CyberShelter NSOC analysts warn that multiple Iranian state-aligned threat groups may launch coordinated cyber campaigns against energy, government, financial, and critical infrastructure organisations across the Middle East within the next 24–72 hours.

Advisory ID: TIA-ME-2026-001
Published: February 28, 2026
Source: CyberShelter Threat Intelligence & NSOC
Classification: CRITICAL SEVERITY

Executive Summary

Following the geopolitical escalation on February 28, 2026, CyberShelter assesses the probability of Iranian-sponsored cyber operations targeting Middle East organisations within the next 24–72 hours as VERY HIGH.

Historical patterns show that major military events are frequently followed by coordinated cyber retaliation campaigns within hours.

To prepare for potential activity, CyberShelter has:

• Elevated all SOC clients to Heightened Monitoring Status
• Initiated proactive threat hunting across enterprise and OT environments
• Activated 24/7 NSOC war-footing monitoring

Active Cyber Campaign

Operation Olalampo (MuddyWater)

The most active confirmed campaign targeting the region is Operation Olalampo, attributed to the Iranian threat group MuddyWater, which operates under Iran’s Ministry of Intelligence and Security (MOIS).

This campaign uses a multi-stage attack chain combining phishing, malware loaders, and remote management tools.

Observed Attack Chain

1️⃣ Spear-phishing emails with malicious Office documents
2️⃣ Macro-enabled PowerShell / VBScript execution
3️⃣ Multi-stage loader deployment
4️⃣ Installation of remote access tools such as:

  • AnyDesk
  • Atera
  • ScreenConnect

⚠️ New development:
Actors are now exploiting public-facing Exchange servers and VPN infrastructure.

Newly Observed Malware Families

Malware        | Role               | Description
GhostFetch     | Stage-1 downloader | Anti-analysis evasion and environment checks
GhostBackDoor  | Backdoor           | Interactive shell with registry persistence
HTTP_VIP       | C2 downloader      | Communicates with codefusiontech[.]org
CHAR (Rust)    | Telegram backdoor  | Uses the Telegram Bot API for command-and-control

⚠️ These malware families are signature-evasive.
Behaviour-based detection is required.

Threat Actor Landscape

Several Iranian state-aligned groups may become active against Middle East targets.

Actor              | Affiliation  | Capabilities                          | Risk
MuddyWater         | MOIS         | Spear-phishing, PowerShell RATs       | Critical
APT34 / OilRig     | IRGC         | DNS tunneling, Exchange exploitation  | Critical
APT33 / Elfin      | IRGC         | Wiper malware (Shamoon / ZeroCleare)  | High
CyberAv3ngers      | IRGC-linked  | OT/ICS targeting                      | High
Hacktivist groups  | Proxy actors | DDoS and defacement                   | Medium-High

Expected Attack Timeline

Based on historical retaliation patterns, the following phases are likely:

Timeframe    | Activity
0–6 hours    | DDoS attacks, website defacement
6–48 hours   | Spear-phishing campaigns
48–96 hours  | Destructive malware deployment
72+ hours    | OT / ICS infrastructure targeting

Organisations should prepare for escalation rather than stabilization.

Indicators of Compromise (IOC)

Security teams should immediately monitor and block:

codefusiontech[.]org – Command-and-Control
whatsapp-meeting.duckdns[.]org – phishing domain
stager_51_bot – Telegram C2 bot
FMAPP.dll – malicious DLL
gshdoc_release_X64_GUI.exe – malware dropper
sh.exe – loader component

Also investigate unexpected installations of AnyDesk, ScreenConnect, or Atera. Note that file names such as sh.exe are low-fidelity on their own; confirm a hit by hash, path, and parent process before taking containment action.
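The following is an added example of the network side of this hunt, not CyberShelter's own tooling. It refangs the two published domains, matches them (and their subdomains) in web-proxy log lines, picks out Telegram Bot API calls by the token-bearing URL path, and flags a client that polls getUpdates with the same token repeatedly inside a short window, which is what a Telegram-based backdoor looks like in proxy logs. The log line format, the sample lines and the bot token are constructed for illustration.

```python
"""Added example, not CyberShelter's own tooling: scan web-proxy log lines for the
advisory's network IOCs and for Telegram Bot API command-and-control traffic.
The log line format, the sample lines and the bot token below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Network IOCs exactly as published (defanged); host artefacts are not matched here.
DEFANGED_IOCS = {
    "codefusiontech[.]org": "C2 domain (HTTP_VIP)",
    "whatsapp-meeting.duckdns[.]org": "phishing domain",
}

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('example[.]org') back into a matchable hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

IOC_HOSTS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

# A Telegram Bot API URL embeds the bot token: /bot<numeric id>:<35-char secret>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)")
# Methods a Telegram-based backdoor relies on: polling for tasking, returning results.
C2_METHODS = {"getUpdates": "task polling", "sendMessage": "result return",
              "sendDocument": "file exfiltration", "getMe": "bot check-in"}

# Constructed proxy log format: "<ISO timestamp> <client ip> <HTTP verb> <url> <status>"
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def ioc_note(host: str):
    """Return the IOC note for an exact or subdomain match, else None."""
    for ioc, note in IOC_HOSTS.items():
        if host == ioc or host.endswith("." + ioc):
            return note
    return None

def scan_proxy_logs(lines, poll_threshold=3, window_seconds=120):
    """Return findings: IOC host hits, individual Telegram Bot API calls, and clients
    that poll getUpdates with one token >= poll_threshold times inside window_seconds."""
    findings = []
    polls = defaultdict(list)  # (client ip, token) -> timestamps of getUpdates calls
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts_s, src, _verb, url, _status = m.groups()
        host_m = re.match(r"https?://([^/:]+)", url)
        host = host_m.group(1).lower() if host_m else ""
        note = ioc_note(host)
        if note:
            findings.append({"src": src, "type": "ioc_domain", "host": host, "note": note})
        tg = TELEGRAM_BOT_RE.search(url)
        if tg:
            token, method = tg.group("token"), tg.group("method")
            findings.append({"src": src, "type": "telegram_bot_api", "method": method,
                             "bot_id": token.split(":")[0],  # the id is a pivot; never log the secret
                             "note": C2_METHODS.get(method, "other bot method")})
            if method == "getUpdates":
                polls[(src, token)].append(datetime.fromisoformat(ts_s))
    # Beaconing: poll_threshold consecutive polls inside window_seconds is a tasking
    # loop, not an occasional legitimate integration.
    for (src, token), stamps in polls.items():
        stamps.sort()
        for i in range(len(stamps) - poll_threshold + 1):
            span = (stamps[i + poll_threshold - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                findings.append({"src": src, "type": "telegram_beaconing",
                                 "bot_id": token.split(":")[0],
                                 "polls": poll_threshold, "within_s": span})
                break
    return findings

FAKE_TOKEN = "7123456789:" + "A" * 35  # constructed; real bot secrets are 35 characters
SAMPLE_LOGS = [  # constructed sample lines
    "2026-02-28T09:00:01 10.0.5.23 GET https://www.microsoft.com/ 200",
    "2026-02-28T09:00:05 10.0.5.23 POST https://codefusiontech.org/update.php 200",
    f"2026-02-28T09:01:00 10.0.5.41 GET https://api.telegram.org/bot{FAKE_TOKEN}/getUpdates 200",
    f"2026-02-28T09:01:30 10.0.5.41 GET https://api.telegram.org/bot{FAKE_TOKEN}/getUpdates 200",
    f"2026-02-28T09:02:00 10.0.5.41 GET https://api.telegram.org/bot{FAKE_TOKEN}/getUpdates 200",
    f"2026-02-28T09:02:10 10.0.5.41 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument 200",
    "2026-02-28T09:03:12 10.0.5.77 GET https://whatsapp-meeting.duckdns.org/join/meeting 200",
    "2026-02-28T09:03:20 10.0.5.77 GET https://www.office.com/ 200",
]

if __name__ == "__main__":
    for finding in scan_proxy_logs(SAMPLE_LOGS):
        print(finding)
```

Two caveats for use. The token only appears in the URL path, so this needs a proxy that sees decrypted HTTPS; with SNI alone you can still count connections to api.telegram.org per client and alert on regular intervals. The bot username (stager_51_bot in this advisory) is not in the URL at all; it comes back in the body of the getMe response, so match it in inspected response bodies or in the strings and memory of the suspect process, and allowlist any bot IDs your own integrations legitimately use.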

Sector Risk Assessment – Middle East

Certain sectors face elevated risk due to geopolitical and economic importance.

CRITICAL RISK

  • Oil & Gas
  • Energy Infrastructure
  • Government & Defense
  • Financial Services
  • Aviation & Airports

HIGH RISK

  • Telecom Providers
  • Healthcare
  • IT Service Providers
  • Utilities & Water Infrastructure

Immediate Defensive Actions

Security teams should implement these actions immediately:

1️⃣ Block known malicious domains
2️⃣ Monitor Telegram API traffic for potential C2 communication
3️⃣ Hunt endpoints for suspicious malware artifacts
4️⃣ Alert on unexpected RMM software installations
5️⃣ Disable Microsoft Office macros via GPO
6️⃣ Verify offline backup availability
7️⃣ Patch Exchange, VPN, and firewall systems
8️⃣ Ensure DDoS mitigation readiness
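The host side of actions 3 to 5 and of the attack chain described above (Office document, script host, loader, RMM tool), as an added example rather than CyberShelter's own detection content. It runs over process-creation telemetry in the shape of Sysmon Event ID 1 records and flags an Office parent spawning a script host, an encoded PowerShell command line, the file names from the IOC list (rated by fidelity, so the generic sh.exe comes out low), and any of the three RMM agents that is not on an allowlist of products the organisation actually uses. The event records, the RMM process names and the allowlist are assumptions; verify the process names against your own software inventory.

```python
"""Added example, not CyberShelter's own tooling: hunt process-creation telemetry
(Sysmon Event ID 1 style records, constructed here) for the advisory's attack chain,
its host artefacts, and unexpected RMM agents. Process names and the sample events
are assumptions made for illustration."""
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe"}

# Assumed process names for the three RMM products the advisory names.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
}
# Host artefacts from the advisory's IOC list with a fidelity rating:
# distinctive names are high, a generic name such as sh.exe is low.
ARTEFACTS = {"fmapp.dll": "high", "gshdoc_release_x64_gui.exe": "high", "sh.exe": "low"}
# -enc/-e/-ec/-EncodedCommand followed by a base64 blob; "-ep bypass" does not match.
ENCODED_PS_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)

def _base(path) -> str:
    return ntpath.basename(path or "").lower()

def hunt(events, approved_rmm=frozenset()):
    """Return one finding dict per suspicious condition found in each event."""
    findings = []
    for ev in events:
        image, parent = _base(ev.get("Image")), _base(ev.get("ParentImage"))
        cmd = ev.get("CommandLine") or ""
        base = {"host": ev.get("Computer"), "image": image, "parent": parent}

        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            findings.append({**base, "kind": "office_script_child", "severity": "high"})
        if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS_RE.search(cmd):
            findings.append({**base, "kind": "encoded_powershell", "severity": "medium"})
        for name, fidelity in ARTEFACTS.items():
            # Match the name as a whole path component so "bash.exe" does not hit "sh.exe".
            if image == name or re.search(r"(?<![\w.])" + re.escape(name), cmd, re.I):
                findings.append({**base, "kind": "known_artefact", "artefact": name,
                                 "severity": fidelity})
        product = RMM_BINARIES.get(image)
        if product and product not in approved_rmm:
            findings.append({**base, "kind": "unexpected_rmm", "product": product,
                             "severity": "medium"})
    return findings

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 style records
    {"Computer": "FIN-WS-017",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Computer": "FIN-WS-017",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Roaming\FMAPP.dll,Start"},
    {"Computer": "FIN-WS-017", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\ProgramData\gshdoc_release_X64_GUI.exe",
     "CommandLine": r"C:\ProgramData\gshdoc_release_X64_GUI.exe"},
    {"Computer": "FIN-WS-017", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "CommandLine": "ScreenConnect.ClientService.exe"},
    {"Computer": "DEV-WS-002", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Git\usr\bin\sh.exe",
     "CommandLine": r"C:\Program Files\Git\usr\bin\sh.exe --login -i"},
    {"Computer": "IT-WS-001", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "CommandLine": "AteraAgent.exe"},
    {"Computer": "DEV-WS-002", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe"},
]

if __name__ == "__main__":
    # Atera is treated as the organisation's sanctioned RMM tool in this run.
    for finding in hunt(SAMPLE_EVENTS, approved_rmm={"Atera"}):
        print(finding)
```

The sample run shows why the allowlist and the fidelity rating matter: the Atera agent on the IT workstation is silent because it is approved, the ScreenConnect service dropped by msiexec on a finance workstation is flagged, and the Git-for-Windows sh.exe on a developer machine is reported at low severity so an analyst checks hash, path and parent before touching it.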

Additional Actions

• Isolate OT/ICS networks from IT environments
• Change default PLC / SCADA credentials
• Enforce phishing-resistant MFA
• Enable Exchange audit logging
• Hunt for webshells in IIS / Exchange servers
• Increase perimeter monitoring and logging
• Brief executive leadership on cyber risk

Strategic Risk Assessment

Iranian cyber actors have consistently demonstrated the ability to conduct:

• Rapid cyber retaliation following geopolitical events
• Deployment of newly developed malware
• Advanced sandbox evasion techniques
• Destructive wiper attacks
• Telegram-based command-and-control infrastructure
• Attacks against industrial control systems (ICS)

The current threat environment for Middle East organisations remains CRITICAL.

CyberShelter Response

CyberShelter’s NSOC is operating under full war-footing monitoring with:

• Continuous IOC ingestion
• Enterprise-wide threat hunting
• Monitoring Telegram-based C2 infrastructure
• Exchange / IIS integrity validation
• Automated wiper containment playbooks
• OT segmentation monitoring for critical infrastructure clients
• 24/7 incident response readiness

Conclusion

The cyber threat landscape across the Middle East is active, evolving, and high-risk.

Organisations should shift from passive monitoring to proactive detection and containment strategies immediately.

CyberShelter remains fully operational and ready to support incident response, threat hunting, and cyber containment operations.

Need Immediate Assistance?

CyberShelter NSOC 24/7 Incident Response is available for emergency support.

Contact CyberShelter NSOC for rapid threat response.