Iranian APT Operations Against MEA Financial Sector: Patterns from the Last 18 Months
Threat Intelligence
MuddyWater, APT34, and adjacent Iranian clusters have run a consistent campaign against banks and financial regulators across the Middle East and Africa. The lures and infrastructure overlaps are remarkably stable.
By Arjun Raghavan, Security & Systems Lead, BIPI · February 11, 2024 · 7 min read
A regional bank in the Gulf called us after their SOC flagged a suspicious Atera installation on a finance team workstation. By the time we arrived, the Atera agent had been live for 11 days, the operator had pivoted to two more workstations via WMI, and a SharePoint enumeration script had run against the M&A folder. The toolset, the Atera abuse, the lure document found in the user's mailbox, and the C2 infrastructure were all consistent with MuddyWater activity we had seen at two other banks in the prior six months.
Iranian APT activity against MEA financial institutions has been remarkably consistent since late 2023. The clusters of interest are MuddyWater (also known as Static Kitten), APT34 (OilRig), and a smaller cluster sometimes labeled Scarred Manticore. Their tradecraft is distinct from Russian or Chinese operations and worth understanding on its own terms if your org operates in that geography.
Lure types that recur
The phishing lures used in these campaigns cluster around three themes that almost any financial sector employee in the region will engage with.
- Central bank communications: spoofed memos from regional regulators (CBUAE, SAMA, CBE) about new compliance requirements or inspection schedules.
- Salary and HR: fake "updated salary scale" or "end of service benefit revision" PDFs with embedded macros or XLL loaders.
- Geopolitical tension: news-pretext lures about regional conflicts or sanctions designed for executives who follow these issues closely.
The delivery mechanism rotates between malicious macros (still surprisingly effective in some MEA orgs that have not enforced macro blocking), XLL Excel add-ins, ISO/IMG containers carrying LNK files, and increasingly, OneNote files with embedded scripts. PowerShell remains heavily used despite the noise it generates, partly because many of the target orgs have weak PowerShell logging or no Constrained Language Mode.
Tooling and persistence patterns
MuddyWater in particular has standardized on legitimate RMM tools as a primary persistence mechanism. Atera, ScreenConnect, RemoteUtilities, and SimpleHelp have all appeared in incidents we have responded to. The logic is sound from the operator's perspective: these tools are signed, they bypass most behavioral detection, they are used legitimately by IT teams, and they provide full remote access without dropping a custom backdoor.
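Detection content for the RMM-abuse pattern described above, added here as an example rather than anything from the original write-up: it triages Sysmon-style process-creation records against a sanctioned RMM inventory and flags agents that are unsanctioned on that host, spawned by an Office or scripting parent, or running from a user Temp directory. The executable-name patterns, hostnames, sample events and the inventory are assumptions constructed for illustration.

```python
"""Triage process-creation telemetry for RMM agents outside the sanctioned inventory
(added example; events, hostnames and the inventory are constructed, not real data)."""
import re

# Images the RMM products named above typically run under (illustrative patterns, an assumption).
RMM_SIGNATURES = {
    "Atera": r"ateraagent\.exe|agentpackage",
    "ScreenConnect": r"screenconnect\.clientservice\.exe|screenconnect\.windowsclient\.exe",
    "RemoteUtilities": r"rutserv\.exe|rfusclient\.exe",
    "SimpleHelp": r"jwrapper-remote access|remote access\.exe",
}
# Hypothetical sanctioned inventory: IT runs one product, only on its admin jump hosts.
APPROVED_RMM = {"ScreenConnect": {"IT-ADMIN-01", "IT-ADMIN-02"}}
# Parents that mean the agent came from a document or script, not a deployment tool.
SUSPICIOUS_PARENT = re.compile(r"(winword|excel|powerpnt|onenote|powershell|wscript|mshta)\.exe$", re.I)
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Constructed Sysmon-style process-creation records as key=value lines.
SAMPLE_EVENTS = [
    "host=FIN-WS-114 user=BANK\\s.alkhalidi parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE image=C:\\Users\\s.alkhalidi\\AppData\\Local\\Temp\\AteraAgent.exe",
    "host=IT-ADMIN-01 user=BANK\\svc_rmm parent=C:\\Windows\\System32\\services.exe image=C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe",
    "host=FIN-WS-117 user=BANK\\m.haddad parent=C:\\Windows\\System32\\services.exe image=C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe",
    "host=FIN-WS-114 user=BANK\\s.alkhalidi parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe",
]

def parse_event(line):
    """Turn 'k=v k=v' into a dict; values may contain spaces, so each stops at the next ' key='."""
    return dict(FIELD.findall(line))

def classify(event):
    """Return (tool, verdict, reasons) for an RMM process, or None if the image is not one."""
    image, host, parent = event.get("image", ""), event.get("host", ""), event.get("parent", "")
    tool = next((t for t, pat in RMM_SIGNATURES.items() if re.search(pat, image, re.I)), None)
    if tool is None:
        return None
    reasons = []
    if host not in APPROVED_RMM.get(tool, set()):
        reasons.append(f"{tool} is not sanctioned on {host}")
    if SUSPICIOUS_PARENT.search(parent):
        reasons.append("spawned by an Office or scripting parent (lure-document pattern)")
    if USER_TEMP.search(image):
        reasons.append("runs from a user Temp directory rather than an installer path")
    return tool, ("alert" if reasons else "expected"), reasons

def triage(lines):
    """(host, tool, verdict, reasons) for each event whose image is an RMM process."""
    events = [(e, classify(e)) for e in map(parse_event, lines)]
    return [(e.get("host", ""), *v) for e, v in events if v]
```

Feeding this the real inventory of sanctioned RMM products and hosts turns the first check into the strongest signal, since a signed agent on a host where it was never deployed is the pattern that opened the case described above.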
APT34 maintains more custom tooling. The PowerShell-based BondUpdater family, the more recent SideTwist backdoor, and DNS tunneling implants are still in active use. The DNS tunneling specifically is worth paying attention to: many MEA banks do not have egress DNS inspection or DNS query logging at the resolver level, and APT34 has exploited that gap repeatedly.
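A resolver-log heuristic for the DNS tunneling gap noted above, added here as an example and not taken from the original post or from any APT34 sample: it profiles each registered domain by how many distinct subdomains it receives and how long and high-entropy those labels are, which is what encoded data in query names looks like. The log lines, client addresses and domains are constructed placeholders, and the two-label approximation of the registrable domain is an assumption.

```python
"""Heuristic DNS-tunnel spotting over resolver query logs (added example).
Log lines are constructed and the domains are placeholders, not real indicators."""
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character; encoded tunnel payloads sit near their alphabet's maximum."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def registered_domain(qname):
    """Split a query name into (registrable domain, subdomain part). Assumption: the last
    two labels approximate the registrable domain; production code should use the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def profile(lines):
    """Per registered domain: distinct subdomains, plus every subdomain's length and entropy."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": []})
    for line in lines:
        _client, _qtype, qname = line.split()
        domain, sub = registered_domain(qname)
        stats[domain]["subs"].add(sub)
        stats[domain]["lens"].append(len(sub))
        stats[domain]["ents"].append(shannon_entropy(sub.replace(".", "")))
    return stats

def flag_tunnels(lines, min_unique=8, min_len=30, min_entropy=3.0):
    """Domains with many distinct, long, high-entropy subdomains look like a covert channel."""
    flagged = []
    for domain, s in profile(lines).items():
        if (len(s["subs"]) >= min_unique
                and sum(s["lens"]) / len(s["lens"]) >= min_len
                and sum(s["ents"]) / len(s["ents"]) >= min_entropy):
            flagged.append(domain)
    return sorted(flagged)

# Constructed log, one "<client> <qtype> <qname>" per line: ordinary intranet lookups plus a
# simulated implant encoding 20-byte chunks as hex labels under a placeholder domain.
BENIGN = [f"10.20.3.41 A {h}.intranet-bank.example" for h in ("www", "mail", "cdn", "sso", "www", "mail")]
TUNNEL = [f"10.20.3.41 TXT {hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:40]}.update-svc.example"
          for i in range(12)]
SAMPLE_QUERIES = BENIGN + TUNNEL
```

The thresholds are starting points; CDN and anti-spam lookups also produce many unique subdomains, so an allowlist of known high-cardinality domains belongs in front of this in production.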
Infrastructure overlaps
We have seen consistent reuse of certain hosting providers and ASNs across these clusters, particularly Iranian-owned VPS providers fronting through European or Asian hosting. The same TLS certificates, the same self-signed cert subjects, and the same pattern of one-domain-per-target campaign infrastructure recur. Pivots in VirusTotal and Censys consistently produce more nodes from a single seed.
What's specific to financial sector targeting
Iranian operations against banks are not primarily about ransomware or financial theft. The objectives we have inferred from observed activity are intelligence collection on regional banking flows, especially anything related to sanctioned parties or front companies, intelligence on regulator communications and enforcement priorities, and pre-positioning for potential disruptive action during periods of geopolitical escalation.
That last point matters. Several of the intrusions we have responded to involved no exfiltration we could detect, but did include enumeration of SWIFT-adjacent systems, payment gateway architecture, and core banking application servers. The operators were mapping the environment, not stealing from it. That posture changes how you communicate findings to executives. The risk is not necessarily a near-term theft. It is dwell time creating optionality for whoever ordered the operation.
What threat intel teams should maintain
A working threat profile for these clusters needs the following kept current: known C2 infrastructure refreshed quarterly (it rotates), known RMM-abuse patterns with detection content, lure document themes by quarter, and a relationship with regional CERTs (especially in the GCC) that share early indicators.
Iranian APT activity is less spectacular than Russian or Chinese operations and often gets less coverage. For MEA financial institutions, it is the most consistent ongoing threat. Treat it accordingly.