Executive Summary
Escalating tensions following Israel’s “Operation Rising Lion” and the US “Operation Midnight Hammer” could trigger retaliatory cyberattacks, with IRGC-linked groups targeting US and Israeli critical infrastructure. These state-sponsored actors may deploy sophisticated malware and phishing to disrupt operations and steal intelligence, posing significant risks to global security.
Key Takeaways
- Iranian cyber threat actors may engage the US, Israel, or their allies in retaliation for recent military operations targeting Iranian assets.
- Most of Iran’s cyber threat actors, such as Imperial Kitten and Static Kitten, have strong ties to Iran’s Islamic Revolutionary Guard Corps or Ministry of Intelligence and Security.
- Iran’s cyber arsenal includes AI-enhanced social engineering, ransomware collaboration, and supply chain attacks, indicating a shift toward psychological impact and long-term espionage.
Background
Escalating tensions between Iran, Israel, and the US have heightened global concerns, particularly following Israel’s “Operation Rising Lion” and US strikes on Iranian nuclear sites under “Operation Midnight Hammer.” Israel’s initial attacks on June 13, followed by US involvement, aimed to cripple Iran’s nuclear program, which both nations claim was nearing weaponization—a charge Iran denies. Iran retaliated with missile strikes on Israel and a US base in Qatar, while imposing a near-total internet blackout to counter alleged Israeli cyberattacks.
This conflict has the potential to spill into cyberspace, with Iranian hackers targeting US critical infrastructure, such as water and energy sectors. US agencies, including CISA, warned of potential Iranian cyberattacks on American networks, possibly involving ransomware or wiper malware, as retaliation for the strikes. Israel faces increased DDoS attacks and disinformation campaigns from pro-Iranian hacktivists, while pro-Israel groups like Predatory Sparrow have disrupted Iranian banks and crypto exchanges. Experts suggest any retaliatory cyberattacks originating from Iran may focus on psychological impact and disruption, targeting US infrastructure to exploit vulnerabilities, especially if the conflict escalates further or a fragile ceasefire collapses.
A Brief Synopsis of Iran’s Cyber Threat Actors and Capabilities (2000-2024)
Since the early 2000s, Iran has developed a robust cyber capability, driven by geopolitical tensions and the 2010 Stuxnet attack, which targeted its nuclear program. Initially focused on domestic surveillance and basic website defacements, Iran’s cyber operations evolved into sophisticated campaigns by the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS). The 2012 Shamoon wiper attack on Saudi Aramco marked Iran’s shift to destructive cyberattacks.
Over time, groups like APT33, APT34, and APT35 targeted critical infrastructure, including US water systems, Israeli tech, and Middle Eastern energy sectors. Tactics include spear-phishing, password spraying, and exploiting vulnerabilities in VPNs and firewalls. By 2024, Iran was considered a first-tier cyberpower, with hacktivist fronts like CyberAv3ngers masking state-sponsored operations. These actors prioritize espionage, disruption, and influence operations, posing ongoing risks to global infrastructure.
Threat Actor Groups Likely to Engage in Retaliatory Attacks
PolySwarm analysts have identified the top ten Iran-nexus threat actor groups most likely to target the US, Israel, or their allies amid the ongoing political tensions in the region. We selected these threat actor groups based on the following criteria:
- Recent Activity (since 2024): Demonstrated cyberattacks, including spear-phishing, ransomware, or wiper malware, showing active operational capability.
- IRGC/MOIS Affiliations: Strong links to the Islamic Revolutionary Guard Corps or Ministry of Intelligence and Security, indicating state-sponsored intent.
- Targeted Sectors: History of attacking US/Israeli critical infrastructure or government entities, aligning with Iran’s retaliatory strategy.
- Geopolitical Alignment: Attack patterns consistent with targeting the US, Israel, or allies like the UAE.
Below is an overview of each of these threat actor groups.
Charming Kitten
Charming Kitten, also known as APT35, Phosphorus, Mint Sandstorm, and NewsBeef, has been active since at least 2014. Charming Kitten engages in espionage and is linked to the Islamic Revolutionary Guard Corps (IRGC).
TTPs
Charming Kitten conducts spear-phishing with fake personas and compromised email accounts to deliver POWERSTAR malware. They exploit Microsoft Exchange vulnerabilities, deploy Android malware, and use password-spraying.
Targeted Verticals and Regions
Targets government, defense, and academia in the US, Israel, Europe, and the Middle East, plus dissidents and media.
Recent Activities
In 2024, Charming Kitten targeted US election accounts and Israeli cybersecurity experts with phishing, using benign PDFs to harvest credentials. In June 2025, they attacked Israeli academics for espionage.
