Unmasking Iranian Cyber Operations: Threat Actors Target Global Critical Infrastructure
- Actor Motivations: Espionage, Exfiltration, Extortion
- Attack Vectors: Backdoor, Botnet, Dropper, Ransomware, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
Amid escalating geopolitical tensions, Iranian state-aligned and hacktivist threat groups, including MuddyWater, VoidManticore, APT42, APT35, and Infy, are actively pre-positioning infrastructure for cyber operations. By analyzing ASN patterns, TLS fingerprints, and hosting clusters, defenders can proactively track these adversaries. The groups deploy a mix of custom backdoors, public malware, and Cloudflare-fronted C2 servers to obscure their origins. Campaigns utilize spear-phishing, compromised government mailboxes, and modular scripts to target energy, financial, government, defense, and critical infrastructure sectors. Geographically, these operations focus heavily on the U.S., Israel, the MENA region, Oman, and the UAE, alongside targeting Iranian dissidents and global defense personnel.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Defense | Verified |
| Sector | Dissident | Verified |
| Sector | Financial | Verified |
| Sector | Government Agencies and Services | Verified |
| Sector | Energy | Verified |
| Region | Israel | Verified |
| Region | Oman | Verified |
| Region | United Arab Emirates | Verified |
| Region | United States | Verified |
| Region | Middle East Countries | Verified |
Extracted IOCs
Tip: 60 related IOCs (31 IP, 28 domain, 0 URL, 0 email, 1 file hash) to this threat have been found.
Overlaps
Source: Huntress - March 2026
Detection (two cases): 157[.]20.182.49, 162[.]0.230.185
Source: Zscaler - March 2026
Detection (three cases): girlsbags[.]shop, lecturegenieltd[.]pro, web14[.]info
Source: Genians - February 2026
Detection (four cases): 159[.]198.66.153, 159[.]198.68.25, nomercys.it[.]com, stratioai[.]org
Source: Group IB - February 2026
Detection (six cases): 143[.]198.5.41, 159[.]198.43.141, 162[.]0.230.185, 209[.]74.87.100, codefusiontech[.]org, jerusalemsolutions[.]com
Source: CloudSEK - January 2026
Detection (four cases): 159[.]198.66.153, 159[.]198.68.25, nomercys.it[.]com, stratioai[.]org
Source: Seqrite - December 2025
Detection (two cases): 159[.]198.68.25, stratioai[.]org
Source: SafeBreach - December 2025
Detection (one case): 178[.]33.49.126
Source: Group-IB - October 2025
Detection (one case): screenai[.]online
Source: Dream - August 2025
Detection (one case): screenai[.]online
Source: cti grapevine - October 2024
Detection (one case): 135[.]181.203.1
Source: Mandiant - August 2024
Detection (two cases): dreamy-jobs[.]com, wazayif-halima[.]org
Source: Proofpoint - August 2024
Detection (one case): 54[.]39.143.117
Source: Proofpoint - July 2023
Detection (two cases): 144[.]217.129.176, filemanager.theworkpc[.]com
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
FAQs
Iranian State-Aligned Cyber Operations
Cybersecurity researchers have identified and mapped the underlying network infrastructure used by several Iranian-linked threat groups. By analyzing server misconfigurations, domain registrations, and digital certificates, defenders can track these attackers' movements and tools amid rising geopolitical tensions.
These operations are attributed to 19 tracked threat groups linked to Iran, including well-known state-aligned actors like MuddyWater, APT42, APT35, and Dark Scepter. These groups are known for conducting espionage, credential theft, and disruptive attacks.
The primary goal of these operations is to lay the operational groundwork for potential conflict through infrastructure reconnaissance, pre-positioning, and network intrusion. They aim to compromise critical systems to weaken an adversary's response capabilities long before any physical engagement begins.
These threat groups operate on a global scale but maintain a strong focus on adversaries and regional neighbors. Recent campaigns have specifically highlighted widespread operations across the Middle East, North Africa (MENA), the U.S., Israel, and allied regions.
Yes, these actors predominantly target critical sectors including energy, financial services, government networks, and defense-related organizations. Specific campaigns have also targeted senior defense officials, security personnel, and Iranian dissidents.
Attackers gained initial access by tricking victims with fake websites, spoofed messaging apps, or malicious documents. Once inside, they used hidden communication channels—like modified chat apps and disguised servers—to control the compromised systems without being detected.
Organizations in defense, government, and critical infrastructure hold valuable intelligence and control essential services. Compromising these entities allows threat actors to steal sensitive data or disrupt operations during geopolitical conflicts.
Organizations should proactively look for specific patterns in network traffic, such as known bad hosting providers or unusual digital certificates. Additionally, remaining vigilant against targeted phishing attempts on personal messaging apps and email is highly recommended.
While the infrastructure used by these attackers is vast, the campaigns themselves are highly targeted. They focus on specific individuals, organizations, and sectors that align with the strategic interests of the Iranian government.
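The Threat Overview and the FAQ advice above both come down to two defender tasks: pivoting on shared infrastructure attributes (certificate, ASN) to find related servers, and checking egress logs against indicators published in defanged form. The following Python is an added example, not code from the report or from any of the vendors it cites; every IP, ASN, certificate label and log line is constructed (RFC 5737 test addresses), standing in for what a passive-DNS or scan feed would return.

```python
import re
from collections import defaultdict

# Constructed infrastructure records (not from the report). "cert" is a label
# for a TLS certificate fingerprint, "asn" the hosting network, as an
# internet-scan feed would return them for each indicator.
RECORDS = [
    {"ioc": "192[.]0.2.10", "asn": "AS64500", "cert": "cert-A"},
    {"ioc": "192[.]0.2.11", "asn": "AS64500", "cert": "cert-A"},
    {"ioc": "198[.]51.100.7", "asn": "AS64500", "cert": "cert-B"},
    {"ioc": "203[.]0.113.5", "asn": "AS64501", "cert": "cert-A"},
    {"ioc": "example-jobs[.]test", "asn": "AS64502", "cert": "cert-C"},
]

# Constructed proxy log excerpt in a simple key=value layout.
LOG_LINES = [
    "2026-03-02T10:14:03Z host=ws-17 dst=192.0.2.10:443 sni=example-jobs.test",
    "2026-03-02T10:14:09Z host=ws-17 dst=93.184.216.34:443 sni=example.com",
    "2026-03-02T10:15:41Z host=ws-22 dst=203.0.113.5:8443 sni=-",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator (157[.]20.182.49, hxxp://...) into a usable value."""
    return re.sub(r"\[\.\]", ".", ioc).replace("hxxp", "http")

def cluster(records, key):
    """Group indicators sharing one pivot attribute; singletons are not a cluster."""
    groups = defaultdict(set)
    for r in records:
        groups[r[key]].add(refang(r["ioc"]))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def infra_clusters(records):
    """Pivot on certificate first (strongest link), then on ASN (weaker, hosting-level)."""
    return {"cert": cluster(records, "cert"), "asn": cluster(records, "asn")}

def match_logs(lines, records):
    """Return hosts whose destination IP or TLS SNI hits a refanged indicator."""
    watch = {refang(r["ioc"]) for r in records}
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        dst_ip = fields["dst"].rsplit(":", 1)[0]
        if dst_ip in watch or fields.get("sni") in watch:
            hits.append(fields["host"])
    return hits
```

A certificate shared across two ASNs (cert-A above) is the stronger signal that the servers belong to one operator; an ASN match alone only says they rent from the same provider.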