Iran-linked cyber activity escalates alongside Middle East hostilities, including IP camera targeting and DDoS campaigns
Iran-attributed cyber activity increased alongside escalating Middle East hostilities, with researchers reporting intensified targeting of internet-connected IP cameras across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and later specific areas in Lebanon. Check Point assessed the activity as consistent with Iranian doctrine of leveraging compromised cameras for operational support and battle damage assessment (BDA) tied to missile operations, noting that tracking camera-targeting infrastructure may provide early warning of potential follow-on kinetic activity.
Separately, Radware reported 149 Iran-linked DDoS attacks observed between Feb 28 and Mar 2, largely aimed at government entities in the Middle East, and attributed most activity to three hacktivist groups: Keymous+, DieNet, and Conquerors Electronic Army. Additional OSINT-driven infrastructure analysis described broader Iranian state-aligned clustering using indicators such as ASN patterns and TLS fingerprints to map suspected operational infrastructure, while commentary from industry sources emphasized that destructive “wiper” malware remains a key concern (citing families including ZeroCleare, Meteor, Dustman, DEADWOOD, and Apostle). A separate ransomware “monthly state” roundup and a detection-engineering newsletter were not specific to this Iran/Middle East activity and do not materially support the incident reporting.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Check Point publishes report linking camera targeting to warfare support
On March 4, Check Point Research published its assessment that the observed targeting of Hikvision and Dahua cameras aligns with Iranian doctrine of using compromised cameras for operational support and battle damage assessment related to missile operations. The report also recommended reducing camera exposure, patching, network segmentation, strong credentials, and monitoring for suspicious access.
Hunt.io publishes analysis of 19 Iran-linked threat clusters and IOCs
Hunt.io released research mapping 19 Iran-linked threat groups using infrastructure pivots such as ASNs, TLS certificates, hashes, and open directories. The report also published a subset of derived indicators of compromise and monitoring guidance for U.S. and Israeli organizations.
Camera-targeting activity shifts focus to areas in Lebanon
On March 1, the observed IP camera targeting expanded or shifted to specific areas in Lebanon amid the ongoing Middle East conflict. Check Point linked the activity to the same broader Iran-nexus campaign targeting exposed surveillance devices.
Intensified regional targeting of Hikvision and Dahua cameras begins
Beginning on February 28, Check Point Research observed intensified scanning and exploitation attempts against Hikvision and Dahua IP cameras across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus. The infrastructure used was attributed to Iran-nexus threat actor activity and included commercial VPN exit nodes and VPS providers.
Iran-linked infrastructure targets IP cameras in Israel and Qatar
Check Point Research observed earlier related activity on January 14–15 targeting Hikvision and Dahua IP cameras in Israel and Qatar. The activity was later assessed as consistent with Iran-nexus efforts to access exposed cameras for operational support and possible battle damage assessment.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East - Check Point Research
research.checkpoint.com
Open sourceIranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation
hunt.io
Open sourceIranian cyberattacks fail to materialize but threat remains acute | CSO Online
csoonline.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Iran-Linked Cyber Activity Escalates Amid Middle East Conflict
Iran-nexus cyber activity intensified alongside regional military escalation, with multiple reporting streams describing both opportunistic and targeted operations. Check Point Research observed a coordinated campaign to compromise internet-connected **IP cameras** across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus, with spikes in exploitation attempts aligning to geopolitical events; activity was traced to infrastructure linked to Iran-nexus actors using commercial VPN exit nodes (e.g., *Mullvad*, *ProtonVPN*, *Surfshark*, *NordVPN*) and VPS infrastructure to mask origin, and the most targeted vendors were **Hikvision** and **Dahua**. Separately, Symantec reported **Seedworm** (*MuddyWater/Temp Zagros/Static Kitten*) activity on multiple U.S. and Canadian organizations beginning in February 2026, including a U.S. bank, airport, non-profit, and the Israeli operations of a U.S. software supplier to defense/aerospace; Symantec identified a previously unknown backdoor dubbed **Dindoor** (leveraging the *Deno* runtime) and a Python backdoor **Fakeset**, with malware signed using certificates issued to “**Amy Cherne**” (and in some cases “**Donald Gay**”), and noted attempted data exfiltration using **Rclone** to a *Wasabi* cloud storage bucket. Additional coverage indicates broader pro-Iranian cyber activity but is less specific to the above intrusions. ASEC’s weekly “Ransom & Dark Web Issues” roundup flags **pro-Iranian/pro-Islamist hacktivist** attacks against Middle Eastern and pro-Western targets, but provides limited technical detail in the excerpt. A podcast episode describing “Iran’s 12 days of cyber war” and global OT targeting (including *Unitronics* PLCs) is largely commentary and retrospective framing rather than a discrete, verifiable incident report, and two other items in the set (a Russia-linked **APT28** phishing/malware campaign in Ukraine and a China-nexus **UAT-9244** telecom intrusion set in South America) describe unrelated threat activity outside the Iran-focused escalation.
