{"total":1181,"returned":52,"filters":{"country":"IR","sanctioned":false,"limit":500},"bySource":{"mitre":174,"misp":964,"ransomwatch":216,"sanctions":6},"byCountry":[{"country":"CN","count":198},{"country":"RU","count":75},{"country":"IR","count":52},{"country":"KP","count":25},{"country":"PS","count":9},{"country":"TR","count":7},{"country":"VN","count":6},{"country":"UA","count":6},{"country":"US","count":5},{"country":"IL","count":5},{"country":"IN","count":4},{"country":"PK","count":4},{"country":"Unknown","count":4},{"country":"BY","count":4},{"country":"LB","count":3},{"country":"BR","count":3},{"country":"NG","count":3},{"country":"ID","count":3},{"country":"KR","count":2},{"country":"AE","count":2},{"country":"RO","count":2},{"country":"MY","count":2},{"country":"ES","count":2},{"country":"TN","count":2},{"country":"SY","count":2}],"byMotive":[{"motive":"ransomware","count":215},{"motive":"Espionage","count":85},{"motive":"Hacktivists-Nationalists","count":5},{"motive":"Cybercrime","count":2},{"motive":"Sabotage","count":2},{"motive":["Espionage","Sabotage"],"count":1},{"motive":"Extortion","count":1},{"motive":["Denial of service"],"count":1},{"motive":"Denial of service","count":1},{"motive":"Business Email Compromise","count":1},{"motive":["Denial of service"],"count":1},{"motive":"mainly financially motivated, additional espionage objective.","count":1},{"motive":["Denial of service"],"count":1},{"motive":"state-sponsored espionage and financially motivated","count":1},{"motive":"Information Operations","count":1}],"groups":[{"name":"VOID MANTICORE","aliases":["karma","Void Manticore","HomeLand Justice","COBALT MYSTIQUE","Handala Hack","Homeland Justice","Karma","Karmabelow80"],"description":"[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS). 
Active since at least mid-2022, VOID MANTICORE has targeted government entities,","targetSectors":[],"suspectedVictims":[],"refs":["https://www.picussecurity.com/resource/blog/cisa-alert-aa22-264a-iranian-homeland-justice-apt-groups-ttp","https://www.attackiq.com/2022/09/23/attack-graph-response-to-us-cert-alert-aa22-264a-iranian-state-actors-conduct-cyber-operations-against-the-government-of-albania/","https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against","https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/"],"sources":["mitre","misp","ransomwatch"],"cves":["CVE-2019-0604"],"leakSites":["3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion"],"mitreId":"G1055","attackUrl":"https://attack.mitre.org/groups/G1055","techniqueCount":63,"softwareCount":0,"country":"IR","motive":"ransomware"},{"name":"Agrius","aliases":["blackshadow","Pink Sandstorm","AMERICIUM","Agonizing Serpens","BlackShadow","DEV-0022","UNC2428","Black Shadow","SPECTRAL KITTEN"],"description":"[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets. 
Public reporting has linked [Agriu","targetSectors":[],"suspectedVictims":[],"refs":["https://www.oodaloop.com/archive/2024/01/02/critical-infrastructure-remains-the-brass-ring-for-cyber-attackers-in-2024/","https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/","https://socprime.com/blog/agonizing-serpens-attack-detection-iran-backed-hackers-target-israeli-tech-firms-and-educational-institutions/","https://therecord.media/iran-linked-hackers-target-israel-education-tech-sectors","https://www.enigmasoftware.com/moneybirdransomware-removal/","https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/","https://services.google.com/fh/files/misc/m-trends-2025-en.pdf"],"sources":["mitre","misp","ransomwatch"],"cves":["CVE-2018-13379"],"leakSites":["544corkfh5hwhtn4.onion"],"mitreId":"G1030","attackUrl":"https://attack.mitre.org/groups/G1030","techniqueCount":22,"softwareCount":9,"country":"IR","motive":"ransomware"},{"name":"Moses Staff","aliases":["mosesstaff","MosesStaff","DEV-0500","Marigold Sandstorm","VENGEFUL KITTEN"],"description":"[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. 
[Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their m","targetSectors":[],"suspectedVictims":[],"refs":["https://twitter.com/campuscodi/status/1450455259202166799","https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/","https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations","https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard"],"sources":["mitre","misp","ransomwatch"],"cves":[],"leakSites":["mosesstaffm7hptp.onion","moses-staff.se"],"mitreId":"G1009","attackUrl":"https://attack.mitre.org/groups/G1009","techniqueCount":12,"softwareCount":4,"country":"IR","motive":"ransomware"},{"name":"Magic Hound","aliases":["TA453","APT35","Charming Kitten","COBALT ILLUSION","ITG18","Phosphorus","Newscaster","Parastoo","iKittens","Group 83","NewsBeef","G0058"],"description":"[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted ","targetSectors":["Defense","Diplomacy","Military","Technology","Government, Administration","Government"],"suspectedVictims":["U.S. 
government/defense sector websites","Saudi Arabia","Israel","Iraq","United Kingdom"],"refs":["https://en.wikipedia.org/wiki/Operation_Newscaster","https://iranthreats.github.io/resources/macdownloader-macos-malware/","https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf","https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/","https://cryptome.org/2012/11/parastoo-hacks-iaea.htm","https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf","https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/","https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf","https://www.cfr.org/interactive/cyber-operations/newscaster","https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/","https://securelist.com/freezer-paper-around-free-meat/74503/","https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/","http://www.arabnews.com/node/1195681/media","https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f","https://blog.certfa.com/posts/the-return-of-the-charming-kitten/","https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber","https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/","https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf","https://attack.mitre.org/groups/G0058/","https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"],"sources":["mitre","misp"],"cves":["CVE-2021-44228","CVE-2021-34523","CVE-2021-34473","CVE-2021-31207","CVE-2021-27065"],"leakSites
":[],"mitreId":"G0059","attackUrl":"https://attack.mitre.org/groups/G0059","techniqueCount":78,"softwareCount":13,"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Espionage"},{"name":"OilRig","aliases":["CHRYSENE","COBALT GYPSY","IRN2","APT34","Helix Kitten","Evasive Serpens","Twisted Kitten","Cobalt Gypsy","Crambus","APT 34","ATK40","G0049"],"description":"[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government","targetSectors":["Chemical","Energy","Engineering","Finance","Government, Administration","Telecoms","Other","Government","Private sector","Civil society"],"suspectedVictims":["Israel","Kuwait","United States","Turkey","Saudi Arabia","Qatar","Lebanon","Middle East","Iraq","United Kingdom","Pakistan"],"refs":["https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability","https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/","https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/","https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/","https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/","https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/","https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/","https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/","https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/","https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/","https://unit42.paloaltonetworks.com/unit42-oilrig-gro
up-steps-attacks-new-delivery-documents-new-injector-trojan/","https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/","https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/","https://pan-unit42.github.io/playbook_viewer/","https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html","https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html","https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf","https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a","https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json","https://www.cfr.org/interactive/cyber-operations/oilrig"],"sources":["mitre","misp"],"cves":["CVE-2024-30088","CVE-2017-11774"],"leakSites":[],"mitreId":"G0049","attackUrl":"https://attack.mitre.org/groups/G0049","techniqueCount":76,"softwareCount":30,"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Espionage"},{"name":"MuddyWater","aliases":["Earth Vetala","MERCURY","Static Kitten","Seedworm","TEMP.Zagros","COBALT ULSTER","G0069","ATK51","Boggy Serpens","Mango Sandstorm","TA450"],"description":"[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). 
