Current cyberthreats in the Middle East

Darya Lavrova

Senior Analyst, International Analytics Group, PT Cyber Analytics

About the report

The Middle East is a rapidly developing region with a complex economic and geopolitical landscape. The combination of high economic potential, active investment in technology, industry-wide digital transformation, and geopolitical instability attracts both threat actors focused on espionage and critical infrastructure disruption, and financially motivated cybercriminals and hacktivists[1].

This study covers the period from Q2 2025 through Q1 2026[2] and analyzes the regional cyberthreat landscape. The following countries were covered by the research: Bahrain, Cyprus, Egypt, Iran, Iraq, Israel, Jordan, Kuwait, Lebanon, Oman, Palestine, Qatar, Saudi Arabia, Syria, the United Arab Emirates (UAE), and Yemen.

Study objectives:

  • Outline the regional cyberthreat landscape based on open-source intelligence and dark web data, mapping findings against periods of geopolitical escalation and de-escalation.

  • Analyze the threat landscapes of the most targeted countries in the region, identifying how they correlate with geopolitical conflicts, as well as industrial profiles and economic situation.

  • Forecast future regional cyberthreats and provide actionable defense recommendations.

To map the Middle Eastern cyberthreat landscape, we used OSINT combined with dark web intelligence. Sources included three major underground forums, over 60 Telegram channels, and various data aggregators tracking website defacements, malware operations (including ransomware), and DDoS attacks.

We estimate that most cyberattacks are not made public due to reputational risks. As a consequence, even companies specializing in incident investigation and analysis of hacker group activity are unable to calculate the precise number of threats.

Our incident database is updated on a rolling basis. However, some incidents may be reported online long after the actual attack took place. Therefore, this report is accurate as of the date of publication. For explanations of terms used in this report, please refer to the Positive Technologies glossary.

[1] Hacktivists are cybercriminals driven by political, ideological, or personal motives rather than financial gain. Their attacks often aim to destabilize governments.

[2] Data for Q1 2026 cover events up to March 11, inclusive.

Summary

  1. The economic and industrial landscape partially explains threat actor motivations and targets, despite a noticeable shift toward mass-scale and politically motivated cyberattacks during periods of conflict escalation.
  2. Two waves of escalation involving Iran (June–July 2025 and February–March 2026) significantly impacted the regional cyberthreat landscape. This was especially true during the heightened tensions in Q1 2026, as the conflict spread across multiple countries in the region. Notably, Q1 2026 accounted for 51% of all cyberattacks recorded during the reporting period.
  3. Geopolitical tensions were accompanied by a surge in politically motivated cyberattacks. These operations can be categorized into targeted attacks (aimed at critical infrastructure and key industries) and mass-scale attacks (targeting less protected sectors such as media, research, and education).
  4. Between Q2 2025 and Q1 2026, the most targeted countries in the Middle East were Israel (33%), Saudi Arabia (12%), and the UAE (11%). However, the geographic spread of the conflict in Q1 2026 brought Qatar, Kuwait, and Cyprus closer to the top of the list.
  5. The sectoral distribution of cyberattacks in the region was largely shaped by Q1 2026 data. During this period, the majority of attacks targeted government institutions. The government sector accounted for 25% of attacks, followed by the industrial and retail sectors at 15% and 10%, respectively. This indicates simultaneous activity by both politically and financially motivated threat actors.
  6. DDoS attacks were the most common threat, making up 42% of successful attacks. Q1 2026 drove this number up significantly, with DDoS involved in 83% of the quarter's attacks. Malware followed closely at 41% of attacks, remaining a staple for cybercriminals regardless of geopolitics. Social engineering ranked third at 22%, frequently used to deliver malware.
  7. Driven by the high volume of DDoS attacks, operational disruption was the most common outcome, occurring in 60% of successful attacks. Confidential data leaks followed at 44%, remaining a consistent threat during both geopolitical escalations and periods of stability. Another 10% of incidents involve infrastructure hijacking, where attackers compromise network resources—likely due to the abundance of vulnerable IoT devices—to recruit them into botnets for launching further attacks.
  8. When geopolitical tensions subside, we expect attackers to pivot back to key industries: IT in Israel; industrial and service sectors in Saudi Arabia; and retail, services, and manufacturing in the UAE. Emerging tech, such as energy facilities and sovereign AI infrastructure, will also be prime targets. For attacks on individuals, the use of generative AI will likely increase.
  9. If regional conflicts escalate further, we forecast a rise in complex, targeted attacks on critical infrastructure and attempts to compromise satellite systems. Across all industries, DDoS will remain a dominant attack method.

Regional growth drivers

Government initiatives, investments, and innovations in the Middle East allow us to highlight the region's main growth drivers and development vectors:

1. Diversification[3] of the economy to reduce reliance on oil exports. Middle Eastern countries are shifting toward high-tech industries, particularly biotechnology, quantum computing, and nuclear energy. In 2026, the region is prioritizing:

  • Biotechnology: driven by the digital transformation of the healthcare industry and the creation of new drugs and vaccines. This generates demand for biopharmaceutical and genomic research and improves diagnostic quality. In 2026, Middle Eastern projects in genomics, biofuels, and diagnostics are entering the operational phase.

  • Quantum computing: used to improve the discovery of new chemical compounds and manage complex energy grids, as well as to protect against cyberattacks using quantum computers, which threaten systems relying on classical encryption algorithms.

  • Nuclear energy: small modular reactors are beginning to appear in the region as a more flexible and scalable alternative to large-scale reactors. Their adoption is expected to grow as major digital infrastructure projects, including hyperscale data centers, drive steady demand for a reliable, continuous power supply.

The transition to new industries and active R&D efforts may attract increased attention from other countries interested in acquiring these technologies, leading to a rise in spyware attacks in the region.

2. Sovereign AI development accompanied by the creation of Arabic language models and the localization of domestic data centers. The drive for digital sovereignty, the need for national security amidst complex geopolitics, and the demand for massive data and computing power for AI solutions have led to a trend in the Middle East to reduce reliance on cross-border digital architectures. This applies not only to data hosting but also to the localization of critical hardware capabilities.

The development of a sovereign internet is hindered by the complexities of interstate relations and a shortage of qualified specialists. Building powerful data centers requires advanced chips and GPUs, which require U.S. approval. For example, G42 only managed to partner with Microsoft in 2024 after cutting ties with Chinese tech firms. Geographic location can also act as a barrier to data center infrastructure and sovereign AI. This was evidenced by the outage of two Amazon Web Services (AWS) data centers in the UAE following a drone attack on March 1, 2026, during the escalation around Iran. The disruption affected a wide range of AWS services: 25 services went down completely, and 34 others experienced degraded performance.

[3] Diversification is a strategy of spreading resources (capital, assets, or effort) across distinct areas to minimize risk.

Leading regional economies

The region's growth drivers are shaped by its strongest economies and their development trajectories. Typically, these same countries lead in the number of cyberattacks they face due to their highly digitized infrastructure and attackers' interest in financial gain and confidential data theft. Geopolitical tensions also drive cyberattacks, particularly those carried out by hacktivists and state-sponsored groups.

According to the International Monetary Fund's 2026 forecast, the leading Arab nations are Qatar, the UAE, and Saudi Arabia (ranking 16th, 30th, and 53rd, respectively). Let's examine their key developing industries to correlate them with the cyberthreat landscape.

  1. Qatar. Qatar's economy is based on oil and gas extraction. Current government diversification measures aim to increase the industrial and manufacturing sectors' contribution to the non-oil economy[4] (up to 3.4% by 2030) and attract $100 billion in foreign direct investment.

  2. UAE. Retail is thriving, accounting for 25.3% of Dubai's GDP, driven by high consumer spending and a steady influx of global capital. To diversify the economy, the state is developing non-oil sectors such as trade, tourism, finance, and real estate. Driven by an influx of wealthy tourists, the UAE invests significantly in its service sector. This makes the Emirates' economic landscape more diverse than those of other regional players, such as the oil- and gas-producing nations of Qatar and Saudi Arabia.

  3. Saudi Arabia. Saudi Arabia's service sector closely resembles that of the UAE. At the same time, one of the country's key industrial corporations, Saudi Aramco, accounts for nearly 12% of global oil production, surpassing even tech giants like Apple and Microsoft in profitability. The country's industry is undergoing digital transformation using AI and Industrial IoT. According to P&S Intelligence, the Saudi Industrial IoT market will grow by 13% between 2026 and 2032, reaching $10.1 billion.

[4] Non-oil sector includes economic industries that are not directly tied to oil and gas extraction or export, such as manufacturing, agriculture, services, IT, and tourism.

Cybersecurity threatscape in the Middle East

The reporting period (Q2 2025–Q1 2026) saw two acute phases of the conflict surrounding Iran: June 13–24, 2025 (though some attacks were discovered in July, affecting Q2 and Q3 data) and February–March 2026. This significantly impacted the region's cyberthreat landscape.

The June incidents primarily affected Iran and Israel, while the Q1 2026 incidents, which accompanied the U.S. and Israeli military operation launched on February 28, impacted other Middle Eastern countries involved in the conflict. The cyberattacks were mostly aimed at halting critical infrastructure operations and shaping public opinion through attacks on the media, spreading disinformation on social networks, and demonstrating the vulnerability of major state institutions.

June and July, 2025

In June 2025, major companies suffered from cyberattacks. In Iran, these were mostly financial organizations (83% of successful attacks): part of the country's largest bank's infrastructure was taken offline, $90 million was withdrawn from an Iranian cryptocurrency exchange, and clients of several banks faced problems accessing their accounts.

In Israel, two major companies faced massive data leaks: a catering and logistics company, as well as a key Israeli fintech company specializing in automated financial news videos for brokers and investors. The exposed fintech data allegedly included source code, user templates, investor briefs, custom branding files, and internal technical logs.

The primary goal of the cyberattacks on Iran was economic destabilization, aimed at preventing the country from using both traditional currency and cryptocurrency for trade and military funding. In contrast, attacks on Israeli organizations focused on psychological warfare, seeking to discredit national entities.

During the conflict's acute phase (June 13–20), over 250 hacktivist attacks, including DDoS, data leaks, and website defacements, targeted the Middle East, primarily hitting Iran and Israel. Elsewhere in the region, financially motivated ransomware groups dominated (for example, the Gunra group targeting an Egyptian healthcare firm), alongside multistage campaigns deploying remote access malware. One notable phishing campaign used the legitimate Netbird tool to compromise CFOs and financial executives across the Middle East and beyond.

Analysis of dark web forums and Telegram channels reveals that most hacktivist attacks on Iran were carried out by the cybergroup The Unknowns (accounting for 60% of listings related to breaches of Iranian companies on underground forums), followed by Predatory Sparrow and the Islamic Hacker Army (9% each).

Figure 1. Groups that attacked Iran in June 2025

In Israel, the Handala Hack Team operated alongside state-sponsored groups APT35 and APT42. Handala Hack Team, an alleged hacktivist group, targeted Israeli industrial and medical organizations using phishing, data theft, extortion, and destructive wiper[5] attacks, successfully seizing infrastructure and stealing confidential data.

Researchers assess that both APT35 and APT42 act in Iran's interests. APT35 carries out long-term, resource-intensive cyberespionage campaigns. They target military personnel, diplomats, and government officials in the Middle East and the U.S., along with the media, energy, defense, and telecom sectors. In June 2025, the group launched an AI-driven phishing campaign against Israeli journalists and cybersecurity experts. These attacks used fake Gmail login pages, Google Meet invites, and AI-generated phishing messages delivered via email and WhatsApp.[6]

APT42 also focuses on cyberespionage, targeting organizations and individuals primarily in the Middle East. In June 2025, APT42 launched phishing attacks against Israeli journalists, cybersecurity experts, and academics. They used fake Gmail login pages and Google Meet invites, and AI-generated phishing emails.

[5] Wiper is a class of malware intended to erase data.

[6] WhatsApp and Instagram are products of Meta, which, in accordance with Russian law, is recognized as an extremist organization and banned in Russia.

February and March 2026

In Q1 2026, as in June 2025, attackers focused on manipulating public opinion and undermining trust in national organizations, but with a significantly expanded geographic scope.

Government institutions accounted for 45% of targeted national-level organizations in Q1 2026. Hacktivists launched DDoS attacks against government agencies in Qatar, Kuwait, Israel, and other regional countries. Cybercriminals also targeted critical infrastructure to expose vulnerabilities. For example, the Handala Hack Team breached Israel's largest healthcare network, which serves roughly half the country's population (4.8 million residents). Handala Hack Team claimed responsibility for the attack. Rather than demanding a ransom, they immediately leaked the medical records of over 10,000 patients.

To manipulate public opinion, attackers hacked a popular Iranian religious calendar app (over 5 million downloads), broadcasting messages urging the Iranian military to surrender. Major Iranian news agencies also suffered website outages.

Other regional targets included Bahrain's news agency (disabled by the Fatimion Cyber Team), a Qatari oil company, and a radio station. The DieNet group attacked Qatari government agencies, framing the breach as retaliation for state media allegedly suppressing news regarding Iranian strikes on U.S. bases in the country.

Cyberattack dynamics and threat actor behavior

Cyberattacks in the Middle East are steadily increasing. Due to geographic expansion, Q1 2026 accounted for 51% of all attacks during the reporting period. The relatively low number of attacks in Q2 2025 is due to the brief nature of the conflict escalation. Furthermore, because incidents were discovered across both June and July, the data is split between the second and third quarters.

Figure 2. Distribution of attacks by quarter over the entire reporting period

Israel remained one of the top three most targeted countries throughout the reporting period, dominating the statistics in Q1 2026. However, in Q1 2026, the top three targets shifted to include Kuwait and Qatar. This geographic expansion drove a sharp increase in cyberattacks in Kuwait, Qatar, and Cyprus in Q1 2026, which rose by 10, 8, and 10 percentage points, respectively, compared to Q4 2025.

Industry data shows that during escalations, attackers prioritized the government and transport sectors. This indicates a strategy of targeting critical information infrastructure to inflict national damage and demoralize the public by exposing vulnerabilities. Successful attacks on media organizations also spiked during both conflict periods. Furthermore, Q1 2026 saw attacks spread to previously untouched sectors, with incidents in educational and scientific institutions rising to 5%.

Consequently, threat actor activity during these escalations falls into two categories:

  • Targeted operations against CII facilities and major government institutions

  • Mass-scale operations against less secure sectors, designed to maximize public attention. This partly explains the spike in attacks against softer targets, such as universities, media outlets, and educational systems.

Industry breakdown of cyberattacks

The region's industry breakdown reflects two main trends: conflict-driven attacks on government institutions (25% of all attacks) and attacks on industry (15%) and retail (10%) during de-escalation phases.

Figure 3. Distribution of victim categories over the entire reporting period

Interestingly, financial institutions accounted for only 8% of attacks—a stark contrast to global trends where finance usually ranks in the top three. This is likely due to delayed digital transformation in this sector, hindered by traditional business models and lack of state support that slow the adoption of automated systems. At the same time, the financial sector is heavily regulated, meaning any transformations require lengthy government approvals.

However, finance remained a top target in some countries. In Iran, attacks on financial institutions peaked during the June–July 2025 escalation. In the UAE, the region's largest financial hub, finance remained a top-three target throughout the reporting period, likely spurred by the country's Financial Infrastructure Transformation program and the development of a digital dirham.

An analysis of quarterly trends highlights how the Middle East conflict, which expanded geographically in Q1 2026, impacted the sectoral landscape of cyberattacks. Notably, the share of attacks targeting government institutions surged by 40 percentage points in Q1 2026 compared to the previous quarter.

Figure 4. Victims by quarter

Here is a breakdown of the top three most targeted industries and what makes them so valuable to cybercriminals.

Government

Government institutions are prime targets for both state-sponsored and financially motivated actors due to their strategic importance and vast data reserves.

Taking a government website offline via DDoS is a highly visible form of ideological protest, heavily promoted by hacktivists on Telegram and dark web forums.

Listings offering databases and access to government infrastructure are also widespread on the dark web. For instance, a database belonging to a Qatari state paramilitary organization was sold on a dark web forum for $5,000. The leak contained employees' full names, email addresses, work, home, and mobile phone numbers, fax numbers, job titles, departments, and citizenship statuses.

Figure 5. Advertisement for the sale of a Qatari state paramilitary organization's database

Similarly, mail server data from a Bahraini investigative body, including 50 user emails, was priced at $2,500.

Figure 6. Advertisement for the sale of a Bahraini state investigative body's mail server data

Overall, 85% of attacks on Middle Eastern government institutions aimed to disrupt core operations.

Industry

The industrial sector is highly targeted globally, and the Middle East's attack surface is growing as automation increases. The high cost of downtime and data compromise attracts financially motivated ransomware groups, while foreign APTs seek espionage or sabotage opportunities.

In December 2025, CRIL (Cyble Research and Intelligence Labs) researchers uncovered a phishing campaign targeting the industrial sector in the Middle East (Saudi Arabia) and Europe (Italy and Finland). Its primary goal was to steal sensitive industrial data and compromise user credentials. According to CRIL researchers, the criminals used a variety of attack vectors, including malicious Office documents (exploiting the CVE-2017-11882 vulnerability), malicious SVG files, and ZIP archives containing LNK shortcuts. All vectors used a single standard loader to deliver infostealers designed to steal browser credentials, cryptocurrency wallets, and industrial data.

Israel (48%) and Saudi Arabia (16%) were the most frequently targeted countries in this sector. Because many Israeli incidents occurred during the Q1 2026 escalation, it appears that during quieter periods, cybercriminals shift their focus to Saudi Arabia, a leading regional industrial power.

Trade

The UAE, the region's largest trade hub, absorbed 70% of all attacks on trade organizations, primarily affecting major real estate platforms. These attacks were carried out by the Coinbase Cartel ransomware group, which used valid vendor accounts and stolen credentials to breach networks.

In addition to the Coinbase Cartel, the Blacknevas ransomware group targeted the UAE, compromising a major import and retail company operating in the Middle East. The attackers claimed they managed to access the company's internal infrastructure and coerce an IT employee into cooperating, enabling them to exfiltrate confidential data from the organization's SQL and SAP systems. These systems may contain bank account details, trade secrets, personal data of both clients and employees, production plans, and financial reports.

Cyberattack methods

The Iran-Israel conflict altered cyberattack trends, making DDoS attacks the most prevalent threat, accounting for 42% of successful attacks. These attacks are a common tactic among hacktivists due to their high visibility, scalability, and impact on public sentiment.

Figure 7. Distribution of cyberattack methods over the analyzed period

Quarter-over-quarter data reveals a massive spike in DDoS attacks, jumping 80 percentage points from Q4 2025. The conflict's geographical scope has also expanded. While DDoS attacks against Iranian and Israeli organizations in mid-2025 were balanced by other regional incidents, by Q1 2026, disruptive attacks had become a widespread issue across the entire Middle East.

Figure 8. Quarterly distribution of cyberattack methods

Computers, servers, and network equipment are the most frequent attack targets, comprising 63% of all affected assets. These attacks primarily involve regional DDoS campaigns that take servers offline, or malware attacks where threat actors infiltrate the network, establish persistence, and execute payloads for data encryption, harvesting, and exfiltration. Web resources rank second (49%), also driven by the high volume of DDoS attacks.

Figure 9. Targets of cyberattacks

Below is a breakdown of the primary methods of cyberattacks targeting Middle Eastern organizations.

DDoS attacks

DDoS attacks give threat actors a cheap, low-effort way to put pressure on organizations. Unsurprisingly, geopolitical escalation almost always triggers a wave of large-scale denial-of-service attacks. These attacks produce immediate, visible results while making attribution harder, since they are often launched through botnets distributed around the world.

Attackers often brag about successful DDoS campaigns on Telegram and dark web forums. For example, in October 2025, a DDoS attack temporarily knocked a Yemeni government website offline.

Figure 10. Announcement of a DDoS attack on a Yemeni government website

In Q1 2026, DDoS attacks made up 83% of all cybersecurity incidents, affecting both the main parties to the conflict and other countries in the Middle East. Victims included transport and energy organizations in Cyprus, a Jordanian government website, and the web portals of two Saudi government entities.
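The DDoS section above describes floods from globally distributed botnets, where any single source may stay below a naive per-IP limit. The following detector, an added example not taken from the report or from Positive Technologies' tooling, runs two sliding windows over web server access log lines: one per source address and one over all traffic combined, so that both a single noisy host and a distributed surge are caught. The log lines are constructed for the example, and the window size and thresholds are placeholder assumptions that a defender would tune to their own baseline.

```python
"""Sliding-window flood detector over Common Log Format access lines.

Added example, not code from the report. Sample log lines are constructed;
window and threshold values are assumptions to be tuned per deployment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the source address and bracketed timestamp of a CLF line.
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window_s=10, per_ip_threshold=10, global_threshold=50):
    """Flag sources exceeding per_ip_threshold requests inside window_s seconds,
    and record when total traffic first exceeds global_threshold in one window
    (the signal that catches a distributed flood of low-rate sources)."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    window = timedelta(seconds=window_s)
    per_ip = defaultdict(deque)   # ip -> timestamps inside the current window
    global_q = deque()            # all timestamps inside the current window
    noisy, global_start = set(), None
    for ip, ts in events:
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window:     # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= per_ip_threshold:
            noisy.add(ip)
        global_q.append(ts)
        while ts - global_q[0] > window:
            global_q.popleft()
        if global_start is None and len(global_q) >= global_threshold:
            global_start = global_q[0]   # start of the first saturated window
    return {"events": len(events),
            "noisy_sources": sorted(noisy),
            "global_flood_start": global_start}


def build_sample_log():
    """Constructed sample: one normal visitor, one single-source flood, and a
    distributed flood of 40 hosts that each send only two requests."""
    base = datetime(2026, 3, 5, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path="/"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [line("192.0.2.10", o, "/news") for o in (0, 30, 61)]
    lines += [line("203.0.113.7", 100, "/login") for _ in range(20)]
    for host in range(1, 41):
        lines += [line(f"198.51.100.{host}", 200), line(f"198.51.100.{host}", 201)]
    return lines


def analyze_sample():
    return detect_floods(build_sample_log())


if __name__ == "__main__":
    result = analyze_sample()
    print(f"{result['events']} events parsed")
    print("single-source floods:", result["noisy_sources"])
    print("distributed flood first saturated window at:", result["global_flood_start"])
```

The per-source window alone would miss the 40-host flood (two requests each), which is why the combined window is kept alongside it; in production the global threshold should be derived from the site's normal request rate, and the output would feed a rate limiter or upstream scrubbing rather than just a printout.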

Malware

Malware remains one of the most prominent global threats because it is versatile and highly effective at every stage of the kill chain. During the period analyzed, the most common malware types were ransomware (30%), remote access trojans/tools (RATs) (27%), and spyware (19%).

Figure 11. Distribution of malware types during the analyzed period

Although ransomware is usually used by financially motivated cybercriminals to generate profit, threat groups are increasingly using it as a geopolitical tool during conflicts. Core industries can be brought to a standstill, valuable data can be stolen or permanently destroyed—especially as ransomware is increasingly deployed as a wiper—and public confidence can be shaken by perceived weaknesses in national infrastructure. As a result, ransomware can cause technological, financial, and reputational damage to a country at the same time.

Examples of financially motivated attacks include the Tengu group targeting a key healthcare organization in Saudi Arabia's Al-Qassim region and INC Ransom attacking a major IT provider in the UAE. In both cases, the attackers threatened to leak roughly 200 GB of sensitive medical, financial, and corporate email data.

The Handala group deployed ransomware against an Israeli energy company during the geopolitical flare-up in Q1 2026. Handala posted on X, formerly Twitter, that "massive cyberattacks" were imminent, and added several hours later that "the destruction of cyber infrastructure is already in full swing." The post was later deleted. In this case, the objective was clearly infrastructure sabotage rather than financial gain.

Remote access malware (25%), which ranked just behind ransomware, is widely used to deploy ransomware and wipers, execute commands, conduct espionage, and steal data. Trading and brokerage firms in the UAE, Jordan, and Lebanon were affected by this type of malware.

Spyware, which accounted for 18% of malware attacks, is used by both hacktivists and financially motivated groups. For example, an August 2025 campaign using PXA Stealer collected data from more than 4,000 IP addresses worldwide. The campaign affected organizations in 62 countries, with Israeli entities being the main victims in the Middle East.

Social engineering

Threat actors rely heavily on social engineering both in peacetime and during geopolitical conflicts. The rapid development of AI in the Middle East has further accelerated these attacks. For example, in Q1 2026, HarfangLab researchers uncovered the AI-driven RedKitten campaign, which targeted Iranian protesters. The attackers used deepfake videos on social media to build trust before delivering modular malware through supposedly secure communication channels.

Social engineering is often used as the initial access vector for malware attacks. A cyberespionage campaign attributed to MuddyWater targeted users in Israel, Turkey, and Azerbaijan and deployed the UDPGangster backdoor. The malware was distributed through malicious Microsoft Word documents containing embedded VBA macros, which executed the payload once enabled. It was designed to bypass traditional network defenses, using anti-analysis techniques to avoid detection and evade sandboxes.

In August 2025, a global phishing campaign used fake voicemail messages and purchase orders to deliver the UpCrypter downloader. The attackers sent carefully crafted emails containing links to convincing phishing pages, tricking victims into downloading malicious JavaScript files that later dropped UpCrypter. Although the campaign was global, organizations in Egypt were hit hardest in the Middle East.
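The initial-access vectors named in this section and in the industrial-sector section above (Office documents with VBA macros, SVG files carrying script, ZIP archives hiding LNK shortcuts, legacy OLE documents of the CVE-2017-11882 class, and script downloaders such as JavaScript attachments) share a property: all of them can be recognized by structure before any payload runs. The triage routine below is an added example, not from the report or from any of the cited research teams; it inspects an attachment's bytes and name and returns the reasons it should be quarantined or detonated in a sandbox. It generalizes beyond the specific campaigns by covering all of those vectors in one pass. The sample attachments are constructed in memory, and the extension list is an assumption a mail-gateway operator would extend.

```python
"""Static triage of e-mail attachments for macro, script, shortcut and SVG vectors.

Added example, not code from the report. Sample attachments are constructed
in memory; the extension list and findings text are assumptions to adapt.
"""
import io
import posixpath
import re
import zipfile

# Magic bytes of an OLE compound file (legacy .doc/.xls, the container that
# Equation Editor exploits such as CVE-2017-11882 ship in).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that execute or redirect when opened (assumed gateway policy list).
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".hta", ".wsf", ".lnk", ".exe", ".scr"}
# Script elements, event handlers or javascript: URLs inside SVG markup.
SVG_ACTIVE_RE = re.compile(rb"<script|\bon\w+\s*=|javascript:", re.I)


def triage_attachment(name, data):
    """Return a list of human-readable reasons to quarantine the attachment
    (empty list means nothing structural was found)."""
    findings = []
    lower = name.lower()
    ext = posixpath.splitext(lower)[1]

    if ext in SCRIPT_EXT:
        findings.append(f"directly executable attachment type ({ext})")

    if data.startswith(OLE_MAGIC):
        findings.append("legacy OLE document; Equation Editor (CVE-2017-11882) class payloads use this format")

    if data[:5] == b"{\\rtf" and b"\\object" in data:
        findings.append("RTF with embedded OLE object")

    if data[:2] == b"PK":  # ZIP container: OOXML document or plain archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
            findings.append("ZIP signature but unreadable archive (possible evasion)")
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("Office document with VBA macro project")
        inner = [n for n in names if posixpath.splitext(n.lower())[1] in SCRIPT_EXT]
        if inner:
            findings.append("archive contains script/shortcut files: " + ", ".join(inner))

    if ext == ".svg" or b"<svg" in data[:1024]:
        if SVG_ACTIVE_RE.search(data):
            findings.append("SVG with active content (script, event handler or javascript: URL)")

    return findings


def build_samples():
    """Constructed attachments exercising each vector plus two benign controls."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for n, content in entries.items():
                zf.writestr(n, content)
        return buf.getvalue()

    return {
        "report.docm": make_zip({"[Content_Types].xml": "<Types/>",
                                 "word/document.xml": "<w:document/>",
                                 "word/vbaProject.bin": b"\x00" * 16}),
        "invoice.zip": make_zip({"invoice.pdf.lnk": b"L\x00\x00\x00" + b"\x00" * 60}),
        "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>x=1</script></svg>',
        "quote.doc": OLE_MAGIC + b"\x00" * 64,
        "voicemail.js": b"var a = 1;",
        "notes.docx": make_zip({"[Content_Types].xml": "<Types/>",
                                "word/document.xml": "<w:document/>"}),
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    }


def triage_all(samples):
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all(build_samples()).items():
        print(f"{name}: {'; '.join(reasons) if reasons else 'no structural findings'}")
```

Structural checks like these are cheap enough to run on every message and complement, rather than replace, sandbox detonation: a clean result only means none of the named containers or active-content markers were present, so the two benign controls passing is the expected behaviour, not proof the files are safe.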

Vulnerability exploitation

Despite the Middle East's rapid digitalization, many sectors still rely on legacy security systems, giving attackers opportunities to exploit long-known vulnerabilities in outdated infrastructure. The spread of IoT devices, which are often the weakest point in network security, further expands the attack surface.

During conflicts, vulnerabilities become strategic assets for reconnaissance and leverage. Anonymous Syria Hackers intensified their #OP_IRAN campaign, claiming to have breached an Iranian e-commerce platform and stolen PayPal credentials, usernames, personal email addresses, and bcrypt-hashed passwords.

Consequences of cyberattacks

The most common consequence of cyberattacks against Middle Eastern organizations during this period was business disruption (60%).

Figure 12. Distribution of cyberattack consequences during the analyzed period

Unsurprisingly, this was largely driven by attacks during active phases of conflict, particularly in Q1 2026. Business disruption incidents increased by 57 percentage points compared with Q4 2025.

Figure 13. Quarterly distribution of cyberattack consequences

Data leaks ranked second (44%), driven partly by aggressive ransomware activity and partly by poor cyberhygiene. The use of compromised resources to carry out further attacks ranked third (10%), largely because of mass compromises and device infections by large-scale botnets with multinational command-and-control (C2[7]) infrastructure.

[7] Command and Control (C2) server is a centralized server used by attackers to remotely manage infected devices, coordinate malware, and exchange data.

Disruption of core activity

Disabling corporate systems is a classic hacktivist tactic used to disrupt targets, attract maximum publicity, apply psychological pressure on governments and citizens, and build credibility in the cybercriminal underground.

Website defacement is a common disruption method during conflicts. In these attacks, adversaries replace homepages with political slogans, calls to action, or threats. In Q1 2026, Cyber Islamic Resistance and 313 Team jointly claimed to have breached a Saudi university's website and placed both groups' logos across the homepage.

However, amid the wave of mass DDoS attacks against less protected targets, there were also serious incidents affecting critical infrastructure. For example, NoName057(16) claimed that, using its custom DDoS toolkit DDoSia Project, it gained full access to an Israeli industrial pump control system and disabled "an important part of Israel's critical infrastructure in a couple of minutes."

Figure 14. Post by NoName057(16) claiming to have disabled an Israeli industrial pump control system, including a screenshot of the interface

Data leaks

During geopolitical flare-ups, data leaks are weaponized to apply psychological pressure. Attackers publish stolen data without making ransom demands, simply to expose the target's weaknesses. By contrast, financially motivated attackers steal sensitive data to extort ransoms or sell it on dark web marketplaces. The price depends on the value of the data, especially its uniqueness, volume, and the size of the breached company.


Databases

Databases often contain employees' and customers' personally identifiable information (PII), credentials, and corporate secrets. Threat actors can use this information to launch follow-on attacks against specific individuals.

Figure 15. Advertisement for the sale of a UAE customer database

For example, a database containing 406,000 potential UAE leads collected from advertising campaigns is being sold on the dark web for $3,000. It includes 373,000 unique phone numbers and 300,000 unique email addresses. Attackers can use this data to create fake social media profiles for fraud or to compromise mobile banking accounts.

Leaked personal data belonging to job seekers allows attackers to impersonate legitimate recruiters or well-known companies, tricking candidates into sharing sensitive information or downloading malware. One dark web listing, priced at $1,000, offers data on 220,000 UAE job applicants.

Figure 16. Advertisement for the sale of a UAE job seeker database

After a March 2025 cyberattack on a major Iranian bank, more than 12 TB of data was leaked. The dump contained financial, identity, and residential information on 42 million customers. The Codebreakers group later listed the data for sale on the dark web for $42 million. However, experts assess that the incident was primarily ideologically motivated rather than financially driven.

Access for sale

Initial network access commands high prices because obtaining it requires advanced skills and can enable a wide range of malicious activities.

Full access to the internal network and email systems of a major international automotive company in Israel was listed for $50,000. The seller stated that the access provided complete control over the company's Israeli network infrastructure. In addition, the compromised email accounts belonged to senior executives, giving the buyer direct access to C-suite communications.

Figure 17. Advertisement for the sale of access to an automotive company in Israel

Access to a major Israeli IT company specializing in digital mall displays was listed for $100,000. According to the seller, the offer included control over 17 Windows servers, remote administrator access to management systems, and direct access to the central server controlling the display fleet, which would allow instant content distribution, as well as a high-speed connection for the buyer's use.

Figure 18. Advertisement for the sale of access to an Israeli IT company

Although harvesting and selling network access is highly profitable, access is sometimes given away for free. This behavior is typical of hacktivists seeking publicity, state-aligned groups releasing low-value access for psychological impact, or inexperienced hackers trying to build a reputation in the cybercriminal underground. 

Figure 19. Distribution of data leak categories during the analyzed period

Excluding the "other information" category (37%), the most common types of corporate leaks were trade secrets (19%) and credentials (16%). "Other information" included the internal network directory structure of a leading Kuwaiti telecom provider, stolen by the Kraken ransomware group, as well as Omani and Moroccan diplomatic documents exfiltrated by Ashen Lepus, an APT group targeting government and diplomatic entities in the Middle East.

The escalation of the conflict in June and July 2025 led to a rise in credential leaks, which accounted for 25% and 26% of leaks in Q2 and Q3 2025, respectively. This likely reflects the reconnaissance phase of threat actor operations. 

Use of compromised resources to carry out further attacks

Botnets are rapidly spreading and becoming more powerful. According to Akamai, hyper-massive botnets generate attacks exceeding 30 Tbps, 14 billion packets per second, and 300 million HTTP requests per second. Cybercriminals use these botnets to launch hundreds of thousands of attacks. Botnets have evolved significantly: what were once isolated malware distribution campaigns have become core infrastructure supporting many forms of cybercrime. Many of these botnet campaigns have directly affected the Middle East.

In July 2025, FortiGuard Labs detected new botnet activity exploiting vulnerabilities in network devices. Researchers identified loader scripts targeting devices from Asus, Vivo, Zyxel, and Realtek. The malicious code delivered malware together with the XMRig cryptominer. The attacks targeted several countries, including Israel. In October 2025, during a major AWS outage, a new Mirai-based botnet called ShadowV2 appeared. It exploited known vulnerabilities to hijack IoT devices from vendors such as D-Link and TP-Link. Attacks were recorded in 28 countries across the government, technology, manufacturing, and education sectors.

In addition to botnets, attackers frequently use compromised websites. In August 2025, a large campaign dubbed ShadowCaptcha used more than 100 hacked WordPress sites to distribute ransomware, spyware, and cryptominers. The campaign combined social engineering, abuse of legitimate Windows utilities, and multistage payload delivery.

Cyberthreat landscape in the most targeted countries

The frequency of attacks against countries in the region is shaped by several key factors:

  1. Geopolitical conflicts. Cyberattacks often mirror real-world events. Strained international relations trigger direct responses from politically motivated threat actors.
  2. Economic strength, population size, and wealth. Large, highly digitized companies expand the attack surface and make attractive targets for ransomware groups seeking payouts. Larger populations mean more potential victims, while greater national wealth usually means more connected devices per person, further widening the attack surface.
  3. Critical infrastructure and facilities that are vital to national survival or GDP are prime targets for all types of attackers. In the Middle East, oil refineries often function as both critical infrastructure and major economic drivers vital to GDP. For example, the oil and gas sector accounts for roughly 60% of Qatar's GDP and 46% of Saudi Arabia's. Life-support infrastructure includes desalination plants—Saudi Arabia alone produces about 20% of the world's desalinated water across roughly 30 plants—and water supply systems, which are especially critical given the region's severe freshwater shortages.
  4. New technologies. Technological adoption usually outpaces cybersecurity measures. Although this is a global issue, countries that are digitizing more quickly present especially attractive opportunities for attackers.

During the analyzed period, the most frequently targeted countries in the Middle East were Israel (33%), Saudi Arabia (12%), and the UAE (11%). The number of successful attacks on Qatar, Kuwait, and Cyprus only began to approach the leading countries in Q1 2026, driven by escalating regional geopolitics.

When analyzing the Middle East conflict, it is important to consider Iran's cyberthreat landscape, even though it did not rank among the top three. Its absence is likely due to systemic underreporting of successful breaches.

Figure 20. Quarterly distribution of targeted countries

In Israel, cyberattacks were heavily related to geopolitical flare-ups with Iran. Because information about cyberattacks often becomes public long after the initial breach, this reporting delay likely explains the spike in recorded incidents in Q3 2025.

Attacks on Saudi Arabia peaked in Q2 2025 (26%). The Ralord ransomware group was highly active in the country, compromising a major company involved in designing, building, and operating water infrastructure. The breach resulted in the theft of sensitive corporate data, including financial records, confidential reports, backups, and configuration files. Saudi organizations, along with many others worldwide, were also affected by the Cl0p ransomware gang, which notably hit a major authorized dealer for General Motors and GAC Motor.

Attacks on the UAE peaked in Q4 2025 (37%) and were marked by aggressive ransomware activity. In particular, the Coinbase Cartel group attacked several organizations at the same time, mainly in the real estate sector.

Cyberthreat landscape in Israel

In late January 2026, the Israel National Cyber Directorate reported that the country faced more than 26,000 cyberattacks in 2025, a 55% year-over-year increase. Q1 2026 was the most intense period, accounting for more than half (56%) of all incidents targeting Israel. This surge was driven by heightened hacktivist activity amid the escalating military conflict.

The three most targeted sectors in Israel were manufacturing and industry (22%), government agencies (16%), and IT and transport, each at 9%.

Figure 21. Distribution of cyberattacks in Israel by industry during the analyzed period

The industrial sector remained the main target from Q2 through Q4 2025, accounting for 20%, 8%, and 33% of attacks, respectively, and continued to lead in Q1 2026 (26%), a quarter that saw a significant shift in victim demographics.

One of the most critical industrial incidents in Q1 2026 was a possible breach by the CARDINAL group of systems linked to the Dimona nuclear reactor. The group published screenshots of a monitoring interface allegedly connected to the facility. In its statement, the group claimed to have full control over five key sectors of the nuclear research center. The attackers said they could move reactor rods, push the cooling system to its breaking point, and fully hijack one of the reactors.

Figure 22. CARDINAL group's announcement about the breach of nuclear reactor systems

Government agencies entered the top three because of conflict escalation: attacks on the public sector reached 20% in Q2 2025 and 26% in Q1 2026. A similar trend was seen in the transport sector, where statistically significant attack volumes appeared only in Q2 2025 (20%) and Q1 2026 (13%). Among other targets, DDoS attacks affected a major Israeli bus operator and companies involved in railway infrastructure.

IT companies were among the top targets during the first three quarters of 2025, accounting for 20%, 23%, and 17% of attacks, respectively, although their share fell to a statistically insignificant level in Q1 2026. Israeli technology companies play an important role in the global IT ecosystem and are deeply integrated into international supply chains. As a result, their data sells for high prices on the dark web. For example, access to a dataset from a major Israeli cybersecurity company was listed for $340,475. The package included internal network maps, architectural diagrams, user credentials, employee contacts, project documentation, source code, and proprietary software binaries. 

Figure 23. Advertisement for the sale of access to an Israeli IT company

Driven by the surge in Q1 2026, DDoS attacks became the leading attack vector overall, accounting for 51% of all incidents.

Figure 24. Distribution of cyberattack methods in Israel during the analyzed period

Quarterly data shows a sharp spike in DDoS attacks in Q1 2026, rising from 8% to 84%. During this period, attackers primarily targeted government agencies (31%) and industrial organizations (27%).

Malware deployment (29%) and vulnerability exploitation (27%) were almost equally common. This reflects both the global trend toward malware-heavy attacks and underlying security gaps in Israel's digital infrastructure. Ransomware dominated the malware category (30%), likely because it serves the different objectives of various types of threat actors.

The impact of attacks on Israel closely matched the methods used. The surge in DDoS attacks made business disruption the most common outcome, accounting for 56% of incidents during the analyzed period, while data leaks (25%) were mainly the result of ransomware operations. The hijacking of resources for follow-on attacks was likely connected to the exploitation of outdated software and the recruitment of IoT devices into botnets.

Figure 25. Consequences of cyberattacks on Israel

In Q1 2026, threat groups targeting Israel became highly focused on specific sectors. For example, DarkStormTeam concentrated on the public sector, carrying out 75% of all DDoS attacks against government agencies that quarter. Meanwhile, NoName057(16) primarily targeted critical infrastructure. During its #OpIsrael campaign, the group attacked Israel's main telecommunications provider, a UAV manufacturer, and the national water company, while also claiming responsibility for taking down a major bus operator. This coordinated campaign against telecommunications, transport, water, and defense targets shows the group's intent to cause maximum nationwide damage.

The Fearless group used a different approach. Its #OpIsrael campaign targeted various victims, including an oil company, an industrial technology services provider, an advanced defense contractor, and a digital marketing firm. This seemingly random choice of targets suggests a deliberate strategy of mixing victims, likely to maximize the efficiency of attacks.

Cyberthreat landscape in Saudi Arabia

According to Cyfirma, Saudi Arabia saw a noticeable rise in cybercrime in 2025, with attackers increasingly targeting key sectors such as government, financial services, transport, shipping, and healthcare. This led to a series of data leaks.

Government agencies accounted for the largest share of successful cyberattacks (35%). This was driven mainly by Q1 2026, when 71% of all attacks on Saudi organizations affected government entities. This reflected the geographic spillover of the Iran–Israel conflict and the activity of hacktivists, particularly the Fearless group, which carried out DDoS attacks against Saudi government websites.

Figure 26. Victim categories in Saudi Arabia

Industrial organizations made up the largest victim category (31%) from Q2 to Q4 2025. During periods when the Middle East conflict eased, financially motivated ransomware groups were more visible. In Q1 2026, however, industrial targets also drew the attention of politically motivated cybercriminals.

Ransomware attacks affected companies in the oil and gas, engineering, and construction sectors.

Figure 27. Everest Group's announcement of data theft from an oil and gas company
Figure 28. Announcement of a cyberattack on an engineering company

The relatively high share of attacks on Saudi retail companies is linked to the sector's digital transformation under Saudi Vision 2030. Retail companies are rapidly adopting modern tools to improve operations and customer service.

The large volumes of data stored in the infrastructure of retail organizations have become a popular commodity on underground markets. For example, one dark web forum listing offered shell access to a CRM system and a database containing information on 17,000 customers of a food retail company for $300.

Figure 29. Advertisement for the sale of a database and CRM access belonging to a food retail company

In another listing, administrator access to the control panel of a Magento-based e-commerce platform was offered for $600. This access also provided customer, order, and sales analytics data.

Figure 30. Advertisement for the sale of access to an e-commerce platform control panel

The distribution of cyberattack methods changed only slightly during the escalation of geopolitical tensions in Q1 2026. The impact of the escalation was most visible in DDoS attacks, which were carried out mainly by the Fearless group.

Figure 31. Distribution of cyberattack methods in Saudi Arabia during the analyzed period

Malware use is a global trend, and it is especially relevant to Saudi Arabia because of the active presence of ransomware groups. Cyfirma researchers also noted a sharp rise in ransomware incidents, with groups such as KillSec, Everest Ransom, and Qilin Ransomware carrying out large-scale attacks against Saudi-based organizations. In Q2 and Q4 2025, RansomEXX (Storm-2460) and Cl0p ransomware activity was also observed in the country. Aside from the "other information" category, which accounted for 40% of all leaks, attackers most often stole trade secrets (25%) and credentials (15%).

Cyberthreat landscape in the UAE

In 2025, the UAE was the second most attacked country in the Middle East, accounting for 12% of all cyberattacks in the region. Its high level of digitalization expands the attack surface, while the large volume of financial flows concentrated mainly in Dubai attracts cybercriminals seeking financial gain.

Retail companies accounted for the largest share of successful cyberattacks (61%), indicating strong activity by financially motivated cybercriminals. Industrial companies ranked second at 11%. Financial organizations, IT companies, and companies in the service sector shared third place at 6% each, further showing that attackers in the UAE are primarily motivated by profit. This reflects the country's role in the Middle East as a regional financial hub.

Figure 32. Victim categories in the UAE

Customer data from UAE marketplaces, as well as access to those platforms, often appears in listings on underground forums. One major organization affected by a data leak was a large Dubai-based digital platform designed to connect influencers and businesses for the promotion of products and services. The compromised data included users' personal information, such as names, dates of birth, ages, genders, nationalities, and other details, as well as mobile phone numbers, Instagram8 profiles, WhatsApp9 statuses, and more.


8 WhatsApp and Instagram are products of Meta, which, in accordance with Russian law, is recognized as an extremist organization and banned in Russia.

9 WhatsApp and Instagram are products of Meta, which, in accordance with Russian law, is recognized as an extremist organization and banned in Russia.

Figure 33. Advertisement for the sale of a digital platform database

Ransomware groups were the most active actors in attacks on industrial organizations during the analyzed period. INC Ransom attacked a major Dubai-based manufacturer of fire protection, security, and safety equipment. According to the group, it obtained 1 TB of data, including financial records, corporate emails, HR data, budgets, strategic development plans, and other information.

However, the Iran–Israel conflict affected the entire Middle East, and some Q1 2026 cyberattacks against industrial organizations in the UAE were geopolitically motivated. For example, in March 2026, the hacktivist group Handala Hack Team breached an oil corporation and stole confidential data, including sensitive financial information, oil contracts, and project details.

On March 13, 2026, a Dubai-based petroleum products company was hit by a cyberattack. In their statement, the attackers claimed they had breached the company's systems, obtained 413 GB of data related to oil infrastructure, and extracted information about pipelines and strategic infrastructure in the oil sector. The attackers claimed that the stolen data was handed over to resistance cells for use in future attacks against the company's pipelines and infrastructure, further underscoring the political motivation behind the breach. Data samples were later published.

Figure 34. Statement on a cyberattack against a petroleum products company

The UAE shows a somewhat unusual pattern in the cyberattack methods. In more than half of cases (56%), attackers managed to compromise supply chains or trusted communication channels. The Coinbase Cartel group is believed to have used these methods in Q1 2026. This choice may be linked to the high level of business digitalization in the UAE, where mature companies typically rely on automated internal processes, close integration between suppliers, contractors, partners, and corporate IT systems, and, in some cases, privileged access to IT systems for trusted suppliers and partners.

Figure 35. Distribution of cyberattack methods in the UAE during the analyzed period

Nevertheless, malware and social engineering were also common due to the activity of ransomware groups, accounting for 44% and 28% of attacks, respectively. In addition to Coinbase Cartel and INC Ransom, KillSec, Blacknewas, and Medusa are active in the UAE.

In Q1 2026, the combined activity of ransomware groups and hacktivists resulted in confidential data leaks in 94% of attacks against organizations. Disruption of core operations accounted for 28%, including both ransomware attacks that halted the operations of targeted companies and hacktivist campaigns aimed at taking as many organizations offline as possible.

Trade secrets accounted for 14% of confidential information leaks from UAE organizations, and corporate correspondence for another 14%. This points to the activity of both ransomware groups and politically motivated actors.

Cyberthreat landscape in Iran

Iran's digital development is complicated by economic sanctions, recurring geopolitical tensions, and the need to counter financially motivated cybercriminals, pro-government groups, and hacktivists at the same time. All this has a significant impact on the country's cyberthreat landscape. Iran accounted for 9% of all cybersecurity incidents in the region. Most attacks happened during periods of conflict escalation: in Q2 2025 (56% of all successful cyberattacks against Iranian organizations) and Q1 2026 (38% of successful cyberattacks).

Iran's sectoral threat landscape differs from the broader regional picture, as government agencies did not rank among the top three most targeted sectors. This may be explained by the closed nature of the country's digital landscape. Iran has its own national network, and internal services are often separated from the global internet, making them less accessible to external cyberattacks. 

Figure 36. Victim categories in Iran during the analyzed period

Financial organizations experienced the highest number of cybersecurity incidents (38%). In Iran, these institutions not only store valuable data but also serve as strategically important assets. To counter sanctions, Iran's financial system uses both traditional currencies and cryptocurrency, helping the country stabilize its economic situation.

During periods of conflict escalation, cybercriminals often target the financial sector in an attempt to cause economic and reputational damage to Iran. At the same time, threat actors frequently use the dark web to monetize stolen data and network access belonging to these institutions. For example, in February 2026, a listing appeared on a dark web forum offering shell access to the infrastructure of an Iranian fintech company with a SYSTEM account, the highest level of privileges in Windows. This access would allow an attacker to perform any action in the operating system, including opening protected files and launching processes and services. The seller priced the access at $1,000 and stated that the infrastructure contained more than 25 hosts and over 120 domain users.

Figure 37. Advertisement for the sale of access to an Iranian fintech company

Media companies accounted for 25% of successful cyberattacks in Iran. Trusted by a broad audience, these organizations are attractive targets for hacktivists and less experienced cybercriminals. One of the first attacks on media companies in Q1 2026 involved hijacking the broadcasts of several Iranian state TV channels to show protest footage and messages from an exiled opposition figure. The attack is believed to have been carried out by compromising a satellite network.

Industry and telecommunications shared third place at 13% each. While cyberattacks on industrial organizations had various goals, attacks on telecommunications were clearly related to the Iran–Israel conflict. Cybercriminals seek either to disrupt telecommunications, making military coordination and communication among civilians more difficult, or to demonstrate the vulnerability of Iran's critical infrastructure. One example was a dark web post offering a database of Iran's largest private mobile operator for free. The data contained 40 million records, including customer identification numbers, first and last names, addresses, and home phone numbers.

Figure 38. Announcement of a free leak of a database belonging to an Iranian telecom operator

Malware was the leading attack method during the analyzed period (33%). This is typical for Iran, attacked both by cybercriminals using wipers and spyware and by ransomware groups seeking payouts. Wipers were observed in half of all cyberattacks (50%).

Figure 39. Distribution of cyberattack methods in Iran during the analyzed period

Most DDoS attacks (75%) occurred in Q1 2026. This spike highlights an active phase of the conflict, marked by massive campaigns to disrupt Iranian infrastructure. Together, malware and DDoS attacks took a heavy toll on Iranian organizations, disrupting core business operations in 56% of cases.

Globally, exploitation of vulnerabilities is the most common tactic, used in 17% of successful cyberattacks. In Iran, however, this method is especially effective due to international sanctions. Iranian organizations struggle to buy software licenses, get official vendor support, or access timely security updates. As a result, they heavily rely on outdated, unlicensed, or modified software, which drastically increases the number of vulnerabilities. 

Regional forecast

Given the geopolitical tension in the Middle East, our forecast covers two scenarios: the conflict stabilizes, or it escalates.

Scenario 1: the conflict stabilizes

  1. Attackers will focus on each country's core economic sectors: IT in Israel; manufacturing and services in Saudi Arabia; and retail, services, and manufacturing in the UAE. Financially motivated cybercriminals will dominate the region.
  2. More GenAI attacks on the service sector. Wealthy Middle Eastern nations are heavily investing in consumer services, creating a prime target for AI fraud. We expect more deepfakes, such as fake product photos, vacation rentals, and video reviews.
  3. Social commerce fraud in the UAE and Saudi Arabia. As consumers shift to mobile shopping, attackers will target individuals on social media. They will likely combine mobile-specific attacks with social engineering.
  4. A rise in disruptive cyberattacks against retail websites. The fierce competition for ultra-fast delivery may push corporate rivalries into cyberspace.
  5. A rise in cyberattacks on industrial facilities via compromised IoT devices. The region's shift to a carbon-neutral economy is driving digital transformation, especially in energy. Adopting more IoT devices, AI, and cloud tech will significantly expand the industrial attack surface.
  6. More spyware attacks, especially against Iranian organizations. A sharp escalation in conflict necessitates rapid responses and precise cyberattacks. These are made possible by continuous intelligence gathering on a nation's critical infrastructure and key personnel.
    However, these types of attacks are not expected to be limited to Iran. The Middle East's pivot to high-tech industries, such as quantum computing and biotech, will likely attract the attention of other emerging economies. Consequently, attackers will increasingly target intellectual property, trade secrets, patents, and R&D data.
  7. The region's push for sovereign AI and localized data storage may cause friction with nations that export hardware, processors, and IT components. This could trigger periodic attacks aimed at taking regional data centers offline.
  8. As Arabic AI models emerge, attackers will use them to launch highly realistic social engineering campaigns. Hackers will also probe these models for vulnerabilities, threatening the infrastructure hosting them.

Scenario 2: the conflict escalates

  1. Advanced attacks on critical infrastructure: politically motivated hackers will escalate attacks on critical systems. Primary targets will include desalination plants, water supplies, and oil and gas facilities, with the goal of hijacking operations. The defense sector will also see more attacks aimed at stealing data or sabotaging military capabilities.
  2. Relentless DDoS attacks on various sectors. Hacktivists will stay highly active. They will target any vulnerable organizations to maximize disruption and media coverage.
  3. Targeting satellite systems: attackers will go after satellite infrastructure, hacking ground stations and control software. Their goal will be to intercept or spoof navigational data to disrupt military operations.
  4. The active use of generative AI for disinformation and psychological manipulation. Deepfakes are becoming increasingly realistic, which enhances the effectiveness of social engineering attacks. This plays directly into the hands of cybercriminals seeking to influence the trajectory of the conflict. We expect Iranian state-aligned groups to heavily use AI for advanced phishing.
  5. The Iran–Israel cyberwar will likely spread, hitting critical infrastructure in neighboring countries. Meanwhile, attacks on Iranian organizations will likely surge, mostly focusing on critical information infrastructure and the media.
  6. Dark web data scams: hackers will artificially inflate prices for old databases stolen before the conflict escalated. They will repackage and sell them as fresh breaches.

Recommendations

Regardless of how the conflict unfolds, cybersecurity strategies must address both global trends and regional specifics.

  1. Protect critical information infrastructure (CII). Focus on assets vital to national security, public safety, and the economy. These require continuous threat monitoring and proactive defense, such as SIEM solutions. Organizations can significantly enhance their security posture by regularly compiling and updating a list of non-tolerable events based on past successful cyberattacks, identifying their most valuable resources, and concentrating defensive efforts on critical assets.
  2. Malware attacks remain a pervasive global tactic, irrespective of geopolitics. To protect critical and industrial infrastructure, organizations must secure their network perimeters and strictly filter primary malware delivery vectors, most notably corporate email.
  3. Given the region's rapid digital transformation, threat prevention must begin at the software development stage. Application security testing (AST) tools, like static code analysis, help detect vulnerabilities before deployment. Meanwhile, dynamic analysis ensures any remaining flaws are fixed during testing and delivery.
  4. Deploy early-detection systems for OT networks. Solutions based on industrial protocol network traffic analysis (NTA) can drastically enhance the defense of critical facilities, which is especially vital given the high degree of industrial digitalization in the region.
  5. Countering AI-driven threats. The escalating use of GenAI in cyberattacks necessitates the development of deepfake detection tools and updated security awareness training for the general public.
  6. Adopt zero-trust architectures in industrial environments. The digitalization of industrial infrastructure has vastly expanded the attack surface, requiring a shift toward zero-trust architectures and solutions for protecting CII. A technical challenge is integrating modern security tools with legacy systems and the existing OT environments. To address this, organizations should conduct regular cybersecurity exercises with qualified specialists to identify and mitigate common threats.