The Server Seizure That Affects Also Iran's Cyber Operations - Check Point Blog
On May 22, 2026, Dutch financial-crime investigators walked into data centers in Dronten and Schiphol-Rijk and seized approximately 800 servers. The target was WorkTitans B.V., a hosting provider that, on the surface, looked like any other internet infrastructure company. What investigators uncovered, however, was something far more significant: a ghost operation built on sanctioned infrastructure, quietly serving as the backbone for some of Iran’s most active cyber espionage campaigns.
The story starts a year earlier. In May 2025, the European Union sanctioned Stark Industries, an internet service provider linked to Russian information-warfare operations. Rather than shutting down, the people behind it simply rebranded. WorkTitans emerged as its successor, allegedly running the same servers under a fresh corporate name. It was a brazen move, and for a while, it worked.
Three Groups and One Hosting Provider
The unraveling of this story tells you a lot about how modern cyber operations actually function. Based on our tracking of threat actor infrastructure, the WorkTitans takedown likely had an impact on Iranian cyber operations: three separate Iranian threat actor groups, each running their own campaigns against different targets, were observed using WorkTitans infrastructure for core operational purposes.
MuddyWater is an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), and one that Check Point Research has tracked closely over the years. Our previous research documented BugSleep, a custom backdoor developed and deployed by the group in phishing campaigns primarily targeting Israeli organizations. MuddyWater typically gains initial access through phishing emails sent from compromised organizational accounts, and has historically used legitimate remote management tools like Atera Agent and ScreenConnect to maintain persistence. In more recent campaigns, BugSleep replaced those tools as the group's preferred implant, with WorkTitans servers serving as its command-and-control backbone.
Agrius, also tracked as UNC2428, is an Iran-nexus group that has been observed delivering a backdoor known as MURKYTOUR as part of a job-themed social-engineering campaign. As documented by Google Threat Intelligence, the group ran a campaign impersonating an Israeli defense contractor, luring targets with what appeared to be a legitimate job application process. Victims who expressed interest were directed to a convincing fake website and asked to download a tool called RafaelConnect.exe, an installer the researchers named LONEFLEET. Once launched, it presented a realistic interface prompting users to fill in personal details and upload a resume, while quietly deploying a backdoor called MURKYTOUR in the background. That backdoor communicated through WorkTitans infrastructure.
Nimbus Manticore also takes a recruitment-themed approach but operates across a broader target base, focusing on individuals in aerospace, aviation, and defense. The group reaches victims through fake recruiter personas on LinkedIn and purpose-built job portals, eventually leading them to download a ZIP archive that appears legitimate but contains a malicious DLL. Executing the lure triggers DLL side-loading, giving the attackers remote access, credential theft capabilities, and a foothold for lateral movement. Nimbus Manticore is also notable for continuously rotating its infrastructure across multiple VPS providers, including WorkTitans, specifically to make its campaigns harder to track and block. Beyond espionage, WorkTitans infrastructure was being used to scan Middle Eastern targets for known IP camera vulnerabilities, activity that was detected just one week before the US military launched Operation Epic Fury in February 2026.
What makes this seizure particularly notable is that a single law enforcement action against one hosting provider was enough to simultaneously disrupt multiple active operations, each targeting different sectors and using different techniques, but all sharing the same underlying infrastructure dependency.
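One defensive takeaway from the rebranding described above, written here as an added example and not as Check Point code: track hosting infrastructure by network block and by every corporate name it has carried, rather than by the provider's current name alone. The CIDRs, provider labels and proxy log lines below are constructed placeholders, not indicators from the article.

```python
"""Flag outbound connections to tracked hosting blocks, surviving a provider rebrand.
Added example, not Check Point code. All CIDRs and log lines are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Allocation:
    network: ipaddress.IPv4Network
    names: tuple  # every corporate name this block has been seen under, oldest first


# Constructed allocations: the first block kept its servers but changed its name,
# mirroring the Stark Industries -> WorkTitans rebrand described in the article.
ALLOCATIONS = [
    Allocation(ipaddress.ip_network("203.0.113.0/24"), ("Stark Industries", "WorkTitans")),
    Allocation(ipaddress.ip_network("198.51.100.0/25"), ("WorkTitans",)),
]

# Constructed proxy log lines: "<timestamp> <src> -> <dst>:<port> <bytes_out>"
LOGS = """\
2026-05-20T08:01:12Z 10.0.4.17 -> 203.0.113.55:443 51200
2026-05-20T08:01:40Z 10.0.4.17 -> 93.184.216.34:443 1200
2026-05-20T09:15:03Z 10.0.7.9 -> 198.51.100.22:8443 4096
"""


def lookup(dst: str):
    """Return the tracked allocation containing dst, or None if untracked."""
    ip = ipaddress.ip_address(dst)
    return next((a for a in ALLOCATIONS if ip in a.network), None)


def _destinations(lines: str):
    for line in lines.splitlines():
        yield line.split("-> ")[1].split(":")[0]


def flag_by_name(lines: str, blocked_name: str) -> list:
    """Name-based rule: matches only if blocked_name is the block's *current* label.
    A rule written against the sanctioned name misses the rebranded successor."""
    return [d for d in _destinations(lines)
            if (a := lookup(d)) and a.names[-1] == blocked_name]


def flag_by_block(lines: str, blocked_name: str) -> list:
    """Block-based rule: matches any allocation that has *ever* carried blocked_name,
    and reports the name it currently operates under."""
    return [(d, a.names[-1]) for d in _destinations(lines)
            if (a := lookup(d)) and blocked_name in a.names]
```

Running `flag_by_name(LOGS, "Stark Industries")` returns nothing because the block now answers to WorkTitans, while `flag_by_block` with the same name still surfaces the 203.0.113.55 connection and reports the current label.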
The Lesson Hidden in Plain...