APT / THREAT GROUP

Sima

🇮🇷 Iran-attributed · Campaigns: 1 · Aliases: 1 · Last seen: Mar 17, 2026

Intelligence Profile

Sima is a group of suspected Iranian origin targeting Iranians in diaspora.

In February 2016, Iran-focused individuals received messages purporting to be from Human Rights Watch's (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghan refugees to fight in Syria. While referencing a real report published by HRW, the links provided for the Director’s biography and article directed the recipient to malware hosted elsewhere. These spear-phishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting. Although the messages still had minor grammatical and stylistic errors that would be obvious to a native speaker, the actors demonstrated stronger English-language proficiency than past intrusion sets and a deeper investment in background research prior to the attempt. The actors appropriated a real identity that would be expected to professionally interact with the subject, then offered validation through links to their biography and social media, the former of which was itself malware as well. The bait documents contained a real article relevant to their interests and the topic referenced, and the message attempted to address how it aligned with their professional research or field of employment. The referenced documents sent were malware binaries posing as legitimate files, using the common right-to-left filename tactic to conceal the actual file extension. All of these techniques, while common pretexting mechanisms, are a refinement compared to a tendency amongst other groups to simply keep sending different forms of generic malware or phishing, in the hope that one would eventually be successful.

Threat Analysis

Sima is a threat actor attributed to Iran and engaged in cyber operations; the profile lists its primary motivation as unknown.

Known Campaigns

Sima — Active Operations March 2026

Sima is an unknown-motivation threat actor attributed to Iran. Sima is a group of suspected Iranian origin targeting Iranians in diaspora. In February 2016, Iran-focused individuals received messages purporting to be from Human Rights Watch's (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghan refugees ...

ACTIVE · MEDIUM · 2026

Intelligence Reports Mentioning Sima

Siemens WinCC Certificate Manager · CISA Alerts · Jun 23, 2026
Siemens Products using OpenSSL · CISA Alerts · Jun 23, 2026
Siemens SIMATIC S7 PLC Web Server · CISA Alerts · May 14, 2026
Siemens SIMATIC · CISA Alerts · May 14, 2026
Siemens SIMATIC · CISA Alerts · May 14, 2026
Siemens TPM 2.0 · CISA Alerts · Apr 21, 2026
Siemens SIMATIC · CISA Alerts · Mar 12, 2026

Quick Facts

Type: APT / Threat Group
Origin: 🇮🇷 Iran
Aliases: 1
Source: Malpedia

Also Known As

Sima

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.