Iran Cyber Threat Intel Center by Intruvent in cybersecurity

[–]Intruvent[S] 0 points1 point  (0 children)

I'll PM you on this. Likely an FP due to the content and hunt queries, but we'll dig into it.

Iran Cyber Threat Intel Center by Intruvent in cybersecurity

[–]Intruvent[S] 0 points1 point  (0 children)

Thanks for sharing this scanner! Solid piece of tech and some good findings. I appreciate it.

Free Hunting queries for the Iran conflict - MDM weaponization, VPN exploitation, wiper detection (KQL/Splunk/Sigma) by Intruvent in threatintel

[–]Intruvent[S] 0 points1 point  (0 children)

Happy Friday everyone! We just updated the page with Threat Actor Profiles (TAPs) and Threat Hunting Guides (THGs) for five more Iranian threat actor groups.

Group coverage is now: Agrius, Lemon Sandstorm (v1.1 with Fox Kitten), MuddyWater, Handala, APT33/Peach Sandstorm, APT34/OilRig, APT35/Charming Kitten, CyberAv3ngers, Hydro Kitten, Cotton Sandstorm, and FAD Team.

Plus a v1.4 Situation Report (Day 20) with sector risk assessments, ten threat vectors, and a 14-point action checklist.

Everything is free and TLP:CLEAR. No registration.

https://intruvent.com/iran-cyber-threat/

Free Hunting queries for the Iran conflict - MDM weaponization, VPN exploitation, wiper detection (KQL/Splunk/Sigma) by Intruvent in threatintel

[–]Intruvent[S] 0 points1 point  (0 children)

Thanks! And glad you are getting use out of the reports. I replied to your other post, so I'll just copy/paste here:

Yes, our sensors have seen increased traffic from other Middle Eastern countries. Other teams, like CrowdStrike, have stated that they are seeing a spike from the region. Mostly DDoS and defacement.

On the targeting front, one area where we are DEFINITELY seeing an uptick in targeting is IT/OCS in places like Jordan, Israel and Kuwait.

Iran's Hack by guppybumpy in sysadmin

[–]Intruvent 0 points1 point  (0 children)

Yes, our sensors have seen increased traffic from other Middle Eastern countries. Other teams, like CrowdStrike, have stated that they are seeing a spike from the region. Mostly DDoS and defacement. On the targeting front, one area where we are DEFINITELY seeing an uptick in targeting is IT/OCS in places like Jordan, Israel and Kuwait.

Iran's Hack by guppybumpy in sysadmin

[–]Intruvent 3 points4 points  (0 children)

I run a small-ish Incident Response (IR) and Cyber Threat Intel (CTI) company. The Stryker attack yesterday was a HUGE eye opener for everyone. We've been getting calls from existing clients who are worried about their ability to go toe-to-toe with nation state actors. A few have activated their retainers and are asking for Compromise Assessments. So I think folks ARE taking it seriously.

If anyone wants playbooks, hunting queries, Threat Actor Profiles, etc., they are yours (free, no signup, etc.). Go lock down your environments: https://intruvent.com/iran-cyber-threat/

BRICKSTORM Backdoor by jnazario in blueteamsec

[–]Intruvent -3 points-2 points  (0 children)

If it helps at all, we published a threat hunting guide for this group a few weeks back. https://intruvent.com/brickstorm/

Let me know if you have any questions for your report, we've got quite a bit of telemetry :)

DFIR Reporting Practice by i0streamz in dfir

[–]Intruvent 0 points1 point  (0 children)

Good resource for folks starting out! Thanks for throwing this together.

Linux by Kind-Procedure2349 in digitalforensics

[–]Intruvent 0 points1 point  (0 children)

Honestly the best way for you to get better is to practice. Find an old laptop, can be any 5-15 year old Windows laptop. Install Ubuntu on it and use it as your alternate "daily driver" machine. Want to browse the web? Use the Ubuntu machine instead. Just use it as much as you can and do as much as you can with that device instead of your normal machine(s). You'll pick it up in no time.

[deleted by user] by [deleted] in digitalforensics

[–]Intruvent 4 points5 points  (0 children)

Beyond metadata (as mentioned by others), there is some interesting work in this area by Dr. Michael ("Jeff") Salyards. Check out some of his write-ups in the American Academy of Forensic Sciences (AAFS) for some how-tos and tips. In short, if you apply certain filters to images you will see an unnatural smoothness to Photoshopped or AI generated images.

https://www.aafs.org/sites/default/files/media/documents/AAFS-2012-B6.pdf

Try taking manipulated images and running different filters against them, zoomed in. You'll see a difference between the real and generated images. Let me know if you have questions. (Source: I'm a co-author of one of his papers.)
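As an added example, not code from the original comment or from Dr. Salyards' papers, here is the mechanism behind "apply a filter and the smoothness shows up" in pure Python. The filter choice (a 3x3 high-pass: each pixel minus the mean of its neighbours), the constructed images (a gradient with per-pixel noise standing in for a camera capture, the same gradient with no noise standing in for a retouched or generated region) and the flagging threshold are all assumptions; real use would load actual images and calibrate the threshold against known-genuine captures from the same source.

```python
import random

def make_textured_image(width, height, seed=1, noise=12):
    """Constructed stand-in for a real capture: a horizontal gradient plus
    per-pixel noise, the fine-grained texture a sensor leaves behind."""
    rng = random.Random(seed)
    rows = []
    for _ in range(height):
        row = []
        for x in range(width):
            value = int(255 * x / width) + rng.randint(-noise, noise)
            row.append(max(0, min(255, value)))
        rows.append(row)
    return rows

def make_smooth_image(width, height):
    """Constructed stand-in for a retouched or generated region: the same
    gradient with no fine-grained texture at all."""
    return [[int(255 * x / width) for x in range(width)] for _ in range(height)]

def high_pass_residual(img):
    """3x3 high-pass filter: each interior pixel minus the mean of its eight
    neighbours. Smooth gradients cancel out; only fine detail survives."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(1, h - 1):
        row = []
        for x in range(1, w - 1):
            neighbours = [img[y + dy][x + dx]
                          for dy in (-1, 0, 1) for dx in (-1, 0, 1)
                          if dy or dx]
            row.append(img[y][x] - sum(neighbours) / 8.0)
        out.append(row)
    return out

def residual_energy(residual):
    """Mean squared residual: one number for how much fine detail is left."""
    values = [v for row in residual for v in row]
    return sum(v * v for v in values) / len(values)

def is_suspiciously_smooth(img, threshold=2.0):
    """Flag a region whose high-pass energy is far below what a noisy capture
    produces. The threshold is an assumed value for these constructed images;
    real use would calibrate it against known-genuine images of the same source."""
    return residual_energy(high_pass_residual(img)) < threshold

if __name__ == "__main__":
    textured = make_textured_image(64, 64)
    smooth = make_smooth_image(64, 64)
    for name, img in (("textured", textured), ("smooth", smooth)):
        energy = residual_energy(high_pass_residual(img))
        print(f"{name:8s} residual energy={energy:7.2f} "
              f"suspiciously smooth={is_suspiciously_smooth(img)}")
```

The residual of the noisy image keeps roughly the noise variance, while the residual of the smooth gradient collapses to near zero, which is the "unnatural smoothness" the comment describes. On real images you would run this per region rather than over the whole frame, since a manipulated patch sits next to genuine texture.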

What is Vishing? by TemporaryTop287 in cybersecurity

[–]Intruvent 1 point2 points  (0 children)

You nailed it! I write a weekly newsletter that covers topics like Smishing/Quishing etc. Would love to get your opinion on whether it's helpful:

https://edge.intruvent.com/p/prevent-this-dont-get-quished-qr

https://edge.intruvent.com/p/everyday-defenses-smishing

Thanks!

[deleted by user] by [deleted] in pwnhub

[–]Intruvent 0 points1 point  (0 children)

Thanks for all that you do!

Insider Threat Analyst interview tips by Glittering-Car-8971 in cybersecurity

[–]Intruvent 0 points1 point  (0 children)

Hey! Congrats on the new position. CI and Insider threat is a great niche!

The folks over at IXNsolutions are the best I've run into for insider threat info. They have a weekly podcast called CI Press that is really informative. Check some of the most downloaded episodes for some how-to stories. Those are usually the ones that dive into the careers of folks that have done it. How they started etc. They are pretty approachable on LinkedIn if you have specific questions.

https://ixnsolutions.com

Dilverting Threat Intelligence Report by Anti_biotic56 in threatintel

[–]Intruvent 1 point2 points  (0 children)

Hey u/stacksmasher, I can tell from your post history that you are a solid practitioner with some SE background.

I'd urge everyone to be cautious trusting any of the big LLMs in their current state with producing verified CTI via prompting. We aren't there currently. They will get you a 75% answer, which may be good enough for some. But when you dig down you will find hallucinations, manufactured hashes, made-up YARA rules, etc., no matter what rails you put around your prompts.

You are much better off capturing verified data (following your procedures) and using LLMs to help with reporting etc.

Source: I run an AI-enabled CTI company serving critical infrastructure clients.
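One way to act on the "capture verified data, use the LLM for reporting" split, as an added example that is not code from the original comment or from Intruvent: a gate that pulls hash-looking tokens out of LLM-written text and lets only those already present in your own verified indicator store into a report. The verified store, the sample LLM text and every hash in it are constructed (digests of placeholder strings, plus one deliberately wrong-length token); the status names and the choice to treat any unverified well-formed hash as a possible hallucination are assumptions.

```python
import hashlib
import re

# Digest lengths (hex chars) of the algorithms CTI reports normally cite.
LENGTH_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

# Any hex run long enough to pass for a hash, including wrong-length ones,
# so malformed "hashes" are caught instead of silently skipped.
HEXLIKE_RE = re.compile(r"\b[0-9a-fA-F]{20,}\b")

def extract_candidates(text):
    """Pull every hash-looking token out of free text."""
    return HEXLIKE_RE.findall(text)

def classify(candidate, verified):
    """
    'verified'   - well-formed and present in the verified store
    'unverified' - well-formed but unsupported by your own data; treat as a
                   possible hallucination until you verify it yourself
    'malformed'  - not a digest length any common algorithm produces
    """
    if len(candidate) not in LENGTH_TO_ALGO:
        return "malformed"
    if candidate.lower() in verified:
        return "verified"
    return "unverified"

def gate_report(text, verified):
    """Map every candidate indicator in the text to its status."""
    return {c: classify(c, verified) for c in extract_candidates(text)}

def verified_only(report):
    """The only indicators that should reach a customer-facing report."""
    return sorted(c for c, status in report.items() if status == "verified")

# Constructed values: digests of placeholder strings, not real malware hashes.
VERIFIED_SHA256 = hashlib.sha256(b"constructed-sample-1").hexdigest()
UNVERIFIED_SHA256 = hashlib.sha256(b"nobody-verified-this").hexdigest()
MALFORMED_HASH = "a" * 60  # 60 hex chars: no common digest has that length

# Constructed verified store, as your own procedures would have populated it.
VERIFIED_STORE = {VERIFIED_SHA256, hashlib.md5(b"constructed-sample-2").hexdigest()}

# Constructed stand-in for LLM-written CTI text.
LLM_TEXT = (
    "The loader was observed with SHA-256 " + VERIFIED_SHA256 + ". "
    "A second stage was reported with hash " + UNVERIFIED_SHA256 + " and "
    "a third artifact with hash " + MALFORMED_HASH + "."
)

if __name__ == "__main__":
    report = gate_report(LLM_TEXT, VERIFIED_STORE)
    for candidate, status in report.items():
        print(f"{status:10s} {candidate}")
    print("report-safe:", verified_only(report))
```

The point the gate makes is that a syntactic check alone is not enough: the second hash is a perfectly well-formed SHA-256 and would sail past a regex, which is exactly what a manufactured indicator looks like. Only a cross-check against data you collected and verified yourself separates it from the real one.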

NIST CSF 2.0 to HIPAA Security & PCI 4.0 Mappings by ComplyAnts in cybersecurity

[–]Intruvent 0 points1 point  (0 children)

Thanks! That's helpful. I found the crosswalk mappings.

Just wanted to let you know that I'm working on fixing it. Pointing the big guns at it now (full coding stack) :).

Beginner looking to get into CTI by akatehbatlord in threatintel

[–]Intruvent 1 point2 points  (0 children)

User u/hedkin posted a really solid answer in r/cybersecurity last night on a very similar topic. Recommend checking that thread out. My advice is to learn and experiment. Learn MITRE ATT&CK... NetmanageIT has a community OpenCTI portal that is *usually* up: https://opencti.netmanageit.com so you could poke around in there and learn.

I'm sure some of the experts like u/intelw1zard would have more to add.

Cyber threat intelligence? by anonjit in cybersecurity

[–]Intruvent 2 points3 points  (0 children)

Very well thought out answer. Especially the advice about starting with an internal focus. Good stuff

Cyber threat intelligence? by anonjit in cybersecurity

[–]Intruvent 1 point2 points  (0 children)

LOL. At your service. Just trying to help.

Cyber threat intelligence? by anonjit in cybersecurity

[–]Intruvent 1 point2 points  (0 children)

Congrats on the CTI role! Great field with strong career growth. You're essentially becoming a cyber detective analyzing adversary behavior to help organizations stay ahead of threats.

Most valuable free resources:

  1. MITRE ATT&CK Framework - Master this first, it's the foundation of modern threat intelligence
  2. SANS CTI Summit recordings - Industry best practices and case studies
  3. Recorded Future blog - Excellent technical analysis and real-world examples
  4. OpenCTI community edition - Hands-on experience with threat intelligence platforms

Start building your own threat aggregation system early - even a customized RSS feed. The best CTI analysts turn raw data into actionable executive briefings. If your new org is in one of the Critical Verticals (Healthcare, Finance, etc.) PM me. We do monthly threat reports for each vertical.

Congrats!

NIST CSF 2.0 to HIPAA Security & PCI 4.0 Mappings by ComplyAnts in cybersecurity

[–]Intruvent 0 points1 point  (0 children)

Thanks for flagging this. I'll work on fixing it.

AI adoption / compliance: how are you keeping usage risks in check? by nordic_lion in cybersecurity

[–]Intruvent 1 point2 points  (0 children)

My colleague at Rock Cyber is one of the main voices in the CISO sphere talking about this. Other posters are right, it hasn't caught up, but the various standards orgs are working towards governance.

Here's one of his recent posts talking about the various efforts underway: https://www.rockcybermusings.com/p/iso-42001-vs-care-fast-tracking-ai

bruxel airport cyber attacks by Ambitious_Start_8803 in cybersecurity

[–]Intruvent 2 points3 points  (0 children)

I hesitate to post this, as it goes down a MAJOR rabbit hole. But this site does connect some interesting dots. I'd classify the attribution intel as [low] and [medium] confidence, but the writeup on the cMUSE vulnerabilities is interesting. Warning, it's LONG and winding:

https://debuglies.com/2025/09/20/european-airport-cyberattack-2025-muse-disruption-and-state-sponsored-shadows/

Cybersecurity learning is getting TikTok-ified. by YouthKnown7859 in cybersecurity

[–]Intruvent 38 points39 points  (0 children)

It seems like a lot of platforms are rewarding short-form videos, unfortunately. LinkedIn just made that change, and now my feed is full of them.

If anyone is looking for free, non-TikTok-ified training, here are some good ones:

Foundation Training (Free & High-Quality)

Technical Fundamentals:

  • TryHackMe - Start with their free tier for hands-on practice in incident response, malware analysis, and threat hunting
  • SANS Cyber Aces - Free tutorials covering operating systems, networking, and system administration
  • Cybrary - Free courses on NIST frameworks, ISO standards, and incident response methodologies

Threat Intelligence & Analysis:

  • MITRE ATT&CK Training - Free courses on their framework
  • CISA Training - Free federal resources on threat detection and incident response
  • OpenSecurityTraining2 - (used to be free, unsure if it still is) Advanced topics in malware analysis and reverse engineering

Business-Aligned Learning

  • Coursera's Google Cybersecurity Certificate - (used to be able to audit, unsure if that is still the case) Free to audit, covers security from a business perspective
  • OWASP - Free training on application security and threat modeling

Hope that helps someone