
Threat Actor Characterization

Mahdi Lashgarian

ID: bd1c4dda869dd9a6f9450fcc24ef675b53497
Cybercrime Cyber Espionage Cybercriminal Hacktivist
Threat types: Hacktivism
Unknown
Updated: 2026-03-19
Created: 2026-03-19
Progress: 69% Completeness: 69% Freshness: 70%
Aliases: Mehdi Lashgarian, مهدی لشگریان
MITRE ATT&CK®

Mahdi Lashgarian is a publicly named senior official of the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). Open reporting ties him to the command environment behind CyberAv3ngers-linked critical-infrastructure targeting and to a broader IRGC-CEC ecosystem that includes proxy branding and OT/IoT-focused activity.


Technique | Technique name | Tactics | Evidence
T1110 | Brute Force | TA0006
  • 2023-12-02 — Joint advisory reporting on the IRGC-affiliated Unitronics compromise showed abuse of default credentials. INFERENCE (confidence: high): as a senior IRGC-CEC official publicly associated with CyberAv3ngers-linked activity, Mahdi Lashgarian is linked at the supervisory level to this credential-abuse pattern.
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2023-12-02 — IRGC-affiliated actors used valid default credentials to access exposed Unitronics devices. This valid-account pattern is central to the CyberAv3ngers ecosystem publicly tied to Mahdi Lashgarian.
T1491.001 | Internal Defacement | TA0040
  • 2023-12-02 — Compromised Unitronics HMIs displayed anti-Israel defacement messaging attributed to CyberAv3ngers-linked operations.
T1565.001 | Stored Data Manipulation | TA0040
  • 2023-12-02 — Public advisory reporting indicates interface and project manipulation on compromised HMI devices. INFERENCE (confidence: medium-high): this aligns with stored data manipulation in the ecosystem tied to Mahdi Lashgarian.
T1595 | Active Scanning | TA0043
  • 2024-05-30 — Microsoft documented a common attack methodology focused on discovering internet-exposed, poorly secured OT systems in CyberAv3ngers-linked activity.
T1105 | Ingress Tool Transfer | TA0011
  • 2024-12-10 — Claroty described IOCONTROL as a modular Linux-based OT/IoT malware framework communicating with attacker-controlled infrastructure. INFERENCE (confidence: medium): this reflects ingress and egress tool transfer behavior in the ecosystem publicly associated with Mahdi Lashgarian.
T1583.001 | Domains | TA0042
  • 2024-04-23 — Treasury designated front companies and affiliated operators acting for or on behalf of IRGC-CEC. INFERENCE (confidence: medium-high): Mahdi Lashgarian operates within a command environment that relies on organizationally acquired or controlled infrastructure and support structures.
Strategic Intelligence
Last updated: 2026-03-20T02:41:06+00:00

Mahdi Lashgarian

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Author: iQBlack Team


Executive Summary

Mahdi Lashgarian is publicly identified by the U.S. Department of the Treasury as a senior official of the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). Public sanctions and reward reporting also place him inside the same leadership environment linked to CyberAv3ngers activity targeting exposed industrial control assets and, later, to a broader Iran-linked OT/IoT malware and proxy-brand ecosystem.


Unlike public-facing handles or propaganda personas, Mahdi Lashgarian appears in open sources as a named state official rather than as a visible online operator. His analytical importance therefore comes from organizational position and repeated public linkage to IRGC-CEC-related malicious cyber activity, not from a rich trail of personal social-media presence, leaked chats, or directly observed hands-on-keyboard tradecraft.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — Mahdi Lashgarian

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook

Hunting Playbook — Mahdi Lashgarian

Classification: TLP:WHITE

IOC Appendix
Last updated: 2026-03-20T02:43:15+00:00

IOC Appendix — Mahdi Lashgarian

Classification: TLP:WHITE

OSINT Library
Last saved: 2026-03-20T02:43:27+00:00

OSINT Library — Mahdi Lashgarian


2024-02-02 — U.S. Department of the Treasury — “Treasury Sanctions Actors Responsible for Malicious Cyber Activities on Critical Infrastructure”

Social Media & Communication

No social links registered for this profile.