat Assessment: Evolving TTPs and Tooling

🔒 Boggy Serpens (aka MuddyWater) is a persistent Iranian cyberespionage group that has shifted from noisy spear phishing to tailored, long-term intrusion campaigns targeting diplomatic, maritime, energy and financial sectors. The actor exploits hijacked trusted accounts and blurred-document macros to bypass reputation filters and deploys AI-assisted and Rust-based implants such as BlackBeard, LampoRAT, UDPGangster and Nuso. Defenders should enforce strict macro controls and layered protections including Cortex XDR and Advanced WildFire to detect behavioral anomalies and limit long-term persistence.

Evolution of Iranian Cyber Threats and Identity Risks

🔒 Iranian-aligned threat actors are shifting from bespoke destructive wipers to weaponizing privileged identities and native management features. Rather than deploying novel binaries, attackers compromise high-privilege accounts and use legitimate MDM/RMM or cloud consoles to push remote-wipe and factory-reset commands at scale. This living-off-the-land approach bypasses traditional endpoint telemetry and enables rapid, high-impact disruption across managed tenants. Defenders must prioritize identity resilience, Zero Trust, and immutable backups to maintain survivability.

Handala Hack Wiper Attacks Targeting Intune Admins

🔒 Unit 42 warns of elevated risk from destructive wiper operations attributed to the Iranian-linked Handala Hack actor, which has used phishing and compromised Microsoft Intune administrative access to delete servers and devices and disrupt operations. The actor, first seen in late 2023 and also tracked as Void Manticore, COBALT MYSTIQUE and Storm‑1084/0842, is assessed as a state-directed front for Iran’s MOIS. Mitigations focus on eliminating standing privileges (JIT, PIM), hardening Entra ID and Intune admin roles, enforcing conditional access and hardware MFA, reducing session lifetimes and ensuring immutable offline backups.

Stryker hit by widespread device wipes linked to Iran

🛡️ Stryker reported a large-scale disruption after thousands of employee devices were remotely wiped and many users were unable to log in, saying the issue appears contained to its internal Microsoft environment and that there is no indication of malware at this time. The pro-Iranian group Handala claimed responsibility and employees reported seeing its logo on affected machines. Analysts say the pattern is consistent with a compromise of Microsoft Intune and Entra-based admin controls, which would permit remote wiping without deploying traditional malware, and recommend tightened admin verification and credential protections.

Cyber fallout from Iran conflict: risks and defenses

🔒 The war in the Middle East has expanded cyber risk globally, from physical strikes on AWS data centers to waves of Iran-aligned cyber activity. Within hours of kinetic operations, hacktivists and state-aligned APTs mobilized, using DDoS, defacement, wipers and supply-chain compromises. Organizations should prioritize inventorying internet-facing assets, enforcing phishing-resistant MFA, auditing MSP and cloud dependencies, and preparing offline backups. The guidance focuses on pragmatic hardening where adversaries historically find weak spots.

Iran-linked Group Claims Massive Wiper Attack on Stryker

🚨 Pro-Iranian group Handala claimed it wiped over 200,000 devices and exfiltrated 50TB of data from medical device maker Stryker, asserting offices in 79 countries were forced to close. Stryker confirmed a cyber incident causing global disruption to its Microsoft environment but said there is no indication of ransomware and that it believes the incident is contained. Experts warned the attack appears to have leveraged enterprise management tools such as Microsoft Intune, suggesting a credential compromise and tactics consistent with Iranian state-linked activity.

Stryker Offline After Wiper Malware Hits Global Systems

🏥 Leading medical technology company Stryker is experiencing a severe, global outage after a wiper malware attack claimed by Handala, an Iran-linked hacktivist group. The attackers say they stole 50 TB of data and remotely wiped over 200,000 systems, servers, and mobile devices, forcing shutdowns across 79 countries. Employees report managed Windows and mobile devices were reset, internal services were disrupted, and some sites reverted to pen-and-paper workflows while Stryker works with Microsoft to restore systems.

Iran-linked Hackers Claim Wiper Attack on Medtech Firm

🛡️ A hacktivist group with reported ties to Iran's intelligence services has claimed responsibility for a large-scale data-wiping incident against Stryker, a global medical technology company. The group, known as Handala, said it erased data from more than 200,000 systems and forced shutdowns across 79 countries while Stryker sent thousands of staff in Ireland home and reported a building emergency at its U.S. headquarters. Reporting and internal sources indicate attackers may have used Microsoft Intune to issue remote wipe commands; some employee devices were reportedly wiped and defaced.

X Suspended 800M Accounts in 2024; Manipulation Remains

🛡️ X told British MPs it suspended 800 million accounts in 2024 for breaching rules on platform manipulation and spam. Company government affairs executive Wifredo Fernández said Russia was the most active state-backed manipulator, followed by Iran and China, and that efforts to influence elections and 'flood the zone' persist. Despite Elon Musk's prior pledge to purge bots, X acknowledges hundreds of millions of inauthentic accounts are removed annually, raising concerns about uncaught actors and moderation practices.

Iran-linked MuddyWater Targets US Firms with New Backdoors

🚨 Researchers at Broadcom’s Symantec and Carbon Black have linked a recent campaign to Iran-affiliated MuddyWater that began in early February and continued after recent US–Israeli strikes on Iran. The operation deployed a previously undocumented Deno-based backdoor dubbed Dindoor and a Python backdoor called Fakeset. Attackers used reused code-signing certificates issued to Amy Cherne and Donald Gay, and attempted data exfiltration via Rclone to Wasabi cloud storage. The activity affected a US bank, a US airport, NGOs in North America and an Israeli division of a US defense supplier.