THREAT RESEARCH:

IRAN 2026

THREAT POSTURE ASSESSMENT

Threat Research Team

KEY TAKEAWAYS

  • MuddyWater (MOIS) is an Iranian threat actor whose infrastructure is currently tracked and active, with predictions recorded as recently as January 2026.
  • Observed data indicate a sustained shift in Iranian infrastructure acquisition behavior between 2019 and 2022, during which platform coverage of OilRig and APT33 clusters dropped to zero. Augur assesses that this reflects a change in how those actors obtain and configure infrastructure, not a cessation of operations.
  • Two MuddyWater-attributed clusters show new infrastructure in the six months before the strikes: a burst of seven CIDRs flagged over 72 hours in September 2025 on one cluster, and a further detection in January 2026 on the other, approximately one month before the February 28 US-Israel strikes on Iran.
  • The September 2025 and January 2026 infrastructure is hosted across three distinct providers (AS62005 BV-EU-AS, AS62240 Clouvider, AS203020 HostRoyale), consistent with a deliberate provider diversification strategy.
  • The broader Iranian hacktivist ecosystem has expanded significantly following the February 28 strikes, with dozens of aligned groups now engaging in retaliation.
  • Despite lulls in direct Iranian cyber action, affiliate groups remain active and continue to retaliate against regional targets alongside Iran’s kinetic retaliation.

1. Background and Analytical Scope

This report assesses Iranian state-sponsored and state-aligned threat-actor infrastructure using data from the Augur Security Predictive Intelligence platform, corroborated by open-source intelligence. The platform produces IP- and CIDR-level insights from behavioral and infrastructure fingerprinting, grouping predictions into clusters that represent likely shared-actor infrastructure.

The assessment covers the following Iranian actors active in 2024-2026: MuddyWater (MOIS), OilRig/APT34 (MOIS), APT35/Charming Kitten (IRGC-IO), APT33/Peach Sandstorm (IRGC), Cotton Sandstorm/Emennet Pasargad (IRGC), CyberAv3ngers (IRGC-CEC), and Handala (assessed MOIS-linked). Augur’s data is included only where predictions are directly tagged with verified Iranian actor identifiers or associated malware families. 

Augur assesses with medium-high confidence that Iran's current cyber posture has been weakened by sustained U.S. and Israeli strikes on military sites. As known bases and fallback locations continue to come under aircraft and drone attack, the lull in Iranian operations likely reflects real disruption to operator safety and supporting digital infrastructure. Iran's nationwide internet blackouts on January 8, 2026, and February 28, 2026, further support that assessment: NetBlocks measured traffic falling to 4% of normal levels in the first few days of the campaign, then below 1% in early March. Augur tracking of operator infrastructure and OSINT also confirms this quieter posture among core Iranian operators.

At the same time, the Iranian response is far from silent. Alongside Iran's initial drone and missile retaliation, Western and Gulf states have seen a surge in activity from Iran-aligned affiliate groups such as Handala Hack Team, APT Iran, and the Russian DDoS group NoName057. These actors have carried out much of the visible response through sustained DDoS attacks, phishing, and disruptive operations. Handala's destructive attack on U.S. medical provider Stryker is one example, but Augur assesses the operation as opportunistic and consistent with prior Handala tradecraft, not as evidence of a broader expansion in Iranian cyber activity or of targeting of the healthcare industry. The attack deployed a wiper that erased servers, employee devices, and some personal devices, which Handala justified by describing Stryker as a "Zionist rooted corporation."

The traditional Iranian APT model, now under heavier scrutiny from researchers and law enforcement due to a 2025 internal document leak, has increasingly given way to state-directed hacktivist groups and affiliate personas. While Iran’s threat level remains high, Augur believes that many publicly claimed intrusions during the February to March 2026 conflict were opportunistic or exaggerated. Despite this, organizations in the region or otherwise exposed to Iran-aligned activity should prioritize patching edge devices, updating outdated software, and remediating known vulnerabilities.

1.1 GEOPOLITICAL CONTEXT AND CYBER ESCALATION TIMELINE

The following timeline captures the key kinetic and cyber escalation milestones shaping the current threat environment:

Date: Event

Oct 2023: Hamas attack on Israel; Iran-linked APT and hacktivist cyber campaigns immediately intensify across MENA targets. Operators prioritize reconnaissance of ISP peering points in preparation for long-term espionage.
Nov 2023: Iran-linked MuddyWater targets telecommunications organizations in Egypt, Sudan, and Tanzania in an espionage campaign. Active targeting of critical infrastructure continues across the Gulf.
Jun 13, 2025: Israel launches a sustained air campaign against Iranian military infrastructure, triggering a declaration of direct state conflict.
Jun 15, 2025: After a strike on the Shahran oil depot, Iranian hacktivists and state proxies immediately launch 120+ Telegram-coordinated cyber campaigns against energy, telecom, and manufacturing sectors across the Middle East. Gulf states and Western nations begin to experience DDoS attacks, defacements, and breach attempts.
Jun 22, 2025: Following Iranian missile strikes on U.S. positions in Qatar and Iraq, pro-Iran hacktivist activity surges online; SOCRadar tracks 600+ cyberattack claims across 100+ Telegram channels in roughly 15 days, though many claims are exaggerated or unverified.
Jun 24, 2025: A US-brokered ceasefire is declared between Israel and Iran. Iran reports 610+ killed. Cyber threat posture remains elevated despite the kinetic pause.
Jun 30, 2025: CISA, FBI, NSA, and DC3 warn that Iranian state-sponsored or affiliated actors may target vulnerable U.S. and MENA networks and entities of interest, especially through DDoS and opportunistic attacks against critical infrastructure.
Jul 2025: SOCRadar reports a 700% surge in Iranian cyber operations. Open-source reporting assesses a sharp rise in Iran-related cyber activity after the June conflict, driven largely by hacktivist disruption, influence operations, and continued regional targeting by established Iranian threat groups.
Aug 2025: West Point's Lieber Institute reports that Iran is increasingly leveraging cyber as a strategic offset. Unit 42 ends its active monitoring brief on Aug 14, 2025, noting it had not observed a dramatic uptick in Iranian-directed cyberattacks, though the risk of further escalation, disruptive activity, and continued pre-positioning remained. APT35 (Charming Kitten) begins AI-augmented spearphishing campaigns targeting cybersecurity researchers, dissidents, and academics in the region.
Aug 28, 2025: France, the UK, and Germany trigger the UN snapback sanctions mechanism on Iran for the first time in a decade. Iran's geopolitical and economic isolation deepens, increasing the incentive for asymmetric cyber retaliation.
Sep 2025: Public reporting on IOCONTROL, linked to the Iran-backed CyberAv3ngers, continues to underscore Iran's ability to target routers, firewalls, PLCs, and embedded Linux devices, making these threats more relevant to businesses running operational technology, edge infrastructure, and exposed management tools. Augur Security recommends updating and patching affected devices immediately.
Sep 26, 2025: The UN Security Council rejects Russia's and China's effort to stop snapback sanctions. Iran faces maximum international pressure. IRGC cyber units are assessed to be in an active posture for retaliation.
Nov 1, 2025: Mediators urge both the US and Iran back to the negotiating table. Despite this, Augur assesses that regional targets across MENA are still being targeted for phishing and credential harvesting with no slowdown in operational pacing.
Nov 7, 2025: Trump signals willingness to negotiate with Iran on sanctions. A temporary diplomatic back-channel opens. Iranian cyber activity is assessed to decrease slightly as diplomatic efforts are explored.
Dec 28, 2025: Mass protests erupt across Iran as the rial collapses. Iranian domestic instability increases. Iran shuts down internet and phone services internally on January 8, 2026. IRGC crackdown kills thousands. Internal crises may redirect cyber resources inward, but they also bolster Iran's appetite for external aggression: maintaining cyber operations internationally allows Iran to project strength and distract a global audience from its domestic issues.
Jan 10, 2026: Mediators meet with Iranian President Pezeshkian, SNSC Secretary Larijani, and FM Araghchi in Tehran to begin a new round of US-Iran engagement. The diplomatic option resumes, leading to a partial cessation of cyber activity across the region.
Jan 13, 2026: Trump cancels meetings with Iran and warns "help is on the way." The US begins the largest naval and air buildup in the Middle East in decades. US 5th Fleet ships depart Bahrain for sea posture. Risk of a US strike on Iran assessed as HIGH.
Feb 2, 2026: Critical Threats / ISW assessment: the Iranian regime is conducting a diplomatic, informational, and military campaign to deter a US attack. Regional states such as Jordan privately warn the US against striking Iran, citing the risk of Iranian missile retaliation against MENA critical infrastructure.
Feb 17, 2026: US-Iran talks held in Geneva. Iran briefly closes the Strait of Hormuz as a signal of leverage; one-fifth of all globally traded oil transits this chokepoint. Amid this economic threat, cyber nuisance operations (DDoS, defacement, phishing) increase across the region.
Feb 24, 2026: Trump's State of the Union address explicitly warns Iran over its nuclear and missile programs. The IRGC conducts military exercises in the Strait of Hormuz and along the southern coast, the largest since the June 2025 war.
Feb 25, 2026: IRGC Ground Forces complete a two-day exercise at Madinah ol Munawarah Operational Base in Bandar Abbas, the closest IRGC headquarters to the Strait of Hormuz. Assessed as preparation for a potential conflict posture.
Feb 26, 2026: The third round of US-Iran nuclear talks in Geneva ends without agreement. The US demands zero enrichment, the destruction of the Fordow, Natanz, and Isfahan sites, and removal of all enriched uranium. Iran refuses. Talks collapse.
Feb 27, 2026: Mediators announce Iran has agreed to degrade its uranium to the lowest possible levels. Despite Iran's pledge, Trump says all options remain available. Israeli strike preparations are confirmed by Western intelligence assessments.
Feb 28, 2026: ISRAEL LAUNCHES NEW COORDINATED STRIKES ON IRANIAN TARGETS INCLUDING TEHRAN. US military involvement confirmed. Iran vows retaliation. DHS issues a national terrorism advisory. Former NATO commander Admiral James Stavridis warns Iran may "go big," including closing the Strait of Hormuz, cyber attacks on arbitrary MENA infrastructure, and activation of proxy cells. Cyber threat to regional assets and US infrastructure assessed as HIGH.
Mar 1, 2026: Iran broadens retaliatory strikes across the region with missile and drone attacks. Gulf nations assist in missile defense and drone deterrence operations. Regional instability heightens an already growing threat and increases the risk of arbitrary cyber retaliation.
Mar 2, 2026: Iran's retaliation expands from military targets to government and commercial infrastructure. Reuters reports major disruptions at AWS data centers in Bahrain and the UAE due to bombardment, and outages at Abu Dhabi Commercial Bank following Iranian strikes on Gulf states' infrastructure.
Mar 3, 2026: Diplomats across MENA are evacuated while regional allies remain on alert amid the barrage. Businesses and government sites across the region are hit with waves of DDoS and disruption attacks.
Mar 4, 2026: Sustained strikes across the region continue to threaten regional security, disrupt travel, and prolong the cyber threat. With no active mediators or attempts at diplomacy, military operations and a prolonged escalation continue undeterred.
Mar 5, 2026: Iranian missile attacks continue as the conflict is sustained. Regional air travel and civilian evacuations are disrupted, with many carriers suspending service in the region.
Mar 7, 2026: Israeli strikes expand to Iranian oil and refinery infrastructure near Tehran.
Mar 11, 2026: Iran warns against targeting its oil interests and threatens to shut the Strait of Hormuz to all shipping. The Iranian-aligned Handala Hack Team claims a wiper attack against Stryker, a medical company with ties to the US and Israel. All company servers and devices (alongside some employee devices) are wiped and left with a pro-Iranian message.
Mar 13, 2026: The Strait of Hormuz becomes a central battleground in the conflict. Iran threatens to block access to all Western nations, allowing only Iran-allied vessels to pass (and threatening to admit only oil sold for yuan). The IRGC also claims to have heavily mined the Strait to prevent unauthorized passage by merchant ships.
Mar 16, 2026: Israeli/US airstrikes continue, with Iranian retaliation expanding to Gulf airports such as Dubai International. Israel is reported to be considering a ground campaign in Lebanon to weaken Iranian proxy forces. The US military dispatches 5,000 troops to the region for peacekeeping and is reported to be weighing a mission to move Iranian nuclear material into friendly territory.
Mar 17, 2026: Israeli air strikes continue across Iran; missiles kill Iranian security chief Ali Larijani and Gholamreza Soleimani, commander-in-chief of the Basij militias. Iran claims to have arrested dozens of intelligence operatives embedded by Israel and seized hundreds of Starlink terminals used by dissidents and Israeli operatives.
Mar 18, 2026: The EU sanctions Iranian businesses used as front companies for cyber operations, mainly targeting the Emennet Pasargad firm for links to cyberattacks in France, Sweden, and across Eastern Europe. Israeli strikes the same day kill Iranian Intelligence Minister Esmail Khatib, pushing Iran to again reject negotiation, surrender, or dialogue.

2. Augur Coverage: Iranian Actor Clusters

We observed that across all predictive clusters for Iranian actor tags, associated malware families, and relevant CVEs, the corpus of profiles spanned from 2012 to March 2026. After filtering for clusters with verified Iranian-specific identifiers, the following profiles constitute the dataset used for this assessment. Within that dataset, Iranian digital threat posture remains mixed. Recent activity is more limited among core operators, while affiliated actors and older infrastructure continue to shape the overall threat picture.

2.1 Currently Active Clusters

Profile   Actor Tags              Active CIDRs   Last Predicted
137113    muddywater, bugsleep    6              2026-01-28
152131    muddywater, bugsleep    10             2025-09-20

Both clusters carry the bugsleep tag alongside muddywater, consistent with MuddyWater's documented use of the BugSleep backdoor and its focus on Middle Eastern targets. Profile 137113 has 11 total predictions across three distinct phases dating to October 2020. Profile 152131 has 14 predictions across three phases dating to March 2022.

2.2 Recently Inactive Clusters (2019-2023)

Profile   Actor Tags                                                 Predictions   Active CIDRs   Last Predicted
146971    muddywater, seedworm, static_kitten, temp_zagros           14            3              2023-09-21
90022     apt33, charming_kitten, cleaver                            27            27             2020-06-28
128727    muddywater, bugsleep                                       2             2              2020-05-06
108388    muddywater, cotton_sandstorm, emennet_pasargad, powgoop    2             2              2019-08-24

Profile 146971 carries the broadest set of MuddyWater-associated aliases in the dataset (seedworm, static_kitten, and temp_zagros alongside muddywater), reflecting the consolidation of multiple tracking designations for the same actor group under a single cluster. Its most recent prediction dates to September 2023, placing it between the active clusters above and the fully dormant pre-2020 clusters below. The three active CIDRs on this profile have not been refreshed since that date and may no longer be in use by Iranian-linked actors; matches against them should be weighted accordingly.

Profile 90022 is the only APT33-attributed cluster, and its last prediction in June 2020 marks the latest time APT33-associated infrastructure was observed in the filtered cluster dataset (the per-prediction list in Section 5.3 includes later apt33-tagged predictions). The 27 predictions and 27 active CIDRs on this profile indicate a meaningful footprint at the time of last observation. Profile 128727 is a second MuddyWater/BugSleep cluster that went inactive in May 2020, within weeks of the APT33 cluster, suggesting a broader infrastructure switch across multiple Iranian actors during that period. Profile 108388 is notable for carrying both muddywater and cotton_sandstorm/emennet_pasargad tags on the same cluster, which may reflect shared infrastructure between MOIS- and IRGC-affiliated operators or a tagging artifact (see Section 5.5).

2.3 Historical OilRig/APT34 Clusters (2016-2019)

Profile   Actor Tags                                              Predictions   Active CIDRs   Last Predicted
88555     oilrig, helix_kitten, ismdoor                           195           92             2019-08-03
77245     oilrig, helix_kitten, ismdoor                           39            32             2018-06-10
74406     oilrig, helix_kitten, alma_communicator, quadagent      36            36             2017-11-11
51928     oilrig, helix_kitten, greenbug, shamoon, shamoon2       18            14             2016-08-31
10743     apt34, oilrig, cleaver                                  19            12             2016-02-22

Profile 88555 is the densest single-actor cluster in the Iranian corpus with 195 predictions and 92 active CIDRs at the time of last observation in August 2019, and represents the platform’s most complete historical coverage of OilRig infrastructure. The ismdoor tag across profiles 88555, 77245, and 51928 reflects consistent detection of OilRig’s custom backdoor across multiple infrastructure clusters spanning 2016 to 2019, indicating the fingerprint was stable enough for the model to track across multiple acquisition cycles during that period.

Profile 51928 is the earliest OilRig cluster in the dataset, first predicted in December 2015, and is the only cluster carrying both Shamoon and Shamoon2 tags alongside the OilRig/helix_kitten identifiers. This co-occurrence places OilRig-attributed infrastructure in proximity to the destructive wiper campaigns targeting Saudi Arabian organizations in 2016 and 2017, consistent with open-source reporting on OilRig’s role within the broader Iranian offensive cyber ecosystem during that period. Profile 10743 carries apt34 alongside oilrig and cleaver, reflecting the overlap between those three tracking designations in the 2014 to 2016 timeframe before the intelligence community settled on more standardized nomenclature.

3. Infrastructure Acquisition Behavior: A Tracked Transition

One of the most significant findings from our dataset is the trajectory of prediction coverage across Iranian actor clusters over time. The data document not an absence of Iranian actors, but a shift in how those actors acquire and configure infrastructure.

3.1 Phase 1: Direct Allocation (2015-2019)

OilRig/APT34 infrastructure was the most densely predicted category in the Iranian corpus. Profile 88555 alone accounts for 195 predictions and 92 active CIDRs, the largest single-actor cluster in the dataset. Profiles 77245, 74406, and 51928 add further coverage through 2018. The prediction model consistently fingerprinted this infrastructure, suggesting a relatively stable, detectable acquisition pattern during this period.

APT33 and Charming Kitten infrastructure appear in profiles 90022 and several earlier clusters, with the most recent APT33-tagged prediction recorded in June 2020. MuddyWater appears in historical clusters 62189 and 51553 as early as 2015, with tools including PhonyC2, Phishery, and early versions of what would later be classified as the Seedworm/Static Kitten toolset.

3.2 Phase 2: Transition and Coverage Gap (2019-2022)

OilRig cluster predictions in the filtered dataset cease after August 2019; APT33 last appeared in June 2020. This is not assessed to reflect actor retirement. Iranian actors are well documented in open-source intelligence to have rotated their infrastructure acquisition methods during this period, moving toward leased bulletproof hosting (BPH) provider space, front-company registrations, and permissive Western hosting. The platform's fingerprinting model, calibrated to the prior acquisition pattern, lost signal when the underlying behavior changed.

This gap represents a known limitation of prediction-based systems: infrastructure behavioral models require recalibration when actors change procurement methods. The absence of OilRig and APT33 signals from 2020 onward should be treated as a coverage gap rather than evidence that those actors are inactive.

3.3 Phase 3: Re-acquisition on BPH-Adjacent Infrastructure (2020-Present)

MuddyWater re-emerges at the beginning of October 2020 with profile 137113, followed by profile 152131 in March 2022. Critically, the new infrastructure sits on a different hosting class than the 2015-2019 OilRig clusters. The recent MuddyWater detections are observed on HostRoyale (AS203020, Indian-registered, with address space registered to Albania), BV-EU-AS (AS62005, an Estonian-registered ASN allocated in February 2022), and Clouvider (AS62240, UK-registered general hosting). This is consistent with the BPH-adjacent infrastructure pattern.

MuddyWater was again observed using new infrastructure with a different fingerprint and became detectable under the updated model. That reappearance is consistent with broader reporting showing the actor remained active, including through quieter persistence inside U.S. organizations in early February 2026. Unit 42 reporting identified MuddyWater-linked backdoors in several U.S. networks, including banks, airports, and nonprofits, reinforcing that the actor has not stopped operating but has adapted its infrastructure, access patterns, and visibility profile. The platform tracked the group through a behavioral transition and re-established coverage on the other side.

This matters to the current threat picture. Reduced visibility into core Iranian operators is not to be mistaken for inactivity. It is at least partly a function of infrastructure transitions, procurement changes, and a quieter operating model, allowing core operators to hide as affiliate groups generate more overt disruption.

4. Recent Infrastructure Activity: September 2025 and January 2026

The two currently active MuddyWater clusters show a concentrated pattern of new infrastructure acquisitions in the six months preceding the February 28 US-Israel strikes on Iran, designated Operation Epic Fury/Operation Roaring Lion.

4.1 Profile 152131: September 2025 Burst

CIDR                 Flagged       ASN / Operator            Registry CC / Allocated
2.59.218.0/24        2025-09-18    AS62005 / BV-EU-AS, EE    RU / 2019-03-27
146.19.49.0/25       2025-09-18    AS62005 / BV-EU-AS, EE    GB / 2021-11-11
62.204.35.0/25       2025-09-18    AS62005 / BV-EU-AS, EE    EE / 2021-10-08
62.204.35.128/25     2025-09-18    AS62005 / BV-EU-AS, EE    EE / 2021-10-08
213.232.236.0/25     2025-09-19    AS62240 / Clouvider, GB   GB / 2021-09-20
213.232.236.128/25   2025-09-19    AS62240 / Clouvider, GB   GB / 2021-09-20
188.119.122.0/24     2025-09-20    AS62240 / Clouvider, GB   RU / 2018-11-23

Seven CIDRs were flagged across a 72-hour window from September 18 to 20, 2025. Four of the seven sit on AS62005 BV-EU-AS, an Estonian-registered ASN allocated in February 2022. The registry country codes assigned to those four prefixes span Russia, the United Kingdom, and Estonia, a mixed allocation profile consistent with BPH provider behavior. The /25 pairs covering 62.204.35.0/24 and 213.232.236.0/24 are consistent with subnet splitting observed in prior MuddyWater allocation phases. The remaining three CIDRs are on AS62240 Clouvider, a UK-based general hosting provider with a documented history of abuse by multiple threat actor groups.

This burst occurred approximately five months before the February 28 strikes, a timeframe consistent with pre-operational infrastructure staging. Augur assesses with medium confidence that this specific buildup was in preparation for post-strike operations; the pattern is consistent with pre-positioning but could also reflect routine infrastructure expansion.
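The checks described in this section (the width of the burst window, the split of prefixes across ASNs, and /25 pairs that together cover one /24) can be run mechanically over any prefix list. The Python below is an added example written for this page, not Augur platform code: its input is the seven profile-152131 rows from the table above, transcribed here as constructed tuples, and the analysis functions are illustrative.

```python
"""Added example (not Augur code): burst analysis over a list of flagged prefixes."""
from collections import Counter
from datetime import date
from ipaddress import ip_network

# (cidr, flagged_on, asn, operator), transcribed from the Section 4.1 table.
ROWS = [
    ("2.59.218.0/24",      date(2025, 9, 18), 62005, "BV-EU-AS"),
    ("146.19.49.0/25",     date(2025, 9, 18), 62005, "BV-EU-AS"),
    ("62.204.35.0/25",     date(2025, 9, 18), 62005, "BV-EU-AS"),
    ("62.204.35.128/25",   date(2025, 9, 18), 62005, "BV-EU-AS"),
    ("213.232.236.0/25",   date(2025, 9, 19), 62240, "Clouvider"),
    ("213.232.236.128/25", date(2025, 9, 19), 62240, "Clouvider"),
    ("188.119.122.0/24",   date(2025, 9, 20), 62240, "Clouvider"),
]


def burst_window_days(rows):
    """Inclusive span in days between the first and last flagged date."""
    dates = [flagged for _, flagged, _, _ in rows]
    return (max(dates) - min(dates)).days + 1


def asn_counts(rows):
    """Number of flagged prefixes per ASN."""
    return Counter(asn for _, _, asn, _ in rows)


def split_pairs(rows):
    """Return the /24s whose two /25 halves were both flagged.

    Two flagged /25s that share a /24 parent are the 'subnet splitting'
    pattern described in the text: one /24 carved into two halves.
    """
    halves = {}
    for cidr, *_ in rows:
        net = ip_network(cidr)
        if net.prefixlen == 25:
            parent = net.supernet(new_prefix=24)
            halves.setdefault(parent, set()).add(net)
    # Sort by network object so the order is numeric, not lexical.
    return [str(p) for p in sorted(p for p, h in halves.items() if len(h) == 2)]


def summarize(rows):
    """Collect the three checks into one dict for reporting."""
    return {
        "prefixes": len(rows),
        "window_days": burst_window_days(rows),
        "by_asn": dict(asn_counts(rows)),
        "split_24s": split_pairs(rows),
    }


if __name__ == "__main__":
    print(summarize(ROWS))
```

On the page's own rows this reports a 3-day window, four prefixes on AS62005 and three on AS62240, and two split /24s (62.204.35.0/24 and 213.232.236.0/24), which is the count the prose above relies on.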

4.2 Profile 137113: January 2026 Detection

CIDR                 Flagged       ASN / Operator             Registry CC / Allocated
109.104.156.0/24     2026-01-28    AS203020 / HostRoyale, IN  AL / 2009-09-04

A single /24 on HostRoyale (AS203020) was flagged on January 28, 2026, approximately one month before the strikes. This is the third phase of activity on profile 137113, following the October 2020 initial burst and the February 2022 cluster. HostRoyale is an Indian-registered provider operating Albanian address space, a combination consistent with layered jurisdictional obfuscation. This provider has appeared across multiple phases of the profile's history, suggesting either a persistent operator preference or a standing arrangement.

4.3 Infrastructure Provider Divergence

The September 2025 and January 2026 detections use different provider ecosystems despite being attributed to the same actor group. BV-EU-AS and Clouvider represent a distinct hosting stack from HostRoyale. This divergence is consistent with one of two assessments: either deliberate provider diversification to reduce single-point detection risk, or two operationally distinct sub-clusters within the broader MuddyWater group that use separate infrastructure procurement channels. Either interpretation suggests a maturing operational security posture relative to the 2020 acquisition patterns.

5. Open-Source Context: Iranian Actors in 2025-2026

5.1 MuddyWater / TA450 (MOIS)

MuddyWater, attributed to Iran's Ministry of Intelligence and Security, has been among the most consistently active Iranian actors across 2024-2026. Recent campaigns have employed BugSleep, MuddyViper, RustyWater, and an updated version of PhonyC2 as primary tooling. The group has continued targeting government, defense, and critical infrastructure organizations across the Middle East, with particular focus on Israel, Saudi Arabia, and Azerbaijan. Operation Olalampo, reported in February 2026, involved the deployment of AI-assisted backdoors against energy and marine-sector targets across the MENA region. MuddyWater's continued use of commodity malware alongside bespoke tooling is consistent with the mixed tool profile observed in platform clusters 137113 and 152131.

February 2026 also saw less visible MuddyWater activity. Reporting identified a series of MuddyWater-linked backdoors embedded in dozens of organizations ranging from banks to airports to nonprofits. The use of the new "Dindoor" backdoor pointed to access retention and quieter foothold maintenance, more consistent with stealthy persistence than overt disruption. This tracks with Augur's broader assessment: MuddyWater remains operational, but through stealthier persistence and infrastructure staging.

Augur Insight        IOC Type           Augured On
193.17.183.0/24      MuddyWater CIDR    Jan 12, 2024
103.35.190.0/24      MuddyWater CIDR    Oct 04, 2023
95.164.32.0/24       MuddyWater CIDR    May 18, 2023
95.164.46.0/24       MuddyWater CIDR    Apr 18, 2023
185.216.13.128/25    MuddyWater CIDR    Mar 23, 2023
185.248.144.128/25   MuddyWater CIDR    Dec 20, 2022
94.131.98.0/24       MuddyWater CIDR    Aug 26, 2022
94.131.109.0/24      MuddyWater CIDR    Aug 26, 2022
45.159.248.0/24      MuddyWater CIDR    Jul 04, 2022
5.252.23.0/24        MuddyWater CIDR    Mar 23, 2022
45.150.108.0/24      MuddyWater CIDR    Mar 19, 2022
80.71.157.128/25     MuddyWater CIDR    Feb 17, 2022
193.200.16.0/24      MuddyWater CIDR    Sep 30, 2021
31.171.154.32/27     MuddyWater CIDR    Oct 02, 2020
31.171.154.64/26     MuddyWater CIDR    Oct 02, 2020
141.98.252.0/24      MuddyWater CIDR    May 06, 2020
45.142.212.0/24      MuddyWater CIDR    Aug 24, 2019
51.77.97.64/27       MuddyWater CIDR    Apr 08, 2019
194.36.189.160/27    MuddyWater CIDR    Feb 14, 2019
185.183.98.0/24      MuddyWater CIDR    Dec 28, 2016
185.183.96.0/24      MuddyWater CIDR    Dec 24, 2016
185.183.97.0/24      MuddyWater CIDR    Dec 24, 2016
178.32.30.0/30       MuddyWater CIDR    Nov 30, 2016
46.105.84.144/30     MuddyWater CIDR    May 22, 2016
185.141.27.0/24      MuddyWater CIDR    May 15, 2016
91.134.169.136/30    MuddyWater CIDR    May 03, 2016
91.121.240.96/28     MuddyWater CIDR    Apr 01, 2016
37.187.204.24/30     MuddyWater CIDR    Mar 26, 2016
164.132.237.64/28    MuddyWater CIDR    Mar 11, 2016
185.117.75.0/24      MuddyWater CIDR    Feb 01, 2016
51.255.19.176/29     MuddyWater CIDR    Nov 10, 2015
149.202.242.80/29    MuddyWater CIDR    Oct 21, 2015
5.196.249.160/30     MuddyWater CIDR    Oct 16, 2015
51.254.25.36/30      MuddyWater CIDR    Aug 14, 2015
185.82.202.0/24      MuddyWater CIDR    Jan 01, 2015
185.45.192.0/24      MuddyWater CIDR    May 12, 2014
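A defender will typically want to match connection logs against a list like this while accounting for its age: the oldest predictions date to 2014, and Section 2.2 notes that unrefreshed ranges may no longer be in use. The Python below is an added example written for this page, not Augur code. It parses rows in the table's own text format (a six-row subset copied from above), matches source IPs from constructed sample log lines by longest prefix, and downgrades confidence for predictions older than an assumed three-year threshold; the analysis date and threshold are choices made for the example, not values from the report.

```python
"""Added example (not Augur code): match connection logs against aged CIDR IOCs."""
import re
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Six rows copied from the MuddyWater table above, in the table's own format.
IOC_TABLE = """\
193.17.183.0/24 MuddyWater CIDR Jan 12, 2024
103.35.190.0/24 MuddyWater CIDR Oct 04, 2023
185.216.13.128/25 MuddyWater CIDR Mar 23, 2023
31.171.154.32/27 MuddyWater CIDR Oct 02, 2020
31.171.154.64/26 MuddyWater CIDR Oct 02, 2020
185.183.98.0/24 MuddyWater CIDR Dec 28, 2016
"""

ROW_RE = re.compile(r"^(\S+/\d{1,2})\s+(\S+)\s+CIDR\s+([A-Z][a-z]{2} \d{2}, \d{4})$")

# Assumed analysis date and staleness threshold (three years); both are
# choices made for this example, not values from the report.
AS_OF = date(2026, 3, 2)
STALE_AFTER_DAYS = 3 * 365


def parse_iocs(text):
    """Parse '<cidr> <actor> CIDR <Mon DD, YYYY>' rows into (network, actor, date)."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable IOC row: {line!r}")
        net = ip_network(m.group(1))
        when = datetime.strptime(m.group(3), "%b %d, %Y").date()
        iocs.append((net, m.group(2), when))
    return iocs


def match_ip(ip, iocs, as_of=AS_OF):
    """Return (actor, cidr, confidence) for the longest matching prefix, or None.

    Confidence is 'low' when the prediction is older than STALE_AFTER_DAYS,
    since unrefreshed ranges may have been reassigned to unrelated tenants.
    """
    addr = ip_address(ip)
    hits = [h for h in iocs if addr in h[0]]
    if not hits:
        return None
    net, actor, when = max(hits, key=lambda h: h[0].prefixlen)
    confidence = "low" if (as_of - when).days > STALE_AFTER_DAYS else "medium"
    return actor, str(net), confidence


# Constructed sample log lines (not from the report): "<timestamp> <src_ip> <dst_ip>"
SAMPLE_LOG = [
    "2026-03-02T10:14:07Z 193.17.183.77 10.0.0.5",
    "2026-03-02T10:14:09Z 8.8.8.8 10.0.0.5",
    "2026-03-02T10:15:30Z 31.171.154.100 10.0.0.7",
    "2026-03-02T10:16:02Z 185.183.98.12 10.0.0.9",
]


def scan_log(lines, iocs, as_of=AS_OF):
    """Return (line, actor, cidr, confidence) for each line whose source IP matches."""
    results = []
    for line in lines:
        _ts, src, _dst = line.split()
        hit = match_ip(src, iocs, as_of)
        if hit:
            results.append((line, *hit))
    return results


if __name__ == "__main__":
    for row in scan_log(SAMPLE_LOG, parse_iocs(IOC_TABLE)):
        print(row)
```

Longest-prefix matching matters here because the list contains nested ranges (31.171.154.64/26 sits inside address space also listed at /27 granularity); the narrower entry carries the more specific date and should win. Ranges flagged years ago still match, but are reported as low confidence rather than dropped, so an analyst sees the hit and the reason to discount it.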

5.2 OilRig / APT34 / Helix Kitten (MOIS)

OilRig remained active through at least October 2025, with reporting covering spear-phishing campaigns against energy and financial-sector organizations, credential harvesting via custom web shells, and continued use of the RDAT backdoor and the Veaty implant. Although OilRig-tagged cluster predictions in the filtered dataset end in August 2019 (the per-prediction list below includes later entries through January 2024), open-source reporting does not support the conclusion that OilRig infrastructure went dormant. The cluster coverage gap is assessed to reflect the infrastructure acquisition transition described in Section 3.

After October 2025, Augur's threat intelligence team tracked the broader OilRig cluster through its affiliate group, BladedFeline. Mainly targeting Iraq and the Kurdistan Regional Government, BladedFeline has focused on malware development and on expanding access within key industries (energy, telecommunications, intelligence, and law enforcement). Augur confirmed this link through PrimeCache, an implant used by BladedFeline that closely resembles OilRig's RDAT backdoor. Augur assesses with medium confidence that the group's sudden dormancy is not permanent and instead reflects operational disruption caused by kinetic strikes.

Augur Insight        IOC Type             Augured On
148.251.55.96/27     OilRig/APT34 CIDR    Jan 31, 2024
136.243.203.128/27   OilRig/APT34 CIDR    Sep 15, 2023
5.252.176.0/24       OilRig/APT34 CIDR    Apr 01, 2020
5.39.59.96/30        OilRig/APT34 CIDR    Jul 26, 2019
194.31.55.0/24       OilRig/APT34 CIDR    Jun 26, 2019
85.217.170.0/24      OilRig/APT34 CIDR    Feb 07, 2019
85.217.170.0/23      OilRig/APT34 CIDR    Feb 08, 2019
89.248.173.0/24      OilRig/APT34 CIDR    Feb 04, 2019
185.161.208.0/22     OilRig/APT34 CIDR    Oct 24, 2018
185.121.136.0/22     OilRig/APT34 CIDR    Sep 29, 2018
178.33.94.40/29      OilRig/APT34 CIDR    Jul 12, 2018
185.20.184.0/22      OilRig/APT34 CIDR    Mar 06, 2018
185.36.188.0/22      OilRig/APT34 CIDR    Mar 06, 2018
185.236.78.0/23      OilRig/APT34 CIDR    Mar 06, 2018
185.236.76.0/23      OilRig/APT34 CIDR    Mar 06, 2018
138.201.209.160/28   OilRig/APT34 CIDR    Dec 13, 2017
46.105.248.172/30    OilRig/APT34 CIDR    Dec 06, 2017
51.254.93.40/29      OilRig/APT34 CIDR    Oct 30, 2017
145.239.163.192/28   OilRig/APT34 CIDR    Oct 26, 2017
185.76.78.0/23       OilRig/APT34 CIDR    Jun 08, 2017
5.39.31.64/27        OilRig/APT34 CIDR    Dec 01, 2016
91.121.237.224/30    OilRig/APT34 CIDR    Aug 30, 2016
37.59.229.228/30     OilRig/APT34 CIDR    Aug 30, 2016
51.254.50.152/30     OilRig/APT34 CIDR    Aug 30, 2016
137.74.131.192/26    OilRig/APT34 CIDR    Aug 26, 2016
5.196.128.32/27      OilRig/APT34 CIDR    Feb 18, 2016
151.80.211.144/28    OilRig/APT34 CIDR    Jan 31, 2016
164.132.67.128/25    OilRig/APT34 CIDR    Jan 29, 2016
149.202.230.136/29   OilRig/APT34 CIDR    Jan 21, 2016
164.132.2.80/28      OilRig/APT34 CIDR    Jan 19, 2016
92.222.209.48/28     OilRig/APT34 CIDR    Jan 16, 2016
151.80.221.0/26      OilRig/APT34 CIDR    Oct 11, 2015
5.152.194.224/27     OilRig/APT34 CIDR    Sep 26, 2015
31.3.225.48/28       OilRig/APT34 CIDR    Aug 25, 2015
46.105.221.224/27    OilRig/APT34 CIDR    Jan 07, 2015
5.196.43.128/25      OilRig/APT34 CIDR    Aug 27, 2014
185.56.88.0/22       OilRig/APT34 CIDR    May 01, 2014

5.3 APT35 / Charming Kitten / Mint Sandstorm (IRGC-IO)

Recent reporting continued to show tailored phishing, impersonation, and MFA-focused tradecraft directed at high-value individuals, including researchers and dissidents. This remains consistent with Augur's assessment of the group as having a long-standing preference for silent intelligence collection.

Since the US-Israeli strikes began, the group has appeared only sporadically. Operators have quietly reemerged in phishing campaigns targeting U.S. policy experts. Despite APT35's preference for stealthy operations, the lack of notable activity beyond infrastructure staging and phishing attempts supports Augur's assessment that operators face logistical challenges amid the bombardment and are relying on affiliate groups such as Handala for disruption and projection of strength.

IOC | Augur Insight | Type | Augured On
188.214.135.160/29 | APT33 | CIDR | Dec 05, 2025
188.214.134.0/28 | APT33 | CIDR | Sep 27, 2025
5.252.178.0/24 | APT33 | CIDR | Apr 01, 2020
89.32.41.128/25 | APT33 | CIDR | Jun 01, 2019
91.134.203.56/30 | APT33 | CIDR | May 01, 2019
2.56.214.0/24 | APT33 | CIDR | Apr 11, 2019
54.36.73.0/24 | APT33 | CIDR | Feb 19, 2019
185.125.204.0/22 | APT33 | CIDR | Sep 29, 2018
109.230.215.0/24 | APT33 | CIDR | Jan 20, 2017
5.135.120.48/28 | APT33 | CIDR | Jun 20, 2015
89.32.41.0/24 | APT33 | CIDR | Jun 03, 2015
5.135.199.0/27 | APT33 | CIDR | Aug 29, 2013
109.200.24.0/25 | APT33 | CIDR | Jul 17, 2013

5.5 Cotton Sandstorm / Emennet Pasargad (IRGC)

Cotton Sandstorm, the IRGC entity operating as Emennet Pasargad, has conducted influence operations and disruptive cyber activity across multiple countries. Augur tracking continues to link the group to operations against Israel, the United States, France, and Sweden, blending information operations with staged personas for infiltration. WezRat, Emennet Pasargad-linked tooling, has also been used in support of these operations. Cotton Sandstorm tags appear in platform profile 108388 (last predicted August 2019) alongside muddywater and powgoop tags, which is notable because those actors are assessed as MOIS rather than IRGC. This co-occurrence may reflect infrastructure overlap or a platform tagging artifact, but it is not sufficient to conclude organizational overlap.

IOC | Augur Insight | Type | Augured On
85.206.169.80/28 | CottonSandstorm | CIDR | Oct 08, 2024
194.4.49.0/24 | CottonSandstorm | CIDR | Sep 21, 2022
45.142.212.0/24 | CottonSandstorm | CIDR | Aug 24, 2019
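
The CIDR tables in this section (OilRig/APT34, APT33, and Cotton Sandstorm) are most useful to a defender when matched against traffic or proxy logs. The following Python is an added example, not part of this report or of the Augur platform: it parses rows in the tables' own "IOC actor CIDR date" format, loads a subset of the CIDRs listed above, and checks constructed sample log lines against them. Where two listed networks nest (85.217.170.0/24 inside 85.217.170.0/23), the longest matching prefix wins, so an address in the /23 but outside the /24 is attributed to the /23 entry. The log lines, their addresses and the log format are constructed for illustration and are not from the report.

```python
import ipaddress
import re
from datetime import datetime

# Subset of rows copied from the IOC tables in this report, in the
# tables' own row format. Extend with the full tables as needed.
IOC_ROWS = """\
148.251.55.96/27 OilRig/APT34 CIDR Jan 31, 2024
5.252.176.0/24 OilRig/APT34 CIDR Apr 01, 2020
85.217.170.0/24 OilRig/APT34 CIDR Feb 07, 2019
85.217.170.0/23 OilRig/APT34 CIDR Feb 08, 2019
188.214.135.160/29 APT33 CIDR Dec 05, 2025
5.252.178.0/24 APT33 CIDR Apr 01, 2020
85.206.169.80/28 CottonSandstorm CIDR Oct 08, 2024
45.142.212.0/24 CottonSandstorm CIDR Aug 24, 2019
"""

# One table row: <cidr> <actor> CIDR <Mon DD, YYYY>
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+CIDR\s+([A-Z][a-z]{2} \d{2}, \d{4})$")


def parse_ioc_rows(text):
    """Parse table rows into (network, actor, augured_on) tuples.

    strict=True rejects rows whose host bits are set, which catches
    transcription errors in a CIDR before it reaches a blocklist.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable IOC row: {line!r}")
        net = ipaddress.ip_network(m.group(1), strict=True)
        augured = datetime.strptime(m.group(3), "%b %d, %Y").date()
        entries.append((net, m.group(2), augured))
    return entries


def lookup(ip, entries):
    """Return (network, actor, augured_on) for the most specific CIDR
    containing ip, or None when no listed network contains it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, actor, augured in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, actor, augured)
    return best


# Constructed sample log lines (not from the report): timestamp, IP, detail.
SAMPLE_LOG = """\
2026-03-02T10:14:07Z 148.251.55.100 TCP/443 outbound
2026-03-02T10:14:09Z 85.217.171.5 TCP/80 outbound
2026-03-02T10:15:00Z 198.51.100.7 TCP/443 outbound
2026-03-02T10:16:31Z 45.142.212.77 DNS query
"""

LOG_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(.*)$")


def scan_log(log_text, entries):
    """Return (timestamp, ip, actor, cidr, augured_on) for each log line
    whose IP falls inside a listed CIDR; non-matching lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, ip, _detail = m.groups()
        found = lookup(ip, entries)
        if found:
            net, actor, augured = found
            hits.append((ts, ip, actor, str(net), augured.isoformat()))
    return hits


if __name__ == "__main__":
    iocs = parse_ioc_rows(IOC_ROWS)
    for hit in scan_log(SAMPLE_LOG, iocs):
        print(hit)
```

The augured date is carried through to each match deliberately: many entries in these tables date from 2013 to 2019, and a hit on an indicator that old should be weighed against the possibility that the address space has since been reassigned, rather than treated as current attribution on its own.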

 

5.6 CyberAv3ngers (IRGC-CEC)

CyberAv3ngers, attributed to the IRGC Cyber and Electronic Command, has targeted industrial control systems in water treatment, gas distribution, and energy facilities. The IOControl backdoor, designed specifically for SCADA and ICS environments, represents a significant capability uplift relative to prior campaigns. CyberAv3ngers does not appear in the current platform prediction clusters, reflecting the specialized, limited-footprint nature of ICS-focused operations rather than inactivity.

5.7 Handala

Handala emerged in late 2023 and has conducted data exfiltration and wiper operations primarily targeting Israeli organizations. The group's operational patterns and targeting profile are assessed as consistent with MOIS direction or sponsorship, though direct attribution to a specific MOIS unit has not been publicly confirmed. Handala intensified activity in January and February 2026 and is assessed to be participating in the coordinated Iranian cyber response to the February 28 strikes. The group does not appear in the current platform prediction clusters.

On March 11, as part of the broader Iran-aligned cyber response, Handala Hack Team claimed responsibility for a destructive attack on the U.S. medical company Stryker. Using Microsoft Intune, the attackers were able to push mass wipe commands to company servers, email, and devices, with some reporting that personal devices were also wiped. Stryker confirmed the breach in public remarks the following day, revealing that the incident caused a global disruption to company operations, prosthetics shipping, and even some surgical procedures across the U.S. Handala framed the operation as retaliation for the strikes against Iran and cast Stryker as a "Zionist rooted corporation," with defacements referencing the company's Israeli ties through its 2019 OrthoSpace acquisition.

Despite the breach's scale, Augur assesses that this attack was likely the result of opportunistic infiltration. It appears better explained by available access and symbolic value than by a new campaign against core U.S. healthcare infrastructure.

6. Post-Strike Hacktivist Mobilization

The February 28 US-Israel strikes on Iran triggered a rapid expansion of Iranian-aligned hacktivist activity. An Electronic Operations Room was established within 24 hours of the strikes, providing centralized coordination for an estimated 60 or more hacktivist groups spanning Russia, Iran, and the wider Middle East. This structure mirrors the coordination mechanisms observed following the October 2023 escalation of the Gaza conflict.

Active groups in the immediate post-strike period include Cyber Fattah, Fatimiyoun Cyber Team, the Russian group NoName057, and affiliated collectives operating under Cotton Sandstorm coordination. Handala has also claimed multiple operations, and numerous others are claimed to be active, though none has been attributed apart from the Stryker intrusion. The group's targeting focus remains Israeli and US government, financial, and critical infrastructure organizations, with a secondary focus on Gulf states accused of facilitating the US/Israeli strikes.

Iranian national internet connectivity collapsed to 4 percent before falling further to 1 percent during the strike period, and it remains at roughly 1 percent at the time of this assessment. Disruption to domestic infrastructure has historically correlated with increased external cyber activity from Iranian state actors, but recent Iran-related cyber activity continues to stem from affiliates and ideological allies.

7. Malware and Tooling Reference

The following malware families are associated with Iranian actors and relevant to the infrastructure clusters documented in this report.

Malware | Actor | Function | Platform Evidence
BugSleep | MuddyWater | Backdoor, data exfil | Tagged in profiles 137113, 152131, 128727
MuddyC2Go | MuddyWater | C2 framework | Tagged in profile 18813
PhonyC2 | MuddyWater | Custom C2 framework | Tagged in profiles 62189, 18813
PowerStats / Powgoop | MuddyWater | PowerShell backdoor | Tagged in profiles 108388, 18813
MuddyViper / RustyWater | MuddyWater | Backdoor variants (2025) | OSINT only
DCHSpy | MuddyWater | Android surveillanceware | Tagged in profile 3931 (historical)
Dindoor | MuddyWater | JavaScript backdoor | Profile available on platform
IOControl | CyberAv3ngers | ICS/SCADA backdoor | OSINT only
WezRat | Cotton Sandstorm, APT35-linked cluster | Infostealer (2024-2026) | OSINT only
Tickler | Cotton Sandstorm, APT35-linked cluster | Multi-stage backdoor | Profile available on the platform
PowerLess | APT35 | PowerShell backdoor | OSINT only
BellaCiao | APT35 | Geolocating dropper | OSINT only
RDAT / Veaty | OilRig | Backdoor, exfil | OSINT only; Veaty tagged profile 18993
Ismdoor | OilRig | Backdoor | Tagged in profiles 88555, 77245, 51928
PrimeCache | BladedFeline, OilRig-linked cluster | RDAT-like backdoor | OSINT only
Whisper | BladedFeline, OilRig-linked cluster | Custom backdoor | OSINT only
Spearal | BladedFeline, OilRig-linked cluster | Persistence implant | OSINT only

The Augur Difference. Let Us Prove It To You.

Experience firsthand the benefits of preemptive cyber defense with a quick proof of value (POV). We can have you up and running in less than a day, and after 30 days, get an Augur report detailing:

  • Threats Augur identified
  • Advance warning timelines
  • Data-driven insight on alert reduction and improved SOC efficiency
