Crafty Camel APT: Iran’s Expanding Espionage Footprint in the Modern Cyber Battlespace

Introduction

Crafty Camel is an Iranian state-aligned advanced persistent threat (APT) actor that has grown steadily into one of the most capable cyber-espionage threats in the region. The group is believed to have first emerged around 2017 and is affiliated with a wider community of Iranian cyber operators, sharing infrastructure, tools, tactics, techniques, and procedures (TTPs), and similar strategic goals with several Iran-based threat groups. Crafty Camel’s operations closely reflect Iran’s increasing reliance on cyber capabilities for state-sponsored power projection, for influencing regional dynamics, and for acquiring intelligence in support of military, political, and economic objectives.

Between 2023 and 2025, Crafty Camel has escalated its targeting of governments, defense contractors, energy companies, telecommunication firms, and policy research institutions. The group’s adaptive TTPs combine traditional spearphishing with more modern cloud-based compromise operations. As Iranian cyber strategy advances, Crafty Camel remains a key instrument for long-term intelligence collection and regional influence.

This APT group profile outlines Crafty Camel’s attribution to Iran, active timeline, threat level, and its use of identity-focused and cloud-based attack techniques across the Middle East and beyond.

Identity & Motivation

Crafty Camel functions as a component of the Iranian state’s cyber apparatus, operating in coordination with Iranian intelligence agencies. Although public documentation of Crafty Camel is limited and narrowly scoped, its activity patterns and target selection strongly suggest that it operates in parallel with known Iranian cyber-espionage groups.

The group’s objectives include:

– Strategic Espionage: gathering sensitive government, defense, and energy-sector information.

– Surveillance: monitoring dissidents, non-governmental organizations (NGOs), academic researchers, and policy analysts.

– Movement and Influence: supporting Iran’s geopolitical and geo-economic objectives by compromising organizations involved in Middle Eastern diplomacy, energy markets, and military affairs.

– Security Awareness: monitoring telecommunications and infrastructure for metadata and gaining visibility into networks.

Crafty Camel’s objectives favor long-term, patient persistence and stealthy, discreet intelligence gathering over destructive activity; nonetheless, they make a critical contribution to Iran’s state objectives.

TTPs: Methods, Tools, and Access Strategies

Crafty Camel employs a combination of well-established and emerging intrusion techniques, reflecting a deliberate shift toward cloud-oriented and identity-focused operations.

Initial Access

The group commonly begins operations with:

– Spearphishing emails impersonating trusted institutions, policy groups, or defense agencies.
– Thematic lures tied to Middle Eastern geopolitics or diplomatic events.
– Credential harvesting via malicious login pages or spoofed cloud portals.
– Exploitation of vulnerable VPN appliances, webmail interfaces, and Microsoft Exchange servers.

These entry points enable access to internal networks or cloud identities, laying the foundation for deeper infiltration.

Persistence

Crafty Camel maintains footholds using:

– Lightweight backdoors embedded within scheduled tasks or startup services.
– OAuth token abuse and identity misconfigurations in cloud environments.
– Custom loaders designed to deploy reconnaissance tools without triggering antivirus detection.

Their persistence strategy focuses heavily on identity compromise rather than malware reliance, reducing their detection footprint.

Command and Control (C2)

Crafty Camel uses:

– HTTPS-based C2 channels that mimic legitimate traffic.
– DNS tunneling to hide communications within normal DNS queries.
– Compromised Middle Eastern hosting providers to stage payloads and exfiltrate data.
– Cloud storage platforms (e.g., OneDrive, Dropbox) to relay instructions or encrypted payloads.

These methods enable stealthy, resilient communication channels that are difficult to distinguish from routine business traffic.
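As an added example of what a defender can look for in the DNS-tunneling channel described above (this is not code from this profile, nor a Crafty Camel artefact), the script below scores resolver-log query patterns per registrable domain; the log layout, the sample records, and the thresholds are assumptions.

```python
# Added example (not Brandefense code, not a Crafty Camel artefact): heuristic
# DNS-tunnelling triage over resolver logs. Log layout and thresholds are
# assumptions: one "<timestamp> <client_ip> <qtype> <qname>" record per line.
import math
from collections import Counter, defaultdict

# Constructed sample log; upd-telemetry.example mimics a tunnel (long, high-entropy, unique TXT labels).
SAMPLE_LOG = """\
2025-03-01T09:00:01 10.1.1.5 A login.microsoftonline.com
2025-03-01T09:00:02 10.1.1.5 A onedrive.live.com
2025-03-01T09:00:03 10.1.1.7 TXT 7a9f3c1e5b2d4f60ab8c.upd-telemetry.example
2025-03-01T09:00:04 10.1.1.7 TXT 4d2e8b1c9f0a6e3d7b51.upd-telemetry.example
2025-03-01T09:00:05 10.1.1.7 TXT c0ffee1234deadbeef99.upd-telemetry.example
2025-03-01T09:00:06 10.1.1.7 TXT 0badf00d5e6a7c8d9e1f.upd-telemetry.example
2025-03-01T09:00:07 10.1.1.5 A mail.example-corp.example
"""

def shannon_entropy(label):
    """Bits per character; encoded payload labels score well above real words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def apex(qname, labels=2):
    """Registrable-domain approximation: the last two labels (no PSL lookup)."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])

def triage(log_text, min_queries=3, min_label=16, min_entropy=3.0, min_unique=0.8):
    """Return {apex: stats} for domains whose query pattern looks like a tunnel."""
    per = defaultdict(lambda: {"queries": 0, "subs": set(), "txt": 0, "long": 0, "ent": []})
    for line in log_text.splitlines():
        _ts, _client, qtype, qname = line.split()
        dom = apex(qname)
        if len(qname) <= len(dom):
            continue  # bare apex lookup carries no payload label
        first = qname[: -len(dom) - 1].split(".")[0]
        st = per[dom]
        st["queries"] += 1
        st["subs"].add(first)
        st["txt"] += qtype == "TXT"
        st["long"] += len(first) >= min_label
        st["ent"].append(shannon_entropy(first))
    flagged = {}
    for dom, st in per.items():
        if st["queries"] < min_queries:
            continue
        avg_ent = sum(st["ent"]) / len(st["ent"])
        uniq = len(st["subs"]) / st["queries"]  # tunnels defeat caching by never repeating
        if st["long"] == st["queries"] and avg_ent >= min_entropy and uniq >= min_unique:
            flagged[dom] = {"queries": st["queries"], "txt": st["txt"], "avg_entropy": round(avg_ent, 2)}
    return flagged
```

In production the apex() shortcut should be replaced with a public-suffix lookup, and the thresholds tuned against a baseline of the environment's own CDN and telemetry domains, which can also produce long unique labels.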

Malware, Tools & Techniques

Crafty Camel relies on a blend of custom and publicly available tools, including:

– Custom droppers for reconnaissance implants.
– Credential harvesters and mailbox scraping utilities.
– PowerShell and other Living-off-the-Land (LOTL) techniques.
– Public RATs repurposed for stealth and persistence.

Their tooling philosophy emphasizes modularity and low-risk deployment, reinforcing their clandestine approach.


Notable Operations

Crafty Camel’s operations illustrate a consistent pattern of targeting regional institutions aligned with Iranian strategic priorities.

  • 2018 – Government Credential Theft: Phishing waves targeting Middle Eastern ministries and diplomatic bodies.
  • 2020 – Defense & Aerospace Reconnaissance: Increased focus on defense contractors, seeking research data and strategic communications.
  • 2021 – Cloud Account Compromise: Large-scale harvesting of cloud credentials from NGOs and policy organizations.
  • 2022 – Telecom Sector Intrusions: Targeting telecom infrastructure to collect metadata and gain access to downstream clients.
  • 2023–2025 – Hybrid Espionage Campaigns: Blending perimeter exploits, phishing, and cloud persistence across energy, government, and research sectors.

These operations reflect a geopolitical logic: gaining insight into regional decision-making, defense capabilities, and technological advancements.

Recent Developments (2024–2025)

Crafty Camel’s recent campaigns demonstrate a shift toward advanced identity-centric and cloud-based attacks. As organizations increasingly migrate critical services to cloud ecosystems, the group has adapted by:

– Exploiting misconfigured identity providers.
– Leveraging OAuth-based persistence mechanisms.
– Exploiting newly disclosed vulnerabilities in edge services.
– Using multi-stage phishing workflows across email, social media, and cloud messaging platforms.

The group has also intensified targeting of energy and transportation networks, particularly in the Gulf region. Telecom intrusions appear aimed at facilitating long-term intelligence operations, possibly in support of Iranian military and strategic planners.

Additionally, Crafty Camel increasingly uses supply-chain vectors, compromising IT or telecom providers to pivot into downstream victims. This approach mirrors tactics seen in more mature nation-state actors.

Conclusion & Defensive Takeaways

Crafty Camel represents a well-established and evolving component of Iran’s cyber-espionage apparatus. Its operations reflect a shift toward cloud-focused identity compromise, persistent surveillance, and high-value intelligence collection across government, defense, and energy sectors.

To defend against Crafty Camel’s operations, security teams should:

– Strengthen MFA enforcement and identity governance.
– Monitor for suspicious OAuth activity and cloud login anomalies.
– Apply rapid patching for VPNs, email servers, and exposed services.
– Harden telecom and IT supply-chain dependencies.
– Conduct threat hunting for credential harvesting indicators and LOTL activity.
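The OAuth token abuse listed under Persistence and the "monitor for suspicious OAuth activity" takeaway above both come down to reviewing consent grants. The following is an added example (not Brandefense code) that scores consent-grant audit events for the combination that makes such access durable: an unvetted app, data scopes, and a refresh token. The record layout, the allowlist, and the sample events are constructed assumptions, not a real Entra ID or Google Workspace schema.

```python
# Added example (not Brandefense code): triage OAuth consent-grant audit events.
# The record shape, the field names, and APPROVED_APPS are assumptions for this
# demo, not a real identity-provider schema.

HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
                    "Files.Read.All", "Files.ReadWrite.All", "Directory.Read.All"}
PERSISTENCE_SCOPE = "offline_access"  # refresh token: access survives a password reset
APPROVED_APPS = {"corp-expense-portal"}  # assumed tenant allowlist of vetted apps

SAMPLE_EVENTS = [  # constructed records
    {"ts": "2025-03-01T08:12:00Z", "user": "analyst@example-corp.example",
     "app": "corp-expense-portal", "publisher_verified": True,
     "scopes": ["User.Read", "offline_access"]},
    {"ts": "2025-03-01T08:40:11Z", "user": "diplomat@example-corp.example",
     "app": "Policy Brief Viewer", "publisher_verified": False,
     "scopes": ["User.Read", "Mail.Read", "offline_access"]},
    {"ts": "2025-03-01T09:02:45Z", "user": "admin@example-corp.example",
     "app": "Shared Docs Sync", "publisher_verified": True,
     "scopes": ["Files.ReadWrite.All"], "admin_consent": True},
]

def score_consent(event):
    """Return (score, reasons) for one consent grant; higher means review sooner."""
    score, reasons = 0, []
    scopes = set(event["scopes"])
    risky = scopes & HIGH_RISK_SCOPES
    if event["app"] not in APPROVED_APPS:
        score += 1
        reasons.append("app not on allowlist")
    if not event.get("publisher_verified", False):
        score += 1
        reasons.append("publisher unverified")
    if risky:
        score += 2
        reasons.append("data scopes: " + ", ".join(sorted(risky)))
    if PERSISTENCE_SCOPE in scopes and risky:
        score += 2  # mailbox/file access that outlives the interactive session
        reasons.append("offline_access combined with data scopes")
    if event.get("admin_consent") and risky:
        score += 2  # one grant covers every user in the tenant
        reasons.append("tenant-wide admin consent")
    return score, reasons

def triage(events, threshold=4):
    """Events scoring at or above threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_consent(ev)
        if score >= threshold:
            hits.append({"ts": ev["ts"], "user": ev["user"], "app": ev["app"],
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])
```

Feeding real consent events into this scorer means mapping your provider's audit fields onto the assumed keys; the scope names used here are Microsoft Graph permission names, but the scoring logic is provider-neutral.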

Crafty Camel’s adaptability and persistence ensure that it will remain a significant cyber threat in the Middle East and beyond. Understanding its tactics and evolution is essential for organizations seeking to defend against Iran’s increasingly sophisticated cyber-espionage campaigns.