Since at least 2017, [MuddyWater](https://attack.mitre.org/group","targetSectors":["Government"],"suspectedVictims":["Saudi Arabia","Georgia","Turkey","Iraq","Israel","India","United Arab Emirates","Pakistan","United States"],"refs":["https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/","https://www.cfr.org/interactive/cyber-operations/muddywater","https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html","https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/","https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/","https://securelist.com/muddywater/88059/","https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group","https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf","https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/","https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html","https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/","https://attack.mitre.org/groups/G0069/","http://www.secureworks.com/research/threat-profiles/cobalt-ulster","https://unit42.paloaltonetworks.com/atoms/boggyserpens/","https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/","https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html","https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/"],"sources":["mitre","misp"],"cves":["CVE-2020-1472","CVE-2020-0688","CVE-2017-0199"],"leakSites":[],"mitreId":"G0069","attackUrl":"https://attack.mitre.org/groups/G0069","tec
hniqueCount":68,"softwareCount":21,"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Espionage"},{"name":"APT39","aliases":["ITG07","Chafer","Remix Kitten","REMIX KITTEN","COBALT HICKMAN","G0087","Radio Serpens","TA454","Burgundy Sandstorm"],"description":"[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2","targetSectors":[],"suspectedVictims":[],"refs":["https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html","https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions","https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/","https://securelist.com/chafer-used-remexi-malware/89538/","https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets","https://attack.mitre.org/groups/G0087/","https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf","https://www.secureworks.com/research/threat-profiles/cobalt-hickman","https://unit42.paloaltonetworks.com/atoms/radioserpens/","https://securityintelligence.com/posts/observations-of-itg07-cyber-operations/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0087","attackUrl":"https://attack.mitre.org/groups/G0087","techniqueCount":53,"softwareCount":11,"country":"IR"},{"name":"Fox Kitten","aliases":["UNC757","Parisite","Pioneer Kitten","RUBIDIUM","Lemon Sandstorm","PIONEER KITTEN","PARISITE"],"description":"[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North 
Am","targetSectors":[],"suspectedVictims":[],"refs":["https://youtu.be/pBDu8EGWRC4?t=2492","https://www.dragos.com/threat/parisite","https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf","https://www.dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf","https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf","https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices","https://www.crowdstrike.com/blog/who-is-pioneer-kitten","https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum","https://us-cert.cisa.gov/ncas/alerts/aa20-259a"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0117","attackUrl":"https://attack.mitre.org/groups/G0117","techniqueCount":41,"softwareCount":5,"country":"IR"},{"name":"HEXANE","aliases":["LYCEUM","Lyceum","Siamesekitten","Spirlin","COBALT LYCEUM","UNC1530","MYSTICDOME","siamesekitten","Chrono Kitten","Storm-0133"],"description":"[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. 
Targeted companies have been locat","targetSectors":["Government","Energy","High-Tech","Telecomms","Education","Military","Defense"],"suspectedVictims":["Israel","Middle East"],"refs":["https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign","https://www.secureworks.com/research/threat-profiles/cobalt-lyceum","https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/","https://www.clearskysec.com/siamesekitten/","https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf","https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G1001","attackUrl":"https://attack.mitre.org/groups/G1001","techniqueCount":36,"softwareCount":12,"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Espionage"},{"name":"APT42","aliases":["UNC788","CALANQUE"],"description":"[APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance. 
The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries a","targetSectors":["Education","Government","Military","Defense","Energy","Finance","Healthcare","Pharmaceuticals","Civil Society","Legal","Manufacturing","Media","NGOs"],"suspectedVictims":["Australia","Europe","Israel","Middle East","United States"],"refs":["https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises","https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G1044","attackUrl":"https://attack.mitre.org/groups/G1044","techniqueCount":32,"softwareCount":2,"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Espionage"},{"name":"APT33","aliases":["HOLMIUM","Elfin","Peach Sandstorm","APT 33","MAGNALLIUM","Refined Kitten","COBALT TRINITY","G0064","ATK35","TA451"],"description":"[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. 
The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and ","targetSectors":["Private sector"],"suspectedVictims":["United States","Saudi Arabia","South Korea"],"refs":["https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html","https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/","https://www.brighttalk.com/webcast/10703/275683","https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage","https://www.secureworks.com/research/threat-profiles/cobalt-trinity","https://attack.mitre.org/groups/G0064/","https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/","https://www.cfr.org/interactive/cyber-operations/apt-33","https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf","https://dragos.com/adversaries.html","https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/"],"sources":["mitre","misp"],"cves":["CVE-2018-20250","CVE-2017-11774","CVE-2017-0213"],"leakSites":[],"mitreId":"G0064","attackUrl":"https://attack.mitre.org/groups/G0064","techniqueCount":31,"softwareCount":16,"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Espionage"},{"name":"CURIUM","aliases":["Cuboid Sandstorm","Bohrium","Tortoiseshell","Crimson Sandstorm","TA456","Tortoise Shell","Yellow Liderc","IMPERIAL KITTEN","Imperial Kitten","DUSTYCAVE","Smoke Sandstorm","BOHRIUM"],"description":"[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East. 
