July 13, 2026
Updated: July 13, 2026
A source-led guide to major Iranian APT groups, vendor naming differences, recent advisories, target patterns, OT risk, and prioritized enterprise defenses.
Mohammed Khalil

Iranian APT groups are intrusion sets and cyber operators that credible public sources associate with Iranian state interests. Priority examples include APT33, OilRig/APT34, Magic Hound/APT35, APT42, MuddyWater, APT39, Fox Kitten, UNC1860, and the OT-focused CyberAv3ngers. This is not a definitive ranking: vendors may assign different names to overlapping but not necessarily identical activity. Temporary clusters, access providers, destructive units, and public personas further complicate the picture. This guide reconciles source-owned names cautiously, distinguishes assessed relationships from confirmed cross-references, and turns the observed behavior into defensive priorities for enterprise, cloud, identity, and OT teams.
How to use this guide: Use the naming crosswalk to reconcile labels, the at-a-glance table to compare scope, the behavior matrix to plan detection, and the decision tree to set defensive priority. This is an evergreen decision guide, not a live IOC feed.
Scope and verification methodology: This guide includes actors with credible public-source assessments connecting their activity to Iranian state interests. Inclusion reflects source quality, recency, operational relevance, and distinct defensive implications not a claim to list every Iranian actor. Names follow the organizations that originated or maintain them. “Active” is used only when dated reporting supports recent activity. Current infrastructure and indicators are time-sensitive, while an absence of recent reporting does not prove inactivity. Attribution remains an analytic assessment, not mathematical certainty.
| Relationship label | Meaning in this article |
|---|---|
| Verified or explicit cross-reference | A reliable source directly maps the names, although vendor scopes can still differ. |
| Associated or overlapping activity | A source reports meaningful commonality without establishing complete equivalence. |
| Related | An operational, organizational, tooling, or targeting connection that does not prove identity. |
| Temporary or developing cluster | A provisional label, such as a Mandiant UNC or Microsoft Storm-#### designation. |
| Persona or front | A public identity used to claim, amplify, or obscure operations. |
| Disputed or unconfirmed | Evidence is incomplete, contested, or inconsistent across sources. |
In this context, an advanced persistent threat is an intrusion set that researchers track over time because its objectives, resources, access methods, or operating patterns suggest sustained, coordinated activity. “APT” describes analytical tracking and operational persistence; it is not a universal certification of sophistication.
Public sources use several attribution terms:
These terms are not interchangeable. For example, U.S. Cyber Command identifies MuddyWater as a subordinate element of Iran’s Ministry of Intelligence and Security, while MITRE describes APT33 more cautiously as a suspected Iranian group. For wider context, see DeepStrike’s guide to state-sponsored hacking and APT threats.
Not every Iranian hacktivist channel, data-leak account, cybercriminal, or geopolitical persona is an APT. A persona may front for a state unit, amplify stolen data, exaggerate responsibility, or operate independently. Attribution can also change when researchers obtain new telemetry or split a previously broad cluster into narrower groups.
Threat-intelligence vendors name what they can observe. One vendor may track an operational team; another may track shared infrastructure, a phishing program, a malware deployment cluster, or activity believed to serve the same sponsor. Their observation windows and evidence differ.
Microsoft currently assigns weather-themed names by assessed origin Sandstorm for Iran and uses Storm-#### for temporary or developing clusters. MITRE maintains group pages that list “associated groups,” but association should not automatically be interpreted as exact identity. Mandiant uses numbered APT labels for established groups and UNC labels for uncategorized clusters. The Microsoft naming taxonomy and MITRE ATT&CK group catalog therefore serve related but different purposes.
Not as a universal cross-vendor identity. Mandiant tracks APT42 as an IRGC Intelligence Organization-linked espionage group and reports activity overlap with labels including Charming Kitten, Mint Sandstorm, Phosphorus, and TA453. MITRE nevertheless states that APT42 and Magic Hound have overlapping behavior and software but “appear to be distinct entities” and preserves the originating vendor’s separation. Defenders should retain both scopes unless a specific source explicitly maps a particular campaign.
Maintained sources track them separately. Microsoft maps MuddyWater-related activity to Mango Sandstorm, while OilRig/APT34 maps to Hazel Sandstorm. MITRE also maintains separate MuddyWater and OilRig profiles. Similar regional targeting, government affiliation, or tooling is not sufficient evidence to merge them.

