Epic Fury Cyber Shock: Iran’s Internet Down, Hacktivists Hit Back

On Feb. 28, 2026, the United States and Israel launched coordinated military operations against Iran, codenamed Operation Epic Fury by the U.S. and Operation Roaring Lion by Israel, opening a new phase where cyber operations are tightly coupled with kinetic strikes.

In the hours that followed, Iran initiated a multi‑vector retaliatory campaign that quickly expanded into a trans‑regional cyber confrontation spanning the Middle East and beyond.

Beginning the morning of Feb. 28, Iran’s national internet connectivity collapsed to roughly 1–4% of normal levels, placing the country in what observers describe as a near‑total blackout.

This disruption, aligned with ongoing strikes, has severely degraded Iranian leadership communications and command‑and‑control structures, limiting the ability of state‑aligned APTs operating inside Iran to coordinate and execute complex campaigns in the near term.

Unit 42 assesses that some state cyber units are now operating in isolation, potentially deviating from historic TTPs as they lose centralized tasking and deconfliction.

Cells and proxies based outside Iran may gain tactical autonomy, but their capacity to sustain high‑end, long‑duration operations is likely reduced by these systemic disruptions.

Hacktivists Fill the Vacuum

With domestic infrastructure constrained, Iran‑aligned threat activity is increasingly driven by geographically dispersed hacktivists and cyber proxies targeting governments and organizations perceived as hostile.

Many of these campaigns focus on low‑to‑medium sophistication operations such as DDoS, website defacement, hack‑and‑leak activity and opportunistic data theft, including against countries hosting U.S. military bases and regional logistics hubs.

Unit 42 has also observed an active phishing campaign abusing a malicious replica of Israel’s Home Front Command RedAlert Android application, weaponizing a look‑alike APK to deliver mobile surveillance and data‑exfiltration malware.

This campaign underscores how rapidly threat actors are exploiting public fear and alert channels during the conflict.

An estimated 60 hacktivist groups are active as of March 2, 2026, including pro‑Iranian, pro‑Palestinian and pro‑Russian collectives.

Key Iran‑aligned personas and umbrellas include Handala Hack, APT Iran, Cyber Islamic Resistance, Dark Storm Team, FAD Team, Evil Markhors, Sylhet Gang, 313 Team and DieNet, each claiming disruptive operations across energy, finance, aviation, media and government targets in Israel and neighboring states.

Some activity has escalated beyond pure cyber disruption into direct threats against individuals, with Handala Hack reportedly issuing death threats and doxxing perceived critics of Iran, signaling a shift toward hybrid psychological and physical intimidation.

Handala Hack death threat email to U.S. and Canada influencers (Source: Unit 42).

At the same time, financially motivated actors are exploiting the chaos, including vishing scams in the UAE and ransomware‑as‑a‑service operators such as Tarnished Scorpius (INC Ransomware) listing new Israeli industrial victims on leak sites.

Nation‑State Outlook

Unit 42 tracks Iranian state‑sponsored actors collectively as Serpens and assesses they may escalate activity as connectivity stabilizes and command structures recover.

Campaigns have combined espionage, disruptive operations, AI‑assisted spear‑phishing and exploitation of known vulnerabilities, often leveraging covert infrastructure and supply‑chain pathways to reach high‑value political, defense and critical‑infrastructure targets.

Given the fluid threat landscape, organizations are advised to adopt a multi‑layered defense model, emphasizing patch hygiene, phishing resistance, DDoS preparedness, identity security and continuous monitoring across endpoint, network and cloud.

Palo Alto Networks notes that controls such as Advanced Threat Prevention, Advanced URL Filtering, Advanced DNS Security, Cortex XDR/XSIAM and engagement with Unit 42 Incident Response can help detect, prevent and investigate activity linked to this evolving conflict.


Mayura Kathir
Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.
