Executive Summary
On Feb. 28, 2026, the United States and Israel launched a significant joint offensive code named Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel). In the hours following the initial strikes, Iran began a multi-vector retaliatory campaign, which has evolved into a significant trans-regional conflict. Unit 42 has observed an escalation in cyberattacks from activists outside the country. However, we believe threat activity from nation-state groups based within the country is mitigated in the near term because of the limited internet connectivity in Iran.
Beginning the morning of Feb. 28, 2026, Iran’s available internet connectivity dropped to between 1% and 4%. We assess that the loss of connectivity and the significant degradation of Iranian leadership and command structures will likely hinder the ability of state-aligned threat actors to coordinate and execute sophisticated cyberattacks in the near term.
State-aligned cyber units may be acting in operational isolation, which could result in deviations from previously established patterns. Degradation of Iranian command and control may also lead to tactical autonomy for cells outside of Iran. However, the capacity to sustain sophisticated cyber operations is likely reduced by these operational disruptions.
For Iran-aligned threat actors based outside of the region, we assess that hacktivist groups will target organizations perceived as adversaries, but their impact is likely to be of low to medium significance. Other nation-state-aligned threat actors may attempt to exploit the situation by launching cyberattacks that further their own interests.
Geographically dispersed operators and affiliated cyber proxies may also target governments in regions hosting U.S. military bases to disrupt logistics. In the near term, these activities are expected to consist of low-to-medium sophistication disruptions (for example, distributed denial-of-service and hack-and-leak campaigns).
For details on Unit 42’s previous observations of cyber activity linked to Iran-backed groups and hacktivists, see the Threat Brief: Escalation of Cyber Risk Related to Iran (Updated June 30). That report details Iran-backed groups and hacktivists expanding their global cyber operations using website defacement, distributed denial-of-service (DDoS) attacks, data exfiltration and wiper attacks. The primary objectives of Iran-aligned nation-state actors frequently include espionage and disruption. Techniques include AI-enhanced targeted spear-phishing campaigns, the exploitation of known vulnerabilities, and the use of covert infrastructure for espionage.
Palo Alto Networks customers can receive protections from and mitigations for relevant threat actor activity through the following products and services:
- Next-Generation Firewalls with Advanced Threat Prevention
- Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious
- Cortex XDR, XSIAM and Cortex Cloud
The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
| Related Unit 42 Topics | Iran, Hacktivism, DDoS Attacks, Tarnished Scorpius |
Current Scope of Cyberattacks
Threat Activity
Unit 42 has identified an active phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert application. This campaign weaponizes a legitimate-looking Android package (APK) to deliver mobile surveillance and data-exfiltrating malware.

We have also observed a surge in hacktivist activity; as of March 2, 2026, some estimates put the number of active groups at 60, including pro-Russian groups. Multiple Iranian state-aligned personas and collectives have claimed responsibility for a range of disruptive operations, several of which are associated with the recently established “Electronic Operations Room” formed on Feb. 28, 2026. Key observed entities include:
- Handala Hack, a hacktivist persona linked to Iran's Ministry of Intelligence and Security (MOIS), is the most prominent Iranian persona. The persona blends data exfiltration with cyber operations against the Israeli political and defense establishment.
- APT Iran is a pro-Iranian hacktivist collective that has gained notoriety for its hack-and-leak operations.
- The Cyber Islamic Resistance is a pro-Iranian umbrella collective that coordinates multiple hacktivist teams (including groups such as RipperSec and Cyb3rDrag0nzz) to launch synchronized DDoS attacks, data-wiping operations and website defacements against Israeli and Western infrastructure.
- Dark Storm Team (also known as DarkStorm or MRHELL112) is a pro-Palestinian and pro-Iranian collective that specializes in large-scale DDoS and ransomware attacks.
  - Claimed to have targeted several Israeli websites, including an Israeli bank, in DDoS attacks
- The FAD Team (often referred to in reports as the Fatimiyoun Cyber Team or Fatimion) is composed of pro-regime actors who focus on wiper malware and permanent data destruction.
  - Claimed responsibility via their public Telegram board for gaining unauthorized access to multiple SCADA/PLC systems in Israel and other countries
  - Claimed responsibility via their public Telegram board for gaining unauthorized access to control systems associated with more than 24 private devices belonging to an Israeli security services company
  - Conducted an attack against a Turkish media outlet
- Evil Markhors is a pro-Iranian group typically specializing in credential harvesting and identifying unpatched critical systems.
  - Claimed responsibility via their public Telegram board for targeting an Israeli bank website
- Sylhet Gang (often cited as Sylhet Gang-SG) acts as a message amplifier and recruitment engine for the pro-Iranian hacktivist front and participates in DDoS attacks.
  - Claimed responsibility via their public Telegram board for targeting the Saudi Ministry of Home Affairs' HCM and Internal Management Systems
- 313 Team (Islamic Cyber Resistance in Iraq) is an active pro-Iranian hacktivist cell.
- DieNet is a pro-Iran hacktivist group conducting DDoS attacks on various organizations across the Middle East.
  - Claimed responsibility for attacking an airport in Bahrain
  - Claimed responsibility for attacking Sharjah Airport in Saudi Arabia
  - Claimed responsibility for targeting the Riyadh Bank website
  - Claimed responsibility via their public Telegram board for targeting the Bank of Jordan
  - Claimed responsibility via their public Telegram board for targeting an airport in the United Arab Emirates
The group Handala Hack also reportedly targeted an Iranian-American and Iranian-Canadian influencer with direct death threats via email, claiming to have leaked their home addresses to physical operatives in their respective home locations.
This type of action represents an escalation of threatening cyber activity directed toward perceived critics of Iran.

Other Threat Group Activity
Cybercriminals are reportedly capitalizing on the conflict with a social engineering vishing scam in the United Arab Emirates to steal credentials. The threat actors call potential victims while impersonating the Ministry of Interior, claiming to be confirming receipt of a national alert and prompting the victim for their Emirates Identification Number (EID) for verification.
The ransomware-as-a-service (RaaS) group Tarnished Scorpius (aka INC Ransomware) has listed on its leak site an Israeli industrial machinery company, and replaced the company logo with a swastika.
Pro-Russian Hacktivist Activity
Cardinal, a pro-Russian hacktivist group, claimed via its public Telegram board to have targeted Israel Defense Forces (IDF) systems. The group is assessed to be state-aligned but likely operates independently of direct state funding. The group claims to have infiltrated IDF networks, referencing a purportedly confidential document related to “Magen Tsafoni” (Northern Shield). The posted document includes operational movement details, command approvals and contact information.
The pro-Russian hacktivist group NoName057(16) has claimed multiple Israeli targets including disruptive operations against a range of Israeli municipal, political, telecom and defense-related entities.
The pro-Russian hacktivist collective “Russian Legion” claimed to have access to Israel’s Iron Dome missile defense system. In their post, they claimed to be controlling radars, intercepting targets and monitoring in real time, with reported system paralysis and loss of interception control. The group also claimed a new cyber operation it says compromised closed IDF servers.
State-Sponsored Attacks
Unit 42 tracks various Iranian state-sponsored actors under the constellation name Serpens. These groups could increase or escalate activity in the coming weeks.
State-sponsored Iranian cyber capabilities are often used to project and amplify political messaging (often using destructive and psychological tactics). These efforts are likely to focus on regional targets (e.g., Israel) as well as what they deem high-value targets (e.g., politicians, key decision-makers and other directly involved entities).
State-sponsored campaigns might target their victims’ supply chains, critical infrastructure, vendors or providers.
Conclusion
Given the rapidly changing nature of this situation, a multi-layered defense is most effective as no single tool can provide complete protection. We recommend focusing on foundational security hygiene, a proven approach that provides resilient protection against a wide range of tactics.
We recommend taking the following precautions to help mitigate the impact from possible attacks. These recommendations are consistent with previous guidance provided.
Tactical recommendations
- Ensure at least one copy of critical data is stored offline (air-gapped) to mitigate the risk of backups stored on the network being encrypted or deleted
- Implement strict “out-of-band” verification for incoming requests received via media, verifying them through a separate trusted corporate channel
- Increase responsiveness to any threat signals where possible, especially those associated with internet-facing assets such as websites, virtual private network (VPN) gateways and cloud assets
- Ensure internet-facing infrastructure is up to date with security patches and other hardening best practices
- Train employees on phishing and social engineering tactics and continuously monitor for suspicious activity
- Consider implementing geographic IP address blocking from specific high-risk regions where legitimate business is not conducted
- Have a robust communications plan ready to address unauthorized access versus system compromise, as hacktivist groups often exaggerate their reach. Scoping and quickly verifying the potential compromise can prevent public panic.
- Continue to check for updates from trusted cyber agencies such as the UK National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Iran Threat Overview and Advisories page
Strategic recommendations
- Begin or update business continuity plans for any staff or assets that digital or physical attacks could disrupt
- Prepare to validate and respond to claims of breaches or data leaks
  - Threat actors might use claims (even if they’re untrue) to embarrass or harass victims, or to disseminate political narratives
As activity is likely to continue to intensify throughout the duration of these events, it’s important to remain vigilant to potential attacks. Hacktivists and state-supported threat actors have been opportunistic, leading to potentially unexpected sources being targeted.
We will update this threat brief as more relevant information becomes available.
How Palo Alto Networks and Unit 42 Can Help
Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against threats related to aspects of these events.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
- UK: +44.20.3743.3660
- Europe and Middle East: +31.20.299.3130
- Asia: +65.6983.8730
- Japan: +81.50.1790.0200
- Australia: +61.2.4062.7950
- India: 00080005045107
- South Korea: +82.080.467.8774
Next-Generation Firewalls and Prisma Access With Advanced Threat Prevention
Advanced Threat Prevention includes built-in machine learning-based detection that can identify exploits in real time.
Cloud-Delivered Security Services for the Next-Generation Firewall
Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious.
Cortex
Cortex XDR, XSIAM and Cortex Cloud are designed to prevent the execution of known malware. They are also designed to prevent the execution of unknown malware and other malicious activity using Behavioral Threat Protection and machine learning in the Local Analysis module.
Indicators of Compromise
- hxxps[:]//www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk
- hxxps[:]//api[.]ra-backup[.]com/analytics/submit.php
- hxxps[:]//bit[.]ly/4tWJhQh
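As an added example (not part of the Unit 42 brief), the following Python snippet refangs the indicators listed above and checks constructed web proxy log lines against them; treating bit.ly as a URL-only match (so that unrelated shortened links are not flagged) is an assumption of this example, not guidance from the brief.

```python
import re
from urllib.parse import urlparse

# Indicators as listed in this brief, in the defanged form the page uses.
DEFANGED_IOCS = [
    "hxxps[:]//www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk",
    "hxxps[:]//api[.]ra-backup[.]com/analytics/submit.php",
    "hxxps[:]//bit[.]ly/4tWJhQh",
]
# Assumed: shortener hosts match only on the exact URL (host-level bit.ly matching would flag every shortened link).
URL_ONLY_HOSTS = {"bit.ly"}

def refang(ioc: str) -> str:
    """Convert a defanged indicator back to a real URL: hxxp -> http, [.] -> ., [:] -> :."""
    url = ioc.replace("[.]", ".").replace("[:]", ":")
    # Accept "hxxps://", "hxxps:/" and "hxxps:" (a dropped "//" is a common defanging slip).
    return re.sub(r"^hxxp(s?):/{0,2}", r"http\1://", url)

def build_matchers(defanged=DEFANGED_IOCS):
    """Return (exact URLs, hosts) to match; shortener hosts are excluded from host matching."""
    urls = {refang(i) for i in defanged}
    hosts = {urlparse(u).hostname.lower() for u in urls} - URL_ONLY_HOSTS
    return urls, hosts

def scan_proxy_log(lines, defanged=DEFANGED_IOCS):
    """Return (line_no, indicator) for each log line whose URL or host hits an IoC."""
    urls, hosts = build_matchers(defanged)
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"https?://\S+", line)
        if not m:
            continue
        seen = m.group(0).rstrip('",')
        host = (urlparse(seen).hostname or "").lower()
        if seen in urls:            # exact URL hit (covers the shortener link)
            hits.append((n, seen))
        elif host in hosts:         # any other path on an indicator host
            hits.append((n, host))
    return hits

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2026-03-01T08:12:03Z 10.0.0.5 GET https://www.example.com/ 200",
    "2026-03-01T08:12:09Z 10.0.0.7 GET https://www.shirideitch.com/wp-content/uploads/2022/06/RedAlert.apk 200",
    "2026-03-01T08:13:41Z 10.0.0.7 POST https://api.ra-backup.com/analytics/submit.php 200",
    "2026-03-01T08:14:02Z 10.0.0.9 GET https://bit.ly/someOtherLink 302",
    "2026-03-01T08:14:30Z 10.0.0.9 GET https://bit.ly/4tWJhQh 302",
]
HITS = scan_proxy_log(SAMPLE_LOG)  # -> hits on lines 2, 3 and 5 only
```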