
Cyber Threat Actor: GhyamSarnegouni

Aliases: 2 aliases (including Rise to Overthrow)
Actor Type: Activist
Location: Iran
Known Incidents: 1 incident
Profile

GhyamSarnegouni, also known as Rise to Overthrow, is an Iran-based dissident group that first appeared on Telegram on January 26, 2022, and frames its actions as protests against the Iranian government. Analysts have noted that the group's messaging echoes that of the Mojahedin-e Khalq (MEK), suggesting a possible affiliation, though no formal link has been publicly confirmed. The group presents its cyber operations against Iranian state institutions as a form of political dissent and has claimed responsibility for several high-profile breaches involving data exfiltration and website defacement. These are the group's own claims; the available reporting does not independently confirm the scale of access described.

The actor's targeting has centred on Iranian government entities, specifically the offices of the president and the foreign ministry, indicating a sectoral focus on public administration and a geographic focus within Iran. In the May 29, 2023 incident, GhyamSarnegouni claimed to have exfiltrated diplomatic correspondence, network topologies, floor plans of presidential offices and sleeping quarters, security footage, and classified internal messages, and it defaced associated websites with images of MEK leaders. Earlier in May 2023 the group claimed to have compromised foreign ministry servers and defaced related sites, again using MEK imagery to signal its involvement. No specific malware families or tooling are described in the reporting; instead, experts have suggested that the leaked material may have been obtained through insider access, pointing to privileged insiders as the more likely initial access vector than public exploits or malware. Defacement with MEK imagery is the one consistent, observable signature across both claimed intrusions.

Notable operations attributed to GhyamSarnegouni include the May 2023 presidential office breach, in which the group claimed to have taken over 120 servers and gained control of more than 1,300 computers on the internal network, and the earlier May 2023 foreign ministry hack claim, which resulted in website defacement and the leak of internal communications. Both campaigns fit the group's pattern of exposing sensitive government information and disrupting official web presences as protest activity. The available sources provide no details on financial motives, ties to criminal consortia, or state sponsorship.

Incidents: 1 attributed incident
Sources: 1 source