Key Takeaways
Background
Iran’s Approach to Cyberwar
Iran emphasizes asymmetric tactics in conflicts, where mismatched opponents exploit each other’s vulnerabilities through unconventional methods. This includes launching attacks that hinder retaliation due to legal constraints and employing proxy hacker groups to bolster limited conventional power. Additionally, Iran incorporates psychological elements, such as public statements about relaxing online restrictions, which may serve as disinformation to divert attention while ramping up regime-aligned cyber intrusions.
Historically, Iran has had a robust cyber operations arsenal. APT groups have posed a threat to the US, Israel, and their allies worldwide as well as to any opposition within Iran. Key elements of Iran’s cyber framework include building safeguards for national systems, tools to curb internal dissent, aggressive measures against foreign digital targets in the West, and efforts to reduce external, primarily Western, cultural impacts. It is also worth noting from an analyst’s perspective that Iran’s cyber activity often appears to be reactive rather than proactive.
The Usual Suspects For Retaliatory Attacks
The following is an overview of Iran-nexus APT groups known to exhibit activity within the past two years. Any cyber threat actors conducting retaliatory activity in an official capacity on behalf of Iran are likely to belong to these threat actor groups or related groups.
Charming Kitten
Charming Kitten, active since 2014 and linked to the IRGC, specializes in espionage through spear-phishing with fake personas and compromised emails to deliver POWERSTAR malware, exploiting Microsoft Exchange vulnerabilities, deploying Android malware, and using password-spraying. Recently in 2024, they targeted US election accounts and Israeli cybersecurity experts with phishing via benign PDFs for credential harvesting; in June 2025, they attacked Israeli academics for espionage purposes.
Refined Kitten
Refined Kitten, also known as Peach Sandstorm, has been active since 2013 and linked to the IRGC, focusing on destructive attacks and espionage via spear-phishing to deliver SHAMOON wiper malware, exploiting industrial control systems, and using custom droppers like POWERTON for satellite communications targeting. In 2024, they compromised a US local government in a swing state and deployed Tickler malware against US and UAE satellite, government, and energy sectors.
Imperial Kitten
Imperial Kitten, active since 2015 and linked to the IRGC, engages in espionage and dissident monitoring through spear-phishing with malicious links to deliver VINETHORN malware, exploiting Android vulnerabilities, and using cloud-based C2 servers. In 2024, they targeted US election accounts and Israeli NGOs with phishing using benign PDFs; in 2023, they struck Israel’s tech and transportation sectors.
Static Kitten
Static Kitten, active since 2017 and associated with Iran’s MOIS, performs espionage via spear-phishing with malicious documents to deliver POWERSTATS malware, utilizing open-source tools, exploiting Microsoft Office vulnerabilities, and deploying PowerShell backdoors. In 2024, they employed DarkBeatC2 and BugSleep backdoors in phishing campaigns targeting Israeli entities.
Pioneer Kitten
Pioneer Kitten, active since 2017 and linked to the IRGC, conducts ransomware attacks and espionage by exploiting VPN/firewall vulnerabilities like CVE-2019-11510, deploying ransomware, using SSH tunneling, and harvesting credentials.
Tortoiseshell
Tortoiseshell, active since 2018 and linked to the IRGC, engages in espionage through spear-phishing with job-themed lures to deliver MINIBIKE/MINIBUS backdoors, leveraging cloud infrastructure like Azure for C2, and targeting supply chains. In 2024, they targeted Israeli aerospace with phishing campaigns posing as the “Bring Them Home Now” movement to deploy MINIBUS.
Curious Serpens
Curious Serpens, active since 2020 and suspected of IRGC ties, focuses on espionage using spear-phishing with tailored lures, exploiting zero-day vulnerabilities, deploying custom backdoors, and targeting supply chains. In June 2025, they attacked Israeli defense contractors through phishing and supply chain compromises.
Haywire Kitten
Haywire Kitten, also known as Cotton Sandstorm, has been active since 2018, employing spear-phishing with malicious documents to deliver DNSpionage malware, exploiting Microsoft Exchange vulnerabilities, and using PowerShell scripts. In 2024, operating as Aria Sepehr Ayandehsazan, they hacked Israeli IP cameras and a French provider to protest Israel’s Olympics participation, incorporating AI for influence operations.
