Reading view

Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns.

The post Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns appeared first on Unit 42.

  •  

Fast16 Malware

Researchers have reverse-engineered a piece of malware named Fast16. It’s almost certainly state-sponsored, probably US in origin, and was deployed against Iran years before Stuxnet:

“…the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an in-the-wild malware tool: By automatically spreading across networks and then silently manipulating computation processes in certain software applications that perform high-precision mathematical calculations and simulate physical phenomena, Fast16 can alter the results of those programs to cause failures that range from faulty research results to catastrophic damage to real-world equipment.”

Another news article.

Lots of interesting details at the links.

  •  

Crossbench MPs pressure Labor over gas export tax – as it happened

This blog is now closed

The pollies have been asked this morning whether people should consider working from home to save fuel, as conflict escalates in the Middle East.

Tehran has said it will “irreversibly destroy” essential infrastructure across the Middle East, including vital water systems, if the US follows through on Donald Trump’s threat to “obliterate” Iran’s power plants unless the strait of Hormuz is fully opened within two days.

This is like Covid style restrictions I think that are potentially being floated. I would not support that in any way, and I don’t think businesses would do so either …

If people can work from home and they want to and it works for their employers, fine, I think that’s terrific, but it doesn’t help small businesses. It certainly doesn’t help the truckers and the fishers and the farmers and the manufacturers and the miners that are relying on fuel supply.

Continue reading...

© Photograph: Mick Tsikas/AAP

© Photograph: Mick Tsikas/AAP

© Photograph: Mick Tsikas/AAP

  •  

Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict

Blogs

Blog

Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict

In this post, we examine how Iran-aligned militias and foreign terrorist organizations (FTOs) responded to the current US–Israel–Iran conflict, what their statements suggest about operational intent, and why this points to a wider risk environment for US and Israeli interests across the region.

SHARE THIS:
Default Author Image
March 19, 2026

The current phase of the US–Israel–Iran conflict is generating more than rhetorical support from militant actors aligned with Tehran. Public messaging from groups across Iraq, Lebanon, Yemen, and Gaza indicates a coordinated effort to frame the conflict as a regional, long-term confrontation rather than a contained exchange.

For threat intelligence teams, these statements matter not only because of what they say, but because of what they signal. Across multiple theaters, Iran-aligned groups are using similar language, emphasizing shared objectives, and in some cases pointing to an expanded target set that reaches beyond their traditional operating areas. Taken together, this messaging suggests continued alignment across militant networks and a heightened likelihood of retaliatory or opportunistic activity targeting US and Israeli interests.

Leadership Losses Are Being Used to Reinforce Mobilization

Several militant statements referenced the reported deaths of senior Iranian officials in strikes in Tehran, including Supreme Leader Ali Khamenei, Defense Minister Aziz Nasirzadeh, and IRGC Commander Mohammad Bagheri. These losses were framed not simply as blows against Iran, but as attacks on the broader resistance movement.

That framing is important. By portraying the strikes as an assault on a shared regional project rather than a national leadership event confined to Iran, these groups are reinforcing the rationale for broader mobilization. Statements from actors such as Akram al-Kaabi of Harakat al-Nujaba and Abdul-Malik al-Houthi of Ansarallah reflect that posture, emphasizing retaliation, readiness, and continued support for Iran.

This kind of messaging is consistent with efforts to maintain cohesion across the so-called resistance network during periods of escalation. It also helps set the informational conditions for follow-on activity by justifying future attacks as part of a collective response.

Messaging Points to a Longer Conflict Horizon

Some of the clearest signals in the reporting come from groups that described the conflict as a prolonged struggle rather than a short-lived escalation.

Kata’ib Hizballah called on fighters to prepare for a “long-term war of attrition,” while Kata’ib Sayyid al-Shuhada similarly urged readiness for a “long battle.” These statements go beyond symbolic solidarity. They suggest that at least some actors within Iran’s aligned militant ecosystem are preparing their audiences and personnel for sustained operations over time.

That distinction matters for defenders. A messaging environment centered on endurance, attrition, and regional confrontation raises the likelihood that groups will seek to maintain operational tempo across multiple fronts rather than respond with a single retaliatory action.

Militant Activity May Extend Beyond Traditional Operating Areas

Another notable feature of the reporting is the implied expansion of targeting scope.

