Tag: Middle East cyberwar 2026

  • Digital Phantoms: Unmasking the Iranian Cyber Syndicates Fueling the 2026 Middle East Conflict

    Cyberspace has long served as a collateral theater of war within the Middle Eastern conflict. Amidst the latest escalation surrounding Iran, the vanguard at Check Point Research has illuminated the myriad Iranian syndicates currently navigating the digital ether and the sophisticated methodologies they employ.

    According to the firm’s intelligence, a labyrinthine ecosystem of hacker enclaves has coalesced around the nation’s state apparatus. A faction operates under the aegis of the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), whilst others masquerade beneath the cloak of “hacktivism.” Their campaigns encompass clandestine espionage, kinetic strikes against critical infrastructure, the outright obliteration of data, and psychological information operations—wherein digital breaches are orchestrated in tandem with the public dissemination of purloined materials and the mass proliferation of propagandist missives.

    Prominent among these actors is the syndicate known as Cotton Sandstorm, alternatively recognized by the monikers Emennet Pasargad and MarnanBridge. Their machinations are inextricably tethered to the IRGC. The collective is renowned for orchestrating aggressive influence operations, demonstrating an alarming agility in responding to regional geopolitical tremors. Cotton Sandstorm’s arsenal is formidable, encompassing the defacement of digital domains, crippling DDoS bombardments, the usurpation of both email and user credentials, the systematic exfiltration of data, and the weaponization of subsequent leaks. These illicit spoils are subsequently propagated via fabricated personas and elaborate masquerades.

    In recent years, their theater of operations has transcended the borders of Israel. Analysts highlight a brazen episode wherein the syndicate compromised an American IPTV streaming service, maliciously co-opting the platform to broadcast AI-generated communiqués concerning the Gaza conflict to an unsuspecting audience in the United Arab Emirates. Furthermore, the collective has relentlessly besieged Bahraini state infrastructure, augmenting these digital strikes with fervent anti-monarchist propaganda.

    In its most recent offensives, Cotton Sandstorm has weaponized the WezRat malware. This insidious contagion proliferates via phishing epistles, deceptively masquerading as urgent software patches. WezRat plunders user credentials and facilitates the clandestine deployment of supplementary armaments. In specific instances, following a successful breach, these malefactors unleashed the WhiteLock ransomware against Israeli institutions. Merely a day following the genesis of the current escalation, the syndicate resurrected the dormant digital persona of the “Altoufan Team,” utilizing this revived moniker to broadcast declarations of impending assaults upon Bahraini targets.

    Another formidable enclave is identified by analysts as Educated Manticore. This collective is deeply intertwined with the intelligence apparatus of the IRGC, its operations frequently intersecting with the machinations of APT35 and APT42, colloquially known as Charming Kitten.

    Their primary stratagem is meticulously predicated upon the cultivation of personal trust. The adversaries impersonate acquaintances or colleagues, fastidiously initiating dialogues with journalists, academics, analysts, and other prominent public figures. Their crosshairs are fixed upon individuals harboring access to sensitive internal correspondences, classified documents, and high-value contacts. Once rapport is established, the quarry is lured toward sophisticated phishing portals meticulously mimicking WhatsApp, Microsoft Teams, or Google Meet. Through these deceptive facades, the assailants siphon passwords and session tokens, thereby securing unfettered access to email repositories and confidential archives. In certain operations, these techniques even permit the geographical tracking of the victim. Recent campaigns have ensnared activists and a constellation of luminaries across the Middle East and the United States.

    The syndicate dubbed MuddyWater is definitively linked by experts to Iran’s Ministry of Intelligence and Security. Over its operational tenure, this cadre has executed a multitude of espionage operations targeting governmental apparatuses, telecommunications conglomerates, the energy sector, and corporate enterprises across the Middle East. The group routinely infiltrates conventional corporate networks, establishing protracted, deep-seated persistence within the infrastructure to silently harvest intelligence. To secure this access, the assailants frequently exploit legitimate remote monitoring and management (RMM) utilities, seamlessly distributed via orthodox file-sharing services. Their phishing barrages are known to inundate hundreds of corporate personnel simultaneously.

    When striking at elevated targets, MuddyWater deploys bespoke malicious software and ephemeral tools, characterized by a rapid, evolutionary churn. Nevertheless, their foundational stratagem remains remarkably consistent: the adversaries “live off the land” by co-opting inherent Windows utilities such as PowerShell and WMI. They meticulously purloin credentials to facilitate lateral movement across the network, frequently usurping corporate email domains to launch internal phishing campaigns, thereby masquerading as trusted colleagues.

    Security analysts devote particular scrutiny to the Handala collective, an entity that materialized in late 2023, aggressively posturing as a pro-Palestinian hacktivist vanguard. However, Check Point Research assesses that the Handala persona serves merely as a digital façade for the Void Manticore cluster, an apparatus tethered to the Ministry of Intelligence and Security. The paramount objective of Handala’s campaigns is the infliction of profound psychological duress and catastrophic reputational ruin.

    These malefactors breach vulnerable architectures, exfiltrate sensitive data, and strategically publish these materials at moments calculated to maximize geopolitical distress. While the overwhelming majority of their bombardments are directed at Israeli institutions, their crosshairs occasionally wander to targets in disparate nations. Their most recent campaigns exhibit a distinctly opportunistic tenor. The assailants aggressively probe for vulnerabilities within IT service providers, exploiting these supply chain vulnerabilities as a conduit to compromise downstream clientele. Since January, analysts have also intercepted Handala operations originating from Starlink satellite IP addresses, utilizing this infrastructure to relentlessly scan external applications for configuration anomalies and fragile cryptographic defenses.

    Yet another syndicate, inextricably linked to the Iranian state apparatus, operates under the designation Agrius. This collective has been notorious for its devastatingly destructive incursions within the region since 2020. In the preponderance of their operations, these assailants deploy data-annihilating “wiper” malware, meticulously camouflaging their sabotage as mundane ransomware attacks. The group predominantly initiates its penetrations by exploiting vulnerable, internet-facing web servers.

    Upon successfully breaching the perimeter, the attackers implant an ASPX web shell, subsequently leveraging indigenous system utilities to conduct clandestine reconnaissance and navigate laterally through the network. During the twelve-day conflict betwixt Israel and Iran in June 2025, cybersecurity sentinels detected Agrius infrastructure actively scanning vulnerable closed-circuit television cameras within Israel. Such compromised optical apparatuses could be strategically utilized to monitor the kinetic aftermath of physical bombardments.
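    The two tradecraft patterns described here, a web shell in the IIS worker process running native utilities for reconnaissance (Agrius, above) and the PowerShell/WMI living-off-the-land chains attributed to MuddyWater earlier, share one defensive signal: an unexpected parent-child relationship in process-creation telemetry. The following detection logic is an added example, not Check Point Research tooling; the event format, hostnames, timestamps and the `AAAA` payload stand-in are constructed for illustration.

```python
"""Flag web-shell and living-off-the-land process chains in constructed Windows process-creation events."""
from dataclasses import dataclass
from typing import Optional

IIS_WORKER = "w3wp.exe"      # an ASPX web shell executes inside this IIS worker process
WMI_HOST = "wmiprvse.exe"    # commands launched remotely via WMI appear as its children
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON = {"whoami.exe", "net.exe", "ipconfig.exe", "nltest.exe", "systeminfo.exe", "tasklist.exe"}

@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str   # image name of the parent process
    image: str    # image name of the newly created process
    cmdline: str

def has_encoded_command(cmdline: str) -> bool:
    # PowerShell accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...),
    # so match tokens by prefix instead of looking for one literal flag.
    return any(len(t) >= 2 and "-encodedcommand".startswith(t) for t in cmdline.lower().split())

def classify(ev: ProcEvent) -> Optional[str]:
    parent, image = ev.parent.lower(), ev.image.lower()
    if parent == IIS_WORKER and image in SHELLS | RECON:
        return "webshell_child"          # web shell running OS commands for reconnaissance
    if parent == WMI_HOST and image in SHELLS:
        return "wmi_lateral_exec"        # shell started through WMI, a lateral-movement pattern
    if image in {"powershell.exe", "pwsh.exe"} and has_encoded_command(ev.cmdline):
        return "encoded_powershell"      # obfuscated PowerShell payload
    return None                          # benign w3wp.exe children such as csc.exe fall through here

def detect(events: list) -> list:
    """Return (timestamp, host, finding) for every event that matches a rule."""
    return [(ev.ts, ev.host, label) for ev in events if (label := classify(ev))]

# Constructed sample telemetry (placeholder hosts, times and payload), not real incident data.
SAMPLE_EVENTS = [
    ProcEvent("2026-03-01T08:12:04Z", "web01", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("2026-03-01T08:12:09Z", "web01", "w3wp.exe", "csc.exe", "csc.exe /noconfig /fullpaths"),  # ASP.NET compile, benign
    ProcEvent("2026-03-01T08:30:41Z", "fs02", "wmiprvse.exe", "powershell.exe", "powershell.exe -nop -w hidden -c Get-Process"),
    ProcEvent("2026-03-01T08:31:02Z", "ws17", "explorer.exe", "powershell.exe", "powershell.exe -enc AAAA"),
    ProcEvent("2026-03-01T08:35:15Z", "ws17", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

    Run against the constructed events, `detect` reports three findings and leaves the ASP.NET compiler launch and the interactive `dir` untouched; in production the parent allowlist and recon set need tuning to the web application's legitimate child processes.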

    According to the calculus of Check Point Research, the vast majority of these Iranian syndicates operate upon a remarkably convergent paradigm. These malefactors aggressively weaponize phishing, co-opt legitimate administrative utilities, and ruthlessly exploit vulnerabilities within external-facing services.

    Corporations and governmental entities can meaningfully mitigate the peril of such incursions through unwavering vigilance: meticulously monitoring for anomalous login attempts, rigorously restricting system access, consistently patching internet-facing services, and steadfastly refusing the installation of software from unverified origins. Against the backdrop of the current geopolitical conflagration, the implementation of these rigorous defensive measures provides the crucial foresight necessary to detect an intrusion in its infancy, thereby averting catastrophic consequences.