Operation Epic Fury : Iran vs. Israel & US Cyber War

Tags: Iran conflict, US–Israel Conflict, Cyber Warfare
On February 28, 2026, the United States and Israel launched Operation Epic Fury, a coordinated military and cyber campaign targeting Iran's military command, missile infrastructure, and senior IRGC leadership. The operation triggered an unprecedented, multi-vector cyber conflict spanning 22+ countries and involving Iranian state-sponsored APT groups, pro-Iranian hacktivist coalitions, and Russian-aligned threat actors.

Indicators of Compromise


APT Groups (27)

Z-Pentest (IR)

Z-Pentest is a pro-Palestinian / pro-Iran hacktivist collective active since at least 2024. The group conducts DDoS attacks, website defacements, data leak claims, and occasional credential dumps, primarily targeting Israeli entities, U.S. organizations, and perceived Western/Israeli allies as part of the broader "Cyber Islamic Resistance" and #OpIsrael waves.

Aliases: Z Pentest Team, Z-PENTEST ALLIANCE

APT-IRAN (IR)

APT-IRAN (also stylized as APT Iran) is a pro-Iranian hacktivist collective active since at least 2023–2024, with heightened visibility in 2025–2026. The group claims responsibility for hack-and-leak operations, data breaches, DDoS attacks, and website defacements, primarily targeting Israeli, U.S., and regional adversaries in support of Iranian geopolitical interests and Palestinian causes. It frequently appears as part of the broader Cyber Islamic Resistance umbrella, coordinating with other pro-Iran hacktivist entities.

Aliases: APT Iran

Team Fearless (IR)

Team Fearless is a pro-Iranian hacktivist group that emerged in mid-2025. The group claims responsibility for DDoS attacks, website defacements, data leaks, and breaches targeting Israeli government, defense, and critical infrastructure entities, often in coordination with other pro-Iran hacktivist collectives as part of broader "Cyber Islamic Resistance" alliances.

Morning Star (RU)

Morning Star is a pro-Russian hacktivist collective active since at least 2024. The group specializes in DDoS attacks, website defacements, and occasional data leak claims, primarily targeting Ukrainian government portals, military-related sites, NATO-aligned infrastructure, and Western media outlets in support of Russian geopolitical interests during the Russia-Ukraine conflict.

Aliases: Morning Star Group

Islamic Hacker Army (IR)

Islamic Hacker Army (also referred to as IHA or IslamicHackerArmy) is a pro-Iranian / pro-Palestinian hacktivist collective active since at least 2023–2024, with a surge in visibility during the 2025–2026 Iran–Israel conflict escalations. The group claims responsibility for DDoS attacks, website defacements, data leaks, and occasional credential dumps, primarily targeting Israeli, U.S., Saudi, Bahraini, Jordanian, and Western-aligned entities in support of Palestinian causes and Iranian geopolitical interests.

Aliases: IHA

DarkStorm Team

Dark Storm Team is a pro-Palestinian hacktivist collective that emerged in September 2023. The group is primarily known for launching distributed denial-of-service (DDoS) attacks, website defacements, and occasional data breach/leak claims against targets it perceives as supporting Israel, NATO countries, or Western policies in the Israel–Palestine conflict.

NoName057 (RU)

Summary of Actor: NoName057(16) is a pro-Russian hacktivist group known for conducting DDoS attacks and propagating disinformation. The group emerged around Spring 2022 and primarily targets entities opposing Russian interests.

General Features: The group primarily employs Distributed Denial of Service (DDoS) attacks and leverages Telegram for operational coordination and communication. They are motivated by political ideologies aligning with Russian state narratives.

Related Other Groups: Killnet, Zarya, Sandworm, Cyber Army of Russia

Indicators of Attack (IoA):
- Unusual traffic patterns suggesting DDoS activity
- Traffic originating from known malicious IP addresses linked to the group
- Use of various payloads implicating a volumetric DDoS attack

Recent Activities and Trends:
Latest Campaigns: Recent campaigns include DDoS attacks against Ukrainian government websites and Western media outlets. They've also been active in spreading propaganda via compromised social media accounts.
Emerging Trends: There has been an observed increase in the sophistication and coordination of their DDoS attacks, indicating possible support or collaboration with other pro-Russian groups or state actors.

Aliases: 05716, nnm, Nnm05716, NoName057(16), NoName05716

APT42 (IR)

Summary of Actor: APT42 is an Iranian cyber espionage group known for its advanced persistent threat (APT) activities, targeting organizations primarily in the Middle East and beyond. The group is known for conducting cyber-espionage campaigns that focus on gathering intelligence and sensitive information.

General Features: APT42 is notable for its sophisticated spear-phishing tactics and use of bespoke malware. The group's operations are closely linked to the interests of the Iranian government, and they often target entities that are of strategic interest to Iran.

Related Other Groups: APT34, OilRig, Charming Kitten

Indicators of Attack (IoA):
- Spear-phishing emails
- Use of custom malware such as MALLARD and SHAPESHIFT
- C2 communication with domains masquerading as legitimate services

Recent Activities and Trends:
Latest Campaigns: In recent years, APT42 has launched numerous spear-phishing campaigns, leveraging pandemic-related lures to compromise targets. Additionally, they have been linked with attempts to infiltrate Middle Eastern nations' critical infrastructure.
Emerging Trends: APT42 has been increasingly observed using multi-stage attacks, employing initial compromise via spear-phishing followed by sophisticated lateral movement techniques. There is also an uptick in targeting educational institutions to gather cutting-edge research data.

Aliases: CALANQUE, UNC788, APT 42

Fox Kitten (IR)

Summary of Actor: Fox Kitten is an Iranian state-sponsored cyber espionage group known for its advanced persistent threat (APT) activities. The group primarily targets critical infrastructure sectors across various countries. Their operations often involve exploiting known vulnerabilities and strategic web compromises.

General Features: Fox Kitten is known for its sophisticated attack methods, including the use of spear-phishing, custom malware, and exploitation of known vulnerabilities in enterprise VPNs and RDP servers. The group operates with a focus on long-term persistence and data exfiltration from high-value targets.

Related Other Groups: APT33, APT34, MuddyWater

Indicators of Attack (IoA):
- Unauthorized RDP access
- Unusual outbound traffic
- Phishing emails targeting specific sectors
- Use of VPN access for network infiltration

Recent Activities and Trends:
Latest Campaigns: The most recent campaigns have involved exploiting vulnerabilities in enterprise VPNs to infiltrate networks of targeted organizations.
Emerging Trends: There has been a noticeable increase in the group's use of strategic web compromises and focus on supply chain attacks, indicating a shift towards more complex and indirect methods of network infiltration.

Aliases: Lemon Sandstorm, PARISITE, PIONEER KITTEN, PioneerKitten, RUBIDIUM, UNC757

Professor6T9

Professor6T9 (also seen as professor6t9) is a low-level individual hacker or small hacktivist defacer active since at least 2023. The actor specializes in mass website defacements, primarily targeting educational institutions (schools, universities, vocational sites) across multiple countries, often using basic exploits like file upload vulnerabilities or SQL injection to upload a simple .txt defacement file.

Cyber Av3ngers (IR)

Summary of Actor: CyberAv3ngers is a sophisticated and well-funded threat actor group known for its targeted cyber-espionage activities. They have been active since at least 2015 and are believed to be state-sponsored. Their primary objectives include data exfiltration, surveillance, and disruption.

General Features: CyberAv3ngers employ advanced persistent threats (APTs), leveraging zero-day vulnerabilities and custom malware. They are known for their stealth, sophisticated social engineering techniques, and long-term persistence in targeted networks.

Related Other Groups: APT28, Sandworm Team, Fancy Bear

Indicators of Attack (IoA):
- Use of specific C2 servers
- Phishing emails with high social engineering tactics
- Advanced obfuscation and encryption techniques
- Custom malware signatures

Recent Activities and Trends:
Latest Campaigns: The most recent campaign by CyberAv3ngers targeted healthcare organizations, using spear-phishing emails to deliver a new variant of their custom malware. This campaign has been linked to a significant increase in data exfiltration incidents.
Emerging Trends: CyberAv3ngers have been observed to shift towards targeting cloud infrastructure with sophisticated credential stuffing attacks. Additionally, there is an uptick in their use of AI and machine learning algorithms to enhance their phishing and social engineering tactics.

PalachPro (RU)

PalachPro (also referred to as Palach Pro or PalachPro Group) is a pro-Russian hacktivist group active since at least 2025. The group claims responsibility for data breaches, leaks, and disruptions targeting Ukrainian government platforms (notably Diia), critical infrastructure, and other perceived adversaries in the Russia–Ukraine conflict, often publishing unverified proofs on Telegram and dark web forums.

Aliases: Palach Pro

Tortoiseshell (IR)

Summary of Actor: Tortoiseshell is a cyber threat group primarily known for targeting IT providers in Saudi Arabia and the Middle East. They are believed to have a nexus to Iran. Their operations often focus on information gathering and espionage.

General Features: Tortoiseshell primarily engages in cyber-espionage activities targeting sectors such as IT and telecommunications. Their motives appear to be state-sponsored intelligence gathering. Their operations are sophisticated and often involve tailored malware and social engineering tactics.

Related Other Groups: APT35, OilRig, Muddy Water

Indicators of Attack (IoA):
- Spear phishing emails
- Use of custom malware
- Data exfiltration

Recent Activities and Trends:
Latest Campaigns: Recent campaigns by Tortoiseshell have focused on leveraging custom malware to gain access to IT infrastructure in their target regions. They have been observed using new variants of their previously known malware.
Emerging Trends: There has been an increasing use of sophisticated spear-phishing techniques, and they are increasingly targeting supply chains to gain indirect access to their primary targets.

Aliases: CURIUM, Crimson Sandstorm, Cuboid Sandstorm, DUSTYCAVE, IMPERIAL KITTEN, Imperial Kitten, Smoke Sandstorm, TA456, Yellow Liderc, DEV-0228

313 Team (IR)

Team 313 is a pro-Iranian, Shia-aligned hacktivist collective based in Iraq. The group has been active since at least 2023–2024 and positions itself as "soldiers of Imam Mahdi", framing its activities as cyber jihad in support of the Islamic Resistance and against perceived enemies of Shia interests (primarily Israel, the US, and their allies).

Aliases: xX313XxTeam, Unit 313

CHRYSENE (IR)

CHRYSENE is a cyber threat activity group tracked by Dragos, believed to be linked to Iran. It evolved from earlier Iranian-linked operations associated with groups such as OilRig (APT34) and Greenbug. The group specializes in gaining initial access to networks, conducting reconnaissance, and potentially handing off compromised systems to other actors for further exploitation.

CHRYSENE primarily conducts cyber espionage operations with a focus on industrial control systems (ICS) and operational technology (OT) environments. It demonstrates advanced capabilities in initial network penetration, credential theft, and malware deployment, often targeting critical infrastructure for long-term intelligence gathering rather than immediate disruption.

Indicators of Attack (IoA):
- Spear-phishing emails with malicious attachments or links
- Use of custom backdoors and frameworks similar to those employed by related groups
- Watering hole attacks on non-ICS-related websites to steal credentials
- Deployment of 64-bit malware variants
- Lateral movement via compromised credentials
- DNS and HTTP-based command-and-control (C2) communication

Aliases: APT34, Cobalt Gypsy, EUROPIUM, Greenbug, Hazel Sandstorm, OilRig, Twisted Kitten, Crambus, Helix Kitten, IRN2, ATK40, G0049, Evasive Serpens, TA452, Earth Simnavaz

HackHax (RU)

HackHax is a pro-Russian hacktivist group active since early 2026. The group conducts DDoS attacks, website disruptions, and defacements targeting Ukrainian media, government sites, and NATO-aligned entities, often claiming responsibility on X/Twitter and Telegram to amplify pro-Russian propaganda during the Russia-Ukraine conflict.

SYLHET GANG-SG (BD)

APT39 (IR)

Summary of Actor: APT39, also known as Chafer, is an Iran-based cyber espionage group that primarily targets the telecommunications and travel industries. The group is notable for its focus on personal information and movement tracking. They have been active since at least 2014.

General Features: APT39 primarily conducts cyber espionage operations aimed at stealing personal information and surveillance data. They are known for their use of custom malware and existing malware tools tailored to their needs. Their activities are in alignment with Iranian strategic goals.

Related Other Groups: Charming Kitten, OilRig, APT33

Indicators of Attack (IoA):
- Phishing emails with malicious attachments or links
- Spear-phishing targeting telecom and travel sectors
- Use of social engineering to establish initial access
- Custom malware deployment for surveillance purposes

Recent Activities and Trends:
Latest Campaigns: APT39 has recently been involved in campaigns focusing on COVID-19-related phishing schemes, primarily targeting healthcare and pharmaceutical sectors.
Emerging Trends: There has been an increased use of dual-use tools to evade detection and attribution, along with a shift towards targeting cloud-based infrastructure.

Aliases: Burgundy Sandstorm, COBALT HICKMAN, Chafer, G0087, ITG07, REMIX KITTEN, Radio Serpens, TA454, APT 39

MAGNALLIUM (IR)

Summary of Actor: MAGNALLIUM, also known as APT33, is a sophisticated Iranian cyber espionage group. The group is known for targeting aerospace and energy sectors, especially organizations in Saudi Arabia and the United States. Their operations are characterized by the use of spear-phishing campaigns and custom malware.

General Features: MAGNALLIUM is notable for its focus on espionage and disruptive activities. They frequently use spear-phishing emails as an initial attack vector and deploy custom malware like SHAPESHIFT and DROPZONE to achieve their objectives. The group is also known for its persistence and ability to adapt to different environments.

Related Other Groups: Elfin, APT34, OilRig

Indicators of Attack (IoA):
- Unusual email attachments from known but untrusted sources
- Unexpected activity on critical servers
- Non-standard communication patterns with external IPs

Recent Activities and Trends:
Latest Campaigns: In 2023, MAGNALLIUM was involved in a campaign targeting the aerospace industry, using a new variant of the SHAPESHIFT malware to compromise sensitive engineering documents.
Emerging Trends: Recently, there has been an increase in the group's use of living-off-the-land techniques and supply chain attacks to infiltrate networks. MAGNALLIUM has also shown interest in exploiting vulnerabilities in cloud-based environments.

Aliases: APT 33, APT33, ATK35, COBALT TRINITY, Elfin, G0064, HOLMIUM, Peach Sandstorm, Refined Kitten, TA451

Nation Of Saviors (NOS) (BD)

Nation Of Saviors (NOS) is an Islamic-oriented hacktivist group operated by Bengali-speaking administrators. The group is known for its pro-Iranian ideological stance and conducts cyber operations including DDoS attacks and sensitive database leaks. Their history dates back to January 2025.

Aliases: nos

AnonymousBsns (France)

Aliases: Anonymous France

MuddyWater (IR)

Summary of Actor: MuddyWater is a sophisticated threat actor group believed to be operating out of Iran. They have been known to conduct espionage campaigns primarily targeting Middle Eastern nations and academic institutions. This group has been active since around 2017 and often uses custom malware and spear-phishing techniques.

General Features: MuddyWater is known to use sophisticated social engineering techniques and custom malware. Their campaigns often focus on credential harvesting and lateral movement within targeted networks. They are adept at evading detection through obfuscation and encryption of their malware.

Related Other Groups: SeedWorm, TEMP.Zagros

Indicators of Attack (IoA):
- Spear-phishing emails with malicious attachments
- Use of PowerShell scripts for malware deployment
- Credential harvesting through phishing websites

Recent Activities and Trends:
Latest Campaigns: MuddyWater has recently been associated with campaigns targeting governmental entities in the Middle East, leveraging COVID-19 themed phishing lures.
Emerging Trends: An increased use of cloud storage services for malware hosting and growing sophistication in their spear-phishing tactics to bypass email security solutions.

Aliases: ATK51, Boggy Serpens, COBALT ULSTER, Earth Vetala, G0069, MERCURY, Mango Sandstorm, Seedworm, Static Kitten, TA450, TEMP.Zagros

Keymous+ (DZ)

Keymous+ is a North African hacktivist collective that emerged in late 2023, assessed with moderate confidence to be of Algerian origin, and primarily known for high-volume Distributed Denial-of-Service operations. The group operates under pan-Arab and pro-Palestinian ideological banners, though its targeting is frequently opportunistic and adapts to shifting geopolitical tensions rather than following a consistent political agenda; the group also openly promotes and monetizes DDoS-for-hire services, blending hacktivism with commercial cybercrime.

Aliases: Keymous Team, Keymous plus

Moroccan Black Cyber Army (MA)

Moroccan Black Cyber Army (also referred to as MBCA or Moroccan Black Cyber) is a pro-Iranian hacktivist group that emerged prominently in late 2025. The group claims responsibility for DDoS attacks, website disruptions, defacements, and occasional data leak announcements targeting Israeli entities, telecommunications providers, and perceived adversaries of Iran/Palestine causes.

Aliases: Moroccan Black Army, Moroccon Black Army

Babayo Error System (ID)

Babayo Error System is an Indonesian nationalist hacktivist group active since at least 2023. The group primarily conducts website defacements, DDoS attacks, and occasional data leak claims, targeting perceived adversaries of Indonesia (especially Indian government portals, media outlets, and symbolic sites), often with strong pro-Indonesian messaging and retaliation narratives.

Aliases: Babayo

RipperSec (MY)

Summary of Actor: RipperSec is a pro-Palestinian and pro-Muslim hacktivist group originating from Malaysia, recognized for using disruptive tactics such as DDoS attacks, website defacement, and data breaches. This group is ideologically motivated, focusing on targets they perceive as adversaries of Palestine or supporters of Israel. They leverage public platforms, including Telegram, to mobilize followers and conduct coordinated cyber campaigns.

General Features: RipperSec exhibits the typical characteristics of hacktivist groups, with a focus on DDoS as a primary attack vector. They have developed and utilize a tool called MegaMedusa, a powerful web DDoS attack tool that enables them to launch high-impact attacks on public websites. RipperSec frequently collaborates with other hacktivist groups, such as Tengkorak Cyber Crew, Eagle Cyber Crew, and Stucx Team, to amplify their attack reach and effectiveness. Their operations aim not only to disrupt services but also to make a political statement, aligning with anti-Israel and pro-Palestinian sentiments.

Related Other Groups: Tengkorak Cyber Crew, Eagle Cyber Crew, Stucx Team

Indicators of Attack (IoA):
- Coordinated DDoS attacks using the MegaMedusa tool, targeting public websites.
- Frequent use of proxies and other infrastructure to obscure the origin of attack traffic.
- Anti-Israel and pro-Palestinian messaging, often promoted through social media channels and Telegram.
- Defacement of websites with political statements supporting Palestine.

Recent Activities and Trends:
Latest Campaigns: RipperSec has launched DDoS attacks on various high-profile websites and public services in countries perceived as adversaries to Palestine. The MegaMedusa tool has been employed in these campaigns, causing widespread disruption.
Emerging Trends: Increased use of public DDoS tools like MegaMedusa, allowing followers and sympathizers to participate in attacks. This trend underscores a shift towards decentralized, crowd-sourced cyber attacks, where anyone with access to the tool can join the campaign.

DieNetIR

DieNet is an emerging hacktivist group that publicly debuted on Telegram in March 2025. The group is ideologically motivated by pro-Palestinian, anti-U.S. (particularly anti-Trump administration), and anti-Israel sentiments, often framing attacks as retaliation for geopolitical actions (e.g., U.S. support for Israel or policies toward Yemen/Palestine). Primary targets include U.S. critical infrastructure (transportation, energy, healthcare, telecommunications), government websites, Trump-affiliated businesses, and entities in Iraq, Israel, Sweden, and Egypt. Attacks are primarily disruptive rather than destructive or financially motivated.

Key Characteristics: DieNet conducts high-volume Distributed Denial-of-Service (DDoS) attacks using rented or shared DDoS-as-a-Service (DaaS) infrastructure, enabling rapid scaling without proprietary botnets. Common TTPs include multi-vector floods (e.g., TCP SYN, TCP RST, DNS/NTP amplification), public claims on Telegram with screenshots/proof, and coordination with allied hacktivist groups for promotion and possible shared resources. Victimology focuses on symbolic, high-visibility targets to maximize disruption and propaganda value. No associated malware families; operations are surface-web focused on availability disruption. Relevant MITRE ATT&CK Technique IDs: T1498 (Network Denial of Service), T1499 (Endpoint Denial of Service, if applicable), with reliance on external services rather than direct intrusion.

Indicators of Attack (IoA): As a DDoS-focused hacktivist, DieNet lacks traditional intrusion-phase IoAs (e.g., no malware, credential theft, or persistence). High-confidence indicators are network/behavioral during active attacks:

  • Sudden high-volume inbound traffic from diverse sources using amplification vectors (e.g., DNS queries, NTP requests) or direct floods (TCP SYN/RST).

  • Attack patterns matching shared DaaS platforms (e.g., overlapping source IPs with other groups like OverFlame/DenBots Proof).

  • Public claims on Telegram correlating with traffic spikes, often including taunts, ideological statements, or proof (e.g., outage screenshots).

  • Varied vectors per target (e.g., carpet-bombing for broad disruption), with no pre-intrusion reconnaissance artifacts like scanning.

  • No file-based, registry, or memory indicators, as operations do not involve endpoint compromise.
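The network/behavioral IoAs listed for DieNet (and the MegaMedusa-style DDoS described for RipperSec above) can be checked from flow telemetry. The script below is an added example written for this page, not code from the page or from either group: it scans constructed NetFlow-style records for a sudden high-volume burst from many distinct sources, classifies it as a direct TCP SYN/RST flood or as DNS/NTP amplification, and ignores a single noisy client. The `Flow` layout, the sample addresses and all thresholds are assumptions a defender would replace with a baseline for the protected address.

```python
"""Detect the network-level DDoS indicators of attack described above.

Added example for the DieNet and RipperSec profiles; it is not code from
the page or from either group. Every flow record is constructed sample
data, and the thresholds are assumptions to be tuned to a baseline.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP reflection services commonly abused for amplification (source port of replies).
AMPLIFICATION_PORTS = {53: "DNS", 123: "NTP"}

# Thresholds (assumed; tune to the normal traffic of the protected address).
MIN_PACKETS_PER_SEC = 1000    # inbound packet rate that counts as a flood
MIN_DISTINCT_SOURCES = 50     # the "diverse sources" criterion
AMP_MIN_AVG_BYTES = 1000      # large replies from port 53/123 point to amplification
DOMINANT_SHARE = 0.5          # a vector must carry at least half the burst to be named


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record, in the style of a NetFlow/IPFIX export (assumed layout)."""
    ts: int        # epoch seconds; one-second buckets are used below
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int
    flags: str     # TCP flag letters ("S", "R", "PA", ...); empty for UDP
    packets: int
    bytes: int


def analyse(flows, target):
    """Return (second, vector, detail) findings for inbound traffic to target.

    A second is only examined when both the volume and the source-diversity
    thresholds are exceeded, so one noisy client is not reported as DDoS.
    """
    per_sec = defaultdict(list)
    for fl in flows:
        if fl.dst == target:
            per_sec[fl.ts].append(fl)

    findings = []
    for sec in sorted(per_sec):
        batch = per_sec[sec]
        total = sum(fl.packets for fl in batch)
        sources = {fl.src for fl in batch}
        if total < MIN_PACKETS_PER_SEC or len(sources) < MIN_DISTINCT_SOURCES:
            continue

        # Direct floods: pure SYN or pure RST segments dominating the burst.
        for flag, name in (("S", "TCP SYN flood"), ("R", "TCP RST flood")):
            pkts = sum(fl.packets for fl in batch if fl.proto == "tcp" and fl.flags == flag)
            if pkts >= total * DOMINANT_SHARE:
                findings.append((sec, name, f"{pkts} pkts from {len(sources)} sources"))

        # Reflection/amplification: UDP replies from a service port with large payloads.
        for port, service in AMPLIFICATION_PORTS.items():
            amp = [fl for fl in batch if fl.proto == "udp" and fl.sport == port]
            if not amp:
                continue
            pkts = sum(fl.packets for fl in amp)
            avg_bytes = sum(fl.bytes for fl in amp) / pkts
            reflectors = {fl.src for fl in amp}
            if pkts >= total * DOMINANT_SHARE and avg_bytes >= AMP_MIN_AVG_BYTES:
                findings.append((sec, f"{service} amplification",
                                 f"{pkts} pkts, avg {avg_bytes:.0f} B, {len(reflectors)} reflectors"))
    return findings


TARGET = "198.51.100.10"   # constructed address of the protected web server


def sample_flows():
    """Constructed traffic: a quiet second, a SYN flood, then DNS amplification."""
    flows = []
    # t=1000: normal traffic, five clients opening connections.
    for i in range(1, 6):
        flows.append(Flow(1000, f"203.0.113.{i}", TARGET, "tcp", 40000 + i, 443, "S", 3, 180))
    # t=1001: 60 distinct sources each sending 20 SYNs (1200 pkts/s).
    for i in range(1, 61):
        flows.append(Flow(1001, f"203.0.113.{i}", TARGET, "tcp", 50000 + i, 443, "S", 20, 1200))
    # t=1002: 80 open resolvers reflecting 15 large DNS replies each, plus two real clients.
    for i in range(1, 81):
        flows.append(Flow(1002, f"192.0.2.{i}", TARGET, "udp", 53, 33000 + i, "", 15, 18000))
    flows.append(Flow(1002, "203.0.113.200", TARGET, "tcp", 41000, 443, "PA", 5, 2500))
    flows.append(Flow(1002, "203.0.113.201", TARGET, "tcp", 41001, 443, "PA", 5, 2500))
    return flows


if __name__ == "__main__":
    for sec, vector, detail in analyse(sample_flows(), TARGET):
        print(f"t={sec}: {vector} ({detail})")
```

Requiring both a volume threshold and a source-diversity threshold before naming a vector is the design point: it keeps one misbehaving client, or a legitimate traffic peak from a handful of sources, from being logged as a DDoS event, while a DaaS burst from dozens of rented sources or open reflectors crosses both.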

Shiite_Harvest

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediation If Compromise is Confirmed or Suspected

  1. Isolate immediately

  • Network-isolate the affected host — do not power off (preserves volatile memory and forensic artifacts)

  • Block associated C2 IPs and domains at perimeter; document with timestamps

  2. Preserve before acting

  • Capture full memory dump (WinPmem on Windows, avml/LiME on Linux)

  • Collect: Windows Event Logs, PowerShell ScriptBlock logs (Event 4104), Sysmon, EDR telemetry, DNS logs, NetFlow

  • Preserve disk image before any remediation — do not skip this step

  3. Establish scope

  • Run YARA rules 6.1–6.4 across all endpoints in the same network segment

  • Search for persistence: registry run keys, scheduled tasks, services created in last 90 days

  • Review all outbound connections from affected host to cloud storage and known C2 IPs

  • Lateral movement: review authentication logs for the compromised account accessing other systems

  4. Reset all credentials

  • Force password reset for ALL accounts that authenticated to the compromised system

  • Revoke and reissue all API tokens, SSH keys, service account credentials reachable from the host

  • Invalidate all active sessions (Azure AD: revoke all refresh tokens; on-prem: reset KRBTGT twice)

  5. Rebuild to clean state

  • For wiper victims: restore from verified offline backup taken before infection date — no in-place recovery

  • Rebuild from trusted golden image where persistent backdoor is confirmed

  • Validate backup integrity before restoration — this conflict has seen adversaries targeting backup infrastructure
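Two of the steps above lean on the same artefact: the isolation step asks for C2 domains to be blocked at the perimeter with a timestamped record, and the scoping step asks which hosts reached known C2 infrastructure. The script below is an added example written for this page (not the page's own tooling) that does both from resolver DNS logs. The IoC domains and log lines are constructed placeholders, not indicators from this campaign, and the log layout (ISO timestamp, client IP, query name) is an assumed minimal format; swap in the published domain list and your resolver's format.

```python
"""Scope a suspected compromise from DNS logs against a C2 domain list.

Added example (not part of the original campaign page). IoC domains and
log lines are constructed placeholders; the log layout is an assumption.
"""
from datetime import datetime, timezone

# Constructed placeholder IoCs; replace with the campaign's published domains.
IOC_DOMAINS = ["c2-placeholder.example", "proxy-placeholder.test"]

# Constructed resolver log lines: "<ISO timestamp> <client IP> <query name>".
SAMPLE_DNS_LOG = """\
2026-05-07T08:01:12Z 10.0.5.21 www.microsoft.com
2026-05-07T08:02:40Z 10.0.5.21 C2-Placeholder.example.
2026-05-07T08:03:05Z 10.0.5.33 cdn.proxy-placeholder.test
2026-05-07T08:03:09Z 10.0.5.33 notproxy-placeholder.test
2026-05-07T08:04:51Z 10.0.5.21 c2-placeholder.example
malformed line that a real log export might contain
2026-05-07T09:15:00Z 10.0.7.8 update.c2-placeholder.example
"""


def normalise(name):
    """Lower-case a DNS name and drop the trailing dot some resolvers log."""
    return name.strip().lower().rstrip(".")


def matches_ioc(qname, iocs):
    """Return the matching IoC when qname equals it or is a subdomain of it.

    Plain substring matching would wrongly flag 'notproxy-placeholder.test',
    so the check requires an exact match or a label boundary ('.') before
    the indicator.
    """
    q = normalise(qname)
    for ioc in iocs:
        i = normalise(ioc)
        if q == i or q.endswith("." + i):
            return i
    return None


def scope_from_dns_log(log_text, iocs):
    """Map each client that resolved an IoC to first/last sighting and the names it queried.

    Returns {client: {"first": datetime, "last": datetime, "names": set, "iocs": set}}.
    """
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort mid-incident
        ts_raw, client, qname = parts
        ioc = matches_ioc(qname, iocs)
        if ioc is None:
            continue
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        entry = hits.setdefault(client, {"first": ts, "last": ts, "names": set(), "iocs": set()})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["names"].add(normalise(qname))
        entry["iocs"].add(ioc)
    return hits


def blocklist_record(hits, iocs, now=None):
    """Build the timestamped perimeter block record that the isolation step calls for."""
    now = now or datetime.now(timezone.utc)
    lines = [f"# C2 domain block list generated {now.isoformat()}"]
    for ioc in iocs:
        seen_by = sorted(c for c, e in hits.items() if normalise(ioc) in e["iocs"])
        lines.append(f"{normalise(ioc)}\tobserved_from={','.join(seen_by) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    scope = scope_from_dns_log(SAMPLE_DNS_LOG, IOC_DOMAINS)
    for client, e in sorted(scope.items()):
        print(f"{client}: first={e['first'].isoformat()} last={e['last'].isoformat()} "
              f"names={sorted(e['names'])}")
    print(blocklist_record(scope, IOC_DOMAINS))
```

The per-client first/last timestamps feed the scoping step directly (which hosts touched C2 infrastructure, and when), and the generated record doubles as the timestamped documentation the isolation step requires; the label-boundary match is what keeps look-alike names such as `notproxy-placeholder.test` out of the scope.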

Sector-Specific Priority Actions

Sector | Specific Risk (Day 69 Context) | Priority Action
--- | --- | ---
Government & Defense | MuddyWater pre-planted backdoors; Charming Kitten credential ops; Unit 9900 officer files published; PSK WIND air defense C2 breach claimed | Immediate backdoor hunt; force MFA everywhere; audit all privileged accounts; review any classified system access logs
Energy / OT / ICS | Z-Pentest silo control video; Kupferle Water HMI; Cyber Av3ngers siren claim; FSociety1337 ICS claim; IRGC energy-sector APT33 probing | Verify zero public ICS exposure immediately; deploy Sigma 7.5; one-way data diodes; block all OT management ports at perimeter
US Tech (IRGC Designated) | Apple, Microsoft, Google, Meta, Nvidia, IBM, Intel, Oracle, Cisco, HP, Dell, Palantir, JPMorgan, Tesla, GE, Boeing, Spire Solutions, G42 formally designated | Escalate DDoS posture to maximum; review all regional infrastructure (especially Middle East); ensure cloud tenants have Conditional Access
Telecom | NoName targeting Bezeq; Keymous targeting Telecom Egypt; Mad Ghost 4G core claim | Enable DDoS scrubbing; monitor BGP routes; audit core network device access
Finance & Banking | MuddyWater pre-positioned in US bank; Israeli company INC ransomware; Bank of Jerusalem data; Discount Bank DDoS | Patch all public-facing apps; offline ransomware backup; EDR on all servers
Water / Critical Infra | Kupferle Water HMI (US); Z-Pentest water pump (Israel); PureWater 100 (South Korea) — all three claimed by adversaries with video proof | Remove all HMI from internet immediately; segment OT from IT; verify remote access VPN security; test incident response plan for ICS breach scenario

Observed Countries (13)

AE (356)
BH (263)
CY (249)
IL (957)
IQ (256)
IR (748)
JO (855)
KW (99)
OM (367)
QA (428)
RO (894)
SA (679)
US (577)