<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
  xmlns:atom="http://www.w3.org/2005/Atom"
  xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Iran-Israel Cyber Conflict Timeline</title>
    <link>https://zerodawn.tech/</link>
    <description>Strategic CTI platform tracking Iran-Israel cyber conflict events, threat actors, IOCs, TTPs, intelligence synthesis.</description>
    <language>en-us</language>
    <lastBuildDate>Sun, 10 May 2026 09:35:26 GMT</lastBuildDate>
    <atom:link href="https://zerodawn.tech/rss.xml" rel="self" type="application/rss+xml"/>
    <generator>CTI Platform RSS Generator</generator>
    <docs>https://www.rssboard.org/rss-specification</docs>
    <item>
      <title>Haaretz Discloses Six-Year Iranian Penetration of Israel&apos;s INSS — 100,000+ Emails Leaked, Senior Defense-Intelligence Communications Exposed</title>
      <link>https://zerodawn.tech/</link>
      <description>Haaretz published a long-form investigation on May 4, 2026 disclosing a sustained six-year Iranian cyber-espionage and influence campaign against the Institute for National Security Studies (INSS), Israel&apos;s premier government-adjacent defense and intelligence research institution. The investigation, anchored on a corpus of more than 100,000 emails and internal messages, documents multi-year compromise across phishing-led credential theft, Zoom / video-conferencing account takeover, and security-camera infrastructure access — with exfiltrated data including communications from senior officials such as a former Mossad research head. The pro-Iran hacktivist persona Handala claims responsibility for tranches of the leak, asserting access to 400,000+ classified files and infrastructure passwords; the underlying campaign is assessed Iran-nexus with MOIS as the most likely state sponsor based on the target profile and multi-year cadence consistent with state-backed collection. | Actor: Handala (claimed) — Iran-nexus, MOIS most likely (assessed) (Moderate confidence) | Campaign type: espionage | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Mon, 04 May 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0037</guid>
      <category>espionage</category>
      <dc:creator>Handala (claimed) — Iran-nexus, MOIS most likely (assessed)</dc:creator>
    </item>
    <item>
      <title>Unit 42 Tracks CyberAv3ngers OT Pivot as CL-STA-1128 — Rockwell FactoryTalk Installed on VPS as Exploitation Tooling</title>
      <link>https://zerodawn.tech/</link>
      <description>Unit 42 (Palo Alto Networks) publicly designated the actor behind the CISA AA26-097A US PLC campaign as cluster CL-STA-1128, equating it with Cyber Av3ngers / Storm-0784. The April 17 update to Unit 42&apos;s Iran threat brief documents two analytical contributions distinct from the CISA advisory: (a) the cluster&apos;s historic Unitronics focus has shifted to Rockwell Automation/Allen-Bradley equipment as primary target, and (b) Unit 42 assesses with moderate confidence that the attacker installed Rockwell&apos;s own FactoryTalk industrial-automation suite on virtual private server (VPS) infrastructure as the exploitation tooling — derived by correlating unique port-combination static-mappings across hosts. Companion event to IRN-ISR-2026-0010. | Actor: CyberAv3ngers / IRGC-CEC (High confidence) | Campaign type: destructive | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Fri, 17 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0033</guid>
      <category>destructive</category>
      <dc:creator>CyberAv3ngers / IRGC-CEC</dc:creator>
    </item>
    <item>
      <title>Darktrace + Dragos Disclose ZionSiphon — Iran-Aligned OT Malware Targeting Israeli Desalination Plants; Dragos Assesses LLM-Generated Origin and Structurally Non-Credible</title>
      <link>https://zerodawn.tech/</link>
      <description>Two complementary vendor disclosures (Darktrace Apr 16, Dragos Apr 23) document ZionSiphon, a malware sample purpose-built to sabotage Israeli dam-desalination environments by tampering with chlorine dosing and reverse-osmosis pressure set-points. Darktrace identified an XOR-mismatch self-destruct flaw in the country-verification routine (suggesting a fixable developer error). Dragos&apos;s follow-up analysis by Jimmy Wylie (TRISIS/CRASHOVERRIDE/PIPEDREAM author) reframes the artefact more sceptically: Dragos assesses ZionSiphon as &apos;LLM-generated&apos; with multiple structural defects — fictional Windows process names and directory paths, ineffective Modbus TCP chlorine manipulation, immature Modbus/DNP3/S7Comm protocol detection — concluding the malware is &apos;not a credible threat to dam desalination facilities or any critical infrastructure&apos; and that it lacks ICS-capability per Dragos&apos;s classification framework. The two-vendor reading reframes ZionSiphon as a probable AI-tooling artefact rather than a CyberAv3ngers prototype, which weakens the prior IRGC-CEC pattern-match. | Actor: Unattributed (Low confidence) | Campaign type: destructive | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Thu, 16 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0024</guid>
      <category>destructive</category>
      <dc:creator>Unattributed</dc:creator>
    </item>
    <item>
      <title>IRGC-IO SMS-Based Recruitment Campaign Targets Israelis for HUMINT Collection and Low-Level Sabotage</title>
      <link>https://zerodawn.tech/</link>
      <description>FDD&apos;s Center on Cyber and Technology Innovation documented an ongoing IRGC Intelligence Organization (IRGC-IO) campaign using SMS, Telegram, and social-media direct messages to recruit Israeli citizens — with particular focus on economically stressed individuals, recent immigrants, and minorities — for intelligence collection, surveillance photography of strategic sites, and low-level sabotage. Shin Bet has arrested approximately 40 Israelis since October 2023 for acting on such contacts, with payments reportedly ranging from hundreds to thousands of US dollars routed via cryptocurrency and informal value transfer. | Actor: IRGC Intelligence Organization (IRGC-IO) (High confidence) | Campaign type: influence | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Mon, 13 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0018</guid>
      <category>influence</category>
      <dc:creator>IRGC Intelligence Organization (IRGC-IO)</dc:creator>
    </item>
    <item>
      <title>Handala Claims ICS/SCADA Breach and Production Halt at Foulath and SULB Gulf Steel Plants</title>
      <link>https://zerodawn.tech/</link>
      <description>Handala claimed breach of SCADA/ICS systems at Foulath Holding (Bahrain) and SULB (Saudi Arabia), two major Gulf steel producers with combined annual output of ~2 million metric tonnes and ~$5 billion value. The group published screenshots of plant surveillance cameras and industrial monitoring networks, claiming complete production halt. Foulath declared force majeure. Framed as retaliation for strikes on Resistance Axis steel infrastructure. | Actor: Handala / Void Manticore (High confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Mon, 13 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0022</guid>
      <category>destructive</category>
      <dc:creator>Handala / Void Manticore</dc:creator>
    </item>
    <item>
      <title>Handala Claims Destructive Breach of Three Dubai Government Entities: Courts, Land Department, and RTA</title>
      <link>https://zerodawn.tech/</link>
      <description>Handala claimed breach of Dubai Courts Department, Dubai Land Department, and Dubai Roads and Transport Authority, alleging destruction of 6 petabytes of data and exfiltration of 149 TB of sensitive documents. The operation was framed as retaliation for UAE alignment against the Resistance Axis. Claims remain unverified by UAE authorities but represent a significant geographic expansion of Handala destructive operations into Gulf state government infrastructure. | Actor: Handala / Void Manticore (High confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Sun, 12 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0021</guid>
      <category>destructive</category>
      <dc:creator>Handala / Void Manticore</dc:creator>
    </item>
    <item>
      <title>Iranian Cyber Operations Expand Across Gulf States: 600K Incidents Hit Banking, Aviation, Telecom</title>
      <link>https://zerodawn.tech/</link>
      <description>UAE cybersecurity chief reported cyberattacks tripled to 600,000 incidents across GCC states. Targets expanded from public portals to banks (Riyad Bank, Al Rajhi Bank), aviation (Kuwait International Airport), telecom (Batelco, du), and government. Attack nature shifted from reactive DDoS to complex breach claims, persistent access, and financial exploitation. Saudi Arabia saw the sharpest increase. | Actor: Multiple Iran-Aligned Groups (Moderate confidence) | Campaign type: hacktivism | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Fri, 10 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0016</guid>
      <category>hacktivism</category>
      <dc:creator>Multiple Iran-Aligned Groups</dc:creator>
    </item>
    <item>
      <title>CSIS: Iran Shifts from Episodic Cyberattacks to Sustained Campaign Against Critical Infrastructure</title>
      <link>https://zerodawn.tech/</link>
      <description>The Center for Strategic and International Studies assessed that Iran&apos;s cyber approach is &quot;no longer episodic or symbolic&quot; but reflects a &quot;sustained, strategic posture that treats cyberspace as an extension of state power.&quot; CSIS flagged Iranian actors are pre-positioning access in energy, water, and transportation sectors, exploiting legacy ICS and weak segmentation, creating latent risk that may only surface during future escalation. | Actor: Multiple Iranian State Actors (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Fri, 10 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0017</guid>
