{
	"id": "efc912b6-4c62-4b48-9dec-e536a5e02553",
	"created_at": "2026-04-06T00:11:00.039287Z",
	"updated_at": "2026-04-10T13:11:45.462419Z",
	"deleted_at": null,
	"sha1_hash": "5309b5a117e1ab36e583e2f00afce5fba5dcabe7",
	"title": "Update, March 13: Talos on the developing situation in the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 156604,
	"plain_text": "Update, March 13: Talos on the developing situation in the Middle\r\nEast\r\nBy Cisco Talos\r\nPublished: 2026-03-03 · Archived: 2026-04-05 12:55:48 UTC\r\nMonday, March 2, 2026 19:55\r\nUpdate history\r\nTalos’ assessment of the cyber attack on Stryker and the elevated threat landscape. Key findings and\r\nbackground on Handala, the Iranian-linked threat group. \r\nUpdated guidance and recommendations, IOCs, and timelines. \r\nBlog update: March 13, 2026 \r\nExecutive summary \r\nCisco Talos assesses that the recent cyber attack on the medical equipment manufacturing\r\nfirm, Stryker, likely represents an opportunistic compromise rather than a systematic shift toward targeting the\r\nhealth care sector specifically. Nevertheless, the broader threat landscape remains elevated due to ongoing military\r\nhttps://blog.talosintelligence.com/talos-developing-situation-in-the-middle-east/\r\nPage 1 of 10\n\noperations in Iran, necessitating that all organizations increase vigilance and strengthen their defensive capabilities\r\nagainst destructive cyber activity. \r\nKey findings \r\nCisco Talos assesses that the publicly reported cyber attack on a U.S.-based medical equipment\r\nmanufacturer, Stryker, likely does not indicate that the health care sector is at any higher or specific risk of\r\ntargeting by Iran-linked threat actors. We make this assessment with high confidence based on our\r\nunderstanding of the motivation and capability of threat groups like Handala, which have historically\r\ncompromised targets of opportunity. Talos has not observed any recent increase in systematic or elevated\r\ntargeting of health care or health care-adjacent sectors over any other industry.\r\nHandala is an Iranian threat actor, which cybersecurity firms have linked to Iran’s intelligence and security\r\nservices, that conducts disruptive and destructive cyber operations under the guise of pro-Palestinian and\r\npro-Iranian activism. 
The group combines low-level hacktivist activities with sophisticated techniques,\r\nincluding custom-made wiper malware and administrative tool hijacking, to execute high-impact attacks\r\nagainst global organizations. \r\nDespite our assessment that the health care sector is not at a higher risk specifically, the broader threat\r\nlandscape remains elevated across all sectors amid ongoing military operations in Iran. Consequently,\r\norganizations are encouraged to reinforce their defensive postures and remain alert to destructive threats.\r\nOrganizations should increase vigilance and evaluate their capabilities, encompassing planning,\r\npreparation, detection, and response for such an event. \r\nBackground\r\nOn March 11, 2026, the global medical technology firm Stryker was targeted in a cyber attack claimed by the\r\nIran-linked threat group Handala, resulting in a severe disruption of its worldwide operations. The group asserts it\r\ndeployed a destructive wiper attack to erase data from more than 200,000 systems — including servers, laptops,\r\nand employee mobile devices — and allegedly exfiltrated 50 terabytes of sensitive information in retaliation for\r\nrecent military actions in Iran. This claim has not been officially verified. While Stryker has acknowledged a\r\n\"global network disruption\" to its Microsoft environment and is working with security partners to restore access,\r\nreports from its major hubs in the U.S. and Ireland indicate that the attack has effectively halted production and\r\nadministrative functions, with many employees locked out of their devices.  \r\nWe assess the attack was almost certainly executed by compromising high-level administrative accounts, based on\r\nour identification of hundreds of leaked Stryker credentials on the dark web. 
