# Full Report
Following the joint military operation known as Operation Epic Fury, the Tenable Research Special Operations (RSO) team is providing an update regarding potential cyber counteroffensive operations conducted by Iran-linked threat actors.

**Key takeaways:**

- Following Operation Epic Fury, Iran-linked threat actors are expected to launch counteroffensive operations against critical infrastructure and opportunistic targets.
- Several Iran-linked threat groups, including the revived Altoufan Team and HANDALA, are affiliated with organizations such as the IRGC and MOIS.
- Review and patch the known vulnerabilities exploited by these threat actors and prepare for heightened DDoS and botnet activity in the near term.

## Background

On February 28, 2026, the United States and Israel launched Operation Epic Fury, a series of military operations against Iran. As a result, Iran-linked threat actors are expected to launch cyber counteroffensive operations against the United States, Israel and other countries. Critical infrastructure providers as well as other opportunistic targets are likely at risk.

## Analysis

Over the last several years, Iranian-nexus threat groups have shifted from stealthy espionage activity to destructive and retaliatory attacks as geopolitical tensions have risen. Wiper malware and ransomware attacks have ramped up in frequency and destructive capability as attackers have pivoted to targeting critical infrastructure, including in Western countries.

## Iranian Threat Actor Affiliations

Iranian state-sponsored cyber operations span multiple groups, from advanced persistent threat (APT) actors to hacktivist fronts linked to both military and civilian agencies. These groups operate under, or maintain ties to, the following organizations:

- **Islamic Revolutionary Guard Corps (IRGC):** Military-intelligence organization separate from Iran's regular armed forces
- **IRGC Intelligence Organization (IRGC-IO):** The intelligence arm within the IRGC, focused on surveillance and counterintelligence
- **IRGC Cyber-Electronic Command (IRGC-CEC):** The IRGC's dedicated cyberwarfare unit
- **Ministry of Intelligence and Security (MOIS):** Iran's civilian intelligence ministry, combining roles analogous to the CIA and FBI

| Group | Aliases | Affiliation | Operational Focus |
|---|---|---|---|
| Banished Kitten | Void Manticore, Red Sandstorm, Storm-0842, Dune | MOIS | Conducts destructive operations under hacktivist-style personas including HomeLand Justice, Karma, and HANDALA |
| CyberAv3ngers | - | IRGC-CEC | Targets operational technology (OT) and programmable logic controllers (PLCs) in water and wastewater systems |
| APT34 | OilRig, Helix Kitten, Hazel Sandstorm, Earth Simnavaz, COBALT GYPSY, Crambus, TA452, Evasive Serpens, ITG13 | MOIS | Exploits internet-facing infrastructure to conduct espionage against energy, telecommunications and government targets |
| MuddyWater | Mango Sandstorm, Static Kitten, Seedworm, Earth Vetala, MERCURY, TEMP.Zagros, TA450 | MOIS | Uses legitimate remote monitoring and management (RMM) tools to target telecommunications and government organizations |
| APT42 | Damselfly, UNC788, Yellow Garuda, CharmingCypress, Educated Manticore, Mint Sandstorm* | IRGC-IO | Harvests credentials from journalists, academics, activists and policy researchers through social engineering |
| Cotton Sandstorm | Haywire Kitten, Marnanbridge, NEPTUNIUM | IRGC-CEC | Conducts hack-and-leak campaigns and influence operations under personas including Altoufan Team |
| APT35 | Charming Kitten, Mint Sandstorm*, TA453, ITG18, Newscaster, COBALT ILLUSION, Agent Serpens | IRGC | Conducts espionage campaigns targeting government, defense and energy organizations |
| Pioneer Kitten | Fox Kitten, Lemon Sandstorm, UNC757, Parisite, RUBIDIUM, Br0k3r, xplfinder | IRGC | Exploits internet-facing devices and brokers access to ransomware affiliates |
| Agrius | Pink Sandstorm, Agonizing Serpens, AMERICIUM, BlackShadow, Spectral Kitten | MOIS | Deploys wiper malware disguised as ransomware against Israeli organizations |
| Imperial Kitten | Tortoiseshell, Crimson Sandstorm, TA456, Yellow Liderc, CURIUM | IRGC | Uses social engineering to target Israeli transportation and logistics organizations |
| CyberToufan | - | Unknown | Targets Israeli corporations with data theft and leak operations |

\* Note: Mint Sandstorm is a composite label spanning both APT35 and APT42.

