StealC delivery flow | Image: Zscaler ThreatLabz
Zscaler ThreatLabz is currently tracking a significant surge in cybercriminal operations that capitalize on the elevated political climate in the Middle East, ranging from targeted espionage to opportunistic financial scams.
The scale of this activity is immense. ThreatLabz has identified over 8,000 newly registered domains featuring keywords tied directly to the Middle East political situation and conflict-themed events. While many of these domains currently lack content, researchers warn they may be “weaponized or used in threat campaigns in the near future”.
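The report's finding that thousands of conflict-themed domains were registered recently but are still empty is what a defender can act on before any payload appears: treat "newly registered" plus "thematic keyword" as a triage signal in proxy or DNS logs. The script below is an added example, not Zscaler ThreatLabz code; the log format, keyword list, registration dates and domain names are constructed for illustration, and the registration lookup stands in for a real WHOIS/RDAP or newly-registered-domain feed.

```python
"""Triage proxy/DNS log lines for newly registered, conflict-themed domains.

Added example (not Zscaler ThreatLabz code). The log lines, keyword list and
registration dates below are constructed; in practice the dates would come
from an RDAP/WHOIS lookup or a newly-registered-domain (NRD) feed.
"""
import re
from datetime import date

# Constructed keyword list modelled on the themes the report describes.
THEME_KEYWORDS = ("iran", "gulf", "missile", "strike", "bahrain", "relief", "donate")

# Constructed registration dates keyed by registrable domain (stand-in for an NRD feed).
REGISTRATION_DATES = {
    "gulf-strike-news.example": date(2026, 3, 2),
    "bahrain-relief-fund.example": date(2026, 3, 5),
    "corp-intranet.example": date(2015, 6, 1),
    "weather-today.example": date(2026, 2, 28),
}

# Constructed proxy log: "<timestamp> <source ip> <host> <http status>".
SAMPLE_LOG = """\
2026-03-10T08:01:12Z 10.0.0.15 www.gulf-strike-news.example 200
2026-03-10T08:02:40Z 10.0.0.22 bahrain-relief-fund.example 200
2026-03-10T08:03:05Z 10.0.0.15 corp-intranet.example 200
2026-03-10T08:04:51Z 10.0.0.31 weather-today.example 200
""".splitlines()

AS_OF = date(2026, 3, 10)  # analysis date for the constructed sample

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<status>\d{3})$")


def registrable_domain(host):
    # Naive: keep the last two labels. Adequate for the sample; a real
    # deployment should use the Public Suffix List instead.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def matched_keywords(domain):
    # Tokenise on dots and hyphens so "gulf-strike-news" yields whole words,
    # which avoids substring false positives such as "iran" inside "veteran".
    tokens = set(re.split(r"[.\-_]", domain.lower()))
    return [k for k in THEME_KEYWORDS if k in tokens]


def triage(log_lines, today=AS_OF, max_age_days=30):
    """Return findings for hosts that are newly registered, themed, or both."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        domain = registrable_domain(m["host"])
        hits = matched_keywords(domain)
        registered = REGISTRATION_DATES.get(domain)
        age = (today - registered).days if registered else None
        is_new = age is not None and age <= max_age_days
        if hits and is_new:
            severity = "high"      # both signals: themed AND registered recently
        elif hits or is_new:
            severity = "medium"    # one signal: worth a look, not an alert on its own
        else:
            continue
        findings.append({
            "domain": domain, "src": m["src"], "keywords": hits,
            "age_days": age, "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["severity"].upper(), f["domain"], f["keywords"], f"age={f['age_days']}d", f["src"])
```

The two-signal scoring matters: a recently registered domain with no thematic keyword (weather-today.example in the sample) is common and only rates "medium", while a themed domain registered within the last month is exactly the "registered now, weaponized later" pattern the report warns about and is worth blocking or sinkholing ahead of time.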
Attackers are using a diverse array of hooks to snare victims, often tailoring their content to blend into regional developments.
- Targeted GCC Attacks: In March 2026, researchers observed a ZIP archive disguised as photos of missile strikes in Bahrain. This attack utilized a complex chain involving a Windows shortcut (LNK) file and a malicious Compiled HTML Help (CHM) file to ultimately deploy a backdoor.
- The LOTUSLITE Backdoor: Threat actors associated with Mustang Panda have been seen rapidly weaponizing themes tied to active geopolitical events. Using lures named “Iran Strikes U.S. Military Facilities Across Gulf Region.exe,” they deploy the LOTUSLITE backdoor via DLL sideloading.
- Fake News Blogs: Malicious “news” sites are being used to distribute StealC malware. These sites detect the visitor’s device type (smartphone or desktop) in order to serve the most effective payload. As the report states: “The victim visits the fake news blog site… The JavaScript fetches and runs a remote script [to collect] cookies and device details”.
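The Bahrain lure above is a ZIP archive posing as photographs but carrying an LNK shortcut and a CHM help file. That combination is easy to catch at the mail gateway or on an analyst's workstation by looking at both member extensions and the first bytes of each member, since a disguised shortcut keeps its LNK header no matter what name it is given. The script below is an added example, not Zscaler ThreatLabz code; it builds a constructed archive in memory that mirrors the described layout and inspects it with the standard library. The LNK header bytes (0x4C header size followed by the shell link CLSID) and the CHM `ITSF` signature are the real file magics; everything else is constructed.

```python
"""Inspect a ZIP archive for LNK/CHM members hiding among "photos".

Added example (not Zscaler ThreatLabz code). The archive contents are
constructed to mirror the described lure: a decoy image plus LNK and CHM files.
"""
import io
import zipfile

# Real file signatures: a shell link starts with the 0x4C header size and the
# shell link CLSID {00021401-0000-0000-C000-000000000046} in little-endian form;
# a compiled HTML help file starts with "ITSF".
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
CHM_MAGIC = b"ITSF"
EXPECTED_EXT = {"lnk": ".lnk", "chm": ".chm", "pe": ".exe"}
RISKY_EXT = {".lnk", ".chm", ".exe", ".hta", ".scr", ".js", ".vbs"}


def sniff(head):
    """Classify a member from its first bytes, independent of its name."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(CHM_MAGIC):
        return "chm"
    if head.startswith(b"MZ"):
        return "pe"
    return None


def extension_of(name):
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_zip(blob):
    """Return a list of (member name, reasons) for members worth blocking or reviewing."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = extension_of(info.filename)
            with zf.open(info) as fh:
                kind = sniff(fh.read(64))
            reasons = []
            if ext in RISKY_EXT:
                reasons.append(f"risky extension {ext}")
            if kind and ext != EXPECTED_EXT[kind]:
                reasons.append(f"{kind} content with {ext or 'no'} extension")
            if ext in RISKY_EXT and info.filename.rsplit("/", 1)[-1].count(".") >= 2:
                reasons.append("double extension")  # e.g. strike_02.jpg.lnk
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_archive():
    """Constructed lure-style archive: decoy JPEG, disguised LNK, CHM, text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/strike_01.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG SOI header
        zf.writestr("photos/strike_02.jpg.lnk", LNK_MAGIC + b"\x00" * 32)      # shortcut posing as a photo
        zf.writestr("photos/viewer.chm", CHM_MAGIC + b"\x00" * 32)             # compiled HTML help file
        zf.writestr("photos/thumb", LNK_MAGIC + b"\x00" * 32)                  # LNK bytes with no extension
        zf.writestr("photos/README.txt", b"constructed sample archive")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_archive()):
        print(name, "->", "; ".join(reasons))
```

Checking the header bytes as well as the extension is the point: renaming the shortcut or stripping its extension (the `photos/thumb` member) defeats an extension-only rule but not the magic check, and Windows Explorer hides the `.lnk` suffix by default, so `strike_02.jpg.lnk` is exactly what a "photo" lure looks like to the recipient.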
Beyond espionage, the conflict has birthed a wave of scams designed to harvest data or steal funds directly from concerned citizens.
- Government Impersonation: Fraudulent replicas of the US Social Security Administration (SSA) portal have been discovered. These sites trick users into downloading PDQConnect, a legitimate remote management tool that threat actors can use to gain full system access.
- Payment Phishing: Scammers are targeting regional users with fake payment sites, such as a fraudulent Kvish 6 toll payment gateway in Israel. These pages collect license details and IP addresses before prompting for credit card information.
- Donation and Merchandise Scams: Researchers have found numerous fake humanitarian relief sites and storefronts selling “support” apparel. These often route payments to suspicious cryptocurrency wallets rather than verified charities.
To protect against these opportunistic campaigns, ThreatLabz emphasizes that organizations must go beyond basic awareness. Key recommendations include:
- Minimize the Attack Surface: Make vulnerable apps and VPNs “invisible to the internet” so attackers cannot gain an initial foothold.
- Enforce Least Privilege: Restrict permissions based on identity and context, ensuring users only access the specific resources they need.
- Cultivate a Security Culture: Because many breaches begin with a single compromised account, “prioritizing regular cybersecurity awareness training can help reduce this risk”.