The threat actors likely gained access\r\nto Stryker’s Microsoft Intune management console, within which they reportedly weaponized the platform's native\r\nremote wipe feature to simultaneously reset connected corporate devices. This living-off-the-land (LOTL)\r\ntechnique allowed the group to cause widespread destruction and data loss, possibly without the need for\r\ntraditional wiper malware.\r\nHandala: A state-linked threat group \r\nThe Handala group, also known as the Handala Hack Team, first emerged in December 2023, positioning itself as\r\na pro-Palestinian hacktivist collective. Despite its hacktivist branding, leading cybersecurity firms assess the group\r\nas a persona operated by Void Manticore (also known as Storm-0842 or Banished Kitten), a threat actor affiliated\r\nwith the Iranian Ministry of Intelligence and Security (MOIS). This persona possibly allows the Iranian\r\ngovernment to conduct destructive cyber operations while maintaining a degree of plausible deniability. \r\nThe group’s operational history is defined by a rapid escalation from symbolic attacks to high-impact destructive\r\ncampaigns. Initially, Handala focused almost exclusively on Israeli targets, claiming to have breached military\r\nweather servers, intercepted security feeds in Jerusalem, and compromised Telegram accounts allegedly\r\nassociated with high-profile officials like former Prime Minister Naftali Bennett in \"Operation Octopus.\" By 2025\r\nand early 2026, the group expanded its scope to target Western organizations perceived as supporting Israel,\r\nculminating in the massive March 2026 attack on the medical technology giant Stryker. \r\nHandala’s tactics, techniques, and procedures (TTPs) blend state-sponsored capabilities with opportunistic\r\nhacktivist methods. 
They primarily gain initial access using valid accounts, obtained through spear-phishing\r\ncampaigns that exploit current events (such as the 2024 CrowdStrike outage) or by searching dark web sources for\r\nleaked credentials. Once inside, they often use hands-on-keyboard techniques to move\r\nlaterally, reportedly demonstrating the ability to hijack administrative tools like Microsoft Intune to trigger remote\r\nfactory resets on thousands of corporate devices simultaneously. Their arsenal includes custom-built wiper\r\nmalware, such as Hatef (for Windows) and Hamsa (for Linux), often delivered via multi-stage loaders to evade\r\ndetection. The group has also reportedly used commercial infostealer malware such as Rhadamanthys, according\r\nto industry reporting. To maximize psychological impact, they frequently pair these destructive acts with hack-and-leak operations, defacing victim websites and leaking sensitive data on their Telegram and dark web\r\nchannels. \r\nRecommendations for protection  \r\nDefend against destructive malware \r\nDestructive malware, often leveraged by Iranian threat actors, can present a direct threat to an organization’s daily\r\noperations, impacting the availability of critical assets and data. Disruptive cyber attacks against organizations in a\r\ntarget country may unintentionally spill over to organizations in other countries. Organizations should increase\r\nvigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an\r\nevent. Refer to CISA’s best practices for responding to destructive malware, outlined on pages 5 – 9 of their 2022\r\nalert.  \r\nGeneral best practices \r\nAdhere to security fundamentals \r\nAn influx of threat actors of varying skill levels to this threat space may lead to unsophisticated methods being\r\nused to compromise victims, as we often see during times of conflict. 
Defenders should ensure security\r\nfundamentals are being adhered to, such as robust patching for known vulnerabilities, visibility into end-of-sale\r\n(EoS)/end-of-life (EoL) devices in your network with a plan to upgrade, and requiring multi-factor authentication\r\n(MFA) for remote access and on critical services. Patches for critical vulnerabilities that allow for remote code\r\nexecution or denial-of-service on externally facing equipment should be prioritized. Organizations can also\r\nimplement a patch management program that enables a timely and thorough patching cycle. Talos’ top security\r\npractices, including those to guide MFA deployment, can be found in our 2024 Year in Review report.\r\nBlog update: March 10, 2026\r\nExecutive summary\r\nOn Feb. 28, 2026, the United States and Israel launched coordinated strikes against Iranian military and leadership\r\ntargets, prompting Iranian missile and drone retaliation across the Middle East. Cisco Talos is closely monitoring\r\nthe evolving cyber threat landscape associated with the conflict and collecting tactics, techniques, and procedures\r\n(TTPs); threat actor identifiers; and other intelligence to help inform defensive efforts and maintain situational\r\nawareness.\r\nOn March 8, 2026, Iran’s government selected Mojtaba Khamenei, the son of the late leader, as the new Supreme\r\nLeader, signaling a continuity of the regime’s hardline policies. Talos assesses that, for the duration of this\r\nconflict, pro-Iranian cyber actors will likely continue targeting entities allied with the U.S. and Israel, primarily\r\nthose located in the Middle East, with low-level attacks like denial-of-service (DoS), web defacements, and data\r\nleak campaigns. 