Claims and statements referenced possible or actual activity in locations including Jordan, the Red Sea, and Israeli military sites near Haifa. This suggests that militant responses linked to the conflict may not remain confined to the actors’ most established operating environments in Iraq and Syria.

The claim by Rijal al-Bas al-Shadid of a drone strike on Muwaffaq Salti Air Base in Jordan is one example. Hezbollah’s claim of a strike south of Haifa is another. Together, these claims reinforce the broader picture presented in the messaging: a conflict environment in which Iran-aligned groups are attempting to demonstrate reach across multiple geographies and domains.

Even where operational claims remain difficult to verify independently, the messaging itself is still analytically significant. It helps illustrate how these groups want the conflict to be understood — as regional, coordinated, and capable of generating pressure well beyond a single front.

Responses Across the Network Reflect Coordinated Alignment

The organizational responses themselves show a high degree of consistency in tone and framing.

Hezbollah, Hamas, and the Houthis

Hezbollah claimed a strike on the Mishmar HaCarmel missile defense site south of Haifa using missiles and drone swarms, presenting the operation as a legitimate response within the broader confrontation. Although Hezbollah is actively engaged in countering the Israeli ground offensive into Southern Lebanon, the group could still pose a regional threat. Al-Qassam Brigades issued a eulogy for Iranian leadership figures and indicated that their deaths would intensify resistance rather than weaken it. Ansarallah declared full readiness for further military developments and signaled preparedness to target US bases and Israeli interests across the region.

Iraqi Militias and FTOs

Harakat al-Nujaba condemned the strikes and called for military retribution. Kata’ib Hizballah emphasized long-term attritional conflict. Saraya Awliya al-Dam declared maximum readiness and stated that it was prepared to target US military sites inside and outside Iraq. Kata’ib Sayyid al-Shuhada warned that US presence in the Middle East would lose any safe foothold as the conflict develops.

Specialized and Emerging Actors

Rijal al-Bas al-Shadid claimed a retaliatory drone attack in Jordan. Shabab al-Wa’ad al-Sadiq Forces announced its formation as a new entity aligned with Iran and the resistance axis. Ajnad Beit al-Maqdis used its first official statements to announce allegiance to al-Qaeda, tying that move to the current conflict and broader anti-US and anti-Israel narratives.

Taken together, these responses highlight not just ideological alignment, but messaging discipline. Similar themes appear across multiple organizations: retaliation for leadership losses, preparation for sustained conflict, and a shared portrayal of the United States and Israel as part of a unified adversarial front.

What This Means for Threat Intelligence Teams

From an intelligence perspective, the most important takeaway is not any single statement or claim. It is the degree of coordination visible across the messaging environment.

Flashpoint analysts assess that the current US–Israel–Iran conflict is generating aligned signaling among multiple militant organizations across the Middle East. This messaging indicates continued support for potential operations targeting US and Israeli interests and will likely contribute to increased militant activity across Iraq, Lebanon, Gaza, Yemen, and surrounding areas.

For security and intelligence teams, that means monitoring should extend beyond traditional flashpoints and beyond one-for-one retaliation models. The current environment suggests a broader risk picture shaped by networked militant cooperation, narrative synchronization, and the possibility of operations emerging across several theaters at once.

Supporting Security Teams with Threat Intelligence

Understanding how Iran-aligned militant networks communicate, coordinate, and signal intent is critical for anticipating how conflict dynamics may translate into real-world activity.

Flashpoint provides primary source intelligence that helps security teams track emerging threats, identify shifts in adversary behavior, and contextualize risk across regions and domains. From monitoring militant group messaging to analyzing operational indicators, our intelligence enables organizations to move from reactive response to informed, proactive defense.To learn how Flashpoint can support your team with real-time intelligence and analysis, schedule a demo.

Begin your free trial today.

The post Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict appeared first on Flashpoint.

  •  

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

Blogs

Blog

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

This post tracks the convergence of kinetic warfare, psychological operations, and cyber activity as the conflict expands across the Middle East and beyond.

SHARE THIS:

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through May 4.

Latest Update: Escalation Across Maritime, Cyber, and Economic Domains (Last 24–48 Hours)

The conflict has entered a phase of direct maritime and economic confrontation, with both kinetic and cyber activity intensifying in parallel.

