Iran APT Threat Advisory — Operation Epic Fury

📋

Executive Summary

⚠️ CRITICAL ALERT: On February 28, 2026, the United States and Israel launched a joint kinetic-cyber offensive against Iran — Operation Epic Fury (US) / Operation Roaring Lion (Israel). Iran's internet connectivity dropped to 1–4%, described by experts as the largest cyberattack in history. Iran is now retaliating with a multi-vector cyber campaign across the Middle East, with GCC nations as primary targets.

This advisory synthesizes intelligence from over 10 sources including HawkEye Hunt, Unit 42, SentinelOne, Nozomi Networks, Canadian Centre for Cyber Security, LevelBlue, and internal HawkEye CSOC telemetry. It provides a comprehensive operational picture of the Iranian cyber threat landscape as of March 6, 2026.

Key Findings

Multi-front retaliation: Iran has activated state-sponsored APT groups (MuddyWater, APT33, APT34, APT35, APT42), destructive operators (VoidManticore, Cyber Av3ngers), and 60+ hacktivist proxy groups in a coordinated campaign targeting Israel, the US, and Gulf Cooperation Council (GCC) nations.
Infrastructure attacks: AWS me-central-1 UAE data centers were struck by drone strikes on March 1. DieNet claimed attacks on airports in Bahrain, Sharjah, and the UAE. Critical infrastructure across the Gulf is under active targeting.
133% attack increase: Attacks against Israel and allied nations have surged 133% since February 28, with the UAE intercepting 90,000–200,000 cyberattacks per day.
Novel tradecraft: MuddyWater has deployed blockchain-based C2 infrastructure, AI-enhanced malware (RustyWater, GhostFetch), and Telegram-based backdoors. APT34 is using Cloudflare fronting and certificate SAN pivoting to evade detection.
OT/ICS at risk: Nozomi Networks reports the Middle East region has 61% HIGH/CRITICAL vulnerabilities (vs 48% global average), with attackers in an exploratory/positioning phase — a critical window before destructive escalation.
Psyops active: Iran's BadeSaba prayer app (5M+ users) was hacked for psychological operation messages. Tehran traffic cameras have been compromised for years, used to track Iranian officials.

⏱️

Situation Overview & Timeline

The current crisis represents the most significant escalation in cyber conflict involving Iran since the 2020 Soleimani assassination response. The combined kinetic-cyber operation has fundamentally altered Iran's internet infrastructure and triggered a cascade of retaliatory actions across the digital domain.

February 28, 2026

Operation Epic Fury / Roaring Lion Launched

US and Israel launch joint offensive. Iran's internet drops to 1–4% connectivity — the largest cyberattack in recorded history. The "Electronic Operations Room" hacktivist umbrella forms within hours to coordinate retaliation.

February 28, 2026

Hacktivist Mobilization — 60+ Groups

60+ hacktivist groups begin coordinated attacks. Handala Hack claims Israeli energy company compromise. Dark Storm Team launches DDoS against Israeli banks. Pro-Russian groups (Killnet, HydraC2) align with Iranian interests.

March 1, 2026

AWS me-central-1 Drone Strike & GCC Targeting

Physical drone strikes hit AWS data centers in the UAE (me-central-1 region), crossing the kinetic-cyber boundary. DieNet claims attacks on Bahrain, Sharjah, and UAE airports. 313 Team targets Kuwait Armed Forces and Ministry of Defense.

March 1–2, 2026

MuddyWater Infrastructure Activation

Sliver C2 detected at 157[.]20[.]182[.]49:31337 (Hosterdaddy AS136557), active for only 1 day — rapid rotation. Blockchain-based C2 operational at 185[.]236[.]25[.]119:3001. HawkEye Hunt detects Mythic C2 at 79[.]175[.]189[.]207 (Afranet).

March 2–4, 2026

APT34 Dark Scepter Campaign Expands

Certificate SAN pivoting reveals additional Dark Scepter C2 nodes at 92[.]243[.]65[.]243 (Akton d.o.o.) and 185[.]76[.]79[.]125 (EDIS GmbH). 12+ domains identified with Cloudflare fronting.

March 3–5, 2026

GCC Infrastructure Targeting Intensifies

UAE reports 200,000 daily attack attempts. Camera reconnaissance against Hikvision/Dahua across GCC. Vishing scams impersonating UAE Ministry of Interior for EID theft. FAD Team claims SCADA/PLC access to 24 Israeli security devices.

March 5–6, 2026

Psyops & Intelligence Operations

BadeSaba prayer app (5M+ users) compromised for psyop messages. Tehran traffic camera network — compromised for years — revealed as intelligence collection platform tracking Iranian officials. APT35 WezRAT campaign targets Israeli organizations.

