APT Iran
APT Iran is a self-styled pro-Iran hacktivist or state-aligned cyber persona active on Telegram and darknet marketplaces, associated in the reporting with disruptive operations, data-theft claims, ransomware-style extortion, and OT/ICS-themed activity. The actor is described as conducting operations against Israeli infrastructure and against Gulf states perceived as aligned with Israel or the United States, including Jordan, Saudi Arabia, Bahrain, and Kuwait. Reported targets also include Israeli academic and government systems, Jordanian critical infrastructure, U.S. defense contractor Lockheed Martin, and a U.S. water treatment control system.
Across the cited reporting, APT Iran claimed a month-long intrusion into Jordanian critical infrastructure, including alleged manipulation of power plant controls to reduce electricity output and intrusion into grain storage systems with claimed manipulation of storage temperatures and wheat-weight reporting. It also published a screenshot of what appeared to be an active HMI panel for a Kupferle Water Solutions water treatment control system in Missouri, claiming the device had been accessed, rebooted, and backed up; these OT/ICS claims were noted as unverified in the reporting. The actor was also cited as engaging in data exfiltration and ransomware attacks on Israeli academic and government systems.
APT Iran publicly claimed to have exfiltrated 375 TB of data from Lockheed Martin, including purported F-35 blueprints, and to be selling the data for more than $598 million or demanding a ransom exceeding $400 million to prevent sale to U.S. adversaries. Reporting noted these claims were promoted via Telegram and on the Russian-language darknet marketplace Threat Market, and at least one assessment described the Lockheed Martin claim as implausible and unverified.
Sophos reporting characterized the group's observed activity more broadly as DDoS attacks, website defacements, and unverified compromise claims involving Israeli infrastructure. The actor has also been linked to the marketing of an offensive OT framework via Tor-accessible marketplaces, promoted as a tool for industrial and military control-network exploitation, including capabilities related to protocol scanning and electric-grid manipulation. Reporting states the APT IRAN channel advertised the framework and teased a demo focused on "the insecurity of the United States of America."
Multiple sources in the content associate APT Iran with Iranian state structures. The reporting says researchers found links between the APT IRAN channel and the Islamic Revolutionary Guard Corps (IRGC), describes the actor as closely linked to CyberAv3ngers, and notes some sources claim APT Iran is effectively a rebranding or subdivision of IRGC cyber elements, including the IRGC Cyber Command (IRGC-CEC). These links are reported claims in the source material.
Known aliases or related identities mentioned in the content include Brona Blanco, a Telegram identity reportedly adopted after attention around the Lockheed Martin claims, and Cyber4vengers/CyberAv3ngers as closely linked or overlapping entities.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Military
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- IR (Iran)
Tradecraft
15 distinct techniques observed across reporting, grouped by tactic.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Iranian-affiliated espionage actor reportedly involved in exfiltrating and attempting to sell sensitive defense-sector data, including alleged Lockheed Martin/F-35-related information.
Pro-Iranian hacktivist/cyber persona using Telegram and a Russian-language darknet marketplace to promote an alleged Lockheed Martin data breach, inflate breach significance, and reactively change identity under perceived pressure.
Named pro-Iranian activity cluster/persona involved in retaliatory cyber operations targeting Israeli and Western entities.
Pro-Iran hacktivist collective claiming a massive data theft from Lockheed Martin, including alleged F-35 blueprint copies, and previously claiming attacks against Jordan's critical infrastructure. The group is also reported to have sought a ransom exceeding $400 million to prevent sale of sensitive data to U.S. adversaries.