APT55: Iran's Quiet Intelligence-Gathering Arm Targeting U.S. Energy and Defense

APT55 is an Iranian state-linked cyber espionage group operating under the Islamic Revolutionary Guard Corps (IRGC) that has been quietly targeting individuals connected to the U.S. energy and defense sectors. While less publicly documented than Iran's better-known threat actors, the group's role surfaced prominently in fresh intelligence reporting tied to the geopolitical escalation of early 2026.

In the weeks following the February 28, 2026 launch of Operation Epic Fury — the coordinated U.S.-Israeli military strikes on Iranian nuclear and military infrastructure — cybersecurity researchers and intelligence analysts scrambled to map the full scope of Iranian cyber retaliation. Among the actors named in new threat assessments was APT55, a group that operates differently from Iran's more aggressive and disruptive cyber units. APT55 does not knock systems offline. It watches. It collects. And it feeds what it finds back to the Iranian intelligence apparatus that decides what happens next.

Key figures from the opening weeks of the conflict (sources are cited in the sections below):

  • Exposed ICS devices reachable in the U.S.: 40,000+
  • Claimed attacks in the first two weeks: 600+
  • Pro-Iranian hacktivist groups mobilized: 60+
  • Ballistic missiles launched by Iran: 585
  • Iran internet connectivity after the strikes: 4% of normal
  • Senior IRGC officials eliminated: 40+

What Is APT55 and Who Does It Work For

APT55 is an advanced persistent threat group with confirmed ties to Iran's Islamic Revolutionary Guard Corps. The IRGC, designated a foreign terrorist organization by the United States and Canada, operates a dedicated cyber arm known as the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). This structure sits at the heart of Iran's offensive cyber operations and has oversight of several threat actor clusters, including APT33, CyberAv3ngers, and APT55.

The group's designation as a numbered APT reflects the intelligence community's practice of cataloging Iranian cyber actors by their observed behaviors and sponsoring entities, even when public reporting on a specific cluster remains limited. APT55 is among the less-publicized groups in Iran's portfolio, which is itself a function of its mission profile: intelligence collection rather than disruption. Threat actors focused on quiet, long-term access and data gathering tend to generate fewer public incident reports, because victims often do not realize they have been compromised, and because attribution at the operational level is harder to establish with confidence.

According to reporting by threat intelligence firm CloudSEK, published in the context of the escalating Iran-U.S. conflict in March 2026, APT55 sits alongside well-known IRGC-affiliated actors in a broader campaign targeting American critical infrastructure. As cited by Euronews, CloudSEK's assessment described the group's mission as conducting cyber espionage against individuals connected to the American energy and defense sectors in order to collect intelligence for Iranian targeting operations.

This framing is significant. The group is not described as targeting systems or networks in isolation. It is targeting people — specifically, individuals whose positions or access make them valuable sources of intelligence for the IRGC's broader operations and targeting decisions.

How APT55 Operates: The Human-First Approach to Espionage

APT55's mission as described by CloudSEK is intelligence collection oriented around people with access to the U.S. energy and defense sectors. This approach is consistent with a well-established tradecraft pattern across Iranian state-aligned groups: using cyber intrusion as a substitute for, or complement to, traditional human intelligence gathering.

The broader IRGC-affiliated cyber ecosystem has developed a sophisticated playbook for this kind of targeting. APT35 (Charming Kitten), one of the IRGC's most well-documented espionage groups, demonstrated in a 2025 leaked operational archive how structured and systematic this targeting can be. Gatewatcher's analysis of that archive, cited by CloudSEK, revealed "monthly performance reports in Persian and structured target development campaigns" spanning Iran, South Korea, Kuwait, Turkey, Saudi Arabia, and Lebanon. A leaked archive from the same group exposed spear-phishing operations built around impersonating conference coordinators, research assistants, and policy analysts — all designed to get a target to click before they know who they are dealing with.

APT55 shares the same institutional logic. Energy sector professionals — engineers, procurement specialists, policy advisors, grid operators — hold knowledge about infrastructure topology, operational schedules, vendor relationships, and security posture. Defense-adjacent personnel carry access to contracting vehicles, personnel rosters, technology roadmaps, and sometimes classified system configurations. From an intelligence standpoint, compromising a single well-positioned individual yields far more strategic value than defeating a firewall.

APT55 Intelligence Collection Chain

Stage 1: Target Identification → Stage 2: Social Engineering → Stage 3: Credential Theft / Access → Stage 4: Silent Exfiltration → Stage 5: IRGC Targeting Feed

The tactics documented across IRGC-affiliated espionage actors — which overlap with APT55's mission profile — include spear-phishing via email, WhatsApp, LinkedIn, and Telegram; impersonation of recruiters, researchers, and conference organizers; credential harvesting through cloned login pages hosted on legitimate infrastructure like Google Sites; and multi-stage infection chains that establish persistent access across Windows and macOS platforms. CloudSEK's March 2026 threat landscape assessment, focused on ICS and OT targeting during the Iran-U.S. conflict, confirmed that groups operating under the IRGC umbrella continue to use these techniques against U.S. government, military, and energy-adjacent individuals for credential theft and long-term access.

How an APT55-Style Lure Works: Stage-by-Stage Walkthrough
Stage 01 — Persona Construction
Name: Dr. Sarah Kellerman
Affiliation: Atlantic Council for Energy Policy (fabricated)
LinkedIn: 312 connections, profile created 6 months prior, posts about energy grid policy
Profile photo: AI-generated professional headshot
Backstory: Postdoc at Johns Hopkins (unverified), co-author of a PDF white paper seeded into Google Scholar
ANALYST NOTE: APT35 operational archives leaked in 2025 revealed structured monthly performance quotas for persona development. A convincing persona is built over weeks before any contact is made with a target. The LinkedIn account has real engagement history to pass scrutiny.
Stage 02 — Platform Selection
Target: Senior grid reliability engineer at a U.S. regional transmission operator
Platform selected: LinkedIn (initial contact) → email (trust established) → WhatsApp (final delivery)
Why LinkedIn first: Professional context reduces suspicion. Target's profile is public. Message framed as networking.
Why WhatsApp for delivery: End-to-end encryption limits organizational monitoring. Shifts conversation off corporate infrastructure.
ANALYST NOTE: The Canadian Centre for Cyber Security specifically flagged LinkedIn as the primary initial reconnaissance and contact vector for IRGC-affiliated espionage actors in its March 2026 bulletin. Corporate security teams rarely monitor personal LinkedIn inboxes.
Stage 03 — Initial Message
From: Dr. Sarah Kellerman (Atlantic Council for Energy Policy)
To: [Target] via LinkedIn InMail

Hi [Name] — I came across your presentation from the NERC GridEx conference and found your remarks on SCADA resilience really compelling. I'm currently wrapping up a policy paper on grid security posture for the next administration and would love to include a practitioner perspective. Would you be open to a 20-minute background conversation? Happy to share the draft chapter in advance. Best, Sarah
ANALYST NOTE: The message references a real public event the target attended (sourced via OSINT). It flatters without overreach, proposes a low-commitment ask, and offers something in return (the draft chapter — which will contain the delivery vehicle). No malicious link appears at this stage.
Stage 04 — Lure Delivery
From: [email protected] (lookalike domain, registered 3 months prior)
Subject: Draft chapter + Dropbox link for review

Hi [Name] — So glad we connected last week. As promised, here's the draft chapter for your review. I've also included a Google Sites page where we're collecting practitioner annotations — it would be great to have your input before we finalize. Let me know if you have any access issues.

https://sites.google.com/atlantic-energy-council-review.com/grid-resilience-2026/login
ANALYST NOTE: The phishing link is hosted on Google Sites — a legitimate Google-owned domain. This bypasses most URL reputation filters. The page renders a cloned Microsoft 365 or Dropbox login form. The real document referenced in the earlier message exists and is benign. The credential theft occurs on the login page, not through the document.
Stage 05 — Credential Harvest & Access
Captured: Corporate email credentials (username + password)
Secondary capture: If target uses SSO, session token may also be captured via adversary-in-the-middle proxy
What happens next: Credentials are tested against corporate VPN, email, and collaboration platforms within hours. Successful access triggers silent inbox harvesting. Target receives no error — login is proxied to the real service.
Forensic footprint: Near zero. No malware deployed. Credential used from rotating IP infrastructure. Appears as normal user login.
ANALYST NOTE: This is why APT55 is difficult to detect. No endpoint compromise occurs. SIEM rules looking for malware execution, lateral movement, or known bad IPs will not fire. The first indication is often an anomalous login hours or days later — if anyone checks.
Note on Attribution Confidence

APT55 has limited public documentation compared to well-established Iranian groups like APT33, APT34, and APT35. The primary publicly sourced reference to the group in a current operational context comes from CloudSEK's March 2026 reporting cited by Euronews. This does not mean the group is new — it may reflect a group that has operated with greater operational security, or one that has been tracked internally by intelligence agencies without extensive public reporting. Readers should treat this as an emerging public profile with more intelligence likely held by government and private sector analysts who do not publish all findings.

APT55 in the Context of Iran's Layered Cyber Ecosystem

To understand APT55, it helps to see where it fits within the larger structure of Iranian state cyber operations. Iran has built its offensive cyber capability through two primary institutions: the IRGC, which reports directly to the Supreme Leader, and the Ministry of Intelligence and Security (MOIS), which operates under the civilian presidency. Both organizations maintain affiliated APT clusters, and they share tools, infrastructure, and sometimes personnel in ways that complicate attribution.

The IRGC's cyber arm, the IRGC-CEC, sponsors or directs groups including APT33 (Elfin), APT35 (Charming Kitten), and CyberAv3ngers, among others. MOIS runs actors such as APT34 (OilRig) and MuddyWater. The Center for Strategic and International Studies assessed in a March 2026 analysis that Iran's cyber ecosystem has matured into a coordinated threat structure — one that layers state-directed APT groups from both the IRGC and MOIS alongside a growing network of proxy hacktivist actors.

APT55 sits within the IRGC cluster, alongside actors with very different operational mandates. Consider the contrast:

[Diagram: Iran's Cyber Ecosystem, showing each actor's role in Iran's cyber structure; the actors are compared in the table below.]

This division of labor is deliberate. Iran's cyber doctrine, as documented by analysts at Picus Security, CSIS, and Nozomi Networks, has evolved from overt, state-sponsored sabotage toward operations designed to blur attribution and maximize strategic leverage. The IRGC uses espionage groups to map the terrain before deploying disruptive ones. APT55, as a human-centric intelligence collection actor, is logically positioned at the front of that chain.

CSIS's March 2026 assessment characterized Iran's cyber structure as a deliberate combination of state-directed espionage actors and a broader ecosystem of opportunistic hacktivist proxies — a layered architecture that gives Tehran both precision and deniability.

Threat Actor Comparison: mission, targets, and noise level

APT55 (Espionage)
  Sponsor: IRGC-CEC
  Mission: Human intelligence collection against U.S. energy and defense sector individuals — identities, access levels, org relationships, system knowledge. Feeds the IRGC targeting apparatus.
  Primary targets: Energy engineers, grid operators, defense contractors, policy advisors, procurement specialists
  Primary TTPs: Spear-phishing via LinkedIn, email, WhatsApp, Telegram; fake recruiter/researcher personas; credential harvesting via Google Sites-hosted clones
  Noise level: Very low — designed to be invisible

APT33 — Elfin / Magnallium (Disruptive)
  Sponsor: IRGC-CEC
  Mission: Cyber espionage and destructive operations targeting aerospace, aviation, and energy. Known for deploying wiper malware (SHAMOON-style) and attempting to disable industrial safety systems.
  Primary targets: U.S. electric utilities, oil and gas companies, Saudi energy infrastructure, aerospace and defense contractors
  Primary TTPs: High-volume password spraying; spear-phishing with malicious macro documents; wiper malware deployment; VPN exploitation
  Noise level: Moderate — bulk spraying generates alerts

CyberAv3ngers (Disruptive)
  Sponsor: IRGC-CEC (U.S. Treasury sanctioned six IRGC-CEC officials for directing operations)
  Mission: Disruptive attacks against internet-exposed industrial control systems — presented as ideological hacktivism but confirmed as state-directed. Targeted U.S. water and wastewater systems and Israeli-made PLCs.
  Primary targets: Internet-exposed PLCs and HMIs with default credentials, especially in U.S. water/wastewater; Israeli-made Unitronics controllers (34 U.S. wastewater devices compromised in 2023)
  Primary TTPs: Default credential exploitation on internet-facing ICS devices; malware installation on industrial controllers; public hacktivist framing to obscure state direction
  Noise level: Very high — public claims, ICS disruption

APT35 — Charming Kitten / Magic Hound (Espionage)
  Sponsor: IRGC / IRGC-IO (Intelligence Organization)
  Mission: Long-term espionage against journalists, researchers, government officials, and dissidents globally. Known for relationship-based social engineering and systematic target development campaigns with documented monthly performance metrics.
  Primary targets: Journalists, academics, policy researchers, government officials, Iranian diaspora, nuclear negotiators, security experts — particularly those critical of the Iranian regime
  Primary TTPs: Spear-phishing; fake conference invitations and researcher personas; Google Sites phishing infrastructure; multi-stage infection chains; exploitation of CVE-2024-1709 (ConnectWise)
  Noise level: Low — precision targeting, low volume

MuddyWater — Seedworm / Static Kitten (Espionage, Disruptive)
  Sponsor: MOIS (Ministry of Intelligence and Security)
  Mission: Dual-purpose espionage and disruption. Planted backdoors inside a U.S. bank, airport, and defense-adjacent firms before the 2026 conflict began. Used new MuddyViper backdoor against Israeli and Egyptian critical infrastructure in late 2025.
  Primary targets: Government organizations, energy and telecom companies, financial institutions, defense-adjacent firms across the Middle East, Europe, and North America
  Primary TTPs: Spear-phishing; custom backdoors (MuddyViper, Dindoor); supply chain compromise; living-off-the-land techniques; deployment of commercial remote management tools as C2
  Noise level: Moderate — custom tooling detectable

Operation Epic Fury and the Acceleration of Iranian Cyber Threats

The geopolitical context in which APT55 is now being discussed is significant. On February 28, 2026, U.S. Central Command commenced Operation Epic Fury alongside Israel's Operation Roaring Lion — a joint military campaign striking Iranian nuclear facilities, missile infrastructure, and senior leadership compounds across Tehran, Isfahan, Qom, Karaj, and Kermanshah. According to BeyondTrust's threat advisory, the strikes eliminated Supreme Leader Ali Khamenei, IRGC Commander Mohammad Pakpour, Defense Minister Aziz Nasirzadeh, and at least 40 senior officials. An interim governing council assumed power as succession proceedings began. Iran retaliated with ballistic missiles and drones targeting Israel and U.S. military bases across Jordan, Bahrain, Qatar, Kuwait, Saudi Arabia, the UAE, Oman, and Syria — a strike campaign that SOCRadar documented as launching roughly 585 ballistic missiles and over 1,500 drones in the opening days of the conflict. Within hours of the strikes, over 60 pro-Iranian hacktivist groups mobilized through an "Electronic Operations Room" on Telegram, claiming more than 600 distinct operations across more than 100 Telegram channels in the first two weeks.

CloudSEK's assessment, issued March 5, 2026, made clear that the February 28 strikes did not originate the cyber threat to U.S. critical infrastructure — they compressed a trajectory that had been developing for more than a decade. That acceleration matters for understanding APT55. Groups like CyberAv3ngers and APT33 generate immediate, visible impact. APT55 generates something more durable: an intelligence picture that shapes what Iran does next, kinetically or otherwise.

The CloudSEK assessment confirmed that IRGC-backed groups including APT33 and APT55, alongside CyberAv3ngers, were actively engaged against American infrastructure in the context of this conflict. Separately, the MOIS-linked Handala group claimed responsibility for the cyberattack on medical technology company Stryker, which confirmed on March 11, 2026 that a cyberattack had disrupted its global network — an example of the parallel MOIS-directed campaign operating alongside IRGC operations. The Soufan Center noted that MOIS-linked activity demonstrated Iran's ability to retain advanced offensive capability and impose both psychological and operational costs well beyond the immediate battlefield, even as IRGC command structure was being degraded.

For energy sector organizations, the implication is that much of the targeting may have been underway long before the conflict became public. Iran's APT groups pre-positioned infrastructure across global networks according to CloudSEK's threat briefing, and the CSIS analysis noted that Iranian APT groups had maintained persistent footholds inside Middle Eastern critical infrastructure through credential theft and VPN compromise extending back to early 2025. APT55's quiet approach to intelligence collection fits precisely within that pre-positioning model.

APT55's Operational Status After the Strikes

Whether APT55 is still operating is the question that intelligence assessments circulating as of late March 2026 are still working to answer. The strikes of Operation Epic Fury created conditions that directly affected IRGC-CEC operations, not just in intent but structurally. Israel kinetically struck Iran's cyber warfare headquarters in eastern Tehran, according to IDF confirmation cited by the Soufan Center. Iranian internet connectivity dropped to approximately 4% of normal in the opening days of the conflict, according to SOCRadar's tracking, severing coordination links between IRGC operators and their external infrastructure. At least 40 senior officials were killed, including the IRGC's top commander.

Those facts matter for any group operating under IRGC-CEC direction. The immediate question for APT55 is whether the decapitation of its chain of command has disrupted its ability to receive tasking, process collected intelligence, and exfiltrate data. The analytical consensus from Trellix, the Soufan Center, and BeyondTrust is that short-term disruption is real but likely temporary — and that the conditions create a specific risk profile defenders should understand.

Three dynamics are worth tracking:

  • Pre-authorized operations may have continued uninterrupted. BeyondTrust's advisory observed that the speed of claimed Iranian operations immediately after the strikes, combined with pre-conflict indicators, pointed to likely pre-authorized activity — consistent with Iran's documented crisis and succession contingency planning for leadership decapitation scenarios. A human-targeting espionage mission that had already identified targets and established social contact would not necessarily require ongoing central direction to continue collecting.
  • Pre-positioned access remains a separate risk from active tasking. Trellix's 2026 capability assessment identified pre-positioned malware activation as the highest near-term risk: if Iranian handlers restored communications and moved to activate implants already embedded in energy or water infrastructure, the impact could be rapid and significant. The intelligence APT55 collected before the strikes may already be in the hands of whoever assumes control of IRGC-CEC operations next.
  • Iran has rebuilt from structural decapitation before. Shieldworkz's March 2026 analysis noted that following the 2020 Soleimani assassination, Iranian cyber actors regrouped, broadened their targeting, and established ties with ransomware ecosystems for added revenue and deniability. The Soufan Center documented a comparable pattern after Stuxnet — Iran's subsequent campaigns disabled Saudi Aramco, struck the Sands Casino, and ran sustained DDoS operations against U.S. financial infrastructure. APT55's tradecraft — patient, low-noise, human-targeted — is precisely the kind of capability that survives organizational disruption better than high-visibility disruptive operations.

The Canadian Centre for Cyber Security issued a specific bulletin in March 2026 describing Iranian state-sponsored groups as particularly sophisticated in combining social engineering with spear-phishing to target public officials and gain footholds in government networks and private sector organizations globally. The CCCS further noted that these social engineering efforts leverage professional interactions on platforms such as LinkedIn to extract information about organizations relevant to Iran's political, economic, and military interests — with a specific focus on aerospace, energy, defense, security, and telecommunications sectors. That profile maps directly onto APT55's documented mission — and it is not a mission that stops because a commander was killed.

Conflict & Cyber Timeline

The entries below cover kinetic events, general cyber activity, and APT55-specific developments.

  • Jun 2025: Surge in Iranian proxy cyber activity begins; pre-positioning ramps up across U.S. and allied networks
  • Early 2025–Feb 2026: APT55 assessed to be conducting pre-conflict intelligence collection against U.S. energy and defense personnel
  • Feb 28, 2026: Operation Epic Fury launches — U.S.-Israeli strikes eliminate IRGC senior leadership; Iran's internet collapses to 4% of normal
  • Feb 28 – Mar 2, 2026: 60+ pro-Iranian hacktivist groups mobilize instantly — Cyber Islamic Resistance claims 600+ operations in two weeks
  • Mar 5, 2026: CloudSEK publishes assessment explicitly naming APT55 — one of the first public profiles of the group in an active operational context
  • ~Mar 6–10, 2026: Israel strikes Iran's cyber warfare headquarters in eastern Tehran — IRGC-CEC command infrastructure directly damaged
  • Mar 11, 2026: Stryker confirms global network disruption — MOIS-linked Handala claims responsibility; demonstrates Iran's parallel offensive tracks remain active
  • Mar 2026 (ongoing): APT55 operational status: disrupted but not neutralized — pre-positioned intelligence intact, mosaic doctrine enables partial resumption without central command

Why APT55 Matters Now

Three things make APT55 worth paying attention to, even given the limited public record on the group specifically.

First, its targeting scope aligns directly with sectors that are under heightened threat pressure. U.S. energy infrastructure is a confirmed priority target for multiple Iranian state actors simultaneously. CloudSEK reported in March 2026 that over 40,000 internet-exposed ICS devices are directly reachable in the United States, many with default or no credentials. The intelligence APT55 collects about the people managing those systems — their identities, positions, communications, and access levels — directly supports the operational planning of the groups trying to reach those devices.

Second, human-targeted espionage is harder to detect than network intrusion. Organizations running security information and event management (SIEM) systems and endpoint detection and response (EDR) tools are well-positioned to spot anomalous network behavior. They are less equipped to spot a well-crafted spear-phishing email that convinces a senior energy executive to hand over credentials to a cloned Microsoft login page. CloudSEK's documentation of APT35's tactics — which overlap with the broader IRGC playbook APT55 likely shares — describes phishing links hosted on legitimate Google Sites infrastructure, password-protected archives with malicious LNK files, and multi-stage infection chains designed to evade standard detection tooling.

Third, numbered APT designations assigned by the research community sometimes trail real operational timelines by months or years. The limited public documentation on APT55 does not mean the group is new or small. It may reflect an actor that has operated successfully precisely because its methods generate less visible forensic noise. As Unit 42 at Palo Alto Networks noted in March 2026 reporting on the evolving Iranian cyber threat, the shift toward living-off-the-land techniques — using native administrative tools rather than custom malware — removes a critical detection guardrail that historically helped defenders identify intrusions. An espionage actor collecting credentials and intelligence through carefully engineered social contact may leave very little to detect at all.

Defender Guidance

Organizations in U.S. energy and defense supply chains should treat unsolicited outreach via LinkedIn, WhatsApp, Telegram, and email with heightened skepticism — particularly from individuals presenting as researchers, conference organizers, or recruiters. Specific steps: enforce phishing-resistant multi-factor authentication (FIDO2 hardware keys are preferable to SMS codes for privileged accounts); conduct security awareness training that specifically covers IRGC-style social engineering personas; audit VPN and remote access appliances for unauthorized or dormant accounts; monitor for credential use from unusual geolocations or outside normal working hours; and apply CISA advisory AA23-335A guidance for ICS-connected environments. The Canadian Centre for Cyber Security's March 2026 bulletin additionally notes that Iranian groups specifically exploit professional interactions on social media platforms as an initial reconnaissance vector — LinkedIn profile reviews for energy and defense-adjacent personnel should be treated accordingly.

How to Protect Against APT55-Style Spear-Phishing

The tactics APT55 uses — fabricated professional personas, multi-platform social engineering, and credential harvesting through cloned login pages — target human behavior rather than network defenses. These steps address the specific attack chain documented in IRGC-affiliated espionage operations.

  1. Enforce phishing-resistant MFA on all privileged accounts. SMS-based one-time codes can be intercepted by adversary-in-the-middle proxies. FIDO2 hardware security keys (such as YubiKey) are tied to the origin domain and cannot be replayed against a cloned login page. Require them for any account with VPN, email, or ICS/SCADA access.
  2. Treat unsolicited LinkedIn outreach as a potential lure. APT55's documented approach begins with a credible professional persona on LinkedIn — a researcher, policy analyst, or conference organizer. Before engaging any unsolicited message, verify the person's existence through independent channels. A profile with few connections, recent creation date, and AI-generated headshots should raise immediate suspicion.
  3. Inspect URLs before entering credentials. IRGC-affiliated groups host phishing pages on Google Sites infrastructure (sites.google.com/...), which passes most URL reputation filters. Check the full URL, not just the domain prefix. If any login page arrives via a link in a message rather than through your organization's SSO portal, do not enter credentials.
  4. Audit VPN and remote access accounts quarterly. APT55's goal is long-term quiet access. Accounts established through harvested credentials may sit dormant before being used. Review all active VPN accounts, confirm each maps to a current employee or contractor, and immediately disable or revoke any unrecognized sessions.
  5. Run targeted security awareness training on IRGC social engineering patterns. Generic phishing training does not address the specific methodology used by IRGC-affiliated actors — multi-week persona cultivation, migration from LinkedIn to WhatsApp to move off corporate monitoring, and benign-looking document lures. Brief energy and defense-adjacent staff specifically on these patterns.
  6. Monitor for off-hours and anomalous-geolocation credential use. Harvested credentials used by threat actors typically appear from unfamiliar IP ranges, unusual countries, or outside normal business hours. Configure your SIEM to alert on these patterns for accounts with privileged or infrastructure access.
  7. Apply CISA advisory AA23-335A controls for ICS-connected environments. CISA's advisory specifically addresses IRGC-affiliated threat actors exploiting internet-facing ICS and OT devices. If your environment includes remote access to operational technology, this advisory provides concrete hardening steps directly relevant to the threat APT55 feeds intelligence to.
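
Two of these steps can be turned into concrete checks. The block below is an added example, not code from the article or from any vendor it cites: a link-triage function for step 3, matched to the Google Sites lure shown in the walkthrough above, and a SIEM-style rule for step 6 run over constructed sign-in records. The log format, users, IP addresses, countries, working-hour baselines and partner-domain allowlist are all assumptions made for the example.

```python
"""Added example (not from the article or any vendor it cites): defender-side checks
for the APT55-style chain in the steps above. Step 3: lure_link_findings() triages a
link before anyone enters credentials. Step 6: anomalous_logins() flags privileged
sign-ins from outside a user's baseline countries or outside working hours.
All sample data (log format, users, IPs, countries, baselines) is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

PAGE_HOSTING_SERVICES = {"sites.google.com"}  # legitimate host the article describes as abused
LOGIN_WORDS = {"login", "signin", "auth", "sso"}


def lure_link_findings(url: str, known_partner_domains: set[str]) -> list[str]:
    """Return red flags for a link received in a message (empty list = nothing found).

    On sites.google.com, a site owned by a Google Workspace tenant lives under
    /<tenant-domain>/<site>/... and consumer sites under /view/<site>/..., so the
    first path segment shows which organisation actually owns the page. An unknown
    tenant domain ending in a login-style page is the article's Stage 04 pattern.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    findings: list[str] = []
    if host not in PAGE_HOSTING_SERVICES or not segments:
        return findings
    tenant = segments[0].lower()
    if "." in tenant and tenant not in known_partner_domains:
        findings.append(f"page is hosted by an unrecognised Workspace tenant: {tenant}")
    # Whole-word match so that e.g. "lessons" does not trip the "sso" keyword.
    if any(tok in LOGIN_WORDS for tok in re.split(r"[^a-z0-9]+", segments[-1].lower())):
        findings.append("link lands on a login-style page on a page-hosting service, "
                        "not on your organisation's SSO portal")
    return findings


@dataclass(frozen=True)
class Baseline:
    privileged: bool
    countries: frozenset[str]        # countries this user normally signs in from
    work_hours_utc: tuple[int, int]  # [start, end) hour in UTC; weekends are off-hours


def parse_signin(line: str) -> tuple[str, datetime, str, str, bool]:
    """Parse one constructed record: ISO-8601 time,user,src_ip,country,result."""
    when, user, ip, country, result = line.strip().split(",")
    return user, datetime.fromisoformat(when).astimezone(timezone.utc), ip, country, result == "success"


def anomalous_logins(lines, baselines: dict[str, Baseline]) -> list[dict]:
    """One alert per successful privileged sign-in that breaks the user's baseline.

    Failures are left to lockout/spray rules: credentials harvested through a
    proxied login page succeed on the first try, so success is the event to watch.
    """
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        user, when, ip, country, ok = parse_signin(line)
        b = baselines.get(user)
        if b is None or not b.privileged or not ok:
            continue
        reasons = []
        if country not in b.countries:
            reasons.append(f"country {country} outside baseline {sorted(b.countries)}")
        start, end = b.work_hours_utc
        if when.weekday() >= 5 or not (start <= when.hour < end):
            reasons.append(f"off-hours sign-in at {when:%a %H:%M} UTC")
        if reasons:
            alerts.append({"user": user, "src_ip": ip, "reasons": reasons})
    return alerts


# Constructed sample data: documentation IP ranges, fictional users, UTC timestamps.
SAMPLE_LOG = """\
2026-03-09T14:05:00+00:00,jdoe,203.0.113.7,US,success
2026-03-09T14:20:00+00:00,jdoe,203.0.113.7,US,failure
2026-03-10T02:41:00+00:00,jdoe,198.51.100.23,NL,success
2026-03-10T03:02:00+00:00,asmith,192.0.2.44,DE,success
2026-03-10T15:30:00+00:00,mlee,198.51.100.9,US,success
"""
BASELINES = {
    "jdoe": Baseline(True, frozenset({"US"}), (13, 22)),   # US Eastern office hours in UTC
    "asmith": Baseline(False, frozenset({"US"}), (13, 22)),
    "mlee": Baseline(True, frozenset({"US"}), (13, 22)),
}
# The lure URL from the article's Stage 04 walkthrough, used here only as input.
LURE_URL = "https://sites.google.com/atlantic-energy-council-review.com/grid-resilience-2026/login"

if __name__ == "__main__":
    for f in lure_link_findings(LURE_URL, known_partner_domains=set()):
        print("LURE:", f)
    for a in anomalous_logins(SAMPLE_LOG.splitlines(), BASELINES):
        print("ALERT:", a)
```

Run stand-alone, the block reports two findings for the walkthrough's lure URL and a single alert for the overnight sign-in from an unexpected country; the unprivileged account and the failed attempt are deliberately ignored.
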
Self-Assessment: Are You a Likely APT55 Target?

APT55 targets individuals whose professional roles give them knowledge useful to Iranian intelligence. Answer five questions to gauge your exposure profile. This is not a security audit — it is a thinking tool based on documented targeting patterns.

  1. Does your role involve working with energy infrastructure, power grid operations, oil and gas systems, or utility procurement?
  2. Do you work for, contract with, or advise a U.S. defense contractor, military branch, or national security agency?
  3. Is your professional profile publicly visible on LinkedIn, including your employer, role, and specialization?
  4. Have you recently spoken at, attended, or been listed as a participant in a public conference related to energy, infrastructure, or defense policy?
  5. Does your organization use VPN or remote access tools to connect to OT, ICS, or SCADA environments?

Key Takeaways

  1. APT55 is an IRGC-affiliated espionage actor, not a disruptive one. Its documented mission is intelligence collection against individuals with access to U.S. energy and defense sectors, feeding that intelligence to the IRGC's broader targeting apparatus.
  2. The group operates within a layered Iranian cyber structure. It shares the same institutional sponsorship as CyberAv3ngers and APT33 but serves a different function — mapping human terrain before other actors move against systems.
  3. Operation Epic Fury eliminated APT55's chain of command but likely did not stop its pre-positioned operations. The strikes killed senior IRGC leadership including the IRGC commander and struck Iran's cyber headquarters in eastern Tehran. Iran's internet connectivity collapsed to roughly 4% of normal. But pre-authorized operations and pre-established social contact with targets may have continued, and historical precedent shows Iran rebuilds cyber capability after decapitation events.
  4. Human-centric espionage is the hardest vector to detect. Social engineering and credential harvesting through cloned phishing infrastructure generate minimal forensic noise compared to network-level intrusion, making APT55's methods particularly difficult to catch with standard security tooling.
  5. The public record on APT55 is thin but growing. CloudSEK's March 2026 reporting is among the first to name the group explicitly in a current operational context. The Canadian Centre for Cyber Security, Soufan Center, Trellix, and BeyondTrust have all published relevant 2026 assessments that add context. Further attribution reporting is likely as analysts continue to examine the conflict's cyber dimension.
  6. APT55's collected intelligence may already be in hostile hands regardless of current disruption. Information gathered through months or years of pre-conflict espionage operations does not disappear when a commander is killed. The intelligence picture APT55 built about U.S. energy and defense personnel — identities, access levels, relationships, communications patterns — represents durable strategic value to whoever reconstitutes IRGC-CEC operations.

APT55 represents what is, in many ways, the most dangerous kind of adversary: one that operates quietly, targets people rather than systems, and contributes to a larger intelligence picture that its peers then act on. The leadership decapitation of Operation Epic Fury changed the organizational structure at the top — it did not erase the access, the collected intelligence, or the tradecraft. Understanding where APT55 fits in Iran's nation-state cyber ecosystem, what it was looking for, and why that collection may have already been completed is the first step toward making its job harder the next time.

Frequently Asked Questions

What is APT55?

APT55 is an Iranian state-linked cyber espionage group affiliated with the Islamic Revolutionary Guard Corps (IRGC). Unlike disruptive Iranian groups such as CyberAv3ngers, APT55 focuses on intelligence collection — specifically targeting individuals connected to the U.S. energy and defense sectors to gather information for Iranian intelligence targeting. The group was named explicitly in CloudSEK's March 2026 threat intelligence reporting during the Iran-U.S. conflict that followed Operation Epic Fury.

Is APT55 part of the IRGC?

Yes. APT55 operates under the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), the dedicated cyber warfare branch of the IRGC. The IRGC-CEC has been designated and sanctioned by the U.S. Treasury Department and is responsible for overseeing multiple threat actor clusters including APT33, CyberAv3ngers, and APT55.

What sectors does APT55 target?

APT55 targets individuals connected to the U.S. energy sector — engineers, grid operators, procurement specialists, policy advisors — and U.S. defense-adjacent personnel with access to contracting vehicles, personnel rosters, technology roadmaps, and system configurations. Its focus is on people rather than systems directly, using their access and knowledge to build intelligence for the IRGC's broader operations.

How does APT55 conduct its attacks?

APT55 uses the same tradecraft documented across IRGC-affiliated espionage actors: targeted spear-phishing via email, LinkedIn, WhatsApp, and Telegram; impersonation of recruiters, researchers, journalists, and conference organizers; credential harvesting through cloned login pages hosted on legitimate infrastructure such as Google Sites; and multi-stage infection chains designed to establish long-term access with minimal forensic noise.

Has APT55's operational capability been affected by Operation Epic Fury?

Operation Epic Fury eliminated senior IRGC leadership including IRGC Commander Mohammad Pakpour and struck Iran's cyber warfare headquarters in eastern Tehran. Iran's internet connectivity dropped to roughly 4% of normal in the immediate aftermath. APT55's ability to receive new tasking and exfiltrate collected data was likely disrupted in the short term. However, analysts at the Soufan Center and Trellix note that Iran's cyber capability was built for decentralization, and pre-positioned access and pre-authorized operational modes may allow human-targeting espionage to resume with limited central direction.

What can defenders do to protect against APT55?

Organizations in U.S. energy and defense supply chains should enforce phishing-resistant multi-factor authentication (FIDO2 hardware keys are preferable to SMS codes for privileged accounts); conduct security awareness training specifically covering IRGC-style social engineering personas; audit VPN and remote access appliances for unauthorized accounts; monitor for credential use from unusual geolocations or outside normal working hours; and apply CISA advisory AA23-335A guidance for ICS-connected environments. The Canadian Centre for Cyber Security's March 2026 bulletin specifically notes that Iranian groups exploit professional social media activity as a primary reconnaissance vector — LinkedIn reviews for energy and defense personnel should be treated as a likely initial access point. See the full seven-step protection guide above for implementation detail on each control.
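The monitoring control above (credential use from unusual geolocations or outside normal working hours) can be reduced to a simple rule over VPN authentication events. The following is an added example, not code from the article or any vendor cited in it: the log format, the per-user baseline countries and the working-hours window are all constructed assumptions, and a production version would read events from the VPN appliance or SIEM instead of an inline string.

```python
from datetime import datetime

# Constructed sample VPN authentication events (not real logs), one per line:
# timestamp (UTC), username, source country, result.
SAMPLE_LOG = """\
2026-03-09T14:02:11Z jdoe US success
2026-03-09T15:30:45Z jdoe US success
2026-03-10T13:12:03Z jdoe US success
2026-03-11T03:47:29Z jdoe BR success
2026-03-11T14:05:10Z asmith US success
2026-03-11T22:58:40Z asmith US success
2026-03-12T09:15:00Z asmith DE success
"""

# Hypothetical policy: countries each user normally connects from, and the
# hours (UTC) that count as a normal working day for this organization.
BASELINE_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US"}}
WORK_HOURS_UTC = range(12, 23)  # 12:00 through 22:59 UTC


def parse_events(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "country": country,
            "result": result,
        })
    return events


def flag_anomalies(events, baseline=BASELINE_COUNTRIES, work_hours=WORK_HOURS_UTC):
    """Return (user, iso_timestamp, reason) for each successful login that comes
    from a country outside the user's baseline or falls outside working hours.
    Failed attempts are ignored here; they belong to a separate brute-force rule."""
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue
        reasons = []
        if ev["country"] not in baseline.get(ev["user"], set()):
            reasons.append(f"unusual geolocation {ev['country']}")
        if ev["time"].hour not in work_hours:
            reasons.append(f"outside working hours ({ev['time'].hour:02d}:00 UTC)")
        if reasons:
            findings.append((ev["user"], ev["time"].isoformat(), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, when, why in flag_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{when} {user}: {why}")
```

A hit on both conditions at once, as in the two flagged sample events, is the pattern worth escalating first; a single off-hours login from a baseline country is more often travel or shift work.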

Sources

  • CloudSEK, "A Threat Actor Landscape Assessment of ICS/OT Targeting in the 2026 Iran-US Conflict," March 5, 2026. cloudsek.com
  • CloudSEK, "Situation Report: Middle East Escalation (February 27–1st March, 2026)," March 2026. cloudsek.com
  • Euronews, "How cyberattacks are being used as weapons in the Iran war," March 18, 2026. euronews.com
  • Center for Strategic and International Studies, "Beyond Hacktivism: Iran's Coordinated Cyber Threat Landscape," March 2026. csis.org
  • The Soufan Center, "Cyber Operations as Iran's Asymmetric Leverage," March 17, 2026. thesoufancenter.org
  • Canadian Centre for Cyber Security, "Cyber Threat Bulletin: Iranian Cyber Threat Response to US/Israel Strikes, February 2026," March 2026. cyber.gc.ca
  • Trellix, "The Iranian Cyber Capability 2026," March 5, 2026. trellix.com
  • BeyondTrust, "Threat Advisory: Iran-Aligned Cyber Actors Respond to Operation Epic Fury," March 2026. beyondtrust.com
  • Nozomi Networks, "Iranian APT Activity During Geopolitical Escalation," March 2026. nozominetworks.com
  • Unit 42 / Palo Alto Networks, "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran," Updated March 26, 2026. unit42.paloaltonetworks.com
  • Unit 42 / Palo Alto Networks, "Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization," March 2026. unit42.paloaltonetworks.com
  • CISA, "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors," Updated December 18, 2024. cisa.gov
  • Rapid7, "Iran's Cyber Playbook in the Escalating Regional Conflict," March 2026. rapid7.com
  • Check Point Research, "What Defenders Need to Know about Iran's Cyber Capabilities," March 2026. blog.checkpoint.com
  • SOCRadar, "Iran vs. Israel & US Cyber War 2026: Operation Epic Fury Threat Intelligence," March 2026. socradar.io
  • Picus Security, "Inside the Shadows: Understanding Active Iranian APT Groups," July 2025. picussecurity.com
  • Shieldworkz, "Decoding the Strategic Quiet of Iranian Cyber Groups," March 2026. shieldworkz.com