Furthermore, while the degree to which Iran's state-sponsored offensive capabilities have been\r\ndegraded remains ambiguous, the regime maintains a historical capability and intent to execute disruptive\r\nransomware and destructive wiper malware attacks against critical infrastructure (CI).\r\nOutlook\r\nCyber operations are likely to play a supporting but strategically significant role in the ongoing conflict involving\r\nIran, Israel, and the U.S. Given Iran’s inability to match U.S. and Israeli conventional military capabilities, Tehran\r\nhas historically relied on cyber operations conducted by both state-linked actors and aligned proxy groups as an\r\nasymmetric means of retaliation and influence. This pattern is again evident in the current conflict, with Iranian-aligned groups employing network-based intrusions to target adversary infrastructure and advance strategic\r\nobjectives.\r\nU.S. and Israeli operations reportedly compromised segments of Iran's information systems, yet the distributed\r\nnature of Iran's electronic warfare program across numerous agencies and proxies has likely provided a level of\r\ndistributional resilience against these disruptions. While these targeted strikes likely slowed the overall operational\r\ntempo and forced a further shift in how capabilities are allocated across decentralized units, Iran likely retains\r\nsome of its offensive online capacity and will likely continue leveraging digital intrusions as an asymmetric\r\ncountermeasure.\r\nTimeline\r\nThough select hacktivist operations are highlighted below, hundreds of attacks have been claimed by numerous\r\ncollectives since the beginning of the conflict. Talos cautions against accepting these claims at face value,\r\nemphasizing that defenders should independently verify them since older leaks and previously public information\r\ncan be used to influence perceptions. 
The timeline below highlights higher-profile and more credible incidents.\r\nFebruary\r\nBetween February and March 2026, the Iranian advanced persistent threat (APT) group Seedworm,\r\nwhich we track as MuddyWater (aka Temp Zagros, Static Kitten), targeted networks of multiple U.S.\r\ncompanies, including a bank, airport, and non-profit, as well as the Israeli operations of a U.S.\r\nsoftware company. Seedworm deployed a previously unknown custom backdoor, named Dindoor,\r\nwhich leverages Deno, the secure runtime for JavaScript and TypeScript, to execute. They also\r\ndeployed a Python backdoor named Fakeset.\r\nThroughout February, Talos observed tools associated with Seedworm in the energy, education, and\r\ngovernment sectors in Western countries. The tools include the aforementioned Dindoor, Fakeset, a\r\nbackdoor named Darkcomp, and Stagecop (the loader for Darkcomp). A list of indicators of\r\ncompromise (IOCs) associated with these tools can be found in the IOC section.\r\nFebruary 28\r\nHacktivist group Sylhet Gang-SG claimed to have launched DDoS attacks targeting several entities,\r\nincluding: the Port of Los Angeles in the U.S.; the Qatari government’s online portal, Ministry of\r\nForeign Affairs, Ministry of Education, Ministry of the Interior, and Government Communications\r\nOffice; Bahrain's airport and Information and eGovernment Authority; and the Abu Dhabi Civil\r\nDefense Authority in the United Arab Emirates (UAE).\r\nBetween February 28 and March 2, 2026, a coordinated surge of 149 hacktivist-attributed DDoS\r\nattacks targeted 110 organizations across 16 countries, occurring in the immediate aftermath of the\r\nU.S.–Israel military campaign against Iran.\r\nBeginning on February 28, Iranian cyber actors significantly increased efforts to exploit internet-connected surveillance cameras in Israel and several Gulf states, leveraging known 
vulnerabilities to\r\ngain unauthorized access to live video feeds. Researchers assess the campaign likely sought to\r\nprovide real-time situational awareness, reconnaissance, and battle damage assessment to support\r\nIranian or proxy military operations.\r\nMarch 1\r\n“Handala Hack,” a hacktivist persona linked to Iran’s Ministry of Intelligence and Security (MOIS),\r\nclaimed to have compromised Jordan Modern Oil \u0026 Fuel Services Co. Ltd. at the “mgc-gas[.]jo” website.\r\nThe Islamic Cyber Resistance in Iraq (aka 313 Team) claimed to have launched DDoS attacks\r\ntargeting the official portal of the Jordanian government at “jordan[.]gov[.]jo” and the Kuwait\r\nArmed Forces website at “kuwaitarmy[.]gov[.]kw”.