
How the Iran crisis is impacting cyber space


Team Shieldworkz
3 March 2026
Operation Epic Fury has triggered a slow yet persistent response from Iranian threat actors such as Charming Kitten, MuddyWater, OilRig, Agrius and Cotton Sandstorm. All of these groups are active at the time of writing, and the slow, gradual rise in their operational tempo since the crisis began says more about the operational goals of Iranian cyber threat entities than what has been discussed across the web.
Iranian APT groups have become increasingly aggressive and adaptive in the last few weeks (they were possibly on standby). Their operations are no longer limited to defacements, opportunistic phishing or attacks on insignificant targets. Instead, they are now tightly integrated into Tehran's geopolitical playbook, serving as an additional layer of offensive posturing as well as defensive deterrence. Here is a structured analysis of their activities, tradecraft, and implications for regional businesses, especially operators of operational technology (OT) environments.
Before we move forward, don’t forget to check out our previous blog post on “Cyber threats in the Middle East: What organizations need to know right now” here.
Iranian APT Groups: Escalation since the crisis
On February 28, 2026, the United States and Israel launched coordinated strikes under Operation Epic Fury / Roaring Lion, triggering what could be referred to as the most complex convergence of kinetic warfare and cyber operations the Middle East region has ever witnessed.
The Architecture of Iranian Cyber Power
Iran's cyber army is architected in a unique way. Unlike its counterparts in Russia and China, which are operationally managed exclusively by state entities, Iranian APT groups have a redundant leadership layer that is activated in times of conflict or emergency. In such situations this layer, a mix of veteran state-backed hackers and former intelligence agents, provides transitional leadership to ensure operational continuity.
After nearly a decade-and-a-half of sustained investments and learning, Iran now has a mature, dual-track cyber capability that comprises a state-sponsored APT tier controlled by the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), and an expanding ecosystem of hacktivist proxies or affiliates that provide operational scale, targeting options and plausible deniability simultaneously.
Such a distinction matters enormously for defenders. The IRGC runs groups that are fundamentally oriented toward sabotage, critical infrastructure access, network manipulation and psychological operations. MOIS serves as the collector of intelligence for the state intelligence apparatus. Both actor clusters share tooling, infrastructure, and in some cases even targets. When you hear about MuddyWater establishing initial access at a regional energy entity, there is a documented pattern of OilRig following behind to conduct sustained exfiltration or to cover its tracks.
Threat actor profiles: The active players
As of this writing, the following groups represent the most operationally active and tactically relevant actors in the current crisis environment:
OilRig (APT34) aka Helix Kitten / Earth Simnavaz / Cobalt Gypsy
Affiliation: MOIS
Iran's most persistent espionage arm. Active since 2014, OilRig targets energy, government, and financial sectors across the Middle East with a long-dwell, intelligence-collection mandate. By 2025, the group had shifted significantly into cloud-native attack paths, using compromised Microsoft 365 accounts and Azure persistence mechanisms to maintain access. Their tooling now includes four new custom downloaders, viz. OilBooster, OilCheck, ODAgent, and SC5k, all of which use legitimate Microsoft cloud APIs (OneDrive, Graph, Exchange EWS) as covert C2 channels. The deliberate abuse of trusted cloud services makes detection extraordinarily difficult without behavioral analytics.
MuddyWater
Affiliation: MOIS
The most operationally active Iranian group in the current crisis window. Their TTPs blend living-off-the-land (LOtL) techniques (PowerShell, RDP abuse, Mimikatz) with legitimate tools such as SimpleHelp and Atera RMM for persistent remote access. The Aclip backdoor, which abuses the Slack API for C2, shows their willingness to weaponize trusted SaaS platforms.
APT42 / Charming Kitten aka TA453 / Mint Sandstorm / Educated Manticore
Affiliation: IRGC-IO
The human intelligence collection machine. APT42 doesn't go broad — it goes deep. Journalists, researchers, policy experts, academics, and diaspora activists are targeted through months-long relationship cultivation before any technical intrusion occurs. Check Point Research observed multi-channel social engineering campaigns leveraging messaging apps to funnel targets into credential-harvesting kits. In the current environment, this group is actively targeting individuals with privileged access: journalists covering the conflict, analysts at defense contractors, and anyone with proximity to decision-makers.
CyberAv3ngers aka Shahid Kaveh / IRGC Cyber Electronic Command
Affiliation: IRGC-IO
The OT specialist. CyberAv3ngers represents Iran's most direct capability against industrial control systems. Previously linked to attacks against Unitronics PLCs at U.S. water utilities, they have recently re-used C2 infrastructure associated with the IOCONTROL malware framework — a custom OT-focused tool designed to interact with PLCs, HMIs, and SCADA components. Flashpoint intelligence documents claimed breaches of a Jordanian grain silo company, including alleged manipulation of temperature controls and weighing systems. Whether fully realized or partly fabricated, the targeting intent against OT is unmistakable.
Cotton Sandstorm aka Haywire Kitten / Emennet Pasargad / MarnanBridge
Affiliation: IRGC-affiliated
The fast-reaction influence operator. Cotton Sandstorm's playbook combines website defacement, DDoS, email hijacking, and data theft with immediate information operation amplification. Their custom infostealer WezRat is delivered through spearphishing campaigns masquerading as urgent software updates. In some Israeli-targeting cases, intrusions were followed by deployment of WhiteLock ransomware. This group moves fast — it is designed for tempo, not stealth.
Evil33
Affiliation: Hacktivist proxy (MOIS-linked)
Formed on February 28, 2026, just hours after the first strikes, Evil33 serves as a coordination hub for pro-Iranian hacktivist cells. This group, linked to MOIS, blends data exfiltration with operational targeting of Israeli energy, manufacturing, defense, and healthcare organizations. Analysis of Telegram messages across 150 groups shows attack timing synchronized with kinetic events on the ground. We can say with a fairly high level of confidence that this is not spontaneous activism.
Tactics, Techniques and Procedures
Iranian APT TTPs have evolved considerably and become more sophisticated since the Shamoon era. The shift is now toward cloud abuse, LOtL techniques, and AI-assisted operations. Such tactics represent a deliberate adaptation to modern defensive environments while increasing the chances of success.
Initial access (MITRE TA0001)
| TECHNIQUE | ACTOR | DETAILS | MITRE ID |
|---|---|---|---|
| Spearphishing with credential harvesting | APT42, MuddyWater, APT34 | Fake login pages mimicking Microsoft 365, Google Workspace, VPN portals. Multi-step trust-building before payload delivery. | T1566.002 |
| VPN / Edge device exploitation | Fox Kitten, APT33 | Exploitation of known CVEs in Pulse Secure, Fortinet, Citrix, and Palo Alto GlobalProtect. SSH tunneling for persistence post-access. | T1190 |
| Social engineering via professional platforms | APT42, Tortoiseshell | Fake recruiter personas on LinkedIn, fake interview invitations, months-long relationship cultivation before delivering malware-laced files. | T1566.003 |
| Watering hole attacks | APT35, APT39 | Compromising websites frequented by target demographics (policy institutes, diaspora news sites, academic portals). | T1189 |
Persistence and command and control (MITRE TA0003 / TA0011)
| TECHNIQUE | ACTOR | DETAILS | MITRE ID |
|---|---|---|---|
| Legitimate cloud services as C2 | OilRig, MuddyWater | Microsoft OneDrive, Graph API, Exchange EWS API, Slack API used for covert C2 and data exfiltration. Effectively blends into legitimate traffic baselines. | T1102, T1567 |
| Commercial RMM tools for persistence | MuddyWater | Abuse of SimpleHelp, Atera, and ScreenConnect for persistent remote access. Near-impossible to block without policy controls. | T1219 |
| Web shell deployment | OilRig, MuddyWater | Web shells installed on internet-facing Exchange and IIS servers as secondary ingress points after initial compromise. | T1505.003 |
| DNS tunneling | OilRig | Custom payloads use DNS queries for C2 communication, bypassing many perimeter controls. | T1071.004 |
The toolkit
| TOOL / MALWARE | ACTOR | CAPABILITY | MITRE ID |
|---|---|---|---|
| Shamoon / MeteorExpress | APT33-linked | Destructive disk wiper. MeteorExpress added volume shadow deletion and Active Directory abuse. Still the reference architecture for Iranian wiper development. | T1485 |
| WezRat | Cotton Sandstorm | Custom modular infostealer delivered as fake software updates. Keylogging, screenshot capture, credential harvest, clipboard monitoring. | T1056, T1113 |
| IOCONTROL | CyberAv3ngers | Modular OT-focused malware designed to interact with PLCs, HMIs, SCADA systems. Communicates via MQTT over TLS. Previously deployed against Unitronics PLCs. | T0831, T0836 |
| WhiteLock Ransomware | Cotton Sandstorm | Deployed post-WezRat compromise against Israeli targets. Primarily a destructive/coercive tool rather than financially-motivated ransomware. | T1486 |
| PowGoop / Thanos variants | MuddyWater | Backdoor loader using PowerShell obfuscation. Thanos variant used as pseudo-ransomware for destructive effect with deniability. | T1059.001 |
| Foudre + Tonnerre | Infy (Prince of Persia) | Long-lived surveillance implant pair. Tonnerre v50 detected September 2025. Targets Telegram on compromised hosts. | T1204.002 |
Multiple investigations have confirmed that CyberAv3ngers uses GPT models specifically for conducting PLC research, querying programmable logic controller documentation, attack surfaces, and firmware vulnerabilities. AI is actively accelerating the pace at which less technically sophisticated operators can develop OT-capable intrusion capabilities. The democratization of ICS attack research is a structural shift, not a temporary trend.
Specific advisory for OT/ICS operators
Iran has a demonstrated, active, and now operationally committed interest in attacking operational technology across levels and countries. This is not an aspirational capability. The Shamoon campaigns against Saudi Aramco (2012, 2017) destroyed 35,000 workstations. The TRITON/TRISIS attack against a Saudi petrochemical facility targeted Safety Instrumented Systems specifically to cause physical damage. CyberAv3ngers have disrupted water treatment operations in the United States in the past.
The current threat environment adds several new dimensions to this established pattern. Agrius-linked infrastructure was observed actively scanning for vulnerable IP cameras across Israel during the June 2025 conflict. This was likely for post-attack battle damage assessment (BDA). Cameras at energy facilities, physical security systems, substations, and port infrastructure were in scope. This is reconnaissance behavior with a physical targeting intent.
Mitigation measures
Immediate actions
· Audit all internet-facing assets including VPNs, firewalls, Exchange/OWA, RDP gateways and apply patches for all critical CVEs
· Bring more user privileges under an approve-and-deploy model, so that elevated rights are granted only on explicit approval
· Enforce phishing-resistant MFA (FIDO2/hardware keys) on all M365, Google Workspace, and VPN accounts. SMS-based MFA is insufficient
· Review and restrict RMM tool access. Block or require explicit authorization for all remote management sessions
· Pull M365 audit logs and look for anomalous OAuth application grants, Graph API calls, and EWS access
· Stand up or review DDoS mitigation coverage for all public-facing web properties and operational portals
Short term measures
· If running Unitronics Vision or UniStream PLCs, immediately audit for unexpected network connections and firmware integrity. Check for MQTT traffic on port 8883 to external IPs
· Verify and validate OT/IT network segmentation — confirm Purdue model segmentation is actually enforced, not just documented
· Disable remote access to any OT system not operationally required
· Conduct a rapid inspection of IP cameras, HMIs, and network-connected safety systems for default credentials and open ports
· Brief field operators on social engineering awareness. That job offer may be a trap
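As an added example (not from the original post), the MQTT egress check above applied to a constructed, Zeek conn.log-style export: it flags TCP flows on the MQTT ports (1883 plaintext, 8883 over TLS) that leave an assumed OT address range (10.20.0.0/16) for any non-RFC 1918 destination.

```python
import ipaddress

# Constructed sample in a Zeek conn.log-like shape: "ts src dst dport proto".
# Addresses and timestamps are made up for illustration.
SAMPLE_CONN_LOG = """\
1772500000.1 10.20.1.15 10.20.1.1 502 tcp
1772500001.4 10.20.1.15 10.20.9.3 8883 tcp
1772500002.9 10.20.1.22 203.0.113.45 8883 tcp
1772500003.2 10.20.1.22 198.51.100.7 443 tcp
1772500004.7 10.20.2.5 192.0.2.9 1883 tcp
1772500005.0 10.50.3.8 203.0.113.45 8883 tcp
"""

# Assumed OT address space (Purdue levels 0-3) that must never reach the Internet directly.
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# RFC 1918 plus loopback and link-local; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
MQTT_PORTS = {1883, 8883}   # plaintext MQTT and MQTT over TLS

def in_nets(ip, nets):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def parse_conn_log(text):
    """Yield (src, dst, dport, proto) tuples from the constructed log format."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip malformed or header lines
        _ts, src, dst, dport, proto = fields
        yield src, dst, int(dport), proto

def find_mqtt_egress(text):
    """Return (src, dst, dport) for MQTT-port TCP flows from OT hosts to external IPs."""
    hits = []
    for src, dst, dport, proto in parse_conn_log(text):
        if proto != "tcp" or dport not in MQTT_PORTS:
            continue
        if in_nets(src, OT_NETS) and not in_nets(dst, INTERNAL_NETS):
            hits.append((src, dst, dport))
    return hits

if __name__ == "__main__":
    for src, dst, dport in find_mqtt_egress(SAMPLE_CONN_LOG):
        print(f"ALERT: OT host {src} -> external {dst}:{dport} (MQTT egress)")
```

The on-site broker flow and the IT-zone host are deliberately left out of the alerts; only OT-originated MQTT leaving internal address space is reported.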
What to look out for
· Spike in DNS queries to unfamiliar domains (a sign of OilRig-style DNS tunneling). Implement DNS logging and anomaly detection
· Unusual PowerShell execution, especially encoded (Base64) commands. Enable Script Block Logging and AMSI
· Unexpected outbound connections to OneDrive, SharePoint, or Exchange from non-standard processes
· New local admin accounts or service accounts created outside change management windows
· Telegram API calls from workstations and servers
· Volume shadow copy deletion or disk enumeration at abnormal hours — precursor to wiper deployment
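To show what the DNS anomaly detection in the list above can look like, here is an added example (not from the original post) that runs a DNS tunneling heuristic over a constructed query log: per client and registered domain, it counts distinct subdomains and flags many long, high-entropy labels, the pattern that encoded C2 data over DNS produces. The log format, thresholds and the domain updates-cdn.net are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log, one query per line: "<client> <qtype> <qname>".
# Names and addresses are made up; updates-cdn.net plays the tunneling domain.
SAMPLE_DNS_LOG = """\
10.1.4.20 A www.example-corp.com
10.1.4.20 A mail.example-corp.com
10.1.4.31 A www.example-corp.com
10.1.4.31 TXT 0123456789abcdef0123456789abcdef.updates-cdn.net
10.1.4.31 TXT fedcba9876543210fedcba9876543210.updates-cdn.net
10.1.4.31 TXT 13579bdf02468ace13579bdf02468ace.updates-cdn.net
10.1.4.31 TXT 02468ace13579bdf02468ace13579bdf.updates-cdn.net
10.1.4.31 TXT 89abcdef0123456789abcdef01234567.updates-cdn.net
"""

def shannon_entropy(s):
    """Bits per character; hex-encoded data approaches 4.0, ordinary hostnames sit far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname):
    """Naive split into (subdomain, registered domain) on the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunneling_candidates(log_text, min_unique=4, min_avg_len=24, min_entropy=3.5):
    """Per (client, domain): flag many distinct, long, high-entropy subdomains."""
    subs = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        client, _qtype, qname = parts
        sub, domain = split_name(qname)
        if sub:
            subs[(client, domain)].add(sub)
    hits = []
    for (client, domain), names in subs.items():
        if len(names) < min_unique:
            continue
        avg_len = sum(len(s) for s in names) / len(names)
        avg_ent = sum(shannon_entropy(s) for s in names) / len(names)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            hits.append((client, domain, len(names)))
    return hits

if __name__ == "__main__":
    for client, domain, n in find_tunneling_candidates(SAMPLE_DNS_LOG):
        print(f"ALERT: {client} issued {n} distinct high-entropy subdomain queries to {domain}")
```

Tune the thresholds against your own baseline first: CDNs and some security products also generate long subdomains, so a per-domain allowlist belongs in front of this check in production.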
Other recommendations
· Run an interim risk assessment on your infrastructure covering controls and governance
· Subscribe to a threat intelligence feed covering Iranian APT IOCs
· Run an incident response exercise simulating a MuddyWater intrusion reaching your OT network, and test your responses and their efficiency
· Ensure your incident response plan explicitly covers destructive malware (wiper) scenarios
· Work with your OEM/suppliers to strengthen supply chain security
· Keep an eye on leaks in the Dark Web and prepare your communications team for potential hack-and-leak operations
It has to be noted that Iran frequently exaggerates the impact of its cyberattacks for psychological effect. But that should not deter you from elevating your security levels. At the same time, do not dismiss DDoS and defacement as 'low impact.' Such attacks could be the start of a larger campaign that may well involve OT systems and prolonged recovery. The best option available is to get your defenses in order and be prepared.
Additional resources
Cyber threat advisory on the Iran crisis.
IEC 62443-Based Zoning Implementation and Validation Checklist
NERC CIP-015-1 Compliance Checklist and KPI Tracker
State of OT Security: Common ICS/SCADA/PLC Ports exposed to the Internet