
Mapping Iran’s hacking threats
From espionage to destructive wipers, a network of state-aligned actors expands the cyber front of the current crisis.
As tensions with Iran reach a peak, the confrontation is not confined to missiles, militias or diplomatic maneuvering. A parallel campaign is unfolding in cyberspace, one that security researchers say is likely to intensify and broaden well beyond the immediate battlefield.
According to analysis from Check Point Research, Iran’s cyber ecosystem is operating through a layered network of state-aligned units, intelligence services, deniable operators and “hacktivist” personas. Together, these actors pursue a blended strategy of espionage, disruption and influence operations, often in rapid response to regional events.
Unlike previous escalations, researchers warn that the potential target set may now extend far beyond Israel.
“Unlike previous escalations, in which activity was primarily concentrated on Israel, we are now seeing the potential for an expansion of target scope, including the United States and Gulf states, particularly the United Arab Emirates,” said Sergey Shykevich, group manager at Check Point Research.
The ecosystem he describes includes entities aligned with Iran’s Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), along with clusters that operate under pseudonyms or revived online identities. Their methods combine conventional cyber intrusion with narrative warfare, pairing data theft or network disruption with coordinated amplification campaigns.
The result, researchers say, is a confrontation no longer bounded by geography.
“The Iranian ecosystem operates through a multi-layered model in which espionage, disruption, and influence operations are integrated,” Shykevich said. “The confrontation in cyberspace is no longer confined to a specific geographic boundary, but is unfolding across a broader international arena.”
Among the most prominent actors identified in the current environment is Cotton Sandstorm, also known as Emennet Pasargad and Aria Sepehr Ayandehsazan, and tracked by others as MarnanBridge or Haywire Kitten. Affiliated with the IRGC, the group is known for “fast-reaction” campaigns that escalate alongside real-world events.
Its operations blend website defacements, distributed denial-of-service (DDoS) attacks, account hijacking and data theft, followed by “hack-and-leak” dissemination using fake personas and impersonation to shape public narratives.
In recent years, Cotton Sandstorm’s activity has expanded beyond Israel. Researchers cite unauthorized access to a U.S.-based IPTV streaming company, used to broadcast AI-generated messages related to the Gaza war, largely affecting viewers in the United Arab Emirates. The group has also repeatedly targeted Bahraini government entities and infrastructure, framing its operations with anti-monarchy messaging tied to regional normalization agreements.
In the months preceding the current crisis, Check Point observed the group using a consistent malware toolset, including WezRat, a modular infostealer delivered through spear-phishing emails disguised as urgent software updates. In some Israeli cases, intrusions were followed by deployment of WhiteLock ransomware. Researchers caution there is little technical barrier to expanding such operations to other countries.
Within a day of the current conflict’s escalation, Cotton Sandstorm revived “Altoufan Team,” a dormant persona previously focused on Bahrain, signaling what researchers describe as a reactive and opportunistic posture.
Another cluster, Educated Manticore, aligned with the IRGC Intelligence Organization and overlapping with activity attributed to APT35/APT42, focuses on high-trust impersonation.
Rather than pursuing broad disruption, this group seeks relationship-based access. Its targets often include journalists, researchers, academics and foreign-based critics of the Iranian regime, individuals whose email accounts or shared drives may provide proximity to decision-makers.
Recent campaigns have involved spear-phishing and multi-channel social engineering, including messaging apps that direct targets to credential-harvesting sites disguised as WhatsApp, Microsoft Teams or Google Meet. In some cases, researchers say, the campaigns have enabled surveillance capabilities, including access to location data.
As tensions escalate, this strategy carries particular risk: infiltration at the level of trusted intermediaries can yield intelligence far beyond the initial compromise.
MuddyWater, also known as Mango Sandstorm or Static Kitten, is widely assessed to be tied to Iran’s MOIS. The group has a long record of espionage-driven intrusions targeting government, telecommunications and energy sectors across the Middle East, with occasional activity beyond the region.
Its methods rely heavily on remote monitoring and management tools delivered through large-scale phishing waves, sometimes to hundreds of recipients at once. For higher-value targets, MuddyWater deploys custom malware and short-lived tools that are quickly rotated. Some recent campaigns suggest that elements of its tooling may have been developed with AI assistance.
Despite its profile, the group’s tactics remain consistent: abuse of built-in Windows tools, credential theft, lateral movement via compromised internal email accounts, and exploitation of legitimate file-sharing services.
Other actors emphasize impact over stealth.
Void Manticore, operating under the persona “Handala Hack Team,” surfaced in late 2023 as a pro-Palestinian hacktivist identity. Assessed as MOIS-affiliated, it specializes in opportunistic “hack-and-leak” campaigns, most often targeting Israeli entities but occasionally expanding beyond them when doing so serves a strategic objective.
Researchers have observed supply-chain compromises, rapid publication of stolen material to amplify reputational damage, and probing of externally facing applications for weak credentials. During nationwide protests in Iran earlier this year, some Handala-linked activity originated from Starlink IP ranges.
Agrius, another actor linked in public reporting to MOIS, has focused on destructive operations since 2020. Its operations often deploy wiper malware or pseudo-ransomware, masking sabotage as criminal activity, and exploit internet-facing servers before establishing persistence through webshells and publicly available tools.
During a 12-day conflict between Israel and Iran in June 2025, researchers observed Agrius-linked infrastructure scanning for vulnerable cameras across Israel, likely to enable post-attack visibility and damage assessment.