The PolySwarm Blog


An Eye on Iran

Jul 8, 2025 12:01:19 PM / by The Hivemind


Executive Summary

Escalating tensions following Israel’s “Operation Rising Lion” and the US “Operation Midnight Hammer” strikes raise the likelihood of retaliatory cyberattacks, with IRGC- and MOIS-linked groups targeting US and Israeli critical infrastructure. These state-sponsored actors have the tooling and the access history to deploy wiper and ransomware payloads and run phishing campaigns aimed at disrupting operations and stealing intelligence, posing significant risks to the US, Israel, and their allies.

Key Takeaways

  • Iranian cyber threat actors may target the US, Israel, or their allies in retaliation for the recent military operations against Iranian assets. 
  • Most of Iran’s cyber threat actors, such as Imperial Kitten and Static Kitten, have strong ties to Iran’s Islamic Revolutionary Guard Corps or Ministry of Intelligence and Security.
  • Iran’s cyber arsenal includes AI-enhanced social engineering, ransomware collaboration, and supply chain attacks, indicating a shift toward psychological impact and long-term espionage.

Background

Escalating tensions between Iran, Israel, and the US have heightened global concerns, particularly following Israel’s “Operation Rising Lion” and US strikes on Iranian nuclear sites under “Operation Midnight Hammer.” Israel’s initial attacks on June 13, 2025, followed by US involvement, aimed to cripple Iran’s nuclear program, which both nations claim was nearing weaponization, a charge Iran denies. Iran retaliated with missile strikes on Israel and a US base in Qatar, while imposing a near-total internet blackout to counter alleged Israeli cyberattacks. 

This conflict is likely to spill into cyberspace, with Iranian actors targeting US critical infrastructure such as the water and energy sectors. US agencies, including CISA, have warned of possible Iranian cyberattacks on American networks, potentially involving ransomware or wiper malware, in retaliation for the strikes. Israel faces a rise in DDoS attacks and disinformation campaigns from pro-Iranian hacktivists, while pro-Israel groups like Predatory Sparrow have disrupted Iranian banks and crypto exchanges. Experts expect any retaliatory Iranian cyberattacks to favor psychological impact and disruption, opportunistically hitting exposed and poorly secured US infrastructure, particularly if the conflict escalates further or the fragile ceasefire collapses.

A Brief Synopsis of Iran’s Cyber Threat Actors and Capabilities (2000-2024)

Since the early 2000s, Iran has developed a robust cyber capability, driven by geopolitical tensions and by the discovery in 2010 of Stuxnet, which targeted its nuclear program. Initially focused on domestic surveillance and basic website defacements, Iran’s cyber operations evolved into sophisticated campaigns run by the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). The 2012 Shamoon wiper attack on Saudi Aramco marked Iran’s shift to destructive cyberattacks. 

Over time, groups such as APT33, APT34, and APT35 targeted critical infrastructure, including Israeli technology firms and Middle Eastern energy companies, while IRGC-affiliated personas such as CyberAv3ngers hit US water systems. Tactics include spear-phishing, password spraying, and exploitation of vulnerabilities in VPN appliances and firewalls. By 2024, Iran was considered a first-tier cyber power, with hacktivist fronts masking state-sponsored operations. These actors prioritize espionage, disruption, and influence operations, posing ongoing risks to global infrastructure.

Threat Actor Groups Likely to Engage in Retaliatory Attacks

PolySwarm analysts have identified the top ten Iran nexus threat actor groups most likely to target the US, Israel, or their allies amid the ongoing political tensions in the region. We selected these threat actor groups based on the following criteria:

  • Recent Activity (since 2024): Demonstrated cyberattacks, including spear-phishing, ransomware, or wiper malware, showing active operational capability.
  • IRGC/MOIS Affiliations: Strong links to the Islamic Revolutionary Guard Corps or Ministry of Intelligence and Security, indicating state-sponsored intent.
  • Targeted Sectors: History of attacking US/Israeli critical infrastructure or government entities, aligning with Iran’s retaliatory strategy.
  • Geopolitical Alignment: Attack patterns consistent with targeting the US, Israel, or allies like the UAE.

Below is an overview of each of these threat actor groups.

Charming Kitten 

Charming Kitten, also known as APT35, Phosphorus, Mint Sandstorm, and NewsBeef, has been active since at least 2014. Charming Kitten engages in espionage and is linked to the Islamic Revolutionary Guard Corps (IRGC).

TTPs

Charming Kitten conducts spear-phishing with fake personas and compromised email accounts to deliver the POWERSTAR backdoor. The group has exploited Microsoft Exchange vulnerabilities, deploys Android malware, and uses password spraying for initial access.
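Password spraying, which appears in this profile and in several below, leaves a distinctive shape in authentication logs: one source touching many accounts with one or two guesses each, which is the inverse of classic brute force (one account, many guesses). The Python below is an added example, not code from PolySwarm or from any of the reporting summarized here. The sshd-style log lines are constructed, and the thresholds (five accounts within ten minutes, no account tried more than twice) are assumptions to tune for your environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style sample lines (hypothetical data, not real logs).
# 203.0.113.7 tries one or two passwords against many accounts and then logs
# in as frank; 198.51.100.9 hammers a single account (brute force, not spray);
# 192.0.2.5 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2025-07-01T09:00:01Z sshd[1201]: Failed password for alice from 203.0.113.7 port 51000 ssh2
2025-07-01T09:00:04Z sshd[1202]: Failed password for bob from 203.0.113.7 port 51001 ssh2
2025-07-01T09:00:07Z sshd[1203]: Failed password for invalid user carol from 203.0.113.7 port 51002 ssh2
2025-07-01T09:00:10Z sshd[1204]: Failed password for dave from 203.0.113.7 port 51003 ssh2
2025-07-01T09:00:13Z sshd[1205]: Failed password for erin from 203.0.113.7 port 51004 ssh2
2025-07-01T09:00:16Z sshd[1206]: Failed password for frank from 203.0.113.7 port 51005 ssh2
2025-07-01T09:01:30Z sshd[1207]: Failed password for alice from 203.0.113.7 port 51006 ssh2
2025-07-01T09:01:45Z sshd[1208]: Accepted password for frank from 203.0.113.7 port 51007 ssh2
2025-07-01T09:05:00Z sshd[1301]: Failed password for admin from 198.51.100.9 port 40000 ssh2
2025-07-01T09:05:01Z sshd[1302]: Failed password for admin from 198.51.100.9 port 40001 ssh2
2025-07-01T09:05:02Z sshd[1303]: Failed password for admin from 198.51.100.9 port 40002 ssh2
2025-07-01T09:05:03Z sshd[1304]: Failed password for admin from 198.51.100.9 port 40003 ssh2
2025-07-01T09:05:04Z sshd[1305]: Failed password for admin from 198.51.100.9 port 40004 ssh2
2025-07-01T09:05:05Z sshd[1306]: Failed password for admin from 198.51.100.9 port 40005 ssh2
2025-07-01T09:10:00Z sshd[1401]: Failed password for gina from 192.0.2.5 port 30000 ssh2
2025-07-01T09:10:20Z sshd[1402]: Accepted password for gina from 192.0.2.5 port 30001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return (timestamp, result, user, source_ip) tuples for lines that match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose failures, within some `window`, hit at least
    `min_users` distinct accounts with no account tried more than `max_per_user`
    times. That low-and-slow, wide shape separates a spray from brute force.
    For each IP the widest qualifying window is reported."""
    failures = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))
    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            tried = Counter(user for _, user in fails[start:end + 1])
            if len(tried) >= min_users and max(tried.values()) <= max_per_user:
                if best is None or len(tried) > best["distinct_users"]:
                    best = {"ip": ip, "distinct_users": len(tried),
                            "first": fails[start][0], "last": fails[end][0]}
        if best:
            alerts.append(best)
    return alerts


def successes_after_spray(events, alerts):
    """Accepted logins from a spraying source after its spray began are the
    accounts to treat as compromised (here: frank)."""
    spray_start = {a["ip"]: a["first"] for a in alerts}
    return sorted({(ip, user) for ts, result, user, ip in events
                   if result == "Accepted" and ip in spray_start
                   and ts >= spray_start[ip]})


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    found = detect_spray(evs)
    for a in found:
        print(f"spray from {a['ip']}: {a['distinct_users']} accounts "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for ip, user in successes_after_spray(evs, found):
        print(f"  accepted login for {user} from {ip}: treat as compromised")
```

The same sliding-window logic applies to VPN, OWA, or Entra ID sign-in logs once the parser is swapped; the detail that matters operationally is the second function, since a spray that ends in an accepted login is the one that needs an incident ticket rather than a block rule.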

Targeted Verticals and Regions

Targets government, defense, and academia in the US, Israel, Europe, and Middle East, plus dissidents and media.

Recent Activities

In 2024, Charming Kitten targeted accounts tied to the US elections and Israeli cybersecurity experts with phishing, using benign-looking PDFs to draw targets to credential-harvesting pages. In June 2025, the group targeted Israeli academics for espionage. 


Potential Role in Retaliation

As an IRGC-backed group, they are most likely to retaliate by intensifying phishing campaigns against US and Israeli government officials, aiming to steal intelligence or disrupt operations post-“Operation Midnight Hammer.” Their dissident focus suggests influence operations to sow discord among allies, potentially targeting US electoral systems or Israeli military networks with advanced social engineering.

Refined Kitten

Refined Kitten, also known as Peach Sandstorm, APT33, and Holmium, has been active since at least 2013. The group is known for destructive attacks and espionage and is linked to the IRGC.

TTPs

Peach Sandstorm has been linked to SHAMOON wiper deployments, uses spear-phishing and large-scale password spraying for initial access, deploys custom droppers such as POWERTON, and targets satellite communications for espionage.

Targeted Verticals and Regions

Targets energy, aviation, and defense in the US, Saudi Arabia, UAE, and South Korea.

Recent Activities 

In 2024, Peach Sandstorm compromised a low-privilege account at a county-level government in a US swing state and used the Tickler backdoor against satellite, government, and energy-sector targets in the US and UAE. 


Potential Role in Retaliation

In 2025, they are most likely to retaliate with destructive wiper attacks on US energy infrastructure or Israeli defense systems, disrupting operations in response to military strikes. Their IRGC ties suggest the potential for escalated targeting of Saudi Arabia or UAE energy sectors, leveraging satellite breaches for strategic intelligence.

CyberAv3ngers

CyberAv3ngers has been active since 2020. The group presents itself as a hacktivist collective conducting geopolitically motivated attacks, but US agencies assess it to be a persona of the IRGC Cyber-Electronic Command (IRGC-CEC). 


TTPs

CyberAv3ngers exploits internet-facing devices that still carry factory defaults. In the Unitronics Vision Series PLC campaign that meant the vendor default password (1111) on devices reachable on the default PCOM port, TCP 20256, the same three conditions CISA’s advisory told operators to eliminate. Once in, the group defaces the device HMI with political messages and claims the attacks on Telegram.
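CISA’s guidance after the Unitronics compromises reduces to three checks per PLC: is it still on the vendor default password, is it still listening on the default PCOM port, and can anything outside your trusted networks reach that port. The Python below is an added example (not PolySwarm’s code or any vendor tooling) that runs those checks over a hypothetical PLC inventory and constructed firewall flow records; the inventory format, the flow-log format, the trusted-network list, and the priority scheme are all assumptions.

```python
import ipaddress

# Vendor defaults called out in CISA's December 2023 Unitronics advisory.
UNITRONICS_PCOM_PORT = 20256
UNITRONICS_DEFAULT_PASSWORD = "1111"

# Trusted ranges (assumption: replace with your plant and corporate networks).
# Defined explicitly rather than via ipaddress.is_global so that the choice of
# what counts as "outside" is yours, not the library's special-purpose table.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed PLC inventory (hypothetical). In practice the password field is
# the outcome of a controlled login test against the device, not a stored secret.
INVENTORY = [
    {"name": "booster-plc-1", "ip": "198.51.100.20", "pcom_port": 20256, "password": "1111"},
    {"name": "booster-plc-2", "ip": "10.20.30.40",   "pcom_port": 20256, "password": "1111"},
    {"name": "filter-plc",    "ip": "10.20.30.41",   "pcom_port": 21777, "password": "Kj7#pLq2vR"},
]

# Constructed firewall flow records: src_ip,src_port,dst_ip,dst_port,action
FLOW_LOG = """\
203.0.113.55,50123,198.51.100.20,20256,allow
203.0.113.55,50124,198.51.100.20,20256,allow
203.0.113.56,50125,198.51.100.20,20256,allow
10.20.30.5,40001,10.20.30.40,20256,allow
203.0.113.55,50126,10.20.30.41,21777,deny
10.20.30.5,40002,10.20.30.41,21777,allow
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, _sport, dst, dport, action = line.split(",")
        flows.append({"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                      "dport": int(dport), "action": action.strip()})
    return flows


def assess_plc(plc, flows):
    """Apply the three advisory checks to one PLC and rank the result."""
    issues = []
    if plc["pcom_port"] == UNITRONICS_PCOM_PORT:
        issues.append("DEFAULT_PORT")
    if plc["password"] == UNITRONICS_DEFAULT_PASSWORD:
        issues.append("DEFAULT_PASSWORD")
    plc_ip = ipaddress.ip_address(plc["ip"])
    # Only *allowed* connections from outside the trusted ranges count as exposure;
    # a denied probe is evidence of scanning, not of reachability.
    external = sorted({str(f["src"]) for f in flows
                       if f["action"] == "allow" and f["dst"] == plc_ip
                       and f["dport"] == plc["pcom_port"] and not is_internal(f["src"])})
    if external:
        issues.append("INTERNET_REACHABLE")
    if "INTERNET_REACHABLE" in issues and "DEFAULT_PASSWORD" in issues:
        priority = "critical"   # exactly the precondition the 2023 campaign relied on
    elif issues:
        priority = "high"
    else:
        priority = "ok"
    return {"issues": issues, "external_sources": external, "priority": priority}


def assess_inventory(inventory, flows):
    return {plc["name"]: assess_plc(plc, flows) for plc in inventory}


if __name__ == "__main__":
    for name, result in assess_inventory(INVENTORY, parse_flows(FLOW_LOG)).items():
        print(f"{name}: {result['priority']} {result['issues']} "
              f"from {result['external_sources'] or 'no external sources'}")
```

Note that booster-plc-2 sits on a private address and still ranks high: a default password on an OT device is worth fixing even when the only thing that can reach it today is the engineering workstation, because the next VPN appliance bug changes what “reachable” means.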

Targeted Verticals and Regions

Targets water, energy, shipping, and distribution in the US, Israel, and globally.

Recent Activities

In November 2023, CyberAv3ngers compromised Unitronics PLCs at multiple US water facilities, including a municipal water authority in Pennsylvania, displaying anti-Israel messages on the devices, and claimed similar attacks on Israeli-made PLCs elsewhere. 


Potential Role in Retaliation

No specific 2025 activities are reported, but their IRGC ties position them to escalate attacks on US water or energy systems, causing physical disruptions. Against Israel, they may target utilities for psychological impact, potentially affecting allies like the UAE with OT-focused attacks.

Imperial Kitten 

The activity profiled here is tracked by Mandiant as APT42 and by PwC as Yellow Garuda. It has been active since at least 2015, conducts espionage and surveillance of dissidents, and is attributed to the IRGC Intelligence Organization. A naming caveat: Imperial Kitten is CrowdStrike’s designation for the actor Symantec calls Tortoiseshell (profiled separately below), and APT42 overlaps with the Charming Kitten/Mint Sandstorm cluster above; the tradecraft described in this section is APT42’s.

TTPs

APT42 uses spear-phishing with malicious links to deliver the VINETHORN Android surveillance malware and other tooling, and runs its command and control through cloud-hosted infrastructure.

Targeted Verticals and Regions

Targets government, healthcare, and academia in the US, Israel, Europe, and Iranian dissidents.

Recent Activities

In 2024, APT42 targeted accounts tied to the US elections and Israeli NGOs with phishing, using benign-looking PDF lures. In 2023, activity reported under the Imperial Kitten name hit Israel’s technology and transportation sectors. 


Potential Role in Retaliation

IRGC-backed, they are likely to retaliate with intensified phishing and mobile surveillance against US and Israeli officials, stealing sensitive data or monitoring dissidents. They could also disrupt allied healthcare or academic institutions, using mobile surveillance malware to extend access.

Static Kitten 

Static Kitten, also known as MuddyWater, Seedworm, and Earth Vetala, has been active since at least 2017. They engage in espionage activity and are associated with Iran’s Ministry of Intelligence and Security (MOIS).

TTPs

Static Kitten conducts spear-phishing with malicious documents to deliver POWERSTATS malware, uses open-source tools, and exploits Microsoft Office vulnerabilities. They deploy PowerShell backdoors.

Targeted Verticals and Regions

Targets government, defense, and telecommunications in the Middle East (Turkey, Iraq, UAE), North America, and Asia.

Recent Activities

In 2024, Static Kitten used the DarkBeatC2 framework and the BugSleep backdoor in phishing campaigns against Israeli entities, with Israel-focused espionage activity reported in March and July of that year.


Potential Role in Retaliation

MOIS-linked, they are likely to retaliate by targeting Israeli government networks or US allies in the region with phishing to steal intelligence, supporting Iran’s regional strategy post-military strikes.

Pioneer Kitten 

Pioneer Kitten, also known as UNC757, Parisite, Fox Kitten, and Lemon Sandstorm, has been active since at least 2017. The group conducts espionage and, per the FBI/CISA advisory of August 2024, has worked with ransomware affiliates; US agencies assess it to be affiliated with the Iranian government.

TTPs

Pioneer Kitten gains access by exploiting vulnerabilities in VPN and firewall appliances (for example CVE-2019-11510 in Pulse Secure and CVE-2019-19781 in Citrix, and more recently CVE-2024-3400 in Palo Alto PAN-OS and CVE-2024-24919 in Check Point gateways), then establishes persistence with webshells and SSH tunneling, harvests credentials, and hands the access to ransomware affiliates.

Targeted Verticals and Regions

Targets telecommunications, healthcare, and IT in the US, Israel, and Europe.

Recent Activities

In 2024, Pioneer Kitten collaborated with ransomware affiliates including ALPHV/BlackCat, providing access to US healthcare and IT organizations that were subsequently hit with ransomware. 


Potential Role in Retaliation

No 2025 activities are reported, but their IRGC ties suggest retaliation via ransomware attacks on US critical infrastructure, like hospitals, or Israeli telecoms, blending financial and espionage motives to disrupt operations.

Tortoiseshell 

Tortoiseshell, also known as UNC1549, has been active since at least 2018. The group engages in espionage and is linked to the IRGC.

TTPs

Tortoiseshell uses spear-phishing with job-themed lures to deliver MINIBIKE/MINIBUS backdoors, leverages cloud infrastructure (e.g., Azure) for C2, and targets supply chains.

Targeted Verticals and Regions

Targets aerospace, defense, and IT in Israel, UAE, Turkey, and potentially the US.

Recent Activities

In 2024, Tortoiseshell targeted Israeli aerospace with phishing, posing as the “Bring Them Home Now” movement, deploying MINIBUS. 


Potential Role in Retaliation

In 2025, they are likely to retaliate by compromising US/Israeli defense contractors via supply chain attacks, stealing military data to counter “Operation Rising Lion.” Their IRGC ties suggest targeting UAE IT sectors to disrupt allied operations.

Curious Serpens

Curious Serpens is Palo Alto Networks Unit 42’s name for the cluster tracked by Microsoft as Peach Sandstorm and by others as APT33/Refined Kitten (profiled above); it is listed separately here because reporting under this name centers on a distinct campaign, the FalseFont backdoor operation against defense industrial base organizations. Activity under this name has been reported since at least 2020, is espionage-focused, and is attributed to the IRGC. 


TTPs

Curious Serpens uses spear-phishing with tailored, often job-themed lures, exploits vulnerabilities in internet-facing services, and deploys custom backdoors such as FalseFont, which posed as a defense contractor’s hiring application. They target supply chains for espionage.

Targeted Verticals and Regions

Targets defense, aerospace, and IT in Israel, UAE, and potentially the US.

Recent Activities 

Curious Serpens targeted Israeli defense contractors with phishing and supply chain attacks, as reported in June 2025. 


Potential Role in Retaliation

IRGC-linked, they are likely to retaliate by targeting US and Israeli aerospace and defense contractors with tailored intrusions, stealing military technology or disrupting supply chains to weaken defense capabilities as the conflict escalates.

Haywire Kitten

Haywire Kitten, also known as Emennet Pasargad, Cotton Sandstorm, and Neptunium, and most recently operating under the corporate cover name Aria Sepehr Ayandehsazan (ASA), has been active since at least 2018. (Lyceum, sometimes listed alongside these names, is a separate MOIS-linked cluster, not an alias of this group.) The FBI and Treasury assess the group to be IRGC-affiliated; it is best known for hack-and-leak and influence operations, including the 2020 US election interference campaign that impersonated the Proud Boys.

TTPs

Haywire Kitten’s reported tradecraft centers on hack-and-leak and influence operations run through fake hacktivist personas: it scans for and exploits web-application vulnerabilities and exposed services for initial access, steals and selectively leaks data, and amplifies the result through persona accounts and, more recently, AI-generated content.

Targeted Verticals and Regions

Targets telecommunications and energy in the Middle East (Israel, Saudi Arabia) and Europe.

Recent Activities 

In 2024, operating as Aria Sepehr Ayandehsazan, Haywire Kitten harvested access to Israeli IP cameras and targeted a French commercial display provider as part of an influence operation protesting Israel’s participation in the Paris Olympics, using AI-generated content in its messaging, as documented by the FBI in October 2024. 


Potential Role in Retaliation

In 2025, their potential IRGC ties suggest retaliatory attacks on Israeli/US telecoms or energy sectors with destructive malware or propaganda, potentially targeting Saudi Arabia to disrupt allied infrastructure.

Remix Kitten 

Remix Kitten, also known as APT39 and Chafer, has been active since at least 2014. The group conducts espionage operations and is associated with Iran’s MOIS.

TTPs

Remix Kitten conducts spear-phishing with malicious attachments to deliver custom malware, exploits Microsoft Exchange vulnerabilities (e.g., ProxyShell), and uses remote access tools for persistence. They perform credential harvesting to maintain network access.
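Both the edge-appliance exploitation attributed to Pioneer Kitten above (CVE-2019-11510) and the ProxyShell exploitation described here leave recognizable request lines in web-server logs, which makes a retrospective sweep cheap. The Python below is an added example, not PolySwarm’s code or a published detection rule. The access-log lines are constructed; the two patterns are the widely published exploit shapes (a /dana-na/ path with directory traversal toward /etc/passwd, and an Autodiscover request whose Email parameter embeds autodiscover.json with an @ sign), and the log format and rule set are assumptions to extend for your own appliances.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format (hypothetical data).
# The first line and the two from 198.51.100.77 carry the published
# CVE-2019-11510 and ProxyShell request shapes; the rest are benign noise.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2025:10:00:00 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1834
203.0.113.10 - - [01/Jul/2025:10:00:05 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5121
198.51.100.77 - - [01/Jul/2025:10:02:00 +0000] "GET /autodiscover/autodiscover.json?@evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example HTTP/1.1" 200 0
198.51.100.77 - - [01/Jul/2025:10:02:03 +0000] "POST /autodiscover/autodiscover.json?@evil.example/PowerShell/?&Email=autodiscover/autodiscover.json%3F@evil.example HTTP/1.1" 200 0
192.0.2.20 - - [01/Jul/2025:10:03:00 +0000] "GET /autodiscover/autodiscover.xml HTTP/1.1" 401 0
192.0.2.20 - - [01/Jul/2025:10:03:10 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 9120
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def normalize(target):
    """Percent-decode twice (to undo double encoding) and lowercase the request
    target so the rules match the form the application would actually see."""
    return unquote(unquote(target)).lower()


# Assumed rule set: (name, predicate over the normalized target).
RULES = [
    ("CVE-2019-11510",
     lambda t: t.startswith("/dana-na/") and "../" in t),
    ("ProxyShell",
     lambda t: "/autodiscover/autodiscover.json" in t and "@" in t
               and "email=autodiscover/autodiscover.json" in t),
]


def scan_log(text):
    """Return one hit per matching request with the first rule that fired."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        target = normalize(m["target"])
        for name, pred in RULES:
            if pred(target):
                status = int(m["status"])
                hits.append({"src": m["src"], "rule": name, "status": status,
                             # a non-error status on an exploit request means the
                             # attempt was served, so treat it as a probable success
                             "succeeded": status < 400,
                             "request": f'{m["method"]} {m["target"]}'})
                break
    return hits


def summarize(hits):
    """Count rule matches per source IP: {src: {rule: n}}."""
    out = defaultdict(lambda: defaultdict(int))
    for h in hits:
        out[h["src"]][h["rule"]] += 1
    return {src: dict(rules) for src, rules in out.items()}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        flag = "SERVED" if h["succeeded"] else "blocked"
        print(f"{h['src']} {h['rule']} {flag}: {h['request']}")
    print(summarize(hits))
```

A match alone is not proof of compromise, since internet-wide scanners fire these requests at everything; the combination of a match, a 2xx status, and a response size consistent with real content (1834 bytes for a passwd file, for instance) is what should move a host from “scanned” to “investigate the appliance for webshells and dumped credentials.”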

Targeted Verticals and Regions

Targets telecommunications, travel, and government sectors in the Middle East, particularly Saudi Arabia, and occasionally the US and Europe.

Recent Activities

In 2024, Remix Kitten targeted Middle Eastern telecommunications, exploiting ProxyShell vulnerabilities to steal data, as noted by Picus Security. 


Potential Role in Retaliation

No specific 2025 activities are reported, but their MOIS affiliation and focus on Saudi Arabia suggest a retaliatory role against US allies. They could target Israeli government networks for espionage or disrupt US-affiliated telecoms via supply chain attacks, supporting Iran’s response to military strikes. Their persistent espionage tactics make them a credible threat to regional allies.


Analyst Commentary

The recent conflict involving Israel’s “Operation Rising Lion” and US “Operation Midnight Hammer” has the potential to unleash a wave of retaliatory Iranian cyberattacks, with IRGC-backed groups targeting critical infrastructure in the US, Israel, and allied nations. These actors are capable of leveraging advanced tactics to disrupt operations, steal intelligence, and sow discord. As Iran’s cyber capabilities continue to evolve, the threat to global security intensifies. PolySwarm analysts are actively tracking Iran nexus threat actor groups and their associated malware. We remain committed to reporting on significant developments, providing timely insights to help mitigate risks and enhance defenses against this growing cyber threat.