📊

Threat Landscape Visualization

Attacks by Sector

C2 Infrastructure by Hosting Provider

APT Group Activity Level (HawkEye Hunt Tracking)

Iranian APT Sponsorship Distribution

🎯

Iranian APT Group Profiles

Iran maintains one of the world's most sophisticated state-sponsored cyber programs, split between the MOIS (Ministry of Intelligence and Security) and the IRGC (Islamic Revolutionary Guard Corps). The following 10 groups represent the most active threat actors in the current campaign, tracked through HawkEye Hunt, and allied intelligence feeds.

MOISMuddyWater — Most Active Iranian APT

Also known as: Seedworm, Mango Sandstorm, Static Kitten, Mercury, TA450

Sponsoring Agency

MOIS (Ministry of Intelligence and Security)

Primary Targets

Government, Telecom, Energy, Oil & Gas

Geographic Focus

Middle East, Europe, North America

Tracking (HawkEye Hunt)

264 IPs · 432 Hosts · 128 SHA-256 Hashes

Active Campaigns

Operation Olalampo — Targeting META region (Middle East, Turkey, Africa) with overlapping RedKitten campaign. C2 domain: codefusiontech[.]org. Pivoted from espionage to active disruption of government and telecom infrastructure.

Infrastructure Discovery Chain

An open directory at 209[.]74[.]87[.]100 (NameCheap) exposed FMAPP.exe, a tunneling proxy. Hash pivoting on FMAPP.exe (e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b) revealed a second server at 157[.]20[.]182[.]49 (Hosterdaddy, AS136557).

This second server hosted Sliver C2 on port 31337, detected March 2 but active for only 1 day — indicative of operational security rotation. The dropper reset.ps1 uses ethers.js + WebSocket for blockchain-based C2 at 185[.]236[.]25[.]119:3001, which also hosts Tsundere botnet panels on ports 80/3000.

Tooling Arsenal

Sliver C2: Open-source implant framework, blending with cybercriminal tooling
RustyWater: AI-enhanced Rust-based RAT with advanced anti-debugging
GhostFetch: AI-enhanced data exfiltration tool
CHAR Backdoor: Uses Telegram bot (stager_51_bot) for C2
udp_3.0.py: Custom Python UDP C2 on port 1269
reset.ps1: PowerShell dropper leveraging blockchain for C2
FMAPP.exe: Tunneling proxy for network traversal

HawkEye Hunt C2 Tracking

IP	ASN / Hosting	Framework	First Seen	Last Seen	Status
217[.]60[.]249[.]120	AS198154 / ParsAbr	Sliver	Feb 11	Mar 6	ACTIVE
79[.]175[.]189[.]207	AS25184 / Afranet	Mythic	Mar 1	Mar 4	RECENT
78[.]38[.]80[.]242	AS58224 / Amozesh	Metasploit	Feb 11	Mar 3	RECENT
185[.]209[.]42[.]105	AS209836 / Toesegaran	Sliver	Feb 11	Feb 12	DORMANT

MITRE ATT&CK:
T1566.001T1190T1059.001T1059.005T1053.005T1574.002T1071T1071.004T1573T1041

Infrastructure Pattern: MuddyWater shows a clear preference for NameCheap and Hosterdaddy (AS136557) hosting. They deliberately use publicly available tools (Sliver, Mythic) to blend with cybercriminal operations and complicate attribution.

IRGCAPT34 / OilRig — Dark Scepter Campaign Active

Also known as: Helix Kitten, Earth Simnavaz, Greenbug, Dark Scepter (overlap)

Sponsoring Agency

IRGC Intelligence Organization

Primary Targets

Government, Financial, Telecom, Defense, Energy

Geographic Focus

Middle East (primary), US, Europe

Specialty

DNS Tunneling, Supply Chain, Cloud Credential Harvesting

Dark Scepter Campaign

A C2 server at 38[.]180[.]239[.]161 (M247 Europe SRL) was identified via web page title fingerprinting — displaying a distinctive "Wonders Above" webpage. Certificate SAN pivoting revealed two additional nodes:

92[.]243[.]65[.]243 — Akton d.o.o. (AS25467)
185[.]76[.]79[.]125 — EDIS GmbH (AS57169)

The campaign employs Cloudflare fronting to obscure C2 traffic. APT34 uses DNS tunneling for exfiltration and maintains supply chain compromises for "sleeper" access in US/Gulf financial and aviation networks.