      <category>espionage</category>
      <dc:creator>Multiple Iranian State Actors</dc:creator>
    </item>
    <item>
      <title>Handala Leaks 19,000+ Files from Ex-IDF Chief Halevi&apos;s Personal Devices</title>
      <link>https://zerodawn.tech/</link>
      <description>Handala claimed years-long persistent access to former IDF Chief of Staff Lt. Gen. Herzi Halevi&apos;s personal phone and digital accounts, exfiltrating 19,000+ files including secret diplomatic footage, strategic maps, and personal family content. Leaked materials revealed previously secret meetings with Jordanian and US military counterparts. | Actor: Handala / Void Manticore (High confidence) | Campaign type: espionage | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Thu, 09 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0014</guid>
      <category>espionage</category>
      <dc:creator>Handala / Void Manticore</dc:creator>
    </item>
    <item>
      <title>CloudSEK: APT35 Pre-Mapped Every Country Iran Struck in Operation Epic Fury — Multi-Year Pre-Positioning Across Seven Gulf and Israeli Networks</title>
      <link>https://zerodawn.tech/</link>
      <description>CloudSEK published an April 9, 2026 report assessing that Iranian APT35 (Charming Kitten / Mint Sandstorm / Educated Manticore) had infiltrated and conducted reconnaissance against the digital infrastructure of every country struck by Iranian ballistic-missile and drone retaliation following Operation Epic Fury — Jordan, UAE, Saudi Arabia, Kuwait, Bahrain, Qatar, and Israel — in the years prior to the February 28, 2026 strikes. Tooling observed across the dataset includes BellaCiao, the Sagheb RAT, web shells, and tunneling utilities. CloudSEK assesses the alignment between cyber reconnaissance and kinetic targeting as too consistent to dismiss as coincidence, while stopping short of claiming a formal intelligence-to-strike handoff. The disclosure parallels separate Microsoft MSTIC reporting that Cotton Sandstorm (IRGC-affiliated) staged malware inside Israeli and broader Middle Eastern networks ahead of the February 28 strikes. | Actor: APT35 (Charming Kitten / Mint Sandstorm) (High confidence) | Campaign type: espionage | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Thu, 09 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0029</guid>
      <category>espionage</category>
      <dc:creator>APT35 (Charming Kitten / Mint Sandstorm)</dc:creator>
    </item>
    <item>
      <title>US-Iran Ceasefire Announced; Handala Vows Continued Cyber Operations Against Israel</title>
      <link>https://zerodawn.tech/</link>
      <description>The US and Iran agreed to a two-week Pakistan-mediated ceasefire. Within hours, IRGC-linked Handala declared it would pause attacks on US targets but continue cyber operations against Israel indefinitely, stating &quot;The cyber war did not begin with the military conflict, and it will not end with any military ceasefire.&quot; Nozomi Networks predicted cyber ops would increase during the ceasefire as actors shift targeting to US defense-adjacent organizations. | Actor: Handala / Void Manticore (High confidence) | Campaign type: hacktivism | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 08 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0013</guid>
      <category>hacktivism</category>
      <dc:creator>Handala / Void Manticore</dc:creator>
    </item>
    <item>
      <title>NERC Activates Grid Watch Operations for Iranian Cyber Threats to US Energy Sector</title>
      <link>https://zerodawn.tech/</link>
      <description>Following CISA AA26-097A, the North American Electric Reliability Corporation activated Watch Operations and issued warnings to E-ISAC members, encouraging heightened vigilance and lower thresholds for sharing suspicious cyber activity. First NERC grid-wide monitoring activation specifically in response to confirmed Iranian operations against US energy infrastructure. | Actor: CyberAv3ngers / IRGC-CEC (High confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 08 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0015</guid>
      <category>destructive</category>
      <dc:creator>CyberAv3ngers / IRGC-CEC</dc:creator>
    </item>
    <item>
      <title>CISA AA26-097A: Iranian APT Exploiting Rockwell/Allen-Bradley PLCs Across US Critical Infrastructure Since March 2026</title>
      <link>https://zerodawn.tech/</link>
      <description>CISA advisory AA26-097A confirms Iranian APTs exploiting internet-exposed Rockwell Automation PLCs across US water, energy, and government sectors since March 2026 — using the vendor&apos;s own Studio 5000 software to extract project files and manipulate SCADA displays. | Actor: CyberAv3ngers (Iranian-affiliated APT) (High confidence) | Campaign type: destructive | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Tue, 07 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0010</guid>
      <category>destructive</category>
      <dc:creator>CyberAv3ngers (Iranian-affiliated APT)</dc:creator>
    </item>
    <item>
      <title>Handala Leaks ~100,000 Emails from Retired IAF Colonel Tied to Elbit Squadron 166 and Hermes Drone Programs</title>
      <link>https://zerodawn.tech/</link>
      <description>Handala announced a data leak of approximately 100,000 emails exfiltrated from the personal and business accounts of retired Israeli Air Force Colonel Vered Haimovich, whose post-service career includes roles connected to Elbit Systems&apos; Squadron 166 and the Hermes family of unmanned aerial vehicles. The group published selected samples purporting to show procurement, testing, and operational discussions relating to Israeli UAV programs. | Actor: Handala / Void Manticore (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Tue, 07 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0020</guid>
      <category>espionage</category>
      <dc:creator>Handala / Void Manticore</dc:creator>
    </item>
    <item>
      <title>Handala Claims Breach and Data Leak of Israeli Wind Energy Firm PSK Wind Technologies</title>
      <link>https://zerodawn.tech/</link>
      <description>Handala announced on its Telegram channel the compromise and exfiltration of internal data from PSK Wind Technologies, an Israeli renewable-energy firm specializing in wind-turbine engineering services. The group published samples purporting to show engineering drawings, project documentation, and internal correspondence, framing the operation as retaliation against Israeli energy infrastructure. | Actor: Handala / Void Manticore (High confidence) | Campaign type: hacktivism | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Thu, 02 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0019</guid>
      <category>hacktivism</category>
      <dc:creator>Handala / Void Manticore</dc:creator>
    </item>
    <item>
      <title>IRGC Publicly Threatens 18 US Tech Companies as Legitimate Targets</title>
      <link>https://zerodawn.tech/</link>
      <description> | Actor: IRGC (Low confidence) | Campaign type: signaling | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Wed, 01 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0001</guid>
      <category>signaling</category>
      <dc:creator>IRGC</dc:creator>
    </item>
    <item>
      <title>Handala Claims St. Joseph County IT Takeover — Fax Server Breach Weaponized as Influence Operation</title>
      <link>https://zerodawn.tech/</link>
      <description>Handala claimed to have &apos;completely taken control of the centralized IT infrastructure of St. Joseph County&apos; in Indiana, alleging seizure of police reports, court documents, child support payments, and health records. Investigation revealed the actual breach was limited to a single cloud-based fax server with no data deleted. FDD analysis (April 14) assessed the operation as a deliberate influence template: Iran converted a minor intrusion into a narrative of omnipresence targeting US local government confidence. | Actor: Handala / Void Manticore (High confidence) | Campaign type: influence | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Wed, 01 Apr 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0023</guid>
      <category>influence</category>
      <dc:creator>Handala / Void Manticore</dc:creator>
    </item>
    <item>
      <title>ESET WeLiveSecurity: Iran-Aligned Actors Disproportionately Target Engineering and Manufacturing; Iran-IAB Engagement on Russian Forums Confirmed</title>
      <link>https://zerodawn.tech/</link>
      <description>ESET researcher Tomáš Foltýn published a strategic synthesis of the post-Operation-Roaring-Lion cyber landscape, anchored on three findings from ESET&apos;s own April-September 2025 telemetry: (1) Iran-aligned APT groups disproportionately target entities in engineering and manufacturing sectors; (2) Iran-linked operators are actively engaging Initial Access Brokers on Russian cybercrime forums — first vendor confirmation of supply-side collaboration with Russian eCrime; (3) pro-Russian hacktivist groups have joined the conflict in support of Iran. The piece also cites Broadcom/Symantec confirmation of MuddyWater intrusions at a US airport, US bank, and software firm with Israel ties as fresh 2026 operational tempo evidence. | Actor: Multi-actor (Iran-aligned ecosystem; MuddyWater named operationally) (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Thu, 12 Mar 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0034</guid>
      <category>espionage</category>
