Tracking the cyber consequences of geopolitical events

Source: Noticias ICEX
Section: Threat Intelligence
How CTI analysts can monitor geopolitical activity to defend against emerging cyber threats

Alessandro Magion, Mar 11, 2026

15-second summary

Recent geopolitical tensions in the Middle East are a reminder that armed conflict increasingly has a cyber dimension. CTI analysts need to ensure their organizations are prepared to defend against downstream consequences that could affect them. This means understanding the actors, the latest developments, who they are targeting, and their techniques, using sources in multiple languages.

Here’s how Feedly can help with this and similar global threats as they emerge:

- Multi-language AI Feeds to monitor conflicts in the local languages of the affected countries, with reporting in 15 languages, including Arabic, Russian, and Chinese, in addition to English.
- TTP AI Agents to track related state-sponsored and hacktivist groups, and get alerted as their tactics evolve.
- Threat Actor Insight Cards for quick, structured overviews of each actor’s capabilities, targeted sectors, and recent activity. Use Ask AI to tailor your research.
- Automated intel reports and newsletters to push a curated daily brief on conflict-linked cyber activity to your team.

We’ll walk you through six steps to go from initial research to ongoing monitoring to daily dissemination.

How to use Feedly to track geopolitical events in real time

Step 1: Use Ask AI Research to get a quick summary of the cyber threats associated with the conflict

Ask AI Research is quick and grounded in the Feedly Threat Graph. When you ask a question, it quickly researches related articles, associated threat actors, and more, and provides links to sources for deeper investigation.

Using the recent escalation of the US-Iran-Israel conflict from February 2026 as an example, you could quickly get an understanding of the primary cyber threats, relevant threat actors, and the TTPs they’ve used.

Full Ask AI Research response

Iranian-Linked Threat Actors and TTPs Targeting Financial Services in Europe

Given the escalating conflict between Iran, Israel, and the US that began on February 28, 2026, European financial services organizations face a multi-directional threat landscape from both state-sponsored APTs and proxy hacktivist groups.

Key Threat Actors to Monitor

#1: Seedworm / MuddyWater (Static Kitten) - Symantec researchers identified Iranian APT group Seedworm conducting intrusion operations against multiple U.S. organizations beginning in early February 2026, with targeted entities including a U.S. bank, software company, airport, and NGOs in the U.S. and Canada. This direct targeting of a bank demonstrates clear intent to compromise financial institutions. Seedworm, also tracked as MuddyWater, Temp Zagros, and Static Kitten, is assessed by CISA as a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).

#2: OilRig (APT34 / Helix Kitten) - OilRig primarily targets financial services, defense contractors, and energy organizations through spear-phishing and credential harvesting. OilRig specializes in cyberespionage with modular malware, PowerShell-based tools, DNS tunneling for C2, and custom backdoors like Helminth and QUADAGENT. In 2025, they targeted US transportation and manufacturing organizations, evolving tactics after a 2019 tool leak to enhance credential theft and network persistence.

#3: TA453 / Charming Kitten (Damselfly, Mint Sandstorm, APT42) - On 8 March, Proofpoint observed TA453 conduct a credential phishing attempt against a US think tank target. The email correspondence culminating in this attempt commenced prior to the conflict, indicating that TA453 is continuing to prioritize intelligence collection against its traditional target set. Charming Kitten, active since 2014 and linked to the IRGC, specializes in espionage through spear-phishing with fake personas and compromised emails to deliver POWERSTAR malware, exploiting Microsoft Exchange vulnerabilities, and using password-spraying. Recently in 2024, they targeted US election accounts and Israeli cybersecurity experts with phishing via benign PDFs for credential harvesting.

#4: TA473 / Winter Vivern (Belarus-aligned) - Between 3–5 March 2026, the Belarus-aligned threat actor TA473 sent emails to government organizations in Europe and the Middle East. These messages originated from likely compromised infrastructure and purported to be a European Council President spokesperson. The phishing emails contained an HTML attachment titled "european union statement on the situation in iran and the middle east.html." Notably, Proofpoint has not previously observed TA473 targeting Middle Eastern government organizations. The expansion into European targets makes this actor particularly relevant for European institutions.

Hacktivist Groups

- Handala: Known for conducting attacks targeting Israeli organizations and entities perceived to support Israel by conducting phishing attacks, data theft, ransomware, extortion and destructive attacks, including the use of custom wipers.
- DieNet: The pro-Palestine hacktivist group DieNet launched high-volume distributed denial-of-service attacks against U.S. critical infrastructure sectors, including energy, finance, healthcare, and transportation, using amplification techniques and DDoS-as-a-service infrastructure to disrupt operations.

TTPs to Monitor

Initial Access

- Spear-Phishing (T1566): Campaigns heavily relied on aspects of the conflict as topical lure content to engage targets and often used compromised accounts belonging to government organizations to send phishing emails.
- Credential Harvesting (T1056.003): Over the last year, multiple reports involving Iran-backed groups repeatedly highlighted credential attacks and mailbox compromises as a means of initial access and intelligence gathering.
- Password Spraying (T1110.003): Organizations should deploy monitoring for password spraying attempts across multiple user accounts from unusual geographic locations, particularly authentication failures outside normal working hours or from VPN infrastructure including NordVPN endpoints.

Execution and Persistence

- New Backdoors — Dindoor and Fakeset: Seedworm deployed a previously unknown backdoor named Dindoor leveraging the Deno runtime for JavaScript and TypeScript execution, signed with certificates issued to "Amy Cherne." A separate Python backdoor called Fakeset was discovered on U.S. airport and non-profit networks, signed with certificates issued to "Amy Cherne" and "Donald Gay."
- MuddyWater — New Malware (Operation Olalampo): First observed on 26 January 2026, MuddyWater deployed several novel malware variants including a Rust backdoor called CHAR that leveraged a Telegram bot as a command-and-control (C2) channel. Researchers identified indicators suggesting AI-assisted malware development.
- DLL Sideloading (T1574.002): A loader executes a benign signed executable vulnerable to DLL sideloading ("nvdaHelperRemoteLoader.exe"), which then loads the malicious loader DLL "nvdaHelperRemote.dll," decrypts a Cobalt Strike payload from WinHlp.hlp and loads it into memory.
- Data Exfiltration (T1537): Attackers attempted data exfiltration from a software company using Rclone to transfer backups to Wasabi cloud storage buckets. Financial institutions should specifically monitor for unauthorized use of tools like Rclone.
- Destructive Capabilities (T1485): Iran has demonstrated capability for destructive cyberattacks including wiper malware deployment, with historical operations like Shamoon against Saudi Arabia's oil industry and BibiWiper attacks against Israeli targets.
- DDoS (T1498): In DDoS attacks, groups have leveraged high-volume attacks reportedly via DDoS-as-a-service infrastructure, including TCP RST, DNS amplification, TCP SYN floods, and NTP amplification attacks, as well as website defacements and data breaches.

Defensive Recommendations

Enable multi-factor authentication across all remote access, disable legacy authentication protocols, and implement conditional access policies based on location and device risk.

Search environments for the presence of Deno runtimes or unauthorized Python scripts, which may indicate Dindoor or Fakeset infections.
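The password-spraying monitoring the response calls for under T1110.003 (failures across many accounts from one source, from unusual locations, outside working hours) can be expressed as a small detection over authentication events. The following is an added example, not code from the Feedly post or from the Ask AI response it quotes; the event records, country codes, working hours and thresholds are constructed assumptions.

```python
# Added example, not code from the Feedly post or the Ask AI response it quotes.
# Implements the T1110.003 monitoring the response recommends: many distinct
# accounts failing from one source inside a short window, flagged for off-hours
# activity and unexpected geography. Events, countries, hours, thresholds: assumed.
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, user, source_ip, country, result).
# 203.0.113.7 tries six accounts once each at 02:14 (spray, then one success);
# 198.51.100.4 is one user mistyping a password during the working day.
EVENTS = [
    ("2026-03-09T02:14:05", "a.smith", "203.0.113.7", "XX", "FAIL"),
    ("2026-03-09T02:14:09", "b.jones", "203.0.113.7", "XX", "FAIL"),
    ("2026-03-09T02:14:14", "c.brown", "203.0.113.7", "XX", "FAIL"),
    ("2026-03-09T02:14:20", "d.white", "203.0.113.7", "XX", "FAIL"),
    ("2026-03-09T02:14:27", "e.green", "203.0.113.7", "XX", "FAIL"),
    ("2026-03-09T02:14:33", "f.black", "203.0.113.7", "XX", "SUCCESS"),
    ("2026-03-09T10:02:41", "g.hall", "198.51.100.4", "DE", "FAIL"),
    ("2026-03-09T10:02:55", "g.hall", "198.51.100.4", "DE", "FAIL"),
    ("2026-03-09T10:03:10", "g.hall", "198.51.100.4", "DE", "SUCCESS"),
]

EXPECTED_COUNTRIES = {"DE", "FR", "NL"}  # assumed: where the org normally logs in from
WORK_HOURS = range(8, 19)                # assumed: 08:00-18:59 local time
MIN_DISTINCT_USERS = 5                   # assumed: distinct accounts that make a spray
WINDOW_SECONDS = 600                     # assumed: failures must fall within 10 minutes

def detect_password_spray(events):
    """Return one alert dict per source IP whose failures look like a spray:
    many distinct accounts, few attempts each, all inside the window."""
    by_source = defaultdict(list)
    for ts, user, ip, country, result in events:
        by_source[ip].append((datetime.fromisoformat(ts), user, country, result))
    alerts = []
    for ip, recs in by_source.items():
        recs.sort()
        failures = [r for r in recs if r[3] == "FAIL"]
        users = {r[1] for r in failures}
        if len(users) < MIN_DISTINCT_USERS:
            continue  # too few accounts: brute force or user error, not a spray
        if (failures[-1][0] - failures[0][0]).total_seconds() > WINDOW_SECONDS:
            continue  # spread out too far for this detector's window
        alerts.append({
            "source_ip": ip,
            "distinct_users": len(users),
            "max_attempts_per_user": max(sum(r[1] == u for r in failures) for u in users),
            "off_hours": any(r[0].hour not in WORK_HOURS for r in failures),
            "unexpected_geo": any(r[2] not in EXPECTED_COUNTRIES for r in failures),
            "success_after_spray": any(r[3] == "SUCCESS" for r in recs),  # credential likely found
        })
    return alerts
```

Calling `detect_password_spray(EVENTS)` yields a single alert for 203.0.113.7 with one attempt per account and all three triage flags set, while the legitimate user's retries produce nothing; a success following a spray is the case that warrants immediate credential reset.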
Monitor for the unauthorized use of data exfiltration tools like Rclone, especially large outbound transfers to external cloud storage platforms like Wasabi or Backblaze.

Given warnings that Iranian actors may escalate to disruptive or destructive operations, organizations should also validate network segmentation, protect and isolate backups, test recovery procedures, and ensure monitoring is in place for shadow copy deletion, mass task creation, suspicious administrative command execution, and attempts to disable security tooling.

Threat intelligence signatures tied to Iranian APT groups should be updated on a rolling basis, with real-time feeds enabled and newly published IOCs reviewed without delay. Reducing the external attack surface is equally urgent — default credentials must be changed across all assets, particularly OT and IoT devices that often go unpatched for long periods.

For a comprehensive view of the TTPs referenced above, visit the Feedly TTP AI Agent.

Step 2: Pivot into Threat Actor Insights Cards to quickly get up to speed

From that Ask AI Research, you can see the associated Threat Actor Insights Cards. Pull up the Insight Cards for each group to get a clear baseline on capabilities, past attacks, and known targeting. You’ll get real-time threat actor profiles to help you contextualize incoming threat reporting without spending hours researching each actor.

Full Charming Kitten Threat Actor Insights Card (PDF download, captured on March 11th, 2026)

Step 3: Configure Cyberattack Intel Agents to monitor key activity in the region

Create a Cyberattack Intel Agent to monitor new attacks in the affected region. In the aforementioned conflict, we could follow all cyberattacks in Middle Eastern countries.

The agent will surface new and updated information about attacks from the moment it’s published, so you're not manually scanning dozens of sources.

Step 4: Build AI Feeds to collect relevant intelligence

Set up AI Feeds for ongoing monitoring and filtering of articles about the geopolitical event, the connected threat actors, and the TTPs they’re using:

- Use AI Models related to the countries and threat actors involved.
- Follow multiple languages, including English, Arabic, Russian, and Chinese.
- Follow sources, including:
  - Threat intelligence vendors publishing advisories specific to the geopolitical event (CISA, NCSC, Mandiant, Microsoft MSTIC, etc.)
  - Regional news sources in Arabic that report on cyber activity
  - OSINT communities on Twitter/X and Mastodon tracking the conflict
  - Government and CERT advisories from countries involved in or affected by the conflict

You can set up multiple AI Feeds to track different aspects or intelligence requirements related to the geopolitical event. In this example, we follow threat actors and TTPs in the region.

Step 5: Use Ask AI to analyze content in your AI Feed

Accelerate your threat analysis by using Ask AI to synthesize and summarize articles in your customized feed. Ask your specific intelligence questions to get answers grounded in the content you choose.

Prompt

What are the latest TTPs being used by threat actors associated with the US-Israel-Iran conflict? Identify the MITRE ATT&CK T-Codes linked to each TTP, which threat actor is using them, and if there are any TTPs being reported as novel/new that emerged during this conflict.

Using MITRE D3FEND, suggest defensive mitigations for each MITRE ATT&CK you identify.

Output: Create a table for this information.

Step 6: Automate a daily geopolitical threat brief

Use Feedly's Report Builder or Automated Newsletters to create standing daily threat briefs tailored to your stakeholders, covering:

- New threat activity
- Relevant government advisories
- Conflict-related geopolitical developments with cyber implications

Automate sending them to your SOC, leadership, and relevant stakeholders each morning to keep them informed without adding too much extra manual work to your daily workload.

Full Geopolitical Cyber Brief (PDF download, captured on March 11th, 2026)

The bottom line for your organization

Geopolitical volatility isn't letting up, and the cyber threat landscape is shifting with it. CTI teams that can connect those dots and translate them into clear guidance for leadership are the ones proving their program's worth.

Government advisories are helpful, but they're static. You need to get ahead of the threat, monitor it continuously, and make sure your organization has the context it needs to act and mitigate risk.

Feedly is built for sustained, automated monitoring, to give your team the signal, structure, and speed to stay ahead of what's coming.

Track the cyber consequences of geopolitical events in Feedly

When tensions escalate, the cyber threat landscape shifts fast. Feedly helps your team move from initial research to continuous monitoring to automated daily briefs, so you always have the context you need to act proactively.