Attack Tracker: Top 10 Cyber Attacks (UAE, Gulf & Global)
🇦🇪 1. UAE — 600,000 Daily AI-Powered Attacks Including Iranian Password-Spraying
The UAE Cybersecurity Council confirmed the country is facing between 500,000 and 700,000 cyberattacks per day, a figure that rises significantly during periods of geopolitical tension. Iran-linked groups are conducting multi-wave password-spraying campaigns against Microsoft 365, UAE government portals, energy sector cloud infrastructure, and strategic organizations. Three waves of coordinated credential attacks have been documented in 2026, with possible account compromises across UAE government entities.
Region: UAE | Type: Credential attack / AI-powered | Actor: Iran-linked APTs
Source: Gulf News / Eventus Security — https://gulfnews.com/uae/government/uae-issues-warning-as-iran-deploys-ai-for-cyber-attacks-1.500525604
🇦🇪 2. UAE/Gulf — MuddyWater APT Multi-Sector Espionage Campaign
MuddyWater (Iranian MOIS-linked APT) continues ongoing cyber espionage targeting UAE critical sectors including government, transport, and industrial organizations across the MENA region. The group abuses Remote Monitoring and Management (RMM) tools and PowerShell loaders for persistence, maintaining a stealthy, long-running presence across Gulf states. The campaign is documented as one of the most sustained Iranian APT operations in the region.
Region: UAE/MENA | Type: Cyber espionage | Actor: MuddyWater (Iran)
Source: Eventus Security — https://eventussecurity.com/uae/cyber-attacks/
🌍 3. Gulf States — Handala WhatsApp Military Social Engineering
Handala (Iranian MOIS-linked, also known as Void Manticore) escalated its targeting of military personnel in the Gulf region this week, sending spoofed WhatsApp business messages purportedly warning of missile and drone strikes. The campaign is designed to install malware on military-linked devices, steal credentials, and establish persistent access to defense-related communications. Help AG flagged this as a top active threat to the MENA region.
Region: Gulf States | Type: Social engineering / malware delivery | Actor: Handala
Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/
🌍 4. Gulf/Saudi Arabia — Iranian Hybrid Cyber-Physical Infrastructure Attacks
Iranian-linked groups launched hybrid kinetic and cyber attacks against cloud and technology infrastructure, including documented strikes on AWS data centers in the UAE and Bahrain that disrupted cloud services across the region. The 313 Team (Cyber Islamic Resistance in Iraq), DieNet, and related groups claimed coordinated attacks against Gulf government portals, financial institutions, and aviation systems.
Region: UAE, Bahrain, Saudi Arabia | Type: Hybrid warfare (cyber + physical) | Actor: Iranian state-aligned groups
Source: RH-ISAC / Halcyon — https://rhisac.org/threat-intelligence/middle-east-conflict/
5. GitHub — 5,561 Repositories Backdoored (Megalodon/TeamPCP)
On May 18, 2026, TeamPCP executed the Megalodon campaign, pushing 5,718 malicious commits in 6 hours to 5,561 GitHub repositories. The attack targeted CI/CD credentials, OIDC tokens, AWS/GCP/Azure credentials, and SSH deploy keys. Follow-up analysis by Hudson Rock revealed that the attack originated from infostealer infections, which provided the initial GitHub credential access.
Region: Global | Type: Supply chain attack | Actor: TeamPCP
Source: The Hacker News — https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html
6. Grafana Labs — Source Code Theft via TanStack Supply Chain
A cybercrime group (TeamPCP) stole Grafana Labs’ entire codebase and internal GitHub repositories, including business contact data, through a weaponized Nx Console VS Code extension (Mini Shai-Hulud campaign). The breach was limited to the GitHub environment with no confirmed impact on customer production systems, but represents a significant intellectual property theft and potential supply chain risk for Grafana’s millions of users.
Region: Global / Software Supply Chain | Type: Supply chain / IP theft | Actor: TeamPCP
Source: SecurityWeek — https://www.securityweek.com/grafana-says-codebase-and-other-data-stolen-via-tanstack-supply-chain-attack/
7. Drupal Websites (6,000+ Sites) — CVE-2026-9082 Mass Exploitation
Within hours of Drupal’s advisory release on May 20, attackers began targeting CVE-2026-9082 at scale — with Imperva recording 15,000+ exploitation attempts against nearly 6,000 Drupal sites across 65 countries. The attacks target PostgreSQL-backed CMS installations to steal user credentials, modify content, and in some cases attempt privilege escalation to remote code execution.
Region: Global | Type: Web application exploitation | Actor: Multiple threat actors
Source: SecurityWeek — https://www.securityweek.com/drupal-vulnerability-in-hacker-crosshairs-shortly-after-disclosure/
8. U.S. Gas Stations — Iranian Hackers Breach ATG Fuel Monitoring Systems
U.S. officials revealed this week that Iranian hackers breached automatic tank gauge (ATG) systems at gas stations across multiple U.S. states. ATG systems monitor fuel levels in underground storage tanks and are part of critical energy distribution infrastructure. The breach raises serious concerns about physical infrastructure tampering, fuel safety, and the expanding scope of Iranian hybrid operations targeting U.S. critical infrastructure.
Region: United States | Type: Critical infrastructure / OT/ICS attack | Actor: Iranian state-linked
Source: SecurityWeek — https://www.securityweek.com/in-other-news-industrial-router-exploitation-cisa-kev-nomination-form-gas-station-hacking/
9. Canvas LMS — ShinyHunters Ransomware Targets 275 Million Education Users
ShinyHunters re-attacked Canvas LMS on May 7, 2026, replacing its login page with a ransomware message, following a prior breach on April 25. The group claimed to have stolen 3.65 terabytes of data from approximately 275 million users across 8,809 universities and educational institutions worldwide. The U.S. House Homeland Security Committee launched an official investigation; Canvas is used by 41% of U.S. higher education institutions.
Region: Global / Education | Type: Ransomware / Data breach | Actor: ShinyHunters
Source: Wikipedia / House Homeland Security Committee — https://en.wikipedia.org/wiki/2026_Canvas_data_breach
10. Windows Enterprise — RedSun/UnDefend Zero-Day Exploitation Chain
Threat actors actively exploited the RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) Windows Defender zero-days in the wild before patches became available on May 20. These vulnerabilities, when chained with the previously patched BlueHammer (CVE-2026-33825), enable full SYSTEM-level access and silent disabling of endpoint protection — representing a complete compromise of Windows defenses across Windows 10, 11, and Server 2016–2025.
Region: Global | Type: Zero-day exploitation | Actor: Multiple threat actors
Source: SecurityWeek / Petri.com — https://www.securityweek.com/microsoft-patches-exploited-undefend-and-redsun-defender-zero-days/