Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks: 2026 Updates

    Date: 03/04/2026

    Severity: Critical

    Summary

    Recent escalations between Iran, the U.S., and Israel have coincided with increased cyber threat activity across the Middle East. Destructive incidents, including kinetic attacks affecting AWS data centers in the UAE and Bahrain, have disrupted regional cloud services. Threat monitoring indicates heightened activity from groups such as HydraC2, Handala, Sicarii, and the state-linked Muddy Water APT, which is conducting a campaign known as Operation Olalampo targeting the META region. Iran is likely to employ cybercriminal-style tactics—including DDoS attacks, ransomware followed by data wiping, and destructive malware—while leveraging long-term network access for espionage and retaliatory cyber operations.

    Indicators of Compromise (IOC) List

    URLs/Domains

    whatsapp-meeting.duckdns.org

    stager_51_bot

    api.telegram.org

    codefusiontech.org

    Hash

    62ED16701A14CE26314F2436D9532FE606C15407

    Filename

    FMAPP.dll

    Process name

    gshdoc_release_X64_GUI.exe

    sh.exe

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "codefusiontech.org" or siteurl like "codefusiontech.org" or url like "codefusiontech.org" or domainname like "api.telegram.org" or siteurl like "api.telegram.org" or url like "api.telegram.org" or domainname like "whatsapp-meeting.duckdns.org" or siteurl like "whatsapp-meeting.duckdns.org" or url like "whatsapp-meeting.duckdns.org" or domainname like "stager_51_bot" or siteurl like "stager_51_bot" or url like "stager_51_bot"

    Detection Query 2:

    sha1hash IN ("62ED16701A14CE26314F2436D9532FE606C15407")

    Detection Query 3:

    resourcename = "Windows Security" and eventtype = "4688" and processname IN ("gshdoc_release_X64_GUI.exe","sh.exe")

    Detection Query 4:

    technologygroup = "EDR" and processname IN ("gshdoc_release_X64_GUI.exe","sh.exe")

    Detection Query 5:

    resourcename = "Windows Security" and eventtype = "4663" and objectname IN ("FMAPP.dll","gshdoc_release_X64_GUI.exe","sh.exe")


    Detection Query 6:

    technologygroup = "EDR" and objectname IN ("FMAPP.dll","gshdoc_release_X64_GUI.exe","sh.exe")

    Detection Query 7:

    resourcename = "Sysmon" and eventtype = "7" and imageloaded IN ("FMAPP.dll")

    Detection Query 8:

    technologygroup = "EDR" and imageloaded IN ("FMAPP.dll")
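    The eight queries above re-expressed as stand-alone Python, as an added example (not Gurucul's code or query engine), so the same IOC logic can be run offline against exported events. Field names follow the queries; comparing file fields on their base name (so full paths in Sysmon and EDR telemetry also match) and the sample events are assumptions of this example.

```python
IOC_DOMAINS = {"whatsapp-meeting.duckdns.org", "stager_51_bot",
               "api.telegram.org", "codefusiontech.org"}
IOC_SHA1 = {"62ED16701A14CE26314F2436D9532FE606C15407"}
IOC_PROCS = {"gshdoc_release_X64_GUI.exe", "sh.exe"}
IOC_FILES = IOC_PROCS | {"FMAPP.dll"}
IOC_DLLS = {"FMAPP.dll"}

def _name(value):
    # base name of a Windows or POSIX path, e.g. C:\x\FMAPP.dll -> FMAPP.dll
    return value.replace("\\", "/").rsplit("/", 1)[-1]
def _has(ev, field, values):  # IN (...): exact match on the base name (assumption)
    return ev.get(field) is not None and _name(ev[field]) in values
def _like(ev, field, values):  # LIKE "x": substring match
    return any(x in ev.get(field, "") for x in values)

def match_queries(ev):
    """Return the numbers of the detection queries (1..8) that one event satisfies."""
    hits = []
    if any(_like(ev, f, IOC_DOMAINS) for f in ("domainname", "siteurl", "url")):
        hits.append(1)
    if ev.get("sha1hash", "").upper() in IOC_SHA1:
        hits.append(2)
    winsec = ev.get("resourcename") == "Windows Security"
    edr = ev.get("technologygroup") == "EDR"
    if winsec and ev.get("eventtype") == "4688" and _has(ev, "processname", IOC_PROCS):
        hits.append(3)
    if edr and _has(ev, "processname", IOC_PROCS):
        hits.append(4)
    if winsec and ev.get("eventtype") == "4663" and _has(ev, "objectname", IOC_FILES):
        hits.append(5)
    if edr and _has(ev, "objectname", IOC_FILES):
        hits.append(6)
    if (ev.get("resourcename") == "Sysmon" and ev.get("eventtype") == "7"
            and _has(ev, "imageloaded", IOC_DLLS)):
        hits.append(7)
    if edr and _has(ev, "imageloaded", IOC_DLLS):
        hits.append(8)
    return hits

# Constructed sample events (not real telemetry); the last one must not match.
SAMPLE_EVENTS = [
    {"url": "https://api.telegram.org/bot123/sendMessage"},
    {"resourcename": "Windows Security", "eventtype": "4688", "processname": "sh.exe"},
    {"resourcename": "Sysmon", "eventtype": "7", "imageloaded": r"C:\Users\x\FMAPP.dll"},
    {"technologygroup": "EDR", "objectname": "FMAPP.dll", "imageloaded": "FMAPP.dll"},
    {"resourcename": "Windows Security", "eventtype": "4688", "processname": "notepad.exe"},
]

def scan(events=SAMPLE_EVENTS):  # event index -> matched queries; no-hit events omitted
    return {i: q for i, ev in enumerate(events) if (q := match_queries(ev))}
```

    Note that sh.exe also ships with Git for Windows and similar developer toolkits, so a hit on query 3 or 4 alone is weak evidence; treat the hash and domain matches (queries 1 and 2) as the higher-confidence signals and use the process and DLL hits for corroboration.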

    Reference:

    https://www.halcyon.ai/ransomware-alerts/iranian-use-of-cybercriminal-tactics-in-destructive-cyber-attacks-2026-updates


    Tags

    Threat Actor, APT, Iran, United States, Israel, The Middle East, UAE, MuddyWater, DDoS, Ransomware