Domain Infrastructure (12+ domains)

Domain	Purpose	Status
web14[.]info	C2 Communication	ACTIVE
anythingshere[.]shop	Phishing / C2	ACTIVE
cside[.]site	C2 Communication	ACTIVE
footballfans[.]asia	C2 Redirect	ACTIVE
menclub[.]lt	C2	ACTIVE
musiclivetrack[.]website	C2	ACTIVE
stone110[.]store	Staging	ACTIVE
justweb[.]click	C2	ACTIVE
girlsbags[.]shop	Phishing	ACTIVE
lecturegenieltd[.]pro	C2	ACTIVE
ntcx[.]pro	C2	ACTIVE
retseptik[.]info	C2	ACTIVE

Malware Arsenal

Tonedeaf: Custom backdoor with command execution and file manipulation
Helminth: DNS tunneling backdoor for C2
Karkoff: Lightweight .NET backdoor leveraging Exchange
PoisonFrog: PowerShell-based backdoor
BONDUPDATER: PowerShell DNS tunneling backdoor

Cloud Credential Harvesting

APT34 is actively harvesting credentials from Azure and Microsoft 365 environments across Gulf financial and aviation sectors. Audit Azure AD sign-in logs for suspicious OAuth consent requests and impossible-travel authentication events.

MITRE ATT&CK:
T1566.001T1190T1059.001T1053.005T1078T1003T1071.004T1090.004T1573T1041T1027

IRGCAPT35 / Charming Kitten — WezRAT & Mobile Targeting

Also known as: Phosphorus, TA453, Mint Sandstorm

Sponsoring Agency

IRGC

Primary Targets

Defense Officials, Journalists, Think Tanks, Academia

Geographic Focus

Israel, US, Europe, Middle East

Tracking (HawkEye Hunt)

79 IPs · 2,211 Hosts · 67 SHA-256 Hashes

⚠️ Active Campaign: WezRAT infostealer targeting Israeli organizations by impersonating the Israeli National Cyber Directorate (INCD). Malicious RedAlert APK impersonates the Israeli Home Front Command app.

WezRAT Capabilities

Remote command execution
Screenshot capture
Keylogging
Clipboard monitoring
Browser cookie theft

Mobile Attack Vector

Malicious RedAlert APK (83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72) masquerades as the official Israeli Home Front Command rocket alert app. Distributed via WhatsApp spearphishing with spoofed websites including whatsapp-meeting[.]duckdns[.]org.

C2 Infrastructure Leak

A late 2025 leak exposed APT35's C2 infrastructure including server IPs, usernames, and passwords — enabling defenders to proactively hunt and block their infrastructure. Despite the leak, the group remains highly active with refreshed infrastructure.

MITRE ATT&CK:
T1566.001T1566.002T1059.001T1056.001T1113T1005T1071.001T1573

IRGCAPT42 / Charming Cypress — AI-Enhanced Surveillance

Also known as: Charming Cypress

Sponsoring Agency

IRGC Intelligence Organization

Primary Targets

Senior Defense/Government Officials, Policy Influencers, NGOs

Geographic Focus

US, Israel, Europe, Middle East

Tracking (HawkEye Hunt)

54 IPs · 233 Hosts · 44 SHA-256 Hashes

TameCat Backdoor

TameCat is a modular PowerShell-based backdoor with plugin-based extensibility, supporting dynamic module loading for targeted post-compromise capabilities.

RedKitten Operations

The RedKitten campaign employs generative AI for hyper-personalized surveillance — AI-generated social media personas, tailored phishing content, and deepfake-enhanced social engineering targeting senior officials.

AI-Enhanced Threat: APT42's use of generative AI for social engineering marks a paradigm shift. Traditional indicators like poor grammar or generic templates are no longer reliable detection methods.

MITRE ATT&CK:
T1566.001T1059.001T1078T1056.001T1071.001

IRGCAPT33 / Elfin — Destructive Wiper Operations

Also known as: Refined Kitten, Peach Sandstorm

Sponsoring Agency

IRGC

Primary Targets

Aerospace, Aviation, Energy, Manufacturing, Government

Geographic Focus

US, Saudi Arabia, South Korea, Middle East

Activity Level

Most Active (tied with MuddyWater — Nozomi 2H 2025)

⚠️ DESTRUCTIVE CAPABILITY: APT33 is Iran's primary destructive arm, deploying Tickler and SHAPESHIFT wiper malware targeting aerospace and petrochemical in US and Saudi Arabia.

APT33 uses password spraying against internet-facing services and supply chain compromise for initial access. Nozomi Networks 2H 2025 telemetry ranks them as one of the two most active Iranian groups (alongside MuddyWater).

