On February 28, 2026, the US and Israel launched a kinetic military operation (designated Operation Epic Fury and Operation Roaring Lion) targeting Iranian government and military installations, which resulted in the deaths of Supreme Leader Ayatollah Ali Khamenei and several government officials. Following this action, security researchers and federal agencies have observed a sharp increase in retaliatory cyber operations. Groups affiliated with the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), alongside geographically dispersed politically motivated groups, are directing disruptive campaigns at critical infrastructure, telecommunications, and financial networks across the US and allied nations.
Palo Alto Networks' Unit 42 reports that internal internet connectivity in Iran dropped to between 1% and 4% shortly after the military actions. This infrastructure degradation may limit the coordination of state-aligned threat actors within the country, potentially leading to increased tactical autonomy for cells operating outside the region. The Cybersecurity and Infrastructure Security Agency (CISA), the NSA, the FBI, and the DoD Cyber Crime Center (DC3) warn that organizations should anticipate significant Distributed Denial of Service (DDoS) campaigns, data-wiping operations, and potential ransomware activity as these groups attempt to impose economic and operational costs.
Security evaluations from Flashpoint, Check Point Research, and Cisco Talos outline several active campaigns. The IRGC has directed operations at the energy sector, including Saudi Arabia's Aramco facility at Ras Tanura and an Amazon Web Services (AWS) data center in the United Arab Emirates. Another IRGC-affiliated actor, Cotton Sandstorm (also known as Emennet Pasargad), recently revived its "Altoufan Team" persona to target organizations in Bahrain. Meanwhile, the FAD Team initiated a global SQL injection campaign, exposing personally identifiable information from educational institutions in France, India, and Vietnam, alongside a US Air Force group. The FAD Team also claims to have gained unauthorized access to firewall monitoring dashboards in Saudi Arabia and disrupted the Bahrain News Agency, Gasco, and Qatar Radio.
A persona linked to Iran's MOIS, known as Handala Hack, has combined data exfiltration with disruptive operations against Israeli defense and political entities, claiming unauthorized access to an energy exploration company and Jordan's fuel systems. An umbrella collective known as the Cyber Islamic Resistance—coordinating groups like RipperSec and Cyb3rDrag0nzz—has claimed responsibility for DDoS campaigns and data-wiping operations against Israeli payment infrastructure and drone defense systems. Externally, the pro-Palestinian Dark Storm Team and pro-Russian groups like Cardinal and NoName057(16) are supporting these efforts, claiming unauthorized access to Israel Defense Forces (IDF) networks and partnering on DDoS campaigns against municipal governments and defense contractors.
As threat actors scale their operations, researchers at Darktrace identified a new, dedicated DDoS botnet named ShadowV2. This botnet targets misconfigured, internet-exposed Docker daemons on AWS EC2 instances, specifically scanning port 2375. Rather than uploading a pre-built image, the operators deploy a generic setup container to install Go-based malware directly on the host. The ShadowV2 platform leverages cloud-native architecture to launch HTTP/2 rapid reset floods and bypass Cloudflare's Under Attack Mode (UAM), polling its command-and-control server every five seconds for new targeting instructions.
To protect critical infrastructure and ensure business continuity, security teams should implement heightened security protocols immediately. Cisco Talos researchers advise prioritizing the security of third-party partners and suppliers in the Middle East, as these regional network links present elevated risk to wider enterprise environments. Organizations should verify that multi-factor authentication (MFA) is active and enforced across all external-facing services. For containerized environments, teams must enforce least-privilege access, disable externally exposed Docker APIs, and apply continuous monitoring to identify anomalous API usage or unauthorized container orchestration patterns. Reviewing incident response plans and hardening cyber defenses now will help organizations maintain resilience during this period of heightened threat activity.
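One way to put the "disable externally exposed Docker APIs" and "monitor for anomalous API usage" advice into practice is to sweep network telemetry for accepted connections to the plaintext Docker API port 2375 named above. The following is an added illustration, not code from the article or from any of the vendors it cites; it assumes AWS VPC Flow Logs in the default v2 field order, and the log records, account ID, interface ID and addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

# Plaintext Docker remote API port scanned by ShadowV2, as named in the article.
DOCKER_API_PORTS = {2375}
TCP = 6

# Address space treated as "inside the VPC / on-prem" (assumption: adjust to your own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Constructed VPC Flow Log v2 records (not real traffic):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.45 10.0.1.20 51234 2375 6 12 3400 1709164800 1709164860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.1.20 44210 2375 6 8 1200 1709164800 1709164860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40001 443 6 20 9000 1709164800 1709164860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.99 10.0.1.20 50000 2375 6 1 60 1709164800 1709164860 REJECT OK
"""


@dataclass
class Finding:
    src: str
    dst: str
    dst_port: int
    external: bool  # True when the client address is outside INTERNAL_NETS


def find_docker_api_exposure(flow_log_text: str) -> list[Finding]:
    """Return accepted TCP flows to the Docker API port; external sources are the urgent ones."""
    findings = []
    for line in flow_log_text.splitlines():
        fields = line.split()
        if len(fields) < 14 or fields[0] != "2":
            continue  # not a default-format v2 record
        src, dst = fields[3], fields[4]
        dst_port, proto, action = int(fields[6]), int(fields[7]), fields[12]
        if proto != TCP or dst_port not in DOCKER_API_PORTS or action != "ACCEPT":
            continue  # rejected flows were already blocked by a security group / NACL
        src_ip = ipaddress.ip_address(src)
        external = not any(src_ip in net for net in INTERNAL_NETS)
        findings.append(Finding(src, dst, dst_port, external))
    return findings


if __name__ == "__main__":
    for f in find_docker_api_exposure(SAMPLE_FLOW_LOGS):
        severity = "HIGH" if f.external else "REVIEW"
        print(f"[{severity}] {f.src} -> {f.dst}:{f.dst_port} accepted on plaintext Docker API port")
```

An accepted flow from a public address to port 2375 means the daemon socket is reachable from the Internet and should be closed off regardless of whether the host has been compromised yet; internal hits still merit review against the list of systems that legitimately orchestrate containers.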