HIGH Attacks Unit 42

Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran

Following a military escalation, Iran-aligned threat actors are expected to increase low-to-medium sophistication cyberattacks, including DDoS, phishing, and hack-and-leak campaigns, primarily targeting organizations perceived as adversaries. While Iran's internal internet disruption likely hinders sophisticated nation-state attacks, geographically dispersed hacktivist groups and proxies may act with increased autonomy. Organizations should prepare for heightened hacktivist activity and opportunistic attacks from other nation-states exploiting the situation.

By: Unit 42
Published: March 2, 2026
Categories: Hacktivism, High Profile Threats, Malware, Ransomware
Tags: APK, DDoS attacks, GenAI, Hacktivism, Iran, Phishing, Tarnished Scorpius

Executive Summary

On Feb. 28, 2026, the United States and Israel launched a significant joint offensive, code named Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel). In the hours following the initial strikes, Iran began a multi-vector retaliatory campaign, which has evolved into a significant trans-regional conflict.

Unit 42 has observed an escalation in cyberattacks from activists outside the country. However, we believe threat activity from nation-state groups based within the country is mitigated in the near term because of the limited internet connectivity in Iran. Beginning the morning of Feb. 28, 2026, Iran's available internet connectivity dropped to between 1% and 4%. We assess that the loss of connectivity and significant degradation of Iranian leadership and command structures will likely hinder the ability of state-aligned threat actors to coordinate and execute sophisticated cyberattacks in the near term.

State-aligned cyber units may be acting in operational isolation, which could result in deviations from previously established patterns. Additionally, the degradation of Iranian command and control may lead to tactical autonomy for cells outside of Iran. However, the capacity to sustain sophisticated cyber operations is likely reduced due to the operational disruptions.

For Iran-aligned threat actors based outside of the region, we assess that hacktivist groups will target organizations perceived as adversaries, but their impact is likely to be of low to medium significance. Other nation-state-aligned threat actors may attempt to exploit the situation to launch cyberattacks that further their own interests. Geographically dispersed operators and affiliated cyber proxies may also target governments in regions hosting U.S. military bases to disrupt logistics. In the near term, these activities are expected to consist of low-to-medium sophistication disruptions (for example, distributed denial of service and hack-and-leak campaigns).

For details on Unit 42's previous observations of cyber activity linked to Iran-backed groups and hacktivists, see the Threat Brief: Escalation of Cyber Risk Related to Iran (Updated June 30). That report details Iran-backed groups and hacktivists expanding their global cyber operations using website defacement, distributed denial-of-service (DDoS) attacks, data exfiltration and wiper attacks.

The primary objectives of Iran-aligned nation-state actors frequently include espionage and disruption. Techniques include AI-enhanced targeted spear-phishing campaigns, the exploitation of known vulnerabilities, and the use of covert infrastructure for espionage.

Palo Alto Networks customers can receive protections from and mitigations for relevant threat actor activity through the following products and services:

- Next-Generation Firewalls with Advanced Threat Prevention
- Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious
- Cortex XDR, XSIAM and Cortex Cloud

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Related Unit 42 Topics: Iran, Hacktivism, DDoS Attacks, Tarnished Scorpius

Current Scope of Cyberattacks

Threat Activity

Unit 42 has identified an active phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert application. This campaign weaponizes a legitimate-looking Android package (APK) to deliver mobile surveillance and data-exfiltrating malware.

Figure 1. SMS phishing message to download malicious RedAlert application.

We have also observed a surge in hacktivist activity, with some estimates of 60 individual groups active, including pro-Russian groups, as of March 2, 2026. Multiple Iranian state-aligned personas and collectives have claimed responsibility for a range of disruptive operations, several of which are associated with the recently established "Electronic Operations Room" formed on Feb. 28, 2026. Key observed entities include:

