On May 22, 2026, Dutch financial-crime investigators walked into data centers in Dronten and Schiphol-Rijk and seized approximately 800 servers. The target was WorkTitans B.V., a hosting provider that, on the surface, looked like any other internet infrastructure company. What investigators uncovered, however, was something far more significant: a ghost operation built on sanctioned infrastructure, quietly serving as the backbone for some of Iran’s most active cyber espionage campaigns.
The story starts a year earlier. In May 2025, the European Union sanctioned Stark Industries, an internet service provider linked to Russian information-warfare operations. Rather than shutting down, the people behind it simply rebranded. WorkTitans emerged
Three Groups and One Hosting Provider
How this story came to light tells you a lot about how modern cyber operations actually function. Three separate Iranian threat actor groups, each running their own campaigns against different targets, were all using WorkTitans
Based on our tracking of threat actor infrastructure, the WorkTitans takedown likely had an impact on Iranian cyber operations. Three separate Iranian threat actor groups, each running their own campaigns against different targets, were observed using
MuddyWater is an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), and one that Check Point Research has tracked closely over the years. Our previous research documented BugSleep, a custom backdoor developed and deployed by the group in phishing campaigns primarily targeting Israeli organizations. MuddyWater typically gains initial access through phishing emails sent from compromised organizational accounts, and has historically used legitimate remote management tools like Atera Agent and ScreenConnect to maintain
Agrius, also tracked as UNC2428, is an Iran-nexus group that has been observed delivering a backdoor known as MURKYTOUR as part of a job-themed social-engineering campaign. As documented by Google Threat Intelligence, the group ran a campaign impersonating an Israeli defense contractor and luring targets with what appeared to be a legitimate job application process. Victims who expressed interest were directed to a convincing fake website and asked to download a tool called RafaelConnect.exe, an installer the researchers named LONEFLEET. Once launched, it presented a realistic interface prompting users to fill in personal details and upload a resume, while quietly deploying a backdoor called MURKYTOUR in the background. That backdoor communicated through WorkTitans
Nimbus Manticore also takes a recruitment-themed approach but operates across a broader target base, focusing on individuals in aerospace, aviation, and defense. The group reaches victims through fake recruiter personas on LinkedIn and purpose-built job portals, eventually leading them to download a ZIP archive that appears legitimate but contains a malicious DLL. Executing the lure triggers DLL side-loading, giving the attackers remote access, credential theft capabilities, and a foothold for lateral movement. Nimbus Manticore is also notable for continuously rotating its infrastructure across multiple VPS providers, including WorkTitans, specifically to make its campaigns harder to track and block.
Beyond espionage, WorkTitans
What makes this seizure particularly notable is that a single law enforcement action against one hosting provider was enough to simultaneously disrupt multiple active operations, each targeting different sectors and using different techniques, but all sharing the same underlying infrastructure dependency.
The Lesson Hidden in Plain Sight
The real takeaway here goes beyond the headline. For years, defenders have focused on individual IP addresses, flagging known bad actors one address at a time. But threat actors figured out a long time ago that they can stay ahead of that approach simply by rotating IPs or hiding behind legitimate-looking providers.
What the WorkTitans case makes undeniably clear is that the hosting environment itself is the signal. A single IP might look clean while the network it belongs to has been repeatedly flagged for hosting phishing kits, malware, and scanning infrastructure. That pattern, visible through ASN reputation analysis, passive DNS history, and abuse reporting, is often a much earlier warning sign than any individual IP flag.
What This Means for Your Security Posture
The organizations best positioned to catch threats like these are the ones that have moved beyond point-in-time IP lookups and started evaluating infrastructure holistically. Here is what that looks like in practice:
- Map IP addresses to their hosting environment. Identify the ASN, netblock, and organization behind any suspicious source, and assess whether it belongs to a legitimate provider or a high-risk reseller network.
- Evaluate ASN reputation, not just individual IPs. Repeated abuse patterns across many addresses within the same ASN are a stronger signal than any single flagged IP.
- Review passive DNS history. Look for high domain churn, newly registered or randomly named domains, and phishing or malware infrastructure associated with the IP range.
- Check your own logs for behavioral signals. Scanning activity, brute force attempts, credential stuffing, and exploit probing from a VPS source are all red flags worth investigating further.
- Treat anonymizing infrastructure with higher scrutiny. Authentication attempts originating from known VPNs, proxies, or Tor exit nodes deserve a closer look regardless of whether the IP itself has been flagged.
- Flag geolocation anomalies. Unexpected cloud regions or impossible travel patterns are worth investigating, even if they do not confirm malicious intent on their own.
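The following script is an added example, not code from the original post or from Check Point; it shows what "the hosting environment is the signal" looks like when scored over log data, and walks through the first five items of the list above (ASN mapping, ASN reputation, passive DNS churn, behavioral signals, and anonymizer scrutiny; geolocation is left out). All reference data is constructed: the ASNs are from the private documentation range, the prefixes are RFC 5737 test networks, the organization names, blocklist entries, passive-DNS records and sshd-style log lines are invented for the example. The point it makes is that 203.0.113.99, which is on no per-IP blocklist, still ends up as the highest-risk source once its network context and behavior are combined.

```python
"""Holistic source-IP triage: hosting context + ASN reputation + pDNS + behavior.

Added example with constructed data; real deployments would back these tables with
an IP-to-ASN feed, an abuse/reputation source and a passive-DNS service.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed IP-to-ASN table. Hypothetical ASNs (64496-64511 documentation range),
# RFC 5737 test prefixes, invented organization names. kind: vps | isp | vpn
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "Example VPS Reseller", "vps"),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "Example Corporate ISP", "isp"),
    (ipaddress.ip_network("192.0.2.0/24"), 64502, "Example Anonymizer Exit", "vpn"),
]

# Constructed per-IP blocklist (point-in-time reputation). 203.0.113.99 is NOT on it.
FLAGGED_IPS = {"203.0.113.10", "203.0.113.22", "203.0.113.45", "203.0.113.67"}

# Constructed passive-DNS history: ip -> [(domain, registration_age_days), ...]
PASSIVE_DNS = {
    "203.0.113.99": [("login-verify-8f2k.example", 3), ("hr-portal-apply.example", 5),
                     ("cdn-sync11.example", 9), ("mailbox-secure.example", 2),
                     ("qx7zt.example", 1)],
    "198.51.100.7": [("corp.example", 4000)],
}

# Constructed sshd-style authentication log
AUTH_LOG = [
    "2026-05-23T10:00:01Z sshd: Failed password for admin from 203.0.113.99 port 51022",
    "2026-05-23T10:00:02Z sshd: Failed password for root from 203.0.113.99 port 51023",
    "2026-05-23T10:00:03Z sshd: Failed password for oracle from 203.0.113.99 port 51024",
    "2026-05-23T10:00:04Z sshd: Failed password for backup from 203.0.113.99 port 51025",
    "2026-05-23T10:00:05Z sshd: Failed password for admin from 203.0.113.99 port 51026",
    "2026-05-23T10:00:06Z sshd: Failed password for jsmith from 203.0.113.99 port 51027",
    "2026-05-23T10:01:10Z sshd: Accepted publickey for jsmith from 198.51.100.7 port 40011",
    "2026-05-23T10:02:00Z sshd: Accepted password for jsmith from 192.0.2.17 port 33010",
]

LOG_RE = re.compile(
    r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_auth_log(lines):
    """Group auth events by source IP: {ip: [(user, 'Failed'|'Accepted'), ...]}."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events[m["ip"]].append((m["user"], m["result"]))
    return events


def lookup_asn(ip):
    """Map an IP to (asn, org, kind) by longest-prefix match; None if unknown."""
    addr = ipaddress.ip_address(ip)
    hits = [row for row in ASN_TABLE if addr in row[0]]
    if not hits:
        return None
    _net, asn, org, kind = max(hits, key=lambda r: r[0].prefixlen)
    return asn, org, kind


def asn_flag_count(asn):
    """ASN-level reputation: number of individually flagged IPs inside this ASN."""
    count = 0
    for ip in FLAGGED_IPS:
        info = lookup_asn(ip)
        if info and info[0] == asn:
            count += 1
    return count


def score_source(ip, events):
    """Return (score, reasons) combining the per-IP flag with network context and behavior."""
    score, reasons = 0, []
    if ip in FLAGGED_IPS:                      # the conventional point-in-time check
        score += 1
        reasons.append("ip individually flagged")
    info = lookup_asn(ip)
    if info:
        asn, org, kind = info
        if kind in ("vps", "vpn"):            # anonymizing / rentable infrastructure
            score += 1
            reasons.append(f"hosted on {kind} network AS{asn} ({org})")
        flagged = asn_flag_count(asn)
        if flagged >= 3:                       # repeated abuse across the ASN
            score += 2
            reasons.append(f"{flagged} flagged IPs in AS{asn}")
    domains = PASSIVE_DNS.get(ip, [])
    young = [d for d, age in domains if age <= 30]
    if len(domains) >= 5 or len(young) >= 2:  # domain churn / newly registered names
        score += 1
        reasons.append(f"pDNS churn: {len(domains)} domains, {len(young)} registered <=30d")
    failures = [user for user, result in events if result == "Failed"]
    if len(failures) >= 5:                     # brute force
        score += 2
        reasons.append(f"{len(failures)} failed logins")
    if len(set(failures)) >= 3:                # credential stuffing / user spraying
        score += 1
        reasons.append(f"{len(set(failures))} distinct usernames tried")
    return score, reasons


def triage(lines):
    """Score every source IP seen in the log: {ip: (score, reasons)}."""
    return {ip: score_source(ip, ev) for ip, ev in parse_auth_log(lines).items()}


if __name__ == "__main__":
    for ip, (score, reasons) in sorted(triage(AUTH_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"{ip:16} score={score:2d}  " + "; ".join(reasons))
```

Run as-is, the VPS source scores 7 with five independent reasons despite a clean per-IP lookup, the corporate ISP login scores 0, and the anonymizer exit scores 1 purely for where it sits, which is the "closer look regardless of whether the IP itself has been flagged" the list calls for. Thresholds are illustrative and should be tuned to your own baseline.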
The WorkTitans seizure was a law enforcement success story. But it also served as a reminder that the most durable cyber threats rarely depend on a single point of failure. They rely on the gaps between what defenders check individually and what they overlook collectively. Closing those gaps is where the real work begins.