The PolySwarm Blog


Footholds, Live Feeds, and Lifelines: Iranian Cyber Operations Surviving, Not Thriving

Mar 16, 2026 2:42:32 PM / by The Hivemind posted in Threat Bulletin, Critical Infrastructure, Iran, MOIS, MuddyWater, Cyber Warfare, CVE-2021-33044, Handala, IRGC, IP cameras, CVE-2017-7921


Verticals Targeted: Banking, Aviation, Defense, Healthcare
Regions Targeted: US, Canada
Related Families: Dindoor, Fakeset, Stagecomp, Darkcomp

Executive Summary

Recent reporting indicates Iranian cyber actors are expanding operations targeting US organizations while also exploiting internet-connected cameras across the Middle East for intelligence collection and battlefield awareness. These developments represent another layer in Iran’s evolving hybrid warfare strategy. Iranian APT group MuddyWater has maintained access to multiple US organizations since early February, while Iran-linked infrastructure has targeted internet-connected surveillance cameras across the Middle East. Hacktivist group Handala has recently claimed responsibility for a destructive cyberattack against medical technology firm Stryker. Taken together, these incidents suggest Iran’s cyber ecosystem is currently surviving but not thriving, maintaining operational capability despite disruption to infrastructure and command structures.


2024 Recap - Iranian Threat Actor Activity

Dec 16, 2024 1:42:43 PM / by The Hivemind posted in Threat Bulletin, Middle East, Iran, MENA, 2024, Recap


Executive Summary

This Threat Bulletin is part of PolySwarm’s 2024 Recap series. This report provides highlights of activity perpetrated by Iran-based threat actors in 2024.


MOIS Affiliated Threat Actor Using Liontail Framework

Nov 6, 2023 12:58:47 PM / by The Hivemind posted in Threat Bulletin, APT, Financial, Government, Iran, Telecommunications, framework, Military, MOIS, Liontail, OilRig, Scarred Manticore, IT, NGOs


Verticals Targeted: Government, Defense, Telecommunications, Finance, NGO, IT services  

Executive Summary

Scarred Manticore, a threat actor group associated with Iran’s MOIS, was observed using the Liontail framework in an espionage campaign.


Charming Kitten Using Sponsor Backdoor

Sep 18, 2023 2:00:54 PM / by The Hivemind posted in Threat Bulletin, Middle East, Iran, Charming Kitten, Sponsor


Verticals Targeted: Automotive, Communications, Engineering, Financial Services, Healthcare, Insurance, Legal, Manufacturing, Retail, Technology, Telecommunications

Executive Summary

Charming Kitten, an Iran-nexus threat actor group, was recently observed using the Sponsor backdoor to target at least 34 entities in Brazil, Israel, and the UAE.


Mint Sandstorm Targets US Critical Infrastructure

May 1, 2023 3:22:04 PM / by The Hivemind posted in Threat Bulletin, Middle East, Government, Critical Infrastructure, Iran, Telecommunications, Charming Kitten, MENA, Energy, Mint Sandstorm, North Africa, Transportation


Related Families: Drokbk, Soldier
Verticals Targeted: Critical Infrastructure, Telecommunications, Government, Energy, Transportation, Utilities, Oil & Gas

Executive Summary

Mint Sandstorm was recently observed targeting US critical infrastructure entities. These include seaports, energy companies, transportation systems, and a US utility and gas entity.


Iranian Threat Actors Target Hybrid Environment

Apr 21, 2023 2:39:06 PM / by The Hivemind posted in Threat Bulletin, Ransomware, Iran, Muddy Water, Static Kitten, DEV-1084, Mercury




Executive Summary

Iranian threat actors were observed targeting a hybrid environment using ransomware as a decoy for destructive attacks.


PolySwarm 2022 Recap - Threat Actor Activity Highlights: Iran

Dec 19, 2022 2:03:57 PM / by PolySwarm Tech Team posted in Threat Bulletin, Middle East, Iran, 2022 Recap, MENA




Executive Summary

This Threat Bulletin is part of PolySwarm’s 2022 Recap series. This report highlights activity perpetrated by Iran-based threat actors in 2022.


Key Takeaways

  • This report provides highlights of activity perpetrated by Iran-based threat actors in 2022.
  • Threat actors featured in this report include Static Kitten, Charming Kitten, Siamese Kitten, Fox Kitten, Helix Kitten, Nemesis Kitten, Refined Kitten, Moses Staff, Cobalt Mirage, and APT42. 
  • PolySwarm tracked malware associated with multiple Iran nexus threat actors in 2022.

Charming Kitten Hyperscrape Tool

Sep 9, 2022 1:13:55 PM / by PolySwarm Tech Team posted in Threat Bulletin, Iran, Hyperscrape, Scraper, Charming Kitten, APT35




Executive Summary

Google’s Threat Analysis Group (TAG) recently reported on Hyperscrape, a new data extraction tool used by the Iran-nexus threat actor group Charming Kitten.


