The activity, tracked between October 2025 and March 2026, shows threat actors aligned with Beijing moving quickly around geopolitical shocks, particularly after the escalation involving Iran from late February. Maritime affairs, oil flows, energy infrastructure, government networks and strategic technologies have emerged as priority targets, with the Gulf states, Venezuela, Syria, South Korea, Cambodia and Panama appearing in the broader pattern of operations.
The campaign underlines a central feature of modern cyber conflict: state-aligned hackers are no longer waiting for wars to end before exploiting their consequences. They are using instability itself as cover, focusing on sectors that can reveal shipping resilience, energy supply risks, reconstruction opportunities, political decision-making and military-adjacent technology.
Maritime and energy companies in the Gulf are especially exposed because the region sits at the intersection of global shipping, oil exports, liquefied natural gas flows and military pressure around the Strait of Hormuz. Disruptions in that corridor have immediate consequences for insurers, ship operators, ports, refiners and governments. For intelligence agencies, access to corporate networks can offer visibility into cargo schedules, emergency planning, procurement chains, tanker rerouting and the readiness of critical infrastructure.
The China-linked activity fits a wider pattern in which espionage operations are shaped by Beijing’s economic and security priorities. One group, FamousSparrow, targeted a Venezuelan government entity connected to maritime affairs, a move assessed as likely designed to monitor the durability of oil shipments after US intervention. Venezuela remains a significant energy supplier to China, making shipping data and government maritime planning valuable strategic intelligence.
Another China-aligned group, SteppeDriver, reached a Syrian government network in February. That activity appeared to reflect both commercial interest in Syria’s reconstruction and security concerns linked to Uyghur fighters in the country. Syria’s rebuilding process is expected to draw foreign contractors, infrastructure bids and energy-sector negotiations, giving cyber-espionage operators strong incentives to map state agencies and policy channels ahead of formal commercial openings.
A separate cluster, NegativeGlimmer, compromised government entities in Cambodia and Panama and also targeted an AI and robotics company in South Korea. The South Korean intrusion fits Beijing’s long-running interest in strategic technologies identified under the Made in China 2025 industrial policy, with robotics, artificial intelligence and advanced manufacturing placed high on the list of sectors where intellectual property and engineering data carry national value.
Security analysts also identified PhiliKit, a new implant assessed as part of UNC5221’s SPAWN toolset targeting Ivanti VPN appliances. The targeting of VPN infrastructure is significant because remote-access systems are often used by government bodies, contractors and industrial operators to connect staff and service providers to sensitive networks. An appliance of this kind sits at the network edge and terminates authenticated sessions, so once it is compromised it can give an intruder a quiet, credentialed route into the wider environment.
The cyber activity unfolded as Iran-aligned operations showed a more complex pattern. The war that began in late February coincided with a drop in activity from established Iran-linked advanced persistent threat groups, most likely because internet restrictions inside Iran disrupted their operations. At the same time, proxy and hacktivist actors expanded attacks against Israel, the United States and other governments viewed as hostile to Tehran.
That shift created a noisy threat environment in which China-linked espionage, Iran-aligned disruption, hacktivist campaigns and unattributed operations overlapped. For defenders in the maritime and energy sectors, the practical consequence is that attribution matters less than impact: whether an intrusion is designed for spying, sabotage, leverage or future access, it exploits the same weak points in remote-access systems, identity controls and operational technology.
Israel remained a major focus for Iran-aligned and Iran-linked activity, with targets ranging from organisations hit by espionage intrusions to device manufacturers facing destructive tooling. Unattributed clusters known as Rusty Boots and MoKhargosh demonstrated both spying capability and destructive potential, including bootkit-style wiper activity and retained destructive tools. Another cluster, MOØN Badr, appeared limited to targeted espionage.
The Gulf dimension widened with a defence company in the United Arab Emirates being compromised through a SmartOffice CRM server. Arabic-speaking users were also targeted with Android spyware called Asin, possibly aimed at journalists or open-source intelligence practitioners following military developments. The attacker’s Telegram channel appeared to echo the branding of Live Universal Awareness Map, a platform used to track conflict incidents.
The timing has sharpened concern among energy and shipping executives because cyber activity is moving alongside physical and electronic disruption in maritime zones. Satellite navigation interference around the Strait of Hormuz has added to operational risks, while critical infrastructure operators across the region are reassessing exposed industrial systems, remote access pathways and third-party software dependencies.
The threat to maritime and energy firms is not confined to direct attacks on ships or pipelines. Corporate email, logistics platforms, port systems, vessel-tracking services, engineering contractors and customer relationship management tools can all become entry points. Espionage groups often seek persistent access rather than immediate disruption, allowing them to observe trade flows, political pressure points and emergency responses over time.
For Gulf-based operators, the immediate priority is narrowing the space available to state-aligned actors: tighter segmentation between corporate and operational networks, stronger controls on VPN and CRM systems, faster patching of internet-facing appliances, monitoring for unusual authentication patterns and more scrutiny of suppliers with privileged access.
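One way to make the "unusual authentication patterns" item concrete, as an added example that is not from the article or from any vendor: a small Python detector that builds a per-user baseline of source countries and login hours from past VPN logins, then flags a success preceded by a burst of failures from the same address, a success from a country the user has never logged in from, or a success well outside the user's normal hours. The pipe-delimited log format, the user names, addresses and countries are all constructed for illustration; they are not any real appliance's log format and describe no real incident.

```python
"""Flag anomalous VPN logins against a per-user baseline (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a simplified generic format (this is NOT the
# log format of any real VPN appliance): timestamp|user|result|source_ip|country
BASELINE_LOGS = """\
2026-02-02T08:05:11Z|a.hassan|success|203.0.113.10|AE
2026-02-03T08:12:40Z|a.hassan|success|203.0.113.10|AE
2026-02-04T07:58:03Z|a.hassan|success|203.0.113.11|AE
2026-02-02T09:30:00Z|j.mendes|success|198.51.100.7|PT
2026-02-03T10:02:15Z|j.mendes|success|198.51.100.7|PT
"""

# Constructed events to evaluate: five failures then a success from a new
# country at 02:15 UTC for a.hassan, and a routine login for j.mendes.
NEW_LOGS = """\
2026-03-01T02:14:09Z|a.hassan|failure|192.0.2.55|NL
2026-03-01T02:14:21Z|a.hassan|failure|192.0.2.55|NL
2026-03-01T02:14:33Z|a.hassan|failure|192.0.2.55|NL
2026-03-01T02:14:45Z|a.hassan|failure|192.0.2.55|NL
2026-03-01T02:14:58Z|a.hassan|failure|192.0.2.55|NL
2026-03-01T02:15:10Z|a.hassan|success|192.0.2.55|NL
2026-03-01T09:41:00Z|j.mendes|success|198.51.100.7|PT
"""


def parse_log(text):
    """Parse pipe-delimited records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, country = line.strip().split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "ip": ip, "country": country,
        })
    return events


def build_baseline(events):
    """Per user: source countries and UTC hours of past successful logins."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]]["countries"].add(e["country"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return dict(baseline)


def detect(baseline, events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (user, rule, timestamp) alerts for suspicious successful logins.

    Rules: success preceded by >= fail_threshold failures from the same IP
    within `window`; success from a country absent from the user's baseline;
    success at an hour more than one hour away from every baseline hour.
    """
    alerts = []
    failures = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["ip"])
        if e["result"] != "success":
            failures[key].append(e["ts"])
            continue
        when = e["ts"].isoformat()
        recent = failures[key]
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()  # expire failures that fall outside the window
        if len(recent) >= fail_threshold:
            alerts.append((e["user"], "failures_then_success", when))
        recent.clear()
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append((e["user"], "no_baseline", when))
            continue
        if e["country"] not in profile["countries"]:
            alerts.append((e["user"], "new_country", when))
        tolerated = {(h + d) % 24 for h in profile["hours"] for d in (-1, 0, 1)}
        if e["ts"].hour not in tolerated:
            alerts.append((e["user"], "off_hours", when))
    return alerts


def run_sample():
    """Build the baseline from the constructed history and evaluate NEW_LOGS."""
    return detect(build_baseline(parse_log(BASELINE_LOGS)), parse_log(NEW_LOGS))


if __name__ == "__main__":
    for user, rule, when in run_sample():
        print(f"{when} {user}: {rule}")
```

Each signal on its own is noisy (travel, shift changes, a mistyped password), which is why the detector reports rules per login and lets an analyst weigh the combination: a.hassan trips all three at once, while j.mendes trips none. In a real deployment the baseline would come from weeks of appliance logs, the country would be derived from GeoIP enrichment rather than carried in the record, and the thresholds would be tuned to the user population.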
Also published on Medium.