The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Footholds, Live Feeds, and Lifelines: Iranian Cyber Operations Surviving, Not Thriving

Mar 16, 2026 2:42:32 PM / by The Hivemind posted in Threat Bulletin, Critical Infrastructure, Iran, MOIS, MuddyWater, Cyber Warfare, CVE-2021-33044, Handala, IRGC, IP cameras, CVE-2017-7921


Verticals Targeted: Banking, Aviation, Defense, Healthcare
Regions Targeted: US, Canada
Related Families: Dindoor, Fakeset, Stagecomp, Darkcomp

Executive Summary

Recent reporting indicates Iranian cyber actors are expanding operations targeting US organizations while also exploiting internet-connected cameras across the Middle East for intelligence collection and battlefield awareness. These developments represent another layer in Iran’s evolving hybrid warfare strategy. Iranian APT group MuddyWater has maintained access to multiple US organizations since early February, while Iran-linked infrastructure has targeted internet-connected surveillance cameras across the Middle East. Hacktivist group Handala has recently claimed responsibility for a destructive cyberattack against medical technology firm Stryker. Taken together, these incidents suggest Iran’s cyber ecosystem is currently surviving but not thriving, maintaining operational capability despite disruption to infrastructure and command structures.


MuddyWater Targets MENA Governments With Phoenix Backdoor

Nov 3, 2025 2:09:14 PM / by The Hivemind posted in Threat Bulletin, MuddyWater, Phishing Campaign, credential stealers, cyber espionage, Middle East targeting, VBA macros, FakeUpdate injector, Iran APT, Phoenix Backdoor, RMM tools


Verticals Targeted: Government
Regions Targeted: Middle East, North Africa
Related Families: Phoenix, FakeUpdate

Executive Summary

A sophisticated phishing operation has been attributed to the Iran-linked APT MuddyWater, deploying an updated Phoenix backdoor to conduct espionage against government and international entities. The campaign leverages compromised mailboxes and macro-enabled Word documents to deliver custom injectors and persistence mechanisms, highlighting the group's reliance on trusted channels for initial access.


MuddyWater Using New Backdoor to Target Middle East

Jul 22, 2024 1:09:20 PM / by The Hivemind posted in Threat Bulletin, Middle East, Static Kitten, MuddyWater, MuddyRot, BugSleep


Related Families: MuddyRot aka BugSleep
Verticals Targeted: Transportation, Government, Media, Travel

Executive Summary

Iran-nexus threat actor group MuddyWater was recently observed using a new backdoor to target entities in the Middle East. Dubbed MuddyRot by Sekoia and BugSleep by Check Point Research, the backdoor appears to indicate a shift in MuddyWater’s TTPs.
