{
	"id": "d532ec1b-5021-4a2a-b660-a358dda377f6",
	"created_at": "2026-04-06T00:09:00.094399Z",
	"updated_at": "2026-04-10T03:36:01.607959Z",
	"deleted_at": null,
	"sha1_hash": "970b6ceaaeab6e8fb93ea9a3957bafcf0c83b4fa",
	"title": "CYBER THREAT LANDSCAPE REPORT – UNITED ARAB EMIRATES (UAE) - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1162228,
	"plain_text": "CYBER THREAT LANDSCAPE REPORT – UNITED ARAB\r\nEMIRATES (UAE) - CYFIRMA\r\nArchived: 2026-04-02 12:32:58 UTC\r\nPublished On : 2025-10-08\r\nExecutive Summary\r\nIn 2025, the United Arab Emirates (UAE) experienced a significant surge in cybercriminal activity, particularly in\r\nthe dark web ecosystem. Threat actors targeted critical government institutions, financial services, and digital\r\nplatforms, resulting in multiple high-profile data breaches. Sensitive information, including personally identifiable\r\ninformation (PII), financial data, and corporate records, was exposed and offered for sale on underground forums.\r\nRansomware activity also surged, with Russia-linked groups such as Everest, Medusa, and Embargo leading\r\nattacks against UAE entities. The evolving threat landscape highlights the urgency for enhanced cybersecurity\r\nmeasures, robust regulatory compliance, and proactive threat intelligence initiatives.\r\nKey Findings\r\nGovernment and Public Sector Breaches\r\nhttps://www.cyfirma.com/research/cyber-threat-landscape-report-united-arab-emirates-uae/\r\nPage 1 of 10\n\nDubai’s Ports, Customs, and Free Zone Corporation (PCFC) experienced a leak of 1.94 TB of data,\r\nincluding passports and Emirates IDs.\r\nDubai Municipality systems, including JIRA tickets and Confluence documents, were compromised and\r\nmade available on dark web forums.\r\nFinancial Sector Exposure\r\nEmirates NBD, Commercial Bank of Dubai, and other financial institutions had customer databases, credit\r\ncard, and brokerage information leaked.\r\nInsurance platforms such as Lookinsure were targeted, with CRM and transaction data exposed, enabling\r\nrisks of identity theft, financial fraud, and synthetic identity attacks.\r\nDigital Services Breaches\r\nDigital Dubai Pulse records of 22,000 individuals were compromised, exposing personal and professional\r\ndetails.\r\nDark Web Market Trends\r\nCybercriminal forums actively facilitated the sale of stolen 
data, typically ranging from USD 257 to USD\r\n50,000 per database.\r\nGovernment and financial sectors were the most frequently targeted, followed by airlines and digital\r\nservice providers.\r\nRansomware Threat Landscape\r\nEverest ransomware was the most active in 2025, with Medusa and Embargo also conducting significant\r\nattacks.\r\nCommon tactics included phishing, privilege escalation, lateral movement, double extortion, and use of AI-enhanced malware for evasion.\r\nSmaller ransomware groups (e.g., DragonForce, Devman, Gunra) contributed to the broader threat\r\nlandscape.\r\nThe authenticity of these breaches remains unverified at the time of reporting, as the claims originate solely from\r\nthe threat actor.\r\nMajor Dark Web Incidents of 2025\r\nDubai’s Ports, Customs and Free Zone Corporation (PCFC) data is on sale\r\nOn September 10, 2025, CYFIRMA tracked activity on a popular Russian-speaking cybercriminal forum, where a\r\nthreat actor known as “Kazu” claimed to have gained unauthorized access to the Government of Dubai’s Ports,\r\nCustoms, and Free Zone Corporation (PCFC). The actor allegedly leaked 1.94 TB of data and is reportedly selling\r\nsensitive information, including passports, Emirates IDs, and other personally identifiable information (PII). The\r\nthreat actor has demanded USD 50,000 and instructed interested parties to contact them via Tox, Signal, or\r\nTelegram. 
