Iran Cyber Threat · Full Landscape Assessment

Iran's Cyber Threat Landscape 2026

Decentralized. Deniable. Persistent. Adaptive. Opportunistic. An OSINT assessment of Iran's full cyber delivery model — eight nodes, two institutions, one criminal ecosystem, and an expanding AI layer.

Affiliation key: IRGC · MOIS · Joint / Contractor. Updated June 2026. OSINT Assessment.
Cyber Delivery Model

Eight-node architecture

Node 01
IRGC
APT Groups — IRGC-IO, IRGC-CEC, IRGC-EWCD
  • APT35 / Charming Kitten / Mint Sandstorm — IRGC-IO
  • APT42 — sub-cluster of APT35 — IRGC-IO
  • APT33 / Peach Sandstorm — IRGC
  • Cotton Sandstorm / Emennet Pasargad — IRGC-EWCD
  • CyberAv3ngers / Sandcat — ICS/OT (NEW)
Node 02
MOIS
Long-dwell espionage, credential harvesting
  • MuddyWater / Mango Sandstorm — MOIS
  • OilRig / APT34 — Joint
  • Agrius / Pink Sandstorm — MOIS
  • Void Manticore / Handala (NEW)
  • Cyber Toufan Al-Aqsa (NEW)
Node 03
Contractors
Front companies — arm's length deniability
  • Mahak Rayan Afraz (MASN) — DOJ/Treasury Apr 2024
  • Najee Technology — IRGC-IO front
  • Alkar Systems — IRGC-IO front
  • Ashiyane Security — proxy/research
  • Ravin Academy — MOIS recruitment
Node 04
Hacktivist Layer
State-directed, publicly deniable
  • Handala / Homeland Justice — MOIS
  • Cyber Islamic Resistance
  • Fatemiyoun Electronic Team (NEW)
  • FAD Team / Dienet
  • CyberAv3ngers — IRGC-CEC
Node 05
Criminal Ecosystem
State-crime convergence — revenue + deniability
  • Pioneer Kitten / Fox Kitten — IAB since 2017
  • Pay2Key / Pay2Key.I2P RaaS (2025)
  • BQT.Lock / BaqiyatLock RaaS
  • Partners: RansomHub, BlackCat, NoEscape
  • Moonlighting IRGC operators
Node 06
Pre-Positioned Access
Dormant — activated on operational need
  • Long-term network intrusions
  • Credential harvesting at scale
  • Internal persistence mechanisms
  • Infrastructure reconnaissance
  • Strategic access banking
Node 07
Regional Proxies
Axis of Resistance cyber dimension
  • Hezbollah-linked operators (POLONIUM)
  • Houthi-aligned cyber activity
  • Iraqi militia ecosystems
  • Influence & pressure operations
  • Cross-border coordination
Node 08
AI-Assisted Operations
Documented 2024–2026
  • CyberAv3ngers — ChatGPT ICS recon (Oct 2024)
  • Crimson Sandstorm — AI phishing (Feb 2024)
  • STORM-2035 — AI influence ops (Aug 2024)
  • AI-generated malware & deepfakes
  • Azure cloud C2 blending (APT33)
Delivery Doctrine

Six operational principles

01
Asymmetric Cost Imposition
Impose costs on adversaries without direct military confrontation. Cyber is the domain where Iran compresses the capability gap against superior conventional forces.
02
Deniability Through Diffusion
Multiple actors, layers, and personas obscure origin and intent. The hacktivist layer is doctrine, not incompetence. Treasury confirms state direction after the fact.
03
Pre-Position Before Activation
Establish access and persistence in advance of operational needs. Node 06 dormant access exists specifically to be activated when strategic conditions require.
04
Operate Below Attribution Threshold
Conduct operations calibrated to remain below the threshold of clear attribution and proportionate response. Slow bleed, not shock.
05
Persist, Adapt, Expand
Continuously evolve tradecraft, tools, and targeting in response to defender countermeasures and geopolitical developments. Iran does not stop — it pivots.
06
Criminal-State Convergence
Weaponize ransomware and IABs for revenue and deniability simultaneously. The boundary between state cyber warfare and cybercrime has effectively collapsed by design.
Documented Tactics

Active techniques

  • Malware deployment
  • Spearphishing
  • Wiper malware
  • DDoS
  • Disinformation
  • Supply chain compromise
  • Stolen credentials / IAB
  • Zero-day exploits
  • ICS/OT targeting
  • Ransomware
  • Initial access brokering
  • AI-assisted reconnaissance
  • Mobile surveillance
  • Hack-and-leak
APT Clusters