MITRE ATT&CK:
T1110T1566.001T1195T1059.001T1485T1561

STATEVoidManticore — Wiper & Government Targeting

Primary Targets

Government Entities (exploited Omani govt mailbox)

Tracking (HawkEye Hunt)

13 IPs · 1 Host · 91 SHA-256 Hashes

Specialty

Wiper Malware, Data Destruction

VoidManticore exploited an Omani government mailbox to distribute malicious Word documents targeting critical infrastructure. Known for wiper malware designed to permanently destroy data and render systems inoperable. 91 unique SHA-256 hashes indicate prolific malware development with frequent retooling.

STATEInfy / Prince of Persia — Dissident Surveillance

Targets

Iranian Dissidents, Regional Government

Tracking (HawkEye Hunt)

18 IPs · 53 Hosts · 58 SHA-256 Hashes

Active since ~2007. Updated Foudre (keylogger/infostealer) and Tonnerre (data collection/exfiltration) variants. Uses Telegram-based C2 to bypass traditional network defenses, leveraging the platform's encryption and ubiquity.

MOISAPT39 / Chafer — Telecom Surveillance

Also known as: Remix Kitten

Sponsoring Agency

MOIS

Targets

Telecom, Travel, IT, Government

Specialty

Surveillance of Dissidents, Individual Tracking

MOIS's primary surveillance arm. Targets telecommunications providers for call records, SMS metadata, and real-time location data of specific individuals — Iranian dissidents, opposition figures, and foreign intelligence targets. Also targets travel/IT companies to track movement across borders.

IRGCCyber Av3ngers — ICS/OT Water Utility Attacks

Targets

Water Utilities, ICS/OT Systems

Specialty

Unitronics PLC Exploitation, Physical Disruption

Role

Key retaliatory actor in current crisis

⚠️ PHYSICAL IMPACT: Demonstrated ability to cause physical disruption through exploitation of Unitronics PLCs at US water treatment plants. Focus on industrial controller exploitation for physical failures.

STATEFox Kitten / Pioneer Kitten — Access Broker

Targets

US/Israeli Defense Contractors, VPN/Edge Devices

Role

Initial Access Broker for Other Iranian APTs

Specialty

Fortinet, Pulse Secure, Citrix, F5 Exploitation

Iran's primary initial access broker. Exploits unpatched VPN appliances and edge devices, then provides access to other APT groups (MuddyWater, APT33, APT34) for mission-specific objectives. Targets: Fortinet FortiOS, Pulse Secure/Ivanti, Citrix ADC/Gateway, F5 BIG-IP. Organizations with unpatched perimeter devices are at highest risk.

💀

Hacktivist & Proxy Group Activity

The formation of the "Electronic Operations Room" on February 28 — an umbrella coordinating body — represents unprecedented hacktivist coordination. Over 60 groups are active, including pro-Russian groups (Killnet, HydraC2) aligned with Iranian interests. Many serve as proxies for state-sponsored operations, providing plausible deniability.

Group	Allegiance	Targets	Claimed Actions	Threat
Handala Hack	MOIS-linked	Israel, US	Israeli energy co., Clalit healthcare, i24 news, Jordan fuel, death threats	CRIT
DieNet	Pro-Iran	Bahrain, UAE, Saudi, Jordan	Bahrain airport, Sharjah airport, Riyadh Bank, UAE airport, Bank of Jordan	CRIT
Cyber Islamic Resistance	Pro-Iran umbrella	Israel, West	Drone defense system, Israeli payment infra, coordinates RipperSec/Cyb3rDrag0nzz	CRIT
FAD Team (Fatimiyoun)	Pro-regime	Israel, Turkey	SCADA/PLC access, 24 Israeli security devices, Turkish media	CRIT
Dark Storm Team	Pro-Palestinian	Israel	Israeli bank DDoS, multiple Israeli websites	HIGH
313 Team	Pro-Iran (Iraq)	Kuwait	Kuwait Armed Forces, Ministry of Defense, Govt website	HIGH
APT Iran	Pro-Iran	Jordan	Jordan critical infrastructure sabotage	HIGH
Sylhet Gang	Pro-Iran	Saudi Arabia	Saudi Ministry of Home Affairs HCM systems	HIGH
Evil Markhors	Pro-Iran	Israel	Israeli bank website	MED
HydraC2	Pro-Iran	Various	DDoS botnet, Five Families connection	HIGH
Killnet	Pro-Russian/Iran	Various	DDoS coordination aligned with Iranian interests	HIGH
Electronic Ops Room	Umbrella (Feb 28)	All	Coordinating hacktivist front across 60+ groups	CRIT

Notable Domains: Handala Hack operates via handala-redwanted.to and handala-hack.to for leak sites and threat distribution. Block and monitor for employee mentions.

