Cyber Operations

We track Iranian state-aligned cyber actors, their infrastructure, and the operations they run against targets inside and outside Iran. Our work informs media coverage and government investigations into Iranian cyber activity.

Overview

We document the people, infrastructure, and operations that constitute Iran’s cyber apparatus. The aperture is wide: APT groups linked to the Ministry of Intelligence and the Islamic Revolutionary Guard Corps, contractor networks operating on behalf of state customers, and the infrastructure these actors deploy and reuse over time.

Iranian cyber operations sit inside a broader system of state activity that connects directly to influence operations, sanctions evasion, and the information environment we cover in adjacent focus areas. Understanding any single actor in isolation produces incomplete analysis. We treat the cyber pillar as one face of a system, and our work in this domain is informed by what we see across the others.

Our published research and dossiers in this area have informed coverage at major international media outlets and supported government enforcement and investigative work. The work is cited regularly by peer research organizations and used by security teams in industries with Iran exposure.

What we cover

Five sub-areas inside the cyber pillar.

01

Threat Actor Profiling

Specific APT groups, their tooling, targeting patterns, organizational relationships, and evolution over time. We maintain an internal directory of Iranian threat actors that informs our published research.

02

Infrastructure Analysis

The servers, domains, hosting relationships, and tooling that Iranian actors deploy. Reuse patterns across campaigns. Operational tradecraft observed in the wild.

03

Contractor Networks

Private companies providing offensive and defensive cyber capabilities to MOIS, IRGC, and other state customers. Personnel, ownership structures, and the financial relationships that sustain them.

04

Campaign Documentation

Specific operations as they develop. Targets, methods, timing, and the analytical question of why a campaign is running now and what it tells us about state intent.

05

Attribution Research

Linking observed activity to specific actors with documented methodology. We treat attribution as a discipline: claims are sourced, methodology is documented, and we publish only claims we are prepared to defend.

Our approach

Our work in cyber draws on Persian-language source networks, our internal directory of Iranian threat actors, and the operational visibility we maintain into Iranian network conditions.

Most analysis of Iranian cyber operations is produced by generalist threat-intelligence firms covering many regions, often with limited Persian-language capability. We work in Persian as a primary research language and maintain source relationships in Iranian-language closed channels that most Western firms cannot reach. This is the single most important factor separating depth from surface in this domain.

Read our full approach →

Recent work

Selected research and analysis on cyber operations.

Digital Impact Lab Substack 2026.05.19

Iran Digital Pulse: The Cybersecurity Debt of a Blackout

Iran's 81-day internet shutdown beginning February 28, 2026, severed all standard update paths for Android, iOS, Windows, macOS, and Linux systems, leaving devices and servers unpatched against over 100 vulnerabilities disclosed during that period, including CVE-2026-28950 (iOS notification retention) and CVE-2026-42945 (18-year nginx heap overflow, CVSS 9.2). Organizations with Internet Pro partial connectivity now operate heterogeneous networks where unpatched devices serve as lateral movement vectors, while Security Operations Centers and Intrusion Detection Systems run on pre-shutdown signature databases. The shutdown compressed the attack surface domestically while degrading the defenses needed to detect internal compromise, inverting the stated security justification.

Read on Digital Impact Lab Substack →

CERTFA Radar 2026.01.16

Security Alert: IranGuard Spyware Campaign

A spear-phishing campaign distributing surveillance malware named IranGuard. Delivered via emails impersonating an Iranian law enforcement intelligence agency. Distributes both Android (APK) and Windows (EXE) variants of the spyware.

Read on CERTFA Radar →

CERTFA Radar 2026.01.14

Mobile Phone: New Android Surveillance Malware Targeting Persian Speakers

A malicious Android application disguised as a mobile phone utility. Analysis shows a sophisticated surveillance tool with strong indicators linking it to Domestic Kitten (APT-C-50), an Iranian state-backed group associated with the IRGC.

Read on CERTFA Radar →