
Cybersecurity researchers have warned of a surge in retaliatory hacktivist activity in the wake of the joint US-Israeli military operations against Iran, codenamed Epic Fury and Roaring Lion.
“The hacktivist threat in the Middle East is highly skewed, with two groups, Keymous+ and DieNet, leading nearly 70% of all attack activity from February 28 to March 2,” Radware said in a report on Tuesday. The first distributed denial of service (DDoS) attack was launched by Hider Nex (also known as Tunisian Maskers Cyber Force) on February 28, 2026.
According to details shared by Orange Cyberdefense, Hider Nex is a shadowy Tunisian hacktivist group that supports pro-Palestinian causes. It relies on hack-and-leak tactics, combining DDoS attacks with data breaches to leak sensitive data and advance its geopolitical agenda. The group emerged in mid-2025.
In total, we recorded 149 alleged hacktivist DDoS attacks targeting 110 different organizations in 16 countries. The attacks were carried out by 12 different groups, with Keymous+, DieNet, and NoName057(16) alone accounting for 74.6% of all activity.
The majority of these attacks, 107, were concentrated in the Middle East and disproportionately targeted public infrastructure and nation-state targets. Europe accounted for 22.8% of global activity during this period. Roughly 47.8% of all targeted organizations worldwide were in the government sector, followed by finance (11.9%) and telecommunications (6.7%).
“The digital front is expanding in parallel with the physical front in the region, with hacktivist groups targeting more countries in the Middle East simultaneously than ever before,” Radware said. “The distribution of attacks in the region is concentrated in three specific countries: Kuwait, Israel, and Jordan, with Kuwait accounting for 28% of all attack claims, Israel accounting for 27.1%, and Jordan accounting for 21.5%.”
In addition to Keymous+, DieNet, and NoName057(16), other groups that engaged in subversive operations include the Nation of Saviors (NOS), Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, Cyber Islamic Resistance, Dark Storm Team, FAD Team, Evil Markhors, and PalachPro, according to data from Flashpoint, Palo Alto Networks Unit 42, and Radware.

The scope of current cyber attacks is as follows:
- Pro-Russian hacktivist groups such as Cardinal and Russian Legion claimed to have compromised Israeli military networks, including the Iron Dome missile defense system.
- An active SMS phishing campaign has been observed using malicious replicas of the Israeli Home Front Command RedAlert application to deliver mobile surveillance and data-exfiltration malware. “By manipulating victims into sideloading this malicious APK under the guise of an emergency wartime update, the adversary was able to deploy a fully functional alert interface, masking an intrusive monitoring engine designed to prey on hyper-vigilant populations,” CloudSEK said.
- Iran’s Islamic Revolutionary Guards Corps (IRGC) targeted the energy and digital infrastructure sectors in the Middle East, attacking data centers of Saudi Aramco and Amazon Web Services in the UAE, with the aim of “inflicting maximum pain on the global economy as a response to military losses,” Flashpoint said.
- Cotton Sandstorm (aka Haywire Kitten) claimed to have hacked a Bahraini website and resurrected its old cyber persona, Altoufan Team. “This reflects the reactive nature of this actor’s activities and their likely further involvement in incursions throughout the Middle East during times of conflict,” Check Point said.
- Data collected by Nozomi Networks shows that the Iranian state-sponsored hacker group known as UNC1549 (also known as GalaxyGato, Nimbus Manticore, or Subtle Snail) was the fourth most active actor in the second half of 2025, focusing on attacks on defense, aerospace, telecommunications, and local government to advance the country’s geopolitical priorities.
- Iran’s main cryptocurrency exchanges remain open but have announced operational adjustments, including suspending withdrawals or processing them in batches, and have issued risk guidance urging users to prepare for possible connectivity disruptions.
“What we are seeing in Iran is not clear evidence of mass capital flight, but rather markets managing volatility under constrained connectivity and regulatory intervention,” said Ari Redbord, global policy director at the TRM Institute. “Iran has been running a shadow economy for years, using cryptocurrencies in part to evade sanctions through sophisticated offshore infrastructure. Under the strain of war, communications blackouts, and volatile markets, what we are now witnessing is a real-time stress test of that infrastructure and the regime’s ability to leverage it.” “We have observed an uptick in hacktivist activity, including DDoS attacks from Iran and other pro-Iranian actors, website defacements, and unconfirmed claims of compromise involving Israeli infrastructure, but we have not observed an increase in risk,” he said. The UK’s National Cyber Security Centre (NCSC) has warned organizations of the increased risk of Iranian cyber-attacks and urged them to strengthen their cybersecurity posture to better withstand DDoS attacks, phishing operations, and the targeting of industrial control systems (ICS).
Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center and former assistant director of the Federal Bureau of Investigation’s cyber division, said in a post shared on LinkedIn that Iran has a history of using cyber operations to retaliate against “perceived political slights,” adding that these operations are increasingly incorporating ransomware.
“The Iranian government has long preferred to turn a blind eye, or at least turn a blind eye, to civilian cyber operations against targets of the United States, Israel, and other allies,” Kaiser added. “That’s because having access to cybercriminals gives governments options. As Iran considers its response to U.S. and Israeli military action, it is likely to activate one of these cyberattackers if it believes their operations could have a meaningful retaliatory effect.”
Cybersecurity firm SentinelOne also assesses with high confidence that organizations in Israel, the United States, and allied countries are likely to face direct or indirect targeting, particularly in the government, critical infrastructure, defense, financial services, academic, and media sectors.
“Iranian threat actors have historically demonstrated a willingness to blend espionage, disruption, and psychological influence operations to advance strategic objectives,” Nozomi Networks said. “In times of instability, these operations often intensify, targeting critical infrastructure, energy networks, government institutions, and private industry far beyond the immediate conflict area.”
To combat the risks posed by dynamic conflicts, organizations are encouraged to activate continuous monitoring to reflect escalating threat activity, update threat intelligence signatures, reduce external attack surfaces, conduct comprehensive exposure reviews of connected assets, verify proper segmentation between information technology and operational technology networks, and ensure proper isolation of IoT devices.
“In past conflicts, Tehran’s cyber adversaries have operated in alignment with broader strategic objectives that increased pressure and visibility on targets in energy, critical infrastructure, finance, telecommunications, healthcare, and more,” Adam Meyers, head of counter adversary operations at CrowdStrike, said in a statement shared with Hacker News.
“Iran’s adversaries continue to evolve their methods, expanding beyond traditional intrusions to cloud and identity-focused operations, and are positioned to increase scale and impact and move quickly across hybrid enterprise environments.”
