Iranian Hackers Are Targeting Developers in 2026. Here's the Threat Intel Guide.
Quick summary
Cotton Sandstorm, Charming Kitten, Peach Sandstorm — Iranian APT groups are actively deploying WezRat malware via fake software updates and running credential theft campaigns against developers and researchers. Here's what's actually happening and how to protect yourself.
In the weeks following the US-Israel strikes on Iran, cybersecurity firms are observing a sharp increase in reconnaissance and attack activity from Iranian-aligned threat actors. Developers, DevOps engineers, and technical researchers are not bystanders in this — they are primary targets.
This is the practical threat intelligence guide for the people actually in the crosshairs.
The Four Groups You Need to Know
Iranian state-sponsored hacking is not monolithic. There are distinct groups with different mandates, techniques, and target profiles. Understanding which group is relevant to you changes what you should be watching for.
Cotton Sandstorm (formerly Mercury / IRGC-linked)
What they want: Intelligence on dissidents, journalists, and activists. Also conducting disruptive operations against critical infrastructure.
Current tactic: Deploying WezRat — a custom modular infostealer distributed via spearphishing emails disguised as software update notifications. WezRat can capture keystrokes, take screenshots, steal clipboard contents, and exfiltrate files.
Who they target: Journalists, activists, human rights organizations, and anyone with access to communications about Iranian political opposition.
Peach Sandstorm (APT33 / Holmium)
What they want: Intellectual property from aerospace, energy, and defense sectors. Long-term access for espionage and sabotage positioning.
Current tactic: Password spraying at scale against satellite operators, defense contractors, and pharmaceutical companies. When they get in, they move laterally and sit quietly for months.
Who they target: Anyone at a company in aerospace, defense, energy, or pharma — including developers building internal tools for these industries.
Charming Kitten (APT35 / Phosphorus)
What they want: Credentials and communications from researchers, academics, and policy people who might have insight into sanctions, nuclear negotiations, or military strategy.
Current tactic: Mass credential theft via sophisticated fake domains — spoofed login pages for Gmail, Microsoft, and corporate SSO providers sent via convincing spearphishing. Also impersonating journalists to build rapport before delivering malware.
Who they target: Researchers, academics, think tank analysts, and — increasingly — developers at companies doing AI/ML research with any national security adjacency.
APT34 (OilRig / Helix Kitten)
What they want: Long-term persistent access to government, financial, and telecom networks in the Middle East and beyond.
Current tactic: Custom malware families with legitimate-looking command-and-control infrastructure. Known for patience — they maintain access for years before activating.
Who they target: Telecom companies, banks, and government contractors.
The WezRat Campaign: What Developers Need to Know
WezRat is worth specific attention because its delivery mechanism directly exploits developer behavior.
The malware is distributed via emails that appear to be software update notifications — think "Your Chrome installation requires a security update" or "Action required: update your VPN client." The emails are convincing because they spoof legitimate sender domains and link to pages that closely mimic vendor update portals.
What WezRat does after installation:
- Keylogger: captures everything you type, including passwords, API keys, and code
- Screenshot capture: periodic screenshots sent to C2 servers
- Clipboard theft: captures anything you copy, including tokens and credentials
- File exfiltration: scans for and uploads documents, config files, and SSH keys
- Persistence: installs as a startup service to survive reboots
For a developer, the blast radius of WezRat infection is severe: AWS/GCP/Azure credentials, GitHub tokens, SSH private keys, database passwords, API keys stored in .env files — all of these are exactly what WezRat is designed to find.
The Password Spraying Problem
Peach Sandstorm's password spraying campaigns are a different kind of threat. Rather than targeting you individually, they throw common passwords against thousands of accounts simultaneously, staying below lockout thresholds.
If your company uses Microsoft 365, Azure AD, or Okta, and you don't have MFA enforced across the board, you are inside the blast radius of these campaigns. The sectors they prioritize include satellite communications, defense, pharmaceutical — but the technique is indiscriminate enough that any organization with weak password hygiene is at risk.
What "password spraying" means technically: Instead of trying many passwords against one account (which triggers lockout), attackers try one or two common passwords against thousands of accounts simultaneously. "Spring2026!" and "Company2026" are perennial favorites.
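Detection logic for the pattern just described, added here as an example and not part of the original article: it walks constructed sign-in log lines (the "timestamp result user= src=" line format is an assumption) and flags any source that fails against many distinct accounts inside one window while touching each account only once or twice, the below-lockout signature of a spray. A success from such a source is reported separately, since that account needs an immediate reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log: one source fails once each against six accounts
# in three minutes (a spray) and then logs into a seventh; a second source
# fails three times against one account (not a spray, would hit lockout).
SAMPLE_LOG = """\
2026-03-02T09:00:01Z FAIL user=alice src=203.0.113.7
2026-03-02T09:00:18Z FAIL user=bob src=203.0.113.7
2026-03-02T09:00:40Z FAIL user=carol src=203.0.113.7
2026-03-02T09:01:05Z FAIL user=dave src=203.0.113.7
2026-03-02T09:01:30Z FAIL user=erin src=203.0.113.7
2026-03-02T09:02:10Z OK user=frank src=203.0.113.7
2026-03-02T09:02:55Z FAIL user=grace src=203.0.113.7
2026-03-02T09:05:00Z FAIL user=alice src=198.51.100.9
2026-03-02T09:05:20Z FAIL user=alice src=198.51.100.9
2026-03-02T09:05:45Z FAIL user=alice src=198.51.100.9
"""

def parse(line):
    """'<ISO ts> <OK|FAIL> user=<account> src=<ip>' -> (ts, result, user, src)."""
    ts, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_spray(log_text, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Return {src: {"accounts": [...], "succeeded": [...]}} for sources whose
    failures hit >= min_accounts distinct accounts within one window while no
    account is tried more than max_per_account times (below-lockout pattern)."""
    fails, oks = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        ts, result, user, src = parse(line)
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            oks[src].add(user)
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window start
            per_acct = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start <= window:
                    per_acct[user] += 1
            if (len(per_acct) >= min_accounts
                    and max(per_acct.values()) <= max_per_account):
                hits[src] = {"accounts": sorted(per_acct),
                             "succeeded": sorted(oks[src])}
                break
    return hits
```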
How to Actually Protect Yourself
This is not a checklist of obvious things you already know. These are the specific gaps Iranian APT groups are exploiting right now.
1. Treat software update emails as suspicious by default
Legitimate software updates don't come via email asking you to click a link. Chrome updates via Chrome. VS Code updates via VS Code. If you receive an email about a required update for any developer tool, go directly to the vendor's website — never through the email link.
2. Hardware security keys for critical accounts
Phishing-resistant MFA (FIDO2 / hardware keys like YubiKey) stops Charming Kitten's credential theft cold. SMS-based MFA does not — it's vulnerable to SIM swapping and real-time phishing proxies. If you have access to production infrastructure, use a hardware key.
3. Secrets management — not .env files
If you're storing API keys, database credentials, or tokens in .env files on your development machine, WezRat will find them. Use a secrets manager (AWS Secrets Manager, HashiCorp Vault, 1Password Secrets Automation) and rotate credentials regularly.
4. Watch your SSH keys
WezRat specifically targets ~/.ssh/. If your private keys aren't passphrase-protected, any malware with filesystem access can exfiltrate them silently. Audit your SSH keys, use passphrases, and consider using short-lived certificates via a bastion rather than long-lived keys.
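Items 3 and 4 can be checked on a workstation before malware checks them for you. The audit script below is an added example, not code from the article: it walks a directory tree for .env files holding credential-looking assignments and for SSH private keys stored without a passphrase. The variable-name pattern and the constructed sample files are assumptions; the key-header check follows the public openssh-key-v1 layout, in which a ciphername of "none" means the key is unencrypted, and the "Proc-Type: 4,ENCRYPTED" marker for legacy PEM keys.

```python
import base64, os, re, struct, tempfile
SECRET_RE = re.compile(  # variable names that usually carry a credential (assumption)
    r"^\s*([A-Z0-9_]*(KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)\s*=\s*\S", re.M)

def ssh_key_encrypted(data):
    """True/False for a private key file, None if the data is not one."""
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        raw = base64.b64decode(b"".join(
            l for l in data.splitlines() if not l.startswith(b"-----")))
        if not raw.startswith(b"openssh-key-v1\x00"):
            return None
        (n,) = struct.unpack(">I", raw[15:19])    # ciphername length follows magic
        return raw[19:19 + n] != b"none"          # "none" means no passphrase
    if re.search(rb"BEGIN (RSA|EC|DSA) PRIVATE KEY", data):
        return b"Proc-Type: 4,ENCRYPTED" in data  # legacy PEM encryption marker
    return None

def audit(root):
    """Return sorted (kind, relative path, detail) findings under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            rel = os.path.relpath(path, root)
            if name == ".env" or name.startswith(".env."):
                for m in SECRET_RE.finditer(data.decode(errors="replace")):
                    findings.append(("plaintext-secret", rel, m.group(1)))
            elif ssh_key_encrypted(data) is False:
                findings.append(("unencrypted-ssh-key", rel, ""))
    return sorted(findings)

def _openssh_blob(cipher):
    """Constructed key stub: only the header fields the checker reads."""
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")

def demo():
    """Write constructed files into a throwaway home directory, then audit it."""
    root = tempfile.mkdtemp()
    files = {".ssh/id_ed25519": _openssh_blob(b"none"),      # no passphrase: flagged
             ".ssh/id_work": _openssh_blob(b"aes256-ctr"),   # protected: not flagged
             "app/.env": b"DEBUG=true\nAWS_SECRET_ACCESS_KEY=EXAMPLE\nDB_PASSWORD=hunter2\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return audit(root)
```

Point audit() at a real home directory to get the same findings for your own machine; the stub keys exist only so the demo runs offline.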
5. Monitor for impossible travel and new device logins
Your company's identity provider almost certainly logs device and location data. Set up alerts for logins from new countries or devices. Iranian APT groups often log in from VPNs, but the initial compromise sometimes leaves a geographic trace.
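The alerting described in item 5, as an added example that is not from the article, run over constructed identity-provider sign-in events: a new-country or new-device alert fires when a value has not been seen for that user before, and an impossible-travel alert fires when two consecutive sign-ins imply a speed no commercial flight could reach. The event schema and the 900 km/h threshold are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900   # above airliner speed: both sign-ins cannot be the real user

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in decimal degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * asin(sqrt(h))

def analyse(events):
    """events: dicts with user, ts (ISO 8601 UTC), country, device, lat, lon.
    Returns (user, alert, detail) tuples in time order. 'new-country' and
    'new-device' fire once a user has a baseline and a value is unseen;
    'impossible-travel' fires when consecutive sign-ins imply > MAX_KMH."""
    alerts, last, seen = [], {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        u = e["user"]
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        base = seen.setdefault(u, {"country": set(), "device": set()})
        for field in ("country", "device"):
            if base[field] and e[field] not in base[field]:
                alerts.append((u, f"new-{field}", e[field]))
            base[field].add(e[field])
        if u in last:
            prev_ts, prev_pos = last[u]
            hours = (ts - prev_ts).total_seconds() / 3600
            km = haversine_km(prev_pos, (e["lat"], e["lon"]))
            if hours > 0 and km / hours > MAX_KMH:
                alerts.append((u, "impossible-travel", f"{km:.0f} km in {hours:.2f} h"))
        last[u] = (ts, (e["lat"], e["lon"]))
    return alerts

# Constructed sign-ins: dev1 appears in Berlin twice, then 45 minutes later in
# Singapore on an unknown device; dev2 flies New York -> London in 8 hours.
SAMPLE = [
    {"user": "dev1", "ts": "2026-03-02T08:00:00Z", "country": "DE", "device": "laptop-a", "lat": 52.52, "lon": 13.40},
    {"user": "dev1", "ts": "2026-03-02T08:45:00Z", "country": "DE", "device": "laptop-a", "lat": 52.52, "lon": 13.40},
    {"user": "dev1", "ts": "2026-03-02T09:30:00Z", "country": "SG", "device": "unknown-7", "lat": 1.35, "lon": 103.82},
    {"user": "dev2", "ts": "2026-03-02T09:00:00Z", "country": "US", "device": "laptop-b", "lat": 40.71, "lon": -74.01},
    {"user": "dev2", "ts": "2026-03-02T17:00:00Z", "country": "GB", "device": "laptop-b", "lat": 51.51, "lon": -0.13},
]
```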
6. Be suspicious of inbound outreach from "journalists" and "researchers"
Charming Kitten's social engineering starts with building rapport. They'll reach out on LinkedIn or Twitter claiming to be writing a piece about AI, asking if you'd like to be interviewed, then gradually move toward document sharing or link clicking. If you receive unsolicited researcher outreach that eventually involves sharing files, treat it as a red flag.
The Bigger Picture: Why Developers Are Targets
Nation-state hackers aren't interested in your laptop because of who you are. They're interested because of what you have access to.
A developer at a satellite communications company has VPN credentials that connect to the control network. A DevOps engineer at a defense contractor has AWS access to the infrastructure running classified workloads. A researcher at an AI lab has access to model weights and training data that foreign governments want.
The developer is the path of least resistance — technically sophisticated enough to have deep access, but often less security-aware than the dedicated IT security team protecting the same organization.
Understanding that you are a target, specifically because of what you can access, changes how you think about your own security hygiene.
Written by
Abhishek Gautam
Full Stack Developer & Software Engineer based in Delhi, India. Building web applications and SaaS products with React, Next.js, Node.js, and TypeScript. 8+ projects deployed across 7+ countries.