
Sysdig Threat Bulletin: Iranian Cyber Threats

Blog post from Sysdig

Author
Michael Clark
Word Count
1,060
Language
English
Summary

In the wake of the June 22, 2025, U.S. strikes on Iranian nuclear sites, the Sysdig Threat Research Team anticipates heightened cyber activity from Iranian state-sponsored groups and hacktivists, comparable to the cyber incidents seen at the onset of the Russia-Ukraine war in 2022. The bulletin gives security teams forward-looking guidance and threat intelligence to prepare for potential attacks, highlighting the tactics and tools used by key Iranian cyber groups. Notably, APT35 targets credentials for platforms such as Microsoft 365 and Gmail, employs tools such as Hyperscrape, and develops malware such as PowerLess and BellaCiao. APT33 is known for cloud-first intrusions and social engineering via LinkedIn, while Pioneer Kitten collaborates with ransomware gangs and exploits vulnerabilities in VPNs and network devices. Recommendations include enforcing multi-factor authentication, monitoring for unauthorized use of security tools, and verifying backup integrity to mitigate ransomware threats.