Elevated APT Activity in the MENA Region — and Closer to Home
- RM2 Security

- Feb 28
- 2 min read

Advisory | Threat Intelligence | February 2026
What We're Hearing — and Seeing
Word is being shared through ISAC channels indicating a notable uptick in Advanced Persistent Threat (APT) activity targeting organizations across the Middle East and North Africa (MENA) region. Against the backdrop of ongoing geopolitical tensions in the area, threat actors have historically exploited periods of regional instability to intensify cyber operations — and the current environment is no different.
What makes this moment particularly significant: our team has directly observed active attacks hitting organizations in North America. This is no longer a regional concern. The campaigns are live, the targeting is broad, and the tradecraft is sophisticated.
Of particular concern is MuddyWater, an Iranian-linked APT group with a long history of targeting government and critical infrastructure organizations across the MENA region and beyond. Researchers have recently detailed Operation Olalampo, an active MuddyWater campaign employing sophisticated, multi-stage attack chains that have now been observed reaching targets in North America.
The campaign's activity shares a consistent pattern: targeted spear-phishing emails carrying malicious attachments serve as the primary entry point, followed by deployment of novel malware tooling — some of which shows signs of AI-assisted development. Once inside, actors focus on persistence, credential harvesting, and lateral movement consistent with long-term espionage objectives. Notably, legitimate communication platforms are being abused for command-and-control, specifically to blend into normal network traffic and evade detection.
Why This Should Prompt Action Now
The sectors in the crosshairs — government, telecommunications, energy, finance, and healthcare — are precisely those where a breach carries the highest consequence. And organizations don't need to operate in the MENA region to be exposed; supply chain relationships, vendor dependencies, and shared infrastructure create indirect pathways that threat actors are actively exploiting.
Traditional perimeter defenses are not enough. These campaigns are designed to get past them.
What Organizations Should Do Now
The current threat environment warrants an elevated security posture. We recommend the following immediate actions:
Raise your alert level. Security operations teams should increase monitoring sensitivity and lower the thresholds at which alerts are escalated, so that lower-confidence detections get human triage rather than being tuned out. Active campaigns are running now; dwell time is the enemy.
Leverage current threat intelligence. Ensure your security operations function is actively ingesting and acting on the latest threat intelligence, including indicators associated with campaigns currently targeting MENA and North American organizations. If your team is not consuming structured threat feeds or ISAC-shared intelligence, that gap needs to close immediately. Keep in mind that indicators are perishable and that the command-and-control described above rides on legitimate communication platforms, so domain- and IP-based indicators alone will not catch it; pair them with behavioural detections built from the reported TTPs (phishing attachments spawning unexpected processes, credential access, and lateral movement).
Contact us for specific guidance. The threat activity we are tracking carries technical detail not appropriate for general distribution. If you want a direct briefing on what we're observing — including specific TTPs, indicators, and defensive actions tailored to your environment — reach out to our team directly.
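As an added illustration of what "ingesting structured threat feeds and acting on them" looks like in practice, the following script loads a small STIX 2.1-style indicator bundle, extracts observables (domains, IPv4 addresses, e-mail addresses, SHA-256 hashes) from proxy, mail-gateway and firewall log lines, and reports which lines and internal hosts hit an indicator. This is example code written for this page, not RM2 Security's tooling; the bundle and log lines are constructed using reserved example domains and addresses and are not real indicators from any MuddyWater campaign. Only equality comparisons joined by OR are parsed from STIX patterns; anything more complex is skipped rather than mis-typed.

```python
"""Match structured threat-intel indicators against log lines (added example).

The STIX-style bundle and the log lines are CONSTRUCTED for illustration and
are NOT real indicators from any campaign. Reserved example names are used.
"""
import re
from collections import defaultdict

# Constructed STIX 2.1-style indicator bundle; the non-indicator object is ignored.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "indicator", "id": "indicator--0001",
         "pattern": "[domain-name:value = 'update-portal.example']"},
        {"type": "indicator", "id": "indicator--0002",
         "pattern": "[file:hashes.'SHA-256' = '" + "3a" * 32 + "']"},  # placeholder hash
        {"type": "indicator", "id": "indicator--0003",
         "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "id": "indicator--0004",
         "pattern": "[email-addr:value = 'hr@recruit-example.test' OR "
                    "email-addr:value = 'careers@recruit-example.invalid']"},
        {"type": "malware", "id": "malware--0001", "name": "placeholder"},
    ],
}

# Constructed proxy / mail-gateway / firewall log lines in a key=value format.
SAMPLE_LOGS = [
    "2026-02-27T09:12:04Z proxy src=10.20.3.17 dst=update-portal.example:443 bytes=1842",
    "2026-02-27T09:12:05Z proxy src=10.20.3.17 dst=cdn.vendor.example:443 bytes=90211",
    "2026-02-27T09:15:31Z mailgw from=hr@recruit-example.test to=jdoe@corp.example "
    "attachment=Offer_Letter.pdf sha256=" + "3a" * 32,
    "2026-02-27T09:40:12Z fw src=10.20.3.17 dst=203.0.113.45 dport=443 action=allow",
    "2026-02-27T10:02:44Z proxy src=10.20.5.8 dst=docs.corp.example:443 bytes=5123",
]

# STIX object path -> observable type. Unsupported paths are skipped.
STIX_PATHS = {
    "domain-name:value": "domain",
    "ipv4-addr:value": "ipv4",
    "email-addr:value": "email",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
}
# One "<path> = '<value>'" comparison; OR-joined comparisons are found with findall().
COMPARISON = re.compile(r"([A-Za-z0-9_:.'\-]+?)\s*=\s*'([^']*)'")

# Extractors pulling candidate observables out of free-text log lines.
EXTRACTORS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("sha256", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
]


def load_indicators(bundle):
    """Return {observable_type: {normalised_value: indicator_id}} from a bundle."""
    table = defaultdict(dict)
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for path, value in COMPARISON.findall(obj.get("pattern", "")):
            kind = STIX_PATHS.get(path)
            if kind:
                table[kind][value.strip().lower()] = obj["id"]
    return table


def extract_observables(line):
    """Yield de-duplicated (type, value) pairs found in one log line."""
    seen = set()
    for kind, rx in EXTRACTORS:
        for value in rx.findall(line):
            item = (kind, value.lower())
            if item not in seen:
                seen.add(item)
                yield item


def scan_logs(lines, indicators):
    """Return one match record per (line, observable) that hits an indicator."""
    matches = []
    for line_no, line in enumerate(lines, start=1):
        for kind, value in extract_observables(line):
            ind_id = indicators.get(kind, {}).get(value)
            if ind_id:
                matches.append({"line": line_no, "type": kind,
                                "value": value, "indicator": ind_id})
    return matches


def affected_sources(matches, lines):
    """Internal src= hosts on matched lines: first candidates for triage/isolation."""
    src_rx = re.compile(r"\bsrc=(\S+)")
    hosts = set()
    for m in matches:
        found = src_rx.search(lines[m["line"] - 1])
        if found:
            hosts.add(found.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS, load_indicators(SAMPLE_BUNDLE))
    for h in hits:
        print(f"line {h['line']}: {h['type']}={h['value']} -> {h['indicator']}")
    print("sources to triage:", affected_sources(hits, SAMPLE_LOGS))
```

Run against the constructed data, the script flags the proxy connection to the listed domain, the phishing sender and attachment hash on the mail-gateway line, and the firewall allow to the listed address, then names 10.20.3.17 as the host to look at first. Because the C2 in this campaign blends into legitimate platforms, treat a script like this as the fast first pass over feed indicators, not as the detection strategy; behavioural rules on the reported TTPs have to sit alongside it.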
This advisory is based on intelligence shared through industry channels, open-source threat research, and firsthand observation. Indicators of compromise and technical details are available upon request for qualified security teams.