      <dc:creator>Multi-actor (Iran-aligned ecosystem; MuddyWater named operationally)</dc:creator>
    </item>
    <item>
      <title>Handala Wipes 200,000+ Stryker Devices via Compromised Microsoft Intune</title>
      <link>https://zerodawn.tech/</link>
      <description>Handala (MOIS/Void Manticore) weaponized a stolen Stryker Intune Global Admin credential to remote-wipe 200,000+ endpoints across 79 countries and exfiltrate 50TB — executing mass destruction entirely through legitimate MDM functionality, with no custom malware required. | Actor: Handala / Void Manticore (High confidence) | Campaign type: destructive | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Wed, 11 Mar 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0006</guid>
      <category>destructive</category>
      <dc:creator>Handala / Void Manticore</dc:creator>
    </item>
    <item>
      <title>Halcyon: Iran Activates Multi-Tier Cyber Ecosystem Post-Roaring-Lion — Sicarii Surfaces as Functional Wiper, HydraC2-Killnet Coordination Confirmed, MuddyWater Olalampo↔RedKitten TTP Overlap</title>
      <link>https://zerodawn.tech/</link>
      <description>Halcyon Ransomware Research Center (RRC) published a strategic synthesis of the post-February-28 Iranian cyber ecosystem activation. Three analytic contributions are novel: (1) Sicarii ransomware (surfaced December 2025) is reclassified as a functional wiper — a critical encryption-key-handling defect causes keys to be discarded after encryption, making decryption permanently impossible regardless of ransom payment, repurposing the brand as destruction-tooling-with-criminal-cover; (2) HydraC2 and Russian DDoS crew Killnet signaled explicit support for the Iranian regime via private channels and Telegram — first vendor-confirmed Iran-Russia hacktivist coordination signal of the conflict; (3) MuddyWater Operation Olalampo TTP overlap with a separate &apos;RedKitten&apos; campaign identified by Harfang Lab. Six new IOCs added (1 RedKitten phishing domain + 4 MuddyWater filenames + 1 SHA1) plus the article&apos;s framing of Iran&apos;s destructive doctrine as a &apos;murky blend of state sponsorship, personal profiteering, and outright criminal behavior&apos;. | Actor: Multiple Iran-Aligned Groups (Sicarii, MuddyWater, HydraC2, Handala, APT34/35/39/42) (High confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Sun, 08 Mar 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0035</guid>
      <category>destructive</category>
      <dc:creator>Multiple Iran-Aligned Groups (Sicarii, MuddyWater, HydraC2, Handala, APT34/35/39/42)</dc:creator>
    </item>
    <item>
      <title>Trellix: Iranian Cyber Capability 2026 — Multi-Actor Strategic Assessment</title>
      <link>https://zerodawn.tech/</link>
      <description>Trellix profiled ten active Iranian threat groups (2024–Mar 2026): MuddyWater retools in Rust, APT42 deploys TameCat via WhatsApp, CyberAv3ngers introduces IOCONTROL OT malware, Parisite relaunches Pay2Key ransomware ($4M+), and Infy&apos;s pause aligns precisely with an Iranian internet blackout. | Actor: Multiple Iranian State Actors (IRGC / MOIS) (Low confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Thu, 05 Mar 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0005</guid>
      <category>espionage</category>
      <dc:creator>Multiple Iranian State Actors (IRGC / MOIS)</dc:creator>
    </item>
    <item>
      <title>Halcyon: Sicarii Admin &apos;Uke&apos; Redirects Pro-Iran Ransomware Operators to BQTLock RaaS — React2Shell (CVE-2025-55182) Identified as BQTLock Initial-Access Vector</title>
      <link>https://zerodawn.tech/</link>
      <description>On March 3, 2026, Sicarii ransomware administrator &apos;Уке Б3 / Uke&apos; publicly stated the group could not keep pace with the post-Operation-Roaring-Lion surge in affiliate request volume and redirected pro-Iran ransomware operators to Baqiyat 313 Locker (BQTLock), a pro-Palestinian RaaS active since July 2025. BQTLock is operated by Liwaa Mohammad — a hacktivist group led by Karim Fayad (alias ZeroDayX/ZeroDayX1) under the Cyber Islamic Resistance umbrella. BQTLock now offers free RaaS access via Telegram with explicit Israeli-target operator recruitment (&apos;to all hacktivists who have the ability to target the Zionist entity&apos;). The Cyber Fattah Team — collaborating on the liwaamohammad Telegram channels — is identified as BQTLock&apos;s initial-access partner, leveraging CVE-2025-55182 (&apos;React2Shell&apos;), a critical unauthenticated RCE in React Server Components / RSC Flight protocol, to deploy BQTLock at an Israeli victim on December 20, 2025. The migration consolidates pro-Palestinian and pro-Iran ransomware operations under a single ideologically motivated RaaS platform with double-extortion tradecraft (UAE/US/IL hospitality and education victims published on the BQTLock leak site). | Actor: Multi-Actor (High confidence) | Campaign type: ransomware | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 04 Mar 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0036</guid>
      <category>ransomware</category>
      <dc:creator>Multi-Actor</dc:creator>
    </item>
    <item>
      <title>Iran-Nexus M365 Password Spray Campaign Hits 300+ Israeli Organizations in Three Waves</title>
      <link>https://zerodawn.tech/</link>
      <description>An Iran-nexus actor ran a three-wave M365 password-spray campaign (March 3, 13, 23) against 300+ Israeli and 25+ UAE organizations — primarily municipalities — assessed to support kinetic Bombing Damage Assessment by correlating targeted cities with concurrent missile strikes. | Actor: Iran-nexus Actor (Gray Sandstorm-linked) (Moderate confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Tue, 03 Mar 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0004</guid>
      <category>espionage</category>
      <dc:creator>Iran-nexus Actor (Gray Sandstorm-linked)</dc:creator>
    </item>
    <item>
      <title>Conflict-Themed Phishing &amp; StealC Infostealer Wave — 7,381 URLs Exploit Iran War Across UAE, Saudi Arabia, and Iran</title>
      <link>https://zerodawn.tech/</link>
      <description>Two complementary vendor disclosures (Zscaler ThreatLabz Mar 6, Unit 42 Apr 17) document a mass mobilisation of conflict-themed phishing and infostealer infrastructure exploiting the Iran-Israel war. Zscaler tracked 8,000+ newly-registered conflict-themed domains and analysed five distinct cases including a GCC-region LNK→CHM→DLL-sideload targeted attack, China-nexus Mustang Panda&apos;s LOTUSLITE backdoor weaponising Iran-strikes-on-US-bases lures, and Persian-language phishing kits exfiltrating to Telegram bots. Unit 42 separately mapped 7,381 active phishing URLs across 1,881 hostnames — Iranian-bank impersonations, Trump-vs-Iran crypto scams, Dubai-customs/police spoofs, Etisalat/IranCell sub-domain chaining — alongside the parallel StealC infostealer mass-distribution wave using numbered-increment domain evasion. | Actor: Unattributed (Low confidence) | Campaign type: influence | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Sun, 01 Mar 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0026</guid>
      <category>influence</category>
      <dc:creator>Unattributed</dc:creator>
    </item>
    <item>
      <title>&apos;The Great Epic&apos; — Iranian Multi-Actor Retaliatory Cyber Campaign</title>
      <link>https://zerodawn.tech/</link>
      <description>Following the February 28 US-Israeli airstrikes, Flashpoint identified Iran&apos;s &apos;The Great Epic&apos; — a multi-group retaliatory campaign of DDoS attacks, wiper deployments, and ICS targeting against Israeli, US, and Jordanian targets. | Actor: Multiple Iranian-Aligned Groups (Moderate confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Sat, 28 Feb 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0011</guid>
      <category>destructive</category>
      <dc:creator>Multiple Iranian-Aligned Groups</dc:creator>
    </item>
    <item>
      <title>US-Israeli Offensive Cyber Operations Against Iran: IRNA, IRGC C2, Energy, Aviation, Internet Blackout</title>
      <link>https://zerodawn.tech/</link>
      <description>Concurrent with kinetic strikes, US-Israeli cyber operations disrupted Iran&apos;s IRNA news agency, IRGC command infrastructure, energy and aviation systems, hijacked a prayer app to broadcast &apos;Help has arrived!&apos;, and caused a 48+ hour nationwide internet blackout. | Actor: US-Israeli Cyber Forces (Moderate confidence) | Campaign type: destructive | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Sat, 28 Feb 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0012</guid>
      <category>destructive</category>
      <dc:creator>US-Israeli Cyber Forces</dc:creator>
    </item>
    <item>
      <title>Handala Strikes Israel Opportunity Energy and Jordanian Fuel-Station Infrastructure — Energy-Sector Expansion in Feb-28 Cyber Surge</title>
      <link>https://zerodawn.tech/</link>
      <description>On and immediately after the February 28, 2026 US-Israel strikes on Iran, the MOIS-linked hacktivist persona Handala / Void Manticore expanded its target aperture beyond its prior Israel-only focus. Handala claimed compromise of Israel Opportunity Energy Resources — an Israeli oil-and-gas exploration company — and disruption of Jordanian fuel-station infrastructure, with the Israel Opportunity Energy claim posted publicly on March 2, 2026. The widening into the energy sector and into a third-country (Jordan) target marks a notable scope expansion versus Handala&apos;s documented Feb-April 2026 wave (IRN-ISR-2026-0009) which focused on Israeli healthcare, finance, government, and academia, and is documented in Unit 42&apos;s Threat Brief on the Iran 2026 cyberattacks alongside Picus Security and Industrial Cyber reporting. | Actor: Handala / Void Manticore (High confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Sat, 28 Feb 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0031</guid>
