The ongoing conflict involving Iran, Israel, and the U.S. has significantly increased the risk of cyberattacks by Iranian-backed groups and hacktivists targeting geopolitical adversaries through destructive operations, espionage, and influence campaigns. Unit 42 tracks multiple Iranian threat groups employing tactics such as spear phishing, exploitation of vulnerabilities, and AI-enhanced social engineering to conduct espionage and disruptive attacks globally. #AgentSerpens #AgonizingSerpens #GenerativeAI #IranianCyberOperations
Key Points
- The conflict involving Iran has elevated the risk of cyber spillover, with Iranian state-sponsored groups and hacktivists potentially increasing cyber operations to disrupt, gather intelligence, or influence adversaries.
- Iranian threat actors have historically targeted critical infrastructure and sensitive industries worldwide, conducting destructive attacks, data exfiltration, and wiper malware deployment.
- Unit 42 observed Iranian groups leveraging generative AI for social engineering and influence operations as part of their expanding global cyber activities.
- Key Iranian threat groups tracked include Agent Serpens, Agonizing Serpens, Boggy Serpens, Devious Serpens, Evasive Serpens, and Industrial Serpens, each using varied tactics such as spear phishing, credential harvesting, password attacks, and exploitation of vulnerabilities.
- Current cyberattacks related to the conflict primarily involve DDoS and destructive malware targeting regional and global high-value targets, including Israeli sectors and U.S.-related organizations.
- Hacktivists and cybercriminal groups are actively exploiting the geopolitical tensions for disruptive and phishing campaigns, while potential false-flag operations may disguise origins of attacks.
- Recommended defenses include multi-layered security, patch management, employee training on phishing, incident response readiness, and continuous monitoring.
MITRE Techniques
- [T1566] Phishing – Iranian groups use spear-phishing emails for initial access; fake login pages for credential harvesting map to T1566.002 (Spearphishing Link), while lure documents map to T1566.001 (Spearphishing Attachment) (‘primarily spear phishing, including credential harvesting with fake login pages’).
- [T1190] Exploit Public-Facing Application / [T1505.003] Server Software Component: Web Shell – Exploitation of known vulnerabilities in internet-facing services, followed by web shell deployment for persistent access (‘exploitation of known vulnerabilities followed by deployment of web shells’). Note that T1203 (Exploitation for Client Execution) covers client-side exploits, not this server-side pattern.
- [T1583.001] Acquire Infrastructure: Domains / [T1189] Drive-by Compromise – Covert infrastructure posing as a legitimate organization, used as a watering hole to profile and collect intelligence on visitors (‘covert Iranian infrastructure impersonating a German modeling agency to conduct cyberespionage’).
- [T1485] Data Destruction / [T1561] Disk Wipe – Deployment of wiper malware to destroy systems and hinder forensic analysis (‘deployed wipers to destroy systems and hinder forensic analysis’). Wipers are destruction, not T1565 Data Manipulation, which covers covert alteration of data the victim continues to rely on.
- [T1498] Network Denial of Service – DDoS attacks that disrupt internet access as part of disruptive and influence operations (‘majority of reported cyberattacks related to this event are intentionally disruptive denial-of-service (DoS) attacks’). T1499 (Endpoint Denial of Service) applies to exhausting a single host or application rather than network capacity.
- [T1204.002] User Execution: Malicious File – Social engineering that relies on the target opening a lure document, here a GenAI-assisted malicious PDF (‘Agent Serpens using GenAI in a malicious PDF’).
- [T1036] Masquerading – Lure documents disguised as material from trusted institutions to lower the target's suspicion (‘malicious PDF masked as a document from RAND’).
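The exploitation-then-web-shell pattern above is one a defender can hunt for in ordinary web server logs without any sample of the shell itself: a server-side script path the application does not own, answering 2xx to POSTs from a scripted client with no referer. The detector below is an added example written for this page, not code from Unit 42 or from the report; the log lines, the baseline of known endpoints and the scoring thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Apache/nginx "combined" log format. The sample lines further down are
# constructed for this example; they are not indicators from the report.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Server-side script extensions commonly used for web shells.
SCRIPT_EXTS = (".php", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx")
# User agents typical of operator tooling rather than browsers.
SCRIPTED_UAS = ("python-requests", "curl/", "go-http-client", "java/")

# Hypothetical baseline of endpoints the application legitimately exposes.
# In practice this comes from the deployment manifest or a clean log period.
KNOWN_ENDPOINTS = {"/login.php", "/index.php", "/api/search.php"}


@dataclass
class Finding:
    src_ip: str
    path: str
    hits: int          # number of successful requests to the path
    score: int         # number of distinct suspicious traits observed
    reasons: tuple


def score_request(method, path, referer, ua):
    """Return the list of suspicious traits a single request exhibits."""
    reasons = []
    base = path.split("?", 1)[0]
    if base.lower().endswith(SCRIPT_EXTS) and base not in KNOWN_ENDPOINTS:
        reasons.append("unknown script path")
    if method == "POST":
        reasons.append("POST")
    if referer in ("", "-"):
        reasons.append("no referer")
    if ua.lower().startswith(SCRIPTED_UAS):
        reasons.append("scripted client")
    return reasons


def find_webshell_candidates(lines, threshold=3):
    """Aggregate traits per (source IP, script path) and flag pairs at or above threshold."""
    agg = defaultdict(lambda: {"hits": 0, "reasons": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # A 404 to an unknown script is a probe, not evidence a shell was dropped.
        if not m["status"].startswith("2"):
            continue
        reasons = score_request(m["method"], m["path"], m["referer"], m["ua"])
        if "unknown script path" not in reasons:
            continue  # paths the application owns are out of scope here
        entry = agg[(m["ip"], m["path"].split("?", 1)[0])]
        entry["hits"] += 1
        entry["reasons"].update(reasons)
    findings = [
        Finding(ip, path, e["hits"], len(e["reasons"]), tuple(sorted(e["reasons"])))
        for (ip, path), e in agg.items()
        if len(e["reasons"]) >= threshold
    ]
    return sorted(findings, key=lambda f: (-f.score, f.path))


# Constructed sample log: one legitimate user, one operator driving a dropped shell,
# and one 404 probe that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2025:10:01:02 +0000] "POST /login.php HTTP/1.1" 200 512 "https://app.example.com/" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Jun/2025:10:03:17 +0000] "GET /images/cmd.aspx HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.23 - - [12/Jun/2025:10:03:19 +0000] "POST /images/cmd.aspx HTTP/1.1" 200 1402 "-" "python-requests/2.31"',
    '192.0.2.77 - - [12/Jun/2025:10:05:40 +0000] "GET /uploads/old.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jun/2025:10:06:01 +0000] "GET /api/search.php?q=report HTTP/1.1" 200 2048 "https://app.example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_webshell_candidates(SAMPLE_LOG):
        print(f"{f.src_ip} -> {f.path}: {f.hits} hits, score {f.score}, traits {f.reasons}")
```

The baseline of known endpoints does the real work: a script path that the application never shipped is the strongest single signal, and the other traits only raise confidence. Run against live logs, the output is a triage list, not a verdict; the next step is to pull the file at that path and check its creation time against the exploitation attempts that preceded it.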
Indicators of Compromise
- [File Hashes] Samples of the destructive malware and wipers used against Israeli sectors and in the crypto exchange breach. The source report lists the hashes; none are reproduced in this summary.
- [Domains] Fake websites impersonating legitimate organizations, including the German modeling agency impersonation used for cyberespionage. The domains are given in the source report, not here.
- [File Names] Malicious PDFs used in GenAI-assisted social engineering, including the lure masked as a RAND document that accompanied targeted malware deployment.
- [Attack Types] Activity patterns rather than atomic indicators: DDoS affecting internet access for U.S. interests and regional adversaries, and destructive attacks on critical infrastructure and the education sector.
Read more: https://unit42.paloaltonetworks.com/iranian-cyberattacks-2025/