
Summary

The February 28, 2026, geopolitical developments have increased the risk of potential Iranian cyber retaliation against Western interests. While no new Iranian-attributed cyber activity has been confirmed at this time, the potential for delayed threat escalation remains.

This blog post provides context on the situation and outlines the historically observed modus operandi of known Iranian cyber threat actors, including the tactics, techniques, and operational patterns they have leveraged in past retaliatory campaigns. Understanding this baseline tradecraft is critical to assessing risk in the current environment.

Howler Cell is actively monitoring the situation and maintaining elevated defensive readiness across client environments.

Current Situational Awareness

No new confirmed threat activity

  • There are currently no newly identified Iranian cyber campaigns tied to the February 28 operation.

  • No confirmed Iranian-attributed attacks have emerged in direct response.

Known infrastructure, not new IOCs

  • Recently circulated IP addresses associated with Iranian operations are not newly identified infrastructure.

  • These indicators are consistent with previously documented Iranian activity.

  • Cyderes was already blocking and monitoring these IOCs prior to this event and continues to do so.

Proactive intelligence monitoring

  • Howler Cell is actively hunting for any new indicators of compromise or emerging tactics and techniques.

  • Monitoring spans the full attack lifecycle, from initial access through potential data destruction or ransomware activity.

  • Any credible new intelligence will trigger direct advisories and proactive threat hunting engagement.

Elevated MDR vigilance

  • Cyderes MDR services are operating at heightened vigilance in response to the increased geopolitical risk.

  • Detection coverage across known Iranian tradecraft has been validated and reinforced.

  • Clients should expect continued monitoring, rapid intelligence updates, and proactive defense measures.

Why Historical Context Matters

Iranian cyber retaliation has historically followed recognizable patterns, often leveraging established infrastructure, trusted access, destructive tooling, or proxy actors. While retaliation is not always immediate, it has consistently reflected strategic messaging objectives aligned with geopolitical events. The sections that follow examine previously observed Iranian threat actor behaviors to help security leaders better understand what to watch for in the days, weeks, and months ahead.

Increasing Uncertainty Due to Regime Upheaval

On February 28, 2026, the United States of America and the State of Israel executed a coordinated joint military operation codenamed Epic Fury in order “to dismantle the Iranian regime’s security apparatus, prioritizing locations that posed an imminent threat. Targets included Islamic Revolutionary Guard Corps (IRGC) command and control facilities, Iranian air defense capabilities, missile and drone launch sites, and military airfields” [1]. The death of Iran’s Supreme Leader, Ayatollah Ali Khamenei, was confirmed to be a result of this operation by Iranian, American, and Israeli government officials.

The Islamic Republic of Iran has spent the better part of two decades cultivating and deploying cyber capabilities as a core instrument of national power. Iranian threat groups gained their notoriety through a growing number of offensive cyber operations in the years after Stuxnet. Iran switched from a purely defensive cyber strategy to one that also included offensive operations intended to project force, acquire academic research produced in countries that maintain embargoes against Iran, exact retribution, and exert asymmetric pressure on adversaries with stronger conventional military forces.

Outside of cyberspace, the death of Ayatollah Ali Khamenei represents arguably the most politically disruptive event since the Iranian revolution in 1979, in which Khamenei was installed [2]. According to Washington, the remaining members of the fractured IRGC are now interested in negotiation following the death of Khamenei [3]. Meanwhile, Telegram channels allegedly unofficially affiliated with the IRGC claim that the IRGC Public Relations department has issued a statement via Iranian official media stating, “The criminal and terrorist act of the [United States and Israel] is a violation of the obvious religious, moral, legal and customary standards; therefore, the Iranian nation will [seek to inflict] decisive and regretful punishment of the murderers of [Ayatollah Ali-Khamenei]” [4].

This uncertainty leaves organizations and institutions wondering, “what potential cybersecurity blowback should we be prepared for, if any?”

A Brief History of Iran’s Offensive Cybersecurity Operations

Broadly speaking, we can break Iranian cybersecurity operations into the following macrosegments:

Awakening and Retaliation: 2005 – 2018

During this period, Iran transitioned from a cyber victim to a capable offensive actor, with campaigns driven largely by retaliation and regional competition. By the mid-2010s, Iran's cyber forces had grown from reactive hacktivism and crude wipers into a mature, multi-tiered intelligence and offensive apparatus. Groups developed custom tooling, leveraged cloud infrastructure, and began conducting operations that paralleled the sophistication of Russian and Chinese APTs.
Years | Group(s) | Operation / Campaign | Targeting Profile
--- | --- | --- | ---
2009–2012 | Iranian Cyber Army | Twitter/Baidu/VOA defacements; Operation Ababil DDoS | U.S. financial institutions, opposition media [5], [6]
2012 | Cutting Kitten / IRGC proxies | Shamoon (Saudi Aramco wiper) | Saudi and Qatari energy infrastructure [7], [8]
2012–2014 | Cutting Kitten | Operation Cleaver | Aviation, defense, oil & gas across 16 countries [9]
2014 | IRGC proxies | Las Vegas Sands attack | U.S. private sector (politically motivated) [10]
2014–2017 | APT33 (Elfin / Magnallium) | Aerospace and energy espionage | U.S., Saudi Arabian, and South Korean aviation and energy [11]

Global Repression of Political Dissidents: 2019 - 2022

Between 2019 and 2022, a string of events in quick succession converged to force Iran to strategically pivot its cyber operations inward.

2019

OilRig (APT34) Toolset Leaked: An anonymous actor publicly dumped APT34's full hacking toolkit, command-and-control infrastructure, and even internal training videos on Telegram [12]. This catastrophically burned a decade of tooling investment and forced Iran to rebuild, ultimately creating a natural pause in large-scale external operations.

Nationwide Fuel Protests: Iran's government shut down the internet entirely for nearly a week to suppress protests following sudden fuel price increases [13]. The regime recognized that diaspora networks, journalists, and opposition media were organizing dissent at unprecedented scale using digital tools.

2020

Killing of Qassem Suleimani: Following the U.S. drone strike, Iran's cyber apparatus was placed on high retaliatory alert, but the expected large external cyber operation never materialized at scale. Instead, intelligence suggests Iran's IRGC turned significant resources inward toward monitoring individuals who might exploit the instability [14]. During this window, Charming Kitten (APT35) began its well-documented pivot toward journalists and dissidents, launching a media impersonation campaign in 2019–2020 that targeted Iranian opposition journalists, academics, and government critics by posing as reporters from the Wall Street Journal, CNN, and Deutsche Welle to harvest credentials.

2022

The 2022 Mahsa Amini protests were particularly significant. A direct correlation was documented between surges in domestic and diaspora targeting by Iranian state cyber actors and periods of internal political protest [15]. When Iranians took to the streets globally, Iranian APTs followed them into their inboxes. Iranian state-sponsored threat actors are chiefly tasked with internal security as their primary mission. As the regime faced its most serious domestic legitimacy challenges since 1979, it pulled its most sophisticated operators toward transnational repression rather than geopolitical sabotage [16].

Years | Group(s) | Operation / Campaign | Targeting Profile
--- | --- | --- | ---
2019–2020 | APT35 / Charming Kitten | Media impersonation campaign | Iranian opposition journalists, government critics, academics
2019 | IRGC | Capture of journalist Ruhollah Zam | Exiled journalist lured from Paris to Iraq via digital manipulation, captured by IRGC
2020–2021 | APT42 (Agent Serpens) | Surveillance of diaspora and NGO workers | Iranian diaspora communities globally; rights organizations
2020 | APT35 / Magic Hound | COVID-themed lure campaigns | Medical researchers, pharmaceutical organizations (intelligence collection)
2021 | APT35 / Charming Kitten | Operation SpoofedScholars | Think tank researchers, academic staff; policy-focused institutions
2022 | APT42 / Charming Kitten | HRW/Amnesty campaign | Human Rights Watch staff, 18+ journalists, researchers, diplomats working on Middle East issues
2022 | APT42 | Mahsa Amini protest-era surveillance surge | Diaspora activists, protest organizers, opposition media

External Response to the War in Palestine: 2023 - Present

Iran retooled and re-strategized after the war in Palestine began. It maintained its internal and external suppression of, and retaliation against, dissidents within the global Iranian diaspora. The 2022–2023 period onward also saw Iran dramatically expand its hacktivist proxy ecosystem. By June 22, 2025, 120 hacktivist groups were reportedly active in response to the war [17], which allowed Iran to maintain deniable external pressure while state APTs focused on higher-value human intelligence collection against dissidents and strategic espionage. Critically, Iranian cyber operations did not abandon the inward-facing posture. Instead, they operate on both tracks simultaneously, with distinct groups assigned to each track.

Years | Group(s) | Operation / Campaign | Target Profile
--- | --- | --- | ---
2023–present | APT42 | Ongoing surveillance and credential harvesting of diaspora and civil society targets; beginning to enhance spear phishing with generative AI | Iranian diaspora globally, journalists, NGOs, human rights defenders, opposition figures
2023–present | Agrius / Agonizing Serpens (Pink Sandstorm) | Wiper campaigns against Israeli education and technology sectors | Israeli academic institutions, technology companies
2023–present | MuddyWater (Boggy Serpens) | BizSandstorm phishing campaigns; legitimate tool abuse | Middle Eastern governments, telecom, energy, academia
2023–present | Moses Staff | Destructive encryption combined with public Telegram data leak campaigns | Israeli government ministries, financial institutions, public sector organizations
2023–present | Cyber, Cyber Fattah, Fatimion Cyber Team, Cyber Islamic Resistance, Cyb3rAvengers, Karma, Abnaa Al-Saada, Al-Toufan | Hacktivism: coordinated DDoS, defacement, and data theft operations timed to Iranian geopolitical events, plus Telegram-based leak operations | U.S. and Israeli government websites, financial institutions, energy utilities, pro-Western media, organizations perceived as hostile to Iran or Islam


MITRE ATT&CK Technique Profile: Iranian APT TTPs

Significant TTPs used by Iranian-based threat actors include but are not limited to:

Initial Access

T1190 – Exploit Public-facing Application
Groups: Moses Staff, MuddyWater, Pink Sandstorm, Magic Hound, APT39, Fox Kitten
Detect: Chain correlation: abnormal HTTP/S request patterns to public endpoints -> elevated 4xx/5xx errors or WAF blocks -> web/app server process spawns a shell or LOLBin -> optional outbound C2 callback. Monitor ESXi OpenSLP, VPN appliance, and Exchange server logs specifically for Iranian-favored CVEs (CVE-2018-13379, CVE-2021-44228, CVE-2019-0604, ProxyShell variants) [18].
Protect: Aggressive patch management (M1051); Web Application Firewall deployment (M1050); application isolation and sandboxing (M1048); network segmentation with a DMZ for internet-facing systems (M1030); restrict public exposure of services to only what is required (M1035); vulnerability scanning on a continuous cadence (M1016).

T1566 – Phishing
Groups: Magic Hound, APT42, MuddyWater, APT33, APT23
Detect: Correlate email metadata with file creation and network activity post-delivery; alert on macro-enabled Office documents spawning child processes; monitor for anomalous link clicks from collaboration and SaaS platforms; detect credential submission to newly registered or low-reputation external domains; alert on MFA bypass attempts following phishing delivery [19].
Protect: Email authentication enforcement via SPF, DKIM, and DMARC (M1054); anti-virus/anti-malware with sandboxed attachment detonation (M1049); network intrusion prevention to scan and block malicious links and attachments (M1031); restrict execution of high-risk attachment types (.scr, .exe, .iso, .lnk, .docm) (M1021); mandatory user awareness training with simulated phishing (M1017).

T1189 – Drive-by Compromise
Groups: Magic Hound
Detect: Monitor web proxy and DNS logs for access to newly registered or low-reputation domains; alert on browser processes spawning unexpected child processes or writing files to disk; detect drive-by activity via exploit kit indicators (unusual JavaScript, iframe redirects, heap spray patterns in browser telemetry) [20].
Protect: Restrict web-based content and enforce browsing policies via proxy (M1021); application isolation and sandboxing for browsers (M1048); keep browser software and plugins fully patched (M1051); exploit protection via Defender for Endpoint / EMET (M1050).


Persistence

T1053.005 – Scheduled Task/Job: Scheduled Task
Groups: Magic Hound, APT35, APT42, MuddyWater, APT33, Fox Kitten, OilRig
Detect: Monitor the creation, modification, or deletion of scheduled tasks via Task Scheduler, WMI, PowerShell, or API; alert on tasks created under SYSTEM context or pointing to user-writable directories (AppData, TEMP); monitor for hidden tasks created by deleting the associated SD registry value, and for schtasks /create executions with encoded or obfuscated arguments [21].
Protect: Configure scheduled tasks to run under an authenticated user context rather than SYSTEM via GPO (M1028); limit schtasks creation rights to authorized administrators only (M1018); restrict the Increase Scheduling Priority user right to the Administrators group via GPO (M1026); audit the scheduled task inventory regularly for deviations from baseline (M1047).

T1505.003 – Server Software Component: Web Shell
Groups: Pink Sandstorm, Moses Staff, Magic Hound, OilRig, Fox Kitten, HomeLand Justice, APT35
Detect: Implement file integrity monitoring on web server directories; alert on new .aspx, .php, .jsp, and .jspx files in web roots; detect web server processes (w3wp.exe, apache2, nginx) spawning command shells (cmd.exe, powershell.exe, /bin/sh) or script interpreters; alert on outbound connections and anomalous file creations originating from IIS and other web server processes [22].
Protect: Disable unnecessary server-side scripting features (M1042); enforce the principle of least privilege by limiting write access to web directories to authorized deployment accounts only (M1018); deploy file integrity monitoring; consider immutable infrastructure patterns for web-tier systems.

T1112 – Modify Registry
Groups: Magic Hound, APT42, MuddyWater
Detect: Monitor the Registry for modifications to sensitive keys; alert on changes to Run/RunOnce keys, service configurations, and security tool registry values; correlate with the process that made the change [23].
Protect: Restrict write access to sensitive registry hives via ACLs (M1024); limit which accounts can modify security-relevant registry keys (M1026); enable tamper protection in Microsoft Defender to prevent modification of security tool registry entries.

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Groups: APT33, MuddyWater, Magic Hound
Detect: Monitor HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run for new or modified entries; alert on files written to the Startup folder by non-administrative processes; baseline known autorun entries and alert on deviations [24].
Protect: Restrict write access to autorun registry hives and Startup folders to authorized administrators (M1024); application control policies (AppLocker/WDAC) to prevent unauthorized executables from running at startup (M1038).
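The web-server-spawns-shell chain from the T1190 and T1505.003 rows and the suspicious schtasks /create patterns from the T1053.005 row can be expressed as simple rules over process-creation telemetry. This is an added example, not Cyderes or Howler Cell code; it assumes Sysmon Event ID 1 records already parsed into dicts, and the events it runs over are constructed.

```python
"""Process-creation rules for the T1190/T1505.003 and T1053.005 rows above.

Input is assumed to be Sysmon Event ID 1 (process creation) records already
parsed into dicts with ParentImage, Image, CommandLine and User, e.g. from a
SIEM export. The events at the bottom are constructed for illustration.
"""
import ntpath
import re

# Web-tier parents that should never spawn shells or LOLBins (assumed list).
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "apache2", "nginx", "php-fpm", "tomcat.exe"}
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash",
                      "certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe",
                      "wscript.exe", "cscript.exe"}
# Directories a standard user can write to; a persistent task pointing here is suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
ENCODED_FLAGS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)")
TR_ARG = re.compile(r'(?i)/tr\s+(?:"([^"]+)"|(\S+))')
RUN_AS_SYSTEM = re.compile(r'(?i)/ru\s+"?(system|nt authority\\system)')


def basename(path: str) -> str:
    """Lower-cased final path component; handles Windows and POSIX separators."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def check_web_shell_chain(ev: dict):
    """T1190 / T1505.003: a web server process spawning a shell or LOLBin."""
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    if parent in WEB_SERVER_PARENTS and child in SHELLS_AND_LOLBINS:
        return f"T1190/T1505.003: web server process {parent} spawned {child} as {ev.get('User')}"
    return None


def check_scheduled_task(ev: dict):
    """T1053.005: schtasks /create with a user-writable action, encoded args, or SYSTEM context."""
    if basename(ev.get("Image", "")) != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return None
    m = TR_ARG.search(cmd)
    action = (m.group(1) or m.group(2)) if m else ""
    reasons = []
    if any(p in action.lower() for p in USER_WRITABLE):
        reasons.append("task action in user-writable path")
    if ENCODED_FLAGS.search(cmd):
        reasons.append("encoded/obfuscated arguments")
    if RUN_AS_SYSTEM.search(cmd):
        reasons.append("runs as SYSTEM")
    return "T1053.005: schtasks /create with " + ", ".join(reasons) if reasons else None


def scan(events):
    """Run every rule over every event; returns (event index, finding) pairs."""
    findings = []
    for i, ev in enumerate(events):
        for rule in (check_web_shell_chain, check_scheduled_task):
            hit = rule(ev)
            if hit:
                findings.append((i, hit))
    return findings


# Constructed sample telemetry (not real events).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami"', "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ParentImage": "/usr/sbin/apache2", "Image": "/bin/sh",
     "CommandLine": "sh -c id", "User": "www-data"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\Public\svc.exe" /sc minute /mo 5 /ru SYSTEM',
     "User": r"CORP\jdoe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\run.exe" /sc daily',
     "User": r"CORP\admin"},
]

if __name__ == "__main__":
    for idx, finding in scan(PROCESS_EVENTS):
        print(f"event {idx}: {finding}")
```

The fourth event (a task under Program Files, no SYSTEM context) is the benign control that the rules leave alone.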

 

Lateral Movement

T1021.001 – Remote Services: Remote Desktop Protocol
Groups: Pink Sandstorm, Magic Hound, Void Manticore, Fox Kitten, OilRig, HomeLand Justice, APT39
Detect: Alert on RDP logons from unusual source systems, off-hours, new geolocations, or accounts with no RDP history; correlate RDP logon events with subsequent unusual process execution, file access, or lateral movement; monitor for RDP session initiation from internet-facing hosts into internal servers [25].
Protect: Disable RDP where not required (M1042); enforce MFA for all RDP access (M1032); use Remote Desktop Gateways and restrict direct RDP exposure (M1035); network segmentation: block RDP between network zones at the firewall and do not expose RDP to the internet (M1030); audit Remote Desktop Users group membership regularly (M1047); enforce session timeout policies via GPO (M1028).

T1021.002 – Remote Services: SMB/Windows Admin Shares
Groups: Moses Staff, APT33
Detect: Monitor for lateral movement via SMB; alert on access to ADMIN$, C$, and IPC$ shares from non-administrative or unexpected source hosts; correlate with subsequent process execution on the destination host [26].
Protect: Restrict access to administrative shares to authorized systems only (M1030); enforce privileged account management and ensure admin credentials are not reused across systems (M1026); enable host-based firewall rules to restrict SMB (port 445) laterally across network segments (M1037).

T1210 – Exploitation of Remote Services
Groups: MuddyWater, Fox Kitten
Detect: Monitor for exploitation indicators on internal services (anomalous service crashes, unexpected process spawns from network service processes); alert on CVE-specific signatures for Iranian-favored vulnerabilities on internal systems; correlate with lateral movement from a previously compromised host [27].
Protect: Patch internal services and systems as aggressively as internet-facing systems (M1051); network segmentation to limit the blast radius of any single exploited internal host (M1030); application isolation for sensitive internal services (M1048); vulnerability scanning of the internal attack surface (M1016).
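The T1021.001 detection row combines four signals: no RDP history for the account, a new source for a known account, off-hours timing, and a session initiated from an internet-facing segment. Below is an added example (not Cyderes or Howler Cell code) that scores Windows Security 4624 LogonType 10 events against a baseline built from the prior window; the business-hours window, the DMZ subnet and all events are constructed assumptions.

```python
"""RDP logon anomaly triage for the T1021.001 row above.

Input is assumed to be Windows Security Event ID 4624 records with LogonType 10
(RemoteInteractive) parsed into dicts; the baseline is the prior lookback
window of the same events. All records below are constructed. Business hours
and the internet-facing subnet are assumptions to adjust per environment.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

BUSINESS_HOURS = (time(7, 0), time(19, 0))       # assumed local business window
INTERNET_FACING = [ip_network("10.200.0.0/24")]  # constructed DMZ segment


def build_baseline(history):
    """Map account -> set of source IPs seen initiating RDP in the lookback window."""
    baseline = {}
    for ev in history:
        if ev.get("LogonType") == 10:
            baseline.setdefault(ev["TargetUserName"].lower(), set()).add(ev["IpAddress"])
    return baseline


def assess_rdp_logon(ev, baseline):
    """Return the list of anomaly reasons for one 4624 event (empty = nothing unusual)."""
    reasons = []
    if ev.get("LogonType") != 10:
        return reasons                     # only RemoteInteractive logons are in scope
    user, src = ev["TargetUserName"].lower(), ev["IpAddress"]
    known = baseline.get(user)
    if known is None:
        reasons.append("account has no RDP history")
    elif src not in known:
        reasons.append(f"new source {src} for account")
    ts = datetime.fromisoformat(ev["TimeCreated"])
    if ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
        reasons.append("off-hours logon")
    try:
        if any(ip_address(src) in net for net in INTERNET_FACING):
            reasons.append("RDP from internet-facing segment into internal host")
    except ValueError:
        pass                               # source logged as hostname or '-': skip the subnet check
    return reasons


def triage(events, baseline):
    """EventRecordID -> reasons, for every event in the batch."""
    return {ev["EventRecordID"]: assess_rdp_logon(ev, baseline) for ev in events}


HISTORY = [  # constructed 30-day baseline
    {"TargetUserName": "jdoe", "IpAddress": "10.10.5.20", "LogonType": 10, "TimeCreated": "2026-02-10T09:12:00"},
    {"TargetUserName": "jdoe", "IpAddress": "10.10.5.20", "LogonType": 10, "TimeCreated": "2026-02-17T08:55:00"},
    {"TargetUserName": "svc-backup", "IpAddress": "10.10.5.21", "LogonType": 10, "TimeCreated": "2026-02-20T22:00:00"},
]
NEW_EVENTS = [  # constructed batch to triage (2026-03-07 is a Saturday)
    {"EventRecordID": 1001, "TargetUserName": "jdoe", "IpAddress": "10.10.5.20", "LogonType": 10, "TimeCreated": "2026-03-03T10:00:00"},
    {"EventRecordID": 1002, "TargetUserName": "jdoe", "IpAddress": "10.200.0.15", "LogonType": 10, "TimeCreated": "2026-03-07T02:30:00"},
    {"EventRecordID": 1003, "TargetUserName": "helpdesk", "IpAddress": "10.10.7.9", "LogonType": 10, "TimeCreated": "2026-03-04T14:00:00"},
    {"EventRecordID": 1004, "TargetUserName": "jdoe", "IpAddress": "10.200.0.15", "LogonType": 3, "TimeCreated": "2026-03-07T02:31:00"},
]

if __name__ == "__main__":
    for rid, reasons in triage(NEW_EVENTS, build_baseline(HISTORY)).items():
        print(rid, reasons or "ok")
```

Record 1004 is a network logon (type 3) from the same DMZ address and is deliberately out of scope here; it would be handled by the SMB row's rules.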


Collection & Exfiltration

T1005 – Data from Local System
Groups: APT33, OilRig, Magic Hound, APT42, MuddyWater, Moses Staff
Detect: Alert on bulk file access or enumeration of sensitive directories (Documents, Desktop, AppData) by non-standard processes; UEBA baselines for abnormal file read volumes per user/process; monitor for staging archives (.zip, .rar, .7z) created in unusual locations (TEMP, AppData) [28].
Protect: Data Loss Prevention (DLP) policies on the endpoint to detect bulk file staging (M1057); enforce least privilege by restricting process access to sensitive file paths (M1026); endpoint detection and response (EDR) behavioral rules for mass file enumeration.

T1114 – Email Collection
Groups: OilRig, Magic Hound, APT42, MuddyWater
Detect: Alert on unusual access to Outlook OST/PST files or .eml archives by non-email processes; monitor Exchange/M365 audit logs for bulk mail export, unusual forwarding rule creation (Event: New-InboxRule), or mail access by accounts not owned by the mailbox owner; alert on Graph API calls performing large-scale mailbox reads [29].
Protect: Enforce MFA and Conditional Access on mail access (M1032); disable legacy mail protocols that bypass MFA (Basic Auth) (M1028); audit inbox rules regularly for unauthorized forwarding (M1047); DLP policies on mail export and forwarding (M1057); restrict application permissions for mail access via Microsoft Graph to only what is required.

T1041 – Exfiltration Over C2 Channel
Groups: APT33, OilRig, MuddyWater, APT35, Moses Staff
Detect: Anomalous outbound traffic volume baselines: alert on sustained large POST requests to external IPs; monitor for DNS tunneling indicators (high-volume, long-string DNS queries to low-reputation domains); UEBA baselines for data transfer thresholds per host; NetFlow analysis for beaconing patterns [30].
Protect: DLP at the proxy/CASB layer to detect large outbound transfers (M1057); network traffic filtering and egress controls that restrict outbound connections from servers to approved destinations only (M1037); DNS security filtering to block C2 callback domains (M1031).

T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Groups: OilRig, MuddyWater, Fox Kitten
Detect: Monitor for unusual use of plaintext protocols (HTTP, FTP, DNS) for large-volume outbound data transfers; alert on DNS query strings exceeding normal length thresholds; detect FTP connections to external hosts from systems that do not normally initiate FTP; correlate with data staging activity on the same host [31].
Protect: Enforce encrypted and approved-only egress channels; block plaintext FTP outbound at the perimeter where not operationally required (M1037); deploy DNS security filtering with analytics for tunneling detection (M1031); CASB to enforce approved cloud egress paths (M1057).
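The DNS tunneling indicators named in the T1041 and T1048.003 rows (long query strings, high-entropy labels, many unique subdomains under one parent from a single client) can be checked directly against resolver logs. This added example is not Cyderes or Howler Cell code; it assumes a constructed "timestamp client qname qtype" log format, uses the reserved .test TLD as a placeholder for a C2 domain, and the thresholds are assumptions to tune against a real baseline.

```python
"""DNS tunneling heuristics for the T1041 / T1048.003 rows above.

Input is assumed to be resolver query logs in a constructed
"<timestamp> <client> <qname> <qtype>" format; thresholds are starting points
to tune against a real baseline. The log lines below are constructed and use
the reserved .test TLD as a placeholder for a C2 domain.
"""
import hashlib
import math
from collections import defaultdict

MAX_QNAME_LEN = 80            # total query name length (assumed threshold)
MAX_LABEL_LEN = 45            # longest single label (assumed threshold)
MIN_ENTROPY = 3.5             # bits/char over the subdomain part (assumed threshold)
MIN_UNIQUE_SUBDOMAINS = 20    # unique names under one parent per client (assumed threshold)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def parent_domain(qname: str) -> str:
    """Last two labels; assumption: ignores public-suffix cases like co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def query_features(qname: str) -> dict:
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])
    return {"len": len(qname.rstrip(".")),
            "max_label": max(len(lbl) for lbl in labels),
            "entropy": shannon_entropy(subdomain)}


def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def detect_tunneling(lines):
    """Per-query length/entropy checks plus per-(client, parent) unique-subdomain volume."""
    names_per_parent = defaultdict(set)
    flagged = []
    for line in lines:
        rec = parse_line(line)
        f = query_features(rec["qname"])
        names_per_parent[(rec["client"], parent_domain(rec["qname"]))].add(rec["qname"].lower())
        high_entropy_txt = f["entropy"] > MIN_ENTROPY and rec["qtype"] in ("TXT", "NULL")
        if f["len"] > MAX_QNAME_LEN or f["max_label"] > MAX_LABEL_LEN or high_entropy_txt:
            flagged.append(rec["qname"])
    volume = [(client, parent, len(names))
              for (client, parent), names in names_per_parent.items()
              if len(names) >= MIN_UNIQUE_SUBDOMAINS]
    return {"long_or_high_entropy": flagged, "high_unique_subdomains": volume}


# Constructed log: 25 hex-encoded labels under one parent, plus ordinary lookups.
SAMPLE_LOG = [
    f"2026-03-02T10:00:{i:02d} 10.10.5.20 {hashlib.sha256(str(i).encode()).hexdigest()[:52]}.c2-placeholder.test TXT"
    for i in range(25)
] + [
    "2026-03-02T10:00:30 10.10.5.20 www.example.com A",
    "2026-03-02T10:00:31 10.10.5.20 cdn.example.org A",
    "2026-03-02T10:00:32 10.10.5.21 mail.example.net A",
]

if __name__ == "__main__":
    print(detect_tunneling(SAMPLE_LOG))
```

The volume rule is the one that survives an attacker shortening labels to dodge the length checks, which is why both are kept together.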


Impact

T1485 – Data Destruction
Groups: Cyber Toufan, Pink Sandstorm, APT33, Void Manticore
Detect: Alert on mass file overwrite or deletion operations; monitor for recursive del, rm -rf, or SDelete-style patterns; detect politically motivated image file writes to disk replacing data content; alert on MBR/VBR write activity outside of an OS update context; EDR behavioral rules for wiper-family signatures (Apostle, DEADWOOD, Shamoon, Meteor) [32].
Protect: Implement and test IT disaster recovery plans with immutable, air-gapped, or WORM-protected backups (M1053); MFA delete for cloud storage resources (M1032); enforce least privilege by restricting which accounts are capable of bulk file deletion or raw disk write operations (M1018).

T1491.002 – Defacement
Groups: Pink Sandstorm, Iranian Cyber Army, APT33, CyberAv3ngers
Detect: Monitor web server file integrity for unauthorized changes to web root content; alert on web server processes writing to HTML/JS/CSS files outside of authorized deployment pipelines; detect politically motivated image files being staged on web-tier systems [33].
Protect: File integrity monitoring on all web-facing content directories; immutable infrastructure, with web content deployed via CI/CD pipelines only, by restricting direct write access to web roots (M1018); restrict web server process permissions to read-only on content directories (M1042).

T1561 – Disk Wipe
Groups: Pink Sandstorm, APT33, Void Manticore
Detect: Alert on raw disk write API calls (\\.\PhysicalDrive) outside of an OS or authorized software context; monitor for driver loading associated with raw disk access (the RawDisk driver as used in Shamoon); detect MBR/partition table modification via Sysmon or EDR driver telemetry; alert on Volume Shadow Copy deletion (vssadmin delete shadows), which often precedes wiper deployment [34].
Protect: Immutable backups on separate, network-isolated infrastructure (M1053); restrict raw disk access APIs to authorized system-level processes only via application control (M1038); enforce MFA and privileged access management for accounts capable of loading drivers or accessing raw disk interfaces (M1026, M1032).

T1486 – Data Encrypted for Impact
Groups: APT33, Magic Hound, Void Manticore
Detect: Alert on rapid file encryption patterns, mass renames with new extensions, and high-volume file modification events in a short time window; monitor for Volume Shadow Copy deletion commands (vssadmin, wmic shadowcopy delete); detect ransom note file creation (readme.txt, HOW_TO_DECRYPT) in multiple directories; EDR behavioral ransomware rollback triggers [35].
Protect: Immutable, tested offline or air-gapped backups (M1053); EDR with ransomware behavioral protection and automated rollback; disable vssadmin and wmic shadowcopy delete for non-administrative accounts via AppLocker/WDAC (M1038); MFA on all privileged access to prevent credential-enabled ransomware deployment (M1032).
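Three of the T1485/T1486 signals above are rate- or spread-based rather than signature-based: many extension-changing renames by one process in a short window, the same note filename dropped into many directories, and shadow copy deletion shortly beforehand. This added example (not Cyderes or Howler Cell code) implements those over a constructed, normalised file-and-process event feed; the thresholds and the event schema are assumptions.

```python
"""File-activity heuristics for the T1485 / T1486 rows above.

Input is assumed to be endpoint telemetry normalised into dicts with ts, pid,
process, op ("rename", "create" or "proc") and path/new_path or cmdline, e.g.
from Sysmon Event IDs 1 and 11 plus an EDR rename feed. Thresholds are
assumptions to tune per environment; all events below are constructed.
"""
import ntpath
import re
from collections import defaultdict, deque
from datetime import datetime

RENAME_THRESHOLD = 50     # extension-changing renames per process per window
WINDOW_SECONDS = 60
NOTE_DIR_THRESHOLD = 5    # same note filename dropped into this many directories
NOTE_NAMES = re.compile(r"(?i)^(readme\.txt|how_to_decrypt.*|.*decrypt.*\.(txt|html|hta))$")
SHADOW_DELETE = re.compile(r"(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)")


def detect_impact(events):
    """Return alerts in time order; each process is alerted once per rule."""
    alerts, flagged = [], set()
    rename_times = defaultdict(deque)      # pid -> timestamps of recent extension changes
    note_dirs = defaultdict(set)           # (pid, note name) -> directories written to
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, pid = datetime.fromisoformat(ev["ts"]), ev["pid"]
        if ev["op"] == "rename":
            old_ext = ntpath.splitext(ev["path"])[1].lower()
            new_ext = ntpath.splitext(ev["new_path"])[1].lower()
            if new_ext and new_ext != old_ext:
                window = rename_times[pid]
                window.append(ts)
                while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                    window.popleft()       # slide the window forward
                if len(window) >= RENAME_THRESHOLD and ("rename", pid) not in flagged:
                    flagged.add(("rename", pid))
                    alerts.append(f"T1486: pid {pid} ({ev['process']}) renamed {len(window)} files "
                                  f"with new extension within {WINDOW_SECONDS}s")
        elif ev["op"] == "create":
            name = ntpath.basename(ev["path"])
            if NOTE_NAMES.match(name):
                key = (pid, name.lower())
                note_dirs[key].add(ntpath.dirname(ev["path"]).lower())
                if len(note_dirs[key]) >= NOTE_DIR_THRESHOLD and ("note", pid) not in flagged:
                    flagged.add(("note", pid))
                    alerts.append(f"T1486: pid {pid} wrote {name} into {len(note_dirs[key])} directories")
        elif ev["op"] == "proc" and SHADOW_DELETE.search(ev.get("cmdline", "")):
            alerts.append(f"T1485/T1486 precursor: pid {pid} deleted shadow copies: {ev['cmdline']}")
    return alerts


# Constructed telemetry: shadow copy deletion, then 60 .docx -> .locked renames
# and a note dropped into six directories by one process; pid 777 is benign.
FILE_EVENTS = (
    [{"ts": "2026-03-02T09:59:50", "pid": 4300, "process": "cmd.exe", "op": "proc",
      "cmdline": "vssadmin.exe delete shadows /all"}]
    + [{"ts": f"2026-03-02T10:00:{i:02d}", "pid": 4242, "process": "svc.exe", "op": "rename",
        "path": rf"C:\Data\file{i}.docx", "new_path": rf"C:\Data\file{i}.docx.locked"} for i in range(60)]
    + [{"ts": f"2026-03-02T10:01:{i:02d}", "pid": 4242, "process": "svc.exe", "op": "create",
        "path": rf"C:\Data\dir{i}\HOW_TO_DECRYPT.txt"} for i in range(6)]
    + [{"ts": f"2026-03-02T10:02:{i:02d}", "pid": 777, "process": "winword.exe", "op": "rename",
        "path": rf"C:\Data\~tmp{i}.tmp", "new_path": rf"C:\Data\report{i}.docx"} for i in range(3)]
)

if __name__ == "__main__":
    for alert in detect_impact(FILE_EVENTS):
        print(alert)
```

The shadow copy alert fires ten seconds before the rename burst, which is the ordering the T1561 and T1486 rows describe and the reason it is worth correlating the two on the same host.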

 

References

[1] USCENTCOM, “U.S. Forces Launch Operation Epic Fury,” U.S. Central Command. Accessed: Mar. 01, 2026. [Online]. Available: https://www.centcom.mil/MEDIA/PRESS-RELEASES/Press-Release-View/Article/4418396/us-forces-launch-operation-epic-fury/

[2] Wikipedia, “Iranian Revolution,” Wikipedia. Wikipedia, Mar. 01, 2026. Accessed: Mar. 01, 2026. [Online]. Available: https://en.wikipedia.org/w/index.php?title=Iranian_Revolution&oldid=1341143280

[3] J. Bowden, “Trump says Iran wants to negotiate after assassination of supreme leader,” The Independent. Accessed: Mar. 01, 2026. [Online]. Available: https://www.independent.co.uk/news/world/americas/us-politics/trump-iran-negotiations-khamenei-death-b2929782.html

[4] Army News | Speahnews.ir, “سپاه نیوز | sepahnews.ir,” Telegram. Accessed: Mar. 01, 2026. [Online]. Available: https://t.me/s/sepahnewsir403?before=10513

[5] RadioFreeEurope/Radio Liberty, “Twitter Attacker Claims Iran Link,” Radio Free Europe/Radio Liberty, Dec. 19, 2009. Accessed: Mar. 02, 2026. [Online]. Available: https://www.rferl.org/a/Twitter_Hacked__Attacker_Claims_Iran_Link/1908075.html

[6] Reuters, “China’s Baidu website defaced by Twitter hackers,” Reuters, Jan. 12, 2010. Accessed: Mar. 02, 2026. [Online]. Available: https://www.reuters.com/article/business/media-telecom/chinas-baidu-website-defaced-by-twitter-hackers-idUSTOE60B05U/

[7] R. Falcone, “Shamoon 2: Return of the Disttrack Wiper,” Unit 42. Accessed: Mar. 02, 2026. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/

[8] R. Falcone, “Shamoon 3 Targets Oil and Gas Organization,” Unit 42. Accessed: Mar. 02, 2026. [Online]. Available: https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/

[9] Cylance, “Operation Cleaver,” archived report via the Wayback Machine. Accessed: Mar. 02, 2026. [Online]. Available: https://web.archive.org/web/20150108041942/http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf

[10] B. Elgin and M. Riley, “Iranian Hackers Hit Sheldon Adelson’s Sands Casino in Las Vegas - Businessweek,” archive.org. Accessed: Mar. 02, 2026. [Online]. Available: https://web.archive.org/web/20150101020028/https://www.businessweek.com/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas#p2

[11] J. O’Leary, J. Kimble, K. Vanderlee, and N. Fraser, “APT33 Targets Aerospace & Energy Sectors | Spear Phishing,” Google Cloud Blog. Accessed: Mar. 02, 2026. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/apt33-insights-into-iranian-cyber-espionage

[12] H. C. Yuceel, “Inside the Shadows: Understanding Active Iranian APT Groups,” Picus Security. Accessed: Mar. 02, 2026. [Online]. Available: https://www.picussecurity.com/resource/blog/understanding-active-iranian-apt-groups

[13] BBC, “Iran protests: At least 12 killed at unrest over petrol price rise.” Accessed: Mar. 02, 2026. [Online]. Available: https://www.bbc.com/news/world-middle-east-50459971

[14] Insikt Group, “Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access,” Recorded Future. Accessed: Mar. 02, 2026. [Online]. Available: https://www.recordedfuture.com/research/iranian-cyber-response

[15] The Citizen Lab, “Iran,” The Citizen Lab. Accessed: Mar. 02, 2026. [Online]. Available: https://citizenlab.ca/research/iran/

[16] Insikt Group, “Despite Infighting and Volatility Iran Maintains Aggressive Cyber Operations Structure,” CTA-IR-2020-0409, Apr. 2020. Accessed: Mar. 02, 2026. [Online]. Available: https://assets.recordedfuture.com/insikt-report-pdfs/2020/cta-2020-0409.pdf

[17] Unit 42, “Threat Brief: Escalation of Cyber Risk Related to Iran (Updated June 30),” Unit 42. Accessed: Mar. 02, 2026. [Online]. Available: https://unit42.paloaltonetworks.com/iranian-cyberattacks-2025/

[18] MITRE Corporation, “Exploit Public-Facing Application, Technique T1190 - Enterprise | MITRE ATT&CK®.” Accessed: Mar. 02, 2026. [Online]. Available: https://attack.mitre.org/techniques/T1190/

[19] MITRE Corporation, “Phishing, Technique T1566 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Mar. 02, 2026. [Online]. Available: https://attack.mitre.org/techniques/T1566/

[20] MITRE Corporation, “Drive-by Compromise, Technique T1189 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Mar. 02, 2026. [Online]. Available: https://attack.mitre.org/techniques/T1189/

[21] MITRE Corporation, “Scheduled Task/Job: Scheduled Task, Sub-technique T1053.005 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Jun. 09, 2025. [Online]. Available: https://attack.mitre.org/techniques/T1053/005/

[22] MITRE Corporation, “Server Software Component: Transport Agent, Sub-technique T1505.002 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Aug. 25, 2025. [Online]. Available: https://attack.mitre.org/techniques/T1505/002/

[23] MITRE Corporation, “Modify Registry, Technique T1112 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: May 27, 2025. [Online]. Available: https://attack.mitre.org/techniques/T1112/

[24] MITRE Corporation, “Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Sub-technique T1547.001 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Jun. 12, 2025. [Online]. Available: https://attack.mitre.org/techniques/T1547/001/

[25] MITRE Corporation, “Remote Services: Remote Desktop Protocol, Sub-technique T1021.001 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Sep. 30, 2025. [Online]. Available: https://attack.mitre.org/techniques/T1021/001/

[26] MITRE Corporation, “Remote Services: SMB/Windows Admin Shares, Sub-technique T1021.002 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: May 15, 2025. [Online]. Available: https://attack.mitre.org/techniques/T1021/002/

[27] MITRE Corporation, “Exploitation of Remote Services, Technique T1210 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Mar. 02, 2026. [Online]. Available: https://attack.mitre.org/techniques/T1210/

[28] MITRE Corporation, “Data from Local System, Technique T1005 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: May 27, 2025. [Online]. Available: https://attack.mitre.org/techniques/T1005/

[29] MITRE Corporation, “Email Collection, Technique T1114 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Mar. 02, 2026. [Online]. Available: https://attack.mitre.org/techniques/T1114/

[30] MITRE Corporation, “Exfiltration Over C2 Channel, Technique T1041 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Mar. 02, 2026. [Online]. Available: https://attack.mitre.org/techniques/T1041/

[31] MITRE Corporation, “Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Sub-technique T1048.003 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Mar. 02, 2026. [Online]. Available: https://attack.mitre.org/techniques/T1048/003/

[32] MITRE Corporation, “Data Destruction, Technique T1485 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Mar. 02, 2026. [Online]. Available: https://attack.mitre.org/techniques/T1485/

[33] MITRE Corporation, “Defacement, Technique T1491 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Mar. 02, 2026. [Online]. Available: https://attack.mitre.org/techniques/T1491/

[34] MITRE Corporation, “Disk Wipe, Technique T1561 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Mar. 02, 2026. [Online]. Available: https://attack.mitre.org/techniques/T1561/

[35] MITRE Corporation, “Data Encrypted for Impact, Technique T1486 - Enterprise | MITRE ATT&CK®,” MITRE ATT&CK®. Accessed: Mar. 02, 2026. [Online]. Available: https://attack.mitre.org/techniques/T1486/

 