Iranian threat-actor names reflect different vendor scopes; a shared line does not always mean identical groups.
Legend: Solid connectors indicate an explicit source cross-reference. Dashed connectors indicate associated or overlapping activity. “Related” does not mean identical; temporary labels remain provisional; uncertain relationships remain unconfirmed. Sources: Microsoft’s naming taxonomy, MITRE ATT&CK profiles, and Google Threat Intelligence research.
| Article label | Names explicitly mapped by named sources | Assessed affiliation | Primary mission | Commonly reported targets | Recent public reporting | Relationship confidence | Best sources |
|---|---|---|---|---|---|---|---|
| APT33 | Peach Sandstorm (Microsoft); Elfin and HOLMIUM listed by MITRE | Suspected Iranian; Microsoft assesses an IRGC connection | Intelligence collection and access | Aerospace, satellite, energy, government; U.S. and Middle East | Microsoft reported April–July 2024 activity on Aug. 28, 2024 | Verified cross-references; vendor scopes may differ | MITRE; Microsoft |
| OilRig / APT34 | Hazel Sandstorm (Microsoft); OilRig and APT34 cross-referenced by MITRE | Suspected Iranian government nexus; specific unit not publicly settled | Espionage and persistent access | Government, energy, finance, chemicals, telecom; especially Middle East | Trend Micro published Earth Simnavaz observations on Oct. 11, 2024 | Explicit cross-references; broad vendor scopes | MITRE; Trend Micro |
| Magic Hound / APT35 | Mint Sandstorm (Microsoft); Charming Kitten, Phosphorus and TA453 listed by MITRE | Iranian-sponsored; public sources commonly assess IRGC links | Espionage and targeted social engineering | Officials, military personnel, researchers, journalists and civil society | Microsoft described activity beginning in Nov. 2023, published Jan. 17, 2024 | Explicit associations within each source; composite scope caveat | MITRE; Microsoft |
| APT42 | Mandiant’s APT42; overlap reported with Charming Kitten, Mint Sandstorm and TA453 | Mandiant assesses with high confidence that it operates for the IRGC Intelligence Organization | Espionage, surveillance and credential collection | NGOs, media, academia, legal services, policy personnel and activists | Google TAG reported expanded phishing activity on Aug. 14, 2024 | Associated/overlapping, not universal equivalence with APT35 | MITRE; Mandiant; Google TAG |
| MuddyWater | Mango Sandstorm (Microsoft); Seedworm, Mercury and Static Kitten listed by MITRE | U.S. Cyber Command identifies it as subordinate to MOIS | Espionage, access and intelligence collection | Government, telecom, finance, defense, energy and other organizations globally | Symantec and Unit 42 published U.S.-focused reporting in March 2026 | Explicit cross-references with scope differences | MITRE; U.S. Cyber Command; Symantec |
| APT39 | Chafer and Remix Kitten listed by MITRE; Rana is a DOJ-linked front, not an alias | U.S. authorities link APT39/Rana activity to MOIS | Surveillance and intelligence collection | Travel, hospitality, telecom, government and academia | Maintained profile used; no recent campaign claim is made here | Explicit government linkage; Rana classified as a front | MITRE; DOJ |
| Fox Kitten / Pioneer Kitten | Lemon Sandstorm (Microsoft); UNC757, Parisite, Pioneer Kitten and RUBIDIUM in MITRE/CISA | Iran-based; precise organizational affiliation remains less settled publicly | Initial access, intelligence support and ransomware enablement | Government, defense, healthcare, finance, education and technology | Joint advisory AA24-241A, Aug. 28, 2024 | Explicit campaign cross-references; unit-level confidence lower | MITRE; CISA AA24-241A |
| UNC1860 | Mandiant provisional label; parallels with Shrouded Snooper, Scarred Manticore and Storm-0861 | Mandiant assesses likely MOIS association | Probable initial access and persistent footholds | Middle Eastern government and telecommunications networks | Mandiant report, Sept. 19, 2024 | Temporary/developing cluster; overlaps do not establish identity | Mandiant |
| CyberAv3ngers | Shahid Kaveh Group mapped by CISA for prior activity; Soldiers of Solomon is related in MITRE | U.S. agencies associate prior activity with IRGC Cyber-Electronic Command | OT disruption and public claims | Water, energy and other operators using exposed PLCs | AA26-097A, Apr. 7, 2026, cites similar 2023 activity but does not name the 2026 actor | Explicit for prior CyberAv3ngers/Shahid Kaveh mapping; new activity unattributed at group level | MITRE; CISA AA26-097A |
These examples should not be treated as equivalent categories:
Recent context: Symantec's March 2026 overview also covers Marshtreader (Pink Sandstorm/Agrius) and DieNet. Keep these source-specific labels outside the core APT table; they are not aliases for the groups above.
