IRGC CYBER DOSSIER
COMPREHENSIVE INTELLIGENCE REPORT 2024-2026
Emergent Cyber-Kinetic Convergence
LAST UPDATED: JANUARY 2026
Intelligence Assessment: This dossier contains actionable intelligence on state-sponsored cyber threat actors engaged in critical infrastructure targeting and transnational operations.
01 Executive Summary: The Dissolution of Boundaries
The operational landscape of the Islamic Republic of Iran's state-sponsored cyber apparatus has undergone a fundamental and disturbing metamorphosis between late 2023 and early 2026. Intelligence analysis reveals a strategic pivot from traditional espionage and asymmetric disruption toward a doctrine of kinetic integration.
No longer operating in isolated silos, the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS) have effectively dissolved the boundaries between cyber intelligence, physical assassination plots, and organized criminal enterprise.
This report provides an exhaustive, forensic examination of the individuals, units, and infrastructures driving this escalation. We have constructed a detailed order of battle for the Iranian regime's current cyber offensive.
The findings indicate a three-pronged evolution in the threat landscape:
The Weaponization of Civil Infrastructure: The IRGC Cyber-Electronic Command (IRGC-CEC) has moved beyond theoretical probing of Operational Technology (OT) to executing successful compromises of U.S. water and wastewater systems. The targeting of Unitronics Programmable Logic Controllers (PLCs) signifies a willingness to risk humanitarian consequences to achieve psychological dominance.
The "Crime-as-a-Service" Model: The regime has formalized its reliance on transnational criminal syndicates, most notably the Zindashti Network, to conduct kidnappings and assassinations on Western soil. These kinetic operations are directly enabled by cyber-intelligence packages—location data, digital pattern-of-life analysis—provided by state hackers.
The Amateur-State Hybrid: The exposure of the "Handala" hacktivist group as a front for the MOIS, staffed by relatively inexperienced operators with familial ties to the regime, highlights a dangerous volatility. While state-backed, the poor operational security (OPSEC) of these actors creates a chaotic environment where attribution is easier, but the threshold for reckless action is lower.
This dossier aggregates actionable intelligence—including National Identification Numbers (Code Melli), passport data, physical addresses, and familial connections—for over two dozen high-value targets. It serves not merely as a catalog of adversaries but as an analytical instrument to understand the human terrain of a regime that views the digital domain as the primary battlefield for its survival.
Threat Timeline: IRGC-CEC Evolution
(Nov 2023 – Jan 2026)
Attack on Unitronics Vision PLCs in U.S. water and wastewater facilities
Sanctioning of IRGC-CEC leadership including Hamid Reza Lashgarian and 5 senior officials
DOJ indicts Masoud Jalili and 2 others for campaign hacking
Handala identified as MOIS front with inexperienced operators and familial regime ties
Use of cyber-intelligence packages to facilitate assassination and kidnapping plots on Western soil
Internal documents obtained from MOIS Department 40
Command Structure: Regime Cyber-Kinetic Ecosystem
Figure 1: Operational structure linking IRGC-CEC and MOIS to attack groups and targets.
Target Dossier: IRGC-CEC Leadership
Individuals with direct oversight of cyberattacks on Western critical infrastructure

HAMID REZA LASHGARIAN
Head of IRGC-CEC / Quds Force Commander

MAHDI LASHGARIAN
CyberAv3ngers Leader
AKA: Mr. Soul, Mr. Soll

HAMID HOMAYUNFAL
Senior Official, IRGC-CEC / Logistics

MILAD MANSURI
Tactical Overseer, IRGC-CEC

02 The IRGC Cyber-Electronic Command (IRGC-CEC)
The Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), often referred to in intelligence circles as the Electronic Warfare and Cyber Defense Organization, stands as the apex predator within Iran's cyber ecosystem. Historically, this organization operated in the shadows, its leadership structure obscured by layers of bureaucracy and counter-intelligence protection. However, the brazen nature of its recent campaigns—specifically the targeting of U.S. municipal infrastructure—has precipitated a forceful response from Western governments, resulting in the public unmasking of its senior command staff.