Following the collapse of diplomatic efforts, the United States has formally initiated a naval blockade of Iranian ports, while Iran has responded by deploying midget submarines and reportedly mining key transit routes in the Strait of Hormuz. These developments signal a shift from pressure on infrastructure to direct control over regional shipping and energy flows.

At the same time, cyber operations have escalated beyond disruption into claims of large-scale destructive activity targeting industrial and government systems across the Gulf. While some of these claims remain unverified, the volume and nature of activity indicate a sustained effort to degrade both public-sector and commercial infrastructure.

Timeline of Key Developments

May 4
~06:00 UTC
CENTCOM announces the commencement of “Project Freedom” to secure maritime transit through the Strait of Hormuz.
~08:30 UTC
The IRGC Navy declares a new operational control sector in the Strait, warning that vessels failing to coordinate transit will be “stopped with force”.
10:15 UTC
Iran launches a barrage of four cruise missiles toward the UAE; three are intercepted by UAE air defenses while one falls into the sea.
11:00 UTC
A drone strike targets an ADNOC oil tanker in the Gulf.
13:45 UTC
The South Korean Ministry of Foreign Affairs confirms a South Korean vessel was struck in its engine room while transiting the Strait.
15:30 UTC
Handala Hack announces “Operation Premature Death,” releasing the names and ranks of 400 US Navy officers.
17:00 UTC
IRGC releases footage purportedly showing strikes on US vessels; CENTCOM dismisses these claims as false.

What This Means

This phase of the conflict reflects a shift toward combined economic and operational pressure:

  • Maritime control is now central: The blockade and countermeasures in the Strait of Hormuz introduce sustained risk to global shipping, energy transport, and supply chains.
  • Cyber operations are aligning with physical objectives: Activity targeting industrial systems and government infrastructure suggests an intent to create downstream operational disruption, not just visibility or signaling.
  • Private-sector exposure continues to expand: Western-linked infrastructure—particularly in energy, logistics, and cloud environments—remains within scope of both kinetic and cyber targeting.

Immediate Outlook (Next 48–72 Hours)

Further escalation is highly likely.

Iranian retaliatory activity may target US or Israeli assets in the near term, while continued pressure on maritime routes is expected to sustain volatility in global energy markets. At the same time, divergence among Western partners may create additional operational uncertainty, particularly for organizations relying on regional stability for logistics, infrastructure, or personnel movement.

How the Conflict Evolved

Since the opening strikes on February 28, the conflict has progressed through a series of rapid shifts—each expanding both the scope of targeting and the systems under pressure. What began as a tightly scoped military operation has developed into a sustained, multi-domain conflict affecting regional infrastructure, global markets, and private-sector operations.

This evolution is best understood not as a linear escalation, but as a sequence of overlapping phases that introduced new targets, new tactics, and new forms of risk.

Phase 1: Decapitation and Immediate Regional Spillover

(February 28)

The conflict began with a coordinated US–Israeli campaign targeting senior Iranian leadership and missile infrastructure. The objective was clear: degrade Iran’s ability to project force through its ballistic and air defense systems.

That containment window was brief.

Within hours, Iran launched retaliatory strikes across the Gulf, targeting US and allied military installations in Kuwait, Qatar, and Bahrain. Civilian and commercial systems were immediately affected, including flight disruptions in Dubai and early instability in maritime routes near the Strait of Hormuz.

From the outset, the conflict was regional—not bilateral—and it unfolded across military, commercial, and civilian environments simultaneously.

Phase 2: Regional Expansion and Civilian Exposure

(March 1–3)

Within the first 72 hours, the battlespace widened significantly.

Air operations extended directly over Tehran, signaling degradation of Iranian defensive capabilities. At the same time, new fronts emerged, including Hezbollah activity along Israel’s northern border. Targeting patterns began to shift, with incidents affecting civilian-adjacent infrastructure such as hotels, diplomatic sites, and transit hubs.

This period also marked the early alignment of cyber and information activity with kinetic operations. While still limited in impact, these efforts reflected a broader strategy: shaping disruption beyond the battlefield.

Phase 3: Infrastructure and System-Level Targeting

(March 5–10)

By early March, the conflict moved beyond military objectives and into the systems that sustain state and economic activity.

