According to Unit 42, recent Iranian cyber operations extend beyond disruption and sit within a broader strategy of asymmetric retaliation, moving from MBR‑wiper style attacks to identity‑driven abuse of enterprise management tools.
The piece traces an escalation in three stages: in 2012 and 2016, groups such as Curious Serpens (APT33, Elfin) and Evasive Serpens (APT34, OilRig) used disk‑wiping malware against IT infrastructure; in 2020–2022, Agonizing Serpens (Agrius) deployed blends of wiper and ransomware; and in 2023–2025, hacktivist activity relied on cross‑platform wipers such as Hatef, Hamsa, and BiBi.
It notes a pivot in 2023–2025 toward cross‑platform destruction paired with data exfiltration, and highlights the 2026 transition to the Era of Identity Weaponization, where highly privileged identities and cloud‑based management consoles (MDM/RMM) are exploited to broadcast built‑in remote‑wipe commands across thousands of devices.
The analysis underscores that the attack surface now centres on the management plane: because these wipe commands are authenticated, authorised, and delivered from trusted infrastructure, endpoint detection and response (EDR) tooling often cannot distinguish them from legitimate administration.
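As an added example (not code from the Unit 42 report), the following detector looks for the pattern described above in the one place it is visible, the management console's own audit log: a single identity issuing many wipe commands inside a short window. The log line format, field names, action names and threshold are assumptions; the sample lines are constructed.

```python
"""Burst detection for remote-wipe commands in an MDM/RMM audit log.

Added example, not from the Unit 42 report. The line format
"<ISO timestamp> actor=<id> action=<verb> device=<id>", the action names
and the threshold are assumptions; events are assumed to be in time order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed action names a console might record for a built-in remote wipe.
WIPE_ACTIONS = {"device.wipe", "device.factory_reset"}

# Constructed sample audit log: one legitimate wipe (lost laptop), one
# policy change, then eight wipes from a single identity in under two minutes.
SAMPLE_LOG = [
    "2026-01-10T08:00:01Z actor=helpdesk@corp.example action=device.wipe device=D-1001",
    "2026-01-10T09:12:00Z actor=svc-mdm@corp.example action=policy.update device=D-2000",
] + [
    f"2026-01-10T09:{13 + i // 4:02d}:{(i % 4) * 15:02d}Z "
    f"actor=svc-mdm@corp.example action=device.wipe device=D-{2001 + i}"
    for i in range(8)
]


def parse_line(line):
    """Split one audit line into (timestamp, {field: value})."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields


def detect_wipe_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak wipe count} for identities that issued at least
    `threshold` wipe commands within any `window`-long sliding window.
    A single wipe is normal; a burst from one identity is the signal."""
    recent = defaultdict(deque)   # actor -> timestamps of wipes still inside the window
    peaks = {}                    # actor -> highest in-window count that reached threshold
    for line in lines:
        ts, fields = parse_line(line)
        if fields.get("action") not in WIPE_ACTIONS:
            continue
        actor = fields["actor"]
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:  # evict wipes older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[actor] = max(peaks.get(actor, 0), len(q))
    return peaks


if __name__ == "__main__":
    for actor, count in detect_wipe_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {actor} issued {count} wipe commands within 10 minutes")
```

In a real deployment the same logic runs over the console's exported audit events (or a SIEM feed of them), and the identity that trips it is the one whose sessions and token grants to review first.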