SOC Prime Bias: Critical

25 Mar 2026 16:16 UTC

Iran Conflict Drives Surge in Espionage Activity Across Middle East Targets

Author Photo
Ruslan Mikhalov Chief of Threat Research at SOC Prime linkedin icon Follow
Iran Conflict Drives Surge in Espionage Activity Across Middle East Targets
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Proofpoint reported a rise in espionage and phishing activity tied to Iranian, Chinese, Pakistani, Belarusian, and other state-aligned threat actors after the February 2026 strikes in Iran. Adversaries used conflict-themed lures to go after government ministries, diplomatic organizations, and think tanks across the Middle East and the United States. These operations relied on credential phishing, malicious LNK files, DLL sideloading, and Cobalt Strike payloads delivered through compromised email accounts and cloud-hosted infrastructure. Detection efforts should prioritize malicious Office shortcuts, fake OneDrive-style login pages, and suspicious use of known malware loaders.

Investigation

Proofpoint tracked six separate campaigns — UNK_InnerAmbush, TA402, UNK_RobotDreams, UNK_NightOwl, TA473, and TA453 — that used email compromise, weaponized archives, and malicious links to deliver loaders that eventually launched Cobalt Strike. The researchers catalogued indicators including email addresses, domains, URLs, filenames, and file hashes. Where possible, the report also mapped the observed infrastructure to previously documented public reporting.

Mitigation

Organizations should require MFA for email and cloud platforms, block known malicious domains and URLs, and monitor for LNK execution and unexpected DLL loading activity. Email security controls should inspect attachments for LNK and archive-based delivery, while threat hunting should emphasize Cobalt Strike beacon behavior and unusual PowerShell execution.

Response

If a suspicious LNK, malicious archive, or Cobalt Strike beacon is identified, isolate the host, collect volatile evidence, and begin incident response immediately. Block related command-and-control domains and IP addresses, reset compromised accounts, and perform a full forensic investigation to identify any persistence mechanisms.

Attack Flow

Detections

Suspicious Binary / Scripts in Autostart Location (via file_event)

SOC Prime Team
25 Mar 2026

Suspicious Files in Public User Profile (via file_event)

SOC Prime Team
25 Mar 2026

Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)

SOC Prime Team
25 Mar 2026

Suspicious Extracted Files from an Archive (via file_event)

SOC Prime Team
25 Mar 2026

Possible NvdaHelperRemote DLL Side-Loading Attempt (via image_load)

SOC Prime Team
17 Mar 2026

Suspicious CURL Usage (via cmdline)

SOC Prime Team
25 Mar 2026

Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)

SOC Prime Team
25 Mar 2026

Possible Google Docs Domain Being Resolved By Uncommon Process (via dns_query)

SOC Prime Team
25 Mar 2026

Virtual Hard Disk File was Created (via file_event)

SOC Prime Team
25 Mar 2026

IOCs (HashSha256) to detect: Iran conflict drives heightened espionage activity against Middle East targets

SOC Prime AI Rules
17 Mar 2026

IOCs (SourceIP) to detect: Iran conflict drives heightened espionage activity against Middle East targets

SOC Prime AI Rules
17 Mar 2026

IOCs (DestinationIP) to detect: Iran conflict drives heightened espionage activity against Middle East targets

SOC Prime AI Rules
17 Mar 2026

Detection of Suspicious Execution of nvdaHelperRemoteLoader.exe and VLCMediaPlayer.exe [Windows Process Creation]

SOC Prime AI Rules
17 Mar 2026

Detection of C&C Domains Associated with UNK_InnerAmbush and UNK_RobotDreams Campaigns [Windows Network Connection]

SOC Prime AI Rules
17 Mar 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary has obtained a compromised copy of nvdaHelperRemoteLoader.exe embedded with a malicious DLL (evil.dll). They place the binary in C:Temp and create a shortcut that points to it, triggering execution via a scheduled task (T1546.009). Simultaneously, they abuse the signed binary VLCMediaPlayer.exe (T1218) to launch a PowerShell payload that performs host fingerprinting. Both binaries are launched directly to ensure the process‑creation event contains the exact executable name required by the rule.

  • Regression Test Script:

    # -------------------------------------------------
    # Simulation script – triggers both detections
    # -------------------------------------------------
    # Set execution folder
    $binPath = "C:Temp"
    
    # 1. Deploy malicious nvdaHelperRemoteLoader.exe (placeholder copy)
    $nvdaSrc = "C:ToolsMocksnvdaHelperRemoteLoader.exe"   # <-- replace with real sample
    Copy-Item -Path $nvdaSrc -Destination "$binPathnvdaHelperRemoteLoader.exe" -Force
    
    # 2. Deploy malicious VLCMediaPlayer.exe (placeholder copy)
    $vlcSrc = "C:ToolsMocksVLCMediaPlayer.exe"           # <-- replace with real sample
    Copy-Item -Path $vlcSrc -Destination "$binPathVLCMediaPlayer.exe" -Force
    
    # 3. Execute nvdaHelperRemoteLoader.exe (simulating DLL sideloading)
    Write-Host "Launching nvdaHelperRemoteLoader.exe ..."
    Start-Process -FilePath "$binPathnvdaHelperRemoteLoader.exe" -WindowStyle Hidden
    
    # 4. Execute VLCMediaPlayer.exe to run a fingerprinting PowerShell one‑liner
    $psCmd = "Get-WmiObject Win32_OperatingSystem | Select-Object Caption,Version"
    Write-Host "Launching VLCMediaPlayer.exe with PowerShell payload ..."
    Start-Process -FilePath "$binPathVLCMediaPlayer.exe" `
        -ArgumentList "-I dummy --dummy-arg `"powershell -Command `$psCmd`" `" `
        -WindowStyle Hidden
    
    Write-Host "Simulation complete. Verify alerts in your SIEM."
  • Cleanup Commands:

    # Stop any lingering test processes
    Get-Process -Name "nvdaHelperRemoteLoader","VLCMediaPlayer" -ErrorAction SilentlyContinue |
        Stop-Process -Force
    
    # Remove the test binaries
    Remove-Item -Path "C:TempnvdaHelperRemoteLoader.exe","C:TempVLCMediaPlayer.exe" -Force -ErrorAction SilentlyContinue
    
    Write-Host "Cleanup finished."