Energy infrastructure, power grids, logistics hubs, and financial systems became consistent points of pressure. Strikes on refineries and industrial complexes—combined with increasing instability in the Strait of Hormuz—introduced immediate consequences for global energy markets and supply chains.

This phase marked a structural shift. The conflict was no longer defined by territorial or military outcomes alone. It began to affect availability, access, and continuity across critical systems.

Phase 4: Commercial and Private-Sector Targeting

(March 11–13)

The targeting set expanded again—this time explicitly incorporating the private sector.

Iranian-aligned channels began publicly identifying Western technology, cloud, and financial firms as operational targets. In parallel, cyber activity moved deeper into enterprise environments, with disruptions affecting global companies and financial institutions.

At the same time, physical operations reinforced this shift:

  • Commercial shipping was targeted near the Strait of Hormuz
  • Banking operations were disrupted or preemptively shut down
  • Industrial facilities and refineries were forced offline

At this stage, economic pressure was no longer a byproduct of conflict—it had become a deliberate objective.

Phase 5: Hybrid Operations and Distributed Pressure

(Mid–Late March)

As kinetic operations continued, the conflict took on a more distributed and persistent character.

Cyber operations evolved in both scale and intent, expanding from disruption into data destruction, extortion, and psychological operations. Activity linked to groups such as Handala and broader proxy ecosystems demonstrated increasing coordination and willingness to target both regional and international entities.

At the same time, physical targeting patterns shifted toward long-term degradation:

  • Industrial production sites were struck
  • Ports and logistics corridors faced sustained pressure
  • Aviation hubs and transit infrastructure became recurring targets

This phase blurred traditional boundaries. Military, cyber, economic, and information operations were no longer distinct lines of effort—they were operating in parallel against overlapping targets.

A Conflict Without a Single Center of Gravity

By the end of March, the conflict had stabilized into a sustained, multi-domain environment defined by persistence rather than decisive escalation.

Military exchanges continue across multiple fronts, but the broader impact is shaped by pressure on:

  • Energy production and transport
  • Maritime and aviation corridors
  • Financial systems and commercial operations
  • Digital infrastructure and enterprise environments

Rather than converging toward resolution, the conflict has distributed risk across systems that extend well beyond the immediate region.

Phase 6: Economic Warfare Formalized and Maritime Escalation

(Late March – Early April)

By late March and into early April, economic pressure became formalized as a central objective of the conflict.

Maritime activity in and around the Strait of Hormuz shifted from disruption to active enforcement. Threats to commercial shipping intensified, while both state and proxy actors signaled a willingness to restrict or halt transit entirely. At the same time, targeting patterns expanded further into energy infrastructure, including gas production and refining capacity across the Gulf.

These developments introduced a new level of systemic risk. With a significant portion of global seaborne crude tied to the region, even partial disruption began to influence global pricing, supply planning, and downstream operations far beyond the Middle East.

Phase 7: Ceasefire Fracture and Persistent Hybrid Operations

(Early–Mid April)

Attempts at de-escalation introduced a new layer of complexity rather than stability.

While diplomatic efforts produced temporary pauses in kinetic activity, underlying objectives remained unresolved. In some cases, these pauses created space for continued operations in other domains. Cyber activity, in particular, showed no meaningful reduction, with Iranian-aligned groups continuing campaigns targeting infrastructure, government systems, and private-sector entities.

At the same time, friction points, especially in Lebanon, remained active. The exclusion of key actors from ceasefire terms contributed to continued localized escalation, reinforcing the decentralized nature of the conflict.

This period demonstrated that pauses in military activity do not equate to reduced risk across the broader threat landscape.

Phase 8: Direct Economic Targeting and Globalization of Risk

(Mid April and Beyond)

Following the breakdown of ceasefire dynamics, the conflict moved into a phase defined by direct economic targeting and broader international involvement.

US and allied actions began to focus more explicitly on constraining Iran’s financial and energy systems, while Iranian responses expanded to include threats against Western-affiliated commercial entities, academic institutions, and infrastructure beyond the immediate region.

At the same time, indicators of internationalization became more pronounced:

  • External actors providing military and technical support across sides
  • Cyber operations extending into Western and allied networks
  • Increased risk to global supply chains, energy markets, and financial systems

By this stage, the conflict was no longer confined to regional dynamics. It had evolved into a sustained pressure campaign with global economic and operational implications.