🌍

GCC-Specific Threat Landscape

Gulf Cooperation Council nations face disproportionate risk as regional allies of the US and Israel. The following country-specific threat profiles are derived from hacktivist claims, APT targeting patterns, and infrastructure reconnaissance since February 28.

🇦🇪 United Arab Emirates

90,000–200,000 cyberattacks intercepted daily
AWS me-central-1 data centers struck by drone attacks (March 1)
Camera reconnaissance targeting Hikvision/Dahua devices
Vishing scams impersonating Ministry of Interior for EID theft
DieNet targeting UAE airports
APT34 sleeper access in financial/aviation networks

🇸🇦 Saudi Arabia

DieNet claims attack on Riyadh Bank
Sylhet Gang targeting Ministry of Home Affairs HCM systems
APT33 targeting petrochemical sector with wiper malware
DieNet claims Sharjah Airport compromise
Camera scanning operations ongoing

🇧🇭 Bahrain

DieNet claims Bahrain airport targeting
AWS data center struck by kinetic attack
Financial sector at elevated risk
Hacktivist DDoS campaigns ongoing

🇰🇼 Kuwait

313 Team targeting Kuwait Armed Forces
313 Team claims Ministry of Defense compromise
313 Team targeting government websites
Military sector at highest risk

🇶🇦 Qatar

Camera scanning operations observed
Infrastructure reconnaissance ongoing
Financial sector surveillance activity
Elevated risk due to regional dynamics

🇯🇴 Jordan

APT Iran targeting critical infrastructure for sabotage
Handala Hack claims fuel systems compromise
DieNet targeting Bank of Jordan
Multi-vector campaign from multiple groups

🔍

Indicators of Compromise (IOCs)

All indicators should be immediately deployed to firewalls, EDR, SIEM, and DNS filtering. Click the copy button to copy any value to your clipboard.

Command & Control Servers

IP Address	ASN	Hosting	Malware / Framework	Actor	First Seen	Last Seen
209[.]74[.]87[.]100	NameCheap	—	Open Dir / FMAPP.exe	MuddyWater	Feb 2026	Feb 26
157[.]20[.]182[.]49	AS136557	Hosterdaddy	Sliver + tools	MuddyWater	Feb 2026	Mar 2
185[.]236[.]25[.]119	—	—	Tsundere / blockchain C2	MuddyWater	Feb 2026	—
38[.]180[.]239[.]161	M247 Europe	—	"Wonders Above" C2	Dark Scepter/APT34	Feb 2026	—
92[.]243[.]65[.]243	AS25467	Akton d.o.o.	C2	Dark Scepter/APT34	Feb 2026	—
185[.]76[.]79[.]125	AS57169	EDIS GmbH	C2	Dark Scepter/APT34	Feb 2026	—
217[.]60[.]249[.]120	AS198154	ParsAbr	Sliver	Iran-based	Feb 11	Mar 6
79[.]175[.]189[.]207	AS25184	Afranet	Mythic	Iran-based	Mar 1	Mar 4
78[.]38[.]80[.]242	AS58224	Amozesh	Metasploit	Iran-based	Feb 11	Mar 3
185[.]209[.]42[.]105	AS209836	Toesegaran	Sliver	Iran-based	Feb 11	Feb 12

Malicious Domains

Domain	Actor	Category
codefusiontech[.]org	MuddyWater	C2 (Op. Olalampo)
whatsapp-meeting[.]duckdns[.]org	APT35	Phishing
web14[.]info	APT34/Dark Scepter	C2
anythingshere[.]shop	APT34/Dark Scepter	C2/Phishing
cside[.]site	APT34/Dark Scepter	C2
footballfans[.]asia	APT34/Dark Scepter	C2
menclub[.]lt	APT34/Dark Scepter	C2
musiclivetrack[.]website	APT34/Dark Scepter	C2
stone110[.]store	APT34/Dark Scepter	Staging
justweb[.]click	APT34/Dark Scepter	C2
girlsbags[.]shop	APT34/Dark Scepter	Phishing
lecturegenieltd[.]pro	APT34/Dark Scepter	C2
ntcx[.]pro	APT34/Dark Scepter	C2
retseptik[.]info	APT34/Dark Scepter	C2
handala-redwanted.to	Handala Hack	Leak Site
handala-hack.to	Handala Hack	Operations

File Hashes

SHA-256 / SHA-1	File	Actor	Type
e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b	FMAPP.exe	MuddyWater	Tunneling Proxy
83651b0589665b112687f0858bfe2832ca317ba75e700c91ac34025ee6578b72	RedAlert APK	APT35-aligned	Mobile Malware
62ED16701A14CE26314F2436D9532FE606C15407	SOCKS5 proxy	MuddyWater	Network Tool

Malware Family Inventory

RustyWater WezRAT GhostFetch SHAPESHIFT Tickler CHAR TameCat Foudre Tonnerre Sicarii Sliver Mythic Tonedeaf Helminth Karkoff PoisonFrog BONDUPDATER

Red = Custom/AI-enhanced | Amber = Custom Iranian tools | Teal = Publicly available / dual-use

Telegram C2: stager_51_bot — MuddyWater CHAR backdoor C2 via Telegram Bot API.