      <category>destructive</category>
      <dc:creator>Handala / Void Manticore</dc:creator>
    </item>
    <item>
      <title>GTIG: Iran-Nexus Defense Industrial Base Targeting — UNC1549, UNC6446, Handala (UNC5203), Cyber Toufan (UNC5318), Cyber Isnaad Front</title>
      <link>https://zerodawn.tech/</link>
      <description>Google Threat Intelligence Group&apos;s Feb 10, 2026 strategic disclosure &apos;Beyond the Battlefield: Threats to the Defense Industrial Base&apos; enumerates five Iran-nexus actors persistently targeting Israeli, US, UK, and Middle East defense contractors. Headline disclosures: (1) a previously-unprofiled Iran-nexus actor UNC6446, active since at least 2022, delivering custom malware via trojanised resume-builder and personality-test applications including one designed for employees of a UK-based multinational aerospace and defense company; (2) Cyber Toufan (UNC5318) used a supply-chain compromise of one Israeli defense contractor to compromise at least 17 additional Israeli defense contractor organisations, with leaked material exposing Australian Defense Force plans to purchase Spike NLOS anti-tank missiles from Israel; (3) Handala (UNC5203) launched &apos;RedWanted&apos; on the two-year anniversary of al-Aqsa Flood (Oct 2025) — a coordinated doxxing/intimidation campaign targeting members of Israel&apos;s Armed Forces, intelligence and national security apparatus, and military-industrial complex personnel — and subsequently signalled an expansion via &apos;Handala Alert&apos; to &apos;support anti-regime activities abroad&apos;; (4) UNC1549 continues to use spoofed job portals, fake job offer lures, and trusted-third-party supplier exploitation, with post-compromise tooling including the custom credential-theft tool CRASHPAD and RDP session hijacking against IT staff; (5) Cyber Isnaad Front contributes hack-and-leak operations against the Israeli military-industrial sector. GTIG assesses pro-Iran hacktivist activity has shifted from nuisance disruption to sophisticated hack-and-leak, supply-chain compromise, and aggressive psychological warfare since the October 2023 Israel-Hamas conflict onset. | Actor: Multi-Actor (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Tue, 10 Feb 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0032</guid>
      <category>espionage</category>
      <dc:creator>Multi-Actor</dc:creator>
    </item>
    <item>
      <title>Handala Multi-Target Destructive Operations: Healthcare, Finance, Government, and Academia (Feb–April 2026)</title>
      <link>https://zerodawn.tech/</link>
      <description>Handala ran a sustained Feb&#8211;Apr 2026 campaign hitting Clalit Health (10K+ records leaked), St. Joseph County, Indiana (2TB stolen, 12TB wiped), Hebrew University (40TB wiped via vCenter), Verifone (payments), and FBI Director Patel&apos;s personal email, spanning healthcare, finance, government, and academia across Israeli and US targets. | Actor: Handala / Void Manticore (High confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Sun, 01 Feb 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0009</guid>
      <category>destructive</category>
      <dc:creator>Handala / Void Manticore</dc:creator>
    </item>
    <item>
      <title>RedAlert Trojanized APK — SMS Phishing Spoofs Israeli Home Front Command Rocket-Alert App</title>
      <link>https://zerodawn.tech/</link>
      <description>Iran-aligned operators distributed a trojanized APK impersonating the Israeli Home Front Command&apos;s RedAlert rocket-warning application, delivered via SMS phishing to civilian Israeli devices for mobile surveillance and data exfiltration during the post–Operation Epic Fury escalation. | Actor: Unattributed (Low confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Sun, 01 Feb 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0025</guid>
      <category>espionage</category>
      <dc:creator>Unattributed</dc:creator>
    </item>
    <item>
      <title>Pay2Key Encrypts US Healthcare Organization in 3 Hours — Sabotage-Focused Iranian Ransomware, No Exfiltration</title>
      <link>https://zerodawn.tech/</link>
      <description>In late February 2026 — coinciding with the opening days of the US-Iran-Israel war — the Iranian-linked Pay2Key ransomware (operated by Fox Kitten / Parisite, IRGC-Cyber-Electronic-Command-aligned) encrypted the full IT environment of an unnamed US healthcare organization in approximately three hours. The intrusion was investigated by Beazley Security with Halcyon assistance: the attacker entered via a compromised administrator account, dwelled for several days, then deployed Pay2Key with no observable data exfiltration. The departure from double-extortion norms — encryption-only, aggressive log-clearing, anti-forensics — is operationally consistent with state-directed disruption rather than financially motivated ransomware, and frames Pay2Key as a wartime sabotage tool wearing criminal-ransomware brand cover. | Actor: Pay2Key (Fox Kitten / Parisite operator) (High confidence) | Campaign type: ransomware | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Sun, 01 Feb 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0028</guid>
      <category>ransomware</category>
      <dc:creator>Pay2Key (Fox Kitten / Parisite operator)</dc:creator>
    </item>
    <item>
      <title>MuddyWater Operation Olalampo: Rust Backdoor, Ethereum C2, and AI-Assisted Malware</title>
      <link>https://zerodawn.tech/</link>
      <description>MuddyWater&apos;s Operation Olalampo deployed four new malware families (CHAR, GhostBackDoor, GhostFetch, HTTP_VIP) and the Dindoor JS backdoor with Ethereum-based C2, targeting US, Canadian, and Israeli entities. GenAI-assisted development confirmed in CHAR&apos;s Rust source. | Actor: MuddyWater (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Mon, 26 Jan 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0007</guid>
      <category>espionage</category>
      <dc:creator>MuddyWater</dc:creator>
    </item>
    <item>
      <title>Dust Specter Targets Iraqi Government via ClickFix Lures and Four Novel .NET Malware Families</title>
      <link>https://zerodawn.tech/</link>
      <description>Dust Specter (Iran-nexus; APT34 infrastructure overlap) targeted Iraqi Ministry of Foreign Affairs officials with four novel .NET malware families via ClickFix lures impersonating Cisco Webex, using a compromised Iraqi government domain to host payloads. | Actor: Dust Specter (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Thu, 01 Jan 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0008</guid>
      <category>espionage</category>
      <dc:creator>Dust Specter</dc:creator>
    </item>
    <item>
      <title>CRESCENTHARVEST — Iran-Aligned RAT Targets Farsi-Speaking Diaspora Supporters of Iran Protests</title>
      <link>https://zerodawn.tech/</link>
      <description>Acronis TRU disclosed (Feb 17, 2026) a previously undocumented Iran-aligned cyberespionage campaign, active since shortly after January 9, 2026, that exploits the ongoing nationwide anti-government protests in Iran as a social-engineering lure. The operation distributes a new RAT-and-infostealer family — CRESCENTHARVEST — via .LNK files bundled with authentic Farsi-language protest media (videos, reports). Given the concurrent Iranian internet blackout, the campaign is assessed to target Farsi-speaking diaspora protest supporters, journalists, and activists abroad rather than domestic dissidents — consistent with a HUMINT-collection counterintelligence priority designed to identify and map external supporters of the protest movement. | Actor: Unattributed (Moderate confidence) | Campaign type: espionage | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Thu, 01 Jan 2026 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2026-0030</guid>
      <category>espionage</category>
      <dc:creator>Unattributed</dc:creator>
    </item>
    <item>
      <title>APT42 &apos;SpearSpecter&apos; Campaign Targets Senior Israeli Defense and Government Officials</title>
      <link>https://zerodawn.tech/</link>
      <description>The Israel National Digital Agency (INDA) attributed a sustained spear-phishing campaign codenamed &apos;SpearSpecter&apos; to APT42 (Charming Kitten subset) targeting senior Israeli defense and government officials. The campaign used personalised social-engineering tailored to each target&apos;s role and relationships, with multi-month rapport-building preceding payload delivery. | Actor: APT42 (High confidence) | Campaign type: espionage | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Thu, 13 Nov 2025 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2025-0009</guid>
      <category>espionage</category>
      <dc:creator>APT42</dc:creator>
    </item>
    <item>
      <title>USCYBERCOM Operation Midnight Hammer — Cyber Disruption of Iranian Air Defenses Synchronised with Strikes on Fordo, Natanz, and Isfahan</title>
      <link>https://zerodawn.tech/</link>
      <description>Disclosed by The Record (Feb 4, 2026) and confirmed via Gen. Dan Caine and Lt. Gen. William Hartman public statements, USCYBERCOM executed an NSA-enabled cyber operation — codename &apos;Midnight Hammer&apos; — against Iranian air-defense networks in the hours preceding US kinetic strikes on the Fordo, Natanz, and Isfahan nuclear sites in June 2025. The operation used an &apos;aim point&apos; technique on routers, servers, and peripherals to degrade air-defense awareness and command-and-control. All three sites were struck within a 30-minute window. Lt. Gen. Hartman characterised it as the most sophisticated action Cyber Command has taken against Iran in its nearly 16-year history. | Actor: USCYBERCOM (Israel/US Kinetic Operations Cluster) (High confidence) | Campaign type: destructive | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Sun, 22 Jun 2025 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2025-0010</guid>
