Threat actors linked to Iran and their TTPs: targeting of financial services in Europe
Given the escalating conflict between Iran, Israel, and the US, which began on February 28, 2026, European financial services organizations face a multi-directional threat landscape from both state-sponsored APTs and proxy hacktivist groups.
Key threat actors to monitor
#1: Seedworm / Muddywater (Static Kitten) – Symantec researchers identified the Iranian APT group Seedworm conducting an intrusion campaign against multiple US organizations as early as February 2026, targeting entities including a US bank, a software company, airports, and NGOs in the US and Canada. Directly targeting a bank shows a clear intention to compromise financial institutions. Seedworm, also tracked as Muddywater, TEMP.Zagros, and Static Kitten, is assessed by CISA to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).
#2: OilRig (APT34/Helix Kitten) – OilRig primarily targets financial services, defense contractors, and energy organizations via spear-phishing and credential harvesting. The group specializes in cyber espionage, using modular malware, PowerShell-based tools, DNS tunneling for C2, and custom backdoors such as Helminth and QUADAGENT. In 2025 it targeted US transportation and manufacturing organizations, refining its tradecraft after the 2019 tool leak to improve credential theft and network persistence.
#3: TA453 / Charming Kitten (Damselfly, Mint Sandstorm, APT42) – On March 8, Proofpoint observed TA453 conducting a credible phishing attempt against a US think tank. The email exchange behind this attempt began before the conflict, indicating that TA453 continues to prioritize intelligence collection against its traditional target set. Charming Kitten, active since 2014 and linked to the IRGC, distributes PowerStar malware, exploits Microsoft Exchange vulnerabilities, and uses password spraying, carrying out espionage through spear-phishing with fake personas and compromised email accounts. Most recently, in 2024, it targeted US election-related accounts and Israeli cybersecurity experts with benign-looking PDFs used as lures for credential harvesting.
#4: TA473 / Winter Vivern (Belarus-aligned) – Between March 3 and 5, 2026, the Belarus-aligned threat actor TA473 sent emails to government organizations in Europe and the Middle East. The messages originated from potentially compromised infrastructure and claimed to come from a spokesperson for the President of the European Council. The phishing email carried an HTML attachment titled “EU Statement on the Situation in Iran and the Middle East.html”. Notably, Proofpoint had not previously seen TA473 target Middle Eastern government organizations. This broadening of targeting makes the actor particularly relevant for European institutions.
Hacktivist groups
Handala: Known for attacking Israeli organizations and entities that support Israel through phishing, data theft, ransomware, extortion, and destructive attacks, including the use of custom wipers.
DieNet: The pro-Palestinian hacktivist group DieNet launched high-volume distributed denial-of-service attacks against US critical infrastructure sectors, including energy, finance, healthcare, and transportation, using amplification techniques and DDoS-as-a-service infrastructure to disrupt operations.
TTPs to monitor
Initial access
Spear-phishing (T1566): Campaigns relied heavily on the conflict as topical lure material to engage targets and often sent phishing emails from compromised accounts belonging to government organizations.
Credential harvesting (T1056.003): Over the past year, multiple reports on Iran-backed groups repeatedly highlighted credential attacks and mailbox compromise as a means of gaining initial access and collecting intelligence.
Password spraying (T1110.003): Organizations should monitor for password-spraying attempts: authentication failures from unusual geographic locations, outside normal working hours, or spread across many user accounts from a single source, including sources inside VPN infrastructure such as NordVPN endpoints.
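The password-spraying signal described above (one source failing against many distinct accounts in a short window, scored by off-hours timing and unusual geography) can be implemented as a simple sliding-window detector over authentication logs. The following is an added example, not code from the article or from any of the vendors it cites; the CSV log format, the sample log lines, the allowed-country list and the working-hours range are all constructed assumptions for the demo.

```python
"""Sliding-window password-spray detector over authentication logs.

Added example (not from the original article). Flags a source IP whose
failed logins hit at least MIN_DISTINCT_USERS distinct accounts within
WINDOW, and annotates the alert with off-hours and unusual-geo flags plus
whether the same source later produced a successful login (a likely
compromised account). The log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,user,src_ip,country,result"
SAMPLE_LOG = """\
2026-03-04T02:11:05,alice,203.0.113.7,RO,FAIL
2026-03-04T02:11:09,bob,203.0.113.7,RO,FAIL
2026-03-04T02:11:14,carol,203.0.113.7,RO,FAIL
2026-03-04T02:11:20,dave,203.0.113.7,RO,FAIL
2026-03-04T02:11:27,erin,203.0.113.7,RO,FAIL
2026-03-04T02:11:33,frank,203.0.113.7,RO,SUCCESS
2026-03-04T09:15:00,alice,198.51.100.4,DE,FAIL
2026-03-04T09:15:30,alice,198.51.100.4,DE,FAIL
2026-03-04T09:16:00,alice,198.51.100.4,DE,SUCCESS
"""

ALLOWED_COUNTRIES = {"DE", "FR", "NL"}  # assumption: where the workforce normally signs in from
WORK_HOURS = range(7, 20)               # assumption: 07:00-19:59 local time counts as working hours
WINDOW = timedelta(minutes=10)          # how close together the failures must be
MIN_DISTINCT_USERS = 5                  # distinct accounts per source before we call it a spray


def parse_log(text):
    """Parse the constructed CSV format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country, "result": result})
    return events


def detect_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return one alert dict per source IP that sprays >= min_users accounts inside `window`.

    Failures are bucketed per IP and scanned with a two-pointer sliding window;
    the first window that reaches the threshold produces the alert.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append(e)

    alerts = []
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users:
                first = fails[start]
                alerts.append({
                    "ip": ip,
                    "distinct_users": len(users),
                    "off_hours": first["ts"].hour not in WORK_HOURS,
                    "unusual_geo": first["country"] not in ALLOWED_COUNTRIES,
                    # a success from the spraying IP after the spray began is the
                    # strongest sign that one of the accounts was actually compromised
                    "followed_by_success": any(
                        e["ip"] == ip and e["result"] == "SUCCESS" and e["ts"] >= first["ts"]
                        for e in events),
                })
                break  # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, the Romanian source hits five accounts in under a minute at 02:11, outside working hours, and then logs in successfully as a sixth user, so it is flagged on all counts; the German source is a single user mistyping their password twice and is not flagged. In production the country field would come from a GeoIP lookup on the source address, and the thresholds should be tuned against a baseline of normal failure rates.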
Execution and persistence
New backdoors – Dindoor and Fakeset: Seedworm deployed a previously unknown backdoor called Dindoor, which uses the Deno runtime to execute JavaScript and TypeScript and was signed with certificates issued to “Amy Cherney”. A separate Python backdoor called Fakeset was found on US airport and non-profit networks, signed with certificates issued to “Amy Cherney” and “Donald Gay”.
Muddywater – new malware (Operation OlaLampo): First observed on January 26, 2026, Muddywater deployed several new malware variants, including a Rust backdoor called CHAR that uses Telegram bots as a command-and-control (C2) channel. Researchers identified indicators suggesting AI-assisted malware development.
DLL sideloading (T1574.002): A benign signed executable vulnerable to DLL sideloading (“nvdaHelperRemoteLoader.exe”) is executed and loads the malicious loader DLL “nvdaHelperRemote.dll”, which decrypts the Cobalt Strike payload from WinHlp.hlp and loads it into memory.
Data exfiltration (T1537): Attackers attempted to exfiltrate data from a software company by using Rclone to transfer backups to a Wasabi cloud storage bucket. Financial institutions should pay particular attention to unauthorized use of tools such as Rclone.
Destructive capabilities (T1485): Iran has demonstrated the capability to conduct destructive cyberattacks using wiper malware, including landmark operations such as the Shamoon attack against Saudi Arabia’s oil industry and the BiBi wiper attack against Israeli targets.
DDoS (T1498): Groups have reportedly carried out high-volume attacks via DDoS-as-a-service infrastructure, including TCP RST, DNS amplification, TCP SYN flood, and NTP amplification attacks, alongside website defacement and data breaches.
Defensive recommendations
Enable multi-factor authentication on all remote access, disable legacy authentication protocols, and enforce conditional access policies based on location and device risk.
Search the environment for the presence of the Deno runtime or unauthorized Python scripts, which may indicate a Dindoor or Fakeset infection. Monitor for unauthorized use of data exfiltration tools such as Rclone, especially large outbound transfers to external cloud storage platforms such as Wasabi or Backblaze.
Given warnings that Iranian actors may escalate to disruptive or destructive actions, organizations should validate network segmentation, protect and isolate backups, test recovery procedures, and ensure there is monitoring for shadow copy deletion, large-scale job creation, suspicious administrative command execution, and attempts to disable security tooling.
Threat intelligence signatures associated with Iranian APT groups should be updated on a rolling basis, with real-time feeds enabled and newly published IOCs reviewed without delay. It is equally important to reduce the external attack surface – default credentials should be changed across all assets, especially in OT and IoT devices that often remain unattended for long periods.
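Several of the behaviours listed under “Execution and persistence” and in the recommendations above (Rclone transfers to external cloud storage, the nvdaHelperRemoteLoader.exe / nvdaHelperRemote.dll sideload, shadow copy deletion, and attempts to disable security tooling) are all visible in process-creation and image-load telemetry. The following added example, which is not code from the article or any vendor, shows a small rule-based triage pass over such events. The event schema (a dict with `type`, `image`, `cmdline` and `loaded` fields), the sample events, the cloud-storage hostname hints and the trusted NVDA install directories are all constructed assumptions; the two technique IDs not on the page (T1490 and T1562.001) are standard MITRE ATT&CK identifiers.

```python
"""Rule-based triage of process-creation and image-load events.

Added example (not from the original article). Each rule is a predicate over
a constructed event dict; `triage` returns the rules that fire per event so
the result can be fed to a SIEM or reviewed by an analyst. Sample events,
hostname hints and trusted directories are constructed for the demo.
"""
import re

# Assumption: remote names / hostnames that indicate an external object store
CLOUD_STORAGE_HINTS = ("wasabisys.com", "backblazeb2.com", "s3.", "b2:", "wasabi:")
# Assumption: where the legitimate NVDA screen-reader helper DLL normally lives
TRUSTED_DLL_DIRS = ("c:\\program files\\nvda\\", "c:\\program files (x86)\\nvda\\")

RULES = [
    # (rule name, ATT&CK technique, predicate)
    ("rclone-to-cloud", "T1537",
     lambda e: e["type"] == "process"
               and e["image"].lower().endswith("rclone.exe")
               and any(h in e["cmdline"].lower() for h in CLOUD_STORAGE_HINTS)),
    ("nvda-dll-sideload", "T1574.002",
     lambda e: e["type"] == "imageload"
               and e["image"].lower().endswith("nvdahelperremoteloader.exe")
               and e["loaded"].lower().endswith("nvdahelperremote.dll")
               # the signed loader pulling its DLL from outside its install dir is the tell
               and not e["loaded"].lower().startswith(TRUSTED_DLL_DIRS)),
    ("shadow-copy-deletion", "T1490",
     lambda e: e["type"] == "process" and re.search(
         r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
         e["cmdline"], re.I)),
    ("security-tool-tamper", "T1562.001",
     lambda e: e["type"] == "process" and re.search(
         r"Set-MpPreference\s+-Disable\w+\s+\$?true", e["cmdline"], re.I)),
]

# Constructed sample telemetry: two true positives per category plus benign look-alikes
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Backups wasabi:corp-backup-2026 --transfers 16", "loaded": ""},
    {"type": "imageload", "image": "C:\\Users\\Public\\nvdaHelperRemoteLoader.exe",
     "cmdline": "", "loaded": "C:\\Users\\Public\\nvdaHelperRemote.dll"},
    {"type": "imageload", "image": "C:\\Program Files (x86)\\NVDA\\nvdaHelperRemoteLoader.exe",
     "cmdline": "", "loaded": "C:\\Program Files (x86)\\NVDA\\nvdaHelperRemote.dll"},
    {"type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "loaded": ""},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command \"Set-MpPreference -DisableRealtimeMonitoring $true\"",
     "loaded": ""},
    {"type": "process", "image": "C:\\Program Files\\rclone\\rclone.exe",
     "cmdline": "rclone.exe sync D:\\Share \\\\fileserver\\archive", "loaded": ""},
]


def triage(events, rules=RULES):
    """Return a list of (rule_name, technique, event_index) for every rule that fires."""
    hits = []
    for i, event in enumerate(events):
        for name, technique, predicate in rules:
            if predicate(event):
                hits.append((name, technique, i))
    return hits


if __name__ == "__main__":
    for name, technique, idx in triage(SAMPLE_EVENTS):
        print(f"[{technique}] {name}: event #{idx} -> {SAMPLE_EVENTS[idx]['image']}")
```

Events 0, 1, 3 and 4 fire one rule each; the NVDA load from its real install directory (event 2) and the Rclone sync to an internal file server (event 5) do not, which is the point of the allow-listed directories and hostname hints: the rules key on the combination of tool plus unexpected location or destination rather than on the tool name alone. Rule order and the hint lists are the parts to tune per environment.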
For a comprehensive view of the TTPs mentioned above, see the Feedly TTP AI Agent.
Sources and references
(1) (Security Risk Advisory) Iranian APT Seedworm deploys new backdoors on US bank, airport and software company networks – https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us
(2) (Cybersecurity News) Iranian APT threats against critical infrastructure growing amid geopolitical conflict – https://cybersecuritynews.com/escalating-iranian-apt-threats-against-critical-infrastructure/
(3) (PolySwarm Main Blog) Cyber Strategy Under Fire: Iranian APT and Proxy Retaliation Risks – https://blog.polyswarm.io/cyber-strategy-under-fire-iranian-apt-and-proxy-retaliation-risks
(4) (Proofpoint Threat Insight) The Iran conflict has led to increased espionage activity against Middle East targets – https://www.proofpoint.com/us/blog/threat-insight/iran-conflict-drives-heightened-espionage-activity-against-middle-east-targets
(5) (Security.com) Seedworm: Iranian APT on US bank, airport, software company’s network – https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us
(6) (Google Alert – Ransomware) Symantec reports that Iranian Seedworm hackers have infiltrated US infrastructure and defense supplies… – https://industrialcyber.co/ransomware/symantec-reports-iranian-seedwarm-hackers-infiltrate-us-infrastructure-and-defense-supply-chain-network/
(7) (Group-IB Blog) Operation Olalampo: Inside Muddywater’s Latest Campaign – https://www.group-ib.com/blog/muddywater-operation-olalampo/