Conflict-Driven Cyber Activity Escalates Following Operations Epic Fury and Roaring Lion
March 6th, 2026
High

Our Cyber Threat Intelligence Unit is monitoring increased cyber activity linked to the ongoing conflict between the United States, Israel, and Iran, following the launch of Operation Epic Fury (United States) and Operation Roaring Lion (Israel) on February 28, 2026. Since these operations began, cyber threats have expanded, involving hacktivist collectives, Iran-aligned actors, and opportunistic cybercriminals. Reported incidents include distributed denial-of-service (DDoS) attacks, phishing campaigns delivering malicious Android applications, website defacements, ransomware, and hack-and-leak operations targeting government, financial, and regional organizations. Several hacktivist groups have reportedly coordinated through online coalition channels such as the “Electronic Operations Room” to organize attacks against Israeli, Western, and regional targets. Although cyber activity has risen sharply, security researchers note that many hacktivist claims remain unverified or exaggerated, highlighting the information-warfare dimension commonly associated with geopolitical conflicts. Organizations should expect continued cyber threats, especially disruption-focused operations, phishing campaigns exploiting crisis themes, and opportunistic attacks on exposed digital infrastructure.
Technical Details
Severity: High
Threat Type: Geopolitically motivated cyber activity / hacktivist operations
Conflict Operations: Operation Epic Fury / Operation Roaring Lion
Threat Actors Observed:
Iran-aligned, state-linked groups reported as active in parallel with the hacktivist activity, or assessed as likely to escalate:
MuddyWater (Seedworm / Static Kitten)
APT34 (OilRig)
APT35 (Charming Kitten)
APT39
APT42
Handala Hack Team and affiliated hacktivist collectives
Sicarii ransomware operators
Various hacktivist groups participating in the Electronic Operations Room coalition.
Some personas participating in the coalition have been linked by security researchers to Iranian state entities.
Attribution for many hacktivist groups remains uncertain or based on self-claims.
Attack Patterns and Tactics:
Distributed Denial-of-Service (DDoS) attacks targeting government and financial sector infrastructure
Phishing campaigns distributing malicious Android APK files:
Reporting observed trojanized versions of the Israeli RedAlert emergency alert application
Website defacements and hack-and-leak operations conducted by hacktivist groups
Ransomware or destructive malware narratives used to create disruption and psychological impact
Voice phishing (vishing) campaigns impersonating government agencies to obtain identity information.
Reporting noted a vishing scam in the UAE impersonating the Ministry of Interior to solicit identity information.
Affected Components:
Government websites and public digital services
Financial institutions and banking platforms
Telecommunications providers
Energy and industrial infrastructure
Regional businesses and organizations across the Middle East.
Government institutions appear to represent the most frequently targeted sector, consistent with hacktivist campaigns aimed at generating political messaging and disruption during geopolitical crises.
Exploitation Activity:
Cyber activity increased sharply following the February 28 military strikes, with numerous hacktivist groups claiming attacks against Israeli, Western, and regional targets within days of the conflict escalation.
At the same time, analysts reported significant internet disruptions within Iran, with connectivity dropping to as low as 1–4% of normal traffic levels during certain periods.
These disruptions may have temporarily limited the ability of state-aligned cyber units to coordinate large-scale operations during the early stages of the conflict.

Impact
Cyber activity linked to the conflict presents several potential operational and security impacts:
Increased DDoS activity targeting government institutions and financial services
Website defacements and data-leak claims aimed at public messaging and disruption
Malware distribution campaigns targeting mobile device users
Increased phishing and vishing activity exploiting public fear and crisis messaging
Elevated risk of destructive cyber operations targeting critical infrastructure if the conflict escalates.
The convergence of hacktivist groups, state-aligned actors, and cybercriminal organizations creates a multi-actor threat environment, increasing the likelihood of opportunistic attacks and spillover cyber activity affecting regional and international organizations.
Detection Method
Organizations should implement monitoring strategies designed to detect disruption-oriented cyber activity and phishing campaigns associated with geopolitical conflicts:
Monitor for volumetric DDoS traffic spikes affecting internet-facing infrastructure
Identify unusual outbound network connections or potential botnet communications
Use EDR/XDR telemetry to detect suspicious mobile application installations from untrusted sources
Monitor web server logs for unauthorized file uploads or website defacement activity
Review authentication logs for phishing-driven credential compromise attempts
Correlate threat telemetry with geopolitical event timelines to identify conflict-related cyber campaigns.
Indicators of Compromise
Type | Indicator | Associated Actor / Campaign | Notes |
Malicious APK URL | www.shirideitch[.]com/wp-content/uploads/2022/06/RedAlert.apk | RedAlert Phishing Campaign | SMS phishing lure distributing trojanized Android application |
C2 / Data Exfiltration Endpoint | api.ra-backup[.]com/analytics/submit.php | RedAlert Campaign | Used by malicious Android application for telemetry submission |
Malicious Shortened URL | bit[.]ly/4tWJhQh | RedAlert Campaign | Redirect used in phishing SMS messages |
C2 Domain | codefusiontech[.]org | MuddyWater – Operation Olalampo | Command-and-control infrastructure |
Phishing Domain | whatsapp-meeting.duckdns[.]org | RedKitten Campaign | Social engineering / credential phishing infrastructure |
C2 Channel (Abused Legitimate Service) | api.telegram[.]org | MuddyWater / Multiple Actors | Telegram API leveraged for command-and-control communications |
Telegram Bot C2 | stager_51_bot | MuddyWater (CHAR Backdoor) | Bot used for Telegram-based command infrastructure |
File Hash (SOCKS5 Proxy Component) | 62ED16701A14CE26314F2436D9532FE606C15407 | MuddyWater | Associated with proxy functionality used by malware |
Malicious DLL | FMAPP.dll | MuddyWater | Malware component used in attack chain |
Dropper | gshdoc_release_X64_GUI.exe | MuddyWater | Initial dropper used to deploy additional payloads |
Loader | sh.exe | MuddyWater | Loader used to execute additional malicious components |
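The Detection Method section above asks for IoC correlation across proxy, EDR and web server telemetry and for spotting volumetric request spikes. The following script is an added example written for this advisory, not the Cyber Threat Intelligence Unit's own tooling: it refangs the indicators from the table above, matches them against constructed sample log lines (the log formats, hostnames, usernames and IP addresses are invented), treats api.telegram[.]org as a low-confidence hit because it is a shared legitimate service, matches file names as whole tokens so that sh.exe does not fire on bash.exe, and flags per-minute request buckets that are far above the median rate. The five-times-median threshold and the one-minute bucket are assumptions to be tuned per environment.

```python
"""Added example (not the advisory's own tooling): match the advisory's
defanged IoCs against sample proxy, EDR and web logs, and flag request-rate
spikes that may indicate volumetric DDoS. All log lines are constructed."""
import re
import statistics
from collections import Counter
from datetime import datetime

# Network indicators as listed in the advisory, kept defanged as in the source.
# api.telegram.org is abused for C2 but also used by benign apps, so a hit on
# it alone is weak evidence and is tagged "low" confidence.
NETWORK_IOCS = {
    "www.shirideitch[.]com": ("RedAlert phishing APK host", "high"),
    "api.ra-backup[.]com": ("RedAlert exfiltration endpoint", "high"),
    "bit[.]ly/4tWJhQh": ("RedAlert shortened URL", "high"),
    "codefusiontech[.]org": ("MuddyWater C2 (Operation Olalampo)", "high"),
    "whatsapp-meeting.duckdns[.]org": ("RedKitten phishing domain", "high"),
    "api.telegram[.]org": ("Telegram API abused for C2", "low"),
}
# Host-based indicators from the advisory: a 40-hex-character file hash
# (SHA-1 length) and file names.
FILE_IOCS = {
    "62ED16701A14CE26314F2436D9532FE606C15407": "MuddyWater SOCKS5 proxy component",
    "FMAPP.dll": "MuddyWater malicious DLL",
    "gshdoc_release_X64_GUI.exe": "MuddyWater dropper",
    "sh.exe": "MuddyWater loader",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (a[.]b) back into its matchable form."""
    return indicator.replace("[.]", ".")


def match_network_iocs(lines):
    """Return (line_no, indicator, description, confidence) for each hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        low = line.lower()
        for defanged, (desc, conf) in NETWORK_IOCS.items():
            if refang(defanged).lower() in low:
                hits.append((no, refang(defanged), desc, conf))
    return hits


def match_file_iocs(lines):
    """Match hashes/file names as whole tokens, so sh.exe does not fire on bash.exe."""
    hits = []
    for no, line in enumerate(lines, 1):
        for name, desc in FILE_IOCS.items():
            pattern = r"(?<![\w.-])" + re.escape(name) + r"(?![\w-])"
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((no, name, desc))
    return hits


ACCESS_TS = re.compile(r"\[([^\]]+)\]")


def request_rate_spikes(access_lines, factor=5):
    """Bucket Apache/nginx-style access log lines per minute and return the
    minutes whose request count is at least `factor` times the median bucket."""
    buckets = Counter()
    for line in access_lines:
        m = ACCESS_TS.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        buckets[ts.strftime("%Y-%m-%d %H:%M")] += 1
    if not buckets:
        return []
    baseline = statistics.median(buckets.values())
    return sorted(k for k, v in buckets.items() if v >= factor * baseline)


# Constructed sample logs (not real telemetry).
PROXY_LOG = [
    "2026-03-06T09:12:01Z user=alice dst=www.example.org status=200",
    "2026-03-06T09:12:44Z user=bob dst=api.ra-backup.com/analytics/submit.php status=200",
    "2026-03-06T09:13:10Z user=carol dst=api.telegram.org/bot status=200",
]
EDR_LOG = [
    "2026-03-06T09:20:00Z host=WS01 event=process_start image=C:\\Windows\\System32\\bash.exe",
    "2026-03-06T09:20:05Z host=WS01 event=process_start image=C:\\Users\\Public\\sh.exe",
    "2026-03-06T09:20:06Z host=WS01 event=image_load module=C:\\Users\\Public\\FMAPP.dll",
]
ACCESS_LOG = (
    ['203.0.113.5 - - [06/Mar/2026:10:00:%02d +0000] "GET / HTTP/1.1" 200 512' % s for s in (1, 30)]
    + ['203.0.113.6 - - [06/Mar/2026:10:01:%02d +0000] "GET / HTTP/1.1" 200 512' % s for s in (2, 40)]
    + ['203.0.113.7 - - [06/Mar/2026:10:02:%02d +0000] "GET / HTTP/1.1" 200 512' % s for s in (5, 50)]
    + ['198.51.100.%d - - [06/Mar/2026:10:03:%02d +0000] "GET / HTTP/1.1" 503 0' % (i, i) for i in range(12)]
)

if __name__ == "__main__":
    for hit in match_network_iocs(PROXY_LOG):
        print("network IoC:", hit)
    for hit in match_file_iocs(EDR_LOG):
        print("file IoC:", hit)
    print("request spikes:", request_rate_spikes(ACCESS_LOG))
```

Run against the constructed logs, the script reports the RedAlert exfiltration endpoint and a low-confidence Telegram hit from the proxy log, the sh.exe loader and FMAPP.dll from the EDR log (the bash.exe line is correctly ignored), and the 10:03 minute as a request spike. In production, the substring and token matches would be replaced by SIEM lookups against the same refanged list, and the spike baseline would be computed over a longer window than four minutes.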

Recommendations
Organizations should implement the following defensive measures to reduce exposure to conflict-related cyber campaigns.
Patch and Secure Perimeter Infrastructure: Ensure all internet-facing perimeter devices (e.g., firewalls, VPN gateways, and remote access appliances) are fully patched and free of known exploitable vulnerabilities.
Strengthen Perimeter Defenses: Deploy DDoS mitigation services and web application firewalls to protect internet-facing systems.
Enhance Phishing Awareness: Educate users about crisis-themed phishing campaigns, particularly SMS-based malware delivery.
Secure Mobile Devices: Restrict installation of applications from untrusted sources and enforce mobile device security policies.
Enforce Multi-Factor Authentication: Require MFA across remote access services, administrative systems, and cloud environments.
Maintain Incident Response Readiness: Ensure response procedures are validated for ransomware, destructive malware, and large-scale service disruption.
Implement Continuous Monitoring: Leverage SIEM, EDR, and threat intelligence platforms to monitor for emerging indicators associated with geopolitical cyber campaigns.
Conclusion
Cyber activity linked to Operation Epic Fury and Operation Roaring Lion demonstrates the growing role of cyber operations in geopolitical conflicts. Although much of the observed activity currently involves hacktivist groups and opportunistic actors, the potential involvement of Iran-aligned threat groups and the risk of destructive cyber operations increase the overall threat level. Organizations should anticipate ongoing cyber operations related to the conflict, including DDoS attacks, phishing, influence campaigns, and possible attacks on infrastructure. Strong defensive controls, proactive monitoring, and the use of geopolitical threat intelligence are essential to mitigate risks in this evolving landscape.