The Escalating Cyber and Information Front

From the earliest hours of the conflict, cyber operations have moved in parallel with kinetic activity—sometimes reinforcing it, and at other times extending its reach beyond the physical battlespace.

What has changed over time is not just the volume of activity, but the role cyber operations play within the broader campaign.

Early Phase: Disruption and Narrative Control

In the opening days, cyber activity focused primarily on disruption and influence.

Coordinated campaigns linked to pro-IRGC and pro-Russian-aligned groups targeted government websites, defense contractors, and public-facing services with distributed denial-of-service (DDoS) attacks and defacements. At the same time, information operations began to take shape, including the manipulation of widely used platforms such as the BadeSaba prayer app, where push notifications were leveraged to deliver messaging at scale.

These efforts were designed to create confusion, shape perception, and amplify the impact of concurrent military operations rather than cause lasting operational damage.

Expansion: Coordinated Campaigns and Infrastructure Access

As the conflict expanded regionally, cyber operations became more coordinated and more ambitious in scope.

Campaigns operating under banners such as #OpIsrael brought together loosely affiliated actors targeting infrastructure across Israel, the Gulf, and allied states. Claims during this period included access to industrial control systems, water infrastructure, and surveillance networks. While not all claims were independently verified, the consistency of targeting pointed to a broader intent: probing critical systems while signaling capability.

At the same time, verified activity—particularly from groups such as MuddyWater—demonstrated continued intrusion into aerospace, defense, and financial networks, reinforcing that espionage objectives remained active alongside disruption efforts.

Escalation: Enterprise Targeting and Data Destruction

By mid-March, cyber activity shifted again—this time toward enterprise environments and private-sector targets.

Incidents linked to groups such as Handala reflected a move beyond disruption into destructive operations. Reported activity included large-scale data wiping, exfiltration, and coordinated doxxing campaigns targeting individuals and organizations tied to Israeli or Western interests.

Equally significant was the reported use of “living-off-the-land” techniques, where attackers leveraged legitimate administrative tools within cloud environments to execute destructive actions. This approach reduces reliance on traditional malware and complicates detection, particularly for organizations dependent on signature-based defenses.

At this stage, cyber operations were no longer operating at the edges of the conflict. They were directly targeting the systems organizations rely on to operate.

Persistence Through Ceasefire: Cyber as a Continuous Pressure Mechanism

Subsequent developments demonstrated that cyber activity is not tied to the tempo of kinetic operations.

During periods of diplomatic pause, Iranian-aligned groups continued to operate with little observable reduction in activity. Public statements from groups such as Handala explicitly reinforced this posture, framing cyber operations as independent from military timelines.

At the same time, targeting patterns shifted rather than paused. Activity expanded to include:

  • Western and allied government systems
  • Critical infrastructure, including water and energy sectors
  • Commercial platforms and authentication systems

This reflects a broader strategic advantage: cyber operations allow actors to maintain pressure, test defenses, and shape outcomes without requiring direct military engagement.

Current State: Distributed, Adaptive, and Blended Operations

At present, cyber activity reflects a blend of objectives:

  • Espionage, particularly against defense and government networks
  • Disruption, including DDoS and service degradation
  • Destruction, through data wiping and system compromise
  • Psychological operations, leveraging public platforms and data exposure

These activities are carried out by a mix of state-linked groups, proxy actors, and loosely affiliated hacktivist networks, often operating with overlapping targets and messaging.

The result is a distributed and adaptive threat environment in which attribution is complex, timelines are compressed, and the boundary between state and non-state activity is increasingly blurred.

What This Signals

Cyber operations in this conflict are not a supporting element—they are a persistent layer of pressure that operates alongside and, at times, independently from physical conflict.

For organizations, this introduces a different type of risk:

  • Activity may continue even when kinetic conditions stabilize
  • Targeting may shift quickly across sectors and geographies
  • Detection becomes more difficult as attackers rely on legitimate tools and blended tradecraft

While cyber operations extend the reach of the conflict, the most immediate systemic pressure is emerging through physical and economic chokepoints—particularly in energy production and maritime transit.

