Cybersecurity researchers have warned of an increase in hacktivist activity following the US-Israel coordinated military operation against Iran, codenamed Epic Fury and Roaring Lion.
“The hacktivist threat in the Middle East is highly lopsided, with two groups, Keymous+ and DieNet, carrying out nearly 70% of the attack activity between February 28 and March 2,” Radware said in a Tuesday report. The first distributed denial-of-service (DDoS) attack was launched by Hider Nex (aka Tunisian Maskers Cyber Force) on February 28, 2026.
According to details shared by Orange Cyberdefense, Hider Nex is a shadowy Tunisian hacktivist group that supports pro-Palestinian causes. It combines DDoS attacks with hack-and-leak operations, breaching organizations and leaking sensitive data to advance its geopolitical agenda. The group emerged in mid-2025.
Overall, a total of 149 hacktivist DDoS claims were made against 110 different organizations in 16 countries. The attacks were carried out by 12 different groups, including Keymous+, DieNet, and NoName057(16), which together accounted for 74.6% of all activity.
Of these attacks, the vast majority, 107, were concentrated in the Middle East, disproportionately targeting public infrastructure and state-level targets. Europe was the target of 22.8% of total global activity during this period. About 47.8% of all targeted organizations globally belonged to the government sector, followed by the finance (11.9%) and telecommunications (6.7%) sectors.
“The physical front as well as the digital front is expanding in the region, with hacktivist groups simultaneously targeting more countries in the Middle East than ever before,” Radware said. “The distribution of attacks within the region was heavily concentrated in three specific countries: Kuwait, Israel and Jordan, with Kuwait accounting for 28%, Israel 27.1% and Jordan accounting for 21.5% of total attack claims.”
In addition to Keymous+, DieNet, and NoName057(16), some of the other groups involved in the campaigns include Nation of Saviors (NOS), Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, Cyber Islamic Resistance, Dark Storm Team, FAD Team, Evil Markhorse, and PalachPro, according to data from Flashpoint, Palo Alto Networks Unit 42, and Radware.
The current scope of the cyber attacks is listed below:
- Pro-Russian hacktivist groups such as Cardinal and Russian Legion have claimed to have breached Israeli military networks, including the Iron Dome missile defense system.
- An active SMS phishing campaign has been observed using a rogue replica of the Israeli Home Front Command RedAlert application to distribute mobile monitoring and data-exfiltrating malware. “By manipulating victims into sideloading this malicious APK under the guise of an urgent wartime update, adversaries successfully deployed a fully functional alert interface that masks an aggressive surveillance engine designed to prey on an over-vigilant population,” CloudSEK said.
- Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted energy and digital infrastructure sectors in the Middle East, attacking Saudi Aramco and an Amazon Web Services data center in the United Arab Emirates, with the aim of “inflicting maximum global economic pain as retaliatory pressure for military losses”, Flashpoint said.
- Cotton Sandstorm (aka Haywire Kitten) revived its old cyber persona, Altoufan Team, claiming to hack websites in Bahrain. “This reflects the reactive nature of the actor’s campaigns and the high likelihood of their further involvement in infiltration into the Middle East amid the conflict,” Check Point said.
- Data collected by Nozomi Networks shows that the Iranian state-sponsored hacking group known as UNC1549 (aka GalaxyGato, Nimbus Manticore, or Subtle Snail) was the fourth most active actor in the second half of 2025, focusing its attacks on defense, aerospace, telecommunications, and regional government entities to further the country’s geopolitical priorities.
- Major Iranian cryptocurrency exchanges remain operational, but have announced operational adjustments, either suspending or batching withdrawals, and issuing risk guidance and urging users to prepare for possible connectivity disruptions.
- “What we are seeing in Iran is not clear evidence of large-scale capital flight, but rather a market that is managing volatility under restricted connectivity and regulatory interference,” said Ari Redbord, global head of policy at TRM Labs. “For years, Iran has operated a shadow economy that has, in part, used crypto to evade sanctions, including sophisticated offshore infrastructure. What we are seeing now – under the stress of war, connectivity shutdowns and volatile markets – is a real-time stress test of that infrastructure and the regime’s ability to take advantage of it.”
- Sophos said it has “seen an increase in hacktivist activity, but no increase in risk,” primarily from pro-Iran individuals, including the Handala Hack Team and APT Iran in the form of DDoS attacks, website defacement, and unverified claims of compromise involving Israeli infrastructure.
- The UK National Cyber Security Center (NCSC) alerted organizations to the increasing risk of Iranian cyber attacks, urging them to strengthen their cybersecurity posture to better respond to DDoS attacks, phishing activity and ICS targeting.
In a post shared on LinkedIn, Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon and former deputy assistant director of the Federal Bureau of Investigation’s Cyber Division, said Iran has a track record of using cyber operations to retaliate against “perceived political insignificants,” adding that these activities have increasingly involved ransomware.
“Tehran has long preferred to turn a blind eye to, or at least remain indifferent to, private cyber campaigns against targets in the US, Israel and other allies,” Kaiser said. “This is because having access to cybercriminals gives the government options. As Iran considers its response to U.S. and Israeli military actions, it can activate any of these cyber actors if it believes their operations could trigger a meaningful response.”
Cybersecurity company SentinelOne also assesses with full confidence that organizations in Israel, the US and associated countries may face direct or indirect targeting, particularly in the government, critical infrastructure, defense, financial services, academic and media sectors.
“Iranian threat actors have historically demonstrated a willingness to blend espionage, disruption, and psychological influence operations to pursue strategic objectives,” Nozomi Networks said. “In times of instability, these operations often intensify, and target critical infrastructure, energy networks, government entities, and private industry far beyond the immediate conflict zone.”
To counter the risk posed by the evolving conflict, organizations are advised to step up continuous monitoring in line with the increased threat activity, update threat intelligence signatures, reduce the external attack surface, conduct comprehensive risk reviews of connected assets, validate appropriate separation between information technology and operational technology networks, and ensure proper isolation of IoT devices.
“In past conflicts, Tehran’s cyber actors have aligned their activity with broader strategic objectives, increasing pressure and visibility on targets including energy, critical infrastructure, finance, telecommunications, and healthcare,” Adam Meyers, head of counter adversary operations at CrowdStrike, said in a statement shared with The Hacker News.
“Iranian adversaries continue to evolve their business acumen, expanding beyond traditional infiltration into cloud and identity-centric operations, enabling them to increasingly act in hybrid enterprise environments with increased scale and impact.”