Altoufan Team, also rendered as AL Toufan, Al-Toufan, ALTOUFAN TEAM, and altoufan_team, is a pro-Iranian threat persona active in Middle Eastern cyber operations and hacktivist-style campaigns. Reporting consistently places it within the broader Iran-aligned cyber ecosystem and, in some assessments, links it to the Islamic Revolutionary Guard Corps (IRGC). It has also been described as a revived persona associated with Cotton Sandstorm, an Iranian state-linked actor tied to hack-and-leak and influence operations. Altoufan Team is further referenced as part of the wider Islamic Cyber Resistance or Cyber Isnaad Front milieu alongside groups such as 313 Team, Fatimion Cyber Team, FAD Team, Liwaa Mohammad, Unit 313, Gaza313, and Al Safwa, with apparent coordination from Iraqi territory in support of the Axis of Resistance narrative. The group’s activity has centered on politically motivated operations against Israel, Bahrain, Kuwait, Jordan, and other Gulf targets, as well as entities portrayed as representing U.S. or allied presence in the region. Its early operations were dominated by public claims of distributed denial-of-service attacks and short-lived disruptions against government, media, aviation, and commercial websites, consistent with visibility-seeking hacktivist behavior. It has also been cited in campaigns targeting Bahrain with antisemitic and inflammatory messaging intended to provoke social tension and attach U.S.-aligned states to the Israel-Palestine conflict. More recent reporting indicates an apparent evolution in Altoufan Team’s claims from website disruption toward intrusion and industrial-control narratives. The group has claimed compromises involving operational technology and SCADA-related environments, including manipulation of industrial processes and surveillance systems. These claims, if accurate, would represent a significant escalation from nuisance-level disruption to critical infrastructure targeting, although public corroboration of the full extent of such access remains limited. Operationally, Altoufan Team fits the pattern of Iran-aligned proxy or front activity that blends ideological propaganda, Telegram-based amplification, opportunistic targeting, and deniable cyber effects. Its messaging is strongly aligned with anti-Israel and anti-U.S. themes, and it frequently appears in clusters of mutually reinforcing personas that amplify one another’s attack claims. Across available reporting, the group is best characterized as an Iran-aligned, resistance-branded cyber actor used for disruptive operations, psychological signaling, and possibly limited intrusion activity within the broader regional proxy cyber ecosystem.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Attributed origin per open-source reporting.
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Iran-aligned hacktivist group involved in Gulf cyber campaign activity, especially through coordinated messaging, disruption claims, and broader intrusion narratives.
IRGC-linked pro-Iranian group conducting early retaliatory operations, including DDoS, website compromise claims, and later claimed intrusions into SCADA/industrial control environments in Jordan and against U.S./Israeli-linked regional targets.
Group targeting Bahrain as part of influence and social-polarization operations tied to antisemitic messaging and provocation.
Iraqi territory-based pro-Iran cyber proxy group within the Islamic Cyber Resistance ecosystem.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.