[CURIUM](https://attack.mitre.org/groups/G1","targetSectors":["Defense","Government","Military","Finance","Energy","Healthcare","Pharmaceuticals","Telecoms","High-Tech","Media","NGOs","Civil Society","Legal","Rail","Transportation"],"suspectedVictims":["United States","Israel","Middle East","Europe"],"refs":["https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain","https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897","https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-october","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html","https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/","https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf","https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/","https://twitter.com/CyberAmyHB/status/1532398956918890500","https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G1012","attackUrl":"https://attack.mitre.org/groups/G1012","techniqueCount":19,"softwareCount":1,"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Espionage"},{"name":"Silent Librarian","aliases":["TA407","COBALT DICKENS","Mabna Institute","TA4900","Yellow Nabu","Mabna Institute Group"],"description":"[Silent Librarian](https://attack.mitre.org/groups/G0122) is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. 
Members of  [Silent Libra","targetSectors":[],"suspectedVictims":[],"refs":["https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment","https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment","https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic","https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary","https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again","https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities","https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff","https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian","https://www.secureworks.com/research/threat-profiles/cobalt-dickens","https://community.riskiq.com/article/44eb0802","https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0122","attackUrl":"https://attack.mitre.org/groups/G0122","techniqueCount":13,"softwareCount":0,"country":"IR"},{"name":"CopyKittens","aliases":["Slayer Kitten","G0052"],"description":"[CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. 
The group","targetSectors":["Government","Private sector","Civil society"],"suspectedVictims":["Israel","Jordan","Saudi Arabia","Germany","United States"],"refs":["https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf","https://www.domaintools.com/resources/blog/case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastr","http://www.clearskysec.com/copykitten-jpost/","http://www.clearskysec.com/tulip/","https://www.cfr.org/interactive/cyber-operations/copykittens","https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf","https://attack.mitre.org/groups/G0052/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0052","attackUrl":"https://attack.mitre.org/groups/G0052","techniqueCount":8,"softwareCount":4,"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Espionage"},{"name":"Ajax Security Team","aliases":["Rocket Kitten","Flying Kitten","Operation Woolen-Goldfish","AjaxTM","Operation Saffron Rose","SaffronRose","Saffron Rose","AjaxSecurityTeam","Group 26","Sayad","TEMP.Beanie","Operation Woolen Goldfish"],"description":"[Ajax Security Team](https://attack.mitre.org/groups/G0130) is a group that has been active since at least 2010 and believed to be operating out of Iran. 
By 2014 [Ajax Security Team](https://attack.mitre.org/groups/G0130) transitioned from ","targetSectors":["Aerospace","Defense","Gas","Oil","Military","Civil society","Activists","Journalist","Research - Innovation","Academia - University","Government, Administration","Government"],"suspectedVictims":["United States","Iranian internet activists","Saudi Arabia","Venezuela","Afghanistan","United Arab Emirates","Iran","Israel","Iraq","Kuwait","Turkey","Canada","Yemen","United Kingdom","Egypt","Syria","Jordan"],"refs":["https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf","https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/","https://www.cfr.org/interactive/cyber-operations/saffron-rose","https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing","https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf","http://www.clearskysec.com/thamar-reservoir/","https://citizenlab.ca/2015/08/iran_two_factor_phishing/","https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf","https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments","https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/","https://en.wikipedia.org/wiki/Rocket_Kitten","https://www.cfr.org/interactive/cyber-operations/rocket-kitten"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0130","attackUrl":"https://attack.mitre.org/groups/G0130","techniqueCount":6,"softwareCount":2,"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Espionage"},{"name":"Ferocious Kitten","aliases":[],"description":"[Ferocious 
Kitten](https://attack.mitre.org/groups/G0137) is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.","targetSectors":[],"suspectedVictims":[],"refs":["https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0137","attackUrl":"https://attack.mitre.org/groups/G0137","techniqueCount":6,"softwareCount":2,"country":"IR"},{"name":"Cleaver","aliases":["Threat Group 2889","TG-2889","Operation Cleaver","Op Cleaver","Tarh Andishan","Alibaba","Cobalt Gypsy","G0003"],"description":"[Cleaver](https://attack.mitre.org/groups/G0003) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver.  Strong circumstantial evidence suggests Cleaver is linked to Threat","targetSectors":["Defense","Energy","Technology","Government, Administration","Academia - University","Private sector","Government"],"suspectedVictims":["Canada","France","Israel","Mexico","Saudi Arabia","China","Germany","United States","Pakistan","South Korea","United 
