Severity
High
Analysis Summary
Researchers are monitoring a relatively new cybercriminal group, Nasir Security, believed to have Iranian affiliations, targeting energy sector organizations in the Middle East. The group primarily focuses on supply chain vendors involved in engineering, safety, and construction, rather than directly attacking core energy companies. While claims of stolen data are often exaggerated, the documents accessed are authentic, which poses a strategic risk because they give adversaries insight into key infrastructure components. The attacks appear ideologically motivated, coinciding with regional tensions, including Iran’s military actions against GCC countries, and are amplified through cyberspace as part of broader propaganda and psychological operations.
Since its emergence in October 2025, Nasir Security has conducted only a handful of operations. These early operations highlighted a supply chain attack strategy, emphasizing optics and perception over operational damage. The group has since rebranded and expanded its targets, using various misleading attributions such as “Sons of Hezbollah Lebanon” and “Sons of Al-Nusayr” to amplify ideological narratives.
According to the researchers, the group’s more recent activity has targeted energy companies and contractors in the UAE, Oman, Iraq, and KSA, claiming large-scale exfiltration of sensitive data. Investigations by the researchers indicate that the stolen information primarily originated from third-party vendors, including safety and fire equipment providers, rather than from the targeted organizations themselves. While the data is authentic, the exaggerated claims of volume and impact suggest a deliberate misinformation campaign. Such tactics create uncertainty for affected organizations and amplify the perception of Iranian cyber capabilities during ongoing geopolitical conflicts.
Nasir Security maintains a public-facing Data Leak Site with clearnet and Tor mirrors, indicating a structured operational approach to dissemination. The group’s statements, pseudo-leaks, and false flags highlight the psychological and propaganda dimension of its activity, rather than financially motivated attacks. Resecurity assesses that Iran-linked actors leverage the IT and OT supply chain to demonstrate quantitative results in cyberspace, exploiting vendor weaknesses while minimizing direct operational risk. Enterprises are advised to strengthen third-party cybersecurity monitoring, conduct rigorous vendor risk assessments, and remain vigilant against supply chain compromises amplified by misinformation and influence operations.
Impact
- Sensitive Data Theft
- Unauthorized Access
Indicators of Compromise
Domain Name
- nasir.cc
URL
- http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement advanced anti-phishing tools and email filtering to detect spear-phishing campaigns.
- Enable multi-factor authentication (MFA) for all employee accounts, including contractors and vendors.
- Conduct a vendor risk assessment for all contractors and suppliers handling sensitive data.
- Require cybersecurity hygiene audits for third-party vendors, including cloud and email security practices.
- Review and restrict access to cloud applications and critical infrastructure systems.
- Apply the principle of least privilege to vendor and employee accounts.
- Audit and secure all public-facing and cloud storage repositories.
- Encrypt sensitive data stored in the cloud and monitor for unauthorized access attempts.
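As an added example (not part of the advisory, and not tooling from the researchers), the Python script below implements the IoC-hunting step from the remediation list: it pulls hostname candidates out of DNS query and web proxy log lines and matches them against the domain and .onion URL listed under Indicators of Compromise. Subdomains of an indicator count as hits, while lookalike names that merely contain the indicator (such as a host under a different parent domain) do not. The log lines, internal IP addresses and non-indicator hostnames are constructed for the example, and the function names are my own.

```python
"""Match DNS and proxy log lines against the advisory's indicators of compromise."""
import re
from urllib.parse import urlsplit

# Indicators published in the advisory above.
IOC_DOMAINS = {"nasir.cc"}
IOC_URLS = {
    "http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion",
}

# Anything that looks like a hostname: dot-separated labels ending in an
# alphabetic TLD. IPv4 addresses, timestamps and status codes do not match
# because their final label is numeric.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}")

# Constructed sample lines (BIND query-log and Squid access-log style); not real traffic.
SAMPLE_LOG_LINES = [
    "12-Nov-2025 10:01:02.123 client 10.0.0.5#51234: query: NASIR.CC IN A + (10.0.0.1)",
    "12-Nov-2025 10:01:05.400 client 10.0.0.9#40001: query: example.com IN A + (10.0.0.1)",
    "1762941662.123 120 10.0.0.7 TCP_MISS/200 4521 GET http://cdn.nasir.cc./index.html - HIER_DIRECT/203.0.113.10 text/html",
    "1762941670.000 3 10.0.0.8 TCP_DENIED/403 0 CONNECT yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion:80 - HIER_NONE/- -",
    "1762941680.000 50 10.0.0.8 TCP_MISS/200 100 GET http://nasir.cc.example.com/ - HIER_DIRECT/198.51.100.5 text/html",
]


def ioc_hosts():
    """Hostnames to hunt for: the IoC domains plus the host part of each IoC URL."""
    hosts = set(IOC_DOMAINS)
    for url in IOC_URLS:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    return hosts


def normalize_host(host):
    """Lower-case and strip a trailing dot so 'NASIR.CC.' compares equal to 'nasir.cc'."""
    return host.strip().lower().rstrip(".")


def host_matches(host, indicators=None):
    """Return the indicator that `host` equals or is a subdomain of, else None.

    'cdn.nasir.cc' matches 'nasir.cc'; 'nasir.cc.example.com' does not, because
    the indicator must be the whole name or a dot-delimited suffix of it.
    """
    indicators = ioc_hosts() if indicators is None else indicators
    host = normalize_host(host)
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_lines(lines):
    """Scan log lines and return one hit per (line, host) that matches an indicator."""
    indicators = ioc_hosts()
    hits = []
    for line_no, line in enumerate(lines, start=1):
        seen = set()
        for candidate in HOST_RE.findall(line):
            host = normalize_host(candidate)
            if host in seen:
                continue
            seen.add(host)
            ioc = host_matches(host, indicators)
            if ioc:
                hits.append({"line": line_no, "host": host, "indicator": ioc})
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: {hit['host']} matched indicator {hit['indicator']}")
```

To run it over real data, replace SAMPLE_LOG_LINES with the lines read from your DNS or proxy logs; the host regex is format-agnostic, so the same scan works on any log that records hostnames or URLs in clear text.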