Skip to main content
Security and Defense

How Iran Uses Malware Against Kurdish Dissidents

Cyber operations have become a common tool that states use to surveil, coerce, and sabotage their adversaries. Operations by state and non-state actors have surged by 440% between 2009 and 2018. Iran has conducted the third most offensive cyber operations globally, behind only China and Russia. The targets of its operations range anywhere from critics of the regime to rival governmental and commercial institutions.

Recently, Iran has used malware to spy on its Kurdish citizens. Kurdish nationalism and separatism have long been a concern for Iran. Since the establishment of the Kurdish Mahabad Republic in northwestern Iran in 1946, Iran has sought to suppress its Kurdish minority. Two espionage campaigns have targeted Kurdish dissidents within Iran. These operations are alarming, especially as Iran has expanded the scope of its aggressive activities by targeting Iranian Kurdish political officials and activists abroad.

Iranian Espionage Campaigns

Cybersecurity firm Checkpoint recently uncovered an espionage campaign attributed to an Iranian threat actor, Domestic Kitten, which uses malware to spy on Iranian Kurds. Victims are lured into downloading applications of interest to them. One of the applications is ANF, a pro-Kurdish news agency site. The site is loaded with spyware to then collect sensitive information about the targets.

Once these applications are downloaded, the hackers access the targets’ messages, geolocation, contacts, and other crucial information. Logan Ahmadi, a senior member of the Democratic Party of Iranian Kurdistan (PDKI), confirmed that Iran targets Kurds using spyware through messaging and news apps. Ahmadi also reiterated that Iran uses this tool every time it commits some form of violence against the Kurdish people.

Another espionage campaign has used similar tools to spy on Kurds. Active since March of 2020, the campaign uses identical intrusion methods as Domestic Kitten. ESET researchers revealed how fake Facebook profiles dedicated to supporting Masoud Barzani, the former president of the Kurdistan Region of Iraq, encouraged their supporters to download malware-embedded apps from the Android app store. One of these Facebook profiles had over 11,000 followers, many of whom were misled by this tactic. Although this espionage campaign has not been attributed to Iran, its targets and tools reveal uncanny resemblances to previous operations targeting Kurds.

Iran’s increased aggression in the KRI

These espionage campaigns provide Iran with a new tactic it can use to identify active Kurdish political leaders opposed to the regime and block Iranian Kurds from spreading information unfavorable to the government. It does this in order to suppress Kurdish political activity and prevent civil unrest. It is no secret that Iran uses surveillance against its citizens to prevent protests and demonstrations. Nor is it hidden that Tehran suppresses Kurdish dissidents. However, malware may provide leverage for Iranian intelligence to conduct attacks and assassinations against Kurdish targets, particularly Iranian Kurdish political party officials, outside of Iran’s borders.

There have been multiple assassinations and attacks targeting Iranian Kurdish political officials on Iraq’s home soil over the past several years. The PDKI has had a long history of clashes with the Iranian government dating back to the 1970s. However, the party previously had a two-decade-long ceasefire with Tehran. This ceasefire was revoked after party officials formally announced their revived armed struggle in 2016, following the death of a Kurdish hotel chambermaid. This timeline aligns with Iran’s anti-Kurdish espionage campaign, which began in 2016. This corroborates Logan Ahmadi’s assertion that Iran utilizes cyber espionage operations during clashes with Kurdish groups.

The resumption of hostilities has spilled over into the Kurdistan Region of Iraq (KRI), where many Iranian Kurdish political groups’ headquarters are located. In 2018, Iran shelled PDKI’s base in Koya, Iraq, killing at least 11 people, according to Iraqi Kurdish officials.

Recently, the body of a senior PDKI official, Mousa Babakhani, was found in a hotel in Erbil on August 7th, 2021. Party officials claimed Iran was responsible for the attack. A few months prior to Babakhani’s murder, an Iranian Kurdish activist was assassinated in Sulaymaniyah, which is under the Patriotic Union of Kurdistan’s (PUK) authority.

Iran has notoriously utilized its relationship with the PUK to access and operate in northern Iraq. This access provides them opportunities to reach Kurdish targets and extend their influence in the country. The PUK has a historic and ambiguous relationship with Iran. Tehran’s backing allows this political party to rival the Kurdistan Democratic Party (KDP) for control over the KRI, in return for Iran’s access to the region. This was particularly evident in Kirkuk. PUK officials met with Iranian officials before Iran-backed Popular Mobilization Forces (PMF) groups took the oil-rich city from the Peshmerga after the failed 2017 independence referendum, with some accounts alleging that the PUK struck a deal with Iran to withdraw without resistance.

As the murder of Babakhani in Erbil shows, Iran is now also extending its reach to territories under the control of the Kurdistan Democratic Party (KDP). It may use malware to leverage intelligence operations in the region.Iran’s repeated attacks in the KRI not only sends a message to its Kurdish political opponents who operate across the border, but also sends a message to the United States, whose military bases in the Kurdistan Region are within KDP territory.


Cyber espionage is becoming a significant factor in strategic competition between states. Data collection can be used by governments to achieve strategic, operational, and tactical goals. These tactics become particularly concerning when operations target ethnic minorities, who do not have the same resources as a nation-state would to defend themselves. From China’s surveillance against Uyghur Muslims to Iran’s espionage against Iranian Kurds, the advancement of digital technology has given states increased capabilities to spy on the communities that they repress the most, with disturbing implications for freedom and human rights.

Espionage can leverage intelligence to conduct future physical and cyber-attacks against adversaries. With Iran’s ongoing aggression in the KRI, these cyber espionage operations may allow it to intensify repression of Kurdish dissidents and expand their influence in Iraq. For the KRI, this Iranian intervention degrades their security establishment, which is a relative success compared to its southern neighbors.

Iran’s militia groups, namely the Popular Mobilization Forces (PMF) who operate in Iraq, have become a concern for the Middle East and the US. Iran’s persistent militancy in northern Iraq, where the US sees the Kurds as a reliable security partner, may destabilize the region and spark hostilities between Iran and its opponents.

About the Author

Rawan Saed


Rawan Saed is a graduate student pursuing his Master’s in Security Studies at the Edmund A. Walsh School of Foreign Service at Georgetown University. His research interests include the intersection of cyber operations and geopolitics of…

Read More
Explore More