2026-03-04

Iranian Cyber Threats Against U.S. Critical Infrastructure & Supply Chain

Level: Strategic | Source: Unit 42 | Sectors: Critical Infrastructure, Energy, Financial Services, Healthcare, Government

A Note From Us

Anvilogic is actively monitoring elevated and rapidly evolving Iranian threats directed at U.S. critical infrastructure, supply chains, and allied digital assets. Following coordinated U.S. and Israeli military operations against Iran on February 28, 2026 (Operation Epic Fury | Operation Roaring Lion), state-sponsored and IRGC-aligned threat actors have significantly escalated reconnaissance, espionage, and disruptive cyber operations and threats against U.S., Israeli, U.K., and Gulf Cooperation Council targets.

This advisory synthesizes intelligence from Unit 42 (Palo Alto Networks), Flashpoint, Google Threat Intelligence, CrowdStrike, CISA, and X and Reddit community-sourced reporting to provide situational context, a history of Iranian APT capabilities, CVEs exploited in the past, and concrete defensive recommendations.

Iran has a long, well-documented track record of targeting internet-facing systems — firewalls, VPNs, remote access tools, industrial controllers — as their primary way into networks. They’re patient and methodical. They also routinely work through proxy organizations and hacktivist groups to maintain distance and deniability, which means the threat doesn’t always look like a nation-state attack when it first hits your logs.

What that means for you practically: while your specific exposure depends on your environment, your industry, and your supply chain relationships, the starting point for defense is almost always the same. Harden the edge. Know exactly what’s sitting at your perimeter. Get rid of anything unpatched or end-of-support that’s internet-facing. 

Use the intelligence here to inform your own risk picture. Not every threat profile applies equally to every organization — a financial org and a pharmaceutical company face different parts of this landscape. But the edge hardening guidance applies broadly, and that’s where we’d start.

We will continue to monitor and provide updates as necessary.

🚨 IMMEDIATE THREAT CONTEXT
Iranian cyber espionage has resumed following an initial operational pause during the opening strikes. An estimated 60+ hacktivist groups are active as of March 2, 2026, coordinated through a newly established "Electronic Operations Room" formed February 28. IRGC-aligned actors are conducting DDoS, mobile malware delivery, ICS/SCADA intrusion attempts, credential harvesting, and wiper deployments. U.S. critical infrastructure (energy, finance, healthcare, and industrial control systems) is the primary target category. Anvilogic detections are live and continuously updated.

What Triggered This Escalation

On February 28, 2026, the U.S. and Israel launched coordinated strikes against Iran (Operation Epic Fury / Operation Roaring Lion), targeting senior leadership, missile systems, and air defense infrastructure. Iran’s response was swift and multi-domain, and the conflict has continued to expand since.

Key kinetic developments that directly frame the cyber threat environment:

  • Strikes on Gulf transit infrastructure including Dubai's Jebel Ali port, Al Udeid Air Base (Qatar), and Ali Al Salem Air Base (Kuwait), disrupting critical commercial logistics corridors.
  • Iran's reported blockade of the Strait of Hormuz, triggering global energy market volatility and maritime supply chain disruption.
  • A strike on Saudi Aramco's Ras Tanura facility, signaling direct energy infrastructure targeting as part of an explicit IRGC "war on energy supplies" strategy.
  • Physical impact to an AWS data center in the UAE, demonstrating that commercial cloud infrastructure is no longer insulated from kinetic or cyber spillover.
  • Iran's available internet connectivity dropped to 1-4% following the initial strikes — temporarily constraining the ability of in-country state-aligned threat actors to coordinate sophisticated operations, while potentially pushing autonomous decision-making to cells outside Iran.

What the Research Is Saying (Unit 42, March 2, 2026)

A few key takeaways from Unit 42’s latest threat brief that are worth calling out:

Near-Term State Actor Constraints

Unit 42 assesses that the loss of Iranian internet connectivity and significant degradation of leadership and command structures will likely hinder state-aligned threat actors from coordinating and executing sophisticated cyberattacks in the near term. However, this introduces new risk dynamics:

  • State-aligned cyber units may be acting in operational isolation, potentially deviating from established patterns in unpredictable ways.
  • Iranian command-and-control degradation may lead to tactical autonomy for cells operating outside of Iran — including geographically dispersed operators and affiliated cyber proxies.
  • Other nation-state-aligned threat actors may attempt to exploit the situation to activate their own cyberattacks for independent strategic objectives.