\r\nHacktivist user “RipperSec” claimed to have launched a DDoS attack targeting the Israeli drone\r\nservices provider at “propeller-drones[.]com”.\r\n“Investigation Anonymous” posted on their Telegram channel what they claim is an archive of\r\nleaked data of Israeli Defense Forces (IDF) personnel, including records from IDF training\r\nprograms and personnel management systems.\r\nPro-Palestinian hacktivist group DieNet claimed to have launched DDoS attacks targeting several\r\nentities in the Middle East, including the Sharjah airport in the UAE, the Riyad and Al Rajhi banks\r\nin Saudi Arabia, the Oman government, and the Ras Al Khaimah airport in the UAE.\r\nMarch 2\r\nThe Iranian APTIran hacktivist group claimed on its Telegram channel to have compromised the\r\nstate‑owned food security agency Jordan Silos and Supply General Co. at the “josilos[.]com”\r\nwebsite. 
The breach allegedly occurred about a month earlier.\r\nThe Russia-aligned hacktivist group NoName057(16) pledged its solidarity with the Iranian regime\r\nin the ongoing armed conflict and claimed it started a DDoS attack campaign against Israel-based\r\nentities under the designator #OpIsrael. Targets include websites of political parties, local\r\nauthorities, and telecommunications companies.\r\nMarch 8\r\nIran’s government selected Mojtaba Khamenei, the son of the late leader, as the new Supreme\r\nLeader, signaling a continuity of the regime’s hardline policies. He was considered the preferred\r\ncandidate of the Islamic Revolutionary Guards Corps (IRGC), one of the most powerful political\r\nand military organizations in Iran, created to protect the regime's ideology and power.\r\nRecommendations\r\nDefend against destructive malware\r\nDestructive malware, which Iranian threat actors often leverage, can present a direct threat to an organization’s\r\ndaily operations, impacting the availability of critical assets and data. Disruptive cyberattacks against\r\norganizations in a target country may unintentionally spill over to organizations in other countries. Organizations\r\nshould increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and\r\nresponse for such an event. Refer to CISA’s best practices for responding to destructive malware, outlined on\r\npages 5 - 9 of their 2022 alert. \r\nLimit publicly available data \r\nThe current conflict may prompt increased intelligence-gathering activity from cyber actors seeking to identify\r\nand exploit valuable targets. Espionage-focused actors often perform reconnaissance on targets’ resources with the\r\nintent of gaining further information about their networks. Organizations should therefore consider minimizing the\r\namount and sensitivity of data that is available to external parties. 
This can include scrubbing user email addresses\r\nand contact lists from public websites, which can be used for social engineering; sharing only necessary data with\r\nthird parties; and monitoring and limiting third-party access to the network. Active scanning efforts can also be\r\nidentified by monitoring network traffic for sources associated with botnets and adversaries, based on threat\r\nintelligence.  \r\nEnhance DDoS and website defacement protections\r\nA more active hacktivist landscape inherently increases the threat of DDoS and website defacement attacks. To\r\nimprove defenses against DDoS attacks, organizations should ensure they have a business continuity plan in place,\r\nassess their external attack surfaces, and confirm that critical systems have healthy, usable backups. For website\r\ndefacement/redirect protection, ensure that websites are protected against the most commonly exploited security\r\nvulnerabilities, that all forms and user inputs are validated so they cannot inject code into internal systems, that\r\napplication databases are secured, and that file uploads and the use of add-ons and plugins are limited.\r\nAdhere to security fundamentals  \r\nAn influx of threat actors of varying skill levels to this threat space may lead to unsophisticated methods being\r\nused to compromise victims, as we often see during times of conflict. Defenders should ensure security\r\nfundamentals are being adhered to, such as robust patching for known vulnerabilities and requiring multi-factor\r\nauthentication (MFA) for remote access and on critical services. Patches for critical vulnerabilities that allow for\r\nremote code execution or DoS on externally facing equipment should be prioritized. Organizations can also\r\nimplement a patch management program that enables a timely and thorough patching cycle. 
