Reports published in 2024 show a clear pattern: Iranian-linked operators have been deploying bespoke backdoors and low-cost surveillance tools across state and telecom targets in the region. The most concrete public technical case concerns a campaign that targeted Iraqi government networks with two newly identified backdoors named Veaty and Spearal. Those implants use unusual command channels, including compromised mailboxes as a C2 mechanism and custom DNS tunneling, as well as an IIS module used as a passive web backdoor. The Check Point analysis provides configuration-level details, sample infection chains, and indicators that tie the toolset to clusters historically linked to Iranian intelligence services.

For Yemen the public picture is more fragmented, but the operational intent is similar. Lookout and other trackers identified active surveillanceware campaigns attributed to Houthi-aligned actors that specifically harvest device carrier and network metadata, GPS routes, and other telephony configuration details from infected phones. Those campaigns have used social engineering distribution over WhatsApp and direct browser downloads, giving operators a rich telemetry stream tied to mobile subscribers and by extension to local telecom infrastructure. This is not the same as a kernel-level compromise of a national switch, but the aggregated telemetry and carrier metadata are exactly the kind of signals that can be used to map subscriber relationships, network topology, and key operational personnel.

Taken together, the publicly reported activity points to two important operational themes. First, Iranian-aligned teams are willing to combine high-end, custom backdoors against government networks with lower-effort commodity surveillance and phishing operations that touch telecom subscribers. That mixed tradecraft lets operators gather both privileged state communications and broad situational awareness across civilian networks. Second, attackers repeatedly favor covert C2 techniques that blend into existing services. The Veaty sample, which uses targeted Exchange mailboxes, and Spearal’s DNS tunnel are illustrative. These methods reduce noisy outbound traffic and complicate detection by traditional perimeter tools.

This activity has clear policy and defensive implications. U.S. and regional incident responders have already warned that Iran-based actors remain active against a variety of sectors, and that credential theft, MFA fatigue attacks, and brute force remain common initial access vectors. Public advisories describe these persistent behaviors and recommend hardening steps that are directly relevant to governments and telecom operators.

Practical priorities for government and telecom defenders

1) Assume mailbox and DNS channels can be weaponized. Harden mailboxes used by privileged accounts and service accounts. Enforce mailbox audit logging, require application-specific credentials where possible, and monitor for atypical mailbox rules and inbox forwarding. DNS monitoring should include unusual TXT activity and entropy analysis on subdomains. The Spearal DNS-tunneling pattern makes clear that TXT queries carrying encoded subdomain payloads are a likely detection surface.

2) Treat subscriber metadata as strategic. Telecoms must view metadata about SIMs, IMSI, and routing not only as commercial telemetry but as potential operational intelligence. Implement stricter access controls on OSS/BSS systems, log and review any bulk metadata exports, and apply anomaly detection to usage patterns that could indicate exfiltration or targeted collection. Lookout’s findings on GuardZoo show how mobile spyware harvests carrier and Wi-Fi configuration, which can be repurposed for larger mapping efforts.

3) Harden authentication and operational endpoints. The U.S. interagency guidance on Iran-based actor tactics emphasizes credential stuffing, MFA push bombing, and persistence via modified second factors. Enforce phishing-resistant MFA, restrict legacy protocols, and implement rate limits and account lockouts tuned to distinguish legitimate remote administration from brute force waves. System owners should rotate service account credentials after suspected exposures and require out-of-band verification before enabling new device or mailbox access.

4) Reduce blast radius with network segmentation and trusted execution boundaries. Separate management planes for network elements from user-facing services. For telecoms this means stricter segmentation between subscriber-facing elements and provisioning or billing systems. For government IT, isolate ministerial mail servers and admin consoles behind additional inspection layers and limited ingress and egress points. Passive web modules and malicious IIS components are easier to hide on broad, flat networks. Keep attack surfaces small.

5) Prioritize rapid detection of low-skill commodity surveillance as an early warning. Not every infection will be a covert custom implant. Commodity spyware and PowerShell backdoors provide indicators of targeting intent. Operational teams should integrate mobile threat telemetry and host EDR telemetry into a single fusion view so that mobile trends can trigger deeper network hunts where state-level implants may lie dormant.
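The DNS detection surface described in priority 1 (TXT queries whose leftmost label carries an encoded payload) can be checked against resolver logs with a few lines of scoring. The following is an added illustration, not tooling from Check Point or the original article; the log format, the thresholds, and the `cdn-updates.example.net` zone are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<epoch> <client> <qtype> <qname>".
# The four TXT queries from 10.0.0.44 imitate the Spearal-style pattern of long,
# random-looking subdomain labels; the remaining lines are ordinary traffic.
SAMPLE_LOG = """\
1712000001 10.0.0.12 A www.example.com
1712000002 10.0.0.12 TXT _dmarc.example.com
1712000003 10.0.0.44 TXT 6a3f9c1e2b7d4a5f8e0c1b2a3d4e5f60.cdn-updates.example.net
1712000004 10.0.0.44 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.cdn-updates.example.net
1712000005 10.0.0.44 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.cdn-updates.example.net
1712000006 10.0.0.44 TXT 7b8c9dae1f203142536475869708b9ca.cdn-updates.example.net
1712000007 10.0.0.7 AAAA mail.example.com
"""

ENTROPY_MIN = 3.5  # bits per character; hex or base32 payload labels sit near 3.9-4.5
LABEL_MIN = 20     # encoded chunks are long, legitimate hostnames rarely are
BURST_MIN = 3      # distinct payload-like labels per (client, zone) before alerting

def shannon_entropy(s: str) -> float:
    """Bits per character of a label; uniform random hex tops out at 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def payload_like(label: str) -> bool:
    """True when the leftmost label is long and random enough to be carrying data."""
    return len(label) >= LABEL_MIN and shannon_entropy(label) >= ENTROPY_MIN

def find_tunnel_candidates(log_text: str) -> dict:
    """Group TXT queries with payload-like first labels by (client, parent zone)
    and return the pairs that exceed BURST_MIN distinct labels."""
    seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        _ts, client, qtype, qname = line.split()
        qname = qname.rstrip(".").lower()
        if qtype.upper() != "TXT" or "." not in qname:
            continue
        first, parent = qname.split(".", 1)
        if payload_like(first):
            seen[(client, parent)].add(first)
    return {key: len(labels) for key, labels in seen.items() if len(labels) >= BURST_MIN}

if __name__ == "__main__":
    for (client, zone), count in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"ALERT {client} -> {zone}: {count} distinct payload-like TXT labels")
```

Tune `ENTROPY_MIN` and `LABEL_MIN` against a baseline of your own resolver traffic before alerting, since CDN and anti-spam zones legitimately use long hashed labels, and treat the grouping by client and zone as the signal rather than any single query.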

Policy and strategic recommendations

• Share sanitized metadata between telecom regulators and national CERTs under prearranged legal frameworks. Access to subscriber metadata for incident investigation is sensitive, but without timely sharing defenders will miss the macro signals that link handset-level spyware campaigns to infrastructure probing.

• Mandate baseline cybersecurity for national carriers. Require logging, segmentation, and incident response playbooks as regulatory minimums. Where regulators cannot enforce this immediately, fund capability assistance to small and national operators so they can implement basic defenses quickly.

• Invest in DNS telemetry and mail sandboxing at national scale. Nation-state operators are weaponizing common services. National scale telemetry that includes DNS resolution patterns and mailbox rule changes provides the highest yield for detecting DNS tunneling and mail-based C2.

• Treat allied and partner networks as part of the broader intelligence picture. Iranian-aligned operators do not restrict collection to adversaries. As public reporting shows, neighbors and nominal partners can be targets for tactical and strategic collection. Collaborative incident response and cross-border policing of hosting infrastructure help close the windows attackers exploit.

Conclusion

Between documented custom implants used against Iraqi government networks and widespread mobile surveillance activity in Yemen, the operational pattern is clear: espionage actors are combining stealthy custom tooling with commodity collection to build layered intelligence pictures. Governments and telecom operators must respond with layered defenses of their own. That means protecting mailboxes and DNS, treating subscriber metadata as strategic, enforcing phishing-resistant MFA, and building regulatory and operational bridges between the telecom and national security communities. If defenders accept that today’s backdoors are stealthy, low throughput, and built to look like normal service traffic, then detection and response must change accordingly.