Cybersecurity researchers have warned of a surge in retaliatory hacktivist activity following the U.S.-Israel coordinated military campaign against Iran, codenamed Epic Fury and Roaring Lion.
“The hacktivist threat in the Middle East is highly lopsided, with two groups, Keymous+ and DieNet, driving nearly 70% of all attack activity between February 28 and March 2,” Radware said in a Tuesday report. The first distributed denial-of-service (DDoS) attack was launched by Hider Nex (aka Tunisian Maskers Cyber Force) on February 28, 2026.
According to details shared by Orange Cyberdefense, Hider Nex is a shadowy Tunisian hacktivist group that supports pro-Palestinian causes. It leverages a hack-and-leak strategy combining DDoS attacks with data breaches to leak sensitive data and advance its geopolitical agenda. The group emerged in mid-2025.
In all, a total of 149 hacktivist DDoS claims were recorded targeting 110 distinct organizations across 16 countries. The attacks were carried out by 12 different groups, including Keymous+, DieNet, and NoName057(16), which accounted for 74.6% of all activity.
Of these attacks, the vast majority, 107, were concentrated in the Middle East, disproportionately targeting public infrastructure and state-level targets. Europe was the target of 22.8% of the total global activity during the time period. Nearly 47.8% of all targeted organizations globally belonged to the government sector, followed by finance (11.9%) and telecommunications (6.7%) sectors.
“The digital front is expanding alongside the physical one in the region, with hacktivist groups simultaneously targeting more nations in the Middle East than ever before,” Radware said. “The distribution of attacks across the region was heavily concentrated in three specific nations: Kuwait, Israel, and Jordan, with Kuwait accounting for 28%, Israel for 27.1%, and Jordan for 21.5% of the total attack claims.”
Besides Keymous+, DieNet, and NoName057(16), some of the other groups that have engaged in disruptive operations include Nation of Saviors (NOS), the Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, the Cyber Islamic Resistance, Dark Storm Team, the FAD Team, Evil Markhors, and PalachPro, per data from Flashpoint, Palo Alto Networks Unit 42, and Radware.
The current scope of cyber attacks is listed below:
- Pro-Russian hacktivist groups like Cardinal and Russian Legion claimed to have breached Israeli military networks, including its Iron Dome missile defense system.
- An active SMS phishing campaign has been observed using a rogue replica of the Israeli Home Front Command RedAlert application to deliver mobile surveillance and data-exfiltrating malware. “By manipulating victims into sideloading this malicious APK under the guise of an urgent wartime update, the adversaries successfully deploy a fully functional alert interface that masks an invasive surveillance engine designed to prey on a hyper-vigilant population,” CloudSEK said.
- Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted the energy and digital infrastructure sectors in the Middle East, striking Saudi Aramco and an Amazon Web Services data center in the U.A.E. with an intent to “inflict maximum global economic pain as a counter-pressure to military losses,” Flashpoint said.
- Cotton Sandstorm (aka Haywire Kitten) revived its old cyber persona, Altoufan Team, claiming to have hacked websites in Bahrain. “This reflects the reactive nature of the actor’s campaigns and a high likelihood of their further involvement in intrusions across the Middle East amid the conflict,” Check Point said.
- Data gathered by Nozomi Networks shows that the Iranian state-sponsored hacking group known as UNC1549 (aka GalaxyGato, Nimbus Manticore, or Subtle Snail) was the fourth most active actor in the second half of 2025, focusing its attacks on defense, aerospace, telecommunications, and regional government entities to advance the nation’s geopolitical priorities.
- Major Iranian cryptocurrency exchanges have remained operational but announced operational adjustments, either suspending or batching withdrawals, and issuing risk guidance urging users to prepare for possible connectivity disruption.
- “What we’re seeing in Iran is not clear evidence of mass capital flight, but rather a market managing volatility under constrained connectivity and regulatory intervention,” said Ari Redbord, Global Head of Policy at TRM Labs. “For years, Iran has operated a shadow economy that, in part, has used crypto to evade sanctions, including through sophisticated offshore infrastructure. What we’re seeing now – under the strain of war, connectivity shutdowns, and volatile markets – is a real-time stress test of that infrastructure and the regime’s ability to leverage it.”
- Sophos said it “observed a surge in hacktivist activity, but not an escalation in risk,” primarily from pro-Iran personas, including Handala Hack team and APT Iran in the form of DDoS attacks, website defacements, and unverified claims of compromises involving Israeli infrastructure.
- The U.K. National Cyber Security Centre (NCSC) alerted organizations to a heightened risk of Iranian cyber attacks, urging them to strengthen their cybersecurity posture to better respond to DDoS attacks, phishing activity, and ICS targeting.
In a post shared on LinkedIn, Cynthia Kaiser, ransomware research center SVP at Halcyon and former Deputy Assistant Director with the Federal Bureau of Investigation’s Cyber Division, said Iran has a track record of using cyber operations to retaliate against “perceived political slights,” adding these actions have increasingly incorporated ransomware.
“Tehran has long preferred to turn a blind, or at least indifferent, eye to private cyber operations against targets in the US, Israel, and other allied countries,” Kaiser added. “That is because having access to cyber criminals gives the government options. As Iran considers its response to US and Israeli military actions, it is likely to activate any of these cyber actors if it believes their operations can deliver a meaningful retaliatory impact.”
Cybersecurity company SentinelOne has also assessed with high confidence that organizations in Israel, the U.S., and allied nations are likely to face direct or indirect targeting, particularly within government, critical infrastructure, defense, financial services, academic, and media sectors.
“Iranian threat actors have historically demonstrated a willingness to mix espionage, disruption, and psychological influence operations to advance strategic objectives,” Nozomi Networks said. “In periods of instability, these operations usually intensify, targeting critical infrastructure, energy networks, government entities, and private industry far beyond the immediate conflict zone.”
To counter the risk posed by the kinetic conflict, organizations are advised to activate continuous monitoring to reflect escalated threat activity, update threat intelligence signatures, reduce external attack surface, conduct comprehensive exposure reviews of connected assets, validate proper segmentation between information technology and operational technology networks, and ensure proper isolation of IoT devices.
“In past conflicts, Tehran’s cyber actors have aligned their activity with broader strategic objectives that increase pressure and visibility at targets, including energy, critical infrastructure, finance, telecommunications, and healthcare,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in a statement shared with The Hacker News.
“Iranian adversaries have continued to evolve their tradecraft, expanding beyond traditional intrusions into cloud and identity-focused operations, which positions them to act rapidly across hybrid enterprise environments with increased scale and impact.”