Active Phishing Campaign: Weaponized RedAlert APK

Unit 42 identified an active phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert emergency alert application. The weaponized Android package (APK) delivers mobile surveillance and data-exfiltrating malware, targeting users who download what appears to be a legitimate emergency notification app.

Indicators of Compromise (Unit 42 — March 2, 2026)
See the Indicators of Compromise section at the end of this advisory for actionable IOCs from this campaign.

Electronic Operations Room: Coordinated Hacktivist Ecosystem

On February 28, 2026, a new coordination structure called the "Electronic Operations Room" was established, serving as an umbrella command for Iranian-aligned hacktivist groups. Unit 42 estimates approximately 60 individual groups are currently active — including pro-Russian groups — operating under this broader coalition. The following threat actors have been tracked with confirmed or claimed activity:

Threat Actor | Alignment | Confirmed / Claimed Activity
Handala Hack | MOIS-linked | Compromised Israeli energy exploration co. and Jordan fuel systems; targeted Israeli civilian healthcare; direct death threats against Iranian-American and Iranian-Canadian public figures
Cyber Islamic Resistance | Pro-Iranian umbrella | Coordinates RipperSec, Cyb3rDrag0nzz and others; claimed access to drone defense systems, Israel payment infrastructure, and industrial control systems
FAD Team (Fatimiyoun) | Pro-regime / wiper focus | Unauthorized access to SCADA/PLC systems in Israel and internationally; targeted Turkish media; SQL injection and PII exposure
APT Iran | Pro-Iranian | Hack-and-leak operations; claimed sabotage of Jordan's critical infrastructure
Dark Storm Team | Pro-Palestinian / Iranian | Large-scale DDoS and ransomware; claimed attacks on Israeli banks and websites
Evil Markhors | Pro-Iranian | Credential harvesting; targeting unpatched systems; claimed attack on Israeli bank website
DieNet | Pro-Iranian | DDoS across Middle East; claimed attacks on Bahrain Airport, Sharjah Airport, Riyadh Bank, Bank of Jordan, UAE airport
Sylhet Gang | Pro-Iranian amplifier | DDoS recruitment; claimed targeting of Saudi Ministry of Home Affairs HCM systems
313 Team (Iraq) | Pro-Iranian (Iraq) | Targeted Kuwait Armed Forces, Kuwait Ministry of Defense, Kuwait Government websites
NoName057(16) | Pro-Russian | DDoS against Israeli municipal, political, telecom, and defense entities; coordinating with pro-Iranian groups
Cardinal | Pro-Russian (state-aligned) | Claimed infiltration of IDF networks; posted document referencing “Magen Tsafoni” operational details
Russian Legion | Pro-Russian | Claimed access to Israel's Iron Dome radar systems; alleged real-time monitoring capability

Additional Opportunistic Threat Activity

  • Cybercriminals are exploiting the conflict with UAE-targeted vishing scams, impersonating the Ministry of Interior to harvest Emirates Identification Numbers (EID) from victims.
  • Tarnished Scorpius (aka INC Ransomware), a ransomware-as-a-service group, listed an Israeli industrial machinery company on its leak site — signaling opportunistic ransomware actors are exploiting the geopolitical moment.

Iran’s Cyber Apparatus: Two Decades of Persistent Threat Activity

Iran has spent nearly two decades building one of the most capable and persistent state-aligned cyber ecosystems in the world. This infrastructure expanded significantly following the Stuxnet operation, which accelerated Tehran’s investment in offensive cyber capabilities. Unit 42 tracks various Iranian state-sponsored actors under the constellation name Serpens, and notes these groups could increase or escalate activity in the coming weeks. Operations are anchored primarily in the IRGC and MOIS, spanning espionage, sabotage, influence operations, and criminal collaboration.

