Iranian Cyber Threat Actors
IRGC & MOIS Operatives
IRGC • MOIS • APT35 • RANA
January 2026: These actors are linked to the ongoing internet blackout and GPS jamming affecting 50,000+ Starlink terminals.
IRGC Cyber Ecosystem (2014–2026)
Forensic map of IRGC offensive cyber: contractor model, corporate fronts, operators, and cyber-kinetic convergence.
IRGC Cyber Dossier (2024–2026)
Full intelligence dossier on IRGC/MOIS cyber-kinetic convergence, Department 40 documents, and transnational repression networks.
Cyber Adversary PII Deep Dive
Identity resolution of Iranian state-sponsored cyber adversaries: Mabna Institute, Rana Intelligence (APT39), ITSecTeam, Mersad, and Emennet Pasargad.

Mohammad Najafloo
محمد نجف لو
Former senior official, Department 40 (IRGC external cyber operations)
Mohammad Reza Jafari Bandar-Abadi
محمدرضا جعفری بندرآبادی
Malware developer targeting dissidents - APT39/Chafer operative

Navid Nilchi
Cyberbannews operative, Shahid Kaveh cyber unit

Niloofar Bagheri
نیلوفر باقری
IRGC Commander - Head of Sister's Team (Aqiq/واحد خواهران) within Department 40
Mahmoud Mehri
محمود مهری
Social engineering and data collection specialist - APT39/Chafer operative
Mahdi Hejabi
مهدی حجابی
Network security operations specialist - APT39/Chafer operative
Abolfazl Hosseinpour Davoodi
ابوالفضل حسینپور داوودی
Social engineering operative - APT39/Chafer hacking expert

Mohammad Reza Basharat
محمدرضا بشارت
Network security and penetration testing specialist - APT39/Chafer

Seyyeed Hossein Raja
Senior network/security specialist at DSPRI
Mehrnush Rezali
APT35/Charming Kitten operative, Sisters Team member

Nader Saedi
نادر ساعدی
DDoS attack expert, Mersad employee, Former Sun Army member

Mostafa Sadeghi
مصطفی صادقی
Hacker for Mabna Institute / Silent Librarian APT - Compromised 1,000+ university professor accounts

Gholamreza Rafatnejad
غلامرضا رفعتنژاد
Founding member of Mabna Institute - Organized the hacking campaign

Ehsan Mohammadi
احسان محمدی
Founding member of Mabna Institute - Coordinated university breaches

Abdollah Karima
عبدالله کریما
Operator of Megapaper.ir and Gigapaper.ir - Sold stolen academic data

Seyed Ali Mirkarimi
سید علی میرکریمی
Mabna Institute contractor - Spearphishing specialist

Sajjad Tahmasebi
سجاد طهماسبی
Mabna Institute contractor - Network surveillance specialist

Roozbeh Sabahi
روزبه صباحی
Mabna Institute contractor - Credential organization

Mohammed Reza Sabahi
محمدرضا صباحی
Mabna Institute contractor - Created professor targeting lists

Abuzar Gohari Moqadam
ابوذر گوهری مقدم
Iranian professor - Exchanged stolen credentials with Mabna
Gholamreza Radmard Iranagh
غلامرضا رادمرد ایراناق
RANA Intelligence programmer - APT39/Chafer operative

Mohsen Raeisi Nafchi
محسن رئیسی نافچی
RANA Intelligence hacking expert - APT39/Chafer

Seyed Mohammad Ghaffariananberan
سید محمد غفاریان
RANA Intelligence manager - APT39/Chafer
Maysam Jalali
میثم جلالی
RANA Intelligence programmer - APT39/Chafer
Mohsen Noori
محسن نوری
RANA Intelligence operative - APT39/Chafer
Mostafa Sedaghati
مصطفی صداقتی
RANA Intelligence operative - APT39/Chafer

Abbas Rahrovi
عباس رهروی
Commander of Department 40 - IRGC Intelligence Division 1500 cyber operations chief
Mohammad Erfan Hamidi Aref
محمد عرفان حمیدی عارف
Department 40 - Infrastructure operations lead (Brothers Team/Pelak1)

Mahdi Sharifi
مهدی شریفی
Department 40 - Karaj Hacker Team (P8) Leader - Led Dubai Police breach

