Exploits CVEs in the wild

iranian_nation_state_actors

Also known asiranian_nation_state_actors

Iranian nation-state cyber actors (no specific sub-groups or aliases named in the provided content). Reporting cited in the content indicates these actors conduct intrusions for intelligence collection and operational support, including gathering real-time intelligence used to enable or support non-cyber military operations (e.g., facilitating missile strikes). The content also states Iran blends espionage, disruption, and influence operations, including the use of AI-generated content for propaganda. Additionally, Microsoft reporting referenced in the content notes Iranian threat actors have increased ransomware attacks as part of influence operations. No further high-confidence details on specific tooling, victimology, or TTPs beyond these points are directly provided.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2023-27350Unauthenticated Authentication Bypass and RCE in PaperCut MF/NGIn the wildEvidence1

Earlier this April, another remote code execution vulnerability in the same product (CVE-2023-27350, CVSS score: 9.8)... came under widespread exploitation in the wild to deliver Cobalt Strike and ransomware.

CVE-2023-27351Authentication Bypass in PaperCut NG/MF SecurityRequestFilterIn the wildEvidence1

...and an information disclosure flaw (CVE-2023–27351) came under widespread exploitation in the wild to deliver Cobalt Strike and ransomware. Iranian nation-state actors were also spotted abusing the bugs...

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

securitysenses blogNews

Dec 1, 2025

December 1, 2025 Cyber Threat Intelligence Briefing

Conducting cyber intrusions to gather real-time intelligence in support of kinetic military operations, such as missile strikes.

help net securityNews

Nov 5, 2025

Google says 2026 will be the year AI supercharges cybercrime

Iranian nation-state actors blend espionage, disruption, and influence operations, using AI-generated content for propaganda and fake news to support regional objectives.

security online infoNews

Oct 17, 2024

600 Million Daily Cyberattacks: Microsoft’s Alarming Report

Iranian nation-state actors have increased their activity, now using ransomware as part of influence operations to further their geopolitical objectives.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.