      <category>destructive</category>
      <dc:creator>USCYBERCOM (Israel/US Kinetic Operations Cluster)</dc:creator>
    </item>
    <item>
      <title>Predatory Sparrow Burns ~$90M in Crypto from Iranian Exchange Nobitex</title>
      <link>https://zerodawn.tech/</link>
      <description>On day six of the 12-Day War, Predatory Sparrow stole approximately $90 million in cryptocurrency from Iran&apos;s largest crypto exchange Nobitex and destroyed the funds by sending them to vanity burn addresses (addresses spelling out anti-IRGC messages, for which no private key is known), rendering the funds unspendable. The group accused Nobitex of facilitating sanctions evasion and terror financing. Internal Nobitex source code was also leaked. | Actor: Predatory Sparrow (High confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 18 Jun 2025 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2025-0003</guid>
      <category>destructive</category>
      <dc:creator>Predatory Sparrow</dc:creator>
    </item>
    <item>
      <title>Predatory Sparrow Destroys Data at Iran&apos;s State-Owned Bank Sepah</title>
      <link>https://zerodawn.tech/</link>
      <description>On the fifth day of the Israel-Iran 12-Day War, the pro-Israel hacking group Predatory Sparrow (Gonjeshke Darande) claimed an attack on Iran&apos;s state-owned Bank Sepah, destroying customer data and disrupting banking services. The bank — historically tied to Iran&apos;s Armed Forces and IRGC payroll — went offline, with customers unable to access accounts or use cards and several branches forced to close. | Actor: Predatory Sparrow (High confidence) | Campaign type: destructive | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Tue, 17 Jun 2025 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2025-0002</guid>
      <category>destructive</category>
      <dc:creator>Predatory Sparrow</dc:creator>
    </item>
    <item>
      <title>APT35 &apos;Damselfly&apos; AI-Enhanced Spear-Phishing Against Israeli Cybersecurity Researchers</title>
      <link>https://zerodawn.tech/</link>
      <description>Beginning mid-June 2025, an APT35 (Charming Kitten / Mint Sandstorm) campaign tracked as &apos;Damselfly&apos; targeted Israeli journalists, cybersecurity experts, and computer-science professors at leading Israeli universities with AI-enhanced spear-phishing. Operators impersonated fictitious assistants to technology executives or researchers, contacting targets via email and WhatsApp. | Actor: APT35 (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Sun, 15 Jun 2025 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2025-0008</guid>
      <category>espionage</category>
      <dc:creator>APT35</dc:creator>
    </item>
    <item>
      <title>12-Day War Cyber Operations Umbrella (Multi-Actor)</title>
      <link>https://zerodawn.tech/</link>
      <description>From 2025-06-13 to 2025-06-25, the Israel-Iran &apos;Twelve-Day War&apos; included a parallel multi-actor cyber campaign. Iranian state and 60+ aligned hacktivist groups conducted ~30 DDoS claims/day (peaking 40 on Jun 14), ran 1,200 social-engineering and influence operations targeting Israeli civilians, and broadcast spoofed missile alerts. Israeli-aligned Predatory Sparrow conducted destructive operations against Iranian financial infrastructure (see IRN-ISR-2025-0002, IRN-ISR-2025-0003). Despite the volume and breadth, no major destructive impact on Israeli critical infrastructure was confirmed by INCD. | Actor: Multi-actor (Iranian state + 60+ hacktivist groups; Predatory Sparrow on Israel side) (High confidence) | Campaign type: destructive | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Fri, 13 Jun 2025 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2025-0006</guid>
      <category>destructive</category>
      <dc:creator>Multi-actor (Iranian state + 60+ hacktivist groups; Predatory Sparrow on Israel side)</dc:creator>
    </item>
    <item>
      <title>Mandiant M-Trends 2025: Iran-Nexus Threat Actor Landscape Synthesis (CY2024)</title>
      <link>https://zerodawn.tech/</link>
      <description>Mandiant&apos;s annual M-Trends 2025 report (published Apr 23, 2025; coverage period Jan 1–Dec 31 2024) dedicates a full chapter — &apos;The 2024 Iranian Threat Landscape&apos; (pp. 57–60) — to Iran-nexus operations. Headline findings: (1) a 35% surge in malware attributed to Iran-nexus actors versus 2023, with more than 45 new malware families discovered; (2) Israel was the focal point for destructive/disruptive wiper operations executed under hacktivist personas — &apos;Karma&apos; and &apos;Homeland Justice&apos; (both received access from UNC1860 / &apos;Sacred Manticore&apos;, publicly affiliated with MOIS), &apos;Handala Hack&apos; (COOLWIPE wiper, Dec 2023 + Jul 2024 + ongoing fake-security-patch campaign), and &apos;Cyber Toufan&apos; (POKYBLIGHT wiper, Oct 7 anniversary Telegram release, Android+Windows wiper campaigns posing as Israeli government security alerts); (3) APT34 deployed six new custom backdoors against Iraqi government, two of which (DODGYLAFFA, SPAREPRIZE) overlap with public reporting; (4) UNC3313 (subordinate to MuddyWater per US Government, MOIS-affiliated) ran spear-phishing with JELLYBEAN dropper and CANDYBOX backdoor, hosting payloads on file-sharing services with training/webinar lures, and abusing at least nine different RMM tools to blend with legitimate IT activity; (5) UNC2428 (overlaps with Israel National Cyber Directorate&apos;s &apos;Black Shadow&apos;) ran a complex October 2024 deception campaign impersonating Israeli defense contractor Rafael — RafaelConnect.exe → LONEFLEET installer → LEAFPILE launcher → MURKYTOUR backdoor — using a fake recruitment site and resume-submission GUI; (6) July 2024 saw CACTUSPAL backdoor masquerading as a Palo Alto Networks GlobalProtect installer; (7) UNC1549 leveraged customised, geolocated cloud infrastructure for C2 against aerospace/aviation/defense in Middle East; (8) APT42 maintained credential-harvesting against Israel and US targets — including individuals affiliated with US presidential campaigns, military personnel, diplomats, academics, and NGOs — using fake Google/Microsoft/Yahoo login sites, fake Google Meet landing pages, and lures customised to specific think tanks and named individuals. | Actor: Multi-Actor (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 23 Apr 2025 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2025-0011</guid>
      <category>espionage</category>
      <dc:creator>Multi-Actor</dc:creator>
    </item>
    <item>
      <title>Pro-Iran Hijack of Tel Aviv Train Station Advertising Screens with Fake Missile Alerts</title>
      <link>https://zerodawn.tech/</link>
      <description>Pro-Iran actors compromised the third-party advertising-display network at Herzliya and Tel Aviv Shalom train stations and broadcast fake missile-attack warnings instructing passengers to evacuate. Israel Railways clarified that the signage was operated by a private provider and isolated from rail infrastructure; no operational impact occurred. Influence/psychological operation, not OT compromise. | Actor: Handala (assessed) / Iranian-aligned hacktivist (Low confidence) | Campaign type: influence | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Tue, 11 Mar 2025 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2025-0004</guid>
      <category>influence</category>
      <dc:creator>Handala (assessed) / Iranian-aligned hacktivist</dc:creator>
    </item>
    <item>
      <title>Cotton Sandstorm WezRat Spearphishing Campaign Impersonating Israel INCD</title>
      <link>https://zerodawn.tech/</link>
      <description>Check Point Research documented an active Cotton Sandstorm campaign delivering WezRat modular infostealer via spearphishing emails impersonating the Israeli National Cyber Directorate (INCD), urging targets to install a fake Chrome browser update. WezRat provides command execution, keylogging, screenshot capture, and C2-delivered DLL modules. | Actor: Cotton Sandstorm (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 15 Jan 2025 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2025-0001</guid>
      <category>espionage</category>
      <dc:creator>Cotton Sandstorm</dc:creator>
    </item>
    <item>
      <title>Handala Compromises Israeli PA-System Supplier Maager-Tec, Triggers Air-Raid Sirens in Kindergartens</title>
      <link>https://zerodawn.tech/</link>
      <description>The Iranian-aligned Handala persona compromised Maager-Tec, an Israeli electronics supplier providing public-address systems to schools and public institutions. Handala hijacked the PA infrastructure to activate air-raid sirens and broadcast Arabic-language threatening messages inside Israeli kindergartens. A psychological-warfare operation exploiting third-party supplier access to civilian-facing infrastructure. | Actor: Handala (High confidence) | Campaign type: influence | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 15 Jan 2025 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2025-0005</guid>
      <category>influence</category>
      <dc:creator>Handala</dc:creator>
    </item>
    <item>
      <title>FBI/Treasury/INCD Joint Advisory: Cotton Sandstorm New Tradecraft — AI, Cover Hosting, and Global Targeting Expansion</title>
