Cotton Sandstorm
Cotton Sandstorm is an Iranian threat actor affiliated with the Islamic Revolutionary Guard Corps; multiple sources describe it as operating under, or affiliated with, the IRGC Cyber-Electronic Command (IRGC-CEC). It is also identified as Emennet Pasargad and has been referred to by the U.S. government as Shahid Shushtari. Reported aliases include Haywire Kitten, Marnanbridge, Neptunium, Aria Sepehr Ayandehsazan, Ayandeh Sazan Sepehr Arya, Eeleyanet Gostar, Net Peygard Samavat Company, and Vice Leaker; some reporting also refers to Emennet Pasargad as Anzu Team or Holy Souls.

The group has conducted both intrusion activity and cyber-enabled influence operations. It was sanctioned for interfering in the 2020 U.S. presidential election, where it stole confidential voter information and sent threatening emails while posing as far-right extremists. Microsoft reporting cited here describes this as a cyber-enabled influence operation in which the group spoofed the Proud Boys and used its access to voter registries to lend credibility to the narrative.

U.S. officials and later reporting state that the group has targeted critical infrastructure and sectors including news, shipping, travel, energy, financial services, and telecommunications across the United States, Europe, and the Middle East. Countries explicitly named as targets include Israel, France, and Sweden. Recent reporting describes sustained operations against Israel and regional targets, including hack-and-leak and influence activity under personas such as Altoufan Team; the group revived that persona to claim website hacks in Bahrain and has been described as running hack-and-leak campaigns and influence operations under it.
Check Point Research reported that Cotton Sandstorm pre-positioned access before the February 28 strikes and deployed the WezRat modular information stealer, in some cases followed by WhiteLock ransomware, including against Israeli targets. The reporting summarized here also states that Cotton Sandstorm deployed WezRat and WhiteLock for hack-and-leak amplification.

The group has also been linked to operations in Europe. Emennet Pasargad was sanctioned by the EU in 2026 for malicious cyber activity, including the 2023 theft of Charlie Hebdo subscriber data, the compromise of a French display provider during the Summer Olympics, the hijacking of advertising billboards during the 2024 Paris Olympic Games to display propaganda, and the compromise of a Swedish SMS service. Microsoft tracked Emennet Pasargad as Neptunium and described it as an Iranian nation-state actor.

Tradecraft directly mentioned in the cited reporting includes spear-phishing, phishing and malware delivery, broad reconnaissance, targeted intrusion activity, use of false-flag personas, and delivery of DNSpionage malware via spear-phishing and exploitation of Microsoft Exchange vulnerabilities. The group is also described as maintaining a fairly consistent pace of phishing and malware delivery activity since 2020. Known personas and fronts include Altoufan Team and multiple front-company names used over time, including Emennet Pasargad, Aria Sepehr Ayandehsazan, Ayandeh Sazan Sepehr Arya, Eeleyanet Gostar, and Net Peygard Samavat Company.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- IR
Tradecraft
17 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Threat actor engaged in pre-positioning activity before the strikes, deploying WezRat and WhiteLock.
Identified as one of several Iranian threat groups showing elevated activity around the period following the U.S.-Israel strikes.
Actor using malware and persona-driven hack-and-leak amplification operations.
Conducted destabilization and data theft operations, including attacks against Charlie Hebdo subscribers, compromise of digital billboards to spread disinformation during the Paris 2024 Olympics, and infiltration of an SMS service in Sweden affecting thousands of citizens.