Handala Hack
List of names used by the industry: Date founded: Affiliation: Affiliated with Iran, MOIS, Hezbollah and Hamas. Social media handles/websites: Previous operations: Tactics/Techniques/Tradecraft/Procedures (TTP’s): Sources: ict.org.il/bibi-gate-handala-hack-team-a-mask-for-iranian-psychological-warfare/ ict.org.il/wp-content/uploades/2025/12/image-11-1024×341 cyberint.com/wp-content/uploads/2024/07 cyberint.com/blog/threat-intelligence/handala-hack-what-we-know-about-the-rising-threat-actor/ israelhayom.com/2025/12/28/handala-hackers-iranian-cyber-attacks-israeli-officials splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html ransomlook.io/group/handala
Homeland Justice
Homeland Justice is a state-aligned Iranian hacktivist persona used by the Ministry of Intelligence and Security (MOIS) to conduct disruptive cyberattacks and psychological-operations campaigns, most notably against Albania since 2022. The group has carried out ransomware and wiper attacks, leaked…
Ghyam ta Sarnegouni
Ghyam ta Sarnegouni, meaning ‘uprising until overthrow’, is a hacking group that has been active since 2022. They have carried out a number of high-profile hack and leak operations against the Iranian state. They often deface websites, steal data and…
Ababil of Minab
Ababil of Minab is a new pro-Iranian hacking group. The group named itself after the missile attack on Shajareh Tayyebeh School in Minab, Hormuzgan province in Southern Iran which occured on the 28 February 2026 resulting in the death of…
PRANA Network
Date founded: First appeared in August 2023 Affiliation: Group described themselves as “Freedom Fighters From The Cyber World”. Collaboration of different hacktivist groups, some members are known to be Iranian. Social media handles/websites: Telegram: @Iran_EXPOSED (No longer active), @Prana_Network (No…
IRLeaks
List of names used by the industry: IRLeaks (no other names identified) Date founded: Telegram channel was created 13 June 2023 Affiliation: Researchers have analyzed data from irleaks attacks and determined that irleaks’ activity aligns with actions of more organized,…
Anonymous OpIran
In the wake of Mahsa Amini’s death on Sep 16 2022, the international hacktivist group Anonymous launched a new campaign called Op Iran against Iran’s online infrastructure. OpIran also continue to support the “No to Executions” movement and stands with…
Tapandegan
List of names used by industry: Date founded: Affiliation: Iranian hacktivists. The group refer to its acts as an act of protest demanding the Iranian leadership to improve the economy and to stop ignoring the demands of the people. No…
Predatory Sparrow
List of names used by industry: Date founded: July 2021 (though some attacks as early as 2019 have been attributed to them) Affiliation: Social media handles/websites: Previous operations: Tactics/techniques/tradecraft/procedures (TTP’s): Technical details: People of interest that have been doxxed online…
Ravin Academy
Ravin Academy is an Iranian cybersecurity training academy established in 2019 with the aim of improving Iran’s cybersecurity industry by providing advanced educational, research and cybersecurity services. It also functions as a sophisticated cyber-attack group, actively involved in espionage, sabotage…