Category Archive
Iranian Cyber Threat Intelligence
24 reports · All intelligence
Iranian state and proxy cyber operations — hacktivist fronts, wipers, and ICS-focused activity, mapped to detectable behavior.
Water Systems Are Becoming Nation-State Pressure Points
Nation-state targeting of water systems shows why exposed OT, weak credentials, remote access, and poor IT/OT segmentation remain practical business risks—not just utility-sector problems.
MuddyWater’s Chaos Masquerade Shows Ransomware Response Needs Attribution Discipline
Iran-linked MuddyWater activity shows why ransomware response needs to examine identity compromise, remote access, and adversary objectives instead of trusting the ransom note at face value.
Handala’s Cal Water Claim Shows OT Defense Starts With Segmentation
Handala’s California Water Service claim is a reminder that critical-infrastructure defense starts with proving separation between billing systems, telemetry platforms, and operational technology.
Nimbus Manticore Shows Iranian APTs Are Moving Faster With AI-Assisted Tooling
Check Point Research reports that IRGC-affiliated Nimbus Manticore resurfaced with fake Zoom and SQL Developer lures, SEO poisoning, AppDomain hijacking, and a new MiniFast backdoor. Here is what SMBs and government contractors should tighten first.
Screening Serpens Shows Recruiting Is Now an Espionage Attack Surface
Iran-nexus Screening Serpens used recruitment and meeting lures, new RAT variants, and .NET AppDomainManager hijacking. Here is what SMBs and government contractors should tighten now.
FBI Alert: Iranian MOIS Hackers Weaponize Telegram as C2 Channel to Target Dissidents Worldwide
The FBI has issued a critical alert warning that Iranian government hackers are weaponizing Telegram as a command and control (C2) channel to steal data from dissidents, opposition groups, and journalists who oppose the regime around the world. According to the FBI alert publishe
FBI Confirms Handala Hackers Breached Director Patel’s Personal Email Account
Iran-linked hackers have successfully breached the personal email account of FBI Director Kash Patel, publishing photos, documents, and email correspondence in a significant escalation of cyber operations targeting senior U.S. government officials. The Handala Hack Team, a hackti
Iranian Handala Hackers Breach FBI Director Kash Patel’s Personal Email, Leak Photos and Documents
Iran-linked hacking group Handala Hack Team has successfully breached the personal email account of FBI Director Kash Patel, publishing photographs and documents stolen from his inbox, according to The Guardian and confirmed by the FBI. Attack Details The breach was announced by
FBI Alert: Iranian MOIS Hackers Weaponize Telegram for Global Espionage Against Dissidents
The FBI has issued a public alert warning that Iranian government hackers affiliated with the Ministry of Intelligence and Security (MOIS) are actively weaponizing Telegram as a command-and-control (C2) platform to conduct espionage operations against dissidents, opposition group
Iranian Handala Hackers Breach FBI Director Kash Patel’s Personal Email Account
In a significant escalation of Iranian cyber operations against U.S. government officials, the Iran-linked hacktivist group Handala has successfully compromised the personal email account of FBI Director Kash Patel. The breach, confirmed by the FBI on March 27, 2026, resulted in
CanisterWorm Wiper Weaponizes Trivy Supply Chain to Target Iran
A cybercrime group is attempting to leverage the ongoing US-Iran conflict by deploying a destructive wiper malware that specifically targets systems configured for Iranian users, according to new research from Krebs on Security and Aikido. TeamPCP Launches Iran-Targeting Wiper Th
FBI Flash Alert: Iranian Handala Hackers Weaponize Telegram for Malware C2 Operations
The FBI has issued a flash alert warning network defenders that Iranian hackers linked to the Ministry of Intelligence and Security (MOIS) are actively using Telegram as command-and-control (C2) infrastructure in malware attacks targeting journalists, dissidents, and opposition g
Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization
A comprehensive analysis by Unit 42 reveals a fundamental shift in Iranian cyber operations: state-aligned threat actors are abandoning custom malware in favor of weaponizing enterprise administrative tools to achieve unprecedented scale and stealth. The Strategic Shift During re
Iranian Threat Actors Target Hikvision and Dahua IP Cameras for Kinetic Strike Coordination
As Iran-Israel-US military operations escalate in the Middle East, Check Point Research and Tenable have identified a significant surge in Iranian threat actors targeting IP cameras manufactured by Hikvision and Dahua. The activity, which began spiking on February 28, 2026, coinc
Pro-Iranian Hackers Expand Targeting of US Critical Infrastructure as Cyber Chaos Escalates
Pro-Iranian hackers are expanding their operations beyond the Middle East and increasingly targeting critical infrastructure in the United States, according to cybersecurity experts and recent incidents. The attacks represent a significant escalation in Iran’s cyber warfare capab
Iranian Handala Hacktivists Deploy Wiper Malware Against Medical Device Giant Stryker
Iran-linked hacktivist group Handala has claimed responsibility for a devastating wiper malware attack against Stryker Corporation, a Fortune 500 medical technology company with over 53,000 employees and $22.6 billion in annual sales. Attack Scale and Impact According to Handala’
Iranian MOIS Cyber Actors Embrace Criminal Ecosystem: From Rhadamanthys to Ransomware Affiliates
A new Check Point Research report reveals that Iranian Ministry of Intelligence and Security (MOIS)-linked threat actors are increasingly engaging with the cybercrime ecosystem, moving beyond mere imitation to directly leveraging criminal tools, services, and affiliate-style rela
Seedworm APT Deploys Dindoor and Fakeset Backdoors Inside US Critical Infrastructure Networks
Iran’s Seedworm APT group (also known as MuddyWater) has established persistent access inside the networks of multiple US organizations since early February 2026, deploying two previously unknown malware implants as geopolitical tensions between the US and Iran escalate. New Back
60+ Pro-Iranian Hacktivist Groups Activate AI-Enabled ICS Attacks Following US-Israel Strikes
In the largest single-event activation of Iranian-aligned cyber actors ever documented, more than 60 pro-Iranian hacktivist groups became active on Telegram within hours of the February 28 US-Israel military strikes on Iran. Armed with AI tools and targeting over 40,000 internet-
Iranian Cyber Threats Intensify: APT Groups and Hacktivists Target U.S. and Allied Infrastructure
Executive Summary As hostilities between Iran and the U.S./Israeli-led coalition escalate, threat intelligence indicates Iranian-aligned cyber actors pose an elevated near-term risk to organizations across North America and allied nations. These actors have a well-documented hist
Seedworm APT Targets US Banks and Airports with New Dindoor and Fakeset Backdoors
Iranian state-sponsored hackers have maintained persistent access inside multiple US critical infrastructure networks since early February 2026, establishing footholds that security researchers warn could enable devastating attacks amid escalating geopolitical tensions in the Mid
Iranian APT Infy Resurfaces with New Tornado Malware After Internet Blackout
The elusive Iranian threat group known as Infy (also tracked as Prince of Persia) has evolved its tactics and deployed new command-and-control infrastructure, resuming operations precisely when Iran’s government-imposed internet blackout ended in late January 2026. Operational Ti
Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention
By Tom Fakterman, Daniel Frank and Jerome Tujague READ ARTICLE Executive Summary This article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliated threat actor that Unit 42 tracks as Curious Serpens. Curious Serpens (aka Peach Sands
Iran’s APT33 targets US defense contractors with novel malware
https://www.scmagazine.com/news/iranian-threat-group-apt33-targets-us-defense-contractors-with-novel-malware