
CyberShelter Critical Advisory: Iranian IRGC-Linked APT Targets UAE Aerospace & Defence Sector

CyberShelter threat intelligence analysts have identified a sophisticated cyber-espionage campaign targeting the UAE’s aerospace, defence, and government ecosystem, leveraging VHD-delivered malware and spear-phishing themed around regional space industry events.

Advisory ID: TIA-UAE-2026-023
Published: 4 March 2026
Source: CyberShelter Threat Intelligence & NSOC
Classification: CRITICAL SEVERITY

Executive Overview

CyberShelter Threat Intelligence has identified an active cyber-espionage campaign targeting strategic organizations within the UAE, including aerospace, defence contractors, and government entities.

The activity has been attributed with high confidence to Peach Sandstorm (APT33), an Iranian state-aligned threat group associated with the Islamic Revolutionary Guard Corps (IRGC).

The campaign, tracked as CandleStone, uses spear-phishing emails referencing the Abu Dhabi Space Debate to distribute malicious archives containing Virtual Hard Disk (VHD) containers, allowing attackers to bypass Windows security protections.

CyberShelter analysts warn that APT33 historically shifts from espionage operations to destructive cyber attacks, meaning this activity could represent an early stage of more disruptive operations.

Strategic Context

Why This Campaign Matters to the UAE

The UAE has rapidly positioned itself as a global aerospace innovation hub, highlighted by initiatives such as the Hope Probe Mars Mission and expanding defence technology programs.

These strategic developments have made UAE aerospace and defence organizations high-value intelligence targets for state-aligned cyber actors seeking technological advantage and geopolitical leverage.

Primary Target Sectors

Sector               | Risk Level | Reason
Aerospace & Defence  | CRITICAL   | Strategic technology and intelligence targeting
Government           | CRITICAL   | National policy and security intelligence
Energy & Utilities   | HIGH       | Historical Iranian targeting patterns
Aviation             | HIGH       | Infrastructure and supply chain leverage

Attack Chain Overview

The CandleStone campaign follows a structured multi-stage intrusion lifecycle designed to establish persistent access within enterprise environments.

Stage | Activity
1     | Compromise of victim mailbox or targeted spear-phishing
2     | Email themed around the Abu Dhabi Space Debate
3     | Delivery of a malicious archive containing a VHD container
4     | Execution of a malicious shortcut triggering DLL sideloading
5     | Deployment of the CandleStone backdoor
6     | Command-and-control communication and data exfiltration

Malware Toolkit Used in the Campaign

The attackers deploy a toolkit designed for persistence, reconnaissance, and credential harvesting across enterprise systems.

Malware          | Function             | Capability
Phoenix v4       | Remote Access Trojan | Full system control with WinHTTP C2
FakeUpdate       | Loader               | Encrypted memory injection
Chromium Stealer | Credential theft     | Decrypts browser credentials using DPAPI

Delivery Mechanism: VHD-Based Security Bypass

Attackers use Virtual Hard Disk (VHD) containers to bypass Windows security protections known as Mark-of-the-Web (MotW).

When users mount the VHD file, Windows treats the files as local content, preventing security warnings normally triggered for internet downloads.

Files Observed in the Campaign

File                                  | Description
Conferences and Materials.zip         | Initial phishing archive
Conference Resources and Material.vhd | Virtual disk container
dxgi.dll                              | CandleStone backdoor payload

CandleStone Backdoor Technical Behavior

Once executed, the backdoor performs system reconnaissance and establishes encrypted communication with attacker infrastructure.

Host Reconnaissance Data Collected

  • Hostname and logged-in username
  • IPv4 and IPv6 network addresses
  • System architecture details
  • Running processes

Command-and-Control Communication

Endpoint            | Purpose
/sound/agents       | Initial beacon
/sound/tickets/all  | Command polling

Communication occurs over HTTP on port 443, blending with legitimate encrypted traffic.

Command-and-Control Infrastructure

Threat actors leveraged UAE-themed typosquatting domains and aged infrastructure to evade reputation-based security filters.

Domain                         | Purpose
health-beauty-skin-care[.]com  | Primary C2 server
abudhabspacedebate[.]com       | Phishing domain
abudhbispacedebate[.]com       | Typosquatting domain
huammings[.]com                | Campaign infrastructure

Threat Actor Profile

Peach Sandstorm (APT33)

APT33 is an Iranian state-aligned cyber espionage group linked to the IRGC, active since 2013.

Attribute       | Details
Also Known As   | APT33, Elfin, Magnallium, Refined Kitten
Objective       | Strategic cyber espionage
Known Malware   | Shamoon, StoneDrill, DropShot
Primary Targets | Aerospace, defence, energy, government

MITRE ATT&CK Mapping

Tactic            | Technique | Description
Initial Access    | T1566.001 | Spearphishing attachments
Defense Evasion   | T1553.005 | Mark-of-the-Web bypass
Defense Evasion   | T1574.002 | DLL side-loading
Command & Control | T1071.001 | Web protocol communication

Indicators of Compromise (IOC)

Organizations should immediately monitor and block the following indicators.

Indicator                      | Type   | Context
health-beauty-skin-care[.]com  | Domain | Primary C2
abudhabspacedebate[.]com       | Domain | Phishing infrastructure
209.182.225.152                | IP     | Attack infrastructure
dxgi.dll                       | File   | CandleStone backdoor

Immediate Defensive Actions

Organizations operating in strategic sectors should take the following actions immediately.

1️⃣ Block identified campaign domains
2️⃣ Restrict mounting of VHD/ISO disk images via GPO policies
3️⃣ Hunt for dxgi.dll loaded by ApplicationFrameworkHost.exe
4️⃣ Monitor endpoints for LNK execution from mounted disk images
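The following hunting helpers are an added example written for this advisory; they are not CyberShelter tooling. They cover two of the checks above: dxgi.dll sideloading (a copy of dxgi.dll loaded from anywhere other than the Windows system directories, such as a mounted VHD, regardless of which host process loads it) and outbound traffic matching the campaign domains or the /sound/agents and /sound/tickets/all C2 paths. The Sysmon-style record keys and the space-separated proxy log layout are assumptions, and all sample telemetry is constructed.

```python
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Defanged indicators copied from the advisory; refanged only for matching.
C2_DOMAINS = {"health-beauty-skin-care[.]com", "abudhabspacedebate[.]com",
              "abudhbispacedebate[.]com", "huammings[.]com"}
C2_URI_PATHS = {"/sound/agents": "initial beacon", "/sound/tickets/all": "command polling"}
# Legitimate dxgi.dll lives only here; anything else is a sideload candidate.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_dxgi_sideload(event):
    # Assumed Sysmon Event ID 7-style record with keys "Image" and "ImageLoaded".
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.name.lower() != "dxgi.dll":
        return False
    return str(loaded.parent).lower() not in SYSTEM_DIRS


def scan_image_loads(events):
    # Returns (loading process, DLL path) for every suspicious dxgi.dll load.
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_dxgi_sideload(e)]


def scan_proxy_log(lines):
    # Assumed layout: <timestamp> <src_ip> <method> <url> <status>.
    # Flags known C2 domains, and the CandleStone URI paths even on unknown hosts.
    bad_hosts = {d.replace("[.]", ".") for d in C2_DOMAINS}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        url = urlsplit(parts[3])
        host = (url.hostname or "").lower()
        if host in bad_hosts:
            hits.append((parts[1], host, url.path, "known C2 domain"))
        elif url.path in C2_URI_PATHS:
            hits.append((parts[1], host, url.path, "CandleStone URI: " + C2_URI_PATHS[url.path]))
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_LOADS = [
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\System32\dxgi.dll"},
    {"Image": r"E:\Conference Resources and Material\ApplicationFrameworkHost.exe",
     "ImageLoaded": r"E:\Conference Resources and Material\dxgi.dll"},
]
SAMPLE_PROXY = [
    "2026-03-04T09:01:12Z 10.20.4.17 GET https://www.example.com/ 200",
    "2026-03-04T09:02:40Z 10.20.4.17 POST http://health-beauty-skin-care.com:443/sound/agents 200",
    "2026-03-04T09:03:10Z 10.20.4.17 GET http://203.0.113.9:443/sound/tickets/all 200",
]
```

Run `scan_image_loads(SAMPLE_LOADS)` and `scan_proxy_log(SAMPLE_PROXY)` against the sample data; only the VHD-hosted dxgi.dll and the two C2 requests are returned.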

Strategic Security Measures

  • Conduct retrospective log analysis for the past 180 days
  • Deploy YARA rules detecting CandleStone malware behavior
  • Monitor ASN 395092 infrastructure activity
  • Improve sandbox detonation for disk image files
  • Increase employee awareness regarding conference-themed phishing

CyberShelter Strategic Assessment

The CandleStone campaign demonstrates a significant evolution in Iranian cyber operations, combining:

  • VHD-based delivery mechanisms
  • Pre-aged attack infrastructure
  • DLL sideloading persistence techniques

Given APT33’s history of transitioning from espionage to destructive cyber operations, this campaign should be treated as a high-priority threat to UAE strategic sectors.

CyberShelter NSOC continues active monitoring and threat hunting across enterprise environments.

URGENT: Initiate incident response procedures immediately if indicators are detected.

Need Immediate Assistance?

CyberShelter NSOC provides 24/7 incident response, threat hunting, and advanced cyber defense support.

Contact CyberShelter NSOC immediately for assistance.