Evolving cyber threat landscape amid Middle East tensions

07 March, 2026

Geopolitical tensions invariably influence cyberspace, leading to an evolution in the threat landscape. The current escalation in the Middle East, which began on February 28, 2026, is anticipated to follow this pattern across the UAE. Historically, threat actors have exploited such periods to amplify influence operations, conduct opportunistic intrusion attempts, and circulate disinformation narratives. 

Key highlights

  • The rise in physical hostilities including missile and drone attacks has coincided with a surge in cyber operations, predominantly originating from Iranian‑aligned actors.
  • Financial services, Aviation, Energy, Telecom, and Government-linked entities remain high-probability targets due to their regional visibility and systemic importance.
  • While only low‑to‑medium impact cyber incidents have been reported in the UAE and in neighbouring Gulf states including Kuwait, Saudi Arabia, and Bahrain, ongoing reconnaissance activity indicates a potential risk of broader spillover into critical infrastructure sectors.
  • No major breaches have been confirmed to date; however, hacktivist and ransomware groups have made multiple claims.

CPX Threat Intelligence Center is actively monitoring the evolving geopolitical situation and its wider cyber implications across the region, noting an increase in hacktivist activities and targeted disruptions across allied Gulf states.

(06 March 2026, 1700 hours): CPX Threat Intelligence Center has been closely monitoring the escalating cyber landscape amid the ongoing US-Israel-Iran conflict.

In the last 72 hours, CPX-TIC has identified a surge in activity attributed to Iran-aligned personas and collectives, including hacktivists and state-linked groups. Pro-Russian hacktivists have joined forces with them, and old, previously silent hacktivist groups have become active.

Overall, hacktivist groups continue to lead the charge, particularly pro-Iranian, pro-Palestinian, and pro-Russian collectives, which continue to conduct DDoS attacks, website defacements, data exfiltration, and disinformation campaigns. These activities are largely targeting Israeli, US, and allied Gulf state critical infrastructure across the government, energy, finance, transportation, and healthcare sectors.

In addition to hacktivist activity, there are indications of potential targeting attempts by the Iran‑nexus APT group ‘Peach Sandstorm’ against entities in the UAE. Concurrently, cybercriminal exploitation of regional uncertainty persists, with an increase in fraudulent emails and smishing campaigns requesting personally identifiable information (PII) and financial data under the pretext of emergency registration or compensation.

The combination of continued hacktivist operations, coordinated narratives, emerging state-sponsored activity, and opportunistic scam campaigns reflects an elevated threat environment for regional entities, including within the UAE.

Threat assessment

CPX Threat Intelligence Center (CPX-TIC) assesses that the current regional geopolitical environment has resulted in an elevated cyber threat posture for the UAE, consistent with historical patterns observed during periods of heightened tension involving Iran and its regional proxies. 

Historically, Iranian state‑aligned cyber units have escalated cyber activity in parallel with kinetic or political developments, leveraging a mix of state APT operations and proxy actors. Below are some key plausible activities that can be seen during this ongoing conflict.

Observations and anticipated activities

  • Increased likelihood of hacktivist‑led DDoS campaigns targeting public‑facing government and private‑sector services
  • Elevated state‑aligned APT activity, focused on reconnaissance, credential harvesting, and cyber-espionage
  • Continued use of website defacement as a low‑complexity psychological and influence tactic
  • Rise in malware and ransomware campaigns, potentially operating under state tolerance or indirect coordination
  • Use of proxy actors and front groups to maintain plausible deniability and obscure attribution

Recent developments in cyber space

In the last 72 hours, CPX‑TIC observed increased activity from several pro-Iranian and pro-Palestinian hacktivist collectives, including Handala Hack Team, 313 Team, DieNet, RuskiNet Group, and CONQUERORS ELECTRONIC ARMY, targeting entities in Israel, Jordan, and Kuwait. Additionally, pro-Russian affiliates such as NoName057(16) and the Z-PENTEST ALLIANCE have intensified their contributions to the #OpIsrael campaign by leaking data and defacing Israeli government and defense-related platforms.

On the ransomware front, the group BaqiyatLock (BQTlock) has begun recruiting hacktivist partners, offering complimentary RaaS (Ransomware‑as‑a‑Service) access specifically for operations targeting Israeli organizations. Cybercriminal exploitation of regional uncertainty also persists, with fraudulent emails and smishing messages targeting netizens in the UAE. Moreover, a few activities have been identified for state-sponsored actors such as Peach Sandstorm.

Below is the timeline of the cyber escalation from 28-February to 06-March 2026:

  • February 28, 2026: Initial escalation with influence operations
  • March 1, 2026: Reported DDoS attempts; cybercriminals began taking advantage of the situation
  • March 2, 2026: DDoS and reconnaissance spikes, along with cloud infrastructure outages
  • March 3, 2026: Pro-Russian hacktivists joined forces, and old, previously silent hacktivist groups became active
  • March 4, 2026: Pro-Iranian, pro-Palestinian, and pro-Russian collectives continue to conduct DDoS attacks, website defacements, data exfiltration, and disinformation campaigns
  • March 5, 2026: Several groups amplified calls for broader retaliation, followed by cybercriminals leveraging social engineering techniques
  • March 6, 2026: Hacktivist activity intensified across multiple fronts with widespread claims of DDoS attacks, data leaks, and infrastructure disruption targeting Middle East entities, alongside escalating influence messaging and cross‑group amplification

| Date | Threat Actor | Origin | Motivation | Activity Type | Target Region |
|---|---|---|---|---|---|
| 28-Feb-2026 | Handala Hack Team | Iran | Ideological, Anti-Israel/ US | Announcement of the attack against Middle East Countries | Middle East |
| 28-Feb-2026 | Fatimion Cyber Team | Unknown | Ideological, Anti-Israel/ Zionist | Compromise of UAE based Government NGO’s website | UAE |
| 28-Feb-2026 | DieNet | Unknown | Ideological, Anti-Western/Pro-Middle Eastern | DDOS Attack on UAE Based Entities (Government Enabled Services, Telecom) | UAE |
| 28-Feb-2026 | Sylhet Gang-SG | Bangladesh | Religious, Political | Call for hackers or hacktivist groups to launch collective cyber operations against America and Israel; Endorsed UAE Related Claims | UAE |
| 28-Feb-2026 | Cyber Islamic Resistance | Unknown | Religious, Political, Pro-Iran, Pro‑Palestinian | Announcement: Calling for hackers and cyber‑warfare experts to participate via the group’s official account | Announcement |
| 01-Mar-2026 | MAD GHOST/ Arabian Ghosts | Unknown | Pro-Palestinian, Anti‑Israel | Announcement: Calling for hackers to target Israel, the USA, Saudi Arabia, and UAE | Middle East, US, Israel |
| 01-Mar-2026 | Sylhet Gang-SG | Bangladesh | Religious, Political | Amplified the DieNet messaging related to UAE targets | UAE |
| 01-Mar-2026 | APT Iran | Unknown | Religious, Political, Pro-Iran, Anti-Israel | Announcement: posted a list of target countries including Israel, US, Jordan, Saudi Arabia, and United Arab Emirates (UAE) | Middle East, US, Israel |
| 01-Mar-2026 | 313 Team | Unknown | Ideological, Anti-Israeli, Anti-Western, Pro-Palestinian | Call‑to‑Action / Threat Declaration | Middle East, US, Israel |
| 01-Mar-2026 | DieNet | Unknown | Ideological, Anti-Western/Pro-Middle Eastern | DDoS Attack on UAE Critical Infrastructure | UAE |
| 01-Mar-2026 | Handala Hack Team | Iran | Ideological, Anti-Israel/ US | Threat Declaration / Warning Advisory | Middle East |
| 02-Mar-2026 | BD Anonymous Team | Bangladesh | Religious, Political, Pro-Palestinian | Operation Announcement / Call‑to‑Action | Middle East |
| 02-Mar-2026 | 313 Team | Unknown | Ideological, Anti-Israeli, Anti-Western, Pro-Palestinian | Threat Statement / Target Declaration against the countries supporting US and Israel | Middle East, US, Israel |
| 02-Mar-2026 | APT Iran | Unknown | Religious, Political, Pro-Iran, Anti-Israel | ICS/SCADA Intrusion & Access Demonstration | Israel |
| 02-Mar-2026 | FAD Team | Iraq | Religious, Political, Pro-Palestinian | SCADA/PLC Compromise (Wind Turbine Infrastructure) - Israel | Israel |
| 03-Mar-2026 | DIENET | Unknown | Ideological, Anti-Western/Pro-Middle Eastern | DDoS attack on Omani Government Portal | Oman |
| 03-Mar-2026 | FAD TEAM | Iraq | Religious, Political, Pro-Palestinian | Coordinated Cyber Operation / ICS Targeting - Saudi Arabia | Saudi Arabia |
| 03-Mar-2026 | 313 Team | Iraq | Ideological, Anti-Israeli, Anti-Western, Pro-Palestinian | DDoS Attacks on Critical Infrastructure - Kuwait | Kuwait |
| 03-Mar-2026 | ANONYMOUS SANA'A | Yemen | Religious, Political, Pro-Palestinian | Data Breach & Data Destruction (Hack-and-Leak) - Israel | Israel |
| 03-Mar-2026 | WeAreUst | Yemen | Religious, Political, Pro-Palestinian | Data Breach & Data Destruction (Hack-and-Leak) - Israel | Israel |
| 03-Mar-2026 | NONAME057(16) | Russia | pro‑Russian hacktivist collective | DDoS attacks on Israel entities | Israel |
| 03-Mar-2026 | BLACKMASKERS ARMY | Tunisia | Religious, Political, Pro-Palestinian | Announcement: Support Statement on cyber warfare | Israel |
| 03-Mar-2026 | KEYMOUS | North Africa | North Africa–linked hacktivist group | Targeted Attacks on Critical Infrastructure - Kuwait, Jordan, Saudi Arabia | Kuwait, Jordan, Saudi Arabia |
| 03-Mar-2026 | DARK STORM TEAM | Unknown | Religious, Political, Pro-Palestinian | DDoS attack against Israeli Bank | Israel |
| 03-Mar-2026 | MOROCCAN BLACK CYBER ARMY | Morocco | Religious, Political, Pro-Palestinian | Data Breach & Data Destruction (Hack-and-Leak) - US & Israel | US, Israel |
| 03-Mar-2026 | MUHAMMAD BRIGADE | Unknown | Religious, Political, Pro-Palestinian | Data Leak (Military & Intelligence Files) | Israel |
| 03-Mar-2026 | CYBER RESISTANCE OF PALESTINE | Unknown | Religious, Political, Pro-Palestinian | Announcement: Calling for hackers to join cyber warfare | Israel |
| 03-Mar-2026 | BLACKCAT | Unknown | Ideological | Support Statement / Threat Messaging | Middle East, US, Israel |
| 03-Mar-2026 | HANDALA HACK TEAM | Iran | Ideological, Anti-Israel/ US | Compromise of UAE Energy Sector Infrastructure | UAE |
| 04-Mar-2026 | RUSKINET GROUP | Unknown | political and ideological | DDoS Attack on Israeli Corporate Website | Israel |
| 04-Mar-2026 | Z-PENTEST ALLIANCE | Russia | pro-Russian | Full ICS/Water Infrastructure Compromise Claim - Israel | Israel |
| 04-Mar-2026 | DieNet | Unknown | Ideological, Anti-Western/Pro-Middle Eastern | Data Compromise - Jordan | Jordan |
| 04-Mar-2026 | HANDALA HACK TEAM | Iran | Ideological, Anti-Israel/ US | Service Disruption Attack (UAE Banking Sector) | UAE |
| 04-Mar-2026 | 313 Team | Iraq | Ideological, Anti-Israeli, Anti-Western, Pro-Palestinian | DDoS Attack on UAE Government Media Portal | UAE |
| 05-Mar-2026 | RUSKINET GROUP | Unknown | Political, Ideological | DDoS Attack on Financial Technology Platform - Israel | Israel |
| 05-Mar-2026 | DIENET | Unknown | Ideological, Anti-Western/Pro-Middle Eastern | DDoS Attack on NSO Group - Israel and USA | Israel, US |
| 05-Mar-2026 | HANDALA HACK TEAM | Iran | Ideological, Anti-Israel/ US | Data Leak and Attack on Insurance Provider - Israel | Israel |
| 05-Mar-2026 | FAD TEAM | Iraq | Religious, Political, Pro-Palestinian | Targeted Data Leak and Credential Exposure - Israel, Saudi Arabia | Israel, Saudi Arabia |
| 05-Mar-2026 | 313 TEAM | Iraq | Ideological, Anti-Israeli, Anti-Western, Pro-Palestinian | DDoS Attacks on Government Servers - Bahrain | Bahrain |
| 05-Mar-2026 | CYBER ISLAMIC RESISTANCE | Unknown | Religious, Political, Pro-Iran, Pro‑Palestinian | Leadership Message / Psychological Ops | Israel |
| 05-Mar-2026 | CONQUERORS ELECTRONIC ARMY | Unknown | Pro-Iran | Multi‑Sector Compromise (Healthcare, Education, Water) - Israel | Israel |
| 06-Mar-2026 | Conqueror Electronics Army | Unknown | Pro-Iran | Cyberattack on Financial Institution - Israel | Israel |
| 06-Mar-2026 | FAD Team | Iraq | Religious, Political, Pro-Palestinian | DDoS Attack on Government Website - Jordan | Jordan |
| 06-Mar-2026 | 313 Team | Iraq | Ideological, Anti-Israeli, Anti-Western, Pro-Palestinian | Sustained DDoS Campaign Against Government Portal - Kuwait | Kuwait |
| 06-Mar-2026 | Moroccan Black Cyber Army | Morocco | Religious, Political, Pro-Palestinian | Announcement: Operation Warning / Pre‑Attack Declaration | Israel, US |
| 06-Mar-2026 | DieNet | Unknown | Ideological, Anti-Western/Pro-Middle Eastern | DDoS Attacks on Gov Services Across Israel & Qatar | Israel, Qatar |
| 06-Mar-2026 | Team Bangladesh Cyber Squad | Bangladesh | Religious, Political, Pro-Palestinian | Unauthorized CCTV Access + DDoS + ICS Access - UAE and Israel | UAE, Israel |
| 06-Mar-2026 | Handala Hack Team | Iran | Ideological, Anti-Israel/ US | Data Theft + Server Wipe (Hack‑and‑Destroy) - Israel | Israel |
| 06-Mar-2026 | RuskiNet Group | Unknown | Political, Ideological | DDoS Attack (Corporate Target) - Israel | Israel |
| 06-Mar-2026 | Cardinal | Russia | pro‑Russian | Cyber Intrusion Claim / Military System Breach - Israel | Israel |
| 06-Mar-2026 | NoName057(16) | Russia | pro‑Russian hacktivist collective | DDoS Attacks on Municipal Government Websites - Israel | Israel |

Cyber crime activities

CPX Threat Intelligence Center has identified multiple cybercriminal campaigns actively targeting netizens during the current escalation to collect personally identifiable information (PII) and financial data.

First Campaign: An ongoing smishing campaign targeting netizens by impersonating officials from Dubai Customs. The fraudulent messages claim that a parcel has been placed on hold due to the regional security situation and tightened border control measures, prompting recipients to “update their information” to meet compliance requirements and resume parcel processing.

Figure 1: Smishing message and website

Upon examining the URL included in the smishing message, CPX Threat Intelligence Center confirmed that the website is designed to harvest personally identifiable information (PII) as well as financial details, indicating a clear intention to commit fraud.

Figure 2: Analyzed website

Second Campaign: A fraudulent email campaign is circulating, in which recipients are instructed to complete an alleged “emergency registration form” and submit personal information under the guise of receiving support, compensation, or insurance coverage.

The UAE Ministry of Interior (MOI) issued a public warning emphasizing that these messages are malicious and urged the public not to respond, not to share any personal data, and to remain vigilant against unsolicited communications leveraging the current security situation. This aligns with previously observed patterns of opportunistic social engineering campaigns that surge during periods of heightened geopolitical unrest.

Figure 3: MOI UAE post from X

Third Campaign: Cybercriminals, specifically scammers, have been actively exploiting the heightened regional uncertainty. Netizens in the UAE are receiving calls from scammers claiming to be from the Ministry of Interior (MOI), asking them to confirm receipt of the national alert and requesting that they share their Emirates ID (EID) number for verification purposes.

Official warning from MOI UAE

On March 1, 2026, the Ministry of Interior, UAE (MOI UAE) issued a warning to netizens against fraudulent calls that may originate from the number (70614213) or any other numbers, confirming that these fall under the practices of electronic fraud and impersonation.

Figure 4: MOI UAE post from X

Potential state-sponsored activity 

CPX Threat Intelligence Center also identified indications of activity linked to the Iran-nexus adversary ‘Peach Sandstorm’ (aka APT33), suggesting potential targeting of entities within the UAE. Peach Sandstorm is a long-standing and sophisticated adversary aligned with Iranian state interests and known for espionage, cyber sabotage, and strategic intelligence collection. The group has historically focused on environments involving sensitive technologies and critical infrastructure and has previously been associated with destructive operations, including the Shamoon attacks.

Peach Sandstorm activity typically involves password spray attempts across multiple accounts using common passwords often supported by reconnaissance of personnel profiles. The group also conducts spear phishing operations using job vacancy or role specific lures delivered through staged payloads involving HTML files and PowerShell scripts. Their operations may include deployment of custom malware such as the Tickler backdoor observed against UAE satellite operators as well as wiper and backdoor tools including Shamoon and TURNEDUP or FalseFont. 

CPX TIC assesses that potential targeting may include critical infrastructure operators such as oil, gas, power generation, and industrial facilities along with government ministries and entities holding economic, energy, financial, and civil registry information. 

Ransomware activities

  • BAQIYATLOCK (BQTLock) RANSOMWARE: BQTLock is a Ransomware‑as‑a‑Service (RaaS) group that emerged around 16 July 2025. Its operations are characterized by targeted intrusions leveraging custom ransomware variants and data‑extortion tactics. The group conducts wave‑based campaigns, demands ransom payments primarily in Monero (XMR), and blends traditional financially motivated attacks with propaganda‑driven narratives. 

The ransomware developed by the group shares the same name ‘BQTLock’ and serves as the central tool of their operations. The group’s main representative is Karim Fayad (known online as ZeroDayX or ZeroDayX1), supported by Fuch0u, who frequently appears on the group’s public communication channels. BQTLock also appears to maintain close ties with pro‑Palestinian hacktivist groups, including Liwaa Mohammed, with both sides demonstrating mutual engagement across social media platforms.

Last month, the group offered free RaaS memberships to any hacktivists who could “target the Zionist entity”.

  • INC RANSOM GROUP: CPX-TIC also identified that the INC Ransom group has claimed responsibility for compromising ‘Ramet Trom Ltd.’, a metalworking and machining company based in Israel, and exfiltrating approximately 1 TB of data as part of a broader extortion campaign. However, no evidence has been found to indicate whether INC Ransom’s claims are connected to the ongoing regional conflict or if the attack was opportunistic in nature. 

Figure 5: INC Ransom claim from its DLS

INC Ransom group remains highly active in the region. The group claimed several compromises affecting entities in Saudi Arabia and Bahrain throughout February 2026, and previously claimed attacks on multiple UAE based organizations in January 2026, as well as in November and September 2025.

AWS outages in UAE: Impact from regional conflict

CPX Threat Intelligence Center also observed that Amazon Web Services (AWS) experienced outages affecting data centers in the United Arab Emirates, primarily impacting at least one Availability Zone (mec1-az2) in the me-central-1 (UAE) region. This resulted in loss of power, connectivity issues, and widespread service degradation across critical cloud offerings, such as EC2, RDS, EBS, Lambda, EKS, and networking APIs.

The disruptions were caused by physical debris from a successful UAE interception of incoming projectiles amid the escalating Iran-U.S. and Israel conflict, which inadvertently damaged infrastructure supporting the AWS facilities.

AWS response and ongoing risks

AWS confirmed that restoration efforts were underway, with no confirmed data loss. However, AWS also warned customers that full restoration would take hours, underscoring the risks that physical attacks pose to cloud infrastructure in conflict zones.

Recommendations

The CPX-TIC recommends the following measures:

Defense against DDoS

  • Activate emergency WAF and CDN protections on public‑facing portals, including rate limiting, bot and JavaScript challenges, and login shielding, and ensure upstream traffic scrubbing is ready.
  • Implement caching and static failover pages for critical journeys such as login, search, and payments to preserve usability during pressure events. 
  • Validate Anycast DNS, short TTLs, and resilient authoritative DNS, and deploy multi‑region synthetic probes to distinguish real service degradation from claim noise.
  • Prepare concise runbooks to enable rapid mode switching such as reduced functionality or gray‑page responses and align communication triggers to observable telemetry.

Defense against ransomware and wiper

  • Maintain immutable, offline backups with routine restore tests, and protect backup consoles behind multifactor authentication and separate administrative credentials.
  • Enforce multifactor authentication and conditional access on VPN, RDP, and administrative portals, disable legacy protocols, and restrict access by source IP or ASN where feasible.
  • Deploy endpoint detection and response across servers and workstations, keep internet‑facing services and high‑risk third‑party components patched, segment networks and apply least privilege, and monitor for anomalous lateral movement and mass file modification.

Defense against web defacement

  • Keep CMS platforms and plugins fully updated, restrict administrative panels by IP and multifactor authentication, and remove unused plugins and themes.
  • Implement file integrity monitoring and read‑only permissions for web roots where possible and maintain versioned backups for rapid restoration.
  • Use a secure CI/CD process with signed artifacts, scan builds for secrets and malware, and restrict direct edits in production.
  • Enforce a strict Content Security Policy and sub resource integrity where applicable, and log and alert on unexpected file writes and administrative login anomalies.

Defense with IOCs and TTPs

  • Proactively monitor and block the shared Indicators of Compromise (IOCs) across security controls.
  • Conduct targeted threat hunting for the associated Tactics, Techniques, and Procedures (TTPs).
  • Given the elevated regional threat environment, early detection of reconnaissance, access‑building, and disruption‑focused activity is critical to reducing risk and preventing potential impact.

Defense against cybercriminals

  • Organizations and netizens are advised to exercise heightened vigilance when handling unsolicited communications or financial requests related to the ongoing developments. Always remember that government officials and entities do not request personal or financial information via telephone calls or unknown links.

Defense for cloud infrastructure

Monitor AWS Service Health Updates

  • Continuously follow the official AWS Health Status dashboard for real‑time updates on outage resolution, service restoration progress, and any region‑specific advisories. This ensures timely awareness of recovery milestones and potential downstream impacts on dependent services.

Defense against Hacktivist Claims on access to ICS/SCADA Devices

  • Validate ICS/SCADA Asset Inventory
    • Conduct an immediate review of your organization's ICS/SCADA asset inventory to identify any Unitronics Vision‑series or ELMI remote-control devices deployed within your environment. Ensure these devices are accurately logged, monitored, and risk‑scored.
  • Apply Latest Security Patches
    • Verify that all identified ICS/SCADA devices, particularly Unitronics PLCs and ELMI‑manufactured control systems, are updated to the most recent firmware and security patches. Patch gaps in these devices can expose critical operational environments to compromise.
  • Strengthen Monitoring & Hardening
    • Ensure continuous monitoring for anomalous activity targeting PLCs, remote management interfaces, and industrial protocols. Where possible, enforce network segmentation, disable unused services, and tighten access control to reduce attack surface.

Defense against Peach Sandstorm

  • Enforce MFA across all systems, especially privileged accounts, to counter APT33's primary attack vector of password spray attacks that target weak credentials. 
  • Deploy behavioural email filtering with sandboxing to detect APT33's sophisticated spear phishing campaigns using job vacancy themes and social engineering lures. 
  • Isolate critical infrastructure and SCADA systems from corporate networks to prevent APT33's lateral movement and limit damage from their destructive capabilities. 
  • Implement EDR with behavioural monitoring to detect APT33's custom malware (Tickler, TURNEDUP) through unusual process behaviours that evade traditional antivirus. 
  • Maintain immutable, offline backups with rapid recovery procedures to ensure business continuity against APT33's destructive Shamoon wiper attacks that can destroy hundreds of systems. 

Hunting Queries for Peach Sandstorm

Hunting for Malicious Signed File

DeviceFileCertificateInfo
| where Signer in~ ("Panzhihua Bada Technology Co., Ltd.")

Suspicious DLL Side-Loading

DeviceImageLoadEvents
| where FileName in~ ("dxgi.dll", "umpdc.dll", "dwrite.dll", "feclient.dll", "iumbase.dll", "wininet.dll","dui70.dll","secur32.dll","winhttp.dll","wtsapi32.dll","userenv.dll","xmllite.dll","iviewers.dll","sspicli.dll","manifest.dll","LockHostingFramework.dll","dwmapi.dll","unbcl.dll","cabinet.dll")
| where FolderPath !contains "System32" and FolderPath !contains "syswow64" and FolderPath !contains "WinSxS" and FolderPath !contains "SoftwareDistribution"

Suspicious DLL File Creation

DeviceFileEvents
| where FileName in~ ("dxgi.dll", "umpdc.dll", "dwrite.dll", "feclient.dll", "iumbase.dll", "wininet.dll","dui70.dll","secur32.dll","winhttp.dll","wtsapi32.dll","userenv.dll","xmllite.dll","iviewers.dll","sspicli.dll","manifest.dll","LockHostingFramework.dll","dwmapi.dll","unbcl.dll","cabinet.dll")
| where FolderPath !contains "System32" and FolderPath !contains "syswow64" and FolderPath !contains "WinSxS" and FolderPath !contains "SoftwareDistribution"

Suspicious RDP and SSH Connections

DeviceNetworkEvents
// RemotePort is an integer column, so compare against numeric literals
| where RemotePort in (3389, 22)
| where InitiatingProcessFileName in~ ("DataExchangeHost.exe", "LockAppHost.exe", "efsui.exe", "BioIso.exe", "presentationhost.exe", "setup.exe","CameraSettingsUIHost.exe","miiserver.exe","VGAuthService.exe","MigAutoPlay.exe")
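
Password Spray Pattern (added example)

The queries above do not cover the password-spray behaviour described for Peach Sandstorm (a few attempts per account, spread across many accounts). The following KQL is an added example, not part of the CPX report: it separates that pattern from single-account brute force and lists accounts that signed in from the spraying address afterwards. The sample rows, the thresholds, and the use of IdentityLogonEvents as the live table are assumptions.

```kql
// Added example, not from the CPX report. Rows below are constructed samples.
// On live data, replace SampleLogons with IdentityLogonEvents (same column names).
let spray_window = 30m;          // assumption: length of one spray burst
let min_accounts = 5;            // assumption: distinct accounts tried per source IP
let max_tries_per_account = 3;   // assumption: sprays stay below lockout limits
let SampleLogons = datatable(Timestamp:datetime, IPAddress:string, AccountUpn:string, ActionType:string)
[
    // 203.0.113.10: few tries against many accounts, then one success (spray)
    datetime(2026-03-05 08:00:05), "203.0.113.10", "user1@example.com", "LogonFailed",
    datetime(2026-03-05 08:01:10), "203.0.113.10", "user2@example.com", "LogonFailed",
    datetime(2026-03-05 08:02:15), "203.0.113.10", "user3@example.com", "LogonFailed",
    datetime(2026-03-05 08:03:20), "203.0.113.10", "user4@example.com", "LogonFailed",
    datetime(2026-03-05 08:04:25), "203.0.113.10", "user5@example.com", "LogonFailed",
    datetime(2026-03-05 08:09:30), "203.0.113.10", "user3@example.com", "LogonFailed",
    datetime(2026-03-05 08:12:40), "203.0.113.10", "user3@example.com", "LogonSuccess",
    // 198.51.100.7: many tries against one account (brute force, not a spray)
    datetime(2026-03-05 08:05:00), "198.51.100.7", "admin@example.com", "LogonFailed",
    datetime(2026-03-05 08:05:02), "198.51.100.7", "admin@example.com", "LogonFailed",
    datetime(2026-03-05 08:05:04), "198.51.100.7", "admin@example.com", "LogonFailed",
    datetime(2026-03-05 08:05:06), "198.51.100.7", "admin@example.com", "LogonFailed",
    // 192.0.2.44: a user mistyping a password, then signing in
    datetime(2026-03-05 08:20:00), "192.0.2.44",   "user9@example.com", "LogonFailed",
    datetime(2026-03-05 08:20:30), "192.0.2.44",   "user9@example.com", "LogonSuccess"
];
// Step 1: per source IP and time bucket, count failures per account, then keep
// sources that touched many accounts while never hammering any single one.
let Sprays = SampleLogons
    | where ActionType == "LogonFailed"
    | summarize Tries = count(), FirstTry = min(Timestamp)
        by IPAddress, AccountUpn, Bucket = bin(Timestamp, spray_window)
    | summarize Accounts = dcount(AccountUpn), Failures = sum(Tries),
                MaxTries = max(Tries), SprayStart = min(FirstTry)
        by IPAddress, Bucket
    | where Accounts >= min_accounts and MaxTries <= max_tries_per_account;
// Step 2: attach any successful sign-in from the same source after the spray began.
// make_set_if keeps the spray row even when no success exists (empty set).
Sprays
| join kind=leftouter (
    SampleLogons
    | where ActionType == "LogonSuccess"
    | project IPAddress, SuccessTime = Timestamp, SuccessUpn = AccountUpn
  ) on IPAddress
| summarize SuccessfulAccounts = make_set_if(SuccessUpn, SuccessTime >= SprayStart)
    by IPAddress, Bucket, Accounts, Failures, SprayStart
| order by Accounts desc
```

Fixed time buckets can split a burst that straddles a bucket boundary, so widen spray_window or lower min_accounts when hunting slow sprays.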
