Iranian Hackers Used Fake Recruiters During Middle East Conflict


Cybersecurity researchers say Iranian-linked hackers allegedly used fake recruiter outreach and fraudulent job offers to target employees in the aviation and energy sectors during the recent conflict involving Iran, Israel and the United States.

According to a new report from Palo Alto Networks Unit 42, the campaign focused on workers with high-level technical access at companies in the United States, Israel and the United Arab Emirates.

Researchers said the operation appeared aimed primarily at cyber espionage and intelligence gathering rather than immediate disruption or destructive attacks.

Fake Hiring Schemes Used to Deliver Malware

Unit 42 researchers said the hackers posed as recruiters and prospective employers to contact software engineers and IT workers, particularly those with privileged access to internal systems.

In one case, researchers identified a fake job posting impersonating a U.S. airline and advertising a “senior software engineer” role.

The operation allegedly used fake interview invitations and video conferencing tools embedded with malicious software designed to steal credentials or gain access to company infrastructure.

Researchers said the campaign reflected a broader trend in cyber warfare where attackers increasingly use ordinary workplace communication tools to infiltrate organizations.

“The most effective attacks are the ones that look exactly like normal work,” one widely shared Reddit comment said during online discussions about the report.

Why Airlines and Energy Firms Were Targeted

Cybersecurity analysts said aviation and energy companies are especially valuable targets during geopolitical conflicts because they can provide strategic intelligence about transportation, logistics, fuel supplies and regional economic activity.

Researchers noted that access to airline systems could potentially reveal flight activity and movement patterns tied to the Middle East, while infiltrating oil and gas firms could provide insight into energy supply operations during periods of instability.

The campaign reportedly focused heavily on software engineers because those employees often maintain broad access across corporate networks.

No Confirmed Major Breaches Reported

Despite the sophistication of the operation, Unit 42 told CNN it found no evidence that the targeted aviation or energy companies suffered confirmed major breaches during this phase of the campaign.

However, researchers warned the activity demonstrated how cyber operations remain a central part of modern geopolitical conflict, especially for countries seeking lower-cost asymmetric tools outside conventional warfare.

The Aviation Information Sharing and Analysis Center, which monitors cyber threats affecting airlines and airports, said the activity matched expectations following heightened tensions in the region.

“We have been expecting attacks as a consequence of the war,” Aviation ISAC president Jeffrey Troy told CNN.

Cyber Tensions Continue Alongside Military Conflict

The cyber campaign reportedly emerged after U.S. and Israeli strikes targeted Iranian nuclear-linked and military infrastructure earlier this year, followed by Iranian retaliatory actions and heightened regional tensions.

In March, the Israel Defense Forces claimed it struck a facility described as Iran’s “cyber warfare headquarters,” though no independent confirmation has verified the extent of damage.

Researchers said the latest operation showed no signs of slowing despite military pressure.



Liam Redmond

As an editor at Forbes Europe, I specialize in exploring business innovations and entrepreneurial success stories. My passion lies in delivering impactful content that resonates with readers and sparks meaningful conversations.
