Iranian-Linked Threat Actors and TTPs Targeting Financial Services in Europe
Given the escalating conflict between Iran, Israel, and the US that began on February 28, 2026, European financial services organizations face a multi-directional threat landscape from both state-sponsored APTs and proxy hacktivist groups.
Key Threat Actors to Monitor
Seedworm / MuddyWater (Static Kitten)
Symantec researchers identified Iranian APT group Seedworm conducting intrusion operations against multiple U.S. organizations beginning in early February 2026, with targeted entities including a U.S. bank, software company, airport, and NGOs in the U.S. and Canada. This direct targeting of a bank demonstrates clear intent to compromise financial institutions.
Seedworm, also tracked as MuddyWater, Temp Zagros, and Static Kitten, is assessed by CISA as a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).
OilRig (APT34 / Helix Kitten)
OilRig primarily targets financial services, defense contractors, and energy organizations through spear-phishing and credential harvesting. OilRig specializes in cyberespionage with modular malware, PowerShell-based tools, DNS tunneling for C2, and custom backdoors like Helminth and QUADAGENT. In 2025, they targeted US transportation and manufacturing organizations, evolving tactics after a 2019 tool leak to enhance credential theft and network persistence.
TA453 / Charming Kitten (Damselfly, Mint Sandstorm, APT42)
On 8 March, Proofpoint observed TA453 conduct a credential phishing attempt against a US think-tank target. The email correspondence culminating in this attempt commenced prior to the conflict, indicating that TA453 is continuing to prioritize intelligence collection against its traditional target set.
Charming Kitten, active since 2014 and linked to the IRGC, specializes in espionage: spear-phishing with fake personas and compromised email accounts to deliver POWERSTAR malware, exploitation of Microsoft Exchange vulnerabilities, and password spraying. In 2024 it targeted US election accounts and Israeli cybersecurity experts with phishing that used benign PDFs for credential harvesting.
TA473 / Winter Vivern (Belarus-aligned)
Between 3–5 March 2026, the Belarus-aligned threat actor TA473 sent emails to government organizations in Europe and the Middle East. These messages originated from likely compromised infrastructure and purported to be a European Council President spokesperson. The phishing emails contained an HTML attachment titled “european union statement on the situation in iran and the middle east.html.” Notably, Proofpoint has not previously observed TA473 targeting Middle Eastern government organizations. The expansion into European targets makes this actor particularly relevant for European institutions.
Hacktivist Groups
Handala: Known for attacks on Israeli organizations and on entities perceived to support Israel, using phishing, data theft, ransomware, extortion and destructive attacks, including custom wipers.
DieNet: The pro-Palestine hacktivist group DieNet launched high-volume distributed denial-of-service attacks against U.S. critical infrastructure sectors, including energy, finance, healthcare, and transportation, using amplification techniques and DDoS-as-a-service infrastructure to disrupt operations.
TTPs to Monitor
Initial Access
Spear-Phishing (T1566): Campaigns heavily relied on aspects of the conflict as topical lure content to engage targets and often used compromised accounts belonging to government organizations to send phishing emails.
Credential Harvesting (T1056.003): Over the last year, multiple reports involving Iran-backed groups repeatedly highlighted credential attacks and mailbox compromises as a means of initial access and intelligence gathering.
Password Spraying (T1110.003): Organizations should deploy monitoring for password spraying attempts across multiple user accounts from unusual geographic locations, particularly authentication failures outside normal working hours or from VPN infrastructure including NordVPN endpoints.
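As an added example (not code from the report or from any vendor it cites), the following Python script applies the spraying criteria above to constructed sign-in log lines: many distinct accounts failing from one source in a short window, enriched with the unusual-geo, VPN-egress and off-hours signals, plus any later success from the same source. The log format, the expected-country set, the VPN prefix and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log: timestamp,user,source_ip,geo_country,result
SAMPLE_LOG = """\
2026-03-04T02:11:05,alice,203.0.113.7,NL,FAIL
2026-03-04T02:11:09,bob,203.0.113.7,NL,FAIL
2026-03-04T02:11:14,carol,203.0.113.7,NL,FAIL
2026-03-04T02:11:20,dave,203.0.113.7,NL,FAIL
2026-03-04T02:11:25,erin,203.0.113.7,NL,FAIL
2026-03-04T02:11:31,frank,203.0.113.7,NL,SUCCESS
2026-03-04T09:30:15,alice,198.51.100.20,DE,SUCCESS
"""
EXPECTED_COUNTRIES = {"DE", "FR"}  # assumption: where staff normally sign in from
VPN_PREFIXES = ("203.0.113.",)     # assumption: known commercial VPN egress ranges
WORK_HOURS = range(7, 20)          # assumption: 07:00-19:59 local time

def parse(log_text):
    """Parse the CSV-style lines into dicts with a datetime timestamp."""
    rows = []
    for line in log_text.splitlines():
        ts, user, ip, country, result = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "ip": ip, "country": country, "result": result})
    return rows

def detect_spray(rows, window_min=10, min_users=5):
    """Flag a source IP failing against >= min_users accounts within window_min minutes."""
    fails_by_ip = defaultdict(list)
    for r in (x for x in rows if x["result"] == "FAIL"):
        fails_by_ip[r["ip"]].append(r)
    alerts = []
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda r: r["ts"])  # logs are not guaranteed to arrive in order
        for first in fails:
            users = {r["user"] for r in fails
                     if 0 <= (r["ts"] - first["ts"]).total_seconds() <= window_min * 60}
            if len(users) < min_users:
                continue
            reasons = [tag for tag, hit in (
                ("unusual-geo", first["country"] not in EXPECTED_COUNTRIES),
                ("vpn-range", ip.startswith(VPN_PREFIXES)),
                ("off-hours", first["ts"].hour not in WORK_HOURS)) if hit]
            # A success from the same source after the spray is the top-priority signal.
            later_success = sorted({r["user"] for r in rows if r["ip"] == ip
                                    and r["result"] == "SUCCESS" and r["ts"] >= first["ts"]})
            alerts.append({"ip": ip, "distinct_users": len(users),
                           "reasons": reasons, "later_success": later_success})
            break
    return alerts
```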
Execution and Persistence
New Backdoors — Dindoor and Fakeset: Seedworm deployed a previously unknown backdoor named Dindoor leveraging Deno runtime for JavaScript and TypeScript execution, signed with certificates issued to “Amy Cherne.” A separate Python backdoor called Fakeset was discovered on U.S. airport and non-profit networks, signed with certificates issued to “Amy Cherne” and “Donald Gay.”
MuddyWater — New Malware (Operation Olalampo): First observed on 26 January 2026, MuddyWater deployed several novel malware variants including a Rust backdoor called CHAR that leveraged a Telegram bot as a command-and-control (C2) channel. Researchers identified indicators suggesting AI-assisted malware development.
DLL Sideloading (T1574.002): An initial loader runs a benign signed executable vulnerable to DLL sideloading (“nvdaHelperRemoteLoader.exe”), which in turn loads the malicious loader DLL “nvdaHelperRemote.dll”; that DLL decrypts a Cobalt Strike payload from WinHlp.hlp and loads it into memory.
Data Exfiltration (T1537)
Attackers attempted data exfiltration from a software company using Rclone to transfer backups to Wasabi cloud storage buckets. Financial institutions should specifically monitor for unauthorized use of tools like Rclone.
Destructive Capabilities (T1485)
Iran has demonstrated capability for destructive cyberattacks including wiper malware deployment, with historical operations like Shamoon against Saudi Arabia’s oil industry and BibiWiper attacks against Israeli targets.
DDoS (T1498)
Groups have reportedly launched high-volume DDoS attacks via DDoS-as-a-service infrastructure, including TCP RST, DNS amplification, TCP SYN flood and NTP amplification attacks, alongside website defacements and data breaches.
Defensive Recommendations
Enable multi-factor authentication across all remote access, disable legacy authentication protocols, and implement conditional access policies based on location and device risk.
Search environments for the presence of Deno runtimes or unauthorized Python scripts, which may indicate Dindoor or Fakeset infections. Monitor for the unauthorized use of data exfiltration tools like Rclone, especially large outbound transfers to external cloud storage platforms like Wasabi or Backblaze.
Given warnings that Iranian actors may escalate to disruptive or destructive operations, organizations should also validate network segmentation, protect and isolate backups, test recovery procedures, and ensure monitoring is in place for shadow copy deletion, mass task creation, suspicious administrative command execution, and attempts to disable security tooling.
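As an added example (not code from the report), this Python hunt applies the monitoring points in the two paragraphs above to constructed process-creation events: shadow copy and backup catalog deletion, bursts of scheduled-task creation, disabling of security tooling, and Rclone transfers to Wasabi or Backblaze. The event format, the command-line patterns and the burst thresholds are assumptions about how these behaviours appear in endpoint telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation events: (timestamp, host, command line)
SAMPLE_EVENTS = [
    ("2026-03-05T22:01:10", "FS01", "vssadmin.exe delete shadows /all /quiet"),
    ("2026-03-05T22:01:12", "FS01", "wbadmin.exe delete catalog -quiet"),
    ("2026-03-05T22:01:20", "FS01", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2026-03-05T22:02:00", "FS01", "rclone.exe copy D:\\Backups wasabi:corp-bk --transfers 16"),
    ("2026-03-05T22:03:00", "WS07", "schtasks.exe /create /tn upd1 /tr c:\\t\\a.exe /sc minute"),
    ("2026-03-05T22:03:02", "WS07", "schtasks.exe /create /tn upd2 /tr c:\\t\\a.exe /sc minute"),
    ("2026-03-05T22:03:04", "WS07", "schtasks.exe /create /tn upd3 /tr c:\\t\\a.exe /sc minute"),
    ("2026-03-05T22:03:06", "WS07", "schtasks.exe /create /tn upd4 /tr c:\\t\\a.exe /sc minute"),
    ("2026-03-05T22:03:08", "WS07", "schtasks.exe /create /tn upd5 /tr c:\\t\\a.exe /sc minute"),
    ("2026-03-05T10:15:00", "WS03", "schtasks.exe /create /tn nightly /tr c:\\bk\\run.bat /sc daily"),
]

# Command-line patterns (assumptions about how each behaviour shows up in telemetry).
RULES = {
    "shadow_backup_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog)", re.I),
    "security_tooling_disabled": re.compile(
        r"(Set-MpPreference\s+-Disable\w+|\bsc(\.exe)?\s+stop\s+\S*(defend|sense)\S*)", re.I),
    "rclone_cloud_exfil": re.compile(
        r"\brclone(\.exe)?\s+(copy|sync|move)\b.*\b(wasabi|backblaze|b2)\b", re.I),
}
TASK_CREATE = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)

def hunt(events, task_burst=5, burst_seconds=60):
    """Return (rule, host, detail) findings; single-event rules match directly,
    scheduled-task creation is counted per host inside a sliding time window."""
    findings, task_times = [], defaultdict(list)
    for ts, host, cmd in events:
        findings.extend((name, host, cmd) for name, rx in RULES.items() if rx.search(cmd))
        if TASK_CREATE.search(cmd):
            task_times[host].append(datetime.fromisoformat(ts))
    for host, times in task_times.items():
        times.sort()
        for i in range(len(times) - task_burst + 1):
            if (times[i + task_burst - 1] - times[i]).total_seconds() <= burst_seconds:
                findings.append(("mass_task_creation", host,
                                 f"{task_burst} schtasks /create within {burst_seconds}s"))
                break
    return findings
```

The single nightly task on WS03 is deliberately left unflagged, which is the false-positive case the burst threshold exists to handle.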
Threat intelligence signatures tied to Iranian APT groups should be updated on a rolling basis, with real-time feeds enabled and newly published IOCs reviewed without delay. Reducing the external attack surface is equally urgent: default credentials must be changed across all assets, particularly OT and IoT devices, which often go unpatched for long periods.
For a comprehensive view of the TTPs referenced above, visit the Feedly TTP Dashboard (https://feedly.com/i/dashboard/ttp).