Skip to content
Ransomware group

Nasir Security

Nasir Security is a relatively new, likely Iran-aligned threat actor tracked by Resecurity and described in reporting as a suspected Iran-linked hacktivist or cybercriminal group.

Profile source: Mallory opens in a new tab

Nasir Security

Family profile

Nasir Security is a relatively new, likely Iran-aligned threat actor tracked by Resecurity and described in reporting as a suspected Iran-linked hacktivist or cybercriminal group. Known aliases and self-identifications in the provided content include Nasir Resistance, Al-Nasir Resistance, Sons of Hezbollah Lebanon, and Sons of Al-Nusayr. The group has been associated with pro-Iranian messaging and was described as aligning itself with Hezbollah and the Alawite ethnic group in Syria.

Based on the provided content, Nasir Security primarily targets energy organizations in the Middle East, especially through their supply chain. Reported targets and claimed victims include Dubai Petroleum in the UAE, CC Energy Development in Oman, an Iraq-based oil and gas organization, and Al-Safi Oil Company in Saudi Arabia. Resecurity assessed that in these cases the actor likely compromised third-party vendors involved in engineering, construction, safety, and fire alarm or safety equipment rather than directly breaching the named energy companies. The stolen material reportedly included authentic schemes, contracts, maps, and risk assessment reports, which Resecurity warned could support follow-on targeting of oil fields and pipeline infrastructure.

The group’s reported tactics and techniques include business email compromise, targeted spear phishing, impersonation, exploitation of public-facing applications, and exfiltration from insecure cloud storage services. The content also states that the actor operates leak infrastructure on both clearnet and Tor, and that its public claims have been assessed by Resecurity as heavily exaggerated, including overstated data theft volumes and repackaging of authentic third-party documents to create the appearance of direct compromises. Some affected organizations reportedly said they were never contacted or extorted, suggesting ideological, propaganda, influence, or psychological objectives rather than purely financial motives.

The content also links Nasir Security to an alleged months-long breach and subsequent data leak involving Dubai International Airport. In that reporting, the group is described as Nasir Resistance and as a suspected Iran-linked hacktivist operation. The leaked material reportedly included passport photos, luggage content images, and airport security scanner photos. Researchers cited in the content said there was no indication that sensitive airport operational or intelligence information had been exposed, but warned that the leaked personal data could facilitate identity theft and fraud.

Resecurity reported that the group emerged around October 2025, initially targeting Taldor, an Israeli IT company, and later shifted messaging toward energy, oil, and gas targets across the region. The content also notes a significant pause in activity since October 2025 in one report, while other reporting states the group reappeared in March 2026.

Ransomware.live

Operational record

View group record ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.