## Recent reports of Iranian cyber-operations activity

Following the military operations on February 28, researchers have reported probing and staging activities linked to Iranian threat actors, including the revival of the ALTOUFAN TEAM persona tied to Cotton Sandstorm. There have been reports on social media from Iran government-linked hackers warning of “massive cyber attacks in the coming hours.” It’s unclear if successful attacks have taken place. Cyber analysts should expect increased botnet and distributed denial-of-service (DDoS) activity.

## Ongoing monitoring

Tenable’s RSO continues to monitor for new intelligence on counteroffensive attacks by Iran-linked threat actors. We will publish updates as these developments are confirmed.

## Identifying affected systems

Iranian threat actors have historically exploited known vulnerabilities in internet-facing devices and applications. A list of Tenable plugins for the vulnerabilities known to be associated with Iranian threat actors can be found here.

## Get more information

- Frequently Asked Questions About Iranian Cyber Operations
- Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
- Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
# Analysis Summary
The provided context details the expected cyber counteroffensive following "Operation Epic Fury." Since the request asks for summaries focused on specific threat actors mentioned in the table, I will synthesize the information for the groups explicitly listed: **Banished Kitten**, **CyberAv3ngers**, **APT34**, **MuddyWater**, **APT42**, **Cotton Sandstorm**, **APT35**, **Pioneer Kitten**, **Agrius**, **Imperial Kitten**, and **CyberToufan**.
---
# Threat Actor: Banished Kitten (Void Manticore, Red Sandstorm, Storm-0842, Dune)
## Attribution & Identity
**Affiliation:** Ministry of Intelligence and Security (MOIS).
**Aliases:** Void Manticore, Red Sandstorm, Storm-0842, Dune.
## Activity Summary
Expected to participate in cyber counteroffensive operations following Operation Epic Fury. Like the other Iranian-nexus groups described in the report, this actor has shifted toward destructive and retaliatory attacks and away from stealthy espionage.
## Tactics, Techniques & Procedures
The source table describes destructive operations conducted under hacktivist-style personas, including HomeLand Justice, Karma and HANDALA. The broader report also notes a shift toward wiper malware and ransomware attacks against critical infrastructure.
## Targeting
**Sectors:** Critical infrastructure (general expectation).
**Geography:** United States, Israel, and other countries potentially targeted in the counteroffensive.
**Victims:** Opportunistic targets are likely at risk.
## Tools & Infrastructure
No specific tools or infrastructure mentioned in the summary section for this actor.
## Implications
A heightened threat level due to their alignment with MOIS and tendency toward destructive outcomes.
## Mitigations
Review and patch known vulnerabilities exploited by Iranian threat actors. Prepare for heightened DDoS and botnet activity.
---
# Threat Actor: CyberAv3ngers
## Attribution & Identity
**Affiliation:** Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).
**Aliases:** None explicitly listed beyond the primary name.
## Activity Summary
Expected to participate in cyber counteroffensive operations.
## Tactics, Techniques & Procedures
Targets Operational Technology (OT) and Programmable Logic Controllers (PLCs).
## Targeting
**Sectors:** Water and wastewater systems (OT/ICS).
**Geography:** Not specified, but implied targets are US/Israel/allies.
**Victims:** Critical infrastructure providers.
## Tools & Infrastructure
No specific tools or infrastructure mentioned in the summary section for this actor.
## Implications
Direct threat to operational continuity of critical infrastructure components (PLCs).
## Mitigations
Review and patch known vulnerabilities exploited by Iranian threat actors. Prepare for heightened DDoS and botnet activity.
---
# Threat Actor: APT34 (OilRig, Helix Kitten, Hazel Sandstorm, Earth Simnavaz, COBALT GYPSY, Crambus, TA452, Evasive Serpens, ITG13)
## Attribution & Identity
**Affiliation:** Ministry of Intelligence and Security (MOIS).
**Aliases:** OilRig, Helix Kitten, Hazel Sandstorm, Earth Simnavaz, COBALT GYPSY, Crambus, TA452, Evasive Serpens, ITG13.
## Activity Summary
Expected to participate in cyber counteroffensive operations. Historically focuses on exploitation of internet-facing infrastructure for espionage.
## Tactics, Techniques & Procedures
Exploits internet-facing infrastructure.
## Targeting
**Sectors:** Energy, telecommunications, government targets.
**Geography:** Not specified, but a focus on the US, Israel and allied countries is implied.
**Victims:** Government entities and critical sectors.
## Tools & Infrastructure
No specific tools or infrastructure mentioned in the summary section for this actor.
