Since the start of Operation Epic Fury on February 28, 2026, Proofpoint researchers have observed heightened cyber activity against Middle East targets tied to the war. Our new blog shares examples of how the conflict in Iran is accelerating cyber espionage across the Middle East.

🔗: https://brnw.ch/21x0EJ8

Iran-aligned #TA453 ( #CharmingKitten #APT42 ) recently attempted credential phishing against a U.S. think tank, continuing its longstanding intelligence collection efforts. At the same time, multiple state-sponsored actors, including groups suspected to be linked to China, Belarus, Pakistan, and Hamas, are targeting Middle Eastern government entities using conflict-themed lures, often sent from compromised government or diplomatic accounts.

This reflects both opportunistic social engineering and a broader shift in intelligence collection priorities driven by the conflict.

View the full blog to see campaign examples observed by our researchers. We will continue monitoring the landscape and keep our customers and community informed as the situation evolves.

How a hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East | TechCrunch

The phishing campaign targeted users on WhatsApp, including an Iranian-British activist, and stole the credentials of a Lebanese cabinet minister and at least one journalist.

TechCrunch

APT35 Leak: From cyber espionage to physical assassination plans

As of early December 2025, the cyber security world witnessed one of the largest leaks of recent years concerning APT groups. Operational records, employee information and internal working documents belonging to the Charming Kitten group (also known as APT35, Phosphorus), which is known to be directly linked to the Islamic Revolutionary Guard Corps (IRGC), were leaked via GitHub under the name "KittenBusters". This leak,

Webrecord

0day browser RCE by Charming Kitten / APT35, or bad reporting?

Allegedly a link was clicked and thereby™ the computer was infected.

https://archive.is/QkX57

#Berlin #Badenberg #CharmingKitten #apt35

BellaCiao, BellaCiao from the magic hound to the poor sod whose account is browned the magic that with the new year comes spies and hounds and hides its crumbs whether social media or email links do not click if it blinks or stinks thehackernews.com/2024/12/iran... #apt35 #charmingkitten #magichound

Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

Kaspersky uncovers BellaCPP malware by Iranian APT35, targeting systems in Asia without web shell use.

The Hacker News

New APT insight from Proofpoint ⬇️

This week, our team observed IRGC/Iranian-aligned threat group #TA453 continue their phishing efforts despite the recent unsealing of indictments and sanctions by the U.S. government.

Specifically, Proofpoint observed TA453 masquerade as the Centre for Feminist Foreign Policy (CFFP) to target individuals associated with U.S.-based universities, media companies, and politically adjacent social benefit organizations.

Today #CISA and the @FBI released a resource guide titled, “How to Protect Against Iranian Targeting of Accounts Associated with National Political Organizations.” It sets a good baseline on ways to protect against a variety of threat actors, including TA453. https://www.cisa.gov/resources-tools/resources/how-protect-against-iranian-targeting-accounts-associated-national-political-organizations

TA453 overlaps with reporting on #CharmingKitten, #MintSandstorm, #CharmingCypress and #APT42.

See our recent blog post to learn more about TA453’s malware evolution. https://ow.ly/OrXE50THoKZ

Iranian Cyber Actors Targeting Personal Accounts to Support Operations
#CharmingKitten
https://www.ic3.gov/Media/News/2024/240927.pdf

The Iran-aligned threat actor who compromised the Trump campaign's email systems is known in the cybersecurity research community as #TA453, #APT42, or #CharmingKitten.

"The group's appearance in the U.S. election is noteworthy, sources told @Reuters, because of their invasive #espionage approach against high-value targets in Washington and Israel."

Read the article for insights from Joshua Miller of Proofpoint and other experts: https://www.reuters.com/world/trump-campaigns-iranian-hackers-have-dangerous-history-deep-expertise-2024-08-23/

The Iranians who hacked Trump's campaign have deep expertise

The Iranian hacking team that compromised the campaign of Republican presidential candidate Donald Trump is known for placing surveillance software on the mobile phones of its victims, enabling them to record calls, steal texts and silently turn on cameras and microphones, according to researchers and experts who follow the group.

Reuters

Cyclops: a likely replacement for BellaCiao

Identifier: TRR240801. Summary This report introduces Cyclops, a newly discovered and previously undocumented malware platform written in Go which dates back to December 2023, and that we believe has been deployed against targets in the Middle-East in 2024. Cyclops allows operators to execute arbitrary commands on the target’s file system, as well as pivot inside […]

HarfangLab EDR | Cyberangriffe blockieren

Our team just released a report on #CharmingKitten/#APT35: https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/

We discovered a new malware family called Cyclops, written in Go. It launches a local web server which exposes a REST API used to control the malware. The port is forwarded to the C2 via SSH.

We believe Cyclops was developed as a replacement for the (burnt) BellaCiao implant.
There seem to be very few samples in existence and we'd be curious to know if anyone else can find some. Suspected area of activity is the Middle-East since December 2023.

Reverse-engineering was a challenge due to the malware expecting marshalled objects from the network. How do you figure out their expected structure with Golang when there's no constructor? If there's any interest, I may write a separate blog post or thread on the subject.

IOCs and more in the full post. Enjoy!