ICNA

Iranian Cyber News Agency

Ravin Academy

Ravin Academy is an Iranian cybersecurity training academy established in 2019 with the aim of improving Iran’s cybersecurity industry by providing advanced educational, research and cybersecurity services. It also functions as a sophisticated cyber-attack group, actively involved in espionage, sabotage and influence operations. This report details the academy’s known attributes, affiliations and key personnel, based on available information.

Associated groups:

There is some evidence that Ravin Academy personnel are also involved with the following groups:

  • APT33 – ElfinTeam, Refined Kitten (CrowdStrike), Magnallium (Dragos), Peach Sandstorm/Holmium (Microsoft). Targets the aerospace, defense and petrochemical industries in the US, South Korea and Saudi Arabia.
  • APT34 – OilRig, Helix Kitten, Hazel Sandstorm/Yellow Nix (Microsoft): targets many of the same organizations as APT33.
  • APT35 – Charming Kitten, Mint Sandstorm (Microsoft): often associated with individuals training at Ravin Academy.
  • MuddyWater/Static Kitten
  • Mabna Institute/COBALT DICKENS/Silent Librarian

Date founded:

  • Ravin Academy was founded as Avayeh Hooshmand Ravin in 2019 by Farzin Karimi and Seyyed Mojtaba Mostafavi (possibly @Seyyed_Mojtaba97, current Deputy Chairman of the Board). Both of these individuals are sanctioned.[1]

Affiliation:

The affiliation with the Iranian state is strong, though the exact degree is debated. Most analysts believe Ravin Academy operates with the blessing and support of the Iranian state. Strong ties to the IRGC are suspected, with many believing the academy operates under the IRGC’s umbrella. This includes working closely with Basij cyber groups, which operate as a recruitment pool. The co-founders are purported to have strong links to the Ministry of Intelligence and Security (MOIS).

Ravin Academy actively recruits members from Iranian universities, particularly those with strong computer science programs, suggesting a degree of state investment and direction.

Cyber operations by Ravin Academy affiliates often align with Iranian geopolitical goals and narratives, particularly regarding the Palestinian cause and opposition to Israel and Saudi Arabia. The sanctions issued by the US Treasury in February 2024 solidify the view of strong state affiliation.

Social media handles and websites:

Previous operations:

Tactics/techniques/tradecraft/procedures (TTPs):

Courses taught at the Academy have contained elements of the techniques described below:

  • Website defacement: A common tactic, often used for propaganda and to demonstrate capability.
  • Data Exfiltration: Attempting to steal sensitive data from compromised systems.
  • DDoS Attacks: Used to disrupt services.
  • SQL Injection: Exploiting vulnerabilities in web applications.
  • Credential Stuffing: Using compromised credentials to gain access to systems.
  • Phishing: Targeting individuals with phishing emails to steal credentials.
  • Exploitation of Known Vulnerabilities: Targeting systems with known, but unpatched vulnerabilities.
  • Use of Open-Source Tools: Leveraging readily available tools like Metasploit and Nmap.
  • Custom Tools: Developing their own tools, demonstrating increased sophistication.
  • Propaganda and Messaging: Heavily using propaganda and messaging, often linking their attacks to broader geopolitical events and the Palestinian cause.
  • Low and Slow Attacks: Using techniques that are harder to detect than large, obvious attacks.
  • Watering Hole Attacks: Compromising frequently visited websites.

Key People of Interest:

Current active personnel according to Rasmio:

  • Mehdi Hatemi Kesavand: Managing Director, presents video content on ravinacademy.com. Strong resemblance to @DFIRhero.
  • Mohsen Nik Saft: Chairman of the Board of Directors.
  • Seyyed Mojtaba Mostafavi (possibly @Seyed_Mojtaba97): Deputy Chairman of the Board and Co-Founder. Linked to APT34.

Other important personnel:

  • Ali Rezvani: Considered one of the founding members and a key leader of Ravin Academy. Frequently featured in their Telegram posts.
  • Farzin Karimi (Farzin K): Co-founder. Linked to APT34 and its predecessors. Confirmed affiliation with MOIS via the Lab Dookhtegan leak in 2019.[2]
  • Mohammad Hossein Rezvani: Another prominent member, often involved in technical operations.
  • Seyed Mohammad Hossein Mousavi: A key recruiter for the group, often targeting university students.
  • Mohammad Javad Kazemi: Sanctioned by the US Treasury in February 2024.
  • Reza Arabzadeh: Sanctioned by the US Treasury in February 2024.
  • Hossein Parastar: Sanctioned by the US Treasury in February 2024.
  • Hussain Taeb: Former head of IRGC Intelligence, key figure in developing the academy.
  • Ali Hemmati: Director of Ravin Academy.

Registered Address:

  • Address: Motahari Street, Soleiman Khater Street, between Gross Alley and Mosque, No. 105
  • Branches: According to the Ravin Academy website, the company’s first branch is located in Khuzestan province, opened due to the province’s economic and industrial importance. It is worth noting most of the company’s legitimate training programs are offered as online courses. It is unknown if the Khuzestan branch is used as a physical classroom.

The October 2025 Breach

In October 2025, Nariman Gharib, an exiled Iranian cyber activist now living in the UK, revealed a large amount of leaked data about Ravin Academy, received from an unknown source. It contained registration details, course names and instructor details. It confirmed that the courses offered by Ravin Academy are not solely for civilian cyber training, but a pipeline for state cyber actors.

Ravin Academy is a vital component of Iran’s growing cyber warfare capabilities. Its graduates are actively involved in espionage, sabotage, and influence operations against a wide range of adversaries. With continued Iranian investment in its cyber infrastructure, Ravin Academy is likely to become an increasingly important player in the global cyberspace landscape.

  1. home.treasury.gov/news/press-releases/jy1048
  2. @lab_dookhtegan, 6 September 2019

Sources:
  • pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/muddy-advanced-persistent-teacher.html
  • ravinacademy.com