## Implications
Espionage activities may continue concurrent with destructive counteroffensive actions.
## Mitigations
Review and patch known vulnerabilities exploited by Iranian threat actors. Prepare for heightened DDoS and botnet activity.
---
# Threat Actor: MuddyWater (Mango Sandstorm, Static Kitten, Seedworm, Earth Vetala, MERCURY, TEMP.Zagros, TA450)
## Attribution & Identity
**Affiliation:** Ministry of Intelligence and Security (MOIS).
**Aliases:** Mango Sandstorm, Static Kitten, Seedworm, Earth Vetala, MERCURY, TEMP.Zagros, TA450.
## Activity Summary
Expected to participate in cyber counteroffensive operations. Historically leverages legitimate tools for access.
## Tactics, Techniques & Procedures
Uses legitimate Remote Monitoring and Management (RMM) tools to maintain persistence or execute actions.
## Targeting
**Sectors:** Telecommunications and government organizations.
**Geography:** Not specified.
**Victims:** Government and telecom entities.
## Tools & Infrastructure
Legitimate RMM tools (specific names not provided).
## Implications
Attacks may blend in with legitimate administrative traffic due to RMM tool usage.
## Mitigations
Review and patch known vulnerabilities exploited by Iranian threat actors. Prepare for heightened DDoS and botnet activity.
---
# Threat Actor: APT42 (Damselfly, UNC788, Yellow Garuda, CharmingCypress, Educated Manticore, Mint Sandstorm*)
## Attribution & Identity
**Affiliation:** IRGC Intelligence Organization (IRGC-IO).
**Aliases:** Damselfly, UNC788, Yellow Garuda, CharmingCypress, Educated Manticore, Mint Sandstorm* (*Note: Mint Sandstorm is a composite label spanning APT35 and APT42).
## Activity Summary
Expected to participate in cyber counteroffensive operations. Focuses heavily on data harvesting via social engineering.
## Tactics, Techniques & Procedures
Harvests credentials through social engineering tactics.
## Targeting
**Sectors:** Journalists, academics, activists, and policy researchers.
**Geography:** Not specified.
**Victims:** Individuals in sensitive research or policy roles.
## Tools & Infrastructure
No specific tools or infrastructure mentioned in the summary section for this actor.
## Implications
Risk of insider knowledge compromise or influence operations targeting key individuals.
## Mitigations
Review and patch known vulnerabilities exploited by Iranian threat actors. Prepare for heightened DDoS and botnet activity.
---
# Threat Actor: Cotton Sandstorm (Haywire Kitten, Marnanbridge, NEPTUNIUM)
## Attribution & Identity
**Affiliation:** IRGC Cyber-Electronic Command (IRGC-CEC).
**Aliases:** Haywire Kitten, Marnanbridge, NEPTUNIUM. Associated recently with the revival of **Altoufan Team**.
## Activity Summary
Reports indicate recent probing and staging activity linked to this group, specifically the revival of the **ALTOUFAN TEAM** persona. Separately, Iran government-linked hackers have warned on social media of “massive cyber attacks in the coming hours”; it is unclear whether successful attacks have taken place.
## Tactics, Techniques & Procedures
Conducts hack-and-leak campaigns and influence operations. The recently reported probing and staging activity suggests preparation for near-term attacks.
## Targeting
**Sectors:** General targets expected for counteroffensive.
**Geography:** Global threat to US/Israel/allies.
**Victims:** Opportunistic targets, potential high-profile entities related to the geopolitical event.
## Tools & Infrastructure
The **ALTOUFAN TEAM** persona is linked to this group.
## Implications
Highest immediate threat level due to recent public warnings and observed staging activities.
## Mitigations
Review and patch known vulnerabilities exploited by Iranian threat actors. Prepare for heightened DDoS and botnet activity.
---
# Threat Actor: APT35 (Charming Kitten, Mint Sandstorm*, TA453, ITG18, Newscaster, COBALT ILLUSION, Agent Serpens)
## Attribution & Identity
**Affiliation:** Islamic Revolutionary Guard Corps (IRGC).
**Aliases:** Charming Kitten, Mint Sandstorm* (*Composite label, also overlaps with APT42), TA453, ITG18, Newscaster, COBALT ILLUSION, Agent Serpens.
## Activity Summary
Expected to participate in cyber counteroffensive operations. Focuses on espionage campaigns.
## Tactics, Techniques & Procedures
Conducts broad espionage campaigns.
## Targeting
**Sectors:** Government, defense, and energy organizations.
**Geography:** Not specified.
**Victims:** State-level entities and defense contractors.
## Tools & Infrastructure
No specific tools or infrastructure mentioned in the summary section for this actor.
## Implications
Sustained intelligence gathering against sensitive sectors may persist.
