TA453, TA473, and several emerging threat clusters are exploiting breaking news about the Iran war to run highly targeted phishing campaigns against governments and policy organizations across the Middle East and beyond.
These operations blend traditional espionage with opportunistic credential theft and malware delivery, often abusing compromised government accounts and trusted cloud services to increase their success rates.
The current wave of activity follows Operation Epic Fury, the 28 February 2026 US‑Israeli strike campaign against Iranian leadership, missiles, air defenses and other military infrastructure, and Iran’s subsequent missile and drone retaliation on US embassies and bases.
As the war moves through its second week, Iranian hacktivist personas have claimed disruptive attacks.
Proofpoint classifies still‑developing activity as UNK_ clusters until there is enough data to assign a full TA identifier, and the company stresses that its reporting reflects technical observations rather than geopolitical analysis or policy views.
At the same time, espionage‑focused actors continue more quietly despite Iran’s temporary domestic internet shutdown.
On 8 March, TA453 (Charming Kitten, Mint Sandstorm, APT42) was observed attempting to phish a US think tank, underscoring that long‑running intelligence priorities remain intact amid the crisis.
China‑linked UNK_InnerAmbush
In early March, suspected China‑aligned cluster UNK_InnerAmbush targeted Middle Eastern government and diplomatic entities with emails sent from a likely compromised embassy account, “uzbembish@elcat[.]kg”.
Initial lures claimed to share sensitive photos related to Ayatollah Khamenei’s supposed death, later shifting to claims that Israel was preparing covert strikes on Gulf oil and gas infrastructure.
Links pointed to Google Drive archives named “Photos from the scene.rar” or “Strike at Gulf oil and gas facilities.zip” that contained LNK files masquerading as JPG images.
Opening these shortcuts executed a loader that abused DLL sideloading in a benign signed binary (“nvdaHelperRemoteLoader.exe”) to load a malicious DLL (“nvdaHelperRemote.dll”) and decrypt a Cobalt Strike beacon from a help file, which then called back to “support.almersalstore[.]com”.
Unique tracking pixels hosted on a compromised site logged when specific target email addresses opened the lure.
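The archive lure described above (LNK shortcuts named to look like JPG images) can be caught at the mail gateway or sandbox before any shortcut runs. The following is an added defensive example, not code from Proofpoint or from the article: it unpacks a ZIP in memory and flags entries whose name carries an image double extension, whose first bytes carry the Windows Shell Link header, or whose image extension is not backed by image magic bytes. The sample archive is constructed here with header-only stubs and is not a real lure.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" + "01140200" + "00000000" + "c000000000000046")
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG"}

def inspect_archive(archive_bytes):
    """Return {entry_name: [reasons]} for entries that look like image-disguised LNK files."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            head = zf.open(info).read(len(LNK_MAGIC))
            base, dot, ext = name.rpartition(".")
            ext = dot + ext
            reasons = []
            # "IMG_0412.jpg.lnk": an image name with a trailing shortcut extension
            if ext == ".lnk" and base.endswith(tuple(IMAGE_MAGIC)):
                reasons.append("image double extension")
            # Content check: the file is a Shell Link whatever it is called
            if head.startswith(LNK_MAGIC):
                reasons.append("shell link header")
            # Image extension whose bytes do not start like that image format
            if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
                reasons.append("image extension without image magic")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_archive():
    """Constructed sample mimicking the lure layout; LNK entries are header stubs only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photos from the scene/IMG_0412.jpg.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Photos from the scene/IMG_0413.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60)
        zf.writestr("Photos from the scene/thumb.png", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Photos from the scene/notes.txt", b"just text\n")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, why in inspect_archive(build_sample_archive()).items():
        print(f"{entry}: {', '.join(why)}")
```

Only the two disguised entries are reported; the genuine JPEG and the text file pass, so the same logic can run unattended over attachment archives without flooding analysts.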
TA402 (Frankenstein, Cruel Jackal) leveraged a compromised Iraqi Ministry of Foreign Affairs address and an attacker‑controlled Gmail account to send conflict‑themed emails to a Middle Eastern government victim.
Messages referenced a potential US ground incursion and a new Gulf military alliance, and embedded links that either displayed a decoy PDF or redirected to an Outlook Web App lookalike page on “mail[.]iwsmailserver[.]com/owa/auth/logon.aspx?uid=
New cluster UNK_NightOwl similarly pursued credentials, spoofing Microsoft OneDrive to Middle East government targets using a compromised Syrian emergency ministry email and a fake “War Analyse Ltd” Outlook account.
![UNK_NightOwl OWA credential phishing site hosted on 1drvms[.]store (Source: Proofpoint).](https://www.proofpoint.com/sites/default/files/inline-images/Figure%204%20UNK_NightOwl%20OWA%20credential%20phishing%20site%20hosted%20on%201drvms%5B.%5Dstore.png)
Victims were funneled to an OWA‑style phishing page on “iran.dashboard.1drvms[.]store/…”, and after submitting passwords were redirected to the legitimate conflict‑tracking site iran.liveuamap[.]com to reduce suspicion.
On 5 March, suspected Pakistan‑aligned UNK_RobotDreams sent “Gulf Security Alert: Iran Retaliation Impacts” emails to India‑based offices of Middle East government organizations, impersonating India’s Ministry of External Affairs from “jscop.mea.gov.in@outlook[.]com”.
Attached PDFs displayed a blurred decoy with a fake Adobe Reader button that, when clicked, redirected to “defenceprodindia[.]site/server.php?file=Reader_en_install”.
That site used geofencing, serving only decoys to off‑region visitors while delivering a .NET loader (“Reader_en_install.exe”) to intended victims, which then pulled a Rust‑based backdoor via PowerShell from Azure Front Door‑hosted infrastructure and saved it as “VLCMediaPlayer.exe”.
Belarus‑aligned TA473 (Winter Vivern) ran a parallel campaign between 3 and 5 March, emailing European and Middle Eastern government entities from likely compromised infrastructure while posing as a spokesperson for the European Council President.
TA453’s persistent espionage focus
Amid the flurry of war‑themed lures, Proofpoint has so far documented only one Iran‑aligned TA453 campaign directly tied to the conflict timeline.

Using the freemail address “McManus.Michael@hotmail[.]com” to impersonate a Henry Jackson Society research lead, TA453 engaged a US think tank target with an invitation to a Middle East air defense roundtable and shared a benign OneDrive‑hosted PDF proposal to build rapport.
Once trust was established, TA453 sent a malicious link to “transfergocompany[.]com”, which redirected to a Netlify‑hosted, OneDrive‑branded credential harvesting page at “fileportalshare.netlify[.]app” pre‑filled with the victim’s email address.
The operation mirrors TA453’s long‑standing tradecraft of slow‑burn social engineering and credential theft around sensitive regional policy themes, adapted here to the live Iran conflict narrative.

Across these campaigns, adversaries repeatedly weaponize breaking Iran war developments as high‑credibility pretexts while leaning on compromised government accounts, consumer freemail, and reputable cloud platforms to bypass defenses.
This mix of steady espionage and rapidly spun‑up conflict‑themed operations suggests the war is both a social engineering lure and a driver of updated collection priorities for multiple state‑aligned threat actors watching the region.
Some actors, such as TA453, appear to be using the crisis mainly as topical cover for routine espionage, while others, including UNK clusters and TA473, signal a broader pivot toward collecting intelligence on Middle Eastern governments and diplomatic channels.