CISO Brief

All news with #iran nexus tag

76 articles · page 3 of 4

Iran-linked MuddyWater intrusions hit U.S., Israeli targets

🔒 Broadcom's Symantec and Carbon Black Threat Hunter Team found an Iran-linked group, MuddyWater, embedded in networks of U.S. banks, airports, a Canadian non‑profit, and an Israeli software supplier. Researchers uncovered a novel Deno-based backdoor named Dindoor and a Python backdoor, Fakeset, whose signing certificate ties it to prior MuddyWater tools. An attempted Rclone exfiltration to a Wasabi bucket was observed. Vendors recommend bolstering monitoring, enforcing phishing-resistant MFA, segmenting networks, and reducing internet exposure of critical systems.

Dust Specter Targets Iraqi Officials with Novel Malware

🛡️ Zscaler ThreatLabz reported in January 2026 that a suspected Iran-nexus cluster dubbed Dust Specter has targeted Iraqi government officials by impersonating the Ministry of Foreign Affairs to deliver novel malware families — SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign uses two infection chains: a password-protected RAR containing a .NET dropper that sideloads DLLs and a consolidated in-memory binary that avoids disk writes. Operators staged payloads on compromised Iraqi infrastructure and employed geofencing, User-Agent checks, randomized C2 URIs with checksums, and execution delays; Zscaler also notes code artifacts suggesting possible use of generative AI.

Surge in Camera Attacks Linked to Iranian Actors Regionwide

🎥 Check Point Research reported a surge of attempts to compromise internet‑connected surveillance cameras across the Middle East beginning 28 February, with additional focused activity in parts of Lebanon on 1 March. The campaign targeted Hikvision and Dahua devices, scanning for known authentication‑bypass and remote‑code‑execution flaws for which patches exist. Infrastructure attributed to Iran used commercial VPN exit nodes and VPS hosts. Recommended mitigations include removing WAN exposure, enforcing strong credentials, applying firmware updates, and segmenting cameras onto a dedicated VLAN.

Iranian Cyberattacks Largely Absent So Far, Risks Remain

⚠️ Five days into the US–Israel–Iran conflict, wide-scale Iranian cyber retaliation has not yet materialized, but security agencies warn the danger is acute and ongoing. The UK NCSC and Canada's CCCS issued broad advisories, while CISA has not updated its guidance since October. Observed DDoS activity is limited, yet vendors highlight the greater risk from destructive wipers (e.g., Shamoon) and an arsenal of 15+ Iranian malware families. High‑profile APTs such as APT35/APT42 and APT33 remain concerning; organizations should harden OT, remove unmanaged RMM tools, implement phishing‑resistant MFA (FIDO2/WebAuthn), patch VPNs, and monitor endpoints for wiper indicators.

Leaked Ariomex Database Suggests Iranian Sanctions Evasion

🔍 Resecurity analysed a leaked Ariomex database covering 2022–2025 and concluded the exchange's records suggest potential sanctions evasion and large capital transfers linked to actors inside Iran. The review covered 11,826 verified users, identified 27 potential sanctions matches and found about 7,710 Iran-linked accounts, with roughly 70% of volume in Tether and Tron. Resecurity flagged mechanisms such as shell accounts, stablecoin routing and intermediary wallets and said it will assist regulators.

Iran-linked Actor Targets Iraqi Government Officials

🔎 Zscaler ThreatLabz detected a January 2026 campaign by an Iran-nexus actor tracked as Dust Specter that impersonated Iraq’s Ministry of Foreign Affairs and used compromised government infrastructure to host and distribute payloads. The operation deployed previously undocumented tooling — SplitDrop, TwinTask, TwinTalk — and a consolidated .NET RAT called GhostForm. Researchers observed emoji and unicode artifacts in decompiled code that strongly suggest generative AI assisted in development.

