Iranian Hackers Exploit Email to Breach Iraq Gov

Iranian government-linked hackers are intensifying surveillance operations across the Middle East, with new cyberespionage campaigns uncovered in both Iraq and Yemen. Despite political alliances and regional partnerships, Iran continues to covertly monitor even its supposed allies.

Cybersecurity firm Check Point has tracked a long-running operation led by the Iranian-linked threat group APT34, also known as OilRig, Helix Kitten, or MuddyWater. The group has direct ties to Iran’s Ministry of Intelligence and Security (MOIS) and has been active for years. According to Check Point researchers, the group’s campaign against Iraqi government entities has not only persisted into 2025 but has also expanded into Yemen through a separate subgroup.

“Iranian actors want to monitor everything happening across the region—even in countries that publicly align with them,” said Sergey Shykevich, threat intelligence group manager at Check Point. “Their goal is to stay a step ahead, regardless of diplomatic ties.”

Check Point’s investigation reveals that the campaign targeting Iraq dates back to March 2024, when new samples of custom malware were uploaded to VirusTotal. These included two advanced backdoors—Veaty and Spearal—and a third, unnamed tool designed for SSH tunneling. To trick victims, the malicious files were disguised with double extensions to resemble regular documents, likely delivered via phishing emails.

“These aren’t just off-the-shelf tools,” noted Amitai Ben Shushan Ehrlich, threat intelligence team lead at Check Point. “The Veaty backdoor, for example, was tailored to hijack legitimate Iraqi government email accounts, allowing attackers to exfiltrate data or send commands under trusted identities.”

In addition to email-based exfiltration, the group used custom SSH connections and DNS tunneling, a common method in APT34’s toolkit. Despite being exposed publicly in September 2024, the campaign has continued in waves into 2025, suggesting the attackers faced little resistance.
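The two delivery and exfiltration techniques named above, double-extension attachments and DNS tunneling, are both detectable from ordinary gateway telemetry. The following is an added example written for this page, not code from the article or from Check Point, that applies two simple heuristics to a handful of constructed log lines: an attachment whose document-style extension is immediately followed by an executable one, and a DNS query whose subdomain labels carry a long, high-entropy payload. The log format, the extension sets, the thresholds and the `example.test` domain are all assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Extensions that execute on a Windows host (assumed set); a document-looking extension
# placed right before one of these is the classic "budget.pdf.exe" lure.
EXECUTABLE_EXT = {"exe", "scr", "bat", "cmd", "com", "pif", "js", "vbs", "ps1", "hta", "lnk"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}


def is_double_extension_lure(filename: str) -> bool:
    """True when a document-style extension is directly followed by an executable one."""
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXT and parts[-2] in DOCUMENT_EXT


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded tunnel payloads score far higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def dns_tunnel_indicators(qname: str, zone_labels: int = 2) -> dict:
    """Strip the registrable zone (assumed to be the last `zone_labels` labels) and
    measure what is left: tunnelled data rides in the subdomain labels."""
    labels = qname.rstrip(".").split(".")
    sub = labels[:-zone_labels] if len(labels) > zone_labels else []
    payload = "".join(sub)
    return {
        "subdomain_len": len(payload),
        "label_count": len(sub),
        "entropy": shannon_entropy(payload),
    }


def is_dns_tunnel_candidate(qname: str, min_len: int = 40, min_entropy: float = 3.5) -> bool:
    """Assumed thresholds: a long subdomain with near-random character mix."""
    ind = dns_tunnel_indicators(qname)
    return ind["subdomain_len"] >= min_len and ind["entropy"] >= min_entropy


# Constructed sample log lines (not real telemetry); line 3 carries 64 hex characters
# split across two labels, which is what an encoded tunnel chunk looks like.
SAMPLE_LOG = [
    'mailgw attachment="budget_2024.pdf.exe" from=external',
    'mailgw attachment="agenda.docx" from=external',
    'dns query="0123456789abcdef0123456789abcdef.0123456789abcdef0123456789abcdef.example.test"',
    'dns query="mail.example.test"',
]


def scan_log_lines(lines):
    """Return (line_number, reason, value) for every line that trips a heuristic."""
    hits = []
    for i, line in enumerate(lines, 1):
        m = re.search(r'attachment="([^"]+)"', line)
        if m and is_double_extension_lure(m.group(1)):
            hits.append((i, "double-extension attachment", m.group(1)))
        m = re.search(r'query="([^"]+)"', line)
        if m and is_dns_tunnel_candidate(m.group(1)):
            hits.append((i, "dns-tunnel candidate", m.group(1)))
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(hit)
```

Both checks are deliberately coarse: the entropy gate will miss a tunnel that pads its payload with repeated characters, and legitimate CDN or anti-spam services also emit long, random-looking subdomains, so in practice these indicators are used to rank queries for review and to correlate with volume per client rather than to block on their own.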

“They only improved their tools where necessary,” added Shykevich. “In environments like Iraq, where cybersecurity defenses may be limited, attackers don’t need cutting-edge methods to succeed.”

Check Point also noted that even when local agencies detect intrusions, they often fail to fully respond or remediate the breach. This incomplete response enables threat actors to return and resume operations using familiar access points.

In Yemen, APT34’s tactics shifted. Midway through 2024, a separate subgroup was discovered using “Power Service,” a simplistic PowerShell-based backdoor. The malware was less advanced, and the targeting appeared broader, suggesting a more opportunistic approach.

“The campaign in Yemen lacked the precision and sophistication seen in Iraq,” explained Ehrlich. “It was likely a different APT34 team, still connected to MOIS, but using shared infrastructure and basic tools.”

Despite the different operational styles, both efforts share a clear origin. Check Point researchers believe APT34 operates as a loose collection of teams with overlapping access to malware tools and targets. While some components are reused across campaigns, others are tailored to individual missions.

“It’s like an ecosystem,” said Ehrlich. “They collaborate when needed, but each subgroup also runs independently. Some tools are passed between teams, while others are built for specific operations.”

This decentralized structure has made attribution more difficult, but the fingerprints of Iranian state-backed espionage remain consistent. The ongoing campaigns in Iraq and Yemen underscore Tehran’s determination to monitor political, military, and economic developments across the region—even among its allies.

As the Middle East grapples with rising digital threats, Iran’s aggressive cyber posture continues to blur the lines between diplomacy and espionage.
