Cotton Sandstorm

Repository Navigation

  • Actor workbench: Cotton Sandstorm
  • TTP-to-detection matrix: all mapped techniques
  • Surface and capability routes: None currently mapped.
  • Detection status: dashboard
  • Hunt workflow: hunt workflow
  • ATT&CK mappings: T1585 Establish Accounts (M1); T1204.002 User Execution: Malicious File (M3); T1566 Phishing (M3)
  • Mapped detections: DET-004 Mail Click To Execution Correlation (Hunt, DRL-4)
  • Mapped hunts: HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution
  • IOC reference sources: SRC-CP-WEZRAT Email sender; domains; hashes; C2 paths; malware behavior
  • Tool detail pages: WezRat
  • Tool matrix: all actor-linked tools (1 mapped tool row)
  • Evidence records: EVD-022 / CLM-COTTONSANDSTORM-001
  • Imported research intakes: None currently mapped.
  • Intel update candidates: None in current feed pull.
  • Source IDs in structured data: SRC-CP-WEZRAT, SRC-FBI-EMENNET-2024, SRC-MS-IRAN-IO

Aliases: Emennet Pasargad, Aria Sepehr Ayandehsazan (ASA), MarnanBridge, Haywire Kitten, Altoufan Team (Al-Toufan), Net Peygard Samavat.

Assessed sponsor: IRGC-linked, specifically associated with the front company Aria Sepehr Ayandehsazan (ASA) per the FBI / U.S. Treasury / INCD joint advisory (October 2024). ASA is an Iranian cyber contractor, not a direct IRGC unit — distinguish from IRGC-CEC (CyberAv3ngers) and MOIS-subordinate actors.

Relevance

Cotton Sandstorm is relevant to the Israeli government because Microsoft describes Iranian cyber-enabled influence operations that combine intrusion, leak claims, impersonation, and messaging designed to shape perceptions during conflict.

Defensive Focus

  • Separating verified compromise from public claims.
  • Monitoring leak-site and persona claims without over-attribution.
  • Preserving forensic evidence for public communications response.
  • Coordinating cyber, legal, and communications teams.

Detection Ideas

  • Web defacement attempts.
  • Bulk email or SMS impersonation campaigns.
  • Unusual public data exposure followed by coordinated amplification.

Sources: SRC-MS-IRAN-HAMAS, SRC-MS-IRAN-IO, SRC-FDD-IRAN-IO-ISRAEL.