Adversary Intelligence

Threat Actors Targeting the UAE & GCC

Know your adversary. This reference profiles the advanced persistent threat (APT) groups and actors most active against Gulf organizations — their origins, what they want, who they hit, and the techniques that matter for your defenses. Profiles are summarized from open-source reporting and MITRE ATT&CK; they are educational, not operational attribution.

OilRig MuddyWater APT33 Agonizing Serpens Lazarus Group Anonymous Sudan

OilRig

APT34 · Helix Kitten · Cobalt Gypsy · Earth Simnavaz

Critical risk

Origin

Iran (state-aligned)

Motivation

Espionage

Active since

2014

One of the most persistent espionage groups operating across the Gulf, OilRig conducts long-running intelligence collection against UAE and wider GCC government, energy, and financial targets. It favors patient, credential-driven access and custom backdoors that blend into normal network traffic.

Tactics & Techniques

Spear-phishing with malicious documents
DNS tunneling for C2 (DNSExfiltrator-style)
Custom backdoors (Karkoff, RDAT, Saitama)
Webshells on internet-facing servers
Abuse of legitimate cloud and email services

Targeted sectors

GovernmentEnergyFinanceTelecom

Defender takeaway

Repeatedly observed exfiltrating data over DNS and webmail to evade perimeter controls — a reminder to monitor DNS and outbound mail patterns, not just web traffic.

MuddyWater

Static Kitten · Mercury · Seedworm · TEMP.Zagros

High risk

Origin

Iran (MOIS-linked)

Motivation

Espionage

Active since

2017

A prolific group conducting espionage and access operations across the Middle East. MuddyWater leans heavily on legitimate remote-management tools and living-off-the-land techniques, making detection difficult for under-instrumented SOCs.

Tactics & Techniques

Phishing with macro-laden documents
Abuse of RMM tools (Atera, ScreenConnect, Syncro)
PowerShell-based loaders and backdoors
Credential harvesting and lateral movement
Use of compromised infrastructure for C2

Targeted sectors

GovernmentTelecomDefenseOil & Gas

Defender takeaway

Its reliance on commercial remote-management software means that tightly controlling and alerting on RMM installs is one of the highest-leverage defenses.

APT33

Elfin · Refined Kitten · Holmium · Peach Sandstorm

High risk

Origin

Iran (state-aligned)

Motivation

Espionage

Active since

2013

APT33 targets aviation and energy organizations with strategic interest to Iran, including entities in the UAE and Saudi Arabia. It has links to destructive activity and is known for large-scale password-spraying campaigns.

Tactics & Techniques

Password spraying against cloud and VPN logins
Spear-phishing with job-themed lures
Custom droppers and backdoors (TURNEDUP, SHAPESHIFT)
Possible ties to wiper malware operations

Targeted sectors

AviationEnergyPetrochemicalDefense

Defender takeaway

Heavy use of password spraying makes MFA enforcement and impossible-travel detection essential controls against this actor.

Agonizing Serpens

Agrius · Pink Sandstorm · BlackShadow

Critical risk

Origin

Iran (state-aligned)

Motivation

Sabotage

Active since

2020

A destructive actor that masquerades as ransomware while its true objective is data theft and disruption. Agrius deploys wipers under the cover of extortion, causing lasting damage even when victims attempt to pay.

Tactics & Techniques

Exploitation of internet-facing web apps and VPNs
Wipers disguised as ransomware (Apostle, Fantasy, IPSec Helper)
Data theft prior to destruction
Custom tooling to bypass EDR

Targeted sectors

EducationTechnologyGovernment

Defender takeaway

Because 'ransom' demands are a smokescreen for wiping, immutable offline backups are the only reliable defense — paying does not restore data.

Lazarus Group

Hidden Cobra · APT38 · Diamond Sleet

High risk

Origin

North Korea (state-sponsored)

Motivation

Financial

Active since

2009

A state-sponsored group that funds the North Korean regime through large-scale financial theft, increasingly targeting cryptocurrency exchanges and financial institutions in the Gulf's growing fintech sector.

Tactics & Techniques

Supply-chain and software-update compromise
Fake job offers and social-engineering on LinkedIn
Trojanized trading and crypto apps
Theft from SWIFT and crypto-exchange infrastructure

Targeted sectors

FinanceCryptocurrencyDefenseTechnology

Defender takeaway

Its 'dream job' social-engineering campaigns target developers and finance staff directly — security awareness must extend to professional networking platforms.

