UAE Threat Landscape: How Hacktivist Groups Targeting the Emirates Rotated Between Q4 2025 and Q1 2026
Our Telegram monitoring module tracks threat actor channels that reference UAE entities — government agencies, banks, telecoms, critical infrastructure, and brands. The volume barely changed between quarters: 53 posts in Q4, 49 in Q1. But the entire cast of threat actors targeting the UAE rotated. Conflict-driven groups vanished. Ideological collectives took their place. And in April, a North African group appeared for the first time. Here's what UAE security teams need to know.
Key Findings
- 01 Volume flat, actors completely different — Q4 and Q1 had nearly identical post counts (~50), but zero overlap in the top 5 most active groups
- 02 Q4 was conflict-driven — Red Eye of Palestine, Ghosts of Gaza, and DieNet dominated, tied directly to the Gaza conflict
- 03 Q1 shifted to ideological — Keymous Plus (17 posts), 313 Team (11), and MAD Ghost (9) replaced the conflict groups entirely
- 04 New group in April — Tunisian Maskers Cyber Force emerged from North Africa, expanding the geographic reach of hacktivist campaigns
- 05 40%+ Arabic-language content — a persistent blind spot for platforms focused on English and Russian sources
The Big Picture: Same Volume, Different Actors
At first glance, the threat volume targeting the UAE looks stable. Our module captured 53 relevant posts in Q4 2025 and 49 in Q1 2026 — an 8% decline. But volume alone misses the story. When we look at which groups are threatening UAE interests, the landscape has transformed completely.
Quarterly Post Volume
Q3 2025 spike (199 posts) correlates with regional conflict escalation in July 2025.
Q4 2025: Conflict-Driven Groups Target UAE
Q4 2025 was dominated by groups with direct ties to the Israeli-Palestinian conflict who expanded their target set to include the UAE and broader GCC. Their activity was reactive — surging after specific events, referencing UAE entities as symbols of regional allegiance, then declining as media attention shifted.
| Group | Posts | Language | Driver |
|---|---|---|---|
| Red Eye of Palestine | 9 | English | Gaza conflict |
| Ghosts of Gaza | 9 | Mixed | Gaza conflict |
| The Garuda Eye | 8 | English | Southeast Asian solidarity |
| ZagNet | 6 | Mixed | Regional hacktivism |
| DieNet | 5 | English | DDoS campaigns |
| Sylhet Gang-SG | 4 | English | South Asian hacktivism |
| Server Killers | 3 | Mixed | Infrastructure disruption |
Note: 5 of these 7 groups posted zero messages in Q1 2026. The entire conflict-driven cohort went dormant as the news cycle moved on.
Q1 2026: New Groups, Same Target — UAE
Q1's top groups were entirely different — no overlap with Q4's top 5. The new actors are ideologically motivated rather than conflict-reactive, but the UAE remains a consistent target. Keymous Plus, the most active Q1 group, made multiple references to UAE government and financial sector entities.
| Group | Q4 Posts | Q1 Posts | Status |
|---|---|---|---|
| Keymous Plus | 0 | 17 | NEW in Q1 |
| 313 Team | 0 | 11 | NEW in Q1 |
| MAD Ghost | 2 | 9 | 350% increase |
| Sylhet Gang-SG | 4 | 5 | Steady |
| Nullsec Philippines | 0 | 4 | NEW in Q1 |
| Red Eye of Palestine | 9 | 0 | Went silent |
| Ghosts of Gaza | 9 | 0 | Went silent |
| The Garuda Eye | 8 | 0 | Went silent |
The Rotation Pattern
This is the key finding: 100% of Q4's top 3 groups went silent in Q1, and 100% of Q1's top 3 groups were absent in Q4— yet the UAE remained a consistent target throughout. The actors change, but the target doesn't. Conflict-driven groups activate during crises and go dormant after. Ideological groups fill the gap. Any UAE security team relying on a fixed threat actor watchlist will miss this rotation entirely.
Early April: The Next Rotation Begins
The first 10 days of April already show Q1's dominant groups declining, with Keymous Plus dropping from 17 posts (full Q1) to 6 (April pace). More significantly, a previously unseen group has emerged:
New: Tunisian Maskers Cyber Force
5 posts in early April. A North African hacktivist collective appearing in our monitoring scope for the first time. This marks a geographic expansion— previous activity was concentrated in the Middle East, South Asia, and Southeast Asia. The Maghreb region is now producing organized cyber threat actors.
NEW GROUP · NORTH AFRICA · FIRST APPEARANCEWhat This Means for UAE Security Teams
1. Static Watchlists Are Obsolete
If your threat intelligence vendor gave you a list of “top hacktivist groups” in Q4, that list is already wrong. The entire top 5 rotated between quarters. Continuous, automated channel discovery is the only approach that keeps pace.
2. Geopolitical Events Drive UAE Targeting
The Q3 2025 spike (199 posts) and Q4 conflict-group dominance were direct consequences of the Gaza escalation. The UAE was targeted not for direct involvement, but as a symbol of regional economic power. UAE security teams should treat geopolitical flashpoints anywhere in the MENA region as early warning signals for hacktivist mobilization against UAE entities.
3. Geographic Expansion Requires Wider Coverage
The emergence of Tunisian Maskers from North Africa signals that hacktivist campaigns are no longer confined to the Middle East and South Asia. Organizations should expect new collectives from previously quiet regions to appear with little warning.
4. Arabic-Language Monitoring Is Non-Negotiable for UAE
Over 40% of the activity targeting UAE entities is in Arabic or mixed-language channels. Most international threat intelligence platforms focus on English and Russian sources. UAE organizations relying on these platforms have a direct blind spot on threats specifically targeting them.
How Cyntelligence Monitors This
Our Telegram intelligence pipeline runs continuously:
Real-time Collection
Every post captured with full metadata, media, and reply context. Zero manual effort.
Auto-Translation
Arabic, Farsi, and mixed-language posts translated using on-premise AI. No data leaves your network.
AI Intent Classification
Each post classified as: threat claim, data leak, tool sharing, recruitment, hacktivism, or news sharing.
Group Profiling
Behavioral profiles built over time: claim frequency, targeting patterns, alliances, and capability indicators.
Q2 Outlook
Based on the Q4 → Q1 rotation pattern and early April signals:
- • Expect another full group rotation — Q1's dominant actors will likely decline as new groups emerge
- • North African and Southeast Asian collectives will expand their operational tempo
- • Any regional conflict escalation will trigger rapid hacktivist mobilization within 48–72 hours
- • GCC government and financial sector will remain the primary stated targets
Our Q2 report will be published in July 2026.
Methodology
This report covers data collected by Cyntelligence's Telegram monitoring module during Q4 2025 (October–December) and Q1 2026 (January–March), with early indicators from April 2026. Monitoring is scoped to UAE-relevant keywords covering government, financial, telecom, infrastructure, and brand entities. All monitoring is conducted passively on public channels. AI-powered translation and classification is performed entirely on-premise. No data was shared with external services.
Want real-time visibility into threat actors targeting UAE organizations?
Request Demo