| Date | Issuer | Actor or activity label used by issuer | Affected assets or sectors | What was observed | Defender action | What the source does not prove |
|---|---|---|---|---|---|---|
| 2024-08-28 | CISA, FBI, DC3 and NSA | Fox Kitten, Pioneer Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm | Education, municipal government, finance, healthcare and other exposed networks | Iran-based actors developed access and enabled ransomware affiliates | Patch exposed products, restrict remote administration, investigate beyond the edge device and reset affected credentials | It does not attribute every ransomware incident involving an exposed product to this group. AA24-241A |
| 2024-10-16 | FBI, CISA, NSA and international partners | Iranian cyber actors; no enduring group name assigned | Healthcare, government, IT, engineering and energy | Password spraying, MFA push bombing, valid-account use and modification of MFA registrations | Use phishing-resistant MFA, detect distributed spraying and abnormal prompts, and review account registration changes | Some later activity or indicators may belong to criminal buyers of access; an indicator alone is not sufficient attribution. AA24-290A |
| 2025-06-30 | NSA, CISA, FBI and DC3 | Iranian government-affiliated actors and potentially aligned hacktivists | Vulnerable U.S. networks and strategically relevant entities | Agencies warned of potential targeting where systems were outdated or used weak/default credentials | Patch internet-facing systems, remove defaults, strengthen authentication and monitor remote access | This was a risk warning, not proof that a named group had compromised a particular organization. Joint statement |
| 2026-03-05 | Symantec Threat Hunter Team | Seedworm/MuddyWater | Selected U.S. companies and a Canadian NGO, including finance, aviation and software | Activity beginning in February 2026 used legitimate tools and sought data from several environments | Review account and remote-tool use, endpoint execution, staging and outbound transfers | This vendor-observed sample is not a complete victim count or government attribution of every event. Symantec research |
| 2026-04-07 | CISA, FBI, NSA, EPA, DOE and CNMF | Iranian-affiliated APT actors; prior similar activity linked to CyberAv3ngers/Shahid Kaveh | Internet-facing PLCs in government services, water/wastewater and energy | PLC access, operational disruption and manipulation of HMI/SCADA-related data or displays | Remove direct PLC exposure, use secure gateways and MFA, retain offline configurations and monitor control changes | The advisory does not name the March 2026 actor as CyberAv3ngers or prove all PLC brands face identical exposure. AA26-097A |
Each row describes a different source scope. The table must not be read as a single continuous campaign or a universal Iranian operating model.
Iranian-linked activity is better understood as a collection of source-specific behaviors than as one merged ATT&CK profile. The following matrix maps documented examples to defensible telemetry and control goals.
Related: DeepStrike’s phishing statistics and trends and compromised credential trends.
