CYBER ADVERSARY DOSSIER

01Strategic Context: The Industrialization of Iranian State Cyber Capabilities

The evolution of the Islamic Republic of Iran's offensive cyber capabilities represents one of the most significant shifts in the modern asymmetric warfare landscape. Following the watershed Stuxnet event, the Iranian regime—specifically the Supreme Council of Cyberspace (SCC), the Islamic Revolutionary Guard Corps (IRGC), and the Ministry of Intelligence and Security (MOIS)—initiated a comprehensive doctrine of "active defense" that has since mutated into a persistent, global offensive posture.

Unlike the centralized military cyber commands typical of Western or Russian doctrines, the Iranian model is characterized by a high degree of fragmentation and privatization. The regime relies heavily on a "contractor ecosystem"—a network of ostensibly private technology firms that function as fronts or specialized vendors for state intelligence requirements.

Target Dossier: Key Contractor Ecosystem Operatives

Personal Identifiable Information (PII) for notable indicted operatives

WANTED

GHOLAMREZA RAFATNEJAD

Mabna Institute Founder

DOBMay 23, 1979

POBTabriz, Iran

ID137-582394-9

INDICTED MAR 2018

WANTED

EHSAN MOHAMMADI

Mabna Managing Director

DOBDec 25, 1980

POBTehran, Iran

ID006-718237-2

INDICTED MAR 2018

WANTED

BEHZAD MESRI

Net Peygard CEO / HBO Hacker

DOBAug 26, 1988

POBNaghadeh, Iran

INDICTED NOV 2017

WANTED

MOHAMMAD HOSEIN MUSA KAZEMI

Emennet Pasargad Operator

DOBJun 18, 1997

POBIran

ID0020372604

INDICTED NOV 2021

Click to go to next section →

02The Mabna Institute Cluster: Industrial-Scale Intellectual Property Theft

The Mabna Institute serves as the archetype of the IRGC contractor model, illustrating the seamless blend of state objectives and private criminal enterprise. Founded in 2013, the institute was established with the specific mandate of assisting Iranian universities and scientific organizations in circumventing international sanctions to access research and technology.

Through subsidiary websites such as "Megapaper" and "Gigapaper," the principals of Mabna sold access to stolen academic journals and credentials to Iranian students and institutions, effectively creating a secondary market for their espionage products.

2.1 Leadership and Management Cadre

Gholamreza Rafatnejad (Founding Member)

Rafatnejad is identified as the primary architect of the Mabna Institute's hacking infrastructure. His role extended beyond mere management; he actively organized the campaigns, managed the stolen credentials, and maintained the critical liaison with the IRGC.

Ehsan Mohammadi (Managing Director)

Serving as co-founder alongside Rafatnejad, Mohammadi functioned as the Managing Director of the institute. His responsibilities included handling the financial aspects of the operations and the commercialization of stolen data through the institute's front companies.

Abdollah Karima (Commercial Facilitator)

Karima represents the commercial nexus of the group, owning and operating "Falinoos Company," the corporate entity behind the "Megapaper" website.

2.2 Operational Personnel and Contractors

Mostafa Sadeghi (Hacker / Affiliate)

Sadeghi is noted as a prolific hacker within the network, personally responsible for compromising over 1,000 professor accounts.

Seyed Ali Mirkarimi (Hacker / Contractor)

Sajjad Tahmasebi (Contractor)

Abuzar Gohari Moqadam (Professor / Affiliate)

Mohammed Reza Sabahi (Contractor)

Roozbeh Sabahi (Contractor)

Click to go to next section →

03Rana Intelligence Computing Company (APT39): The Surveillance Apparatus

While the Mabna Institute focused on external intellectual property theft, Rana Intelligence Computing Company—tracked in the cybersecurity community as APT39, Chafer, or Cadelspy—functioned as the internal surveillance arm of the Ministry of Intelligence and Security (MOIS).

