Iran is shifting from Ransomware-as-a-Service to a far more destructive model: Wiper-as-a-Service. In this analysis, Rafael Franco, Founder and CEO of Code Blue, explains how state-level cyber capabilities are being distributed to proxy actors, accelerating impact and raising the stakes for organizational resilience.
Recently, a troubling picture has begun to emerge. Iran is successfully adopting an operating model long familiar from the cybercrime world, Ransomware-as-a-Service (RaaS), but is taking it one step further, toward a more destructive direction: Wiper-as-a-Service.
In several investigations we conducted over the past month across different companies and organizations, we identified similar attack tools being used by different threat groups. This finding leads to the assessment that MOIS, Iran’s Ministry of Intelligence and one of the most significant actors in the cyber arena, has adopted a new operating model: the mass distribution of advanced attack tools to pro-Iranian groups.
In addition, another significant indicator was identified. Wiper tools that were previously associated almost exclusively with Iranian state actors are now being observed, for the first time, in use by proxy actors. This finding reinforces the assessment that advanced destructive capabilities are being decentralized and delegated to semi-independent entities.
Beyond tool distribution, a more advanced model of operational division of labor is also emerging. One actor gains access and performs reconnaissance, and another actor later executes the destructive phase. Recent research points to systematic “handoffs” between different groups, a process that indicates a modular and organized operational structure, not merely ad hoc tool sharing. This process significantly shortens the time to impact.
As part of one of our investigations, an unusual operational indicator was also observed. A VPN connection failure during an attack activity exposed a real source IP address, located near the University of Tehran. This finding strengthens the assessment that some of the activity still relies on local infrastructure and occasionally suffers from operational failures.
This approach is part of a broader strategy to accelerate the volume of attacks by activating proxy groups such as Anonymous for Justice, Handala, Moses Staff, and similar entities.
Additionally, similarities have been identified between destructive attacks attributed to Iran in other arenas, for example Albania, and recent activity against Israeli targets, including the use of similar tools and operating patterns. The implication is clear: these are not isolated incidents, but a repeatable procedure that is becoming an operational routine.
Another assessment is that the Iranian regime is struggling to carry out direct attacks, in part due to infrastructure limitations and internet isolation. As a result, it has chosen to transfer some of its offensive capabilities to proxy actors. In practice, this creates a distributed network of cyber-terror groups operating on Iran’s behalf, enabling greater flexibility and operational resilience.
At the same time, it is evident that Iran is not only adopting techniques, but also the cybercrime ecosystem itself. This includes the use of models, services, and infrastructures traditionally associated with cybercrime, in order to scale and accelerate activity.
Moreover, unlike in the past, when plausible deniability was a central component, its importance appears to be diminishing. The growing use of proxies, combined with operational exposure and the broad scope of activity, points to a shift toward a less restrained approach, in which impact and damage take precedence over strict concealment.
In practice, an environment is emerging in which ostensibly “independent” actors operate under ideological motivations, while benefiting from state guidance, tools, and in some cases infrastructure.
There are also indications that some pro-Iranian actors are functioning as Initial Access Brokers, specializing in obtaining initial access and enabling other groups to carry out subsequent attack phases. This may represent a coordinated move toward functional specialization within the Iranian attack chain.
Similar to the rapid expansion of the RaaS model after the COVID period, we are likely to see a spillover of state-level capabilities to semi-independent actors without a restraint model. The result is that groups that previously focused mainly on influence operations now possess advanced and destructive attack capabilities.
Iran’s cyber effort also serves as a complementary response to gaps in the kinetic arena and constitutes a central tool for influence, deterrence, and disruption. Microsoft has described recent Iranian activity as a shift toward a broad, coordinated, and increasingly aggressive operational model, both in scale and in level of destruction.
Furthermore, the combination of technical destruction and psychological influence is not a byproduct, but an inherent part of the model. Destructive attacks are combined with publicity, data leaks, and sometimes deliberate exaggeration of achievements to create a wide psychological effect.
From a strategic perspective, the proxy model provides Iran with new capabilities that are not dependent on internet isolation or weak infrastructure and also complicates targeted kinetic disruption of infrastructure that is sometimes located outside the country.
Summary
- Pro-Iranian groups are becoming central actors in Iran’s cyber effort.
- State-level capabilities and tools are being distributed to proxy actors, and a decentralized “proxy cyber” model is emerging.
- We are likely to see additional organizations joining the Iranian umbrella, forming hybrid entities that combine cybercrime and cyber terrorism. Extortion may evolve toward wiper-based models, making it increasingly difficult to determine whether the motivation is financial or state-driven.
We expect to see an increase in the volume of attack attempts against Israel, North America, countries in the Middle East, and European partners. This assessment is also supported by official warnings regarding Iranian activity against critical infrastructure in the United States, including operational systems and industrial controllers.
The implication is not only an increase in the number of attacks, but a shift toward a direct threat to operational continuity: service disruption, system shutdowns, and immediate damage to business operations.
Accordingly, every organization must reassess its emergency preparedness and ensure organizational and operational readiness to cope with this evolving threat. This includes recovery capabilities, transition to manual operations, and rapid restoration of critical systems. In this context, it is recommended to establish technical emergency protocols and backup environment procedures.
We are at your disposal for any questions or clarifications.
Sincerely,
Rafael Franco
Founder and CEO, Code Blue