Potential Role in Retaliation
As an IRGC-backed group, they are most likely to retaliate by intensifying phishing campaigns against US and Israeli government officials, aiming to steal intelligence or disrupt operations post-“Operation Midnight Hammer.” Their dissident focus suggests influence operations to sow discord among allies, potentially targeting US electoral systems or Israeli military networks with advanced social engineering.
Refined Kitten
Refined Kitten, also known as Peach Sandstorm, APT33, and Holmium, has been active since at least 2013. The group is known for destructive attacks and espionage and is linked to the IRGC.
TTPs
Peach Sandstorm uses spear-phishing to deliver SHAMOON wiper malware, exploits industrial control systems, and deploys custom droppers like POWERTON. They target satellite communications for espionage.
Targeted Verticals and Regions
Targets energy, aviation, and defense in the US, Saudi Arabia, UAE, and South Korea.
Recent Activities
In 2024, Peach Sandstorm compromised a US local government in a swing state and used Tickler malware to target US and UAE satellite, government, and energy sectors.
Potential Role in Retaliation
In 2025, they are most likely to retaliate with destructive wiper attacks on US energy infrastructure or Israeli defense systems, disrupting operations in response to military strikes. Their IRGC ties suggest the potential for escalated targeting of Saudi Arabia or UAE energy sectors, leveraging satellite breaches for strategic intelligence.
CyberAv3ngers
CyberAv3ngers has been active since 2020. The group is known for hacktivist-style activity, with geopolitically motivated attacks. They are thought to be affiliated with the IRGC.
TTPs
CyberAv3ngers exploits weak credentials on internet-facing devices, like Unitronics Vision Series PLCs, to manipulate operational technology (OT) systems. They deploy defacement messages and use Telegram for attack claims.
Targeted Verticals and Regions
Targets water, energy, shipping, and distribution in the US, Israel, and globally.
Recent Activities
In 2024, CyberAv3ngers compromised US water facilities, displaying anti-Israel messages on PLCs, and claimed attacks on Israeli PLCs.
Potential Role in Retaliation
No specific 2025 activities are reported, but their IRGC ties position them to escalate attacks on US water or energy systems, causing physical disruptions. Against Israel, they may target utilities for psychological impact, potentially affecting allies like the UAE with OT-focused attacks.
Imperial Kitten
Imperial Kitten, also known as APT42 and Yellow Garuda, has been active since 2015. They are known to engage in espionage and monitor dissident behavior. They are linked to the IRGC.
TTPs
Imperial Kitten uses spear-phishing with malicious links to deliver VINETHORN and other malware, exploits Android vulnerabilities, and employs cloud-based C2 servers.
Targeted Verticals and Regions
Targets government, healthcare, and academia in the US, Israel, and Europe, as well as Iranian dissidents.
Recent Activities
In 2024, Imperial Kitten targeted US election accounts and Israeli NGOs with phishing, using benign PDFs. In 2023, they hit Israel’s tech and transportation sectors.
Potential Role in Retaliation
IRGC-backed, they are likely to retaliate with intensified phishing and mobile surveillance against US/Israeli officials, stealing sensitive data or monitoring dissidents. They could disrupt allied healthcare or academia, exploiting Android flaws to escalate cyberattacks.
Static Kitten
Static Kitten, also known as MuddyWater, Seedworm, and Earth Vetala, has been active since at least 2017. They engage in espionage activity and are associated with Iran’s Ministry of Intelligence and Security (MOIS).
TTPs
Static Kitten conducts spear-phishing with malicious documents to deliver POWERSTATS malware, uses open-source tools, and exploits Microsoft Office vulnerabilities. They deploy PowerShell backdoors.
Targeted Verticals and Regions
Targets government, defense, and telecommunications in the Middle East (Turkey, Iraq, UAE), North America, and Asia.
Recent Activities
In 2024, Static Kitten used DarkBeatC2 and BugSleep backdoors, targeting Israeli entities with phishing. In March and July, they focused on espionage against Israeli targets.
Potential Role in Retaliation
MOIS-linked, they are likely to retaliate by targeting Israeli government networks or US allies in the region with phishing to steal intelligence, supporting Iran’s regional strategy post-military strikes.
Pioneer Kitten
Pioneer Kitten, also known as UNC757, Parisite, and Fox Kitten, has been active since at least 2017. They are known to engage in ransomware attacks and espionage and are linked to the IRGC.
TTPs
Pioneer Kitten exploits VPN/firewall vulnerabilities (e.g., CVE-2019-11510), deploys ransomware, uses SSH tunneling, and conducts credential harvesting.
Targeted Verticals and Regions
Targets telecommunications, healthcare, and IT in the US, Israel, and Europe.
