Iranian hackers
- Three former Google engineers indicted over alleged trade secret theft, files reportedly sent to Iran
  Three San Jose residents, including two former Google engineers, were indicted on charges of stealing trade secrets related to processor security and cryptography and transferring files to unauthorized locations including Iran, the Justice Department said.

- Iran-linked APT Infy resurfaces with updated Foudre and Tonnerre malware
  SafeBreach and other researchers reported renewed activity by the Iranian APT known as Infy (Prince of Persia), documenting updated Foudre and Tonnerre malware, use of a domain generation algorithm for C2 resilience, and a Telegram-based channel in recent campaigns affecting targets in the Middle East, India, Canada and Europe.

- Iran-linked MuddyWater group deploys MuddyViper backdoor against Israeli targets
  Researchers say Iranian-linked MuddyWater has used a new MuddyViper backdoor, delivered via a Fooder loader, to target Israeli organisations across multiple sectors and to harvest credentials and browser data.

- Amazon finds Iran-linked hackers using cyber reconnaissance to aid physical attacks
  Amazon's threat intelligence team reported that Iran-linked hackers conducted digital reconnaissance, including targeting ship AIS and CCTV, to support physical attacks, a trend the company calls cyber-enabled kinetic targeting.

- Mandiant ties UNC1549 to long-running campaign using TWOSTROKE and DEEPROOT against aerospace and defence
  Google-owned Mandiant linked a cluster it tracks as UNC1549 to a campaign from late 2023 through 2025 in which suspected Iranian espionage actors used backdoors including TWOSTROKE and DEEPROOT to target aerospace, aviation and defence organisations by exploiting third-party credentials, VDI breakouts and targeted phishing.

- Israel agency says Iran-linked APT42 ran espionage campaign targeting officials and family members
  Israel's National Digital Agency says an Iran-linked threat actor known as APT42 has been running a campaign called SpearSpecter since early September 2025 that uses personalised social engineering to target senior officials and their family members and deploys a PowerShell backdoor for persistent access.

- Iran-linked MuddyWater used compromised email to deliver Phoenix backdoor to 100+ MENA government targets, Group-IB says
  Group-IB says Iran-linked MuddyWater used a compromised mailbox accessed via NordVPN to phish MENA organisations, deploying weaponised Word documents that installed the Phoenix v4 backdoor across more than 100 government targets and hosting RMM tools and a browser credential stealer on its C2 infrastructure.

- Iranian-linked hackers expand European operations with fake job portals and new malware, researchers say
  Security researchers say Iranian government-backed attackers are targeting Western Europe with fake job portals and new Minibike malware, including MiniJunk and MiniBrowse, delivered through a multi-stage DLL sideloading chain. The operation focuses on Denmark, Portugal, and Sweden and appears linked to broader Iran-aligned threat activity.

- Iranian-aligned group linked to multi-wave spear-phishing targeting embassies worldwide, researchers say
  An Iran-linked threat group is behind a coordinated, multi-wave spear-phishing campaign targeting embassies and consulates worldwide, using VBA macro payloads to deploy malware, according to researchers.

- New Android spyware linked to Iranian ministry targets dissidents amid evolving Middle East tensions
  Security researchers have uncovered four new samples of Android spyware linked to Iran's Ministry of Intelligence, posing a significant threat to dissidents amid rising tensions with Israel. The malware, disguised as VPN apps, exploits recent geopolitical developments to surveil activists and journalists.