Kingdom","India","Kuwait","Qatar","Turkey"],"refs":["https://www.secureworks.com/research/the-curious-case-of-mia-ash","https://www.cfr.org/interactive/cyber-operations/operation-cleaver","http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/","https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing","https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations","https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/","https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf","https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf","https://attack.mitre.org/groups/G0003/","https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/","https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles","https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten","https://www.cfr.org/cyber-operations/operation-cleaver","https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html","https://scadahacker.com/library/Documents/Cyber_Events/Cylance%20-%20Operation%20Cleaver%20Report.pdf"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0003","attackUrl":"https://attack.mitre.org/groups/G0003","techniqueCount":5,"softwareCount":4,"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Espionage"},{"name":"Shamoon Group","aliases":["Cutting Sword of Justice"],"description":"Shamoon Group is an Iran-linked threat actor associated with destructive Shamoon wiper operations targeting organizations in the Middle East, especially in the energy 
sector.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.cfr.org/cyber-operations/shamoon","https://securelist.com/shamoon-2-0-the-return-of-the-disttrack-wiper/77232/","https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Cutting Kitten","aliases":["ITsecTeam"],"description":"One of the threat actors responsible for the denial of service attacks against U.S. targets in 2012–2013. Three individuals associated with the group—believed to have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016.","targetSectors":[],"suspectedVictims":["United States","Bank of America","US Bancorp","Fifth Third Bank","Citigroup","PNC","BB&T","Wells Fargo","Capital One","HSBC","AT&T","NYSE"],"refs":["https://www.cfr.org/interactive/cyber-operations/itsecteam","https://www.justice.gov/usao-sdny/file/835061/download"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":["Denial of service"]},{"name":"Magic Kitten","aliases":["Group 42","VOYEUR"],"description":"Earliest activity back to November 2008. 
An established group of cyber attackers based in Iran, who carried out several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.","targetSectors":["Opposition","Dissidents","Political party"],"suspectedVictims":[],"refs":["https://web.archive.org/web/20161020180305/http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/","https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Sands Casino","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":[],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Cadelle","aliases":[],"description":"Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014; however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. 
Symantec estimates that each team is made up of","targetSectors":[],"suspectedVictims":[],"refs":["https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Greenbug","aliases":[],"description":"Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.","targetSectors":["Education","Energy","Investment","Aerospace","Government, Administration"],"suspectedVictims":[],"refs":["https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon","https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/","https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/","https://www.clearskysec.com/greenbug/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Infy","aliases":["Operation Mermaid","Prince of Persia","Foudre"],"description":"Infy is a group of suspected Iranian origin.\nSince early 2013, we have observed activity from a unique threat actor group, which we began to investigate based on increased activities against human right activists in the beginning of 2015. 
In line with other research on the campaign, released prior to publication of this document, we have adopted the name “Infy”, which is based on labels used in th","targetSectors":["Activists","Civil society","Government","Private sector"],"suspectedVictims":["Israel","Iran","France","China","Sweden","United States","United Kingdom","Germany","Syria","Italy","Denmark","Canada","Russia","Saudi Arabia","Bahrain"],"refs":["https://www.intezer.com/prince-of-persia-the-sands-of-foudre/","https://www.freebuf.com/articles/network/105726.html","https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf","https://iranthreats.github.io/","http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/","http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/","https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/","https://www.cfr.org/interactive/cyber-operations/prince-persia","https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/","https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Espionage"},{"name":"Sima","aliases":[],"description":"Sima is a group of suspected Iranian origin targeting Iranians in diaspora.\nIn February 2016, Iran-focused individuals received messages purporting to be from Human Rights Watch's (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghan refugees to fight in Syria. 
