May 26, 2026

Iran UAE Cyberattacks Triple: APT34, Mint Sandstorm, and the Critical Infrastructure Defense Playbook


Iran-linked cyberattacks against UAE critical infrastructure tripled from 200,000 to 600,000 breach attempts per day within weeks of the February 28, 2026 joint US-Israeli military strikes inside Iran — a surge confirmed by UAE Cyber Security Council chief Mohamed Al Kuwaiti. The driving forces are a cluster of Iranian state-sponsored APT (Advanced Persistent Threat — a nation-state-backed hacking group conducting long-term, stealthy intrusion campaigns) groups: APT34/OilRig, Mint Sandstorm, and MuddyWater, operating alongside MOIS-affiliated (Iran's Ministry of Intelligence and Security — the primary Iranian civilian intelligence agency) hacktivist fronts. This guide maps their documented TTPs (Tactics, Techniques, and Procedures — the specific attack methods used by a threat actor, catalogued in the industry-standard MITRE ATT&CK framework) to MITRE ATT&CK technique IDs, provides network-level IOCs (Indicators of Compromise — observable artifacts that signal an intrusion: malicious domains, IP addresses, and file hashes), and delivers a prioritized hardening checklist for OT (Operational Technology — the industrial control systems and embedded computers that run physical infrastructure such as power grids, water treatment plants, and pipelines) environments currently under active targeting.

// 01 Iran UAE Cyberattacks: Scale and Attribution Context

On February 28, 2026, combined US-Israeli airstrikes hit targets inside Iran, triggering an immediate escalation across the cyber domain. Within days, daily breach attempts against UAE digital infrastructure climbed from approximately 200,000 to between 600,000 and 800,000, according to UAE Cyber Security Council data cited by Dark Reading. The targets are not opportunistic: government entities, municipalities, energy-sector organizations, and private-sector companies with Gulf-region presence are all explicitly in scope.

The character of the Iran UAE cyberattacks has also shifted. The National reports that Iranian operations have evolved from short-lived disruptive campaigns — website defacements and volumetric DDoS (Distributed Denial of Service — flooding a target with traffic to take it offline) — into sustained intrusion campaigns with ransomware deployment, data exfiltration, and destructive wipers (malware designed to permanently erase data and configurations from victim systems, maximizing recovery time and operational disruption). CSIS analysis frames this as a strategic shift from episodic disruption to a sustained campaign against critical infrastructure, with explicit spillover risk to US energy infrastructure and multinational companies with Gulf operations.

The underlying risk baseline in the region is already elevated. Nozomi Networks reports that 61% of vulnerabilities in Middle Eastern organizations are rated HIGH or CRITICAL by CVSS (the Common Vulnerability Scoring System — the 0–10 industry standard scale for vulnerability severity), compared to a 48% global average. Eight percent carry an EPSS (Exploit Prediction Scoring System — a probability score estimating the likelihood a vulnerability will be exploited in the wild within 30 days) score above 1%, double the global 4% rate. Organizations operating in the Gulf are, statistically, facing a harder-to-defend vulnerability landscape even before factoring in active nation-state targeting.

// 02 APT34 (OilRig / Earth Simnavaz): Primary Threat Actor

APT34 — tracked interchangeably as OilRig, Helix Kitten, EUROPIUM, and Earth Simnavaz — is the most extensively documented Iranian threat actor operating against UAE targets. The group operates on behalf of Iran's MOIS and has been active since at least 2014, with primary focus on government, energy, finance, and telecommunications sectors across the Middle East.

Trend Micro's Earth Simnavaz research documents APT34 actively exploiting CVE-2024-30088 — a Windows Kernel race condition that allows a local attacker to escalate privileges to SYSTEM level (the highest privilege level on a Windows machine, granting complete control) — against UAE and Gulf-region targets. Post-exploitation, the group deploys the STEALHOOK backdoor, a custom remote access tool that tunnels command-and-control traffic through Microsoft Exchange servers to blend with legitimate outbound mail traffic, making detection without dedicated mail-flow analysis extremely difficult.

SOC Prime's APT34 detection coverage and MITRE ATT&CK Group G0049 document the group's full technique set across the kill chain:

Initial Access

  • T1566.001 — Phishing: Spearphishing Attachment (weaponized Office documents embedded with macro droppers)
  • T1566.002 — Phishing: Spearphishing Link (credential-harvesting pages mimicking UAE government and banking portals)
  • T1566.003 — Phishing: Spearphishing via Service (attacks delivered through LinkedIn and web-based services)
  • T1586.002 — Compromise Accounts: Email Accounts (hijacking legitimate email accounts for internal spearphishing that bypasses sender reputation filters)

Execution

  • T1059.001 — Command and Scripting Interpreter: PowerShell
  • T1059.005 — Command and Scripting Interpreter: Visual Basic (macro-embedded VBS droppers delivered via Office documents)
  • T1203 — Exploitation for Client Execution (CVE-2024-30088 kernel exploit for privilege escalation)

Persistence

  • T1137.004 — Office Application Startup: Outlook Home Page (sets a malicious URL as the homepage for Outlook mail folders via registry, causing arbitrary code execution each time the folder is opened — a persistence technique that survives password resets and endpoint reboots)
  • T1543.003 — Create or Modify System Process: Windows Service (installing backdoors as Windows services)
  • T1053.005 — Scheduled Task/Job: Scheduled Task (time-triggered execution to maintain access between active sessions)

Command and Control

  • T1071.004 — Application Layer Protocol: DNS (DNS tunneling — encoding C2 commands inside DNS query strings — to exfiltrate data and receive instructions through firewall-allowed DNS traffic)
  • T1572 — Protocol Tunneling (wrapping C2 communications in legitimate application-layer protocols to evade deep packet inspection)
  • T1573.001 — Encrypted Channel: Symmetric Cryptography (encrypting C2 traffic to prevent payload inspection)

Lateral Movement

  • T1021.001 — Remote Services: Remote Desktop Protocol
  • T1021.004 — Remote Services: SSH
  • T1570 — Lateral Tool Transfer (moving tools between compromised hosts without external downloads)

Exfiltration

  • T1041 — Exfiltration Over C2 Channel
  • T1048.003 — Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (DNS-based data exfiltration, bypassing data loss prevention tools that only inspect HTTP/HTTPS)

// 03 Mint Sandstorm and MuddyWater: Supporting Iranian Actors

Mint Sandstorm (formerly tracked as PHOSPHORUS — Microsoft rebranded the group following Iran conflict escalation) is an MOIS-linked cluster focused on spear-phishing campaigns against think tanks, academics, defense contractors, and technology companies with UAE and Gulf-adjacent targeting. The group is known for rapid weaponization of recently disclosed vulnerabilities — organizations with patching cycles exceeding 14 days are statistically within the group's exploitation window.

MuddyWater (also tracked as Seedworm, MERCURY, and Static Kitten) operates under direct MOIS oversight and was the fourth-most-active Iranian actor globally in the second half of 2025, per Nozomi Networks threat intelligence. MuddyWater prioritizes manufacturing and transportation sectors — both core components of UAE critical infrastructure. Critically, the group uses legitimate remote management tools including Atera, ScreenConnect, and SimpleHelp as C2 (command-and-control — the communication channel between malware and the attacker's server) channels. Because these tools generate traffic that is indistinguishable from authorized remote administration sessions, detection requires behavioral baselines and agent-presence audits rather than signature-based blocking.

UNC1549 (also known as Crimson Sandstorm and Tortoiseshell) targets aerospace, aviation, and defense contractors with UAE presence. The group uses job-lure social engineering — fake LinkedIn recruiting messages with offer letters that deliver malware via GitHub-hosted payloads — making initial access difficult to distinguish from routine HR activity.

// 04 Hacktivist Amplifiers: The Noise Layer

Alongside state APT operations, MOIS-affiliated hacktivist fronts conduct high-volume attacks that amplify the total breach-attempt count, absorb defender attention, and provide plausible deniability for state operations:

Handala Hack is the most prominent pro-Iran hacktivist group active in the Gulf, conducting data theft, psychological operations, and claimed infrastructure compromise operations. (See our related coverage of Handala targeting US military forces in Bahrain.)

Cyber Av3ngers / Storm-0784 (CL-STA-1128) is attributed to Iran's IRGC (Islamic Revolutionary Guard Corps — Iran's primary military force, distinct from MOIS and responsible for external offensive operations). The group has documented capability against Unitronics PLCs (Programmable Logic Controllers — embedded computers that control industrial equipment such as pumps, valves, and motors) in water treatment and manufacturing facilities. CISA (the U.S. Cybersecurity and Infrastructure Security Agency) has named this group in multiple advisories targeting US and Gulf water infrastructure.

FAD Team (Fatimiyoun Cyber Team) conducts destructive wiper operations against government and private-sector targets, deploying data-wiping malware designed to cause operational disruption with extended recovery timelines. The group targets Rockwell Automation FactoryTalk, Allen-Bradley SCADA (Supervisory Control and Data Acquisition — software systems used to monitor and control industrial processes) devices, and Unitronics PLCs.

// 05 Indicators of Compromise

The following IOCs are sourced from Unit 42's April 2026 Iranian threat brief and Nozomi Networks APT tracking. Block or monitor these across email gateways, DNS resolvers, proxy logs, and EDR (Endpoint Detection and Response) telemetry.

Malicious Domains — Phishing and Credential Harvesting

| Domain | Type | Associated Activity |
|--------|------|---------------------|
| emiratescryptobank[.]com | Domain | UAE-themed investment fraud / credential theft |
| emiratesinvestunion[.]com | Domain | Financial institution impersonation phishing |
| emiratespost[.]traz[.]top | Domain | UAE postal service impersonation |
| dubai-polices[.]ae-finesquery[.]com | Domain | UAE government / police impersonation |
| bankiran[.]bet | Domain | Banking credential harvesting |

Malware Hosting Infrastructure

| Domain | Type | Notes |
|--------|------|-------|
| alpha.filehost36[.]sbs | Domain | StealC infostealer dropper hosting |
| hyperfilevault1[.]xyz | Domain | Malware payload hosting |
| media.megafilehost2[.]sbs | Domain | Malware payload hosting |

Malware Hash

| Hash | Algorithm | File | Notes |
|------|-----------|------|-------|
| 83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72 | SHA-256 | RedAlert APK | Malicious replica of UAE emergency notification app; delivers mobile surveillance payload |

Suspicious IP Addresses (C2 / Scanning Infrastructure)

| IP Address | Source |
|------------|--------|
| 37.1.213.152 | Nozomi Networks APT activity tracking |
| 184.75.210.206 | Nozomi Networks APT activity tracking |
| 162.0.230.185 | Nozomi Networks APT activity tracking |

// 06 Critical Infrastructure Defense: OT/ICS Hardening Checklist

Iran-linked actors have demonstrated specific OT targeting capability. Cyber Av3ngers has compromised Unitronics PLCs at water utilities; FAD Team targets FactoryTalk and Allen-Bradley SCADA systems. The Unit 42 brief documents active interest in ICS devices connected to energy, water, and manufacturing networks. (For context on how exposed OT interfaces become attack entry points, see our analysis of exposed VNC servers in ICS/OT environments.)

Apply the following controls in priority order.

Tier 1 — Immediate (Within 24 Hours)

1. Audit your external attack surface. Identify every internet-facing asset: VPN gateways, RDP (Remote Desktop Protocol — the Windows remote access service, commonly exposed on port 3389) endpoints, OT HMIs (Human-Machine Interfaces — the graphical consoles operators use to monitor and control industrial equipment), web applications, and historian servers. Use Shodan or Censys to verify what is visible externally. Any OT asset reachable directly from the public internet must be taken offline or placed behind a VPN with MFA (Multi-Factor Authentication) immediately.

2. Rotate default and weak credentials on all OT devices. Iranian actors exploit default credentials on PLCs and SCADA components before attempting any vulnerability exploitation. Run a credential audit against all OT devices using manufacturer default credential lists (available from ICS-CERT advisories). Enforce 16-character randomly generated passwords for all privileged accounts; disable shared service accounts.

3. Block the IOC list at the network perimeter. Push the domains and IPs listed above to DNS sinkholes (network configurations that redirect malicious domain lookups to a controlled, non-routable IP to prevent malware callbacks), firewall deny rules, and SIEM (Security Information and Event Management — a platform that aggregates and correlates security log data for threat detection) watchlists.

4. Verify patch status for CVE-2024-30088. This Windows Kernel race condition EoP (Elevation of Privilege) vulnerability is actively exploited by APT34 in UAE campaigns. Confirm the patch is applied across all Windows endpoints — particularly OT jump servers and engineering workstations — using the Microsoft Security Response Center advisory to identify the correct KB for your Windows version. Verify installation:


# List recent security updates to confirm CVE-2024-30088 patch is present
Get-HotFix | Where-Object {$_.Description -eq "Security Update"} |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, InstalledOn |
    Format-Table -AutoSize

Cross-reference the output KB numbers against the Microsoft advisory. If the applicable KB is absent, apply it before any other remediation step.

Tier 2 — Within 72 Hours

5. Segment IT and OT networks. A flat network connecting corporate IT and industrial OT segments is the single biggest force multiplier for any attacker who achieves initial access via a phishing email. Deploy a DMZ (Demilitarized Zone — a network segment that intermediates between IT and OT, preventing direct host-to-host communication) with unidirectional data diodes or strict stateful firewall rules. ISA/IEC 62443 (the international industrial cybersecurity standard published jointly by the International Society of Automation and the International Electrotechnical Commission) mandates zone-and-conduit segmentation as a baseline architectural control. At minimum, OT engineering workstations should not have unrestricted outbound internet access.

6. Enable DNS query logging and alert on tunneling patterns. APT34 uses DNS tunneling (T1071.004) to exfiltrate data and maintain C2 communications through firewall-allowed DNS traffic. Configure your DNS resolver to log all outbound queries, then alert on:

  • Hostnames exceeding 50 characters in the subdomain portion
  • Query rates exceeding 100 requests per minute to the same second-level domain
  • Any query resolving to the IOC IPs listed above

# BIND9: enable query logging for DNS tunneling detection
logging {
    channel query_log {
        file "/var/log/named/queries.log" versions 5 size 50m;
        severity info;
        print-time yes;
    };
    category queries { query_log; };
};

For Windows environments, enable DNS debug logging via dnscmd /config /logLevel 0x6101 and ingest logs into your SIEM for correlation.
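As an added example (not code from the original article), the three alert conditions above implemented in Python over constructed BIND9 query-log lines in the format the logging stanza produces. The IOC domain set is the refanged contents of the section 05 tables; the "second-level domain" is simplified to the last two labels, and the sample log lines are constructed, not a real capture.

```python
import re
from collections import Counter

# Thresholds taken from the checklist item above.
MAX_SUBDOMAIN_LEN = 50   # characters left of the second-level domain
MAX_QPM_PER_SLD = 100    # queries per minute to the same second-level domain

# Phishing and malware-hosting domains from the IOC tables above, refanged for matching.
IOC_DOMAINS = {
    "emiratescryptobank.com", "emiratesinvestunion.com", "emiratespost.traz.top",
    "dubai-polices.ae-finesquery.com", "bankiran.bet", "alpha.filehost36.sbs",
    "hyperfilevault1.xyz", "media.megafilehost2.sbs",
}

# BIND9 query-log line as written by the logging stanza above (print-time yes):
#   DD-Mon-YYYY HH:MM:SS.mmm client @0x... <ip>#<port> (<name>): query: <name> IN <type> ...
LINE_RE = re.compile(
    r"^(?P<minute>\d{2}-\w{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d+ .*?client .*?"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (?P<name>\S+) IN (?P<qtype>\S+)")

def second_level_domain(name):
    """Last two labels (simplification: ignores multi-label public suffixes such as co.uk)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def subdomain_length(name):
    """Length of everything left of the second-level domain, dots included."""
    labels = name.rstrip(".").lower().split(".")
    return len(".".join(labels[:-2])) if len(labels) > 2 else 0

def is_ioc(name):
    """Exact or subdomain match against the IOC domain list."""
    return any(name == ioc or name.endswith("." + ioc) for ioc in IOC_DOMAINS)

def analyze(lines):
    """Return (rule, client_ip, detail) alerts for a batch of BIND query-log lines."""
    alerts = []
    per_minute = Counter()  # (minute, client, sld) -> query count
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line
        name, client, minute = m["name"].rstrip(".").lower(), m["client"], m["minute"]
        if subdomain_length(name) > MAX_SUBDOMAIN_LEN:
            alerts.append(("long_subdomain", client, name))
        if is_ioc(name):
            alerts.append(("ioc_domain", client, name))
        per_minute[(minute, client, second_level_domain(name))] += 1
    for (minute, client, sld), count in sorted(per_minute.items()):
        if count > MAX_QPM_PER_SLD:
            alerts.append(("query_rate", client, f"{count} queries to {sld} in minute {minute}"))
    return alerts

def _log_line(sec, client, name, qtype="A"):
    """Build a constructed query-log line (sample data, not a real capture)."""
    return (f"26-May-2026 10:15:{sec:02d}.000 client @0x7f3a1c001560 {client}#51234 "
            f"({name}): query: {name} IN {qtype} +E(0)K (10.20.30.1)")

# Constructed sample: two benign lookups, one hex-encoded tunnel label (64 chars),
# one lookup of an IOC subdomain, and a 120-query burst to one domain in a single minute.
SAMPLE_LOG = [
    _log_line(1, "10.20.30.5", "www.example.com"),
    _log_line(2, "10.20.30.5", "mail.example.com", "MX"),
    _log_line(3, "10.20.30.7", "61626364" * 8 + ".tunnel-example.test", "TXT"),
    _log_line(4, "10.20.30.9", "login.emiratescryptobank.com"),
] + [_log_line(i % 60, "10.20.30.7", f"{i:04x}.c2-example.test", "TXT") for i in range(120)]
```

Running `analyze(SAMPLE_LOG)` yields one alert per rule: the long label, the IOC subdomain lookup, and the 120-query burst from 10.20.30.7.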

7. Deploy Sigma detection for APT34 Outlook Home Page persistence (T1137.004). The STEALHOOK backdoor and related APT34 implants register malicious URLs as Outlook folder home pages via registry modification, causing code execution each time the folder is opened. Detect this with:


title: APT34 Outlook Home Page Persistence (T1137.004)
status: experimental
logsource:
  category: registry_event
  product: windows
detection:
  selection:
    EventType: SetValue
    TargetObject|contains:
      - 'OutlookWebViewInboxURL'
      - 'OutlookWebViewSent ItemsURL'
      - 'OutlookWebViewDeleted ItemsURL'
      - 'OutlookWebViewCalendarURL'
  condition: selection
falsepositives:
  - Legitimate Outlook customization by enterprise administrators (rare)
level: high
tags:
  - attack.persistence
  - attack.t1137.004

Feed this rule into your SIEM. Alert on any match and correlate with parent process — legitimate Outlook configuration is typically performed by administrative tooling, not by outlook.exe or PowerShell directly.

8. Monitor OT engineering workstations for anomalous ICS tool execution. Iranian actors pivot from compromised IT hosts to OT engineering workstations — the Windows machines used to program and configure PLCs. Deploy behavioral monitoring that alerts on:

  • Execution of FactoryTalk.exe, RSLinx.exe, or Studio 5000 from unexpected parent processes (e.g., spawned by PowerShell or a browser)
  • CIP (Common Industrial Protocol — the communication standard used by Rockwell Automation Allen-Bradley PLCs) traffic originating from hosts that are not registered as engineering stations in your asset inventory
  • Unexpected program download events to PLCs, detectable via ICS-aware network monitoring tools such as NSA GRASSMARLIN or Nozomi Networks

Tier 3 — Ongoing

9. Maintain offline backups of all PLC programs and OT configurations. Wiper malware deployed by FAD Team and Cyber Av3ngers specifically targets PLC ladder logic, historian databases, and HMI project files to maximize recovery time and operational disruption. Store a complete offline, air-gapped (physically disconnected from all networks) copy of all PLC programs, engineering configurations, historian snapshots, and HMI project files. Test restoration procedures quarterly.

10. Subscribe to machine-readable Iranian APT threat intelligence feeds. Unit 42's active 2026 brief, Nozomi Networks OT threat intelligence, and CISA's Iranian threat advisories provide near-real-time IOC updates. Automate IOC ingestion into your SIEM and firewall via STIX/TAXII (Structured Threat Information eXpression / Trusted Automated eXchange of Intelligence Information — the industry-standard formats for sharing machine-readable threat intelligence between platforms) feeds. Block-list updates should propagate to network controls within 15 minutes of ingestion, not 24 hours.
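Steps 3 and 10 together, as an added example that is not the article's own code: parse a STIX 2.1 indicator bundle, skip revoked and expired indicators, and render a BIND response-policy zone (RPZ) that returns NXDOMAIN for the IOC domains and their subdomains and triggers on answers resolving to the IOC IPs. The bundle, its object ids and the FIXED_NOW reference time are constructed; the two live indicator values come from the section 05 tables, and loading the zone through `response-policy { zone "..."; };` in named.conf is assumed to be configured separately.

```python
import re
from datetime import datetime, timezone

# One comparison inside a STIX 2.1 indicator pattern, e.g.
#   [domain-name:value = 'bankiran.bet' OR ipv4-addr:value = '37.1.213.152']
COMPARISON_RE = re.compile(r"(domain-name|ipv4-addr):value\s*=\s*'([^']+)'")

# Constructed reference time for the sample below (real runs use datetime.now(timezone.utc)).
FIXED_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)

def extract_iocs(bundle, now=None):
    """Return (domains, ips) from a STIX bundle, skipping revoked or expired indicators."""
    now = now or datetime.now(timezone.utc)
    domains, ips = set(), set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
            continue  # indicator has expired; do not keep blocking it
        for kind, value in COMPARISON_RE.findall(obj.get("pattern", "")):
            (domains if kind == "domain-name" else ips).add(value.lower())
    return domains, ips

def rpz_zone(domains, ips, serial):
    """Render a BIND RPZ: 'CNAME .' means NXDOMAIN for QNAME triggers; rpz-ip triggers
    (prefix length, then reversed octets) act on answers resolving to the IOC IPs."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for domain in sorted(domains):
        lines += [f"{domain} CNAME .", f"*.{domain} CNAME ."]   # domain and all subdomains
    for ip in sorted(ips):
        lines.append(f"32.{'.'.join(reversed(ip.split('.')))}.rpz-ip CNAME .")
    return "\n".join(lines) + "\n"

def bundle_to_rpz(bundle, serial, now=None):
    """End-to-end: STIX bundle in, RPZ zone text out."""
    return rpz_zone(*extract_iocs(bundle, now), serial)

def _indicator(num, pattern, **extra):
    """Constructed minimal STIX indicator (timestamps and other required fields trimmed)."""
    return {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
            "id": f"indicator--00000000-0000-4000-8000-00000000000{num}",
            "pattern": pattern, **extra}

# Constructed bundle: two live indicators (values from the IOC tables above), one revoked,
# one expired, and a non-indicator object that must be ignored.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _indicator(1, "[domain-name:value = 'emiratescryptobank.com']"),
        _indicator(2, "[domain-name:value = 'bankiran.bet' OR ipv4-addr:value = '37.1.213.152']",
                   valid_until="2027-01-01T00:00:00Z"),
        _indicator(3, "[domain-name:value = 'retired-example.test']", revoked=True),
        _indicator(4, "[ipv4-addr:value = '203.0.113.9']", valid_until="2026-01-01T00:00:00Z"),
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000009",
         "name": "Feed Provider (constructed)"},
    ],
}
```

Regenerating the zone on every feed poll and bumping the serial is what keeps the 15-minute propagation target in step 10 achievable; expired indicators drop out of the zone automatically.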

// 07 Conclusion

Iran UAE cyberattacks surged to 600,000–800,000 breach attempts per day following the February 2026 military escalation — not a temporary spike but a sustained campaign by professionally organized state APT groups with confirmed OT targeting capability. APT34/OilRig and its Earth Simnavaz cluster represent the primary threat, with active exploitation of CVE-2024-30088 and STEALHOOK backdoor deployment confirmed in regional campaigns; Mint Sandstorm, MuddyWater, and Cyber Av3ngers amplify the attack surface across energy, water, and manufacturing verticals. Security teams responsible for UAE and Gulf-region infrastructure should treat the Tier 1 checklist above as immediate action items — specifically patching CVE-2024-30088, auditing external OT exposure, and pushing the IOC block-list to network controls today.

Team Ciphers Security
The Ciphers Security editorial team: practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
