Cyber Threat Actor: Lab Dookhtegan
| Actor Type | Location | Known Incidents |
Activist
|
Iran
|
2 incidents |
|---|
Profile
Lab Dookhtegan, also known by the alias Tapandegan, is an Iranian‑based hacktivist collective that has carried out operations aimed at exposing alleged abuses and undermining state‑linked cyber capabilities. The group operates from within Iran and has used public platforms such as Telegram to disseminate leaked material, positioning itself as a voice of opposition to the Iranian government’s security apparatus. Their activities are not described as financially motivated; instead, they emphasize political and human‑rights objectives, seeking to highlight alleged misconduct by Iranian authorities and to disrupt the operational effectiveness of Iranian cyber‑espionage units.
In terms of targeting, Lab Dookhtegan has focused on Iranian governmental infrastructure and on entities associated with the state‑sponsored threat group APT34 (also called OilRig or HelixKitten). The 2021 operation involved breaching the internal closed‑circuit television system of Evin prison, a Tehran facility known for holding political detainees, and leaking video footage that depicted inmate abuse. This action directly targeted the prison’s security controls and aimed to bring international attention to reported human‑rights violations. Earlier, in 2019, the group leaked internal data belonging to APT34, including source code for custom tools, details of web shells, and personal information purportedly linked to members of Iran’s Ministry of Intelligence and Security. By exposing these assets, Lab Dookhtegan sought to impair APT34’s ability to conduct cyber‑espionage against targets in the Middle East, such as government offices and media organizations in Dubai, Kuwait, Oman, and elsewhere.
The group's observed tactics, techniques, and procedures include gaining unauthorized access to surveillance networks, taking control of control‑room systems, and using messaging platforms to distribute large data dumps. They have leaked specific malware families and tools that were previously associated with APT34, notably the Jason email hijacking utility—a brute‑force tool for Microsoft Exchange accounts—and PowerShell‑based backdoors referred to as Poison Frog and Glimpse. Additionally, they disclosed several web shells, including HyperShell, HighShell, Fox Panel, and Webmask, which are used for maintaining persistence on compromised servers. While the exact initial‑access vectors employed by Lab Dookhtegan are not detailed in the source material, their operations demonstrate capability in exploiting networked systems and in repurposing or publishing adversary tooling to achieve disruption and publicity goals. Their affiliations remain rooted in hacktivist opposition to the Iranian regime, with no public indication of state sponsorship or criminal‑enterprise ties. Notable public operations include the 2021 Evin prison CCTV leak and the 2019 exposure of APT34’s internal tools and member data, both of which attracted significant media coverage and prompted official investigations by Iranian authorities.