Mar 21, 2026
Iranian Cyber-Kinetic Operations Targeting Surveillance and Communications Infrastructure
Reporting and analysis indicate **Iranian threat actors** have increasingly integrated cyber operations with kinetic objectives following the Feb. 28 U.S.-Israel strikes on Iran. Check Point Research assessed intensified targeting of **IP cameras**—notably devices from **Hikvision** and **Dahua**—across Israel and parts of the Gulf (including Qatar, Bahrain, Kuwait, the UAE, and Cyprus), with activity patterns suggesting use for operational support and *battle damage assessment* tied to missile launches; the research highlights that monitoring camera-targeting infrastructure may provide early warning of follow-on kinetic activity. Separately, commentary on Iranian cyber posture argues the apparent “quiet” is not simply loss of capability, describing a resilient, decentralized operating model and noting prior disruption to leadership and infrastructure (e.g., “Operation Epic Fury”) without eliminating Iran’s ability to conduct operations. Additional reporting described U.S. Cyber Command participation in coordinated cyber/space actions intended to disrupt Iranian communications and sensor networks during the opening phase of hostilities, and cited claims (attributed to external reporting) that compromised traffic cameras and penetrated mobile networks were used to support real-time intelligence for targeting decisions in Tehran. Other items in the set cover unrelated law-enforcement actions against cybercrime services (e.g., takedowns of **Tycoon2FA** and **LeakBase**, and a **Phobos** ransomware guilty plea), a separate report on suspected **DPRK-linked** intrusions against cryptocurrency firms, and a general discussion of ransomware market dynamics post-LockBit; these do not materially add to the Iran cyber-kinetic camera/communications targeting narrative.
Mar 31, 2026
Geopolitically driven cyber activity surges following Operation Epic Fury
Iran-linked threat actors escalated from espionage to **disruptive and destructive operations** in the wake of the US/Israel military campaign dubbed **Operation Epic Fury**, with reporting describing a coordinated hybrid offensive against Western, Israeli, and regional economic and critical infrastructure targets. Tenable assessed **MOIS-affiliated** groups as increasingly masking activity behind cybercriminal infrastructure to complicate attribution, and highlighted a notable rise in Iranian-nexus targeting of **internet-connected IP cameras** using known, exploitable vulnerabilities; the same reporting pointed to increased activity from **MuddyWater** and the **Void Manticore/Handala** persona, including indications of pre-positioned access ahead of the kinetic operations. Separate threat-intelligence reporting described **China-nexus** actors rapidly pivoting in the same geopolitical window, including activity against **Qatari entities** shortly after the initial strikes: **Camaro Dragon** attempted to deploy a **PlugX** variant using conflict-themed lures, and another intrusion attempt used **DLL hijacking** to deliver **Cobalt Strike**, consistent with China-aligned tradecraft. Other items in the set cover unrelated campaigns and incidents—an exposed **APT28** Roundcube exploitation toolkit targeting Ukrainian government mail infrastructure, a pro-Russian **NoName057(16)** DDoS campaign heavily targeting German and Israeli public-sector and commercial services, a Russian-speaking **BlackSanta** BYOVD “EDR killer” delivered via HR-themed lures and steganographic images, and a weekly bulletin summarizing multiple breaches (e.g., AkzoNobel, LexisNexis, Wikimedia, TriZetto)—and do not materially add to the Operation Epic Fury–linked escalation narrative.
Mar 31, 2026