Iran's offensive cyber program is, in many ways, a direct product of the Stuxnet operation (discovered 2010). The joint U.S.-Israeli campaign to sabotage Iran's Natanz uranium enrichment facility demonstrated that cyber weapons could cause physical destruction -- and that Iran was acutely vulnerable. Within two years, Tehran had invested heavily in both defensive and offensive cyber capabilities, launching Operation Ababil (DDoS against U.S. banks) in 2012 and the destructive Shamoon attack against Saudi Aramco the same year (Mandiant; CISA).
By 2025, Iran operates one of the most active nation-state cyber programs globally, behind China and Russia but ahead of North Korea in breadth of targeting. The program has evolved from crude DDoS and defacement to sophisticated espionage, wiper deployment, ransomware-as-cover, and coordinated influence operations.
IRGC vs. MOIS: Two Pillars of Iranian Cyber Operations
Iran's cyber operations are split across two principal organizations, each with distinct mandates and operational styles:
Iran relies heavily on ostensibly private companies to conduct operations, providing plausible deniability. Known front companies include:
Emennet Pasargad (also known as Aristander Technologies): Linked to Cotton Sandstorm; indicted by DOJ in 2022 for election interference operations targeting the 2020 U.S. presidential election (DOJ)
Najee Technology / Afkar System: IRGC-affiliated; indicted in 2022 for ransomware attacks targeting U.S. critical infrastructure (FBI)
Mahak Rayan Afraz (MRA): IRGC-CQF front company linked to APT42 and Charming Kitten operations (Google TAG)
Ravin Academy: Training pipeline for MOIS-linked operators (Check Point Research)
Iran's cyber program fills a critical gap in its strategic calculus. Facing overwhelming conventional military disadvantage against the U.S. and Israel, crippling economic sanctions, and limited power-projection capability, cyber operations provide:
Low-cost retaliation: Destructive attacks on adversary infrastructure without crossing kinetic thresholds
Sanctions circumvention intelligence: Espionage against financial, trade, and diplomatic targets
Regional influence: Information operations targeting Gulf states, Israel, and Arab populations
Domestic control: Surveillance of dissidents, journalists, and human rights activists both inside Iran and in the diaspora
The table below catalogs the principal Iranian threat groups, their aliases across vendor naming conventions, assessed organizational affiliation, and primary activity type.
| Group (Primary Name) | Aliases | Affiliation | Primary Activity | Active Since |
|---|---|---|---|---|
| APT33 / Peach Sandstorm | Elfin, Refined Kitten, Magnallium, Holmium | IRGC | Espionage (aerospace, defense, energy); credential spraying at scale | |
| | | | Telecom and ISP targeting in Middle East and Africa | ~2017 |
| CopyKittens | Parisite (partial overlap) | Unconfirmed (assessed state-linked) | Espionage targeting Israel, Germany, Turkey; strategic government entities | ~2013 |
| Scarred Manticore | DEV-0861 (partial overlap) | MOIS | Long-term espionage; Middle East government and telecom infiltration | ~2019 |
| DarkBit | -- | Unconfirmed (assessed MOIS-linked) | Ransomware against Israeli academia (Technion attack, 2023) | ~2023 |
| CyberAv3ngers | -- | IRGC-CEC (Cyber-Electronic Command) | OT/ICS targeting; US and Israeli water systems; Unitronics PLC exploitation | ~2023 |
| Cyber Toufan | -- | Assessed IRGC-linked | Mass data exfiltration and leaking from Israeli organizations post-Oct 7 | ~2023 |
Attribution Confidence
Attribution of Iranian cyber groups to specific government organizations (IRGC vs. MOIS) is based on U.S. government indictments, sanctions designations, and vendor intelligence assessments. The boundary between IRGC and MOIS operations is not always clean -- some groups (e.g., MuddyWater) have been assessed as MOIS-subordinate by some vendors and IRGC-subordinate by U.S. Cyber Command. Contractor relationships further blur organizational lines.
Iranian threat actors are generally less technically sophisticated than Chinese or Russian counterparts but compensate with persistence, aggression, and a willingness to cause visible destruction. Key characteristics:
Opportunistic exploitation over zero-days: Iranian groups overwhelmingly exploit known (N-day) vulnerabilities rather than developing or purchasing zero-day exploits. They move fast once a CVE is published, particularly for internet-facing devices (Mandiant).
Heavy reliance on VPN/firewall exploits: Fortinet, Pulse Secure, Citrix, and F5 vulnerabilities are consistently favored initial access vectors.
Password spraying at industrial scale: APT33/Peach Sandstorm in particular conducts massive credential-spraying campaigns against thousands of organizations simultaneously (Microsoft).
Elaborate social engineering: APT42 and Mint Sandstorm build fake personas (journalists, academics, think-tank researchers) over weeks or months to lure high-value targets into credential phishing (Google TAG).
Wipers as a first-resort weapon: Unlike most nation-states that reserve destructive capability, Iranian actors deploy wipers frequently as retaliation or coercion.
"Lock and leak" operations: Encryption of victim data (mimicking ransomware) combined with public data leaks on Telegram channels -- designed for psychological and reputational damage rather than financial gain.
Influence operations integration: Cyber intrusions are increasingly paired with information operations -- stolen data is selectively leaked, social media accounts amplify narratives, and hack-and-leak personas are created to maximize impact.
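The spray pattern described in the list above (many accounts, one or two attempts each, so no single account trips a lockout) is the shape a detection rule has to key on. The following Python is an added example, not code from the original page or from any vendor cited on it; it runs over constructed sign-in records (the IPs, usernames and timestamps are made up) and distinguishes a spray from a single-account brute force and from an ordinary mistyped password. The window and thresholds are assumptions to tune per environment.

```python
"""Detect password-spray patterns in authentication logs (added example).

A spray tries one or two passwords against many accounts so that no single
account crosses its lockout threshold. The signal is therefore: many distinct
usernames failing, each only once or twice, from one source in a short window.
A brute force (one account, many attempts) has the opposite shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry. Format: "<timestamp> <source ip> <user> <result>"
SAMPLE_LOG = """\
2025-03-01T09:00:01Z 203.0.113.7 alice FAIL
2025-03-01T09:00:04Z 203.0.113.7 bob FAIL
2025-03-01T09:00:07Z 203.0.113.7 carol FAIL
2025-03-01T09:00:11Z 203.0.113.7 dave FAIL
2025-03-01T09:00:15Z 203.0.113.7 erin FAIL
2025-03-01T09:00:19Z 203.0.113.7 frank FAIL
2025-03-01T09:00:22Z 203.0.113.7 grace FAIL
2025-03-01T09:00:26Z 203.0.113.7 heidi FAIL
2025-03-01T09:00:30Z 203.0.113.7 ivan FAIL
2025-03-01T09:00:34Z 203.0.113.7 judy FAIL
2025-03-01T09:00:38Z 203.0.113.7 mallory FAIL
2025-03-01T09:00:42Z 203.0.113.7 oscar FAIL
2025-03-01T10:15:00Z 198.51.100.9 admin FAIL
2025-03-01T10:15:03Z 198.51.100.9 admin FAIL
2025-03-01T10:15:06Z 198.51.100.9 admin FAIL
2025-03-01T10:15:09Z 198.51.100.9 admin FAIL
2025-03-01T10:15:12Z 198.51.100.9 admin FAIL
2025-03-01T10:15:15Z 198.51.100.9 admin FAIL
2025-03-01T11:02:10Z 192.0.2.5 alice FAIL
2025-03-01T11:02:25Z 192.0.2.5 alice SUCCESS
"""

# Thresholds are assumptions; tune them to the environment's normal failure rate.
WINDOW = timedelta(minutes=60)
MIN_DISTINCT_USERS = 10    # spray: many accounts...
MAX_ATTEMPTS_PER_USER = 2  # ...each probed only a couple of times (stays under lockout)


def parse_line(line):
    """Split one record into (timestamp, source_ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_password_spray(log_text, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                          max_per_user=MAX_ATTEMPTS_PER_USER):
    """Return {source_ip: finding} for sources whose failed logins match the spray shape."""
    failures = defaultdict(list)  # source ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until every event in events[start:end+1] fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                candidate = {
                    "distinct_users": len(per_user),
                    "attempts": end - start + 1,
                    "first_seen": events[start][0].isoformat(),
                    "last_seen": events[end][0].isoformat(),
                }
                # Keep the widest view of the spray for the alert.
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_LOG).items():
        print(ip, finding)
```

Keying on the source IP is the simplest form of the rule; a spray spread across many source addresses will not reach the threshold for any single one, so the same check is worth running with a coarser key (ASN, user-agent string, or the whole tenant) alongside the per-IP version.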
| Event | Date | Attribution | Description | Impact |
|---|---|---|---|---|
| Operation Ababil | 2012 | | Sustained DDoS campaign against major U.S. financial institutions (Bank of America, JPMorgan, Wells Fargo, others) | Significant service disruptions; one of the largest DDoS campaigns against U.S. banking sector at that time (CISA) |
| Shamoon / Saudi Aramco | August 2012 | Assessed IRGC-linked | Wiper destroyed ~35,000 workstations at Saudi Aramco by overwriting MBR and files | Most destructive cyberattack on a single company at the time; weeks of recovery |
| Bowman Avenue Dam | 2013 | Assessed IRGC | Intrusion into SCADA systems of a small dam in Rye Brook, New York | No physical impact (sluice gate was manually disconnected), but demonstrated Iran's interest in U.S. critical infrastructure; led to indictments |
| Sands Casino Hack | February 2014 | Assessed IRGC | Destructive attack against Las Vegas Sands Corp. -- wiper deployment, data theft, website defacement | Retaliation for CEO Sheldon Adelson's public comments about nuclear strikes on Iran; $40M+ in damages (Bloomberg) |
| Shamoon 2.0 / 2.5 | 2016--2017 | Assessed IRGC-linked | Return of Shamoon wiper targeting Saudi government agencies, petrochemical companies, and other Gulf entities | Multiple organizations affected; expanded target set beyond Aramco |
| APT33 aerospace/energy campaigns | 2016--present | APT33/Peach Sandstorm | Persistent targeting of U.S. and Saudi defense contractors, aerospace firms, and energy companies | Credential theft and espionage at scale; intelligence collection on defense programs |
| MuddyWater regional espionage | 2017--present | MuddyWater/Mango Sandstorm | Continuous espionage campaigns across Middle East, Turkey, Pakistan, Central Asia; targeting government, telecom, energy | Thousands of organizations targeted; one of the most prolific Iranian groups |
| ZeroCleare energy sector attacks | 2019 | APT33 + OilRig (collaborative) | Wiper targeting Middle East energy and industrial sectors | Destructive intent against critical infrastructure; Bahrain's Bapco targeted via Dustman variant |
| Travelex ransomware | December 2019 -- January 2020 | Assessed Iranian-linked (disputed) | Ransomware attack on foreign exchange company Travelex; systems offline for weeks | $2.3M ransom reportedly paid; Travelex entered administration; $30M+ in losses |
| APT42 dissident surveillance | 2015--present | APT42 | Systematic surveillance of Iranian dissidents, journalists, human rights lawyers, and activists worldwide | Compromise of personal communications; physical safety implications for targets inside Iran (Google TAG) |
| Iran-Albania confrontation | July 2022 | Assessed MOIS-linked (HomeLand Justice) | Destructive attack against Albanian government systems; Albania severed diplomatic relations with Iran | First known case of a nation severing diplomatic ties over a cyberattack (Microsoft) |
| Moses Staff / Abraham's Ax "lock and leak" | 2021--2022 | Moses Staff | Encryption and leaking of data from Israeli companies and government entities; psychological warfare messaging | Dozens of Israeli organizations targeted; data leaked on Telegram |
| Charlie Hebdo hack-and-leak | January 2023 | Cotton Sandstorm/Neptunium | Breach of Charlie Hebdo subscriber database; leak of 230,000 subscriber records after the magazine published a cartoon contest mocking Iran's Supreme Leader | Personal data exposure; assessed as IRGC retaliation (Microsoft) |
| CyberAv3ngers Unitronics PLC campaign | November 2023 | CyberAv3ngers (IRGC-CEC) | Exploitation of Unitronics Vision Series PLCs with default credentials in U.S. water and wastewater systems; defacement of HMI screens with anti-Israel messaging | Municipal Water Authority of Aliquippa (PA) and others compromised; CISA emergency advisory; U.S. Treasury sanctions against IRGC-CEC officials (CISA) |
| BiBi wiper campaigns | October 2023--2024 | Assessed IRGC-linked (BiBiGun) | Deployment of BiBi-Linux and BiBi-Windows wipers against Israeli organizations following the October 7 Hamas attack | Destructive impact across multiple Israeli sectors; named after PM Netanyahu as psychological element |
| Cyber Toufan mass leaks | October 2023--2024 | Cyber Toufan (assessed IRGC-linked) | Mass exfiltration and leaking of data from dozens of Israeli companies; systematic "name and shame" campaign on Telegram | Over 100 Israeli organizations claimed as victims; significant data exposure |
| Mint Sandstorm credential campaigns | 2023--2025 | Mint Sandstorm/APT35 | Sustained credential harvesting targeting universities, think tanks, defense researchers, and Middle East policy experts | Ongoing; thousands of individuals targeted with bespoke phishing (Microsoft) |
| Peach Sandstorm defense targeting | 2023--2025 | Peach Sandstorm/APT33 | Password spray and targeted attacks against defense, satellite, and pharmaceutical sectors globally | Intelligence collection on defense industrial base; Azure infrastructure abused for C2 |
| Cotton Sandstorm influence operations | 2024--2025 | Cotton Sandstorm/Emennet Pasargad | Influence operations targeting U.S. and Israeli audiences; fake news sites, social media manipulation, personas posing as activist groups | Election-related disinformation; attempts to amplify social divisions |
The following defensive measures address the most common and impactful Iranian TTPs. Organizations in targeted sectors should treat these as baseline requirements.
Iranian groups' heavy reliance on exploiting internet-facing VPN appliances, firewalls, and Exchange servers makes patch management for edge devices the single highest-impact defensive measure.
Prioritize patching for Fortinet, Pulse Secure/Ivanti, Citrix, F5, and Microsoft Exchange vulnerabilities
Maintain an accurate inventory of all internet-facing assets
Subscribe to CISA Known Exploited Vulnerabilities (KEV) catalog alerts
Implement virtual patching via WAF/IPS where immediate patching is not possible
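The four items above combine naturally into one workflow: an inventory of internet-facing assets joined against the KEV catalog, ordered by CISA due date and exposure. The Python below is an added example, not code from the page, CISA or any vendor listed; it ranks a constructed inventory against entries written in the field layout of CISA's KEV feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json). The inventory, the KEV entries and the CVE identifiers are placeholders, and the vendor/product name matching is a heuristic assumption: KEV entries carry no affected-version data, so a match means "verify this host against the vendor advisory", not "confirmed vulnerable".

```python
"""Rank internet-facing assets against a KEV-style catalog (added example)."""
import json
from datetime import date

# Constructed inventory; "exposed" means reachable from the internet. Not a real network.
INVENTORY = [
    {"host": "vpn-gw-01", "vendor": "Fortinet", "product": "FortiOS", "version": "7.2.4", "exposed": True},
    {"host": "adc-01", "vendor": "Citrix", "product": "ADC", "version": "13.1", "exposed": True},
    {"host": "mail-01", "vendor": "Microsoft", "product": "Exchange Server", "version": "2019 CU12", "exposed": True},
    {"host": "lab-fw", "vendor": "Fortinet", "product": "FortiOS", "version": "7.4.0", "exposed": False},
    {"host": "hr-app", "vendor": "ExampleCorp", "product": "HRPortal", "version": "3.1", "exposed": True},
]

# Constructed entries using the KEV feed's field names; the CVE ids are placeholders, not real CVEs.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "Citrix", "product": "ADC and Gateway",
     "dateAdded": "2025-02-01", "dueDate": "2025-02-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2024-11-05", "dueDate": "2024-11-26", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-EXAMPLE-0004", "vendorProject": "Ivanti", "product": "Connect Secure",
     "dateAdded": "2025-01-20", "dueDate": "2025-02-10", "knownRansomwareCampaignUse": "Unknown"},
]})

AS_OF = date(2025, 2, 15)  # assumed "today" so the run is reproducible


def product_matches(inventory_product, kev_product):
    """Heuristic name match: KEV product strings are free text (e.g. 'ADC and Gateway')."""
    a, b = inventory_product.lower(), kev_product.lower()
    return a == b or a in b or b in a


def prioritize(inventory, kev_json, as_of):
    """Return candidate (host, CVE) pairs, most urgent first."""
    entries = json.loads(kev_json)["vulnerabilities"]
    hits = []
    for asset in inventory:
        for entry in entries:
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            if not product_matches(asset["product"], entry["product"]):
                continue
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "exposed": asset["exposed"],
                "due": due.isoformat(),
                "overdue": due < as_of,
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
                # KEV has no version data: the match is a lead, not a confirmation.
                "action": f"verify {asset['product']} {asset['version']} against vendor advisory",
            })
    # Internet-facing first, then earliest CISA due date, then known ransomware use.
    hits.sort(key=lambda h: (not h["exposed"], h["due"], not h["ransomware_use"]))
    return hits


def prioritize_sample():
    """Run the ranking over the constructed data above."""
    return prioritize(INVENTORY, KEV_JSON, AS_OF)


if __name__ == "__main__":
    for hit in prioritize_sample():
        flag = "OVERDUE" if hit["overdue"] else "due " + hit["due"]
        print(f"{hit['host']:10} {hit['cve']:18} exposed={hit['exposed']} {flag}: {hit['action']}")
```

In practice the inventory comes from the asset register the second bullet asks for, the catalog is refreshed from the feed on a schedule, and hosts whose vendor/product string matches nothing (hr-app above) are the ones to double-check for naming drift rather than assume clean.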
Water sector (CyberAv3ngers): Change default credentials on all PLCs/HMIs; remove Unitronics and other PLCs from internet exposure; segment OT networks; monitor for unauthorized access to TCP port 20256 (Unitronics default)
Energy sector: Implement network monitoring at Purdue Model Level 3.5; deploy OT-specific threat detection
Follow CISA ICS advisories for Iranian-specific TTPs
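The water-sector item above asks for two network checks on the PLC segment: that nothing outside the organization can reach it, and that only engineering hosts talk to the Unitronics port. The Python below is an added example (not from the page, CISA or Unitronics) that applies both checks to constructed flow records; the OT subnet, the engineering-host allowlist and the internal address ranges are assumptions standing in for a site's own values.

```python
"""Audit network flows into an OT segment for exposure and PLC access (added example)."""
import ipaddress

PLC_PORT = 20256  # Unitronics default TCP port, as cited in the defensive measures above

# Assumed values for a hypothetical site, not a real network.
OT_SUBNET = ipaddress.ip_network("10.50.0.0/24")            # PLC/HMI segment
ENGINEERING_HOSTS = {ipaddress.ip_address("10.50.0.10")}     # hosts allowed to program PLCs
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "<src> <dst> <dst port> <proto>"
FLOWS = """\
10.50.0.10 10.50.0.21 20256 tcp
10.20.3.44 10.50.0.21 20256 tcp
198.51.100.23 10.50.0.22 20256 tcp
10.50.0.10 10.50.0.22 80 tcp
203.0.113.5 10.50.0.22 443 tcp
10.20.3.44 10.20.3.1 20256 tcp
"""


def is_internal(addr):
    """Whether addr falls inside the organization's own address space (assumed ranges)."""
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(src, dst, dport):
    """Return (severity, reason) for a flow that violates OT access policy, else None."""
    if dst not in OT_SUBNET:
        return None  # not traffic into the OT segment
    if not is_internal(src):
        # Any external reachability of a PLC/HMI is an exposure finding, whatever the port.
        return ("CRITICAL", "OT asset reachable from outside internal address space")
    if dport == PLC_PORT and src not in ENGINEERING_HOSTS:
        return ("HIGH", "non-engineering host connected to Unitronics PLC port")
    return None


def audit_flows(text):
    """Parse flow records and return a list of alert dicts in record order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split()
        verdict = classify_flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))
        if verdict is not None:
            severity, reason = verdict
            alerts.append({"severity": severity, "src": src, "dst": dst,
                           "dport": int(dport), "proto": proto, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in audit_flows(FLOWS):
        print(alert)
```

Flow data shows who reached the port, not whether the login used the factory password, so this check complements rather than replaces the credential change that heads the same bullet. Documentation-range addresses (198.51.100.x, 203.0.113.x) are used here as stand-ins for external sources; the code deliberately tests against an explicit list of internal ranges rather than the `is_private` property, which classifies those documentation ranges as private.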
Iranian cyber operations drive demand across several cybersecurity market segments:
| Market Segment | Iran-Driven Demand Signal | Relevant Products/Vendors |
|---|---|---|
| OT/ICS Security | CyberAv3ngers' targeting of water systems and Unitronics PLCs catalyzed emergency spending across U.S. water utilities; CISA advisories and congressional attention drove new budget allocations | Claroty, Nozomi Networks, Dragos, OTORIO, Fortinet OT |
| Edge Device Hardening | Persistent exploitation of VPN/firewall vulnerabilities drives demand for network access control, Zero Trust network access (ZTNA), and exposure management | |
Information on Iranian cyber operations in late 2025 and 2026 is limited. The author's training data has a cutoff, and attribution of very recent campaigns may be incomplete or revised as new intelligence emerges. The following reflects the best available public reporting through early 2025, with assessed trajectory into 2026.
CyberAv3ngers -- Continued OT Targeting (2024--2025)
Following the November 2023 Unitronics campaign, CyberAv3ngers expanded targeting to additional water and wastewater systems. U.S. Treasury imposed sanctions on six IRGC-CEC officials in February 2024. The group developed custom malware for IoT and OT devices, including a modified CentOS-based toolkit (Claroty Team82). Probing of internet-exposed industrial control systems continued through 2025.
BiBi Wiper Campaigns (2023--2024)
BiBi-Linux and BiBi-Windows wipers were deployed against Israeli organizations across multiple sectors in the months following October 7, 2023. The wipers were designed for maximum destruction -- corrupting file systems, overwriting data, and damaging partition tables. Deployment continued into mid-2024 as part of broader Iran-aligned cyber operations against Israel.
Mint Sandstorm / Charming Kitten Credential Campaigns (2024--2025)
Microsoft and Google TAG reported sustained campaigns targeting Middle East policy researchers, university faculty, journalists, and current or former government officials. APT42 subgroups used increasingly sophisticated phishing lures, including fake conference invitations, interview requests, and document-sharing pretexts. Targeting expanded to individuals involved in Israel-Iran diplomacy and regional security discussions.
Cotton Sandstorm Influence Operations (2024--2025)
Emennet Pasargad-linked operators conducted influence operations targeting U.S. audiences during the 2024 election cycle, building on 2020 election interference tactics. Operations included fake activist websites, social media personas, and amplification of divisive narratives. Microsoft and the FBI issued joint advisories on Iranian influence operations targeting U.S. elections.
Peach Sandstorm Defense Sector Targeting (2024--2025)
APT33 continued large-scale password spray campaigns against defense, satellite, and pharmaceutical organizations globally. Compromised Azure infrastructure was used for C2 relay via the EagleRelay tool. Microsoft assessed increased sophistication in post-compromise tradecraft, including use of legitimate remote management tools for persistence.
Sustained Israel-Focused Operations (2024--2026)
The broader Israel-Hamas conflict and subsequent regional escalation maintained an elevated tempo of Iranian-aligned cyber operations against Israeli targets. Multiple groups -- including Cyber Toufan, Agrius, and Moses Staff successors -- continued data theft, wiper deployment, and hack-and-leak operations. The operational tempo is assessed as remaining high into 2026 given unresolved regional tensions.
OT/ICS targeting expansion: Beyond water systems to energy, transportation, and manufacturing -- particularly in Israel and Gulf states
AI-assisted operations: Adoption of large language models for phishing content generation, persona management, and target research (assessed based on general nation-state trends)
Increased collaboration between groups: More joint operations combining espionage access (MOIS groups) with destructive capability (IRGC groups), as seen in the ZeroCleare precedent
Continued "lock and leak" evolution: Increasingly professional data-leak operations with Telegram channels as primary distribution
Cloud targeting maturation: Greater focus on cloud environments (Azure, M365, Google Workspace) as organizations migrate infrastructure
This glossary defines the acronyms and key terms used throughout the cybersecurity market research site. Use it as a quick reference when navigating segment analyses, pain-point discussions, and opportunity assessments.
RaaS
Ransomware-as-a-Service — cybercrime business model where ransomware operators provide malware and infrastructure to affiliates who conduct attacks, splitting profits
RGB
Reconnaissance General Bureau — North Korea's primary intelligence agency responsible for clandestine operations including cyber operations