Iranian Cyber Operations 2025: Escalation, Ransomware Collaboration, and Critical Infrastructure Targeting
This baseline report was thoughtfully researched and took 10 minutes. It is meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.
We just did the initial grunt work.
Suggested Pivot
How are Iranian cyber threat actors adapting their exploitation of VPN and firewall vulnerabilities (e.g., CVE-2024-21887, CVE-2024-3400) in response to recent patching and detection efforts by U.S. critical infrastructure and cloud/SaaS providers? Understanding these adaptations is critical to preempting next-generation intrusion techniques.
TL;DR
Key Points
- Iranian state-sponsored and affiliated actors have escalated cyber operations in 2025, targeting U.S. and global critical infrastructure, cloud/SaaS, and private sectors, with a focus on exploiting VPN and firewall vulnerabilities.
- Organizations must prioritize patching, detection, and proactive defense against exploitation of CVEs such as CVE-2024-21887, CVE-2024-3400, and CVE-2024-24919.
- Pioneer Kitten and other Iranian groups are collaborating with ransomware affiliates (NoEscape, Ransomhouse, ALPHV/BlackCat), blending espionage, sabotage, and financially motivated attacks.
- Enhanced incident response, ransomware-specific tabletop exercises, and immutable backups are critical to mitigate operational and financial impact.
- Iranian actors are employing advanced persistence and evasion techniques, including passive web shells, scheduled tasks with DLL side-loading, protocol tunneling (Ligolo, NGROK), and disabling security tools.
- Endpoint detection and response (EDR), threat hunting, and continuous monitoring for Iranian TTPs are essential for early detection and containment.
- Cloud/SaaS environments and supply chain vendors are increasingly targeted for lateral movement and data exfiltration.
- Cloud Security Posture Management (CSPM), zero-trust architecture, and rigorous third-party risk management are required to reduce exposure.
- The Iran-Israel conflict is driving a surge in hacktivist operations and multi-sector targeting, with anticipated regulatory and policy responses in the U.S. and allied nations.
- Intelligence sharing, interagency coordination, and compliance with frameworks like NIST SP 800-161 are necessary for sector-wide resilience.
Executive Summary
Iranian cyber threat actors have evolved into highly capable, multi-motivated operators, leveraging both state sponsorship and ransomware affiliate partnerships to conduct espionage, sabotage, and financially motivated attacks. In 2025, the Iran-Israel conflict has catalyzed a surge in sophisticated campaigns targeting U.S. and allied critical infrastructure, energy, government, cloud/SaaS, and telecommunications sectors. Notably, groups such as Pioneer Kitten (Fox Kitten, UNC757) exploit high-profile VPN and firewall vulnerabilities (e.g., CVE-2024-21887, CVE-2024-3400) to gain initial access, deploy web shells (TEMPLEDOOR), and maintain persistence through advanced evasion techniques.
These actors increasingly collaborate with ransomware groups (NoEscape, Ransomhouse, ALPHV/BlackCat), enabling hybrid operations that combine espionage with disruptive and extortion-driven attacks. The operational model includes credential harvesting, account manipulation, protocol tunneling, and supply chain compromise, mapped to MITRE ATT&CK techniques such as T1190, T1505.003, T1078.002, and T1657.
The threat landscape is further complicated by the targeting of cloud/SaaS environments and third-party vendors, expanding the attack surface and facilitating lateral movement. Anticipated trends include the adoption of AI-driven evasion, expansion into new sectors and geographies, and increased hacktivist activity aligned with Iranian state objectives.
Defensive recommendations emphasize rapid patching of critical vulnerabilities, robust identity and access management (MFA, UEBA), advanced EDR and threat hunting, CSPM deployment, zero-trust adoption, and ransomware-specific incident response planning. Intelligence sharing and compliance with emerging regulatory frameworks are essential for resilience.
Organizations should expect continued escalation, with Iranian actors adapting TTPs to circumvent advanced defenses and exploit supply chain weaknesses. Proactive, multi-layered defense and sector-wide collaboration are imperative to mitigate the evolving threat.
Research & Attribution
Historical Context
Iranian cyber threat actors have evolved over the past decade from primarily espionage-focused groups to sophisticated operators conducting destructive and financially motivated attacks. Groups such as APT33, APT34 (OilRig), APT35 (Charming Kitten), and UNC1860 have targeted regional adversaries and global entities, especially in the Middle East and Western countries. The Iran-Israel conflict has significantly escalated cyber operations, with Iranian actors increasingly engaging in cyber espionage, sabotage, ransomware, and supply chain attacks. In 2025, these activities have intensified, reflecting Iran's strategic use of cyber capabilities to project power, retaliate, and disrupt critical infrastructure globally.
Timeline
- Pre-2017: Early Iranian cyber espionage campaigns targeting regional adversaries.
- 2017-2020: Expansion of operations with destructive malware like Shamoon and increased targeting of energy and government sectors.
- 2021-2023: Rise in ransomware and financially motivated attacks linked to Iranian actors; collaboration with ransomware affiliates.
- 2024: Increased exploitation of VPN and firewall vulnerabilities; campaigns targeting U.S. education, finance, healthcare, and defense sectors.
- 2025: Escalation of cyber campaigns linked to the Iran-Israel conflict, targeting U.S. and global critical infrastructure, energy, government, and cloud/SaaS sectors.
Origin
Iranian cyber threat actors are primarily state-sponsored or state-affiliated groups operating under the direction or influence of the Government of Iran (GOI). Attribution is supported by technical indicators, targeting patterns, and geopolitical context linking these actors to Iranian state interests. Some groups operate with direct GOI support, while others collaborate with ransomware affiliates for financial gain, sometimes independently of official sanction.
Countries Targeted
- United States – Targeted for critical infrastructure, government, and cloud/SaaS sectors amid geopolitical tensions.
- Israel – Primary target in the Iran-Israel conflict, including government, telecommunications, and critical infrastructure.
- Saudi Arabia – Regional adversary targeted for espionage and disruption.
- United Arab Emirates – Targeted for economic and political intelligence.
- Jordan – Threatened with attacks on critical infrastructure if supporting Israel.
Sectors Targeted
- Critical Infrastructure – Energy grids, water systems, transportation, and utilities targeted for espionage and sabotage.
- Energy – Oil and gas sectors targeted for economic and strategic impact.
- Government – Ministries, defense, and diplomatic entities targeted for intelligence and influence.
- Cloud/SaaS – Increasingly targeted for access to broader networks and data exfiltration.
- Telecommunications – Targeted to disrupt communications and gather intelligence.
Motivation
Iranian cyber threat actors are motivated by geopolitical objectives including intelligence gathering, retaliation against adversaries (notably Israel and the U.S.), disruption of critical infrastructure, and economic impact. Their operations support Iran's strategic goals in regional dominance, deterrence, and asymmetric warfare. Financial gain through ransomware collaboration also plays a role, though some ransomware activities may be independent of GOI sanction.
Attack Types
- Exploitation of VPN and firewall vulnerabilities (e.g., CVE-2019-19781, CVE-2024-21887, CVE-2024-3400)
- Credential harvesting and brute force attacks
- Deployment of web shells and passive backdoors for persistence
- Use of custom malware frameworks (e.g., TEMPLEPLAY, VIROGREEN, Shamoon)
- Ransomware-enabled attacks in collaboration with affiliates (NoEscape, Ransomhouse, ALPHV/BlackCat)
- Supply chain and cloud/SaaS exploitation
- Data exfiltration and destructive attacks
Notable 2025 Campaign Example
In 2025, the Iranian-affiliated group Pioneer Kitten (also known as Fox Kitten, UNC757) has been observed exploiting vulnerabilities in VPN and firewall devices (including Palo Alto Networks PAN-OS and Check Point Security Gateways) to gain initial access to U.S. organizations across education, finance, healthcare, and defense sectors. After initial access, they deploy web shells and backdoors such as TEMPLEDOOR and use tools like Meshcentral and AnyDesk for remote control. The group collaborates with ransomware affiliates NoEscape, Ransomhouse, and ALPHV (BlackCat) to conduct ransomware attacks, providing access and strategizing extortion efforts. This campaign has caused significant operational disruption and data breaches, highlighting the evolving tactics of Iranian cyber actors in 2025.
Evolving Tactics and Forecast
The Iran-Israel conflict is driving Iranian cyber actors to:
- Increase targeting of cloud/SaaS environments and supply chain vendors to maximize impact
- Employ more sophisticated persistence mechanisms, including passive backdoors that evade network detection
- Expand ransomware collaborations to monetize access while maintaining plausible deniability
- Shift focus toward U.S. critical infrastructure and private sector entities as geopolitical tensions escalate
- Anticipate increased hacktivist activity aligned with state objectives, amplifying disruptive campaigns
Organizations should prepare for heightened cyber espionage, sabotage, and ransomware threats linked to this conflict, emphasizing proactive defense and threat hunting.
Technical Mapping (MITRE ATT&CK Techniques)
- T1190 – Exploit Public-Facing Application (e.g., VPN/firewall CVEs)
- T1596 – Search Open Technical Databases (Shodan)
- T1505.003 – Server Software Component: Web Shell
- T1136.001 – Create Account: Local Account
- T1098 – Account Manipulation (exemptions to zero-trust policies)
- T1053 – Scheduled Task/Job (DLL side-loading)
- T1078.002 – Valid Accounts: Domain Accounts
- T1562.001 – Impair Defenses: Disable or Modify Tools
- T1056 – Input Capture (credential harvesting via web shells)
- T1219 – Remote Access Software (Meshcentral, AnyDesk)
- T1572 – Protocol Tunneling (Ligolo, NGROK)
- T1657 – Compromise Infrastructure (ransomware collaboration)
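The persistence and evasion behaviours listed in the key points (scheduled tasks, web shells, tunneling, disabling security tools) and the ATT&CK mapping above can be turned into simple process-creation hunting rules. The block below is an added example, not part of the report: the rules, the file paths and the sample events are constructed for illustration, and a real deployment would run the same logic over EDR or Sysmon telemetry instead of the inline list.

```python
"""Hunting rules for the ATT&CK techniques mapped above. Added illustration: the rules and
the sample events below are constructed and are not from the report or any vendor."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]  # Sysmon-style process creation: image, cmd, parent

# Paths a persistence task or side-loaded DLL should not legitimately run from.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|Public)\\", re.I)

# Constructed sample telemetry (not real events); index 5 is benign.
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'schtasks /create /tn "Updater" /tr "C:\Users\Public\svchost.exe" /sc minute /mo 5'},
    {"image": r"C:\Users\Public\ngrok.exe", "cmd": "ngrok tcp 3389", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"image": r"C:\Windows\System32\net.exe", "cmd": "net user svc_backup P@ss /add", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c whoami", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"image": r"C:\Program Files\Vendor\app.exe", "cmd": "app.exe --sync", "parent": r"C:\Windows\explorer.exe"},
]

def check(ev: Event) -> List[str]:
    """Return the ATT&CK IDs of every rule this event matches (empty list if benign)."""
    img, cmd, parent = (ev[k].lower() for k in ("image", "cmd", "parent"))
    hits: List[str] = []
    if img.endswith("schtasks.exe") and "/create" in cmd and USER_WRITABLE.search(cmd):
        hits.append("T1053")      # scheduled task persisting a payload from a user-writable path
    if parent.endswith(("w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe")) and \
            img.endswith(("cmd.exe", "powershell.exe")):
        hits.append("T1505.003")  # web server worker spawning a shell: web shell in use
    if re.search(r"net1?\.exe$", img) and " user " in cmd and "/add" in cmd:
        hits.append("T1136.001")  # local account creation
    if "set-mppreference" in cmd and "-disable" in cmd:
        hits.append("T1562.001")  # Defender tampering
    if any(t in img or t in cmd for t in ("ngrok", "ligolo")):
        hits.append("T1572")      # tunneling tools named in the report
    if img.endswith(("anydesk.exe", "meshagent.exe")):
        hits.append("T1219")      # remote access software named in the report
    return hits

def hunt(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every rule over every event; return (event index, technique) pairs."""
    return [(i, t) for i, ev in enumerate(events) for t in check(ev)]

if __name__ == "__main__":
    for idx, technique in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {technique}")
```

Each rule is deliberately narrow so that a hit is worth an analyst's time; tune the path and parent lists to your own environment before relying on them.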
Known Aliases
- APT33 (Elfin, Magnallium)
- APT34 (OilRig)
- APT35 (Charming Kitten, Phosphorus)
- Pioneer Kitten (Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm, Br0k3r, xplfinder)
- UNC1860 (initial access provider group)
Links to Other APT Groups
- Pioneer Kitten collaborates with ransomware affiliates NoEscape, Ransomhouse, and ALPHV (BlackCat)
- UNC1860 supports initial access operations for groups like APT34
- Iranian groups maintain operational links with ransomware affiliates to enable financially motivated attacks
Similar Threat Actor Groups
- NoEscape (ransomware affiliate)
- Ransomhouse (ransomware affiliate)
- ALPHV (BlackCat) (ransomware affiliate)
Breaches Involving This Threat Actor
- 2025 ransomware-enabled breaches in U.S. education, finance, healthcare, and defense sectors linked to Pioneer Kitten and affiliates
- Espionage and destructive campaigns targeting Israeli telecommunications and government sectors by UNC1860
- Supply chain compromises affecting cloud/SaaS providers facilitating broader network access