Vahid Molawi
وحید مولوی
Department 40 - Karaj Hacker Team (P8) core operator

Esmaeil Heydari
اسماعیل حیدری
Department 40 - Karaj Hacker Team (P8) core operator
Alireza Feizi
علیرضا فیضی
Department 40 - Karaj Hacker Team (P8) hacker

Amirhossein Aminnezhad
امیرحسین امیننژاد
Department 40 - Karaj Hacker Team (P8) hacker
Amirhossein Inanloo
امیرحسین اینانلو
Department 40 - Karaj Hacker Team (P8) hacker
Manoochehr Vosoughi Nayeri
منوچهر وثوقی نایری
IRGC Intelligence Organization authority - Front company official
Davood Ghanbari
داوود قنبری
Department 40 - Brothers Team (Pelak1) logistics

Masoud Jalili
مسعود جلیلی
IRGC/Basij cyber operative - 2024 US Election targeted hacking operation

Seyyed Ali Aghamiri
سید علی آقامیری
IRGC/Basij cyber operative - 2024 US Election targeted hacking operation

Yasar Balaghi
یاسر بلاغی
IRGC/Basij cyber operative - 2024 US Election targeted hacking operation (alias: Wool3n.H4t)
Ahmad Khazai
احمد خزایی
MOIS Deputy Head of Counterintelligence - Robert Levinson kidnapping
Mohammad Baseri
محمد باصری
MOIS Head of US Team - Robert Levinson kidnapping
Ali Larijani
علی لاریجانی
Secretary of Supreme National Security Council - Coordinator of Protest Crackdown
Mohammad Reza Hashemifar
محمدرضا هاشمیفر
Commander of Law Enforcement Forces - Lorestan Province
Nematollah Bagheri
نعمتالله باقری
IRGC Commander - Lorestan Province
Azizollah Maleki
عزیزالله ملکی
LEF Commander - Fars Province
Yadollah Buali
یدالله بوعلی
IRGC Commander - Fars Province
Mehdi Rashno
مهدی رشنو
Board Member - Nikan Pezhvak Aria Kish Company (Shadow Banking)
Bashir Abbaspour Qomi
بشیر عباسپور قمی
Board Member - Nikan Pezhvak Aria Kish Company (Shadow Banking)
Hamid Reza Khamer
حمیدرضا خامر
Board Member - Nikan Pezhvak Aria Kish Company (Shadow Banking)
Masoud Mahdavi Ardakani
مسعود مهدوی اردکانی
Chairman - Tejarat Hermes Energy Qeshm (Sanctions Evasion)
Masoud Shamani
مسعود شامانی
Director - Tejarat Hermes Energy Qeshm (Sanctions Evasion)
Akbar Givari
اکبر گیواری
Vice Chairman - Tejarat Hermes Energy Qeshm (Sanctions Evasion)
Mohammad Amin Aghamiri
محمدامین آقامیری
Architect of Absolute Digital Isolation - 2026 Internet Blackout
Mehdi SeifAbadi
مهدی سیفآبادی
Manager of Infrastructure Security Unit - Internet Shutdown Operations
Ali Hakim-Javadi
علی حکیمجوادی
Former Head of IT Organization - Architect of New Filtering Model
Mohammad Hossein Madadi
محمدحسین مددی
IT and Network Infrastructure Operative
Eisa Zarepour
عیسی زارعپور
Minister of Communications - Internet Shutdown Coordinator
Ahmad Vahidi
احمد وحیدی
Minister of Interior - Oversees Law Enforcement Forces
Hossein Sajedinia
حسین ساجدینیا
Deputy Operations Commander - Law Enforcement Forces
Yadollah Javani
یدالله جوانی
Deputy Political Commander - IRGC
Vahid Mohammad Naser Majid
وحید محمد ناصر مجید
Head of Iranian Cyber Police (FATA)
Hossein Nejat
حسین نژات
IRGC Commander - Head of Sarallah (Tehran Security)
Hossein Rahimi
حسین رحیمی
Law Enforcement Forces Police Chief - Tehran

Ahmad Fathi
احمد فتحی
ITSecTeam Leader - Managed DDoS infrastructure against US financial sector

