RC RANDOM CHAOS

Q1 2026: Iranian crews living off P2P

Compromised P2P accounts are driving lateral movement and exfiltration in Israeli orgs. The fabric, not the platform, is the C2 channel.


Israeli incident response firms are reporting a sustained pattern across Q1 and Q2 2026: compromised peer-to-peer accounts - file sync, messaging, payment, WebRTC-based collaboration - used as the pivot inside corporate networks. The targeted sectors are defense supply chain, fintech, logistics, and healthcare. Iranian-aligned clusters tracked as MuddyWater, Imperial Kitten, and Pioneer Kitten are named in three separate vendor reports. The technique is not new. The scale, the persistence, and the operational tempo against this region are.

The entry vector is account takeover of a personal P2P account that the employee also uses, or has linked, from a corporate device. Credential stuffing (T1110.004) is the dominant primitive. ATO marketplaces sell verified Israeli-resident accounts for between four and twenty USD, depending on the platform. Telegram, WhatsApp Business, Resilio Sync, Syncthing instances exposed via UPnP, and the file-sharing layer inside Microsoft Teams external federation each appear in the post-incident reports. Token theft from infostealer logs - RedLine, LummaC2, Vidar - supplies the initial credential material. The access that results is T1078.004, valid accounts: cloud accounts. The platform is consumer-grade. The credential reuse is corporate-grade.

Once the attacker holds a P2P account that the employee has signed in on their workstation, the account itself becomes the lateral movement primitive. This is the operational shift. The attacker does not need to land a binary. The legitimate P2P client - already installed and trusted by the EDR baseline, already allow-listed by the proxy, already exempted from DLP by policy, already running with the user's token - becomes the channel. The attacker pushes content from the controlled account. The local client receives it, writes it to the configured sync directory, and the file lands on the corporate filesystem under a process tree that is allowed. T1105, ingress tool transfer, over a sanctioned data path.

The lateral movement that follows depends on the sync directory's reach. Resilio and Syncthing deployments observed in the field were configured to sync to network shares - mapped drives backed by SMB to file servers, sometimes to engineering source trees, sometimes to shared CAD directories on manufacturing-side networks. The attacker's payload, dropped via the P2P sync from a controlled peer, propagates to the share on the next sync. From there, scheduled tasks on adjacent hosts that watch the share for build artifacts execute the payload. T1080, taint shared content. The kill chain runs end to end without an outbound network call from the victim host to attacker infrastructure. The C2 is the P2P fabric.
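The one thing the endpoint does still record in this chain is the write itself: which binary wrote which file to which path. That only becomes signal when the write on one host is joined to an execution on another. The script below is an added example, not tooling from the post or from any vendor named in it: it takes Sysmon-style events (EventID 11 FileCreate, EventID 1 ProcessCreate) and raises an alert when an executable written to a share by a sync client is later launched anywhere. The hosts, paths, timestamps and the mapped-drive table are constructed for illustration; it assumes the file telemetry records the share path as the writing host sees it.

```python
"""Join a sync-client file drop on a share to a later execution of that file
on any host. Constructed Sysmon-style events; not real telemetry."""
import ntpath
from datetime import datetime

SYNC_CLIENTS = {"syncthing.exe", "rslsync.exe"}   # Syncthing, Resilio Sync
EXEC_EXT = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".msi"}
WINDOW_SECONDS = 24 * 3600        # drop-to-execution window (assumption)

# Assumption: mapped-drive letters as pushed to workstations, so a write seen
# as Z:\... on one host and \\fs01\eng\... on another resolve to the same file.
DRIVE_MAP = {"Z:": r"\\fs01\eng"}


def normalize(path):
    """Resolve mapped drive letters to UNC, unify slashes, lower-case."""
    p = path.strip().replace("/", "\\")
    if p[:2].upper() in DRIVE_MAP:
        p = DRIVE_MAP[p[:2].upper()] + p[2:]
    return p.lower()


def is_share_path(path):
    return path.startswith("\\\\") or path[:2].upper() in DRIVE_MAP


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def sync_drops(events):
    """Executable content written to a share by a sync client: path -> (host, time)."""
    drops = {}
    for e in events:
        if e["EventID"] != 11:
            continue
        if ntpath.basename(e["Image"]).lower() not in SYNC_CLIENTS:
            continue
        target = e["TargetFilename"]
        if not is_share_path(target):
            continue
        if ntpath.splitext(target)[1].lower() not in EXEC_EXT:
            continue
        drops[normalize(target)] = (e["host"], parse_ts(e["UtcTime"]))
    return drops


def correlate(events):
    """Alert when a sync-dropped share file is executed on any host inside the window."""
    drops = sync_drops(events)
    alerts = []
    for e in events:
        if e["EventID"] != 1:
            continue
        image = normalize(e["Image"])
        if image not in drops:
            continue
        drop_host, drop_ts = drops[image]
        delta = (parse_ts(e["UtcTime"]) - drop_ts).total_seconds()
        if 0 <= delta <= WINDOW_SECONDS:
            alerts.append({
                "file": image,
                "dropped_by": drop_host,
                "executed_on": e["host"],
                "parent": e.get("ParentImage", ""),
                "seconds_after_drop": int(delta),
            })
    return alerts


# Constructed sample events.
EVENTS = [
    {"host": "WS-ENG-014", "EventID": 11, "UtcTime": "2026-03-12 08:14:02",
     "Image": r"C:\Users\dana\AppData\Local\Syncthing\syncthing.exe",
     "TargetFilename": r"Z:\build\tools\update.exe"},
    {"host": "WS-ENG-014", "EventID": 11, "UtcTime": "2026-03-12 08:14:03",
     "Image": r"C:\Users\dana\AppData\Local\Syncthing\syncthing.exe",
     "TargetFilename": r"Z:\build\tools\README.md"},      # not executable
    {"host": "WS-ENG-014", "EventID": 11, "UtcTime": "2026-03-12 08:20:00",
     "Image": r"C:\Program Files\Git\bin\git.exe",
     "TargetFilename": r"Z:\build\tools\helper.exe"},     # not a sync client
    {"host": "BUILD-07", "EventID": 1, "UtcTime": "2026-03-12 08:19:41",
     "Image": r"\\fs01\eng\build\tools\update.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},   # scheduled task
    {"host": "BUILD-07", "EventID": 1, "UtcTime": "2026-03-12 08:25:10",
     "Image": r"\\fs01\eng\build\tools\helper.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The join key is the normalized share path, which is why the drive-letter table matters: the writer sees `Z:\`, the build host sees the UNC root, and without the mapping the two events never meet. The git-written `helper.exe` is deliberately left out of the drop set so the rule stays scoped to what the sync client brought in.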

For exfiltration the same primitive runs in reverse. The compromised P2P account, controlled by the attacker, pulls files placed into the sync directory by the workstation. The data leaves the network inside the standard P2P protocol traffic - encrypted, often UDP-based, frequently over hole-punched direct peer connections that never traverse a forward proxy. The closest mapping is T1567, exfiltration over web service, but the service is peer-to-peer, not a cloud SaaS endpoint a CASB can see. DLP egress controls watching TLS to known SaaS domains do not fire. The bytes leave through a UDP flow to a residential IP, which forwards to the operator. From the SIEM, it is a normal P2P session on a host that has been doing P2P sessions all year.

The specific pattern observed against Israeli fintech in March involved WhatsApp Web sessions and the linked-device mechanism. The attacker, holding the victim's number and the SMS or call verification code needed to register it on a new handset - or the primary-phone approval needed to link a companion device - brought a controlled device onto the victim's account. WhatsApp's multi-device sync replicates message history to the new device. Where the victim had received files from internal counterparts, those files synced to the attacker-controlled endpoint. No malware. No process injection. No anomalous parent-child process tree. The data left through an end-to-end encrypted channel from a process - WhatsApp.exe or the browser tab - that the EDR has no policy to inspect inside of. T1530, data from cloud storage, mapped onto a messaging platform's media cache.

For payment-rail P2P the operational impact is different but the access mechanism is similar. Bit, the Israeli P2P payment app operated by Bank Hapoalim, has reported a spike in account takeover incidents through Q1 2026. The reported volume is in the tens of thousands of accounts. The vector is SIM-swap-assisted credential reset combined with infostealer-sourced credentials. T1451, SIM card swap, in ATT&CK for Mobile. Inside a targeted organization, a Bit account belonging to a finance employee becomes a pivot for social engineering: the attacker, now operating the employee's verified P2P payment identity, requests transfers from internal counterparts using legitimate channels the employee has used before. The fraud is not the endpoint. The trust relationship the account represents is.

The telemetry picture is where defenders are losing this. EDR platforms - CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint - generate process telemetry, network connection events, and file write events. A Syncthing process writing a file to a configured sync directory is a normal event. The write shows up as Sysmon Event ID 11, FileCreate, with syncthing.exe as the writing process. The client binary is signed and unmodified. There is no DLL sideload, no LOLBin invocation, no script interpreter spawned. Behavioural models that flag suspicious process trees see nothing because the process tree is the expected one. The write itself - which binary put which file where - is the only endpoint artefact left, and it is noise on its own. The detection has to happen at the content layer or the account layer, neither of which the endpoint agent is positioned to inspect.

Network telemetry is worse. P2P protocols are designed to defeat NAT. STUN, TURN, and ICE candidate exchange produce UDP flows to residential IP space that do not match any threat intelligence feed, because residential IPs are not on threat feeds. The destination ASN is a consumer ISP in Iran or Lebanon, or a residential proxy network - Bright Data, Oxylabs, or the anonymous resellers the attacker rents by the hour - that puts the operator behind someone else's home connection. Flow records show normal session volumes. TLS inspection does not apply because the traffic is QUIC or raw UDP carrying application-layer encryption that a forward proxy cannot terminate. Suricata signatures for known P2P protocols fire constantly across the environment because P2P is in use legitimately. The signal-to-noise ratio is hostile.
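What survives in flow data is not the destination but the shape: a peer the host has never talked to before, receiving far more than it sends. The script below is an added example, not from the post or any product it mentions. It learns each host's external UDP peers from a baseline window, then flags a new peer only when the post-baseline volume to it is large and upload-dominated, so a colleague's long-standing home peer, STUN chatter to a fresh address, and a balanced two-way sync all stay quiet. The flow records, address ranges, dates and thresholds are constructed assumptions, not figures from the post.

```python
"""Baseline-and-deviation check for upload-heavy UDP sessions to new peers.
Constructed flow records; thresholds and prefixes are assumptions."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
             ip_network("192.168.0.0/16")]        # assumption: internal space
BASELINE_END = datetime(2026, 3, 1)               # flows before this train the baseline
MIN_BYTES_OUT = 50 * 1024 * 1024                  # 50 MiB to one new peer
MIN_OUT_IN_RATIO = 5.0                            # sync-in or a call is roughly balanced; a pull is not

MiB = 1024 * 1024


def flow(ts, src, dst, dport, bytes_out, bytes_in, proto="udp"):
    """Constructed flow record in the shape of a NetFlow/IPFIX export."""
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "src": src, "dst": dst,
            "dport": dport, "proto": proto, "bytes_out": bytes_out, "bytes_in": bytes_in}


def is_external(ip):
    return not any(ip_address(ip) in net for net in CORP_NETS)


def _udp_external(flows, baseline):
    """Yield external UDP flows from the baseline window or the detection window."""
    for f in flows:
        in_window = (f["ts"] < BASELINE_END) if baseline else (f["ts"] >= BASELINE_END)
        if in_window and f["proto"] == "udp" and is_external(f["dst"]):
            yield f


def baseline_peers(flows):
    """host -> set of external UDP peers seen during the baseline window."""
    peers = defaultdict(set)
    for f in _udp_external(flows, baseline=True):
        peers[f["src"]].add(f["dst"])
    return peers


def detect(flows):
    known = baseline_peers(flows)
    totals = defaultdict(lambda: [0, 0])          # (src, dst) -> [bytes_out, bytes_in]
    for f in _udp_external(flows, baseline=False):
        t = totals[(f["src"], f["dst"])]
        t[0] += f["bytes_out"]
        t[1] += f["bytes_in"]
    alerts = []
    for (src, dst), (out_b, in_b) in totals.items():
        if dst in known[src]:
            continue                              # established peer: ordinary churn
        ratio = out_b / max(in_b, 1)
        if out_b >= MIN_BYTES_OUT and ratio >= MIN_OUT_IN_RATIO:
            alerts.append({"src": src, "dst": dst, "bytes_out": out_b,
                           "out_in_ratio": round(ratio, 1)})
    return alerts


# Constructed sample flows for one workstation.
FLOWS = [
    # February: routine Syncthing QUIC sessions with a colleague's home peer
    flow("2026-02-03 09:10", "10.20.4.17", "203.0.113.45", 22000, 30 * MiB, 28 * MiB),
    flow("2026-02-17 14:02", "10.20.4.17", "203.0.113.45", 22000, 12 * MiB, 15 * MiB),
    # March: same peer, still balanced
    flow("2026-03-09 10:30", "10.20.4.17", "203.0.113.45", 22000, 25 * MiB, 22 * MiB),
    # March: discovery/STUN chatter to a new address, tiny volume
    flow("2026-03-11 08:01", "10.20.4.17", "192.0.2.9", 3478, 2048, 1536),
    # March: a never-seen peer pulling across three night-time sessions
    flow("2026-03-11 22:14", "10.20.4.17", "198.51.100.77", 22000, 70 * MiB, 1 * MiB),
    flow("2026-03-12 23:40", "10.20.4.17", "198.51.100.77", 22000, 64 * MiB, 1 * MiB),
    flow("2026-03-13 01:05", "10.20.4.17", "198.51.100.77", 22000, 58 * MiB, 1 * MiB),
    # March: TLS to a SaaS endpoint; out of scope here, the CASB sees that path
    flow("2026-03-12 09:00", "10.20.4.17", "198.51.100.200", 443, 90 * MiB, 1 * MiB, proto="tcp"),
]

if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

The rule is deliberately blind to where the peer is. It does not need the address on a feed, only that it is new to this host and that the session is one-directional at volume. The three separate sessions are summed per peer so that an operator who splits the pull across nights does not slip under the per-flow threshold.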

The identity layer is where the detection has to live. Account takeover precedes every step of this chain. Okta, Microsoft Entra ID (formerly Azure AD), and Google Workspace each emit sign-in telemetry that includes device fingerprint, geographic origin, and risk score. The P2P platforms themselves emit equivalent telemetry - new device linked, new session from new IP, password reset from new origin - but the SOC is not consuming it because the P2P account is not a corporate identity. It is a personal account that touches the corporate environment through a sync client. The trust boundary is wrong. The account belongs to the user, but the access it grants belongs to the organisation. No identity provider sits across that boundary.

Known exploitation in the region maps to specific operators. Imperial Kitten - also tracked as Tortoiseshell and Crimson Sandstorm - has run watering-hole and credential phishing operations against Israeli logistics and shipping since 2021. The Q2 2026 reporting from regional CERTs places this cluster on the consumer P2P abuse pattern. MuddyWater has been observed using legitimate file-sharing services as C2 stagers since 2020, with documented use of OneHub, Sync.com, and TeraBox in earlier campaigns. The pivot to peer-to-peer fabrics - where there is no service provider to subpoena, no logs to extract, no domain to sinkhole - is the operational evolution.

The patch boundary here is not a CVE. There is no software fix. The exposure is configuration and policy: personal P2P clients installed on corporate devices, sync directories that overlap with corporate file shares, P2P account credentials reused from corporate identity, MFA enrollment paths on P2P platforms that depend on SMS or single-factor email, and DLP policies that exempt the P2P client binary from inspection. Each of those is a control decision, not a vendor patch. Removing any one of them breaks the chain. Removing none of them leaves the residual exposure that has driven the reported intrusion volume.
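Two of those control decisions - sync directories on shares, and the client's NAT traversal and relay settings - are visible in the sync client's own configuration and can be audited before anything is removed. The script below is an added example, not from the post or from the Syncthing project: it reads a Syncthing config.xml and reports folders whose path sits on a UNC or mapped-drive share, folders shared to devices outside a managed-device allowlist, peers permitted to push new folders, and global discovery, relays and NAT traversal left enabled. The config, the device IDs and the allowlist are constructed; the element and attribute names follow Syncthing's config.xml format, and the "only C: is local" rule is a simplifying assumption.

```python
"""Audit a Syncthing config.xml for share-overlap and traversal exposures.
Constructed config and placeholder device IDs; not from a real host."""
import xml.etree.ElementTree as ET

# Assumption: device IDs of the machines IT manages. Anything else is personal.
MANAGED_DEVICES = {"AAAAAAA-WORKSTN-0000000-0000000-0000000-0000000-0000000-0000000"}

LOCAL_DRIVES = ("C:",)        # assumption: only C: counts as local storage

# Constructed config.xml. Real Syncthing device IDs are 56-character
# base32 strings; these are placeholders of the same shape.
CONFIG_XML = """<configuration version="37">
  <folder id="eng-tools" label="Engineering tools" path="Z:\\build\\tools" type="sendreceive">
    <device id="AAAAAAA-WORKSTN-0000000-0000000-0000000-0000000-0000000-0000000" introducedBy=""></device>
    <device id="BBBBBBB-HOMELAP-0000000-0000000-0000000-0000000-0000000-0000000" introducedBy=""></device>
  </folder>
  <folder id="personal" label="Personal" path="C:\\Users\\dana\\Sync" type="sendreceive">
    <device id="AAAAAAA-WORKSTN-0000000-0000000-0000000-0000000-0000000-0000000" introducedBy=""></device>
  </folder>
  <device id="AAAAAAA-WORKSTN-0000000-0000000-0000000-0000000-0000000-0000000" name="WS-ENG-014" autoAcceptFolders="false">
    <address>dynamic</address>
  </device>
  <device id="BBBBBBB-HOMELAP-0000000-0000000-0000000-0000000-0000000-0000000" name="home-laptop" autoAcceptFolders="true">
    <address>dynamic</address>
  </device>
  <options>
    <listenAddress>default</listenAddress>
    <globalAnnounceEnabled>true</globalAnnounceEnabled>
    <relaysEnabled>true</relaysEnabled>
    <natEnabled>true</natEnabled>
  </options>
</configuration>"""


def on_share(path):
    """UNC path, or a drive letter that is not one of the local drives."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\"):
        return True
    return len(p) > 1 and p[1] == ":" and p[:2].upper() not in LOCAL_DRIVES


def audit(xml_text):
    """Return (finding, subject, detail) tuples for the exposures the post lists."""
    root = ET.fromstring(xml_text)
    findings = []
    devices = {d.get("id"): d for d in root.findall("device")}   # top-level peers only

    for folder in root.findall("folder"):
        fid, path = folder.get("id"), folder.get("path", "")
        if on_share(path):
            findings.append(("folder_on_share", fid, path))
        for d in folder.findall("device"):                        # peers this folder syncs with
            did = d.get("id")
            if did not in MANAGED_DEVICES:
                name = devices.get(did, ET.Element("device")).get("name", did)
                findings.append(("folder_shared_to_unmanaged", fid, name))

    for did, d in devices.items():
        if d.get("autoAcceptFolders", "false") == "true":         # remote peer can add folders
            findings.append(("peer_can_push_folders", d.get("name", did), None))

    opts = root.find("options")
    if opts is not None:
        for tag in ("natEnabled", "relaysEnabled", "globalAnnounceEnabled"):
            el = opts.find(tag)
            if el is not None and (el.text or "").strip() == "true":
                findings.append(("traversal_enabled", tag, None))
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG_XML):
        print(finding)
```

The two findings that matter most in the chain the post describes are the share-backed folder and the unmanaged peer attached to it; together they are the T1080 path. The traversal flags are what make the flow invisible to a proxy, and turning them off forces the client onto explicit listen addresses that can be put behind an egress policy.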

What still applies post-mitigation is the underlying truth of the technique. Consumer-grade peer-to-peer fabrics, embedded in corporate environments through user behaviour rather than IT provisioning, route around every network and endpoint control built on the assumption that data leaves through inspectable channels. The Israeli incident volume in 2026 is the visible edge of the pattern. The same conditions exist in every organisation that allows personal device synchronisation, federated guest access, or installed P2P clients on managed endpoints. The geography is the signal. The technique is portable.