⚡

OT/ICS Threat Assessment

Nozomi Networks' 2H 2025 OT/ICS threat report reveals a critical exposure gap in the Middle East, with Iranian threat actors actively positioning for potential destructive operations.

ME Vulnerability Exposure

61% HIGH/CRITICAL

vs 48% global average

EPSS > 1% (Exploit Likelihood)

8% of ME vulns

vs 4% global — 2x exposure

Most Targeted Sectors

Manufacturing & Transportation

Current Phase

Exploratory / Positioning

Critical window before escalation

⚠️ CRITICAL WINDOW: Iranian attackers are in an exploratory/positioning phase within OT/ICS networks. The gap between initial compromise and destructive action is narrowing as geopolitical tension escalates.

Top MITRE Techniques in OT/ICS

Technique	Description	Prevalence	Risk
Default Credentials	Factory-default passwords on PLCs, HMIs, network devices	VERY HIGH	Immediate control system access
Valid Accounts	Stolen or compromised legitimate credentials	HIGH	Bypasses authentication
Brute Force	Password spraying against exposed OT interfaces	HIGH	Common with Unitronics PLCs
Network Scanning	Active reconnaissance of industrial networks	HIGH	Precursor to lateral movement

Key OT/ICS Threat Actors

MuddyWater & APT33: Most active per Nozomi 2H 2025 telemetry — targeting manufacturing and energy
Cyber Av3ngers: Demonstrated Unitronics PLC exploitation at US water plants — proven physical disruption
FAD Team (Fatimiyoun): Claimed SCADA/PLC access to 24 Israeli security devices and Turkish media

🔎

Infrastructure Hunting Techniques

Techniques used by HawkEye Hunt analysts to discover and track Iranian APT infrastructure. These can be replicated with access to threat hunting platforms.

1. ASN Clustering

MuddyWater prefers NameCheap and Hosterdaddy (AS136557). Monitor new infrastructure on these ASNs matching known patterns (specific ports, cert patterns, web server configs).

2. Certificate SAN Pivoting

APT34's Dark Scepter uses Cloudflare fronting. Pivoting on SANs from known certificates bypassed Cloudflare and identified C2 nodes at 92[.]243[.]65[.]243 and 185[.]76[.]79[.]125.

3. Web Page Title Fingerprinting

Dark Scepter C2 at 38[.]180[.]239[.]161 served "Wonders Above" — scanning for this title across internet-wide datasets identified the initial C2. Actors often leave distinctive artifacts.

4. Open Directory Scanning

MuddyWater's open dir at 209[.]74[.]87[.]100 exposed FMAPP.exe and operational tools. Regular scanning reveals tooling, staging files, and operational artifacts.

5. File Hash Pivoting

FMAPP.exe hash pivoted from 209[.]74[.]87[.]100 to 157[.]20[.]182[.]49 — revealing an entirely new C2 node with Sliver, blockchain C2, and additional tooling.

6. HuntSQL Infrastructure Correlation

Structured query languages for hunting platforms enable correlation across ASN, certificate, service banner, and port data to cluster infrastructure by operator.

7. JARM Fingerprinting

JARM TLS fingerprinting identifies C2 frameworks (Sliver, Mythic, Cobalt Strike) by unique TLS handshake signatures, even behind CDNs. Effective for tracking MuddyWater's Sliver instances.

🦅

HawkEye Platform Intelligence

HawkEye's 24x7 CSOC and XDR platform provides continuous visibility into Iranian APT operations. The following screenshots demonstrate active monitoring, threat hunting, and detection capabilities deployed against the current threat landscape.

HawkEye Main Dashboard

Real-time threat monitoring showing active feeds, IOC correlation, and detection metrics.

Threat Hunt Listings

Active hunts across Iranian APT campaigns and associated hacktivist groups.

Iran-Filtered Hunts

Hunts filtered for Iranian APT activity — MuddyWater, APT34, APT35, and associates.

Intelligence-Driven Hunts

Proactive hunts from HawkEye Hunt, Unit 42, and allied intelligence feeds.

