{
	"id": "5432635c-7c3c-4ab2-8d7b-f4287c54c2d8",
	"created_at": "2026-04-06T00:17:58.533481Z",
	"updated_at": "2026-04-10T03:35:13.661868Z",
	"deleted_at": null,
	"sha1_hash": "7e929cf5fddf1b8416a199060641a25d45a70b45",
	"title": "Treasury Sanctions Cyber Actors Backed by Iranian Intelligence Ministry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 549814,
	"plain_text": "Treasury Sanctions Cyber Actors Backed by Iranian Intelligence\r\nMinistry\r\nPublished: 2026-02-13 · Archived: 2026-04-05 19:40:06 UTC\r\nWashington – Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed\r\nsanctions on Iranian cyber threat group Advanced Persistent Threat 39 (APT39), 45 associated individuals, and\r\none front company. Masked behind its front company, Rana Intelligence Computing Company (Rana), the\r\nGovernment of Iran (GOI) employed a years-long malware campaign that targeted Iranian dissidents, journalists,\r\nand international companies in the travel sector. Concurrent with OFAC’s action, the U.S. Federal Bureau of\r\nInvestigation (FBI) released detailed information about APT39 in a public intelligence alert.\r\n“The Iranian regime uses its Intelligence Ministry as a tool to target innocent civilians and companies, and\r\nadvance its destabilizing agenda around the world,” said Treasury Secretary Steven T. Mnuchin. “The United\r\nStates is determined to counter offensive cyber campaigns designed to jeopardize security and inflict damage on\r\nthe international travel sector.”\r\nThese individuals and entities were designated pursuant to Executive Order (E.O.) 13553.\r\nRana advances Iranian national security objectives and the strategic goals of Iran’s Ministry of Intelligence and\r\nSecurity (MOIS) by conducting computer intrusions and malware campaigns against perceived adversaries,\r\nincluding foreign governments and other individuals the MOIS considers a threat. APT39 is being designated\r\npursuant to E.O. 13553 for being owned or controlled by the MOIS, which was previously designated on February\r\n16, 2012 pursuant to Executive Orders 13224, 13553, and 13572, which target terrorists and those responsible for\r\nhuman rights abuses in Iran and Syria, respectively.\r\nRana is being designated pursuant to E.O. 13553 for being owned or controlled by MOIS. 
Forty-five cyber actors\r\nare also being designated pursuant to E.O. 13553 for having materially assisted, sponsored, or provided financial,\r\nmaterial, or technological support for, or goods or services to or in support of the MOIS. The identification of\r\nthese individuals and their roles related to MOIS and APT39 comes as the result of a long-term investigation\r\nconducted by the FBI Boston Division.\r\nThe 45 designated individuals served in various capacities while employed at Rana, including as managers,\r\nprogrammers, and hacking experts. These individuals provided support for ongoing MOIS cyber intrusions\r\ntargeting the networks of international businesses, institutions, air carriers, and other targets that the MOIS\r\nconsidered a threat.\r\nThe FBI advisory, also being released today, details eight separate and distinct sets of malware used by MOIS\r\nthrough Rana to conduct their computer intrusion activities. This is the first time most of these technical indicators\r\nhave been publicly discussed and attributed to MOIS by the U.S. government. By making the code public, the FBI\r\nis hindering MOIS’s ability to continue their campaign, ending the victimization of thousands of individuals and\r\norganizations around the world.\r\n“The FBI, through our Cyber Division, is committed to investigating and disrupting malicious cyber campaigns,\r\nand collaborating with our U.S. government partners to impose risks and consequences on our cyber adversaries.\r\nToday, the FBI is releasing indicators of compromise attributed to Iran’s MOIS to help computer security\r\nprofessionals everywhere protect their networks from the malign actions of this nation state,” said FBI Director\r\nChristopher Wray. 
“Iran’s MOIS, through their front company Rana, recruited highly educated people and turned\r\ntheir cyber talents into tools to exploit, harass, and repress their fellow citizens and others deemed a threat to the\r\nregime. We are proud to join our partners at the Department of Treasury in calling out these actions. The sanctions\r\nannounced today hold these 45 individuals accountable for stealing data not just from dozens of networks here in\r\nthe United States, but from networks in Iran’s neighboring countries and around the world.”\r\nThe MOIS, camouflaged as Rana, has played a key role in the GOI’s abuse and surveillance of its own citizens.\r\nThrough Rana, on behalf of the MOIS, the cyber actors designated today used malicious cyber intrusion tools to\r\ntarget and monitor Iranian citizens, particularly dissidents, Iranian journalists, former government employees,\r\nenvironmentalists, refugees, university students and faculty, and employees at international nongovernmental\r\norganizations. Some of these individuals were subjected to arrest and physical and psychological intimidation by\r\nthe MOIS. APT39 actors have also victimized Iranian private sector companies and Iranian academic institutions,\r\nincluding domestic and international Persian language and cultural centers. Rana has also targeted at least 15\r\ncountries in the Middle East and North Africa region.\r\nRana’s targeting has been both internal to Iran and global in scale, including hundreds of individuals and entities\r\nfrom more than 30 different countries across Asia, Africa, Europe, and North America. Rana has used malicious\r\ncyber intrusion tools to target or compromise approximately 15 U.S. 
companies primarily in the travel sector.\r\nMOIS cyber actors targeted a wide range of victims, including global airlines and foreign intelligence services.\r\nThe unauthorized access obtained by the individuals designated today allows the MOIS to track individuals whom\r\nit considers a threat.\r\nAs a result of today’s action, all property and interests in property of the individuals and entities above, and of any\r\nentities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked\r\npersons, that are in the United States or in the possession or control of U.S. persons, are blocked and must be\r\nreported to OFAC. Unless authorized by a general or specific license issued by OFAC or otherwise exempt,\r\nOFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States\r\nthat involve any property or interests in property of designated or otherwise blocked persons. The prohibitions\r\ninclude the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any\r\nblocked person or the receipt of any contribution or provision of funds, goods or services from any such person.\r\nView identifying information on the entities and individuals designated today.\r\nView the FBI’s Public Intelligence Alert on APT39.\r\n####\r\nSource: https://home.treasury.gov/news/press-releases/sm1127",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/sm1127"
	],
	"report_names": [
		"sm1127"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39",
				"Burgundy Sandstorm",
				"Chafer",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d",
			"created_at": "2023-01-06T13:46:38.883911Z",
			"updated_at": "2026-04-10T02:00:03.132231Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"COBALT HICKMAN",
				"G0087",
				"Radio Serpens",
				"TA454",
				"ITG07",
				"Burgundy Sandstorm",
				"REMIX KITTEN"
			],
			"source_name": "MISPGALAXY:APT39",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b6155e4-94ec-4909-b908-550afe758ad6",
			"created_at": "2022-10-25T15:50:23.365074Z",
			"updated_at": "2026-04-10T02:00:05.2978Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"APT39",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "MITRE:APT39",
			"tools": [
				"NBTscan",
				"MechaFlounder",
				"Remexi",
				"CrackMapExec",
				"pwdump",
				"Mimikatz",
				"Windows Credential Editor",
				"Cadelspy",
				"PsExec",
				"ASPXSpy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434678,
	"ts_updated_at": 1775792113,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e929cf5fddf1b8416a199060641a25d45a70b45.pdf",
		"text": "https://archive.orkl.eu/7e929cf5fddf1b8416a199060641a25d45a70b45.txt",
		"img": "https://archive.orkl.eu/7e929cf5fddf1b8416a199060641a25d45a70b45.jpg"
	}
}