logo svg
logo

July 13, 2026

Updated: July 13, 2026

Iranian APT Groups: Names, Aliases, Targets, and Defenses

A source-led guide to major Iranian APT groups, vendor naming differences, recent advisories, target patterns, OT risk, and prioritized enterprise defenses.

Mohammed Khalil

Mohammed Khalil

Featured Image

Iranian APT groups are intrusion sets and cyber operators that credible public sources associate with Iranian state interests. Priority examples include APT33, OilRig/APT34, Magic Hound/APT35, APT42, MuddyWater, APT39, Fox Kitten, UNC1860, and the OT-focused CyberAv3ngers. This is not a definitive ranking: vendors may assign different names to overlapping but not necessarily identical activity. Temporary clusters, access providers, destructive units, and public personas further complicate the picture. This guide reconciles source-owned names cautiously, distinguishes assessed relationships from confirmed cross-references, and turns the observed behavior into defensive priorities for enterprise, cloud, identity, and OT teams.

Key takeaways

How to use this guide: Use the naming crosswalk to reconcile labels, the at-a-glance table to compare scope, the behavior matrix to plan detection, and the decision tree to set defensive priority. This is an evergreen decision guide, not a live IOC feed.

Methodology and relationship labels

Scope and verification methodology: This guide includes actors with credible public-source assessments connecting their activity to Iranian state interests. Inclusion reflects source quality, recency, operational relevance, and distinct defensive implications not a claim to list every Iranian actor. Names follow the organizations that originated or maintain them. “Active” is used only when dated reporting supports recent activity. Current infrastructure and indicators are time-sensitive, while an absence of recent reporting does not prove inactivity. Attribution remains an analytic assessment, not mathematical certainty.

Relationship labelMeaning in this article
Verified or explicit cross-referenceA reliable source directly maps the names, although vendor scopes can still differ.
Associated or overlapping activityA source reports meaningful commonality without establishing complete equivalence.
RelatedAn operational, organizational, tooling, or targeting connection that does not prove identity.
Temporary or developing clusterA provisional label, such as a Mandiant UNC or Microsoft Storm-#### designation.
Persona or frontA public identity used to claim, amplify, or obscure operations.
Disputed or unconfirmedEvidence is incomplete, contested, or inconsistent across sources.

What Are Iranian APT Groups?

In this context, an advanced persistent threat is an intrusion set that researchers track over time because its objectives, resources, access methods, or operating patterns suggest sustained, coordinated activity. “APT” describes analytical tracking and operational persistence; it is not a universal certification of sophistication.

Public sources use several attribution terms:

These terms are not interchangeable. For example, U.S. Cyber Command identifies MuddyWater as a subordinate element of Iran’s Ministry of Intelligence and Security, while MITRE describes APT33 more cautiously as a suspected Iranian group. For wider context, see DeepStrike’s guide to state-sponsored hacking and APT threats.

Not every Iranian hacktivist channel, data-leak account, cybercriminal, or geopolitical persona is an APT. A persona may front for a state unit, amplify stolen data, exaggerate responsibility, or operate independently. Attribution can also change when researchers obtain new telemetry or split a previously broad cluster into narrower groups.

Why Are Iranian Threat-Actor Names So Confusing?

Threat-intelligence vendors name what they can observe. One vendor may track an operational team; another may track shared infrastructure, a phishing program, a malware deployment cluster, or activity believed to serve the same sponsor. Their observation windows and evidence differ.

Microsoft currently assigns weather-themed names by assessed origin Sandstorm for Iran and uses Storm-#### for temporary or developing clusters. MITRE maintains group pages that list “associated groups,” but association should not automatically be interpreted as exact identity. Mandiant uses numbered APT labels for established groups and UNC labels for uncategorized clusters. The Microsoft naming taxonomy and MITRE ATT&CK group catalog therefore serve related but different purposes.

Is APT42 the same as APT35 or Charming Kitten?