Recent Activities
In 2024, Pioneer Kitten collaborated with ALPHV, targeting US healthcare and IT with ransomware.
Potential Role in Retaliation
No 2025 activities are reported, but their IRGC ties suggest retaliation via ransomware attacks on US critical infrastructure, like hospitals, or Israeli telecoms, blending financial and espionage motives to disrupt operations.
Tortoiseshell
Tortoiseshell, also known as UNC1549, has been active since at least 2018. The group engages in espionage and is linked to the IRGC.
TTPs
Tortoiseshell uses spear-phishing with job-themed lures to deliver MINIBIKE/MINIBUS backdoors, leverages cloud infrastructure (e.g., Azure) for C2, and targets supply chains.
Targeted Verticals and Regions
Targets aerospace, defense, and IT in Israel, UAE, Turkey, and potentially the US.
Recent Activities
In 2024, Tortoiseshell targeted Israeli aerospace with phishing, posing as the “Bring Them Home Now” movement, deploying MINIBUS.
Potential Role in Retaliation
In 2025, they are likely to retaliate by compromising US/Israeli defense contractors via supply chain attacks, stealing military data to counter “Operation Rising Lion.” Their IRGC ties suggest targeting UAE IT sectors to disrupt allied operations.
Curious Serpens
Curious Serpens has been active since at least 2020. They engage in espionage and are suspected to have ties to the IRGC.
TTPs
Curious Serpens uses spear-phishing with tailored lures, exploits zero-day vulnerabilities, and deploys custom backdoors. They target supply chains for espionage.
Targeted Verticals and Regions
Targets defense, aerospace, and IT in Israel, UAE, and potentially the US.
Recent Activities
Curious Serpens targeted Israeli defense contractors with phishing and supply chain attacks, as reported in June 2025.
Potential Role in Retaliation
IRGC-linked, they are likely to retaliate by targeting US/Israeli aerospace with zero-day exploits, stealing military technology or disrupting supply chains to weaken defense capabilities post-conflict escalation.
Haywire Kitten
Haywire Kitten, also known as Emennet Pasargad, Lyceum, and Cotton Sandstorm, has been active since at least 2018.
TTPs
Haywire Kitten uses spear-phishing with malicious documents to deliver DNSpionage malware, exploits Microsoft Exchange vulnerabilities, and employs PowerShell scripts.
Targeted Verticals and Regions
Targets telecommunications and energy in the Middle East (Israel, Saudi Arabia) and Europe.
Recent Activities
In 2024, Haywire Kitten, as Aria Sepehr Ayandehsazan, hacked Israeli IP cameras and a French provider to protest Israel’s Olympics participation, using AI for influence operations.
Potential Role in Retaliation
In 2025, their potential IRGC ties suggest retaliatory attacks on Israeli/US telecoms or energy sectors with destructive malware or propaganda, potentially targeting Saudi Arabia to disrupt allied infrastructure.
Remix Kitten
Remix Kitten, also known as APT39 and Chafer, has been active since at least 2014. The group conducts espionage operations and is associated with Iran’s MOIS.
TTPs
Remix Kitten conducts spear-phishing with malicious attachments to deliver custom malware, exploits Microsoft Exchange vulnerabilities (e.g., ProxyShell), and uses remote access tools for persistence. They perform credential harvesting to maintain network access.
Targeted Verticals and Regions
Targets telecommunications, travel, and government sectors in the Middle East, particularly Saudi Arabia, and occasionally the US and Europe.
Recent Activities
In 2024, Remix Kitten targeted Middle Eastern telecommunications, exploiting ProxyShell vulnerabilities to steal data, as noted by Picus Security.
Potential Role in Retaliation
No specific 2025 activities are reported, but their MOIS affiliation and focus on Saudi Arabia suggest a retaliatory role against US allies. They could target Israeli government networks for espionage or disrupt US-affiliated telecoms via supply chain attacks, supporting Iran’s response to military strikes. Their persistent espionage tactics make them a credible threat to regional allies.
Analyst Commentary
The recent conflict involving Israel’s “Operation Rising Lion” and the US “Operation Midnight Hammer” has the potential to unleash a wave of retaliatory Iranian cyberattacks, with IRGC-backed groups targeting critical infrastructure in the US, Israel, and allied nations. These actors are capable of leveraging advanced tactics to disrupt operations, steal intelligence, and sow discord. As Iran’s cyber capabilities continue to evolve, the threat to global security intensifies. PolySwarm analysts are actively tracking Iran-nexus threat actor groups and their associated malware. We remain committed to reporting on significant developments, providing timely insights to help mitigate risks and enhance defenses against this growing cyber threat.