HOMETHREATSPOLONIUM
APT / THREAT GROUP🕵️ ESPIONAGE

POLONIUM

🇱🇧LB-attributed
1
campaigns
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess [POLONIUM](https://attack.mitre.org/groups/G1005) has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)

Threat Analysis

POLONIUM is a known-sophistication threat actor attributed to LB, engaged in cyber operations with a primary motivation of espionage.

The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.

Known Campaigns

POLONIUM — Active Operations March 2026

POLONIUM is a unknown-motivation threat actor attributed to LB. Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM....

ACTIVEMEDIUM2026

External References

Quick Facts

TypeAPT / Threat Group
Motivation🕵️ espionage
Origin🇱🇧 LB
Aliases1
SourceMalpedia

Also Known As

Plaid Rain

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.