
Operation Epic Fury : Iran vs. Israel & US Cyber War
Indicators of Compromise
APT Groups
Z-Pentest (also Z-Pentest Alliance) is a hacktivist collective active since at least late 2024. It first surfaced inside pro-Russian hacktivist networks and has since also operated under pro-Palestinian / pro-Iran banners as part of the broader "Cyber Islamic Resistance" and #OpIsrael waves. Unlike most groups on this list, its distinguishing tradecraft is intrusion into internet-exposed OT/HMI panels (water, agriculture, oil and gas), typically recorded and published as video proof; it also conducts DDoS attacks, website defacements, data leak claims and occasional credential dumps, primarily against Israeli entities, U.S. organizations and perceived Western/Israeli allies.
APT-IRAN (also stylized as APT Iran) is a pro-Iranian hacktivist collective active since at least 2023–2024, with heightened visibility in 2025–2026. The group claims responsibility for hack-and-leak operations, data breaches, DDoS attacks, and website defacements, primarily targeting Israeli, U.S., and regional adversaries in support of Iranian geopolitical interests and Palestinian causes. It frequently appears as part of the broader Cyber Islamic Resistance umbrella, coordinating with other pro-Iran hacktivist entities.
Team Fearless is a pro-Iranian hacktivist group that emerged in mid-2025. The group claims responsibility for DDoS attacks, website defacements, data leaks, and breaches targeting Israeli government, defense, and critical infrastructure entities, often in coordination with other pro-Iran hacktivist collectives as part of broader "Cyber Islamic Resistance" alliances.
Morning Star is a pro-Russian hacktivist collective active since at least 2024. The group specializes in DDoS attacks, website defacements, and occasional data leak claims, primarily targeting Ukrainian government portals, military-related sites, NATO-aligned infrastructure, and Western media outlets in support of Russian geopolitical interests during the Russia-Ukraine conflict.
Islamic Hacker Army (also referred to as IHA or IslamicHackerArmy) is a pro-Iranian / pro-Palestinian hacktivist collective active since at least 2023–2024, with a surge in visibility during the 2025–2026 Iran–Israel conflict escalations. The group claims responsibility for DDoS attacks, website defacements, data leaks, and occasional credential dumps, primarily targeting Israeli, U.S., Saudi, Bahraini, Jordanian, and Western-aligned entities in support of Palestinian causes and Iranian geopolitical interests.
Dark Storm Team is a pro-Palestinian hacktivist collective that emerged in September 2023. The group is primarily known for launching distributed denial-of-service (DDoS) attacks, website defacements, and occasional data breach/leak claims against targets it perceives as supporting Israel, NATO countries, or Western policies in the Israel–Palestine conflict.
Summary of Actor: NoName057(16) is a pro-Russian hacktivist group known for DDoS attacks and disinformation. It emerged in March 2022, shortly after the invasion of Ukraine, and targets governments, media and businesses of countries it regards as opposing Russian interests, mainly in Europe, with Israeli targets added during this conflict (see the Telecom row in the sector table below).
General Features: The group's signature capability is DDoSia, a crowdsourced DDoS client distributed through Telegram whose volunteers fetch target lists from the group's servers and are paid in cryptocurrency for successful attacks; Telegram also serves as the coordination and claims channel. Motivation is political, aligned with Russian state narratives.
Related Other Groups: Killnet, Zarya, Cyber Army of Russia Reborn (which Mandiant links to GRU Unit 74455 / Sandworm)
Indicators of Attack (IoA):
Unusual traffic patterns suggesting DDoS activity, typically HTTP floods against specific URLs rather than raw bandwidth exhaustion
Traffic originating from IP addresses of DDoSia participants previously linked to the group
Use of various payloads consistent with volumetric or application-layer DDoS
Recent Activities and Trends:
Latest Campaigns: DDoS attacks against Ukrainian government websites and Western media outlets, accompanied by propaganda amplified through social media and Telegram.
Emerging Trends: Increased coordination of DDoS waves with other pro-Russian groups, suggesting shared infrastructure or state support. Europol's Operation Eastwood (July 2025) took down a large part of the DDoSia server infrastructure and produced arrests and warrants across Europe, but the group resumed attacks within days, so its claims should still be treated as live.
Summary of Actor: APT42 is an Iranian state-sponsored cyber espionage group that Mandiant assesses operates on behalf of the IRGC Intelligence Organization (IRGC-IO). Rather than mass intrusion, it conducts targeted surveillance and credential-theft operations against individuals and organizations of strategic interest to Iran, in the Middle East as well as in the U.S. and Europe.
General Features: APT42's hallmark is patient social engineering: operators pose as journalists, think-tank researchers, conference organizers or colleagues, build rapport over days or weeks, and only then deliver credential-harvesting pages that also capture MFA codes. Bespoke malware includes lightweight PowerShell and VBScript backdoors (TAMECAT, NICECURL) and Android surveillance implants used against domestic targets. Typical victims are policy experts, journalists, activists, academics, Western government and campaign officials, and Israeli and U.S. defense-adjacent personnel.
Related Other Groups: Charming Kitten (TA453, Mint Sandstorm, formerly Phosphorus), with which APT42 overlaps; distinct from the MOIS-linked APT34 / OilRig
Indicators of Attack (IoA):
Spear-phishing that opens with benign rapport-building emails before any link or attachment is sent
Credential-harvesting pages impersonating Google, Microsoft, Yahoo and webmail logins, hosted on lookalike domains or abused cloud services
Use of custom malware such as TAMECAT and NICECURL
C2 communication with domains masquerading as legitimate services
Recent Activities and Trends:
Latest Campaigns: In 2024 Google and Microsoft reported APT42 phishing of current and former officials associated with both U.S. presidential campaigns, alongside sustained targeting of Israeli military, defense and diplomatic personnel.
Emerging Trends: Growing focus on cloud identities. Once a mailbox or Microsoft 365 account is compromised, the group pulls documents directly from cloud storage rather than deploying endpoint malware, so identity telemetry (sign-in logs, consent grants, mailbox rules) matters more than file-based IoCs. Multi-stage operations that start with credential theft and continue with lateral movement, and an uptick in targeting of educational institutions for research data, are also observed.
Summary of Actor: Fox Kitten (Pioneer Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm) is an Iranian state-affiliated group that has targeted critical infrastructure, defense, healthcare, education and government organizations in the U.S., Israel and elsewhere since at least 2017. Its operations combine initial access through known vulnerabilities in edge devices with long-term persistence and data exfiltration from high-value targets.
General Features: The group's signature is rapid exploitation of publicly known flaws in enterprise VPN and remote-access appliances (Pulse Secure CVE-2019-11510, Fortinet CVE-2018-13379, Citrix CVE-2019-19781, and more recently Citrix NetScaler CVE-2023-3519, Palo Alto PAN-OS CVE-2024-3400 and Check Point CVE-2024-24919), followed by web shells, new local accounts, RDP and tunnelling tools for persistence and lateral movement.
Related Other Groups: APT33, APT34, MuddyWater
Indicators of Attack (IoA):
Unauthorized RDP access
Unusual outbound traffic
Phishing emails targeting specific sectors
Use of VPN access for network infiltration: appliance logins from unexpected geographies, new web shells or local accounts on edge devices
Recent Activities and Trends:
Latest Campaigns: Exploitation of vulnerabilities in enterprise VPNs and remote-access appliances to infiltrate networks of targeted organizations. Per the CISA/FBI advisory AA24-241A (August 2024), Fox Kitten actors have also sold or handed network access to ransomware affiliates (ALPHV/BlackCat, NoEscape, RansomHouse) and assisted with encryption and extortion, a financially motivated sideline to state espionage.
Emerging Trends: A noticeable increase in strategic web compromises and supply chain intrusions, indicating a shift toward more indirect methods of network infiltration, together with exploitation of new edge-device CVEs within days of disclosure.
Professor6T9 (also seen as professor6t9) is a low-sophistication individual or small defacement crew active since at least 2023. The actor specializes in mass website defacements, primarily of educational institutions (schools, universities, vocational sites) across multiple countries, typically using basic weaknesses such as unrestricted file upload or SQL injection to place a simple .txt defacement file on the server.
Summary of Actor: CyberAv3ngers is a hacktivist-style persona that the U.S. government (CISA/FBI/NSA/EPA joint advisory AA23-335A, December 2023) attributes to the IRGC Cyber-Electronic Command (IRGC-CEC); the Treasury sanctioned six IRGC-CEC officials for its activity in February 2024. It drew wide attention in November 2023 and targets operational technology rather than corporate IT. Its objectives are disruption and propaganda, not espionage.
General Features: The group's best-known operation compromised internet-exposed Unitronics Vision-series PLC/HMI units at water utilities (including the Municipal Water Authority of Aliquippa, Pennsylvania) and other sectors by logging in with the device's default password "1111" over the PCOM service on TCP/20256 (CVE-2023-6448) and replacing the HMI screen with an anti-Israel defacement message. In December 2024 Claroty documented IOCONTROL, a Linux-based implant attributed to the group that targets IoT/OT devices such as fuel-management systems, routers and PLCs and uses MQTT for C2. Many of its other claims against Israeli water and power systems have been exaggerated.
Related Other Groups: IRGC-CEC; the persona is separate from the Iranian espionage groups (APT33, APT34, MuddyWater) elsewhere in this list
Indicators of Attack (IoA):
Internet-reachable PLC/HMI devices still using vendor default credentials, especially Unitronics units on TCP/20256 and their web interface
Inbound connections to TCP/20256 (PCOM) from networks other than engineering workstations; HMI screen changes or defacement text
New outbound MQTT sessions (typically TCP/8883) from OT or IoT devices, the IOCONTROL C2 channel
Unexplained PLC program changes or devices rendered inoperable
Recent Activities and Trends:
Latest Campaigns: Defacement and disruption claims against Israeli and U.S. water, energy and fuel assets, including the siren claim referenced in the sector table below.
Emerging Trends: Movement from opportunistic default-credential abuse toward purpose-built OT implants (IOCONTROL), and toward targets chosen because they run Israeli-made technology regardless of the country where they sit.
PalachPro (also referred to as Palach Pro or PalachPro Group) is a pro-Russian hacktivist group active since at least 2025. The group claims responsibility for data breaches, leaks and disruptions targeting Ukrainian government platforms (notably Diia), critical infrastructure and other perceived adversaries in the Russia–Ukraine conflict, often publishing unverified proofs on Telegram and dark web forums.
Summary of Actor: Tortoiseshell (Imperial Kitten, TA456, Crimson Sandstorm) is a cyber threat group with a nexus to Iran, assessed to be IRGC-linked, known since 2019 for targeting IT providers in Saudi Arabia and the wider Middle East as a route into their customers. Its operations focus on information gathering and espionage.
General Features: Tortoiseshell conducts state-aligned cyber espionage against IT and telecommunications providers and, through them, their clients. Symantec's 2019 reporting documented intrusions at at least 11 IT providers in Saudi Arabia using a custom backdoor (Backdoor.Syskit) alongside living-off-the-land tooling. In 2021 Facebook removed a network of fake personas the group used to approach U.S. military personnel and defense and aerospace contractor employees, moving targets to email and lookalike recruiting sites before delivering malware. Operations are tailored and lean heavily on social engineering.
Related Other Groups: APT35, OilRig, MuddyWater
Indicators of Attack (IoA):
Spear phishing emails
Use of custom malware
Data exfiltration
Long-running social-media personas that steer targets to email or fake job sites before any payload is delivered
Recent Activities and Trends:
Latest Campaigns: Recent campaigns have used custom malware, including new variants of previously known families, to gain access to IT infrastructure in the target regions.
Emerging Trends: Increasingly sophisticated spear-phishing and a growing preference for supply chain access, compromising service providers to reach their primary targets indirectly.
Team 313 is a pro-Iranian, Shia-aligned hacktivist collective based in Iraq. The group has been active since at least 2023–2024 and positions itself as "soldiers of Imam Mahdi", framing its activities as cyber jihad in support of the Islamic Resistance and against perceived enemies of Shia interests (primarily Israel, the U.S. and their allies).
Summary of Actor: CHRYSENE is a cyber threat activity group tracked by Dragos and believed to be linked to Iran. It evolved from earlier Iranian-linked operations associated with OilRig (APT34) and Greenbug. The group specializes in gaining initial access to networks, conducting reconnaissance, and potentially handing compromised systems to other actors for further exploitation.
General Features: CHRYSENE primarily conducts cyber espionage with a focus on industrial control system (ICS) and operational technology (OT) operators, historically in the Gulf region and later in Europe and North Africa. It demonstrates capable initial network penetration, credential theft and malware deployment, and targets critical infrastructure for long-term intelligence gathering rather than immediate disruption.
Related Other Groups: OilRig (APT34), Greenbug
Indicators of Attack (IoA):
Spear-phishing emails with malicious attachments or links
Use of custom backdoors and frameworks similar to those employed by related groups
Watering hole attacks on non-ICS websites to steal credentials
Deployment of 64-bit malware variants
Lateral movement via compromised credentials
DNS- and HTTP-based command-and-control (C2) communication
HackHax is a pro-Russian hacktivist group active since early 2026. The group conducts DDoS attacks, website disruptions, and defacements targeting Ukrainian media, government sites, and NATO-aligned entities, often claiming responsibility on X/Twitter and Telegram to amplify pro-Russian propaganda during the Russia-Ukraine conflict.
Summary of Actor: APT39 (Chafer, Remix Kitten) is an Iran-based cyber espionage group, active since at least 2014, that primarily targets the telecommunications and travel industries to collect personal information and track the movements of individuals of interest. In September 2020 the U.S. Treasury sanctioned its front company, Rana Intelligence Computing Company, as an operation of the Ministry of Intelligence and Security (MOIS), and the FBI published its tooling.
General Features: APT39 conducts espionage aimed at stealing personal information and surveillance data, using both custom malware and existing tools tailored to its needs. Its activities align with Iranian strategic goals, in particular monitoring dissidents, journalists and travellers.
Related Other Groups: Charming Kitten, OilRig, APT33
Indicators of Attack (IoA):
Phishing emails with malicious attachments or links
Spear-phishing targeting telecom and travel sectors
Use of social engineering to establish initial access
Custom malware deployment for surveillance purposes
Recent Activities and Trends:
Latest Campaigns: The 2020 Rana exposure documented long-running collection against telecom and travel companies in dozens of countries, including Android malware used against Iranian dissidents and journalists.
Emerging Trends: Increased use of dual-use tools to evade detection and attribution, along with a shift toward targeting cloud-based infrastructure.
Summary of Actor: MAGNALLIUM is Dragos's name for the activity tracked elsewhere as APT33 (Elfin, Refined Kitten, Peach Sandstorm / HOLMIUM), an Iranian state-sponsored cyber espionage group active since at least 2013. It targets the aerospace, defense and energy sectors (especially oil and gas), with a concentration on organizations in Saudi Arabia, the U.S. and South Korea, using spear-phishing campaigns and custom malware.
General Features: MAGNALLIUM combines espionage with destructive capability. It frequently uses spear-phishing emails (often job-themed lures) as the initial vector and has deployed custom malware such as the TURNEDUP backdoor and the SHAPESHIFT wiper delivered by the DROPSHOT dropper. The group is persistent and adapts its tooling to different environments.
Related Other Groups: Elfin (Symantec's name for the same group), APT34, OilRig
Indicators of Attack (IoA):
Unexpected email attachments or links from known but unverified senders
Unexpected activity on critical servers
Non-standard communication patterns with external IPs
Large volumes of failed logons across many accounts from a small set of IPs (password spraying)
Recent Activities and Trends:
Latest Campaigns: In 2023 Microsoft (tracking the group as Peach Sandstorm) reported large-scale password-spray campaigns against defense, satellite and pharmaceutical organizations worldwide, followed by deployment of the FalseFont backdoor against U.S. defense industrial base targets.
Emerging Trends: Increased use of living-off-the-land techniques and supply chain access to infiltrate networks, and growing interest in exploiting cloud-based environments.
Nation Of Saviors (NOS) is an Islamic-oriented hacktivist group operated by Bengali-speaking administrators. The group is known for its pro-Iranian ideological stance and conducts cyber operations including DDoS attacks and sensitive database leaks. Their history dates back to January 2025.
Summary of Actor: MuddyWater (SeedWorm, TEMP.Zagros, Static Kitten, Mango Sandstorm) is an Iranian threat actor that U.S. Cyber Command publicly attributed to the Ministry of Intelligence and Security (MOIS) in January 2022. Active since around 2017, it conducts espionage against governments, telecoms, defense organizations and academic institutions across the Middle East, Europe and Asia, using custom malware and spear-phishing.
General Features: MuddyWater relies on social engineering and PowerShell-based tooling (POWERSTATS and successors), with obfuscation and encryption to evade detection. Its campaigns focus on credential harvesting and lateral movement. Since 2022 a consistent pattern has been spear-phishing with links to file-sharing sites that deliver installers for legitimate remote management tools (ScreenConnect, Atera, SimpleHelp, RemoteUtilities) as the initial foothold, later supplemented by the BugSleep backdoor documented by Check Point in 2024.
Related Other Groups: SeedWorm, TEMP.Zagros, Static Kitten, Mango Sandstorm (all names for the same activity)
Indicators of Attack (IoA):
Spear-phishing emails with malicious attachments or links to file-sharing services
Use of PowerShell scripts for malware deployment
Credential harvesting through phishing websites
Unexpected installation of remote management agents on user workstations
Recent Activities and Trends:
Latest Campaigns: Campaigns against governmental entities in the Middle East, and in this conflict the pre-planted backdoors and bank pre-positioning noted in the sector table below.
Emerging Trends: Increased use of cloud storage and file-sharing services for malware hosting, abuse of legitimate RMM software in place of custom first-stage implants, and growing sophistication in spear-phishing to bypass email security.
Keymous+ is a North African hacktivist collective that emerged in late 2023, assessed with moderate confidence to be of Algerian origin, and primarily known for high-volume Distributed Denial-of-Service operations. The group operates under pan-Arab and pro-Palestinian ideological banners, though its targeting is frequently opportunistic and adapts to shifting geopolitical tensions rather than following a consistent political agenda — it also openly promotes and monetizes DDoS-for-hire services, blending hacktivism with commercial cybercrime.
Moroccan Black Cyber Army (also referred to as MBCA or Moroccan Black Cyber) is a pro-Iranian hacktivist group that emerged prominently in late 2025. The group claims responsibility for DDoS attacks, website disruptions, defacements, and occasional data leak announcements targeting Israeli entities, telecommunications providers, and perceived adversaries of Iran/Palestine causes.
Babayo Eror System is an Indonesian nationalist hacktivist group active since at least 2023. The group primarily conducts website defacements, DDoS attacks, and occasional data leak claims, targeting perceived adversaries of Indonesia (especially Indian government portals, media outlets, and symbolic sites), often with strong pro-Indonesian messaging and retaliation narratives.
Summary of Actor: RipperSec is a pro-Palestinian and pro-Muslim hacktivist group originating from Malaysia, recognized for disruptive tactics such as DDoS attacks, website defacement and data breaches. The group is ideologically motivated, focusing on targets it perceives as adversaries of Palestine or supporters of Israel, and uses public platforms, chiefly Telegram, to mobilize followers and run coordinated campaigns.
General Features: RipperSec shows the typical profile of a hacktivist group, with DDoS as its primary attack vector. It developed and publishes MegaMedusa, a Node.js-based layer-7 (HTTP flood) DDoS tool released openly on GitHub that routes requests through lists of open proxies, which lets supporters with no infrastructure of their own join attacks on public websites. RipperSec frequently collaborates with other hacktivist groups such as Tengkorak Cyber Crew, Eagle Cyber Crew and Stucx Team to amplify reach. Operations aim to disrupt services and to make a political statement aligned with anti-Israel and pro-Palestinian sentiment.
Related Other Groups: Tengkorak Cyber Crew, Eagle Cyber Crew, Stucx Team
Indicators of Attack (IoA):
Coordinated HTTP-layer DDoS attacks using the MegaMedusa tool against public websites
Frequent use of open proxies and other shared infrastructure to obscure the origin of attack traffic
Anti-Israel and pro-Palestinian messaging promoted through social media and Telegram
Defacement of websites with political statements supporting Palestine
Recent Activities and Trends:
Latest Campaigns: DDoS attacks on high-profile websites and public services in countries perceived as adversaries of Palestine, with MegaMedusa used in these campaigns to cause widespread disruption.
Emerging Trends: Increased use of public DDoS tools like MegaMedusa, allowing followers and sympathizers to participate in attacks. This marks a shift toward decentralized, crowd-sourced attacks in which anyone with the tool can join a campaign.
Summary of Actor: DieNet is an emerging hacktivist group that publicly debuted on Telegram in March 2025. The group is ideologically motivated by pro-Palestinian, anti-U.S. (particularly anti-Trump administration) and anti-Israel sentiments, often framing attacks as retaliation for geopolitical actions (e.g., U.S. support for Israel or policies toward Yemen and Palestine). Primary targets include U.S. critical infrastructure (transportation, energy, healthcare, telecommunications), government websites, Trump-affiliated businesses, and entities in Iraq, Israel, Sweden and Egypt. Attacks are disruptive rather than destructive or financially motivated.
Key Characteristics: DieNet conducts high-volume Distributed Denial-of-Service (DDoS) attacks using rented or shared DDoS-as-a-Service (DaaS) infrastructure, which lets it scale rapidly without a proprietary botnet. Common TTPs include multi-vector floods (TCP SYN, TCP RST, DNS/NTP amplification), public claims on Telegram with screenshots as proof, and coordination with allied hacktivist groups for promotion and possibly shared resources. Victimology favors symbolic, high-visibility targets to maximize disruption and propaganda value. No associated malware families; operations are surface-web focused on availability disruption.
Relevant MITRE ATT&CK Technique IDs: T1498 (Network Denial of Service) and, where endpoint resources rather than bandwidth are exhausted, T1499 (Endpoint Denial of Service); the group relies on external services rather than direct intrusion.
Indicators of Attack (IoA): As a DDoS-focused hacktivist group, DieNet lacks traditional intrusion-phase IoAs (no malware, credential theft or persistence). High-confidence indicators are network and behavioral, observed during active attacks:
Sudden high-volume inbound traffic from diverse sources using amplification vectors (e.g., DNS, NTP) or direct floods (TCP SYN/RST)
Attack patterns matching shared DaaS platforms (e.g., overlapping source IPs with other groups such as OverFlame or DenBots Proof)
Public claims on Telegram correlating with traffic spikes, often including taunts, ideological statements or proof such as outage screenshots
Varied vectors per target (e.g., carpet-bombing for broad disruption), with no pre-intrusion reconnaissance artifacts such as scanning
No file-based, registry or memory indicators, as operations do not involve endpoint compromise
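The network IoAs above (amplification from reflector ports, SYN/RST floods, carpet-bombing across a prefix) can be checked mechanically against flow telemetry. The following is an added example written for this page, not tooling from DieNet, RipperSec or any vendor: it scores NetFlow-style records per victim and time window. The Flow record layout, the thresholds (AMP_MIN_BYTES_PER_PKT, MIN_SOURCES, WINDOW_SECONDS) and the sample flows are constructed assumptions; the same logic covers the DDoS profiles of NoName057(16), Keymous+ and RipperSec described earlier.

```python
"""Added example (not from the original page): flag the DDoS indicators of attack
listed above in NetFlow-style records. Thresholds and sample flows are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

# UDP source ports of common reflectors; inbound UDP from these with large payloads
# is the amplification signature. Thresholds are assumptions for the example.
AMPLIFICATION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}
AMP_MIN_BYTES_PER_PKT = 400   # legitimate DNS/NTP replies are far smaller
MIN_SOURCES = 20              # distinct sources per victim per window before flagging
WINDOW_SECONDS = 10


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds of the flow start
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    nbytes: int
    flags: str     # TCP flag letters ("S", "R", "PA", ...); "" for UDP


def detect_ddos(flows, window=WINDOW_SECONDS, min_sources=MIN_SOURCES):
    """Return one finding per (victim, window, vector): amplification, SYN or RST flood."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.dst, f.ts // window)].append(f)
    findings = []
    for (dst, win), group in sorted(buckets.items()):
        amp = [f for f in group if f.proto == "udp" and f.sport in AMPLIFICATION_PORTS]
        amp_pkts = sum(f.packets for f in amp)
        if (amp and len({f.src for f in amp}) >= min_sources
                and sum(f.nbytes for f in amp) / amp_pkts >= AMP_MIN_BYTES_PER_PKT):
            vectors = "+".join(sorted({AMPLIFICATION_PORTS[f.sport] for f in amp}))
            findings.append({"victim": dst, "window": win,
                             "vector": "amplification", "detail": vectors})
        for flag, name in (("S", "syn_flood"), ("R", "rst_flood")):
            direct = [f for f in group if f.proto == "tcp" and f.flags == flag]
            if len({f.src for f in direct}) >= min_sources:
                findings.append({"victim": dst, "window": win,
                                 "vector": name, "detail": f"{len(direct)} flows"})
    return findings


def carpet_bombing(findings, prefix_len=24, min_victims=4):
    """Several victims inside one prefix in the same window: the carpet-bombing pattern."""
    by_prefix = defaultdict(set)
    for fnd in findings:
        net = ip_network(f"{fnd['victim']}/{prefix_len}", strict=False)
        by_prefix[(str(net), fnd["window"])].add(fnd["victim"])
    return [{"prefix": p, "window": w, "victims": len(v)}
            for (p, w), v in sorted(by_prefix.items()) if len(v) >= min_victims]


def sample_flows():
    """Constructed records: normal HTTPS sessions, then a multi-vector attack at t=100..109."""
    flows = [Flow(50 + i, f"192.0.2.{i}", "203.0.113.10", "tcp", 50000 + i, 443, 12, 9000, "PA")
             for i in range(5)]
    for i in range(30):   # DNS + NTP reflection, 1200-byte packets, 30 reflectors
        flows.append(Flow(100 + i % 10, f"198.51.100.{i}", "203.0.113.10", "udp",
                          53 if i % 2 else 123, 40000 + i, 50, 50 * 1200, ""))
    for i in range(25):   # SYN flood from 25 spoofed sources against a second host
        flows.append(Flow(100 + i % 10, f"198.51.100.{100 + i}", "203.0.113.11", "tcp",
                          1024 + i, 80, 1, 60, "S"))
    for host in range(20, 25):   # carpet-bombing: five more hosts in the same /24
        for i in range(20):
            flows.append(Flow(105, f"198.51.100.{200 + i}", f"203.0.113.{host}", "tcp",
                              2000 + i, 443, 1, 60, "S"))
    return flows


if __name__ == "__main__":
    found = detect_ddos(sample_flows())
    for fnd in found:
        print(f"{fnd['victim']:14} window={fnd['window']} {fnd['vector']:14} {fnd['detail']}")
    for cb in carpet_bombing(found):
        print(f"carpet-bombing on {cb['prefix']} window={cb['window']}: {cb['victims']} victims")
```

Feed it from a collector export by mapping each record onto Flow. On real traffic, raise MIN_SOURCES to match the normal client diversity of the service, and correlate a finding with the Telegram claim timestamp before attributing it to a particular group, since the shared DaaS platforms noted above produce near-identical traffic for several of them.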
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
Isolate immediately
Network-isolate the affected host — do not power off (preserves volatile memory and forensic artifacts)
Block associated C2 IPs and domains at perimeter; document with timestamps
Preserve before acting
Capture full memory dump (WinPmem on Windows, avml/LiME on Linux)
Collect: Windows Event Logs, PowerShell ScriptBlock logs (Event 4104), Sysmon, EDR telemetry, DNS logs, NetFlow
Preserve disk image before any remediation — do not skip this step
Establish scope
Run YARA rules 6.1–6.4 across all endpoints in the same network segment
Search for persistence: registry run keys, scheduled tasks, services created in last 90 days
Review all outbound connections from affected host to cloud storage and known C2 IPs
Lateral movement: review authentication logs for the compromised account accessing other systems
Reset all credentials
Force password reset for ALL accounts that authenticated to the compromised system
Revoke and reissue all API tokens, SSH keys, service account credentials reachable from the host
Invalidate all active sessions (Entra ID / Azure AD: revoke all refresh tokens for the affected users; on-prem AD: reset the KRBTGT password twice, waiting at least one maximum ticket lifetime, 10 hours by default, between the two resets so the old key ages out without breaking Kerberos for legitimate hosts; forged golden tickets only stop working once both resets have replicated)
Rebuild to clean state
For wiper victims: restore from verified offline backup taken before infection date — no in-place recovery
Rebuild from trusted golden image where persistent backdoor is confirmed
Validate backup integrity before restoration — this conflict has seen adversaries targeting backup infrastructure
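The Establish scope and Reset all credentials steps above reduce to a handful of queries over the logs collected in the preservation step. The following is an added example written for this page, not an official playbook or tool: given Sysmon, Security and System events in a normalized dict form, it lists new persistence inside the 90-day window, outbound contact with known C2 and cloud storage from the isolated host, every account that authenticated to that host (all of which must be reset), the hosts the compromised account reached over network or RDP logons, and the hosts that need a rebuild. The event shape, the KNOWN_C2 set, the CLOUD_STORAGE list and the sample events are constructed assumptions.

```python
"""Added example (not from the original page): scope an intrusion from the telemetry
collected in the preservation step. Events are constructed records shaped like
Sysmon, Security and System log entries; addresses are documentation ranges."""
from datetime import datetime, timedelta

KNOWN_C2 = {"198.51.100.77", "203.0.113.5"}          # assumed blocklist for the example
CLOUD_STORAGE = ("dropbox.com", "onedrive.live.com", "drive.google.com", "mega.nz")
PERSISTENCE_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_persistence(events, now, days=90):
    """Scheduled tasks (4698), installed services (7045) and Run-key writes (Sysmon 13)
    created inside the look-back window, on any host."""
    cutoff = now - timedelta(days=days)
    hits = []
    for e in events:
        if parse_ts(e["ts"]) < cutoff:
            continue
        d, ch, eid = e["data"], e["channel"], e["event_id"]
        if ch == "Security" and eid == 4698:
            hits.append((e["host"], "scheduled_task", d["TaskName"]))
        elif ch == "System" and eid == 7045:
            hits.append((e["host"], "service", d["ServiceName"]))
        elif ch == "Sysmon" and eid == 13 and any(k in d["TargetObject"] for k in PERSISTENCE_KEYS):
            hits.append((e["host"], "run_key", d["TargetObject"]))
    return hits


def find_outbound(events, host):
    """Sysmon 3 connections to known C2 and Sysmon 22 DNS lookups of cloud storage from the host."""
    c2, cloud = [], []
    for e in events:
        if e["host"] != host or e["channel"] != "Sysmon":
            continue
        d = e["data"]
        if e["event_id"] == 3 and d["DestinationIp"] in KNOWN_C2:
            c2.append((d["Image"], d["DestinationIp"], d["DestinationPort"]))
        elif e["event_id"] == 22 and d["QueryName"].endswith(CLOUD_STORAGE):
            cloud.append((d["Image"], d["QueryName"]))
    return {"c2": c2, "cloud": cloud}


def accounts_on_host(events, host):
    """Every account with a 4624 logon on the compromised host: all of them get a forced reset."""
    return sorted({e["data"]["TargetUserName"] for e in events
                   if e["host"] == host and e["channel"] == "Security" and e["event_id"] == 4624})


def lateral_movement(events, account, host):
    """Other hosts where the compromised account logged on over the network (type 3) or RDP (10)."""
    return sorted({e["host"] for e in events
                   if e["channel"] == "Security" and e["event_id"] == 4624 and e["host"] != host
                   and e["data"]["TargetUserName"] == account and e["data"]["LogonType"] in (3, 10)})


def scope(events, host, account, now):
    persistence = find_persistence(events, now)
    return {
        "persistence": persistence,
        "outbound": find_outbound(events, host),
        "reset_accounts": accounts_on_host(events, host),
        "investigate_hosts": lateral_movement(events, account, host),
        # hosts with confirmed persistence are rebuilt from a golden image, not cleaned in place
        "rebuild_hosts": sorted({host} | {h for h, _, _ in persistence}),
    }


def sample_events():
    """Constructed telemetry: WS-ACCT-07 is the isolated host, svc_backup the account in the alert."""
    def ev(ts, host, ch, eid, **data):
        return {"ts": ts, "host": host, "channel": ch, "event_id": eid, "data": data}
    return [
        ev("2026-05-01T08:02:11", "WS-ACCT-07", "Security", 4624, TargetUserName="jdoe", LogonType=2),
        ev("2026-05-03T22:14:05", "WS-ACCT-07", "Security", 4624, TargetUserName="svc_backup", LogonType=3),
        ev("2026-05-03T22:15:40", "WS-ACCT-07", "Security", 4698, TaskName="\\Microsoft\\Windows\\UpdateOrchestratorX"),
        ev("2026-05-03T22:16:02", "WS-ACCT-07", "Sysmon", 13,
           TargetObject="HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchosts"),
        ev("2026-05-03T22:16:30", "WS-ACCT-07", "Sysmon", 3, Image="C:\\Users\\Public\\svchosts.exe",
           DestinationIp="198.51.100.77", DestinationPort=443),
        ev("2026-05-03T22:17:00", "WS-ACCT-07", "Sysmon", 22,
           Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", QueryName="content.dropbox.com"),
        ev("2026-05-03T22:20:11", "FS-01", "Security", 4624, TargetUserName="svc_backup", LogonType=3),
        ev("2026-05-03T22:21:09", "FS-01", "System", 7045, ServiceName="WinRemoteSvc"),
        ev("2026-05-04T01:05:00", "DC-01", "Security", 4624, TargetUserName="svc_backup", LogonType=10),
        # outside the 90-day window: not reported as new persistence
        ev("2025-11-02T10:00:00", "FS-01", "System", 7045, ServiceName="LegacyAgent"),
        # type-5 service logon on the account's own server: excluded by the network/RDP rule
        ev("2026-05-04T02:00:00", "BACKUP-01", "Security", 4624, TargetUserName="svc_backup", LogonType=5),
    ]


if __name__ == "__main__":
    report = scope(sample_events(), "WS-ACCT-07", "svc_backup", parse_ts("2026-05-05T00:00:00"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Replace sample_events() with events exported from the SIEM or EDR (Sysmon event 13 for Run keys, Security 4698 for scheduled tasks, System 7045 for services, Security 4624 for logons, Sysmon 3 and 22 for connections and DNS). The rebuild list deliberately contains only hosts with confirmed persistence; every host in investigate_hosts gets the same persistence and outbound hunt before it is cleared or added to the rebuild list.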
| Sector | Specific Risk (Day 69 Context) | Priority Action |
|---|---|---|
| Government & Defense | MuddyWater pre-planted backdoors; Charming Kitten credential ops; Unit 9900 officer files published; PSK WIND air defense C2 breach claimed | Immediate backdoor hunt; force MFA everywhere; audit all privileged accounts; review any classified system access logs |
| Energy / OT / ICS | Z-Pentest silo control video; Kupferle Water HMI; CyberAv3ngers siren claim; FSociety1337 ICS claim; IRGC energy-sector APT33 probing | Verify zero public ICS exposure immediately; deploy Sigma 7.5; one-way data diodes; block all OT management ports at perimeter |
| US Tech (IRGC Designated) | Apple, Microsoft, Google, Meta, Nvidia, IBM, Intel, Oracle, Cisco, HP, Dell, Palantir, JPMorgan, Tesla, GE, Boeing, Spire Solutions, G42 formally designated | Escalate DDoS posture to maximum; review all regional infrastructure (especially Middle East); ensure cloud tenants enforce Conditional Access |
| Telecom | NoName057(16) targeting Bezeq; Keymous+ targeting Telecom Egypt; Mad Ghost 4G core claim | Enable DDoS scrubbing; monitor BGP routes; audit core network device access |
| Finance & Banking | MuddyWater pre-positioned in US bank; Israeli company INC ransomware; Bank of Jerusalem data; Discount Bank DDoS | Patch all public-facing apps; offline ransomware backup; EDR on all servers |
| Water / Critical Infra | Kupferle Water HMI (US); Z-Pentest water pump (Israel); PureWater 100 (South Korea) — all three claimed by adversaries with video proof | Remove all HMI from internet immediately; segment OT from IT; verify remote access VPN security; test incident response plan for ICS breach scenario |