- Handala Hack, a hacktivist persona linked to Iran's Ministry of Intelligence and Security (MOIS), is the most prominent Iranian persona. The persona blends data exfiltration with cyber operations against the Israeli political and defense establishment.
  - Claimed responsibility for compromising an Israeli energy exploration company
  - Claimed responsibility for compromising Jordan's fuel systems
  - Claimed to target Israeli civilian healthcare to create domestic pressure just days before the kinetic war broke out
- APT Iran, a pro-Iranian hacktivist collective that has gained notoriety for its hack-and-leak operations
  - Claimed responsibility for sabotage of Jordan's critical infrastructure
- The Cyber Islamic Resistance, a pro-Iranian umbrella collective that coordinates multiple hacktivist teams (including groups like RipperSec and Cyb3rDrag0nzz) to launch synchronized DDoS attacks, data-wiping operations and website defacements against Israeli and Western infrastructure
  - Claimed responsibility for compromising a drone defense and detection system
  - Claimed responsibility for compromising Israeli payment infrastructure
- Dark Storm Team (also known as DarkStorm or MRHELL112) is a pro-Palestinian and pro-Iranian collective that specializes in large-scale DDoS and ransomware
  - Claimed to have targeted several Israeli websites, including an Israeli bank, in DDoS attacks
- The FAD Team (often referred to in reports as the Fatimiyoun Cyber Team or Fatimion) is composed of pro-regime actors who focus on wiper malware and permanent data destruction
  - Claimed responsibility via their public Telegram board for gaining unauthorized access to multiple SCADA/PLC systems in Israel and other countries
  - Claimed responsibility via their public Telegram board for gaining unauthorized access to control systems associated with more than 24 private devices belonging to an Israeli security services company
  - Conducted an attack against a Turkish media outlet
- Evil Markhors is a pro-Iranian group typically specializing in credential harvesting and identifying unpatched critical systems
  - Claimed responsibility via their public Telegram board for targeting an Israeli bank website
- Sylhet Gang (often cited as Sylhet Gang-SG) acts as a message amplifier and recruitment engine for the pro-Iranian hacktivist front and participates in DDoS attacks
  - Claimed responsibility via their public Telegram board for targeting the Saudi Ministry of Home Affairs' HCM and Internal Management Systems
- 313 Team (Islamic Cyber Resistance in Iraq) is an active pro-Iranian hacktivist cell
  - Claimed responsibility for targeting the Kuwait Armed Forces website
  - Claimed responsibility for targeting the Kuwait Ministry of Defense website
  - Claimed responsibility for targeting the Kuwait Government website
- DieNet is a pro-Iran hacktivist group conducting DDoS attacks on various organizations across the Middle East
  - Claimed responsibility for attacking an airport in Bahrain
  - Claimed responsibility for attacking Sharjeh Airport in Saudi Arabia
  - Claimed responsibility for targeting the Riyadh Bank website
  - Claimed responsibility via their public Telegram board for targeting the Bank of Jordan
  - Claimed responsibility via their public Telegram board for targeting an airport in the United Arab Emirates

The group Handala Hack also reportedly targeted an Iranian-American and an Iranian-Canadian influencer with direct death threats via email, claiming to have leaked their home addresses to physical operatives in their respective home locations. This type of action represents an escalation of threatening cyber activity directed toward perceived critics of Iran.

Figure 2. Handala Hack death threat email to U.S. and Canada influencers.

Other Threat Group Activity

Cybercriminals are reportedly capitalizing on the conflict in the United Arab Emirates in a social engineering vishing scam to steal credentials. The threat actors call potential victims impersonating the Ministry of Interior, claiming to be confirming receipt of a national alert and prompting for the victim's Emirates Identification Number (EID) for verification.

The ransomware-as-a-service (RaaS) group Tarnished Scorpius (aka INC Ransomware) has listed an Israeli industrial machinery company on its leak site and replaced the company logo with a swastika.

Pro-Russian Hacktivist Activity

Cardinal, a pro-Russian hacktivist group, claimed to target Israel Defense Forces (IDF) systems via their public Telegram board. The group is assessed to be state-aligned but likely operates independently of direct state funding. The group claims to have infiltrated IDF networks, referencing a purportedly confidential document related to "Magen Tsafoni" (Northern Shield). The posted document includes operational movement details, command approvals and contact information.

The pro-Russian hacktivist group NoName057(16) has claimed multiple Israeli targets, including disruptive operations against a range of Israeli municipal, political, telecom and defense-related entities.

The pro-Russian hacktivist collective "Russian Legion" claimed to have access to Israel's Iron Dome missile defense system. In their post, they claimed to be controlling radars, intercepting targets and monitoring in real time, with reported system paralysis and loss of interception control. The group also claimed a new cyber operation it says compromised closed IDF servers.

State-Sponsored Attacks

Unit 42 tracks various Iranian state-spo