| Observed behavior | Source-backed example and ATT&CK reference | Useful telemetry | Defensive control objective | Attribution boundary |
|---|---|---|---|---|
| Targeted social engineering and credential phishing | APT42 and Magic Hound reporting; T1566 Phishing | Email security, identity provider, browser, DNS and account-recovery logs | Protect high-risk users; detect impersonation, unusual login transitions and recovery changes | Not every phishing attempt targeting a policy role is APT42 |
| Password spraying and valid-account access | AA24-290A; T1110.003 Password Spraying, T1078/T1078.004 Valid Accounts | Authentication failures, successful logins, source distribution, device and ASN changes | Rate-limit and detect spraying; require strong MFA; investigate successes after failure bursts | The advisory warns that access may later pass to criminal actors |
| MFA fatigue or push bombing | AA24-290A; T1621 Multi-Factor Authentication Request Generation | MFA prompts, denials, approvals, help-desk and registration changes | Use number matching or phishing-resistant MFA; alert on repeated prompts and new registrations | Repeated prompts indicate risk, not actor identity |
| Exploitation of public-facing systems | Fox Kitten and UNC1860 reporting; T1190 Exploit Public-Facing Application where mapped | WAF, edge, VPN, appliance, process, network and configuration logs | Prioritize known exploited perimeter flaws; restrict management access; validate device integrity | Shared vulnerabilities are not actor-specific |
| Cloud and SaaS account access | APT42 and AA24-290A; valid cloud accounts mapped in the advisory | Identity provider, SaaS audit, OAuth consent, token, mailbox and session logs | Control consent, session lifetime, account recovery and risky sign-ins | A cloud login alone cannot establish attribution |
| Legitimate administration and remote tools | MuddyWater/Seedworm research; T1219 Remote Access Software where the source maps it | Endpoint process, software inventory, network egress and remote-support logs | Allowlist approved tools, identify unusual operators and constrain privileged use | The same tools are used legitimately by administrators |
| Collection and exfiltration | MuddyWater, APT39 and APT42 reporting | Endpoint, cloud storage, email, DLP, proxy and network-flow logs | Detect unusual searches, staging, mailbox access and outbound transfers | Collection patterns vary by actor and objective |
| Wipers, ransomware-like cover and hack-and-leak | Void Manticore, personas, and access-enablement reporting | Identity, virtualization, backup, endpoint, storage and admin-platform logs | Protect administrative planes and backups; rehearse destructive and disclosure scenarios | A public claim or ransom note is not independent attribution |
| Internet-exposed OT and PLC access | AA26-097A; T0883 Internet Accessible Device, T1565 Stored Data Manipulation, T1219 Remote Access Tools | Firewall, gateway, engineering workstation, PLC/HMI configuration and protocol logs | Remove direct exposure, authenticate remote access, baseline logic/configuration and monitor changes | The 2026 advisory does not identify every operator or affected PLC model |

Sources: CISA AA24-290A, CISA AA26-097A, MITRE ATT&CK, and the named primary research above. The model does not claim that every actor uses every behavior.
Priority should reflect mission, exposure and consequences—not nationality or ethnicity.
| Relevance signal | Examples | Why it matters | Suggested priority | First safe action |
|---|---|---|---|---|
| Strategically relevant mission or relationships | Government, defense, policy, diplomacy, energy, telecom, research or organizations supporting U.S., Israeli, Gulf or Iranian-policy interests | These roles recur in government and primary-vendor reporting | High when combined with exposed systems or high-risk people | Review current advisories, external exposure and identity controls |
| Internet-facing edge or remote access | VPNs, firewalls, public applications, remote-management services and appliances | Multiple actors pursue known vulnerabilities or weak credentials | High | Inventory, patch, restrict management paths and inspect for compromise |
| Internet-exposed OT | PLCs, HMIs, SCADA gateways and vendor remote access | AA26-097A documents operational and financial effects | Immediate | Remove direct PLC exposure and involve the asset owner before changes |
| High-risk individuals | Executives, diplomats, researchers, journalists, activists, legal personnel and policy experts | APT42 and Magic Hound reporting emphasizes tailored targeting and personal accounts | High for affected roles | Enroll users in enhanced protection and phishing-resistant MFA |
| Legacy or weak identity controls | Password-only access, weak MFA, unmanaged service accounts, legacy protocols and uncontrolled OAuth consent | AA24-290A documents spraying, MFA push bombing and registration changes | High | Close legacy paths and review recent authentication anomalies |
| Sensitive supplier or third-party access | Technology providers, logistics, travel, engineering, telecom and remote OT vendors | A supplier can provide access to a strategically relevant customer or dataset | Elevated | Map access paths, owners, authentication and revocation procedures |
| No specific relevance and mature controls | No exposed OT, limited strategic connection and well-managed identity/perimeter controls | Risk is lower, not zero | Baseline monitoring | Maintain hygiene and watch official advisories |

Sources: current CISA, FBI and NSA guidance. The outcome establishes a defensive review priority; it does not predict that a particular organization will be attacked.
