Iranian Cyber Operations Shift Toward Identity Abuse and Broader Hybrid Targeting
Iranian state-aligned and affiliated cyber activity has expanded beyond traditional disruptive malware into a broader campaign of hybrid operations that combines espionage, reconnaissance, credential abuse, and destructive effects. Reporting describes a tactical shift from bespoke wipers toward living-off-the-land methods, including the compromise of highly privileged identities and the use of legitimate enterprise administration capabilities to issue remote-wipe actions at scale. At the same time, Iranian operators and aligned personas have been linked to sustained access into US organizations in sectors including banking, aviation, defense-adjacent industries, and healthcare, while also targeting internet-connected surveillance infrastructure in the Middle East for intelligence collection and battlefield awareness.
The activity is unfolding alongside a wider surge in hostile traffic associated with the regional conflict, with major increases in infrastructure scanning, automated reconnaissance, credential harvesting, and DDoS preparation against critical businesses, especially banking and fintech. One report highlights Handala/Void Manticore as emblematic of the disruptive trend, while another ties MuddyWater to persistent footholds in US networks and notes exploitation of camera vulnerabilities such as CVE-2017-7921 and CVE-2021-33044. Together, the reporting indicates that Iranian cyber operations remain active and adaptive, using proxy infrastructure, compromised identities, and exposed edge devices to sustain pressure on commercial and strategic targets without relying solely on custom malware.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Gurucul publishes IOCs and detection guidance for Seedworm campaign
On 2026-05-14, Gurucul published additional technical details on the Iran-linked Seedworm espionage campaign, including infrastructure indicators, file hashes, and detection queries for threat hunting. The report also elaborated on the malware chain using signed Fortemedia and SentinelOne binaries, a node.exe-based implant, PowerShell reconnaissance, SAM theft, privilege escalation, and SOCKS5 tunneling.
MuddyWater-linked campaign hits Middle East critical sectors
By 2026-04-17, a multi-stage campaign with tradecraft consistent with MuddyWater was reported targeting Middle Eastern aviation, energy, and government organizations. The activity combined large-scale vulnerability scanning, credential harvesting, and confirmed data exfiltration, indicating successful follow-on intrusions beyond reconnaissance.
Check Point reports Iran-linked M365 password-spraying campaign
On 2026-03-23, suspected Iran-linked operators were assessed to have conducted three waves of password-spraying attacks against Microsoft 365 accounts at hundreds of organizations, with the heaviest targeting against municipalities in Israel and additional victims in the UAE. Check Point said the activity also hit technology, transportation, logistics, healthcare, and manufacturing organizations, and may have supported Iranian kinetic operations by enabling post-strike bomb-damage assessment.
Unit 42 reports Handala-style remote wipe of 200,000+ devices
On March 16, 2026, Palo Alto Networks Unit 42 described a recent operation under the Void Manticore/Handala persona in which attackers allegedly compromised highly privileged identities and issued legitimate remote-wipe commands to more than 200,000 devices globally. The report framed this as part of a broader shift in Iranian state-aligned operations from custom wipers to identity abuse and enterprise management platform misuse.
Akamai observes cybercrime surge after start of Iran war
After the start of the Iran war, Akamai reported overall malicious cyber activity rose 245 percent, with banks, fintech and other critical businesses heavily targeted. The most common activity included infrastructure scanning, botnet-driven discovery, automated reconnaissance, credential harvesting and reconnaissance preceding DDoS attacks.
Handala allegedly abuses Intune to attack Stryker
On March 11–12, 2026, Handala allegedly used pre-existing access and abused Microsoft Intune remote-wipe functionality in an attack on Stryker. The incident was cited as an example of Iranian-aligned operators activating previously established access for disruptive effect.
Symantec links MuddyWater to espionage campaign hitting South Korean manufacturer
In February 2026, MuddyWater conducted a cyber-espionage intrusion at a major South Korean electronics manufacturer as part of a broader campaign against at least nine organizations across multiple countries and sectors. Symantec said the operators used DLL sideloading, ChromElevator, PowerShell and Node.js-based tooling, and exfiltrated data via sendit.sh, indicating a focus on intellectual property theft, government espionage, and downstream network access.
Handala claims destructive attack on Stryker
In early 2026, the Iran-aligned hacktivist group Handala claimed responsibility for a destructive attack on medical technology company Stryker. The claimed operation involved large-scale data theft and system wiping.
Iran-linked infrastructure exploits Hikvision and Dahua cameras
In early 2026, Iran-linked infrastructure was observed exploiting internet-connected Hikvision and Dahua surveillance cameras across the Middle East. The activity was described as supporting intelligence, surveillance and reconnaissance during regional hostilities and battlefield awareness.
MuddyWater maintains footholds in U.S. and Canadian organizations
In early 2026, Iran-linked operators associated with MuddyWater were reported to have maintained covert access in multiple organizations in the United States and Canada. Affected sectors included banking, aviation, defense-related entities and other organizations, with malware such as Dindoor, Fakeset, Stagecomp and Darkcomp used for persistence and possible data exfiltration.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
15 references tracked. Mallory keeps watching after this page renders.
Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign | Community Portal | Gurucul
community.gurucul.com
Open sourceIranian hackers targeted major South Korean electronics maker
bleepingcomputer.com
Open sourceExperts: Amplification of opportunistic cyberattacks central to Iran’s strategy | brief | SC Media
scworld.com
Open sourceIran’s cyber threat may be less ‘shock and awe’ than ‘low and slow,’ officials say | The Record from Recorded Future News
therecord.media
Open sourceFootholds, Live Feeds, and Lifelines: Iranian Cyber Operations Surviving, Not Thriving
blog.polyswarm.io
Open sourceAstaara on Iranian cyber capability - 12 March 2026
westpandi.com
Open sourceCybercrime up 245% since the start of the Iran war • The Register
go.theregister.com
Open sourceSpecial Report: Latest Iran Cyber Threat Analysis
cyberwarrior76.substack.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Iranian MOIS-Linked Threat Actors Increasingly Leverage Cybercrime Tools and Infrastructure
Check Point Research reported that **Iranian Ministry of Intelligence and Security (MOIS)-linked actors** are increasingly moving beyond simply *posing* as cybercriminals and are instead **directly engaging with the cybercrime ecosystem**—using criminal tooling, services, and operational models to support state objectives while complicating attribution. The activity is highlighted in operations tied to **Void Manticore** (including the *Handala Hack* persona) and **MuddyWater**, where researchers observed repeated overlaps with criminal tools and infrastructure, suggesting an affiliate-style or service-consumption model that improves resilience and capability. Reporting on the research noted that **Void Manticore** has incorporated the commercially sold infostealer **Rhadamanthys** (marketed on cybercrime forums) into campaigns, including phishing activity targeting Israeli entities; the infostealer has been paired with custom wipers and lure themes such as impersonated **F5 updates** and even messages spoofing the **Israeli National Cyber Directorate (INCD)**. The same coverage reiterated that **MuddyWater** continues MOIS-aligned espionage activity and is also associated with cybercrime-style tooling and services, reinforcing the assessment that Iranian state operators are increasingly blending state tradecraft with criminal malware, infrastructure, and monetized services rather than relying solely on false-flag “ransomware” or hacktivist branding.
Apr 14, 2026
Geopolitically driven cyber activity surges following Operation Epic Fury
Iran-linked threat actors escalated from espionage to **disruptive and destructive operations** in the wake of the US/Israel military campaign dubbed **Operation Epic Fury**, with reporting describing a coordinated hybrid offensive against Western, Israeli, and regional economic and critical infrastructure targets. Tenable assessed **MOIS-affiliated** groups as increasingly masking activity behind cybercriminal infrastructure to complicate attribution, and highlighted a notable rise in Iranian-nexus targeting of **internet-connected IP cameras** using known, exploitable vulnerabilities; the same reporting pointed to increased activity from **MuddyWater** and the **Void Manticore/Handala** persona, including indications of pre-positioned access ahead of the kinetic operations. Separate threat-intelligence reporting described **China-nexus** actors rapidly pivoting in the same geopolitical window, including activity against **Qatari entities** shortly after the initial strikes: **Camaro Dragon** attempted to deploy a **PlugX** variant using conflict-themed lures, and another intrusion attempt used **DLL hijacking** to deliver **Cobalt Strike**, consistent with China-aligned tradecraft. Other items in the set cover unrelated campaigns and incidents—an exposed **APT28** Roundcube exploitation toolkit targeting Ukrainian government mail infrastructure, a pro-Russian **NoName057(16)** DDoS campaign heavily targeting German and Israeli public-sector and commercial services, a Russian-speaking **BlackSanta** BYOVD “EDR killer” delivered via HR-themed lures and steganographic images, and a weekly bulletin summarizing multiple breaches (e.g., AkzoNobel, LexisNexis, Wikimedia, TriZetto)—and do not materially add to the Operation Epic Fury–linked escalation narrative.
Mar 31, 2026
Iran-Linked Cyber Activity Escalates Amid Middle East Conflict
Iran-nexus cyber activity intensified alongside regional military escalation, with multiple reporting streams describing both opportunistic and targeted operations. Check Point Research observed a coordinated campaign to compromise internet-connected **IP cameras** across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus, with spikes in exploitation attempts aligning to geopolitical events; activity was traced to infrastructure linked to Iran-nexus actors using commercial VPN exit nodes (e.g., *Mullvad*, *ProtonVPN*, *Surfshark*, *NordVPN*) and VPS infrastructure to mask origin, and the most targeted vendors were **Hikvision** and **Dahua**. Separately, Symantec reported **Seedworm** (*MuddyWater/Temp Zagros/Static Kitten*) activity on multiple U.S. and Canadian organizations beginning in February 2026, including a U.S. bank, airport, non-profit, and the Israeli operations of a U.S. software supplier to defense/aerospace; Symantec identified a previously unknown backdoor dubbed **Dindoor** (leveraging the *Deno* runtime) and a Python backdoor **Fakeset**, with malware signed using certificates issued to “**Amy Cherne**” (and in some cases “**Donald Gay**”), and noted attempted data exfiltration using **Rclone** to a *Wasabi* cloud storage bucket. Additional coverage indicates broader pro-Iranian cyber activity but is less specific to the above intrusions. ASEC’s weekly “Ransom & Dark Web Issues” roundup flags **pro-Iranian/pro-Islamist hacktivist** attacks against Middle Eastern and pro-Western targets, but provides limited technical detail in the excerpt. A podcast episode describing “Iran’s 12 days of cyber war” and global OT targeting (including *Unitronics* PLCs) is largely commentary and retrospective framing rather than a discrete, verifiable incident report, and two other items in the set (a Russia-linked **APT28** phishing/malware campaign in Ukraine and a China-nexus **UAT-9244** telecom intrusion set in South America) describe unrelated threat activity outside the Iran-focused escalation.
Mar 21, 2026