Introduction
In today’s interconnected world, the line between physical and digital domains is increasingly blurred, with geopolitical tensions often spilling over into cyberspace. Over the years, nation-state actors—particularly those aligned with Iran—have consistently leveraged cyberspace to advance political and strategic objectives, employing tactics such as destructive malware, targeted intrusions, and disinformation campaigns.
While a ceasefire is in place following U.S. intervention in the 12-day Iran-Israel conflict that erupted in June 2025, the U.S. Department of Homeland Security (DHS) recently issued a National Terrorism Advisory System Bulletin warning of an increased risk of retaliatory cyber operations. In response, Arctic Wolf® issued a preemptive security bulletin anticipating potential cyber threats and retaliatory actions by Iran.
Cyber threat actors aligned with or sympathetic to Iran, such as pro-Iranian hacktivist groups and cyber actors affiliated with the Iranian government, are likely to intensify their efforts in the coming days as a form of retaliation. This increases risks not only for U.S.-based organizations, but also for private enterprises across allied nations, particularly those with diplomatic, military, or critical infrastructure ties.
In this article, we’ll review some of the common dual-use software that has been utilized by Iran-aligned threat actors. Though many of these tools are utilized in a limited but legitimate capacity depending on the circumstance, some organizations may wish to block tooling deemed not relevant to their business operations. To that end, we are providing a Windows Defender Application Control (WDAC) policy to limit execution of dual-use software linked to Iran-aligned threat activity.
Iranian-linked Tooling
To facilitate their malicious activities, many cyber threat actors, including sophisticated advanced persistent threat (APT) groups, may leverage legitimate software that isn’t inherently malicious but can be put to a “dual-use” purpose.
Using a technique known as Living-off-the-Land (LotL), threat actors abuse pre-approved or commonly used software within a target organization to conduct illicit activities. This allows their malicious actions to go under the radar without raising suspicion or straying from the standard routines observed by security teams or security products, thus blending their operations into normal traffic flows and operations.
Though a wide range of groups associated with Iran may leverage some form of LotL techniques, two groups frequently known to utilize these kinds of techniques include:
MuddyWater
Active since 2017, MuddyWater (aka TA450, Earth Vetala) is a suspected element within the Iranian Ministry of Intelligence and Security (MoIS) that has been associated with multiple cyber incidents over the years. Known for their utilization of dual-use tooling and spear phishing campaigns, the group has been observed conducting cyber espionage and intelligence-gathering activities against surrounding Arab nations and European targets. MuddyWater’s primary targets are often related to critical infrastructure, academia and government agencies.
OilRig
OilRig (aka APT34, TA452) is another Iran-aligned group that has been seen in the wild since 2014. The group has leveraged both custom-built and commodity malware with the purpose of deploying illicit backdoors and remote access trojans (RATs) onto target devices. Unlike other more destructive and noisy threat groups, OilRig concentrates on activities that support long-term covert targeting, with a sharp focus on economic insights, particularly those connected with natural resources and military intelligence.
Known Dual-Use Tools Used by Threat Actors
By assessing tooling frequently utilized by Iran-aligned threat groups and many others, Arctic Wolf has compiled a list of known dual-use tooling that may be used in some of the most common types of cyberattacks we’ve observed coming from these types of threat actors. This list can be used to assist organizations in blocking low-level attacks by leveraging Windows Defender Application Control (discussed below) to deny the execution of such applications.
It’s important to note that while dual-use tools can be abused by threat actors, many tools—such as PuTTY—are commonly used for legitimate purposes in enterprise environments. As such, organizations should first focus on discovery and baseline development to understand what “normal” usage looks like in their environment before implementing any blocking or restrictive controls.
Remote Access and Administration Tools
The following legitimate tools and utilities may be abused by the listed groups:
| Name | Company / Org. | APT / Threat Group | Usage / Feature Set |
|---|---|---|---|
| ScreenConnect | ConnectWise, Inc. | MuddyWater | Remote Access & Management |
| RemoteUtilities | Utilities LLC | MuddyWater | Remote Access & Management |
| SimpleHelp | SimpleHelp Ltd | MuddyWater | Remote Access |
| AteraAgent | Atera Networks Ltd | MuddyWater | Remote Management |
| Advanced Monitoring Agent | N-able Technologies Inc. | MuddyWater | Reconnaissance |
| TeamViewer | TeamViewer Germany GmbH | Various | Various |
| AnyDesk | AnyDesk Software GmbH | Various | Various |
| ProcDump64.exe | Microsoft | MuddyWater | Credential Dumping |
Network and Communications
The following legitimate services, software and toolsets may also be abused by threat groups:
| Name | APT / Threat Group | Usage / Feature Set |
|---|---|---|
| ngrok | APT34/OilRig | Command-and-Control Tunneling |
| Plink | APT34/OilRig | SSH Access |
| PuTTY | APT34/OilRig | SSH Access |
| Fast Reverse Proxy (FRP) | Various | Tunneling |
| ExpressVPN | APT42 | Infrastructure Anonymization |
| SSH | Various | SSH Access, Lateral Movement & Tunneling |
Proactive Measures Using WDAC
Windows Defender Application Control (WDAC) is a security feature in Microsoft Windows that assists organizations in protecting themselves against the execution of potentially unwanted applications. Sitting at the kernel level, it enables administrators to create policies that define trusted (or untrusted) software based on attributes such as digital signatures, hashes or paths.
WDAC Policy Deployment
The following is intended as a quick guide on WDAC policy deployment.
For comprehensive deployment instructions, please refer to Microsoft’s Deploying App Control for Business policies.
Download the WDAC policy binary from our public GitHub: AW_WDAC_Iran_Policy.cip
Download the XML from our public GitHub: AW_WDAC_Iran_Policy.xml
- The given WDAC policy works on Windows versions supporting the “Multiple Policy Format” (Windows version 1903 or newer).
- The given WDAC policy is a base policy that denies execution of known tools used by Iran-aligned threat groups.
Local Deployment
For local deployment, the Refresh CI Policy for WDAC tool is required.
1. Place the WDAC policy in:
C:\Windows\System32\CodeIntegrity\CIPolicies\Active\
2. Run the Refresh CI Policy tool to activate the policy.
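As an added example that is not part of the Arctic Wolf post, the script below carries out the local deployment steps above while also covering the baseline-first advice from earlier in the article: it stages the downloaded policy XML in audit mode (or enforced with `-Enforce`), activates it without a reboot, and reports which executables the policy logged. The download paths, the RefreshPolicy.exe location and the event-message parsing are assumptions.

```powershell
# Added example, not code from the Arctic Wolf post or from Microsoft's ConfigCI module.
# Assumptions: elevated PowerShell on Windows 10 1903+ with the ConfigCI module,
# the policy XML downloaded to $PolicyXml, and RefreshPolicy.exe at $RefreshTool.
param(
    [string]$PolicyXml   = "$env:USERPROFILE\Downloads\AW_WDAC_Iran_Policy.xml",
    [string]$RefreshTool = "$env:USERPROFILE\Downloads\RefreshPolicy.exe",
    [switch]$Enforce     # omit on the first run: audit mode builds the baseline
)
$ErrorActionPreference = 'Stop'
Import-Module ConfigCI

# Multiple Policy Format binaries are named after the policy GUID found in the XML.
$policyId = ([xml](Get-Content -Raw $PolicyXml)).SiPolicy.PolicyID
$active   = "$env:SystemRoot\System32\CodeIntegrity\CIPolicies\Active"
$workXml  = Join-Path $env:TEMP 'AW_WDAC_Iran_Policy.work.xml'
Copy-Item -Path $PolicyXml -Destination $workXml -Force

# Rule option 3 is "Enabled:Audit Mode": violations are logged, not blocked.
if ($Enforce) { Set-RuleOption -FilePath $workXml -Option 3 -Delete }
else          { Set-RuleOption -FilePath $workXml -Option 3 }

$binary = Join-Path $env:TEMP "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $workXml -BinaryFilePath $binary | Out-Null
Copy-Item -Path $binary -Destination $active -Force

# Activate without a reboot: CiTool ships with Windows 11 22H2+; otherwise
# fall back to the Refresh CI Policy tool referenced in the post.
if (Get-Command CiTool.exe -ErrorAction SilentlyContinue) {
    & CiTool.exe --update-policy (Join-Path $active "$policyId.cip")
} else {
    & $RefreshTool
}

# Confirm the enforcement state: 1 = audit, 2 = enforced (Win32_DeviceGuard class).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
"User-mode code integrity status: $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"

# Baseline report: event 3076 = would have been blocked (audit), 3077 = blocked (enforced).
$filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The file path is parsed from the event's message text (format assumed).
        if ($_.Message -match 'attempted to load (\S+) that') { $Matches[1] }
    } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it in audit mode for a representative period, review the report against legitimate usage (PuTTY and similar tools in particular), and only then rerun with `-Enforce`.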
Mobile Device Management (MDM)
1. In the Microsoft Intune portal, go to Endpoint security > App Control for Business (Preview) > App Control for Business tab, and click on “Create Policy”.
2. Fill out the Create profile page as follows:
Basics:
i. Name: AW-RAAT_Network_Comm_IR
ii. Description: Known Remote Access & Administration Tools (RAAT) and network/communication tools used by Iran-aligned threat groups.
Configuration settings:
i. Configuration settings format: Select “Enter xml data”
ii. App Control for Business policy: Upload the WDAC policy XML
3. Fill Scope tags with desired scope tags and Assignments with the groups that should receive the policy.
4. Review the policy and click Create.
Conclusion
By leveraging the Windows Defender Application Control in Microsoft Windows, organizations can assess which tools, software and applications are used within their digital environments. Locking down or continually reassessing such lists may reduce the likelihood of threat actors leveraging Living-off-the-Land binaries within their environment.
Arctic Wolf’s Commitment to Securing Organizations
Arctic Wolf remains actively engaged in monitoring and analyzing the evolving threat landscape. Our global security operations center (SOC) teams continuously track developments, assess threats, and provide our customers with timely, detailed guidance through security bulletins and other direct communications.
For those looking to deepen their understanding of how geopolitical tensions are influencing cyber threats—and how to best prepare and respond—watch the recent LinkedIn Live we hosted. This video covers the latest updates on this situation and provides additional practical steps organizations can take to harden their defenses and adapt to this continually shifting threat environment.
About Arctic Wolf Labs
Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.
Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.