Iranian Cyber Threat Groups Targeting Israel

No country faces more sustained, state-aligned cyber pressure than Israel, and Iran together with its proxies is the dominant adversary. These are not opportunistic criminals; they are organized groups tied to Iran’s intelligence services and the IRGC, running espionage, disruption, and information operations in parallel with physical conflict. For any Israeli organization, knowing the major actors and how they operate is the first step in prioritizing defenses. Below are the groups every Israeli defender should track.

MuddyWater (Seedworm / Static Kitten / Mango Sandstorm)

Widely assessed as tied to Iran’s Ministry of Intelligence and Security (MOIS), MuddyWater is the workhorse of regional espionage. It favors fileless, PowerShell-driven intrusions and heavily abuses legitimate remote monitoring and management (RMM) tools delivered through large phishing waves. In early 2026 it launched “Operation Olalampo,” introducing new malware families and showing signs of generative-AI involvement in its development — a clear signal that its tradecraft is accelerating.

Charming Kitten (APT35 / APT42 / Mint Sandstorm / TA453)

Affiliated with the IRGC, this cluster specializes in high-trust, relationship-based access: impersonating journalists, researchers, and policy experts to phish credentials from people close to decision-makers. It has matured from simple credential harvesting toward long-term persistence in cloud environments and custom PowerShell implants, making it especially dangerous to executives and their assistants.

OilRig (APT34 / Helix Kitten) and Fox Kitten

OilRig focuses on government, telecom, and energy espionage, and is known for DNS-based exfiltration. Fox Kitten (also Pioneer Kitten / Lemon Sandstorm) specializes in exploiting unpatched perimeter and VPN appliances, and has been linked to the Pay2Key ransomware operation — a vivid example of Iranian groups blending state objectives with extortion.

Destructive and OT-focused actors

CyberAv3ngers has targeted Israeli industrial control systems and water utilities. Agrius (Pink Sandstorm / Agonizing Serpens) deploys wipers disguised as ransomware. Handala Hack pairs custom wipers with the commercially available Rhadamanthys infostealer, often using fake software-update lures, and runs narrative-shaping leak operations. Around them, hacktivist clusters launch DDoS waves against public portals.

How to prioritize your defenses

  • Patch internet-facing devices, VPNs, and edge infrastructure immediately — this is Fox Kitten’s primary route in.
  • Remove or tightly control unmanaged RMM tools, which MuddyWater abuses for persistence.
  • Harden identity: enforce phishing-resistant MFA and watch for credential phishing aimed at key individuals.
  • Monitor DNS for anomalous patterns, segment OT networks, and validate DDoS mitigation on public portals.
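The OilRig paragraph above names DNS-based exfiltration, and the last item in this list asks defenders to watch DNS for anomalous patterns. As an added example (not part of the original post and not Persist Security's own tooling), the Python below scores DNS query logs for the tell-tale shape of data tunnelled out in subdomains: many distinct, long, high-entropy labels under one registered domain. Everything in it is an assumption made for the example: the log line format, the thresholds, and the sample domains (`example.com`, `tunnel-example.org`) are constructed, and the "registered domain" is approximated as the last two labels, which a production version should replace with a Public Suffix List lookup so that names under suffixes like `co.il` group correctly.

```python
import base64
import math
import random
from collections import defaultdict

# --- Constructed sample log (not real telemetry; all domains are placeholders) ---
# Line format assumed for this example: "<timestamp> <client_ip> <qtype> <qname>"
_BENIGN_LINES = [
    "2026-01-15T08:00:01Z 10.0.0.5 A www.example.com",
    "2026-01-15T08:00:02Z 10.0.0.5 A mail.example.com",
    "2026-01-15T08:00:03Z 10.0.0.7 A cdn.example.com",
    "2026-01-15T08:00:04Z 10.0.0.7 A www.example.com",
    "2026-01-15T08:00:05Z 10.0.0.9 A update.example.net",
    "2026-01-15T08:00:06Z 10.0.0.9 AAAA www.example.net",
]


def _constructed_exfil_lines(count=25, seed=42):
    """Build queries shaped like data smuggled out in subdomains: random bytes,
    base32-encoded, split into two long labels under one domain. Constructed
    for the example and deterministic via the seed."""
    rng = random.Random(seed)
    lines = []
    for i in range(count):
        raw = bytes(rng.getrandbits(8) for _ in range(30))
        enc = base64.b32encode(raw).decode().lower().rstrip("=")  # 48 chars
        qname = f"{enc[:24]}.{enc[24:]}.tunnel-example.org"
        lines.append(f"2026-01-15T08:01:{i % 60:02d}Z 10.0.0.5 TXT {qname}")
    return lines


SAMPLE_LOG = _BENIGN_LINES + _constructed_exfil_lines()


def parse_line(line):
    """Parse one log line in the assumed four-field format."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def shannon_entropy(s):
    """Bits per character of the string; encoded payloads score high,
    dictionary words and hostnames like 'mail' score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Return (registered_domain, subdomain). Assumption: the registered domain
    is the last two labels; use the Public Suffix List in real deployments."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_domains(lines, min_unique=20, max_mean_len=30.0, max_mean_entropy=3.5):
    """Group queries by registered domain and flag domains whose distinct
    subdomains are numerous, long, and high-entropy. Thresholds are assumed
    starting points to be tuned against a baseline of the monitored network."""
    per_domain = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        dom, sub = split_query(rec["qname"])
        per_domain[dom].append((rec["client"], sub))

    findings = {}
    for dom, recs in per_domain.items():
        uniq = {sub for _, sub in recs if sub}
        if len(uniq) < min_unique:
            continue  # too few distinct names to judge; avoids flagging ordinary hosts
        mean_len = sum(len(s) for s in uniq) / len(uniq)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in uniq) / len(uniq)
        flags = []
        if mean_len > max_mean_len:
            flags.append("long-subdomains")
        if mean_ent > max_mean_entropy:
            flags.append("high-entropy-subdomains")
        if flags:
            findings[dom] = {
                "queries": len(recs),
                "unique_subdomains": len(uniq),
                "mean_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "clients": sorted({c for c, _ in recs}),
                "flags": flags,
            }
    return findings


if __name__ == "__main__":
    for dom, info in score_domains(SAMPLE_LOG).items():
        print(dom, info)
```

Run against the constructed sample, only `tunnel-example.org` is reported; the handful of short hostnames under `example.com` never reach the minimum distinct-subdomain count. In practice the same scoring is applied per time window and per source host, and a domain that trips both flags is a candidate for blocking at the resolver and for a look at the querying endpoint.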

Persist Security tracks these actors continuously through live threat intelligence and feeds that context straight into our managed SOC and incident-response teams. Contact us for a threat briefing tailored to your sector.

Paz Schwartz (פז שורץ)

CEO, Persist Security