Anonymous Sudan

Storm-1359

Elevated risk

Origin

Hacktivist (disputed attribution)

Motivation

Hacktivism

Active since

2023

A high-profile actor conducting politically motivated DDoS attacks against organizations across the Middle East and beyond. While disruptive rather than stealthy, its campaigns have caused notable outages for regional service providers.

Tactics & Techniques

Large-scale Layer 7 (application) DDoS
Use of paid DDoS infrastructure and botnets
Coordinated campaigns announced via Telegram

Targeted sectors

GovernmentAviationFinanceMedia

Defender takeaway

Defense centers on upstream DDoS mitigation, rate limiting, and CDN protection — perimeter scaling alone is rarely sufficient against sustained Layer 7 floods.

Defending against these actors

Across every group above, the same fundamentals blunt the attack: phishing-resistant MFA, rapid patching of internet-facing systems (track the CISA KEV feed on our dashboard), tested offline backups, monitored EDR, and tightly controlled remote-management tooling. Benchmark your readiness with the Security Posture Assessment or request a threat briefing.

Threat Actors Targeting the UAE & GCC

OilRig

APT34 · Helix Kitten · Cobalt Gypsy · Earth Simnavaz

Critical risk

Origin

Iran (state-aligned)

Motivation

Espionage

Active since

2014

Tactics & Techniques

Spear-phishing with malicious documents
DNS tunneling for C2 (DNSExfiltrator-style)
Custom backdoors (Karkoff, RDAT, Saitama)
Webshells on internet-facing servers
Abuse of legitimate cloud and email services

Targeted sectors

GovernmentEnergyFinanceTelecom

Defender takeaway

Repeatedly observed exfiltrating data over DNS and webmail to evade perimeter controls — a reminder to monitor DNS and outbound mail patterns, not just web traffic.

MuddyWater

Static Kitten · Mercury · Seedworm · TEMP.Zagros

High risk

Origin

Iran (MOIS-linked)

Motivation

Espionage

Active since

2017

Tactics & Techniques

Phishing with macro-laden documents
Abuse of RMM tools (Atera, ScreenConnect, Syncro)
PowerShell-based loaders and backdoors
Credential harvesting and lateral movement
Use of compromised infrastructure for C2

Targeted sectors

GovernmentTelecomDefenseOil & Gas

Defender takeaway

Its reliance on commercial remote-management software means that tightly controlling and alerting on RMM installs is one of the highest-leverage defenses.

APT33

Elfin · Refined Kitten · Holmium · Peach Sandstorm

High risk

Origin

Iran (state-aligned)

Motivation

Espionage

Active since

2013

Tactics & Techniques

Password spraying against cloud and VPN logins
Spear-phishing with job-themed lures
Custom droppers and backdoors (TURNEDUP, SHAPESHIFT)
Possible ties to wiper malware operations

Targeted sectors

AviationEnergyPetrochemicalDefense

Defender takeaway

Heavy use of password spraying makes MFA enforcement and impossible-travel detection essential controls against this actor.

Agonizing Serpens

Agrius · Pink Sandstorm · BlackShadow

Critical risk

Origin

Iran (state-aligned)

Motivation

Sabotage

Active since

2020

Tactics & Techniques

Exploitation of internet-facing web apps and VPNs
Wipers disguised as ransomware (Apostle, Fantasy, IPSec Helper)
Data theft prior to destruction
Custom tooling to bypass EDR

Targeted sectors

EducationTechnologyGovernment

Defender takeaway

Because 'ransom' demands are a smokescreen for wiping, immutable offline backups are the only reliable defense — paying does not restore data.

Lazarus Group

Hidden Cobra · APT38 · Diamond Sleet

High risk

Origin

North Korea (state-sponsored)

Motivation

Financial

Active since

2009

Tactics & Techniques

Supply-chain and software-update compromise
Fake job offers and social-engineering on LinkedIn
Trojanized trading and crypto apps
Theft from SWIFT and crypto-exchange infrastructure

Targeted sectors

FinanceCryptocurrencyDefenseTechnology

Defender takeaway

Its 'dream job' social-engineering campaigns target developers and finance staff directly — security awareness must extend to professional networking platforms.

Anonymous Sudan

Storm-1359

Elevated risk

Origin

Hacktivist (disputed attribution)

Motivation

Hacktivism

Active since

2023

Tactics & Techniques

Large-scale Layer 7 (application) DDoS
Use of paid DDoS infrastructure and botnets
Coordinated campaigns announced via Telegram

Targeted sectors

GovernmentAviationFinanceMedia

Defender takeaway

Defense centers on upstream DDoS mitigation, rate limiting, and CDN protection — perimeter scaling alone is rarely sufficient against sustained Layer 7 floods.