Middle East Conflict Fuels Opportunistic Cyber Attacks

Introduction

Threat actors often take advantage of major global events to fuel interest in their malicious activities. Zscaler ThreatLabz is diligently tracking a surge in cybercriminal activity that capitalizes on the elevated political climate in the Middle East. This increased malicious activity includes discoveries that are directly tied to the ongoing conflict, alongside other related findings. ThreatLabz identified over 8,000 newly registered domains with keywords tied to the Middle East political situation and conflict-themed events. Most of these domains currently have no content, but they may be weaponized or used in threat campaigns in the near future. Analysis of the active domains revealed several trends, including conflict monitoring sites, conflict-themed meme-coins, short-lived storefronts selling conflict-related merchandise, general blogs and conflict-themed games, and scam or betting-related Progressive Web Apps (PWAs). ThreatLabz will continue monitoring newly registered domains and currently inactive domains for emerging threat campaigns. In this blog, ThreatLabz examines multiple cases, including a conflict-themed lure designed to look like a PDF about missile strikes in Bahrain, a malware chain that uses a conflict-themed lure to deliver the LOTUSLITE backdoor via DLL sideloading, and a fake news blog campaign that redirects users to StealC malware. We also detail fake government and payment phishing sites designed to collect victim data, donation and online storefront scams that route payments to suspicious destinations, and meme-coin promotions consistent with pump-and-dump schemes.
Recommendations

Given the recent threat campaigns targeting the Middle Eastern countries discussed in this blog, ThreatLabz recommends the following best practices to help strengthen an organization’s defenses and reduce the risk of compromise.

- Minimize the attack surface: Make apps (and vulnerable VPNs) invisible to the internet, and impossible to compromise, ensuring an attacker can’t gain initial access.
- Prevent initial compromise: Inspect all traffic inline to automatically stop zero-day exploits, malware, or other sophisticated threats.
- Enforce least privileged access: Restrict permissions for users, traffic, systems, and applications using identity and context, ensuring only authorized users can access named resources.
- Block unauthorized access: Use strong multi-factor authentication (MFA) to validate user access requests.
- Eliminate lateral movement: Connect users directly to apps, not the network, to limit the blast radius of a potential incident.
- Stop data loss: Inspect data in motion and data at rest to stop active data theft during an attack.
- Deploy active defenses: Leverage deception technology with decoys to detect hands-on-keyboard activity from compromised endpoints and block access to real applications containing the attack.
- Cultivate a security culture: Many breaches begin with compromising a single user account via a phishing attack. Prioritizing regular cybersecurity awareness training can help reduce this risk and protect employees from compromise.
- Test your security posture: Get regular third-party risk assessments and conduct purple team activities to identify and harden the gaps in the security program. Organizations should request that service providers and technology partners do the same and share the results of these reports with the organization’s security team.

Overview

In Cases 4 and 5, ThreatLabz observed Persian-language comments embedded in page sources and associated code.
While these artifacts are not definitive attribution, they may provide useful context about the operator’s working environment and suggest a potential Iran-aligned threat actor. In the remaining campaigns covered in this blog, ThreatLabz did not observe the same code-level indicators; however, we did see threat actors capitalizing on the conflict in the Middle East by leveraging themes like Iran and geopolitical developments to drive engagement.

Case 1: Suspected targeted attack in the Gulf Cooperation Council (GCC) region

On March 1, 2026, ThreatLabz observed a ZIP archive containing files related to the Middle East conflict. The archive included a Windows shortcut (LNK) file that, when opened, downloaded a malicious Windows Compiled HTML Help (CHM) file from a threat actor-controlled server. The CHM file was then used to deploy a shellcode loader, a highly obfuscated shellcode, and eventually a backdoor. As part of the lure, the attack dropped a decoy PDF containing images of missile strikes.

The Arabic text in the PDF translates to “Iranian missile strikes against US base in Bahrain”. The figure below shows the decoy PDF file used in this attack.

Figure 1: PDF lure referencing Iranian missile strikes against a US base in Bahrain.

The following sections summarize the observed attack flow and the files involved.

Stage 1

The ZIP archive contains an LNK file named photo_2026-03-01_01-20-48.pdf.lnk. The LNK’s target command

[…]
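As an added defender-side example (not part of the ThreatLabz post), the following Python triage script inspects a ZIP archive for the delivery pattern described in Case 1: an LNK file carrying a document-like double extension such as .pdf.lnk so that it displays as a PDF. The sample archive is constructed inline; the Shell Link header check (HeaderSize 0x4C followed by the fixed LinkCLSID) follows the public MS-SHLLINK format specification.

```python
import io
import struct
import zipfile

# Document-style extensions that, placed before ".lnk", make a shortcut look like a file.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with a valid Shell Link (MS-SHLLINK) header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def double_extension(name: str) -> bool:
    """Flag names like photo.pdf.lnk where a document extension precedes .lnk."""
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return False
    stem = lower[:-4]
    return any(stem.endswith(ext) for ext in DOC_EXTENSIONS)


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that is an LNK or uses a deceptive double extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(LNK_HEADER_SIZE)  # only the header is needed
            lnk, dbl = is_lnk(head), double_extension(info.filename)
            if lnk or dbl:
                findings.append({"name": info.filename, "lnk_header": lnk, "double_ext": dbl})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a minimal LNK header (no real shortcut target) plus a benign file."""
    fake_lnk = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo_2026-03-01_01-20-48.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f)
```

Checking the header rather than the name alone catches shortcuts renamed to hide the .lnk suffix, while the name check catches the double-extension lure even if the header is truncated.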

This article has been indexed from Security Boulevard