Full actor mapping

| Actor | Affiliation | Also Known As | Primary Activity |
|---|---|---|---|
| APT35 / Charming Kitten | IRGC-IO | Mint Sandstorm · TA453 · TG18 · Educated Manticore | Espionage, credential harvest, election targeting, AI-enhanced ops |
| APT42 | IRGC-IO | Sub-cluster of APT35 | Targeted surveillance, credential theft, iOS/Android spyware |
| APT33 / Peach Sandstorm | IRGC | Elfin · Refined Kitten · MAGNALIUM | Energy/defense espionage, Azure cloud C2 blending |
| Cotton Sandstorm | IRGC-EWCD | Emennet Pasargad · Haywire Kitten | Influence ops, disinformation, 2020 US election interference |
| CyberAv3ngers (NEW) | IRGC-CEC | Sandcat | ICS/OT targeting, US water/wastewater PLCs, AI-assisted recon |
| Fox Kitten / Pioneer Kitten | IRGC+IAB | Br0k3r · xplfinder · UNC757 · Lemon Sandstorm | Initial access brokering, ransomware partnerships |
| Crimson Sandstorm | IRGC | Imperial Kitten · TortoiseShell · Phosphorus | Supply chain, defense sector espionage, AI phishing |
| MuddyWater | MOIS | Mango Sandstorm · Seedworm · Static Kitten · Mercury | Espionage, pre-positioning, RaaS collaboration (Qilin) |
| OilRig / APT34 | Joint | Helix Kitten · Evasive Serpens | Long-term espionage, credential harvesting, Gulf targets |
| Agrius | MOIS | Pink Sandstorm · Agonizing Serpens · Marshtreader | Wiper malware disguised as ransomware, destructive ops |
| Void Manticore (NEW) | MOIS | Handala · Homeland Justice · Karma · Banished Kitten | Wiper-first, hack-and-leak, Albania attacks 2022, Stryker 2026 |
| Cyber Toufan Al-Aqsa (NEW) | MOIS-linked | Cyber Toufan | Largest Iran-linked data leak campaign vs Israel, post-Oct 7 2023 |
| DarkBit / DEV-1084 | MOIS | Storm-1084 | Post-intrusion destructive ops, Technion attack 2023 |
| Domestic Kitten | MOIS | Persian Kitten | Internal surveillance, diaspora tracking, mobile spyware |
| UNK_CraftyCamel (NEW) | IRGC-aligned |  | UAE aerospace/transport targeting, polyglot file delivery, Sosano backdoor |
Microsoft Designations

Storm IDs & cyber personas

| Storm ID | Common Name | Affiliation | Personas | Key Activity |
|---|---|---|---|---|
| Storm-1084 | DarkBit / DEV-1084 | MOIS | DarkBit | Post-intrusion destructive ops |
| Storm-0842 | Pink Sandstorm / Agrius | MOIS | Malek Team · Homeland Justice · MoneyBird | Wipers, fake ransomware, destructive ops vs Israel |
|  | Mango Sandstorm / MuddyWater | MOIS | Tears of War · No Voice · Hunters | Espionage, pre-positioning, RaaS collaboration |
| Storm-1364 | Unknown cluster | IRGC | Adil Ali · Open Hands · Saif al-Quds | Influence operations |
|  | Marigold Sandstorm / Cobalt Sapling | IRGC | Moses Staff · Abraham's Ax | Hack-and-leak, influence ops vs Israel |
| Storm-0784 | Shahid Kaveh / CyberAv3ngers | IRGC-CEC | Cyber Avengers · Soldiers of Solomon | ICS/OT targeting, critical infrastructure |
|  | Cotton Sandstorm / Emennet Pasargad | IRGC-EWCD | Anzu Team · Cyber Cheetahs · For Humanity | Election interference, influence ops, disinformation |
|  | Mint Sandstorm / APT35 | IRGC-IO | Cyber Flood · Al-Toufan · Forces of Light | Espionage, election targeting, AI-enhanced ops |
|  | Pioneer Kitten / Fox Kitten | IRGC+IAB | Br0k3r · xplfinder · Lemon Sandstorm | Initial access brokering, ransomware partnerships |
|  | Void Manticore | MOIS | Handala · Homeland Justice · Karma | Wiper attacks, hack-and-leak, Stryker 2026 |
|  | Cyber Toufan Al-Aqsa | MOIS-linked | Cyber Toufan | Largest Iran-linked data leak vs Israel, post-Oct 7 |
|  | CyberAv3ngers | IRGC-CEC | Sandcat | ICS/SCADA, US water systems, PLC exploitation, AI recon |
Sources — all open source
CISA Advisories · FBI Cyber · U.S. Treasury / OFAC · MITRE ATT&CK Groups · Unit 42 · CrowdStrike · Google TAG · Microsoft MSTIC · Mandiant · Sekoia · Check Point Research · CSIS

Based on open-source reporting · FBI/CISA/NSA advisories · Updated June 2026 · All assessments derived from publicly available intelligence.