      <link>https://zerodawn.tech/</link>
      <description>FBI, US Treasury, and Israel INCD published joint advisory documenting Cotton Sandstorm&apos;s (Aria Sepehr Ayandehsazan) expanded tradecraft: cover hosting infrastructure (VPS-Agent, Server-Speed), generative AI adoption, IP camera harvesting, Contact-HSTG hostage family psychological operations, and IPTV streaming hijack for AI-generated messaging targeting UAE audiences. | Actor: Cotton Sandstorm (High confidence) | Campaign type: influence | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 30 Oct 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2024-0006</guid>
      <category>influence</category>
      <dc:creator>Cotton Sandstorm</dc:creator>
    </item>
    <item>
      <title>MuddyWater MuddyViper Backdoor Campaign Against Israeli Multi-Sector Targets (Sep 2024 – Mar 2025)</title>
      <link>https://zerodawn.tech/</link>
      <description>Threat intelligence reporting (Dec 2025) disclosed a MuddyWater (Mango Sandstorm / TA450 / MOIS) campaign running from September 2024 to March 2025 that deployed the previously undocumented MuddyViper backdoor against Israeli organizations across academia, engineering, local government, manufacturing, technology, transportation, and public services, plus one Egyptian technology victim. Initial-access vectors included phishing PDFs, exploitation of VPN appliances, and abuse of legitimate remote-administration tools. | Actor: MuddyWater (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Sun, 01 Sep 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2025-0007</guid>
      <category>espionage</category>
      <dc:creator>MuddyWater</dc:creator>
    </item>
    <item>
      <title>Pioneer Kitten / Parisite Enables Ransomware Affiliates Against US, Israeli, Gulf Critical Infrastructure</title>
      <link>https://zerodawn.tech/</link>
      <description>Joint CISA / FBI / DC3 advisory AA24-241A disclosed that Iranian-government cyber actors tracked as Pioneer Kitten / Fox Kitten / Lemon Sandstorm / UNC757 (&apos;parisite&apos; in IICT) compromised US, Israeli, UAE, and Azerbaijani organisations and provided initial access to ransomware affiliates (NoEscape, Ransomhouse, ALPHV/BlackCat) for revenue-sharing arrangements. Exploitation chains include CVE-2024-24919 (Check Point Security Gateway), CVE-2024-3400 (PAN-OS GlobalProtect), and Citrix NetScaler vulnerabilities. | Actor: Pioneer Kitten (High confidence) | Campaign type: ransomware | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Wed, 28 Aug 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2024-0008</guid>
      <category>ransomware</category>
      <dc:creator>Pioneer Kitten</dc:creator>
    </item>
    <item>
      <title>Mandiant Exposes Iranian Counter-Intelligence &apos;Optima HR&apos; / &apos;VIP Human Solutions&apos; Persona Operation Against Dissidents and Foreign Intel Personnel</title>
      <link>https://zerodawn.tech/</link>
      <description>Mandiant published &apos;I Spy With My Little Eye&apos;, detailing a long-running Iranian counter-intelligence persona operation that ran fake Israeli HR-recruitment fronts (&apos;Optima HR&apos; 2022–2024 and &apos;VIP Human Solutions&apos; 2017–2023) to identify, lure, and surveil Iranian dissidents, Farsi-speaking diaspora, and personnel adjacent to Hezbollah and Syrian intelligence. Mandiant identified 37 IOC domains, persona infrastructure across Telegram / X / YouTube / Facebook, and a probable Persian-language operator artifact (&apos;miladix&apos;). Mandiant noted possible weak overlap with APT42 tooling but did not formally attribute to a named cluster. | Actor: Unattributed (Moderate confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 28 Aug 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2024-0011</guid>
      <category>espionage</category>
      <dc:creator>Unattributed</dc:creator>
    </item>
    <item>
      <title>Cotton Sandstorm Compromises French Display Provider During 2024 Paris Olympics</title>
      <link>https://zerodawn.tech/</link>
      <description>Cotton Sandstorm (Emennet Pasargad / ASA) compromised a French commercial dynamic display provider during the 2024 Paris Olympics to display anti-Israel photo montages, coordinated with fake news articles and athlete intimidation under a fabricated French far-right persona (&apos;Regiment GUD&apos;). | Actor: Cotton Sandstorm (High confidence) | Campaign type: influence | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Fri, 26 Jul 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2024-0005</guid>
      <category>influence</category>
      <dc:creator>Cotton Sandstorm</dc:creator>
    </item>
    <item>
      <title>Handala Hacktivist Group Distributes HamsaUpdate Wiper via CrowdStrike-Outage-Themed Lures</title>
      <link>https://zerodawn.tech/</link>
      <description>Within 24 hours of the July 19 2024 CrowdStrike Falcon BSOD incident, the Iranian-aligned hacktivist persona Handala distributed PDF lures impersonating CrowdStrike remediation guidance. Targets opening the lure executed HamsaUpdate, a wiper component of the actor&apos;s Hamsa toolkit, against Israeli organisations. | Actor: Handala (Moderate confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Sat, 20 Jul 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2024-0009</guid>
      <category>destructive</category>
      <dc:creator>Handala</dc:creator>
    </item>
    <item>
      <title>Cotton Sandstorm Hack-and-Leak Against Israeli Civil Society</title>
      <link>https://zerodawn.tech/</link>
      <description>Cotton Sandstorm (IRGC) targeted Israeli civil society through hack-and-leak operations, amplifying stolen data via fabricated domestic Israeli social media personas in a coordinated influence campaign. | Actor: Cotton Sandstorm (High confidence) | Campaign type: influence | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Thu, 20 Jun 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2024-0002</guid>
      <category>influence</category>
      <dc:creator>Cotton Sandstorm</dc:creator>
    </item>
    <item>
      <title>Void Manticore + Scarred Manticore Hand-off: &apos;Karma&apos; Persona, BiBi Wiper Variants Against Israel</title>
      <link>https://zerodawn.tech/</link>
      <description>Check Point Research disclosed a coordinated MOIS operation in which Scarred Manticore obtained initial access via internet-facing exploitation, then handed off victims to Void Manticore (Storm-0842) for destruction and leak-site shaming under the &apos;Karma&apos; Telegram persona. New BiBi wiper variants were deployed across multiple Israeli organisations. | Actor: Void Manticore (High confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 08 May 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2024-0007</guid>
      <category>destructive</category>
      <dc:creator>Void Manticore</dc:creator>
    </item>
    <item>
      <title>APT42 Three-Cluster Credential Harvesting and M365 Cloud Infiltration (Mandiant/Google, 2021–2024)</title>
      <link>https://zerodawn.tech/</link>
      <description>Mandiant and Google TAG profiled APT42&apos;s credential harvesting infrastructure and cloud post-compromise operations across three phishing clusters, targeting journalists, government officials, and Israeli/US defense personnel since 2019. | Actor: APT42 (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 01 May 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2024-0004</guid>
      <category>espionage</category>
      <dc:creator>APT42</dc:creator>
    </item>
    <item>
      <title>MuddyWater Deploys MuddyC2Go Against Israeli Targets</title>
      <link>https://zerodawn.tech/</link>
      <description>MuddyWater (Mango Sandstorm) deployed its custom MuddyC2Go C2 framework against Israeli government and telecom targets, marking a shift from commodity tools to bespoke infrastructure. | Actor: MuddyWater (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Fri, 15 Mar 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2024-0001</guid>
      <category>espionage</category>
      <dc:creator>MuddyWater</dc:creator>
    </item>
    <item>
      <title>Microsoft Threat Intelligence: Iran Surges Cyber-Enabled Influence Operations in Support of Hamas — Three-Phase Model (Oct 2023 – Feb 2024)</title>
      <link>https://zerodawn.tech/</link>
      <description>Microsoft&apos;s Feb 26, 2024 strategic synthesis frames Iranian cyber and influence activity since the Oct 7, 2023 Hamas attacks as a three-phase escalation: (1) reactive/misleading (Oct 7 – mid-Oct), with IRGC-affiliated outlets (Tasnim) and Cyber Avengers persona recycling 2022 Moses Staff material to falsely claim Israeli power-plant compromise; (2) all-hands-on-deck (mid-late Oct), with the count of Iranian groups targeting Israel growing from nine in week one to 14 by day 15, introducing genuine destructive capability — Storm-0784/Shahid Kaveh customised ransomware on Israeli security cameras (Oct 18), Storm-1084 BiBi wiper, MOIS-linked Storm-0861/Storm-0842 collaborative destructive ops, Pink Sandstorm (Agrius) hospital data breach; (3) expanded targeting (late-Nov – Dec), spanning Albania (Storm-0861/0842 vs Parliament + national airline + telecom), Bahrain (Cotton Sandstorm &apos;Al-Toufan&apos; persona), Pennsylvania water authority PLC compromise (Nov 25, Cyber Avengers logo on defaced PLC), US companies via Cyber Toufan Al-Aksa, and the December streaming-TV deepfake hijack against UAE/Canada/UK by Cotton Sandstorm&apos;s &apos;For Humanity&apos; persona using an AI-generated news anchor. Microsoft assesses 43% of all Iranian nation-state cyber activity targeted Israel — more than the next 14 countries combined — and a 42% surge in Iranian state-media reach in war week one (28-29% above baseline one month in). Headline judgement: &apos;Microsoft has still not seen clear evidence...indicating Iranian groups had coordinated their cyber or influence operations with Hamas&apos;s plans to attack Israel on October 7.&apos; Strategic concern: deepening collaboration among MOIS-linked Pink Sandstorm and Hezbollah cyber units, and a forecast that the post-Oct-7 operational pattern presages Iranian interference in the Nov 2024 US elections. | Actor: Multi-Actor (High confidence) | Campaign type: influence | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Mon, 26 Feb 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2024-0012</guid>
