APT55 is an Iranian state-linked cyber espionage group operating under the Islamic Revolutionary Guard Corps (IRGC) that has been quietly targeting individuals connected to the U.S. energy and defense sectors. While less publicly documented than Iran's better-known threat actors, the group's role surfaced prominently in fresh intelligence reporting tied to the geopolitical escalation of early 2026.
In the weeks following the February 28, 2026 launch of Operation Epic Fury — the coordinated U.S.-Israeli military strikes on Iranian nuclear and military infrastructure — cybersecurity researchers and intelligence analysts scrambled to map the full scope of Iranian cyber retaliation. Among the actors named in new threat assessments was APT55, a group that operates differently from Iran's more aggressive and disruptive cyber units. APT55 does not knock systems offline. It watches. It collects. And it feeds what it finds back to the Iranian intelligence apparatus that decides what happens next.
What Is APT55 and Who Does It Work For
APT55 is an advanced persistent threat group with confirmed ties to Iran's Islamic Revolutionary Guard Corps. The IRGC, designated a foreign terrorist organization by the United States (April 2019), Canada (June 2024), and the European Union (January 29, 2026), operates a dedicated cyber arm. A note on this because confusion exists online: the United Kingdom had not formally designated the IRGC as of this writing, despite years of parliamentary pressure to do so — readers encountering sources that list only the U.S. and Canada as designators are working from pre-2026 material. The EU’s January 2026 designation was a significant policy reversal after decades of European engagement with Iran. That cyber arm is known as the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). This structure sits at the heart of Iran's offensive cyber operations and has oversight of several threat actor clusters, including APT33, CyberAv3ngers, and APT55.
The group's designation as a numbered APT reflects the private threat intelligence community's practice of cataloging Iranian cyber actors by their observed behaviors and sponsoring entities. A common misconception worth clarifying: the “APT” numbering system was created by Mandiant (now part of Google), not by U.S. government agencies. CISA, NSA, and the FBI publish their own advisories and sometimes reference Mandiant's APT numbers, but they also use separate naming schemes — Microsoft uses the Sandstorm and Kitten suffix conventions, CISA uses advisory identifiers. APT55 is Mandiant's designation, which carries significant analytical weight but may not correspond to whatever label classified government programs use for the same cluster. Readers who search for “APT55” in official U.S. government publications may not find it under that exact name, and public reporting on this specific cluster remains limited. APT55 is among the less-publicized groups in Iran's portfolio, which is itself a function of its mission profile: intelligence collection rather than disruption. Threat actors focused on quiet, long-term access and data gathering tend to generate fewer public incident reports, because victims often do not realize they have been compromised, and because attribution at the operational level is harder to establish with confidence.
According to reporting by threat intelligence firm CloudSEK, published in the context of the escalating Iran-U.S. conflict in March 2026, APT55 sits alongside well-known IRGC-affiliated actors in a broader campaign targeting American critical infrastructure. As cited by Euronews, CloudSEK's assessment described the group's mission as conducting cyber espionage against individuals connected to the American energy and defense sectors in order to collect intelligence for Iranian targeting operations.
This framing is significant. The group is not described as targeting systems or networks in isolation. It is targeting people — specifically, individuals whose positions or access make them valuable sources of intelligence for the IRGC's broader operations and targeting decisions.
How APT55 Operates: The Human-First Approach to Espionage
APT55's mission as described by CloudSEK is intelligence collection oriented around people with access to the U.S. energy and defense sectors. This approach is consistent with a well-established tradecraft pattern across Iranian state-aligned groups: using cyber intrusion as a substitute for, or complement to, traditional human intelligence gathering.
The broader IRGC-affiliated cyber ecosystem has developed a sophisticated playbook for this kind of targeting. APT35 (widely known as Charming Kitten) is one of the IRGC's most well-documented espionage groups, and a 2025 leaked operational archive showed how structured and systematic this targeting can be. Attribution note that affects how you read online sources: APT35 and APT42 both carry the “Charming Kitten” label in some vendor taxonomies, which creates persistent confusion. Mandiant distinguishes them: APT35 operates on behalf of the broader IRGC, while APT42 is attributed to the IRGC Intelligence Organization (IRGC-IO) — a sub-entity focused on domestic surveillance and monitoring foreign threats. Both groups use nearly identical social engineering tradecraft, which is why conflation is so common. This article references APT35 because the 2025 leaked archive was attributed to that specific cluster. When you encounter “Charming Kitten” in a report, verify which group the source is actually describing before mapping its behavior to either APT35 or APT42. Gatewatcher's analysis of that archive, cited by CloudSEK, revealed "monthly performance reports in Persian and structured target development campaigns" spanning Iran, South Korea, Kuwait, Turkey, Saudi Arabia, and Lebanon. A leaked archive from the same group exposed spear-phishing operations built around impersonating conference coordinators, research assistants, and policy analysts — all designed to get a target to click before they know who they are dealing with.
APT55 shares the same institutional logic. A separate IRGC-affiliated group, Tortoiseshell, provides an instructive parallel: Trellix's 2026 capability assessment documented Tortoiseshell running a multi-year LinkedIn-based social engineering campaign against Western aerospace, defense, and aviation organizations beginning no later than June 2022 — establishing footholds through fake job recruitment lures before deploying a custom backdoor family designated MiniBike. The operational pattern is nearly identical to APT55's documented approach, differing primarily in that Tortoiseshell moves from social engineering to persistent technical implants whereas APT55 remains focused on credential harvesting and intelligence collection. Energy sector professionals — engineers, procurement specialists, policy advisors, grid operators — hold knowledge about infrastructure topology, operational schedules, vendor relationships, and security posture. Defense-adjacent personnel carry access to contracting vehicles, personnel rosters, technology roadmaps, and sometimes classified system configurations. From an intelligence standpoint, compromising a single well-positioned individual yields far more strategic value than defeating a firewall.
“In APT55’s case, the group conducts cyber-espionage against people connected to the American energy and defence sectors to gather information for Iranian intelligence targeting.”
— CloudSEK, March 2026 ICS/OT Threat Assessment, as cited by Euronews
The tactics documented across IRGC-affiliated espionage actors — which overlap with APT55's mission profile — include spear-phishing via email, WhatsApp, LinkedIn, and Telegram; impersonation of recruiters, researchers, and conference organizers; credential harvesting through cloned login pages hosted on legitimate infrastructure like Google Sites; and multi-stage infection chains that establish persistent access across Windows and macOS platforms. The Google Sites vector is worth specific attention because it generates real confusion in online security guidance. Pages hosted at sites.google.com carry a legitimate Google-owned domain, causing them to pass most URL reputation checkers, enterprise web filters, and email gateway inspections. This is not a flaw in Google’s security infrastructure — it is a deliberate abuse of a legitimate service. Mandiant’s own research into APT42 operations explicitly documented this technique, confirming sites.google.com-hosted pages that mimicked Microsoft and Google login portals. The practical takeaway: a URL containing “google.com” is not inherently safe. The full URL path matters. Any link beginning with sites.google.com can be created freely by anyone with a Google account and pointed at a pixel-perfect login clone. CloudSEK's March 2026 threat landscape assessment, focused on ICS and OT targeting during the Iran-U.S. conflict, confirmed that groups operating under the IRGC umbrella continue to use these techniques against U.S. government, military, and energy-adjacent individuals for credential theft and long-term access.
Illustrative targeting scenario (the persona and messages below are fabricated; [Target] and [Name] stand for the recipient)

Persona
- Affiliation: Atlantic Council for Energy Policy (fabricated)
- LinkedIn: 312 connections, profile created 6 months prior, posts about energy grid policy
- Profile photo: AI-generated professional headshot
- Backstory: Postdoc at Johns Hopkins (unverified), co-author of a PDF white paper seeded into Google Scholar

Platform chain
- Platform selected: LinkedIn (initial contact) → email (trust established) → WhatsApp (final delivery)
- Why LinkedIn first: Professional context reduces suspicion. Target's profile is public. Message framed as networking.
- Why WhatsApp for delivery: End-to-end encryption limits organizational monitoring. Shifts conversation off corporate infrastructure.

Initial contact (LinkedIn)
To: [Target] via LinkedIn InMail
Hi [Name] — I came across your presentation from the NERC GridEx conference and found your remarks on SCADA resilience really compelling. I'm currently wrapping up a policy paper on grid security posture for the next administration and would love to include a practitioner perspective. Would you be open to a 20-minute background conversation? Happy to share the draft chapter in advance. Best, Sarah

Follow-up (email)
Subject: Draft chapter + Dropbox link for review
Hi [Name] — So glad we connected last week. As promised, here's the draft chapter for your review. I've also included a Google Sites page where we're collecting practitioner annotations — it would be great to have your input before we finalize. Let me know if you have any access issues.
https://sites.google.com/atlantic-energy-council-review.com/grid-resilience-2026/login

Outcome
- Secondary capture: If the target uses SSO, the session token may also be captured via an adversary-in-the-middle proxy
- What happens next: Credentials are tested against corporate VPN, email, and collaboration platforms within hours. Successful access triggers silent inbox harvesting. Target receives no error — login is proxied to the real service.
- Forensic footprint: Near zero. No malware deployed. Credential used from rotating IP infrastructure. Appears as normal user login.
APT55 has limited public documentation compared to well-established Iranian groups like APT33, APT34, and APT35. The primary publicly sourced reference to the group in a current operational context comes from CloudSEK's March 2026 reporting cited by Euronews. This does not mean the group is new — it may reflect a group that has operated with greater operational security, or one that has been tracked internally by intelligence agencies without extensive public reporting. Readers should treat this as an emerging public profile with more intelligence likely held by government and private sector analysts who do not publish all findings.
APT55 in the Context of Iran's Layered Cyber Ecosystem
To understand APT55, it helps to see where it fits within the larger structure of Iranian state cyber operations. Iran has built its offensive cyber capability through two primary institutions: the IRGC, which reports directly to the Supreme Leader, and the Ministry of Intelligence and Security (MOIS), which operates under the civilian presidency. Both organizations maintain affiliated APT clusters, and they share tools, infrastructure, and sometimes personnel in ways that complicate attribution.
The IRGC's cyber arm, the IRGC-CEC, sponsors or directs groups including APT33 (Elfin), APT35 (Charming Kitten), and CyberAv3ngers, among others. MOIS runs actors such as APT34 (OilRig) and MuddyWater. The Center for Strategic and International Studies assessed in a March 2026 analysis that Iran's cyber ecosystem has matured into a coordinated threat structure — one that layers state-directed APT groups from both the IRGC and MOIS alongside a growing network of proxy hacktivist actors.
APT55 sits within the IRGC cluster, alongside actors with very different operational mandates. Consider the contrast:
This division of labor is deliberate. Iran's cyber doctrine, as documented by analysts at Picus Security, CSIS, and Nozomi Networks, has evolved from overt, state-sponsored sabotage toward operations designed to blur attribution and maximize strategic leverage. The IRGC uses espionage groups to map the terrain before deploying disruptive ones. APT55, as a human-centric intelligence collection actor, is logically positioned at the front of that chain.
CSIS's March 2026 assessment characterized Iran's cyber structure as a deliberate combination of state-directed espionage actors and a broader ecosystem of opportunistic hacktivist proxies — a layered architecture that gives Tehran both precision and deniability.
Operation Epic Fury and the Acceleration of Iranian Cyber Threats
The geopolitical context in which APT55 is now being discussed is significant. On February 28, 2026, U.S. Central Command commenced Operation Epic Fury alongside Israel's Operation Roaring Lion — a joint military campaign striking Iranian nuclear facilities, missile infrastructure, and senior leadership compounds across Tehran, Isfahan, Qom, Karaj, and Kermanshah. According to BeyondTrust's threat advisory, the strikes eliminated Supreme Leader Ali Khamenei, IRGC Commander Mohammad Pakpour, Defense Minister Aziz Nasirzadeh, Chief of Staff Abdolrahim Mousavi, and at least 40 senior officials, including four confirmed IRGC intelligence commanders. Pakpour was the second consecutive IRGC commander killed by Israel in under a year — his predecessor, Hossein Salami, had been killed during the June 2025 Twelve-Day War (Pakpour was formally appointed IRGC commander on June 13, 2025). Mojtaba Khamenei was elected Supreme Leader on March 8, 2026 following an interim period. Iran retaliated with ballistic missiles and drones targeting Israel and U.S. military bases across Jordan, Bahrain, Qatar, Kuwait, Saudi Arabia, the UAE, Oman, and Syria — with SOCRadar documenting over 1,500 drones and missiles in the opening days of the conflict. Within hours of the strikes, over 60 pro-Iranian hacktivist groups mobilized through an "Electronic Operations Room" on Telegram, claiming more than 600 distinct operations across more than 100 Telegram channels in the first two weeks. The “hacktivist” label applied to these groups deserves scrutiny: in the Iranian cyber context, the distinction between genuinely independent ideological actors and state-proxied groups operating behind a hacktivist cover is actively blurred by design. CSIS has documented this as a deliberate Iranian pattern — deploying state-funded, state-tooled actors under hacktivist personas to create deniability. CyberAv3ngers is the clearest example: it presented as an ideologically motivated hacktivist group before U.S. Treasury sanctions confirmed direct IRGC-CEC direction. The 600+ figure comes from self-reported Telegram channel activity and cannot be independently verified; the actual operational impact of this claimed activity is widely assessed as overstated.
CloudSEK's assessment, issued March 5, 2026, made clear that the February 28 strikes did not originate the cyber threat to U.S. critical infrastructure — they compressed a trajectory that had been developing for more than a decade. That acceleration matters for understanding APT55. Groups like CyberAv3ngers and APT33 generate immediate, visible impact. APT55 generates something more durable: an intelligence picture that shapes what Iran does next, kinetically or otherwise.
The CloudSEK assessment confirmed that IRGC-backed groups including APT33 and APT55, alongside CyberAv3ngers, were actively engaged against American infrastructure in the context of this conflict. Separately, the MOIS-linked Handala group claimed responsibility for the cyberattack on medical technology company Stryker, which confirmed on March 11, 2026 that a cyberattack had disrupted its global network — an example of the parallel MOIS-directed campaign operating alongside IRGC operations. The Soufan Center noted that MOIS-linked activity demonstrated Iran's ability to retain advanced offensive capability and impose both psychological and operational costs well beyond the immediate battlefield, even as IRGC command structure was being degraded.
For energy sector organizations, the implication is that much of the targeting may have been underway long before the conflict became public. Iran's APT groups pre-positioned infrastructure across global networks according to CloudSEK's threat briefing, and the CSIS analysis noted that Iranian APT groups had maintained persistent footholds inside Middle Eastern critical infrastructure through credential theft and VPN compromise extending back to early 2025. APT55's quiet approach to intelligence collection fits precisely within that pre-positioning model.
APT55's Operational Status After the Strikes
This is the question that intelligence assessments circulating as of late March 2026 are still working to answer. The Operation Epic Fury strikes created conditions that directly affected IRGC-CEC operations — not just in intent, but structurally. Israel kinetically struck Iran's cyber warfare headquarters in eastern Tehran, according to IDF confirmation cited by the Soufan Center. Iranian internet connectivity dropped to approximately 4% of normal at the moment of the February 28 strikes, according to NetBlocks monitoring data, then fell further to roughly 1% by March — severing coordination links between IRGC operators and their external infrastructure. At least 40 senior officials were killed including the IRGC's top commander.
Those facts matter for any group operating under IRGC-CEC direction. The immediate question for APT55 is whether the decapitation of its chain of command has disrupted its ability to receive tasking, process collected intelligence, and exfiltrate data. The analytical consensus from Trellix, the Soufan Center, and BeyondTrust is that short-term disruption is real but likely temporary — and that the conditions create a specific risk profile defenders should understand.
Three dynamics are worth tracking:
“The most immediate risk comes not from the reconstituting IRGC command structure, which will require time to restore coherence, but from the pre-positioned presence already embedded in networks.”
— BeyondTrust, Threat Advisory: Iran-Aligned Cyber Actors Respond to Operation Epic Fury, March 2026
- Pre-authorized operations may have continued uninterrupted. BeyondTrust's advisory observed that the speed of claimed Iranian operations immediately after the strikes, combined with pre-conflict indicators, pointed to likely pre-authorized activity — consistent with Iran's documented crisis and succession contingency planning for leadership decapitation scenarios. A human-targeting espionage mission that had already identified targets and established social contact would not necessarily require ongoing central direction to continue collecting. A note on contested framing: the phrase “pre-authorized operations” appears in BeyondTrust’s advisory and has been widely cited. Some analysts debate whether this reflects explicit standing orders issued before the strikes or simply emergent behavior from a decentralized structure. The operational outcome — continued activity without central command — is the same in either interpretation, but readers should know there is analytical latitude in attributing specific intent to “authorization.”
- Pre-positioned access remains a separate risk from active tasking. Trellix's 2026 capability assessment identified pre-positioned malware activation as the highest near-term risk: if Iranian handlers restored communications and moved to activate implants already embedded in energy or water infrastructure, the impact could be rapid and significant. The intelligence APT55 collected before the strikes may already be in the hands of whoever assumes control of IRGC-CEC operations next.
- Iran has rebuilt from structural decapitation before. Shieldworkz's March 2026 analysis noted that following the 2020 Soleimani assassination, Iranian cyber actors regrouped, broadened their targeting, and established ties with ransomware ecosystems for added revenue and deniability. The Soufan Center documented a comparable pattern after Stuxnet — Iran's subsequent campaigns disabled Saudi Aramco, struck the Sands Casino, and ran sustained DDoS operations against U.S. financial infrastructure. APT55's tradecraft — patient, low-noise, human-targeted — is precisely the kind of capability that survives organizational disruption better than high-visibility disruptive operations.
“Iranian threat actors specifically exploit professional interactions on social media platforms to extract information about organizations relevant to Iran’s political, economic, and military interests.”
— Canadian Centre for Cyber Security, Cyber Threat Bulletin, March 2026
The Canadian Centre for Cyber Security issued a specific bulletin in March 2026 describing Iranian state-sponsored groups as particularly sophisticated in combining social engineering with spear-phishing to target public officials and gain footholds in government networks and private sector organizations globally. The CCCS further noted that these social engineering efforts leverage professional interactions on platforms such as LinkedIn to extract information about organizations relevant to Iran's political, economic, and military interests — with a specific focus on aerospace, energy, defense, security, and telecommunications sectors. That profile maps directly onto APT55's documented mission — and it is not a mission that stops because a commander was killed.
Why APT55 Matters Now
Four things make APT55 worth paying attention to, even given the limited public record on the group specifically.
First, its targeting scope aligns directly with sectors that are under heightened threat pressure. U.S. energy infrastructure is a confirmed priority target for multiple Iranian state actors simultaneously. CloudSEK reported in March 2026 that over 40,000 internet-exposed ICS devices are directly reachable in the United States, many with default or no credentials. A six-agency joint advisory (CISA AA26-097A) issued on April 7, 2026 confirmed that Iranian-affiliated actors have already disrupted Rockwell Automation PLCs across U.S. water, energy, and government facilities with confirmed operational disruption and financial loss. The intelligence APT55 collects about the people managing those systems — their identities, positions, communications, and access levels — directly supports the operational planning of the groups trying to reach those devices.
Second, human-targeted espionage is harder to detect than network intrusion. Organizations running security information and event management (SIEM) systems and endpoint detection and response (EDR) tools are well-positioned to spot anomalous network behavior. They are less equipped to spot a well-crafted spear-phishing email that convinces a senior energy executive to hand over credentials to a cloned Microsoft login page. CloudSEK's documentation of APT35's tactics — which overlap with the broader IRGC playbook APT55 likely shares — describes phishing links hosted on legitimate Google Sites infrastructure, password-protected archives with malicious LNK files, and multi-stage infection chains designed to evade standard detection tooling.
Third, numbered APT designations assigned by the research community sometimes trail real operational timelines by months or years. The limited public documentation on APT55 does not mean the group is new or small. It may reflect an actor that has operated successfully precisely because its methods generate less visible forensic noise. As Unit 42 at Palo Alto Networks noted in March 2026 reporting on the evolving Iranian cyber threat, the shift toward living-off-the-land techniques — using native administrative tools rather than custom malware — removes a critical detection guardrail that historically helped defenders identify intrusions.
Fourth, the human-targeting tradecraft APT55 represents is still actively evolving. On April 17, 2026, researchers at the Foundation for Defense of Democracies documented a new IRGC espionage recruitment operation targeting Israeli military and government personnel with a precision that prior Iranian operations had not attempted — leveraging breached data to identify specific individuals based on past service rather than casting a wide net. The FDD assessed that this kind of targeted, intelligence-informed recruitment represents a qualitative escalation: Iran is investing greater resources in its intelligence asset recruitment operations, a trend that U.S. energy and defense personnel should treat as a direct parallel to their own exposure profile. The IRGC is not only conducting cyber espionage against infrastructure — it is actively building a human intelligence capability that uses collected data to identify and approach the most valuable targets.
Organizations in U.S. energy and defense supply chains should treat unsolicited outreach via LinkedIn, WhatsApp, Telegram, and email with heightened skepticism — particularly from individuals presenting as researchers, conference organizers, or recruiters. Specific steps: enforce phishing-resistant multi-factor authentication (FIDO2 hardware keys are preferable to SMS codes for privileged accounts); conduct security awareness training that specifically covers IRGC-style social engineering personas; audit VPN and remote access appliances for unauthorized or dormant accounts; monitor for credential use from unusual geolocations or outside normal working hours; and apply both CISA advisory AA23-335A and the April 2026 joint advisory AA26-097A guidance for ICS-connected environments — AA26-097A confirmed operational disruption and financial loss at multiple U.S. organizations from Iranian-affiliated ICS exploitation as recently as March 2026. The Canadian Centre for Cyber Security's March 2026 bulletin additionally notes that Iranian groups specifically exploit professional interactions on social media platforms as an initial reconnaissance vector — LinkedIn profile reviews for energy and defense-adjacent personnel should be treated accordingly.
How to Protect Against APT55-Style Spear-Phishing
The tactics APT55 uses — fabricated professional personas, multi-platform social engineering, and credential harvesting through cloned login pages — target human behavior rather than network defenses. These steps address the specific attack chain documented in IRGC-affiliated espionage operations.
- Enforce phishing-resistant MFA on all privileged accounts. SMS-based one-time codes can be intercepted by adversary-in-the-middle proxies. FIDO2 hardware security keys (such as YubiKey) are tied to the origin domain and cannot be replayed against a cloned login page. Require them for any account with VPN, email, or ICS/SCADA access.
- Treat unsolicited LinkedIn outreach as a potential lure. APT55's documented approach begins with a credible professional persona on LinkedIn — a researcher, policy analyst, or conference organizer. Before engaging any unsolicited message, verify the person's existence through independent channels. A profile with few connections, recent creation date, and AI-generated headshots should raise immediate suspicion.
- Inspect URLs before entering credentials. IRGC-affiliated groups host phishing pages on Google Sites infrastructure (sites.google.com/...), which passes most URL reputation filters. Check the full URL, not just the domain prefix. If any login page arrives via a link in a message rather than through your organization's SSO portal, do not enter credentials.
- Audit VPN and remote access accounts quarterly. APT55's goal is long-term quiet access. Accounts established through harvested credentials may sit dormant before being used. Review all active VPN accounts, confirm each maps to a current employee or contractor, and immediately disable or revoke any unrecognized sessions.
- Run targeted security awareness training on IRGC social engineering patterns. Generic phishing training does not address the specific methodology used by IRGC-affiliated actors — multi-week persona cultivation, migration from LinkedIn to WhatsApp to move off corporate monitoring, and benign-looking document lures. Brief energy and defense-adjacent staff specifically on these patterns.
- Monitor for off-hours and anomalous-geolocation credential use. Harvested credentials used by threat actors typically appear from unfamiliar IP ranges, unusual countries, or outside normal business hours. Configure your SIEM to alert on these patterns for accounts with privileged or infrastructure access.
- Apply CISA advisory AA23-335A and the April 2026 joint advisory AA26-097A for ICS-connected environments. AA23-335A addresses IRGC-affiliated actors exploiting internet-facing ICS devices. AA26-097A — co-signed by six agencies including FBI, NSA, EPA, DOE, and U.S. Cyber Command in April 2026 — confirmed active disruption of Rockwell Automation PLCs at U.S. water, energy, and government facilities. If your environment includes remote access to operational technology, both advisories provide hardening steps directly relevant to the threat APT55 feeds intelligence to.
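Why a FIDO2 key cannot be replayed against a cloned page (the "Enforce phishing-resistant MFA" step above), as an added example written for this article rather than code from the page, a vendor, or a WebAuthn library: a stdlib-only Python model of the relying-party side of a WebAuthn login. The RP ID sso.example-utility.com is hypothetical. An HMAC over the signed data stands in for the authenticator's ECDSA signature, which is an assumption made to keep the example dependency-free; the origin, RP-ID-hash and challenge checks are the ones a real relying party performs.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "sso.example-utility.com"      # hypothetical corporate identity provider
RP_ORIGIN = "https://" + RP_ID         # the only origin the RP will accept assertions for


def register(rp_id):
    """Registration: the authenticator mints a credential bound to one RP ID.
    The HMAC key stands in for the authenticator's private key (simplification)."""
    return {"rp_id": rp_id, "key": secrets.token_bytes(32)}


def browser_get_assertion(cred, challenge, page_origin):
    """Browser + authenticator side of navigator.credentials.get().
    The browser, not the page, writes the origin it is really on into clientDataJSON,
    and refuses to use a credential whose RP ID does not match that origin."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if host != cred["rp_id"] and not host.endswith("." + cred["rp_id"]):
        raise PermissionError(f"credential for {cred['rp_id']} is not usable from {host}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    auth_data = hashlib.sha256(cred["rp_id"].encode()).digest()   # rpIdHash (first 32 bytes of authenticatorData)
    signed = auth_data + hashlib.sha256(client_data).digest()     # what a real authenticator signs
    sig = hmac.new(cred["key"], signed, "sha256").digest()        # HMAC stands in for ECDSA here
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(cred, expected_challenge, assertion):
    """Relying-party checks (WebAuthn section 7.2, simplified): type, challenge, origin,
    rpIdHash, then the signature. Returns (ok, reason)."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: assertion was made for {cd.get('origin')}"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(cred["key"], signed, "sha256").digest()
    if not hmac.compare_digest(expected_sig, assertion["sig"]):
        return False, "signature does not verify"
    return True, "ok"


def login(cred, page_origin):
    """One authentication ceremony as the RP sees it: fresh challenge, assertion, verification."""
    challenge = secrets.token_urlsafe(32)
    try:
        assertion = browser_get_assertion(cred, challenge, page_origin)
    except PermissionError as e:
        return False, f"browser refused: {e}"
    return rp_verify(cred, challenge, assertion)


def replay_captured(cred):
    """An assertion captured in transit is presented again against a new challenge."""
    captured = browser_get_assertion(cred, secrets.token_urlsafe(32), RP_ORIGIN)
    return rp_verify(cred, secrets.token_urlsafe(32), captured)


if __name__ == "__main__":
    cred = register(RP_ID)
    print(login(cred, RP_ORIGIN))
    print(login(cred, "https://sites.google.com/atlantic-energy-council-review.com/grid-resilience-2026/login"))
    print(replay_captured(cred))
```

Contrast this with an SMS or TOTP code: the code carries no origin, so a proxy sitting between the user and the real portal can forward it unchanged. Here the clone never even gets an assertion, and a captured one is tied to a challenge the RP has already consumed.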
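The full-URL check the article recommends (the Google Sites discussion earlier and the "Inspect URLs before entering credentials" step above), as an added example that is not part of the article: a small Python classifier that looks at the host's registrable domain and at the path rather than at whether "google.com" appears somewhere in the string. The trusted-host list, the brand table and the corporate SSO host sso.example-utility.com are constructed assumptions. The example generalises the article's sites.google.com case to any free-hosting host and to brand-in-subdomain lookalikes.

```python
import re
from urllib.parse import urlparse

# Hosts your users should legitimately type credentials into (constructed list;
# a real deployment loads its own IdP/SSO hosts). The corporate host is hypothetical.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "accounts.google.com",
    "sso.example-utility.com",
}

# Services where anyone with a free account can publish a page under a reputable
# domain. sites.google.com is the one the article documents; add others as needed.
FREE_HOSTING_HOSTS = {"sites.google.com"}

# Brand strings and the registrable domains those brands actually own (constructed
# table). A brand name inside a host that resolves to some other registrable domain
# is a lookalike, e.g. accounts.google.com.secure-review.example.
BRANDS = {
    "google": {"google.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "okta": {"okta.com"},
}

LOGIN_WORDS = ("login", "signin", "sign-in", "auth", "sso", "verify", "password", "session")
DOMAIN_IN_PATH = re.compile(r"[a-z0-9-]+\.(?:com|net|org|gov)(?:/|$|\?)")


def registrable_domain(host):
    """Last two labels. Enough for the .com-style hosts used here; a production tool
    should consult the Public Suffix List so that e.g. example.co.uk is handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url):
    """Return {'verdict', 'host', 'reasons'} for one URL, judging host AND path."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    path_q = (parsed.path + "?" + parsed.query).lower()
    if host in TRUSTED_LOGIN_HOSTS:
        return {"verdict": "trusted", "host": host, "reasons": ["known SSO host"]}

    findings = []
    if host in FREE_HOSTING_HOSTS:
        findings.append(f"{host} hosts user-published pages; the domain says nothing about the author")
    reg = registrable_domain(host)
    for brand, owned in BRANDS.items():
        if brand in host and reg not in owned:
            findings.append(f"'{brand}' appears in the host but the registrable domain is {reg}")
    if DOMAIN_IN_PATH.search(path_q):
        findings.append("domain-like segment in the path, used to make the address look official")

    asks_for_credentials = any(w in path_q for w in LOGIN_WORDS)
    if findings and asks_for_credentials:
        verdict = "phishing_likely"
    elif findings:
        verdict = "suspicious"
    elif asks_for_credentials:
        verdict = "unverified_login"     # credential prompt on an unknown host: route via the SSO portal instead
    else:
        verdict = "no_findings"
    reasons = findings + (["path or query looks like a credential prompt"] if asks_for_credentials else [])
    return {"verdict": verdict, "host": host, "reasons": reasons}


if __name__ == "__main__":
    for u in (
        "https://sites.google.com/atlantic-energy-council-review.com/grid-resilience-2026/login",
        "https://accounts.google.com.secure-review.example/signin",
        "https://sites.google.com/view/grid-policy-reading-list",
        "https://login.microsoftonline.com/common/oauth2/authorize",
    ):
        print(classify_url(u))
```

The verdicts are deliberately graded: a Sites page that does not ask for a password is "suspicious", not "phishing_likely", because the point is to drive the user back to the organisation's own SSO portal rather than to block every page on a free host.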
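Detection logic for the "Monitor for off-hours and anomalous-geolocation credential use" step above and for the multi-service credential testing described in the scenario walkthrough earlier, as an added example not taken from the article or from any SIEM vendor: a Python script that scores successful logins against a per-account baseline. The log format, the baselines, the fixed UTC offsets and the sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format for the example; adapt the regex to your VPN/IdP export.
LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<cc>[A-Z]{2}) "
    r"service=(?P<svc>\S+) result=(?P<res>\S+)"
)

# Per-account baseline (constructed; in practice derived from weeks of history).
# Fixed UTC offsets stand in for real time-zone handling.
BASELINE = {
    "jdoe":   {"countries": {"US"}, "known_src": {"198.51.100.7"},
               "hours": (7, 19), "tz": timezone(timedelta(hours=-5))},
    "asmith": {"countries": {"US", "CA"}, "known_src": {"192.0.2.88"},
               "hours": (6, 18), "tz": timezone(timedelta(hours=-8))},
}

# Constructed sample lines: a normal login for each user, then a burst of successful
# logins for jdoe from a new source in an unfamiliar country in the small hours, hitting
# three different services inside an hour (the "tested against VPN, email, and
# collaboration platforms within hours" pattern).
SAMPLE_LOG = """\
2026-03-09T14:02:10Z user=jdoe src=198.51.100.7 country=US service=vpn result=success
2026-03-10T07:15:03Z user=jdoe src=203.0.113.45 country=NL service=vpn result=failure
2026-03-10T07:16:40Z user=jdoe src=203.0.113.45 country=NL service=vpn result=success
2026-03-10T07:31:12Z user=jdoe src=203.0.113.45 country=NL service=mail result=success
2026-03-10T08:05:55Z user=jdoe src=203.0.113.46 country=NL service=sharepoint result=success
2026-03-10T16:40:00Z user=asmith src=192.0.2.88 country=CA service=mail result=success
"""


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines, window=timedelta(hours=2)):
    """Return a list of alert dicts. Only successful logins are scored."""
    alerts = []
    history = defaultdict(list)            # user -> prior successful events

    def alert(ev, rule, detail):
        alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(), "rule": rule, "detail": detail})

    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["res"] != "success":
            continue
        base = BASELINE.get(ev["user"])
        if base is None:
            alert(ev, "no_baseline", "successful login for an account with no behavioural baseline")
            continue
        local = ev["ts"].astimezone(base["tz"])
        start, end = base["hours"]
        if not start <= local.hour < end:
            alert(ev, "off_hours", f"{local.strftime('%H:%M')} local from {ev['src']}")
        if ev["cc"] not in base["countries"]:
            alert(ev, "unfamiliar_country", f"{ev['cc']} via {ev['src']}")
        # Fire once when a new source reaches a third distinct service inside the window.
        recent = [e for e in history[ev["user"]] if ev["ts"] - e["ts"] <= window]
        before = {e["svc"] for e in recent}
        after = before | {ev["svc"]}
        if len(after) >= 3 and len(before) < 3 and ev["src"] not in base["known_src"]:
            alert(ev, "multi_service_burst", f"{sorted(after)} from new source {ev['src']} within {window}")
        history[ev["user"]].append(ev)
    return alerts


def rule_counts(alerts):
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

Failed attempts are deliberately ignored so that the burst rule keys on what the article describes: credentials that already work being tried across services. In a real deployment the baseline would be learned from history and the three rules would be weighted rather than emitted as independent alerts.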
Key Takeaways
- APT55 is an IRGC-affiliated espionage actor, not a disruptive one. Its documented mission is intelligence collection against individuals with access to U.S. energy and defense sectors, feeding that intelligence to the IRGC's broader targeting apparatus.
- The group operates within a layered Iranian cyber structure. It shares the same institutional sponsorship as CyberAv3ngers and APT33 but serves a different function — mapping human terrain before other actors move against systems.
- Operation Epic Fury eliminated APT55's chain of command but likely did not stop its pre-positioned operations. The strikes killed senior IRGC leadership including the IRGC commander and struck Iran's cyber headquarters in eastern Tehran. Iran's internet connectivity dropped to 4% of normal at the moment of the strikes and fell further to approximately 1% within days, a record-breaking shutdown confirmed by NetBlocks. But pre-authorized operations and pre-established social contact with targets may have continued, and historical precedent shows Iran rebuilds cyber capability after decapitation events.
- Human-centric espionage is the hardest vector to detect. Social engineering and credential harvesting through cloned phishing infrastructure generate minimal forensic noise compared to network-level intrusion, making APT55's methods particularly difficult to catch through standard security tooling.
- The public record on APT55 is thin but growing. CloudSEK's March 2026 reporting is among the first to name the group explicitly in a current operational context. The Canadian Centre for Cyber Security, Soufan Center, Trellix, and BeyondTrust have all published relevant 2026 assessments that add context. Further attribution reporting is likely as analysts continue to examine the conflict's cyber dimension.
- The IRGC is actively escalating its human intelligence operations in parallel with cyber collection. Researchers at the Foundation for Defense of Democracies documented in April 2026 a new IRGC recruitment operation targeting Israeli defense and government personnel with a precision enabled by breached data — selecting individuals based on past military service rather than broad targeting. The same intelligence APT55 collects about U.S. energy and defense personnel feeds this kind of targeted recruitment and coercion capability.
- APT55's collected intelligence may already be in hostile hands regardless of current disruption. Information gathered through months or years of pre-conflict espionage operations does not disappear when a commander is killed. The intelligence picture APT55 built about U.S. energy and defense personnel (identities, access levels, relationships, communications patterns) represents durable strategic value to whoever reconstitutes IRGC-CEC operations.
APT55 represents what is, in many ways, the most dangerous kind of adversary: one that operates quietly, targets people rather than systems, and contributes to a larger intelligence picture that its peers then act on. The leadership decapitation of Operation Epic Fury changed the organizational structure at the top; it did not erase the access, the collected intelligence, or the tradecraft. Understanding where APT55 fits in Iran's nation-state cyber ecosystem, what it was looking for, and why that collection may have already been completed is the first step toward making its job harder the next time.
Frequently Asked Questions
What is APT55?
APT55 is an Iranian state-linked cyber espionage group affiliated with the Islamic Revolutionary Guard Corps (IRGC). Unlike disruptive Iranian groups such as CyberAv3ngers, APT55 focuses on intelligence collection, specifically targeting individuals connected to the U.S. energy and defense sectors to gather information for Iranian intelligence targeting. The group was named explicitly in CloudSEK's March 2026 threat intelligence reporting during the Iran-U.S. conflict that followed Operation Epic Fury.
Is APT55 part of the IRGC?
Yes. APT55 operates under the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), the dedicated cyber warfare branch of the IRGC. The IRGC-CEC has been designated and sanctioned by the U.S. Treasury Department and is responsible for overseeing multiple threat actor clusters including APT33, CyberAv3ngers, and APT55.
What sectors does APT55 target?
APT55 targets individuals connected to the U.S. energy sector (engineers, grid operators, procurement specialists, policy advisors) and U.S. defense-adjacent personnel with access to contracting vehicles, personnel rosters, technology roadmaps, and system configurations. Its focus is on people rather than systems directly, using their access and knowledge to build intelligence for the IRGC's broader operations.
How does APT55 conduct its attacks?
APT55 uses the same tradecraft documented across IRGC-affiliated espionage actors: targeted spear-phishing via email, LinkedIn, WhatsApp, and Telegram; impersonation of recruiters, researchers, journalists, and conference organizers; credential harvesting through cloned login pages hosted on legitimate infrastructure such as Google Sites; and multi-stage infection chains designed to establish long-term access with minimal forensic noise.
Has APT55's operational capability been affected by Operation Epic Fury?
Operation Epic Fury eliminated senior IRGC leadership including IRGC Commander Mohammad Pakpour and struck Iran's cyber warfare headquarters in eastern Tehran. Iran's internet connectivity dropped to roughly 4% of normal at the moment of the strikes, then fell further to approximately 1% by March, per NetBlocks monitoring data — the longest nation-scale internet shutdown on record. APT55's ability to receive new tasking and exfiltrate collected data was likely disrupted in the short term. However, analysts at the Soufan Center and Trellix note that Iran's cyber capability was built for decentralization, and pre-positioned access and pre-authorized operational modes may allow human-targeting espionage to resume with limited central direction.
What can defenders do to protect against APT55?
Organizations in U.S. energy and defense supply chains should enforce phishing-resistant multi-factor authentication (FIDO2 hardware keys are preferable to SMS codes for privileged accounts); conduct security awareness training specifically covering IRGC-style social engineering personas; audit VPN and remote access appliances for unauthorized accounts; monitor for credential use from unusual geolocations or outside normal working hours; and apply both CISA advisory AA23-335A and the April 2026 joint advisory AA26-097A guidance for ICS-connected environments — AA26-097A confirmed operational disruption and financial loss at multiple U.S. organizations from Iranian-affiliated ICS exploitation as recently as March 2026. The Canadian Centre for Cyber Security's March 2026 bulletin specifically notes that Iranian groups exploit professional social media activity as a primary reconnaissance vector; LinkedIn reviews for energy and defense personnel should be treated as a likely initial access point. See the full seven-step protection guide above for implementation detail on each control.
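Two of the controls listed in this answer and in the protection guide above (auditing remote-access appliances for accounts that should not exist, and flagging credential use from unexpected geolocations or outside normal working hours) are simple enough to implement as a review script. The following is an added example written for this page, not code from the article or from any of the vendors it cites. The log format, the roster of users with their expected countries and working windows, and the account names are all constructed assumptions; a real deployment would read the appliance's own export format and derive the per-user baseline from historical sign-ins rather than a hand-written table.

```python
"""
Added example (not from the article or any vendor tooling): a small detector that
applies two of the controls listed above to constructed authentication records:
  1. flag successful credential use from a geolocation outside the user's
     expected set, or outside the user's normal working hours;
  2. flag VPN accounts that have no matching entry in the identity roster
     (the "unauthorized accounts" audit).
All field names, hours, countries and users are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Constructed identity roster: the accounts that *should* exist on the VPN,
# with the countries each user normally signs in from and their working window
# as UTC hours (inclusive start, exclusive end). Hypothetical values.
ROSTER = {
    "jdoe":   {"countries": {"US"}, "hours": (12, 23)},       # roughly 08:00-19:00 US East
    "asmith": {"countries": {"US", "CA"}, "hours": (13, 0)},  # window wraps past midnight UTC
}

# Constructed sample log lines (one JSON object per line), shaped like a VPN/SSO
# appliance export. Not real data.
SAMPLE_LOG = """\
{"ts": "2026-03-03T14:05:00Z", "user": "jdoe", "src_country": "US", "service": "vpn", "result": "success"}
{"ts": "2026-03-03T03:40:00Z", "user": "jdoe", "src_country": "US", "service": "vpn", "result": "success"}
{"ts": "2026-03-04T15:10:00Z", "user": "jdoe", "src_country": "NL", "service": "sso", "result": "success"}
{"ts": "2026-03-04T15:12:00Z", "user": "asmith", "src_country": "CA", "service": "vpn", "result": "success"}
{"ts": "2026-03-04T16:00:00Z", "user": "svc-backup2", "src_country": "US", "service": "vpn", "result": "success"}
{"ts": "2026-03-04T16:30:00Z", "user": "jdoe", "src_country": "NL", "service": "sso", "result": "failure"}
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    reason: str


def parse_log(text):
    """Parse newline-delimited JSON records; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one malformed line must not abort the whole review
    return records


def in_working_hours(hour, window):
    """True if `hour` (0-23 UTC) falls inside window=(start, end). The window
    may wrap past midnight, e.g. (13, 0) means 13:00 through 23:59."""
    start, end = window
    if start < end:
        return start <= hour < end
    return hour >= start or hour < end


def analyse(records, roster):
    """Apply the roster audit and the geolocation / working-hours rules."""
    findings = []
    for rec in records:
        user = rec["user"]
        profile = roster.get(user)
        # Control: audit remote-access accounts against the identity roster.
        if profile is None:
            if rec.get("service") == "vpn":
                findings.append(Finding(rec["ts"], user, "vpn account not in roster"))
            continue
        # Only successful credential use is scored by these two rules; failures
        # belong to brute-force / password-spray rules, which are not shown here.
        if rec.get("result") != "success":
            continue
        if rec["src_country"] not in profile["countries"]:
            findings.append(Finding(rec["ts"], user,
                                    f"login from unexpected country {rec['src_country']}"))
        hour = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).astimezone(timezone.utc).hour
        if not in_working_hours(hour, profile["hours"]):
            findings.append(Finding(rec["ts"], user,
                                    f"login outside working hours ({hour:02d}:00 UTC)"))
    return findings


def review_sample():
    """Run the detector over the constructed sample; returns the list of findings."""
    return analyse(parse_log(SAMPLE_LOG), ROSTER)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.ts}  {f.user:<12} {f.reason}")
```

On the constructed sample the script produces three findings: an off-hours VPN login for `jdoe`, a successful SSO login for `jdoe` from a country not in that user's baseline, and a VPN account (`svc-backup2`) with no roster entry. The failed login from the unexpected country is deliberately ignored by these rules so that the output stays focused on credential use that actually succeeded, which is the signal the FAQ answer asks defenders to monitor.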
Sources
- CloudSEK, "A Threat Actor Landscape Assessment of ICS/OT Targeting in the 2026 Iran-US Conflict," March 5, 2026. cloudsek.com
- CloudSEK, "Situation Report: Middle East Escalation (February 27–1st March, 2026)," March 2026. cloudsek.com
- Euronews, "How cyberattacks are being used as weapons in the Iran war," March 18, 2026. euronews.com
- Center for Strategic and International Studies, "Beyond Hacktivism: Iran's Coordinated Cyber Threat Landscape," March 2026. csis.org
- The Soufan Center, "Cyber Operations as Iran's Asymmetric Leverage," March 17, 2026. thesoufancenter.org
- Canadian Centre for Cyber Security, "Cyber Threat Bulletin: Iranian Cyber Threat Response to US/Israel Strikes, February 2026," March 2026. cyber.gc.ca
- Trellix, "The Iranian Cyber Capability 2026," March 5, 2026. trellix.com
- BeyondTrust, "Threat Advisory: Iran-Aligned Cyber Actors Respond to Operation Epic Fury," March 2026. beyondtrust.com
- Nozomi Networks, "Iranian APT Activity During Geopolitical Escalation," March 2026. nozominetworks.com
- Unit 42 / Palo Alto Networks, "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran," Updated March 26, 2026. unit42.paloaltonetworks.com
- Unit 42 / Palo Alto Networks, "Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization," March 2026. unit42.paloaltonetworks.com
- CISA, "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors," Advisory AA23-335A, Updated December 18, 2024. cisa.gov
- FBI / CISA / NSA / EPA / DOE / U.S. Cyber Command, "Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure," Advisory AA26-097A, April 7, 2026. cisa.gov
- NetBlocks, Internet connectivity monitoring data: Iran at 4% of normal at onset of February 28 strikes, falling to approximately 1% by March 2026. Cited in Al Jazeera, IranIntl, and multiple press sources. netblocks.org
- Foundation for Defense of Democracies / Center on Cyber and Technology Innovation, "Tehran’s Looking for a Few Good Spies in Israel," April 17, 2026. fdd.org
- Rapid7, "Iran's Cyber Playbook in the Escalating Regional Conflict," March 2026. rapid7.com
- Check Point Research, "What Defenders Need to Know about Iran's Cyber Capabilities," March 2026. blog.checkpoint.com
- SOCRadar, "Iran vs. Israel & US Cyber War 2026: Operation Epic Fury Threat Intelligence," March 2026. socradar.io
- Picus Security, "Inside the Shadows: Understanding Active Iranian APT Groups," July 2025. picussecurity.com
- Shieldworkz, "Decoding the Strategic Quiet of Iranian Cyber Groups," March 2026. shieldworkz.com