The Middle East’s Cyber Threat Picture in 2026: What 170 Incidents Tell Us

If you only looked at the headline number, 2026 in the Middle East would seem like a fairly typical ransomware year. 170 ransomware and extortion incidents across 17 countries, most of them hitting manufacturing, healthcare, finance, and government. Criminals chasing money, in other words. Business as usual.

But spend some time inside the data and a different story emerges. A meaningful chunk of what got labeled “ransomware” this year wasn’t about money at all. It was about politics, attention, and intelligence. And that mix profit-driven crime running side by side with ideological operations is what makes the region’s threat picture so hard to defend against right now.

Turkey took the biggest hit

Turkey topped the list with 45 incidents, roughly a quarter of everything recorded in the region. Two groups TheGentlemen and Qilin were responsible for 40% of that on their own, with 9 attacks each. Qilin went after holdings, healthcare, and food companies. TheGentlemen focused on manufacturers, including one of Turkey’s biggest and most recognizable industrial names, Arçelik.

The listing that worried us most, though, came from Nightspire. On a single day in April, the group posted two Turkish defense and research entities: TTAF Defense and PARS AR-GE. Ransomware groups going after defense contractors isn’t new, but when it happens in a country sitting at the center of several regional conflicts, the stolen material has obvious value well beyond a ransom payment.

Behind Turkey came the UAE (31 incidents), Israel (27), Egypt (22), and Saudi Arabia (13). Together those five countries absorbed the vast majority of the region’s ransomware activity, which tracks with their economic weight, digitalization levels, and simply how much attack surface they expose.

Handala changed the shape of the year

Here’s where the numbers get interesting. Israel ranked third overall, but more than half of its 27 incidents 14 of them came from a single actor: Handala, the pro-Iranian hacktivist group. These weren’t extortion attempts. Handala listed Israel’s largest healthcare provider Clalit, the Hebrew University of Jerusalem, and a string of targets it claimed were tied to intelligence and government bodies. No ransom demands, no negotiation portals. Just exposure, aimed at reputational and psychological damage.

Handala showed up elsewhere too. It listed Aramco in Saudi Arabia arguably the single most significant listing of the year given the company’s role in global energy markets and the Sharjah National Oil Corporation in the UAE. Its Iran-tagged activity was stranger still: rather than attacking Iranian state targets, it went after the IDF’s Farsi-language information operation, the opposition outlet IranWire, and an Iranian dissident. The group calls itself pro-Palestinian, but its targeting pattern reads a lot like an actor working in alignment with Iranian state interests, and several vendors have assessed exactly that.

With 21 listings across the region, Handala finished second only to TheGentlemen (28) in total activity. Think about that for a second. The second most active “ransomware” actor in the Middle East wasn’t running a ransomware business at all.

The dark web tells its own story

Away from the leak sites, underground forums stayed busy all year. The UAE saw 140 defacement and compromise claims, Iran logged 106 data leak incidents, and Turkey recorded 95 defacements and major database breach ads.

Some of what surfaced was genuinely alarming. A seller offered what they claimed was super-administrator access to an Iranian national dams SCADA system for 2 BTC. Another actor claimed to have compromised Kuwait’s Public Authority for Civil Information, advertising civil records, death records going back to 1980, and roughly 5.23 million ID card images for $1,000. In Turkey, a January post claimed 2.7 million TurkNet customer records, national ID numbers included. Iraqi voter data, Lebanese vehicle registrations, a Qatari bank database: the list goes on, and while many of these claims can’t be independently verified, the sheer volume of citizen data moving through these markets should concern every government in the region.

DDoS-heavy hacktivist crews like Keymous Plus, 313 Team, and Fatimion cyber team dominated activity against Gulf states, with government portals as their favorite targets. Bahrain alone recorded 84 DDoS incidents; Kuwait saw 124.

Meanwhile, the quiet operations continued

None of this slowed down the state-sponsored side. MuddyWater ran espionage campaigns across the region throughout the first half of the year, leaning on spear-phishing, PowerShell, and lightweight Node.js implants and in January it added a modular Rust-based malware family to its toolkit, targeting diplomatic, telecom, maritime, and financial organizations. OilRig (APT34) kept working government, energy, and telecom targets across Iraq and the Gulf.

The common thread was patience. These groups mostly avoided deploying noisy malware and instead lived off the land: PowerShell, WMI, PsExec, RDP, scheduled tasks. Cloud identities became a favorite target too, since a stolen Microsoft 365 credential gives an attacker mailbox and document access without ever touching an endpoint again.

Our infostealer log analysis backs this up. Iranian domains produced the largest raw log volume in the region, Saudi and UAE logs feed a thriving initial-access market, and one detail stood out to us: Israel’s general .il traffic was low, but hits on gov.il and ac.il domains were significant. That’s not opportunistic infection. That’s deliberate targeting of government and research networks.

What we'd take away from all this

The Middle East’s threat landscape doesn’t split cleanly into “criminals” and “spies” anymore. Ransomware crews are listing defense contractors. Hacktivists are running what amount to intelligence operations. APT groups are hiding inside legitimate admin tools and cloud sessions. An organization in this region can realistically face all three in the same quarter.

That reality has practical consequences. Traditional perimeter controls won’t catch an attacker who logs in with valid credentials and moves around using PowerShell. Backup strategies won’t help when the attacker’s goal is publication rather than encryption. What actually moves the needle is knowing who is targeting your sector, watching for your data and access on underground markets, locking down identity and cloud access, and shrinking the attack surface those actors keep exploiting.

The full report covers all 17 countries in detail country-by-country statistics, group profiles, dark web findings, APT tradecraft, and infostealer distribution data. If you operate in the region, it’s worth the read.

More posts

This image is about multiple Nginx vulnerabilities.
This image is about multiple Microsoft IIS vulnerabilities.
This image is about SMTP open mail relay vulnerability.
SSL Expire" means an SSL certificate has expired, causing security warnings for site visitors.
What is Server Header Information Disclosure?
advanced divider

Share this article

Found it interesting? Don’t hesitate to share it to wow your friends or colleagues

advanced divider

Subscribe to our blog newsletter to follow the latest posts