Strategic Chokepoints and Systemic Risk

As the conflict expanded, physical targeting patterns converged around a small number of systems that carry disproportionate global impact: energy production, maritime transit, and regional mobility infrastructure.

Energy Infrastructure as a Primary Lever

Energy systems have emerged as one of the most consistently targeted elements of the conflict.

Strikes on refineries, gas facilities, and industrial complexes—combined with explicit threats against major Gulf energy assets—reflect a deliberate effort to constrain production and introduce volatility into global markets. Incidents affecting facilities in Saudi Arabia and the UAE, along with threats tied to Iran’s own production infrastructure, indicate that both sides view energy disruption as a means of exerting strategic pressure.

The scale of exposure is significant. A substantial portion of global seaborne crude transits through the region, and even partial disruption has immediate downstream effects on pricing, supply planning, and industrial operations.

This dynamic introduces a level of sensitivity that extends well beyond the region. Energy is a transmission mechanism for global economic impact.

Maritime Transit and the Strait of Hormuz

The Strait of Hormuz has remained the central chokepoint throughout the conflict.

From the earliest days, threats to shipping were used to signal escalation. Over time, those threats evolved into direct action, including strikes on commercial vessels, increased naval activity, and the positioning of maritime assets capable of restricting transit.

In later stages, this pressure became more formalized, with both state and proxy actors signaling a willingness to enforce constraints on shipping aligned with opposing interests. The result has been sustained disruption to maritime traffic, increased insurance and routing costs, and reduced throughput across one of the world’s most critical energy corridors.

For organizations dependent on global supply chains, the implications are immediate:

  • Longer transit times
  • Higher costs
  • Reduced predictability in delivery schedules

Even without a complete shutdown, sustained pressure on the Strait introduces ongoing friction into global trade flows.

Aviation and Regional Mobility

Airspace and aviation infrastructure have also been repeatedly affected.

Early in the conflict, flight suspensions and airport disruptions were driven by proximity to kinetic activity. As the conflict progressed, aviation hubs themselves became targets. Incidents near major transit centers—particularly in the Gulf—demonstrate both the vulnerability and strategic importance of these nodes.

Aviation serves as a critical connector for personnel movement, logistics, and high-value cargo. Disruption at major hubs does not remain localized; it cascades across international routes, affecting scheduling, capacity, and access.

In combination with maritime constraints, this creates a compounding effect: fewer viable routes, increased congestion elsewhere, and limited flexibility for organizations attempting to move people or goods.

Expansion to Commercial and Financial Systems

Over time, economic pressure extended beyond physical infrastructure into commercial and financial environments.

Public warnings and targeting signals began to include:

  • Banking institutions and financial districts
  • Commercial office locations tied to Western firms
  • Technology and cloud infrastructure hubs

In parallel, operational impacts became visible. Banking services were disrupted or preemptively suspended in parts of the Gulf, while threats against commercial centers introduced new considerations for business continuity and personnel safety.

This expansion reflects a shift in how the conflict defines “infrastructure.” It is no longer limited to energy or transport, as it also includes the systems that enable economic activity itself.

Business and Security Implications

As the conflict has expanded into energy systems, maritime corridors, aviation hubs, and commercial infrastructure, enterprise exposure is no longer limited to organizations with a direct regional footprint.

The targeting patterns observed throughout this conflict indicate that the systems underpinning global operations—logistics, cloud infrastructure, financial services, and workforce mobility—are all within scope.

For organizations, this introduces sustained operational friction rather than isolated disruption. Planning assumptions should shift accordingly.

Personnel and Physical Security

Exposure to physical risk has expanded beyond military installations into commercial environments.

Incidents affecting transit hubs, diplomatic facilities, and Western-linked commercial districts, combined with public warning lists identifying specific office locations in Jordan and the UAE, indicate that personnel operating in previously low-profile environments may now fall within the threat envelope.

This shift requires a more dynamic approach to workforce security.

Organizations should:

  • Reassess travel posture across the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia
  • Elevate security protocols at offices, hotels, and logistics sites
  • Reinforce operational security practices, including routine variation and reduced visibility of affiliation
  • Monitor diplomatic advisories and local threat reporting in near real time
  • Reevaluate occupancy and travel policies for personnel in named commercial and financial districts

Supply Chain, Energy, and Commercial Operations

Disruption is not limited to physical logistics. It now extends into the broader commercial operating environment.