The individuals detailed below are not merely administrative figureheads; they are operational commanders with direct oversight of campaigns designed to destabilize Western societies and degrade critical infrastructure.
2.1 Hamid Reza Lashgarian: The Architect of Asymmetry
Status: Sanctioned by US Treasury (Feb 2024); Subject to Rewards for Justice Inquiry
Hamid Reza Lashgarian occupies a unique and formidable position within the Iranian security apparatus. His dual-hatted role—serving simultaneously as the head of the Cyber-Electronic Command and as a commander within the Quds Force—epitomizes the regime's integrated approach to unconventional warfare. The Quds Force, responsible for extraterritorial operations and support of proxy militias, requires robust intelligence and sabotage capabilities. Lashgarian is the bridge between the digital domain and the physical battlefield.
Intelligence assessments indicate that Lashgarian is the principal architect of the doctrine that classifies civilian infrastructure as a legitimate target. Under his command, the IRGC-CEC has moved away from purely retaliatory cyberattacks toward preemptive positioning within critical networks. His leadership has overseen the deployment of groups like "CyberAv3ngers," which, while masquerading as hacktivists, operate under strict military discipline to execute state objectives. The designation of Lashgarian by the U.S. Treasury in early 2024 was a strategic move to pierce the command veil, signaling that accountability for cyber-physical attacks would reach the highest echelons of the IRGC.
2.2 Mahdi Lashgarian: The CyberAv3ngers Commander
Operational Role: Senior Official, IRGC-CEC / Leader of CyberAv3ngers
Mahdi Lashgarian represents the operational fist of the CEC. While Hamid Reza Lashgarian sets the strategic direction, Mahdi Lashgarian executes the tactical mandate. He has been positively identified as the driving force behind the "CyberAv3ngers" persona, a group that gained notoriety for its attacks on Israeli and American industrial control systems.
Forensic analysis of the group's activities reveals a sophisticated understanding of Operational Technology (OT). The group's malware, specifically the IOCONTROL suite, was designed to interface with and manipulate SCADA systems. This capability was famously deployed against Vision Series PLCs manufactured by Unitronics. By compromising these devices, which are widely used in water and wastewater treatment facilities, Mahdi Lashgarian's unit demonstrated a capability to inflict real-world harm—tampering with water pressure, chemical dosing, or system integrity.
| Attribute | Detail |
|---|---|
| Full Name | Mahdi Lashgarian |
| Known Aliases | Mr. Soul, Mr. Soll |
| Date of Birth | June 2, 1989 |
| Place of Birth | Iran |
| National ID (Code Melli) | 0010365044 (Alternate citation: 136544) |
| Passport Number | M56717088 |
| Physical Address | Tehran, Iran |
2.3 Hamid Homayunfal: The Logistical Backbone
Hamid Homayunfal serves within the senior executive tier of the CEC. His role is less public-facing than the Lashgarians but no less critical. Intelligence suggests Homayunfal is responsible for the administrative and logistical machinery that sustains prolonged cyber campaigns. This includes the procurement of infrastructure—servers, bandwidth, and anonymization tools—often through front companies to evade sanctions. His inclusion in the February 2024 sanctions tranche alongside the operational commanders indicates his integral role in the decision-making loop that authorized the attacks on U.S. critical infrastructure.
| Attribute | Detail |
|---|---|
| Full Name | Hamid Homayunfal |
| Role | Senior Official, IRGC-CEC |
| Internal ID Reference | 896 (Linked to specific sanctioned entity lists) |
2.4 Milad Mansuri: The Tactical Overseer
Milad Mansuri functions as a tactical operations commander. In the hierarchy of the CEC, he is likely responsible for the direct management of hacking teams—the "hands on keyboards." His purview includes the oversight of reconnaissance teams that scan global networks for vulnerabilities (such as the default passwords on Unitronics PLCs) and the exploitation teams that weaponize those findings. His identification serves to map the mid-level management layer of the IRGC's cyber forces, a critical stratum that translates orders into action.
| Attribute | Detail |
|---|---|
| Full Name | Milad Mansuri |
| Role | Senior Official, IRGC-CEC |
| Internal ID Reference | 1217 |
2.5 Mohammad Bagher Shirinkar: The Nexus of Nepotism
Role: Senior Official, IRGC-CEC / CEO of Iman Net Pasargad
Mohammad Bagher Shirinkar illustrates the deep intertwining of familial loyalty, corporate fronts, and state intelligence within the Iranian regime. Shirinkar is not a solitary operator; he sits at the center of a powerful network. He is the brother of Mohammad-Hossein Shirinkar, the head of the IRGC Intelligence Inspectorate, and the brother-in-law of Mehdi Hashemi Toghroljerdi, a CEO of another digital front company.
