Two Iranian hackers, allegedly affiliated with the Shahid Shushtari cyber unit of Iran’s Islamic Revolutionary Guard Corps (IRGC), are now at the center of global attention as the U.S. State Department offers a reward of up to $10 million for information on Mohammad Bagher Shirinkar and Fatemeh Sedighian Kashi. The announcement comes amid mounting concern over the group’s involvement in disruptive campaigns that have affected critical infrastructure and sought to interfere with foreign political processes. Officials stress that tips from individuals anywhere in the world could be pivotal in curbing the group’s activities. As state-backed operators work from beyond the reach of domestic law enforcement, authorities are increasingly relying on public cooperation to identify them.
Shahid Shushtari, also known as Emennet Pasargad and tracked by security vendors under names including Cotton Sandstorm and Haywire Kitten, has featured in security bulletins in recent years for its persistent operations against Western and regional targets. Recent reporting indicates that the group’s tactics have remained largely consistent, with a similar pace and targeting scope since 2020. Earlier government advisories referenced overlapping personnel and shifting front companies, but the new focus on named individuals rather than on infrastructure and aliases marks an escalation in strategy. The renewed bounty signals a transition from warnings to direct action, with law enforcement agencies now seeking to disrupt the group by targeting the people behind its operations.
What is Shahid Shushtari’s Role in Global Cyber Operations?
Shahid Shushtari is suspected of orchestrating cyberattacks across several sectors, including news, telecommunications, financial services, and public utilities. U.S. officials allege that this group, along with its front companies, coordinated attacks that have resulted in considerable financial harm and service disruptions across the United States, parts of Europe, and the Middle East. These operations extend beyond mere espionage to affect both government agencies and private enterprises.
How Are Individuals Linked to Broader State Campaigns?
The allegations are that Shirinkar and Kashi directly planned and executed attacks of particular interest to Iran’s government, as part of coordinated state-linked cyber initiatives. The unit’s reach became highly visible during the 2020 U.S. presidential election, when it allegedly conducted influence and false-flag operations. According to the State Department, the group’s recent campaigns show an adaptability designed to evade detection, with new techniques used to infiltrate targeted networks.
What Do Security Experts Say About the Group’s Activity?
Josh Atkins from Google Threat Intelligence Group remarks that the group, which his team names UNC5866, continues to operate at a steady pace, maintaining phishing and malware activities since 2020. He observes that IRGC-related contractors rapidly adjust their methods in line with shifting priorities.
“Target industries are typically government but we’ve seen them target finance, healthcare, tech and generally anything of interest to the regime,” Atkins stated, highlighting the broad scope of their targets.

“Operational tempo from UNC5866 is consistent with the last few years. They’ve been active in both phishing and malware delivery operations at a fairly consistent pace since 2020,” he added, underlining the need for ongoing monitoring of such groups.
Sanctions and public advisories have previously addressed Emennet Pasargad’s influence operations, but their effect has been limited to disrupting specific incidents rather than the group as a whole. The group’s recurring rebranding and its persistence illustrate the difficulty authorities face in curbing its reach. Focusing directly on the individuals in operational command may prove more effective at disrupting future campaigns, which is the approach U.S. and allied officials are now taking. The collaboration among governments, technology companies, and international law enforcement reflects a broader strategy for deterring state-linked cyber threats: combining intelligence sharing, sanctions, public engagement, and forensic attribution. Readers who are aware of recent phishing or infrastructure disruptions are encouraged to follow updates and remain alert to developments in the threat landscape.