Hamid Firoozi
حمید فیروزی
ITSecTeam - Bowman Dam SCADA infrastructure attacker

Amin Shokohi
امین شکوهی
ITSecTeam - Botnet developer and DDoS specialist

Sadegh Ahmadzadegan
صادق احمدزادگان
Mersad Co-Founder (alias: Nitr0jen26) - NASA and Sun Army hacker

Omid Ghaffarinia
امید غفارینیا
Mersad Co-Founder (alias: PLuS) - NASA and Sun Army hacker

Sina Keissar
سینا کیسار
ITSecTeam/Mersad - DDoS attack operator

Hamid Homayunfal
حمید همایونفال
IRGC Cyber-Electronic Command (CEC) - Critical Infrastructure Attacks

Hamid Reza Lashgarian
حمیدرضا لشگریان
Head of IRGC Cyber-Electronic Command (CEC) / Commander in IRGC-Quds Force
Mahdi Lashgarian
مهدی لشگریان
Senior Official, IRGC-CEC / Leader of CyberAv3ngers
Milad Mansuri
میلاد منصوری
IRGC Cyber-Electronic Command (CEC) - Cyber Operations
Mohammad Bagher Shirinkar
محمدباقر شیرینکار
Leader/overseer of Shahid Shushtari (formerly Emennet Pasargad) - IRGC-CEC
Aliakbar Rashidi-Barjini
علیاکبر رشیدی بارجینی
Iranian cyber actor - Malicious cyber activities
Mohammad Shakeri Ashtijeh
محمد شاکری آشتیجه
Iranian cyber actor - Malicious cyber activities

Ahmad Khatibi Aghda
احمد خطیبی آقدا
IRGC-affiliated ransomware operator - CEO of Afkar System Yazd Company

Hossein Mohammad Harooni
حسین محمد هارونی
IRGC cyber operative - Infrastructure and server procurement specialist

Reza Kazemifar Rahman
رضا کاظمیفر رحمان
IRGC cyber operative - Malware developer and tools tester (IRGC EWCD 2014-2020)

Komeil Baradaran Salmani
کمیل برادران سلمانی
IRGC cyber operative - Tools testing and quality assurance

Alireza Shafie Nasab
علیرضا شفیعی نسب
IRGC cyber operative - Social engineering infrastructure specialist
Said Pourkarim Arabi
سعید پورکریم عربی
IRGC Intelligence Officer - Ringleader of aerospace hacking campaign

Mohammad Reza Espargham
محمدرضا اسپرغم
IRGC cyber operative - Malware developer (creator of VBScan tool) / OWASP Foundation member

Mohammad Bayati
محمد بیاتی
IRGC cyber operative - Malware support and infrastructure

Mansour Ahmadi
منصور احمدی
IRGC-affiliated ransomware operator - Owner of Najee Technology (aliases: Masoud Akbari, Parsa Unsi)

Amir Hossein Nickaein Ravari
امیرحسین نیکائین راوری
IRGC-affiliated ransomware operator (aliases: Amir Hossein Nikaeen, Amir Hosein Nika'in)

Seyyed Mohammad Hosein Musa Kazemi
سید محمدحسین موسی کاظمی
Iranian hacker - Emennet Pasargad operative, 2020 election interference (alias: Hosein Zamani)

Sajjad Kashian
سجاد کاشیان
Iranian hacker - Emennet Pasargad operative, 2020 election interference (alias: Kiarash Nabavi)

Behzad Mohammadzadeh
بهزاد محمدزاده
Website defacer - Soleimani retaliation attacks (alias: Mrb3hz4d)

Mohammad Mehdi Farhadi Ramin
محمد مهدی فرهادی رامین
Cyber theft and state-sponsored espionage specialist (alias: Mehdi Mahdavi, "Sejeal")

Hooman Heidarian
هومان حیدریان
Cyber theft partner - State-sponsored hacker (alias: "neo", "Sejeal")

Behzad Mesri
بهزاد مصری
IRGC cyber operative - HBO hacker, Monica Witt case operative

Mojtaba Masoumpour
مجتبی معصومپور
IRGC cyber operative - Monica Witt espionage case