While referencing a real report published by HRW, the links provided for the Director’s biography and","targetSectors":[],"suspectedVictims":[],"refs":["https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf","https://iranthreats.github.io/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Madi","aliases":[],"description":"Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian a","targetSectors":["Infrastructure","Engineering","Government, Administration","Finance","Government","Private sector"],"suspectedVictims":["Iran","Pakistan","Israel","United States"],"refs":["https://securelist.com/the-madi-campaign-part-i-5/33693/","https://securelist.com/the-madi-campaign-part-ii-53/33701/","https://www.cfr.org/interactive/cyber-operations/madi","https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce--madi--a-newly-discovered-cyber-espionage-campaign-in-the-middle-east","https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/","https://web.archive.org/web/20120718173322/https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Espionage"},{"name":"Clever Kitten","aliases":["Group 41"],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://www.crowdstrike.com/blog/whois-clever-kitten/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Cyber fighters of Izz Ad-Din Al Qassam","aliases":["Fraternal 
Jackal"],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://pastebin.com/u/QassamCyberFighters","http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Domestic Kitten","aliases":["Bouncing Golf","APT-C-50"],"description":"An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/","https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html","https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/","https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"TRACER KITTEN","aliases":[],"description":"In April 2020, CrowdStrike Falcon OverWatch discovered Iran-based adversary TRACER KITTEN conducting malicious interactive activity against multiple hosts at a telecommunications company in the Europe, Middle East and Africa (EMEA) region. The actor was found operating under valid user accounts, using custom backdoors in combination with SSH tunnels for C2. 
The adversary leveraged their foothold to","targetSectors":["Telecoms"],"suspectedVictims":[],"refs":["https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"DEV-0270","aliases":["Nemesis Kitten","Storm-0270"],"description":"Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Scarred Manticore","aliases":[],"description":"Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants.","targetSectors":[],"suspectedVictims":[],"refs":["https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"UNC3890","aliases":[],"description":"A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data harvested during the campaign could be used to support various activities. 
UNC3890, the threat actor behind the attacks, deployed two proprietary pieces of malware – a backdo","targetSectors":[],"suspectedVictims":[],"refs":["https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/","https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Cyber Av3ngers","aliases":[],"description":"The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructures. It has been launching DDoS attacks and claiming breach of Israeli networks with supporting data leaks.","targetSectors":[],"suspectedVictims":[],"refs":["https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/","https://cyberwarzone.com/cyber-av3ngers-claims-infiltration-of-israeli-water-treatment-stations-amid-ongoing-conflict/","https://cyberwarzone.com/hacking-group-cyber-av3ngers-claims-responsibility-for-yavne-power-outages-what-you-need-to-know/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"TAG-56","aliases":[],"description":"TAG-56 is a threat actor group that shares similarities with the APT42 group. They use tactics such as fake registration pages and spearphishing to target victims, often using encrypted chat platforms like WhatsApp or Telegram. TAG-56 is believed to be part of a broader campaign led by an Iran-nexus threat activity group. 
They have been observed using shared web hosts and recycled code, indicating","targetSectors":[],"suspectedVictims":[],"refs":["https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/","https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"AppMilad","aliases":[],"description":"AppMilad is an Iranian hacking group that has been identified as the source of a spyware campaign called RatMilad. This spyware is designed to silently infiltrate victims' devices and gather personal and corporate information, including private communications and photos. The group has been distributing the spyware through fake apps and targeting primarily Middle Eastern enterprises.","targetSectors":[],"suspectedVictims":[],"refs":["https://zimpstage.wpengine.com/blog/we-smell-a-ratmilad-mobile-spyware/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"MalKamak","aliases":[],"description":"MalKamak is an Iranian threat actor that has been operating since at least 2018. They have been involved in highly targeted cyber espionage campaigns against global aerospace and telecommunications companies. MalKamak utilizes a sophisticated remote access Trojan called ShellClient, which evades antivirus tools and uses cloud services like Dropbox for command and control.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Gray Sandstorm","aliases":["DEV-0343"],"description":"Gray Sandstorm is an Iran-linked threat actor that has been active since at least 2012. They have targeted defense technology companies, maritime transportation companies, and Persian Gulf ports of entry. 
