Geopolitically driven cyber activity surges following Operation Epic Fury
Iran-linked threat actors escalated from espionage to disruptive and destructive operations in the wake of the US/Israel military campaign dubbed Operation Epic Fury, with reporting describing a coordinated hybrid offensive against Western, Israeli, and regional economic and critical infrastructure targets. Tenable assessed MOIS-affiliated groups as increasingly masking activity behind cybercriminal infrastructure to complicate attribution, and highlighted a notable rise in Iranian-nexus targeting of internet-connected IP cameras using known, exploitable vulnerabilities; the same reporting pointed to increased activity from MuddyWater and the Void Manticore/Handala persona, including indications of pre-positioned access ahead of the kinetic operations.
Separate threat-intelligence reporting described China-nexus actors rapidly pivoting in the same geopolitical window, including activity against Qatari entities shortly after the initial strikes: Camaro Dragon attempted to deploy a PlugX variant using conflict-themed lures, and another intrusion attempt used DLL hijacking to deliver Cobalt Strike, consistent with China-aligned tradecraft. Other items in the set cover unrelated campaigns and incidents—an exposed APT28 Roundcube exploitation toolkit targeting Ukrainian government mail infrastructure, a pro-Russian NoName057(16) DDoS campaign heavily targeting German and Israeli public-sector and commercial services, a Russian-speaking BlackSanta BYOVD “EDR killer” delivered via HR-themed lures and steganographic images, and a weekly bulletin summarizing multiple breaches (e.g., AkzoNobel, LexisNexis, Wikimedia, TriZetto)—and do not materially add to the Operation Epic Fury–linked escalation narrative.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
KELA reports Iran reviving Pay2Key and using pseudo-ransomware
By March 31, 2026, KELA reported that Iran was reviving the Pay2Key ransomware operation as a state-backed tool against high-impact U.S. targets, including recruiting affiliates from Russian cybercriminal forums. The report also described Iran's use of 'pseudo-ransomware,' including Agrius's Apostle malware, to disguise destructive or wiper-like attacks as financially motivated ransomware.
Check Point publishes Qatar campaign findings and IOCs
On March 11, 2026, Check Point Research publicly reported the Qatar-focused Chinese-nexus activity and released indicators of compromise. The company also advised organizations to strengthen baseline defenses such as EDR and MFA.
FBI-led operation removes PlugX from thousands of devices
A recent FBI-led effort deleted PlugX malware from thousands of devices globally. Despite that disruption, Check Point noted that PlugX remains in active use by Chinese-nexus actors.
Second campaign hits Qatar with Rust loader and Cobalt Strike
A separate campaign targeting Qatari entities used password-protected archives and low-quality AI-generated lures impersonating the Israeli government. The intrusion delivered a previously unseen Rust-based loader that hijacked an NVDA component and ultimately deployed Cobalt Strike.
Camaro Dragon targets Qatar with PlugX-themed intrusion
Check Point reported one intrusion attributed to Camaro Dragon against a Qatari entity that attempted to deploy a PlugX variant. The attack used conflict-themed email lures and an infection chain that abused DLL hijacking of a legitimate Baidu NetDisk binary.
First U.S.-Israeli strike in Iran triggers rapid targeting shift
Shortly after the first U.S.-Israeli strike in Iran, Chinese-nexus threat actors were observed rapidly pivoting toward Qatari entities. Check Point assessed the near-immediate focus on Qatar as unusual for China-backed groups and potentially tied to intelligence collection during the regional crisis.
Iranian-nexus actors increase targeting of IP cameras
Reporting noted increased Iranian-linked exploitation of Hikvision and Dahua IP cameras using known vulnerabilities. Analysts warned this access could support post-strike observation or even kinetic operations.
Handala claims destructive attack against Stryker
The Void Manticore persona 'Handala' was reported as claiming a large-scale wipe and data theft incident against Stryker, potentially involving compromise of Microsoft Intune and defacement of Microsoft Entra login pages. The campaign was described as part of a destructive trend using wipers such as BiBi Wiper and Cl Wiper.
MuddyWater pre-positions access and expands regional operations
In the period after the strikes, MuddyWater was reported as having pre-positioned access and using backdoors including Dindoor and Fakeset, while also conducting the MENA-focused 'Operation Olalampo' using a Telegram bot for command and control. The activity was cited as part of the broader Iranian cyber response.
Iranian-linked actors shift to disruptive cyber operations
Following Operation Epic Fury, reporting described Iranian-linked activity moving beyond primarily espionage into more coordinated disruptive and destructive attacks against Western, Israeli, and regional targets, including critical infrastructure. MOIS-affiliated actors were also assessed as increasingly blending cybercriminal and hacktivist infrastructure to complicate attribution.
U.S. and Israel launch Operation Epic Fury against Iran
On February 28, 2026, U.S. and Israeli military operations referred to as Operation Epic Fury began. Subsequent reporting tied a surge in regional cyber activity to these strikes.
Sources
3 references tracked.
Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations (darkreading.com)
Iranian-linked actors are engaging in disruptive attacks | Tenable (tenable.com)
Chinese Nexus Actors Shift Focus to Qatar Amid Iranian Conflict (darkreading.com)