Widening the Attack Surface: Iran’s Expanding Cyber Activities in Retaliation to the American-Israeli Campaign

As the Middle East conflict rapidly escalates into a broader regional crisis, Iran’s cyber apparatus has become an active component of the regime’s retaliatory posture, operating alongside conventional military capabilities. This shift follows a prolonged effort to strengthen offensive cyber capacity and transition toward increasingly aggressive operations. In the aftermath of the June 2025 “12 Days War,” Iranian leadership was not deterred; instead, it recalibrated its cyber organizations to function as a dedicated retaliation force in the event of renewed conflict.

In practical terms, since June, Iranian cyber actors have emphasized weaponized data leaks as a strategic tool. Groups such as Handala, linked to the Ministry of Intelligence, have targeted healthcare infrastructure (including the recent Clalit medical data breach) as well as sensitive personal data of political leaders. These operations were not structured as ransomware campaigns and did not involve extortion demands. Their primary objective was psychological impact: to intimidate civilian populations in adversary countries and generate public fear.

At the same time, there has been a notable proliferation of pro-Iranian hacktivist entities since June, including groups such as C.E. Army, DieNet, and Unknowns Cyber Team. While these actors present themselves as independent global hacktivists, evidence suggests they receive funding, tooling, or infrastructure support from Iranian-linked operators, including shared resources and operational coordination.

Long regarded as a strategic instrument of the regime, Iran’s cyber units have, since February 28, aligned closely with the country’s broader wartime doctrine.
The pillars of this doctrine are: “punishing” adversaries by significantly targeting civilian infrastructures, expanding Iran’s attack surface to include European and Gulf states, and maintaining strict digital control over domestic opposition. The bottom line: Iranian APT groups are now operating with near-total operational freedom, no longer restrained by the limitations that previously governed their activity.

zafran.io info@zafran.io

On the ground, following the launch of the Israeli-American campaign on February 28, numerous Iranian-linked groups have issued unverified claims of successful cyber operations: Handala claimed to have hacked Jordanian gas stations, the Saudi oil company Aramco and an Israeli energy exploration company; the so-called Cyber Islamic Resistance asserted it compromised Israeli air defense systems; Iraq’s “Resistance Hub” announced SQL injection activity and PII exposure in US entities; Evil Markhors, an Iranian group specialized in credential harvesting, said it is currently targeting banks’ websites; and other actors reported disruptions to manufacturing and energy distribution networks.

Alongside these likely exaggerated claims by Iranian threat actors, several hacktivist groups worldwide have mobilized in support of Tehran, primarily targeting Israeli and U.S. entities. Although most of these actors are considered relatively unsophisticated, they include groups such as NoName057(16), a Russia-based collective known for conducting geopolitically motivated disruptive DDoS campaigns, including recent attacks against the French postal service and Romania’s national water management agency.
While many of these claims likely serve propaganda purposes and may be exaggerated or false, there is still credible evidence of increased operational activity: an online campaign bringing together known actors, including Handala, the recently emerged Sicarii ransomware group, and the HydraC2 DDoS botnet, has initiated reconnaissance activity consistent with early-stage DDoS preparation; well-known Iranian APTs such as MuddyWater and APT33 are reportedly retooling and scanning critical infrastructure in the energy, water, and financial sectors; the Fatimiyoun Electronic Team, affiliated with Afghan militia networks and reportedly operating under the guidance of IRGC Quds Force Unit 10,000, has been observed attempting to deploy wiper malware against Western financial and energy organizations; and activity by Hydro Kitten, an IRGC group focused on DDoS operations against the financial sector, has also been observed.

At a tactical level, Iranian actors have recently been observed using Starlink IP ranges and compromised Israeli commercial VPN infrastructure to conduct vulnerability scanning against critical sectors, including energy and defense. This does not represent a fundamental shift in modus operandi; rather, it reflects infrastructure adaptation designed to obscure traffic origin and bypass IOC-based detection mechanisms ahead of potential escalation.

In any case, we observe that Iranian actors continue to exploit known vulnerabilities rapidly after public disclosure, alongside other methods. In recent years, FortiOS edge-device vulnerabilities were heavily leveraged, and legacy issues such as ProxyShell and Log4Shell remained targets long after patches were available. The state-linked actor Lemon Sandstorm has also extensively exploited edge-device vulnerabilities across platforms including Check Point, Ivanti, NetScaler, Palo Alto, and F5 BIG-IP, at times in coordination with major ransomware groups.
Given these developments, U.S. corporations must recognize that they are entering a period of heightened cyber risk. Iranian state-sponsored actors have consistently demonstrated both intent and capability to conduct retaliation through persistent, multi-stage campaigns that establish footholds well before visible disruption occurs. The threat extends beyond data theft or temporary outages to include long-term operational degradation, systemic compromise, and reputational harm. Traditional perimeter-based defenses are insufficient against an adversary that is adaptive, patient, and willing to exploit any exposed surface.

Organizations must adopt a proactive, dynamic defense posture. Modern Continuous Threat Exposure Management (CTEM) platforms such as Zafran are critical in this environment. Zafran enables continuous visibility into exposure to Iranian threat groups, identifies exploitable attack paths, prioritizes remediation based on real-world risk, and integrates with existing security tools to mitigate threats before they materialize.

Appendix A – Mitigation recommendations against the Iranian cyber threats

1. Define an “Iranian Tracker” inside your CTEM platform, continuously monitoring your level of exposure to CVEs commonly exploited by Iranian threat groups.
2. Add an “Iranian Exposure Mean Time to Remediate (MTTR)” CTEM metric.
3. Use your CTEM platform to leverage your current security tools and apply detection and protection rules to mitigate CVEs used by Iranian actors.
4. Accelerate edge-device patching: apply firmware and software updates to VPNs, firewalls and ADCs (Ivanti, Fortinet, Citrix, Palo Alto, F5) within 48 hours of release.
5. Issue configuration jobs from your CTEM console that both patch and execute post-upgrade actions: session revocation, credential rotation, logging to remote syslog.
6. Configure external attack-surface scanners to refresh frequently for appliances on the ports most often targeted in Iranian campaigns: 443, 8443, 4500, 8888.
7. Mandate phishing-resistant MFA: require hardware keys or certificate-based authentication for all privileged accounts (VPN, cloud, email, OT gateways).
8. Monitor for credential theft and abuse: alert on newly created domain accounts or sudden role changes.
9. Conduct continuous threat hunting for Iranian IOCs.

Appendix B – Vulnerabilities known to be exploited by Iranian threat groups

● CVE-2024-30088 – Windows Kernel (Win32k) privilege escalation
● CVE-2024-3400 – Palo Alto PAN-OS / GlobalProtect command-injection RCE
● CVE-2024-24919 – Check Point Security Gateway VPN information disclosure
● CVE-2024-21887 – Ivanti Connect Secure command-injection RCE
● CVE-2023-46805 – Ivanti Connect Secure authentication bypass
● CVE-2023-3519 – Citrix NetScaler ADC / Gateway unauthenticated RCE
● CVE-2023-27350 – PaperCut MF/NG pre-auth RCE
● CVE-2023-38831 – WinRAR archive-processing code execution
● CVE-2022-47966 – Zoho ManageEngine pre-auth RCE
● CVE-2022-42475 – Fortinet FortiOS SSL-VPN heap-overflow RCE
● CVE-2022-1388 – F5 BIG-IP iControl REST authentication bypass / RCE
● CVE-2021-34473 – Microsoft Exchange ProxyShell remote code execution
● CVE-2021-34523 – Microsoft Exchange ProxyShell privilege escalation
● CVE-2021-31207 – Microsoft Exchange ProxyShell post-auth RCE
● CVE-2021-44228 – Apache Log4j (Log4Shell) RCE
● CVE-2022-30190 – Microsoft MSDT (Follina) RCE
● CVE-2022-26134 – Atlassian Confluence OGNL-injection RCE
● CVE-2022-47986 – IBM Aspera Faspex remote code execution
● CVE-2020-1472 – Netlogon (ZeroLogon) privilege escalation
● CVE-2019-19781 – Citrix ADC / Gateway directory-traversal RCE
● CVE-2019-11510 – Pulse Secure VPN arbitrary file read
● CVE-2018-13379 – Fortinet SSL-VPN path-traversal RCE
● CVE-2017-11774 – Microsoft Outlook EWS rule-injection RCE
● CVE-2025-53770 – Microsoft SharePoint “ToolShell”
● CVE-2025-55182 – React “React2Shell”
● CVE-2025-9491 – Windows .LNK shortcut vulnerability
● CVE-2026-1731 – BeyondTrust RCE
● CVE-2026-1281 – Ivanti EPMM

Appendix C – Top MITRE TTPs used by Iranian threat groups

● T1566.001 — Spearphishing Attachment
● T1190 — Exploit Public-Facing Application
● T1078 — Valid Accounts
● T1078.004 — Valid Accounts: Cloud Accounts (Azure AD)
● T1059.001 — Command and Scripting Interpreter: PowerShell
● T1071.001 — Application Layer Protocol: Web Protocols
● T1003.001 — OS Credential Dumping: LSASS Memory
● T1087.002 — Account Discovery: Domain Account
● T1047 — Windows Management Instrumentation
● T1053.005 — Scheduled Task/Job: Scheduled Task
● T1105 — Ingress Tool Transfer
● T1589 — Gather Victim Identity Information
● T1110.003 — Password Spraying
● T1133 — External Remote Services
● T1621 — Multi-Factor Authentication Request Generation (MFA Fatigue)
● T1556.006 — Modify Authentication Process: MFA Abuse
● T1098.005 — Account Manipulation: Register New MFA Device
● T1021.001 — Remote Services: Remote Desktop Protocol (RDP)
● T1562.001 — Impair Defenses: Disable or Modify Security Tools
● T1486 — Data Encrypted for Impact
● T1485 — Data Destruction
● T1498 — Network Denial of Service
● T1595 — Active Scanning

Appendix D – Iranian Threat Actors’ Recent IOCs

Indicators are grouped as General, Prince of Persia, Pioneer Kitten and MuddyWater (IP addresses, domains, file paths and file hashes).

Appendix E – Iranian Threat Actors’ Groups and Alias Names

● APT35 – Charming Kitten, Magic Hound, Phosphorus, Mint Sandstorm, COBALT ILLUSION, ITG18, TA453, Newscaster
● APT42 – CALANQUE; overlaps/associated naming seen as TA453 / Mint Sandstorm / Charming Kitten in some reporting (vendor clustering differs)
● APT33 – Elfin, Refined Kitten, HOLMIUM, Peach Sandstorm (and other vendor-specific names)
● APT34 – OilRig, Helix Kitten, Hazel Sandstorm, EUROPIUM, COBALT GYPSY, Crambus, Evasive Serpens, Earth Simnavaz (and others)
● APT39 – Chafer, Remix Kitten, ITG07 (plus additional vendor aliases)
● MuddyWater – Seedworm, TEMP.Zagros, TA450, Mango Sandstorm, Static Kitten, Earth Vetala (and other vendor-specific aliases)
● Fox Kitten – Pioneer Kitten, Parisite, UNC757, RUBIDIUM, Lemon Sandstorm (and self-identifiers like “Br0k3r” / “xplfinder” cited in government reporting)
● Agrius – Pink Sandstorm, AMERICIUM, Agonizing Serpens, BlackShadow, DEV-0022
● Moses Staff – Marigold Sandstorm, DEV-0500, COBALT SAPLING
● CyberAv3ngers – CyberAveng3rs / Cyber Avengers, Soldiers of Solomon
● Handala
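As an added worked example of Appendix A steps 1, 2 and 4 (written for this page, not Zafran’s code or product), the following Python sketch matches a constructed set of vulnerability findings against a subset of the Appendix B CVEs, reports open exposure, computes the “Iranian Exposure MTTR” and flags edge devices that missed the 48-hour patch window; the asset names, dates and the edge-device flags are assumptions.

```python
# Added example (not Zafran's code): a minimal "Iranian Tracker" for Appendix A
# steps 1, 2 and 4. Findings, dates and the edge flags below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Subset of Appendix B; True marks VPN/firewall/ADC products under the 48h rule.
IRANIAN_CVES = {
    "CVE-2024-3400": ("Palo Alto PAN-OS / GlobalProtect", True),
    "CVE-2023-46805": ("Ivanti Connect Secure", True),
    "CVE-2022-42475": ("Fortinet FortiOS SSL-VPN", True),
    "CVE-2021-44228": ("Apache Log4j (Log4Shell)", False),
    "CVE-2020-1472": ("Netlogon (ZeroLogon)", False),
}
EDGE_SLA = timedelta(hours=48)

@dataclass
class Finding:
    asset: str
    cve: str
    patch_released: datetime  # when the vendor fix became available
    detected: datetime  # when the scanner first reported it
    remediated: "datetime | None" = None  # None = still open

def track(findings, now):
    """Return (open findings, MTTR in hours or None, edge-SLA breaches)."""
    tracked = [f for f in findings if f.cve in IRANIAN_CVES]  # step 1: tracker scope
    open_ = [f for f in tracked if f.remediated is None]
    closed = [f for f in tracked if f.remediated is not None]
    # Step 2: mean hours from detection to remediation over closed findings
    mttr = mean((f.remediated - f.detected).total_seconds() / 3600
                for f in closed) if closed else None
    # Step 4: edge devices fixed (or still open) more than 48h after the patch shipped
    breaches = [f for f in tracked if IRANIAN_CVES[f.cve][1]
                and (f.remediated or now) - f.patch_released > EDGE_SLA]
    return open_, mttr, breaches

NOW = datetime(2026, 3, 10, 12)
SAMPLE = [  # constructed findings: asset, cve, patch_released, detected, remediated
    Finding("vpn-gw-01", "CVE-2024-3400", datetime(2026, 3, 1, 9), datetime(2026, 3, 1, 12), datetime(2026, 3, 2, 12)),
    Finding("vpn-gw-02", "CVE-2023-46805", datetime(2026, 3, 1, 9), datetime(2026, 3, 1, 12), datetime(2026, 3, 5, 12)),
    Finding("fw-dmz-01", "CVE-2022-42475", datetime(2026, 3, 2, 9), datetime(2026, 3, 2, 12)),
    Finding("app-srv-07", "CVE-2021-44228", datetime(2026, 3, 2, 9), datetime(2026, 3, 2, 12)),
    Finding("dc-01", "CVE-2020-1472", datetime(2026, 3, 3, 9), datetime(2026, 3, 3, 12), datetime(2026, 3, 4, 12)),
    Finding("web-01", "CVE-0000-0000", datetime(2026, 3, 3, 9), datetime(2026, 3, 3, 12)),  # placeholder id, not tracked
]

def report(findings=SAMPLE, now=NOW):
    open_, mttr, breaches = track(findings, now)
    return {"open": sorted(f.asset for f in open_), "mttr_hours": mttr, "sla_breaches": sorted(f.asset for f in breaches)}
```

With the constructed sample, `report()` lists two open tracked findings, an MTTR of 48 hours, and two edge devices outside the 48-hour window (one patched late, one still open).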