Iranian APTs Launch Active Cyberattacks on Transportation and Manufacturing Industries

Nozomi Networks Labs has reported a significant uptick in cyber operations attributed to well-known Iranian Advanced Persistent Threat (APT) groups.

Data collected by the security research team reveals a 133% increase in Iranian-actor-linked cyberattacks during May and June 2025, compared to the preceding two months.

The primary targets are organizations within the transportation and manufacturing sectors in the United States, corroborating recent warnings issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security.

Profile of Iranian Threat Actors

Nozomi Labs’ daily telemetry and threat intelligence monitoring identified 28 distinct attacks associated with Iranian APTs in the past two months, up from 12 in March and April.

Figure: Iranian APTs. Recent spike in attacks linked to Iranian actors in comparison to March and April 2025.

The most prolific among these groups, MuddyWater (SeedWorm), conducted campaigns against at least five U.S.-based organizations, focusing largely on transportation and manufacturing.

Meanwhile, APT33 (Elfin) was linked to attacks on three separate U.S. entities, with OilRig (APT34/Helix Kitten), CyberAv3ngers, Fox Kitten (Pioneer Kitten), and Homeland Justice each targeting at least two different companies in the same industries.

These Iranian groups are recognized for their advanced capabilities, including cyber espionage, intellectual property theft, and, increasingly, disruptive attacks.

MuddyWater, active since 2017, has historically targeted government, telecom, and energy organizations in the Middle East but has now extended its operations to U.S. critical sectors.

APT33, with a history of targeting aerospace, energy, and petrochemical entities for espionage, and OilRig, known for spear-phishing and custom malware, have both extended their operations toward U.S.-based infrastructure.

Fox Kitten’s persistent access techniques and CyberAv3ngers’ use of specialized OT-focused malware like OrpaCrab (aka IOCONTROL) present a continued risk for operational technology environments.

Homeland Justice, infamous for its disruptive attack on Albanian government infrastructure in 2022, represents another extension of Iranian-sponsored offensive cyber operations.

A notable observation from the latest activity includes the reuse of an IP address by CyberAv3ngers from their 2024 campaign leveraging the OrpaCrab malware.

This illustrates a pattern of re-deploying proven tooling and infrastructure against new targets. It also means that indicators from earlier campaigns retain detection value rather than going stale, so network defenders should keep matching traffic against previously published infrastructure, not only against the newest feed.

Ongoing Vigilance

Nozomi Networks emphasizes the importance of continuous monitoring and timely threat intelligence updates for organizations operating in at-risk sectors.

Their proprietary Threat Intelligence feed, coupled with the Mandiant TI Expansion Pack, enables detection of indicators tied to these Iranian APT groups, ensuring organizations can act swiftly to counteract efforts to penetrate their environments.

As cyberattacks increase in tandem with global conflicts, maintaining a proactive and resilient security posture is critical for U.S. and allied organizations, particularly those managing industrial assets.

Indicators of compromise (IoCs), IP addresses (defanged):
159.100.6[.]69
169.150.227[.]230
95.181.161[.]50
164.132.237[.]65
5.199.133[.]149
104.200.128[.]71
104.200.128[.]206
31.192.105[.]28
185.118.66[.]114
194.187.249[.]102
185.162.235[.]29
144.202.84[.]43
64.176.173[.]77
64.176.172[.]101
64.176.172[.]235
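The IP addresses above are published defanged (`[.]` in place of `.`) so they cannot be clicked or resolved by accident; before they can be matched against firewall, proxy, or VPN logs they have to be refanged and normalised. The following is an added example, not code from the article or from Nozomi Networks: it loads the list exactly as printed above, refangs it, and scans a handful of constructed (not real) log lines for connections to or from any listed address. The log format and the internal 10.x addresses are assumptions for illustration; adapt the regular expression and field handling to your own log source.

```python
import ipaddress
import re
from typing import Iterable

# Indicators of compromise as published above, in defanged form.
IOC_LIST_DEFANGED = """
159.100.6[.]69
169.150.227[.]230
95.181.161[.]50
164.132.237[.]65
5.199.133[.]149
104.200.128[.]71
104.200.128[.]206
31.192.105[.]28
185.118.66[.]114
194.187.249[.]102
185.162.235[.]29
144.202.84[.]43
64.176.173[.]77
64.176.172[.]101
64.176.172[.]235
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', '1.2.3(.)4', 'hxxp://') back into its real form."""
    return (indicator.strip()
            .replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def load_ioc_ips(text: str) -> set:
    """Parse a defanged IoC list into a set of ipaddress objects, skipping non-IP entries."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ips.add(ipaddress.ip_address(refang(line)))
        except ValueError:
            # Not an IP indicator (domain, hash, ...); a real feed would route these elsewhere.
            continue
    return ips


IOC_IPS = load_ioc_ips(IOC_LIST_DEFANGED)

# A dotted quad that is not part of a longer digit/dot run; ipaddress then rejects octets > 255.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def scan_log(lines: Iterable[str], iocs=IOC_IPS) -> list:
    """Return (line_number, matched_ip, line) for every log line that contains an IoC address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for candidate in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if ip in iocs:
                hits.append((n, str(ip), line.rstrip()))
                break  # one alert per line is enough
    return hits


# Constructed sample firewall/VPN/OT log lines for illustration; not real telemetry.
# Line 4 deliberately contains a near-miss ("...66.1140") that must not match.
SAMPLE_LOG = [
    "2025-06-12T09:14:03Z fw01 ACCEPT src=10.20.4.17 dst=104.200.128.71 dport=443 proto=tcp",
    "2025-06-12T09:14:05Z fw01 ACCEPT src=10.20.4.17 dst=142.250.72.14 dport=443 proto=tcp",
    "2025-06-12T09:15:41Z vpn01 login user=jdoe src=5.199.133.149 result=success",
    "2025-06-12T09:16:02Z fw01 DENY src=185.118.66.1140 dst=10.20.4.200 dport=22 proto=tcp",
    "2025-06-12T09:17:55Z hmi02 outbound dst=64.176.172.235 dport=8443 proto=tcp",
]

if __name__ == "__main__":
    for n, ip, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: IoC {ip} seen: {line}")
```

Matching on parsed `ipaddress` objects rather than on raw strings avoids both substring false positives (an octet prefix matching a longer number) and misses caused by formatting differences between feeds and logs. Note that an inbound VPN login from a listed address, as in the third sample line, deserves a different response from an outbound connection by an HMI host, as in the last one: the latter is the pattern the OT-focused tooling described above would produce.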


Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