Not as a universal cross-vendor identity. Mandiant tracks APT42 as an IRGC Intelligence Organization-linked espionage group and reports activity overlap with labels including Charming Kitten, Mint Sandstorm, Phosphorus, and TA453. MITRE nevertheless states that APT42 and Magic Hound have overlapping behavior and software but “appear to be distinct entities” and preserves the originating vendor’s separation. Defenders should retain both scopes unless a specific source explicitly maps a particular campaign.

Is MuddyWater the same as APT34 or OilRig?

Maintained sources track them separately. Microsoft maps MuddyWater-related activity to Mango Sandstorm, while OilRig/APT34 maps to Hazel Sandstorm. MITRE also maintains separate MuddyWater and OilRig profiles. Similar regional targeting, government affiliation, or tooling is not sufficient evidence to merge them.

Crosswalk of Iranian APT group names across MITRE, Microsoft, Mandiant, and other threat-intelligence taxonomies, with exact and partial relationships labeled.

Iranian threat-actor names reflect different vendor scopes; a shared line does not always mean identical groups.

Legend: Solid connectors indicate an explicit source cross-reference. Dashed connectors indicate associated or overlapping activity. “Related” does not mean identical; temporary labels remain provisional; uncertain relationships remain unconfirmed. Sources: Microsoft’s naming taxonomy, MITRE ATT&CK profiles, and Google Threat Intelligence research.

Iranian APT Groups at a Glance

Article labelNames explicitly mapped by named sourcesAssessed affiliationPrimary missionCommonly reported targetsRecent public reportingRelationship confidenceBest sources
APT33Peach Sandstorm (Microsoft); Elfin and HOLMIUM listed by MITRESuspected Iranian; Microsoft assesses an IRGC connectionIntelligence collection and accessAerospace, satellite, energy, government; U.S. and Middle EastMicrosoft reported April–July 2024 activity on Aug. 28, 2024Verified cross-references; vendor scopes may differMITRE; Microsoft
OilRig / APT34Hazel Sandstorm (Microsoft); OilRig and APT34 cross-referenced by MITRESuspected Iranian government nexus; specific unit not publicly settledEspionage and persistent accessGovernment, energy, finance, chemicals, telecom; especially Middle EastTrend Micro published Earth Simnavaz observations on Oct. 11, 2024Explicit cross-references; broad vendor scopesMITRE; Trend Micro
Magic Hound / APT35Mint Sandstorm (Microsoft); Charming Kitten, Phosphorus and TA453 listed by MITREIranian-sponsored; public sources commonly assess IRGC linksEspionage and targeted social engineeringOfficials, military personnel, researchers, journalists and civil societyMicrosoft described activity beginning in Nov. 2023, published Jan. 17, 2024Explicit associations within each source; composite scope caveatMITRE; Microsoft
APT42Mandiant’s APT42; overlap reported with Charming Kitten, Mint Sandstorm and TA453Mandiant assesses with high confidence that it operates for the IRGC Intelligence OrganizationEspionage, surveillance and credential collectionNGOs, media, academia, legal services, policy personnel and activistsGoogle TAG reported expanded phishing activity on Aug. 14, 2024Associated/overlapping, not universal equivalence with APT35MITRE; Mandiant; Google TAG
MuddyWaterMango Sandstorm (Microsoft); Seedworm, Mercury and Static Kitten listed by MITREU.S. Cyber Command identifies it as subordinate to MOISEspionage, access and intelligence collectionGovernment, telecom, finance, defense, energy and other organizations globallySymantec and Unit 42 published U.S.-focused reporting in March 2026Explicit cross-references with scope differencesMITRE; U.S. Cyber Command; Symantec
APT39Chafer and Remix Kitten listed by MITRE; Rana is a DOJ-linked front, not an aliasU.S. authorities link APT39/Rana activity to MOISSurveillance and intelligence collectionTravel, hospitality, telecom, government and academiaMaintained profile used; no recent campaign claim is made hereExplicit government linkage; Rana classified as a frontMITRE; DOJ
Fox Kitten / Pioneer KittenLemon Sandstorm (Microsoft); UNC757, Parisite, Pioneer Kitten and RUBIDIUM in MITRE/CISAIran-based; precise organizational affiliation remains less settled publiclyInitial access, intelligence support and ransomware enablementGovernment, defense, healthcare, finance, education and technologyJoint advisory AA24-241A, Aug. 28, 2024Explicit campaign cross-references; unit-level confidence lowerMITRE; CISA AA24-241A
UNC1860Mandiant provisional label; parallels with Shrouded Snooper, Scarred Manticore and Storm-0861Mandiant assesses likely MOIS associationProbable initial access and persistent footholdsMiddle Eastern government and telecommunications networksMandiant report, Sept. 19, 2024Temporary/developing cluster; overlaps do not establish identityMandiant
CyberAv3ngersShahid Kaveh Group mapped by CISA for prior activity; Soldiers of Solomon is related in MITREU.S. agencies associate prior activity with IRGC Cyber-Electronic CommandOT disruption and public claimsWater, energy and other operators using exposed PLCsAA26-097A, Apr. 7, 2026, cites similar 2023 activity but does not name the 2026 actorExplicit for prior CyberAv3ngers/Shahid Kaveh mapping; new activity unattributed at group levelMITRE; CISA AA26-097A

