Security News

Cybersecurity news aggregator

HIGH Attacks Unit 42

Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17)

This threat brief details renewed Iranian threat actor activity, specifically cluster CL-STA-1128 (Cyber Av3ngers), which has shifted focus to target Rockwell Automation and Allen-Bradley OT/ICS equipment by exploiting internet-connected SCADA devices and PLCs. The attackers have been observed installing Rockwell's FactoryTalk software on VPS infrastructure to enable their exploitation efforts. Organizations should prioritize securing exposed industrial control systems, referencing the CISA advisory, as no specific software vulnerability or patch is detailed in the provided text.

By: Unit 42
Published: April 17, 2026
Categories: Hacktivism, High Profile Threats, Malware, Ransomware
Tags: APK, DDoS attacks, GenAI, Hacktivism, Iran, Phishing, Tarnished Scorpius, Wiper

Updates

Update April 17, 2026

As of April 17, 2026, Iran has begun restoring limited access to the internet after disconnecting from it for the past 47 days. Iran is limiting domestic access to only websites and applications mirrored on its National Information Network.

Iranian Threat Groups Renew Interest in Critical Infrastructure

In late March 2026, Unit 42 discovered a new cluster of threat activity we are tracking as CL-STA-1128 (aka Cyber Av3ngers, Storm-0784). The attacker behind this activity targeted operational technology and industrial control systems (OT/ICS) equipment manufactured by Rockwell Automation. This activity represents a shift from the cluster's historic focus on internet-connected Unitronics programmable logic controllers (PLCs).

Unit 42 assesses with moderate confidence that the attacker behind the CL-STA-1128 activity installed Rockwell Automation's FactoryTalk software on virtual private server (VPS) infrastructure to enable their exploitation efforts. FactoryTalk is a suite of industrial automation tools and manufacturing operations management software. Our assessment is based on a review of the unique port combinations observed across all of the hosts and their correlation to known static mappings for the FactoryTalk software.

Since April 1, Cortex Xpanse scanning has observed Rockwell Automation or Allen-Bradley SCADA devices, including FactoryTalk services and various PLCs, on 5,600 IP addresses globally. On April 7, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released an advisory mirroring our findings. In particular, CISA noted that Cyber Av3ngers was also exploiting PLCs manufactured by Allen-Bradley.

Since April 8, Xpanse has observed approximately 300,000 services daily in Iranian IP space, up from approximately 20,000 since February 25. Though still an order of magnitude less than the peak activity observed in early and mid-February, the increased activity is consistent with reports of limited restored access in the country.

Timing of Destructive Attacks

We have added more information about the timing of destructive attacks conducted by Iranian threat actors to the Appendix.

Update March 26, 2026

Unit 42 conducted an in-depth investigation into conflict-themed phishing lures, identifying 7,381 related phishing URLs spanning 1,881 unique hostnames. Recent threat activity demonstrates a widespread wave of financial fraud, credential harvesting and illicit content distribution targeting both enterprise and consumer sectors. Threat actors are heavily relying on the impersonation of highly trusted entities, including major telecommunications providers, national airlines, law enforcement and critical energy corporations, to deceive victims. The operations leverage agile evasion tactics, including top-level domain rotation, subdomain chaining and purpose-built infrastructure designed to mimic official corporate portals and government payment workflows. Furthermore, attackers are opportunistically exploiting current geopolitical events with conflict-themed lures to facilitate widespread donation and cryptocurrency scams.

Ultimately, this activity highlights a sophisticated, multi-pronged approach to exploiting regional brand trust for financial and data theft. We discuss this further in the section Current Scope of the Attacks – March 2026.

Executive Summary

On Feb. 28, 2026, the United States and Israel launched a significant joint offensive code named Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel). In the hours following the initial strikes, Iran began a multi-vector retaliatory campaign, which has evolved into a significant transregional conflict. Unit 42 has observed an escalation in cyberattacks from activists outside the country. While threat activity from nation-state groups based within the country was likely stalled for hours to days, we assess with high confidence that these groups likely shifted to using very-small-aperture terminal (VSAT) services through Starlink and possibly other providers to resume their operational tempo. As of April 17, 2026, Iran began restoring access to the internet to limited segments of its population, ending a 47-day near-complete internet outage.

For Iran-aligned threat actors based outside of the region, we continue to assess that hacktivist groups will target organizations perceived as adversaries, but their impact is likely to be of low to medium significance. Other nation-state-aligned threat actors may attempt to exploit the situation to activate cyberattacks to further their own interests. Geographically dispersed operators and affiliated cyber proxies may also target governments in regions hosting U.S. military bases to disrupt logistics. In the near term, these activities are expected to consist of low-to-medium sophistication disruptions (for example, distributed denial of service and hack-and-leak campaigns).

For details on Unit 42's previous observations of cyber activity linked to Iran-backed groups and hacktivists, see the Threat Brief: Escalation of Cyber Risk Related to Iran (Updated June 30). That report details Iran-backed groups and hacktivists expanding their global cyber operations using website defacement, distributed denial-of-service (DDoS) attacks, data exfiltration and wiper attacks. The primary objectives of Iran-aligned nation-state actors frequently include espionage and disruption. Techniques include AI-enhanced targeted spear-phishing campaigns, the exploitation of known vulnerabilities, and the use of covert infrastructure for espionage.

Palo Alto Networks customers can receive protections from and mitigations for relevant threat actor activity through the following products and services:
Next-Generation Firewalls with Advanced Threat Prevention
Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious
Cortex XDR, XSIAM and Cortex Cloud
Cortex Xpanse
Device Security

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Related Unit 42 Topics: Hacktivism, DDoS Attacks, Wipers, Phishing

Scope of Cyberattacks in March 2026

Conflict-Themed Domains

Attackers have registered new conflict-themed domains, numbering in the thousands. They are being used for malicious purposes, including creating fake storefronts, running donation scams and hosting phishing portals. Screenshots of these domains are shown in Figures 1 and 2.

Figure 1. Scam website iranforward[.]org asking for humanitarian aid in the form of cryptocurrency donations.

Figure 2. Scam domain trumpvsirancoin[.]xyz requesting humanitarian aid for Iranian families affected by the war.

Emirates-Focused Crypto and Financial Fraud

Palo Alto Networks has identified two separate malicious campaigns targeting people in the United Arab Emirates (UAE). One campaign involves financial fraud exploiting brands with "Emirates" in the name. The second consists of crypto and investment scams using domains branded with the word "Dubai," which leverage lures related to high-value real estate and luxury lifestyles. Figures 3 and 4 below show examples of scam domains for asset management and banking.

Figure 3. Scam domain emiratescryptobank[.]com.

Figure 4. Scam domain emiratesinvestunion[.]com.

Targeted Regional Enterprise Impersonation

We've observed two campaigns impersonating a regional telecommunication brand's corporate portal, using a fake dialing-code prefix to replicate the company's enterprise portal. We also identified a billing fraud campaign masquerading as the same company. These attackers registered the same domain concept across multiple top-level domains, rotating as each is blocked.

We are tracking a wave of targeted attacks against leading organizations in Saudi Arabia. The attackers are deploying a dual-pronged strategy:
Highly tailored enterprise credential phishing that mimics major enterprise resource planning (ERP) brands to trick employees
Widespread financial fraud

These broader schemes are designed to trap both employees and consumers using the following:
Malicious utility billing portals
Corporate-branded investment scams
Misspelled banking sites leveraging Outlook subdomain chaining to deceive victims (Figure 5 shows an example of this type of scheme)

Figure 5. Fraudulent investment portal.

Opportunistic Criminal Credit Card Theft

Attackers are luring users to fraudulent payment pages that mimic legitimate package delivery services to steal credit card credentials. These malicious sites are characterized by newly registered domains and generic hosting domains, frequently incorporating Emirates Post within the subdomain. A key technical detail is the attackers' use of the cdn-cgi/phish-bypass path on certain domains, such as traz[.]top. This path indicates a specific tactic designed to exploit and circumvent security challenges. Figure 6 below shows an example.

Figure 6. Scam domain emirates-post[.]racunari-bl[.]com urging the victim to provide sensitive information.

Impersonation of Dubai Government Authorities

In another financially motivated campaign, attackers impersonated legitimate government entities for credit card theft. Specifically, we discovered the path payment-system/card-proc
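The fraud campaigns above share three observable traits a defender can check for in web proxy or DNS logs: the cdn-cgi/phish-bypass path, a trusted brand name (Emirates Post) placed in the subdomain of an unrelated hosting domain, and the same second-level label registered across several top-level domains. The script below is an added triage example written for this brief; it is not Unit 42 code. The log lines are constructed, the log format (timestamp, client IP, URL) is an assumption, the "known scam domain" list is simply the defanged domains named in the text, and the registrable-domain logic is a naive last-two-labels split rather than a public suffix list lookup.

```python
"""Triage proxy-log URLs against the lure patterns described in the brief."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines: "<timestamp> <client> <url>". Not real traffic.
SAMPLE_LOG = """\
2026-03-20T10:01:02Z 10.0.0.5 https://www.example.com/index.html
2026-03-20T10:02:11Z 10.0.0.7 https://traz.top/cdn-cgi/phish-bypass?u=login
2026-03-20T10:03:40Z 10.0.0.9 https://emirates-post.racunari-bl.com/track/pay
2026-03-20T10:04:05Z 10.0.0.9 https://emiratescryptobank.com/invest
2026-03-20T10:05:00Z 10.0.0.5 https://portal-brand.com/login
2026-03-20T10:05:30Z 10.0.0.6 https://portal-brand.net/login
2026-03-20T10:06:00Z 10.0.0.6 https://portal-brand.xyz/login
"""

# Domains named in the brief, with the defanging brackets removed.
KNOWN_SCAM_DOMAINS = {
    "iranforward.org", "trumpvsirancoin.xyz", "emiratescryptobank.com",
    "emiratesinvestunion.com", "traz.top", "emirates-post.racunari-bl.com",
}
# Brand tokens the brief says appear inside subdomains of generic hosting domains.
BRAND_TOKENS = ("emirates-post", "emiratespost")
SUSPICIOUS_PATH = "cdn-cgi/phish-bypass"
# Assumption: one label seen under this many TLDs counts as TLD rotation.
ROTATION_THRESHOLD = 2


def registrable_domain(host):
    """Naive registrable domain: last two labels (no public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Return the list of reasons a single URL is suspicious (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if SUSPICIOUS_PATH in parts.path:
        reasons.append("phish_bypass_path")
    if host in KNOWN_SCAM_DOMAINS or registrable_domain(host) in KNOWN_SCAM_DOMAINS:
        reasons.append("known_scam_domain")
    # Brand token in the subdomain but not in the registrable domain itself.
    subdomain = ".".join(host.split(".")[:-2])
    reg = registrable_domain(host)
    if any(t in subdomain for t in BRAND_TOKENS) and not any(t in reg for t in BRAND_TOKENS):
        reasons.append("brand_in_subdomain")
    return reasons


def parse_log(log_text):
    """Split constructed log lines into (timestamp, client, url) tuples."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            ts, client, url = line.split(maxsplit=2)
            records.append((ts, client, url))
    return records


def triage(log_text):
    """Map each flagged URL to its reasons, adding cross-URL TLD-rotation hits."""
    records = parse_log(log_text)
    findings = {url: classify_url(url) for _, _, url in records}
    # Group the TLDs seen for each second-level label across the whole log.
    tlds_by_label = defaultdict(set)
    for url in findings:
        labels = (urlsplit(url).hostname or "").lower().split(".")
        if len(labels) >= 2:
            tlds_by_label[labels[-2]].add(labels[-1])
    for url, reasons in findings.items():
        labels = (urlsplit(url).hostname or "").lower().split(".")
        if len(labels) >= 2 and len(tlds_by_label[labels[-2]]) >= ROTATION_THRESHOLD:
            reasons.append("tld_rotation")
    return {url: r for url, r in findings.items() if r}


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_LOG).items():
        print(url, "->", ", ".join(reasons))
```

The TLD-rotation check only works over a window of log lines, since it compares hosts against each other; the other two checks are per-URL and can run inline on a proxy or DNS feed. A production version should replace registrable_domain with a public suffix list lookup so that hosts under multi-label suffixes are grouped correctly.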
