
Decoding the Strategic Quiet of Iranian Cyber Groups


Team Shieldworkz

4 March 2026

The role of Iranian threat actors has been more or less muted in the ongoing conflict, and there are reasons for that. While some attribute this lull to a lack of internet connectivity, the real explanation merits a deeper understanding of Iran’s strategic posture across the physical world and in cyberspace. Today’s blogpost takes a more nuanced look at what Iranian threat actors are up to and the measures enterprises can take to protect themselves.

Before we move forward, don’t forget to check out our previous post on How the Iran crisis is impacting cyber space, here.

Let’s first address a couple of myths.

Myth one: The Iranian cyber chain of command has broken down due to lack of communication.

Just like its counterpart in the armed forces, Iran’s cyber threat wings operate via a mosaic model. This means that teams have a certain level of functional autonomy and operate through a tiered leadership structure. In addition, the members of Iranian APT groups are spread across the country and follow operational playbooks that define actions to be taken when connectivity fails. Iranian cyber teams were well aware of the possibility of connectivity failure impacting operations during a war and they have gamed this very scenario into their operational resilience models.

It is very apparent to anyone who knows a bit about war-like situations that connectivity is never taken for granted.

Myth two: The overall capability of Iranian threat actors has been degraded due to structural attrition.

Yes, there has been some impact, but to write them off or to assume that their operations will now cease would be a mistake.

Operation Epic Fury has effectively severed command-and-control, degraded operational infrastructure, and eliminated key senior leaders who oversaw cyber operations. This has led many to assume that Iranian APT groups are now operationally isolated and are not in a position to launch operations on their own. However, considering the redundancies Iran has built into its leadership apparatus, the ongoing lull is more likely temporary as teams absorb the impact of Operation Epic Fury.

Iran has experienced leadership elimination before and therefore knows the importance of having structures that enable operational continuity. This is why we have been able to observe MuddyWater operating in slots, through probes across the Middle East region, over the last 3 days.

One also has to understand that Iranian actors have been active for over a decade now. We have seen their IOCs pop up in the least expected places. These are fairly mature threat actors, and to assume they lack the ability to respond autonomously would be an overextension of the available knowledge and evidence.

Known Iranian APT actors and their current operational status

The following table summarizes the principal Iranian APT groups and our assessment of their operational status at the time of writing, based on our analysis and research.  

| APT / Group | Sponsor | Primary Mandate | Current Status (Mar 2026) |
| --- | --- | --- | --- |
| APT33 (Refined Kitten) | IRGC | Destructive malware, critical infrastructure sabotage, prolonged recon | Periodic signals detected. Group is monitoring cyber space and possible targets of interest. |
| APT34 / OilRig | MOIS | Espionage, data and credential theft, long-dwell access | Active; recon activity detected at usual levels |
| APT35 / Charming Kitten | IRGC-IO | Spear-phishing, social engineering, DDoS, credential harvest | Active in slots. Volume of phishing mails has come down |
| APT42 | IRGC-IO | Targeted surveillance of various persons of interest | Active |
| MuddyWater | MOIS | Core group; espionage against regional govts, critical infrastructure, telecoms, energy | Partially active; the group appears to have received a renewed mandate from its handlers or senior leadership, resulting in a recalibration and reactivation of operations |
| Cotton Sandstorm (ASA) | IRGC | Influence ops, hack-and-leak, IO amplification; operates in association with MuddyWater to expand the intelligence gathered from hacking operations | Active |
| Cyber Av3ngers / IRGC-CEC | IRGC-CEC | ICS/OT attacks, PLC exploitation, DDoS and possible involvement with botfarms | Operations have been scaled down; low-sophistication proxy DDoS observed; no major ICS ops confirmed |

Why the silence?

The absence of large-scale confirmed attacks does not mean the battlefield is empty. Iranian APT groups had established long-term footholds in Middle Eastern critical infrastructure via credential theft and VPN compromise since early 2025. These pre-positioned implants are passive: they beacon, they persist and they still provide Iranian APT groups an opportunity to exploit.

When a nation-state cyber apparatus sustains the level of damage Iran has experienced, operators often shift from offensive to pause/defensive mode. They are said to be focusing on preserving what remains: protecting surviving infrastructure, identifying which tools and footholds have been burned by the adversary, rotating command infrastructure, and assessing damage. This is said to be consistent with historical precedent. Some threat analysts are drawing a parallel to the immediate aftermath of the Stuxnet incident in the last decade, in which Iranian cyber actors went through an extended period of internal auditing, regrouping, playbook revisions and infrastructure rebuilding before emerging with more sophisticated campaigns.

While this could be one of the reasons, we have to understand that Iran has invested significantly in building resilience. While analysts are happy to endorse the mosaic model for the Iranian armed forces, some analysts are not willing to extrapolate this line of thinking to Iranian threat actors. Iranian APT groups have been an integral part of Iranian statecraft for a while now, and they will have figured out ways to wriggle out of such situations on all fronts.

The lull in operations could be because of any of these reasons:

• The groups have received a fresh mandate and are in the process of operationalizing that mandate. This mandate may have been issued relatively late, following the onset of hostilities.

• The identities (of threat actors), nodes and tools may be kept silent to avoid attracting any unwanted attention from adversaries and to preserve the strike capability

• Sophisticated campaigns are being planned against new targets

• The groups are in a wait and watch mode to strike at the right time

• Tasks assigned to group leaders who perished in the strikes are being reassigned

• Iran wants to focus on destruction in the kinetic domain and has its hands full

Some or most of the elements of Iranian Threat Actor groups have survived the strikes so far, as is evident from the periodic recon attacks that are being logged globally. These groups have also retained several affiliates present outside the geographic borders of Iran. These groups represent the final operational layer within the broader Iranian threat actor ecosystem.

Trajectory: What comes next

The current lull will not hold indefinitely. Iran's cyber capabilities took a while to build and will not be permanently destroyed by a single round of strikes, however devastating. Historical precedent, from post-Stuxnet reconstitution to post-Suleimani adaptation, shows that Iranian cyber actors recover, adapt, and often emerge more sophisticated. We expect the trajectory to evolve in phases:

| Timeframe | Expected threat activity | Priority sectors at risk |
| --- | --- | --- |
| From now to 4 weeks | Hacktivist DDoS, defacements, large-scale influence ops via proxy (and affiliate) groups on social media; Iranian internet restoration efforts; reconnaissance by external APT cells. Some of the previous breaches where long-term malware has been deployed could be reactivated | Civilian infra across the Middle East, U.S. financial sector, GCC government portals, global shipping, oil and gas assets in the Strait of Hormuz |
| 1 to 3 months | Structured APT reactivation as connectivity is restored; credential-harvesting campaigns resume; possible wiper malware deployment against high-value Israeli/U.S. targets; supply chain probing | Energy, defense contractors, telecoms, Israeli healthcare, U.S. water utilities, ports and supply chains |
| 3 to 9 months | Full IRGC/MOIS cyber reassertion; reconstructed C2 infrastructure under new cover identities; expanded targeting of Western critical infrastructure for strategic signalling; escalated OT/ICS threat | U.S./EU critical infrastructure, GCC financial systems, Western defense industrial base, critical infrastructure in neutral countries |
| Beyond 9 months | Rebuilt cadre with hardened, distributed infrastructure; lessons learned from disruption absorbed; potential pre-positioning in previously untargeted geographies to avoid attribution; launch of more complex and sophisticated campaigns | Long-dwell espionage in NATO members, periodic strikes to establish credible presence, targeting of the energy sector globally along with political targets |

Likely near-term attack vectors

Based on current OSINT, the following attack vectors carry the highest near-term probability, ordered by likelihood and readiness of threat actors to deploy:

• Spear-phishing and credential theft: APT35 / Charming Kitten and Educated Manticore (IRGC-IO-aligned) will continue to scale operations and register a major attack to grab attention

• DDoS and defacement by hacktivist proxies: The Electronic Operations Room, Handala Hack, Cyber Fattah, and affiliated groups will continue high-volume, low-sophistication operations. These generate headlines but rarely cross the threshold of significant disruption.

• Pre-positioned malware activation: The highest-risk near-term scenario. If Iranian handlers restore communications and decide to activate pre-placed implants in energy or water infrastructure, the impact could be significant and rapid. Defenders in these sectors should prioritize threat hunting immediately.

• ICS/OT targeting via exposed internet-facing assets: IRGC-CEC-affiliated actors have historically exploited default credentials on PLCs and HMIs. A joint DoD/CISA advisory from June 2025 documented this TTP explicitly. Organizations using Israeli-manufactured industrial control equipment worldwide carry elevated risk.


CRITICAL RISK

Organizations in energy, water, financial services, and defense supply chains should treat the current quiet period as a window to hunt for pre-positioned Iranian APT footholds, not as a signal of reduced threat.


Defensive recommendations for organizations

Given current threat dynamics, organizations, especially those in critical infrastructure, financial services, defense supply chains, and any entity with business ties to Israel or the United States, should take the following actions immediately:

Immediate actions (0–30 Days)

• Threat hunt for known Iranian APT IOCs and TTPs using published indicators. Assume pre-positioned access may exist in high-value environments.

• Audit all internet-facing assets, VPN appliances, and remote access gateways for unauthorized accounts, configuration changes, and signs of credential compromise. Patch urgently against known Iranian-exploited CVEs.

• Enforce phishing-resistant MFA across all Google, Microsoft 365, and enterprise SSO accounts. APT35/Charming Kitten has made credential harvesting via fake login pages its primary initial access vector.

• Suspend or closely monitor commercial VPN exit node traffic. This is where you may see activity of interest.

• Ensure at least one copy of critical data is stored offline (air-gapped) to mitigate against wiper malware deployment.
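As an added illustration of the audit and VPN-monitoring steps above (example code written for this post, not Shieldworkz tooling), the Python below runs three checks over constructed remote-access gateway log lines: successful logins by accounts outside an approved baseline, logins from address ranges assumed to be commercial VPN exit nodes, and successes preceded by repeated failures from the same source. The log format, the account baseline and the exit-node ranges are all placeholders chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample of remote-access gateway auth events (placeholder data, not real logs).
SAMPLE_LOGS = """\
2026-03-02T08:11:02Z vpn-gw01 auth user=jsmith src=203.0.113.17 result=success
2026-03-02T08:14:45Z vpn-gw01 auth user=svc-backup src=198.51.100.9 result=success
2026-03-02T09:02:31Z vpn-gw01 auth user=support_tmp src=198.51.100.44 result=success
2026-03-02T11:20:05Z vpn-gw01 auth user=jsmith src=192.0.2.88 result=failure
2026-03-02T11:20:09Z vpn-gw01 auth user=jsmith src=192.0.2.88 result=failure
2026-03-02T11:20:13Z vpn-gw01 auth user=jsmith src=192.0.2.88 result=success
"""
# Assumed baseline of sanctioned gateway accounts (an IAM export in practice).
APPROVED_ACCOUNTS = {"jsmith", "svc-backup"}
# Placeholder ranges standing in for a commercial VPN exit-node feed (constructed).
VPN_EXIT_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# A success preceded by this many failures from the same source is flagged.
FAILURE_THRESHOLD = 2
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<kv>.*)$")

def parse_event(line):
    # Turn one 'key=value' gateway auth line into a dict, or None if unparseable.
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields.update(ts=m.group("ts"), host=m.group("host"))
    return fields

def is_vpn_exit(ip):
    # True when the source address falls inside a known commercial VPN exit range.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EXIT_RANGES)

def audit(log_text):
    """Return (finding, user, detail) tuples for unauthorized accounts and risky logins."""
    findings, failures = [], defaultdict(int)  # failures: (user, src) -> failed attempts
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev.get("result") != "success":
            failures[key] += 1
            continue
        if ev["user"] not in APPROVED_ACCOUNTS:  # outside the baseline, e.g. a planted account
            findings.append(("login_unapproved_account", ev["user"], ev["ts"]))
        if is_vpn_exit(ev["src"]):
            findings.append(("login_from_vpn_exit", ev["user"], ev["src"]))
        if failures.pop(key, 0) >= FAILURE_THRESHOLD:
            findings.append(("success_after_failures", ev["user"], ev["src"]))
    return findings
```

Each finding is a reason to pull the account and session for review, not a verdict on its own; the baseline and exit-node feed are what make the checks meaningful in a real environment.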

Medium-term actions (30–90 Days)

• Define and rehearse escalation playbooks consistent with CISA's "Shields Up" guidance. Include specific criteria for heightened monitoring posture, change freezes, and staff augmentation.

• Implement conditional access and session controls to mitigate adversary-in-the-middle (AiTM) and token-theft attacks, which remain a core Iranian APT initial access technique.

• For OT/ICS environments: verify no factory-default credentials remain on PLCs, HMIs, or SCADA interfaces. Segment industrial networks from corporate IT and disable non-essential internet-facing services.

• Continuously align with DHS, ENISA, NCSC, and sector-specific ISAC advisories. Integrate updated IOCs and TTP signatures into SIEM detection engineering on a rolling basis.

The reduced visibility of Iranian state-sponsored APT activity in the wake of Operation Roaring Lion and Operation Epic Fury is real, but it is situational and temporary. The causes are structural: connectivity loss of 96 percent or more inside Iran, decapitation of senior IRGC and MOIS leadership, the shift to wait and watch mode, and the strategic value of not burning remaining pre-positioned access prematurely. The proxy hacktivist layer is quickly filling the gap with noise, but not with the destructive, dwell-heavy campaigns that have come to define Iran's APT tradecraft.

Iran has rebuilt from strategic setbacks before. Post-Stuxnet, it emerged with capabilities that took Saudi Aramco offline, crippled Sands Casino, and targeted U.S. financial infrastructure with sustained DDoS campaigns. Post-Suleimani assassination, its cyber actors adapted, expanded their targeting surface, and built relationships with ransomware ecosystems for additional revenue and deniability. There is no reason to expect a different outcome this time.

The window between now and Iran's cyber reconstitution is not a ceasefire. It is a finite and precious opportunity for defenders to hunt, harden, and prepare for the future. Organizations that treat this period as a return to normalcy will find themselves underprepared when the signal returns louder and more sophisticated than ever before. At that point, time may no longer be a forgiving factor.


CLOSING ASSESSMENT

Defenders who read silence as safety are making a category error. The Iranian APT ecosystem is not defeated — it is reorganizing. The question is not whether it reconstitutes, but how long that takes and how prepared defenders are when it does.

Book a free consultation on security posture, threat intelligence management, infrastructure monitoring, OT security and IEC 62443 compliance, here.

Additional resources
Cyber threat advisory on the Iran crisis.

IEC 62443-Based Zoning Implementation and Validation Checklist

NERC CIP-015-1 Compliance Checklist and KPI Tracker

State of OT Security: Common ICS/SCADA/PLC Ports exposed to the Internet
