Since the start of Operation Epic Fury on February 28, 2026, Proofpoint researchers have observed heightened cyber activity against Middle East targets tied to the war. Our new blog shares examples of how the conflict in Iran is accelerating cyber espionage across the Middle East.

🔗: https://brnw.ch/21x0EJ8

Iran-aligned #TA453 ( #CharmingKitten #APT42 ) recently attempted credential phishing against a U.S. thinktank, continuing its longstanding intelligence collection efforts. At the same time, multiple state-sponsored actors, including groups suspected to be linked to China, Belarus, Pakistan, and Hamas, are targeting Middle Eastern government entities using conflict-themed lures, often sent from compromised government or diplomatic accounts.

This reflects both opportunistic social engineering and a broader shift in intelligence collection priorities driven by the conflict.

View the full blog to see campaign examples observed by our researchers. We will continue monitoring the landscape and keep our customers and community informed as the situation evolves.

New APT insight from Proofpoint ⬇️

This week, our team observed IRGC/Iranian-aligned threat group #TA453 continue their phishing efforts despite the recent unsealing of indictments and sanctions by the U.S. government.

Specifically, Proofpoint observed TA453 masquerade as the Centre for Feminist Foreign Policy (CFFP) to target individuals associated with U.S.-based universities, media companies, and politically adjacent social benefit organizations.

Today #CISA and the @FBI released a resource guide titled, “How to Protect Against Iranian Targeting of Accounts Associated with National Political Organizations.” It sets a good baseline on ways to protect against a variety of threat actors, including TA453. https://www.cisa.gov/resources-tools/resources/how-protect-against-iranian-targeting-accounts-associated-national-political-organizations

TA453 overlaps with reporting on #CharmingKitten, #MintSandstorm, #CharmingCypress and #APT42.

See our recent blog post to learn more about TA453’s malware evolution. https://ow.ly/OrXE50THoKZ

The Iran-aligned threat actor who compromised the Trump campaign's email systems is known in the cybersecurity research community as #TA453, #APT42, or #CharmingKitten.

"The group's appearance in the U.S. election is noteworthy, sources told @Reuters, because of their invasive #espionage approach against high-value targets in Washington and Israel."

Read the article for insights from Joshua Miller of Proofpoint and other experts: https://www.reuters.com/world/trump-campaigns-iranian-hackers-have-dangerous-history-deep-expertise-2024-08-23/

The Iranians who hacked Trump's campaign have deep expertise

The Iranian hacking team that compromised the campaign of Republican presidential candidate Donald Trump is known for placing surveillance software on the mobile phones of its victims, enabling them to record calls, steal texts and silently turn on cameras and microphones, according to researchers and experts who follow the group.

Reuters

New APT observations from Proofpoint: Iranian threat actor #TA453 targeted a prominent religious figure with a fake podcast interview invite.

Blog: https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering

The July 2024 attack, which involved TA453 purporting to work for the Institute for the Study of War (ISW), was likely launched to gather intelligence.

The #malware was delivered via a GoogleDrive URL leading to a ZIP archive named “Podcast Plan-2024[.]zip”.

The ZIP contained an LNK titled “Podcast Plan 2024.lnk”.

The LNK delivered the BlackSmith toolset which eventually loaded TA453’s AnvilEcho Powershell Trojan.

This campaign demonstrates that TA453 hasn't given up on using modular #PowerShell backdoors. The toolset observed in the infection chain is likely the successor of GorjolEcho/PowerStar, TAMECURL, MischiefTut, and CharmPower.

Our blog has a full analysis of the infection chain.

TA453 uses various #socialengineering techniques to try and convince targets to engage with malicious content.

Based on extensive evidence, our analysts assess that #TA453 operates in support of intelligence collection efforts for the #IRGC.

The BlackSmith toolkit is just one sophisticated example of how TA453 attempts to streamline its malware functions to generate a full service PowerShell trojan.

Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset | Proofpoint US

Key findings: Proofpoint identified Iranian threat actor TA453 targeting a prominent religious figure with a fake podcast interview invitation. The initial interaction attempted to lure the targe...

Proofpoint
Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset
#TA453 #BlackSmith #AnvilEcho
https://www.proofpoint.com/uk/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
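The infection chain described in the post above (a ZIP archive delivered by URL, containing an LNK that launches a PowerShell-based toolset) is a pattern defenders can check for at the mail gateway or in a sandbox. The following is an added example, not code from Proofpoint or from the blog: it inspects a ZIP archive in memory and flags entries that are Windows shortcut files, either by extension or by the documented LNK header (HeaderSize 0x4C followed by the ShellLink CLSID), so a shortcut renamed to look like a document is still caught. The sample archive and its file names are constructed for the example.

```python
import io
import os
import zipfile

# Windows ShellLink header: HeaderSize (0x0000004C) + LinkCLSID
# {00021401-0000-0000-C000-000000000046}, as laid out in the MS-SHLLINK spec.
LNK_MAGIC = bytes.fromhex("4C000000011402000000000000C000000000000046")

# Extensions that should rarely travel inside an archive sent to a human target.
SHORTCUT_OR_SCRIPT_EXT = {".lnk", ".ps1", ".hta", ".vbs", ".js"}


def inspect_archive(data: bytes) -> list[dict]:
    """Return one finding per archive member that is a shortcut/script by
    extension, or carries the LNK header regardless of its name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            has_lnk_magic = head.startswith(LNK_MAGIC)
            if ext in SHORTCUT_OR_SCRIPT_EXT or has_lnk_magic:
                findings.append({
                    "name": info.filename,
                    "ext": ext,
                    "lnk_magic": has_lnk_magic,
                    # Header says LNK but the name does not: disguised shortcut.
                    "disguised": has_lnk_magic and ext != ".lnk",
                    "size": info.file_size,
                })
    return findings


def is_suspicious(data: bytes) -> bool:
    """Simple verdict: any shortcut/script member makes the archive suspicious."""
    return bool(inspect_archive(data))


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the lure layout: a ZIP holding an LNK
    plus a benign text file. Names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Podcast Plan 2024.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


def build_disguised_zip() -> bytes:
    """Constructed sample where the shortcut is renamed to look like a PDF;
    only the header check catches it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Podcast Plan 2024.pdf", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed sample with only document-like members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.txt", b"1. intro\n2. questions\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [("lure", build_sample_zip()),
                          ("disguised", build_disguised_zip()),
                          ("benign", build_benign_zip())]:
        print(label, is_suspicious(sample), inspect_archive(sample))
```

The header check matters more than the extension check: an archive member named like a document but starting with the ShellLink header is exactly the kind of mismatch that should block delivery or route the message for analyst review.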
#ESETresearch discovered a #backdoor we have named Sponsor, used in a #BallisticBobcat (aka Charming Kitten, #TA453, #APT35, or #PHOSPHORUS) campaign targeting various entities in Brazil, Israel, and the United Arab Emirates. Check it out: https://welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/
Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor

ESET Research uncovers the Sponsoring Access campaign, which utilizes an undocumented Ballistic Bobcat backdoor we have named Sponsor.

Iran-linked APT TA453 targets Windows and macOS systems

Iran-linked APT group tracked as TA453 has been linked to a new malware campaign targeting both Windows and macOS systems. The Iran-linked threat actor TA453 has been linked to a malware campaign that targets both Windows and macOS. TA453 is a nation-state actor that overlaps with activity tracked as Charming Kitten, PHOSPHORUS, and APT42. TA453 in May 2023 started […]

Security Affairs
PowerLess: Malware now also targets Telegram data

Among other things, PowerLess can steal user data from the Telegram desktop application, take screenshots, and is very hard to detect.

Tarnkappe.info

It is good to be selective in choosing your LinkedIn connections. My golden rule has always been: have I worked with or met this person before, and would I work or meet with them again? With SEABORGIUM and TA453 running active spear-phishing campaigns, this is even more important.

The UK National Cyber Security Centre says that Russia-based SEABORGIUM and Iran-based TA453 actors are still using spear-phishing attacks to gather information from targeted organizations and individuals in the UK and elsewhere.

Even though the tactics, techniques, procedures, and targeting profiles are similar, these campaigns are different, and the two groups are not working together.

My top tips for you.
1. Only accept connections from people you actually know.
2. Re-evaluate your list of connections and consider whether each connection is truly part of your network.
3. Check your privacy settings.
4. Trust, but verify!

https://www.ncsc.gov.uk/news/spear-phishing-campaigns-targets-of-interest

#cybersecurity #infosec #spearphishing #linkedin #SEABORGIUM #TA453

SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest

Activity against targeted organisations and individuals in the UK and other areas of interest.

Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations | Proofpoint US
