Huseyin Can YUCEEL | 12 MIN READ

CREATED ON June 24, 2025

Inside the Shadows: Understanding Active Iranian APT Groups

Iran’s cyber operations have grown increasingly sophisticated over the past decade. While not as technologically advanced as their Russian or Chinese counterparts, Iranian threat actors have demonstrated persistence, adaptability, and a deep alignment with the nation’s strategic objectives. These groups, often backed by or affiliated with Iranian intelligence and military organizations, operate across multiple continents, targeting entities that align with Iran’s political, ideological, and security interests. 

In this blog post, we explain the historical context, detail the most active Iranian APT groups, and describe how organizations can defend themselves against state-sponsored APT attacks.


Brief History of Iranian APT Groups

Iran’s journey into cyber operations began in the early 2010s, accelerated by the Stuxnet attack in 2010, which targeted its nuclear enrichment program. The Stuxnet attack made clear that cyber warfare had entered the geopolitical mainstream, and Iran was on the receiving end of its impact. In response, Iranian security agencies began rapidly investing in their cyber capabilities. The government supported the creation of several distinct cyber units, many of which would evolve into persistent and well-resourced APT groups.

By the mid-2010s, groups like APT 33 and OilRig began surfacing in public reporting, conducting espionage campaigns against regional adversaries and Western organizations. Iranian APTs distinguished themselves with their ideological messaging, extensive use of social engineering, and targeting of dissident communities abroad. Their operations also expanded beyond espionage, incorporating destructive wiper malware, ransomware masquerading as hacktivism, and cyber-enabled influence campaigns.

Today, Iranian cyber actors are among the most prolific, blending traditional espionage tradecraft with disruptive tactics.

Active Iranian APT Groups

The current landscape of Iranian APT activity is rich with diverse actors, each playing a distinct role in advancing the strategic objectives of the Iranian state. Some are directly linked to government agencies, while others operate under the guise of hacktivist or patriotic groups. Together, they form an ecosystem that adapts to evolving geopolitical tensions and advances in defensive technologies.

In this blog, we cover Iranian APT groups that have demonstrated significant activity within the past five years.

Tracer Kitten

Tracer Kitten is an Iranian APT group that has gained attention for its spearphishing attacks and credential harvesting campaigns. It is believed to be closely related to other known Iranian groups, possibly functioning as a rebranded or parallel operation. Tracer Kitten has primarily targeted Western think tanks, academic institutions, and dissident communities. The group frequently uses fake login pages, password reset lures, and impersonation tactics to trick targets into disclosing credentials.

Magic Hound (APT 35, Charming Kitten)

Magic Hound, also known as APT 35, Charming Kitten, and Cobalt Illusion, is one of the most publicized Iranian APT groups. Tied directly to the IRGC, Magic Hound is infamous for its use of social engineering, particularly spearphishing campaigns designed to harvest credentials or gain access to personal accounts. Its targets have included journalists, researchers, human rights activists, and government officials, especially those critical of the Iranian regime. The group often uses fake personas, such as academics or journalists, to build trust before delivering malicious payloads or phishing links. Over the years, Magic Hound has also exploited software vulnerabilities, such as CVE-2021-40444, and used cloud platforms for command-and-control infrastructure.

APT 33 (Elfin, Magnallium)

APT 33, also tracked under the names Elfin and Magnallium, is an Iranian APT group that focuses primarily on cyber espionage and long-term intelligence collection. It has repeatedly targeted organizations in the aerospace, energy, and defense sectors, with a particular focus on Saudi Arabia, the United States, and South Korea. APT 33 has developed and deployed custom malware such as DropShot and TurnedUp while also making use of commercial remote access tools like Remote Utilities. The group’s infrastructure is often tied to Iranian hosting providers and reveals consistent operational patterns. Analysts believe APT 33 may have dual roles, conducting traditional espionage and preparing the groundwork for potentially destructive operations involving critical infrastructure.

OilRig (APT 34, Helix Kitten, Chrysene)

OilRig, also known as APT 34, Helix Kitten, or Chrysene, is a long-standing Iranian cyberespionage group with links to the Ministry of Intelligence and Security (MOIS). Active since 2014, OilRig has been involved in campaigns targeting the financial, energy, telecom, and government sectors across the Middle East. The group is known for its modular malware and PowerShell-based tools, as well as its use of DNS tunneling and custom backdoors such as Helminth and QUADAGENT. In 2019, a major leak exposed the group’s internal tools and training materials, shedding light on their tradecraft and internal organization. OilRig has continued to evolve its methods, often exploiting publicly known vulnerabilities for initial access and leveraging stolen credentials to pivot laterally within networks.
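The OilRig profile above mentions DNS tunneling as one of the group's signature channels. Whatever malware family carries it, tunneling has to pack data into query names, so it leaves the same footprint in resolver logs: many distinct, long, high-entropy subdomains under one registered domain. The script below is an added example, not Picus code and not tied to any specific OilRig tooling; it scores a constructed DNS log on those three traits. The log format, the "last two labels" rule for the registered domain, and all thresholds are assumptions made for the example.

```python
"""Heuristic triage of DNS query logs for tunneling-like traffic.

Added example, not Picus code. Scores each registered domain on how many
distinct subdomains it receives, how long they are, and how random they look.
Log format and thresholds are assumptions made for this example.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2025-06-24T10:00:01Z 10.0.0.5 www.example.com A
2025-06-24T10:00:02Z 10.0.0.5 mail.example.com A
2025-06-24T10:00:03Z 10.0.0.5 api.example.com A
2025-06-24T10:00:04Z 10.0.0.5 cdn.example.com A
2025-06-24T10:00:05Z 10.0.0.5 login.example.com A
2025-06-24T10:00:06Z 10.0.0.7 3fa9c1e07b2d4e8a1f6c5b7d.c2-placeholder.test TXT
2025-06-24T10:00:07Z 10.0.0.7 a81d4f0e2c9b7365ed0fa4b1.c2-placeholder.test TXT
2025-06-24T10:00:08Z 10.0.0.7 5c7e1b9a3d2f8046ce5a1b9d.c2-placeholder.test TXT
2025-06-24T10:00:09Z 10.0.0.7 0f4a8c2e6b1d9735fe2c0a84.c2-placeholder.test TXT
2025-06-24T10:00:10Z 10.0.0.7 b6d13e9f5a07c248d1e6f3b9.c2-placeholder.test TXT
2025-06-24T10:00:11Z 10.0.0.7 e2a7c9f14b68d053a9e7c2f1.c2-placeholder.test TXT
2025-06-24T10:00:12Z 10.0.0.9 example.org A
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character (0 for an empty or single-symbol string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple:
    """Return (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. Production code
    should consult the Public Suffix List so names like host.co.uk split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str):
    """Parse one log line into (client, qname, qtype); None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, qtype = parts
    return client, qname, qtype


def score_domains(lines) -> dict:
    """Per-registered-domain statistics over the unique subdomains observed."""
    subs = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _client, qname, _qtype = parsed
        sub, reg = split_name(qname)
        if sub:
            subs[reg].add(sub)
    stats = {}
    for reg, names in subs.items():
        flat = [s.replace(".", "") for s in names]
        stats[reg] = {
            "unique_subdomains": len(flat),
            "mean_sub_len": sum(len(s) for s in flat) / len(flat),
            "mean_entropy": sum(shannon_entropy(s) for s in flat) / len(flat),
        }
    return stats


def flag_tunneling(lines, min_unique=5, min_len=16.0, min_entropy=3.0) -> list:
    """Registered domains whose subdomains are numerous, long and random-looking.

    All three conditions must hold, so a busy but ordinary zone (many short
    hostnames) and a single long CDN-style label both fall through.
    """
    stats = score_domains(lines)
    return sorted(
        reg for reg, s in stats.items()
        if s["unique_subdomains"] >= min_unique
        and s["mean_sub_len"] >= min_len
        and s["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for reg, s in score_domains(SAMPLE_DNS_LOG.splitlines()).items():
        print(f"{reg:24} n={s['unique_subdomains']:3} len={s['mean_sub_len']:5.1f} H={s['mean_entropy']:4.2f}")
    print("flagged:", flag_tunneling(SAMPLE_DNS_LOG.splitlines()))
```

In the constructed log, example.com also receives five distinct subdomains, but they are short and low-entropy, so only the placeholder domain is flagged. Tune the thresholds against your own resolver baseline before wiring this into an alerting pipeline; CDN and telemetry zones can legitimately produce long labels.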

APT 42

APT 42 is a relatively recent addition to the Iranian APT ecosystem, with a particular focus on surveillance of individuals and institutions deemed adversarial to the regime. The group is reportedly affiliated with the IRGC Intelligence Organization and is known for targeted spearphishing campaigns against journalists, researchers, NGOs, and members of the Iranian diaspora. APT 42 uses cloud-based platforms, mobile spyware, and credential phishing to collect information and monitor dissident activity. Its campaigns are often stealthy, low-volume, and narrowly scoped, suggesting a strategic approach to human intelligence collection rather than mass-scale espionage.

MuddyWater (Seedworm, Static Kitten, TEMP.Zagros)

MuddyWater, also known as Seedworm, Static Kitten, or TEMP.Zagros, is a prolific Iranian APT group known for its dual focus on espionage and disruption. It has targeted a wide range of industries, including telecommunications, energy, academia, and government, especially in the Middle East and South Asia. MuddyWater often leverages legitimate administrative tools such as PowerShell, Remote Desktop Protocol, and screen capture utilities to maintain access to compromised systems. The group is also known for deploying destructive malware like PowGoop and Thanos ransomware variants. Its operations often blend traditional espionage with techniques designed to confuse attribution, such as faux hacktivist personas and data leaks. MuddyWater is widely believed to operate under the direction of the Iranian Ministry of Intelligence.
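The MuddyWater profile above notes the group's reliance on legitimate administrative tooling such as PowerShell and RDP. Living-off-the-land activity leaves few file-based indicators, so detection has to look at how PowerShell is launched rather than what binary runs. The script below is an added example, not Picus code and not derived from any specific MuddyWater sample; it scores a constructed process-creation feed on launch-time traits (hidden window, profile suppression, encoded command line, download cradles, an Office parent process) and decodes -EncodedCommand payloads so their contents can be scored too. The event format, the indicator list and the alert threshold are assumptions made for the example.

```python
"""Triage of process-creation events for living-off-the-land PowerShell use.

Added example, not Picus code. Event format, indicator weights and threshold
are assumptions made for this example.
"""
import base64
import binascii
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# (indicator name, regex) applied case-insensitively to the command line and,
# separately, to any decoded -EncodedCommand payload.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("non_interactive", re.compile(r"-noni(?:nteractive)?\b", re.I)),
    ("execution_policy_bypass", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|webclient", re.I)),
    ("base64_decode", re.compile(r"frombase64string", re.I)),
]
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# Constructed sample payload: PowerShell takes -EncodedCommand as base64 of UTF-16LE text.
DECODED_SAMPLE = "Write-Output 'constructed sample'"
ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode("utf-16-le")).decode("ascii")

# Constructed sample events: "<timestamp> host=.. user=.. parent=.. image=.. cmd=<command line>"
SAMPLE_EVENTS = f"""\
2025-06-24T09:15:02Z host=WKS-01 user=alice parent=explorer.exe image=powershell.exe cmd=powershell.exe -NoProfile -Command Get-Service
2025-06-24T09:16:44Z host=WKS-07 user=bob parent=winword.exe image=powershell.exe cmd=powershell.exe -w hidden -nop -enc {ENCODED_SAMPLE}
2025-06-24T09:17:10Z host=WKS-03 user=carol parent=cmd.exe image=cmd.exe cmd=cmd.exe /c dir
"""


def parse_event(line: str):
    """Parse one event line into a dict; None for malformed lines."""
    head, sep, cmd = line.partition(" cmd=")
    fields = head.split()
    if not sep or not fields:
        return None
    event = {"timestamp": fields[0], "cmd": cmd}
    for token in fields[1:]:
        key, _, value = token.partition("=")
        # Process names are compared case-insensitively; hostnames and users kept as-is.
        event[key] = value.lower() if key in ("parent", "image") else value
    return event


def decode_encoded_command(b64: str):
    """Decode a -EncodedCommand argument; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def score_command(cmd: str, parent: str = "") -> list:
    """Names of every indicator tripped by the command line and its decoded payload."""
    hits = [name for name, rx in INDICATORS if rx.search(cmd)]
    m = ENCODED_ARG.search(cmd)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded:
            hits += [f"decoded:{name}" for name, rx in INDICATORS if rx.search(decoded)]
    if parent in OFFICE_PARENTS:
        hits.append("office_parent")
    return hits


def triage(lines, threshold: int = 2) -> list:
    """PowerShell launches whose indicator count reaches the threshold, highest first."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.get("image") != "powershell.exe":
            continue
        hits = score_command(ev["cmd"], ev.get("parent", ""))
        if len(hits) >= threshold:
            alerts.append({
                "timestamp": ev["timestamp"],
                "host": ev.get("host", ""),
                "user": ev.get("user", ""),
                "indicators": hits,
            })
    return sorted(alerts, key=lambda a: len(a["indicators"]), reverse=True)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS.splitlines()):
        print(alert["timestamp"], alert["host"], alert["user"], ", ".join(alert["indicators"]))
```

The admin's `-NoProfile` invocation in the first sample line trips one indicator and stays below the threshold; the second line, launched from Word with a hidden window and an encoded command, trips four. Scoring the decoded payload matters because an encoded command line hides the cradle or `Invoke-Expression` call that the outer regexes would otherwise catch; in this constructed case the decoded text is benign, so no `decoded:` indicators are added.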

Parisite (Fox Kitten, Pioneer Kitten)

Parisite, also known as Fox Kitten or Pioneer Kitten, is an Iranian APT group specializing in the exploitation of edge infrastructure vulnerabilities. It has been observed targeting VPN gateways, Citrix appliances, and remote desktop solutions to gain initial access to corporate networks. Once inside, the group focuses on establishing long-term persistence and privilege escalation, frequently using open-source tools like SSH tunneling and Mimikatz. Parisite has reportedly sold or shared access with other Iranian APTs, suggesting a layered or modular approach to cyber operations. The group’s focus on initial access operations makes it a critical part of Iran’s offensive cyber ecosystem, particularly in supporting downstream espionage or sabotage efforts.

Tortoiseshell (Imperial Kitten)

Tortoiseshell, or Imperial Kitten, is notable for its targeting of IT service providers and supply chain entities, especially those connected to the defense and energy sectors in the Middle East. By compromising less secure service providers, Tortoiseshell seeks to pivot into higher-value targets through trusted relationships and inherited privileges. The group uses both custom and commodity tools to achieve lateral movement, often deploying payloads like Syskit for remote access. Its campaigns show a high degree of operational planning, with some indicators suggesting collaboration or overlap with other Iranian APTs. 

CyberAv3ngers

CyberAv3ngers is a pro-Iranian hacktivist group that blurs the line between activism and state-sponsored operations. While publicly claiming to operate independently, its messaging, targeting, and timing often align with Iranian geopolitical interests. CyberAv3ngers is best known for defacing websites and launching DDoS attacks against Israeli infrastructure and Western institutions. The group often publishes propaganda videos and manifestos online, framing its actions as retaliation for perceived injustices.

Agrius (TA455, Smoke Sandstorm)

Agrius, also tracked as TA455 and Smoke Sandstorm, represents Iran’s pivot toward more destructive cyber operations. First identified in 2020, Agrius is believed to be responsible for wiper attacks disguised as ransomware, particularly against Israeli organizations. It has deployed malware families, such as Apostle and Deadwood, designed to delete data while appearing to demand ransom payments. The group has also used legitimate remote access tools and custom loaders to evade detection. 

HomeLand Justice (DEV-0270, Nemesis Kitten)

HomeLand Justice, also known as Nemesis Kitten or DEV-0270, is an Iranian threat actor that combines ransomware tactics with hacktivist branding. It has targeted critical infrastructure, government agencies, and public services, leaving behind messages intended to create fear and erode public confidence. HomeLand Justice typically exfiltrates data before deploying encryption payloads, and it often leaks the stolen data on dedicated websites or social media platforms. 

Moses Staff

Moses Staff is an Iranian-linked group that primarily targets Israeli entities with a mix of data theft, encryption, and ideological propaganda. It first emerged in 2021 and has claimed responsibility for attacks on public and private sector organizations in Israel. Moses Staff often uses custom ransomware, defacement, and data leaks to embarrass or undermine its targets. The group publishes victim information and inflammatory statements via Telegram and other media channels, highlighting its role in cyber-enabled influence operations. 

GreenCharlie

GreenCharlie is one of the newer names that emerged among Iranian threat actors. Public reporting on the group remains limited, and attribution efforts are still in progress. However, available evidence suggests GreenCharlie operates in alignment with Iranian state interests, particularly in the Middle East. Its campaigns appear to focus on cyber espionage, with targets including regional governments and defense sectors. 

How Picus Helps Simulate Iranian APT Attacks

We also strongly suggest simulating Iranian APT attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threats, including threat groups such as Lazarus, MuddyWater, and Salt Typhoon, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Iranian APT groups:

Threat ID | Threat Name | Attack Module
--------- | ----------- | -------------
65765 | APT33 Threat Group Campaign | Windows Endpoint
91557 | APT33 Threat Group Campaign Malware Download Threat | Network Infiltration
36059 | APT33 Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
68771 | APT33 Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration
60939 | APT33 Threat Group Campaign Backdoor Malware Email Threat | Email Infiltration (Phishing)
51051 | APT39 Threat Group Campaign | Windows Endpoint
79993 | APT39 Threat Group Campaign Malware Download Threat | Network Infiltration
68174 | APT39 Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
77590 | Magic Hound Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration
22802 | Magic Hound Threat Group Campaign Backdoor Malware Email Threat | Email Infiltration (Phishing)
47283 | Magic Hound Threat Group Campaign Malware Download Threat | Network Infiltration
21013 | Magic Hound Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
81502 | APT35 Threat Group Campaign | Windows Endpoint
77637 | OilRig Threat Group Campaign Malware Downloader Download Threat | Network Infiltration
93267 | OilRig Threat Group Campaign Malware Downloader Email Threat | Email Infiltration (Phishing)
97270 | OilRig Threat Group Campaign Malware Download Threat - 1 | Network Infiltration
24424 | OilRig Threat Group Campaign Malware Email Threat - 1 | Email Infiltration (Phishing)
56842 | OilRig Threat Group Campaign Malware Download Threat - 2 | Network Infiltration
41691 | OilRig Threat Group Campaign Malware Email Threat - 2 | Email Infiltration (Phishing)
26905 | OilRig Threat Group Microsoft Office Malware Downloader Threat | Network Infiltration
73413 | APT34 Threat Group Campaign Malware Download | Network Infiltration
77013 | APT34 Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
56301 | APT34 Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration
99746 | APT34 Threat Group Campaign Backdoor Malware Email Threat | Email Infiltration (Phishing)
21431 | APT42 Threat Group Campaign | macOS Endpoint
29805 | APT42 Threat Group Campaign Malware Download Threat | Network Infiltration
45434 | APT42 Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
68541 | MuddyWater Threat Group Campaign Downloader Download Threat | Network Infiltration
62904 | MuddyWater Threat Group Campaign Downloader Email Threat | Email Infiltration (Phishing)
76507 | MuddyWater Threat Group Campaign Malware Download Threat | Network Infiltration
97292 | MuddyWater Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
82018 | MuddyWater Threat Group Campaign Malware Dropper Download Threat | Network Infiltration
31054 | MuddyWater Threat Group Campaign Malware Dropper Email Threat | Email Infiltration (Phishing)
68108 | MuddyWater Threat Group Campaign Malware Download Threat - 2 | Network Infiltration
28260 | MuddyWater Threat Group Campaign Malware Email Threat - 2 | Email Infiltration (Phishing)
98529 | MuddyWater Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration
80189 | MuddyWater Threat Group Campaign Backdoor Malware Email Threat | Email Infiltration (Phishing)
68698 | MuddyWater Threat Group Campaign RAT Download Threat | Network Infiltration
43614 | MuddyWater Threat Group Campaign RAT Email Threat | Email Infiltration (Phishing)
56839 | Fox Kitten Threat Group Attack Campaign | Windows Endpoint
57995 | Fox Kitten Campaign Malware Download Threat | Network Infiltration
99935 | Fox Kitten Campaign Malware Email Threat | Email Infiltration (Phishing)
99659 | IMPERIAL KITTEN Threat Group Campaign Malware Download Threat | Network Infiltration
67076 | IMPERIAL KITTEN Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
88923 | Tortoiseshell Threat Group Campaign Malware Downloader Download Threat | Network Infiltration
57124 | Tortoiseshell Threat Group Campaign Malware Downloader Email Threat | Email Infiltration (Phishing)
27832 | Tortoiseshell Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration
91919 | Tortoiseshell Threat Group Campaign Backdoor Malware Email Threat | Email Infiltration (Phishing)
65932 | Tortoiseshell Threat Group Campaign Malware Download Threat | Network Infiltration
58077 | Tortoiseshell Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
36690 | HomeLand Justice Threat Group Campaign | Windows Endpoint
83741 | HomeLand Justice Threat Group Campaign Wiper Download Threat | Network Infiltration
95340 | HomeLand Justice Threat Group Campaign Wiper Email Threat | Email Infiltration (Phishing)
48961 | HomeLand Justice Threat Group Campaign Malware Download Threat | Network Infiltration
52959 | HomeLand Justice Threat Group Campaign Email Threat | Email Infiltration (Phishing)
52727 | MosesStaff Threat Group Campaign Malware Download Threat | Network Infiltration
42503 | MosesStaff Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
56870 | CopyKittens Threat Group Campaign RAT Download Threat | Network Infiltration
93990 | CopyKittens Threat Group Campaign RAT Email Threat | Email Infiltration (Phishing)
70745 | DarkHydrus Threat Group Campaign Malware Download Threat | Network Infiltration
57690 | DarkHydrus Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
81917 | Hexane Threat Group Campaign Malware Download Threat | Network Infiltration
53049 | Hexane Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
78521 | Infy Threat Group Campaign Malware Download Threat | Network Infiltration
71588 | Infy Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
24554 | LeafMiner Malware Download Threat | Network Infiltration
38794 | LeafMiner Malware Email Threat | Email Infiltration (Phishing)
58356 | Lyceum Threat Group Campaign Malware Download Threat | Network Infiltration
41163 | Lyceum Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
28370 | Nazar Threat Group Campaign Dropper Download Threat | Network Infiltration
50968 | Nazar Threat Group Campaign Dropper Email Threat | Email Infiltration (Phishing)
55217 | Rampant Kitten Campaign Infostealer Download Threat | Network Infiltration
29846 | Rocket Kitten EK Download Threat | Network Infiltration
65129 | Rocket Kitten EK Email Threat | Email Infiltration (Phishing)

Start simulating APT threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
