The Asymmetric Battlefield: An Anthropological and Geopolitical Analysis of Iranian Cyber Threats to North American Critical Infrastructure

News + Threat Intelligence + Skuggaheimar | Mjolnir Security | June 24, 2025


Executive Summary

Iranian state-sponsored Advanced Persistent Threat (APT) groups represent a sophisticated and escalating cyber threat to United States and Canadian critical infrastructure. This threat is not merely technical but is deeply rooted in Iran’s strategic culture, geopolitical objectives, and a unique operational ecosystem. Key actors, including Charming Kitten (APT35/APT42), APT33 (Elfin), and APT34 (OilRig), operate under the direction of state bodies like the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). Their motivations are driven by a doctrine of asymmetric warfare, using cyberspace to retaliate against perceived aggression, conduct espionage, and project power without risking direct military confrontation.

Their Tactics, Techniques, and Procedures (TTPs) range from the highly sophisticated social engineering and credential harvesting campaigns of Charming Kitten to the destructive industrial sabotage capabilities of APT33 and the broad, stealthy espionage of APT34. These operations are increasingly potent and pose a direct risk to sectors such as healthcare, energy, water and wastewater systems (WWS), and transportation.

The current geopolitical landscape, marked by heightened tensions between Iran, Israel, and the United States, significantly amplifies this threat. Any kinetic military action, such as U.S. airstrikes, is almost certain to trigger retaliatory cyber operations against Western targets. These responses will likely be calibrated for maximum psychological impact and disruption, targeting the control and public confidence in critical services.

Mitigating this persistent threat requires a multi-layered, intelligence-driven defense posture that moves beyond reactive security. A proactive framework, combining advanced threat intelligence, 24/7 security operations, continuous vulnerability management, and expert-led threat hunting, is essential. Mjolnir Security’s comprehensive suite of services is designed to provide this resilience, enabling organizations to detect, counter, and respond to the nuanced and evolving tactics of Iranian APTs, thereby safeguarding critical national infrastructure in the U.S. and Canada.

The Asymmetric Battlefield: Iran’s Strategic Cyber Doctrine

1.1. From Stuxnet to Statecraft: The Origins of Iran’s Cyber Program

Iran’s emergence as a formidable cyber power was not a proactive choice but a reactive necessity, forged in the aftermath of the 2010 Stuxnet attack.[1] The sophisticated malware, widely attributed to the United States and Israel, sabotaged centrifuges at Iran’s Natanz nuclear facility, serving as a “digital Pearl Harbor” for Tehran.[2] This event starkly demonstrated Iran’s vulnerability in the cyber domain and catalyzed a massive state-level investment in developing both defensive and offensive capabilities.[4] Iran’s cyber program was thus born from a defensive posture, fundamentally shaping its doctrine around the principles of asymmetric warfare—using cyberspace to level the playing field against militarily and economically superior adversaries.[5]

The regime’s journey began with the mobilization of patriotic hacker groups and the establishment of entities like the Iranian Cyber Army, which initially focused on website defacements and promoting pro-regime ideology.[3] However, recognizing the strategic potential of cyber operations, Iran quickly evolved its approach, professionalizing its efforts and forming organized, state-directed APT groups under the command of its primary intelligence and military bodies.[1] This evolution transformed cyberspace from a domain of harassment into a core instrument of Iranian statecraft, integral to its national security strategy and foreign policy objectives.

1.2. A Culture of Retaliation: Geopolitics as the Primary Driver

The central tenet of Iran’s offensive cyber strategy is its reactive and retaliatory nature. Operations are rarely initiated in a vacuum; instead, they are almost always a direct response to a perceived geopolitical provocation, functioning as a “tit-for-tat” mechanism of state policy.[4] This strategic linkage means that the intensity, targeting, and timing of Iranian cyber campaigns are direct reflections of the broader geopolitical climate.

This pattern is consistently observable throughout the history of Iran’s cyber activities. For instance, following the U.S. withdrawal from the Joint Comprehensive Plan of Action (JCPOA) in 2018, Iranian APTs launched an aggressive phishing campaign within 24 hours, indicating a prepared response to a political trigger.[4] Similarly, the imposition of economic sanctions has historically been met with increased cyber operations targeting financial and industrial sectors in the West.[4] The regime also uses cyber proxies to retaliate against regional rivals; attacks on Saudi Arabian oil and gas infrastructure, for example, are often contextualized within the ongoing proxy conflicts in Yemen and Syria.[1]

This behavior reveals a critical truth for Western defenders: predicting Iranian cyber threats requires a deep understanding of Tehran’s geopolitical calculus. A purely technical analysis of malware and infrastructure is insufficient. Threat intelligence must be fused with geopolitical analysis, monitoring diplomatic incidents, military posturing, and economic sanctions as primary indicators of potential cyber escalation. The actions of Iranian APTs are not random; they are a direct extension of the nation’s foreign policy playing out in the digital realm.[1]

1.3. The Human Factor: Ideology, Nationalism, and Asymmetric Advantage

Iran’s cyber doctrine is deeply imbued with cultural, ideological, and religious drivers that animate its operations. The regime frequently frames its cyber activities as a necessary defense against a “Western cultural attack,” positioning itself as a guardian of Islamic values against foreign influence.[4] This narrative serves to justify both domestic internet censorship and external offensive operations. It is complemented by a strong sense of national pride and an ambition to achieve regional and global leadership in technological innovation, a goal often articulated by state and military officials.[4]

Strategically, Iran masterfully exploits the inherent characteristics of cyberspace to its asymmetric advantage. The domain’s low cost of entry, ambiguity, and the principle of plausible deniability make it the perfect theater for a state that seeks to harass and challenge more powerful adversaries without triggering a full-scale military conflict.[6] By operating through a complex web of proxies and front companies, Iran can project power, conduct espionage, and execute disruptive attacks while maintaining a veneer of deniability, complicating attribution and slowing international response.[4] This approach allows Iran to pursue its strategic objectives with a level of risk far below that of conventional military action, making cyberspace a central pillar of its asymmetric conflict strategy.

The Iranian Cyber Ecosystem: Structure, Culture, and Motivation

2.1. The Dual Command: IRGC vs. MOIS

Iran’s state-sponsored cyber operations are directed primarily by two powerful, and at times competing, entities: the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS).[1] Understanding their distinct mandates and reporting structures is key to deciphering the motivations behind different APT campaigns.

  • Islamic Revolutionary Guard Corps (IRGC): The IRGC is an elite military and ideological force reporting directly to the Supreme Leader, bypassing the elected government.[11] Its cyber arm, the IRGC Cyber-Electronic Command (IRGC-CEC), is tasked with defending the regime from internal and external threats.[12] IRGC-sponsored operations are often more aggressive, ideologically driven, and focused on targets of military, defense, and political significance. APT groups assessed to be affiliated with the IRGC include Charming Kitten (APT35/APT42) and APT33 (Elfin), whose targeting of dissidents, defense contractors, and critical infrastructure aligns with the IRGC’s core mission.[11]
  • Ministry of Intelligence and Security (MOIS): The MOIS is Iran’s main civilian foreign intelligence service, reporting to the President.[11] Its cyber operations are more aligned with traditional espionage, focusing on broad intelligence collection to support national security and economic interests. MOIS-sponsored groups tend to target a wider array of sectors, including government, telecommunications, and finance, on a global scale. APT34 (OilRig) and MuddyWater are prominent APTs linked to the MOIS, known for their large-scale espionage campaigns and sophisticated custom malware.[11]

While both entities serve the state, their relationship is characterized by competition and overlapping missions, creating a complex and sometimes fragmented intelligence apparatus.[11]

2.2. A Web of Proxies: The Role of Contractors, Front Companies, and “Faketivists”

To execute their objectives and maintain plausible deniability, both the IRGC and MOIS rely on a sprawling ecosystem of non-state actors. This operational model involves leveraging private IT companies, academic institutions, and freelance hacking groups as contractors.[1] For example, U.S. sanctions have identified front companies like Afkar System and Najee Technology as entities conducting cyber operations on behalf of the IRGC-IO.[11] This structure not only provides a layer of obfuscation but also grants the regime access to a broader and more flexible talent pool than it could maintain in-house.[6]

A particularly potent tactic within this model is the creation and use of “faketivists”—state-sponsored hacking groups that pose as independent, ideologically motivated hacktivists. The most prominent recent example is “CyberAv3ngers,” a persona that claimed responsibility for disruptive attacks on U.S. water facilities.[12] While presenting as a pro-Iranian hacktivist collective, U.S. and allied agencies have formally attributed the group as an IRGC-affiliated cyber persona.[12] This strategy deliberately blurs the lines between state and non-state actors, blending propaganda with disruptive cyberattacks to complicate attribution, shape public perception, and create a climate of fear and uncertainty.[20]

This operational model is a strategic asset for Iran, but it also introduces inherent vulnerabilities. The reliance on contractors and proxies, who may be motivated more by profit than ideology, creates a less stable and professionalized force compared to the state-controlled cyber armies of Russia or China. This instability was starkly illustrated in 2019 when a disgruntled insider leaked a significant portion of APT34’s hacking tools and victim data on Telegram, a catastrophic operational security failure that exposed the group’s methods and infrastructure to the world.[22] This event highlights that while the proxy model aids in obfuscation, it also creates internal risks and potential avenues for counter-intelligence exploitation.

2.3. The Operator’s Mindset: A Blend of Professionalism, Amateurism, and Deception

An anthropological analysis of Iranian cyber operators reveals a fascinating and exploitable paradox. On one hand, they demonstrate remarkable sophistication and patience, particularly in the realm of social engineering. Groups like Charming Kitten are masters of deception, capable of creating elaborate fake personas, building rapport with targets over months or even years, and crafting highly convincing lures that exploit professional interests or emotional vulnerabilities.[6] This dedication to the human element of hacking is a hallmark of their tradecraft.

On the other hand, Iranian APTs are frequently plagued by a surprising degree of amateurism and poor operational security (OPSEC). Researchers have often found operator mistakes, such as leaving personal aliases, email addresses, or other identifying information within malware code or domain registration records.[25] Their infrastructure can be predictable, and they often fail to employ the advanced obfuscation techniques common among other top-tier state actors.[9] This carelessness suggests a lack of rigorous, professionalized training and oversight.

This dichotomy likely stems from the regime’s struggle to balance ideological purity with technical skill. The government and IRGC prioritize loyalists, but the most talented hackers may not be the most ideologically committed.[6] The result is a human infrastructure that is capable and dangerous, yet also prone to errors. For network defenders and threat intelligence analysts, this blend of sophistication and sloppiness provides unique opportunities for detection, attribution, and disruption. Understanding these cultural tells and operational habits is as crucial as analyzing their malware.

Threat Actor Dossiers: The “Kitten” Cohort

To provide decision-makers with a concise overview, the following table summarizes the key attributes of the primary Iranian APT groups discussed in this report.

Table 1: Iranian APT Group Comparison

| Group Name & Aliases | Assessed State Sponsor | Primary Motivation | Key Target Sectors | Signature TTPs |
|---|---|---|---|---|
| Charming Kitten (APT35, Phosphorus, Magic Hound, APT42) | Islamic Revolutionary Guard Corps (IRGC) [14] | Espionage, surveillance of dissidents, influence operations [26] | Government, Media, Activists, Academia, Legal Services [26] | Elaborate social engineering, credential harvesting, use of fake personas, exploitation of N-day vulnerabilities [24] |
| APT33 (Elfin, Refined Kitten, Magnallium, Peach Sandstorm) | Islamic Revolutionary Guard Corps (IRGC) [15] | Industrial espionage, destructive attacks, sabotage preparation [15] | Aerospace, Defense, Energy, Petrochemical, Transportation [15] | Destructive wiper malware (Shamoon-like), job-themed spear-phishing with HTA files, password spraying [15] |
| APT34 (OilRig, Helix Kitten, Earth Simnavaz) | Ministry of Intelligence and Security (MOIS) [16] | Broad intelligence gathering, economic espionage, supply chain compromise [34] | Government, Financial, Telecom, Energy, Chemical [18] | DNS tunneling for C2, supply chain attacks, custom PowerShell backdoors, web shells [18] |

3.1. Charming Kitten (APT35/Phosphorus/Magic Hound/APT42): The Masters of Deception

  • History, Affiliation, and Motivations: Active since at least 2014, Charming Kitten is a prolific espionage group operating on behalf of the IRGC.[14] Its primary mission is intelligence collection and surveillance targeting individuals and organizations deemed a threat to the Iranian regime. Victims include journalists, academics specializing in Iranian studies, human rights activists, political dissidents, and government officials in the U.S., Europe, and the Middle East.[26] The group is highly adaptive, able to quickly pivot its targeting focus in response to evolving geopolitical events and intelligence requirements, such as targeting the pharmaceutical sector during the COVID-19 pandemic.[17]
  • Signature TTPs: The group’s defining characteristic is its mastery of social engineering and spear-phishing.[14] Operators create highly convincing fake personas, often posing as journalists or academics, and engage targets on social media platforms like LinkedIn to build trust over extended periods.[14] Once rapport is established, they deliver malicious links to credential harvesting pages disguised as legitimate services like Google Drive or password reset portals.[14] They are adept at exploiting known N-day vulnerabilities, such as Log4Shell and ProxyShell, to gain initial access.[30] To evade detection, they frequently leverage legitimate cloud services like Dropbox and Google Drive for command-and-control (C2) and payload delivery.[14] Their TTPs are extensively mapped in the MITRE ATT&CK framework, including T1566 (Phishing), T1585 (Establish Accounts), T1111 (Multi-Factor Authentication Interception), and T1539 (Steal Web Session Cookie).[38]
  • Malware Arsenal:
    • HYPERSCRAPE: A custom tool written in .NET designed specifically to steal the contents of a victim’s Gmail, Yahoo!, or Microsoft Outlook mailbox after their credentials have been compromised. It mimics legitimate browser behavior to avoid detection.[26]
    • PowerLess Backdoor: A PowerShell-based backdoor that provides capabilities for keylogging, stealing browser data, executing arbitrary commands, and downloading additional malware modules.[30]
    • Other Tools: The group employs a wide range of custom and publicly available tools for persistence (e.g., modifying registry run keys, creating scheduled tasks), credential theft, and defense evasion.[14]
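The credential-harvesting pages described above succeed because a look-alike host name passes a quick glance. The following is an added example, my own code rather than anything from the report or from Mjolnir Security, of the kind of check a web-proxy or DNS log pipeline can run to surface such hosts. It allowlists the brand domains an organization legitimately uses (the brand and allowlist entries here are constructed assumptions), undoes common digit-for-letter substitutions, and flags a protected brand that appears inside a subdomain of an unrelated domain, as an impersonating registered label, or as a one-character typosquat. Treating the last two labels as the registered domain is a stated simplification; a production version would consult the Public Suffix List.

```python
# Brand names worth protecting and the domains they legitimately resolve under.
# Both lists are constructed assumptions for this example, not a vendor list.
PROTECTED_BRANDS = ["google", "microsoft", "dropbox", "linkedin"]
ALLOWLIST = {"google.com", "microsoft.com", "dropbox.com", "linkedin.com"}

# Digit/symbol-for-letter swaps commonly used to build look-alike labels.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def normalise(label):
    """Lower-case a DNS label and undo the usual homoglyph and separator tricks."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, allowlist=ALLOWLIST, brands=PROTECTED_BRANDS):
    """Return (verdict, reason) for one host name seen in proxy or DNS logs."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "clean", "single-label host"
    # Simplification (assumption): registered domain = last two labels.
    registered = ".".join(labels[-2:])
    if registered in allowlist:
        return "allow", f"{registered} is allowlisted"
    reg_label = normalise(labels[-2])
    sub_labels = [normalise(l) for l in labels[:-2]]
    for brand in brands:
        # e.g. login.microsoft.com.example.net: brand buried in a subdomain
        if any(brand in s for s in sub_labels):
            return "suspicious", f"brand '{brand}' used as a subdomain of {registered}"
        # e.g. g00gle.com: registered label normalises to (or contains) the brand
        if brand in reg_label:
            return "suspicious", f"registered label '{labels[-2]}' impersonates '{brand}'"
        # e.g. gooogle.com: one insertion/deletion/substitution away from the brand
        if edit_distance(reg_label, brand) <= 1:
            return "suspicious", f"'{labels[-2]}' is one edit away from '{brand}'"
    return "clean", "no protected brand referenced"


def triage_hosts(hosts):
    """Run the classifier over a batch and return only the suspicious hits, in input order."""
    hits = []
    for h in hosts:
        verdict, reason = classify_host(h)
        if verdict == "suspicious":
            hits.append((h, reason))
    return hits


# Constructed sample host names (not observed indicators).
SAMPLE_HOSTS = [
    "drive.google.com",                  # legitimate, allowlisted
    "accounts.g00gle.com",               # homoglyph in the registered label
    "login.microsoft.com.example.net",   # brand buried in a subdomain
    "gooogle.com",                       # one-character typosquat
    "www.example.com",                   # unrelated, clean
]

if __name__ == "__main__":
    for host, reason in triage_hosts(SAMPLE_HOSTS):
        print(f"SUSPICIOUS {host}: {reason}")
```

The allowlist check runs first so that legitimate brand traffic is never scored; everything the organization has not explicitly blessed is then measured against each protected brand, and the first matching rule wins.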

3.2. APT33 (Elfin/Refined Kitten/Magnallium): The Industrial Saboteur

  • History, Affiliation, and Motivations: Operating since at least 2013, APT33 is an IRGC-linked group with a dual mission of espionage and destructive capability.[15] While many of its operations are focused on intelligence gathering, the group is strongly suspected of having ties to destructive wiper malware attacks, most notably those involving Shamoon.[15] Its targeting is highly focused on strategic industries critical to Iran’s adversaries, including the aerospace, defense, energy, and petrochemical sectors in the United States, Saudi Arabia, and South Korea.[15]
  • Signature TTPs: APT33 heavily relies on spear-phishing campaigns with recruitment-themed lures. These emails often contain malicious HTML Application (.hta) files or links that, when opened, execute PowerShell scripts to download payloads.[15] The group is known for conducting password spraying attacks (T1110.003) to brute-force credentials and for exploiting known vulnerabilities in software like WinRAR (CVE-2018-20250).[33] Once inside a network, they use a variety of publicly available tools like LaZagne and Mimikatz for credential dumping (T1003.001) and leverage FTP for data exfiltration.[33]
  • Malware Arsenal:
    • SHAPESHIFT / STONEDRILL: A destructive data-wiping malware that shares code similarities with the notorious Shamoon virus. It is designed to overwrite the Master Boot Record (MBR) and destroy data on infected systems.[31]
    • DROPSHOT: A dropper malware used to deliver and execute other malicious payloads, including TURNEDUP and SHAPESHIFT.[31]
    • TURNEDUP: A custom backdoor that can upload/download files, report system information, and establish a reverse shell for remote command execution.[31]
    • POWERTON: A PowerShell-based backdoor implant that uses encrypted C2 communications for stealth.[32]
    • Tickler: A newer backdoor observed in a 2024 campaign that utilized compromised and fraudulently created Azure subscriptions for its C2 infrastructure, demonstrating an evolution in tactics.[41]
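Password spraying (T1110.003), noted in the APT33 TTPs above, has a distinctive shape in authentication logs: one source fails against many different accounts with only one or two attempts each, which keeps every individual account under its lockout threshold. The following added example is my own detection logic, not the report’s or Mjolnir Security’s, and the log format and all sample lines are constructed. It parses the lines, slides a time window over each source’s failures, flags sources whose distinct-user count is high while per-user attempts stay low, and then surfaces any successful login from a flagged source after its spray began, which is the alert a SOC analyst would want first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 203.0.113.7 sprays one guess
# across many accounts and finally lands one; 198.51.100.9 is a user mistyping.
SAMPLE_LOG = """\
2025-06-24T02:13:05Z src=203.0.113.7 user=alice result=FAIL
2025-06-24T02:13:09Z src=203.0.113.7 user=bob result=FAIL
2025-06-24T02:13:14Z src=203.0.113.7 user=carol result=FAIL
2025-06-24T02:13:20Z src=203.0.113.7 user=dave result=FAIL
2025-06-24T02:13:27Z src=203.0.113.7 user=erin result=FAIL
2025-06-24T02:13:33Z src=203.0.113.7 user=frank result=SUCCESS
2025-06-24T02:14:01Z src=198.51.100.9 user=grace result=FAIL
2025-06-24T02:14:05Z src=198.51.100.9 user=grace result=FAIL
2025-06-24T02:14:12Z src=198.51.100.9 user=grace result=SUCCESS
"""

# Assumed line layout: ISO timestamp, then key=value fields for source, user, result.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(log_text):
    """Turn raw lines into (timestamp, source, user, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that fail against many distinct accounts with few attempts each."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        if result == "FAIL":
            by_src[src].append((ts, user))
    findings = {}
    for src, fails in by_src.items():
        # Slide a window starting at each failure; stop at the first one that qualifies.
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = {"distinct_users": len(per_user), "window_start": start}
                break
    return findings


def successes_after_spray(events, findings):
    """A success from a flagged source at or after its spray window is the top-priority alert."""
    hits = []
    for ts, src, user, result in sorted(events):
        if src in findings and result == "SUCCESS" and ts >= findings[src]["window_start"]:
            hits.append((src, user))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = detect_spraying(evs)
    for src, info in found.items():
        print(f"spray from {src}: {info['distinct_users']} accounts from {info['window_start']:%H:%M:%S}")
    for src, user in successes_after_spray(evs, found):
        print(f"ALERT: {user} authenticated from spraying source {src}")
```

The thresholds (five accounts in ten minutes, at most two tries per account) are starting points; the right values depend on how many users share a NAT or VPN egress address, so tune them against a baseline before alerting.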

3.3. APT34 (OilRig/Helix Kitten): The Espionage Engine

  • History, Affiliation, and Motivations: Active since at least 2014, APT34 is a highly sophisticated espionage group attributed to Iran’s Ministry of Intelligence and Security (MOIS).[11] Its primary mandate is conducting broad, long-term intelligence gathering operations to support Iran’s geopolitical and economic objectives.[34] The group targets a wide range of sectors, including government, finance, energy, chemical, and telecommunications, with a primary focus on the Middle East but with victims identified globally.[18]
  • Signature TTPs: APT34 is well-known for conducting supply chain attacks (T1195), where it compromises a trusted third-party, such as an IT service provider, to gain access to its ultimate, higher-value targets.[18] The group makes extensive use of PowerShell for execution and lateral movement and has developed a large arsenal of custom scripts and backdoors.[34] A key and defining technique is its use of DNS tunneling (T1572) for C2 communications, which allows it to blend malicious traffic with legitimate DNS queries, making it difficult to detect.[34] Initial access is often achieved through spear-phishing emails containing malicious Microsoft Office documents that exploit vulnerabilities like CVE-2017-11882.[35]
  • Malware Arsenal: APT34 possesses a large and constantly evolving toolkit. In 2019, a significant portion of this arsenal was leaked online, providing unprecedented insight into their operations.[22]
    • HELMINTH: A complex, multi-component backdoor written in PowerShell that gives attackers extensive control over a compromised system, including keylogging, data exfiltration, and command execution capabilities.[35]
    • QUADAGENT: Another PowerShell-based backdoor used for establishing persistence and remote access.[35]
    • BONDUPDATER: A PowerShell framework used for command and control.[34]
    • Leaked Tools: The 2019 leak exposed several tools, including Glimpse, PoisonFrog, HyperShell, HighShell, Fox Panel, and Webmask, revealing a mature development capability.[22]
    • Other Malware: The group utilizes a wide variety of custom droppers, backdoors, and information stealers, including OopsIE, Karkoff, ISMAgent, and SideTwist.[44]
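DNS tunneling (T1572), the APT34 signature technique described above and the “unusual DNS traffic patterns” the report’s mitigation matrix says threat hunters look for, is detectable because the encoded data has to ride inside query names: a single registered domain receives a stream of long, never-repeating subdomains, often as TXT or NULL queries. The following added example is my own hunting logic, not code from the report, from Mjolnir Security, or modeled on any specific APT34 tool. It profiles a constructed resolver log per registered domain (unique subdomain count, mean subdomain length, mean label entropy, TXT/NULL ratio) and flags domains whose churn and label length exceed simple thresholds. Treating the last two labels as the registered domain is a stated simplification; a production hunt would use the Public Suffix List and tune the thresholds against its own baseline.

```python
import math
from collections import defaultdict

# Constructed stand-in for encoded exfiltrated data: 512 hex characters, chunked
# into 40-character labels. This is synthetic, not captured traffic.
_HEX = bytes(range(256)).hex()

# (client, query name, query type) tuples; example.* names per RFC 2606.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.9", "cdn.example.net", "AAAA"),
] + [
    ("10.0.0.12", f"{_HEX[i:i + 40]}.t1.example.org", "TXT")
    for i in range(0, len(_HEX), 40)
]


def shannon_entropy(s):
    """Bits per character; encoded payloads sit well above natural hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered domain, subdomain). Assumption: registered = last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(queries):
    """Aggregate per-registered-domain features from (client, qname, qtype) records."""
    stats = defaultdict(lambda: {"subs": set(), "total": 0, "txt_null": 0, "ent": []})
    for _client, qname, qtype in queries:
        reg, sub = split_name(qname)
        st = stats[reg]
        st["total"] += 1
        if sub:
            st["subs"].add(sub)
            # entropy of the leftmost label, which is where tunnels carry data
            st["ent"].append(shannon_entropy(sub.split(".")[0]))
        if qtype in ("TXT", "NULL"):
            st["txt_null"] += 1
    profile = {}
    for reg, st in stats.items():
        subs = st["subs"]
        profile[reg] = {
            "unique_subdomains": len(subs),
            "mean_sub_len": sum(len(s) for s in subs) / len(subs) if subs else 0.0,
            "mean_entropy": sum(st["ent"]) / len(st["ent"]) if st["ent"] else 0.0,
            "txt_null_ratio": st["txt_null"] / st["total"],
        }
    return profile


def flag_tunneling(profile, min_unique=5, min_len=30):
    """Domains with many distinct, long subdomains are tunnel candidates for a hunter to review."""
    return sorted(reg for reg, p in profile.items()
                  if p["unique_subdomains"] >= min_unique and p["mean_sub_len"] >= min_len)


if __name__ == "__main__":
    prof = profile_domains(SAMPLE_QUERIES)
    for reg in flag_tunneling(prof):
        p = prof[reg]
        print(f"{reg}: {p['unique_subdomains']} unique subdomains, mean length {p['mean_sub_len']:.1f}, "
              f"entropy {p['mean_entropy']:.2f}, TXT/NULL ratio {p['txt_null_ratio']:.2f}")
```

Entropy and the TXT/NULL ratio are reported as supporting evidence rather than used as hard gates, because some legitimate services (CDNs, anti-spam lookups) also generate high-entropy labels; the combination of churn, length and record type is what separates a tunnel from those.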

Escalation Calculus: Geopolitical Flashpoints and Cyber Retaliation

The connection between kinetic military action and retaliatory cyber operations is a cornerstone of Iran’s asymmetric strategy. Official warnings from U.S. government agencies, including the Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), explicitly confirm that the ongoing conflicts involving Iran, Israel, and the United States have created a “heightened threat environment” for U.S. and allied critical infrastructure.[20]

Therefore, it is assessed with high confidence that any significant kinetic strike against Iranian sovereign interests—such as the hypothetical scenario of U.S. airstrikes on nuclear facilities—would almost certainly trigger a state-directed cyber response.[48] This is not speculation but an observation based on historical precedent and an understanding of Iran’s strategic doctrine. The regime has consistently used its cyber capabilities to retaliate for events it perceives as acts of aggression, including the assassination of General Qassim Soleimani and the imposition of crippling economic sanctions.[4] For Iran, cyber retaliation is a primary tool for projecting power, signaling resolve, and imposing costs on its adversaries without crossing the threshold into conventional warfare.[20]

4.2. Likely Retaliatory Scenarios against US and Canadian Critical Infrastructure

In the event of a major escalation, Iran’s cyber retaliation would likely follow a calibrated ladder of responses, designed to match the perceived severity of the kinetic action. The following scenarios, ranging from high-likelihood harassment to high-impact destructive attacks, outline the potential threat landscape for U.S. and Canadian critical infrastructure.

  • Scenario 1: Low-Level Harassment and Influence Operations (High Likelihood): In response to any notable U.S. military action, a wave of low-level cyber activity is highly probable. This would primarily be conducted by pro-Iranian hacktivist groups and “faketivist” personas. Activities would include widespread website defacements of government and private sector sites, Distributed Denial-of-Service (DDoS) attacks to disrupt online services, and social media-based influence campaigns designed to spread propaganda, sow discord, and create a sense of chaos.[20]
  • Scenario 2: Disruptive Attacks on “Soft” Critical Infrastructure (High Likelihood): This scenario involves state-directed attacks against what DHS terms “poorly secured” critical infrastructure.[46] The primary targets would be sectors where disruption can cause significant public fear and media attention with relatively low technical sophistication. The late 2023 attacks by the IRGC-affiliated CyberAv3ngers on Israeli-made Unitronics PLCs in U.S. Water and Wastewater Systems (WWS) serve as a direct blueprint for this type of retaliation.[12] Similar attacks could target healthcare facilities, transportation networks, or municipal services in both the U.S. and Canada. The goal is disruption and psychological impact, not necessarily permanent destruction.[20]
  • Scenario 3: Data-Driven Extortion and Destructive Ransomware (Medium Likelihood): As a more forceful response, Iran could leverage its APT groups to conduct ransomware campaigns against critical infrastructure, not purely for financial gain but as an act of statecraft. Such attacks would aim to encrypt systems, disrupt operations for an extended period, and exfiltrate sensitive data for intelligence or public leaking.[20] The healthcare sector, which holds sensitive patient data and has low tolerance for downtime, is a particularly attractive target.[20]
  • Scenario 4: Destructive Wiper Attacks (Lower Likelihood, High Impact): This represents the most severe cyber response. In retaliation for a highly damaging or humiliating kinetic strike (e.g., the successful destruction of a major nuclear or military command site), Iran could choose to deploy destructive wiper malware, such as the SHAPESHIFT or Shamoon variants used by APT33. This would target a high-value critical infrastructure asset in the U.S. or a key ally like Canada, with the intent of causing irreversible data loss, prolonged operational shutdown, and potentially cascading physical consequences.[1] This remains a lower-likelihood scenario due to the high risk of it triggering a massive conventional military response from the U.S.

The strategic logic underpinning these scenarios suggests that Iran’s retaliation will be carefully calibrated. The regime’s asymmetric doctrine is designed to counter superior military force, not to invite an overwhelming response. Therefore, attacks on targets like water systems and hospitals, which generate significant public fear without causing mass casualties, are more probable. They will aim to undermine public confidence and demonstrate reach, likely stopping short of an attack so catastrophic that it would guarantee a massive military reprisal.

4.3. The Blurring Line: Differentiating State-Directed Attacks from State-Sponsored Hacktivism

A key element of Iran’s escalation strategy is the deliberate cultivation of ambiguity. By operating through a network of proxies and front groups, Iran can execute attacks that serve state interests while maintaining a degree of plausible deniability.[20] The case of CyberAv3ngers is the canonical example of this doctrine in action. The group initially presented itself as an independent hacktivist collective motivated by anti-Israel sentiment. However, subsequent forensic analysis by the FBI, CISA, and other international partners led to a formal attribution of the persona to the IRGC.[12]

This reveals a deliberate strategy where state entities provide tools, resources, and direction to groups that are then presented to the world as non-state activists.[20] For network defenders and national security policymakers, this blurring of the lines has a critical implication: the distinction is functionally irrelevant from a defensive standpoint. An attack on critical infrastructure from a “hacktivist” group with clear pro-Iranian messaging, especially one using custom tools or targeting operational technology, must be treated with the same urgency and severity as a direct intrusion by a known APT group. The persona is merely a tool of statecraft designed to complicate attribution and manipulate the information environment.

Defending Critical Infrastructure: A Proactive Framework with Mjolnir Security

5.1. Mapping Threats to Defenses: A Strategic Overview

Defending against persistent, well-resourced, and geopolitically motivated adversaries like Iranian APTs requires a strategic, multi-layered security framework. A reactive, perimeter-focused approach is insufficient. Protection must be proactive, intelligence-led, and deeply integrated into an organization’s operations. The following matrix directly maps the specific threats posed by Iranian APTs, as detailed in this report, to the targeted mitigation services offered by Mjolnir Security, demonstrating a clear path from threat identification to risk reduction.

Table 2: Mjolnir Security Mitigation Matrix for Iranian APT Threats

| Iranian APT Tactic/TTP | Associated Risk | Primary Mjolnir Service | How it Mitigates the Risk |
|---|---|---|---|
| Spear-phishing & Social Engineering (Charming Kitten) [24] | Credential compromise, initial access, malware delivery | Cybersecurity Training & Mjolnir Shield Penetration Testing [54] | Trains employees to recognize and report sophisticated phishing. Simulates real-world Iranian social engineering tactics to test and validate employee awareness and response procedures. |
| Exploitation of Unpatched Vulnerabilities (e.g., ProxyShell, Log4j) [30] | Network breach, ransomware deployment, lateral movement | Vulnerability Assessment & SOCaaS [54] | Systematically identifies and prioritizes critical, internet-facing vulnerabilities for patching. Provides 24/7 monitoring for exploitation attempts against known and unknown weaknesses. |
| Password Spraying & Credential Theft (APT33) [20] | Unauthorized account access, privilege escalation | Dark Web Threat Intelligence & SOCaaS [54] | Proactively discovers compromised employee credentials on the dark web before they can be used in attacks. Detects and alerts on brute-force attempts and anomalous login patterns in real-time. |
| Stealthy C2 & Data Exfiltration (e.g., DNS Tunneling by APT34) [34] | Undetected long-term persistence, covert data theft | Threat Hunting as a Service (THaaS) [54] | Proactively hunts for behavioral indicators and anomalies (e.g., unusual DNS traffic patterns) that evade signature-based tools, uncovering hidden APT communications channels. |
| Destructive Wiper Malware & OT Attacks (APT33, CyberAv3ngers) [12] | Irreversible data loss, operational shutdown, physical disruption | Incident Response & Digital Forensics (DFIR) [54] | Rapidly contains the attack to limit damage, preserves critical evidence for attribution and legal action, and provides expert guidance for safe recovery and system restoration. |
| Use of “Living off the Land” & Legitimate Tools [52] | Evasion of traditional antivirus and detection tools | SOCaaS with Behavioral Analytics & THaaS [54] | Monitors for anomalous use of legitimate system tools (e.g., PowerShell, WMI) and proactively hunts for TTPs associated with fileless malware and dual-use tools. |

5.2. Countering Infiltration and Deception with Intelligence and Training

The initial access phase is the most critical to defend, as it relies heavily on exploiting human behavior and technical vulnerabilities. Mjolnir Security provides services specifically designed to harden this frontline.

  • Dark Web Threat Intelligence: Iranian actors frequently use brute-force methods like password spraying with credentials stolen from previous third-party breaches.[20] Mjolnir’s intelligence service proactively monitors dark web marketplaces and forums to discover if an organization’s credentials are for sale, allowing for password resets and account lockouts before they can be weaponized.[54]
  • Cybersecurity Training: The primary attack vector for groups like Charming Kitten is sophisticated social engineering.[24] Mjolnir’s training programs are tailored to counter these specific threats, educating employees to identify personalized phishing lures, verify suspicious requests, and report potential incidents, transforming the workforce from a vulnerability into a line of defense.[54]
  • Mjolnir Shield Penetration Testing: To validate these defenses, Mjolnir’s Red Team and social engineering assessments simulate the exact TTPs used by Iranian APTs. By attempting to trick employees and exploit systems in a controlled manner, these tests provide invaluable, real-world data on the effectiveness of existing security controls and awareness levels, allowing for targeted improvements.[54]

5.3. Detecting and Responding to Intrusions with 24/7 Operations

Should an attacker bypass initial defenses, the ability to rapidly detect and respond is paramount. Mjolnir’s operational services are built to counter adversaries who are already inside the network.

  • Security Operations Center as a Service (SOCaaS): APTs operate across all time zones and often act during a target’s off-hours. A 24/7 SOC is non-negotiable. Mjolnir’s SOC provides continuous monitoring of network, endpoint, and cloud environments, correlating alerts with up-to-the-minute threat intelligence on Iranian IOCs and TTPs. This allows for the detection of anomalous activity—such as the use of Mimikatz for credential dumping or unusual PowerShell execution—that signals an active intrusion [52].
  • Threat Hunting as a Service (THaaS): Iranian APTs, particularly APT34, are known for “living off the land” and using stealthy techniques like DNS tunneling that evade traditional signature-based detection [36]. Mjolnir’s THaaS provides expert, human-led hunting expeditions into a client’s network. These analysts proactively search for the subtle behavioral anomalies and faint signals indicative of a persistent adversary, based on hypotheses derived from threat intelligence, to uncover threats that automated systems miss [54].
  • Digital Forensics & Incident Response (DFIR): In the event of a high-impact incident, such as a disruptive attack by a group like CyberAv3ngers or a ransomware deployment, Mjolnir’s DFIR team is activated. They provide rapid containment to stop the threat from spreading, conduct deep forensic analysis to understand the attacker’s methods and the full scope of the compromise, preserve evidence for law enforcement engagement, and guide the organization through a safe and structured recovery process to minimize operational impact [54].
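DNS tunneling of the kind attributed to APT34 above does not match a signature, but it does leave statistical traces in resolver logs: a client that sends many unique, long, high-entropy subdomains under one registered domain, often as TXT queries. The hunting heuristic below is an added example written for this article, not Mjolnir’s or APT34’s code; the log format, the client addresses, the domain `update-check.example` (a reserved-TLD name invented here) and the thresholds are all constructed. It treats the last two labels as the registered domain, which is an explicit simplification; production code should consult the Public Suffix List.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver query logs (not real data): "<ts> <client> <qname> <qtype>".
# 10.0.0.12 browses normally, including a CDN with several short hostnames;
# 10.0.0.31 issues long, high-entropy labels under update-check.example, the
# shape of traffic that DNS tunnels produce.
SAMPLE_DNS_LOG = """\
2025-06-24T10:00:00Z 10.0.0.12 www.example.com A
2025-06-24T10:00:01Z 10.0.0.12 mail.example.com A
2025-06-24T10:00:02Z 10.0.0.12 a1.cdn.example.net A
2025-06-24T10:00:03Z 10.0.0.12 a2.cdn.example.net A
2025-06-24T10:00:04Z 10.0.0.12 a3.cdn.example.net A
2025-06-24T10:00:05Z 10.0.0.12 a4.cdn.example.net A
2025-06-24T10:00:06Z 10.0.0.12 a5.cdn.example.net A
2025-06-24T10:00:07Z 10.0.0.31 6a7b3c9d0e1f2a4b5c6d7e8f9a0b1c2d.t1.update-check.example TXT
2025-06-24T10:00:08Z 10.0.0.31 e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8.t2.update-check.example TXT
2025-06-24T10:00:09Z 10.0.0.31 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t3.update-check.example A
2025-06-24T10:00:10Z 10.0.0.31 9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d.t4.update-check.example TXT
2025-06-24T10:00:11Z 10.0.0.31 c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9.t5.update-check.example A
2025-06-24T10:00:12Z 10.0.0.31 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.t6.update-check.example TXT
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (subdomain, registered_domain).

    Assumption made for this example: the registered domain is the last two
    labels. Real deployments must use the Public Suffix List (co.uk etc.).
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def dns_tunnel_candidates(text, min_unique=5, min_avg_len=20.0, min_avg_entropy=3.5):
    """Score each (client, registered domain) pair and return the suspicious ones.

    A pair is reported when the client used at least `min_unique` distinct
    subdomains AND those subdomains are on average either long or high-entropy.
    The unique-count gate keeps a busy but ordinary site (many short, readable
    hostnames) from being flagged.
    """
    stats = defaultdict(lambda: {"subdomains": set(), "queries": 0, "txt": 0})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, qname, qtype = parts
        sub, reg = split_name(qname)
        entry = stats[(client, reg)]
        entry["queries"] += 1
        if qtype.upper() in ("TXT", "NULL"):
            entry["txt"] += 1
        if sub:
            entry["subdomains"].add(sub)

    findings = {}
    for key, entry in stats.items():
        subs = entry["subdomains"]
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_avg_len or avg_entropy >= min_avg_entropy:
            findings[key] = {
                "unique_subdomains": len(subs),
                "queries": entry["queries"],
                "txt_queries": entry["txt"],
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
            }
    return findings


if __name__ == "__main__":
    for (client, domain), info in dns_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(client, domain, info)
```

Legitimate services (content delivery, anti-spam lookups, some EDR agents) also generate long machine-made labels, so the output is a hunting lead to be triaged against an allow list of known domains, not an alert on its own.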

5.4. Hardening the Infrastructure and Strategy

Long-term resilience requires a strategic approach to reducing the attack surface and maturing the overall security program.

  • Vulnerability Assessment: Iranian actors are opportunistic, consistently exploiting known, unpatched vulnerabilities in internet-facing systems like Microsoft Exchange and Fortinet VPNs [52]. Mjolnir’s vulnerability assessment services provide a systematic and continuous process to identify, prioritize, and manage these weaknesses before they can be exploited [54].
  • Cloud Security Assessment: As APTs increasingly leverage cloud platforms for C2 and data exfiltration, securing these environments is critical [14]. Mjolnir assesses the configuration and security posture of client cloud environments like Microsoft 365 to close security gaps, enforce proper access controls, and monitor for malicious activity.
  • Virtual CISO (vCISO): For organizations in critical sectors, cybersecurity is a board-level concern. Mjolnir’s vCISO service provides executive-level strategic guidance, helping leadership align security investments with the specific threat landscape posed by Iran, develop robust incident response playbooks tailored to APT scenarios, and ensure adherence to the complex regulatory and compliance standards governing critical infrastructure [54].

Navigating the Persistent Threat

The Islamic Republic of Iran has cultivated a mature, capable, and highly motivated cyber program that serves as a core component of its national security strategy. Its APT groups are not merely cybercriminals; they are instruments of statecraft, driven by a geopolitical doctrine of asymmetric retaliation and ideological conviction. The threat they pose to U.S. and Canadian critical infrastructure is direct, persistent, and demonstrably escalating in sophistication and boldness. Actors like Charming Kitten, APT33, and APT34 have proven their ability to compromise sensitive networks, steal data, and, most alarmingly, disrupt the physical operations of vital services.

Current geopolitical flashpoints have created a tinderbox environment where any significant kinetic military action against Iran will almost certainly be met with a cyber response. This retaliation will likely be calibrated to inflict maximum psychological and disruptive impact on civilian-facing infrastructure—such as water, healthcare, and energy systems—while attempting to remain below the threshold that would trigger a massive conventional military reprisal. The use of “faketivist” personas and other obfuscation techniques further complicates the threat landscape, requiring defenders to treat all ideologically aligned attacks with the utmost seriousness.

In this high-stakes environment, a passive or purely reactive security posture is a recipe for failure. Defending against the Iranian cyber threat demands a paradigm shift toward a proactive, intelligence-led, and multi-layered strategy. Organizations must combine robust technical controls with a deep understanding of the adversary’s culture, motivations, and TTPs. Achieving this level of resilience requires a partnership with a security provider that possesses the advanced technology, global threat visibility, and expert human analysis to counter a nation-state threat. Mjolnir Security provides this comprehensive framework, enabling critical infrastructure organizations to move beyond mere defense and build a security posture capable of anticipating, detecting, and neutralizing the persistent threat from Iran’s cyber forces.

Appendix A: Consolidated MITRE ATT&CK TTPs

Table 3: Detailed MITRE ATT&CK TTPs for Key Iranian APT Groups

| Tactic | Technique ID | Technique Name | Use by Charming Kitten (APT35/42) | Use by APT33 (Elfin) | Use by APT34 (OilRig) |
|---|---|---|---|---|---|
| Reconnaissance | T1592 | Gather Victim Host Information | Gathers extensive OSINT to map organizations and identify key individuals to target. [14] | Targets specific individuals within aerospace and defense sectors based on their roles. [15] | Employs OSINT via LinkedIn harvesting and corporate email pattern analysis to map targets. [35] |
| Resource Development | T1585 | Establish Accounts | Creates fake email and social media accounts to build personas for social engineering. [38] | Registers domains impersonating legitimate aerospace and defense companies like Boeing and Northrop Grumman. [31] | Establishes fake VPN portals and job application websites to lure victims. [36] |
| Initial Access | T1566.002 | Spearphishing Link | Core TTP. Sends highly personalized emails with links to credential harvesting sites disguised as Google Drive, news articles, or password resets. [14] | Sends spearphishing emails with links to malicious HTML Application (.hta) files, often with job-themed lures. [31] | Uses spearphishing links sent via email and LinkedIn messages, often as part of supply chain attacks. [18] |
| Initial Access | T1190 | Exploit Public-Facing Application | Exploits N-day vulnerabilities like Log4Shell and ProxyShell to gain initial access to unpatched servers. [30] | Exploits known vulnerabilities in software like WinRAR (CVE-2018-20250) to achieve remote code execution. [33] | Exploits vulnerabilities in Microsoft Office (e.g., CVE-2017-11882) via malicious document attachments. [40] |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Uses PowerShell-based backdoors like PowerLess for post-exploitation activities. [30] | Utilizes PowerShell to download files from C2 servers and execute various malicious scripts. [33] | Core TTP. Extensively uses PowerShell for execution, persistence, and C2 via custom backdoors like HELMINTH and QUADAGENT. [34] |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Modifies registry keys to maintain persistence for its backdoors. [38] | Deploys tools like DarkComet to the Startup folder and uses Registry Run Keys for persistence. [33] | Modifies registry for autostart execution to maintain persistence for its malware. [34] |
| Persistence | T1053.005 | Scheduled Task/Job | Creates scheduled tasks to ensure its malware runs periodically. [38] | Creates scheduled tasks to execute malicious VBScript files for persistence. [33] | Creates scheduled tasks to run VBScripts that execute payloads like BONDUPDATER. [36] |
| Privilege Escalation | T1003.001 | OS Credential Dumping: LSASS Memory | Uses publicly available tools to dump credentials from memory. [14] | Uses tools like Mimikatz, LaZagne, and ProcDump to dump credentials from LSASS memory. [33] | Uses tools like Mimikatz and LaZagne to dump credentials from LSASS. [36] |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Stages payloads masquerading as legitimate applications like VPN installers. [38] | N/A in provided data. | Names malware to mimic legitimate system executables (e.g., Adobe.exe) to blend in with normal system activity. [36] |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Uses custom malware to steal saved credentials and session cookies from web browsers. [29] | Uses tools like LaZagne to steal credentials stored in web browsers. [33] | Uses tools like PICKPOCKET, CDumper, and EDumper to steal credentials and cookies from various web browsers. [36] |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | N/A in provided data. | N/A in provided data. | Uses RDP for lateral movement, often tunneling the traffic through other protocols like SSH to evade detection. [36] |
| Command and Control | T1102 | Web Service | Uses legitimate web services like Dropbox and Google Drive for C2 and to stage payloads. [14] | Uses HTTP over non-standard ports (808, 880) for C2 communication. [33] | Uses HTTP for C2, but is most known for its use of DNS tunneling. |
| Command and Control | T1572 | Protocol Tunneling | N/A in provided data. | N/A in provided data. | Hallmark TTP. Uses DNS tunneling extensively to conceal C2 communications within legitimate-looking DNS traffic, making it very difficult to detect. [34] |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | N/A in provided data. | Uses FTP to exfiltrate stolen files, separate from its primary C2 channel. [33] | Exfiltrates data over protocols like FTP and through compromised Exchange Web Services, separate from its primary C2. [36] |
| Impact | T1486 | Data Encrypted for Impact | Has been linked to ransomware operations like Memento, which encrypts data for extortion. [30] | Associated with destructive wiper malware like SHAPESHIFT that destroys data by overwriting the MBR. [31] | Linked to destructive attacks using wiper malware like ZeroCleare, which performs disk wiping and data destruction. [34] |

Appendix B: Known Indicators of Compromise (IOCs)

This appendix provides a non-exhaustive list of IOCs associated with the discussed Iranian APT groups. Network defenders should use these indicators to hunt for malicious activity within their environments.

Charming Kitten (APT35/Phosphorus)

  • IP Addresses [30]:
    • 209.51[.54]
    • 243.108[.14]
    • 83.97.73[.]198 (Data exfiltration endpoint)
    • 108.181.182[.]143 (Data exfiltration endpoint)
    • 104.226.39[.]18 (C2 endpoint)
    • 103.253.40[.]87 (C2 endpoint)
  • Domains [29]:
    • *.relay.splashtop[.]com (C2 & data exfiltration endpoint)
    • review[.]modification-check[.]online (Credential harvesting)
    • nterview[.]site (Credential harvesting)
    • admin-stable-right[.]top (Credential harvesting)

APT33 (Elfin/Refined Kitten)

  • IP Addresses [52]:
    • 91.214.124[.]143 (Associated with Iranian government cyber activity)
    • 162.55.137[.]20 (Associated with Iranian government cyber activity)
    • 154.16.192[.]70 (Associated with Iranian government cyber activity)
  • Domains [31]:
    • Domains impersonating Boeing, Alsalam Aircraft Company, Northrop Grumman, and Vinnell.

APT34 (OilRig)

  • Malicious File Names / Scheduled Tasks [64]:
    • SynchronizeTimeZone
    • GoogleChangeManagement
    • MicrosoftOutLookUpdater
    • MicrosoftOutLookUpdateSchedule

General Iranian APT Activity

  • Tools to look for in unexpected locations [52]:
    • WinRAR.exe
    • FileZilla.exe
  • Vulnerabilities Actively Exploited [52]:
    • CVE-2021-34473 (Microsoft Exchange ProxyShell)
    • CVE-2018-13379 (Fortinet FortiOS)
    • CVE-2020-12812 (Fortinet FortiOS)
    • CVE-2019-5591 (Fortinet FortiOS)
    • CVE-2021-44228 (Log4Shell) [53]
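The indicators in this appendix are published defanged (`[.]` for `.`), so the first step in hunting with them is to refang them and match them as whole tokens, not substrings, against proxy, DNS and endpoint logs. The script below is an added example written for this article, not Mjolnir’s tooling; it takes the complete IP, domain and scheduled-task indicators listed above (the two truncated Charming Kitten IP entries are left out because they cannot be refanged unambiguously), and the log lines, client addresses and hostnames it is run against are constructed for illustration. The `*.relay.splashtop[.]com` wildcard is handled as a suffix match; because Splashtop is a legitimate remote-access product, a hit on that entry means confirming that the use is sanctioned rather than assuming compromise.

```python
import re

# Indicators copied from Appendix B, defanged exactly as published there.
DEFANGED_IOCS = {
    "ip": [
        "83.97.73[.]198", "108.181.182[.]143", "104.226.39[.]18", "103.253.40[.]87",
        "91.214.124[.]143", "162.55.137[.]20", "154.16.192[.]70",
    ],
    "domain": [
        "*.relay.splashtop[.]com", "review[.]modification-check[.]online",
        "nterview[.]site", "admin-stable-right[.]top",
    ],
    "task": [
        "SynchronizeTimeZone", "GoogleChangeManagement",
        "MicrosoftOutLookUpdater", "MicrosoftOutLookUpdateSchedule",
    ],
}

# Constructed log lines (not real traffic). Internal hosts use RFC 1918 space,
# the benign external address is from an RFC 5737 documentation range, and the
# last line is a near-miss (104.226.39.181) that a substring search would
# wrongly match against 104.226.39[.]18.
SAMPLE_LOG = """\
2025-06-24T12:00:01Z proxy client=10.0.0.5 dst=83.97.73.198:443 host=- bytes=5120000
2025-06-24T12:00:02Z dns client=10.0.0.9 qname=nterview.site
2025-06-24T12:00:03Z dns client=10.0.0.9 qname=eu1.relay.splashtop.com
2025-06-24T12:00:04Z task host=WS-017 event=TaskCreated name=MicrosoftOutLookUpdater
2025-06-24T12:00:05Z proxy client=10.0.0.7 dst=192.0.2.10:443 host=www.example.com bytes=900
2025-06-24T12:00:06Z proxy client=10.0.0.7 dst=104.226.39.181:443 host=- bytes=300
"""


def refang(ioc):
    """Turn a published, defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http").lower()


def build_matcher(defanged):
    """Pre-compute lookup sets: exact IPs, exact domains, wildcard suffixes, task names."""
    ips = {refang(x) for x in defanged["ip"]}
    exact_domains, suffixes = set(), set()
    for d in defanged["domain"]:
        d = refang(d)
        if d.startswith("*."):
            suffixes.add(d[1:])  # "*.relay.splashtop.com" -> ".relay.splashtop.com"
        else:
            exact_domains.add(d)
    tasks = {t.lower() for t in defanged["task"]}
    return ips, exact_domains, suffixes, tasks


# Split log lines into tokens on whitespace and common key/value separators so
# that "dst=83.97.73.198:443" yields the address as one whole token.
TOKEN_SPLIT = re.compile(r"[\s=:,;\"']+")


def match_iocs(text, defanged=DEFANGED_IOCS):
    """Return [(line_number, category, matched_token)] for every IOC hit in text."""
    ips, exact_domains, suffixes, tasks = build_matcher(defanged)
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tok in TOKEN_SPLIT.split(line):
            t = tok.lower()
            if t in ips:
                hits.append((lineno, "ip", tok))
            elif t in exact_domains or any(t.endswith(s) for s in suffixes):
                hits.append((lineno, "domain", tok))
            elif t in tasks:
                hits.append((lineno, "task", tok))
    return hits


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG):
        print(hit)
```

Whole-token matching is what keeps the near-miss address on the last sample line from producing a false positive; the same discipline applies when these indicators are loaded into a SIEM, where a plain substring rule on `104.226.39.18` would also fire on unrelated addresses.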

References

Works cited

  1. Iran’s cyber capabilities and hackers – German Lawyer Ferner, accessed June 24, 2025, https://www.ferner-alsdorf.com/irans-cyber-capabilities-and-hackers/
  2. Since Stuxnet: A Brief History of Critical Infrastructure Attacks – Forescout, accessed June 24, 2025, https://www.forescout.com/blog/since-stuxnet-a-brief-history-of-critical-infrastructure-attacks/
  3. 10. Iran – The International Institute for Strategic Studies, accessed June 24, 2025, https://www.iiss.org/globalassets/media-library---content--migration/files/research-papers/cyber-power-report/cyber-capabilities-and-national-power---iran.pdf
  4. Iran’s Activity in Cyberspace: Identifying Patterns and Understanding the Strategy – INSS, accessed June 24, 2025, https://www.inss.org.il/wp-content/uploads/2020/03/Cyber4.1ENG_e-23-42.pdf
  5. The Iranian Cyber Threat – INSS, accessed June 24, 2025, https://www.inss.org.il/wp-content/uploads/2024/02/Memo230_IranianCyberThreat_ENG_digital.pdf
  6. Iranian cyber-activities in the context of regional rivalries and international tensions – CSS/ETH Zürich, accessed June 24, 2025, https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/20190507_MB_HS_IRN%20V1_rev.pdf
  7. The Iranian Cyber Threat Structure | UANI, accessed June 24, 2025, https://www.unitedagainstnucleariran.com/iranian-cyber-threat-structure
  8. Strategic Culture and State Behaviour in Cyberspace – DUO, accessed June 24, 2025, https://www.duo.uio.no/bitstream/handle/10852/96599/1/STV4992-Master-s-Thesis-Knut-Joachim-Tander–Berglyd-Spring-2022.pdf
  9. IRGC Cyber-Warfare Capabilities Giacomo Spadoni – International Institute for Counter-Terrorism, accessed June 24, 2025, https://ict.org.il/UserFiles/IRGC%20Cyber-Warfare%20Capabilities.pdf
  10. Iran is using its cyber capabilities to kidnap its foes in the real world – Atlantic Council, accessed June 24, 2025, https://www.atlanticcouncil.org/blogs/iransource/iran-cyber-warfare-kidnappings/
  11. Iran Cyber Threat Overview – Sekoia.io Blog, accessed June 24, 2025, https://blog.sekoia.io/iran-cyber-threat-overview/
  12. IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors … – CISA, accessed June 24, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
  13. Treasury Designates Iranian Cyber Actors Targeting U.S. Companies and Government Agencies, accessed June 24, 2025, https://home.treasury.gov/news/press-releases/jy2292
  14. Dark Web Profile: APT35 – SOCRadar® Cyber Intelligence Inc., accessed June 24, 2025, https://socradar.io/apt-profile-who-is-phosphorus/
  15. Who is Refined Kitten (APT33)? | Adversary Profile | CrowdStrike, accessed June 24, 2025, https://www.crowdstrike.com/en-us/blog/who-is-refined-kitten/
  16. Inside the Shadows: Understanding Active Iranian APT Groups – Picus Security, accessed June 24, 2025, https://www.picussecurity.com/resource/blog/understanding-active-iranian-apt-groups
  17. APT42: Crooked Charms, Cons, and Compromises | Google Cloud Blog, accessed June 24, 2025, https://cloud.google.com/blog/topics/threat-intelligence/apt42-charms-cons-compromises
  18. Inside APT34 (OilRig): Tools, Techniques, and Global Cyber Threats – Trustwave, accessed June 24, 2025, https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/inside-apt34-oilrig-tools-techniques-and-global-cyber-threats/
  19. Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks, accessed June 24, 2025, https://www.cybercom.mil/Media/News/Article/2945592/iranian-government-sponsored-actors-conduct-cyber-operations-against-global-gov/
  20. Feds Warn Healthcare Sector of Rising Iranian Cyberthreats, accessed June 24, 2025, https://www.govinfosecurity.com/feds-warn-healthcare-sector-rising-iranian-cyberthreats-a-28804
  21. Artificial Intelligence Is Accelerating Iranian Cyber Operations – Lawfare, accessed June 24, 2025, https://www.lawfaremedia.org/article/artificial-intelligence-is-accelerating-iranian-cyber-operations
  22. Hacker destroys Iranian cyber-espionage data; leaks source code of APT34’s hacking tools on Telegram – Packt, accessed June 24, 2025, https://www.packtpub.com/sa-us/learning/tech-news/hacker-destroys-iranian-cyber-espionage-data-leaks-source-code-of-apt34s-hacking-tools-on-telegram?fallbackPlaceholder=sa-nz%2Flearning%2Ftech-news%2Fhacker-destroys-iranian-cyber-espionage-data-leaks-source-code-of-apt34s-hacking-tools-on-telegram
  23. Canadian Centre for Cyber Security warns of sophisticated Iranian social engineering campaigns – Canada.ca, accessed June 24, 2025, https://www.canada.ca/en/communications-security/news/2024/12/canadian-centre-for-cyber-security-warns-of-sophisticated-iranian-social-engineering-campaigns.html
  24. Targeted manipulation: Iran’s social engineering and spear phishing campaigns, accessed June 24, 2025, https://www.cyber.gc.ca/en/guidance/targeted-manipulation-irans-social-engineering-and-spear-phishing-campaigns
  25. Iran’s Cyber Threat: Espionage, Sabotage, and Revenge, accessed June 24, 2025, https://carnegieendowment.org/research/2018/01/irans-cyber-threat-espionage-sabotage-and-revenge?lang=en
  26. Charming Kitten – Wikipedia, accessed June 24, 2025, https://en.wikipedia.org/wiki/Charming_Kitten
  27. Actor profile – Charming Kitten/APT35 – Highlights – Hunt & Hackett, accessed June 24, 2025, https://www.huntandhackett.com/threats/actors/charming-kitten
  28. Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets, accessed June 24, 2025, https://www.clearskysec.com/charmingkitten/
  29. Uncharmed: Untangling Iran’s APT42 Operations | Google Cloud Blog, accessed June 24, 2025, https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
  30. An In-Depth Look at APT35 aka Charming Kitten – Avertium, accessed June 24, 2025, https://www.avertium.com/resources/threat-reports/in-depth-look-at-apt35-aka-charming-kitten
  31. Elfin Team – Wikipedia, accessed June 24, 2025, https://en.wikipedia.org/wiki/Elfin_Team
  32. APT33 – Bugcrowd, accessed June 24, 2025, https://www.bugcrowd.com/glossary/apt33/
  33. APT33, HOLMIUM, Elfin, Peach Sandstorm, Group G0064 | MITRE ATT&CK®, accessed June 24, 2025, https://attack.mitre.org/groups/G0064/
  34. Dark Web Profile: OilRig (APT34) – SOCRadar® Cyber Intelligence Inc., accessed June 24, 2025, https://socradar.io/dark-web-profile-oilrig-apt34/
  35. (PDF) OILRIG (APT34) Advanced Persistent Threat Analysis – ResearchGate, accessed June 24, 2025, https://www.researchgate.net/publication/388220746_OILRIG_APT34_Advanced_Persistent_Threat_Analysis
  36. OilRig, COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive …, accessed June 24, 2025, https://attack.mitre.org/groups/G0049/
  37. System Owner/User Discovery, Technique T1033 – Enterprise | MITRE ATT&CK®, accessed June 24, 2025, https://attack.mitre.org/techniques/T1033/
  38. APT42, Group G1044 – MITRE ATT&CK®, accessed June 24, 2025, https://attack.mitre.org/groups/G1044/
  39. Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society – CISA, accessed June 24, 2025, https://www.cisa.gov/sites/default/files/2024-05/joint-guide-mitigating-cyber-threats-with-limited-resources-guidance-for-civil-society-508c_3.pdf
  40. Iranian APTs: An overview | Middle East Institute, accessed June 24, 2025, https://www.mei.edu/publications/iranian-apts-overview
  41. Iranian hackers ‘tickle’ U.S. and UAE with new backdoor malware – Field Effect, accessed June 24, 2025, https://fieldeffect.com/blog/iranian-hackers-tickle-u.s.-and-uae-with-new-backdoor-malware
  42. Groups | MITRE ATT&CK®, accessed June 24, 2025, https://attack.mitre.org/groups
  43. OilRig Exposed: Unveiling the Tools and Techniques of APT34 – Picus Security, accessed June 24, 2025, https://www.picussecurity.com/resource/blog/oilrig-exposed-tools-techniques-apt34
  44. Picus Threat Library Updated for Document Malware of the OilRig (APT34) Threat Group, accessed June 24, 2025, https://www.picussecurity.com/resource/blog/oilrig-apt
  45. APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations | Cyware, accessed June 24, 2025, https://www.cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
  46. National Terrorism Advisory System Bulletin – June 22, 2025 | Homeland Security, accessed June 24, 2025, https://www.dhs.gov/ntas/advisory/national-terrorism-advisory-system-bulletin-june-22-2025
  47. US Warns of Heightened Risk of Iranian Cyber-Attacks After Military Strikes, accessed June 24, 2025, https://www.infosecurity-magazine.com/news/us-risk-iranian-cyber-attacks/
  48. Escalation in the Middle East: Tracking the Israel–Iran Conflict Across Military and Cyber Domains | Flashpoint, accessed June 24, 2025, https://flashpoint.io/blog/escalation-middle-east-israel-iran-conflict/
  49. The Latest: US claims strikes on Iran’s nuclear sites caused severe damage but full impact unclear, accessed June 24, 2025, https://apnews.com/article/israel-palestinians-iran-war-latest-06-22-2025-7ab46578cb56feecc16f4e4940a46e0a
  50. As US cities heighten security, Iran’s history of reprisal points to murder-for-hire plots, accessed June 24, 2025, https://apnews.com/article/iran-fbi-justice-department-46d6b7dec78dca861a32c901f8e3b307
  51. Retaliation from Iran likely to include cyber attacks, expert says – CBS News, accessed June 24, 2025, https://www.cbsnews.com/pittsburgh/news/iran-missile-retaliation-cyber-attacks/
  52. Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities | CISA, accessed June 24, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a
  53. Iran-backed APT actors utilize CVEs to carry out cyber attacks on critical infrastructure, accessed June 24, 2025, https://www.reversinglabs.com/blog/iran-backed-apt-actors-utilize-cves-to-carry-out-cyber-attacks-on-critical-infrastructure
  54. About Us – Mjolnir Security, accessed June 24, 2025, https://mjolnirsecurity.com/about-us/
  55. Countering Advanced Persistent Threats: Mjolnir Security’s Approach, accessed June 24, 2025, https://mjolnirsecurity.com/countering-advanced-persistent-threats-mjolnir-securitys-approach/
  56. APT Archives – Mjolnir Security, accessed June 24, 2025, https://mjolnirsecurity.com/category/apt/
  57. Cybersecurity Risks Amid Rising Iran–U.S. Tensions – Arctic Wolf, accessed June 24, 2025, https://arcticwolf.com/resources/blog/cybersecurity-risks-amid-rising-iran-u-s-tensions/
  58. Joint cyber security advisory: Iranian cyber actors using brute force to compromise critical infrastructure organizations, accessed June 24, 2025, https://www.cyber.gc.ca/en/news-events/joint-cyber-security-advisory-iranian-cyber-actors-using-brute-force-compromise-critical-infrastructure-organizations
  59. Mjolnir Security | Leading Canadian Cybersecurity Organization Since 2017 | 500+ DFIR Cases – YouTube, accessed June 24, 2025, https://www.youtube.com/watch?v=ZMBgc9lq6K4
  60. Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester | CISA, accessed June 24, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a
  61. The Strategy Guide to Threat Hunting – Securonix, accessed June 24, 2025, https://www.securonix.com/blog/the-strategy-guide-to-threat-hunting/
  62. Threat Hunting – Booz Allen, accessed June 24, 2025, https://www.boozallen.com/expertise/cybersecurity/threat-hunting.html
  63. APT Security: Attack Stages & 6 Ways to Secure Your Network – Cynet, accessed June 24, 2025, https://www.cynet.com/advanced-persistent-threat-apt-attacks/apt-security-warning-signs-and-6-ways-to-secure-your-network/
  64. Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities | Cyber.gov.au, accessed June 24, 2025, https://www.cyber.gov.au/about-us/advisories/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft-exchange-and-fortinet-vulnerabilities-furtherance-malicious-activities
  65. Darktrace Identifies APT35 in Pre-Infected State, accessed June 24, 2025, https://darktrace.com/es/blog/apt35-charming-kitten-discovered-in-a-pre-infected-environment

Written by: Mjolnir Security