Researchers from Flashpoint have revealed a nation state–sponsored ransomware campaign carried out by Iran’s Islamic Revolutionary Guard Corps (IRGC). The APT group launched the operation by contracting a company based in the country that is identified as Emen Net Pasargard (ENP).

What has happened?

Flashpoint examined three documents leaked by the Iran-based group, Lab Dookhtegan, between March 19 and April 1. The group is known to provide highly reliable intelligence on Iran-based cyber activities.
  • The campaign tracked as Project Signal started between July and September last year. It reportedly started with ENP’s research organization Studies Center with a target list of twenty websites.
  • A spreadsheet analyzed by Flashpoint revealed that Project Signal was launched with financial motivations and the attacks were planned to start between October 18 and 21 last year.
  • In addition, the timing of ENP’s Project Signal corresponded with the Iranian ransomware campaign Pay2Key, which was targeting Israeli organizations around the fall of 2020.

Experts also hold that the ransomware operation could be a ploy or deceptive way of mimicking the TTPs of other ransomware gangs.

Recent incidents linked to Iranian attackers

Several Iran-sponsored threat groups have been discovered to be active and carried out cyber operations.
  • A few weeks ago, the APT-C-23 threat group was found using voice-changing software to fool targets into installing malware.
  • In February, Domestic Kitten conducted surveillance operations against Iranian citizens, posing a threat to the entire Iranian regime.


According to researchers, it is possible that pretending to be a financially motivated group could be an obfuscation technique intended to mimic other cybercriminal groups. While Flashpoint not confidently attributed Project Signal’s connection to Pay2Key, it does hint about the rising Iranian influence in the cybercrime landscape.

Cyware Publisher