Sysdig Threat Bulletin: Iranian Cyber Threats

By Michael Clark - JUNE 23, 2025


Following the June 22, 2025 United States strikes on Iranian nuclear infrastructure, the Sysdig Threat Research Team (TRT) anticipates a spike in cyber activities by Iranian state-sponsored advanced persistent threats (APTs) and pro-Iranian hacktivists, similar to what we observed at the beginning of the Russia-Ukraine war in February 2022. 

In this bulletin, Sysdig TRT provides forward-looking guidance, threat intelligence based on known and expected behaviors, and detections for security teams preparing to defend against potential attacks by these groups. We also highlight key state-sponsored Iranian groups previously linked to attacks on cloud and Linux environments, along with the tools and tactics they commonly employ.

General Recommendations

  • Enforce MFA on all cloud accounts and enable detections for unusual logins
    • Sysdig’s CIEM and Compliance can show cloud accounts that are not protected by MFA, enabling corrective action to be taken.
  • Look for signs of web shells on exposed systems using runtime detections and file analysis
    • The following rules are effective at uncovering webshell activity:
      • Suspicious Command Executed by Web Server (Sysdig Runtime Notable Events)
      • Run shell untrusted (Sysdig Runtime Notable Events)
      • Reverse Shell Detected (Sysdig Runtime Threat Detection)
  • Ensure any exposed appliances (e.g., Ivanti, Netscaler, Pulse Secure …) are patched and have access controls to limit the blast radius
    • Sysdig Risks and Inventory shows systems that are exposed to the Internet and have vulnerabilities
  • Monitor workloads for unauthorized open-source security tool usage
    • Ensure the following are enabled:
      • Offensive Security Tool Detected (Sysdig Runtime Threat Detection)
      • Offensive Security Tool Contacting Cloud Instance Metadata Service (Sysdig Runtime Notable Events)
      • DNS Lookup for Offensive Security Tool Domain Detected (Sysdig Runtime Threat Intelligence)
      • Launch Suspicious Network Tool in Container (Sysdig Runtime Notable Events)
      • Launch Suspicious Network Tool in Host (Sysdig Runtime Notable Events)
  • Detect connections to known tunneling/proxy websites by IP or DNS monitoring
    • Enable Sysdig Runtime Threat Intelligence policy
  • Verify backups are operating correctly, because common payloads for these groups include ransomware and disk wipers
    • Enable a Malware Detection policy that uses malicious hashes and Yara rules

Key Iranian Threat Actors

While not a comprehensive list of Iranian APTs, below we provide specific examples of groups that often target cloud and Linux-based infrastructure.

APT35 / Charming Kitten / Phosphorus

APT35 is an Iranian government-sponsored group that has been in operation since 2014. They have been known to target U.S., European, and Middle Eastern military, diplomatic, and government personnel as well as researchers, media, energy, and defense contractors.

  • Cloud Account Compromise: APT35 specializes in stealing credentials from Microsoft 365, Gmail, and cloud VPN portals using phishing, password spraying, and token theft. Microsoft observed the group targeting over 250 Office 365 tenants using stolen credentials and password spraying tactics.
  • Hyperscrape to Exfiltrate Cloud Emails: APT35 developed a tool called Hyperscrape designed to log in and silently exfiltrate emails from victim Gmail and Microsoft accounts. 
  • PowerLess and BellaCiao Malware: APT35 developed PowerLess (a PowerShell backdoor that executes without invoking powershell.exe) and BellaCiao (a dropper delivering tailored implants based on victim geolocation). 
  • Tunneling Through Cloud Infrastructure: APT35 leverages Fast Reverse Proxy (FRP) to tunnel RDP and C2 traffic through attacker-controlled infrastructure, including cloud services such as Azure or VPS providers, thereby bypassing firewalls and maintaining persistence.
  • Linux Exploitation: APT35 has exploited vulnerabilities, such as Log4j, in Apache servers, Exchange, and VPN appliances, some of which run on Linux (e.g., Fortinet, Zimbra, etc.). While their implants are typically Windows-based, their initial access methods can impact Linux cloud services through the use of reverse shells and credential harvesting.

APT33 / Peach Sandstorm / Refined Kitten

APT33 is an Iranian government-sponsored group that has been in operation since 2013. They are known to have targeted the United States, Saudi Arabia, and South Korea, specifically the aviation and oil sectors.

  • Cloud-First Intrusions: APT33 uses Azure Active Directory (AAD) and Azure subscriptions as C2 infrastructure. Their custom malware, Tickler, was observed communicating with attacker-controlled Azure resources.
  • Credential Access via Password Spraying: APT33 conducts massive password-spraying campaigns against Microsoft 365 and AAD tenants, using TOR exit nodes and open-source tools such as Roadtools and AzureHound for post-compromise reconnaissance.
  • Azure Resources: APT33 has been observed creating and operating malicious Azure infrastructure (e.g., C2 servers and beaconing endpoints) to blend in with legitimate cloud activity.
  • Indirect Linux Targeting: While APT33’s malware typically runs on Windows, their operations frequently impact Linux-hosted services in cloud environments, including Linux-based Azure VMs, VPN appliances, and cloud web services.
  • Social Engineering: APT33 uses LinkedIn profiles to trick targets into sharing credentials. These phishing campaigns can result in access to cloud IAM portals, GitHub, or Linux servers accessed via SSH.

Pioneer Kitten / Lemon Sandstorm / RUBIDIUM

Pioneer Kitten is an Iran-based cyber group associated with the Iranian government, conducting cyber operations since 2017. They collaborate with ransomware gangs to target education, finance, healthcare, defense contractors, and government entities in the U.S., Israel, U.A.E., and Azerbaijan.  

  • Initial Access Broker for Ransomware: Pioneer Kitten exploits vulnerabilities in VPN and network devices (e.g., Citrix Netscaler, F5 BIG-IP, Pulse Secure, and others) to gain initial access, maintains persistence via web shells, and then sells that access to ransomware affiliates such as BlackCat/ALPHV, NoEscape, and Ransomhouse.
  • Persistence with Web Shells: Pioneer Kitten is known for using deeply buried web shells (such as hiding in /var/vpn/themes/imgs/) to survive reboots and updates. They often avoid malicious binaries and instead use fileless or inline bash command execution to stay under the radar.
  • Off-the-Shelf Toolset: The group uses a combination of living-off-the-land tools (such as ligolo, socat, and proxychains) and post-exploitation frameworks (such as Havoc, MeshCentral, and custom C2 binaries) across Linux and cloud systems.
  • Ransomware and Espionage Workflows: Once inside, Pioneer Kitten frequently leverages SSH tunnels, proxy tools (e.g., ngrok, ligolo), or compromised Linux systems to reach Windows and cloud systems. These footholds enable either selling access or executing ransomware.
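As an added example (not Sysdig's own tooling or rule logic), the following Python file-analysis check looks for the hiding pattern described above, script content dropped into an image directory such as /var/vpn/themes/imgs/, and also serves the "file analysis" item in the General Recommendations. The marker list, risky-call regex, and the sample files it builds in a temporary directory are constructed assumptions for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Assumed heuristics for this example; tune them for your own web roots.
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico"}
IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8", b"\x00\x00\x01\x00")
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"#!/bin/sh", b"#!/bin/bash")
# Calls commonly seen in web shells; legitimate code can use them too,
# so a hit is a lead for review, not a verdict.
RISKY_CALLS = re.compile(
    rb"\b(eval|system|passthru|shell_exec|exec|popen|base64_decode|assert)\s*\("
)


def scan_file(path: Path) -> list[str]:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    head = path.read_bytes()[:4096]  # first 4 KiB is enough for these checks
    if path.suffix.lower() in IMAGE_EXT and not head.startswith(IMAGE_MAGIC):
        # Image extension but no image header: check for interpreter markers.
        if any(marker in head for marker in SCRIPT_MARKERS):
            findings.append("script content in image-extension file")
    hit = RISKY_CALLS.search(head)
    if hit:
        findings.append("risky call: " + hit.group(1).decode())
    return findings


def scan_tree(root: Path, max_size: int = 1_000_000) -> dict[str, list[str]]:
    """Walk a web root and map relative paths to their findings."""
    results = {}
    for p in root.rglob("*"):
        if p.is_file() and p.stat().st_size <= max_size:
            found = scan_file(p)
            if found:
                results[p.relative_to(root).as_posix()] = found
    return results


def build_sample_tree() -> Path:
    """Constructed sample: a real PNG header, a PHP file named like a PNG, benign PHP."""
    root = Path(tempfile.mkdtemp())
    imgs = root / "var" / "vpn" / "themes" / "imgs"
    imgs.mkdir(parents=True)
    (imgs / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    # Decoded payload is just "echo 1"; the shape, not the content, is the signal.
    (imgs / "icon.png").write_bytes(b"<?php eval(base64_decode('ZWNobyAx')); ?>")
    (root / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
    return root


if __name__ == "__main__":
    for rel, found in scan_tree(build_sample_tree()).items():
        print(rel, "->", ", ".join(found))
```

Run it against a real appliance by replacing build_sample_tree() with the web root you want to audit; expect hits on legitimate admin scripts that call exec() and triage those by hand.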
