Iran-Linked Cyber Activity Escalates Amid Middle East Conflict
Iran-nexus cyber activity intensified alongside regional military escalation, with multiple reporting streams describing both opportunistic and targeted operations. Check Point Research observed a coordinated campaign to compromise internet-connected IP cameras across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus, with spikes in exploitation attempts aligning to geopolitical events. The activity was traced to infrastructure linked to Iran-nexus actors using commercial VPN exit nodes (e.g., Mullvad, ProtonVPN, Surfshark, NordVPN) and VPS infrastructure to mask origin; the most targeted vendors were Hikvision and Dahua.

Separately, Symantec reported Seedworm (MuddyWater/Temp Zagros/Static Kitten) activity on multiple U.S. and Canadian organizations beginning in February 2026, including a U.S. bank, an airport, a non-profit, and the Israeli operations of a U.S. software supplier to the defense/aerospace sector. Symantec identified a previously unknown backdoor dubbed Dindoor (leveraging the Deno runtime) and a Python backdoor, Fakeset, with malware signed using certificates issued to “Amy Cherne” (and in some cases “Donald Gay”), and noted attempted data exfiltration using Rclone to a Wasabi cloud storage bucket.
Additional coverage indicates broader pro-Iranian cyber activity but is less specific to the above intrusions. ASEC’s weekly “Ransom & Dark Web Issues” roundup flags pro-Iranian/pro-Islamist hacktivist attacks against Middle Eastern and pro-Western targets, but provides limited technical detail in the excerpt. A podcast episode describing “Iran’s 12 days of cyber war” and global OT targeting (including Unitronics PLCs) is largely commentary and retrospective framing rather than a discrete, verifiable incident report, and two other items in the set (a Russia-linked APT28 phishing/malware campaign in Ukraine and a China-nexus UAT-9244 telecom intrusion set in South America) describe unrelated threat activity outside the Iran-focused escalation.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Ctrl-Alt-Intel claims access to a Seedworm VPS and recovered data
Help Net Security reported that the Ctrl-Alt-Intel collective claimed to have accessed a Seedworm/MuddyWater VPS in the Netherlands and recovered command-and-control tooling and victim data. The claim also described broader targeting across Israel, the Middle East, and the U.S., along with tradecraft such as password spraying, CVE exploitation, Ethereum-based C2 resolution, and multiple exfiltration channels.
Researchers publish details of Iran-linked IP camera exploitation
Reporting on Check Point's findings revealed that Iranian-aligned actors were exploiting five known vulnerabilities and exposed access paths in Hikvision and Dahua devices across the Middle East. The disclosure highlighted the risk that compromised cameras could provide real-time visual intelligence for military targeting and battle damage assessment.
Symantec discloses Seedworm campaign and new Dindoor backdoor
Symantec reported that Seedworm/MuddyWater had targeted multiple U.S. and Canadian organizations since February 2026 and identified a new Deno-based backdoor named Dindoor, along with a Python backdoor called Fakeset. The report also described attempted exfiltration using Rclone to a Wasabi bucket and attribution evidence from reused code-signing certificates.
Hacktivist groups attack Middle Eastern and pro-Western targets
ASEC said pro-Iranian and pro-Islamist hacktivist groups carried out cyber attacks against Middle Eastern and pro-Western targets. The roundup framed this as part of the threat activity observed in early March 2026.
Morpheus ransomware attacks a South Korean plating company
ASEC reported that the Morpheus ransomware operation attacked a plating company in South Korea. The incident was included in ASEC's Week 1, March 2026 “Ransom & Dark Web Issues” roundup.
Ailock ransomware resumes activity and republishes victim data
ASEC reported that the Ailock ransomware group became active again and republished data from previous victims. The roundup did not provide a more specific date than its week-one-of-March reporting window.
MuddyWater activity increases after regional escalation
Researchers said Seedworm/MuddyWater operations increased after the February 28 strikes, with existing footholds in victim networks potentially positioned for espionage, disruption, or future destructive actions.
U.S.-Israeli strikes on Iran precede increase in Iranian cyber activity
Multiple reports said Iranian cyber operations intensified after U.S. and Israeli military strikes on Iran. The cited date for the strikes was February 28, 2026, and researchers assessed some intrusions had been pre-positioned before the conflict escalation.
Iranian actors launch IP camera targeting campaign in the Middle East
Check Point researchers observed an Iran-nexus campaign targeting internet-exposed Hikvision and Dahua cameras across multiple Middle East countries starting in late February 2026. The activity was assessed as supporting intelligence collection for possible kinetic operations.
Iran-linked actors begin intrusions into U.S. and Canadian organizations
Researchers reported that Seedworm/MuddyWater activity inside multiple organizations began in early February 2026, affecting a U.S. bank, a U.S. airport, nonprofits in the U.S. and Canada, and the Israeli operations of a U.S. software supplier tied to defense and aerospace.
Sources
9 references tracked.
- Iran-Linked Hackers Target U.S. Critical Infrastructure Amid Rising Cyber Threat Activity (cybersecuritynews.com)
- Latest Iranian cyber activity amid Middle East escalation (fieldeffect.com)
- Iran-linked MuddyWater deploys Dindoor malware against U.S. organizations (securityaffairs.com)
- Iranian APT group MuddyWater targets multiple US companies | SC Media (scmagazine.com)
- Iran-linked APT targets US critical sectors with new backdoors | Help Net Security (helpnetsecurity.com)
- Threat Actors Intensify Targeting of IP Cameras Across Middle East Amid Ongoing Conflict (cybersecuritynews.com)
- Iran intelligence backdoored US bank, airport networks | The Register (go.theregister.com)
- Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company | SECURITY.COM (security.com)
- Ransom & Dark Web Issues Week 1, March 2026 | ASEC (asec.ahnlab.com)