Iranian Cyber Activity Spikes Amid Regional Conflict


Amid rising geopolitical tensions, Nozomi Networks Labs reported a 133% surge in cyberattacks linked to Iranian threat actors in May-June 2025. The attacks primarily targeted Transportation and Manufacturing sectors. Key Iranian APT groups involved include MuddyWater, APT33, OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice. These campaigns show a shift from espionage to more aggressive, disruptive operations. The attacks align with Iranian state interests and target critical infrastructure.

Severity Level: High

Threat Details

1. Malware Involved:

  • OrpaCrab / IOCONTROL reused by CyberAv3ngers, designed to manipulate OT systems and disrupt industrial operations at the PLC layer.

2. Threat Actor:

  • Six Iranian-linked APTs (MuddyWater, APT33, OilRig, CyberAv3ngers, Fox Kitten, Homeland Justice) have operated in parallel across sectors, with overlapping infrastructure and TTPs.
  • Groups range from espionage-focused (APT33, OilRig) to sabotage-prone (CyberAv3ngers, Homeland Justice), suggesting coordinated escalation matching geopolitical tensions.

3. Campaign Scale:

  • 28 attacks in May–June (vs. 12 in Mar–Apr) reflect a 133% increase, correlating with Iran’s response to escalating regional conflict.

4. Malicious Operation:

  • Cyber Espionage: Stealing confidential data from strategically valuable sectors (energy, aerospace, government).
  • Infrastructure Disruption: Targeting critical infrastructure, especially via destructive campaigns (e.g., Homeland Justice in Albania).
  • Pre-positioning and Persistence: Establishing long-term access for future sabotage (Fox Kitten).
  • Politically Motivated Operations: Attacks aligned with Iran’s geopolitical objectives (e.g., CyberAv3ngers).

5. Infection Mechanism:

  • Spear-Phishing: Most groups (e.g., OilRig, MuddyWater) leverage social engineering emails to deliver malware.
  • Custom Malware Tooling: Groups use tailored malware to bypass defenses and maintain persistence.
  • Zero-Day Exploits: CyberAv3ngers known to exploit previously unknown vulnerabilities.
  • Remote Access Tools (RATs): Used to establish C2 communication and exfiltrate sensitive information.
  • Credential Harvesting & Web Shells: Common in Fox Kitten and APT33 for lateral movement and data access.

6. Infrastructure:

  • Iranian infrastructure reused for staging attacks—actors frequently recycle VPS hosts, domains, and IP ranges across multiple campaigns.
  • Nozomi noted IP reuse by CyberAv3ngers, specifically tied to their past deployment of OT-focused OrpaCrab malware.
  • Shared infrastructure clusters observed across APT groups, indicating centralized coordination or shared resources within Iranian cyber operations.

Recommendations

  1. Disable PowerShell where it is not needed, and block macro execution in documents sourced from the internet.
  2. Identify and disconnect OT and ICS assets from the public internet.
  3. Use Role-Based Access Controls (RBAC) and conditional access policies for cloud service or managed service providers.
  4. Implement phishing-resistant MFA for accessing OT networks from any other network.
  5. Prioritize monitoring user access logs for remote access to the OT network and for implementation of any firmware or configuration changes.
  6. Ensure business continuity and incident response plans are in place for a swift recovery, including implementing full system and data backups to facilitate any recovery efforts.
  7. Consider how exfiltrated data, such as leaked credentials, could be leveraged to conduct further malicious activity against your network, and ensure security mechanisms are in place to reduce the impact of a potential leak.
  8. Apply the manufacturer’s latest software patches for internet-facing systems to ensure protection against known vulnerabilities.
  9. Block IOCs at their respective controls: https://www.virustotal.com/gui/collection/a0a22c30586a1cec1a61078e0aa4619a026a04f2ba332bfa3b169efb4e45abda/iocs
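One way to put recommendation 5 into practice, as an added example that is not from the advisory, Nozomi Networks or CISA: the script below correlates constructed VPN and PLC log lines (the `timestamp kind key=value` format is hypothetical) and labels each firmware or configuration change by whether a remote login into the OT zone by the same user preceded it within an assumed 30-minute window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp kind key=value ..." format;
# real VPN and PLC logs will need their own parser.
SAMPLE_LOGS = """\
2025-06-02T08:01:10Z vpn user=eng01 src=203.0.113.45 action=login zone=OT
2025-06-02T08:04:30Z plc user=eng01 asset=PLC-07 action=config_write
2025-06-02T09:15:00Z vpn user=eng02 src=198.51.100.8 action=login zone=OT
2025-06-02T12:30:00Z plc user=eng02 asset=PLC-03 action=firmware_update
2025-06-02T13:00:00Z vpn user=svc-backup src=10.20.0.9 action=login zone=IT
2025-06-02T13:02:00Z plc user=svc-backup asset=PLC-01 action=config_write
"""

LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<kv>.*)")
CHANGE_ACTIONS = {"config_write", "firmware_update"}
SESSION_WINDOW = timedelta(minutes=30)  # assumed maximum gap between login and change

def parse_line(line):
    """Parse one log line into a dict of key=value fields plus 'kind' and a datetime 'ts'."""
    m = LINE_RE.match(line)
    fields = dict(item.split("=", 1) for item in m["kv"].split())
    fields["kind"] = m["kind"]
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields

def find_plc_changes(log_text, window=SESSION_WINDOW):
    """Return every PLC firmware/config change, labelled by whether the same user
    logged in remotely to the OT zone within `window` before the change."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    ot_logins = [e for e in events
                 if e["kind"] == "vpn" and e["action"] == "login" and e.get("zone") == "OT"]
    findings = []
    for e in events:
        if e["kind"] != "plc" or e["action"] not in CHANGE_ACTIONS:
            continue
        linked = any(lg["user"] == e["user"] and timedelta(0) <= e["ts"] - lg["ts"] <= window
                     for lg in ot_logins)
        findings.append({
            "ts": e["ts"], "user": e["user"], "asset": e["asset"], "action": e["action"],
            # remote_change: a logged remote OT session made the change (review it);
            # no_remote_session: the change arrived by another path (investigate first).
            "label": "remote_change" if linked else "no_remote_session",
        })
    return findings

if __name__ == "__main__":
    for f in find_plc_changes(SAMPLE_LOGS):
        print(f"{f['ts']:%H:%M} {f['user']:<11} {f['asset']} {f['action']:<15} -> {f['label']}")
```

Changes without a matching OT-zone remote session are the ones to chase first, since a segmented OT network (recommendation 2) should leave no other path to the PLC.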

Source:

  • https://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict
  • https://www.cisa.gov/sites/default/files/2025-06/joint-fact-sheet-Iranian-cyber-actors-may-target-vulnerable-US-networks-and-entities-of-interest-508c-1.pdf


Ampcus Cyber