The exposure of such data presents a significant risk, as it may be leveraged for targeted social\r\nengineering, phishing campaigns, and other follow-on malicious activities.\r\nDatabase of an Insurance platform Operating in the UAE is on Sale\r\nOn August 11, 2025, a threat actor identified as “0kb” attempted to sell unauthorized access to the Customer\r\nRelationship Management (CRM) system of Lookinsure, an insurance aggregator and digital platform\r\nheadquartered in the United Arab Emirates. The access was advertised for $4,000. According to the actor’s claims,\r\nthe compromised data included loan documents, payment transaction records, insurance information, customer\r\nprofiles containing full names, phone numbers, Emirates IDs, nationalities, and other sensitive details.\r\nThis compromise enables targeted phishing and social engineering, identity theft and synthetic-identity fraud,\r\naccount takeover and SIM-swap attacks, financial/insurance fraud, extortion, and resale of customer data —\r\nposing high regulatory, financial, and reputational risk.\r\nDatabase of Emirates NBD Offered For Sale\r\nOn July 6, 2025, a threat actor on a popular Chinese forum claimed to have leaked a database associated with\r\nEmirates NBD. The actor allegedly exposed the data of 700,000 credit holders, including first names, last names,\r\nmobile numbers, email addresses and card details. The leak was reportedly offered for USD 430.\r\nDatabase of UAE – Commercial Bank of Dubai Credit Card Data Offered For Sale\r\nOn August 29, 2025, a threat actor on a popular Chinese forum claimed to have leaked a database associated with\r\nCommercial Bank of Dubai Credit Card Data. 
The actor allegedly exposed the client details including first names,\r\nlast names, and email addresses. The leak was reportedly offered for USD 420.\r\nDatabase of Emirates NBD Brokerage Offered For Sale\r\nOn September 1, 2025, a threat actor on a popular Chinese forum claimed to have leaked a database associated\r\nwith Emirates NBD brokerage (Emaar Investments). The actor allegedly exposed the client details including first\r\nnames, last names, email addresses and card details. The leak was reportedly offered for USD 2575.\r\nDatabase of Digital Dubai Pulse Offered For Sale\r\nOn July 9, 2025, a threat actor using the alias “auen_greyfall” claimed to have leaked a database of 22,000 records\r\nfrom Dubai Pulse. The leaked database includes first names, last names, designations, and addresses. The threat\r\nactor instructed interested parties to contact them via their TOX ID.\r\nDatabase of Dubai Municipality Offered For Sale\r\nOn July 29, 2025, a threat actor named “Gravity” claimed to have gained unauthorized access to the systems of\r\nDubai Municipality (https[:]//dm.gov.ae). The threat actor managed to gain access to all JIRA tickets, Confluence\r\ndocuments, and a few miscellaneous screenshots.\r\nDark Web Threats Statistics\r\nThe dark web serves as a central underground hub where hackers and threat actors actively communicate and\r\ntrade information. 
Our analysis of dark web activity focused on identifying trends related to targeted countries and\r\nindustries.\r\nThe CYFIRMA research team detected several posts from different threat actors targeting enterprises in the UAE.\r\nThe majority of these posts involved the sale of customer databases and unauthorized access to the networks of\r\nUAE-based organizations.\r\nGovernment institutions and financial services emerged as the most frequently targeted sectors, followed by the\r\nairline industry. These findings highlight the increasing risks faced by critical sectors in the UAE and emphasize\r\nthe need for enhanced cybersecurity measures.\r\nMajor Ransomware Incidents in UAE – 2025\r\nOn May 26, 2025, Mediclinic Group, a South Africa–based healthcare company that also operates in the United\r\nArab Emirates, was targeted by the Everest ransomware group. The attackers claim to have obtained 4 GB of the\r\ncompany’s internal data, including the personal information of approximately 1,000 employees.\r\nOn July 20, 2025, a U.S.-based company named TransCore, which operates in Dubai, was affected by the\r\nCrypto24 ransomware group. The group claimed to have breached the internal network of TransCore’s Dubai\r\noffice. More than 200 GB of internal data was exfiltrated, including in-development source code, complete file\r\nsets from active and archived client projects, internal financial records, and a large volume of unprotected\r\ncustomer data. 