Talos’ top security\r\npractices, including those to guide MFA deployment, can be found in our 2024 Year in Review report.\r\nGuidance on securing critical infrastructure\r\nNetwork security teams should proactively monitor their traffic for APT-associated IP addresses. It is highly\r\nrecommended to implement the hardening guidelines found in CISA’s ST10-001 documentation and the\r\nCybersecurity Resources Road Map, as these provide a foundational framework for securing network\r\ninfrastructure against unauthorized access. Any traffic originating from malicious sources — particularly attempts\r\nto access remote work services like VPNs, webmail, or administrative interfaces for network hardware — should\r\nbe treated as a confirmed threat. Furthermore, be aware of the risk posed by the technique identified as MITRE\r\nATT\u0026CK T0835. This involves the manipulation of Programmable Logic Controllers (PLCs), where an adversary\r\nalters the device's input/output data. This can cause the controller to ignore safety protocols or perform unintended\r\nphysical actions, effectively breaking the link between digital control and physical reality. 
IRGC-affiliated threat\r\nactors have in the past exploited this technique in multiple sectors in the U.S.\r\nIOCs\r\nThe IOCs are also available on our GitHub repository here.\r\nOriginal Blog - March 2, 2026\r\nCisco Talos continues to monitor the ongoing conflict in the Middle East. As always, we will be watching closely\r\nfor any cyber-related incidents that are tied to the conflict. At this time we have not seen any significant cyber\r\nimpacts, with some small incidents such as web defacements and small-scale distributed-denial-of-service (DDoS)\r\nattacks occurring. As with any highly fluid or dynamic situation, we are focused on providing our customers with\r\nhighly accurate and timely intelligence and information.\r\nIranian groups involved in this conflict have historically operated primarily in the espionage, destructive attack,\r\nand hack-and-leak landscapes. 
We expect these, along with the mentioned activity, to be the most likely avenues\r\nin the near term.\r\nPlease see the following Talos research into regional actors in this area:\r\nMuddy Water, multiple campaigns\r\nShrouded Snooper\r\nOutlook on cyber activity\r\nThe data has thus far supported the belief that this will be a regional war with a large focus on kinetic activity, but\r\nthat can change; we’ll continue to monitor and will update accordingly. Currently there does not appear to be any\r\nsignificant increase in cyber activity associated with state-sponsored or state-affiliated groups.\r\nAny possible impacts will likely be from sympathetic groups like hacktivists, some of whom have already\r\nlaunched website defacement and DDoS campaigns in support of Iran. Additionally, cyber criminals are likely to\r\ntake advantage of the war to try and increase their scope of infections through the use of lures and other social\r\nengineering avenues. Users are reminded to be vigilant when clicking links and opening documents, as it is\r\ncommon for criminals to leverage these conflicts as cover for monetary gain.\r\nTalos is well-versed in monitoring wartime environments with our ongoing work in Ukraine and across the globe.\r\nWe will remain vigilant looking to identify any cyber-related activity relevant to the region. 