This "Shirinkar Network" manages Iman Net Pasargad, a company sanctioned for its role in attempting to influence U.S. elections. Shirinkar's transition from running a front company to a senior official role within the CEC highlights the fluidity between the IRGC's "private" contractors and its official command structure. Intelligence analysis has identified him as a central figure in the "Sayyad" group, reinforcing his status as a high-value target.
| Attribute | Detail |
|---|---|
| Full Name | Mohammad Bagher Shirinkar |
| Known Aliases | Mojtaba Tehrani |
| National ID (Code Melli) | 0067948431 |
| Key Associations | Brother: Mohammad-Hossein Shirinkar (IRGC Intel Inspectorate); Brother-in-Law: Mehdi Hashemi Toghroljerdi |
2.6 Reza Mohammad Amin Saberian: The Strategist
Role: Senior Official, IRGC-CEC
Reza Mohammad Amin Saberian provides senior-level strategic and technical guidance to the CEC. His background suggests a deep technical proficiency combined with operational planning capabilities.
| Attribute | Detail |
|---|---|
| Full Name | Reza Mohammad Amin Saberian |
| Known Aliases | Reza Saberian |
| Date of Birth | February 1, 1980 |
| National ID (Code Melli) | 2431884694 |
| Passport Number | G10515157 |
| Role | Senior Official, IRGC-CEC |

03 The 2024 Election Interference Cell
In the run-up to the 2024 U.S. Presidential Election, the threat from Iranian cyber actors evolved from general disinformation to targeted hacking operations. Unlike the broad, noisy campaigns of 2020, this effort was characterized by precision spearphishing, deep reconnaissance, and the theft of sensitive internal documents from campaign officials.
In late 2024, a specific IRGC-affiliated cell responsible for this activity was identified. This investigation has provided a granular view of the operatives involved, their physical locations, and their tradecraft.
3.1 Masoud Jalili: The Veteran Operator
Masoud Jalili is not a newcomer to the Iranian cyber scene. His operational history dates back to at least 2012, and he has explicitly identified himself as a "Master of Information Technology." His career trajectory offers a textbook example of the IRGC's recruitment pipeline: he has been a member of the Basij, the paramilitary volunteer militia, since 2005. This long-standing ideological commitment underpins his technical work.
Jalili served as the primary operator for the 2024 election interference campaign. He utilized technical infrastructure provided by Respina Networks and Farabord Dadeh Haye Iranian Company (FDI)—two internet service providers complicit in shielding malicious activity. His tradecraft involved the purchase of high-speed internet access and static IP addresses specifically to facilitate the exfiltration of large volumes of data from compromised campaign accounts.
| Attribute | Detail |
|---|---|
| Full Name | Masoud Jalili |
| Date of Birth | December 8, 1987 |
| Place of Birth | Tehran, Iran |
| National ID (Code Melli) | 0079491391 |
| Physical Address | Number 3, Kagzar Alley, Shahid Hedayeti Avenue, Shahid Soleimani Expressway, Tehran 1675646611, Iran |
| Birth Certificate | 49332 |
| Operational Locale | Number 102 Maleklou Street, Heidarkhan Street, West Farjam Street, District 4, Tehran |
The identification of the Maleklou Street address is particularly significant. Intelligence indicates this location served as a dedicated operational hub (a "safe house" or office) for this specific cell between 2020 and 2023, suggesting a physical centralization of the hacking team distinct from standard military bases.
