APT Groups in the MENA Region: Key Threat Actors in Cyber Espionage

Advanced Persistent Threat (APT) groups conduct persistent, targeted cyber-espionage operations. Most are state-sponsored or state-funded, which gives them the skills, resources and patience to run complex, long-running intrusions. Their targets are typically critical infrastructure, government agencies and strategic industries, and their objectives are intelligence collection (military, national-security and economic), operational disruption of national assets, and geopolitical advantage.

The Middle East and North Africa (MENA) region is a particularly salient case: its geopolitical significance makes it a persistent target, and operations there are conducted at multiple levels and frequently reach beyond national borders. Below is an outline of five groups that have maintained a significant presence in the region, illustrated through their high-profile operations.

MuddyWater

MuddyWater, active since 2017 and attributed to Iranian intelligence, has consistently targeted telecommunications, energy and government networks. Its tradecraft centres on spear-phishing, PowerShell-based malware, and the abuse of legitimate administrative tools to maintain persistence and exfiltrate data.

One of its most prominent campaigns, in 2024, targeted Israeli organizations. MuddyWater deployed a new backdoor called BugSleep and relied on command-and-control (C2) infrastructure tracked as “DarkBeatC2”. The operation began with phishing emails carrying malicious attachments and leaned on living-off-the-land techniques so that follow-on activity blended in with legitimate administrative traffic. Once inside a network, the operators established persistence and elevated privileges before exfiltrating sensitive data. The campaign demonstrated both MuddyWater’s evolving toolset and its continued role in advancing Iran’s geopolitical objectives against Israel.

OilRig (APT34)

OilRig (also tracked as APT34), active since at least 2014, is another widely known espionage unit assessed to operate in support of Iran’s political agenda. Its campaigns primarily target the finance, energy, telecom and government sectors, using spear-phishing, malicious macros and custom-built backdoors to establish a long-term presence.

A high-profile set of OilRig activity, tracked as “Out to Sea”, began in 2018 and ran for several years against diplomatic organizations, healthcare organizations and technology companies in the region. The operators deployed several backdoors (DanBot, Shark and Milan) before moving to a more sophisticated tool, Marlin. Marlin used Microsoft OneDrive as its command-and-control channel, so its traffic went to a legitimate, widely used cloud service rather than to attacker-owned infrastructure, which made it far harder to distinguish from normal activity. The campaign allowed OilRig to harvest sensitive diplomatic and healthcare data, demonstrating its alignment with Iran’s regional political goals and its ability to innovate in the face of countermeasures.
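Marlin’s OneDrive channel illustrates a general detection problem that goes beyond this one campaign: when C2 rides on a legitimate cloud service, the destination is no longer an indicator, so defenders have to look at which process is talking and how regularly. The Python below is an added example for this page, not code from the campaign’s tooling or from Brandefense. The proxy log, the workstation names and the implant name svchost_update.exe are constructed, and the process allowlist and thresholds are assumptions. It flags processes that are not expected OneDrive/Graph clients and that poll those endpoints with a near-constant period.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Endpoints an implant using OneDrive as its C2 channel has to talk to.
CLOUD_STORAGE_HOSTS = {"graph.microsoft.com", "api.onedrive.com", "onedrive.live.com"}

# Processes expected to talk to those endpoints. Assumed allowlist for this
# example; in production key this on signer and path, not the image name.
EXPECTED_CLIENTS = {"onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe",
                    "outlook.exe", "winword.exe", "excel.exe", "teams.exe"}

# Constructed proxy log for this example (not real telemetry), one request per line:
# "<UTC timestamp> <workstation> <process image> <url>". WS-0731 runs a hypothetical
# implant (svchost_update.exe) polling a OneDrive path every ~5 minutes; the other
# hosts show ordinary, irregular usage.
SAMPLE_PROXY_LOG = """\
2024-03-04T09:00:00Z WS-0412 onedrive.exe https://api.onedrive.com/v1.0/drive/root/children
2024-03-04T09:00:00Z WS-0731 svchost_update.exe https://graph.microsoft.com/v1.0/me/drive/root:/cfg/7f3a:/content
2024-03-04T09:00:03Z WS-0412 onedrive.exe https://api.onedrive.com/v1.0/drive/items/01A
2024-03-04T09:01:30Z WS-0210 python.exe https://graph.microsoft.com/v1.0/me/drive/root/children
2024-03-04T09:02:11Z WS-0731 svchost_update.exe https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
2024-03-04T09:05:02Z WS-0731 svchost_update.exe https://graph.microsoft.com/v1.0/me/drive/root:/cfg/7f3a:/content
2024-03-04T09:09:58Z WS-0731 svchost_update.exe https://graph.microsoft.com/v1.0/me/drive/root:/cfg/7f3a:/content
2024-03-04T09:10:00Z WS-0210 python.exe https://graph.microsoft.com/v1.0/me/drive/root/children
2024-03-04T09:10:05Z WS-0210 python.exe https://graph.microsoft.com/v1.0/me/drive/items/01B/content
2024-03-04T09:11:40Z WS-0412 msedge.exe https://contoso-my.sharepoint.com/personal/a_user/_layouts/15/onedrive.aspx
2024-03-04T09:15:01Z WS-0731 svchost_update.exe https://graph.microsoft.com/v1.0/me/drive/root:/cfg/7f3a:/content
2024-03-04T09:20:00Z WS-0731 svchost_update.exe https://graph.microsoft.com/v1.0/me/drive/root:/cfg/7f3a:/content
2024-03-04T09:24:59Z WS-0731 svchost_update.exe https://graph.microsoft.com/v1.0/me/drive/root:/cfg/7f3a:/content
2024-03-04T09:30:00Z WS-0210 python.exe https://graph.microsoft.com/v1.0/me/drive/root/children
2024-03-04T09:30:03Z WS-0731 svchost_update.exe https://graph.microsoft.com/v1.0/me/drive/root:/cfg/7f3a:/content
2024-03-04T09:35:00Z WS-0731 svchost_update.exe https://graph.microsoft.com/v1.0/me/drive/root:/cfg/7f3a:/content
2024-03-04T09:45:00Z WS-0210 python.exe https://graph.microsoft.com/v1.0/me/drive/root/children
2024-03-04T09:52:00Z WS-0210 python.exe https://graph.microsoft.com/v1.0/me/drive/items/01C/content
"""


def parse_proxy_log(text: str) -> list:
    """Parse the constructed log format into (timestamp, host, process, url) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, url = line.split(maxsplit=3)
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc.lower(), url))
    return rows


def is_cloud_storage(url: str) -> bool:
    """True for OneDrive / Graph / SharePoint-personal endpoints."""
    host = (urlsplit(url).hostname or "").lower()
    return host in CLOUD_STORAGE_HOSTS or host.endswith("-my.sharepoint.com")


def find_cloud_beacons(log_text: str, min_count: int = 6, max_cv: float = 0.15) -> list:
    """Flag (host, process) pairs that poll cloud-storage APIs at a near-constant
    interval from a process that is not an expected client. The coefficient of
    variation of the gaps between requests measures jitter relative to the period."""
    polls = defaultdict(list)
    for ts, host, proc, url in parse_proxy_log(log_text):
        if is_cloud_storage(url):
            polls[(host, proc)].append(ts)

    findings = []
    for (host, proc), stamps in polls.items():
        if proc in EXPECTED_CLIENTS or len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"host": host, "process": proc, "count": len(stamps),
                             "mean_interval_s": round(avg, 1), "cv": round(cv, 4)})
    return findings


if __name__ == "__main__":
    for f in find_cloud_beacons(SAMPLE_PROXY_LOG):
        print(f)
```

On the constructed log only WS-0731’s svchost_update.exe is flagged: eight Graph requests roughly 300 seconds apart with a coefficient of variation below 0.01, while python.exe on WS-0210 talks to the same API just as often but irregularly and is left alone. Two caveats matter in practice: an implant can name its binary OneDrive.exe, so the allowlist must be backed by code-signing and path checks, and an implant with large random sleep jitter will pass the regularity test, so pair this with checks on request volume and on the fixed paths and response sizes a polling loop tends to produce.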

Moses Staff

Moses Staff surfaced publicly in late 2021 with an unusual combination of tactics that makes it hard to categorize: its activity blurs the line between ransomware and hack-and-leak operations. Atypically, Moses Staff demands no payment. It encrypts systems and steals data in order to publish that data and inflict reputational and operational harm.

One of the group’s earlier high-visibility incidents involved Israeli companies. The attackers accessed corporate networks, encrypted servers and exfiltrated sensitive business information, which they then leaked publicly to humiliate the victims. The leaks were accompanied by propaganda messages framing the attack as an act of resistance rather than a profit-driven crime. The result was operational disruption for the affected firms and a propaganda effect that fuelled political tensions, positioning Moses Staff as a destructive actor intent on undermining its regional rivals.


APT33 (Elfin)

APT33 (Elfin) is one of Iran’s better-known state-sponsored cyber threat groups, active since at least 2013. Its operations have generally been directed at the energy, aviation and defence industries, primarily in Saudi Arabia. It has a known history of using custom malware to breach industrial systems and disrupt business processes linked to national security.

Around 2017, APT33 ran a campaign against multiple Saudi petrochemical and aviation companies. The operators used several malware families, including the DROPSHOT dropper and the TURNEDUP backdoor, which together provided remote access and persistence and the ability to stage additional backdoors. Evidence also connected the actor to destructive malware such as StoneDrill, a wiper capable of destroying systems and disrupting industrial processes.

The campaign showed that the group could do more than exfiltrate sensitive information: it could cause physical and operational disruption to critical sectors of Saudi Arabia’s economy and defence posture.

SideWinder

Over the past few years SideWinder, a group associated with India, has broadened its activity beyond South Asia to include the MENA region. Its campaigns typically use phishing emails, exploits for older Office vulnerabilities, and multi-stage malware loaders to deliver its espionage tooling.

In 2024, SideWinder was linked to an espionage campaign against ports and maritime facilities in countries of strategic importance to India, including Egypt, Bangladesh and Sri Lanka. In Egypt, targeted phishing emails to employees of port authorities and logistics firms gave SideWinder access to the systems that support maritime trade and operations. It then deployed multi-stage malware capable of exfiltrating sensitive documents and monitoring internal communications. The campaign shows SideWinder treating maritime (port and navigation) infrastructure as a strategic intelligence target, reflecting the growing role of maritime security in shaping regional risk.


Escalation During the Iran–Israel Conflict

The recent conflict between Iran and Israel has only underlined the role of APT groups. Security researchers observed a sharp increase in activity attributed to Iranian-backed actors during and immediately after the escalation.

MuddyWater, for example, was linked to a new Android surveillance tool called DCHSpy, which extracts WhatsApp messages, SMS, call logs and GPS location and, most intrusively, can silently activate the device’s camera and microphone. It surfaced less than a week after the start of the conflict, indicating that Iranian APTs can mobilize cyber assets quickly alongside conventional military operations.

Reporting also indicated that other Iranian-linked groups, including OilRig and APT33, increased their overall activity, with some sources citing a rise in attempted intrusions of as much as 130% during the escalation. Targets were not limited to Israeli entities but extended to allied organizations in the U.S., particularly in the transport and manufacturing sectors. The pattern underlines that, in periods of geopolitical crisis, tension translates directly into cyber activity, with state-led APTs acting as instruments of national policy.

Conclusion

The activities of MuddyWater, OilRig, Moses Staff, APT33 and SideWinder show how varied and persistent the threat landscape is for defenders in the MENA region. Each group employs different tools and techniques, but their shared focus on strategic infrastructure, including energy, petrochemicals, government systems and port logistics, highlights the scale of the challenge.

The recent surge in activity during the Iran–Israel conflict also shows that these actors are not static: they rapidly shift operational focus in response to geopolitical circumstances. Such campaigns are instructive in showing how a state wields cyber capabilities as an extension of its power. For defenders, the lesson is that building technical resilience is necessary but not sufficient; security teams must also remain aware of the broader political context in which these groups operate.