| Layer | Immediate actions | Improvements over the next 30 days | Ongoing validation |
|---|---|---|---|
| Exposure | Inventory public systems and OT assets; remove direct PLC exposure; eliminate default credentials; address known exploited perimeter vulnerabilities | Put management interfaces behind controlled access; secure vendor paths; validate appliance integrity after compromise | Continuously reconcile external discovery with asset ownership; retest patches and remote-access controls |
| Identity | Require phishing-resistant MFA for privileged and high-risk users; investigate spraying and abnormal MFA prompts; disable unnecessary legacy authentication | Review service accounts, OAuth consent, tokens, session lifetime, account recovery and personal-account use for sensitive work | Test identity detections; review privileged paths and risky-session handling |
| Detection | Confirm collection of email, identity, cloud, endpoint, network and OT logs; alert on high-confidence behaviors from relevant advisories | Baseline legitimate remote tools, administrative platforms and OT configuration changes; close telemetry gaps | Use official indicators as time-bounded leads; run behavior-led hunts and retune controls after testing |
| Resilience | Confirm protected backups and known-good device configurations; establish escalation and evidence-preservation paths | Segment IT and OT; rehearse identity compromise, data theft, destructive attack and OT disruption scenarios | Retest restoration, communications, legal, regulatory and government-reporting procedures |
The first objective is not to guess the perfect actor label. It is to reduce reachable attack paths, make account misuse visible, constrain privilege and preserve recovery options.
Authorized, scoped testing can validate whether an organization’s actual controls match its threat model. Depending on scope and safety requirements, it may:
Testing must operate under written authorization, an approved scope, rules of engagement, safety controls and asset-owner permission. OT exercises require particular coordination with engineering and operations personnel.
A penetration test or red-team exercise does not prove attribution, recreate every capability of a named state actor, guarantee breach prevention, or replace threat intelligence, monitoring, incident response, governance and OT engineering. Organizations should also distinguish red team and blue team roles and understand vulnerability assessment versus penetration testing before choosing an engagement.
For organizations that need a controlled assessment of exposed paths, identity boundaries and detection workflows, DeepStrike’s red teaming services can support authorized validation and remediation planning within an agreed scope.
Publicly prioritized examples include APT33, OilRig/APT34, Magic Hound/APT35, APT42, MuddyWater, APT39, Fox Kitten, UNC1860 and CyberAv3ngers. That is a defensively useful selection, not a ranking or exhaustive list. Some are established intrusion sets; others are provisional clusters, access specialists or OT-focused actors.
Each intelligence provider observes and scopes activity differently. A label may describe a team, infrastructure cluster, campaign, malware ecosystem or sponsor-aligned program. Use the originating source’s mapping and distinguish explicit cross-references from overlap.
Not universally. Mandiant reports overlap between APT42 and several APT35/Charming Kitten-related scopes, but MITRE tracks APT42 and Magic Hound separately to preserve the originating vendor’s distinction. Defenders should not merge them without campaign-specific evidence.
Maintained sources say no. Microsoft maps MuddyWater to Mango Sandstorm and OilRig/APT34 to Hazel Sandstorm, while MITRE keeps separate group profiles. Similar sponsorship or tactics does not establish identity.
CyberAv3ngers, also associated by CISA with the Shahid Kaveh Group for prior activity, is the best-known public example. However, AA26-097A does not name CyberAv3ngers as the operator behind the new March 2026 PLC activity; it calls the actors Iranian-affiliated.
Public reporting repeatedly covers government, defense, energy, water, telecommunications, technology, finance, travel, logistics, research, academia, media, NGOs and civil society. Relevance depends on mission, relationships, exposed systems, sensitive data and high-risk personnel—not sector alone.
Start with behavior: password spraying, unusual MFA prompts, valid-account misuse, suspicious account-recovery changes, exploitation of exposed systems, anomalous remote tools, unusual cloud or mailbox access, data staging and unauthorized OT changes. Correlate identity, cloud, endpoint, email, network and OT evidence before drawing attribution conclusions.
It can validate attack paths, control boundaries, telemetry and response under controlled conditions. It cannot prove attribution, reproduce every nation-state capability or guarantee prevention. Its value depends on written authorization, representative scope, safe execution, remediation and retesting.
Iranian threat-actor labels will continue to change as vendors divide, merge and reinterpret the activity they observe. The durable defensive priorities are clearer: reduce internet exposure, strengthen identity, monitor behavior across enterprise and OT environments, constrain legitimate administrative tools, and preserve tested recovery options.
Use the latest official advisories for time-sensitive indicators and mitigations. Validate controls through authorized testing, but keep attribution conclusions tied to evidence and the source that made the assessment.
Mohammed Khalil is a Cybersecurity Architect and SEO Specialist at DeepStrike. He holds CISSP, OSCP, and OSWE certifications and writes about penetration testing, threat intelligence, and translating technical risk into practical defensive priorities.

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today
Contact Us