Threat Research

Rising tensions between the United States, Israel, and Iran have increased the likelihood of cyber operations accompanying military activity. Iranian state-aligned threat actors have historically targeted sectors such as energy, financial services, government, and defense to weaken response capabilities before or during conflict....
A dramatic and dangerous phase in Middle Eastern geopolitics has begun with open conflict between Iran, Israel, and the United States. Last week, U.S. and Israeli forces launched Operation Lion’s Roar, targeting Iranian military and nuclear facilities. Iran retaliated, escalating the conflict across the region....
Large language models (LLMs) and AI agents are increasingly integrated into browsers, search engines, and automated content-processing systems. While this expands functionality, it also introduces a new and largely unexplored attack surface....
Recent escalations between Iran, the U.S., and Israel have coincided with increased cyber threat activity across the Middle East. Destructive incidents, including kinetic attacks affecting AWS data centers in the UAE and Bahrain, have disrupted regional cloud services....
On Feb. 28, 2026, joint US–Israel strikes reduced Iran’s internet connectivity to 1–4%, disrupting leadership communications and degrading command-and-control across state networks. Security teams identified an SMS phishing campaign distributing a trojanized Israeli Home Front Command RedAlert APK for surveillance and data exfiltration....
On 28 February 2026, U.S. and Israeli forces launched combined air and cyber attacks that disrupted Iranian communications networks and critical systems....
In January 2026, ThreatLabz identified activity by a suspected Iran-linked threat actor targeting Iraqi government officials. The team uncovered previously undocumented malware: SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. Analysis revealed strong overlap in tools, techniques, and procedures (TTPs) and in victimology with known Iran-nexus APT operations. Based on this evidence,...
CRESCENTHARVEST is a targeted cyberespionage campaign using protest-themed lures to infect Farsi-speaking individuals with malicious .LNK files disguised as media content. The malware, deployed via DLL sideloading with a signed Google executable, acts as a remote access trojan and information stealer capable of keylogging, command execution, and data exfiltration....
MalTerminal is AI-powered malware that uses GPT-4 to dynamically generate ransomware and other malicious code at runtime, instead of carrying a fixed payload. By creating unique scripts on demand through API calls, it evades traditional signature-based detection and static analysis....
On Feb. 28, 2026, the United States and Israel launched a joint offensive: Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel). In response, Iran initiated a multi-vector retaliatory campaign that has expanded into a broader trans-regional conflict. An increase in cyberattacks from activist groups outside Iran has been observed....
UNC2814, a suspected PRC-linked cyber espionage group active since 2017, conducted a large-scale global campaign targeting telecommunications and government organizations across 42 countries, impacting at least 53 confirmed victims....
"New Dohdoor Malware Campaign Targets Education and Health Care" outlines a phishing-driven, multi-stage attack primarily impacting U.S. education and healthcare organizations....
"Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign" examines how Agent Tesla continues to pose a significant threat by enabling even low-skilled actors to steal sensitive information through a refined and layered infection process....
Reynolds ransomware leverages a Bring Your Own Vulnerable Driver (BYOVD) technique to neutralize endpoint security controls prior to file encryption. It drops a legitimately signed but vulnerable kernel driver, NSecKrnl.sys, and exploits CVE-2025-68947 to gain kernel-level privileges....
"Malicious OpenClaw Skills Used to Distribute Atomic macOS Stealer" describes a campaign in which threat actors shifted Atomic (AMOS) Stealer from cracked software distribution to a supply chain-style attack targeting AI agentic workflows on platforms like OpenClaw....