A coordinated cyber offensive launched by the United States and Israel on February 28, 2026, code-named Operation Epic Fury and Operation Roaring Lion respectively, has ignited a volatile cyber conflict. Iran went offline in the opening hours, prompting a swift and formidable retaliatory campaign from hacktivist groups and state-aligned actors. The initial hours of the offensive resulted in a near-total internet blackout within Iran, with connectivity plummeting to between 1% and 4%.
This widespread internet disruption severely hampered Iran’s ability to coordinate sophisticated cyberattacks by cutting off state-aligned units from their command and control networks. In response, Iranian cyber cells have reportedly shifted into operational isolation, potentially leading to unpredictable deviations from established attack patterns. Simultaneously, hacktivist activity outside Iran surged, signaling a rapid escalation of the cyber war beyond a simple state-versus-state dynamic.
Following the initial strikes, Palo Alto Networks’ Unit 42 analysts identified a significant phishing campaign. Attackers distributed a malicious replica of the Israeli Home Front Command’s RedAlert emergency alert application as an Android Package Kit (APK) via SMS phishing. This deceptive tactic exploits public fear during the ongoing conflict, tricking users into downloading malware designed for mobile surveillance and data exfiltration under the guise of a trusted safety tool.
Despite the internal infrastructure challenges faced by Iran, hacktivist operations surged externally. As of March 2, 2026, approximately 60 groups, including pro-Russian collectives, were actively engaged in operations targeting Israeli, Western, and regional assets. Many of these groups are coordinated under the newly established “Electronic Operations Room,” which launched on February 28, 2026. These entities have claimed responsibility for a range of attacks, from distributed denial-of-service (DDoS) assaults on financial and government websites to full infrastructure compromises affecting energy, payment, and defense systems.
The impact of this cyber conflict has extended internationally. Cybercriminals in the UAE have been observed conducting vishing scams, impersonating the Ministry of Interior to steal national identification numbers. Furthermore, the ransomware-as-a-service group Tarnished Scorpius, also known as INC Ransomware, listed an Israeli industrial machinery company on its leak site, a move accompanied by the symbolic replacement of the company’s logo with a swastika. The speed and breadth of these attacks highlight the evolution of the conflict into a multi-actor cyber war.
Inside the Hacktivist Threat Ecosystem
The “Electronic Operations Room” has emerged as the central coordination hub for Iran-aligned hacktivist operations since the commencement of the conflict. A prominent actor within this ecosystem is Handala Hack, a persona linked to Iran’s Ministry of Intelligence and Security (MOIS). This group has claimed responsibility for significant breaches, including of an Israeli energy exploration company and of Jordan’s fuel systems, and has issued death threats to Iranian-American and Iranian-Canadian influencers, even sharing their home addresses with alleged physical operatives. This shift from digital disruption to direct physical intimidation represents a dangerous escalation in hacktivist tactics.
Other notable groups operating under the “Electronic Operations Room” include the Cyber Islamic Resistance, an umbrella collective that coordinates entities such as RipperSec and Cyb3rDrag0nzz. This collective has claimed to have compromised a drone defense system and Israeli payment infrastructure. The FAD Team has reported unauthorized access to multiple SCADA and PLC systems within Israel, while DieNet has targeted airports and banks across Bahrain, Saudi Arabia, Jordan, and the UAE. Pro-Russian groups, including NoName057(16) and the “Russian Legion,” have also joined the cyber offensive, with the latter alleging access to Israel’s Iron Dome radar system, although these claims remain unverified by independent sources.
In light of the escalating cyber threats, organizations are advised to implement robust defensive measures. It is crucial to maintain at least one offline copy of critical data to safeguard against ransomware and wiper attacks. All internet-facing assets should be rigorously patched and hardened against intrusion. Comprehensive employee training on phishing and social engineering tactics is essential. Additionally, organizations should consider implementing geographic IP blocking for high-risk regions and ensure business continuity plans are up-to-date. Monitoring ongoing guidance from cybersecurity agencies like CISA and the UK National Cyber Security Centre is also recommended.
Indicators of Compromise (IoCs)
The following IoCs have been identified in relation to the ongoing cyber conflict:
| Type | Indicator | Context |
|---|---|---|
| URL | hxxps[:]www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk | Malicious RedAlert APK delivery URL |
| URL | hxxps[:]//api[.]ra-backup[.]com/analytics/submit.php | C2 data exfiltration endpoint |
| URL | hxxps[:]//bit[.]ly/4tWJhQh | Shortened URL used in SMS phishing campaign |
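To turn the table above into something a log review can use, the following Python (added here; not part of the original report) refangs the three indicators, tolerates the missing `//` in the first entry, and scans constructed proxy log lines for exact URL hits and weaker host-only hits. The log line format, the `SHORTENERS` exclusion for host-only matching, and the sample lines are assumptions.

```python
"""Refang the defanged IoCs from the table above and match them against log lines."""
import re
from urllib.parse import urlparse

# Indicators copied from the table above, still in their defanged form.
DEFANGED_IOCS = {
    "hxxps[:]www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk":
        "Malicious RedAlert APK delivery URL",
    "hxxps[:]//api[.]ra-backup[.]com/analytics/submit.php": "C2 data exfiltration endpoint",
    "hxxps[:]//bit[.]ly/4tWJhQh": "Shortened URL used in SMS phishing campaign",
}
# Assumption: shared shorteners are too noisy for host-only matching, so only
# the full short link counts as a hit for these hosts.
SHORTENERS = {"bit.ly"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def refang(indicator: str) -> str:
    """Reverse the hxxp / [.] / [:] defanging; insert '//' if the entry omitted it."""
    url = indicator.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^(https?):(?!//)", r"\1://", url)

def build_watchlist(defanged: dict) -> dict:
    """Map (lower-cased host, path) to the context string from the table."""
    watch = {}
    for ioc, context in defanged.items():
        parsed = urlparse(refang(ioc))
        watch[(parsed.netloc.lower(), parsed.path)] = context
    return watch

def scan_lines(lines, watch: dict) -> list:
    """Return (line_no, url, verdict) for each URL that touches the watchlist."""
    hosts = {host for host, _ in watch}
    hits = []
    for n, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            parsed = urlparse(url)
            key = (parsed.netloc.lower(), parsed.path)
            if key in watch:
                hits.append((n, url, "exact: " + watch[key]))
            elif key[0] in hosts and key[0] not in SHORTENERS:
                hits.append((n, url, "host-only: " + key[0]))
    return hits

# Constructed proxy log lines for demonstration; not real traffic.
LOG_LINES = [
    "2026-03-01T10:02:11Z proxy user=alice GET https://www.shirideitch.com/wp-content/uploads/2022/06/RedAlert.apk 200",
    "2026-03-01T10:05:43Z proxy user=alice POST https://api.ra-backup.com/analytics/submit.php 200",
    "2026-03-01T10:07:00Z proxy user=bob GET https://bit.ly/4tWJhQh 301",
    "2026-03-01T10:08:12Z proxy user=carol GET https://example.com/index.html 200",
    "2026-03-01T10:09:30Z proxy user=dave GET https://api.ra-backup.com/health 200",
]

def demo() -> list:
    """Run the constructed lines through the watchlist built from the table."""
    return scan_lines(LOG_LINES, build_watchlist(DEFANGED_IOCS))
```

A host-only hit such as the last line is worth triage even though the path differs, since the host is already known as a C2 endpoint.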
The cyber conflict shows no immediate signs of de-escalation, with both state-sponsored actors and hacktivist groups continuing to probe for vulnerabilities. Future developments will likely involve further retaliatory attacks and attempts to exploit the instability caused by the ongoing cyber war.