Telegram post from pro-Russia hacktivist groups | Image: Rapid7
A new report from Rapid7 Labs highlights a significant spike in retaliatory cyber activity targeting both regional and Western infrastructure, characterized by a mix of state-directed espionage and a “noisy layer” of hacktivism.
The campaign, which has been under continuous monitoring since early March, tracks activity involving Iran, Israel, and Western-aligned partners. While high-level threats exist, the report notes that “at present, the operational tempo is characterized more by disruption and signaling than by sustained espionage or destructive intrusions”.
Rapid7 categorizes the current threat landscape into two primary buckets:
- State-Directed Operations: Focused on espionage and data exfiltration, these operations are linked to known entities like MuddyWater/Seedworm and CyberAv3ngers. These groups are weaponizing high-impact vulnerabilities to gain initial footholds.
- Hacktivist Collectives: Groups such as Keymous+, DieNet, and NoName057(16) are generating “outsized visibility” through DDoS attacks and website defacements.
However, the report warns that much of the hacktivist noise is smoke and mirrors. “A major theme across this escalation is fabrication. Many of the breach claims circulating on Telegram and dark web forums are exaggerated or outright fake”. These actors often recycle old datasets to run psychological operations aimed at causing panic.
State-linked actors are not just making noise; they are actively exploiting critical vulnerabilities to establish persistence. Key CVEs identified in these campaigns include:
- CVE-2026-1281: A critical command injection flaw in Ivanti Endpoint Manager Mobile (EPMM) used as a zero-day by MuddyWater.
- CVE-2024-4577: An OS command injection vulnerability in PHP on Windows, tied to Void Manticore.
- CVE-2026-21514: A security bypass in Microsoft Word that allows attackers to circumvent OLE mitigations.
- CVE-2025-32433: A pre-authentication remote command execution (RCE) flaw in Erlang-based SSH servers. Threat actors can execute arbitrary root commands by sending specially crafted SSH packets, bypassing authentication entirely.
- CVE-2025-52691: An unauthenticated file upload flaw in SmarterTools SmarterMail. Attackers exploit a path traversal weakness via the guid variable to drop malicious files, such as webshells or malicious cron jobs.
- CVE-2025-9316: An unauthenticated session bypass vulnerability impacting N-able N-Central. Attackers frequently chain this with an XML External Entity (XXE) vulnerability to read highly sensitive local configuration and backup files from the host infrastructure.
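The SmarterMail entry above describes a path-traversal weakness reached through the `guid` parameter. The script below is an added example, not code from the article or from Rapid7, showing how a defender can triage web-server access logs for that pattern: it parses combined-format lines, decodes the `guid` value (including double percent-encoding) and flags any value containing a `..` path segment. The log lines and the `/api/upload` path are constructed for the example and are not the product's real endpoints.

```python
"""Flag web requests whose `guid` query parameter carries a path-traversal
payload, the weakness the summary ties to CVE-2025-52691.

All log lines below are CONSTRUCTED for this example; the request path
/api/upload is hypothetical, not the product's real endpoint.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." that forms a whole path segment (start/end or slash-delimited)
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so that
    %252e%252e%252f is eventually seen as ../ ."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if the decoded value contains a '..' path segment
    (backslashes are normalised so ..\\ is caught as well)."""
    normalised = decode_fully(value).replace('\\', '/')
    return TRAVERSAL_RE.search(normalised) is not None


def analyse_line(line, params=('guid',)):
    """Return a finding dict for a suspicious request, else None.
    `params` lists the query parameters to inspect; the page names `guid`."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line: skip rather than crash
    query = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
    for name in params:
        for raw in query.get(name, []):
            if has_traversal(raw):
                return {
                    'ip': m['ip'],
                    'ts': m['ts'],
                    'method': m['method'],
                    'param': name,
                    'decoded': decode_fully(raw).replace('\\', '/'),
                }
    return None


def scan(lines, params=('guid',)):
    """Run analyse_line over an iterable of log lines, keeping findings."""
    findings = (analyse_line(line, params) for line in lines)
    return [f for f in findings if f is not None]


# Constructed sample log: one benign upload, one traversal via single
# URL-encoding, one via double-encoding, one line with a malformed format.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:10:00:01 +0000] '
    '"POST /api/upload?guid=3f2a9b1c HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2026:10:00:07 +0000] '
    '"POST /api/upload?guid=..%2F..%2Fetc%2Fcron.d%2Fjob HTTP/1.1" 200 14',
    '198.51.100.9 - - [10/Mar/2026:10:00:09 +0000] '
    '"POST /api/upload?guid=%252e%252e%252fconfig HTTP/1.1" 200 14',
    'this line is not an access-log record',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Running the block prints the two findings (the single- and double-encoded requests); the benign upload and the malformed line are ignored. In production the same `analyse_line` function can be fed from a log shipper, and `params` can be widened beyond `guid` if other parameters of the same endpoint are later found to accept file paths.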