EU Sanctions on Chinese and Iranian Firms: Raptor Train Botnet, SMS Service, and Olympic Billboard Cyberattacks Targeting European Critical Infrastructure

Executive Summary

On March 16–17, 2026, the Council of the European Union imposed sanctions on three companies—Integrity Technology Group and Anxun Information Technology (both based in China), and Emennet Pasargad (based in Iran)—as well as two individuals, for their roles in cyberattacks targeting EU member states and critical infrastructure. The sanctioned entities are linked to large-scale device compromises, influence operations, and data breaches affecting sectors such as government, communications, media, and public safety. Notably, Integrity Technology Group was connected to the ‘Raptor Train’ botnet, which infected over 65,000 devices in six EU states between 2022 and 2023. Anxun Information Technology provided hacker-for-hire services targeting critical infrastructure, while Emennet Pasargad was responsible for influence campaigns, including hijacking advertising billboards during the 2024 Paris Olympics and breaching a Swedish SMS service. The sanctions include asset freezes, travel bans for individuals, and prohibitions on EU citizens and companies providing funds or resources to the listed entities. These actions follow similar sanctions by U.S. authorities and are based on technical evidence and law enforcement attributions from organizations such as the FBI, Microsoft, and the U.S. Department of Justice. The incident underscores the persistent threat posed by state-linked and contractor cyber actors to European critical infrastructure and public communications.

Technical Information

The Council of the European Union’s sanctions are the result of a multi-year investigation into coordinated cyberattacks attributed to Chinese and Iranian entities. The technical evidence, corroborated by law enforcement and independent security researchers, details the methods, tools, and impact of these operations.

Integrity Technology Group is assessed to have provided the technical and material support that enabled the compromise of over 65,000 devices across six EU member states between 2022 and 2023. The FBI and U.S. Treasury Department have linked this company to the ‘Raptor Train’ botnet, operated by the Chinese state-sponsored threat actor known as Flax Typhoon. By January 2025, the botnet had grown to control approximately 260,000 infected devices. The infection vector likely involved exploiting vulnerabilities in public-facing applications, allowing remote code execution and persistent access. The botnet’s command and control (C2) infrastructure enabled large-scale data exfiltration and potentially disruptive operations against critical infrastructure. The technical attribution is considered high confidence, based on direct evidence from the FBI and U.S. Treasury Department (BleepingComputer).

Anxun Information Technology, also known as i-Soon, is identified as a provider of hacker-for-hire services, targeting critical infrastructure and essential functions of EU member states and third countries. The company’s internal operations and offensive toolkit were exposed in a significant data leak in mid-February 2024. The toolkit included exploits for initial access, lateral movement, and data exfiltration, although specific malware names have not been publicly disclosed. The U.S. Department of Justice sanctioned Anxun in March 2025 for its role in cyberattacks dating back to at least 2011. The technical evidence supporting these attributions is of medium to high confidence, based on leaked internal data, law enforcement actions, and corroborating statements from the EU Council (BleepingComputer).

Emennet Pasargad is an Iranian company with a documented history of influence operations, technical breaches, and direct cyberattacks. The company was responsible for compromising a Swedish SMS service, hijacking advertising billboards to spread disinformation during the 2024 Paris Olympics, and unlawfully accessing a French subscriber database belonging to the magazine Charlie Hebdo. In early January 2023, an actor using the moniker Holy Souls offered the personal information of 230,000 Charlie Hebdo subscribers for sale on a hacker forum, publishing a sample of the stolen data. Emennet Pasargad has also provided cybersecurity services for the Iranian government and was previously sanctioned by the U.S. Department of Justice in 2021. The technical attribution is high confidence, supported by Microsoft, law enforcement, and EU Council statements (BleepingComputer, Iran International).

The attack methods employed by these entities align with several MITRE ATT&CK techniques. For Integrity Technology Group and the Raptor Train botnet, initial access was likely achieved through exploitation of public-facing applications (T1190), with persistence via boot or logon autostart execution (T1547), and command and control using application layer protocols (T1071). Anxun Information Technology likely utilized spearphishing attachments (T1566.001) and remote services (T1021) for lateral movement, with data exfiltration over web services (T1567.002). Emennet Pasargad used valid accounts (T1078) and exploited public-facing applications (T1190) for initial access, with subsequent data exfiltration and influence operations, including defacement (T1491) and disinformation campaigns (T1585).

The targeted sectors included government, communications, public safety, media, and event security. The compromise of a Swedish SMS service and the hijacking of advertising billboards during the Paris Olympics highlight the attackers’ ability to disrupt public communications and influence public perception. The sale of Charlie Hebdo subscriber data demonstrates the risk to media organizations and personal privacy.

Affected Versions & Timeline

The affected entities and operations span multiple years and sectors. Between 2022 and 2023, Integrity Technology Group facilitated the hacking of over 65,000 devices in six EU states. In early January 2023, Emennet Pasargad (as Holy Souls) offered stolen Charlie Hebdo subscriber data for sale. In mid-February 2024, Anxun Information Technology suffered a data leak exposing its offensive toolkit and internal operations. During 2024, Emennet Pasargad compromised advertising billboards at the Paris Olympics and breached a Swedish SMS service, impacting a large number of EU citizens. In January 2025, the U.S. Treasury Department sanctioned Integrity Technology Group for its involvement in the Raptor Train botnet. In March 2025, the U.S. Department of Justice sanctioned Anxun Information Technology. The EU imposed its sanctions on March 16–17, 2026, targeting all three companies and two individuals associated with Anxun (BleepingComputer, Iran International, Rappler).

Threat Activity

The threat activity attributed to these entities is characterized by coordinated, persistent, and multi-vector cyber operations. Integrity Technology Group enabled the deployment of the Raptor Train botnet, which infected tens of thousands of devices and was used for large-scale data exfiltration and potential disruption of critical infrastructure. The botnet’s operation required technical expertise in exploiting vulnerabilities, maintaining persistence, and managing a distributed command and control infrastructure.

Anxun Information Technology specialized in hacker-for-hire services, providing offensive cyber capabilities to third parties. The company’s toolkit, exposed in a 2024 data leak, included exploits for initial access, lateral movement, and data exfiltration. The targeting of critical infrastructure and essential services suggests a focus on high-value, high-impact operations.

Emennet Pasargad conducted influence operations and technical breaches, including the compromise of a Swedish SMS service and the hijacking of advertising billboards during the Paris Olympics. The company also accessed and attempted to monetize sensitive subscriber data from a French magazine. These activities demonstrate a blend of technical exploitation and psychological operations aimed at disrupting public communications and spreading disinformation.

The attribution of these activities is supported by technical artifacts, law enforcement advisories, and leaked internal data. The confidence level for attribution is high for Integrity Technology Group and Emennet Pasargad, and medium to high for Anxun Information Technology.

Mitigation & Workarounds

Organizations should prioritize the following mitigation actions, ranked by severity:

Critical: Immediately review and update access controls for all public-facing applications and services. Apply security patches for known vulnerabilities exploited by botnets and hacker-for-hire toolkits, particularly those associated with remote code execution and privilege escalation.

High: Monitor network traffic for indicators of compromise related to the Raptor Train botnet and similar command and control patterns. Implement network segmentation and enhanced logging to detect lateral movement and data exfiltration attempts.

Medium: Conduct regular security awareness training to reduce the risk of spearphishing and social engineering attacks. Review and restrict third-party access to sensitive systems, especially for vendors and contractors with remote access privileges.

Low: Audit and update incident response plans to include scenarios involving influence operations and public communications compromise. Engage with sector-specific information sharing and analysis centers (ISACs) to stay informed about emerging threats and mitigation strategies.
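The “High” item above asks defenders to monitor network traffic for command and control patterns. The advisory publishes no Raptor Train indicators, so the script below, an added example that is not part of the Rescana report, shows a generic behavioural check instead: it groups outbound flows by (source, destination, port) and flags pairs whose connection intervals are unusually regular, the beaconing pattern typical of a bot checking in with its C2 server. The flow-log format, the sample log lines, the IP addresses and the thresholds are all constructed for the illustration.

```python
"""Beacon-style C2 detection over flow-log lines.

Added illustration, not code from the advisory or any vendor:
groups outbound flows by (src, dst, port), measures how regular the
inter-connection gaps are, and reports pairs that look periodic.
Log format, sample data and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log, one flow per line:
#   "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
# 10.0.5.21 contacts 203.0.113.9:443 every ~60 s (beacon-like).
# 10.0.5.22 contacts 198.51.100.7:443 in irregular bursts (benign).
SAMPLE_FLOWS = """\
2026-03-17T08:00:00 10.0.5.21 203.0.113.9 443 412
2026-03-17T08:00:00 10.0.5.22 198.51.100.7 443 9100
2026-03-17T08:00:05 10.0.5.22 198.51.100.7 443 3300
2026-03-17T08:01:01 10.0.5.21 203.0.113.9 443 408
2026-03-17T08:02:00 10.0.5.21 203.0.113.9 443 415
2026-03-17T08:02:30 10.0.5.21 198.51.100.20 80 1200
2026-03-17T08:03:02 10.0.5.21 203.0.113.9 443 410
2026-03-17T08:04:00 10.0.5.21 203.0.113.9 443 411
2026-03-17T08:05:00 10.0.5.22 198.51.100.7 443 12000
2026-03-17T08:05:01 10.0.5.21 203.0.113.9 443 409
2026-03-17T08:05:10 10.0.5.22 198.51.100.7 443 800
2026-03-17T08:06:00 10.0.5.21 203.0.113.9 443 413
2026-03-17T08:15:00 10.0.5.22 198.51.100.7 443 7600
2026-03-17T08:15:05 10.0.5.22 198.51.100.7 443 2100
2026-03-17T08:15:12 10.0.5.22 198.51.100.7 443 950
"""


def parse_flows(text):
    """Parse the constructed flow format into tuples.

    Returns a list of (timestamp, src, dst, port, bytes_out);
    blank lines and '#' comments are skipped.
    """
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def find_beacons(flows, min_events=6, max_cv=0.15):
    """Flag (src, dst, port) pairs with regular connection intervals.

    The coefficient of variation (stdev / mean) of the gaps between
    consecutive flows is low for periodic check-ins and high for
    human-driven traffic. min_events avoids judging on tiny samples.
    """
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((ts, nbytes))

    findings = []
    for (src, dst, port), events in groups.items():
        if len(events) < min_events:
            continue
        events.sort()
        times = [ts for ts, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "port": port,
                "events": len(events),
                "mean_interval_s": round(avg, 1),
                "interval_cv": round(cv, 3),
                "bytes_out": sum(n for _, n in events),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print("possible beacon:", hit)
```

Running it on the sample log reports only the 10.0.5.21 → 203.0.113.9:443 pair (seven flows, roughly 60 s apart). In production the thresholds need tuning: legitimate software also polls on fixed schedules, so hits should be enriched with destination reputation and asset context before escalation, and real implants often add random jitter to their sleep interval, which raises the coefficient of variation and argues for a wider `max_cv` combined with longer observation windows.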

All organizations should ensure compliance with EU sanctions by refraining from any financial or business relationships with the listed entities and individuals. Regularly consult official EU and national advisories for updates on sanctioned actors and associated indicators of compromise.

References

https://www.bleepingcomputer.com/news/security/europe-sanctions-chinese-and-iranian-firms-for-cyberattacks/

https://www.iranintl.com/en/202603169873

https://www.rappler.com/technology/european-union-sanctions-china-iran-companies-cyber-attacks/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks originating from external vendors and contractors. Our platform enables continuous monitoring of supply chain exposures, supports compliance with regulatory requirements, and delivers actionable intelligence on emerging threats. For questions regarding this report or to discuss how Rescana can support your organization’s risk management efforts, please contact us at ops@rescana.com.