Hossein Parvar
حسین پروار
IRGC cyber operative - Monica Witt espionage case

Mohamad Paryar
محمد پریار
IRGC cyber operative - Monica Witt espionage case

Ali Mahdavian
علی مهدویان
Emennet Pasargad employee - 2024 US election interference (alias: HADIAN, Ali)
Sayyed Mehdi Rahimi Hajjiabadi
سید مهدی رحیمی حاجی آبادی
Emennet Pasargad employee - 2024 US election interference

Fatemeh Sadeghi
فاطمه صادقی
Emennet Pasargad employee - 2024 US election interference
Elaheh Yazdi
الهه یزدی
Emennet Pasargad employee - 2024 US election interference
Mohammad Hosein Abdolrahimi
محمد حسین عبدالرحیمی
Emennet Pasargad employee - 2024 US election interference
Rahmatollah Askarizadeh
رحمتالله عسکریزاده
Emennet Pasargad employee - 2024 US election interference

Reza Mohammad Amin Saberian
رضا محمد امین صابریان
IRGC Cyber-Electronic Command (CEC) official
Mohammad Agha Ahmadi
محمد آقااحمدی
IRGC-affiliated ransomware operator
Mostafa Haji Hosseini
مصطفی حاجی حسینی
IRGC-affiliated ransomware operator
Faramarz Shahi Savandi
فرامرز شاهی ساوندی
SamSam ransomware developer and operator
Mohammad Mehdi Shah Mansouri
محمد مهدی شاه منصوری
SamSam ransomware developer and operator
Manuchehr Akbari
منوچهر اکبری
Shahid Hemmat hacking group - IRGC-CEC operative

Amir Hosein Hoseini
امیرحسین حسینی
Shahid Hemmat hacking group - IRGC-CEC operative
Mohammad Hosein Moradi
محمد حسین مرادی
Shahid Hemmat hacking group - IRGC-CEC operative

Mohammad Reza Rafatinezhad
محمدرضا رفعتینژاد
Shahid Hemmat hacking group - IRGC-CEC operative

Fatemeh Sedighian Kashi
فاطمه صدیقیان کاشی
Shahid Shushtari operative - Long-time IRGC-CEC front company employee
Behrouz Parsarad
بهروز پارسارد
Nemesis Market dark web founder and operator - Drug trafficking and money laundering

Reza Mohammad Amin Saberian
رضا محمد امین صابریان
Senior Official, IRGC-CEC - Strategic and technical guidance

Yahya Hosseini Panjaki
یحیی حسینی پنجکی
Deputy for Domestic Security, MOIS - Commands Handala/Banished Kitten

Ali Bermoudeh
علی برموده
MOIS Handala Hack Team operator - Amateur hacker

Morteza Aftabifar
مرتضی آفتابیفر
MOIS Handler - Intermediary between command and operators

Naji Ibrahim Sharifi-Zindashti
ناجی ابراهیم شریفی زیندشتی
Criminal Kingpin / MOIS Asset - Leads assassination network
Nihat Abdul Kadir Asan
نهاد عبدالقادر آسان
Zindashti Network Logistical Planner - Recruits gunmen
Ekrem Abdulkerym Oztunc
اکرم عبدالکریم اوزتونچ
Zindashti Network Lieutenant - Nephew and key operative
Shahram Ali Reza Tamarzadeh Zavieh Jakki
شهرام علیرضا تامرزاده زاویه جکی
Zindashti Network Associate - Brother-in-law