IOC Hunter with CTIX Integration

Automated IOC hunting with CTIX threat intelligence platform correlation.

Threat Intercept Simulations

Attack simulation against Iranian APT TTPs — validating detection coverage.

Vibe Hunting — Iran Conversation

AI-assisted hunting analyzing Iranian APT patterns and behavioral indicators.

Vibe Hunting — Iran Query Results

AI-generated queries for Iranian APT infrastructure identification.

$Detections$

Detection Rules Library

Custom rules for PowerShell abuse, Sliver/Mythic beacons, DNS tunneling.

Extended Hunt Coverage

Additional hunts covering secondary APTs, hacktivists, and reconnaissance ops.

✅

Defensive Recommendations

🔴
Immediate Actions (24 Hours)

Block all IOC IPs, domains, and file hashes listed in this advisory at firewall, EDR, SIEM, and DNS filtering layers. Deploy to proxy, email gateway, and CASBs.
Enforce MFA on ALL VPN, RDP, and cloud accounts. Fox Kitten and MuddyWater actively target single-factor remote access. Hardware tokens or FIDO2 preferred over SMS/push.
Audit ALL internet-facing devices for default credentials. Nozomi data shows default credentials are the #1 technique in ME OT/ICS. Prioritize Unitronics PLCs, Hikvision/Dahua cameras, and network equipment.
Emergency patch VPN appliances — Fortinet FortiOS, Pulse Secure/Ivanti, Citrix ADC/Gateway, F5 BIG-IP. Fox Kitten specifically targets these for initial access brokerage.
Enable enhanced PowerShell logging (ScriptBlock, Module, Transcription). MuddyWater's reset.ps1 and APT42's TameCat rely heavily on PowerShell. Alert on encoded commands and download cradles.
Disable macros in Microsoft Office documents from external sources. VoidManticore uses malicious Word documents and multiple groups leverage macro-enabled documents.

🟡
Short-Term Actions (1 Week)

Deploy behavioral EDR with LOLBin detection. Signature-based AV misses Sliver, Mythic, and custom tools like RustyWater. Focus on process behavior, not hash matching.
Review and test DDoS mitigation plans. 60+ hacktivist groups are conducting volumetric attacks. Test failover and CDN/scrubbing capacity against botnets like HydraC2.
Segment OT/IT networks with strict firewall rules. SCADA, PLC, and HMI systems must not be reachable from corporate IT. Implement unidirectional gateways where feasible.
Audit Azure AD and M365 tenants for credential harvesting. APT34 actively harvests cloud credentials. Review OAuth consents, impossible-travel sign-ins, and conditional access.
Hunt for Sliver, Mythic, Cobalt Strike, and Metasploit beacons. Use JARM fingerprinting, JA3/JA3S hashes, and behavioral rules. MuddyWater runs Sliver on Iranian ISPs (ParsAbr, Afranet).
Monitor DNS for tunneling — high-entropy subdomains, long queries, TXT record abuse. APT34's BONDUPDATER and Helminth use DNS tunneling as primary exfiltration.

🔵
Medium-Term Actions (1 Month)

Implement zero trust architecture with micro-segmentation. Assume breach — Iranian APTs maintain long-term persistence via supply chain compromises and sleeper access.
Conduct tabletop exercise for wiper/ransomware scenarios. APT33's SHAPESHIFT and Tickler wipers cause maximum destruction. Test IR, backup integrity, and comms procedures.
Review cloud DR plans. AWS me-central-1 drone strikes show cloud infrastructure in the region is now a kinetic target. Ensure multi-region failover accounts for physical attacks.
Establish threat hunting program using MITRE ATT&CK framework. Focus on techniques in this advisory. Weekly minimum hunting cadence with hypothesis-driven hunts.
Deploy deception technology (honeypots, honeytokens, canary files). Place decoys where Iranian APTs target — domain admin creds, VPN configs, OT segments.
Engage with sector ISACs and threat intelligence sharing communities. The current crisis requires collective defense. Share IOCs, TTPs, and detection rules with trusted partners.

🗺️

MITRE ATT&CK Technique Heatmap

Frequency of MITRE ATT&CK techniques observed across all 10 Iranian APT groups. Darker shading = higher frequency across multiple groups.

