Cotton Sandstorm / Emennet Pasargad

Cotton Sandstorm (formerly Emennet Pasargad, tracked by Microsoft as DEV-0198) is an IRGC-linked Iranian threat group that conducts both influence operations and destructive cyberattacks. The group was indicted by the US DOJ for attempting to interfere in the 2020 US presidential election by sending threatening emails to voters and attempting to compromise election infrastructure.

Attribute	Detail
Names	Cotton Sandstorm / Emennet Pasargad
Attribution	Iran (IRGC)
Active Since	2020
Primary Focus	Influence operations + destructive attacks. 2020 US election interference attempt.

Overview

Attribution

Cotton Sandstorm / Emennet Pasargad is attributed to Iran (IRGC), active since at least 2020. Influence operations + destructive attacks. 2020 US election interference attempt.

Notable Campaigns

2020 US election interference — voter intimidation emails
Hack-and-leak operations against Israeli organizations
Charlie Hebdo hack and data leak (2023)
Destructive attacks against Albanian government (support role)
Disinformation campaigns across social media platforms

MITRE ATT&CK Mapping

Technique ID	Technique	Confidence
`T1583`	Acquire Infrastructure	High
`T1566`	Phishing	High
`T1485`	Data Destruction	High
`T1491`	Defacement	High
`T1598`	Phishing for Information	High

Detection & Defense

Recommended Defenses

Monitor for the TTPs listed above using your SIEM and EDR platforms. Prioritize patching of internet-facing applications and enforce MFA on all remote access. Mjolnir Security provides continuous threat hunting and monitoring for Cotton Sandstorm activity patterns.

Mjolnir Security — Threat Intelligence & Response

Mjolnir Security provides 24/7 threat monitoring, incident response, and threat intelligence services. Contact us for threat hunting specifically targeting Cotton Sandstorm TTPs in your environment.

Threat Hunting Incident Response Threat Intelligence SOC-as-a-Service

mjolnirsecurity.com — 24/7 Incident Response Hotline: +1 833 403 5875