< ciso
brief />
Tag Banner

All news with #iran nexus tag

80 articles · page 3 of 4

Stryker Offline After Wiper Malware Hits Global Systems

🏥 Leading medical technology company Stryker is experiencing a severe, global outage after a wiper malware attack claimed by Handala, an Iran-linked hacktivist group. The attackers say they stole 50 TB of data and remotely wiped over 200,000 systems, servers, and mobile devices, forcing shutdowns across 79 countries. Employees report managed Windows and mobile devices were reset, internal services were disrupted, and some sites reverted to pen-and-paper workflows while Stryker works with Microsoft to restore systems.
read more →

Iran-linked Hackers Claim Wiper Attack on Medtech Firm

🛡️A hacktivist group with reported ties to Iran's intelligence services has claimed responsibility for a large-scale data-wiping incident against Stryker, a global medical technology company. The group, known as Handala, said it erased data from more than 200,000 systems and forced shutdowns across 79 countries while Stryker sent thousands of staff in Ireland home and reported a building emergency at its U.S. headquarters. Reporting and internal sources indicate attackers may have used Microsoft Intune to issue remote wipe commands; some employee devices were reportedly wiped and defaced.
read more →

X Suspended 800M Accounts in 2024; Manipulation Remains

🛡️ X told British MPs it suspended 800 million accounts in 2024 for breaching rules on platform manipulation and spam. Company government affairs executive Wifredo Fernández said Russia was the most active state-backed manipulator, followed by Iran and China, and that efforts to influence elections and 'flood the zone' persist. Despite Elon Musk's prior pledge to purge bots, X acknowledges hundreds of millions of inauthentic accounts are removed annually, raising concerns about uncaught actors and moderation practices.
read more →

Iran-linked MuddyWater Targets US Firms with New Backdoors

🚨 Researchers at Broadcom’s Symantec and Carbon Black have linked a recent campaign to Iran-affiliated MuddyWater that began in early February and continued after recent US–Israeli strikes on Iran. The operation deployed a previously undocumented Deno-based backdoor dubbed Dindoor and a Python backdoor called Fakeset. Attackers used reused code-signing certificates issued to Amy Cherne and Donald Gay, and attempted data exfiltration via Rclone to Wasabi cloud storage. The activity affected a US bank, a US airport, NGOs in North America and an Israeli division of a US defense supplier.
read more →

Iran-linked MuddyWater intrusions hit U.S., Israeli targets

🔒 Broadcom's Symantec and Carbon Black Threat Hunter Team found an Iran-linked group, MuddyWater, embedded in networks of U.S. banks, airports, a Canadian non‑profit, and an Israeli software supplier. Researchers uncovered a novel Deno-based backdoor named Dindoor and a Python backdoor, Fakeset, whose signing certificate ties it to prior MuddyWater tools. An attempted Rclone exfiltration to a Wasabi bucket was observed. Vendors recommend bolstering monitoring, enforcing phishing-resistant MFA, segmenting networks, and reducing internet exposure of critical systems.
read more →

Dust Specter Targets Iraqi Officials with Novel Malware

🛡️ Zscaler ThreatLabz reported in January 2026 that a suspected Iran-nexus cluster dubbed Dust Specter has targeted Iraqi government officials by impersonating the Ministry of Foreign Affairs to deliver novel malware families — SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign uses two infection chains: a password-protected RAR containing a .NET dropper that sideloads DLLs and a consolidated in-memory binary that avoids disk writes. Operators staged payloads on compromised Iraqi infrastructure and employed geofencing, User-Agent checks, randomized C2 URIs with checksums, and execution delays; Zscaler also notes code artifacts suggesting possible use of generative AI.
read more →

Surge in Camera Attacks Linked to Iranian Actors Regionwide

🎥 Check Point Research reported a surge of attempts to compromise internet‑connected surveillance cameras across the Middle East beginning 28 February, with additional focused activity in parts of Lebanon on 1 March. The campaign targeted Hikvision and Dahua devices, scanning for known authentication‑bypass and remote‑code‑execution flaws for which patches exist. Infrastructure attributed to Iran used commercial VPN exit nodes and VPS hosts. Recommended mitigations include removing WAN exposure, enforcing strong credentials, applying firmware updates, and segmenting cameras onto a dedicated VLAN.
read more →

