Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors

Iran

Also known asiran

Iran is identified as a significant cyber threat actor targeting the United States, alongside China, Russia, and North Korea. Iranian cyber operations are considered a persistent threat to U.S. national security and critical infrastructure. While the provided content does not detail specific tactics, techniques, or procedures (TTPs) used by Iranian actors, it is clear that Iran is grouped with other nation-state adversaries known for exploiting well-known software vulnerabilities and targeting critical infrastructure. There is no mention of specific Iranian sub-groups or aliases in the provided content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

36 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics43 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
5 techniques
T1589×4
Gather Victim Identity Information
T1590
Gather Victim Network Information
T1591
Gather Victim Org Information
T1592×2
Gather Victim Host Information
T1595×5
Active Scanning
TA0042
Resource Development
6 techniques
T1583×3
Acquire Infrastructure
T1583.001
Domains
T1584×2
Compromise Infrastructure
T1585×7
Establish Accounts
T1586×2
Compromise Accounts
T1587×2
Develop Capabilities
T1587.001×2
Malware
T1588
Obtain Capabilities
T1588.005
Exploits
TA0001
Initial Access
5 techniques
T1078×2
Valid Accounts
T1078.004
Cloud Accounts
T1190×3
Exploit Public-Facing Application
T1195
Supply Chain Compromise
T1199
Trusted Relationship
T1566×9
Phishing
T1566.001×2
Spearphishing Attachment
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
TA0003
Persistence
1 technique
T1078×2
Valid Accounts
T1078.004
Cloud Accounts
TA0004
Privilege Escalation
1 technique
T1078×2
Valid Accounts
T1078.004
Cloud Accounts
TA0005
Stealth
3 techniques
T1036×2
Masquerading
T1078×2
Valid Accounts
T1078.004
Cloud Accounts
T1218
System Binary Proxy Execution
TA0006
Credential Access
1 technique
T1110
Brute Force
T1110.003
Password Spraying
TA0007
Discovery
2 techniques
T1046
Network Service Discovery
T1654×3
Log Enumeration
TA0009
Collection
3 techniques
T1119×2
Automated Collection
T1125
Video Capture
T1213×3
Data from Information Repositories
TA0010
Exfiltration
1 technique
T1567
Exfiltration Over Web Service
TA0040
Impact
5 techniques
T1485×3
Data Destruction
T1489×2
Service Stop
T1498×4
Network Denial of Service
T1565
Data Manipulation
T1657
Financial Theft
ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping36

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.