MuddyWater, APT33 Lead Wave of Iranian Cyberattacks Against Industrial Sectors
Iranian state-sponsored cyber activity has seen a sharp rise in recent months, with Nozomi Networks reporting a 133% increase in attacks linked to Iranian threat actors during May and June 2025. In total, Nozomi Networks tracked 28 cyberattacks tied to groups aligned with Iran, up from just 12 in the previous two-month period. The primary targets of this surge have been organizations in the U.S., particularly within the Transportation and Manufacturing sectors. Nozomi Networks warned, “During May and June, we observed 28 attacks related to Iranian threat actors. Compared to the previous 2-month period, where we saw only 12, this represents a 133% increase in their activity.” This escalation is consistent with broader geopolitical tensions and follows warnings from U.S. federal agencies about the heightened risk of retaliatory cyberattacks.
The most active group during this period was MuddyWater, which targeted at least five U.S. companies in the impacted sectors. APT33 followed, linked to at least three incidents, while OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice were each connected to attacks on at least two U.S. organizations. Each of these groups has distinct operational histories: MuddyWater is known for targeting government and energy sectors; APT33 has focused on aerospace and petrochemical entities; OilRig has engaged in espionage within the financial and energy industries; while Fox Kitten and Homeland Justice have been active in disruptive operations. Notably, CyberAv3ngers was observed reusing IP infrastructure from prior attacks involving OT-specific malware, reflecting the group's continued focus on operational technology environments.
These developments come amid growing global concerns over the use of cyberattacks as extensions of state conflict. Fox Kitten, in particular, has reportedly shifted toward ransomware operations in partnership with affiliates, offering financial incentives for attacks that align with Iran’s strategic interests, as reported by Morphisec. Homeland Justice, previously linked to disruptive operations against government targets, remains active in the cyber threat landscape. Nozomi Networks has emphasized the importance of vigilance within critical infrastructure sectors, urging organizations to enhance detection and response capabilities.