
Sysdig Risk Bulletin: Iranian Cyber Threats

by admin
July 6, 2025
in Cloud Security


Following the June 22, 2025 United States strikes on Iranian nuclear infrastructure, the Sysdig Threat Research Team (TRT) anticipates a spike in cyber activity by Iranian state-sponsored advanced persistent threats (APTs) and pro-Iranian hacktivists, similar to what we observed at the start of the Russia-Ukraine war in February 2022.

In this bulletin, Sysdig TRT provides forward-looking guidance, threat intelligence based on known and anticipated behaviors, and detections for security teams preparing to defend against potential attacks by these groups. We also highlight key state-sponsored Iranian groups previously linked to attacks on cloud and Linux environments, along with the tools and techniques they commonly employ.

  • Enforce MFA on all cloud accounts and enable detections for unusual logins
    • Sysdig's CIEM and Compliance can show cloud accounts that are not protected by MFA, enabling corrective action to be taken.
  • Look for signs of web shells on exposed systems using runtime detections and file analysis
    • The following rules are effective at uncovering web shell activity:
      • Suspicious Command Executed by Web Server (Sysdig Runtime Notable Events)
      • Run shell untrusted (Sysdig Runtime Notable Events)
      • Reverse Shell Detected (Sysdig Runtime Threat Detection)
  • Ensure any exposed appliances (e.g., Ivanti, Netscaler, Pulse Secure …) are patched and have access controls to limit the blast radius
    • Sysdig Risks and Inventory shows systems that are exposed to the Internet and have vulnerabilities
  • Monitor workloads for unauthorized open-source security tool usage
    • Ensure the following are enabled:
      • Offensive Security Tool Detected (Sysdig Runtime Threat Detection)
      • Offensive Security Tool Contacting Cloud Instance Metadata Service (Sysdig Runtime Notable Events)
      • DNS Lookup for Offensive Security Tool Domain Detected (Sysdig Runtime Threat Intelligence)
      • Launch Suspicious Network Tool in Container (Sysdig Runtime Notable Events)
      • Launch Suspicious Network Tool in Host (Sysdig Runtime Notable Events)
  • Detect connections to known tunneling/proxy websites through IP or DNS monitoring
    • Enable the Sysdig Runtime Threat Intelligence policy
  • Verify that backups are working correctly, because common payloads for these groups include ransomware and disk wipers
    • Enable a Malware Detection policy that uses malicious hashes and YARA rules
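As an added example (not part of the Sysdig bulletin or its product rules), the small detector below applies two of the recommendations above to process-execution telemetry: a web server process spawning a shell, which is the behaviour the web shell rules above look for, and the launch of tunneling/proxy tools named later in this bulletin (FRP, ligolo, ngrok, socat, proxychains). The event schema, process names and sample events are constructed for illustration and are not real telemetry.

```python
# Added example, not code from the Sysdig bulletin. Detects (a) a web server parent
# spawning a shell (web shell indicator) and (b) launches of tunneling/proxy tools
# the bulletin associates with Iranian groups. Schema and samples are constructed.
from dataclasses import dataclass

# Typical Linux web server / app server process names (assumption for this example).
WEB_SERVER_PARENTS = {"nginx", "apache2", "httpd", "php-fpm"}
SHELLS = {"sh", "bash", "dash", "zsh"}
# Binary names of tunneling/proxy tools mentioned in the bulletin (assumed names).
TUNNEL_TOOLS = {"frpc", "frps", "ligolo", "ligolo-agent", "ngrok",
                "socat", "proxychains", "proxychains4"}


@dataclass
class ProcEvent:
    host: str
    parent: str   # parent process name
    proc: str     # executed process name
    cmdline: str  # full command line (kept for analyst triage)


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection names that fire for one event (empty if none)."""
    hits = []
    if ev.parent in WEB_SERVER_PARENTS and ev.proc in SHELLS:
        hits.append("Suspicious Command Executed by Web Server")
    if ev.proc in TUNNEL_TOOLS:
        hits.append("Launch Suspicious Network Tool")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Run classify() over a stream of events and return (host, detection) pairs."""
    return [(ev.host, hit) for ev in events for hit in classify(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("web-01", "nginx", "nginx", "nginx: worker process"),
    ProcEvent("web-01", "php-fpm", "sh", "sh -c id;uname -a"),
    ProcEvent("vpn-gw", "sshd", "frpc", "frpc -c /tmp/frpc.ini"),
    ProcEvent("app-02", "bash", "socat", "socat TCP-LISTEN:8443,fork TCP:10.0.0.5:443"),
    ProcEvent("ci-01", "systemd", "bash", "bash /opt/ci/run.sh"),
]

if __name__ == "__main__":
    for host, hit in scan(SAMPLE_EVENTS):
        print(f"{host}: {hit}")
```

The benign events (a worker process and a CI job launched by systemd) produce no alerts, which is the tuning point to watch when adapting the parent/shell lists to a real fleet.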

While this is not a comprehensive list of Iranian APTs, below we provide specific examples of groups that often target cloud and Linux-based infrastructure.

APT35 / Charming Kitten / Phosphorus

APT35 is an Iranian government-sponsored group that has been in operation since 2014. It has been known to target U.S., European, and Middle Eastern military, diplomatic, and government personnel, as well as researchers, media, energy, and defense contractors.

  • Cloud Account Compromise: APT35 specializes in stealing credentials from Microsoft 365, Gmail, and cloud VPN portals using phishing, password spraying, and token theft. Microsoft observed the group targeting over 250 Office 365 tenants using stolen credentials and password spraying tactics.
  • Hyperscrape to Exfiltrate Cloud Emails: APT35 developed a tool called Hyperscrape designed to log in to victim Gmail and Microsoft accounts and silently exfiltrate their emails.
  • PowerLess and BellaCiao Malware: APT35 developed PowerLess (a PowerShell backdoor that executes without invoking powershell.exe) and BellaCiao (a dropper that delivers tailored implants based on the victim's geolocation).
  • Tunneling Through Cloud Infrastructure: APT35 leverages Fast Reverse Proxy (FRP) to tunnel RDP and C2 traffic through attacker-controlled infrastructure, including cloud services such as Azure or VPS providers, thereby bypassing firewalls and maintaining persistence.
  • Linux Exploitation: APT35 has exploited vulnerabilities, such as Log4j, in Apache servers, Exchange, and VPN appliances, some of which run on Linux (e.g., Fortinet, Zimbra, etc.). While their implants are usually Windows-based, their initial access methods can impact Linux cloud services through the use of reverse shells and credential harvesting.


APT33 / Peach Sandstorm / Refined Kitten

APT33 is an Iranian government-sponsored group that has been in operation since 2013. It is known to have targeted the United States, Saudi Arabia, and South Korea, specifically the aviation and oil sectors.

  • Cloud-First Intrusions: APT33 uses Azure Active Directory (AAD) and Azure subscriptions as C2 infrastructure. Its custom malware, Tickler, was observed communicating with attacker-controlled Azure resources.
  • Credential Access via Password Spraying: APT33 conducts large password-spraying campaigns against Microsoft 365 and AAD tenants, using TOR exit nodes and open-source tools such as Roadtools and AzureHound for post-compromise reconnaissance.
  • Azure Resources: APT33 has been observed creating and operating malicious Azure infrastructure (e.g., C2 servers and beaconing endpoints) to blend in with legitimate cloud activity.
  • Indirect Linux Targeting: While APT33's malware usually runs on Windows, its operations frequently impact Linux-hosted services in cloud environments, including Linux-based Azure VMs, VPN appliances, and cloud web services.
  • Social Engineering: APT33 uses LinkedIn profiles to trick targets into sharing credentials. These phishing campaigns can result in access to cloud IAM portals, GitHub, or Linux servers accessed via SSH.


Pioneer Kitten / Lemon Sandstorm / RUBIDIUM

Pioneer Kitten is an Iran-based cyber group associated with the Iranian government that has conducted cyber operations since 2017. It collaborates with ransomware gangs to target education, finance, healthcare, defense contractors, and government entities in the U.S., Israel, U.A.E., and Azerbaijan.

  • Initial Access Broker for Ransomware: Pioneer Kitten is an Iran-aligned APT group that exploits VPN and network device vulnerabilities (e.g., Citrix Netscaler, F5 BIG-IP, Pulse Secure, and more) to gain initial access, maintains persistence via web shells, and then sells that access to ransomware affiliates such as BlackCat/ALPHV, NoEscape, and Ransomhouse.
  • Persistence with Web Shells: Pioneer Kitten is known for using deeply buried web shells (for example, hidden in /var/vpn/themes/imgs/) to survive reboots and updates. It often avoids malicious binaries and instead uses fileless or inline bash command execution to stay under the radar.
  • Off-the-Shelf Toolset: The group uses a mix of living-off-the-land tools (such as ligolo, socat, and proxychains) and post-exploitation frameworks (such as Havoc, MeshCentral, and custom C2 binaries) across Linux and cloud systems.
  • Ransomware and Espionage Workflows: Once inside, Pioneer Kitten frequently leverages SSH tunnels, proxy tools (e.g., ngrok, ligolo), or compromised Linux systems to reach Windows and cloud systems. These footholds enable either selling access or executing ransomware.