Remix Kitten
Remix Kitten, active since 2014 and associated with Iran’s MOIS, conducts espionage via spear-phishing with malicious attachments to deliver custom malware, exploiting Microsoft Exchange vulnerabilities like ProxyShell, using remote access tools for persistence, and harvesting credentials. In 2024, they targeted Middle Eastern telecommunications by exploiting ProxyShell to steal data.
OilRig
OilRig, active since 2014 and linked to Iran’s MOIS, specializes in cyberespionage with modular malware, PowerShell-based tools, DNS tunneling for C2, custom backdoors like Helminth and QUADAGENT, exploiting vulnerabilities, and using stolen credentials for lateral movement. In 2025, they targeted US transportation and manufacturing organizations, evolving tactics after a 2019 tool leak to enhance credential theft and network persistence.
Nemesis Kitten
Nemesis Kitten, active since 2021 and suspected of IRGC affiliation, engages in ransomware attacks disguised as hacktivism by deploying ransomware with hacktivist branding, exfiltrating data before encryption, and leaking it on websites or social media for psychological impact. From 2024-2025, they combined encryption attacks with fear-mongering messages to undermine confidence in US critical infrastructure and other targets.
Iran’s Cyber Capabilities Face Setbacks
At this time, based on OSINT, it appears the attacks on Iran may have severely disrupted Iran’s cyber capabilities. This has affected Iran’s network infrastructure, its leadership hierarchy, and its intelligence capabilities. Quantifying setbacks in cyber programs is inherently speculative, as it involves rebuilding hardware, networks, human expertise, and codebases, factors more distributed than traditional military assets. Based on analogous events like Stuxnet, the current multi-domain assault could delay Iran's cyber maturation by roughly 1-3 years.
Infrastructure Disruption
Iran has been experiencing a near-total internet blackout, with connectivity dropping to single-digit percentages of normal levels. Monitoring groups and analysts link this both to intentional regime blackout policies and possible infrastructure damage from cyber and kinetic strikes.
According to General Dan Caine, Chairman of the US Joint Chiefs of Staff, “The first movers were USCYBERCOM and USSPACECOM, layering non-kinetic effects, disrupting and degrading and blinding Iran's ability to see, communicate and respond… Coordinated space and cyber operations effectively disrupted communications and sensor networks across the area of responsibility, leaving the adversary without the ability to see, coordinate, or respond effectively… Across every domain, land, air, sea, cyber, the US Joint Force delivered synchronized and layered effects designed to disrupt, degrade, deny and destroy Iran's ability to conduct and sustain combat operations.”
This has led to leadership communication breakdowns, segmented national intranet failures, and unstable critical services, effectively hampering coordinated offensive cyber operations in the short term.
Based on monitoring from NetBlocks and Cloudflare, the following major Iranian ASNs are likely among those disrupted in the current event:
The ongoing internet blackout in Iran can make it easier for the US or Israeli military and intelligence agencies to monitor outgoing internet traffic from the country. During such shutdowns, Iran's regime typically implements a "whitelisting" system, where only a select few government-approved networks, datacenters, and users retain access. This drastically reduces overall traffic volume, currently at around 1-4% of normal levels, inverting the signal-to-noise ratio and creating a bottleneck effect. Everyday civilian or benign communications drop off, making the remaining activity, which is more likely tied to regime operations, stand out and easier to fingerprint, track, and analyze for patterns or intent.
For instance, APT groups linked to Iran often use innocuous government infrastructure as cover for cyberattacks. In a blackout, these become the primary exit nodes, revealing their true purpose rather than blending into normal traffic. This aligns with historical patterns from Iran's previous shutdowns, where limited connectivity exposed key paths used by state-sponsored threat actors. The blackout also serves as a defensive measure for Iran, limiting external reconnaissance and cyberattacks against its own infrastructure by reducing the attack surface. Overall, the net effect leans toward enhanced monitoring opportunities for entities like the US, as the sparse, prioritized traffic becomes more conspicuous in global networks.
