Mansour Ahmadi

The IRGC-affiliated employee Mansour Ahmadi is responsible for or complicit in, or have engaged in, directly or indirectly, global targeting of various networks, including critical infrastructure, by exploiting well-known vulnerabilities to gain initial access in furtherance of malicious activities, including ransom operations.

Status:Top Alert – Entity designated / sanctioned for terror, WMD and human rights violation

Risk Level:99%

May harm your business future. Persons or entities that engage in transactions with this entity will be exposed to sanctions or subject to an enforcement action.

Working with this entity means supporting Iranian Regime, Regime Terrorist Activities & development of WMD

Mansour is the owner, managing director, and chairman of the board of Najee Technology;

Mansour Ahmadi (Ahmadi) is wanted for his alleged involvement in a coordinated campaign that compromised hundreds of computer networks across the United States and abroad. Between October 2020 and August 2022, Iranian cyber actors Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nickaein Ravari allegedly gained unauthorized access to protected networks, exfiltrated data, encrypted computer systems, and extorted victims for ransom, causing damage to and disrupting operations of organizations across multiple sectors, including critical infrastructure, government agencies, and non-profit organizations.

Ahmadi has been associated with Iran-based cyber company Najee Technology Hooshmand Fater LLC (Najee) since at least 2018 and serves as Najee’s managing director.

This IRGC-affiliated group is known to exploit software vulnerabilities in order to carry out their ransomware activities, as well as engage in unauthorized computer access, data exfiltration, and other malicious cyber activities. Private cybersecurity firms routinely give monikers to specific cyber campaigns, and while the individuals sanctioned today do not directly align with a named advanced persistent threat group, some of their malicious cyber activity can be partially attributable to several named intrusion sets, such as “APT 35,” “Charming Kitten,” “Nemesis Kitten,” “Phosphorus,” and “Tunnel Vision.” Several cybersecurity firms have determined these intrusion sets as being associated with the Government of Iran, and have identified them as having conducted a varied range of malicious cyber-enabled activities, including ransomware and cyber-espionage.

This group has launched extensive campaigns against organizations and officials across the globe, particularly targeting U.S. and Middle Eastern defense, diplomatic, and government personnel, as well as private industries including media, energy, business services, and telecommunications.

In February 2021, this group of malicious cyber actors victimized a New Jersey municipality through a computer network using a specific Fortinet vulnerability. These actors used their access to create unauthorized accounts, escalate their privileges, and conduct lateral movement to other parts of the network. They also used a fast reverse proxy on one of the municipality’s servers in order to establish persistent remote access to a particular domain that was registered by Mansour Ahmadi (Mansour). The group also deployed tools such as Mimikatz and Filezilla in furtherance of their malicious activity.

In March and April 2021, this malicious cyber group launched the first known set of their encryption activities by compromising networks, activating Microsoft BitLocker without authorization, and holding the decryption keys for ransom. During this time, a number of small businesses were impacted, including a law firm, an accounting firm, and a construction contractor.

In June 2021, the group gained unauthorized access to supervisory control and data acquisition systems associated with a U.S.-based children’s hospital. Once the group compromised the network, they created unauthorized accounts, escalated privileges, moved laterally through the network, established persistent access, exfiltrated data, and encrypted at least one device with BitLocker. U.S. government law enforcement partners provided a notification to the children’s hospital before there were any impacts to patient care or medical services.

From June through August 2021, the group accelerated their malicious activity by targeting a wide range of U.S.-based victims, including transportation providers, healthcare practices, emergency service providers, and educational institutions. U.S. government agencies were able to warn potential victims of this activity and prevented or mitigated harm to or the compromise of computer networks in many cases.

From September 2021 through the present, this group primarily gained unauthorized access to victim networks by exploiting Microsoft Exchange and related ProxyShell vulnerabilities, including an incident in October 2021 when they compromised the network of an electric utility company serving a rural area of the United States, and maliciously used BitLocker to disrupt operations.

This IRGC-affiliated group is comprised of employees and associates of Najee Technology Hooshmand Fater LLC (Najee Technology) and Afkar System Yazd Company (Afkar System). Mansour is the owner, managing director, and chairman of the board of Najee Technology. Ahmad Khatibi Aghda (Khatibi) is managing director and member of the board of Afkar System. Additional employees and associates of Najee Technology and/or Afkar System include: Ali Agha-Ahmadi (Ali Ahmadi); Mohammad Agha Ahmadi (Mohammad Ahmadi); Mo’in Mahdavi (Mahdavi); Aliakbar Rashidi-Barjini (Rashidi); Amir Hossein Nikaeen Ravari (Nikaeen); Mostafa Haji Hosseini (Mostafa); Mojtaba Haji Hosseini (Mojtaba); and, Mohammad Shakeri-Ashtijeh (Shakeri).

In addition to being designated for sanctions, the U.S. Attorney’s Office for the District of New Jersey unsealed an indictment charging Mansour, Khatibi, and Nikaeen with violating the Computer Fraud and Abuse Act (CFAA) and conspiring to violate the CFAA.

State’s Rewards for Justice (RFJ) program is offering a reward of up to $10 million for information leading to the identification or location of Mansour, Khatibi, Nikaeen, or any other person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the CFAA.

Involved In:
Cyber activity

Also Known As:
Ahmadi, Mansur
Akbari, Masoud
Unsi, Parsa


07 Jul 1988

Shamiran, Tehran Province, Iran


National ID No.:
0453740243 (Iran)

Reason for the color:
» Added to the Specially Designated Nationals (SDN) list maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on September 14, 2022pursuant to Executive Order 13694, as amended, for being responsible for or complicit in, or having engaged in, directly or indirectly, a cyber-enabled activity identified pursuant to E.O. 13694, as amended;
» MANSOUR AHMADI – Wanted by the FBI;
» MANSOUR AHMADI – Rewards for Justice is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). ;