Pressure on maritime transit through the Strait of Hormuz, combined with strikes on energy infrastructure and disruptions to financial services, creates a layered risk model: goods may not move, payments may not process, and operations may not continue as planned.

Organizations should plan for sustained instability rather than short-term interruption.

Priorities should include:

  • Modeling extended disruption to Gulf shipping routes
  • Identifying alternative logistics pathways, including overland options
  • Stress-testing supplier dependencies tied to energy inputs and regional ports
  • Preparing for price volatility and delivery delays
  • Assessing exposure to regional banking, payment processing, and financial services continuity

Cloud and Technology Infrastructure

The conflict has demonstrated that commercial technology infrastructure is not insulated from physical or cyber spillover.

The reported impact to cloud environments in the Gulf, combined with targeting signals directed at major technology providers, indicates that infrastructure supporting global applications may be exposed to localized disruption.

At the same time, strikes on regional communication and defense systems introduce additional risk to connectivity and resilience.

Organizations should:

  • Validate geographic redundancy for critical workloads
  • Confirm recovery timelines for regionally hosted environments
  • Review third-party dependencies tied to Gulf-based infrastructure
  • Ensure leadership understands cascading risks from localized outages
  • Evaluate exposure tied to physical proximity of offices, data centers, and regional tech hubs

ICS / OT Environments

Operational technology environments face elevated risk due to the convergence of cyber and physical targeting.

Claims involving industrial control systems—paired with demonstrated attacks on energy and logistics infrastructure—suggest that disruption may extend beyond IT systems into physical operations.

Organizations operating ICS/SCADA environments should prioritize resilience over detection alone.

Key actions include:

  • Auditing and restricting remote access pathways
  • Enforcing phishing-resistant MFA for privileged users
  • Segmenting industrial networks from corporate IT environments
  • Validating response plans for destructive or manipulative scenarios
  • Conducting exercises that assume loss of visibility or control

Ongoing Updates

Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.

For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.

See Flashpoint in Action

The post Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains appeared first on Flashpoint.

  •  

Hacked App Part of US/Israeli Propaganda Campaign Against Iran

Wired has the story:

Shortly after the first set of explosions, Iranians received bursts of notifications on their phones. They came not from the government advising caution, but from an apparently hacked prayer-timing app called BadeSaba Calendar that has been downloaded more than 5 million times from the Google Play Store.

The messages arrived in quick succession over a period of 30 minutes, starting with the phrase ‘Help has arrived’ at 9:52 am Tehran time, shortly after the first set of explosions. No party has claimed responsibility for the hacks.

It happened so fast that this is most likely a government operation. I can easily envision both the US and Israel having hacked the app previously, and then deciding that this is a good use of that access.

  •  

Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17)

Unit 42 details recent Iranian cyberattack activity, sharing direct observations of phishing, hacktivist activity and cybercrime. We include recommendations for defenders.

The post Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17) appeared first on Unit 42.

  •  

Iranian “Dream Job” Campaign 11.24

ClearSky Cyber Security research identified a campaign named “Iranian Dream Job campaign”, in which the Iranian threat actor TA455 targeted the aerospace industry by offering fake jobs. 

The campaign distributed the SnailResin malware, which activates the SlugResin backdoor. ClearSky attributes both malware programs to a subgroup of Charming Kitten. 

However, some cyber research companies detected the malware files as belonging to the North Korean Kimsuky/Lazarus APT group. 

The similar “Dream Job” lure, attack techniques, and malware files suggest that either Charming Kitten was impersonating Lazarus to hide its activities, or that North Korea shared attack methods and tools with Iran. 

The Iranian “Dream Job” campaign has been active since at least September 2023. Mandiant had previously reported on suspected Iranian espionage activity targeting aerospace, aviation, and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE), as well as Turkey, India, and Albania. 

The LinkedIn profiles of the fake recruiters in our report seem to be newer versions of the profiles Mandiant previously reported. For example, ClearSky discovered a profile associated with a fake company called “Careers 2 Find,” which previously worked for “1st Employer,” a fake recruiting website highlighted by Mandiant. 