      <category>influence</category>
      <dc:creator>Multi-Actor</dc:creator>
    </item>
    <item>
      <title>Google TAG: APT42 Steps Up Phishing Against Israel and US — Israeli Defense Officials and US Presidential Campaigns Targeted (Feb–Jul 2024)</title>
      <link>https://zerodawn.tech/</link>
      <description>Google&apos;s Threat Analysis Group reported APT42 (IRGC-aligned) ran a sustained credential phishing campaign Feb–Jul 2024 against Israeli military officials, an aerospace executive, US presidential campaign personnel (both Biden and Trump), and policy researchers at Washington Institute, ISW, and Brookings. Roughly 60% of TAG-observed APT42 geographic targeting in the period hit Israel and the US. Operators used journalist and researcher personas, typosquat domains (understandingthewar[.]org, brookings[.]email), Google Sites + ngrok-fronted petition lures, and phishing kits supporting MFA, device PINs, and recovery codes (GCollection / DWP). One high-profile US political consultant Gmail account was successfully compromised. | Actor: APT42 (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Thu, 01 Feb 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2024-0003</guid>
      <category>espionage</category>
      <dc:creator>APT42</dc:creator>
    </item>
    <item>
      <title>Mint Sandstorm (APT35) Targets Middle East Affairs Researchers at Western Universities</title>
      <link>https://zerodawn.tech/</link>
      <description>Microsoft Threat Intelligence disclosed a Mint Sandstorm (APT35 / Charming Kitten) campaign targeting high-profile academics and researchers working on Middle East affairs at universities in Belgium, France, Gaza, Israel, the UK, and the US. The actor used novel social-engineering pretexts (think-tank invitations, podcast interviews) and a custom backdoor to harvest credentials and collect on-target research material. | Actor: APT35 (High confidence) | Campaign type: espionage | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Wed, 17 Jan 2024 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2024-0010</guid>
      <category>espionage</category>
      <dc:creator>APT35</dc:creator>
    </item>
    <item>
      <title>Predatory Sparrow Disrupts Iranian Fuel Distribution</title>
      <link>https://zerodawn.tech/</link>
      <description>Predatory Sparrow, attributed to Israel, disrupted ~70% of Iran&apos;s fuel distribution network — their third major offensive operation against Iranian critical infrastructure. | Actor: Predatory Sparrow (Moderate confidence) | Campaign type: destructive | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Mon, 18 Dec 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0003</guid>
      <category>destructive</category>
      <dc:creator>Predatory Sparrow</dc:creator>
    </item>
    <item>
      <title>Joint CISA/FBI/NSA/EPA/INCD/CCCS/NCSC Advisory AA23-335A Attributes CyberAv3ngers to IRGC-CEC</title>
      <link>https://zerodawn.tech/</link>
      <description>A multi-government joint advisory (CISA, FBI, NSA, EPA, INCD, Canadian CCCS, UK NCSC) was issued attributing the CyberAv3ngers persona to the IRGC&apos;s Cyber-Electronic Command (IRGC-CEC), specifically the Shahid Kaveh Group, and detailing the November 2023 exploitation of Unitronics Vision Series PLCs across the US Water and Wastewater Sector. The advisory is itself a meta-event — the highest-level public formal attribution of the post-Oct-7 IRGC OT campaign. | Actor: CyberAv3ngers (IRGC-CEC / Shahid Kaveh Group) (High confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Fri, 01 Dec 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0015</guid>
      <category>destructive</category>
      <dc:creator>CyberAv3ngers (IRGC-CEC / Shahid Kaveh Group)</dc:creator>
    </item>
    <item>
      <title>Cotton Sandstorm &apos;For Humanity&apos; AI-Generated Newscaster Hijacks Streaming TV in UAE, Canada, UK</title>
      <link>https://zerodawn.tech/</link>
      <description>MSTIC documented Cotton Sandstorm using an AI-generated newscaster to hijack streaming TV services across the UAE, Canada, and UK — including BBC streams — broadcasting fabricated news of Palestinian casualties from Israeli operations. This is the first Iranian influence operation Microsoft observed using generative AI for video content. | Actor: Cotton Sandstorm (High confidence) | Campaign type: influence | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Fri, 01 Dec 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0016</guid>
      <category>influence</category>
      <dc:creator>Cotton Sandstorm</dc:creator>
    </item>
    <item>
      <title>Pink Sandstorm (Agrius) Hack-and-Leak Against Israeli Hospital — Retaliation Framing for IDF al-Shifa Operation</title>
      <link>https://zerodawn.tech/</link>
      <description>MSTIC documented a Pink Sandstorm (Agrius) hack-and-leak operation against an Israeli hospital in late November 2023. The operation was framed publicly as retaliation for the IDF&apos;s days-long siege of al-Shifa Hospital in Gaza — the first MOIS-attributed cyber operation explicitly linked to a kinetic Gaza event in informational messaging. | Actor: Pink Sandstorm (High confidence) | Campaign type: hack-and-leak | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Mon, 27 Nov 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0012</guid>
      <category>hack-and-leak</category>
      <dc:creator>Pink Sandstorm</dc:creator>
    </item>
    <item>
      <title>Cyber Toufan Releases Israel State Archives PII Trove</title>
      <link>https://zerodawn.tech/</link>
      <description>The Cyber Toufan persona released a separate data trove containing PII of thousands of users associated with the Israel State Archives, in parallel with its serial Signature-IT leaks. The release continued the pattern of high-visibility hack-and-leak operations against Israeli government-adjacent targets. | Actor: Cyber Toufan (Moderate confidence) | Campaign type: hacktivism | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Sat, 25 Nov 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0011</guid>
      <category>hacktivism</category>
      <dc:creator>Cyber Toufan</dc:creator>
    </item>
    <item>
      <title>CyberAv3ngers Four-Wave PLC Campaign: 75+ Devices Compromised at US Critical Infrastructure</title>
      <link>https://zerodawn.tech/</link>
      <description>IRGC-affiliated CyberAv3ngers compromised 75+ Unitronics Vision Series PLCs across US water, energy, food, transport, and healthcare sectors by exploiting default credentials — defacing HMI displays and disrupting operational logic across four campaign waves. | Actor: CyberAv3ngers (High confidence) | Campaign type: hacktivism | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 22 Nov 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0002</guid>
      <category>hacktivism</category>
      <dc:creator>CyberAv3ngers</dc:creator>
    </item>
    <item>
      <title>Cyber Toufan Hacks Signature-IT, Leaks Data of Major Israeli-Operating Brands</title>
      <link>https://zerodawn.tech/</link>
      <description>The pro-Iran hacktivist persona Cyber Toufan (Al-Toufan) breached Signature-IT, an Israeli web-hosting and e-commerce provider, exfiltrating and publicly leaking customer databases from dozens of brands operating in Israel including Toyota Israel, IKEA Israel, SpaceX-affiliated subsidiaries, ACE Hardware, Shefa Online, and others. Cyber Toufan continued daily leak posts through December 2023. | Actor: Cyber Toufan (Moderate confidence) | Campaign type: hacktivism | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Thu, 16 Nov 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0010</guid>
      <category>hacktivism</category>
      <dc:creator>Cyber Toufan</dc:creator>
    </item>
    <item>
      <title>APT42 Phishing Wave Against Israeli and US Officials Researching Iran-Israel Relations</title>
      <link>https://zerodawn.tech/</link>
      <description>Mandiant (Google Threat Intelligence Group) documented an APT42 phishing wave against current and former Israeli and US government officials, plus academic researchers focused on US-Israel relations. The campaign delivered credential-harvesting phishing pages and, in select cases, the NICECURL backdoor. | Actor: APT42 (High confidence) | Campaign type: espionage | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Wed, 01 Nov 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0013</guid>
      <category>espionage</category>
      <dc:creator>APT42</dc:creator>
    </item>
    <item>
      <title>Scarred Manticore LIONTAIL Framework — Long-Running MOIS Espionage Across Middle East Including Israel</title>
      <link>https://zerodawn.tech/</link>
      <description>Check Point Research and Sygnia disclosed Scarred Manticore — an MOIS-linked espionage actor running a custom passive-listener framework (LIONTAIL) on compromised Windows servers since at least 2019. The campaign targets Middle Eastern government, telecom, financial, and military networks, including Israeli organisations. | Actor: Scarred Manticore (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Tue, 31 Oct 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0008</guid>