Other relevant Iranian-linked clusters and personas

These examples should not be treated as equivalent categories:

Recent context: Symantec's March 2026 overview also covers Marshtreader (Pink Sandstorm/Agrius) and DieNet. Keep these source-specific labels outside the core APT table; they are not aliases for the groups above.

Priority Actor Profiles

APT33 / Peach Sandstorm

OilRig / APT34 / Hazel Sandstorm

Magic Hound / APT35 / Mint Sandstorm

APT42

MuddyWater / Mango Sandstorm

APT39 / Chafer / Rana-linked activity

Fox Kitten / Pioneer Kitten / Lemon Sandstorm

UNC1860

CyberAv3ngers / Shahid Kaveh Group

What Recent Advisories Show: 2024–2026

DateIssuerActor or activity label used by issuerAffected assets or sectorsWhat was observedDefender actionWhat the source does not prove
2024-08-28CISA, FBI, DC3 and NSAFox Kitten, Pioneer Kitten, UNC757, Parisite, RUBIDIUM and Lemon SandstormEducation, municipal government, finance, healthcare and other exposed networksIran-based actors developed access and enabled ransomware affiliatesPatch exposed products, restrict remote administration, investigate beyond the edge device and reset affected credentialsIt does not attribute every ransomware incident involving an exposed product to this group. AA24-241A
2024-10-16FBI, CISA, NSA and international partnersIranian cyber actors; no enduring group name assignedHealthcare, government, IT, engineering and energyPassword spraying, MFA push bombing, valid-account use and modification of MFA registrationsUse phishing-resistant MFA, detect distributed spraying and abnormal prompts, and review account registration changesSome later activity or indicators may belong to criminal buyers of access; an indicator alone is not sufficient attribution. AA24-290A
2025-06-30NSA, CISA, FBI and DC3Iranian government-affiliated actors and potentially aligned hacktivistsVulnerable U.S. networks and strategically relevant entitiesAgencies warned of potential targeting where systems were outdated or used weak/default credentialsPatch internet-facing systems, remove defaults, strengthen authentication and monitor remote accessThis was a risk warning, not proof that a named group had compromised a particular organization. Joint statement
2026-03-05Symantec Threat Hunter TeamSeedworm/MuddyWaterSelected U.S. companies and a Canadian NGO, including finance, aviation and softwareActivity beginning in February 2026 used legitimate tools and sought data from several environmentsReview account and remote-tool use, endpoint execution, staging and outbound transfersThis vendor-observed sample is not a complete victim count or government attribution of every event. Symantec research
2026-04-07CISA, FBI, NSA, EPA, DOE and CNMFIranian-affiliated APT actors; prior similar activity linked to CyberAv3ngers/Shahid KavehInternet-facing PLCs in government services, water/wastewater and energyPLC access, operational disruption and manipulation of HMI/SCADA-related data or displaysRemove direct PLC exposure, use secure gateways and MFA, retain offline configurations and monitor control changesThe advisory does not name the March 2026 actor as CyberAv3ngers or prove all PLC brands face identical exposure. AA26-097A

