✅ Report Title: Iran APT Landscape Report: State-Sponsored Cyber Threats in an Era of Active Conflict
✅ Executive Summary:
- Recently, the United States and Israel conducted a joint military operation attacking Iranian military strongholds, and as military tensions have escalated, a pattern of inter-state conflict spreading into cyberspace has emerged.
- This report analyzes the attack campaigns of Iranian-backed APT groups active from 2024 through March 2026.
📌 Internal Structure
- Iran's state cyber apparatus is largely composed of two core institutions: the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS).
- IRGC (Islamic Revolutionary Guard Corps): A military organization under the direct control of the Supreme Leader.
- MOIS (Ministry of Intelligence and Security): An intelligence agency under the Iranian government that performs cyber operations specializing in long-term infiltration and information collection.
📌 Threat Details
- A total of 10 Iranian-backed APT groups known to be active from 2024 to 2026 have been identified: APT42, APT34, MuddyWater, CyberAv3ngers, BladedFeline, Peach Sandstorm, Storm-2035, Void Manticore, APT35, and Pioneer Kitten.
- Summarizing the industry targeting of the 10 Iranian-backed APT groups analyzed in this report, Government and Energy/Oil & Gas emerged as the most extensively targeted sectors.
- Government in particular is a core or recurring target for most groups (all except APT34 and CyberAv3ngers), making it the most universally targeted industry across all Iranian-backed threat activity.
- Furthermore, it has been confirmed that the Energy/Oil & Gas sector is being intensively attacked by APT34, MuddyWater, CyberAv3ngers, and Peach Sandstorm, suggesting that Iran consistently prioritizes the energy sector as a target linked to national strategic assets.
📌 Key Attack Trends
- An analysis of the attack campaigns of 10 Iranian-backed APT groups identified between 2024 and 2026 has revealed the following major trends.
- Expansion of Attack Targets and Scope: Iranian cyber operations have expanded well beyond the government, energy, and defense sectors in the Middle East. Their scope now includes high-level individuals, election campaign officials, critical infrastructure (such as water resources and finance), and global IT service supply chains. Furthermore, there is a strengthening trend toward retaliatory attacks designed to cause physical destruction and social chaos.
- Advancement and Diversification of Attack Methods: There is increasing use of custom backdoors (such as NICECURL, TAMECAT, and MuddyViper) developed in-house in languages like Rust, Go, and C++. These threat actors actively employ sophisticated evasion techniques, including fileless/memory-based execution, DLL side-loading, and steganography, to significantly raise the difficulty of detection.
- Exploitation of Legitimate Tools and Cloud Environments: Threat actors are abusing legitimate Remote Monitoring and Management (RMM) tools such as SimpleHelp, Atera, ngrok, and AnyDesk, as well as cloud services including Telegram, Discord, Google Sites, and Cloudflare Workers, as channels for C2 communication and malware distribution. By disguising their activities as legitimate traffic, they effectively obfuscate attack attribution.
- Social Engineering and MFA Bypass Techniques: APT42 first builds trust by impersonating journalists or colleagues and by using typosquatting domains, then bypasses multi-factor authentication and steals cloud credentials through real-time 2FA relay attacks, including fake MFA prompts and the exploitation of app passwords.
✅ Recommended Threat Detection and Mitigation Actions:
📌 Private Sector Information Security Officer
- Authentication and Account Access Control: Minimize MFA phishing and session hijacking-based bypass attacks by implementing hardware-based MFA or FIDO/WebAuthn standards. Additionally, conduct regular audits of cloud environment access permissions and minimize the use of alternative authentication methods, such as app passwords, where MFA is not applied.
- SW and Service Usage Restrictions: To block the potential misuse of legitimate Remote Monitoring and Management (RMM) and tunneling tools such as Ngrok, AnyDesk, TeamViewer, and Ligolo, apply whitelist-based control policies restricted only to essential users.
- Security Awareness and Training: Regularly conduct tailored security education and simulation training—including cases of sophisticated social engineering spear-phishing, MFA Fatigue, and OAuth authentication phishing—to enhance security awareness among employees.
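As an added example (not code from the S2W report), the following Python sketch applies the allowlist recommendation above to the RMM and tunneling tools the report names as abused for C2: it parses constructed endpoint telemetry lines, flags any watched tool run or resolved by a (user, host) pair that is not approved, and surfaces traffic to the cloud services listed as C2 channels for analyst review. The process names, domains, allowlist entries, and log format are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not S2W code. Process names and domains are assumptions for
# illustration, not indicators from the report; the tools are those it names as abused.
WATCHED_TOOLS: Dict[str, Dict[str, set]] = {
    "ngrok":      {"procs": {"ngrok.exe"},      "domains": {"ngrok.io", "ngrok-free.app"}},
    "anydesk":    {"procs": {"anydesk.exe"},    "domains": {"anydesk.com"}},
    "teamviewer": {"procs": {"teamviewer.exe"}, "domains": {"teamviewer.com"}},
}
# Cloud services the report names as C2 channels: too common to block outright, so
# traffic to them is surfaced for review rather than treated as a violation.
CLOUD_C2_DOMAINS = {"api.telegram.org", "discord.com", "sites.google.com", "workers.dev"}
# Allowlist of (user, host) pairs and the tools each may legitimately run (assumed).
ALLOWLIST: Dict[Tuple[str, str], set] = {("it-admin", "HELPDESK-01"): {"anydesk", "teamviewer"}}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> Dict[str, str]:
    return dict(FIELD_RE.findall(line))  # constructed key=value telemetry format

def domain_matches(query: str, suffixes: set) -> bool:
    q = query.lower()
    return any(q == s or q.endswith("." + s) for s in suffixes)

def tool_for(ev: Dict[str, str]) -> Optional[str]:
    """Map a process-start or DNS event to a watched tool name, if any."""
    exe = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    for name, sig in WATCHED_TOOLS.items():
        if ev.get("event") == "process" and exe in sig["procs"]:
            return name
        if ev.get("event") == "dns" and domain_matches(ev.get("query", ""), sig["domains"]):
            return name
    return None

def evaluate(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (severity, host, user, reason) for each line that needs attention."""
    findings = []
    for ev in map(parse_line, lines):
        user, host = ev.get("user", "?"), ev.get("host", "?")
        tool = tool_for(ev)
        if tool and tool not in ALLOWLIST.get((user, host), set()):
            findings.append(("high", host, user, f"unapproved {tool} ({ev['event']})"))
        elif ev.get("event") == "dns" and domain_matches(ev.get("query", ""), CLOUD_C2_DOMAINS):
            findings.append(("review", host, user, f"possible cloud C2 channel: {ev['query']}"))
    return findings

SAMPLE_LOG = [  # constructed sample telemetry, not real logs
    r"ts=2026-03-02T09:14:03Z host=HELPDESK-01 user=it-admin event=process image=C:\ProgramData\AnyDesk\AnyDesk.exe",
    r"ts=2026-03-02T09:20:11Z host=FIN-PC-17 user=j.park event=process image=C:\Users\j.park\AppData\Local\Temp\ngrok.exe",
    r"ts=2026-03-02T09:20:15Z host=FIN-PC-17 user=j.park event=dns query=tunnel.ngrok-free.app",
    r"ts=2026-03-02T10:02:40Z host=ENG-WS-03 user=m.lee event=dns query=api.telegram.org",
]
```

Running `evaluate(SAMPLE_LOG)` yields two high-severity findings for the unapproved ngrok use on FIN-PC-17 and one review item for the Telegram API lookup, while the approved AnyDesk session on HELPDESK-01 produces nothing.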
📌 Public Sector Officer
- Threat Intelligence Sharing and Alert Correlation: Proactively share the TTPs used by Iranian-backed APT groups among related organizations by reflecting them in the national cyber risk alert system and threat intelligence sharing platforms (such as C-TAS).
- Vulnerability Assessment for Middle East-Related Institutional Assets: Public institutions and their subsidiaries in sectors such as energy, defense, and finance that have economic or diplomatic ties to the Middle East should consider the possibility of becoming indirect targets of Iranian-backed groups. These organizations must periodically inspect the status of internet-exposed assets within their networks and verify that patches for the CVEs listed in this report have been applied.
- Establishment of Incident Response Procedures: Since Iranian APT groups have been observed transitioning to destructive attacks using wiper-type malware during the attack process, incident response procedures (data backup, network isolation procedures, and data recovery plans) for such scenarios must be reviewed and established.
- Enhancing Industrial Control System Security: Minimize direct connections to external internet for critical Industrial Control Systems (ICS/OT), including PLCs and SCADA, and apply strict network segmentation policies between OT and IT networks.
- Additionally, introduce abnormal behavior and protocol control solutions specialized for ICS environments, apply VPN and Multi-Factor Authentication (MFA) for remote maintenance access, and restrict the use of unauthorized remote access tools in OT environments.
🧑‍💻 Author: S2W TALON
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request or with a subscription to the S2W platform.