Threat Brief: March 2026 Iran-Related Cyber Escalation

⚠️ Beginning Feb. 28, 2026, Unit 42 observed a rapid escalation in cyber activity tied to Iran following joint U.S.–Israeli strikes, coinciding with an internal internet outage that reduced connectivity in Iran to 1–4%. That loss likely constrains coordinated state-aligned campaigns from inside Iran while enabling decentralized and geographically dispersed actors to increase disruptive operations. Unit 42 identified a phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert APK and tracked about 60 active hacktivist groups claiming DDoS, wiper, and hack-and-leak operations. Organizations should prioritize multi-layered defenses, offline backups, strict out-of-band verification, patching, monitoring, and incident response preparedness; Palo Alto Networks and Unit 42 offer protections and services to assist.

UK NCSC Issues Warning on Iranian Cyberattack Risks

⚠️ The UK National Cyber Security Centre (NCSC) has issued an advisory warning British organisations of an elevated risk of Iranian cyberattacks amid the ongoing Middle East conflict. While the NCSC says there is not yet a significant change in the direct threat to the UK, state‑sponsored and Iran‑linked actors likely retain some capability despite Iran’s domestic Internet blackout. Organisations with operations or supply chains in the region are urged to follow guidance on DDoS, phishing, and ICS targeting, review their external attack surface, and increase monitoring.

Google Warns Iran Will Launch Global Cyber-Attacks

⚠ John Hultquist, chief analyst of Google’s Threat Intelligence Group, warned that Iran will "absolutely" respond to recent US and Israeli air strikes with cyber-attacks targeting a broad array of organisations across the Middle East and beyond. He said the focus will shift from well-defended states like Israel to nations with less mature security, expanding the global attack surface. Hultquist highlighted the blurred lines between state actors, criminal groups and hacktivist fronts, noting the likely use of ransomware and proxy operations by the IRGC to obfuscate attribution. The UK’s NCSC has advised organisations with Middle East ties to urgently review and strengthen their cybersecurity posture.

Hybrid Middle East Conflict Sparks Global Cyber Surge

🌐 A sharp escalation in the Middle East has entered a hybrid phase combining military strikes with large-scale cyber operations following joint Israeli–US strikes on Iran on 28 February 2026. CloudSEK reported a sweeping cyber campaign that reduced Iran's internet to roughly 4% of normal capacity, disrupting government services, media, and parts of the energy and aviation sectors. Security firm Halcyon warns of rising DDoS, hacktivist, and ransomware activity and urges organisations to increase monitoring, enforce multi-factor authentication, and maintain offline backups against supply-chain and regional spillover risks.

Iran's Cyber Capabilities: What Defenders Should Know

🔍 Iran’s cyber ecosystem combines state-aligned clusters, deniable operators, and hacktivists linked to IRGC and MOIS. These actors pursue espionage, disruption and destructive operations—DDoS, pseudo-ransomware, and wipers—often paired with information operations and coordinated amplification. Activity is intensifying amid the current crisis and is expected to broaden across the Middle East, the United States, and other regions.

MuddyWater Targets MENA with New Rust Backdoor CHAR

🔒 Group-IB reports that Iranian APT MuddyWater launched Operation Olalampo, using new and updated implants to target organizations across the MENA region. Attacks beginning January 26, 2026 employed malicious Office macros to deliver downloaders like GhostFetch and HTTP_VIP, a Rust backdoor CHAR, and a second-stage implant GhostBackDoor. The campaign leverages C2 servers, a Telegram-controlled bot, and signs of AI-assisted development.

Google: Hackers Abusing Gemini AI Across All Attack Stages

🛡️ Google Threat Intelligence Group warns state-backed actors are abusing Gemini across the full attack lifecycle, from reconnaissance and phishing-lure generation to C2 development and data exfiltration. Groups linked to China, Iran, North Korea, and Russia used the model for target profiling, code generation, translation, vulnerability testing, and troubleshooting. Google says it has disabled abusive accounts and implemented targeted classifier defenses to make misuse harder.

Infy Hackers Resume Operations with New C2 Infrastructure

🔍 SafeBreach reported that the Iranian-linked threat group Infy resumed operations on January 26, 2026, deploying new command-and-control (C2) servers and replacing infrastructure for its Foudre and Tonnerre tool families. The actor introduced Tornado v51, which supports both HTTP and Telegram-based C2 and uses a hybrid domain-generation approach combining a new DGA and blockchain-derived fixed names. Researchers observed signs the group exploited a disclosed WinRAR extraction flaw to deliver a self-extracting archive that drops a Tornado DLL and an installer that checks for Avast before establishing persistence. SafeBreach also recovered Telegram artifacts, a ZZ Stealer chain, and a malicious PyPI package used for targeted deployments.