Rana's mandate was explicitly focused on the monitoring of Iranian citizens, dissidents, journalists, and refugees, as well as foreign travel and telecommunications firms.

The MOIS utilizes a "knowledge-based" recruitment strategy, turning top-tier computer science graduates into tools of state repression under the guise of legitimate employment.

04ITSecTeam and Mersad: The Financial Sector Aggressors

The ITSecTeam (Amn Pardazesh Kharazmi) and Mersad Company represent an earlier, yet foundational generation of IRGC contractors. They are infamous for Operation Ababil—the massive Distributed Denial of Service (DDoS) campaigns against the U.S. financial sector between 2011 and 2013.

4.1 ITSecTeam Personnel

Ahmad Fathi (Director)

Fathi was the leader of the ITSecTeam defendants and supervised the botnet operations.

Hamid Firoozi (Network Manager)

Firoozi is a particularly significant figure due to his role in procuring the servers used in the attacks and his specific intrusion into the Bowman Dam SCADA system in Rye, New York.

Amin Shokohi (Hacker)

Shokohi helped build the ITSecTeam botnet and created malware used in DDoS attacks. Crucially, Shokohi received credit towards his mandatory military service for his computer intrusion work.

4.2 Mersad Company Personnel

Mersad Company was founded by members of former hacktivist groups "Sun Army" and "Ashiyane Digital Security Team," illustrating the pipeline from "patriotic hacktivist" to state contractor.

Sadegh Ahmadzadegan (Co-Founder)

Omid Ghaffarinia (Co-Founder)

Nader Saedi (Employee)

Sina Keissar (Employee)

Click to go to next section →

05Emennet Pasargad (Charming Kitten): The Election Interference Nexus

The group tracked as Charming Kitten (also known as APT35 or Phosphorus) serves as a prime case study in the "burn and pivot" tactic utilized by Iranian cyber actors. Following the exposure and designation of Net Peygard Samavat Company in 2019, the group's leadership did not disband. Instead, they reformed under the name Emennet Pasargad to continue their operations.

This reconstituted entity was directly responsible for the attempted interference in the 2020 U.S. Presidential Election, utilizing threatening emails and disinformation campaigns.

5.1 Leadership and Continuity of Command

Mohammad Bagher Shirinkar (aka Mojtaba Tehrani)

Shirinkar serves as the critical continuity figure connecting the old Net Peygard Samavat entity to the new Emennet Pasargad.

5.2 The 2020 Election Interference Cell

Seyyed Mohammad Hosein Musa Kazemi (aka Hosein Zamani)

Sajjad Kashian (aka Kiarash Nabavi)

5.3 The Predecessor: Net Peygard Samavat

Behzad Mesri (aka "Skote Vahshat")

Mesri gained international notoriety for the hack and extortion attempt against HBO.

06The MuddyWater (MOIS) Nexus and Training Infrastructure

Intelligence analysis has revealed the internal workings of the MOIS cyber operations, specifically the group known as MuddyWater (also tracked as Static Kitten, Seedworm, and Yellow Nix).

6.1 Ravin Academy: The Training Ground

Ravin Academy is identified not merely as an educational institution but as an operational front for the MOIS. It trains individuals in offensive cyber techniques—such as malware analysis, penetration testing, and social engineering.

6.2 Identified MuddyWater Operators

Seyed Mojtaba Mostafavi

Mostafavi is a central figure who has been sanctioned. He co-founded Ravin Academy and is directly linked to the MuddyWater intrusion set. Prior to Ravin, he held the position of Chief Strategy Officer (CSO) at ArvanCloud (2015-2019).

Farzin Karimi (aka Farzin Karimi Mazlganchai)

Karimi is alleged to be a former leader of MuddyWater operations who transitioned into a training and mentorship role at Ravin Academy.

07Emerging Threats and Peripheral Nodes

Beyond the primary clusters of Mabna, Rana, and Emennet, the research identifies peripheral entities that support the broader cyber ecosystem of the regime.