Their primary method of attack is password spraying, and they have been observed using tools like o365spray. They have a specific focus on US and Israeli targets and are likely operating in suppo","targetSectors":[],"suspectedVictims":[],"refs":["https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/","https://www.microsoft.com/en-us/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Cyber Toufan","aliases":[],"description":"Cyber Toufan is a threat actor group that has gained prominence for its cyberattacks targeting Israeli organizations. The group's tactics suggest potential nation-state backing, possibly from Iran. They have been involved in hack-and-leak operations, data breaches, and data destruction, impacting over 100 organizations. Cyber Toufan's activities align with geopolitical tensions in the Middle East ","targetSectors":[],"suspectedVictims":[],"refs":["https://www.darkreading.com/cyberattacks-data-breaches/-cyber-toufan-hacktivists-leaked-100-plus-israeli-orgs-in-one-month","https://socradar.io/dark-web-profile-cyber-toufan-al-aqsa/","https://research.checkpoint.com/2023/11th-december-threat-intelligence-report/","https://blog.polyswarm.io/2023-recap-cyber-activity-in-the-gaza-conflict","https://www.securityweek.com/palestinian-hackers-hit-100-israeli-organizations-in-destructive-attacks/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Cotton Sandstorm","aliases":["Emennet Pasargad","Holy Souls","MARNANBRIDGE","NEPTUNIUM","HAYWIRE KITTEN"],"description":"Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. 
The group has been linked to the Iranian government and has been sanctioned by the US Treasury","targetSectors":["Government","Finance","High-Tech","Telecoms","NGOs","Civil Society","Rail","Energy"],"suspectedVictims":["United States","Israel","Middle East","Europe"],"refs":["https://blog.sekoia.io/iran-cyber-threat-overview/","https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/","https://www.ic3.gov/Media/News/2022/220126.pdf","https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/","https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":"Information Operations"},{"name":"Storm-1084","aliases":["DEV-1084"],"description":"Storm-1084 is a threat actor that has been observed collaborating with the MuddyWater group. They have used the DarkBit persona to mask their involvement in targeted attacks. Storm-1084 has been linked to destructive actions, including the encryption of on-premise devices and deletion of cloud resources. They have been observed using tools such as Rport, Ligolo, and a customized PowerShell backdoo","targetSectors":[],"suspectedVictims":[],"refs":["https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns","https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"BANISHED KITTEN","aliases":["DUNE","Storm-0842","Red Sandstorm"],"description":"BANISHED KITTEN is an Iranian state-nexus adversary active since at least 2008. 
While the adversary’s most prominent activity is the July and September 2022 disruptive attacks targeting Albanian government infrastructure and the use of the HomelandJustice persona to leak stolen data, BANISHED KITTEN has likely targeted dissidents using the AllinOneNeo malware family.","targetSectors":["Government","Healthcare","Pharmaceuticals","High-Tech","Telecomms","Education","Media","NGOs","Civil Society"],"suspectedVictims":["United States","Israel","Middle East","Europe"],"refs":["https://www.crowdstrike.com/adversaries/banished-kitten/","https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR","suspectedStateSponsor":"Iran (Islamic Republic of)","motive":["Espionage","Information Operations","Sabotage"]},{"name":"UNC1549","aliases":["Nimbus Manticore"],"description":"UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, deploying custom malware like MINIBIKE and MINIBUS backdoors. They have also been observed using evasion techniques and a tunneler ","targetSectors":[],"suspectedVictims":[],"refs":["https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east","https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe","https://blog.checkpoint.com/research/iranian-threat-actor-nimbus-manticore-expands-campaigns-into-europe-with-advanced-malware-and-fake-job-lures/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Edalat-e Ali","aliases":[],"description":"Edalat-e Ali is a hacktivist group known for disrupting Iranian state-run TV and radio transmissions during significant events, such as the Revolution Day ceremonies. 
They have also targeted government facilities, releasing security camera footage to expose abuses and draw attention to human rights violations. The group has used their hacks to call for protests against the Iranian regime and have ","targetSectors":[],"suspectedVictims":[],"refs":["https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/","https://securityaffairs.com/142172/hacktivism/iranian-state-tv-hacked.html","https://www.chronline.com/stories/a-hacking-slugfest-between-iran-and-its-foes-sparks-fears-of-a-wider-cyberwar,281423"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"UNC1860","aliases":[],"description":"UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent acces","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Shahid Hemmat","aliases":[],"description":"Shahid Hemmat is an IRGC-CEC affiliated hacking group linked to cyberattacks targeting U.S. critical infrastructure, including the defense industry and international transportation sectors. The group has been implicated in the hack of a booster station at the Municipal Water Authority in Aliquippa, Pennsylvania, which disrupted drinking water supply. 
