
Proofpoint Threat Insight (feed items received 12 March 2026)

Iran conflict drives heightened espionage activity against Middle East targets

11 March 2026 at 20:04
Analyst note: Proofpoint uses the UNK_ designator for clusters of activity that are still developing and have not been observed for long enough to receive a numerical TA designation. This report reflects Proofpoint Threat Research's observations as of the date of publication and does not constitute geopolitical analysis or policy commentary.

What happened

On 28 February 2026, the US and Israel conducted strikes targeting assets inside Iran, in a campaign the US called Operation Epic Fury. According to public sourcing, the attacks targeted Iranian missiles and air defenses, other military infrastructure, and Iranian leadership. Iran responded with retaliatory missile and drone strikes in the region, targeting US embassies and military installations.

As the war continues into its second week, several Iranian hacktivist groups and personas have claimed responsibility for various disruptive operations. Iranian espionage-focused threat groups remain somewhat active despite the Iranian government's shutdown of the internet immediately following the initial US and Israeli attacks. For instance, on 8 March, Proofpoint observed the Iran-aligned threat actor TA453 (Charming Kitten, Mint Sandstorm, APT42) conduct a credential phishing attempt against a US think tank target. The email correspondence culminating in this attempt began before the conflict started, indicating that TA453 continues to prioritize intelligence collection against its traditional target set.

While it is unclear how wider Iranian cyber operations will develop, Proofpoint Threat Research has also observed an increase in campaigns from other state-sponsored threat actors targeting Middle East government organizations since the war began. These campaigns were conducted by both known groups and previously unobserved actors, with suspected attribution to China, Belarus, Pakistan, and Hamas.

The campaigns relied heavily on aspects of the conflict as topical lure content and often used compromised accounts belonging to government organizations to send the phishing emails. Proofpoint assesses that this activity reflects a mixture of threat actors opportunistically using the war as lure content for routine operations and actors with an increased focus on intelligence collection against Middle Eastern government and diplomatic entities.

Campaign #1: UNK_InnerAmbush

In early March 2026, the suspected China-aligned threat actor UNK_InnerAmbush conducted a phishing campaign targeting Middle Eastern government and diplomatic organizations. The emails were sent from a likely compromised address, "uzbembish@elcat[.]kg", and linked to a Google Drive URL. The initial wave began on 1 March, one day after the conflict began. The lure in this wave was Ayatollah Khamenei's death, with an offer to share sensitive images from the US "Department of Foreign Affairs" (the quoted name is the lure's own; no such US department exists). Later waves purported to share evidence that "Israel prepares to attack Gulf oil and gas infrastructure to frame Iran."

Figure 1. UNK_InnerAmbush phishing email linking to an archive hosted on Google Drive.

The Google Drive URL hosted a password-protected ZIP or RAR archive named "Photos from the scene.rar" or "Strike at Gulf oil and gas facilities.zip". These archives contained several Windows shortcut (LNK) files disguised as JPG images, which run a loader executable stored in a hidden subfolder. The password protection keeps the contents opaque to scanners that cannot open the archive, while the double extension still lets Explorer show the shortcut with an image-like name.

A decoy image is shown to the user, and the loader executes a benign signed executable vulnerable to DLL sideloading ("nvdaHelperRemoteLoader.exe"). Upon execution, "nvdaHelperRemoteLoader.exe" loads the malicious loader DLL "nvdaHelperRemote.dll" placed beside it, which decrypts a Cobalt Strike payload from "WinHlp.hlp" and loads it into memory.
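Triage of the archive listing for this delivery chain, as an added example that is not part of Proofpoint's report or tooling. It reads a ZIP's central directory, which stays readable even when the member contents are password protected (RAR can additionally encrypt file names, so the check is ZIP-only), and flags shortcut files carrying an image double extension, executables inside a hidden subfolder, and an EXE/DLL pair in one folder, the shape a sideloading bundle takes. The archive is constructed inline with placeholder bytes: the `_tmp` subfolder name and the layout are assumptions; only the file names come from the report.

```python
"""Archive-listing triage for LNK-as-image delivery with a hidden loader folder.

Added example, not Proofpoint tooling. Works on the ZIP central directory only:
member names, paths, DOS attributes and the encryption flag are visible without
the archive password. Sample archive below is constructed with placeholder bytes.
"""
import io
import posixpath
import zipfile
from collections import defaultdict

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".cpl"}
DOS_HIDDEN = 0x02  # MS-DOS "hidden" bit in external_attr for Windows-created zips
DOS_DIRECTORY = 0x10


def _extensions(name):
    """All extensions of a member, lowercase: 'a.jpg.lnk' -> ['.jpg', '.lnk']."""
    parts = posixpath.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]]


def triage_archive(data):
    """Return a list of (member, reason) findings for the ZIP bytes given."""
    findings = []
    hidden_dirs = set()
    exec_exts_by_dir = defaultdict(set)  # directory -> executable extensions seen in it
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        # Pass 1: directory entries marked hidden by DOS attribute or dot prefix.
        for zi in members:
            if zi.is_dir():
                d = zi.filename.rstrip("/")
                if zi.external_attr & DOS_HIDDEN or posixpath.basename(d).startswith("."):
                    hidden_dirs.add(d)
        # Pass 2: per-file checks.
        for zi in members:
            if zi.is_dir():
                continue
            name = zi.filename
            parent = posixpath.dirname(name)
            exts = _extensions(name)
            if zi.flag_bits & 0x1:  # general-purpose bit 0: member content is encrypted
                findings.append((name, "encrypted member (password-protected archive)"))
            if exts and exts[-1] == ".lnk":
                if len(exts) >= 2 and exts[-2] in IMAGE_EXTS:
                    findings.append((name, "shortcut disguised as image (double extension)"))
                else:
                    findings.append((name, "shortcut file inside archive"))
            if exts and exts[-1] in EXEC_EXTS:
                exec_exts_by_dir[parent].add(exts[-1])
                if zi.external_attr & DOS_HIDDEN:
                    findings.append((name, "executable with hidden attribute"))
                in_hidden_dir = any(c.startswith(".") for c in parent.split("/") if c) or any(
                    parent == h or parent.startswith(h + "/") for h in hidden_dirs
                )
                if in_hidden_dir:
                    findings.append((name, "executable in hidden subfolder"))
    for d, exts in exec_exts_by_dir.items():
        if ".exe" in exts and ".dll" in exts:
            findings.append((d + "/", "EXE and DLL side by side (possible DLL sideloading)"))
    return findings


def build_sample_archive():
    """Constructed ZIP mirroring the reported layout; all contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photos from the scene/decoy.jpg", b"\xff\xd8\xff\xd9")       # decoy image
        zf.writestr("Photos from the scene/20260301_100324.jpg.lnk", b"L\x00\x00\x00")
        hidden = zipfile.ZipInfo("Photos from the scene/_tmp/")   # "_tmp" is an assumed name
        hidden.external_attr = DOS_DIRECTORY | DOS_HIDDEN         # directory + hidden
        zf.writestr(hidden, b"")
        zf.writestr("Photos from the scene/_tmp/nvdaHelperRemoteLoader.exe", b"MZ")
        zf.writestr("Photos from the scene/_tmp/nvdaHelperRemote.dll", b"MZ")
        zf.writestr("Photos from the scene/_tmp/WinHlp.hlp", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_archive(build_sample_archive()):
        print(f"{reason:55} {member}")
```

The stdlib cannot write encrypted ZIPs, so the constructed sample never trips the encrypted-member check; on a real password-protected sample that reason appears on every file and is itself a useful signal when combined with the others.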
The Cobalt Strike payload uses a customized malleable C2 profile and communicates with the C&C domain "support.almersalstore[.]com".

The phishing emails also contained unique tracking pixels hosted on a likely compromised website to record target engagement, in the format "hxxps://deepdive.hypernas[.]com/hypernas/api/page.php?uid=<target-email-address>". With the recipient's own address in the query string, every rendered email tells the actor exactly who opened it.

Campaign #2: TA402

In early March 2026, TA402 (Frankenstein, Cruel Jackal) targeted a Middle Eastern government entity with an email credential phishing campaign. The actor used a compromised Ministry of Foreign Affairs of Iraq sender account ("ban.ali@mofa.gov[.]iq") and an attacker-controlled account ("nqandeel04@gmail[.]com") to send the phishing emails. The emails had conflict-themed subjects referencing a potential US ground operation in Iran and a Gulf military alliance to confront Iranian threats.

The emails contained a URL that selectively served either a decoy PDF or a credential harvesting page depending on the target's IP geolocation, so an analyst fetching the URL from outside the targeted region sees only the decoy. The actor-controlled site impersonated Microsoft Outlook Web App (OWA):

"hxxps[:]//mail[.]iwsmailserver[.]com/owa/auth/logon.aspx?uid=<target_specific_uuid>"

Figure 2. TA402 Outlook Web App (OWA) phish hosted on iwsmailserver[.]com.

If the target enters credentials, the values are sent via HTTP POST to an authentication endpoint on the same host.

Campaign #3: UNK_RobotDreams

On 5 March 2026, a suspected Pakistan-aligned actor Proofpoint calls UNK_RobotDreams sent spearphishing emails to India-based offices of Middle East government organizations. The email was sent from an Outlook freemail address impersonating India's Ministry of External Affairs, "jscop.mea.gov.in@outlook[.]com", with the subject "Gulf Security Alert: Iran Retaliation Impacts", referencing the Iran war to increase credibility and urgency.

The emails delivered a PDF attachment containing a blurred decoy and a fake Adobe Reader button.

Figure 3. UNK_RobotDreams PDF attachment leading to an executable hosted on defenceprodindia[.]site.

Clicking the button redirected the victim to an actor-controlled URL, "hxxps://defenceprodindia[.]site/server.php?file=Reader_en_install". The URL was geofenced: users outside the target region received a decoy PDF, while intended targets received an EXE payload.

The downloaded executable ("Reader_en_install.exe") is a .NET loader that used PowerShell (spawned via "conhost.exe") to retrieve a Rust backdoor from the C&C host "endpoint1-b0ecetbuabcdg9cp[.]z01[.]azurefd[.]net", writing it to a file named "VLCMediaPlayer.exe". The Rust backdoor performed host fingerprinting and communicated with command and control over the same Azure Front Door hosted infrastructure, so its traffic terminates on a legitimate Microsoft CDN hostname rather than on an actor-registered domain.

This campaign and infrastructure overlapped with public reporting by Bitdefender; however, Proofpoint does not currently track the activity as a named actor.

Campaign #4: UNK_NightOwl

On 2 March 2026, a suspected state-aligned actor that Proofpoint Threat Research calls UNK_NightOwl sent emails from both a likely compromised account and an attacker-owned freemail account to a government ministry in the Middle East. The compromised account appears to belong to the Ministry of Emergency and Disaster Management in Syria ("ali.mo@med.gov[.]sy"); the freemail account belonged to a fake organization called War Analyse Ltd ("war.analyse.ltd@outlook[.]com"). The emails used the conflict as the lure topic, with the subject "About Escalating Situation."

The emails included a domain that spoofed Microsoft OneDrive, but the URL led to an Outlook Web App (OWA)-themed credential harvesting page. The URL was target-specific, carrying a client ID, and displayed a fake session error prompting the target to sign in again: "hxxps://iran.dashboard.1drvms[.]store/errors/sessionerrors/expire?client=<redacted>"

Figure 4. UNK_NightOwl OWA credential phishing site hosted on 1drvms[.]store.

If the user enters credentials and clicks the sign-in button, the target is redirected to "hxxps://iran.liveuamap[.]com/", the legitimate open-source platform Liveuamap, which carries news updates on the Middle East conflict.

Figure 5. Redirection to iran.liveuamap[.]com after the target enters credentials.

Proofpoint attributes this campaign to a new cluster called UNK_NightOwl, as the observed activity does not align with any currently tracked actors.

Campaign #5: TA473

Between 3 and 5 March 2026, the Belarus-aligned threat actor TA473 (Winter Vivern) sent emails to government organizations in Europe and the Middle East. These messages originated from likely compromised infrastructure and purported to come from a spokesperson for the President of the European Council. The phishing emails contained an HTML attachment titled "european union statement on the situation in iran and the middle east.html". Notably, Proofpoint has not previously observed TA473 targeting Middle Eastern government organizations.

Figure 6. TA473 phishing email spoofing a spokesperson for the European Council President.

The HTML file, if opened, displays a decoy image to the user and makes an HTTP request to a URL of the format "hxxps://unityprogressall[.]org/imagecontent/getimgcontent.php?id=<target-email-address>". Proofpoint Threat Research was unable to retrieve any next-stage payloads at the time of analysis. Based on the HTML content, these requests were likely intended for tracking rather than for delivering follow-on payloads.

Campaign #6: TA453

Proofpoint's tracking of known Iranian actors has surfaced only one campaign so far since the beginning of the war. In late February into early March, the Iran-aligned actor TA453 (Charming Kitten, Mint Sandstorm, APT42) used an attacker-owned freemail account, "McManus.Michael@hotmail[.]com", spoofing Michael McManus, the head of research at the Henry Jackson Society, to target an individual at a think tank in the US.

The initial thread had begun prior to the war as part of typical TA453 espionage activity, with a benign email invitation sent to the target's personal account in February. After the war began, the exchange continued with further targets' corporate accounts, suggesting that TA453 is maintaining its intelligence collection efforts during the ongoing conflict.

The email was themed around an invitation to participate in a roundtable on air defense in the Middle East. The benign outreach included a OneDrive link to a benign PDF ("Air Defense Depletion & Deterrence in the Middle East.pdf") containing the roundtable proposal, to support a credible lure:

"hxxps://1drv[.]ms/b/c/cbec61ab8028f986/IQDa9igU3D3BRqiyNtth76AzAbOM6jUpa8apnuRl-zKXKow?e=E8bIfd"

Figure 7. Benign OneDrive link hosting the PDF proposal for the Henry Jackson Society roundtable.

Once rapport had been established with the target, the next email in the exchange included a malicious URL disguised as a link to another PDF, "Air Defense Depletion & Deterrence in the Middle East-Event Overview.pdf". The URL used an attacker-owned domain ("transfergocompany[.]com") that redirected to a OneDrive-themed credential phishing page hosted on the cloud-hosting service Netlify ("fileportalshare.netlify[.]app"), pre-filled with the target's email address.

Figure 8. OneDrive-spoofing credential phishing landing page.

Why it matters

As the conflict involving Iran and regional actors continues, the operations of Iranian threat actors remain a mix of traditional espionage and disruptive campaigns in support of war efforts.
Proofpoint also observed a range of non-Iranian threat groups targeting Middle Eastern governments with conflict-themed social engineering. While several of these groups incorporated war-themed lure content into operations largely consistent with their typical targeting remits, others demonstrated a shift toward intelligence collection against Middle Eastern government and diplomatic entities. This likely reflects an effort to gather regional intelligence on the standing, trajectory, and broader geopolitical implications of the conflict. The conflict is thus serving both as a topical social engineering pretext and as a driver of collection priorities for a range of state-aligned threat actors.

Indicators of compromise

UNK_InnerAmbush

Indicator | Type | Description | First Seen
uzbembish@elcat[.]kg | Email address | Sender email (likely compromised) | March 2026
fed6ebb87f7388adf527076b07e81dfa432bac4e899b0d7af17b85cc0205ffad | SHA256 | Photos from the scene.rar | March 2026
a9de383c6a1b00c9bd5a09ef87440d72ec7fc4bcd781207b3cace2f246788d4d | SHA256 | Strike at Gulf oil and gas facilities.zip | March 2026
dfaaaf75147afbd57844382c953ec7ef36f68a9c17c66a47a847279a6b1109c9 | SHA256 | _1c9fe357-a209-4c71-923f-34acd3d337a5.jpg.lnk | March 2026
4b9661092051839496c04169ccb52b659c0f65cefd14a990e23565a0c0e8eeaf | SHA256 | 20260301_100324.jpg.lnk | March 2026
d518262dd687a48f273966853f3ed4eb7404eb918b165bb71ff83f75962c0104 | SHA256 | LaunchWlnApp.exe | March 2026
b58ec14b0119182aef12d153280962ad76c30e3cd67533177d55481704eba705 | SHA256 | OfficeClickToRun.scr | March 2026
7b6d69a249fe2adf43eefc31cdeca62cf48ab428fcbf199322feeb99d24fb001 | SHA256 | nvdaHelperRemote.dll | March 2026
a8acb9864e6f64323ed75e69038ca9bfe76f7b1b0d24ec7df8ac07b6dbd641a3 | SHA256 | nvdaHelperRemote.dll | March 2026
14efa1194cc4c6aa5585d63c032268794364123d41a01121cbd5e56f7c313399 | SHA256 | WinHlp.hlp | March 2026
support.almersalstore[.]com | Hostname | Cobalt Strike C&C | March 2026
almersalstore[.]com | Domain | Cobalt Strike C&C | March 2026

TA402

Indicator | Type | Description | First Seen
ban.ali@mofa.gov[.]iq | Email address | Sender email (likely compromised) | March 2026
nqandeel04@gmail[.]com | Email address | Sender email | March 2026
hxxps://mail.iwsmailserver[.]com/owa/auth/logon.aspx?uid=<target_specific_uuid> | URL | OWA credential phishing URL format | March 2026
iwsmailserver[.]com | Domain | TA402-controlled domain | March 2026

TA473

Indicator | Type | Description | First Seen
maria.tomasik@denika[.]se | Email address | Sender email (likely compromised infrastructure) | March 2026
hxxps://unityprogressall[.]org/imagecontent/getimgcontent.php?id=<target-email-address> | URL | URL format contacted by HTML attachment | March 2026
unityprogressall[.]org | Domain | TA473-controlled domain | March 2026
72.60.90[.]32 | IP address | Hosting IP address for unityprogressall[.]org | March 2026

UNK_NightOwl

Indicator | Type | Description | First Seen
war.analyse.ltd@outlook[.]com | Email address | Sender email | March 2026
ali.mo@med.gov[.]sy | Email address | Sender email (likely compromised) | March 2026
hxxps://iran.dashboard.1drvms[.]store/errors/sessionerrors/expire?client=[redacted] | URL | Credential harvesting page | March 2026

UNK_RobotDreams

Indicator | Type | Description | First Seen
jscop.mea.gov.in@outlook[.]com | Email address | Sender email | March 2026
hxxps://defenceprodindia[.]site/server.php?file=Reader_en_install | URL | Delivery URL | March 2026
defenceprodindia[.]site | Domain | UNK_RobotDreams-controlled domain | March 2026
hxxps://endpoint1-b0ecetbuabcdg9cp.z01.azurefd[.]net:443/download.php?file=cnVzdHVwaW5pdA | URL | Azure Front Door staging URL | March 2026
endpoint1-b0ecetbuabcdg9cp[.]z01[.]azurefd[.]net | Hostname | Azure Front Door staging and C&C hostname | March 2026
9477d9cd1435dc465b4047745e9c71103a114d65ed0d5f02ac3c97ac3f1dbf47 | SHA256 | gulf_disruption_advisory_march2026.pdf | March 2026
a9f4f4bc12896d0f0d2eeff02dd3e3e1c1406d8a6d22d59aa85f151d806ba390 | SHA256 | Reader_en_install.exe | March 2026
ea1d98a41ad9343d017fa72f4baeeca0daa688bec6e0508e266c5e37e9d330de | SHA256 | VLCMediaPlayer.exe | March 2026

TA453

Indicator | Type | Description | First Seen
McManus.Michael@hotmail[.]com | Email address | Sender email | February 2026
hxxps://1drv[.]ms/b/c/cbec61ab8028f986/IQDa9igU3D3BRqiyNtth76AzAbOM6jUpa8apnuRl-zKXKow?e=E8bIfd | URL | Delivery URL (benign lure PDF) | March 2026
16db04b632668dae081359fc07c97e5a9b79dad61713642e48b494aa6b7828be | SHA256 | Benign lure PDF | March 2026
transfergocompany[.]com | Domain | TA453-controlled domain | March 2026
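The URL indicators above share three traits worth keying on in proxy or mail-gateway logs: hosts on the IOC list, an OWA login path ("/owa/auth/logon.aspx") on a host that is not the organisation's own, and query parameters that carry the target's email address (the UNK_InnerAmbush and TA473 tracking URLs, the TA453 pre-filled page) or a base64 token (the UNK_RobotDreams staging URL, whose "file" value decodes to "rustupinit"). The following added example, not Proofpoint's code, refangs the IOCs, applies those checks to a constructed proxy log (`timestamp user url` lines, a format assumed for illustration) and decodes the base64 token. `CORPORATE_OWA_HOSTS`, the example-gov hostnames and the UUID in the TA402 sample line are placeholders.

```python
"""URL triage for the patterns seen across these campaigns.

Added example, not Proofpoint tooling. Checks each URL for: a host on the IOC
list, an OWA logon path on a non-corporate host, a target e-mail address in a
query parameter, and a base64 'file' parameter that decodes to readable text.
The log lines are constructed for illustration.
"""
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Hosts taken (defanged) from the report's URLs and IOC tables.
IOC_DOMAINS = {
    "deepdive.hypernas[.]com", "support.almersalstore[.]com", "almersalstore[.]com",
    "iwsmailserver[.]com", "unityprogressall[.]org", "1drvms[.]store",
    "defenceprodindia[.]site", "endpoint1-b0ecetbuabcdg9cp.z01.azurefd[.]net",
    "transfergocompany[.]com", "fileportalshare.netlify[.]app",
}
# Assumed: the hosts where your organisation legitimately serves OWA.
CORPORATE_OWA_HOSTS = {"mail.example-gov.int"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def refang(s):
    """Turn hxxps://a[.]b into https://a.b so the IOCs can be compared to live URLs."""
    return s.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def _host_matches(host, ioc_host):
    return host == ioc_host or host.endswith("." + ioc_host)


def decode_b64_param(value):
    """Decode an unpadded (URL-safe) base64 token; None unless it is printable ASCII."""
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text and text.isprintable() else None


def triage_url(url):
    """Return the list of reasons a URL is suspicious; an empty list means no hit."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    reasons = []
    for ioc in IOC_DOMAINS:
        ioc_host = refang(ioc)
        if _host_matches(host, ioc_host):
            reasons.append(f"host on IOC list ({ioc_host})")
            break
    if "/owa/auth/logon.aspx" in parts.path.lower() and host not in CORPORATE_OWA_HOSTS:
        reasons.append("OWA login path on non-corporate host")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.match(value):
            reasons.append(f"target e-mail in query parameter '{key}' (tracking / pre-fill)")
        if key.lower() == "file":
            decoded = decode_b64_param(value)
            if decoded:
                reasons.append(f"base64 'file' parameter decodes to '{decoded}'")
    return reasons


# Constructed proxy log: "<timestamp> <user> <url>"; hosts/users are placeholders.
SAMPLE_PROXY_LOG = """\
2026-03-02T09:14:03Z alice https://deepdive.hypernas.com/hypernas/api/page.php?uid=alice%40example-gov.int
2026-03-03T11:02:41Z bob https://mail.iwsmailserver.com/owa/auth/logon.aspx?uid=0f3c2a7e-4c1d-4b0e-9a7d-1e2f3a4b5c6d
2026-03-03T11:05:10Z bob https://mail.example-gov.int/owa/auth/logon.aspx
2026-03-05T16:47:58Z carol https://defenceprodindia.site/server.php?file=Reader_en_install
2026-03-05T16:48:22Z carol https://endpoint1-b0ecetbuabcdg9cp.z01.azurefd.net:443/download.php?file=cnVzdHVwaW5pdA
2026-03-05T17:00:00Z dave https://www.example.com/news/middle-east
"""


def scan_log(text):
    """Return (timestamp, user, url, reasons) for every log line that triggers a check."""
    hits = []
    for line in text.splitlines():
        try:
            ts, user, url = line.split(maxsplit=2)
        except ValueError:
            continue
        reasons = triage_url(url)
        if reasons:
            hits.append((ts, user, url, reasons))
    return hits


if __name__ == "__main__":
    for ts, user, url, reasons in scan_log(SAMPLE_PROXY_LOG):
        print(ts, user, url)
        for r in reasons:
            print("   -", r)
```

The base64 check deliberately returns nothing for "Reader_en_install" (17 characters is not a valid base64 length), so the defenceprodindia line is flagged on its host alone; the e-mail check fires on URL-encoded addresses because `parse_qsl` decodes "%40" before the regex sees it.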

Disruption targets Tycoon 2FA, popular AiTM PhaaS

5 March 2026 at 01:28
Key findings

Tycoon 2FA is one of the most popular phishing-as-a-service (PhaaS) platforms currently used by threat actors, and the highest-volume adversary-in-the-middle (AiTM) phishing threat in Proofpoint data.

Tycoon 2FA infrastructure was disrupted by public and private partners, including Proofpoint, Microsoft, Europol, Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel 471, Resecurity, The Shadowserver Foundation, SpyCloud and TrendAI, together with additional European law enforcement partners.

The Tycoon 2FA disruption and the associated lawsuit naming the creator will have a significant impact on Tycoon 2FA, related infrastructure, and threat actor activity.

Proofpoint was proud to assist in the law enforcement and private sector investigations into Tycoon 2FA activity and supported Microsoft's action with data, including malicious domains and information related to Tycoon 2FA campaigns.

Overview

Tycoon 2FA operates as an AiTM phishing kit. Its primary function is to harvest usernames, passwords, and Microsoft 365 and Gmail session cookies. Attackers use these cookies to circumvent multifactor authentication (MFA) access controls during subsequent authentication: the stolen cookie represents a session in which MFA has already been satisfied, so replaying it does not trigger a new challenge. That allows them to achieve full account takeover (ATO) and gain unauthorized access to a user's accounts, systems and cloud services, even those protected by MFA.

According to Proofpoint threat data, in 2025, 99% of organizations experienced account takeover attempts, and 67% experienced a successful account takeover. Of the accounts taken over, 59% had MFA enabled. While not all MFA-bypassing ATO campaigns are attributable to Tycoon 2FA, Tycoon 2FA is the highest-volume AiTM phishing threat in Proofpoint visibility. Tycoon 2FA threat volumes vary with actor activity; in February 2026, Proofpoint observed over three million messages associated with Tycoon 2FA.

Tycoon 2FA infrastructure, including domains and servers, was disrupted in collaboration with private and public partners including Proofpoint, Microsoft, Europol, Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel 471, Resecurity, The Shadowserver Foundation, SpyCloud, and TrendAI. In coordination with Europol, law enforcement in Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom carried out seizures of infrastructure and other operational measures. Microsoft and co-plaintiff Health-ISAC also filed a lawsuit against the alleged Tycoon 2FA creator, Saad Fridi, and unnamed associates. The disruption and the associated civil filing in the United States District Court for the Southern District of New York will have a significant impact on Tycoon 2FA operations and overall threat activity.

Proofpoint supported Microsoft's action with threat data from our visibility, including malicious domains and information related to Tycoon 2FA campaigns, and provided a declaration for the suit.

In addition to the disruption, the following splash page was displayed on the seized Tycoon 2FA domains:

Figure 1. Tycoon 2FA splash page.

Tycoon 2FA campaign details

Tycoon 2FA relies on attacker-controlled infrastructure to host the phishing web pages. The platform sits as a proxy between the victim and the legitimate service: credentials entered on the phishing page are captured and relayed in real time to the real login service, producing a transparent, successful login that triggers the genuine MFA prompt. The victim completes MFA against the real service, and the resulting session cookies are relayed back to the threat actors.

Tycoon 2FA is sold as phishing-as-a-service (PhaaS): threat actors purchase access to the phishing tool and customize it to suit their needs. The kit can be used repeatedly for the duration of the subscription. Tycoon 2FA is used by multiple threat actors and sold by one main individual. It has been sold on Telegram since 2023 and was initially distributed via the "Saad Tycoon Group" channel.
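Because the proxy performs the victim's login, the MFA-satisfied session is issued to the kit's client IP and the operator then presents the cookie from somewhere else. One heuristic that follows from that, as an added example over a constructed and simplified sign-in log (not Proofpoint's or Microsoft's detection logic): alert when a session id bound to one client IP at an MFA-satisfied sign-in is used from a different IP within a short window. `TRUSTED_NETS`, the 24-hour window and the event tuple format are assumptions; the IPs are documentation ranges.

```python
"""Session-cookie replay heuristic for AiTM account takeover.

Added example, not vendor detection logic. Input is a constructed, simplified
sign-in log: (timestamp, user, session_id, client_ip, mfa_satisfied). A session
whose MFA-satisfied sign-in came from IP A and which is then used from IP B
within the window is reported, unless both IPs sit inside trusted ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed events; 203.0.113.25 plays the AiTM proxy, 198.51.100.77 the operator.
SAMPLE_SIGNINS = [
    ("2026-02-10T08:02:11Z", "j.doe", "sess-7f3a", "203.0.113.25", True),   # login via proxy, MFA done
    ("2026-02-10T08:09:40Z", "j.doe", "sess-7f3a", "198.51.100.77", False), # same cookie, new IP
    ("2026-02-10T08:15:02Z", "a.lee", "sess-c019", "192.0.2.14", True),
    ("2026-02-10T10:30:15Z", "a.lee", "sess-c019", "192.0.2.14", False),    # same IP: normal reuse
    ("2026-02-10T12:00:00Z", "a.lee", "sess-c019", "192.0.2.90", False),    # trusted-to-trusted hop
]
# Assumed: ranges your users legitimately sign in from (office egress, VPN pool).
TRUSTED_NETS = [ip_network("192.0.2.0/24")]
REPLAY_WINDOW = timedelta(hours=24)


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_session_replays(events, window=REPLAY_WINDOW):
    """Return (user, session_id, issued_ip, replay_ip, minutes_after_issue) per suspect use."""
    by_session = defaultdict(list)
    for ts, user, sid, ip, mfa in events:
        by_session[sid].append((_parse_ts(ts), user, ip, mfa))
    alerts = []
    for sid, rows in by_session.items():
        rows.sort()
        # The session is "bound" to the IP of its first MFA-satisfied sign-in.
        issued = next(((t, ip) for t, _, ip, mfa in rows if mfa), None)
        if issued is None:
            continue
        t0, ip0 = issued
        for t, user, ip, _ in rows:
            if t <= t0 or ip == ip0 or t - t0 > window:
                continue
            if _trusted(ip) and _trusted(ip0):
                continue  # e.g. a NAT pool change inside the corporate network
            minutes = int((t - t0).total_seconds() // 60)
            alerts.append((user, sid, ip0, ip, minutes))
    return alerts


if __name__ == "__main__":
    for user, sid, issued_ip, replay_ip, mins in find_session_replays(SAMPLE_SIGNINS):
        print(f"{user}: session {sid} issued to {issued_ip}, reused from {replay_ip} {mins} min later")
```

The heuristic is intentionally coarse: mobile users changing networks will also trip it, so in practice it is a triage signal to pair with ASN reputation of the replay IP and with whether the original sign-in itself came from hosting space rather than a user network.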
Some Tycoon 2FA users leverage "ATO jumping": the actor compromises an initial email account, uses the compromised sender to broadly distribute Tycoon 2FA URLs, and attempts further account takeover (ATO) from the accounts captured that way. This makes the emails appear to come from a victim's trusted contact, increasing the likelihood of a successful compromise.

Tycoon 2FA infections can lead to a variety of malicious activities, including theft of private data (financial information, personally identifiable information, proprietary business information); full account takeover and Microsoft 365 access that can be sold to additional threat actors; and follow-on malware compromises, including ransomware.

Proofpoint has regularly tracked actors using the Tycoon 2FA phishing kit since 2024. We observe Tycoon 2FA distributed via email campaigns. A campaign is a time-bound set of related activity clustered by indicators of compromise (IOCs) such as senders, URLs, attachments, and Tycoon 2FA configuration. Tycoon 2FA campaigns vary in scale; some include just a handful of messages, others millions. Campaign timelines range from one day to one week.

Tycoon 2FA distribution depends on the criminals' preferred method of email spam. Emails may contain malicious links, QR codes, SVGs, or attachments with URLs. In all cases, the user is redirected to an actor-controlled URL that presents a CAPTCHA challenge; once solved, it directs the user to an attacker-controlled site impersonating a Microsoft or Google login portal. The CAPTCHA gate also keeps automated crawlers and sandboxes from reaching the credential page. In many cases, the threat actor displays the target organization's Azure Active Directory (now Microsoft Entra ID) branding to further the social engineering and convince the user they are entering credentials into a real corporate site.

Figure 2. Email lure observed in late January 2026 with a PDF attachment containing a QR code leading to Tycoon 2FA.

Figure 3. Example CAPTCHA used by Tycoon 2FA, January 2026.

Figure 4. Tycoon 2FA landing page with the target organization's logo redacted, January 2026.

Tycoon 2FA campaigns are typically opportunistic, target a broad range of organizations, and often leverage compromised accounts to spread the phishing URLs. Proofpoint has observed Tycoon 2FA distributed via compromised accounts from various industries including legal, real estate, healthcare, government, education, construction, and technology, as well as personal email such as Gmail addresses.

Tycoon 2FA customers manage their campaigns via a panel provided by the Tycoon 2FA creator. The panel landing pages have changed slightly since 2023, but the general URL structure and landing page functionality have remained the same.

Figure 5. Tycoon panel login screen, February 2026.

The current panel (as of February 2026) also requires a CAPTCHA.

Impact

The majority of tracked Tycoon 2FA campaigns impact North America, mainly the US and Canada, with additional activity targeting many European countries including Germany, Spain, France, and the UK. According to Microsoft, Tycoon 2FA enabled cybercriminals to access almost 100,000 organizations, including schools, hospitals, non-profits, and public institutions.

Based on Proofpoint's visibility, the following table lists industries targeted in observed Tycoon 2FA campaigns and the percentage of campaigns in which each appeared (individual campaigns impact multiple targets, so the percentages do not sum to 100%).

Vertical | Percent of Tycoon 2FA campaigns
Aerospace | 73%
Business Services | 82%
Defense | 64%
Education | 75%
Energy | 78%
Financial Services | 84%
Government | 79%
Healthcare | 83%
Hospitality | 76%
Manufacturing | 83%
Real Estate | 77%
Technology | 85%
Utilities | 76%

Disruption

On 4 March 2026, Microsoft announced a lawsuit and disruption action against the Tycoon 2FA creator and multiple unnamed associates. Proofpoint supported the civil filing by providing a declaration regarding Tycoon activity, including infrastructure and campaign details. Microsoft seized 330 control panel domains associated with Tycoon 2FA. This action will have a significant impact on operations, disrupting ongoing criminal activity.

Successful account takeovers can cause significant harm to compromised organizations, including financial and reputational damage, loss of proprietary data, and follow-on attacks such as ransomware that can have destructive consequences.

Proofpoint's mission is to provide the best human-centric protection for our customers against advanced threats. Whenever it is possible and appropriate to do so, as with the Tycoon 2FA disruption, Proofpoint uses its team's knowledge and skills to help protect a wider audience against widespread malware and phishing threats. Proofpoint was proud to assist in the law enforcement and private sector investigations into Tycoon 2FA activity.

Through its unique vantage point, Proofpoint is able to identify the largest and most consequential malware distribution campaigns, providing authorities with much-needed insight into the biggest threats to society, affecting the greatest number of people around the world.