{
	"id": "58b7c4f8-26cb-4d68-94cf-f2a9bbf4f289",
	"created_at": "2026-04-06T00:14:06.017569Z",
	"updated_at": "2026-04-10T13:11:49.215181Z",
	"deleted_at": null,
	"sha1_hash": "03d66b79d6ceb13aa532b979a1a872b9feb3fac5",
	"title": "Iran’s Cyber Playbook in the Escalating Regional Conflict",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2608360,
	"plain_text": "Iran’s Cyber Playbook in the Escalating Regional Conflict\r\nBy Rapid7\r\nPublished: 2026-03-11 · Archived: 2026-04-05 15:57:50 UTC\r\nFollowing our recently published advisories, this publication is intended to outline a summary of the cyber activities\r\nassociated with the tension. Based on the available information, we believe the conflict is beginning to show signs\r\nof expanding beyond a strictly regional crisis. Initial threat reporting pointed to a measurable increase in cyber\r\nactivity linked to the crisis, predominantly focused on hacktivist mobilization, with reports of phishing campaigns\r\nand claims of data theft and disruptive operations. For a companion piece focused on our customers, dive into\r\nRapid7 Detection Coverage for Iran-Linked Cyber Activity.\r\nCyber activity by groups associated with Iran and their affiliated ecosystems has begun to surface. Much of the\r\nvisible activity currently appears to have limited immediate operational impact as it consists primarily of website\r\ndefacements, distributed denial-of-service (DDoS) attacks, coordinated messaging campaigns, phishing attempts,\r\nand reconnaissance against exposed digital infrastructure. While these incidents may appear opportunistic or\r\nsymbolic, historical patterns of such behavior suggest that this activity can represent early-stage signaling,\r\npressure, and preparatory shaping operations rather than isolated disruption.\r\nIran’s cyber ecosystem operates through a layered structure that includes state-linked advanced persistent threat\r\n(APT) groups, proxy actors, hacktivist personas, and sympathetic foreign collectives. Even when not centrally\r\ncoordinated, these actors often converge on the same narratives and target sets during geopolitical crises, enabling\r\nsimultaneous visible disruption and covert intelligence-driven intrusion activity. 
As the conflict evolves, this\r\necosystem provides a scalable and deniable tool for retaliation that can gradually intensify.\r\nIt is very likely that the cyber risk will widen accordingly as the current conflict continues. Governments and\r\norganizations located in regions hosting U.S. military infrastructure or closely aligned with U.S. and Israeli\r\npositions may face increased exposure, particularly across sectors such as logistics, critical infrastructure, public\r\nadministration, energy, and telecommunications.\r\nStrategic context and operational trends\r\nIran does not operate according to a single publicly articulated cyberwarfare doctrine. Instead, its cyber strategy\r\nhas evolved pragmatically as part of the country’s broader asymmetric security model. Since 2010, there has been\r\nan expansion of its cyber capabilities as instruments for intelligence gathering, internal control, retaliation,\r\ncoercive messaging, and regional influence. Cyber operations are therefore best understood not as a separate\r\nmilitary domain with a fully transparent doctrine, but as an adaptable component of the regime’s survival and\r\nstrategic competition against outsiders.\r\nBroadly speaking, Iranian cyber activity tends to serve three overlapping strategic objectives. The first is regime\r\nsecurity and domestic control, in which cyber tools support surveillance, information control, and disruption of\r\ndissident or opposition networks. The second is strategic intelligence collection, in which state-linked actors target\r\nhttps://www.rapid7.com/blog/post/tr-iran-cyber-playbook-escalating-regional-conflict/\r\nPage 1 of 10\n\ngovernments, defense organizations, technology providers, telecommunications firms, and critical infrastructure to\r\ngather political, military, and economic intelligence. 
The third is coercive signaling and regional influence, in\r\nwhich cyber operations impose costs on adversaries, shape perceptions, and demonstrate retaliatory capability\r\nwhile remaining below the threshold of overt interstate war.\r\nA key feature of this regime’s approach is the development of long-term access. Iranian APT groups often conduct\r\nsustained intrusion campaigns focused not only on immediate collection but also on access persistence, credential\r\nharvesting, and network familiarity. In a crisis environment, these pre-existing footholds can become strategically\r\nimportant, supporting either intelligence collection or later disruptive operations. This is one reason current low-visibility intrusions deserve as much analytical attention as public hacktivist claims. The visible DDoS or\r\ndefacement campaign may dominate headlines, but the more significant strategic risk often lies in covert access\r\nestablished inside other targets.\r\nAnother defining feature of Iran’s cyber strategy is its layered operational model. State-linked APT groups\r\nfrequently operate alongside contractors, proxies, persona-driven influence actors, and hacktivist collectives. This\r\nstructure offers several advantages: it creates deniability, increases operational tempo, broadens the range of\r\npossible targets, and allows Iran-aligned ecosystems to combine disruptive spectacle with intelligence-driven\r\ndepth. During periods of heightened tension, this blended model enables visible pressure operations to coexist\r\nwith quieter espionage or pre-positioning campaigns. 
Current reporting on the conflict strongly supports this\r\ninterpretation, with hacktivist and proxy campaigns surging in parallel to concern over state-linked phishing,\r\nmalware, wipers, and infrastructure-focused targeting.\r\nIran’s threat actor landscape\r\nState sponsored\r\nIran’s cyber capabilities are distributed across a hybrid ecosystem of state institutions, intelligence services,\r\nmilitary structures, and semi-official operators. Rather than relying on a single centralized cyber command, Tehran\r\nappears to allocate responsibilities across different organs, primarily the Islamic Revolutionary Guard Corps and\r\nthe Ministry of Intelligence and Security, with support from contractors, front entities, and affiliated personas.\r\nStrategic coordination of the cyber domain is overseen by the Supreme Council of Cyberspace, while operational\r\nactivities are carried out through a mix of official and semi-official channels.\r\nIRGC-linked actors\r\nThe Islamic Revolutionary Guard Corps (IRGC) maintains one of Iran’s most visible offensive cyber capabilities\r\nand has been associated with cyber espionage, influence operations, credential theft, and politically aligned\r\ndisruptive activity. Among the principal IRGC-linked actors are APT35 (also known as Charming Kitten or Mint\r\nSandstorm), which has long conducted spear-phishing and credential-harvesting operations against diplomats,\r\njournalists, researchers, and policy communities, and APT42, an actor particularly associated with surveillance and\r\nsocial engineering targeting dissidents, activists, journalists, and policy experts. Cotton Sandstorm (also known\r\nas Holy Souls and Emennet Pasargad), meanwhile, has been linked to both espionage and influence-oriented\r\noperations targeting regional adversaries and Western institutions. 
Recent reporting also highlights continued\r\nconcern around malware associated with this broader actor set, including infostealing and espionage tooling used\r\nin phishing-led operations.\r\nMOIS-linked actors\r\nThe Ministry of Intelligence and Security (MOIS) operates parallel cyber capabilities that tend to emphasize\r\nintelligence collection, long-term access, and strategic espionage. The most prominent groups in this cluster\r\ninclude MuddyWater and OilRig (also known as APT34). CISA has previously described MuddyWater as an\r\nIranian government-sponsored actor conducting cyber espionage and malicious cyber operations across multiple\r\nsectors, while current reporting continues to place the group among the most operationally relevant Iranian state-linked threats in the present crisis environment. OilRig remains a longstanding espionage actor focused on\r\ngovernments, financial institutions, energy entities, and other strategic organizations.\r\nThese actors illustrate Iran’s distributed cyber-operational model: Intelligence-driven access development,\r\ninfluence, psychological pressure, and opportunistic disruptive action are not separate lines of effort but parts of a\r\nbroader strategic continuum.\r\nParallel hacktivists and proxies\r\nBeginning in June 2025, a noticeable surge in hacktivist and proxy cyber activity accompanied the broader\r\nescalation of tensions in the Middle East. This reflects a recurring pattern observed during previous geopolitical\r\ncrises, in which ideologically aligned non-state cyber actors mobilize alongside, or in parallel with, state-linked\r\ncyber operations. In the current confrontation, this dynamic has again expanded the cyber landscape beyond\r\ntraditional state-directed espionage or sabotage.\r\nBy early March 2026, several dozen hacktivist or proxy collectives had emerged in connection with the conflict. 
These groups\r\nvary significantly in capability and reliability. Some focus on distributed denial-of-service (DDoS) attacks, while\r\nothers conduct website defacements or hack-and-leak campaigns. Some primarily amplify claims of compromise\r\nthat are exaggerated or only partially verifiable. Their significance, therefore, lies less in technical sophistication\r\nthan in the cumulative pressure they place on defenders and the broader information environment.\r\nIn crisis situations, this activity can produce strategic effects. Numerous low-impact incidents can consume\r\ndefensive resources, complicate attribution, and obscure more sophisticated intrusions occurring simultaneously.\r\nHacktivist campaigns may therefore function as distractions, signals, or psychological pressure while more\r\ncapable actors pursue quieter access to high-value networks. For this reason, the analytical distinction between\r\nadvanced persistent threat (APT) activity and hacktivism can become blurred during periods of geopolitical\r\nconfrontation.\r\nSeveral collectives active in the current environment publicly position themselves as ideologically aligned with\r\nIran or with members of the so-called “Axis of Resistance.” Among the more visible groups are Handala Hack\r\nTeam, Dienet, FAD Team, APT IRAN, Cyber Islamic Resistance, and Fatimion cyber team. These actors\r\nfrequently frame their operations as retaliatory cyber campaigns targeting Israeli, Western, or allied regional\r\nentities, claiming responsibility for activities such as website defacements, DDoS attacks, and hack-and-leak\r\noperations targeting mainly government, telecommunications, energy, and financial entities. 
Although many\r\nclaims remain difficult to verify independently, their messaging strategy often emphasizes their psychological and\r\nreputational impact.\r\nIn parallel, several pro-Russia hacktivist groups have also engaged in operations linked to the confrontation,\r\nincluding NoName057(16), Sever Killer, and Russian Legion. These groups typically conduct large-scale DDoS\r\ncampaigns targeting government portals, financial services, and transportation or telecommunications\r\ninfrastructure in states perceived as supporting Israel or broader Western policy positions. Their participation\r\nillustrates how regional conflicts can attract cyber actors from outside the immediate theater when ideological\r\nalignment or strategic narratives converge.\r\nCyber activities linked to the ongoing conflict\r\nIranian APT group operations\r\nBeyond the highly visible hacktivist activity circulating on social media, defacement platforms, and Telegram\r\nchannels, a quieter but more strategically significant layer of cyber operations is unfolding through Iranian state-linked APT groups. These operations appear ongoing and aligned with broader geopolitical objectives tied to the\r\ncurrent conflict environment.\r\nRecent threat reporting indicates continued operations by the Iranian APT group MuddyWater, which is widely\r\nassessed to be linked to MOIS. Since at least early February 2026, reporting has suggested potential compromises\r\nor attempted intrusions targeting organizations associated with the United States and allied interests.\r\nAccording to public reporting, activity linked to the group was reportedly observed within the networks of a\r\nUnited States–based bank, a United States airport, a nonprofit organization operating across the United States and\r\nCanada, and a software company with operations in Israel. 
In several of these incidents, threat actors reportedly\r\ndeployed a previously undocumented backdoor known as Dindoor, suggesting a coordinated, ongoing campaign\r\nrather than isolated compromise events.\r\nHacktivist and proxy disruption activities\r\nThe most visible form of cyber activity so far remains hacktivist and proxy-led disruption.\r\nDDoS attacks are among the most common tactics employed by hacktivist groups. Pro-Russia groups such as\r\nNoName057(16) and Server Killers, along with other pro-Iran collectives affiliated with them, have been linked to\r\nwaves of coordinated DDoS attacks against Israel, Qatar, Bahrain, and other politically symbolic targets. These\r\nattacks are generally inexpensive and cause only short-term technical damage, but they remain strategically useful\r\nbecause they disrupt public services, tie up defense resources, generate media coverage, and fuel the narrative of a\r\nsustained cyber response.\r\nFigure 1: Telegram post from pro-Russia hacktivist groups claiming responsibility for targeting an Israeli website\r\nin support of Iran\r\nWebsite defacement also remains a common tactic. Groups such as FAD Team, 313, and Cyber Islamic\r\nResistance have been associated with claims of attacks on several websites. Although defacements are technically\r\nsimple to execute, they remain analytically significant: They are highly visible, rapidly disseminated, and\r\npsychologically impactful, often creating an exaggerated perception of widespread systemic compromise.\r\nData breaches represent a far more significant dimension of cyber operations. The Iranian-aligned group\r\nHandala, in particular, continues to blend political messaging with claims of data theft and the selective release of\r\nallegedly compromised information. 
The group recently asserted that it had infiltrated a Saudi energy company\r\nand exfiltrated internal documents, framing the operation as a combination of data exfiltration, coercive pressure,\r\nand psychological warfare targeting the energy sector. Even when the full authenticity of released datasets cannot\r\nbe independently verified, the publication of partially credible material can still generate substantial reputational\r\ndamage and potential operational disruption for affected organizations.\r\nTargeting critical infrastructure has emerged as one of the most concerning aspects of the current cyber activity\r\nby pro-Iran hacktivists and proxy collectives. Groups operating in this ecosystem, including Iranian APTs,\r\nHandala, and networks associated with the Cyber Islamic Resistance umbrella, have publicly claimed operations\r\ntargeting infrastructure across the region. Recent Telegram posts indicate that an Iranian APT group claimed\r\nresponsibility for attempts to sabotage Jordanian critical infrastructure, while other Iran-aligned hacktivist\r\npersonas have asserted access to sectors including fuel systems, water utilities, and other operational technology\r\nenvironments.\r\nIn a separate case, the Handala Hack Team has alleged that it compromised oil and gas companies in both the\r\nUnited Arab Emirates and Israel, claiming to have exfiltrated more than 1.3 TB of sensitive data from oil and gas\r\nsector networks. 
These claims, which would represent a significant intrusion into Middle Eastern energy\r\ninfrastructure if confirmed, have circulated primarily through hacktivist communication channels and social media\r\nreporting and have not been independently verified.\r\nFigure 2: IRAN APT group claimed attempts to target Jordanian critical infrastructure\r\nAlthough many of these claims remain difficult to independently verify, the recurring focus on industrial control\r\nsystems and essential services is analytically significant. Hacktivist collectives aligned with Iranian geopolitical\r\nnarratives frequently leverage infrastructure-related claims as part of information operations designed to amplify\r\nperceived impact, generate psychological pressure, and signal the potential for escalation into operational\r\ntechnology environments. Even when technical disruption is limited or exaggerated, the persistent narrative\r\naround infrastructure compromise can shape defensive priorities and highlight potential escalation pathways\r\nwithin the broader cyber conflict.\r\nSectoral exposure and risk landscape\r\nIn the current geopolitical context, cyberattacks extend far beyond military networks and defense institutions.\r\nModern cyber operations increasingly aim to affect the broader ecosystem that supports government activity,\r\neconomic stability, and public trust. 
Consequently, adversaries seek not only technically vulnerable targets but also\r\norganizations whose compromise or disruption can increase visibility, influence public perception, or create\r\ncascading effects across interconnected systems.\r\nA successful intrusion into a widely used service provider, a major infrastructure operator, or a publicly accessible\r\ninstitution can quickly produce consequences that extend far beyond the initial target, affecting supply chains,\r\nservice availability, and public confidence. In this context, cyber operations often serve multiple purposes\r\nsimultaneously: intelligence gathering, strategic positioning within critical networks, and generating disruption or\r\nexerting influence during periods of heightened geopolitical tension.\r\nAt present, several sectors appear particularly exposed:\r\nGovernment institutions and public administration\r\nDefense and aerospace industry\r\nEnergy sector, including oil, gas, and electricity\r\nTelecommunications providers\r\nFinancial services\r\nTransportation systems\r\nHowever, the risk landscape extends beyond these sectors themselves. Organizations that form part of the broader\r\ndigital supply chain supporting these industries may also represent attractive entry points. This includes cloud\r\nservice providers, managed service providers, technology vendors, and other third-party platforms that maintain\r\nprivileged access to client environments. Compromising such intermediaries can allow adversaries to reach high-value targets indirectly. By gaining access to a supplier or service provider, attackers may obtain pathways into\r\nmultiple networks simultaneously, access sensitive information, or move laterally across interconnected\r\noperational systems. Supply chain compromise, therefore, offers both scale and stealth, making it an increasingly\r\ncommon tactic in sophisticated cyber campaigns.\r\nGeopolitical alignment can also influence targeting decisions. 
Organizations based in countries that host United\r\nStates military assets or are publicly aligned with United States or Israeli policy positions may attract additional\r\nattention from adversaries. In these cases, targeting can carry symbolic, political, or strategic value beyond the\r\nimmediate technical impact of the intrusion. Within this environment, cyber exposure can generally be understood\r\nthrough three overlapping targeting dynamics.\r\nSymbolic targets include municipalities, universities, media outlets, and public institutions. These organizations\r\nmay be targeted primarily for visibility, messaging, or propaganda purposes. Even limited disruption or data\r\nexposure can generate headlines and amplify the perceived reach of the attackers.\r\nOperational targets include sectors that support everyday economic and social activity, such as\r\ntelecommunications providers, transportation systems, payment networks, and fuel distribution infrastructure.\r\nDisruptions in these areas can quickly affect daily life, creating public anxiety and increasing pressure on\r\nauthorities to respond.\r\nStrategic targets consist of entities whose compromise offers long-term intelligence or operational value. This\r\ncategory includes defense contractors, major financial institutions, government networks, and operators of critical\r\ninfrastructure. 
In these cases, adversaries may prioritize persistence and stealth to collect intelligence, monitor\r\ndecision-making processes, or maintain access that could be leveraged during future crises.\r\nTaken together, these targeting patterns illustrate a broader shift in cyber operations: Attackers are increasingly\r\nselecting targets not only for their intrinsic value, but for the broader political, economic, and societal effects that\r\ndisruption or compromise can produce.\r\nWhat should organizations monitor?\r\nIn the current phase of the conflict, organizations should continue to monitor for indicators that activity is shifting\r\nfrom opportunistic disruption toward deliberate intrusion or access preparation.\r\nInternet-facing infrastructure is often the initial entry point. Elevated scanning or probing of public websites, VPN\r\ngateways, remote access portals, cloud services, and email authentication infrastructure may indicate early\r\nreconnaissance. While some scanning is routine, sudden increases in probing activity or authentication attempts\r\nshould be treated as potential precursors to intrusion.\r\nPhishing and social engineering campaigns are also likely to intensify. Threat actors may exploit developments in\r\nthe conflict by using lures that reference civil defense alerts, battlefield updates, humanitarian messaging, or\r\nurgent requests that appear to originate from leadership or trusted partners. In some cases, malicious applications\r\nor replicas of legitimate services may be used to harvest credentials or deploy malware.\r\nCredential misuse remains a primary access vector. 
Security teams should monitor for abnormal authentication\r\npatterns, including logins from unusual geographic locations, access at unexpected hours, repeated failed logins\r\nfollowed by success, changes to multi-factor authentication settings, or the creation of new privileged accounts.\r\nOrganizations operating critical infrastructure should closely monitor activities within their operational\r\nenvironments. Suspicious access to remote management platforms, unusual connectivity between IT and OT\r\nnetworks, or unexpected activity involving engineering workstations or vendor access channels may signal\r\nreconnaissance within sensitive systems.\r\nFinally, monitoring the broader information environment can provide early warning and signal the need to\r\nincrease monitoring. Hacktivist groups frequently use platforms such as Telegram and X to circulate target lists,\r\nclaim attacks, or release fragments of allegedly stolen data tied to geopolitical events. Tracking these channels can\r\nhelp organizations identify potential targets and strengthen their defensive posture before malicious activity\r\nreaches their networks.\r\nAdditional reading from Rapid7 Labs, for Rapid7 customers: Rapid7 Detection Coverage for Iran-Linked Cyber\r\nActivity\r\nSource: https://www.rapid7.com/blog/post/tr-iran-cyber-playbook-escalating-regional-conflict/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/tr-iran-cyber-playbook-escalating-regional-conflict/"
	],
	"report_names": [
		"tr-iran-cyber-playbook-escalating-regional-conflict"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0fef355-9eb9-4adc-8d90-a8c7494c4a81",
			"created_at": "2024-01-18T02:02:34.735032Z",
			"updated_at": "2026-04-10T02:00:05.011663Z",
			"deleted_at": null,
			"main_name": "Handala Hack Team",
			"aliases": [
				"Operation HamsaUpdate"
			],
			"source_name": "ETDA:Handala Hack Team",
			"tools": [
				"Hamsa Wiper",
				"Handala",
				"Hatef Wiper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-10T02:00:03.715945Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens",
				"ENT-11",
				"Earth Vetala",
				"ITG17",
				"MERCURY",
				"Mango Sandstorm",
				"MuddyWater",
				"STAC 1171",
				"Seedworm",
				"Static Kitten",
				"TA450",
				"TEMP.Zagros",
				"UNC3313",
				"Yellow Nix"
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten",
				"DEV-0842",
				"Druidfly",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34",
				"Cold River",
				"DNSpionage"
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34",
				"CHRYSENE",
				"Crambus",
				"EUROPIUM",
				"Hazel Sandstorm",
				"Helix Kitten",
				"ITG13",
				"OilRig",
				"Yellow Maero"
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0d51a1b-38b1-4cfb-bee0-cad7ad2b9651",
			"created_at": "2025-05-29T02:00:03.196955Z",
			"updated_at": "2026-04-10T02:00:03.852653Z",
			"deleted_at": null,
			"main_name": "DieNet",
			"aliases": [
				"Shiite_Harvest"
			],
			"source_name": "MISPGALAXY:DieNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5869c6f-6789-4a43-8ffd-e0a76c127754",
			"created_at": "2025-08-07T02:03:24.774081Z",
			"updated_at": "2026-04-10T02:00:03.654593Z",
			"deleted_at": null,
			"main_name": "COBALT OBELISK",
			"aliases": [
				"ChaoticOrchestra",
				"Cotton Sandstorm",
				"Haywire Kitten",
				"Marnanbridge"
			],
			"source_name": "Secureworks:COBALT OBELISK",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "07131850-5161-48b8-98be-6b0271d44d0e",
			"created_at": "2024-01-23T13:22:35.085803Z",
			"updated_at": "2026-04-10T02:00:03.521854Z",
			"deleted_at": null,
			"main_name": "Cotton Sandstorm",
			"aliases": [
				"Emennet Pasargad",
				"Holy Souls",
				"MARNANBRIDGE",
				"NEPTUNIUM",
				"HAYWIRE KITTEN"
			],
			"source_name": "MISPGALAXY:Cotton Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "51e3a492-d98d-4eed-afdc-fa940010aa06",
			"created_at": "2026-03-24T02:00:04.638479Z",
			"updated_at": "2026-04-10T02:00:03.992494Z",
			"deleted_at": null,
			"main_name": "Cyber Islamic Resistance",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Islamic Resistance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfiltrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434446,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03d66b79d6ceb13aa532b979a1a872b9feb3fac5.pdf",
		"text": "https://archive.orkl.eu/03d66b79d6ceb13aa532b979a1a872b9feb3fac5.txt",
		"img": "https://archive.orkl.eu/03d66b79d6ceb13aa532b979a1a872b9feb3fac5.jpg"
	}
}
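The alias records above come from four different naming schemes (MITRE, Secureworks, ETDA, MISP Galaxy) and overlap heavily: the MITRE "Magic Hound" record lists "COBALT ILLUSION" as an alias, the Secureworks "COBALT ILLUSION" record lists "Magic Hound" and "APT42", and both Secureworks "COBALT GYPSY" and "COBALT EDGEWATER" carry "APT34". Before such records are used for detection tagging or reporting they have to be folded into clusters, and the folding has to be auditable, because a single shared umbrella name (such as "APT34") is enough to glue together two groups a vendor deliberately keeps apart. The following Python is an added example and not part of the archived record or of the Rapid7 publication it annotates; the RECORDS list is a constructed subset of the aliases on this page (kept verbatim, trailing spaces included, as the Secureworks entries appear), and the normalization rules and the "weak link" heuristic are this example's own assumptions.

```python
"""Cluster overlapping threat-actor alias records and explain every merge.

Added example. RECORDS is a constructed subset of the alias records on this
page; the normalization and the weak-link heuristic are assumptions of this
example, not rules taken from MITRE, Secureworks, ETDA or MISP Galaxy.
"""
import re
from collections import defaultdict

RECORDS = [
    {"source_name": "MITRE:Magic Hound", "main_name": "Magic Hound",
     "aliases": ["Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten",
                 "ITG18", "Phosphorus", "APT35", "Mint Sandstorm"]},
    {"source_name": "Secureworks:COBALT ILLUSION", "main_name": "COBALT ILLUSION",
     "aliases": ["APT35 ", "APT42 ", "Charming Kitten ", "ITG18 ",
                 "Magic Hound ", "TA453 ", "UNC788 ", "Yellow Garuda "]},
    {"source_name": "MITRE:APT42", "main_name": "APT42", "aliases": ["APT42"]},
    {"source_name": "Secureworks:COBALT ULSTER", "main_name": "COBALT ULSTER",
     "aliases": ["MERCURY ", "Mango Sandstorm ", "MuddyWater ", "Seedworm ", "TA450 "]},
    {"source_name": "ETDA:MuddyWater", "main_name": "MuddyWater",
     "aliases": ["Cobalt Ulster", "G0069", "Mango Sandstorm", "MuddyWater",
                 "Seedworm", "TA450"]},
    {"source_name": "Secureworks:COBALT EDGEWATER", "main_name": "COBALT EDGEWATER",
     "aliases": ["APT34 ", "Cold River ", "DNSpionage "]},
    {"source_name": "Secureworks:COBALT GYPSY", "main_name": "COBALT GYPSY",
     "aliases": ["APT34 ", "Crambus ", "Helix Kitten ", "OilRig "]},
    {"source_name": "MISPGALAXY:DieNet", "main_name": "DieNet",
     "aliases": ["Shiite_Harvest"]},
]


def normalize(name):
    """Canonical alias key: trim, collapse whitespace, lowercase, and join
    'APT 34' style names to 'apt34' so vendor spellings compare equal."""
    key = re.sub(r"\s+", " ", name.strip()).lower()
    return re.sub(r"^(apt|g|ta|unc|itg)\s+(\d+)$", r"\1\2", key)


def alias_keys(record):
    """All normalized names a record answers to, main name included."""
    return {normalize(record["main_name"])} | {normalize(a) for a in record["aliases"]}


class DisjointSet:
    """Union-find over record source names (path halving on find)."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_records(records):
    """Return (clusters, merge_log).

    clusters:  sorted lists of source_name values that share at least one
               normalized alias, directly or transitively.
    merge_log: (alias_key, earlier_record, later_record) for every link that
               actually joined two previously separate clusters, so an analyst
               can see which name caused each merge.
    """
    ds = DisjointSet()
    owners = defaultdict(list)  # alias key -> records already carrying it
    merge_log = []
    for rec in records:
        src = rec["source_name"]
        ds.find(src)  # register singletons so unmatched records still appear
        for key in alias_keys(rec):
            for other in owners[key]:
                if ds.find(other) != ds.find(src):
                    merge_log.append((key, other, src))
                    ds.union(other, src)
            owners[key].append(src)
    groups = defaultdict(list)
    for rec in records:
        groups[ds.find(rec["source_name"])].append(rec["source_name"])
    return sorted(sorted(g) for g in groups.values()), merge_log


def weak_links(records):
    """Record pairs held together by exactly one shared alias. One umbrella
    name (e.g. 'APT34' on both COBALT GYPSY and COBALT EDGEWATER) can merge
    groups a vendor keeps separate, so these links need manual review."""
    keys = {r["source_name"]: alias_keys(r) for r in records}
    names = sorted(keys)
    return [(a, b, next(iter(keys[a] & keys[b])))
            for i, a in enumerate(names) for b in names[i + 1:]
            if len(keys[a] & keys[b]) == 1]


if __name__ == "__main__":
    clusters, log = cluster_records(RECORDS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for key, a, b in log:
        print(f"merged {a} <-> {b} via alias '{key}'")
    for a, b, key in weak_links(RECORDS):
        print(f"REVIEW: {a} and {b} share only '{key}'")
```

On the sample input the script yields four clusters; the merge log shows that Secureworks COBALT EDGEWATER and COBALT GYPSY were joined by nothing but "apt34", and MITRE APT42 was attached to the Charming Kitten cluster by the single alias "apt42", both of which `weak_links` flags for review rather than silently accepting.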