Each row describes a different source scope. The table must not be read as a single continuous campaign or a universal Iranian operating model.

Commonly Observed Behaviors and ATT&CK Patterns

Iranian-linked activity is better understood as a collection of source-specific behaviors than as one merged ATT&CK profile. The following matrix maps documented examples to defensible telemetry and control goals.

Related: DeepStrike’s phishing statistics and trends and compromised credential trends.

Observed behaviorSource-backed example and ATT&CK referenceUseful telemetryDefensive control objectiveAttribution boundary
Targeted social engineering and credential phishingAPT42 and Magic Hound reporting; T1566 PhishingEmail security, identity provider, browser, DNS and account-recovery logsProtect high-risk users; detect impersonation, unusual login transitions and recovery changesNot every phishing attempt targeting a policy role is APT42
Password spraying and valid-account accessAA24-290A; T1110.003 Password Spraying, T1078/T1078.004 Valid AccountsAuthentication failures, successful logins, source distribution, device and ASN changesRate-limit and detect spraying; require strong MFA; investigate successes after failure burstsThe advisory warns that access may later pass to criminal actors
MFA fatigue or push bombingAA24-290A; T1621 Multi-Factor Authentication Request GenerationMFA prompts, denials, approvals, help-desk and registration changesUse number matching or phishing-resistant MFA; alert on repeated prompts and new registrationsRepeated prompts indicate risk, not actor identity
Exploitation of public-facing systemsFox Kitten and UNC1860 reporting; T1190 Exploit Public-Facing Application where mappedWAF, edge, VPN, appliance, process, network and configuration logsPrioritize known exploited perimeter flaws; restrict management access; validate device integrityShared vulnerabilities are not actor-specific
Cloud and SaaS account accessAPT42 and AA24-290A; valid cloud accounts mapped in the advisoryIdentity provider, SaaS audit, OAuth consent, token, mailbox and session logsControl consent, session lifetime, account recovery and risky sign-insA cloud login alone cannot establish attribution
Legitimate administration and remote toolsMuddyWater/Seedworm research; T1219 Remote Access Software where the source maps itEndpoint process, software inventory, network egress and remote-support logsAllowlist approved tools, identify unusual operators and constrain privileged useThe same tools are used legitimately by administrators
Collection and exfiltrationMuddyWater, APT39 and APT42 reportingEndpoint, cloud storage, email, DLP, proxy and network-flow logsDetect unusual searches, staging, mailbox access and outbound transfersCollection patterns vary by actor and objective
Wipers, ransomware-like cover and hack-and-leakVoid Manticore, personas, and access-enablement reportingIdentity, virtualization, backup, endpoint, storage and admin-platform logsProtect administrative planes and backups; rehearse destructive and disclosure scenariosA public claim or ransom note is not independent attribution
Internet-exposed OT and PLC accessAA26-097A; T0883 Internet Accessible Device, T1565 Stored Data Manipulation, T1219 Remote Access ToolsFirewall, gateway, engineering workstation, PLC/HMI configuration and protocol logsRemove direct exposure, authenticate remote access, baseline logic/configuration and monitor changesThe 2026 advisory does not identify every operator or affected PLC model
DeepStrike framework mapping Iranian threat-actor behaviors to exposure reduction, identity security, detection coverage, and resilience actions.

