Bitdefender has today released new research revealing that cyber attacks linked to geopolitical conflict are escalating in both volume and sophistication, with a 130% increase in phishing and malware campaigns targeting Gulf countries following the recent escalation involving Iran, Israel and the United States.
The research shows a clear inflection point beginning February 28. Within days, malicious email activity doubled and remained consistently elevated, with peak volumes reaching nearly four times pre-conflict baselines. This pattern suggests a coordinated and sustained shift in attacker behaviour, rather than a short-term spike.
The targeting reflects strategic realities: the Gulf countries offer access into major financial and energy hubs, are highly connected to global business networks, and are active in large-scale projects and international trade. This makes them attractive targets for credential theft, financial fraud and initial access into corporate environments.
For Australian organisations, particularly across defence, government and critical infrastructure, the findings reflect a broader trend: cybercriminal and state-aligned actors rapidly adapt to geopolitical instability, using conflict as a trigger to scale and refine attack campaigns.
The attacks rely heavily on social engineering techniques embedded in everyday business processes. Common lures include invoices, contract updates, banking communications and delivery notifications, designed to blend seamlessly into routine operations and avoid suspicion. In several cases, emails impersonate financial institutions or government entities, referencing loan approvals, legal notices or urgent account actions to create pressure for immediate response.
This shift towards operational realism marks a departure from generic phishing. Campaigns are increasingly tailored to reflect real-world workflows, making them significantly harder to detect.
Beyond initial access, the research highlights a growing use of multi-stage attack chains designed for persistence and evasion. Threat actors are deploying a mix of remote access trojans (RATs), spyware and fileless techniques executed via PowerShell, enabling malicious activity to run in memory with minimal forensic footprint.
One observed campaign used a fake invoice attachment that delivered a heavily obfuscated Java-based RAT. Once executed, the malware established persistence through startup folders and scheduled tasks, while communicating with command-and-control infrastructure linked to domains referencing the ongoing conflict. These techniques allow attackers to maintain long-term access, move laterally across networks and prepare for more complex operations.
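For defenders, the persistence behaviour described above (a Java process dropping files into a Startup folder or registering a scheduled task) can be turned into a simple detection rule. The following is an added example, not code from Bitdefender's research; the event format, field names and sample events are constructed assumptions.

```python
import ntpath
import re

# Per-user and all-users Startup folders share this path suffix.
# Matching is case-insensitive because Windows paths are.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
SCRIPT_EXT = (".jar", ".lnk", ".vbs", ".js", ".bat", ".cmd", ".ps1")
JAVA_BINARIES = {"java.exe", "javaw.exe"}

# Constructed sample telemetry. Field names (type, image, parent, target,
# cmdline) are assumptions, not a real product schema.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "target": r"C:\Users\a.user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.jar"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "cmdline": r'schtasks /create /tn "Updater" /tr "javaw -jar C:\Users\a.user\AppData\Roaming\u.jar" /sc onlogon'},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "schtasks /query /fo LIST"},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\a.user\Documents\report.docx"},
]

def basename(path):
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return a finding string for a persistence-related event, else None."""
    image = basename(event.get("image"))
    parent = basename(event.get("parent"))
    if event.get("type") == "file_create":
        target = event.get("target", "")
        if STARTUP_DIR.search(target) and (
            image in JAVA_BINARIES or target.lower().endswith(SCRIPT_EXT)
        ):
            return "startup-folder persistence"
    elif event.get("type") == "process_create" and image == "schtasks.exe":
        cmd = event.get("cmdline", "").lower()
        if "/create" in cmd and (parent in JAVA_BINARIES or ".jar" in cmd):
            return "scheduled task created for Java payload"
    return None

def findings(events):
    """Return (index, finding) pairs for every event that matches a rule."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

if __name__ == "__main__":
    for index, finding in findings(SAMPLE_EVENTS):
        print(index, finding)
```
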
While no direct attribution to state-sponsored actors has been confirmed, the campaigns demonstrate how quickly cybercriminal groups can exploit geopolitical events to increase effectiveness and scale. The infrastructure, themes and timing indicate attackers are actively adapting campaigns in real time, capitalising on heightened regional sensitivity and business disruption.
For Australia, the implication is clear: these tactics are not geographically contained. The same methods can be rapidly redirected to new regions and sectors, particularly those tied to defence supply chains, energy markets and international trade.
Bitdefender advises organisations to treat routine business emails with caution, particularly during periods of geopolitical tension. Unexpected attachments, compressed files and urgent requests should be verified through trusted channels, while links should be checked before clicking. Keeping systems updated and using security tools capable of detecting fileless and multi-stage attacks is critical, as phishing remains the primary entry point for more advanced compromises.