Ali Aliakbar Ansari
علی علیاکبر انصاری
Financial Facilitator - IRGC money laundering through real estate
Organizations
APT35 / Charming Kitten
Aliases: Phosphorus, Fresh Feline, NewsBeef, Ajax Security Team
Parent Organization: IRGC Intelligence Organization
State-sponsored cyber espionage group targeting journalists, activists, academics, and government officials.
RANA Intelligence Organization
Aliases: RANA, APT39, Chafer
Parent Organization: MOIS (Ministry of Intelligence)
Front company for MOIS conducting cyber operations against Iranian dissidents and foreign targets.
Department 40
Aliases: Division 1500, IRGC External Cyber Operations
Parent Organization: IRGC Intelligence Organization
External cyber operations unit conducting offensive operations against regional targets. Operates under 2017 Iranian legislation designating US military as "terrorists." Employs distributed model contracting darknet hacker-for-hire services and collaborating with proxy groups (Hezbollah, Iraqi militias, Houthi cyber units). Uses IranInfo Marketplace for data sales. Research indicates OSINT vulnerabilities in operator security.
Mabna Institute
Aliases: Silent Librarian, COBALT DICKENS, TA407, Yellow Nabu, G0122
Parent Organization: IRGC (Islamic Revolutionary Guard Corps)
Organization conducting massive credential theft campaign against 320+ universities worldwide. Stole 31+ terabytes of academic data. Operated Megapaper.ir and Gigapaper.ir for selling stolen research. 9 members indicted by DOJ February 2018, OFAC sanctioned March 2018.
APT39 / Chafer
Aliases: Remix Kitten, COBALT HICKMAN, Radio Serpens, ITG07
Parent Organization: MOIS (Ministry of Intelligence)
Iranian cyber espionage group operating through RANA Intelligence Computing Company. Targets travel sector, telecommunications, and Iranian dissidents across 30+ countries. 45 members sanctioned by OFAC September 2020. Deployed 8 distinct malware families.
IRGC Basij Cyber Unit
Aliases: Basij Resistance Force Cyber
Parent Organization: IRGC (Islamic Revolutionary Guard Corps)
Paramilitary cyber unit responsible for 2024 US Presidential Election targeted hacking operation. 3 members indicted September 2024, $10M rewards offered. Targets US government officials, campaigns, journalists, and think tanks.
Kashef Surveillance Platform
Parent Organization: Department 40 / IRGC Intelligence
Database system built by Department 40 to track dissidents through mobile phone records, travel data, and location tracking. Obtained in November 2025. Used to map connections between targets for assassination operations.
Infrastructure Security Unit
Aliases: Vahde Amniat Zirsakhtha
Parent Organization: IRGC / Supreme National Security Council
Central hub for decision-making on internet control in Iran. Managed by Mehdi SeifAbadi and Mohammad Amin Aghamiri. Orchestrated the January 2026 "Absolute Digital Isolation" strategy - the most severe internet shutdown in Iran's history, blocking all international connectivity during the massacre of 16,500+ protesters.
Law Enforcement Command (LEF)
Aliases: NAJA, FARAJA, Police Force
Parent Organization: Ministry of Interior
Iranian national police force responsible for internal security and protest suppression. Deployed against protesters in 2022 Mahsa Amini and 2026 economic protests. Commands include Tehran Police Chief Hossein Rahimi and provincial commanders sanctioned by OFAC.
Supreme National Security Council (SNSC)
Aliases: Showra-ye Aali-ye Amniyat-e Melli
Parent Organization: Office of Supreme Leader
Iran's highest national security and foreign policy decision-making body. Secretary Ali Larijani sanctioned January 2026 for coordinating violent crackdown on protesters on behalf of Supreme Leader Khamenei. Authorized use of lethal force against demonstrators.
Sarallah
Aliases: IRGC Tehran Security
Parent Organization: IRGC
IRGC security apparatus responsible for Tehran. Commander Hossein Nejat sanctioned October 2022. Handles capital security operations and protest suppression in Tehran metropolitan area.
Iranian Cyber Police (FATA)
Aliases: Cyber Police, Police Fata
Parent Organization: Law Enforcement Command
Iranian cyber police unit responsible for monitoring online dissent, targeting activists and journalists, and enforcing internet restrictions. Head Vahid Mohammad Naser Majid sanctioned October 2022.
Yaftar
Parent Organization: IRGC Security Contractors
