MENA Under Cyber Onslaught: Escalating Threats in Summer 2025

Executive Summary

  • 236% surge in DDoS across MENA, driven by Iran–Israeli conflict and hacktivist campaigns.
  • 12-day cyber war saw destructive attacks, including $90M crypto burned and fabricated disinformation alerts.
  • AI-driven ransomware industrialized with multilingual chatbots and affiliate profit-sharing.
  • Critical infrastructure under fire: ICS-targeting malware, API-layer DDoS, and PLC manipulation attempts.
  • Saudi Arabia, the UAE, Iran, and Israel emerged as the top cyber battlegrounds.

What Happened

From July–August 2025, the MENA region experienced its most aggressive wave of cyberattacks to date. Escalation peaked during the Iran–Israeli cyber conflict, while ransomware, DDoS, and ICS malware campaigns surged across Gulf and North African states. Governments scrambled with new strategies, but attackers demonstrated evolving methods at unprecedented scale.

The MENA region is now a primary theater for AI-assisted ransomware, ICS malware, and state-sponsored cyber operations. Organizations operating in or with dependencies on the region need regionally calibrated threat intelligence.

Noorstream delivers threat intelligence, vulnerability management, and offensive security assessments for high-risk environments.

Technical Breakdown

  • DDoS escalation: 236% spike; 73% of traffic from hacktivists; API-layer attacks up 162%, requiring 88% less bandwidth.
  • Iran–Israeli cyber war: Iranian groups launched a major escalation of attacks, coupled with disinformation campaigns and fake alert messages. Pro-Israeli hacking group Predatory Sparrow burned Nobitex’s $90M crypto reserves.
  • AI ransomware (GLOBAL GROUP): Automated payloads across OS platforms, 85% affiliate revenue, AI chatbots for negotiation.
  • ICS malware: Stealth Soldier, FrostyGoop, IOCONTROL targeting water and energy systems; PLC exploitation attempts by IRGC-linked groups.
  • APT exploitation: Stealth Falcon (UAE-attributed) weaponized Microsoft WebDAV CVE-2025-33053 with Horus Agent.
  • Recon surge: Probing up 9x; HTTP floods from 140K-device botnets.

Impact Analysis

  • Short-Term:
    • Governments forced into real-time defense upgrades.
    • Financial and energy sectors saw record targeting.
    • Geopolitical cyber warfare normalized as a parallel battlefield.
  • Long-Term:
    • Industrial systems remain at heightened risk of sabotage.
    • AI integration into cybercrime will accelerate affiliate adoption.
    • Regulatory tightening across GCC will raise compliance burdens.
    • Hacktivist networks like CyberAv3ngers and Handala will continue shaping psychological ops.

Operational Takeaways

  • Harden API endpoints; prioritize rate-limiting and bot detection.
  • Segment and monitor ICS/OT networks; block external internet exposure.
  • Prepare incident response for AI-driven ransomware with multilingual negotiation lures.
  • Adopt intelligence-driven defense: track regional APTs (Serpens, Stealth Falcon, CyberAv3ngers).
  • Expect cross-border escalation; align with GCC frameworks and U.S. alerts (DHS, CISA).
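The API-hardening takeaway above, as an added example that is not part of the Noorstream briefing: a sliding-window detector that flags low-bandwidth API-layer floods (which byte-volume thresholds miss) over a constructed access log, plus a token-bucket limiter for the flagged client. The log format, IPs, window and thresholds are assumptions.

```python
# Added example (not from the briefing): flag API-layer floods that byte-volume
# thresholds miss, by counting per-client API requests in a sliding window, and
# a token-bucket limiter that would throttle the flagged client.
import re
from collections import defaultdict, deque
LOG_RE = re.compile(r'^(\S+) \[(\d+)\] "\S+ (\S+)" \d{3} (\d+)$')

# Constructed log (ip [unix_ts] "METHOD path" status bytes): one 5 MB download from 10.0.0.5, five small /api calls in 2 s from 10.0.0.9.
SAMPLE_LOG = """10.0.0.5 [1000] "GET /files/report.pdf" 200 5242880
10.0.0.9 [1000] "POST /api/search" 200 310
10.0.0.9 [1000] "POST /api/search" 200 305
10.0.0.9 [1001] "POST /api/search" 200 301
10.0.0.9 [1001] "POST /api/search" 200 299
10.0.0.9 [1002] "POST /api/search" 200 300
10.0.0.7 [1002] "GET /api/status" 200 120
"""

def parse(log):
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m[1], int(m[2]), m[3], int(m[4])

def flag_api_floods(log, window=5, max_requests=4, api_prefix="/api/"):
    """Return {ip: peak_requests} for clients exceeding max_requests API
    calls within any window-second span, regardless of bytes transferred."""
    recent, flagged = defaultdict(deque), {}
    for ip, ts, path, _ in parse(log):
        if not path.startswith(api_prefix):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

class TokenBucket:
    """Per-client limiter: refills `rate` tokens/s up to `burst`; one per request."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, None
    def allow(self, ts):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True
```

The bulk download from 10.0.0.5 moves far more bytes but is never flagged; the small, rapid /api calls are, which is the point of rate-based rather than volume-based detection.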

Related Incidents

  • CyberAv3ngers Hijacks (2025) – Targeted Israeli-linked water systems with ICS malware, showing hacktivists evolving into critical infrastructure threats.
  • UAE Cybersecurity Strategy 2024–2025 – Introduced MSOC licensing and Saudization requirements, reshaping regional defense frameworks.
  • Iranian “Serpens” APT Persistence – Maintained two years of undetected access in MENA critical infrastructure using stolen VPN credentials and custom RATs.

Noorstream Analysis

The surge of cyber activity in Summer 2025 confirms a decisive shift: cyber operations in MENA are no longer episodic — they are structural. The Iran–Israeli digital war normalized nation-state cyber campaigns as part of daily conflict, while AI-driven ransomware industrialized at a pace that outpaces traditional defenses.

Three points stand out for operators and decision-makers:

  • Hacktivist evolution: Groups like CyberAv3ngers are not noise; they now pair propaganda with ICS compromise. This elevates them into the same threat tier as mid-range APTs.
  • AI adoption curve: The GLOBAL GROUP’s model (multilingual ransom bots, 85% affiliate share) will become the playbook for others. Expect rapid copycats targeting GCC economies.
  • Regulatory dragnet: Saudization mandates and UAE’s MSOC licensing are not just compliance burdens. They are shaping who can defend — and who gets visibility into incidents.

Bottom line: MENA defenders are now facing a hybrid battlefield — geopolitics, cybercrime, and infrastructure sabotage operating in parallel. Organizations that fail to anticipate this convergence will burn resources chasing symptoms instead of neutralizing core risks.

© 2026 Noorstream Security. All Rights Reserved.