{
	"id": "8953d9de-5ed1-415c-abdd-b65bdcecacc2",
	"created_at": "2026-04-06T00:07:48.319876Z",
	"updated_at": "2026-04-10T13:11:23.116828Z",
	"deleted_at": null,
	"sha1_hash": "6f9834cabc85b9093cc50f81f86556c063e963ae",
	"title": "Treasury Designates Iranian Cyber Actors Targeting U.S. Companies and Government Agencies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42896,
	"plain_text": "Treasury Designates Iranian Cyber Actors Targeting U.S.\r\nCompanies and Government Agencies\r\nPublished: 2026-02-13 · Archived: 2026-04-05 12:45:00 UTC\r\nWASHINGTON — Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)\r\nsanctioned two companies and four individuals involved in malicious cyber activity on behalf of the Iranian\r\nIslamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). These actors targeted more than a\r\ndozen U.S. companies and government entities through cyber operations, including spear phishing and malware\r\nattacks. In conjunction with today’s action, the U.S. Department of Justice and the Federal Bureau of Investigation\r\nare unsealing an indictment against the four individuals for their roles in cyber activity targeting U.S. entities. \r\n“Iranian malicious cyber actors continue to target U.S. companies and government entities in a coordinated, multi-pronged campaign intended to destabilize our critical infrastructure and cause harm to our citizens,” said Under\r\nSecretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States will\r\ncontinue to leverage our whole-of-government approach to expose and disrupt these networks’ operations.”\r\nIranian cyber actors continue to target the United States using a wide range of malicious cyber activity, from\r\nconducting ransomware attacks against critical infrastructure to conducting spear phishing and other social\r\nengineering campaigns against individuals, companies, and government entities. The IRGC-CEC, one of the\r\nIranian government organizations behind malicious cyber activity, works through a series of front companies to\r\ntarget the United States and several other countries. 
Although front company management and key personnel\r\nknow their operations support the IRGC-CEC, much of the Iranian public is not aware that some companies in\r\nIran, such as Mehrsam Andisheh Saz Nik, are used as front companies to support the IRGC-CEC. The Iranian\r\npublic should be aware that the IRGC-CEC uses private companies and their employees to achieve illegal goals.\r\nToday’s action is being taken pursuant to the counterterrorism authority Executive Order (E.O.) 13224, as\r\namended. OFAC designated the IRGC-CEC, also known as the IRGC Electronic Warfare and Cyber Defense\r\nOrganization, pursuant to E.O. 13606 on January 12, 2018, for being owned or controlled by, or acting for or on\r\nbehalf of, the IRGC, which itself was designated pursuant to E.O. 13224 on October 13, 2017. In February 2024,\r\nOFAC designated six IRGC-CEC officials in response to recent cyber operations in which IRGC-affiliated cyber\r\nactors manipulated programmable logic controllers, which impacted critical infrastructure systems, including in\r\nthe United States. While these particular operations did not disrupt any critical services, unauthorized access to\r\ncritical infrastructure systems can enable actions that harm the public and cause devastating humanitarian\r\nconsequences.  \r\nIRGC-CEC FRONT COMPANIES AND AFFILIATED CYBER ACTORS\r\nMehrsam Andisheh Saz Nik (MASN), formerly known as Mahak Rayan Afraz, is an IRGC-CEC front company\r\nthat has supported malicious cyber activity conducted by the IRGC-CEC. The company has been associated with\r\nmultiple Iranian advanced persistent threat (APT) groups, including Tortoiseshell. The company is also associated\r\nwith other malicious cyber activity, including a multi-year campaign targeting over a dozen U.S. companies and\r\ngovernment entities, including the Department of the Treasury. 
\r\nAlireza Shafie Nasab is an IRGC-CEC-affiliated cyber actor who was involved in the same multi-year cyber\r\ncampaign targeting U.S. entities while employed by MASN’s predecessor, Mahak Rayan Afraz. \r\nReza Kazemifar Rahman (Kazemifar), another IRGC-CEC cyber actor, has been involved in operational testing\r\nof malware intended to target job seekers with a focus on military veterans. Kazemifar, while employed by\r\nMASN’s predecessor, Mahak Rayan Afraz, was also involved in the spear phishing campaign targeting multiple\r\nU.S. entities, including the Department of the Treasury. \r\nIRGC-CEC front company Dadeh Afzar Arman (DAA) has also engaged in malicious cyber campaigns on\r\nbehalf of the IRGC-CEC. \r\nHosein Mohammad Haruni was employed by DAA and has been associated with various spear phishing and\r\nother social engineering operations, in addition to malicious cyber activity targeting U.S. entities and the\r\nDepartment of the Treasury. \r\nKomeil Baradaran Salmani has been associated with multiple IRGC-CEC front companies and involved in\r\nspear phishing campaigns targeting multiple U.S. entities, including the Department of the Treasury. \r\nMehrsam Andisheh Saz Nik, Dadeh Afzar Arman, Alireza Shafie Nasab, Komeil Baradaran Salmani, and\r\nReza Kazemifar Rahman are all being designated pursuant to E.O. 13224, as amended, for having acted or\r\npurported to act for or on behalf of, directly or indirectly, the IRGC-CEC. Hosein Mohammad Haruni is being\r\ndesignated pursuant to E.O. 13224, as amended, for having acted or purported to act for or on behalf of, directly or\r\nindirectly, Dadeh Afzar Arman. \r\nSANCTIONS IMPLICATIONS\r\nAs a result of today’s action, all property and interests in property of the designated persons described above that\r\nare in the United States or in the possession or control of U.S. 
persons are blocked and must be reported to OFAC.\r\nIn addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more\r\nby one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by\r\nOFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting)\r\nthe United States that involve any property or interests in property of designated or otherwise blocked persons. \r\nIn addition, financial institutions and other persons that engage in certain transactions or activities with the\r\nsanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.\r\nThe prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the\r\nbenefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from\r\nany such person. \r\nThe power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to\r\nthe Specially Designated Nationals and Blocked Persons List (SDN List), but also from its willingness to remove\r\npersons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring\r\nabout a positive change in behavior. For information concerning the process for seeking removal from an OFAC\r\nlist, including the SDN List, please refer to OFAC’s Frequently Asked Question 897 here. For detailed information\r\non the process to submit a request for removal from an OFAC sanctions list, please click here.\r\nClick here for more information on the individuals and entities designated today.\r\n###\r\nSource: https://home.treasury.gov/news/press-releases/jy2292",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/jy2292"
	],
	"report_names": [
		"jy2292"
	],
	"threat_actors": [
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434068,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f9834cabc85b9093cc50f81f86556c063e963ae.pdf",
		"text": "https://archive.orkl.eu/6f9834cabc85b9093cc50f81f86556c063e963ae.txt",
		"img": "https://archive.orkl.eu/6f9834cabc85b9093cc50f81f86556c063e963ae.jpg"
	}
}