Iranian Cyberattacks Largely Absent So Far, Risks Remain

⚠️ Five days into the US-Israel–Iran conflict, widescale Iranian cyber retaliation has not yet materialized, but security agencies warn the danger is acute and ongoing. The UK NCSC and Canada CCCS issued broad advisories while CISA has not updated since October. Observed DDoS activity is limited, yet vendors highlight the greater risk from destructive wipers (e.g., Shamoon) and an arsenal of 15+ Iranian families. High‑profile APTs such as APT35/APT42 and APT33 remain concerning; organizations should harden OT, remove unmanaged RMM tools, implement phishing‑resistant MFA (FIDO2/WebAuthn), patch VPNs and monitor endpoints for wiper indicators.
read more →

Leaked Ariomex Database Suggests Iranian Sanctions Evasion

🔍 Resecurity analysed a leaked Ariomex database covering 2022–2025 and concluded the exchange's records suggest potential sanctions evasion and large capital transfers linked to actors inside Iran. The review covered 11,826 verified users, identified 27 potential sanctions matches and found about 7,710 Iran-linked accounts, with roughly 70% of volume in Tether and Tron. Resecurity flagged mechanisms such as shell accounts, stablecoin routing and intermediary wallets and said it will assist regulators.
read more →

Iran-linked Actor Targets Iraqi Government Officials

🔎 Zscaler ThreatLabz detected a January 2026 campaign by an Iran-nexus actor tracked as Dust Specter that impersonated Iraq’s Ministry of Foreign Affairs and used compromised government infrastructure to host and distribute payloads. The operation deployed previously undocumented tooling — SplitDrop, TwinTask, TwinTalk — and a consolidated .NET RAT called GhostForm. Researchers observed emoji and unicode artifacts in decompiled code that strongly suggest generative AI assisted in development.
read more →

Threat Brief: March 2026 Iran-Related Cyber Escalation

⚠️ Beginning Feb. 28, 2026, Unit 42 observed a rapid escalation in cyber activity tied to Iran following joint U.S.–Israeli strikes, coinciding with an internal internet outage that reduced connectivity in Iran to 1–4%. That loss likely constrains coordinated state-aligned campaigns from inside Iran while enabling decentralized and geographically dispersed actors to increase disruptive operations. Unit 42 identified a phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert APK and tracked about 60 active hacktivist groups claiming DDoS, wiper, and hack-and-leak operations. Organizations should prioritize multi-layered defenses, offline backups, strict out-of-band verification, patching, monitoring, and incident response preparedness; Palo Alto Networks and Unit 42 offer protections and services to assist.
read more →

UK NCSC Issues Warning on Iranian Cyberattack Risks

⚠️The UK National Cyber Security Centre (NCSC) has issued an advisory warning British organisations of an elevated risk of Iranian cyberattacks amid the ongoing Middle East conflict. While the NCSC says there is not yet a significant change in the direct threat to the UK, state‑sponsored and Iran‑linked actors likely retain some capability despite Iran’s domestic Internet blackout. Organisations with operations or supply chains in the region are urged to follow guidance on DDoS, phishing, and ICS targeting, review external attack surfaces, and increase monitoring.
read more →

Google Warns Iran Will Launch Global Cyber-Attacks

⚠ John Hultquist, chief analyst of Google’s Threat Intelligence Group, warned that Iran will "absolutely" respond to recent US and Israeli air strikes with cyber-attacks targeting a broad array of organisations across the Middle East and beyond. He said the focus will shift from well-defended states like Israel to nations with less mature security, expanding the global attack surface. Hultquist highlighted the blurred lines between state actors, criminal groups and hacktivist fronts, noting the likely use of ransomware and proxy operations by the IRGC to obfuscate attribution. The UK’s NCSC has advised organisations with Middle East ties to urgently review and strengthen their cybersecurity posture.
read more →

