This article focuses on analyzing the most active threat actors in the context of the conflict involving Iran, United States, and Israel, as well as the U.S. operation known as Operation Epic Fury. The goal is to gain a deeper understanding of their operations, modus operandi, victimology, and other key aspects of their activity. In this installment, the focus is on cyber operations linked to the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security of Iran (MOIS).
On February 28, 2026, the United States and Israel launched a large-scale joint offensive known as Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel). Following the initial strikes, Iran responded with a multi-front retaliatory campaign that gradually escalated over the following days, evolving into a large-scale transregional conflict.

As the conflict enters its second week, several Iranian hacktivist collectives have claimed responsibility for various disruptive operations, while Iranian state-linked actors remain active despite the internet shutdown imposed after the initial strikes by the United States and Israel. On March 8, state-linked actors associated with both the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security of Iran (MOIS) conducted multiple campaigns targeting Israeli and U.S. entities. At the same time, researchers have observed an increase in campaigns aimed at government organizations across the Middle East, attributed both to known groups and to previously unseen threat actors linked to China, Belarus, Pakistan, and Hamas. These campaigns frequently use the conflict itself as thematic lure content and, in many cases, rely on compromised government accounts to distribute phishing emails.
Before examining these activities in detail, it is important to understand how the current government structure of Iran is organized, as it directly influences the country’s political decision-making and strategic direction. The system is built around a distribution of power. At the top sits the Supreme Leader of Iran, who serves as commander-in-chief of the armed forces and holds the authority to declare war or approve major military operations. Prior to authorizing such actions, the Supreme Leader consults the Supreme National Security Council (SNSC), the body responsible for coordinating both foreign and domestic security policy. The council includes senior officials appointed by the Supreme Leader as well as commanders and representatives from various military and security institutions.
The SNSC coordinates with the General Staff of the Armed Forces of Iran and the Khatam‑al Anbiya Central Headquarters, which in turn communicate with the country’s main military branches, IRGC and Artesh. Although Iran also has a president who leads the executive branch, the presidency does not exercise direct control over the armed forces. This structure makes Iran unusual among modern states, as the executive branch does not hold ultimate authority over the military, according to assessments from U.S. government sources.

Both the Islamic Revolutionary Guard Corps and the Ministry of Intelligence and Security of Iran are known for the high level of sophistication of their cyber operations. Their campaigns typically target a broad range of strategic entities, from diplomatic missions to Iranian dissidents living abroad, illustrating how Iran has increasingly integrated cyber capabilities into its covert and intelligence operations.
Minijunk Continuing Campaign
Since 2025, threat actors linked to the IRGC, specifically the group Smoke Sandstorm, have been running a campaign known as Iranian Dream Job, in which they deploy a variant of the MiniBike malware. This operation revisits a theme previously used in 2022 during the Minijunk campaign. In this new phase, the attacks have primarily targeted the healthcare sector across Europe and the Middle East, leveraging infrastructure controlled by the threat actor through subdomains hosted on Microsoft Azure (azurewebsites.net), such as systemmedicaleducation, mentalhealth-support, healthdataanalyticsrecors, and symptom-recordchecker, among others.
One of the most notable aspects of the campaign is the payload deployment technique. Smoke Sandstorm abuses the Windows DLL search order by combining DLL sideloading and DLL hijacking. The attack chain relies on the executable MigAutoPlay.exe, which sideloads the library userenv.dll. This DLL incorporates evasion techniques designed to hinder static analysis by dynamically resolving API calls, including GetModuleHandle, which is used to obtain the memory address of a module or of the executable itself. The threat actor also leverages an undocumented behavior of this function to retrieve the path of the binary, which is later passed to the low-level API RtlCreateProcessParameters. This allows the malware to launch the Microsoft Defender process SenseSampleUploader.exe, manipulate the search order, and force it to load xmllite.dll from the same directory as MigAutoPlay.exe. Finally, xmllite.dll moves both MigAutoPlay.exe and Minijunk into the AppData\Local\Microsoft directory, helping the malware maintain persistence on the compromised system.

DinDoor
In this case, the MOIS, specifically the group Mango Sandstorm, launched a campaign known as DinDoor. The operation targeted non-governmental organizations in the United States and Canada, as well as technology companies in Israel. The campaign relies on malware related to Smokest Stealer, which runs on the Deno runtime to carry out its information-theft functions, reflecting techniques commonly associated with cybercriminal groups.
In this variant, Mango Sandstorm adopts some of the information-gathering functions of Smokest Stealer to extract system data, while omitting other types of sensitive information such as cryptocurrency wallets or user credentials. The infection chain begins with a VBS script that triggers a second PowerShell script obfuscated in Base64. This script checks whether Deno is installed on the system and, if not, downloads it before executing the final stage involving DinDoor. Furthermore, data exfiltration is carried out using rclone to the IP address 18.223.24[.]218, infrastructure previously associated with other MOIS-linked campaigns.
Notably, analysis of the sample revealed metadata connected to earlier Smokest Stealer campaigns, suggesting both an expansion of the group’s capabilities and potential overlaps between Mango Sandstorm’s operations and the cybercrime ecosystem.
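The Minijunk sideloading chain and the DinDoor VBS-to-PowerShell-to-rclone chain described above lend themselves to the same kind of endpoint detection logic. The following is an added example, not code from the article or from any vendor: it runs a few rules over constructed Sysmon-style events (the field names, file paths and stager command line are assumptions; the DLL names, process names and the rclone destination address are the indicators given in the text).

```python
import base64
import re

# Constructed Sysmon-style events (assumed field names); indicators come from the article.
ENC_PS = base64.b64encode("if (-not (Get-Command deno)) { iwr deno.land/install.ps1 }"
                          .encode("utf-16-le")).decode()          # assumed stager content
EVENTS = [
    {"type": "image_load", "image": r"C:\Users\a\Downloads\MigAutoPlay.exe",
     "loaded": r"C:\Users\a\Downloads\userenv.dll"},               # sideload from same dir
    {"type": "process_create", "parent": r"C:\Users\a\Downloads\MigAutoPlay.exe",
     "image": r"C:\ProgramData\SenseSampleUploader.exe", "cmdline": ""},
    {"type": "process_create", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENC_PS},
    {"type": "network_connect", "image": r"C:\Users\a\AppData\Local\Temp\rclone.exe",
     "dest_ip": "18.223.24.218"},
]
SIDELOAD_DLLS = {"userenv.dll", "xmllite.dll"}  # DLLs abused in the Minijunk chain
EXFIL_IPS = {"18.223.24.218"}                   # rclone destination, 18.223.24[.]218 in the text

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_cmd(cmdline):
    """Return the UTF-16LE plaintext of a PowerShell -enc argument, or '' if none."""
    m = re.search(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
    except ValueError:
        return ""

def detect(events):
    """Return (rule, image, detail) tuples for events matching the chains described above."""
    alerts = []
    for ev in events:
        img = basename(ev["image"])
        if ev["type"] == "image_load":
            dll = basename(ev["loaded"])
            # A search-order DLL loaded from outside the Windows directory is the sideload signal.
            if dll in SIDELOAD_DLLS and not ev["loaded"].lower().startswith("c:\\windows\\"):
                alerts.append(("dll_sideload", img, dll))
        elif ev["type"] == "process_create":
            parent = basename(ev["parent"])
            if img == "sensesampleuploader.exe" and parent == "migautoplay.exe":
                alerts.append(("minijunk_spawn", img, parent))
            plain = decode_encoded_cmd(ev.get("cmdline", ""))
            if parent == "wscript.exe" and re.search(r"\bdeno\b", plain, re.I):
                alerts.append(("dindoor_stager", img, plain[:40]))
        elif ev["type"] == "network_connect" and img == "rclone.exe" and ev["dest_ip"] in EXFIL_IPS:
            alerts.append(("rclone_exfil", img, ev["dest_ip"]))
    return alerts
```

The first three rules key on behaviour (load location, parent-child pair, script host decoding an installer check) rather than on hashes, so they survive sample rebuilds; the rclone rule is the only pure indicator match.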

Coordinated Influence and Disinformation Campaigns
In the context of the conflict, Iranian state-linked actors have intensified their disinformation and influence campaigns in an effort to shape international public perception. These operations seek to exploit the extensive media coverage surrounding the war and often focus on narratives highlighting civilian casualties, alleged military failures, and broader geopolitical instability. To disseminate these messages, the threat actors primarily rely on social media platforms, sympathetic media outlets, and networks of coordinated accounts, aiming to influence public opinion and erode trust in the institutions of rival countries.
Among the most common themes are accusations of war crimes allegedly committed by Israel, narratives that exaggerate or fabricate military losses suffered by Israel or the United States, and unverified claims portraying Iranian cyber retaliation as highly successful. These narratives are frequently reinforced with manipulated or decontextualized material, such as old images, edited videos, or content generated with artificial intelligence, which is rapidly circulated online to increase credibility and maximize reach.
This type of activity forms part of a broader information warfare strategy in which disinformation is combined with cyber operations and influence campaigns to create uncertainty, polarize audiences, and weaken the narratives of adversaries on the international stage.
Python Backdoor – FakeSet
As part of the toolkit used by the MOIS, this Python-based backdoor was deployed in a campaign targeting entities in the United States and Canada, specifically non-governmental organizations (NGOs). In this operation, the group Mango Sandstorm leveraged several storage servers from Backblaze B2, reflecting a tactic frequently observed among Iranian state-linked actors who rely on legitimate services as part of their intrusion infrastructure. In this case, the service was used within the infection chain known as FakeSet.
The backdoor is triggered through the execution of a C/C++ executable that creates a directory containing the file main.py, which is responsible for communicating with the command-and-control (C2) server. Notably, the executable initially contains a certificate associated with the names Amy Cherne or Donald Gay, the latter of which has been observed in previous MOIS campaigns. This reuse of digital artifacts highlights the continuity of tooling and infrastructure across multiple Iranian cyber operations.

In addition, FakeSet is considered a variant of CastleLoader, a Malware-as-a-Service (MaaS) platform that provides various tools and services to the cybercrime ecosystem. The link between CastleLoader and the MOIS is reflected, for instance, in the digital certificate used in the FakeSet samples. One unusual characteristic of FakeSet is the presence of adult videos and other documents that are created within the same directory as the malware during execution.
During the analysis of the command-and-control (C2) domain mazafakaerindahouse[.]info, the phrase Mother F*cker in the House was observed. Considered alongside the embedded videos and additional files, this detail suggests potential links with threat actors from the cybercrime ecosystem. Such easter eggs are rarely seen in recent campaigns attributed to Iranian state-linked groups but are more commonly associated with ransomware operators or MaaS developers, reinforcing the hypothesis that the MOIS has affiliations within a cybercriminal network.
Spear Phishing
In another observed campaign, threat actors linked to the IRGC used spear-phishing techniques by impersonating Michael McManus, head of research at the Henry Jackson Society. The attackers used the email address McManus.Michael@hotmail[.]com to target a researcher at a think tank in the United States. The email included a PDF document titled Air Defense Depletion & Deterrence in the Middle East.pdf. When opened, the document redirected the victim to a Microsoft OneDrive link that already contained the victim’s email address embedded in the URL, a technique designed to build trust and simulate a legitimate document-sharing interaction.
The attacker later sent a second link from the domain transfergocompany[.]com, which ultimately redirected the victim to a phishing page hosted on fileportalshare.netlify[.]app. This page mimicked a OneDrive file-sharing portal and was intended to capture the victim’s login credentials.
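Two traits of the links in this campaign can be checked statically by a mail gateway or an analyst: a sharing link that already carries the recipient's own address, and file-sharing wording on a host that is not Microsoft's. The block below is an added example, not code from the article; the email body and recipient address are constructed, and the hosts are the article's indicators refanged so they parse.

```python
import re
from urllib.parse import unquote, urlparse

MS_SHARE_DOMAINS = ("onedrive.live.com", "1drv.ms", "sharepoint.com")  # legitimate hosts
SHARE_WORDS = ("onedrive", "sharepoint", "fileportal", "fileshare")    # lookalike wording
URL_RE = re.compile(r"https?://[^\s<>]+")

# Constructed email; the hosts are the article's indicators, refanged so they parse.
RECIPIENT = "analyst@thinktank.example"
EMAIL_BODY = """Please find the paper attached.
Preview: https://onedrive.live.com/share?id=ABC123&email=analyst%40thinktank.example
Updated copy: https://transfergocompany.com/download/2891
Portal: https://fileportalshare.netlify.app/onedrive/login
Reference: https://www.example.org/reports/air-defense"""

def is_ms_domain(host):
    return any(host == d or host.endswith("." + d) for d in MS_SHARE_DOMAINS)

def check_link(url, recipient):
    """Return the suspicious traits of one URL taken from the email body."""
    traits = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # 1. The recipient's own address is baked into the link: the pre-filled "trust" hint.
    if recipient.lower() in unquote(url).lower():
        traits.append("recipient_in_url")
    # 2. File-sharing wording on a host that is not Microsoft's: a portal lookalike.
    if any(w in (host + parsed.path).lower() for w in SHARE_WORDS) and not is_ms_domain(host):
        traits.append("sharing_lookalike")
    return traits

def triage(body, recipient):
    """Map every URL in the body to its traits; an empty list means no static trait fired."""
    return {url: check_link(url, recipient) for url in URL_RE.findall(body)}
```

The intermediate redirector (transfergocompany[.]com) shows no static trait at all, which is the point of using one; a link like that is only judged by resolving its redirect chain in a sandbox.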

Cybercrime Affiliations
In recent years, several Iranian state-linked actors have intensified their cooperation with groups from the cybercrime ecosystem, particularly ransomware operators, in order to expand and strengthen their operational capabilities. In particular, actors associated with the MOIS have increasingly relied on tools and services commonly used in cybercrime, including Malware-as-a-Service, shared infrastructure, access brokers, underground marketplaces, and collaborations with other threat actors. These relationships allow them to leverage resources already established within the criminal ecosystem, improving the effectiveness of their campaigns while also complicating attribution efforts.
Among these interactions are the sale or exchange of network access with both access brokers and ransomware operators such as ALPHV and RansomHouse. In many cases, these initial accesses are obtained through the exploitation of known vulnerabilities within victims’ infrastructure. Additionally, several reports have pointed to possible links between the MOIS and criminal networks such as the Zindashti Network, led by Naji Ibrahim Sharifi-Zindashti. This organization, associated with drug trafficking and other illicit activities, has reportedly cooperated with MOIS in extraterritorial repression operations targeting Iranian dissidents in Germany, the United States, and other allied countries, including kidnappings, intimidation, and assassinations.

At the same time, several pro-Iranian collectives have claimed responsibility for attacks against regional infrastructure and organizations. Among them is Dark Storm Team, which has been linked to DDoS and extortion campaigns targeting Israeli banks and websites, along with other groups such as DieNET, Cyber Av3ngers, 313 Team, Sylhet Gang, and Evil Markhors. Operations attributed to these actors have affected a wide range of targets, from Israeli technology and energy companies such as VigilAir, to Turkish media outlets, SCADA/PLC systems in Israel and other countries, and various forms of regional infrastructure.

Reported targets have included airports in Bahrain, Sharjah, and Riyadh, as well as financial institutions such as Riyad Bank and Bank of Jordan. These activities have also included doxing campaigns targeting Israeli officials. In some instances, the operations have been linked to attempted sabotage against critical infrastructure in Jordan, highlighting the growing convergence between state-linked operations, aligned hacktivist groups, and cybercriminal actors within the broader pro-Iranian cyber ecosystem.

TTPs
To understand how Iranian state-linked actors from both the MOIS and the IRGC conduct their cyber operations, we can apply the Diamond Intrusion Model. This framework allows us to identify the key hallmarks of the campaigns carried out at the onset of Operation Epic Fury and Operation Roaring Lion, making it easier to understand their modus operandi and how they adapt to different targets. It provides not only a clearer picture of Iranian state-linked actors’ strategies but also tools to anticipate and counter future attacks.
By breaking down the model into its components (infrastructure, capabilities, victims, and techniques), we gain a more detailed view of the tactics employed by these groups. The infrastructure component shows how both the IRGC and the MOIS manage their resources and conceal themselves behind fraudulent domains and services, while the capabilities component reveals their level of sophistication and the tools they use to carry out their operations.

Victimology
Analysis of the victimology associated with Iranian operations during the conflict shows that their primary targets are concentrated in the United States, United Arab Emirates, and Israel. These countries are frequently targeted due to their geopolitical significance and their connections to actors that both the IRGC and the MOIS consider adversaries.
The sectors most affected include government entities, critical infrastructure, telecommunications companies, non-governmental organizations (NGOs), and defense-related institutions. These sectors are often the focus of espionage campaigns and initial access operations, reflecting Iranian state-linked actors’ strategic interest in gathering intelligence and maintaining a foothold in high-value environments.
Overall, Iran continues to advance its cyber operations with increasing sophistication. Its approach combines innovative tools with compromised infrastructure and legitimate cloud services, enabling malware deployment and the exfiltration of sensitive information more discreetly.
Studying these campaigns is essential to understanding the tactics, techniques, and procedures employed by actors linked to the IRGC and MOIS. This knowledge supports the generation of strategic and actionable intelligence, enhancing capabilities for prevention, detection, and response against advanced threats.
For more information on the Indicators of Compromise (IoCs) associated with these campaigns, specialized representatives are available to provide guidance.