Leadership Upheaval
Based on official US and Israeli reports, it appears the following individuals in Iran’s political and military hierarchy have been eliminated:
Among these individuals were key IRGC commanders with potential cyber ties:
Iran's cyber capabilities are primarily managed under the IRGC-CEC, which reports to the IRGC commander and integrates with other branches for hybrid warfare. Eliminated leaders like Pakpour and Mousavi were part of the chain of command that directed these efforts, especially in the lead-up to and during the current conflict, where cyber has played a role in disruptions. These strikes have disrupted Iran's command-and-control, potentially weakening coordinated cyber retaliation. Iran has since appointed Ahmad Vahidi as the new IRGC commander, a veteran with ties to the Quds Force, but his cyber involvement remains unclear.
Intelligence Hindered
As noted above, multiple high-ranking IRGC intelligence officials were lost in the attacks. Reports indicate Iran's intelligence agencies were "decimated," which likely extends to cyber oversight, disrupting strategic direction and resource allocation. However, lower-level APTs operate semi-autonomously and may not be as affected. Due to reduced intelligence capabilities, which likely had an impact on their cyber intelligence as well, choosing what targets to strike and when becomes an issue. Effective strategy relies on good intelligence. As a result, Iranian threat actors likely have neither the capacity nor the direction to do anything significant at the moment without painting targets on themselves.
Iran’s Proxies and Allies
With Iran’s cyber capabilities potentially hindered in the short term, retaliatory cyber attacks are likely to originate from outside Iran in the form of attacks conducted by proxies including hacktivist groups, terrorist networks, or Iran’s strategic allies.
Terrorist Networks
Hezbollah
Hezbollah, founded in 1982 with Iranian backing during Lebanon’s civil war, serves as Tehran’s primary proxy in the “Axis of Resistance.” Iran provides extensive funding, weapons, training, and operational guidance via the Islamic Revolutionary Guard Corps, enabling Hezbollah to project Iranian influence against Israel and the US while offering plausible deniability. Based in Lebanon, particularly southern regions and Beirut, Hezbollah controls significant territory and operates as a hybrid political-military force with 20,000-40,000 fighters. As a cyber proxy, Hezbollah possesses limited but evolving capabilities, including intelligence gathering, phishing, and disruptions, often in collaboration with IRGC units. In retaliation for 2026 US-Israeli strikes on Iran, it may conduct asymmetric cyber ops targeting infrastructure, though its focus remains kinetic.
Hamas
Hamas, founded in 1987 as a Palestinian Sunni Islamist group during the First Intifada, receives significant Iranian support. Iran provides funding, weapons, training, and strategic guidance via the IRGC to advance anti-Israel goals within the “Axis of Resistance.” It is based in the Gaza Strip (Palestine), with networks in the West Bank and diaspora communities. Hamas’s cyber capabilities are limited, emphasizing propaganda, doxing, and low-level disruptions. As an Iranian proxy, it could aid retaliatory cyber ops following the US-Israeli strikes, but its degraded state after the 2023-2024 Gaza war prioritizes kinetic survival over advanced cyber threats.
Pan-Islamic Proxies
There are a few notable examples of Iranian-aligned proxy groups with operational bases or activities extending beyond the Middle East. These are often ideologically motivated hacktivists or semi-autonomous cells that receive indirect Iranian support, allowing for plausible deniability. Their global dispersion, via diaspora networks, offshore servers, or recruitment in non-Middle Eastern countries, makes them less susceptible to monitoring or direct kinetic or cyber responses from US and Israeli forces.
Fatimiyoun Electronic Team
Fatimiyoun Electronic Team is linked to the Fatimiyoun Brigade, an Afghan Shia militia proxy of Iran. This group operates from Afghanistan- or Pakistan-based networks, coordinating via Telegram. They've claimed attacks outside the Middle East, including reconnaissance on Western targets. The group has used custom wiper malware similar to Shamoon variants in attacks on financial and energy firms in Europe and the US. They have employed botnets such as those based on DieNet or Mirai variants for DDoS attacks, flooding targets with traffic to disrupt services. Fatimiyoun Electronic Team is also known for social engineering via job recruitment scams or phishing emails disguised as humanitarian aid/NGO communications, often delivering backdoors like Tickler for persistence. With Iran's command disrupted, this group could ramp up opportunistic strikes on US-affiliated entities.
Cyber Islamic Resistance
Cyber Islamic Resistance is a Pan-Islamic group with cells in North Africa and Europe. They coordinate via Telegram or Reddit, avoiding direct ties to Iranian infrastructure, which allows operations from less-monitored regions. They have deployed ransomware fronts and hack-and-leak operations, exfiltrating data for public dumps to amplify propaganda. They have utilized DDoS-for-hire services or custom scripts for website takedowns, as seen in past defacement campaigns against Israeli and US sites. If they retaliate on behalf of Iran, expect escalation in low-sophistication but high-volume attacks from European or African IP ranges and defacements or leaks tied to "pro-Iranian" claims, without direct attribution.
