
What Defenders Need to Know about Iran’s Cyber Capabilities



With the current Iran crisis at its peak, cyber activity is a relevant part of the threat picture alongside kinetic and political pressure. Iran’s ecosystem includes multiple clusters aligned with state entities, the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), as well as deniable operators and “hacktivist” groups. This ecosystem supports a broad set of objectives: espionage to gain intelligence and footholds; disruption and destructive activity, including DDoS attacks, pseudo-ransomware, and data wipers to impose costs; and information operations that pair destructive activity or data leaks with coordinated online amplification. This activity is expected to intensify and broaden across the Middle East, the United States, and other countries that Iran views as its opponents in the current war.

This overview summarizes key Iranian-linked threat actor clusters that may be relevant to this war, and the tactics, techniques and procedures (TTPs) they have recently used against targets in the Middle East and the USA. Below, Check Point Research highlights how these tactics appear in real operations, the early warning signals defenders should watch for, and the mitigations that matter most right now.


Cotton Sandstorm 

Cotton Sandstorm (aka Emennet Pasargad / Aria Sepehr Ayandehsazan, also tracked as MarnanBridge/Haywire Kitten) is an Iranian cyber actor affiliated with the IRGC, best known for cyber-enabled influence operations and “fast-reaction” campaigns when regional events spike. Its playbook blends classic disruptive cyber activity with information operations: website defacements, DDoS attacks, email/account hijacking, and data theft followed by “hack-and-leak” style amplification using fake personas and impersonation to shape narratives. In recent years, Cotton Sandstorm has expanded operations beyond Israel to a broader victim set, including Gulf-focused activity. Examples include gaining unauthorized access to a US-based IPTV streaming company to broadcast AI-delivered messages about the war in Gaza, mostly impacting the United Arab Emirates, and repeated targeting of Bahraini government entities and infrastructure, framed with anti-monarchy messaging to protest the normalization of relations with Israel.

In the last months, Check Point Research observed a consistent malware toolset associated with Cotton Sandstorm. The actors routinely use WezRat, a custom modular infostealer delivered via spearphishing campaigns that masquerade as urgent software updates. In some cases, intrusions were followed by deploying WhiteLock ransomware specifically against Israeli targets, though there is nothing that prevents them from expanding this activity to other countries. 

One day into the current conflict, Cotton Sandstorm revived their old cyber persona, Altoufan Team, which mostly specialized in targeting Bahrain and had been silent for more than a year, claiming a few new alleged targets in Bahrain. This reflects the reactive nature of the actor’s campaigns and a high probability of their further involvement in intrusions across the Middle East amid the conflict. 

Educated Manticore

Educated Manticore is a cluster aligned with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and overlapping with APT35/APT42 (“Charming Kitten”) activity. The threat actor shows a strong pattern of high-trust impersonation against specific individuals: journalists, researchers, security experts, academics and foreign-based groups and individuals opposing the Iranian regime. In the current escalation environment, it is particularly important to track this actor, because this actor emphasizes relationship-based access: targeting people who can enable broader compromise – those with privileged email access, shared drives, or proximity to decision-makers.

Recent campaigns observed by Check Point Research show email spear-phishing and multi-channel social engineering, including messaging apps, that funnel targets to phishing kits. These kits masquerade as a wide range of services such as WhatsApp, Microsoft Teams, and Google Meet, and aim to steal credentials and session tokens and then quietly harvest information such as emails and documents. In some cases, the operators are also able to perform surveillance on targets, including revealing location data. One of the latest campaigns we attribute to Educated Manticore was observed targeting activists and a limited subset of high-profile individuals across the Middle East and the USA.

MuddyWater

MuddyWater (aka Mango Sandstorm / Static Kitten) is widely assessed as tied to Iran’s Ministry of Intelligence and Security (MOIS) and has a long record of espionage-driven intrusions against Middle East government, telecom, energy, and private-sector targets. The group typically compromises standard enterprise environments and maintains access for collection and has historically pivoted to disruption when tasked. Its footprint is broad: frequently targeting organizations across Israel and the Gulf and occasionally extending beyond the Middle East.

Recent tracking shows continued reliance on remote monitoring and management (RMM) tools, often delivered via legitimate file sharing services and distributed through large-scale phishing email waves sent to hundreds of recipients. For higher-value targets, MuddyWater deploys custom malware and short-lived tools that are swapped out quickly, with some recent campaigns suggesting elements of this tooling may have been developed with AI assistance. Despite this actor’s broad reach and high profile, its core TTPs have remained consistent over the years: extensive use of built-in Windows tooling (PowerShell/WMI), abuse of legitimate remote monitoring and management tools, and credential theft to enable lateral movement, often by taking over internal email accounts to send follow-on phishing from within the organization.
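The three host-side behaviours named above (encoded PowerShell, WMI-spawned shells, and RMM installers run from a user's download folder) can each be expressed as a simple rule over process-creation telemetry. The following triage script is an added example, not Check Point's code or a published detection rule; the events, host names and RMM installer filenames in it are constructed placeholders, and a real deployment would substitute the actual installer names the organization does not sanction.

```python
"""Process-creation triage for the MuddyWater-style TTPs described above.

Rules (all events and watchlist names are constructed for this example):
  1. powershell/pwsh launched with an encoded command (-e/-ec/-enc/-EncodedCommand)
  2. a shell whose parent is WmiPrvSE.exe, i.e. a command run through WMI
  3. an executable on the RMM watchlist started from a user's Downloads folder
"""
import ntpath  # handles Windows paths correctly even when run on Linux
import re
from dataclasses import dataclass

# Placeholder filenames standing in for unsanctioned RMM agents (hypothetical).
RMM_WATCHLIST = {"rmm-agent-setup.exe", "remote-support-client.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# powershell.exe accepts unambiguous prefixes of -EncodedCommand; -e is the
# shortest one commonly seen in the wild.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


# Constructed sample telemetry (Sysmon-style fields, not real captures).
SAMPLE_EVENTS = [
    ProcEvent("ws-01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -enc SQBFAFgA"),
    ProcEvent("ws-01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("ws-02", r"C:\Program Files\Browser\browser.exe",
              r"C:\Users\bob\Downloads\rmm-agent-setup.exe",
              "rmm-agent-setup.exe /silent"),
    ProcEvent("ws-03", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),  # benign: no encoded command
]


def _base(path):
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of rule names an event triggers (empty if benign)."""
    hits = []
    image = _base(event.image)
    parent = _base(event.parent_image)
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(event.cmdline):
        hits.append("encoded_powershell")
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.append("wmi_spawned_shell")
    if image in RMM_WATCHLIST and "\\downloads\\" in event.image.lower():
        hits.append("rmm_from_downloads")
    return hits


def triage(events):
    """Flatten (rule, host, image basename) tuples for every triggered rule."""
    return [(rule, e.host, _base(e.image)) for e in events for rule in classify(e)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 looks only at the command line and will miss scripts passed via `-File` or `-Command`, and rule 3 is only as good as the watchlist, so both are starting points for tuning against the organization's own baseline rather than finished detections.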

Void Manticore / Handala

Handala (often branded “Handala Hack Team”) surfaced as a pro-Palestinian hacktivist identity in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor. In the current escalation climate, it warrants close monitoring as it is optimized for psychological and reputational disruption: breaking into low-hanging systems, conducting hack-and-leak activity, and timing the publication of stolen material to maximize pressure.

The threat actor’s hack-and-leak activity is primarily focused on Israel, with occasional targeting outside that scope when it serves a specific agenda. Recent observed activities are opportunistic and “quick and dirty,” with a noticeable focus on supply-chain footholds (e.g., IT/service providers) to reach downstream victims, followed by “proof” posts to amplify credibility and intimidate targets. Starting in January, amid nationwide protests and an Iran-wide internet shutdown, Check Point Research observed Handala campaigns originating from Starlink IP ranges and probing externally facing apps for misconfigurations and weak credentials.

Agrius

Agrius (aka Pink Sandstorm / Agonizing Serpens) is an Iranian actor active since 2020, with public reporting linking it to MOIS. It is known for destructive operations in the Middle East, often with an emphasis on Israeli targets. Agrius prioritizes impact: it has conducted disruptive attacks under multiple aliases to cause network-level disruption and to shape narratives through stolen-data leaks, and it was among the earliest Iran-linked actors observed applying this playbook against Israeli and Emirati targets.

Their activity is mostly based on wiper and fake-ransomware operations that mask destructive influence operations as ransomware attacks. As an initial access vector, the group commonly exploits internet-facing web servers, often operating from commercial Israeli VPN infrastructure. They then deploy ASPX webshells and use living-off-the-land techniques (LOLBins) and publicly available tools for reconnaissance and traffic tunneling to maintain access and move laterally. Throughout the 12-day war between Israel and Iran in June 2025, Check Point Research observed Agrius-linked infrastructure actively scanning for vulnerable cameras across Israel, likely to support post-attack visibility and battle-damage assessment (BDA).

Recommendations: Detection and Mitigation

The main Iran-nexus actors follow a similar playbook, which gives defenders an advantage in detecting their activity and effectively reducing the attack surface.

Recommended defensive measures include:

  • Monitor and triage traffic associated with common commercial VPN exit nodes (e.g., Mullvad, NordVPN, PIA, ProtonVPN)
  • Audit internet-exposed assets, including IP cameras, for default credentials and unpatched known vulnerabilities (older CVEs)
  • Enforce phishing-resistant MFA for Google/M365 where possible
  • Treat unsolicited “interview/collaboration/review/meeting” outreach, especially from new personas or lookalike domains, as a likely sign of credential phishing
  • Avoid installing unfamiliar software, particularly anything delivered via email
  • Monitor for anomalous authentication, including suspicious logins and session token replay
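Three of the items in this list (triaging sign-ins from commercial VPN exit nodes, enforcing phishing-resistant MFA, and spotting session token replay) can be checked from the same identity-provider sign-in log. The script below is an added example, not Check Point's code or any vendor's product; the sign-in records and the VPN exit CIDRs are constructed (documentation address ranges), and a real deployment would load the provider lists named above or a threat-intel feed in their place.

```python
"""Sign-in log triage for the recommendations above.

Findings raised (all input data is constructed for this example):
  vpn_exit     - sign-in from a CIDR tagged as a commercial VPN exit range
  no_mfa       - sign-in that completed without phishing-resistant MFA
  token_replay - one session token presented from more than one source IP
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed CIDRs standing in for a commercial VPN exit-node list (hypothetical).
VPN_EXIT_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]


@dataclass(frozen=True)
class SignIn:
    ts: str
    user: str
    src_ip: str
    session_id: str
    mfa: str  # "phishing_resistant", "otp" or "none"


# Constructed sample log: timestamp user source-ip session-id mfa-method
SAMPLE_LOG = """\
2026-03-01T08:02:11Z alice 192.0.2.10 sess-a1 phishing_resistant
2026-03-01T08:40:53Z alice 203.0.113.77 sess-a1 none
2026-03-01T09:15:00Z bob 192.0.2.22 sess-b7 otp
2026-03-01T09:15:42Z bob 198.51.100.9 sess-b9 none
2026-03-01T10:00:05Z carol 192.0.2.31 sess-c3 phishing_resistant
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into SignIn records."""
    events = []
    for line in text.splitlines():
        ts, user, ip, sess, mfa = line.split()
        events.append(SignIn(ts, user, ip, sess, mfa))
    return events


def is_vpn_exit(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EXIT_RANGES)


def triage(events):
    """Return (finding, user, detail) tuples in the order they are raised."""
    findings = []
    session_ips = defaultdict(set)
    session_user = {}
    for e in events:
        session_ips[e.session_id].add(e.src_ip)
        session_user.setdefault(e.session_id, e.user)
        if is_vpn_exit(e.src_ip):
            findings.append(("vpn_exit", e.user, e.src_ip))
        # OTP codes can be phished in real time; only phishing-resistant
        # methods (FIDO2/WebAuthn, certificate-based) satisfy the recommendation.
        if e.mfa != "phishing_resistant":
            findings.append(("no_mfa", e.user, e.src_ip))
    # A session token seen from two different source IPs is the simplest
    # signal that a stolen token is being replayed from attacker infrastructure.
    for sess, ips in session_ips.items():
        if len(ips) > 1:
            findings.append(("token_replay", session_user[sess], sess))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print(finding)
```

The token-replay rule deliberately ignores timing: a token that moves between networks within one session is worth a look even when the two sign-ins are hours apart, because a laptop roaming between home and office produces the same pattern and the analyst, not the script, decides which it is.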

Given the current escalation, prioritizing these measures now can help prevent opportunistic access and contain incidents before they become disruptive or publicly amplified.

Reference: Checkpoint Blog