Hybrid Middle East Conflict Sparks Global Cyber Surge

🌐 A sharp escalation in the Middle East has entered a hybrid phase combining military strikes with large-scale cyber operations following joint Israeli–US strikes on Iran on 28 February 2026. CloudSek reported a sweeping cyber campaign that reduced Iran's internet to roughly 4% of normal capacity, disrupting government services, media and parts of energy and aviation. Security firm Halcyon warns of rising DDoS, hacktivist and ransomware activity and urges organisations to increase monitoring, enforce multi-factor authentication and maintain offline backups against supply-chain and regional spillover risks.
read more →

Iran's Cyber Capabilities: What Defenders Should Know

🔍 Iran’s cyber ecosystem combines state-aligned clusters, deniable operators, and hacktivists linked to IRGC and MOIS. These actors pursue espionage, disruption and destructive operations—DDoS, pseudo-ransomware, and wipers—often paired with information operations and coordinated amplification. Activity is intensifying amid the current crisis and is expected to broaden across the Middle East, the United States, and other regions.
read more →

MuddyWater Targets MENA with New Rust Backdoor CHAR

🔒 Group-IB reports that Iranian APT MuddyWater launched Operation Olalampo, using new and updated implants to target organizations across the MENA region. Attacks beginning January 26, 2026 employed malicious Office macros to deliver downloaders like GhostFetch and HTTP_VIP, a Rust backdoor CHAR, and a second-stage implant GhostBackDoor. The campaign leverages C2 servers, a Telegram-controlled bot, and signs of AI-assisted development.
read more →

Google: Hackers Abusing Gemini AI Across All Attack Stages

🛡️ Google Threat Intelligence Group warns state-backed actors are abusing Gemini across the full attack lifecycle, from reconnaissance and phishing-lure generation to C2 development and data exfiltration. Groups linked to China, Iran, North Korea, and Russia used the model for target profiling, code generation, translation, vulnerability testing, and troubleshooting. Google says it has disabled abusive accounts and implemented targeted classifier defenses to make misuse harder.
read more →

Infy Hackers Resume Operations with New C2 Infrastructure

🔍 SafeBreach reported that the Iranian-linked threat group Infy resumed operations on January 26, 2026, deploying new command-and-control (C2) servers and replacing infrastructure for its Foudre and Tonnerre tool families. The actor introduced Tornado v51, which supports both HTTP and Telegram-based C2 and uses a hybrid domain-generation approach combining a new DGA and blockchain-derived fixed names. Researchers observed signs the group exploited a disclosed WinRAR extraction flaw to deliver a self-extracting archive that drops a Tornado DLL and an installer that checks for Avast before establishing persistence. SafeBreach also recovered Telegram artifacts, a ZZ Stealer chain, and a malicious PyPI package used for targeted deployments.
read more →

RedKitten: Iran-linked campaign targets activists and NGOs

🔍 HarfangLab detected a Farsi-speaking, Iran-aligned campaign codenamed RedKitten in January 2026 that targets NGOs and individuals documenting recent human rights abuses. The operation begins with a Farsi-named 7‑Zip archive containing macro-laced Excel files; embedded VBA macros, which analysts say show signs of LLM generation, drop a C# implant via AppDomainManager injection. The backdoor, SloppyMIO, uses GitHub and Google Drive for steganographic configuration retrieval and leverages Telegram for command-and-control, supporting multiple modules to run commands, collect and exfiltrate files, deploy payloads and establish persistence.
read more →

AI-assisted 'RedKitten' Malware Targets Iranian Protesters

🚨 French cybersecurity firm HarfangLab uncovered a January 2026 campaign dubbed RedKitten that leverages emotionally charged, forged forensic files to deliver a .NET implant called SloppyMIO. The attack begins with a password-protected 7z archive containing malicious Excel spreadsheets that prompt users to enable macros and drop a C# payload. SloppyMIO hijacks a legitimate Windows binary to run stealthily, establishes persistence via scheduled tasks, fetches modules from GitHub and Google Drive, and uses Telegram as its command-and-control channel. Researchers noted multiple traces of LLM-assisted development and assessed the campaign as aligned with Iranian government security interests.
read more →