ACTIVE THREAT ADVISORY: Iranian state-sponsored APT activity is escalating. Vijilan is offering ThreatRespond at no cost to qualifying MSP/MSSP partners.

The Lion Surge

You set the strategy. We make it run.

IRGC-affiliated advanced persistent threat actors — including MuddyWater, APT33, APT34, APT42, and Charming Kitten — are actively targeting US critical infrastructure, financial systems, and the MSPs defending them. Vijilan is responding with free active remediation for qualifying partners.

8+ Iranian APT Groups Active

24/7 SOC Active Remediation

$0 Cost to Qualifying Partners

+90 Days After US Victory

The Initiative

We mapped the threat. Now we're eliminating it.

Active Until US Victory — Then 90 Days More

Operation Lion Surge remains fully active until the United States officially declares victory in its conflict with the Islamic Republic of Iran. Vijilan will then honor every partner with an additional 90-day coverage extension at no cost — ensuring no organization is left exposed during the post-conflict transition window when residual Iranian threat actor cells may still be operational.

Vijilan Founder Kevin (KayVon) Nejad’s published research documented how Iran constructed one of the world’s most weaponized cyber ecosystems — Huawei deep packet inspection (DPI) systems, ZTE nationwide interception platforms, IRGC-affiliated integrators such as Khatam al-Anbiya and SAIRAN, and Russian-origin endpoint tools embedded throughout their national infrastructure.

As that regime collapses, its advanced persistent threat (APT) actors, hacktivist proxy networks, and cyber militia units do not stand down. CISA, NSA, FBI, and Palo Alto Unit 42 have all issued advisories documenting the surge in outward Iranian cyber aggression since February 2026. Operation Lion Surge is Vijilan’s direct response.

Free threat intelligence

Operation Lion Surge

60 hacktivist groups. A newly formed Electronic Operations Room. Active retaliatory campaigns — despite a ceasefire. The threat actors, TTPs, and defender implications, all documented.

Threat Intelligence Research Paper


What You Receive

ThreatRemediate Core

Enterprise-grade active remediation. At no cost.

Breaches Stopped Before They Spread

Threats are contained and eliminated before your client ever knows there was an incident. Your reputation stays intact.

Ransomware Never Reaches Deployment

Iranian APT actors are cut off mid-chain — before encryption, before data exfiltration, before business disruption begins.

Stolen Identities Go Nowhere

Compromised accounts are rendered useless in minutes. Credential-based lateral movement — Iran's most common attack vector — is dead on arrival.

Your Attack Surface Shrinks Continuously

Unpatched vulnerabilities, misconfigurations, and exposed assets are identified and prioritized before adversaries can exploit them.

Audit-Ready Incident Records — Always

Every response action is documented, timestamped, and ready for compliance, cyber insurance claims, or executive reporting.

No Gap in Coverage — Ever

Iranian threat actors hit hardest at night, on weekends, and during holidays. Vijilan's SOC operates around the clock so your clients are never unguarded.

Duration: Active until US declares victory over Iran, plus an additional 90 days of free coverage for all enrolled partners — honoring our commitment through the full threat window.

Know Your Adversary

The IRGC & MOIS Threat Actors Targeting Your Clients Right Now

Iran’s offensive cyber operations are executed by two primary intelligence organs: the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). Each controls multiple advanced persistent threat (APT) groups deploying sophisticated tactics, techniques, and procedures (TTPs) — including spear-phishing, credential harvesting, living-off-the-land (LOTL) binaries, destructive wiper malware, and ransomware-as-a-service (RaaS).

APT33

Elfin / Refined Kitten / Peach Sandstorm

IRGC-Affiliated

Active since 2013. Targets US energy, aviation, and petrochemical sectors. Known for deploying destructive StoneDrill and Shamoon wipers alongside long-dwell reconnaissance. Actively retooling post-February 2026 strikes.

Energy · Aviation · Petrochemical

APT34

OilRig / Helix Kitten / Hazel Sandstorm

MOIS-Affiliated

Highly disciplined, long-horizon actor. Infrastructure staging observed Nov 2024–Apr 2025 across impersonated academic and tech company domains. Deploys custom backdoors including POWBAT, POWRUNER, and BONDUPDATER. Targets finance, government, and defense.

Finance · Government · Defense

APT42

Charming Kitten / Mint Sandstorm / TA453

IRGC Intelligence Organization

Social engineering and credential harvesting specialist. Deploys NICECURL and TAMECAT backdoors via cloud platforms (Cloudflare Workers, OneDrive, Firebase). Targets healthcare, defense contractors, think tanks, and diaspora. Expanded 2026 campaigns against NGOs.

Healthcare · Defense Contractors · Think Tanks · Diaspora

MuddyWater

Seedworm / Static Kitten / Mercury / Mango Sandstorm

MOIS — Subordinate Element

Confirmed by CISA as “a subordinate element within MOIS.” Actively compromising US banks, airports, and non-profits as of March 2026. Deploys the Phoenix backdoor via spear-phishing sent from compromised mailboxes. Uses living-off-the-land techniques to evade detection.

Banking · Critical Infrastructure

APT35

Phosphorus / Cobalt Illusion / Yellow Garuda

IRGC-Affiliated

Focused on nuclear policy researchers, government officials, and defense sector targets. Employs multi-persona social engineering across LinkedIn, email, and phone. Known for password-spray campaigns against Microsoft Exchange and Office 365 environments.

Nuclear Policy · Government
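Password spraying of the kind attributed to APT35 above is easy to miss with per-account lockout rules because each account sees only one or two attempts. The detector below is an added example written for this page, not Vijilan's code or any product's detection logic. It runs over constructed sign-in log lines in an assumed `timestamp src= user= result=` format; the window and threshold values are illustrative and would be tuned to a real tenant. It flags a source that fails against many distinct accounts with few attempts each, and lists any account that then succeeded from that source so it can be disabled first.

```python
"""Password-spray detection over sign-in logs (added example, constructed data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records; the log format itself is an assumption.
# 203.0.113.7 sprays six accounts once each and then logs in as grace (spray).
# 198.51.100.9 hammers one account six times (brute force, not a spray).
# 192.0.2.44 is a user mistyping a password once (benign).
SAMPLE_LOGS = """\
2026-03-04T02:14:07Z src=203.0.113.7 user=alice@example.com result=FAIL
2026-03-04T02:14:09Z src=203.0.113.7 user=bob@example.com result=FAIL
2026-03-04T02:14:12Z src=203.0.113.7 user=carol@example.com result=FAIL
2026-03-04T02:14:15Z src=203.0.113.7 user=dave@example.com result=FAIL
2026-03-04T02:14:18Z src=203.0.113.7 user=erin@example.com result=FAIL
2026-03-04T02:14:21Z src=203.0.113.7 user=frank@example.com result=FAIL
2026-03-04T02:14:24Z src=203.0.113.7 user=grace@example.com result=SUCCESS
2026-03-04T02:20:00Z src=198.51.100.9 user=heidi@example.com result=FAIL
2026-03-04T02:20:02Z src=198.51.100.9 user=heidi@example.com result=FAIL
2026-03-04T02:20:04Z src=198.51.100.9 user=heidi@example.com result=FAIL
2026-03-04T02:20:06Z src=198.51.100.9 user=heidi@example.com result=FAIL
2026-03-04T02:20:08Z src=198.51.100.9 user=heidi@example.com result=FAIL
2026-03-04T02:20:10Z src=198.51.100.9 user=heidi@example.com result=FAIL
2026-03-04T09:00:00Z src=192.0.2.44 user=ivan@example.com result=FAIL
2026-03-04T09:00:30Z src=192.0.2.44 user=ivan@example.com result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"].lower(), "result": m["result"]}


def detect_password_spray(log_text, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Return one finding per source whose failures inside `window` touch at
    least `min_users` distinct accounts with no account tried more than
    `max_per_user` times (wide and shallow, the spray signature).
    Brute force against a single account does not match this rule."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        best = None  # widest qualifying window: (distinct users, first ts, last ts)
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best[0]:
                    best = (len(per_user), fails[start]["ts"], fails[end]["ts"])
        if best:
            distinct, first, last = best
            # Accounts that succeeded from the spraying source after it began
            # are the ones to disable and re-credential first.
            hit = sorted({e["user"] for e in evs
                          if e["result"] == "SUCCESS" and e["ts"] >= first})
            findings.append({"src": src, "distinct_users": distinct,
                             "first_seen": first.isoformat(),
                             "last_seen": last.isoformat(),
                             "successful_after_spray": hit})
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_LOGS):
        print(f)
```

The brute-force source in the sample is deliberately left unflagged: a per-account lockout threshold already catches it, while the spraying source stays under that threshold on every account and is only visible when failures are grouped by source rather than by user.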

Tortoiseshell

Imperial Kitten / Yellow Liderc

IRGC-Directed

Watering hole and fake LinkedIn recruitment attacks against defense contractors, aerospace firms, and IT supply chains. Deployed MiniBike custom backdoor via DLL sideloading. Active supply chain targeting through 2025; assessed as repositioning for 2026 operations.

Aerospace · Defense Supply Chain

Iranian Hacktivist Proxy Network

State-Deputized Hacktivist Groups

Iran deliberately deploys hacktivist proxy groups to conduct operations with plausible deniability. Palo Alto Unit 42 tracks these as part of the “Serpens” constellation. While lower in sophistication than APT actors, these groups conduct DDoS attacks, destructive wiper campaigns, doxxing, and hack-and-leak operations coordinated with kinetic military activity — and are actively escalating.

MOIS-linked. Blends data exfiltration with ICS targeting. Reduced public activity since Jan 2026 — historically signals active operations underway.

Cotton Sandstorm / Haywire Kitten. IRGC-linked. Cyber-enabled influence operations against US, Israel, France, and Sweden. Expanding scope in 2026.

Pro-Iranian DDoS collective. Claimed responsibility for attacks on US energy, financial, healthcare, and government systems following US military strikes.

IRGC-affiliated cell active in the Electronic Operations Room formed Feb 28, 2026. Targeting Gulf state and Western government infrastructure.

Activation Process

Deployed in Days, Not Months

1. Apply as a Partner

Complete Vijilan's MSP/MSSP partner application. Existing partners proceed directly to Step 3.

2. Fast-Track Approval

Operation Lion Surge applicants receive expedited vetting. Critical sector partners are prioritized.

3. Your Clients Get Covered

Vijilan's team onboards eligible client environments fast, with full protection active within days, not months.

4. SOC Goes Live

Vijilan's global 24/7 SOC assumes active monitoring, detection, and hands-on remediation.

Eligibility

Does Your Practice Qualify?

Operation Lion Surge is built for channel partners serving organizations in Iranian APT crosshairs.

Active Vijilan MSP / MSSP Partners

If you're already in the Vijilan ecosystem, ThreatRemediate Core activation is immediate. Contact your partner representative or reply to our partner advisory email.

New MSP & MSSP Applicants

Not yet a Vijilan partner? Apply now. Fast-tracked onboarding with no minimums and a 30-day opt-out guarantee.

Priority Sectors (CISA Elevated Risk)

Critical infrastructure (OT/ICS), healthcare, financial services, defense industrial base (DIB), and government contractors receive prioritized onboarding per CISA guidance.

US & Allied Nation Partners

Vijilan's global SOC covers partners across North America and allied nations. Canadian partners are also eligible given Canada's elevated threat posture per the Canadian Centre for Cyber Security.

Activate Now

Ready to Cover Your Clients?

Fill out the form and a Vijilan partner specialist will reach out within one business day. Existing partners will be activated immediately upon confirmation. New partner applications receive fast-tracked review under Operation Lion Surge.

Activate Lion Surge

For MSP & MSSP channel partners only. We’ll reach out within one business day.

Intelligence Briefing

Everything Your Team Needs to Know

The primary Iranian state-sponsored Advanced Persistent Threat (APT) groups active in 2026 include APT33 (Elfin/Refined Kitten) targeting energy and aviation under IRGC direction; APT34 (OilRig/Hazel Sandstorm) conducting long-horizon credential harvesting under MOIS; APT42 (Charming Kitten/Mint Sandstorm) targeting healthcare and defense under IRGC; and MuddyWater (Seedworm/Mercury), a MOIS subordinate element confirmed by CISA as currently active against US banks and airports. Palo Alto Unit 42 tracks the broader constellation under the designation “Serpens.”

Advanced Persistent Threat (APT) actors are state-sponsored groups using sophisticated, long-dwell TTPs — custom malware, zero-days, and supply chain attacks. Iranian APTs operate under the IRGC and MOIS. Hacktivist groups (Handala, DieNet, Cyber Islamic Resistance) are proxy actors Iran deploys for plausible deniability, conducting DDoS attacks, defacements, and doxxing. CISA and Unit 42 document how Iran deliberately blurs these categories, deputizing hacktivists to amplify state operations.

Standard MDR (Managed Detection and Response) detects threats and sends alerts with remediation guidance — your team must still act. Active remediation, as delivered by Vijilan’s ThreatRemediate Core, means the SOC directly isolates endpoints, kills malicious processes, and disables compromised accounts. Against Iranian APT actors who move from initial access to lateral movement in hours, active remediation is the only viable defense posture.

Operation Lion Surge remains active until the United States officially declares victory in its conflict with the Islamic Republic of Iran. Vijilan then provides an additional 90 days of free ThreatRemediate Core coverage for all enrolled partners — covering the post-conflict window when residual Iranian APT cells and hacktivist proxy networks may continue operating. The 90-day extension is Vijilan’s guarantee that no partner is left exposed during transition.

CISA, NSA, and FBI joint advisories identify the following as at elevated risk from IRGC-affiliated cyber actors: critical infrastructure (water, energy, OT/ICS systems), financial institutions, healthcare networks, defense industrial base (DIB) contractors, government agencies, and aerospace and aviation. MuddyWater has been observed targeting US-based banks, airports, and software companies with Israeli defense connections as of March 2026.

Organizations enrolled in Operation Lion Surge experience a measurable reduction in dwell time — the window between initial compromise and detection and containment. Iranian APT actors typically move from initial access to lateral movement within hours; Vijilan’s SOC collapses that window to minutes. The result: ransomware never reaches deployment, data exfiltration is cut off mid-stream, identity-based attacks are rendered useless before privilege escalation, and your clients’ networks emerge from every incident with documented proof of response — ready for cyber insurance claims, regulatory audits, and board reporting. Every detection rule and response playbook is custom-built for Iranian threat actor TTPs — not generic signatures.

Security and geopolitical researcher focused on the intersection of cyber infrastructure, state power, and authoritarian control. KayVon’s published research — Digital Sovereignty After the Regime — documented Iran’s surveillance and interception infrastructure in technical detail, identifying the Huawei DPI systems, ZTE interception platforms, IRGC-affiliated integrators, and Russian-origin endpoint tools that form the backbone of one of the world’s most weaponized digital regimes. Operation Lion Surge is the operational response to the threat he mapped.

Kevin (KayVon) Nejad

Founder & CEO, Vijilan Security · CISSP · Wharton · Carnegie Mellon · NYU

Apply Today

A Compromised Infrastructure Means A Compromised Future.

Operation Lion Surge is active now. Every day without coverage is a day Iranian APT actors can move freely through your clients’ networks. The offer costs nothing. The risk of waiting does.