Key figures within Shahid Hemmat include Manouc","targetSectors":[],"suspectedVictims":[],"refs":["https://securityonline.info/shahid-hemmat-hackers-10m-reward-offered-by-us/","https://www.bitdefender.com/en-us/blog/hotforsecurity/us-offers-10-million-bounty-for-members-of-iranian-hacking-gang/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"TA455","aliases":[],"description":"TA455 is an Iranian APT group targeting the aerospace industry through a campaign known as the “Iranian Dream Job Campaign,” utilizing deceptive job offers to lure victims. They employ spearphishing tactics with malicious ZIP files containing the executable “secur32[.]dll” and disguise their C2 communications within the traffic of reputable services like Cloudflare and GitHub. The group intentiona","targetSectors":[],"suspectedVictims":[],"refs":["https://www.clearskysec.com/irdreamjob24/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Educated Manticore","aliases":[],"description":"Educated Manticore is an Iranian APT group aligned with the Islamic Revolutionary Guard Corps, primarily engaged in espionage targeting government, military, and academic sectors. The group employs spear-phishing tactics, utilizing custom backdoors like POWERLESS and phishing kits designed as SPAs to harvest credentials. 
Their operations have included impersonating credible figures to lure victims","targetSectors":[],"suspectedVictims":[],"refs":["https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics","https://blog.checkpoint.com/security/check-point-research-uncovers-rare-techniques-used-by-iranian-affiliated-threat-actor-targeting-israeli-entities/","https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"BladedFeline","aliases":[],"description":"BladedFeline is an Iran-aligned APT group that has been active since at least 2017, targeting Iraqi and Kurdish government officials for cyberespionage. The group employs a variety of tools, including the Shahmaran backdoor, Whisper, and PrimeCache, which is a malicious IIS module. BladedFeline utilizes techniques such as spearphishing (T1566), exploiting public-facing applications (T1190), and ti","targetSectors":[],"suspectedVictims":[],"refs":["https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Cyber Islamic Resistance","aliases":[],"description":"Cyber Islamic Resistance is a hacktivist collective ideologically aligned with Iran, engaging in operations such as website defacements, DDoS attacks, and data exfiltration targeting Israeli and Western entities. They have claimed breaches of Israeli cybersecurity firms and academic platforms, framing their actions as part of a broader narrative of retaliation. 
The group has also targeted critical","targetSectors":[],"suspectedVictims":[],"refs":["https://www.rapid7.com/blog/post/tr-iran-cyber-playbook-escalating-regional-conflict/","https://socradar.io/blog/telegram-activity-timeline-iran-israel-us-war/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"APTIran","aliases":[],"description":"APTIran has claimed responsibility for a large-scale campaign targeting Israeli critical infrastructure, asserting infiltration of government ministries, hospitals, universities, and financial institutions as retaliation for Israeli military operations. The group has leaked over 350,000 Israeli government login credentials and approximately 300 internal databases, while also threatening to create ","targetSectors":[],"suspectedVictims":[],"refs":["https://www.sophos.com/en-us/blog/hacktivist-campaigns-increase-as-united-states-iran-and-israel-conflict-intensifies","https://blog.talosintelligence.com/talos-developing-situation-in-the-middle-east/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"},{"name":"Ababil of Minab","aliases":[],"description":"Ababil of Minab is an emerging pro-Iranian hacktivist group with a limited public profile and little verifiable prior activity in threat intelligence reporting. The group claims responsibility for a cyberattack and allegedly possesses administrative access to targeted systems. Their pro-Iran messaging and targeting of a major US public transit authority align with known patterns of Iranian-aligned","targetSectors":[],"suspectedVictims":[],"refs":["https://www.dataminr.com/resources/intel-brief/pro-iran-actor-ababil-of-minab-claims-cyberattack-on-la-metro/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"IR"}]}