How the Campaign Works

TA455 uses fake recruiting websites and LinkedIn profiles to distribute a ZIP file containing malicious files. The ZIP file, which includes legitimate files, is downloaded from a domain impersonating a job recruiting website. Victims are given a detailed PDF guide on how to “safely” access the website in order to prevent them from making “mistakes” that might “prevent infection”. Once the ZIP file is downloaded, the victim clicks on a highlighted EXE file. The EXE loads the malicious DLL file “secur32[.]dll” via DLL side loading. The malware checks the victim’s IP address and downloads information from a GitHub account that contains the C&C server domain address.

For the full version of our report:

  •  

“Homeland Justice” targets Albanian organizations with “No-justice” wiper

This blog post will elaborate on “Homeland justice” group’s background and provide an in-depth analysis of the tools used in the current attack, including reverse engineering of the NACL executable – dubbed “No-Justice Wiper”

Read the Full report: No-Justice Wiper

  •  

Fata Morgana: Watering hole attack on shipping and logistics websites

ClearSky Cyber Security has detected a watering hole attack on at least eight Israeli websites. The attack is highly likely to be orchestrated by a nation-state actor from Iran, with a low confidence specific attribution to Tortoiseshell (also called TA456 or Imperial Kitten).

The Infected sites collect preliminary user information through a script. We have discovered several details that suggest this script is used for malicious purposes.

Read the Full report: Fata Morgana Watering hole report

  •  

Lyceum suicide drone

ClearSky discovered a new malware associated with the Iranian SiameseKitten (Lyceum) group with
medium-high confidence.
The file is downloaded from a domain registered on June 6th, and it communicates with a previously unknown command and control server whose IP address is adjacent to that of the domain.

This indicates an attacker-controlled at least two IP’s on the same range.
The downloaded file is a reverse shell that impersonates an Adobe update.
The reverse shell is dropped by a parent file signed with a fake Microsoft certificate, along with a lure PDF document and an executable designed to establish persistence.
There seems to be a shared use of fake Microsoft certificates by a variety of Iranian groups, as Phosphorus was previously observed.
Additionally, the lure PDF document relates to drone attacks conducted in Iran, resembling a similar document previously employed by SiameseKitten3.

Read the full report: https://www.clearskysec.com/wp-content/uploads/2022/06/Lyceum-suicide-drone-23.6.pdf

  •  

EvilNominatus Ransomware

As part of our monitoring of malicious files in current use, we detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes a ransomware that we associated with the EvilNominatus ransomware, initially exposed at the end of 2021. It seems that the ransomware’s developer is a young Iranian, who bragged about its development on Twitter.

At this point, we have no details regarding any victims of this ransomware. We publish this research due to the malware’s unique method of operation, and the low number of AV engines capable of detecting it.

The original BAT file the research is based on was only detected by two AV engines on VirusTotal. Another BAT file that was discovered later, which shares characteristics with the first one, wasn’t detected by any AV engines. Other files that were either generated by the BAT files or communicated with them to carry out attacks were detected by multiple AV engines. Therefore, we assess that the tool’s general level of risk is low at this point.

Read the full report:

  •  

New Iranian Espionage Campaign By “Siamesekitten” – Lyceum

At the beginning of May 2021, we detected the first attack by Siamesekitten on an IT company in Israel. Siamesekitten (also named Lyceum/Hexane) is an Iranian APT group active in the Middle east and in Africa that is active in launching supply chain attacks. To this end Siamesekitten established a large infrastructure that enabled them to impersonate the company and their HR personnel. We believe that this infrastructure was built to lure IT experts and penetrate their computers to gain accesses to the company’s clients.

This campaign is similar to the North Korean “Job seekers” campaign, employing what has become a widely used attack vector in recent years – impersonation. Many attack groups are executing this type of campaign, such as the North Korean Lazarus campaign we exposed in the summer of 2020 (Dream Job) and the Iranian OilRig campaign (APT34) that targeted Middle Eastern victims in the first quarter of 2021.

In July 2021, we detected a second wave of similar attacks against additional companies in Israel. In this wave, Siamesekitten upgraded their backdoor malware to a new version called “Shark” and it replaced the old version of their malware called “Milan”. Details of both versions are included in our report.

This report summarizes our findings regarding the latest Siamesekitten attacks and reviews the attack patterns and malware used in this campaign.

Read the full report:

  •  
❌