The stolen information includes material covered by multiple NDAs, exposing confidential third-party materials and client information.\r\nTop Ransomware Gangs Targeting United Arab Emirates\r\nEverest Ransomware:\r\nEverest ransomware is a Russia-linked ransomware-as-a-service (RaaS) operation active since 2020.\r\nIt typically spreads through phishing campaigns, malicious downloads, exploit kits, and exposed RDP\r\nservices.\r\nOnce inside, the threat actor performs lateral movement, network scanning, and privilege escalation before\r\nencrypting files with the “.everest” extension.\r\nThe malware disables security/recovery tools, exfiltrates sensitive data, and employs double extortion\r\ntactics by threatening to leak data on its Tor-based site.\r\nEmbargo Ransomware:\r\nEmbargo ransomware, a Ransomware-as-a-Service (RaaS) group that emerged in April 2024, has quickly\r\nbecome a significant cybercrime threat, linked to over USD 34 million in transactions.\r\nThe group uses Rust-based malware, double extortion tactics, and advanced defense evasion.\r\nIts sophistication, possibly enhanced by AI, and its subdued branding help it operate effectively while evading\r\ndetection.\r\nMedusa Ransomware:\r\nMedusa ransomware is a Russia-linked ransomware operation active since late 2022.\r\nIt spreads via initial access brokers, phishing campaigns, and exploiting public-facing vulnerabilities.\r\nOnce inside, operators perform lateral movement, privilege escalation, and credential dumping before\r\nencrypting files with the “.MEDUSA” extension.\r\nThe group exfiltrates sensitive data and uses double extortion, threatening to leak data on its dark web blog\r\nwhile pressuring victims through public platforms like Telegram and X.\r\nIn 2025, ransomware activity in the UAE was led by Everest, which recorded the highest number of incidents,\r\nmaking it the most active 
group of the year. Medusa and Embargo followed, both showing notable levels of\r\nattacks against UAE targets.\r\nOther groups, including DragonForce, Devman, Gunra, Braincipher, Crypto24, Funksec, Lynx, and Ransomhub,\r\neach registered fewer incidents but still contributed to the overall ransomware threat landscape.\r\nOverall, the 2025 data highlights Everest as the dominant ransomware gang, while also showing that the UAE\r\nfaced threats from a diverse set of smaller but persistent actors.\r\nConclusion\r\nThe UAE’s cyber threat landscape in 2025 demonstrates a critical need for vigilance across all sectors. The\r\ncombination of targeted data breaches, dark web data trafficking, and ransomware attacks highlights the persistent\r\nrisk to national security, financial stability, and public trust. Government and private organizations must recognize\r\nthat cyber threats are not isolated incidents but part of a coordinated, global ecosystem of criminal activity.\r\nRecommendations\r\nStrengthen Cybersecurity Infrastructure\r\nImplement multi-layered security measures, including endpoint detection and response (EDR), network\r\nsegmentation, and zero-trust architecture.\r\nRegularly patch and monitor critical systems to reduce vulnerability exposure.\r\nEnhance Threat Intelligence and Monitoring\r\nContinuously monitor dark web forums and underground marketplaces for early warning of potential\r\nbreaches.\r\nIntegrate threat intelligence feeds into incident response protocols to anticipate emerging threats.\r\nImprove Data Protection and Compliance\r\nEncrypt sensitive data both at rest and in transit.\r\nEnsure compliance with UAE data protection regulations and international cybersecurity standards.\r\nEmployee Awareness and Training\r\nConduct regular cybersecurity awareness programs focusing on phishing, social engineering, and safe 
data\r\nhandling.\r\nPromote a culture of reporting suspicious activity and incidents promptly.\r\nIncident Response and Business Continuity\r\nDevelop and regularly test comprehensive incident response plans, including ransomware-specific\r\nplaybooks.\r\nEstablish rapid recovery and backup systems to minimize operational and reputational impact.\r\nCollaborative Cybersecurity Initiatives\r\nEncourage public-private partnerships for information sharing on cyber threats.\r\nParticipate in regional and global cyber defence collaborations to enhance preparedness against\r\nsophisticated threat actors.\r\nSource: https://www.cyfirma.com/research/cyber-threat-landscape-report-united-arab-emirates-uae/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/research/cyber-threat-landscape-report-united-arab-emirates-uae/"
	],
	"report_names": [
		"cyber-threat-landscape-report-united-arab-emirates-uae"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "13623ffb-4701-4f3d-bf32-8826346433ac",
			"created_at": "2024-12-21T02:00:02.850766Z",
			"updated_at": "2026-04-10T02:00:03.784245Z",
			"deleted_at": null,
			"main_name": "FunkSec",
			"aliases": [],
			"source_name": "MISPGALAXY:FunkSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d3a027b4-6a97-44c9-8caf-f3a62241ceba",
			"created_at": "2026-01-23T02:00:03.297223Z",
			"updated_at": "2026-04-10T02:00:03.935556Z",
			"deleted_at": null,
			"main_name": "Kazu",
			"aliases": [],
			"source_name": "MISPGALAXY:Kazu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/970b6ceaaeab6e8fb93ea9a3957bafcf0c83b4fa.pdf",
		"text": "https://archive.orkl.eu/970b6ceaaeab6e8fb93ea9a3957bafcf0c83b4fa.txt",
		"img": "https://archive.orkl.eu/970b6ceaaeab6e8fb93ea9a3957bafcf0c83b4fa.jpg"
	}
}