Threat Actor Characterization

Iranian Avenger

ID: 31464ffaf91cd94be2f0a1f29a3b2444
Hacktivist Group Hacktivism
Threat types: Hacktivism, Intrusion, DDoS, Defacement, Pro-Iran
Iran ISR, USA
Updated: 2026-03-15
Created: 2026-03-04
Progress: 72% Completeness: 73% Freshness: 70%
Operation zone: Israel, United States
Aliases: No aliases registered.
MITRE ATT&CK®

Iranian Avenger is a pro-Iran retaliatory cyber persona publicly identified during the March 2026 escalation. Current public evidence most strongly supports DDoS, defacement-style disruption, opportunistic credential pressure, broad compromise claims, and retaliatory messaging rather than distinctive high-end intrusion tradecraft.


Technique | Technique name | Tactics | Evidence

T1498 | Network Denial of Service | TA0040
  • 2026-02-28 — Sophos assessed that the most likely activity in the escalation window included disruptive operations, and specifically advised vigilance for DDoS in the same cluster environment in which Iranian Avenger was identified.
  • 2026-03-13 — SOCRadar's conflict dashboard showed DDoS as the dominant attack type across the wider campaign environment, supporting conservative cluster-based mapping for actors such as Iranian Avenger.

T1491.001 | Internal Defacement | TA0040
  • 2026-03-01 — INFERENCE (confidence: medium): Sophos and follow-on reporting characterize the surrounding actor set as using unsophisticated tactics and website-impact behaviors, making external defacement a plausible cluster-consistent technique for Iranian Avenger.

T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2026-02-28 — INFERENCE (confidence: low-medium): Sophos explicitly warned organizations to remain vigilant for credential attacks in the same conflict environment in which Iranian Avenger was active.

T1589 | Gather Victim Identity Information | TA0043
  • 2026-03-01 — INFERENCE (confidence: low): broad compromise claims and retaliatory messaging against visible public-sector and critical-infrastructure targets imply at least basic target identification and victim selection activity.

Strategic Intelligence
Last updated: 2026-03-15T13:38:39+00:00

Iranian Avenger

Classification: TLP:WHITE — (Cyber / Pro-Iran Hybrid Hacktivist Brand / Low-Maturity Crisis-Era Retaliatory Persona)

Author: iQBlack Team


Executive Summary

Iranian Avenger is a pro-Iran cyber actor label publicly visible during the latest phase of regional escalation in early March 2026. The strongest current open-source evidence for the actor does not support a mature, deeply evidenced intrusion program. Instead, reputable reporting places Iranian Avenger among the emerging or reactivated pro-Iran hacktivist brands that surged after the 2026 U.S.–Israel strikes on Iran and then relied primarily on noisy retaliatory messaging, unsophisticated tactics, and broad or embellished cyber claims.


Available public reporting associates the actor with the Telegram/X/underground-forum propaganda layer of the conflict environment, where DDoS narratives, website defacement, unverified infrastructure compromise claims, and incitement messaging are common. Sophos X-Ops CTU explicitly grouped Iranian Avenger with Cyber Toufan, Cyber Support Front, and Cyb3r Drag0nz as brands that were amplifying retaliatory messaging while generally exhibiting limited sophistication and uneven operational validation.

OSINT Library
Last saved: 2026-03-15T13:40:13+00:00

OSINT Library — Iranian Avenger

2026-03-01 — Sophos X-Ops — "Hacktivist campaigns increase as United States, Iran, and Israel conflict intensifies"

https://www.sophos.com/en-us/blog/hacktivist-campaigns-increase-as-united-states-iran-and-israel-conflict-intensifies
