Iran Conflict Drives Heightened Espionage Activity Against Middle East Targets

    Date: 03/12/2026

    Severity: Critical

    Summary

    On 28 February 2026, the US and Israel launched strikes inside Iran in a campaign named Operation Epic Fury, targeting missiles, air defenses, military infrastructure, and leadership assets. Iran retaliated with missile and drone attacks against US embassies and military bases across the region. As the conflict entered its second week, multiple Iranian hacktivist groups claimed responsibility for disruptive cyber operations. Iranian espionage-linked threat groups remain active despite the government shutting down internet access after the initial strikes. On 8 March, the Iran-aligned group TA453 (Charming Kitten/APT42) attempted credential phishing against a US think tank, continuing an intelligence campaign that began before the conflict.

    Indicators of Compromise (IOC) List

    Domains/URLs:


    IP Address:

    72.60.90.32

    Hash (SHA-256):


    Email Addresses:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://defenceprodindia.site/server.php?file=Reader_en_install" or url like "https://defenceprodindia.site/server.php?file=Reader_en_install" or siteurl like "https://defenceprodindia.site/server.php?file=Reader_en_install" or domainname like "https://unityprogressall.org/imagecontent/getimgcontent.php?id=<%>" or url like "https://unityprogressall.org/imagecontent/getimgcontent.php?id=<%>" or siteurl like "https://unityprogressall.org/imagecontent/getimgcontent.php?id=<%>" or domainname like "support.almersalstore.com" or url like "support.almersalstore.com" or siteurl like "support.almersalstore.com" or domainname like "https://1drv.ms/b/c/cbec61ab8028f986/IQDa9igU3D3BRqiyNtth76AzAbOM6jUpa8apnuRl-zKXKow?e=E8bIfd" or url like "https://1drv.ms/b/c/cbec61ab8028f986/IQDa9igU3D3BRqiyNtth76AzAbOM6jUpa8apnuRl-zKXKow?e=E8bIfd" or siteurl like "https://1drv.ms/b/c/cbec61ab8028f986/IQDa9igU3D3BRqiyNtth76AzAbOM6jUpa8apnuRl-zKXKow?e=E8bIfd" or domainname like "almersalstore.com" or url like "almersalstore.com" or siteurl like "almersalstore.com" or domainname like "transfergocompany.com" or url like "transfergocompany.com" or siteurl like "transfergocompany.com" or domainname like "defenceprodindia.site" or url like "defenceprodindia.site" or siteurl like "defenceprodindia.site" or domainname like "https://mail.iwsmailserver.com/owa/auth/logon.aspx?uid=<%>" or url like "https://mail.iwsmailserver.com/owa/auth/logon.aspx?uid=<%>" or siteurl like "https://mail.iwsmailserver.com/owa/auth/logon.aspx?uid=<%>" or domainname like "unityprogressall.org" or url like "unityprogressall.org" or siteurl like "unityprogressall.org" or domainname like "iwsmailserver.com" or url like "iwsmailserver.com" or siteurl like "iwsmailserver.com" or domainname like "https://iran.dashboard.1drvms.store/errors/sessionerrors/expire?client=[redacted]" or url like "https://iran.dashboard.1drvms.store/errors/sessionerrors/expire?client=[redacted]" or siteurl like "https://iran.dashboard.1drvms.store/errors/sessionerrors/expire?client=[redacted]" or domainname like "https://endpoint1-b0ecetbuabcdg9cp.z01.azurefd.net:443/download.php?file=cnVzdHVwaW5pdA" or url like "https://endpoint1-b0ecetbuabcdg9cp.z01.azurefd.net:443/download.php?file=cnVzdHVwaW5pdA" or siteurl like "https://endpoint1-b0ecetbuabcdg9cp.z01.azurefd.net:443/download.php?file=cnVzdHVwaW5pdA" or domainname like "endpoint1-b0ecetbuabcdg9cp.z01.azurefd.net" or url like "endpoint1-b0ecetbuabcdg9cp.z01.azurefd.net" or siteurl like "endpoint1-b0ecetbuabcdg9cp.z01.azurefd.net"

    Detection Query 2:

    dstipaddress IN ("72.60.90.32") or srcipaddress IN ("72.60.90.32")

    Detection Query 3:

    sha256hash IN ("a9de383c6a1b00c9bd5a09ef87440d72ec7fc4bcd781207b3cace2f246788d4d","fed6ebb87f7388adf527076b07e81dfa432bac4e899b0d7af17b85cc0205ffad","dfaaaf75147afbd57844382c953ec7ef36f68a9c17c66a47a847279a6b1109c9","4b9661092051839496c04169ccb52b659c0f65cefd14a990e23565a0c0e8eeaf","d518262dd687a48f273966853f3ed4eb7404eb918b165bb71ff83f75962c0104","b58ec14b0119182aef12d153280962ad76c30e3cd67533177d55481704eba705","7b6d69a249fe2adf43eefc31cdeca62cf48ab428fcbf199322feeb99d24fb001","a8acb9864e6f64323ed75e69038ca9bfe76f7b1b0d24ec7df8ac07b6dbd641a3","14efa1194cc4c6aa5585d63c032268794364123d41a01121cbd5e56f7c313399","9477d9cd1435dc465b4047745e9c71103a114d65ed0d5f02ac3c97ac3f1dbf47","a9f4f4bc12896d0f0d2eeff02dd3e3e1c1406d8a6d22d59aa85f151d806ba390","ea1d98a41ad9343d017fa72f4baeeca0daa688bec6e0508e266c5e37e9d330de","16db04b632668dae081359fc07c97e5a9b79dad61713642e48b494aa6b7828be")

    Detection Query 4:

    sender in ("uzbembish@elcat.kg","ban.ali@mofa.gov.iq","nqandeel04@gmail.com","maria.tomasik@denika.se","war.analyse.ltd@outlook.com","ali.mo@med.gov.sy","jscop.mea.gov.in@outlook.com","McManus.Michael@hotmail.com") or From In ("uzbembish@elcat.kg","ban.ali@mofa.gov.iq","nqandeel04@gmail.com","maria.tomasik@denika.se","war.analyse.ltd@outlook.com","ali.mo@med.gov.sy","jscop.mea.gov.in@outlook.com","McManus.Michael@hotmail.com") or recipient In ("uzbembish@elcat.kg","ban.ali@mofa.gov.iq","nqandeel04@gmail.com","maria.tomasik@denika.se","war.analyse.ltd@outlook.com","ali.mo@med.gov.sy","jscop.mea.gov.in@outlook.com","McManus.Michael@hotmail.com")
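    The four queries above can be folded into one matcher, given here as an added example in Python (not Gurucul's code or query language). It goes a step beyond Query 1: a URL indicator is matched both by its host (so other paths and subdomains on the same host are caught) and as a template in which the <target-...> and [redacted] placeholders become wildcards. The event field names and the sample events are assumptions, and only a subset of the advisory's indicators is loaded.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the advisory above (a subset; the matching logic is the point).
URL_IOCS = [
    "https://defenceprodindia.site/server.php?file=Reader_en_install",
    "https://unityprogressall.org/imagecontent/getimgcontent.php?id=<target-email-address>",
    "https://mail.iwsmailserver.com/owa/auth/logon.aspx?uid=<target_specific_uuid>",
]
DOMAIN_IOCS = {"almersalstore.com", "transfergocompany.com", "defenceprodindia.site"}
IP_IOCS = {"72.60.90.32"}
SHA256_IOCS = {"fed6ebb87f7388adf527076b07e81dfa432bac4e899b0d7af17b85cc0205ffad"}
EMAIL_IOCS = {"war.analyse.ltd@outlook.com", "jscop.mea.gov.in@outlook.com"}
PLACEHOLDER = r"<[^>]+>|\[redacted\]"   # e.g. "<target-email-address>", "[redacted]"
# A URL IOC's host is itself worth matching; Query 1 only matches the literal URL string.
HOST_IOCS = DOMAIN_IOCS | {urlparse(u).hostname for u in URL_IOCS}

def url_regex(ioc):
    """Compile a URL IOC: placeholders become wildcards, everything else is literal."""
    parts = re.split(f"({PLACEHOLDER})", ioc)
    body = "".join(".+" if re.fullmatch(PLACEHOLDER, p) else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")
URL_REGEXES = [url_regex(u) for u in URL_IOCS]

def host_hit(value):
    """Match a bare host or a URL's host against HOST_IOCS, subdomains included."""
    host = ((urlparse(value).hostname if "://" in value else value) or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in HOST_IOCS)

def match_event(ev):
    """Return the IOC categories an event dict hits; mirrors Detection Queries 1-4."""
    hits = set()
    for f in ("domainname", "url", "siteurl"):
        v = ev.get(f, "")
        if host_hit(v) or any(r.match(v) for r in URL_REGEXES):
            hits.add("network")
    if {ev.get("srcipaddress"), ev.get("dstipaddress")} & IP_IOCS:
        hits.add("ip")
    if ev.get("sha256hash", "").lower() in SHA256_IOCS:
        hits.add("hash")
    if {ev.get(f, "").lower() for f in ("sender", "from", "recipient")} & EMAIL_IOCS:
        hits.add("email")
    return sorted(hits)

# Constructed sample events, not taken from the advisory.
SAMPLE_EVENTS = [
    {"url": "https://unityprogressall.org/imagecontent/getimgcontent.php?id=user@example.org"},
    {"domainname": "cdn.almersalstore.com", "dstipaddress": "72.60.90.32"},
    {"url": "https://example.org/login", "sender": "colleague@example.org"},
]
```

    Hash and email comparisons are case-insensitive, which the literal IN lists in Queries 3 and 4 are not if the platform compares case-sensitively.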

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/iran-conflict-drives-heightened-espionage-activity-against-middle-east-targets


    Tags

    Threat Actor, Iran, APT, United States, Israel, The Middle East, Defense Industrial Base, TA453, Phishing, Malware

