This report provides an overview of ongoing Iran-linked cyber operations, covering activity attributed to state-aligned proxies and hacktivist groups. The vulnerability classes it refers to are those suspected to be exploited by Iran-associated actors in real-world campaigns, consistent with the observed tactics, techniques, and procedures (TTPs); no individual CVEs are identified. Iran-linked operations continue to rely on distributed, lower-complexity techniques: phishing, DDoS, data exfiltration, and destructive attacks. Initial access is achieved primarily by exploiting known, unpatched vulnerabilities in exposed, internet-facing edge infrastructure, reflecting a persistent and opportunistic threat posture aimed at government, critical infrastructure, and enterprise environments.
For defenders, the practical point is that this activity is opportunistic rather than novel: initial access comes from known, unpatched vulnerabilities on exposed edge infrastructure, followed by phishing, DDoS, and data exfiltration against government, critical infrastructure, and enterprise targets. Because the report describes observed TTPs but names no individual CVEs, affected products, or patch versions, it cannot serve as a patch list on its own; it should be read alongside an inventory of internet-facing assets and the vendor advisories and known-exploited-vulnerability catalogs that do identify the affected products.