Mallory | Malware | Used by 2 actors

WezRat

WezRat is a custom, purpose-built modular information stealer associated with the Iranian threat actor Emennet Pasargad, also tracked as Cotton Sandstorm and Haywire Kitten. The reporting cited on this page states that the group routinely delivers WezRat via spearphishing campaigns masquerading as urgent software updates, and that it was deployed in intrusions in the months leading up to the February 28, 2026 conflict escalation. Check Point Research is cited as assessing that Cotton Sandstorm pre-positioned WezRat before the strikes, and that the malware was used alongside the Altoufan persona for hack-and-leak amplification. The same reporting states that WezRat has in some cases been followed by deployment of WhiteLock ransomware, including activity specifically described against Israeli targets. High-confidence context in the source material links WezRat to Iranian influence and intrusion operations targeting Israel and other countries in the Middle East, with Emennet Pasargad also described as conducting operations against the U.S., France, and Sweden. No file hashes, domains, or other concrete IOCs for WezRat are provided in the cited content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Cotton Sandstorm

Cotton Sandstorm deployed WezRat and WhiteLock alongside the Altoufan persona for hack-and-leak amplification.

via centripetal threat research (centripetal.ai)
Handala

...‘WhiteLock’ ransomware, deployed after WezRat infostealer.

via checkpoint research blog (research.checkpoint.com)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1190 Exploit Public-Facing Application (evidence: 1)

“pivoting to exploit zero-day vulnerabilities in industrial time-management software…” and “identify and exploit public-facing applications at scale.”

T1566 Phishing (evidence: 1)

In recent years, Iranian-linked threat actors have commonly used phishing (T1566) as the primary vector for initial access.

T1566.001 Spearphishing Attachment (evidence: 1)

"WezRat, a custom modular infostealer delivered via spearphishing campaigns that masquerade as urgent software updates"

Stealth

2 techniques
T1036 Masquerading (evidence: 1)

Defense evasion has remained a critical phase, where threat actors employ multiple obfuscation techniques (T1140) and masquerading (T1036) to bypass security controls.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

“…employ multiple obfuscation techniques (T1140)…” and references to obfuscated delivery chains / packed payloads.

Credential Access

4 techniques
T1056.001 Keylogging (evidence: 1)

The backdoor's capabilities span keylogging, screen capture, browser credential and session cookie theft

T1539 Steal Web Session Cookie (evidence: 1)

browser credential and session cookie theft

T1555 Credentials from Password Stores (evidence: 1)

"WezRat, a custom modular infostealer..."

T1555.003 Credentials from Web Browsers (evidence: 1)

During the credential access phase, Iranian-linked attackers have prioritized stealing credentials from web browsers (T1555.003)

Collection

2 techniques
T1056.001 Keylogging (evidence: 1)

The backdoor's capabilities span keylogging, screen capture, browser credential and session cookie theft

T1113 Screen Capture (evidence: 1)

The backdoor's capabilities span keylogging, screen capture, browser credential and session cookie theft

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

and on exfiltration over C2 channel (T1041) to maintain communication.

Impact

1 technique
T1486 Data Encrypted for Impact (evidence: 1)

“attacks using ‘WhiteLock’ ransomware, deployed after WezRat infostealer.”

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (12)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.