HOMETHREATSCotton Sandstorm
APT / THREAT GROUP

Cotton Sandstorm

🇮🇷Iran-attributed
1
campaigns
6
aliases
Last seen:Mar 17, 2026

Intelligence Profile

Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. The group has been linked to the Iranian government and has been sanctioned by the US Treasury

Threat Analysis

Cotton Sandstorm is a known-sophistication threat actor attributed to Iran, engaged in cyber operations with a primary motivation of unknown activity patterns.

Known Campaigns

Cotton Sandstorm — Active Operations March 2026

Cotton Sandstorm is a unknown-motivation threat actor attributed to Iran. Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. The group has been lin...

ACTIVEMEDIUM2026

External References

Quick Facts

TypeAPT / Threat Group
Origin🇮🇷 Iran
Aliases6
SourceMalpedia

Also Known As

Emennet PasargadNEPTUNIUMHAYWIRE KITTENMARNANBRIDGECotton SandstormHoly Souls

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.