As geopolitical tensions rise, cyber activity has intensified alongside them. According to Check Point Research, five Iran-linked threat groups are currently active, each with distinct tactics and target profiles.

Cyber attribution remains complex and probabilistic. Iran has repeatedly denied state involvement in offensive cyber operations.

Cotton Sandstorm

Linked to: Islamic Revolutionary Guard Corps (IRGC)

Primary targets: Israeli organisations, media outlets and political figures

Core tactic: Hack-and-leak operations combined with online influence

Check Point links Cotton Sandstorm to the IRGC and describes it as a group that combines intrusion with narrative shaping. It carries out website defacements, DDoS attacks, email compromise and data theft, then publishes stolen material at strategically timed moments.

The group uses a custom data-stealing malware known as WezRat, typically delivered through phishing emails. It has also deployed ransomware, including WhiteLock, particularly against Israeli targets. During periods of heightened tension, the group has been observed reactivating older online personas to claim responsibility for attacks, complicating attribution efforts.

Educated Manticore

Linked to: IRGC Intelligence Organization

Primary targets: Journalists, researchers, activists and policy professionals

Core tactic: Long-term social engineering and credential theft

Educated Manticore takes a slower, targeted approach. Check Point describes its method as “relationship-based access,” where trust is built over time before credentials are stolen.

Rather than broad phishing campaigns, the group selects individuals carefully. It has impersonated trusted contacts and directed targets to fake login pages mimicking platforms such as WhatsApp, Microsoft Teams and Google Meet. The objective is to obtain login credentials and session tokens, enabling quiet, long-term access for intelligence gathering.

MuddyWater

Also known as: Mango Sandstorm, Static Kitten

Linked to: Ministry of Intelligence and Security (MOIS)

Primary targets: Government, telecom, energy and private sector organisations in Israel and the Gulf

Core tactic: Using legitimate system tools to avoid detection

MuddyWater is known for using built-in system tools rather than highly visible malware. Check Point says the group relies heavily on Windows tools such as PowerShell and WMI to move through networks without triggering alerts.

Initial access often comes through phishing emails or legitimate remote monitoring and management tools. Once inside, the group may hijack internal email accounts to send further phishing messages. Its primary objective is intelligence collection, though it has demonstrated the ability to shift toward disruption when required.

Void Manticore / Handala

Linked to: Ministry of Intelligence and Security (MOIS)

Public persona: “Handala Hack Team”

Primary targets: Israeli entities and selected organisations across the Gulf

Core tactic: Psychological and reputational disruption

Handala emerged in late 2023 as a pro-Palestinian hacktivist identity and is assessed by Check Point as linked to Void Manticore. The group focuses on psychological impact rather than purely technical damage.

Gil Messing, Chief of Staff at Check Point, said that while “some underlying intrusion or access” is often present when the group claims responsibility, the “scale and impact are frequently exaggerated for psychological effect.” A recurring tactic involves releasing data from older breaches during periods of tension to create the impression of fresh attacks.

Check Point has also observed campaigns attributed to the group scanning externally facing systems for weak credentials and increasing online messaging aimed at Gulf states as tensions escalate.

Agrius

Also known as: Pink Sandstorm, Agonizing Serpens

Linked to: Ministry of Intelligence and Security (MOIS)

Active since: 2020

Primary targets: Israeli and Emirati organisations

Core tactic: Wiper malware disguised as ransomware

Agrius is associated with destructive operations. According to Check Point, the group deploys wiper malware designed to permanently destroy data but presents the attacks as ransomware to mask its intent.

It typically gains entry by exploiting vulnerable internet-facing servers. Once inside, it deploys webshells and uses legitimate system tools to move laterally before launching destructive payloads. The group has combined network-level disruption with data leaks to increase impact.

What Organisations Should Monitor

Check Point notes tactical overlap across the five groups. Phishing remains the most common entry point, often followed by credential theft and the misuse of legitimate remote management tools.

The firm recommends close monitoring of VPN traffic, stronger protection of internet-facing systems, phishing-resistant multi-factor authentication and careful scrutiny of unsolicited meeting or collaboration requests. Unusual login behaviour and credential misuse are flagged as key warning signs.
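As an added illustration of the warning signs above (not Check Point's detection logic, and not code from the article), the following Python checks constructed authentication log lines for two of them: one source address failing against many accounts, which is what scanning for weak credentials looks like from the inside, and a successful login from a country the account has no history of. The log format, IP addresses, usernames and baseline are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample authentication log lines (not from the article or any real system).
# Fields: timestamp, source_ip, country, username, result
SAMPLE_LOG = """\
2024-01-01T08:00:01Z 203.0.113.10 NL alice FAIL
2024-01-01T08:00:02Z 203.0.113.10 NL bob FAIL
2024-01-01T08:00:03Z 203.0.113.10 NL carol FAIL
2024-01-01T08:00:04Z 203.0.113.10 NL dave FAIL
2024-01-01T08:00:05Z 203.0.113.10 NL erin FAIL
2024-01-01T08:00:06Z 203.0.113.10 NL frank OK
2024-01-01T09:15:00Z 198.51.100.7 IL alice OK
2024-01-01T09:20:00Z 198.51.100.7 IL alice OK
"""

# Constructed baseline: countries each account is normally seen logging in from.
BASELINE = {"alice": {"IL"}, "bob": {"IL"}, "frank": {"IL", "AE"}}

def parse(log):
    """Split each line into a dict; lines without exactly five fields are skipped."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, country, user, result = parts
        rows.append({"ts": ts, "ip": ip, "country": country, "user": user, "result": result})
    return rows

def detect_spray(rows, min_accounts=5):
    """Flag source IPs that fail against at least min_accounts distinct usernames.
    Many accounts with few attempts each is the low-and-slow spray pattern, which
    per-account lockout thresholds do not catch."""
    failed_users = defaultdict(set)
    for r in rows:
        if r["result"] == "FAIL":
            failed_users[r["ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in failed_users.items() if len(users) >= min_accounts}

def detect_new_location(rows, baseline):
    """Flag successful logins from a country the account has no baseline for.
    Accounts absent from the baseline are flagged too: a first-ever login is itself unusual."""
    hits = []
    for r in rows:
        if r["result"] == "OK" and r["country"] not in baseline.get(r["user"], set()):
            hits.append((r["user"], r["country"], r["ip"]))
    return hits
```

In the constructed data the spraying address eventually succeeds against `frank` from a country outside his baseline, so both checks fire on the same source, which is the kind of correlation worth alerting on.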

Messing said that while the immediate destructive impact of recent activity has been limited, the broader trend suggests continued operations and possible escalation. Iran’s cyber strategy, he said, tends to focus on sustained pressure and psychological influence rather than sudden large-scale disruption. The threat, he added, should be treated as ongoing rather than temporary.