RedKitten: Iran-linked campaign targets activists and NGOs

🔍 HarfangLab detected a Farsi-speaking, Iran-aligned campaign codenamed RedKitten in January 2026 that targets NGOs and individuals documenting recent human rights abuses. The operation begins with a Farsi-named 7‑Zip archive containing macro-laced Excel files; embedded VBA macros, which analysts say show signs of LLM generation, drop a C# implant via AppDomainManager injection. The backdoor, SloppyMIO, uses GitHub and Google Drive for steganographic configuration retrieval and leverages Telegram for command-and-control, supporting multiple modules to run commands, collect and exfiltrate files, deploy payloads and establish persistence.

AI-assisted 'RedKitten' Malware Targets Iranian Protesters

🚨 French cybersecurity firm HarfangLab uncovered a January 2026 campaign dubbed RedKitten that leverages emotionally charged, forged forensic files to deliver a .NET implant called SloppyMIO. The attack begins with a password-protected 7z archive containing malicious Excel spreadsheets that prompt users to enable macros and drop a C# payload. SloppyMIO hijacks a legitimate Windows binary to run stealthily, establishes persistence via scheduled tasks, fetches modules from GitHub and Google Drive, and uses Telegram as its command-and-control channel. Researchers noted multiple traces of LLM-assisted development and assessed the campaign as aligned with Iranian government security interests.

Iran-linked MuddyWater Deploys Rust-Based Implant Now

🔒 CloudSEK reports that Iran-linked APT MuddyWater has deployed a Rust-based implant dubbed RustyWater in a spear-phishing campaign targeting diplomatic, maritime, financial, and telecom entities across Israel and the Middle East. The campaign relies on icon-spoofed executables delivered in ZIP archives that display decoy PDFs while executing loaders which establish persistence and fetch the Rust payload. RustyWater implements anti-analysis checks, string obfuscation, randomized callbacks and standard RAT functions including file enumeration, command execution and data exfiltration, while using C2 domains that mimic legitimate services.

MuddyWater Deploys RustyWater RAT in Spear‑Phishing Campaign

🛡️ CloudSEK researchers report that the Iran-linked actor MuddyWater has distributed a new Rust-based remote access tool codenamed RustyWater via spear-phishing emails containing malicious Microsoft Word documents. The lure employs icon spoofing and a VBA macro that drops a Rust implant capable of asynchronous C2, anti-analysis, registry persistence, and modular expansion. Also tracked as Archer RAT or RUSTRIC, the implant contacts a hardcoded C2 (nomercys.it[.]com) to perform file operations and execute commands. Seqrite Labs linked RUSTRIC to recent activity against IT firms, MSPs, and software companies in Israel.

Infy APT Resurfaces with Updated Foudre and Tonnerre

🔍 SafeBreach has linked renewed operations to the Iranian APT known as Infy (Prince of Persia), revealing updated Foudre downloader and Tonnerre implants active across Iran, Iraq, Turkey, India, Canada and parts of Europe. The campaign, tracked through September 2025 samples, shifts from macro-laced Excel to embedded executables and employs a DGA plus RSA-signed C2 validation. SafeBreach identified C2 folders including a 'key' directory and a Telegram integration used selectively via a tga.adr file. Analysts warn Infy remains active and dangerous to high-value targets.

Prince of Persia APT Returns with New Malware, C2 Ops

🛡️ Researchers have observed renewed activity from the Prince of Persia threat actor, long linked to Iran, after an apparent 2022 hiatus. SafeBreach found updated Foudre and Tonnerre variants, a new domain generation algorithm and altered delivery using Excel files with embedded SFX payloads alongside legacy malicious macros. Select victims can now be controlled via the Telegram API, and identified targets are predominantly in Iran with some victims across Europe, Iraq, Turkey, India and Canada.