APT / THREAT GROUP

Gray Sandstorm

🇮🇷 Iran-attributed
Campaigns: 1
Aliases: 2
Last seen: Mar 17, 2026

Intelligence Profile

Gray Sandstorm is an Iran-linked threat actor that has been active since at least 2012. They have targeted defense technology companies, maritime transportation companies, and Persian Gulf ports of entry. Their primary method of attack is password spraying, and they have been observed using tools like o365spray. They have a specific focus on US and Israeli targets and are likely operating in support of Iranian interests.

Threat Analysis

Gray Sandstorm is a known-sophistication threat actor attributed to Iran, engaged in cyber operations with a primary motivation of unknown activity patterns.

Known Campaigns

Gray Sandstorm — Active Operations March 2026

Gray Sandstorm is an unknown-motivation threat actor attributed to Iran. Gray Sandstorm is an Iran-linked threat actor that has been active since at least 2012. They have targeted defense technology companies, maritime transportation companies, and Persian Gulf ports of entry. Their primary method of attack is password spraying, and they have been obs...

ACTIVE | MEDIUM | 2026

Quick Facts

Type: APT / Threat Group
Origin: 🇮🇷 Iran
Aliases: 2
Source: Malpedia

Also Known As

Gray Sandstorm, DEV-0343

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.