Following the joint military operation known as Operation Epic Fury, the Tenable Research Special Operations (RSO) team is providing an update regarding potential cyber counteroffensive operations conducted by Iran-linked threat actors.
Key takeaways:
- Following Operation Epic Fury, Iran-linked threat actors are expected to launch counteroffensive operations against critical infrastructure and opportunistic targets.
- Several Iranian-linked threat groups are affiliated with organizations including the IRGC and MOIS, including the revived Altoufan Team and HANDALA.
- Review and patch the known vulnerabilities exploited by these threat actors and prepare for heightened DDoS and botnet activity in the near term.
Background
On February 28, 2026, the United States and Israel launched Operation Epic Fury, a series of military operations against Iran. As a result, Iran-linked threat actors are expected to launch cyber counteroffensive operations against the United States, Israel and other countries. Critical infrastructure providers as well as other opportunistic targets are likely at risk.
Analysis
Over the last several years, Iranian-nexus threat groups have shifted from stealthy espionage activity to destructive and retaliatory attacks as geopolitical tensions have risen. Wiper malware and ransomware attacks have ramped up in frequency and destructive capabilities as attackers have pivoted to targeting critical infrastructure, including those in Western countries.
Iranian Threat Actor Affiliations
Iranian state-sponsored cyber operations span across multiple groups, from advanced persistent threat (APT) actors to hacktivist fronts linked to both military and civilian agencies. These groups operate under, or maintain ties to, the following organizations:
- Islamic Revolutionary Guard Corps (IRGC): Parallel military force separate from Iran’s regular armed forces
- IRGC Intelligence Organization (IRGC-IO): The intelligence arm within the IRGC, focused on surveillance and counterintelligence
- IRGC Cyber-Electronic Command (IRGC-CEC): The IRGC’s dedicated cyberwarfare unit
- Ministry of Intelligence and Security (MOIS): Iran’s civilian intelligence ministry, combining roles analogous to the CIA and FBI
| Group | Aliases | Affiliation | Operational Focus |
|---|---|---|---|
| Banished Kitten | Void Manticore, Red Sandstorm, Storm-0842, Dune | MOIS | Conducts destructive operations under hacktivist-style personas including HomeLand Justice, Karma, and HANDALA |
| CyberAv3ngers | – | IRGC-CEC | Targets operational technology (OT) and programmable logic controllers (PLCs) in water and wastewater systems |
| APT34 | OilRig, Helix Kitten, Hazel Sandstorm, Earth Simnavaz, COBALT GYPSY, Crambus, TA452, Evasive Serpens, ITG13 | MOIS | Exploits internet-facing infrastructure to conduct espionage against energy, telecommunications and government targets |
| MuddyWater | Mango Sandstorm, Static Kitten, Seedworm, Earth Vetala, MERCURY, TEMP.Zagros, TA450 | MOIS | Uses legitimate remote monitoring and management (RMM) tools to target telecommunications and government organizations |
| APT42 | Damselfly, UNC788, Yellow Garuda, CharmingCypress, Educated Manticore, Mint Sandstorm* | IRGC-IO | Harvests credentials from journalists, academics, activists and policy researchers through social engineering |
| Cotton Sandstorm | Haywire Kitten, Marnanbridge, NEPTUNIUM | IRGC-CEC | Conducts hack-and-leak campaigns and influence operations under personas including Altoufan Team |
| APT35 | Charming Kitten, Mint Sandstorm*, TA453, ITG18, Newscaster, COBALT ILLUSION, Agent Serpens | IRGC | Conducts espionage campaigns targeting government, defense and energy organizations |
| Pioneer Kitten | Fox Kitten, Lemon Sandstorm, UNC757, Parisite, RUBIDIUM, Br0k3r, xplfinder | IRGC | Exploits internet-facing devices and brokers access to ransomware affiliates |
| Agrius | Pink Sandstorm, Agonizing Serpens, AMERICIUM, BlackShadow, Spectral Kitten | MOIS | Deploys wiper malware disguised as ransomware against Israeli organizations |
| Imperial Kitten | Tortoiseshell, Crimson Sandstorm, TA456, Yellow Liderc, CURIUM | IRGC | Uses social engineering to target Israeli transportation and logistics organizations |
| CyberToufan | – | Unknown | Targets Israeli corporations with data theft and leak operations |
* Note: Mint Sandstorm is a composite label spanning both APT35 and APT42
Recent reports of Iranian cyber-operations activity
Following the military operations on February 28, researchers have reported probing and staging activities linked to Iranian threat actors, including the revival of the ALTOUFAN TEAM persona tied to Cotton Sandstorm. There have been reports on social media from Iran government-linked hackers warning of “massive cyber attacks in the coming hours.” It’s unclear if successful attacks have taken place. Cyber-analysts should expect increased botnet and distributed denial-of-service (DDoS) activity.
Ongoing monitoring
Tenable’s RSO continues to monitor for new intelligence on counteroffensive attacks by Iran-linked threat actors. We will publish updates as these developments are confirmed.
Identifying affected systems
Iranian threat actors have historically exploited known vulnerabilities in internet-facing devices and applications. A list of Tenable plugins for the vulnerabilities known to be associated with Iranian threat actors can be found here.
Get more information
Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
