State-Aligned Hackers from China, Iran, Belarus Escalate Espionage in Middle East

Heightened Middle East Conflict Drives Surge in Cyber-Espionage from Multiple State-Aligned Threat Actors

HIGH
March 11, 2026
Threat Actor · Cyberattack · Phishing

Related Entities

Threat Actors

  • UNK_InnerAmbush
  • TA402
  • TA473
  • TA453
  • Winter Vivern
  • Charming Kitten

Organizations

  • Proofpoint
  • Ministry of Foreign Affairs of Iraq

Other

  • Hamas

Full Report

Executive Summary

Amid a regional conflict, multiple state-aligned threat actors have intensified cyber-espionage operations against government and diplomatic targets across the Middle East. Research from Proofpoint has identified several distinct campaigns leveraging the conflict as a thematic lure to compromise high-value targets. The activity involves a mix of known and newly identified threat groups with suspected links to the governments of China, Iran, and Belarus, as well as Hamas-aligned actors. These groups are using sophisticated social engineering, often amplified by the use of compromised government email infrastructure, to conduct strategic intelligence gathering. This convergence of multiple threat actors on a single geopolitical hotspot highlights the role of cyber operations as an integrated part of modern statecraft and conflict.


Threat Overview

The report details a complex web of overlapping campaigns, all seeking to exploit the regional instability for intelligence gains.

Key Threat Actors and Campaigns:

  • UNK_InnerAmbush (Suspected China-aligned): This actor targeted Middle Eastern governments in early March 2026. It used a compromised email account to send phishing lures related to regional leaders, directing victims to a malicious Google Drive URL.
  • TA402 / Frankenstein (Iran-aligned): This group used a compromised email account from the Iraqi Ministry of Foreign Affairs to target entities with lures referencing a potential U.S. military operation in Iran. This demonstrates the use of one compromised government entity to target others.
  • TA473 / Winter Vivern (Belarus-aligned): This actor, not previously known for targeting the Middle East, was observed attacking government organizations in the region between March 3-5, 2026. This expansion of their target scope is a significant development.
  • TA453 / Charming Kitten (Iran-aligned): This well-known group continued its typical espionage activities, targeting a U.S.-based think tank focused on the region.
  • Hamas-aligned actors: These actors were also observed participating in the general increase in espionage activity.

The common thread is the use of the ongoing conflict as a powerful social engineering theme, making emails about military operations, diplomatic statements, or regional leaders highly likely to be opened by their intended targets.

Technical Analysis

The campaigns primarily rely on spear phishing as the initial access vector.

Impact Assessment

The collective impact of these campaigns is the widespread theft of sensitive government and diplomatic intelligence by multiple state actors. This intelligence can be used to:

  • Gain advantage in diplomatic negotiations.
  • Predict military or political actions.
  • Undermine regional stability.
  • Identify and track individuals of interest (dissidents, intelligence officers, etc.).

The targeting of a U.S. think tank by TA453 shows that the impact is not confined to the Middle East, as adversaries seek to understand and influence U.S. foreign policy.

Detection and Response

  • Email Security: Enhance email security gateways to detect phishing attempts, even from trusted or previously compromised senders. Look for suspicious links and mismatched sender names/addresses, and consult threat intelligence feeds for known malicious domains.
  • Identity and Access Management: Monitor for anomalous login activity, especially for government email accounts. A single account sending phishing emails to multiple other government entities is a major red flag.
  • User Training: Train diplomatic and government staff to be extremely cautious of emails related to the conflict, even if they appear to come from a legitimate source. Encourage verification of unexpected requests through separate communication channels.

Mitigation

  • Multi-Factor Authentication (MFA): Enforce MFA on all government email accounts to make them more resilient to compromise.
  • Threat Intelligence Sharing: Foster robust threat intelligence sharing between allied governments and cybersecurity partners to quickly identify and block campaigns from actors like TA473 as they expand their targeting.
  • Endpoint Protection: Use EDR solutions to detect and block post-exploitation activity, such as the execution of backdoors or reconnaissance commands.

Timeline of Events

  1. March 3, 2026: Belarus-aligned group TA473 begins targeting government organizations in Europe and the Middle East.
  2. March 11, 2026: This article was published.

MITRE ATT&CK Mitigations

Enforcing MFA on all email accounts, especially for government and diplomatic staff, makes it significantly harder for attackers to take over accounts even if they steal credentials.

Train high-value targets to recognize sophisticated spear phishing attacks that leverage current events and to verify unexpected requests out-of-band.

Use URL filtering and analysis to block links to known malicious sites and to inspect links leading to file-sharing services for malicious content.

D3FEND Defensive Countermeasures

To counter the espionage campaigns targeting Middle Eastern governments, it is crucial to implement robust Domain Account Monitoring. Since attackers are compromising and using legitimate government accounts (e.g., from the Iraqi Ministry of Foreign Affairs) to send phishing emails, detection must focus on anomalous account usage. Security teams should ingest email logs and identity provider logs into a SIEM. Create correlation rules that alert on a single account sending a high volume of similar emails to external government or diplomatic domains in a short period. Monitor for accounts that suddenly start sending emails with links to cloud storage platforms like Google Drive, especially if this is not normal behavior. Furthermore, track login locations and flag when an account authenticates from one country but is then used to send emails from a server in another. This technique helps turn a compromised 'trusted' account into a high-fidelity indicator of an ongoing attack.
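The three correlation checks described above (a burst of near-identical mail from one account to external government domains, unexpected cloud-storage links, and a login country that differs from the relaying server's country), written out as a small detection script. This is an added example, not code from the report or from Proofpoint; the accounts, domains, log fields, country codes and thresholds are all constructed or assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse
# Constructed sample records (not from the report): one compromised ministry
# account mails the same lure to several foreign ministries within minutes.
EMAIL_LOG = [
    {"sender": "press@mfa.example-iq.gov", "rcpt": "desk@mofa.example-a.gov", "ts": "2026-03-04T09:00:00",
     "subject": "Urgent: statement on US operation", "urls": ["https://drive.google.com/file/d/CONSTRUCTED/view"], "mta_country": "NL"},
    {"sender": "press@mfa.example-iq.gov", "rcpt": "protocol@mfa.example-b.gov", "ts": "2026-03-04T09:04:00",
     "subject": "URGENT: Statement on US operation", "urls": ["https://drive.google.com/file/d/CONSTRUCTED/view"], "mta_country": "NL"},
    {"sender": "press@mfa.example-iq.gov", "rcpt": "embassy@example-c.diplo.int", "ts": "2026-03-04T09:09:00",
     "subject": "urgent statement on US operation", "urls": ["https://drive.google.com/file/d/CONSTRUCTED/view"], "mta_country": "NL"},
    {"sender": "press@mfa.example-iq.gov", "rcpt": "staff@mfa.example-iq.gov", "ts": "2026-03-04T11:00:00",
     "subject": "Lunch menu", "urls": [], "mta_country": "IQ"},
]
# Constructed identity-provider events: where the account last authenticated from.
AUTH_LOG = [{"account": "press@mfa.example-iq.gov", "ts": "2026-03-04T08:50:00", "country": "IQ"}]
CLOUD_HOSTS = ("drive.google.com", "docs.google.com", "1drv.ms", "dropbox.com")
GOV_HINTS = (".gov", ".mil", ".diplo.")  # crude marker for government/diplomatic recipient domains
def normalize(subject):
    # Collapse case, punctuation and spacing so near-identical lures compare equal
    return " ".join(subject.lower().replace(":", " ").split())
def is_cloud_link(url):
    host = urlparse(url).netloc.lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS)
def detect(emails, auths, window=timedelta(hours=1), burst=3):
    alerts, by_sender = [], defaultdict(list)
    for e in emails:
        by_sender[e["sender"]].append(dict(e, t=datetime.fromisoformat(e["ts"])))
    login_country = {a["account"]: a["country"] for a in sorted(auths, key=lambda a: a["ts"])}
    for sender, msgs in by_sender.items():
        own = sender.split("@")[1]
        ext = sorted((m for m in msgs if m["rcpt"].split("@")[1] != own
                      and any(h in m["rcpt"] for h in GOV_HINTS)), key=lambda m: m["t"])
        # Rule 1: same lure to at least `burst` external government recipients inside `window`
        for i, m in enumerate(ext):
            run = [x for x in ext[i:] if x["t"] - m["t"] <= window and normalize(x["subject"]) == normalize(m["subject"])]
            if len(run) >= burst:
                alerts.append(("burst_to_gov_domains", sender, sorted({x["rcpt"].split("@")[1] for x in run})))
                break
        # Rule 2: links to consumer cloud storage in outbound mail to external governments
        cloud = {u for m in ext for u in m["urls"] if is_cloud_link(u)}
        if cloud:
            alerts.append(("cloud_storage_link", sender, sorted(cloud)))
        # Rule 3: account authenticated in one country but its mail left a relay in another
        for c in sorted({m["mta_country"] for m in ext}):
            if sender in login_country and c != login_country[sender]:
                alerts.append(("geo_mismatch", sender, f"login={login_country[sender]} mta={c}"))
    return alerts
```

In a real deployment the email and identity records would be pulled from the SIEM rather than embedded, and the burst threshold and window tuned against each account's normal sending pattern.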

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

Cyberespionage · State-Sponsored · APT · Middle East · Proofpoint · Phishing