If and/or when more\r\nrelevant information becomes available, we will update this blog accordingly.\r\nGuidance\r\nRecommendations for organizations are currently focused on security hygiene, to include having multi-factor\r\nauthentication (MFA) enabled, being diligent around any links or documents that are circulating, and ensuring you\r\nhave proper monitoring in place to ensure you are prepared for any collateral impacts as they arise.\r\nSince this activity appears to be regionally focused, making sure enterprises are aware of any impacts to partners\r\nand third-party suppliers in the region will be paramount. Additional inspection or controls may be warranted to\r\ninsulate the wider organization from potentially larger impacts.\r\nEmployee awareness: Beware of \"hacktivist\" lures\r\nWarn employees against clicking on unsolicited links related to the Middle East conflict, whether news or\r\nhumanitarian. These are often infostealers or backdoors in disguise and meant to take advantage of\r\nemotions.\r\nIncrease the frequency of phishing simulations that use current geopolitical lures to keep staff vigilant\r\nagainst social engineering.\r\nThird-party risk assessment\r\nMap your dependencies. Identify any vendors, service providers, or developers located in or heavily\r\nconnected to the Middle East conflict zone.\r\nEnforce strict MFA for all third-party access and conduct \"zero-trust\" audits on any administrative tools\r\nthat have deep access to your environment.\r\nMitigate \"nuisance\" attacks and defacements\r\nProtect your public-facing brand. Use a Content Delivery Network (CDN) with robust DDoS mitigation\r\nand ensure all web content management systems (CMS) are fully patched.\r\nAs always, ensure all software has been updated to the latest versions to minimize the attack surface and ensure\r\nyou have a robust patching process. 
Many updated software versions have improvements in security and visibility\r\ncapabilities that can help in cyber defense.\r\nSource: https://blog.talosintelligence.com/talos-developing-situation-in-the-middle-east/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/talos-developing-situation-in-the-middle-east/"
	],
	"report_names": [
		"talos-developing-situation-in-the-middle-east"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72fea432-77a6-437a-b02d-693e99d81ef9",
			"created_at": "2024-02-17T02:00:03.861221Z",
			"updated_at": "2026-04-10T02:00:03.58886Z",
			"deleted_at": null,
			"main_name": "BANISHED KITTEN",
			"aliases": [
				"Storm-0842",
				"Red Sandstorm"
			],
			"source_name": "MISPGALAXY:BANISHED KITTEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-10T02:00:03.715945Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5245f2ea-fd7e-4b43-ada3-d9eb41923dd2",
			"created_at": "2024-11-03T02:00:03.635546Z",
			"updated_at": "2026-04-10T02:00:03.731596Z",
			"deleted_at": null,
			"main_name": "RipperSec",
			"aliases": [],
			"source_name": "MISPGALAXY:RipperSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dafc166f-0946-4870-9f6e-46ce02d2a40f",
			"created_at": "2024-11-13T13:15:31.105216Z",
			"updated_at": "2026-04-10T02:00:03.752358Z",
			"deleted_at": null,
			"main_name": "SYLHET GANG-SG",
			"aliases": [],
			"source_name": "MISPGALAXY:SYLHET GANG-SG",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b0d51a1b-38b1-4cfb-bee0-cad7ad2b9651",
			"created_at": "2025-05-29T02:00:03.196955Z",
			"updated_at": "2026-04-10T02:00:03.852653Z",
			"deleted_at": null,
			"main_name": "DieNet",
			"aliases": [
				"Shiite_Harvest"
			],
			"source_name": "MISPGALAXY:DieNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72e0be44-1b83-4ce9-bb67-ac14b3c3a402",
			"created_at": "2026-03-24T02:00:04.632404Z",
			"updated_at": "2026-04-10T02:00:03.98996Z",
			"deleted_at": null,
			"main_name": "313 Team",
			"aliases": [],
			"source_name": "MISPGALAXY:313 Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "24286a10-f789-4cc1-bae6-0bc324cdf9fa",
			"created_at": "2026-03-24T02:00:04.644523Z",
			"updated_at": "2026-04-10T02:00:03.99475Z",
			"deleted_at": null,
			"main_name": "APTIran",
			"aliases": [],
			"source_name": "MISPGALAXY:APTIran",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434260,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5309b5a117e1ab36e583e2f00afce5fba5dcabe7.pdf",
		"text": "https://archive.orkl.eu/5309b5a117e1ab36e583e2f00afce5fba5dcabe7.txt",
		"img": "https://archive.orkl.eu/5309b5a117e1ab36e583e2f00afce5fba5dcabe7.jpg"
	}
}