Security contractor designing Starlink traffic detection systems. Part of infrastructure enabling 2026 internet blackout. Developing technology to detect and block satellite internet access.
Doran Group
Parent Organization: IRGC Security Contractors
Security contractor developing Deep Packet Inspection (DPI) updates for internet surveillance and blocking. Provides technical capabilities for internet censorship infrastructure.
MuddyWater
Aliases: MERCURY, Static Kitten, Seedworm, TEMP.Zagros, MuddyC2Go
Parent Organization: MOIS (Ministry of Intelligence)
Iranian cyber espionage group using MuddyC2Go command and control infrastructure. Employs PhonyC2 framework and N-able Advanced Monitoring Agent for dual-use operations. Deploys custom malware and legitimate admin tools for persistence.
IranInfo Marketplace
Aliases: iranInfo
Parent Organization: IRGC-affiliated Dark Web
Dark web marketplace for Iranian threat actor data sales. SessionApp ID: 05872c824ee1b62e81b7c661ffb64e4424f3b7c7d5b66d65568386da9ff6266755. Bitcoin wallet: bc1qe46dj38ge9nk6fnmtku2dcdgfeepgprmvzttnt. Facilitates IRGC data transactions.
HACKERSTARS
Aliases: Darknet Hacker Marketplace
Parent Organization: Tor Hidden Service
Verified hacker-for-hire marketplace with escrow services (hsssfzzzxboe66mtswcrhxpzlmiejv246pun3ttasg3x4y6xayjag5id.onion). Known verified hackers: N3gr0, Intruder, DigitalKiller, BlackChimp, SilentRoot (99% success), Baloo, KimHack, Ultrum, Joga3, Z3r0Trac3, AntiBot, Ragnazar. Pricing: BTC ~$90,970, ETH ~$3,115, XMR ~$460.
Iranian Darknet Hacker Ecosystem
Aliases: Shadow Hacker, Pr0Hacker, Find a Hacker (FaH), BlackHats
Parent Organization: Tor Hidden Services
Network of hacker-for-hire services potentially leveraged by IRGC for deniable operations. Shadow Hacker (shadowhckr@proton.me, OSWE credentials). Pr0Hacker (active since 2005). Find a Hacker (operational since 2013). FraudGPT AI tool advertised. Services offer email/social media hacking, DDoS, database extraction with escrow protection.
Mehrsam Andisheh Saz Nik (MASN)
Aliases: MASN
Parent Organization: IRGC (Islamic Revolutionary Guard Corps)
IRGC front company used in multi-year cyber campaign (2016-2021) targeting US defense contractors, Treasury Department, and State Department. Four operatives indicted April 2024: Hossein Harooni, Reza Kazemifar, Komeil Baradaran Salmani, Alireza Shafie Nasab.
Dadeh Afzar Arman (DAA)
Aliases: DAA
Parent Organization: IRGC (Islamic Revolutionary Guard Corps)
IRGC front company partnered with MASN for cyber operations. Exploited over 200,000 victim accounts across US government and private sector. Indicted April 2024 by DOJ.
Najee Technology Hooshmand Fater LLC
Aliases: Najee Technology, Najee
Parent Organization: IRGC (Islamic Revolutionary Guard Corps)
IRGC-affiliated ransomware operator. Owner Mansour Ahmadi indicted September 2022. Attacked US critical infrastructure including healthcare, transportation, utilities. Used ransomware-style extortion against hundreds of victims in US, UK, Israel.
Afkar System Yazd Company
Aliases: Afkar System, Afkar
Parent Organization: IRGC (Islamic Revolutionary Guard Corps)
IRGC-affiliated company involved in ransomware operations. Ahmad Khatibi Aghda served as managing director. Indicted September 2022 for attacks on critical infrastructure.
Emennet Pasargad
Aliases: Net Peygard Samavat Company
Parent Organization: IRGC / MOIS
Iranian government cybersecurity contractor responsible for 2020 US election interference. Operatives Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian indicted November 2021. Obtained confidential voter data on 100,000+ US voters, sent threatening voter intimidation emails.
Cognitive Design Production Center (CDPC)
Aliases: CDPC, مرکز تولید طراحی شناختی
Parent Organization: IRGC (Islamic Revolutionary Guard Corps)
IRGC-affiliated entity designated December 2024 by Treasury for supporting Iranian cyber operations and disinformation campaigns. Involved in producing cognitive warfare content and psychological operations targeting Western audiences.
Nemesis Market
Aliases: Nemesis Darknet Market
Parent Organization: Iran-based Dark Web
Dark web marketplace operated by Behrouz Parsarad from Iran (March 2021 - April 2025). 150,000+ users, 400,000+ orders, $30 million in drug sales including fentanyl. Seized by FBI/DEA Operation Dark Night April 2025.