Middle East Conflict Triggers Spike in State-Linked Espionage and Malware Campaigns
Escalating conflict following Operation Epic Fury (US/Israel strikes inside Iran) has coincided with increased cyber activity targeting Middle East and adjacent interests. Proofpoint reported that Iran-aligned TA453 (Charming Kitten / Mint Sandstorm / APT42) continued intelligence collection during the conflict, including a credential-phishing attempt against a US think tank observed on 8 March, and noted additional campaigns against Middle East government organizations with suspected links to multiple state or state-aligned actors (including suspected attribution to China, Belarus, Pakistan, and Hamas). Despite reported Iranian internet shutdown measures after the initial strikes, espionage-focused operations were assessed as ongoing.
Check Point Research separately identified China-linked activity targeting Qatar that used conflict-themed lures (fake "war news" and damage imagery) to deliver malware including PlugX and Cobalt Strike. The tradecraft was described as a multi-stage chain involving a compromised server and DLL hijacking via a legitimate application (Baidu NetDisk) to load the backdoor, illustrating how quickly breaking news is weaponized against energy and military sector targets. Other items in the set were unrelated to this conflict-driven espionage theme: one report described a Russian-speaking 'BlackSanta' BYOVD-based "EDR killer" delivered via HR-workflow abuse and steganographic images, and a weekly threat bulletin summarized unrelated breaches and research (AkzoNobel, LexisNexis, a Wikimedia worm, TriZetto, and AI-related threats).
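The DLL-hijacking chain above (a legitimate signed application dropped alongside a malicious DLL so that the trusted binary loads the backdoor) leaves a recognisable shape in image-load telemetry. The following triage script is an added example, not code from Proofpoint, Check Point or Mallory: it runs a few sideloading heuristics over constructed Sysmon-style image-load records. Paths, file names and signer strings are constructed placeholders, not indicators from the reports.

```python
"""Triage Sysmon-style image-load events for DLL sideloading shapes."""
import ntpath  # handles Windows paths regardless of the host OS
from dataclasses import dataclass

# Locations a standard user can write to; a signed host executable running from
# here and loading a co-located unsigned DLL is the classic sideloading pattern.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                         "\\public\\", "\\programdata\\")


@dataclass
class ImageLoad:
    """Subset of fields from a Sysmon Event ID 7 (ImageLoaded) record."""
    process_image: str      # full path of the hosting executable
    loaded_image: str       # full path of the DLL that was mapped
    process_signed: bool
    dll_signed: bool


def is_user_writable(path: str) -> bool:
    low = path.lower() + "\\"
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return the heuristic reasons an event looks like sideloading (empty if none)."""
    exe_dir = ntpath.dirname(ev.process_image).lower()
    dll_dir = ntpath.dirname(ev.loaded_image).lower()
    reasons = []
    if exe_dir == dll_dir and is_user_writable(exe_dir):
        reasons.append("host exe and DLL co-located in a user-writable directory")
    if ev.process_signed and not ev.dll_signed and is_user_writable(dll_dir):
        reasons.append("signed host loaded an unsigned DLL from a user-writable path")
    return reasons


def triage(events: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Keep only events that trip at least one indicator, with their reasons."""
    return [(ev, r) for ev in events if (r := sideload_indicators(ev))]


# Constructed sample telemetry: two benign loads, one sideloading-shaped load.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\kernel32.dll", True, True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", True, False),
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\news\SignedHost_PLACEHOLDER.exe",
              r"C:\Users\victim\AppData\Local\Temp\news\hijacked_PLACEHOLDER.dll", True, False),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.process_image, "->", ev.loaded_image)
        for reason in reasons:
            print("   *", reason)
```

An unsigned DLL shipped under Program Files (second sample event) is deliberately not flagged, so the output is a short triage queue rather than a list of every vendor component.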

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Proofpoint and Check Point publicly disclose conflict-themed espionage activity
On 2026-03-10, public reporting from Proofpoint and Check Point detailed a surge in espionage operations exploiting the Iran conflict as lure content. The disclosures linked the activity to several state-aligned actors and described malware including PlugX, Cobalt Strike, and a Rust-based backdoor loader.
Multiple state-aligned actors intensify espionage against Middle East targets
Proofpoint reported heightened campaigns against Middle East government and diplomatic organizations by actors aligned with or suspected to be linked to China, Belarus, Pakistan, and others. The activity used compromised government email accounts, credential-harvesting pages, archives, LNK files, loaders, and in some cases Cobalt Strike via DLL sideloading.
TA453 continues credential phishing despite Iranian internet shutdown
Proofpoint observed Iran-aligned TA453 continue credential-phishing against a US think tank target even after the conflict started and despite an Iranian internet shutdown. The engagement had begun before the conflict and persisted afterward, showing operational continuity during the crisis.
Separate Qatar oil and gas campaign deploys Rust loader and Cobalt Strike
A parallel campaign targeted Qatar’s oil and gas sector with a password-protected archive and a new Rust-based loader that hid malicious code inside an NVDA component to evade detection. The intrusion chain ultimately deployed Cobalt Strike for deeper access.
Camaro Dragon uses fake missile-strike lure to deploy PlugX in Qatar
One infection chain used a decoy file claiming to show photos of an Iranian missile strike near a US base in Bahrain, then retrieved additional payloads from a hacked server. The attackers used DLL hijacking with a legitimate Baidu NetDisk application to execute the PlugX backdoor, enabling file theft, keystroke logging, and screen capture.
China-linked campaigns begin targeting Qatar after conflict outbreak
Check Point reported that China-nexus operations targeting Qatar started on 2026-03-01, one day after Operation Epic Fury began. The campaigns rapidly pivoted to use Middle East conflict themes as social-engineering bait during heightened regional tensions.
US and Israeli strikes inside Iran launch Operation Epic Fury
Proofpoint reported that US and Israeli strikes inside Iran began on 2026-02-28 under the name Operation Epic Fury. The conflict and Iran’s subsequent regional retaliation became the basis for later war-themed cyber lures and espionage activity.