Resource Hub
Updated: April 16, 2026
Executive Summary
Since the launch of Operation Epic Fury in late February 2026, the cyber dimension of the Middle East conflict has evolved from highly visible disruption into a more complex and sustained threat landscape. Early activity was characterized by DDoS attacks, defacements, and public breach claims. Over time, reporting shows a clear shift toward more targeted and persistent operations, including reconnaissance, credential compromise, exploitation of exposed services, and attempts to establish longer-term access within organizations.
Across the reporting cycle, cyber activity has increasingly blended disruption, espionage, influence operations, and opportunistic intrusion. While high-volume attacks continue to generate visibility, the more significant risk may lie in quieter, ongoing efforts to gain footholds in enterprise environments and critical systems. This progression suggests a move beyond short-term impact toward sustained pressure, intelligence gathering, and the potential for more coordinated or disruptive activity as the conflict continues to unfold.
Due to the ongoing conflict in the region, CyberProof Threat Research Teams continue to monitor the situation, and we'll continue to update this Resource Hub as new developments emerge. If you are a current CyberProof customer, please reach out to your Account Manager for more detailed cyber threat intelligence regarding threat actors & campaigns, as well as recommended actions.
Publicly Available Resources
- Iranian APT Seedworm Targets Global Organizations via Microsoft Teams
- Operation Epic Fury CTI Update 6: March 18, 2026
- Operation Epic Fury CTI Update 5: March 13, 2026
- Operation Epic Fury CTI Update 4: March 11, 2026
- Operation Epic Fury CTI Update 3: March 6, 2025
- Operation Epic Fury CTI Update 2: March 5, 2026
- Operation Epic Fury CTI Report Summary: March 3, 2026
- CyberProof 2026 GLOBAL THREAT INTELLIGENCE REPORT
Key Methods Observed
- DDoS attacks and defacements targeting public-facing infrastructure
- Spear-phishing and credential theft as primary intrusion vectors
- Account compromise and influence operations via messaging and social platforms
- Persistence and low-visibility command-and-control to maintain long-term access
- Exposure to shared cloud and regional infrastructure dependencies
Notable Threat Actors
The current threat landscape includes a mix of state-linked operators, affiliated proxy groups, and opportunistic actors, each contributing differently to the evolving cyber risk environment.
| Threat Actor / Group | Alignment | Primary Activity | Typical Tactics | Why It Matters |
| --- | --- | --- | --- | --- |
| APT42 (APT35 / Charming Kitten) | IRGC-linked | Espionage, credential harvesting, social engineering | Phishing, fileless malware, identity compromise | High-risk actor focused on durable access to high-value individuals and enterprise environments. |
| MuddyWater (Seedworm) | MOIS-linked | Persistent intrusion, espionage, foothold establishment | Spear-phishing, vulnerability exploitation, backdoors, web-based C2 | Associated with long-term access and ongoing intelligence collection. |
| Pioneer Kitten | Iranian APT | Edge-device and VPN exploitation, post-compromise expansion | Exploitation of Fortinet SSL VPN, Pulse Secure, Citrix ADC; credential dumping; AD reconnaissance; data exfiltration | Reflects the shift toward edge-infrastructure compromise and structured post-exploitation activity. |
| Dust Specter | Iran-aligned proxy | Reconnaissance and intrusion attempts | Targeted scanning, exploitation attempts | Shows the broader ecosystem of aligned actors contributing to access-oriented activity. |
| Cyber Toufan | Iran-aligned proxy | Vulnerability exploitation | Exploitation activity against exposed services | Supporting broader disruption and exploitation activity. |
| Handala / Handala Hack Team | Pro-Iranian / broader Iranian cyber ecosystem | Hack-and-leak, influence operations, doxing, destructive activity claims | Data leaks, intimidation messaging, wiper-style activity, public exposure of victims | A hybrid actor blending intrusion, public pressure, and psychological impact. Also linked in the reporting to incidents involving Stryker and Verifone. |
| DieNet | Pro-Iranian / pro-Palestinian hacktivist | DDoS disruption campaigns | High-volume DDoS, public claims via messaging platforms | Part of the expanded hacktivist layer driving visible disruption and noise. |
| Keymous+ | Hacktivist collective | High-volume DDoS operations | Volunteer-based botnets, compromised infrastructure, public claims | Responsible for a significant share of disruption activity during the escalation. |
| NoName057(16) | Pro-Russian hacktivist | DDoS and influence operations | Coordinated DDoS, propaganda, public verification links | Expands the threat environment beyond strictly Iran-based actors and shows cross-ecosystem alignment. |
| 313 Team | Iraq-aligned hacktivist | DDoS campaigns against government and cloud-linked services | Disruption of public-sector and enterprise platforms | Significant because it broadens the campaign into Gulf and enterprise-platform targeting, including Microsoft-linked claims. |
| Anti-Zionist Cyber Group | Hacktivist / anti-Israel aligned | Coordinated cloud-service disruption claims | DDoS against Microsoft-facing services and platforms | Escalation into high-visibility cloud and productivity platforms. |
| Sylhet Gang | Hacktivist | Disruption campaigns | DDoS and aligned disruption activity | Involvement in earlier phases of the conflict-related activity. |
| FSociety | Hacktivist collective | Threat messaging, intimidation, disruption support | Propaganda, mobilization messaging | Psychological amplification and mobilization rather than deep technical tradecraft. |
| TA402 / TA473 / TA453 | Iranian-associated threat cluster | Phishing and influence support activity | Credential harvesting, phishing, messaging / influence operations | Part of the broader Iranian-associated ecosystem supporting the conflict-related cyber environment. |
| Camaro Dragon | Chinese-nexus threat actor | Parallel intelligence collection activity | PlugX malware deployment attempts | The conflict has attracted additional nation-state activity into the same environment. |
Industry Specific Trends
These cyber incidents have renewed attention on the risks posed by Iran-aligned cyber groups, particularly to sectors that manage sensitive data or support critical services.
- Healthcare: Healthcare organizations are of particular concern due to their reliance on interconnected digital systems, the criticality of uninterrupted patient care, and the high value of protected health information (PHI). Historically, Iran-linked threat actors have demonstrated capabilities ranging from disruptive attacks and data destruction to espionage-driven intrusions and data theft, often targeting organizations perceived as strategically or symbolically important.
  For healthcare environments, the most significant risks include ransomware or wiper-style attacks that disrupt clinical operations, exploitation of internet-facing systems such as VPNs, remote access gateways, or medical device management platforms, and credential-based intrusions that enable lateral movement across hospital networks. Even when attacks are not intended to cause direct harm, secondary impacts, such as downtime of electronic health records (EHRs), diagnostic systems, or scheduling platforms, can have serious operational and patient safety consequences. Additionally, healthcare data remains a high-value target for theft or extortion, making hospitals and health systems vulnerable to campaigns focused on data exfiltration rather than immediate disruption.
- Critical Infrastructure: Iran-aligned cyber activity has also historically targeted broader critical infrastructure sectors, including energy, manufacturing, transportation, and public services. These campaigns often emphasize reconnaissance, long-term access, and the ability to pivot during periods of heightened tension. As a result, healthcare organizations are advised to treat these threats not as isolated events but as part of a wider risk environment affecting sensitive personal information and essential services. Proactive measures, such as tightening access controls, monitoring for credential abuse, hardening externally exposed systems, and validating incident response readiness, remain critical to reducing both the likelihood and impact of such activity.
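The recommendation above to monitor for credential abuse is the one that is easiest to turn into something concrete, since credential theft and account compromise are listed as primary intrusion vectors throughout this page. The following is an added example written for this page; it is not CyberProof tooling and not code from any of the actors or reports referenced here. It runs two simple detections over constructed authentication log lines: a password-spray check (one source address failing against many distinct accounts inside a short window) and a success-after-failures check (an account that logs in successfully right after repeated failures from the same source). The key=value log format, the window sizes and the thresholds are all assumptions chosen for the example; adapt the regex and numbers to your own VPN, gateway or identity-provider logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real telemetry). The key=value
# syslog-style format is an assumption for this example; adjust LINE_RE to match
# the fields your VPN / identity provider actually emits.
SAMPLE_LOG = """\
2026-03-10T08:00:01Z src=203.0.113.10 user=alice result=FAIL
2026-03-10T08:00:03Z src=203.0.113.10 user=bob result=FAIL
2026-03-10T08:00:05Z src=203.0.113.10 user=carol result=FAIL
2026-03-10T08:00:07Z src=203.0.113.10 user=dave result=FAIL
2026-03-10T08:00:09Z src=203.0.113.10 user=erin result=FAIL
2026-03-10T08:00:11Z src=203.0.113.10 user=frank result=FAIL
2026-03-10T08:01:00Z src=198.51.100.7 user=alice result=FAIL
2026-03-10T08:01:10Z src=198.51.100.7 user=alice result=FAIL
2026-03-10T08:01:20Z src=198.51.100.7 user=alice result=FAIL
2026-03-10T08:01:30Z src=198.51.100.7 user=alice result=FAIL
2026-03-10T08:01:40Z src=198.51.100.7 user=alice result=SUCCESS
2026-03-10T09:30:00Z src=192.0.2.5 user=grace result=FAIL
2026-03-10T09:30:30Z src=192.0.2.5 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_events(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never let one odd line crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "src": m["src"], "user": m["user"],
                       "ok": m["result"] == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """One source failing against at least min_accounts distinct users within window."""
    findings = []
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    for src, fails in fails_by_src.items():
        start = 0  # sliding window over this source's failures (already time-sorted)
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_accounts:
                findings.append({"type": "password_spray", "src": src,
                                 "accounts": sorted(users)})
                break  # one finding per source is enough for triage
    return findings


def detect_success_after_failures(events, window=timedelta(minutes=10), min_failures=3):
    """A successful login preceded by min_failures failures for the same (src, user)."""
    findings = []
    recent_fails = defaultdict(list)  # (src, user) -> timestamps of failures
    for e in events:
        key = (e["src"], e["user"])
        if e["ok"]:
            fails = [t for t in recent_fails[key] if e["ts"] - t <= window]
            if len(fails) >= min_failures:
                findings.append({"type": "success_after_failures", "src": e["src"],
                                 "user": e["user"], "failures": len(fails)})
            recent_fails[key] = []  # a success resets the counter for this pair
        else:
            recent_fails[key].append(e["ts"])
    return findings


def run_detections(text):
    """Run both detections over raw log text and return the combined findings."""
    events = parse_events(text)
    return detect_password_spray(events) + detect_success_after_failures(events)


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this flags 203.0.113.10 as a spray source (six accounts failed in ten seconds) and the alice login from 198.51.100.7 as a success following four failures, while grace's single mistyped password produces nothing. The thresholds deliberately err toward low noise; in a real deployment the spray check should also be keyed by ASN or subnet, since the actors described above rotate source addresses, and the success-after-failures check is most useful when paired with a "new source for this user" comparison against a baseline of known-good logins.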