Verticals Targeted: Defense
Regions Targeted: Southeast Asia
Related Families: AppleChris, MemFun, Getpass
Executive Summary
A long-running espionage campaign, tracked as CL-STA-1087, is targeting Southeast Asian military organizations using custom backdoors and credential harvesting tools. The activity demonstrates sustained persistence, operational discipline, and a focus on high-value intelligence collection.
Executive Summary
Recent developments involving Iran illustrate how states with degraded or constrained cyber capabilities may shift toward signals intelligence and electronic warfare to compensate for reduced offensive cyber capacity. Following recent strikes and internet disruptions that limited Iran’s ability to coordinate sophisticated cyber operations, analysts observed a greater reliance on intelligence collection, proxy activity, and electronic-domain pressure operations. Accordingly, PolySwarm analysts chose to highlight another potential flashpoint, Cuba, which similarly lacks robust offensive cyber capability and would likely rely on signals intelligence, electronic surveillance, and electronic warfare activities in the event of escalating confrontation. Although Cuba lacks advanced offensive cyber or electronic warfare capabilities comparable to major cyber powers, the island’s geography enables monitoring of critical telecommunications, maritime routes, and military communications across the Caribbean.
Verticals Targeted: Banking, Aviation, Defense, Healthcare
Regions Targeted: US, Canada
Related Families: Dindoor, Fakeset, Stagecomp, Darkcomp
Executive Summary
Recent reporting indicates Iranian cyber actors are expanding operations targeting US organizations while also exploiting internet-connected cameras across the Middle East for intelligence collection and battlefield awareness. These developments represent another layer in Iran’s evolving hybrid warfare strategy. Iranian APT group MuddyWater has maintained access to multiple US organizations since early February, while Iran-linked infrastructure has targeted internet-connected surveillance cameras across the Middle East. Hacktivist group Handala has recently claimed responsibility for a destructive cyberattack against medical technology firm Stryker. Taken together, these incidents suggest Iran’s cyber ecosystem is currently surviving but not thriving, maintaining operational capability despite disruption to infrastructure and command structures.
Verticals Targeted: Maritime, Shipping
Regions Targeted: Middle East
Executive Summary
Recent maritime navigation anomalies in the Persian Gulf and Strait of Hormuz suggest the use of GNSS spoofing and other electronic warfare techniques disrupting vessel positioning systems and AIS tracking data. Ships have reported GPS positions drifting or appearing in multiple locations across maritime telemetry platforms. The activity coincides with radio warnings broadcast to ships transiting the Strait and may reflect Iran’s asymmetric strategy to influence maritime traffic while avoiding direct escalation. It may also indicate a temporary shift toward electronic warfare while Iranian cyber operators rebuild infrastructure following recent strikes.
Verticals Targeted: Cloud Computing
Regions Targeted: United Arab Emirates, Bahrain
Executive Summary
Iranian drone strikes damaging multiple Amazon Web Services (AWS) data centers in the United Arab Emirates and Bahrain demonstrate how modern conflicts increasingly target digital infrastructure that underpins global computing. The incident disrupted multiple AWS services and highlights the growing strategic importance and vulnerability of hyperscale cloud infrastructure.
Executive Summary
On February 28th, US and Israeli military forces conducted a coordinated and multifaceted attack on Iran. Known as Operation Epic Fury by the Americans and Operation Lion’s Roar by the Israelis, the objective was to neutralize a long-term threat and prevent the Iranian regime from obtaining nuclear missiles. As with any conflict involving Iran, practitioners monitoring the cybersecurity threat landscape expect kinetic warfare to spill over into the cyber realm and wait with bated breath to see what retaliatory attacks may occur. As of early March 2026, the conflict remains active, with ongoing strikes, regional disruptions, and uncertain regime stability.
Verticals Targeted: Financial
Regions Targeted: Argentina
Related Families: VNCSpy