Islamic Hacker Army
Islamic Hacker Army is a pan-Islamic hacktivist collective with claimed members in Venezuela, Indonesia and Malaysia, using offshore proxies to obscure origins. They've historically avoided Middle Eastern servers, favoring global cloud infrastructure. Their tools include custom backdoors like FalseFont or Powerless for espionage, often combined with wipers in destructive ops against energy and telecom targets. They have leveraged coordinated DDoS via botnets and vulnerability scanners for mass exploitation in past campaigns against Gulf and Western entities. Their ideological alignment could drive proxy retaliation, especially if Iran's core capabilities remain degraded.
Other Hacktivist Groups
CyberAv3ngers
CyberAv3ngers, active since 2020 and potentially affiliated with the IRGC, conducts hacktivist-style geopolitically motivated attacks by exploiting weak credentials on internet-facing devices like Unitronics Vision Series PLCs to manipulate operational technology systems, deploying defacement messages and claiming attacks via Telegram. In 2024, they compromised US water facilities to display anti-Israel messages on PLCs and claimed similar attacks on Israeli PLCs.
Moses Staff
Moses Staff, active since 2021 with ties to Iranian interests, conducts hacktivist operations involving data theft, encryption, website defacement, and leaking stolen data via Telegram channels accompanied by ideological propaganda. In 2024, they performed data exfiltration and defacement attacks against Israeli entities, using leaks to promote anti-Israel narratives.
Handala
Handala, active since 2023 and aligned with Iranian geopolitical goals, carries out hacktivist operations with destructive elements using wiper malware, DDoS attacks, and data-wiping tools disguised as ransomware for disruption. In 2025-2026, they escalated wiper and disruptive attacks against Israeli targets amid regional conflicts, including data destruction and propaganda dissemination.
Strategic Allies
Russia
Russia and Iran have had a strategic partnership since 2015, expanded in 2021 with cyber cooperation pacts for tech transfers, surveillance tools, and joint exercises. Russia has previously supplied hardware like S-400 systems and satellites, enabling Iranian ops. Russia may engage in cyber activity on Iran’s behalf indirectly, sharing malware and exploits, coordinating disinformation, or aiding attacks via proxies to avoid escalation. Following the recent strikes on Iran, Russia condemned the attacks. It remains to be seen whether they will provide cyber-defense support or intel for retaliation.
China
China and Iran signed a 25-year cooperation deal in 2021, including cyber tech, 5G infrastructure, and AI for surveillance and ops. China could support Iranian cyber efforts via backdoors in Huawei/ZTE-built networks, satellite imagery for targeting, or AI tools for attacks. China may also provide indirect cyber-defense aid and components for ops, potentially enabling hacks on Middle East or US infrastructure.
Analyst Commentary
The coordinated US-Israeli strikes have inflicted unprecedented damage on Iran's cyber apparatus, combining physical destruction of leadership, near-total internet blackouts, and intelligence decapitation. This has created a rare, short-term suppression of state-directed offensive operations from Iranian soil, with outbound traffic now funneled through regime-controlled channels that are far easier to monitor and attribute.
Yet cyber threats do not disappear. In the immediate future, retaliation will likely manifest through proxies and aligned hacktivists, such as CyberAv3ngers, Handala, Moses Staff, or dispersed groups like Fatimiyoun Electronic Team or Islamic Hacker Army, conducting opportunistic DDoS attacks or using wipers, defacements, OT exploits, and propaganda leaks against US, Israeli, and regional targets. Russia and China may quietly amplify these efforts via indirect attacks not easily attributed to them. Medium-term risks remain elevated, as allied support could accelerate reconstitution, potentially restoring Iran’s APT capabilities at an accelerated rate. Defenders must maintain aggressive threat hunting for Iranian APT- and proxy-linked IOCs and prepare for persistent asymmetric cyber activity as a durable element of regime survival strategy in this ongoing conflict.
IOCs
PolySwarm has samples associated with multiple threat actors noted in this report. Below is a limited selection of hashes.