The PolySwarm Blog

Verticals Targeted: Semiconductors, Artificial Intelligence, Cloud, Biotechnology, Healthcare, Critical Infrastructure, Telecommunications, Aerospace, Defense
Regions Targeted: US, Taiwan, Japan, South Korea, UK, Germany, France, Israel, Singapore, Australia

Related Families: CanisterWorm

Executive Summary

Using PolySwarm’s knowledge graph, PolyKG, PolySwarm analysts have identified previously unreported OilRig activity leveraging a stolen Entrust Extended Validation (EV) code signing certificate issued to Thai IT vendor MOSCII Corporation. The certificate was used to sign multiple malware samples, including the Karkoff backdoor, alongside additional undetected payloads with minimal antivirus coverage. The use of a legitimate vendor certificate and EGAT-themed naming potentially suggests a supply chain intrusion targeting Thailand’s energy sector. This activity highlights a continued evolution in OilRig tradecraft, combining trusted infrastructure abuse with low-detection tooling to enable stealthy, persistent access.

Verticals Targeted: Defense
Regions Targeted: Southeast Asia
Related Families: AppleChris, MemFun, Getpass

Executive Summary

A long-running espionage campaign, tracked as CL-STA-1087, is targeting Southeast Asian military organizations using custom backdoors and credential harvesting tools. The activity demonstrates sustained persistence, operational discipline, and a focus on high-value intelligence collection.

Executive Summary

Recent developments involving Iran illustrate how states with degraded or constrained cyber capabilities may shift toward signals intelligence and electronic warfare to compensate for reduced offensive cyber capacity. Following recent strikes and internet disruptions that limited Iran’s ability to coordinate sophisticated cyber operations, analysts observed a greater reliance on intelligence collection, proxy activity, and electronic-domain pressure operations. Accordingly, PolySwarm analysts chose to highlight another potential flashpoint, Cuba, which similarly lacks robust offensive cyber capability and would likely rely on signals intelligence, electronic surveillance, and electronic warfare activities in the event of escalating confrontation. Although Cuba lacks advanced offensive cyber or electronic warfare capabilities comparable to major cyber powers, the island’s geography enables monitoring of critical telecommunications, maritime routes, and military communications across the Caribbean.

Verticals Targeted: Banking, Aviation, Defense, Healthcare
Regions Targeted: US, Canada
Related Families: Dindoor, Fakeset, Stagecomp, Darkcomp

Executive Summary

Recent reporting indicates Iranian cyber actors are expanding operations targeting US organizations while also exploiting internet-connected cameras across the Middle East for intelligence collection and battlefield awareness. These developments represent another layer in Iran’s evolving hybrid warfare strategy. Iranian APT group MuddyWater has maintained access to multiple US organizations since early February, while Iran-linked infrastructure has targeted internet-connected surveillance cameras across the Middle East. Hacktivist group Handala has recently claimed responsibility for a destructive cyberattack against medical technology firm Stryker. Taken together, these incidents suggest Iran’s cyber ecosystem is currently surviving but not thriving, maintaining operational capability despite disruption to infrastructure and command structures.

Verticals Targeted: Maritime, Shipping
Regions Targeted: Middle East

Executive Summary

Recent maritime navigation anomalies in the Persian Gulf and Strait of Hormuz suggest the use of GNSS spoofing and other electronic warfare techniques disrupting vessel positioning systems and AIS tracking data. Ships have reported GPS positions drifting or appearing in multiple locations across maritime telemetry platforms. The activity coincides with radio warnings broadcast to ships transiting the Strait and may reflect Iran’s asymmetric strategy to influence maritime traffic while avoiding direct escalation. It may also indicate a temporary shift toward electronic warfare while Iranian cyber operators rebuild infrastructure following recent strikes.

Verticals Targeted: Cloud Computing
Regions Targeted: United Arab Emirates, Bahrain

Executive Summary

Iranian drone strikes damaging multiple Amazon Web Services (AWS) data centers in the United Arab Emirates and Bahrain demonstrate how modern conflicts increasingly target digital infrastructure that underpins global computing. The incident disrupted multiple AWS services and highlights the growing strategic importance and vulnerability of hyperscale cloud infrastructure.