THREAT INTELLIGENCE · EGYPT · H1 2026
Bi-annual

The Egypt threat landscape, documented.

Six months of ransomware, breaches, data leaks and dark-web activity targeting Egyptian organizations — plus profiles of the adversary groups behind them. Compiled and confirmed by PurpleGuard's 24/7 SOC.

Free · delivered to your inbox
VULNERABILITY LANDSCAPE

What six months looks like

41KTotal vulnerabilitiesdisclosed, H1 2026
12.1KCritical + High severityCVSS 7.9–10
295Actively exploitedconfirmed in the wild
TOP AFFECTED BRANDS
Microsoft
Oracle
Splunk
Cisco
Palo Alto Networks
Fortinet
cPanel
Flag of EgyptREGIONAL STANDING · H1 2026
#1most targeted country in Africa by cyberthreats
#2most targeted in the MENA region, behind Turkey
CONFIRMED INCIDENTS IN EGYPT

Confirmed victims in Egypt, H1 2026

92
Confirmed victims in Egypt, H1 2026
Data Breach57
Ransomware30
Defacement2
Coordinated cyber campaign1
DDoS1
Unauthenticated Access1
THREAT ACTORS TRACKED

The groups behind the activity

> Each profile covers background, recent activity, common techniques and objectives — factual, sourced, no speculation.

actor_profile.log
$ threat --profile the-gentlemen
The Gentlemen
The Gentlemen
Ransomware · RaaS
HIGH

Russian-speaking RaaS operation, also tracked by Microsoft as Storm-2697. Runs an aggressive 90/10 affiliate split, the GentleKiller EDR-killer suite and a Go-based encryptor, with double extortion via BreachForums-recruited affiliates.

Double extortionEDR killer
> first_seen: 17-Jul-25> origin: Russia
actor_profile.log
$ threat --profile nightspire
NightSpire
NightSpire
Ransomware
HIGH

Likely a rebrand of the Rbfs operation. Escalated quickly from data theft to double extortion, imposing ransom deadlines as short as 48 hours and encrypting OneDrive files without changing icons to delay detection.

Double extortionShort deadlines
> first_seen: 1-Feb-25> origin: South Korea
actor_profile.log
$ threat --profile payload
Payload
Payload
Ransomware
HIGH

Fast-growing group with a global footprint, using Babuk-derived source code. Exploits critical vulnerabilities in widely-used enterprise software for initial access, then threatens to publish stolen files on Tor leak sites.

Double extortionBabuk-derived
> first_seen: 15-Feb-26> origin: unknown

Full profiles for every group active against Egypt this half — in the report.

CONFIRMED TARGETS

Egyptian Victims

Organizations confirmed compromised this half, grouped by the actor responsible.

The GentlemenThe Gentlemen
Ebny Development
Ebny Development
Misr Chemical Industries
Misr Chemical Industries
EEC Group
EEC Group
ACE Consulting Engineers
ACE Consulting Engineers
Nile Air
Nile Air
Smart Glass
Smart Glass
Bouri Group
Bouri Group
NightSpireNightSpire
Sheraton Miramar Resort El Gouna
Sheraton Miramar Resort El Gouna
BA
basatamfi
Papa John's Egypt
Papa John's Egypt
Rawaj Consumer Finance
Rawaj Consumer Finance
LAMAICA
LAMAICA
FA
Future Association for Microfinance
INI Investments
INI Investments
MISR AL MAHABA HOSPITAL
MISR AL MAHABA HOSPITAL
PayloadPayload
Oriental Weavers
Oriental Weavers
United Finance Egypt
United Finance Egypt
SODIC
SODIC
Grid Fine Finishes
Grid Fine Finishes
El Wastani Petroleum Company
El Wastani Petroleum Company
Better House Development
Better House Development
Sayegh 1944
Sayegh 1944

Intelligence sharing, not naming and shaming. The report references real organizations that have been compromised, never to damage reputations, disrupt operations, or point fingers at their security teams — it exists so the wider community can learn and defend. Most of this data was already made public by the adversaries themselves; an organization is only included after PurpleGuard SOC engineers independently confirm the claim.

GET THE REPORT

Egypt Threat Intelligence Report — H1 2026

Delivered by email, in the language you pick below.

We only use your email to deliver the report. Privacy policy

Chat with us