Cybersecurity researchers have warned of a surge in retaliatory hacktivist activity following the U.S.-Israel coordinated military campaign against Iran, codenamed Epic Fury and Roaring Lion.
“The hacktivist threat in the Middle East is highly lopsided, with two groups, Keymous+ and DieNet, driving nearly 70% of all attack activity between February 28 and March 2,” Radware said in a Tuesday report. The first distributed denial-of-service (DDoS) attack was launched by Hider Nex (aka Tunisian Maskers Cyber Force) on February 28, 2026.
According to details shared by Orange Cyberdefense, Hider Nex is a shadowy Tunisian hacktivist group that supports pro-Palestinian causes. It leverages a hack-and-leak strategy combining DDoS attacks with data breaches to leak sensitive data and advance its geopolitical agenda. The group emerged in mid-2025.
In all, a total of 149 hacktivist DDoS claims were recorded targeting 110 distinct organizations across 16 countries. The attacks were carried out by 12 different groups, including Keymous+, DieNet, and NoName057(16), which accounted for 74.6% of all activity.
Of these attacks, the vast majority, 107, were concentrated in the Middle East, disproportionately targeting public infrastructure and state-level targets. Europe was the target of 22.8% of the total global activity during the time period. Nearly 47.8% of all targeted organizations globally belonged to the government sector, followed by the finance (11.9%) and telecommunications (6.7%) sectors.
“The digital front is expanding alongside the physical one in the region, with hacktivist groups simultaneously targeting more nations in the Middle East than ever before,” Radware said. “The distribution of attacks within the region was heavily concentrated in three specific nations: Kuwait, Israel, and Jordan, with Kuwait accounting for 28%, Israel for 27.1%, and Jordan for 21.5% of the total attack claims.”
Besides Keymous+, DieNet, and NoName057(16), some of the other groups that have engaged in disruptive operations include Nation of Saviors (NOS), the Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, the Cyber Islamic Resistance, Dark Storm Team, the FAD Team, Evil Markhors, and PalachPro, per data from Flashpoint, Palo Alto Networks Unit 42, and Radware.
The current scope of cyber attacks is listed below –
- Pro-Russian hacktivist groups like Cardinal and Russian Legion claimed to have breached Israeli military networks, including its Iron Dome missile defense system.
- An active SMS phishing campaign has been observed using a rogue replica of the Israeli Home Front Command RedAlert application to deliver mobile surveillance and data-exfiltrating malware. “By manipulating victims into sideloading this malicious APK under the guise of an urgent wartime update, the adversaries successfully deploy a fully functional alert interface that masks an invasive surveillance engine designed to prey on a hyper-vigilant population,” CloudSEK said.
- Iran's Islamic Revolutionary Guard Corps (IRGC) targeted the energy and digital infrastructure sectors in the Middle East, striking Saudi Aramco and an Amazon Web Services data center in the U.A.E. with an intent to “inflict maximum global economic pain as a counter-pressure to military losses,” Flashpoint said.
- Cotton Sandstorm (aka Haywire Kitten) revived its old cyber persona, Altoufan Team, claiming to have hacked websites in Bahrain. “This reflects the reactive nature of the actor's campaigns and a high likelihood of their further involvement in intrusions across the Middle East amid the conflict,” Check Point said.
- Data gathered by Nozomi Networks shows that the Iranian state-sponsored hacking group known as UNC1549 (aka GalaxyGato, Nimbus Manticore, or Subtle Snail) was the fourth most active actor in the second half of 2025, focusing its attacks on defense, aerospace, telecommunications, and regional government entities to advance the country's geopolitical priorities.
- Major Iranian cryptocurrency exchanges have remained operational but announced operational adjustments, either suspending or batching withdrawals, and issuing risk guidance urging users to prepare for possible connectivity disruption.
- “What we're seeing in Iran is not clear evidence of mass capital flight, but rather a market managing volatility under constrained connectivity and regulatory intervention,” said Ari Redbord, Global Head of Policy at TRM Labs. “For years, Iran has operated a shadow economy that, in part, has used crypto to evade sanctions, including through sophisticated offshore infrastructure. What we're seeing now – under the strain of war, connectivity shutdowns, and volatile markets – is a real-time stress test of that infrastructure and the regime's ability to leverage it.”
- Sophos said it “observed a surge in hacktivist activity, but not an escalation in risk,” primarily from pro-Iran personas, including the Handala Hack team and APT Iran, in the form of DDoS attacks, website defacements, and unverified claims of compromises involving Israeli infrastructure.
- The U.K. National Cyber Security Centre (NCSC) alerted organizations to a heightened risk of Iranian cyber attacks, urging them to strengthen their cybersecurity posture to better respond to DDoS attacks, phishing activity, and ICS targeting.
In a post shared on LinkedIn, Cynthia Kaiser, ransomware research center SVP at Halcyon and former Deputy Assistant Director with the Federal Bureau of Investigation's Cyber Division, said Iran has a track record of using cyber operations to retaliate against “perceived political slights,” adding that these actions have increasingly included ransomware.
“Tehran has long preferred to turn a blind, or at least indifferent, eye to private cyber operations against targets in the US, Israel, and other allied countries,” Kaiser added. “That's because having access to cyber criminals gives the government options. As Iran considers its response to US and Israeli military actions, it's likely to activate any of these cyber actors if it believes their operations can deliver a meaningful retaliatory impact.”
Cybersecurity company SentinelOne has also assessed with high confidence that organizations in Israel, the U.S., and allied nations are likely to face direct or indirect targeting, particularly within the government, critical infrastructure, defense, financial services, academic, and media sectors.
“Iranian threat actors have historically demonstrated a willingness to combine espionage, disruption, and psychological influence operations to advance strategic objectives,” Nozomi Networks said. “In periods of instability, these operations often intensify, targeting critical infrastructure, energy networks, government entities, and private industry far beyond the immediate conflict zone.”
To counter the risk posed by the kinetic conflict, organizations are advised to activate continuous monitoring to reflect escalated threat activity, update threat intelligence signatures, reduce their external attack surface, conduct comprehensive exposure reviews of connected assets, validate proper segmentation between information technology and operational technology networks, and ensure proper isolation of IoT devices.
“In past conflicts, Tehran's cyber actors have aligned their activity with broader strategic objectives that increase pressure and visibility at targets, including energy, critical infrastructure, finance, telecommunications, and healthcare,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in a statement shared with The Hacker News.
“Iranian adversaries have continued to evolve their tradecraft, expanding beyond traditional intrusions into cloud and identity-focused operations, which positions them to act rapidly across hybrid enterprise environments with increased scale and impact.”
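One concrete way to act on the IT/OT segmentation recommendation above is to audit the firewall policy for any allow rule whose source can include IT hosts and whose destination can include OT hosts, then compare each such crossing against an explicit allow-list. The script below is an added example written for this page, not code from any of the vendors quoted; the zone ranges, the allow-list, and the sample rule set are constructed assumptions, and a real audit would load them from the organization's own firewall export.

```python
"""Audit a firewall rule set for IT-to-OT crossings that are not on an
explicit allow-list. Added example for this page; the zones, allow-list
and rules below are constructed assumptions, not data from the article."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone definitions (assumption).
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("10.50.0.0/16")

# Constructed allow-list: the only IT -> OT flows that should exist,
# as (destination network, TCP port). Here a single historian host on 443.
ALLOWED_IT_TO_OT: List[Tuple[ipaddress.IPv4Network, int]] = [
    (ipaddress.ip_network("10.50.1.10/32"), 443),
]


@dataclass
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


def _net(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR string; "any" becomes the whole IPv4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def crosses_it_to_ot(rule: Rule) -> bool:
    """True when the rule's source can include IT hosts and its destination
    can include OT hosts, so over-broad 'any' rules are caught as well."""
    return _net(rule.src).overlaps(IT_ZONE) and _net(rule.dst).overlaps(OT_ZONE)


def is_allowlisted(rule: Rule) -> bool:
    """A crossing is acceptable only if its destination is no broader than
    an allow-list entry and its port is pinned to that entry's port."""
    dst = _net(rule.dst)
    return any(
        dst.subnet_of(allowed_net) and rule.dport == allowed_port
        for allowed_net, allowed_port in ALLOWED_IT_TO_OT
    )


def find_violations(rules: List[Rule]) -> List[str]:
    """Names of allow rules that let IT reach OT outside the allow-list.
    Shadowing by earlier deny rules is deliberately ignored: a segmentation
    boundary should not depend on rule ordering to hold."""
    return [
        r.name for r in rules
        if r.action == "allow" and crosses_it_to_ot(r) and not is_allowlisted(r)
    ]


# Constructed sample rule set (assumption).
SAMPLE_RULES = [
    Rule("historian-https", "10.10.0.0/16", "10.50.1.10/32", 443, "allow"),
    Rule("legacy-rdp-to-plc", "10.10.5.0/24", "10.50.0.0/16", 3389, "allow"),
    Rule("ot-to-it-deny", "10.50.0.0/16", "10.10.0.0/16", None, "deny"),
    Rule("office-to-any-https", "10.10.0.0/16", "any", 443, "allow"),
    Rule("catch-all", "any", "any", None, "allow"),
]

if __name__ == "__main__":
    for name in find_violations(SAMPLE_RULES):
        print("IT->OT crossing outside allow-list:", name)
```

The check is intentionally order-insensitive: an allow rule that would be shadowed by an earlier deny is still reported, because a boundary that only holds while the rule order stays intact is a finding in its own right. Note also that "office-to-any-https" is flagged even though it looks like an ordinary internet-egress rule, since a destination of "any" includes the OT range.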