3.2 Seyyed Ali Aghamiri: The Insider
Seyyed Ali Aghamiri fits the profile of the technically skilled university recruit drafted into state service. A graduate of Islamic Azad University, he is a skilled computer hacking operator. Like Jalili, his work was physically centered at the Maleklou Street office in Tehran. His role appears to have been operational execution: conducting the actual spearphishing attacks and managing persistence within compromised networks.
| Attribute | Detail |
|---|---|
| Full Name | Seyyed Ali Aghamiri |
| Age | 34 (as of late 2024) |
| Residence | Tehran, Iran |
| Affiliation | IRGC / Basij |
3.3 Yaser Balaghi: The Toolsmith
Yaser Balaghi provides the developmental capability for the cell. Holding a bachelor's degree in computer software from Islamic Azad University, Balaghi has a history of creating offensive cyber tools. His resume boldly claims experience as a "Head of Security and Hacking," where he designed systems for phishing attacks, brute-force password cracking, and Windows-based malware. This background indicates that Balaghi was likely responsible for coding the custom obfuscation tools used to bypass the email filters of the targeted political campaigns.
| Attribute | Detail |
|---|---|
| Full Name | Yaser Balaghi |
| Age | 37 (as of late 2024) |
| Residence | Tehran, Iran |
| Education | Bachelor's in Computer Software, Islamic Azad University |
04 The Contractor Nexus: Mahak Rayan Afraz
Parallel to the election interference efforts, another IRGC-linked cell was actively targeting the U.S. defense industrial base and the Department of the Treasury. This group operated under the cover of a private company, Mahak Rayan Afraz (Persian: محک رایان افراز). The use of such front companies allows the IRGC to recruit talent from the private sector while maintaining plausible deniability.
This specific cell was charged in a multi-year conspiracy involving computer fraud and identity theft. Their tradecraft relied heavily on "social engineering"—impersonating real people (often women) to build trust with targets before delivering malware.
4.1 Reza Kazemifar: The Bridge
Reza Kazemifar represents the link between the military bureaucracy and the private contractor world. From approximately 2014 to 2020, he was employed directly by the IRGC Electronic Warfare and Cyber Defense (EWCD) unit. He subsequently moved to Mahak Rayan Afraz, bringing his institutional knowledge and clearance with him. His role focused on testing the efficacy of the tools developed by the group, ensuring their malware could evade detection by standard antivirus software.
| Attribute | Detail |
|---|---|
| Full Name | Reza Kazemifar |
| Date of Birth | June 2, 1987 |
| Place of Birth | Ilam, Iran |
| National ID (Code Melli) | 4501201381 |
| Birth Certificate | 3946 |
4.2 Komeil Baradaran Salmani: The Tester
Salmani functioned as a quality assurance engineer for the group's offensive capabilities. He was responsible for testing spearphishing campaigns—specifically those targeting a hospitality company—and maintaining the server infrastructure. His address in the Shahid Mahalati Complex (Mini City, Tehran) is noteworthy, as this area is known to house IRGC personnel and their families, further reinforcing the state ties.
| Attribute | Detail |
|---|---|
| Full Name | Komeil Baradaran Salmani |
| National ID (Code Melli) | 0077605063 |
| Physical Address | No. 29, Tohid Sq., Shahid Mahalati Complex, Mini City, Tehran, Iran |
4.3 Alireza Shafie Nasab & Hossein Harooni: The Procurers
These two individuals focused on the logistics of the cyberattack lifecycle. Nasab and Harooni were responsible for procuring the necessary infrastructure—servers, domains, and accounts—often using stolen identities. Nasab, for instance, utilized the name and passport of a real individual ("Individual-1") to register accounts, a common tradecraft technique to break the attribution chain.
| Attribute | Detail |
|---|---|
| Full Name | Alireza Shafie Nasab |
| Date of Birth | February 21, 1985 |
| National ID (Code Melli) | 1288452152 |
| Passport Number | (Used stolen identity for ops) |

| Attribute | Detail |
|---|---|
| Full Name | Hossein Harooni |
| Date of Birth | November 9, 1989 |
| National ID (Code Melli) | 1270285696 |
05 The "Handala" Exposure: MOIS Unmasked
In late 2025, the façade of the "Handala Hack Team" collapsed. For years, this group had posed as independent hacktivists, claiming responsibility for attacks on Israeli infrastructure and the London-based broadcaster Iran International. However, investigative reporting by Iran International and cybersecurity researchers revealed that "Handala" was merely a persona for the Ministry of Intelligence and Security (MOIS), specifically a unit tracked as "Banished Kitten" (also known as Storm-0842 or Dune).
