
Inside the Digital Shadows: Meet the 3 Most Notorious Iranian Hacker Groups

Few countries have embraced cyber warfare with the boldness and skill of Iran. Despite its relatively small size and modest resources compared to cyber superpowers like the U.S., Russia and China, the Islamic Republic has emerged as a formidable digital adversary over the past decade.

Iran's interest in hacking dates back to the late 1990s, but it was the discovery of the Stuxnet worm in 2010 that truly galvanized the regime. This sophisticated cyber weapon, reportedly a joint American-Israeli project, targeted Iran's nuclear facilities and caused significant damage. For Iran's leaders, Stuxnet was a wake-up call about the power of code as a tool for geopolitical combat.

In the years since, Iran has steadily built up its own cyber arsenal, assembling an army of skilled hackers to project power, defend the regime, and strike back at its enemies. While the government officially denies involvement, cybersecurity experts have pieced together compelling evidence tying some of the most active hacking groups to Iran's military and intelligence services.

Today, Iranian hackers are among the most prolific and capable in the world. They routinely target government agencies, critical infrastructure, major corporations, and dissidents, both inside Iran and around the globe. Any organization caught in the crosshairs of Iran's digital warriors faces a serious threat.

So who are these shadowy figures lurking behind screens in Tehran? Let's uncover three of the most notorious Iranian hacker groups striking fear into network defenders everywhere.

Charming Kitten: The Social Engineers

Better known by its industry designations APT35 or Phosphorus, Charming Kitten is one of Iran's premier hacking units. Active since at least 2014, this group specializes in social engineering, crafting persuasive spearphishing emails and building fake social media profiles to lure victims into compromising their accounts and devices.

Charming Kitten often goes after individuals rather than organizations, meticulously researching targets' personal and professional lives to tailor convincing phishing lures. The group has a particular interest in academics, journalists, human rights activists, and expatriate Iranians—anyone perceived as a threat to the regime. In one infamous case, they created a fake online persona claiming to be a reporter for the Atlantic magazine, even conducting a phone interview with their target to build trust before sending malware.

Technically, Charming Kitten tends to favor off-the-shelf malware and dual-use tools, many of which are available on hacking forums and GitHub. The group has used malware like Pickpocket for stealing files, Glimpse for screen capture, and PupyRAT for remote access. They are also fond of signing their malware with stolen certificates, making it appear legitimate.

Some of Charming Kitten's most ambitious hacking campaigns to date include:

  • A years-long effort to compromise email accounts of U.S. government officials, nuclear scientists, and Iran policy experts that was uncovered in 2015.
  • Hacking HBO and leaking unreleased episodes and scripts of popular shows like Game of Thrones in 2017, possibly in retaliation for a show called Tehran about an Israeli spy.
  • Posing as journalists and targeting attendees of the Munich Security Conference and similar events in 2020, including high-profile figures like the former U.S. Secretary of Homeland Security.

For all their skill at deception, Charming Kitten has made some sloppy mistakes over the years that allowed researchers to trace them back to Iran. In one case, a hacker accidentally logged into their own personal Facebook account while testing malware, revealing their identity. Another time, the group hosted malware on Iranian IP addresses. But these slip-ups haven't slowed them down, and Charming Kitten remains a serious threat.

APT33: The Wiper Wizards

First spotted by the firm FireEye in 2017, APT33 (aka Elfin or Refined Kitten) is another top-tier Iranian hacking group focused on cyber espionage and sabotage. The group has strong links to Iran's government, as evidenced by its use of a tool called TURNEDUP that was previously seen in Iranian state-sponsored attacks.

APT33 has a fearsome reputation for deploying data-destroying wiper malware in its hacks. Unlike normal malware that simply spies or causes mischief, wipers aim to wreak maximum havoc by permanently deleting files, crippling networks, and bricking devices.

One of APT33's weapons of choice is a wiper called Shamoon, which sprang to infamy in 2012 when it ravaged 35,000 computers at the Saudi oil giant Aramco. In 2017, a variant called Shamoon 2 resurfaced and struck several Saudi government agencies and businesses. Shamoon works by overwriting files and the master boot record of infected computers, rendering them unusable. The attacks caused massive disruption and necessitated the replacement of thousands of machines.

Another wiper linked to APT33 is ZeroCleare, which was used against energy companies in the Middle East in 2019. Instead of targeting the master boot record, ZeroCleare deletes core Windows files and registry keys to make computers unbootable.

APT33 is mainly focused on gathering information and gaining footholds in networks related to the petrochemical, aerospace, and energy sectors. Their attacks usually start with password-spraying, a technique that tries a small set of default or common passwords against many accounts. Once inside a network, the group deploys custom backdoors like DROPSHOT for maintaining access.

Some of APT33's other exploits include:

  • Breaching a range of U.S. corporations and universities in a sprawling hacking campaign between 2015 and 2017, likely for the purposes of IP theft.
  • Using a tool called ALFASHELL to evade detection and establish remote desktop connections to targets.
  • Hacking VPN servers from Pulse Secure, Citrix, and Fortinet to gain access to companies' internal networks.

APT33‘s relentless assaults on industrial targets, coupled with its use of damaging wiper malware, make it an especially aggressive and worrying hacker group. As tensions remain high between Iran and rivals like Saudi Arabia and the U.S., APT33 will likely be a go-to team for retaliatory cyber strikes.

APT39: The Indefatigable Intruders

Uncovered by FireEye in 2019, APT39 (aka Chafer) is a slightly less sophisticated but highly active hacking group that nonetheless has pulled off some impressive feats. The group is known for its dogged persistence, often spending months or years continuously bombarding the same target until it finds a way in.

Unlike APT33 with its penchant for destruction, APT39 is more of a scalpel than a hammer. The group patiently focuses on stealthily infiltrating networks for the purposes of quiet espionage and data theft. APT39 primarily goes after the telecommunication and travel industries, which can provide valuable intelligence about the location and communications of persons of interest.

Rather than writing custom malware, APT39 typically relies on openly available hacking tools, security testing software, and native Windows utilities. These include Mimikatz for sniffing out credentials in system memory, Nmap for network scanning, and BITSAdmin for moving files. This makes the group's activities harder to differentiate from legitimate network traffic and system administration.

Once APT39 gains an initial foothold through techniques like SQL injection or password-spraying, the group employs tools like Nanocore, Netwire, and Remexi to maintain remote access. They use web shells and complex backdoors to establish multiple redundant access points, making them extremely difficult to kick out of a compromised network.
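Both APT33 and APT39 are described above as opening with password-spraying. As an added illustration (not code from the article or from any of the groups it profiles), the detection logic below runs over a constructed authentication log and separates the spray pattern (many accounts, one or two failures each, from one source) from ordinary single-account brute force, then lists the accounts that subsequently succeeded from the spraying source. The key=value log format, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the article). 203.0.113.7 tries one guess
# against many accounts (spray); 198.51.100.9 hammers one account (brute force);
# 192.0.2.44 is a user who mistyped once. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:03Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:05Z src=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:07Z src=203.0.113.7 user=dave result=FAIL
2024-03-01T10:00:09Z src=203.0.113.7 user=erin result=FAIL
2024-03-01T10:00:11Z src=203.0.113.7 user=frank result=SUCCESS
2024-03-01T10:01:00Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:01Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:02Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:03Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:04Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:02:00Z src=192.0.2.44 user=grace result=FAIL
2024-03-01T10:02:05Z src=192.0.2.44 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

def parse_log(text):
    """Parse key=value auth lines into (timestamp, src, user, result) tuples."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def detect_spray(events, min_users=5, max_per_user=2):
    """Return {src: sorted accounts} for sources whose failures are wide and
    shallow: at least min_users distinct accounts, none tried more than
    max_per_user times. Feed it one detection window (e.g. the last hour).
    One account hit many times is brute force, not a spray, and is not reported."""
    per_src = defaultdict(lambda: defaultdict(int))
    for _, src, user, result in events:
        if result == "FAIL":
            per_src[src][user] += 1
    return {
        src: sorted(users)
        for src, users in per_src.items()
        if len(users) >= min_users and max(users.values()) <= max_per_user
    }

def compromised_accounts(events, spray_sources):
    """Accounts that logged in successfully from a spraying source: the guess
    landed on them, so they are the first to reset and investigate."""
    return sorted({user for _, src, user, result in events
                   if result == "SUCCESS" and src in spray_sources})
```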

Here are a few of APT39's more notable operations:

  • Hacking a Middle Eastern telecom in early 2018, maintaining access for a full year, and exfiltrating hundreds of gigabytes of data.
  • Breaching government organizations across the Middle East in 2015-2016, including the Prime Minister's office in one country.
  • Targeting global travel reservation companies, likely to track the movements of Iranian dissidents and foreign government officials.

APT39 is proof that a group doesn't need to deploy zero-days or wield wipers to be an effective cyber espionage outfit. Through a combination of tried-and-true hacking techniques, publicly available tools, and sheer relentlessness, APT39 has quietly become a prolific collector of sensitive data for the Iranian regime.

The Future of Iranian Hacking

So what's next for Iran's infamous hackers? As the country faces waves of domestic unrest, international sanctions, and conflicts with rival states, Tehran will likely continue turning to shadowy groups like Charming Kitten, APT33, and APT39 as part of its asymmetric toolkit for defending the regime and projecting power.

Iran has so far been careful to avoid escalating its hacking too dramatically, perhaps fearing retaliation from superpowers like the U.S. But as new generations of Iranian cyber warriors come of age and geopolitical tensions remain high, there is always the risk of the country's digital soldiers going too far—an ill-timed attack on critical infrastructure or a leak of sensitive data could spiral into a tit-for-tat exchange of increasingly reckless hacks.

Even if Iran's hackers refrain from all-out cyber warfare, organizations around the world, especially those in government, defense, energy, and telecom, will need to remain vigilant against stealthy Iranian intrusions. As the three groups profiled here have shown, Iranian hackers have the patience, skills, and tools to penetrate even well-defended networks. And they'll only keep honing their techniques.

The digital shadows cast by Iran's hacker army have never been longer. And we're all caught in the darkness, whether we know it or not. Shining the light of awareness into these shadows and implementing robust defenses is the only way to keep the most notorious Iranian hackers at bay.