Menu
Browse

Cyber Threat Actor: NEPTUNIUM

Actor Type Location Known Incidents
 Icon
Nation State
Iran
1 incident
Profile

NEPTUNIUM, also tracked as Emennet Pasargad, is an Iran‑linked threat actor that has been publicly attributed to operations originating from Iran. Microsoft’s Digital Threat Analysis Center has linked the group’s activities to Iranian influence tactics, describing its operations as part of hack‑and‑leak campaigns coupled with coordinated disinformation efforts aimed at undermining confidence in targeted organizations. The actor operates under the alias NEPTUNIUM in threat‑intelligence reporting and is also known by the name Emennet Pasargad in open‑source references.

The most publicly documented operation attributed to NEPTUNIUM occurred on January 4 2023 when the group targeted the online store of the French satirical magazine Charlie Hebdo. The attackers compromised the store’s systems, exfiltrated personal data belonging to more than 200 000 subscribers—including names, contact details and addresses—and subsequently advertised the stolen data for sale. To amplify the impact, the actors operated under the “Holy Souls” persona and created fabricated French‑language social media accounts that posed as local authorities and journalists, spreading disinformation about the breach. The intrusion followed the magazine’s announcement of a cartoon contest mocking Iran’s Supreme Leader, a move that prompted public threats from Iranian officials and triggered retaliatory diplomatic actions against France. French authorities launched an investigation into unauthorized access, data extraction and obstruction of service, while Microsoft’s analysis tied the incident to broader Iranian influence operations that combine data leaks with manipulative messaging to erode trust in the victim’s security posture.

In terms of observed tactics, techniques and procedures, NEPTUNIUM’s Charlie Hebdo operation exemplified a hack‑and‑leak approach coupled with the use of fabricated social media personas to disseminate false narratives. The group’s public advertising of the stolen dataset indicates an attempt to monetize the compromised information, while the coordinated disinformation campaign demonstrates a focus on influencing public perception and damaging the target’s reputation. No specific malware families, exploit kits or intrusion vectors were detailed in the provided material beyond the compromise of the online storefront and the subsequent social‑media amplification.

Attribution to Iran is supported by the Microsoft Digital Threat Analysis Center’s assessment that the activity aligns with Iranian state‑linked influence tactics, and the actor’s alias Emennet Pasargad has been publicly associated with Iranian origins in open‑source reporting. No further affiliations with criminal syndicates or other state actors are described in the supplied sources. The profile presented here is limited to the facts explicitly documented in the context, without speculation about the group’s size, resources, motivations beyond those stated, or additional capabilities not evidenced in the material.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
13 sources