
Iran War Bait Fuels Phishing Campaigns TA453 and TA473


Escalating Phishing Campaigns Amidst the Iran Conflict

As tensions rise in the Middle East over the conflict in Iran, state-aligned threat actors have turned the war into phishing bait, with government and policy organizations as their primary targets. Groups including TA453 and TA473 are using developments from the conflict as lures in phishing campaigns against organizations across the region and beyond.

These operations mix long-running espionage tradecraft with opportunistic credential theft and malware delivery. The attackers frequently send from compromised government accounts and host payloads on trusted cloud services, which lends the messages credibility with recipients and helps them slip past reputation-based filtering. For as long as the conflict continues, these campaigns pose a significant risk to government and policymaking organizations.

The current wave appears to have been triggered by Operation Epic Fury, a U.S.-Israeli military operation launched on February 28, 2026, that struck Iranian military leadership, missile sites, and air defenses. Iran retaliated with missile strikes against U.S. embassies and military bases, and conflict-themed phishing rose in frequency in the days that followed.

As the conflict enters its second week, Iranian hacktivist groups have claimed responsibility for various disruptive attacks, but attribution is less clear-cut than those claims suggest. Proofpoint, whose reporting this article draws on, tracks emerging activity as UNK_ clusters until it has enough evidence to assign a definitive Threat Actor (TA) identifier, and notes that its assessments rest on technical evidence rather than on geopolitical judgments.

While the hacktivists have drawn the headlines, espionage actors have kept operating more quietly, even through the Iranian government's temporary shutdown of domestic internet access. On March 8, for example, TA453 (tracked by other vendors as Charming Kitten, Mint Sandstorm, and APT42) was observed phishing a U.S. think tank, a sign that standing intelligence requirements do not pause during a crisis.

In early March, a suspected China-linked cluster tracked as UNK_InnerAmbush targeted Middle Eastern diplomatic and government organizations from what is reported to be a compromised embassy email account. The first emails claimed to share sensitive imagery relating to the alleged death of Ayatollah Khamenei; later ones claimed that Israel was preparing covert strikes on Gulf energy infrastructure.

The emails linked to archives hosted on Google Drive. The archives contained shortcut files dressed up as the promised documents; opening a shortcut launched a loader that used DLL sideloading (a legitimate, typically signed executable loading a malicious DLL dropped alongside it) to run the payload, which then connected to a command-and-control server. Because the archive sits on Google Drive, the link itself points at a reputable domain, so URL reputation alone will not catch this stage; the better signals are on the endpoint, where an executable started from an extraction directory loads a DLL from that same directory and then talks to the internet.
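The endpoint-side correlation just described, as an added example that is not code from the article or from Proofpoint: it walks Sysmon-style JSON events and raises an alert when a process launched by explorer.exe from a user-writable directory loads an unsigned, sideload-prone DLL from its own directory and then opens an outbound connection. The events, process names and IP addresses below are constructed for the example; the DLL list and path markers are an illustrative subset, not a complete rule set.

```python
"""Correlate a shortcut-launched loader, a sideloaded DLL and an outbound
connection from Sysmon-style JSON events. Heuristic example written for
this article; the events are constructed and are not telemetry from the
campaign described above."""
import json
import ntpath

# DLL names that Windows programs commonly resolve by name and that are
# routinely abused for sideloading. Illustrative subset, not a complete list.
SIDELOAD_PRONE = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                  "userenv.dll", "cryptbase.dll"}

# Path fragments of user-writable locations where archive extractors and
# browsers drop files. Matched against the lower-cased image path.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\",
                         "\\appdata\\roaming\\")

# Constructed Sysmon-like events (EventID 1 = process create,
# 7 = image load, 3 = network connect). Not real data.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\Rar$EXa0.991\\briefing_viewer.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7, "ProcessGuid": "{A1}", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\Rar$EXa0.991\\briefing_viewer.exe", "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\Rar$EXa0.991\\version.dll", "Signed": "false"}
{"EventID": 3, "ProcessGuid": "{A1}", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\Rar$EXa0.991\\briefing_viewer.exe", "DestinationIp": "203.0.113.45", "DestinationPort": 443, "Initiated": "true"}
{"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}
{"EventID": 1, "ProcessGuid": "{C3}", "Image": "C:\\Users\\jdoe\\Downloads\\setup.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7, "ProcessGuid": "{C3}", "Image": "C:\\Users\\jdoe\\Downloads\\setup.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}
{"EventID": 3, "ProcessGuid": "{C3}", "Image": "C:\\Users\\jdoe\\Downloads\\setup.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": "true"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_user_writable_dir(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def same_directory(path_a, path_b):
    return ntpath.dirname(path_a).lower() == ntpath.dirname(path_b).lower()


def detect_sideload_chain(events):
    """Return one alert per process that (1) was started by explorer.exe from a
    user-writable directory, (2) loaded an unsigned sideload-prone DLL from its
    own directory, and (3) then opened an outbound connection."""
    tracked = {}   # ProcessGuid -> state for processes that matched stage 1
    alerts = []
    for ev in events:
        guid, eid = ev["ProcessGuid"], ev["EventID"]
        if eid == 1:
            parent = ntpath.basename(ev["ParentImage"]).lower()
            if parent == "explorer.exe" and in_user_writable_dir(ev["Image"]):
                tracked[guid] = {"image": ev["Image"], "sideloaded_dll": None}
        elif eid == 7 and guid in tracked:
            dll = ev["ImageLoaded"]
            unsigned = str(ev.get("Signed", "false")).lower() != "true"
            if (unsigned and same_directory(dll, tracked[guid]["image"])
                    and ntpath.basename(dll).lower() in SIDELOAD_PRONE):
                tracked[guid]["sideloaded_dll"] = dll
        elif eid == 3 and guid in tracked and tracked[guid]["sideloaded_dll"]:
            if str(ev.get("Initiated", "false")).lower() == "true":
                alerts.append({
                    "process_guid": guid,
                    "image": tracked[guid]["image"],
                    "sideloaded_dll": tracked[guid]["sideloaded_dll"],
                    "destination": f"{ev['DestinationIp']}:{ev['DestinationPort']}",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_sideload_chain(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Only the first process trips all three stages; notepad.exe loads version.dll from System32 and is ignored, and the Downloads-launched setup.exe resolves its DLL from System32 too, so neither produces an alert. In a real deployment the DLL list and the user-writable markers would come from your own baseline, and the signed check should use the actual signature status your sensor records.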

Another group, TA402, leveraged compromised accounts from the Iraqi Ministry of Foreign Affairs to send conflict-themed emails to various Middle Eastern government targets. These messages alluded to potential U.S. military incursions and a new Gulf military coalition while embedding links that redirected recipients to lookalike login pages aimed at harvesting credentials.

A newly identified cluster, UNK_NightOwl, also harvested credentials by spoofing Microsoft OneDrive. In one instance it sent messages from a compromised email account to Middle Eastern government entities, using fake material supposedly related to the conflict as bait.

On March 5, the suspected Pakistan-aligned cluster UNK_RobotDreams impersonated India's Ministry of External Affairs in emails to the India-based offices of Middle Eastern government organizations. The emails carried decoy PDF attachments that led recipients to malicious sites posing as legitimate software downloads.

TA473, a Belarus-aligned group, broadened the targeting further: between March 3 and 5 it sent phishing emails to European and Middle Eastern government institutions while posing as representatives of the President of the European Council.

For all the variety of conflict-themed lures, Proofpoint highlighted only one TA453 campaign whose content tracked the conflict's timeline directly. In it, TA453 impersonated a research lead at the Henry Jackson Society and first sent a benign invitation to a roundtable on Middle Eastern air defenses. Once the target had engaged, the actor sent a link to a phishing site with the target's email address already filled in, which makes the fake page look like a routine re-authentication prompt rather than a cold sign-in.
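A triage routine for the two link-level signals that recur in the credential-phishing campaigns above (TA402's lookalike login pages, UNK_NightOwl's OneDrive spoofing, and the pre-filled TA453 phishing site), written as an added example rather than taken from the article, Proofpoint, or any of the actors it describes. It flags a host that borrows a Microsoft or OneDrive brand name without sitting under a Microsoft-owned domain, and a URL that carries the recipient's address in plain, percent-encoded or base64 form. The recipient address, URLs and brand list are constructed assumptions for the example.

```python
"""Triage a link from a suspected credential-phishing email: does the host
borrow a Microsoft/OneDrive brand name without belonging to Microsoft, and
does the URL carry the recipient's address so the fake login form is
pre-filled? Example code written for this article, not tooling from
Proofpoint or the actors it describes; every URL below is constructed."""
import base64
from urllib.parse import urlsplit, unquote

BRAND_TOKENS = ("microsoft", "onedrive", "office365", "sharepoint", "outlook")

# Registrable domains Microsoft genuinely uses for sign-in and file sharing.
# A host counts as legitimate here only if it is one of these or a subdomain.
LEGIT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "live.com",
                  "onedrive.com", "sharepoint.com", "office.com")

# Constructed (recipient, url) pairs standing in for links pulled from email.
SAMPLE_LINKS = [
    ("user@example.org",
     "https://onedrive-docs.example.net/view?id=7#dXNlckBleGFtcGxlLm9yZw"),
    ("user@example.org",
     "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?login_hint=user%40example.org"),
    ("user@example.org", "https://www.example.org/news"),
]


def is_legit_brand_host(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def recipient_encodings(address):
    """Forms in which a pre-filled address typically appears in a URL:
    plain (the caller percent-decodes first) and base64 in the standard
    and URL-safe alphabets, padding stripped."""
    raw = address.encode()
    return {
        address.lower(),
        base64.b64encode(raw).decode().rstrip("=").lower(),
        base64.urlsafe_b64encode(raw).decode().rstrip("=").lower(),
    }


def triage_link(url, recipient):
    """Return a list of findings for one link; an empty list means nothing matched."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if any(t in host.lower() for t in BRAND_TOKENS) and not is_legit_brand_host(host):
        findings.append("lookalike_host")
    # The address may ride in the path, the query string or the fragment.
    haystack = unquote(" ".join((parts.path, parts.query, parts.fragment))).lower()
    if any(enc in haystack for enc in recipient_encodings(recipient)):
        findings.append("prefilled_recipient")
    if parts.scheme.lower() != "https":
        findings.append("plain_http")
    return findings


def triage_all(links=SAMPLE_LINKS):
    return [(url, triage_link(url, rcpt)) for rcpt, url in links]


if __name__ == "__main__":
    for url, findings in triage_all():
        print(findings or ["clean"], url)
```

The second sample shows why the pre-fill signal cannot stand alone: Microsoft's own sign-in endpoint legitimately accepts a login_hint parameter, so the address in the URL is only meaningful when the host also fails the brand check. Internationalized or homoglyph hostnames are not handled here and would need an IDNA-aware comparison on top.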

Together, these campaigns show how quickly threat actors fold current events into their lures, using high-profile developments as pretexts for opportunistic espionage. Pairing established techniques with narratives drawn from the Iran war in near real time raises their odds of success and marks a threat landscape aimed squarely at governments and diplomatic channels in the Middle East and beyond.

The overlap of steady-state espionage with rapid, event-driven lures is the defining feature of this activity. As the situation develops, organizations in the targeted sectors should expect further conflict-themed phishing and keep their monitoring and user-awareness efforts tuned to it.