      <category>espionage</category>
      <dc:creator>Scarred Manticore</dc:creator>
    </item>
    <item>
      <title>BiBi Wiper Deployed Against Israeli Targets</title>
      <link>https://zerodawn.tech/</link>
      <description>Void Manticore deployed BiBi wiper malware (Linux and Windows variants) against Israeli targets following the October 7 Hamas attack — Iran&apos;s first confirmed destructive cyber operation of the current conflict era. | Actor: Void Manticore (High confidence) | Campaign type: destructive | Severity: Critical | TLP: TLP:GREEN</description>
      <pubDate>Mon, 30 Oct 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0001</guid>
      <category>destructive</category>
      <dc:creator>Void Manticore</dc:creator>
    </item>
    <item>
      <title>Shahid Kaveh Group (Storm-0784) Customised Ransomware Against Israeli Security Cameras — First Destructive Post-Oct-7 Iranian Operation</title>
      <link>https://zerodawn.tech/</link>
      <description>MSTIC documented the first observed Iranian destructive operation against Israeli infrastructure after October 7 2023: the IRGC&apos;s Shahid Kaveh Group (Storm-0784) deployed customised ransomware against Israeli security camera infrastructure, while the affiliated &apos;Soldiers of Solomon&apos; persona falsely claimed to have ransomed data at Nevatim Air Force Base. | Actor: Shahid Kaveh Group (High confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 18 Oct 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0009</guid>
      <category>destructive</category>
      <dc:creator>Shahid Kaveh Group</dc:creator>
    </item>
    <item>
      <title>CyberAv3ngers Telegram Persona Claims Wave — Pre-Unitronics Activity Against Israeli Targets</title>
      <link>https://zerodawn.tech/</link>
      <description>Through September and October 2023 the CyberAv3ngers Telegram persona made a series of public claims of attacks against Israeli targets — some verifiable (small-scale defacements, water/fuel facility intrusions), others false or exaggerated. The activity established the persona&apos;s presence ahead of the Nov 22 Unitronics PLC campaign and CISA&apos;s December attribution. | Actor: CyberAv3ngers (High confidence) | Campaign type: signaling | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Wed, 13 Sep 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0014</guid>
      <category>signaling</category>
      <dc:creator>CyberAv3ngers</dc:creator>
    </item>
    <item>
      <title>UNC1549 / Tortoiseshell — Iran-Linked Aerospace and Defense Recruitment Campaign Escalates Against Israel and Middle East</title>
      <link>https://zerodawn.tech/</link>
      <description>Mandiant (Google Threat Intelligence Group) documented a marked 2023 escalation of UNC1549 (Tortoiseshell / Smoke Sandstorm), an IRGC-linked espionage actor specialised in aerospace and defense targeting. The 2023 wave introduced the MINIBUS backdoor (August 2023), advanced the MINIBIKE family to v2.0–2.2, and ran sustained credential-harvesting via fake recruiter websites and Boeing / Teledyne FLIR / DJI login-page spoofs against targets in Israel, UAE, Turkey, and India. | Actor: UNC1549 (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Tue, 01 Aug 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0017</guid>
      <category>espionage</category>
      <dc:creator>UNC1549</dc:creator>
    </item>
    <item>
      <title>Agrius Deploys Moneybird Ransomware-as-Wiper Against Israeli Organisations</title>
      <link>https://zerodawn.tech/</link>
      <description>Check Point Research disclosed that Agrius (Pink Sandstorm, MOIS-linked) deployed a new C++ payload — Moneybird — against Israeli organisations. Moneybird is presented as ransomware but functions as a wiper: encrypted files cannot be reliably recovered even with a key, continuing Agrius&apos;s pattern of destructive operations masquerading as financial crime. | Actor: Agrius (High confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Mon, 01 May 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0006</guid>
      <category>destructive</category>
      <dc:creator>Agrius</dc:creator>
    </item>
    <item>
      <title>Educated Manticore: Iran-Aligned Actor Deploys Improved Arsenal Against Israel</title>
      <link>https://zerodawn.tech/</link>
      <description>Check Point Research documented Educated Manticore — assessed to overlap with APT35/Phosphorus — running an Iraq-themed lure campaign against Israeli targets using Hebrew and Arabic decoy documents and an updated implant chain delivered via ISO containers, marking a tooling-maturity step from prior Phosphorus operations. | Actor: Educated Manticore (Moderate confidence) | Campaign type: espionage | Severity: Medium | TLP: TLP:GREEN</description>
      <pubDate>Tue, 25 Apr 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0005</guid>
      <category>espionage</category>
      <dc:creator>Educated Manticore</dc:creator>
    </item>
    <item>
      <title>Mint Sandstorm Subgroup Refines Tradecraft to Attack High-Value Targets — Rapid N-Day Exploitation + Drokbk / Soldier / CharmPower Against US Critical Infrastructure</title>
      <link>https://zerodawn.tech/</link>
      <description>Microsoft Threat Intelligence (Apr 18, 2023) disclosed that a &apos;technically and operationally mature&apos; subgroup of Mint Sandstorm (Phosphorus / APT35 / Charming Kitten / TA453) has shifted from the slow-iteration credential-phishing tradecraft historically associated with the cluster to rapid N-day exploitation of internet-facing infrastructure, targeting US critical infrastructure organisations including energy companies, transportation systems, seaports, utilities, and the Defense Industrial Base. Microsoft assesses the subgroup is &apos;associated with an intelligence arm of Iran&apos;s military, the Islamic Revolutionary Guard Corps (IRGC).&apos; Headline operational shifts: (1) exploitation of Zoho ManageEngine CVE-2022-47966 the same day a public PoC was released (Jan 19, 2023); (2) exploitation of IBM Aspera Faspex CVE-2022-47986 within five days of public disclosure; (3) continued opportunistic exploitation of Log4Shell (CVE-2021-44228 / CVE-2021-45046); (4) deployment of three custom .NET / PowerShell implants — Drokbk (custom .NET implant with installer; GitHub-README C2 domain rotator), Soldier (more sophisticated multistage .NET successor; same GitHub C2 rotation pattern; can self-uninstall), and CharmPower (modular PowerShell backdoor delivered via Office template injection — OneDrive PDF link → macro-enabled .dotm on Dropbox → remote template → payload); (5) low-volume targeted phishing (&lt;10 organisations per campaign) themed around &apos;security policies affecting countries in the Middle East&apos; against think tanks and universities in Israel, North America, and Europe. Microsoft contextualises the increased operational tempo against Iran&apos;s prior attribution of cyberattacks to Western/Israeli actors (2020 seaport attack, 2021 train disruption, 2021 gas-station compromise) and against structural changes in Iran&apos;s national security apparatus from September 2021. | Actor: Mint Sandstorm (subgroup) (High confidence) | Campaign type: espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Tue, 18 Apr 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0004</guid>
      <category>espionage</category>
      <dc:creator>Mint Sandstorm (subgroup)</dc:creator>
    </item>
    <item>
      <title>Storm-1084 Destructive Attack Against Israeli Organisation Enabled by MuddyWater</title>
      <link>https://zerodawn.tech/</link>
      <description>Microsoft disclosed that Storm-1084 (DarkBit), an MOIS-linked destructive actor, conducted a destructive cyberattack against an Israeli organisation in early 2023, with initial access provided by Mango Sandstorm (MuddyWater). The dual-actor model — espionage actor handing off to a destructive actor — is a hallmark of Iranian operational coordination. | Actor: Storm-1084 (High confidence) | Campaign type: destructive | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Wed, 01 Feb 2023 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2023-0007</guid>
      <category>destructive</category>
      <dc:creator>Storm-1084</dc:creator>
    </item>
    <item>
      <title>OilRig Outer Space (2021) and Juicy Mix (2022) Espionage Campaigns Against Israeli Targets</title>
      <link>https://zerodawn.tech/</link>
      <description>ESET WeLiveSecurity disclosed two consecutive APT34 (OilRig) cyberespionage campaigns running 2021–2022 against Israeli organisations exclusively. Outer Space (2021) introduced the previously undocumented Solar C#/.NET backdoor and the SC5k downloader that abused the Microsoft Exchange Web Services API for C2; Juicy Mix (2022) replaced Solar with the improved Mango backdoor (TLS-encrypted, native API execution) and added CDumper / EDumper / IDumper credential-harvesting tooling. The two campaigns are operationally continuous — same operator, same Israel-only victim set, evolving tooling — and represent the public starting point for APT34&apos;s Israel-focused tradecraft arc that continues through 2024–2026. | Actor: APT34 / OilRig (High confidence) | Campaign type: Espionage | Severity: High | TLP: TLP:GREEN</description>
      <pubDate>Sat, 31 Dec 2022 12:00:00 GMT</pubDate>
      <guid isPermaLink="false">https://zerodawn.tech/#event-IRN-ISR-2022-0001</guid>
      <category>Espionage</category>
      <dc:creator>APT34 / OilRig</dc:creator>
    </item>
  </channel>
</rss>