Sources: CISA AA24-290A, CISA AA26-097A, MITRE ATT&CK, and the named primary research above. The model does not claim that every actor uses every behavior.

Which Organizations Should Prioritize This Threat?

Priority should reflect mission, exposure and consequences—not nationality or ethnicity.

Relevance signalExamplesWhy it mattersSuggested priorityFirst safe action
Strategically relevant mission or relationshipsGovernment, defense, policy, diplomacy, energy, telecom, research or organizations supporting U.S., Israeli, Gulf or Iranian-policy interestsThese roles recur in government and primary-vendor reportingHigh when combined with exposed systems or high-risk peopleReview current advisories, external exposure and identity controls
Internet-facing edge or remote accessVPNs, firewalls, public applications, remote-management services and appliancesMultiple actors pursue known vulnerabilities or weak credentialsHighInventory, patch, restrict management paths and inspect for compromise
Internet-exposed OTPLCs, HMIs, SCADA gateways and vendor remote accessAA26-097A documents operational and financial effectsImmediateRemove direct PLC exposure and involve the asset owner before changes
High-risk individualsExecutives, diplomats, researchers, journalists, activists, legal personnel and policy expertsAPT42 and Magic Hound reporting emphasizes tailored targeting and personal accountsHigh for affected rolesEnroll users in enhanced protection and phishing-resistant MFA
Legacy or weak identity controlsPassword-only access, weak MFA, unmanaged service accounts, legacy protocols and uncontrolled OAuth consentAA24-290A documents spraying, MFA push bombing and registration changesHighClose legacy paths and review recent authentication anomalies
Sensitive supplier or third-party accessTechnology providers, logistics, travel, engineering, telecom and remote OT vendorsA supplier can provide access to a strategically relevant customer or datasetElevatedMap access paths, owners, authentication and revocation procedures
No specific relevance and mature controlsNo exposed OT, limited strategic connection and well-managed identity/perimeter controlsRisk is lower, not zeroBaseline monitoringMaintain hygiene and watch official advisories
Decision tree that prioritizes Iranian APT risk using sector relevance, internet exposure, identity weaknesses, OT assets, and high-risk users.

Sources: current CISA, FBI and NSA guidance. The outcome establishes a defensive review priority; it does not predict that a particular organization will be attacked.

A Defender-First Priority Framework

LayerImmediate actionsImprovements over the next 30 daysOngoing validation
ExposureInventory public systems and OT assets; remove direct PLC exposure; eliminate default credentials; address known exploited perimeter vulnerabilitiesPut management interfaces behind controlled access; secure vendor paths; validate appliance integrity after compromiseContinuously reconcile external discovery with asset ownership; retest patches and remote-access controls
IdentityRequire phishing-resistant MFA for privileged and high-risk users; investigate spraying and abnormal MFA prompts; disable unnecessary legacy authenticationReview service accounts, OAuth consent, tokens, session lifetime, account recovery and personal-account use for sensitive workTest identity detections; review privileged paths and risky-session handling
DetectionConfirm collection of email, identity, cloud, endpoint, network and OT logs; alert on high-confidence behaviors from relevant advisoriesBaseline legitimate remote tools, administrative platforms and OT configuration changes; close telemetry gapsUse official indicators as time-bounded leads; run behavior-led hunts and retune controls after testing
ResilienceConfirm protected backups and known-good device configurations; establish escalation and evidence-preservation pathsSegment IT and OT; rehearse identity compromise, data theft, destructive attack and OT disruption scenariosRetest restoration, communications, legal, regulatory and government-reporting procedures

The first objective is not to guess the perfect actor label. It is to reduce reachable attack paths, make account misuse visible, constrain privilege and preserve recovery options.

How Authorized Security Testing Helps

Authorized, scoped testing can validate whether an organization’s actual controls match its threat model. Depending on scope and safety requirements, it may:

Testing must operate under written authorization, an approved scope, rules of engagement, safety controls and asset-owner permission. OT exercises require particular coordination with engineering and operations personnel.