## Mitigations
Review and patch known vulnerabilities exploited by Iranian threat actors. Prepare for heightened DDoS and botnet activity.
---
# Threat Actor: Pioneer Kitten (Fox Kitten, Lemon Sandstorm, UNC757, Parisite, RUBIDIUM, Br0k3r, xplfinder)
## Attribution & Identity
**Affiliation:** Islamic Revolutionary Guard Corps (IRGC).
**Aliases:** Fox Kitten, Lemon Sandstorm, UNC757, Parisite, RUBIDIUM, Br0k3r, xplfinder.
## Activity Summary
Expected to participate in cyber counteroffensive operations. Notably brokers access to ransomware affiliates.
## Tactics, Techniques & Procedures
Exploits internet-facing devices and brokers access to ransomware affiliates.
## Targeting
**Sectors:** Organizations with vulnerable internet-facing entry points.
**Geography:** Not specified.
**Victims:** Entities that serve as entry points for subsequent ransomware campaigns.
## Tools & Infrastructure
No specific tools or infrastructure mentioned in the summary section for this actor.
## Implications
Increased risk of destructive secondary attacks (ransomware) on targeted or accessed victims.
## Mitigations
Review and patch known vulnerabilities exploited by Iranian threat actors, particularly those in internet-facing devices. Prepare for heightened DDoS and botnet activity.
---
# Threat Actor: Agrius (Pink Sandstorm, Agonizing Serpens, AMERICIUM, BlackShadow, Spectral Kitten)
## Attribution & Identity
**Affiliation:** Ministry of Intelligence and Security (MOIS).
**Aliases:** Pink Sandstorm, Agonizing Serpens, AMERICIUM, BlackShadow, Spectral Kitten.
## Activity Summary
Expected to participate in cyber counteroffensive operations. The group is known for deploying wiper malware disguised as ransomware.
## Tactics, Techniques & Procedures
Deploys wiper malware that is often disguised as ransomware.
## Targeting
**Sectors:** Organizations associated with Israel.
**Geography:** Israel (specific mention).
**Victims:** Israeli organizations.
## Tools & Infrastructure
Wiper malware designed to look like ransomware.
## Implications
High likelihood of destructive attacks aimed at data destruction rather than financial gain, directed at specific geopolitical adversaries.
## Mitigations
Review and patch known vulnerabilities exploited by Iranian threat actors. Prepare for heightened DDoS and botnet activity.
---
# Threat Actor: Imperial Kitten (Tortoiseshell, Crimson Sandstorm, TA456, Yellow Liderc, CURIUM)
## Attribution & Identity
**Affiliation:** Islamic Revolutionary Guard Corps (IRGC).
**Aliases:** Tortoiseshell, Crimson Sandstorm, TA456, Yellow Liderc, CURIUM.
## Activity Summary
Expected to participate in cyber counteroffensive operations. Focuses on targeted social engineering.
## Tactics, Techniques & Procedures
Uses social engineering tactics for initial access.
## Targeting
**Sectors:** Transportation and logistics organizations.
**Geography:** Israel (specific mention).
**Victims:** Israeli transportation and logistics organizations.
## Tools & Infrastructure
No specific tools or infrastructure mentioned in the summary section for this actor.
## Implications
Risk of disruption to physical supply chains and logistics operations.
## Mitigations
Review and patch known vulnerabilities exploited by Iranian threat actors. Prepare for heightened DDoS and botnet activity.
---
# Threat Actor: CyberToufan
## Attribution & Identity
**Affiliation:** Unknown (per the source table).
**Aliases:** None listed.
## Activity Summary
Expected to participate in cyber counteroffensive operations. Focuses on stealing and leaking data.
## Tactics, Techniques & Procedures
Data theft and subsequent leak operations.
## Targeting
**Sectors:** Corporations.
**Geography:** Israel (specific mention).
**Victims:** Israeli corporations.
## Tools & Infrastructure
No specific tools or infrastructure mentioned in the summary section for this actor.
## Implications
Risk of reputational damage and national security data exposure through leaks.
## Mitigations
Review and patch known vulnerabilities exploited by Iranian threat actors. Prepare for heightened DDoS and botnet activity.
---
### General Implications and Mitigations (Applicable to all listed actors):
**Implications:** Iran-linked threat actors are pivoting toward **destructive and retaliatory attacks** targeting critical infrastructure in the US, Israel, and allied nations following Operation Epic Fury. Expect **heightened DDoS and botnet activity** in the near term.
**Mitigations:**
1. **Review and patch known vulnerabilities** exploited by Iranian threat actors (specific plugins provided by Tenable are noted in the source article).
2. Prepare for immediate defensive postures against **DDoS and botnet activity**.
3. Monitor closely, as several groups (like Cotton Sandstorm/Altoufan Team) have issued public warnings preceding potential attacks.