ZeroFox Intelligence Assessment - Q1 2026 MEA Cyber Threat Activity Wrap-Up
by Alpha Team

TLP:Clear
Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:
https://cloud.zerofox.com/intelligence/advisories/14956
Key Findings
- ZeroFox observed at least 209 separate cyber threat incidents in Q1 2026 targeting Middle East and Africa (MEA)-based entities, an increase of roughly 5 percent from Q4 2025, which accounted for at least 196 incidents, and an increase of nearly 64 percent from Q1 2025, which saw at least 126 incidents.
- Notably, Iranian authorities imposed a nationwide internet blackout on January 8, 2026, and later, following the U.S. and Israeli-led strikes in Iran, the regime further restricted internet access in the nation. This very likely impacted cyber threat incident volume, especially for incidents coming from or targeting Iran, and contributed to fewer incidents than anticipated for Q1 2026.
- In Q1 2026, government organizations continued to represent the most targeted victims for threat actors in MEA. This sustained targeting is likely driven by factors such as regional and international geopolitical tensions and conflict. MEA is the only region where government organizations are the most targeted industry.
- ZeroFox observed that the five most active threat collectives in Q1 2026 for MEA were almost certainly The Gentlemen, Handala Hack, TENGU, LockBit and INC Ransom—with Handala likely to continue to serve as a key instrument for Iranian state-sponsored cyberattacks.
Tags: tlp:clear, mid-east/africa, threat actor