A penetration test or red-team exercise does not prove attribution, recreate every capability of a named state actor, guarantee breach prevention, or replace threat intelligence, monitoring, incident response, governance and OT engineering. Organizations should also distinguish red team and blue team roles and understand vulnerability assessment versus penetration testing before choosing an engagement.

For organizations that need a controlled assessment of exposed paths, identity boundaries and detection workflows, DeepStrike’s red teaming services can support authorized validation and remediation planning within an agreed scope.

Common Mistakes

Defensive Checklist

For CISOs and security leaders

For SOC and incident-response teams

For identity and cloud teams

For OT owners and engineering teams

Frequently Asked Questions

What are the main Iranian APT groups?

Publicly prioritized examples include APT33, OilRig/APT34, Magic Hound/APT35, APT42, MuddyWater, APT39, Fox Kitten, UNC1860 and CyberAv3ngers. That is a defensively useful selection, not a ranking or exhaustive list. Some are established intrusion sets; others are provisional clusters, access specialists or OT-focused actors.

Why do Iranian APT groups have so many aliases?

Each intelligence provider observes and scopes activity differently. A label may describe a team, infrastructure cluster, campaign, malware ecosystem or sponsor-aligned program. Use the originating source’s mapping and distinguish explicit cross-references from overlap.

Are APT35 and APT42 the same group?

Not universally. Mandiant reports overlap between APT42 and several APT35/Charming Kitten-related scopes, but MITRE tracks APT42 and Magic Hound separately to preserve the originating vendor’s distinction. Defenders should not merge them without campaign-specific evidence.

Are MuddyWater and APT34 the same group?

Maintained sources say no. Microsoft maps MuddyWater to Mango Sandstorm and OilRig/APT34 to Hazel Sandstorm, while MITRE keeps separate group profiles. Similar sponsorship or tactics does not establish identity.

Which Iranian-linked actor is associated with PLC and OT targeting?

CyberAv3ngers, also associated by CISA with the Shahid Kaveh Group for prior activity, is the best-known public example. However, AA26-097A does not name CyberAv3ngers as the operator behind the new March 2026 PLC activity; it calls the actors Iranian-affiliated.

Which sectors are commonly targeted?

Public reporting repeatedly covers government, defense, energy, water, telecommunications, technology, finance, travel, logistics, research, academia, media, NGOs and civil society. Relevance depends on mission, relationships, exposed systems, sensitive data and high-risk personnel—not sector alone.

How can organizations detect Iranian APT activity?

Start with behavior: password spraying, unusual MFA prompts, valid-account misuse, suspicious account-recovery changes, exploitation of exposed systems, anomalous remote tools, unusual cloud or mailbox access, data staging and unauthorized OT changes. Correlate identity, cloud, endpoint, email, network and OT evidence before drawing attribution conclusions.

Can penetration testing or red teaming protect against an APT?

It can validate attack paths, control boundaries, telemetry and response under controlled conditions. It cannot prove attribution, reproduce every nation-state capability or guarantee prevention. Its value depends on written authorization, representative scope, safe execution, remediation and retesting.

Conclusion

Iranian threat-actor labels will continue to change as vendors divide, merge and reinterpret the activity they observe. The durable defensive priorities are clearer: reduce internet exposure, strengthen identity, monitor behavior across enterprise and OT environments, constrain legitimate administrative tools, and preserve tested recovery options.

Use the latest official advisories for time-sensitive indicators and mitigations. Validate controls through authorized testing, but keep attribution conclusions tied to evidence and the source that made the assessment.

About the Author

Mohammed Khalil is a Cybersecurity Architect and SEO Specialist at DeepStrike. He holds CISSP, OSCP, and OSWE certifications and writes about penetration testing, threat intelligence, and translating technical risk into practical defensive priorities.

background
Let's hack you before real hackers do

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today

Contact Us