Two Heads, Same Hydra: How Iran's Dueling Intelligence Agencies Target Identity Infra

Author: Barrett Woodside

Topic: Identity Security

The cybersecurity industry tends to lump Iranian threat actors into a single bucket, "Iranian APTs," as though the Islamic Republic's cyber apparatus were a monolith. It isn't. Iran's offensive cyber operations are split between two powerful, sometimes competing organizations: the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). Each operates with different mandates, institutional cultures, and strategic objectives — and those differences manifest in strikingly divergent approaches to compromising identity systems, harvesting credentials, and exploiting governance gaps.

For defenders (especially those responsible for identity governance and access management), understanding the distinction isn't academic. The way you architect your identity security posture should account for both styles of attack. One agency will try to trick your users into giving up their passwords through months-long social engineering campaigns. The other will quietly enumerate your Active Directory forest (read our docs to learn how to secure AD with Opal), exploit unpatched privilege escalation vulnerabilities, and sell the access on criminal forums.

This post unpacks how IRGC-backed and MOIS-backed APT groups differ in their approach to identity-related attacks, and what that means for security practitioners building resilient access governance programs.

The Organizational Divide

Before examining their tactics, it's worth understanding why these two agencies exist in parallel and what drives their divergence.

The IRGC is a branch of Iran's armed forces, founded in 1979 to protect the ideological legacy of the Islamic Revolution. It reports directly to Iran's Supreme Leader, bypassing the civilian presidency entirely. The IRGC's cyber operations are run primarily through the Cyber-Electronic Command (IRGC-CEC), a dedicated unit that the U.S. Treasury has sanctioned multiple times for targeting critical infrastructure. The IRGC's mission is fundamentally ideological — defending the revolution from internal and external threats — and that ideology permeates its cyber operations.

The MOIS, by contrast, is Iran's civilian intelligence service. It reports to the President, not the Supreme Leader. While its mandate also includes protecting the regime, the MOIS is generally assessed to be more technically focused and less ideology-driven than the IRGC. Its cyber operations tend toward traditional espionage: patient, methodical intelligence collection against government, energy, telecommunications, and maritime targets.

Both agencies operate through front companies and contracted threat actors, creating a layered ecosystem where attribution is deliberately muddied. But their underlying philosophies produce meaningfully different threat profiles — particularly when it comes to identity and access.

The IRGC Playbook: Social Engineering at Scale

These are the IRGC's most prominent cyber groups:

  • APT42
  • APT35 (Charming Kitten)
  • APT33 (Elfin)

They all share a signature characteristic: they are obsessive credential harvesters who invest heavily in human-layer attacks.

APT42, which Mandiant formally designated in 2022, epitomizes the IRGC's approach. Affiliated with the IRGC Intelligence Organization (IRGC-IO), APT42 runs what can only be described as long-duration social engineering campaigns. Operators build fake personas — journalists, academics, conference organizers — and engage targets in weeks or months of legitimate-seeming correspondence before ever sending a malicious link. When the payload finally arrives, it's typically a credential harvesting page impersonating Google, Microsoft, or a university login portal.

The targeting is intensely personal. APT42 has impersonated Harvard faculty to target NGO leaders, posed as Wall Street Journal reporters to phish Iranian diaspora activists, and created fake conference invitation workflows to compromise policy researchers. Once credentials are harvested, the group moves into cloud environments — Microsoft 365, Google Workspace — and uses built-in platform features to exfiltrate data, minimizing their forensic footprint.

APT35 operates with a similar philosophy but at broader scale. This group has conducted massive credential spraying campaigns targeting thousands of accounts simultaneously, while also running tailored spear-phishing operations against high-value individuals. In one documented 30-day period, APT35 made over 2,700 attempts to compromise targeted email accounts.

From an identity governance perspective, the IRGC's approach exposes specific weaknesses. Their attacks succeed when organizations lack granular visibility into authentication anomalies — unusual login locations, credential harvesting patterns that precede bulk access, MFA registration changes that go unreviewed. They exploit the gap between "a user authenticated successfully" and "that authentication represented legitimate access." They thrive in environments where identity governance treats authentication as a binary event rather than a continuous signal.

The IRGC has also increasingly blurred the line between state operations and hacktivism. Groups like CyberAv3ngers initially presented themselves as ideologically motivated hacktivists before being directly attributed to the IRGC-CEC by the U.S. Treasury. In late 2023, CyberAv3ngers compromised at least 75 Unitronics programmable logic controllers across U.S. critical infrastructure, including water treatment facilities, by exploiting devices with default or no passwords. This represents the other edge of the IRGC's identity-related attack surface: not sophisticated credential theft, but the exploitation of utterly basic access control failures — default credentials on internet-exposed operational technology.

The MOIS Playbook: Technical Persistence and Network Exploitation

The MOIS-affiliated groups — MuddyWater, APT34 (OilRig), Hexane, and Agrius — operate with a fundamentally different cadence. Where the IRGC invests in humans, the MOIS invests in infrastructure. Where the IRGC phishes for cloud credentials, the MOIS exploits network perimeters and burrows into Active Directory.

MuddyWater, perhaps the most prolific MOIS-aligned group, is known for its "living off the land" approach — using legitimate system tools like PowerShell, WMI, and native Windows utilities to conduct reconnaissance and lateral movement. Once inside a network, MuddyWater operators enumerate domain controllers, map trust relationships using tools like Nltest, and query LDAP to identify privileged accounts and group memberships. The goal isn't to steal a single user's Gmail password. It's to map the entire identity fabric of an organization and find the seams.

APT34 (OilRig) takes this even further. Known for its custom backdoors and DNS tunneling techniques, OilRig targets government agencies, financial institutions, and energy companies with campaigns designed to establish long-term persistent access. OilRig's operations are characterized by patience — the group will maintain a foothold for months, slowly escalating privileges, harvesting Kerberos tickets, and moving laterally through trust relationships before extracting data.

A joint advisory issued by the FBI, CISA, NSA, and international partners in October 2024 documented how Iranian actors affiliated with MOIS operations used brute force attacks and MFA push-bombing to compromise accounts across healthcare, government, energy, and technology sectors. The critical detail was what happened after initial access: the actors modified MFA registrations to ensure persistent access, performed extensive network discovery to identify additional credential stores, and then sold that access on cybercriminal forums. This commodification of access — harvesting identities and governance data for resale — is a distinctive MOIS pattern that introduces downstream risks far beyond the original compromise.

The MOIS approach exploits different governance failures than the IRGC's. Where IRGC campaigns succeed against weak phishing defenses and poor authentication monitoring, MOIS operations thrive in environments with excessive standing privileges, unmonitored service accounts, stale access entitlements, and insufficient segmentation between identity tiers. They exploit the difference between "who has access" and "who should have access" — the exact gap that identity governance programs exist to close.

Convergent Threat, Divergent Defenses

Despite their differences, both agencies increasingly target the same identity infrastructure attack surface — they just enter through different doors.

The IRGC starts with the human layer. A compromised credential from a well-crafted phishing campaign becomes the initial foothold. From there, IRGC operators pivot into cloud identity platforms, modify MFA settings, and use legitimate application features to maintain access and exfiltrate data. The kill chain runs through the user, into the identity provider, and out through the cloud.

The MOIS starts with the network layer. A brute-forced password or an exploited perimeter device provides entry. From there, MOIS operators map Active Directory, harvest cached credentials, exploit privilege escalation vulnerabilities like ZeroLogon (CVE-2020-1472), and move laterally through domain trusts. The kill chain runs through the perimeter, into the directory, and across the network.

Both paths converge on the same critical asset: the identity plane. Whether an attacker arrives via a spoofed Google login page or a brute-forced VPN credential, the ultimate objective is the same — accumulate enough identity context and privilege to access sensitive systems and data.

This convergence means that defenders can't afford to optimize for only one attack style. An organization that invests exclusively in anti-phishing training and MFA hardening may blunt IRGC-style campaigns while remaining vulnerable to MOIS-style network exploitation. Conversely, an organization that focuses only on network segmentation and Active Directory hardening may miss the cloud-native credential theft campaigns that IRGC groups specialize in.

What This Means for Identity Governance

The dual-agency threat model demands an identity governance approach that addresses both the human-layer and infrastructure-layer attack surfaces simultaneously. Several principles emerge.

First, continuous access validation matters more than point-in-time certification. Both IRGC and MOIS groups exploit the gap between when access is granted and when it's reviewed. IRGC operators modify MFA registrations and persist in cloud environments for weeks. MOIS operators maintain network footholds for months. Annual or quarterly access reviews are insufficient against adversaries who operate between review cycles. Organizations need real-time visibility into access patterns, authentication anomalies, and privilege changes.

Second, least privilege isn't just a network concept — it's an identity concept. MOIS groups exploit excessive standing privileges and stale entitlements to move laterally. IRGC groups exploit overly permissive cloud configurations to pivot from a single compromised account into broader organizational data. Reducing standing privileges, implementing just-in-time access provisioning, and continuously auditing entitlements reduces the blast radius of both attack styles.

Third, identity telemetry must span both cloud and on-premises environments. IRGC campaigns increasingly terminate in cloud environments — Microsoft 365, Google Workspace, Azure AD — while MOIS campaigns remain heavily oriented toward on-premises Active Directory and network infrastructure. Organizations that monitor only one environment create blind spots that sophisticated adversaries will find and exploit.

Fourth, MFA is necessary but insufficient. Both agencies have demonstrated the ability to bypass or subvert MFA. IRGC groups use real-time credential interception and AiTM (adversary-in-the-middle) phishing kits that capture session tokens alongside passwords. MOIS-aligned groups use push-bombing and social engineering to exhaust users into approving fraudulent MFA prompts. Phishing-resistant MFA (FIDO2, hardware keys) should be the baseline for privileged accounts, and MFA registration events should be monitored as high-fidelity signals.

Finally, governance and detection must be unified. The traditional separation between "identity governance" (who has access to what) and "threat detection" (who is doing something malicious) creates exactly the kind of seam that Iranian APTs exploit. When MuddyWater enumerates your domain controllers, that's a threat detection problem. When APT42 modifies MFA on a compromised account, that's a governance problem. But both are fundamentally identity problems, and they demand integrated solutions that correlate governance data with security telemetry.
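As an added example (not code from the original post or from Opal), the following Python detector implements two of the high-fidelity signals discussed above: the MFA push-bombing burst described in the MOIS advisory, and an MFA method registration that follows a sign-in from a location the account has never used before, the persistence move attributed to IRGC operators. The event schema and all sample events are constructed for the example; real identity providers expose the same information under different field names.

```python
"""Two identity-plane detectors for the signals described above.

Event records and sample data are constructed for this example; they stand in
for identity-provider sign-in and audit logs, whose real field names differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), deliberately out of order.
EVENTS = [
    # alice: baseline sign-ins from US
    {"ts": "2024-10-01T08:00:00", "user": "alice", "type": "signin", "result": "success", "geo": "US"},
    {"ts": "2024-10-02T08:05:00", "user": "alice", "type": "signin", "result": "success", "geo": "US"},
    # alice: sign-in from a never-seen geo, then a new MFA method 10 minutes later
    {"ts": "2024-10-03T02:10:00", "user": "alice", "type": "signin", "result": "success", "geo": "XX"},
    {"ts": "2024-10-03T02:20:00", "user": "alice", "type": "mfa_register", "method": "authenticator_app"},
    # bob: six MFA prompts in five minutes, the last one approved (push-bombing)
    {"ts": "2024-10-03T02:00:00", "user": "bob", "type": "mfa_challenge", "result": "timeout"},
    {"ts": "2024-10-03T02:01:00", "user": "bob", "type": "mfa_challenge", "result": "denied"},
    {"ts": "2024-10-03T02:02:00", "user": "bob", "type": "mfa_challenge", "result": "timeout"},
    {"ts": "2024-10-03T02:03:00", "user": "bob", "type": "mfa_challenge", "result": "denied"},
    {"ts": "2024-10-03T02:04:00", "user": "bob", "type": "mfa_challenge", "result": "timeout"},
    {"ts": "2024-10-03T02:05:00", "user": "bob", "type": "mfa_challenge", "result": "approved"},
    # carol: two prompts then an approval is ordinary user behaviour, not a burst
    {"ts": "2024-10-03T09:00:00", "user": "carol", "type": "mfa_challenge", "result": "timeout"},
    {"ts": "2024-10-03T09:01:00", "user": "carol", "type": "mfa_challenge", "result": "approved"},
    # carol: MFA registration with no preceding new-location sign-in (first sign-in has no baseline)
    {"ts": "2024-10-03T09:02:00", "user": "carol", "type": "signin", "result": "success", "geo": "DE"},
    {"ts": "2024-10-03T09:05:00", "user": "carol", "type": "mfa_register", "method": "sms"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per user who received at least `threshold` MFA
    challenges inside `window`, the last of which was approved."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "mfa_challenge":
            by_user[e["user"]].append(e)
    alerts = []
    for user, challenges in by_user.items():
        challenges.sort(key=_ts)
        for i, e in enumerate(challenges):
            # count the challenges that fall in the window ending at this one
            burst = [c for c in challenges[: i + 1] if _ts(c) >= _ts(e) - window]
            if len(burst) >= threshold and e["result"] == "approved":
                alerts.append({"user": user, "prompts": len(burst), "approved_at": e["ts"]})
                break
    return alerts


def detect_registration_after_new_geo(events, window=timedelta(hours=1)):
    """Return an alert for each MFA method registration that follows, within
    `window`, a successful sign-in from a geo the account had never used."""
    seen_geo = defaultdict(set)
    last_new_geo = {}  # user -> (sign-in time, geo) of the latest new-location sign-in
    alerts = []
    for e in sorted(events, key=_ts):
        user = e["user"]
        if e["type"] == "signin" and e["result"] == "success":
            # a first-ever sign-in has no baseline, so it does not count as "new"
            if seen_geo[user] and e["geo"] not in seen_geo[user]:
                last_new_geo[user] = (_ts(e), e["geo"])
            seen_geo[user].add(e["geo"])
        elif e["type"] == "mfa_register" and user in last_new_geo:
            signin_time, geo = last_new_geo[user]
            if _ts(e) - signin_time <= window:
                alerts.append({"user": user, "geo": geo, "method": e["method"],
                               "registered_at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(EVENTS) + detect_registration_after_new_geo(EVENTS):
        print(alert)
```

Both detectors are written to read governance events (MFA registrations) and security telemetry (sign-ins, MFA challenges) from the same stream, which is the correlation the paragraph above argues for.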

The Bigger Picture

Iran's cyber ecosystem is evolving rapidly. The IRGC has expanded its use of hacktivist proxies for plausible deniability, while the MOIS has deepened its integration with cybercriminal access broker markets. The June 2025 Israel-Iran conflict demonstrated how both agencies can mobilize their full cyber apparatus — APTs, hacktivists, and everything in between — in coordination with kinetic military operations.

For security teams, the lesson is clear: Iranian threat actors are not a single adversary with a single playbook. They represent a spectrum of capabilities, from sophisticated multi-month social engineering campaigns to brute-force credential stuffing to the exploitation of default passwords on internet-exposed industrial controllers. Defending against this spectrum requires identity governance that is continuous, contextual, and comprehensive — able to detect both the patient impersonation of a journalist building trust over email and the automated enumeration of Active Directory trust relationships at 3 AM.

The identity plane is where both heads of the hydra converge. That's where your defenses should be strongest. To secure your business from Iranian Advanced Persistent Threats and other actors targeting identity infrastructure, reach out to us to schedule a demo.

Find out why the best security teams manage access with Opal
