Operation Epic Fury CTI Update 6: March 18, 2026

Executive Summary

Since the launch of Operation Epic Fury in late February 2026, the cyber dimension of the Middle East conflict has evolved from highly visible disruption into a more complex and sustained threat landscape. Early activity was characterized by DDoS attacks, defacements, and public breach claims. Over time, reporting shows a clear shift toward more targeted and persistent operations, including reconnaissance, credential compromise, exploitation of exposed services, and attempts to establish longer-term access within organizations. 

Across the reporting cycle, cyber activity has increasingly blended disruption, espionage, influence operations, and opportunistic intrusion. While high-volume attacks continue to generate visibility, the more significant risk may lie in quieter, ongoing efforts to gain footholds in enterprise environments and critical systems. This progression suggests a move beyond short-term impact toward sustained pressure, intelligence gathering, and the potential for more coordinated or disruptive activity as the conflict continues to unfold. 

Due to the ongoing conflict in the region, CyberProof Threat Research Teams continue to monitor the situation. 

CTI Update 6: March 18, 2026 

Activity shows a shift toward more resilient and harder-to-detect operations, with increased reliance on botnet-backed infrastructure and decentralized command-and-control techniques. Actors are leveraging scalable, distributed botnets to deliver attacks that are more resilient and harder to attribute, alongside approaches such as blockchain-based command delivery (e.g., EtherHiding, where command logic is embedded within blockchain-based services to evade traditional network detection) and open directory hosting to stage payloads and rotate infrastructure rapidly. Together, these techniques reduce the observability of operations while maintaining persistence, marking a move away from centralized attack infrastructure that is easily disrupted.

Activity also reflects a growing focus on indirect and high-impact targeting, including the compromise of upstream providers such as Stryker, which introduced downstream disruption across dependent healthcare environments. Actors continue to exploit internet-facing edge infrastructure (including VPN appliances and enterprise service platforms) to gain initial access, followed by credential harvesting, lateral movement, and data access. Alongside this, the expansion of hack-and-leak activity and targeting of major cloud and enterprise platforms signals a more coordinated and mature approach, where persistence, supply chain leverage, and selective disruption are combined to create broader operational and reputational impact. 

Visit the Cyber Threat Intelligence on Middle East Escalations Resource Hub for new developments.