
Threat Actor Characterization

Hamid Reza Lashgarian


ID: dc8eceafd88a3bf25d2d43d57b6c4d3499330
Cybercrime Cyber Espionage Cybercriminal Hacktivist
Threat types: Hacktivism
Unknown ISR
Updated: 2026-03-19
Created: 2026-03-19
Progress: 84% Completeness: 81% Freshness: 90%
Operation zone: Israel
Aliases: Hamidreza Lashgarian, حمیدرضا لشگریان
MITRE ATT&CK®

Hamid Reza Lashgarian is the publicly identified head of the IRGC Cyber-Electronic Command (IRGC-CEC) and a commander in the IRGC-Qods Force. He is best assessed as a state cyber leadership figure linked to the command structure behind CyberAv3ngers and related critical-infrastructure cyber activity.


Technique | Technique name | Tactics | Evidence
T1110 | Brute Force | TA0006
  • 2023-12-02 — Joint advisory states IRGC-affiliated actors compromised Unitronics devices through default credentials. INFERENCE (confidence: high): as head of IRGC-CEC, Lashgarian is linked at the supervisory level to this credential-abuse tradecraft.
  • 2024-10-09 — OpenAI reported CyberAv3ngers-linked accounts asking for default usernames and passwords for PLCs and industrial routers, reinforcing the credential-abuse pattern in the ecosystem Lashgarian leads.
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2023-12-02 — IRGC-affiliated actors logged into exposed Unitronics devices with valid default credentials. INFERENCE (confidence: high): this valid-account pattern is central to the publicly linked IRGC-CEC activity.
T1491.001 | Internal Defacement | TA0040
  • 2023-12-02 — Compromised Unitronics HMIs displayed anti-Israel defacement messaging attributed to CyberAv3ngers-linked operations.
T1565.001 | Stored Data Manipulation | TA0040
  • 2023-12-02 — Public advisory reporting indicates interface/project manipulation on HMI devices. INFERENCE (confidence: medium-high): this aligns with stored data manipulation within the linked operational ecosystem.
T1595 | Active Scanning | TA0043
  • 2024-10-09 — OpenAI reported reconnaissance requests for industrial routers, PLCs, protocols, and electricity-related targets by CyberAv3ngers-linked accounts.
T1059.004 | Unix Shell | TA0002
  • 2024-10-09 — CyberAv3ngers-linked operators sought assistance with bash scripting. INFERENCE (confidence: medium): this supports command-level understanding of Linux/OT scripting use in the ecosystem Lashgarian leads.
T1059.006 | Python | TA0002
  • 2024-10-09 — CyberAv3ngers-linked operators sought Python scripting and debugging support, including recon-related code tasks.
T1105 | Ingress Tool Transfer | TA0011
  • 2024-12-10 — Claroty described IOCONTROL as a modular Linux-based OT/IoT malware framework communicating with attacker-controlled infrastructure. INFERENCE (confidence: medium): this reflects ingress/egress tool transfer behavior within the IRGC-CEC-linked ecosystem.
T1583.001 | Domains | TA0042
  • 2024-04-23 — Treasury designated MASN and DAA as front companies supporting malicious cyber activity for the IRGC-CEC. INFERENCE (confidence: high): Lashgarian's command environment relies on organizationally acquired or controlled infrastructure and companies.
Strategic Intelligence
Last updated: 2026-03-20T02:24:41+00:00

Hamid Reza Lashgarian

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Author: iQBlack CTI Team


Executive Summary

Hamid Reza Lashgarian is publicly identified by the U.S. Department of the Treasury and Rewards for Justice as the head of the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) and, simultaneously, as a commander in the IRGC-Qods Force. In open sources, this makes him one of the clearest named senior officials tied to the state-linked command structure behind the CyberAv3ngers ecosystem and related malicious cyber activity affecting critical infrastructure.


Public reporting does not present Lashgarian as a noisy online “handle” or a visible operator persona. Instead, he appears as a senior command-and-control figure whose significance derives from organizational leadership, state authority, and linkage to a broader portfolio of Iranian cyber and intelligence operations. His relevance to defenders therefore lies less in direct attribution of hands-on keyboard activity to him personally, and more in understanding the leadership node that appears to sit above operational brands, front companies, and supporting personnel.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — Hamid Reza Lashgarian

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook

Hunting Playbook — Hamid Reza Lashgarian

Priority: High for OT/ICS-heavy organizations, critical infrastructure operators, water/wastewater, fuel-management environments, and enterprises with internet-exposed industrial devices.

IOC Appendix
Last updated: 2026-03-20T02:27:14+00:00

IOC Appendix — Hamid Reza Lashgarian

Classification: TLP:WHITE

OSINT Library
Last saved: 2026-03-20T02:27:46+00:00

OSINT Library — Hamid Reza Lashgarian


2024-02-02 — U.S. Department of the Treasury — “Treasury Sanctions Actors Responsible for Malicious Cyber Activities on Critical Infrastructure”

Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.