
DarkBlinders earned its place on the 2026 list not through the size of its victim list, but through the precision of its targeting and the speed of its evolution. Active since September 2024, this group has concentrated every operation on two sectors that sit at the center of Arabian Gulf strategic interest: aviation infrastructure and telecommunications — in the UAE and Iraq specifically.
Seven confirmed victim organizations. Two countries. Two critical infrastructure sectors. It reads like a small footprint. But the detail that makes DarkBlinders worth watching is an 8/10 TTP evolution score, observed in under two years of activity. For an intrusion set this young, that is striking: multiple updated versions of its custom malware were deployed in real attacks within a relatively short period.
The absence of financial extortion indicators points to intelligence collection as the primary objective. Who flies, when, and where — alongside the telecommunications infrastructure that connects Gulf state institutions — is the kind of information that has strategic value well beyond financial gain. DarkBlinders’ targeting profile reflects the surveillance priorities of an actor operating in one of the most geopolitically active regions in the world.
Group-IB assesses with low confidence that DarkBlinders is an intrusion set closely associated with Iran-nexus APT activity. The low confidence rating reflects the absence of definitive evidence linking it to previously established threat groups; however, the victimology and broader operational context of the campaign point to an Iranian state-sponsored actor.
Notably, the operators behind these intrusions have shifted both their tooling and their tactics, techniques, and procedures (TTPs), and DarkBlinders activity has not been observed for some time. As it is uncommon for cyberespionage operations to begin and cease abruptly, we assess that the observed TTPs and toolset likely represent one operational phase of a persistent actor — subsequently retired or evolved into a new arsenal that leaves no noticeable technical overlap with prior activity.
Group-IB analysts assessing DarkBlinders noted that TTP changes during the observation period were significant enough to retire previous detection techniques — an indicator that the group actively monitors for exposure and pivots when needed. The full scope of their current capability is still being assessed.
Key Numbers
— 7 Confirmed victim organizations as of investigation period
— 2 Countries targeted: UAE and Iraq (Kurdistan Region of Iraq)
— 2 Critical infrastructure sectors: aviation and telecommunications
— 8/10 TTP evolution score — one of the highest short-timeline evolution rates in this year’s top 10
— <2 years Operational window in which this evolution was observed
Middle East — United Arab Emirates (primary), Iraq
A sustained, targeted intrusion campaign against aviation infrastructure operators in the UAE. Malicious internet infrastructure was observed hosting websites that mimicked target organizations' sites and delivering custom malware.
Multiple attacks were observed targeting the Kurdish telecom sector in Iraq, including internal phishing in which emails were sent from compromised employee accounts to colleagues and blended into existing email threads.
The most distinctive aspect of DarkBlinders is their Peaky Blinders television series theme. The group systematically incorporates names of the Shelby brothers (main characters from the show) throughout their infrastructure.
DarkBlinders is an operationally disciplined intrusion set whose recent activity in the United Arab Emirates and Iraq demonstrates a mature, multi-stage tradecraft. The group blends targeted social engineering, bespoke malware, and an unusual command-and-control (C2) channel that abuses legitimate GitHub infrastructure to blend in with normal enterprise traffic.
The group relies primarily on spear-phishing (T1566.001), delivered through two complementary vectors: weaponized emails carrying trojanized utilities, and attacker-controlled websites that host similar tools as direct downloads. The lures are consistently professional in tone, mimicking legitimate diagnostic software and corporate portals. Observed delivery activity includes:
— Kurdistan, Iraq (Feb 2025): Trojanized network-testing tools (JPerf, NewrozSpeedtest) delivered to telecommunications targets via email and dedicated download sites.
— UAE (Jan 2025): Credential-harvesting portals impersonating an aviation organization.
Following execution, DarkBlinders establishes persistence through a layered combination of techniques. Registry Run keys (T1547.001) trigger malware on user logon, scheduled tasks (T1053.005) provide redundant execution paths, and DLL search-order hijacking (T1574.001) is used to load malicious libraries — HTTPService.dll, TeamsService.dll, and HTTPApi.dll — alongside legitimate signed host applications. Installation is wrapped in Inno Setup packages.
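The persistence chain above hinges on DLL search-order hijacking: the three reported DLL names are dropped next to a legitimate signed host binary so that the host resolves the attacker's copy before the real one. The example below is an added illustration written for this page, not Group-IB or DarkBlinders code. It triages Sysmon Event ID 7 (ImageLoad) records with constructed paths and process names; the field names follow Sysmon's schema (Image, ImageLoaded, Signed), while the Inno Setup temp-directory check relies on that installer's known habit of extracting to %TEMP%\is-XXXXX.tmp\.

```python
"""Triage Sysmon Event ID 7 (ImageLoad) records for DLL search-order hijacking.

Added illustration, not Group-IB tooling. Field names follow Sysmon's
ImageLoad event (Image, ImageLoaded, Signed); the paths, process names
and events themselves are constructed for the example.
"""
import ntpath
import re

# DLL names the report attributes to DarkBlinders' search-order hijacking.
REPORTED_DLLS = {"httpservice.dll", "teamsservice.dll", "httpapi.dll"}
# A few DLL names that genuinely ship in System32 (illustrative subset, not a full list).
# httpapi.dll is one of them, which is what makes its appearance next to a
# user-writable host binary suspicious.
SYSTEM32_DLLS = {"httpapi.dll", "version.dll", "cryptsp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Inno Setup extracts its payload to %TEMP%\is-XXXXX.tmp\ before running it.
INNO_TEMP_RE = re.compile(r"\\is-[a-z0-9]+\.tmp\\", re.IGNORECASE)


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def triage(event):
    """Return reasons one ImageLoad event looks like a hijack (empty list = benign)."""
    host = event["Image"]
    dll = event["ImageLoaded"]
    name = ntpath.basename(dll).lower()
    reasons = []
    if name in REPORTED_DLLS and not in_system_dir(dll):
        reasons.append(f"reported DLL name {name} loaded from {ntpath.dirname(dll)}")
    # The textbook hijack: a DLL that belongs in System32 resolved from the
    # host executable's own directory, whatever the DLL is called.
    same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(host).lower()
    if name in SYSTEM32_DLLS and same_dir and not in_system_dir(dll):
        reasons.append(f"System32 DLL name {name} resolved from host directory")
    if reasons and event.get("Signed", "true").lower() == "false":
        reasons.append("loaded DLL is unsigned")
    if reasons and INNO_TEMP_RE.search(host):
        reasons.append("host process runs from an Inno Setup temp directory")
    return reasons


def hunt(events):
    """Return (Image, ImageLoaded, reasons) for every event with at least one reason."""
    out = []
    for ev in events:
        reasons = triage(ev)
        if reasons:
            out.append((ev["Image"], ev["ImageLoaded"], reasons))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: a vendor tool loads the real httpapi.dll from System32.
    {"Image": r"C:\Program Files\Vendor\Tool.exe",
     "ImageLoaded": r"C:\Windows\System32\httpapi.dll", "Signed": "true"},
    # Hijack: an installer-extracted binary loads an unsigned httpapi.dll beside itself.
    {"Image": r"C:\Users\a.user\AppData\Local\Temp\is-K3P9Q.tmp\NetSpeedTest.exe",
     "ImageLoaded": r"C:\Users\a.user\AppData\Local\Temp\is-K3P9Q.tmp\HTTPApi.dll",
     "Signed": "false"},
    # Hijack: a reported DLL name loaded from a writable ProgramData path.
    {"Image": r"C:\ProgramData\Updater\Updater.exe",
     "ImageLoaded": r"C:\ProgramData\Updater\TeamsService.dll", "Signed": "false"},
    # Benign: a system process loads version.dll from System32.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, dll, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image} -> {dll}\n  - " + "\n  - ".join(reasons))
```

The name match is the indicator the report gives; the directory and signature checks are what keep the rule useful after the actor renames its DLLs, since a System32 name resolving from a user-writable directory is suspicious regardless of which name it carries.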
Once resident, the implants prioritize host triage and intelligence collection over aggressive lateral movement. Reconnaissance covers system enumeration (T1082), running processes (T1057), user context (T1033), and file-system layout (T1083). Collection is oriented toward credential and document theft: a dedicated keylogger (T1056.001), a screen-capture utility (T1113, observed as Screenshot.exe), and automated harvesting of local files (T1005, T1119) feed the operators a steady stream of information from each victim.
The most distinctive element of the toolset is its abuse of GitHub as a covert C2 channel (T1102), where victim metadata and decryption keys are written to operator-controlled repositories and retrieved through the public API. Observed repositories include arturshellby, johnshelllby, peakyblinders-team, and GreenBeret0, accessed through endpoints such as:
— hxxps://api[.]github[.]com/repos/johnshelllby/myToken/contents/*/Info[.]txt
— hxxps://api[.]github[.]com/repos/johnshelllby/myToken/contents/*/License[.]txt
This GitHub channel is paired with a conventional HTTPS C2 layer (T1071.001) featuring encoded payloads (T1132.001) and TLS-encrypted traffic (T1573.002). The supporting network infrastructure is hosted via Stark Industries, a provider widely cited in bulletproof-hosting reporting:
— Domains: arthurshelby[.]click, speed-test[.]click, newroztelecom[.]digital
— Nameservers: ns1/ns2.arthurshelby[.]click, ns1/ns2.speed-test[.]click
— C2 IPs: 195[.]16[.]74[.]137, 195[.]16[.]74[.]138
— Additional staging: 172[.]86[.]68[.]55, 2[.]56[.]126[.]151, 2[.]56[.]126[.]157, 2[.]56[.]126[.]188
The group invests heavily in evasion. Payloads are obfuscated and packed (T1027), and the loaders implement both environment checks (T1497.001) and time-based stalling (T1497.003) to defeat sandbox detonation. On live hosts, the malware uses DLL injection (T1055.001) and process hollowing (T1055.012) to execute from within trusted processes. The custom toolset itself centers on two components: SHELBYLOADER, a first-stage loader responsible for environment validation and staging, and SHELBYC2, the backdoor providing persistent operator access, tasking, and exfiltration.
In the UAE aviation campaign (January 2025), operators stood up lookalike domains for an aviation organization and used them to host credential-harvesting portals aimed at airline and airport personnel. In the Iraq telecommunications campaigns (February 2025), the group leaned on regionally credible lures — newroztelecom[.]digital and korektell[.]com — paired with Kurdish-branded diagnostic utilities to compromise carriers operating in the Kurdistan region, combining email delivery with public website distribution.
Taken together, these campaigns illustrate a threat actor that prioritizes plausibility over volume: small numbers of well-crafted lures, region-specific infrastructure, and stealthy long-dwell implants designed for sustained collection rather than disruption.
DarkBlinders is an intrusion set that emerged with no technical overlap with previously known groups, but its targeting has been persistent and overlaps with Iran-nexus APT activity. Group-IB continues to monitor and research this group in search of additional information that can lead to definitive attribution.
Aviation operators and telecommunications providers in the UAE and Iraq should treat DarkBlinders as an active threat. Ensure Group-IB Threat Intelligence feeds are integrated into your SOC for real-time indicator monitoring.
Organizations operating in the UAE and Iraq should establish direct relationships with national CERTs and cybersecurity authorities. Sharing DarkBlinders indicators with relevant authorities strengthens collective defense and may surface additional intelligence on the group's activities.
Monitor for suspicious communication with GitHub, in particular the GitHub API, for signs of C2 traffic.
Train employees to recognize phishing attempts, including internal phishing from within the organization, especially staff in technical roles with administrative access to critical IT systems such as email, networking, and Active Directory.
Monitor DNS activity for abnormal resolutions, since DarkBlinders used DNS to obtain the decryption key for the second-stage payload.
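The GitHub contents-API channel described in the technical profile and the recommendation above to watch GitHub traffic come down to the same hunt: find hosts calling api.github.com/repos/<owner>/<repo>/contents/... from a process that has no business doing so, and check the owner and file names against what has been reported. The example below is an added illustration written for this page, not Group-IB tooling. The one-line key=value proxy log format, the process names (NetDiag.exe stands in for an unnamed trojanized utility) and the per-victim folder name WS-042 are constructed; the repository owners and Info.txt/License.txt file names are the ones reported above.

```python
"""Hunt for GitHub contents-API abuse in web-proxy logs.

Added illustration, not Group-IB or DarkBlinders code. The log format
(one key=value line per request), the process names and the victim
folder name are constructed for the example.
"""
import re
from collections import Counter

# Repository owners named in the report, lowercased for matching.
KNOWN_REPO_OWNERS = {"arturshellby", "johnshelllby", "peakyblinders-team", "greenberet0"}
# File names the report associates with the channel (Info.txt / License.txt).
SUSPECT_FILES = {"info.txt", "license.txt"}
# Processes accepted as legitimate GitHub API clients (assumption; tune per estate).
DEV_PROCESSES = {"git.exe", "code.exe", "gh.exe", "python.exe"}

LOG_RE = re.compile(r"host=(?P<host>\S+) proc=(?P<proc>\S+) method=(?P<method>\S+) url=(?P<url>\S+)")
# The contents API is /repos/<owner>/<repo>/contents/<path>; the report shows
# the implant reading per-victim files under a wildcard path.
CONTENTS_RE = re.compile(
    r"^https?://api\.github\.com/repos/(?P<owner>[^/]+)/(?P<repo>[^/]+)/contents/(?P<path>[^?#]+)"
)


def parse_line(line):
    """Return the request fields of one proxy log line, or None if unparseable."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return reasons a single request looks like GitHub-based C2 (empty list = no finding)."""
    m = CONTENTS_RE.match(rec["url"])
    if not m:
        return []  # not the contents API at all
    reasons = []
    if m["owner"].lower() in KNOWN_REPO_OWNERS:
        reasons.append(f"known repo owner {m['owner']}")
    fname = m["path"].rsplit("/", 1)[-1].lower()
    if fname in SUSPECT_FILES:
        reasons.append(f"file name {fname} matches reported channel")
    if rec["proc"].lower() not in DEV_PROCESSES:
        reasons.append(f"non-developer process {rec['proc']} calling contents API")
    return reasons


def hunt(lines, poll_threshold=3):
    """Return (host, proc, url, reasons) for every request worth an analyst's time."""
    records = [r for r in map(parse_line, lines) if r]
    # Implants poll the same endpoints; developers browse. Count contents-API
    # calls per host/process so repetition can be reported as its own reason.
    polls = Counter((r["host"], r["proc"]) for r in records if CONTENTS_RE.match(r["url"]))
    alerts = []
    for r in records:
        reasons = classify(r)
        if not reasons:
            continue
        n = polls[(r["host"], r["proc"])]
        if n >= poll_threshold:
            reasons.append(f"{n} contents-API requests from the same process")
        alerts.append((r["host"], r["proc"], r["url"], reasons))
    return alerts


# Constructed sample: one developer workstation and one host polling the
# reported johnshelllby/myToken repository from a non-developer binary.
SAMPLE_LOG = """\
2025-02-03T09:00:01Z host=WS-017 proc=git.exe method=GET url=https://api.github.com/repos/python/cpython/contents/README.rst
2025-02-03T09:05:12Z host=WS-042 proc=NetDiag.exe method=GET url=https://api.github.com/repos/johnshelllby/myToken/contents/WS-042/Info.txt
2025-02-03T09:10:12Z host=WS-042 proc=NetDiag.exe method=GET url=https://api.github.com/repos/johnshelllby/myToken/contents/WS-042/License.txt
2025-02-03T09:15:12Z host=WS-042 proc=NetDiag.exe method=GET url=https://api.github.com/repos/johnshelllby/myToken/contents/WS-042/Info.txt
2025-02-03T09:20:40Z host=WS-017 proc=code.exe method=GET url=https://github.com/microsoft/vscode/releases
""".splitlines()

if __name__ == "__main__":
    for host, proc, url, reasons in hunt(SAMPLE_LOG):
        print(f"{host} {proc} {url}\n  - " + "\n  - ".join(reasons))
```

The owner and file-name checks only catch infrastructure that is already known; the process allowlist and the per-process polling count are the parts that survive the actor registering a new account, which is exactly the kind of pivot the evolution score describes. Traffic to api.github.com is TLS, so this hunt needs proxy or EDR visibility into the URL path, not just the destination host.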
Aviation infrastructure holds a category of data that is valuable for intelligence purposes rather than immediate financial gain: flight manifests, routing information, operational system architectures, and in some cases, communications data from government and diplomatic flights. For an actor with state-aligned intelligence objectives, that data is worth more than a ransomware payment. The UAE and Iraq are both strategically important to multiple regional powers — making their aviation and telecoms infrastructure priority targets for intelligence collection operations.
An 8/10 TTP evolution score means the group changed how it operates significantly during the observation period, enough that detection signatures built on earlier activity became unreliable. In practical terms, the group monitors its own exposure and adapts when it detects that defenders have caught up. That score in under two years of operation is a strong signal: DarkBlinders is not running a static playbook. It is learning and iterating with each campaign.
The targeting profile — aviation and telecoms in the UAE and Iraq — is consistent with state-directed intelligence collection objectives. The absence of financial extortion activity and the precision of victim selection reinforce an espionage assessment. Group-IB assesses with low confidence that DarkBlinders is closely associated with Iran-nexus APT activity; the low confidence reflects the absence of definitive technical links to previously established groups rather than doubt about the espionage motive.
Observed initial access is spear-phishing: weaponized emails carrying trojanized network-diagnostic utilities, attacker-controlled websites hosting the same tools as direct downloads, and credential-harvesting portals impersonating target organizations. In the Iraq telecommunications campaigns, the group also sent internal phishing from compromised employee mailboxes, replying into existing email threads to blend in.
Based on confirmed activity, DarkBlinders’ operations have been concentrated in the UAE and Iraq. However, the group’s high TTP evolution rate and the international connectivity of both aviation and telecommunications sectors mean the threat profile cannot be viewed as strictly regional. Organizations with operational exposure to UAE or Iraqi aviation infrastructure — including international carriers, air traffic management providers, and global telecoms operating in the region — should assess their risk posture accordingly.