Cybersecurity researchers have warned of a surge in retaliatory hacktivist activity following the U.S.-Israel coordinated military campaign against Iran, codenamed Epic Fury and Roaring Lion.
“The hacktivist threat in the Middle East is highly lopsided, with two groups, Keymous+ and DieNet, driving nearly 70% of all attack activity between February 28 and March 2,” Radware said in a Tuesday report. The first distributed denial-of-service (DDoS) attack was launched by Hider Nex (aka Tunisian Maskers Cyber Force) on February 28, 2026.
According to details shared by Orange Cyberdefense, Hider Nex is a shadowy Tunisian hacktivist group that supports pro-Palestinian causes. It leverages a hack-and-leak strategy combining DDoS attacks with data breaches to leak sensitive data and advance its geopolitical agenda. The group emerged in mid-2025.
In all, a total of 149 hacktivist DDoS claims were recorded targeting 110 distinct organizations across 16 countries. The attacks were carried out by 12 different groups, including Keymous+, DieNet, and NoName057(16), which accounted for 74.6% of all activity.
Of these attacks, the vast majority, 107, were concentrated in the Middle East, disproportionately targeting public infrastructure and state-level targets. Europe was the target of 22.8% of the total global activity during the time period. Nearly 47.8% of all targeted organizations globally belonged to the government sector, followed by finance (11.9%) and telecommunications (6.7%) sectors.
“The digital front is expanding alongside the physical one in the region, with hacktivist groups simultaneously targeting more nations in the Middle East than ever before,” Radware said. “The distribution of attacks within the region was heavily concentrated in three specific nations: Kuwait, Israel, and Jordan, with Kuwait accounting for 28%, Israel for 27.1%, and Jordan for 21.5% of the total attack claims.”
Besides Keymous+, DieNet, and NoName057(16), some of the other groups that have engaged in disruptive operations include Nation of Saviors (NOS), the Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, the Cyber Islamic Resistance, Dark Storm Team, the FAD Team, Evil Markhors, and PalachPro, per data from Flashpoint, Palo Alto Networks Unit 42, and Radware.

The current scope of cyber attacks is listed below:
- Pro-Russian hacktivist groups like Cardinal and Russian Legion claimed to have breached Israeli military networks, including its Iron Dome missile defense system.
- An active SMS phishing campaign has been observed using a rogue replica of the Israeli Home Front Command RedAlert application to deliver mobile surveillance and data-exfiltrating malware. “By manipulating victims into sideloading this malicious APK under the guise of an urgent wartime update, the adversaries successfully deploy a fully functional alert interface that masks an invasive surveillance engine designed to prey on a hyper-vigilant population,” CloudSEK said.
- Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted the energy and digital infrastructure sectors in the Middle East, striking Saudi Aramco and an Amazon Web Services data center in the U.A.E. with an intent to “inflict maximum global economic pain as a counter-pressure to military losses,” Flashpoint said.
- Cotton Sandstorm (aka Haywire Kitten) revived its old cyber persona, Altoufan Team, claiming to have hacked websites in Bahrain. “This reflects the reactive nature of the actor’s campaigns and a high probability of their further involvement in intrusions across the Middle East amid the conflict,” Check Point said.
- Data gathered by Nozomi Networks reveals that the Iranian state-sponsored hacking group known as UNC1549 (aka GalaxyGato, Nimbus Manticore, or Subtle Snail) was the fourth most active actor in the second half of 2025, focusing its attacks on defense, aerospace, telecommunications, and regional government entities to advance the nation’s geopolitical priorities.
- Major Iranian cryptocurrency exchanges have remained operational but announced operational adjustments, either suspending or batching withdrawals, and issuing risk guidance urging users to prepare for possible connectivity disruption.
- “What we’re seeing in Iran is not clear evidence of mass capital flight, but rather a market managing volatility under constrained connectivity and regulatory intervention,” said Ari Redbord, Global Head of Policy at TRM Labs. “For years, Iran has operated a shadow economy that, in part, has used crypto to evade sanctions, including through sophisticated offshore infrastructure. What we’re seeing now – under the strain of war, connectivity shutdowns, and volatile markets – is a real-time stress test of that infrastructure and the regime’s ability to leverage it.”
- Sophos said it “observed a surge in hacktivist activity, but not an escalation in risk,” primarily from pro-Iran personas, including Handala Hack group and APT Iran in the form of DDoS attacks, website defacements, and unverified claims of compromises involving Israeli infrastructure.
- The U.K. National Cyber Security Centre (NCSC) alerted organizations to a heightened risk of Iranian cyber attacks, urging them to strengthen their cybersecurity posture to better respond to DDoS attacks, phishing activity, and ICS targeting.

In a post shared on LinkedIn, Cynthia Kaiser, ransomware research center SVP at Halcyon and former Deputy Assistant Director with the Federal Bureau of Investigation’s Cyber Division, said Iran has a track record of using cyber operations to retaliate against “perceived political slights,” adding these activities have increasingly included ransomware.
“Tehran has long preferred to turn a blind, or at least indifferent, eye to private cyber operations against targets in the US, Israel, and other allied countries,” Kaiser added. “That’s because having access to cyber criminals gives the government options. As Iran considers its response to US and Israeli military actions, it is likely to activate any of these cyber actors if it believes their operations can deliver a meaningful retaliatory impact.”
Cybersecurity firm SentinelOne has also assessed with high confidence that organizations in Israel, the U.S., and allied nations are likely to face direct or indirect targeting, particularly within government, critical infrastructure, defense, financial services, academic, and media sectors.
“Iranian threat actors have historically demonstrated a willingness to blend espionage, disruption, and psychological impact operations to advance strategic objectives,” Nozomi Networks said. “In periods of instability, these operations often intensify, targeting critical infrastructure, energy networks, government entities, and private industry far beyond the immediate conflict zone.”
To counter the risk posed by the kinetic conflict, organizations are advised to activate continuous monitoring to reflect escalated threat activity, update threat intelligence signatures, reduce external attack surface, conduct comprehensive exposure reviews of connected assets, validate proper segmentation between information technology and operational technology networks, and ensure proper isolation of IoT devices.
“In past conflicts, Tehran’s cyber actors have aligned their activity with broader strategic objectives that increase pressure and visibility at targets, including energy, critical infrastructure, finance, telecommunications, and healthcare,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in a statement shared with The Hacker News.
“Iranian adversaries have continued to evolve their tradecraft, expanding beyond traditional intrusions into cloud and identity-focused operations, which positions them to act rapidly across hybrid enterprise environments with increased scale and impact.”



