Cyber Toufan
Cyber Toufan is an Iran-aligned threat actor and hacktivist persona. Cited reporting describes it as a false-flag hacktivist operation associated with Iran's "Resistance Axis," and some reporting assesses it as a suspected Iranian state-sponsored operation. It has been observed operating alongside other pro-Iran personas, including Cyber Support Front, Iranian Avenger, DieNet, APTIran, and Cyb3r Drag0nz, including through a team referred to as the Electronic Operations Room of Islamic Resistance Axis.

The group has primarily been associated with targeting Israeli and defense-sector entities. Reporting states that Cyber Toufan targeted the Israeli defense sector and Israel-based users, including through use of the proprietary POKYBLIGHT wiper. It has also been linked to hack-and-leak activity intended to erode public trust, including leaks of sensitive schematics and personnel data. Specific claims attributed to the group include breaching the Israeli defense contractor Maya Engineering / Maya Defense, compromising security cameras and maintaining access for an extended period, and releasing employee names, photos, internal documents, CCTV footage, and footage of internal meetings and engineering work related to drones, tanks, missiles, and other defense systems. Reporting also states that the group leaked classified schematics for Australia's Redback infantry fighting vehicle, allegedly stolen from an Israeli contractor.

In broader conflict-related reporting, Cyber Toufan is described as part of Iran's wider ecosystem of proxy or hacktivist groups used for retaliatory messaging and influence operations. During periods of regional escalation, it has been cited as re-engaging or emerging alongside other pro-Iran groups. Multiple sources assess such groups as often relying on unsophisticated tactics, broad or embellished claims, and propaganda amplification, although Cyber Toufan is also specifically associated with destructive malware activity via POKYBLIGHT.

During the late November 2023 Israel-Hamas ceasefire, Cyber Toufan reportedly stated it was pausing operations until the war resumed, and between November and December 2023 it reportedly claimed more than 100 Israeli victims on its leak site. Known alias in cited reporting: cyber_toufan.
Targeting
Who is targeted, where, and (when attributed) which state is behind the operation. Drawn from open-source reporting and analyst review.
Where they target
Geographies tied to known operations.
- 🇮🇱 Israel
Where they're from
Attributed origin per open-source reporting.
- IR (Iran)
Tradecraft
3 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Recent activity
11 sources tracked across advisories, community write-ups, and news. Summaries of their findings:
Iran-aligned persona observed operating through the Electronic Operations Room of Islamic Resistance Axis.
Iran-linked false-flag hacktivist operation described as part of Iran's Resistance Axis; claimed large numbers of Israeli victims during the 2023 ceasefire period.
Named Iranian-aligned hacktivist/proxy group expected to increase activity; framed as part of a distraction layer and alignment signal for Iranian cyber ecosystem shifts.
Pro-Iran hacktivist group that re-engaged or emerged during the conflict; associated generally with misinformation, incitement, and low-sophistication activity.