The exposure of this unit revealed a startling lack of professionalism within the MOIS's operational ranks, characterized by nepotism and poor operational security (OPSEC).
5.1 Yahya Hosseini Panjaki: The Command Authority
Yahya Hosseini Panjaki is the senior executive overseeing the MOIS's domestic cyber operations. He represents a "new guard" of intelligence managers deeply trusted by Supreme Leader Ali Khamenei. His mandate is aggressive and extraterritorial; he founded the "Qassem Soleimani Headquarters" within the MOIS to coordinate overseas operations, bridging the traditional rivalry between the MOIS and the IRGC. Panjaki was sanctioned by the U.S. in 2024 for his role in assassination plots against dissidents, confirming that his cyber unit supports kinetic objectives.
| Attribute | Detail |
|---|---|
| Full Name | Yahya Hosseini Panjaki |
| Role | Deputy for Domestic Security, MOIS |
| Origin | Tabriz, Iran |
5.2 Ali Bermoudeh: The Amateur Operator
The identification of Ali Bermoudeh serves as a case study in the degradation of Iranian tradecraft. A 27-year-old from Tabriz, Bermoudeh is the son of Mousa Bermoudeh, a provincial official with the Foundation of Martyrs and Veterans Affairs. This familial connection likely facilitated his entry into the intelligence apparatus.
Despite his role in high-profile attacks against Iran International, Bermoudeh is described by sources as an "amateur." Intelligence reveals that he used his own date of birth as a password for multiple critical accounts, a catastrophic OPSEC failure that likely facilitated his identification by Western researchers. He runs an online store and has worked with Iran's Cyber Police (FATA), illustrating the blurred lines between civilian commerce, law enforcement, and state espionage.
| Attribute | Detail |
|---|---|
| Full Name | Ali Bermoudeh |
| Age | 27 (Born approx. 1998) |
| Origin | Tabriz, Iran |
| Father | Mousa Bermoudeh (Official, Foundation of Martyrs and Veterans Affairs) |
5.3 Morteza Aftabifar: The Handler
Morteza Aftabifar functions as the intermediary between the senior command (Panjaki) and the street-level operators (Bermoudeh). Also hailing from Tabriz, his presence confirms the regional/familial clustering of this specific MOIS cell. His role involves tasking the operators and ensuring their activities align with the Ministry's strategic goals, such as the intimidation of foreign journalists.
| Attribute | Detail |
|---|---|
| Full Name | Morteza Aftabifar |
| Role | MOIS Handler |
| Origin | Tabriz, Iran |

06 Transnational Repression: The Zindashti Nexus
Perhaps the most alarming evolution in Iranian threat doctrine is the formalization of the "Crime-as-a-Service" model. The regime has increasingly turned to transnational criminal syndicates to execute kidnappings and assassinations in Europe and the United States. This allows the state to maintain a veneer of deniability while projecting lethal force abroad.
The Zindashti Network, led by narcotics trafficker Naji Ibrahim Sharifi-Zindashti, is the primary proxy for these operations. While Zindashti provides the gunmen, the MOIS provides the intelligence—often derived from cyber espionage—required to locate and track the victims.
6.1 Naji Ibrahim Sharifi-Zindashti: The Cartel Leader
Zindashti operates under the protection of the Iranian security establishment. His network has been implicated in the abduction of Iranian dissident Habib Chaab in Turkey and the assassination of dissident Masoud Molavi Vardanjani in Istanbul. U.S. indictments have also linked his network to plots to assassinate residents in Maryland. The regime's cyber units facilitate these acts by providing digital "pattern of life" data on targets, effectively using hackers as spotters for hitmen.
| Attribute | Detail |
|---|---|
| Full Name | Naji Ibrahim Sharifi-Zindashti |
| Known Aliases | Naci Serifi Zindasti, "Big Boss" |
| Date of Birth | May 31, 1974 |
| Place of Birth | Orumiyeh, Iran |
| National ID (Code Melli) | 2753229112 |
6.2 The Lieutenants
To manage the logistics of international assassination plots, Zindashti relies on a cadre of trusted lieutenants who coordinate between the cartel in Turkey/Iran and hired assets in the West.
