
Pro-Iranian Nasir Security is Targeting The Energy Sector in the Middle East

Medium
Published: Mon Mar 23 2026 (03/23/2026, 18:36:23 UTC)
Source: AlienVault OTX General

Description

A new cybercriminal group, Nasir Security, believed to be associated with Iran, is targeting energy organizations in the Middle East. They focus on attacking supply chain vendors involved in engineering, safety, and construction. The group emerged in October 2025 and has claimed attacks on various energy sector companies, including Dubai Petroleum, CC Energy Development, and Al-Safi Oil Company. However, their claims are likely exaggerated, and the actual breaches appear to be of third-party contractors. The group's tactics include business email compromise, spear phishing, and exploiting public-facing applications. Their activities are seen as part of a broader Iranian strategy to conduct cyberattacks and spread misinformation during ongoing geopolitical conflicts.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/23/2026, 21:30:56 UTC

Technical Analysis

Nasir Security is a newly identified cybercriminal group believed to be affiliated with Iran, emerging in October 2025. The group specifically targets the energy sector within the Middle East, focusing on supply chain vendors that provide engineering, safety, and construction services. Their approach leverages social engineering techniques such as spear phishing and business email compromise (BEC), alongside exploiting vulnerabilities in public-facing applications to gain initial access. The group claims to have attacked prominent energy companies including Dubai Petroleum, CC Energy Development, and Al-Safi Oil Company; however, these claims appear exaggerated, with actual breaches primarily involving third-party contractors rather than the primary targets themselves. This tactic reflects a strategic focus on supply chain compromise, which can serve as a vector to infiltrate larger organizations indirectly. Additionally, Nasir Security’s operations include spreading disinformation, consistent with Iran’s broader cyber strategy to influence geopolitical narratives and destabilize adversaries. The group uses domains such as nasir.cc and a Tor hidden service (yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion) for command and control or operational infrastructure. No known CVEs or exploits are currently associated with this campaign, and no public patches are available. The campaign’s medium severity rating reflects the moderate sophistication of attack vectors, the critical nature of the energy sector, and the indirect targeting via supply chain vendors.

Potential Impact

The potential impact of Nasir Security’s campaign is significant for organizations in the Middle East’s energy sector and their supply chain partners. Successful business email compromise and spear phishing attacks can lead to unauthorized access, data exfiltration, financial fraud, and disruption of operational technology environments. Supply chain compromises can cascade, allowing attackers to pivot into primary energy companies, potentially disrupting critical infrastructure and energy production. Additionally, the spread of disinformation can undermine trust, cause reputational damage, and complicate incident response efforts. While direct breaches of major energy firms have not been confirmed, the targeting of third-party contractors increases the risk surface and complicates defense strategies. The campaign also exemplifies the geopolitical use of cyber operations to exert pressure and influence regional stability, which could escalate tensions and provoke retaliatory actions. Organizations worldwide with business ties or dependencies on Middle Eastern energy suppliers may face indirect risks from supply chain disruptions or misinformation campaigns.

Mitigation Recommendations

Organizations should implement targeted defenses against spear phishing and business email compromise, including advanced email filtering, multi-factor authentication (MFA) for email and VPN access, and continuous user awareness training focused on social engineering tactics. Supply chain risk management must be strengthened by conducting thorough security assessments of third-party vendors, enforcing strict access controls, and segmenting networks to limit lateral movement. Monitoring and analyzing network traffic for anomalies related to known Nasir Security domains (nasir.cc and the specified onion domain) can help detect early indicators of compromise. Public-facing applications should be regularly tested and patched to reduce exploitable vulnerabilities. Incident response plans should incorporate scenarios involving supply chain breaches and disinformation campaigns, with coordination between energy companies and their contractors. Sharing threat intelligence within industry groups and with regional cybersecurity authorities can enhance collective defense. Given the geopolitical context, organizations should also monitor for misinformation and coordinate communication strategies to mitigate reputational harm.
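One way to turn the two domain indicators above into a concrete monitoring check, as an added example that is not part of the advisory or of the AlienVault pulse: a small Python scanner over constructed DNS-resolver log lines (the "timestamp client qname" line format is an assumption) that flags exact or subdomain matches of the listed indicators, ignores look-alike names that merely start with an indicator, and also flags any other .onion lookup, since Tor hidden-service names are never resolved through ordinary DNS and such a query on a corporate resolver is itself an anomaly worth triage.

```python
import re
from typing import Dict, List

# Indicators quoted in the advisory above.
NASIR_DOMAINS = {
    "nasir.cc",
    "yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion",
}

# Constructed sample resolver log in an assumed "timestamp client qname" format.
SAMPLE_DNS_LOG = """\
2026-03-23T18:40:01Z 10.20.4.17 update.microsoft.com
2026-03-23T18:41:12Z 10.20.4.17 mail.NASIR.cc.
2026-03-23T18:42:30Z 10.20.7.9 yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion
2026-03-23T18:43:05Z 10.20.4.22 nasir.cc.example.net
2026-03-23T18:44:40Z 10.20.9.3 nasir.cc
2026-03-23T18:45:02Z 10.20.9.3 constructedsampleaddress.onion
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def normalize(qname: str) -> str:
    """Lower-case the name and drop the trailing root dot some resolvers log."""
    return qname.strip().lower().rstrip(".")


def matches_ioc(qname: str) -> bool:
    """True for an indicator itself or any subdomain of it, never for a look-alike
    such as nasir.cc.example.net, which only shares a prefix."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in NASIR_DOMAINS)


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Return one alert dict per suspicious query, in log order."""
    alerts: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash
        ts, client, qname = m.groups()
        q = normalize(qname)
        if matches_ioc(q):
            alerts.append({"ts": ts, "client": client, "qname": q, "reason": "nasir-ioc"})
        elif q.endswith(".onion"):
            # Any .onion name reaching a plain DNS resolver is an anomaly on its own.
            alerts.append({"ts": ts, "client": client, "qname": q, "reason": "onion-lookup"})
    return alerts


if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_DNS_LOG):
        print(alert)
```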


Technical Details

Author: AlienVault
TLP: white
References: https://www.resecurity.com/blog/article/pro-iranian-nasir-security-is-targeting-the-energy-sector-in-the-middle-east
Adversary: Nasir Security
Pulse Id: 69c18827a9d99fd60dad6b8c
Threat Score: null

Indicators of Compromise

Domain

Type: domain  Value: yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion
Type: domain  Value: nasir.cc

Threat ID: 69c1ad86f4197a8e3b8da034

Added to database: 3/23/2026, 9:15:50 PM

Last enriched: 3/23/2026, 9:30:56 PM

Last updated: 3/24/2026, 5:18:00 AM