ID	Technique	Tactic	Groups Using	Freq
T1566.001	Spearphishing Attachment	Initial Access	MuddyWater, APT34, APT35, APT42, APT33	5
T1059.001	PowerShell	Execution	MuddyWater, APT34, APT35, APT42, APT33	5
T1071	Application Layer Protocol	C2	MuddyWater, APT35, APT42	3+
T1573	Encrypted Channel	C2	MuddyWater, APT34, APT35	3
T1190	Exploit Public-Facing App	Initial Access	MuddyWater, APT34	2
T1078	Valid Accounts	Persistence	APT34, APT42	2
T1053.005	Scheduled Task	Persistence	MuddyWater, APT34	2
T1056.001	Keylogging	Collection	APT35, APT42	2
T1041	Exfiltration Over C2	Exfiltration	MuddyWater, APT34	2
T1071.004	DNS	C2	MuddyWater, APT34	2
T1566.002	Spearphishing Link	Initial Access	APT35	1
T1059.005	Visual Basic	Execution	MuddyWater	1
T1574.002	DLL Side-Loading	Persistence	MuddyWater	1
T1090.004	Domain Fronting	C2	APT34	1
T1003	OS Credential Dumping	Credential Access	APT34	1
T1027	Obfuscated Files	Defense Evasion	APT34	1
T1113	Screen Capture	Collection	APT35	1
T1110	Brute Force	Credential Access	APT33	1
T1195	Supply Chain Compromise	Initial Access	APT33	1
T1485	Data Destruction	Impact	APT33	1
T1561	Disk Wipe	Impact	APT33	1
T1005	Data from Local System	Collection	APT35	1

📚

Intelligence Sources

HawkEye Hunt — Internal threat hunting platform + intelligence tracking data (264+ IPs, 2,900+ hosts)
Unit 42 / Palo Alto Networks — Threat Brief: Iran-Related Cyber Operations, March 2026
Halcyon RRC — Iranian Cybercriminal Tactics and Techniques Report, 2026
SentinelOne — Iranian Cyber Activity Outlook: Escalation Scenarios
Canadian Centre for Cyber Security — Threat Bulletin: Iranian Cyber Threat, February 2026
Nozomi Networks — Iranian APT Activity During Kinetic-Cyber Escalation (OT/ICS Focus)
LevelBlue SpiderLabs — Iran Crisis: Cyber Operations Assessment
Brandefense — OilRig / APT34 Deep Profile: Dark Scepter Campaign
AttackIQ — RustyWater + WezRAT Adversary Emulation Assessments
Broadcom (Symantec) — Seedworm: Targeting US Critical Infrastructure
Check Point Research — Camera Reconnaissance Operations in the Gulf
HawkEye CSOC — Internal Threat Intelligence and Hunt Telemetry

Executive Summary

Key Findings

Situation Overview & Timeline

Threat Landscape Visualization

Attacks by Sector

C2 Infrastructure by Hosting Provider

APT Group Activity Level (HawkEye Hunt Tracking)

Iranian APT Sponsorship Distribution

Iranian APT Group Profiles

Active Campaigns

Infrastructure Discovery Chain

Tooling Arsenal

HawkEye Hunt C2 Tracking

Dark Scepter Campaign

Domain Infrastructure (12+ domains)

Malware Arsenal

Cloud Credential Harvesting

WezRAT Capabilities

Mobile Attack Vector

C2 Infrastructure Leak

TameCat Backdoor

RedKitten Operations

Hacktivist & Proxy Group Activity

GCC-Specific Threat Landscape

🇦🇪 United Arab Emirates

🇸🇦 Saudi Arabia

🇧🇭 Bahrain

🇰🇼 Kuwait

🇶🇦 Qatar

🇯🇴 Jordan

Indicators of Compromise (IOCs)

Command & Control Servers

Malicious Domains

File Hashes

Malware Family Inventory

OT/ICS Threat Assessment

Top MITRE Techniques in OT/ICS

Key OT/ICS Threat Actors

Infrastructure Hunting Techniques

1. ASN Clustering

2. Certificate SAN Pivoting

3. Web Page Title Fingerprinting

4. Open Directory Scanning

5. File Hash Pivoting

6. HuntSQL Infrastructure Correlation

7. JARM Fingerprinting

HawkEye Platform Intelligence

HawkEye Main Dashboard

Threat Hunt Listings

Iran-Filtered Hunts

Intelligence-Driven Hunts

IOC Hunter with CTIX Integration

Threat Intercept Simulations

Vibe Hunting — Iran Conversation

Vibe Hunting — Iran Query Results

Detection Rules Library

Extended Hunt Coverage

Defensive Recommendations

🔴 Immediate Actions (24 Hours)

🟡 Short-Term Actions (1 Week)

🔵 Medium-Term Actions (1 Month)

MITRE ATT&CK Technique Heatmap

Intelligence Sources

🔴
Immediate Actions (24 Hours)

🟡
Short-Term Actions (1 Week)

🔵
Medium-Term Actions (1 Month)