Nihat Abdul Kadir Asan
Role: Logistical Planner. Based in Iran, he recruits gunmen and manages travel logistics.
DOB: Nov 11, 1981 (or Oct 1, 1981) | POB: Van, Turkey
National ID: 2751062326 (Iran) | Passport: U13927927 (Turkey)
Aliases: Ibrahim Kurd, Ramin Ebrahimiharkian
Ekrem Abdulkerym Oztunc
Role: Zindashti's nephew and key lieutenant. Resides in Iran under state protection.
DOB: Oct 7, 1984 | POB: Yuksekova, Turkey
National ID: U01292672 (Turkey/Unknown source doc)
Address: Orumiyeh, West Azerbaijan, Iran
Shahram Ali Reza Tamarzadeh Zavieh Jakki
Role: Zindashti's brother-in-law and associate.
National ID: 2850540498 | Passport: T36369585
07 Department 40 Operations
Intelligence analysis has shed light on Department 40 of the IRGC Intelligence Organization (linked to the APT group known as "Charming Kitten"), exposing personnel lists, organizational charts, and project details.
Evidence confirms that Department 40 has integrated into the "kill chain" for physical attacks. The unit utilizes a centralized intelligence system called "Kashef" to catalog cyber-gathered data (locations, contacts) into "target packages" for physical assassination squads. Furthermore, the unit is actively developing kinetic delivery systems:
Project "Safir" (Messenger): Balloons/gliders for delivering explosives to Israel.
Project "Ofogh" (Horizon): Jet-powered suicide drones.
Analysis has identified approximately 60 agents, revealing a pattern of deep nepotism and the extensive use of civilian front companies to mask their activities. This indicates that the IRGC is attempting to build a self-sustaining, covert ecosystem that blends military R&D with intelligence gathering.
08 Financial and Corporate Enablers
Sustaining this global operational tempo requires significant financial resources and corporate cover.
8.1 Ali Aliakbar Ansari: The Financier
Ali Aliakbar Ansari represents the financial artery of the IRGC's external operations. A dual-national with a massive property portfolio, Ansari facilitates the movement of funds that underwrite hostile activities. His sanctioning by the UK government in late 2025 targeted his ability to use the British banking system and real estate market to launder IRGC capital.
| Attribute | Detail |
|---|---|
| Full Name | Ali Aliakbar Ansari |
| Date of Birth | December 26, 1968 |
| Place of Birth | Ghazvin, Iran |
| Passport Number | B65348454 (Iran), RE003666 (St Kitts & Nevis), P41219058 (Iran), L00017629 (Cyprus) |
| Address 1 | Villa Mdb Base 2, 394 Emirates Hills Third, Dubai, UAE |
| Address 2 | £33.7 million mansion in North London |
8.2 Emennet Pasargad: The Persistent Front
Despite previous sanctions, the cybersecurity firm Emennet Pasargad (formerly Net Peygard Samavat) remains a primary contractor for IRGC interference operations. In September 2024, the U.S. Treasury sanctioned additional employees, highlighting the firm's continued utility to the regime.
New Designees
Mohammad Hosein Abdolrahimi
DOB: Aug 29, 1988 | ID: 0493278222
Rahmatollah Askarizadeh
DOB: May 14, 1992 | ID: 0014603667

09 Conclusion
The data aggregated in this report paints a picture of a regime that has aggressively integrated its cyber capabilities with its kinetic and criminal apparatus. The IRGC and MOIS have moved beyond mere espionage to a "hybrid war" footing, characterized by the targeting of civilian infrastructure, the assassination of dissidents, and interference in democratic processes.
However, the wealth of specific identifiers—National IDs, home addresses, passport numbers—exposed in this report also points to a significant vulnerability: the regime's own operational security is crumbling. Whether through the incompetence of amateur operators like Ali Bermoudeh or the penetration of their networks by Western intelligence, the "veil of anonymity" that once protected Iranian cyber actors has been pierced.
END OF DOSSIER