Group | Also Known As | Sponsor | Primary Targets | Notable Activity
APT33 / Elfin | Magnallium, Peach Sandstorm | IRGC | Aerospace, Energy, Utilities | Shamoon wiper attacks on Saudi Aramco; ICS/SCADA probing; widespread password-spraying
APT34 / OilRig | Helix Kitten, GreenBug, IRN2 | MOIS | Oil & Gas, Telecom, Government | ZeroCleare wiper (2019); supply chain compromises
APT35 | Charming Kitten, Phosphorus, Magic Hound | IRGC | Dissidents, Military, Healthcare, Policy | Social engineering; credential harvesting; AI-enhanced spearphishing (US, UK, Israel)
APT42 | Agent Serpens | IRGC | Dissidents, Journalists, Academics | Long-term surveillance; rapport-building before credential theft or malware deployment
MuddyWater | Boggy Serpens, Seedworm | MOIS | Gov’t, Defense, Critical Infrastructure | Espionage and destructive ops tied to geopolitical flashpoints; US & EU targeting
Pioneer Kitten | Fox Kitten, Lemon Sandstorm | IRGC | Critical Infrastructure, US & Israel | Edge device exploitation; ransomware collaboration; Pay2Key hack-and-leak
Agrius | N/A | Iran-linked | Israeli & Regional Entities | Wiper malware disguised as ransomware; destructive retaliation campaigns
Dune / Void Manticore | Banished Kitten | MOIS | Israeli Infrastructure, Dissidents | Post-Oct 2023 campaigns combining wiper malware with influence ops

Unit 42 notes that state-sponsored Iranian cyber capabilities are frequently used to project and amplify political messaging using destructive and psychological tactics, with a focus on regional targets (Israel) and high-value targets such as key decision-makers and politicians. Supply chain, critical infrastructure, vendors, and service providers are all explicitly in scope.

Current Threat Activity: What We’re Seeing Now

DDoS & Service Disruption

  • 60+ individual hacktivist groups are active and coordinating through the "Electronic Operations Room," including pro-Russian groups operating in parallel.
  • NoName057(16) and Cyber Islamic Resistance have claimed large-scale DDoS against Israeli defense contractors, municipal entities, and regional banking infrastructure.
  • DieNet has claimed attacks on multiple Gulf airports and banks, targeting UAE, Bahrain, Saudi Arabia, and Jordan.

Mobile Malware & Phishing Campaigns

  • Unit 42 identified an active campaign delivering a weaponized RedAlert emergency app APK targeting Israeli and potentially allied-nation users, designed to harvest data and enable surveillance.
  • Iranian APT35 (Charming Kitten) continues AI-enhanced targeted spearphishing against dissidents, military personnel, policy experts, and healthcare organizations.
  • UAE-targeted vishing scams are impersonating the Ministry of Interior to harvest Emirates ID credentials.

ICS / OT & Industrial Control System Intrusions

  • FAD Team has claimed unauthorized access to SCADA/PLC systems in Israel and multiple other countries via their public Telegram board.
  • Cyber Islamic Resistance claimed access to 130 remote-control systems at an Israeli industrial automation firm.
  • Handala Hack claimed compromise of Jordan's fuel control systems and an Israeli energy exploration company.
  • CrowdStrike confirmed that Hydro Kitten has made specific threats targeting the U.S. financial services sector.

Espionage & Reconnaissance

  • Google Threat Intelligence confirmed that Iranian cyber espionage resumed rapidly after the initial operational pause, suggesting pre-positioning during the kinetic cover.
  • Unit 42 notes that geographically dispersed Iranian operators and affiliated proxies may target governments in regions hosting U.S. military bases to disrupt logistics.
  • Cardinal (pro-Russian) claimed to have infiltrated IDF networks and posted operational documents referencing troop movements and command contacts.

Ransomware & Opportunistic Crime

  • Tarnished Scorpius (INC Ransomware) has listed an Israeli industrial machinery company on its leak site, demonstrating that RaaS actors are exploiting the conflict window.
  • Pioneer Kitten’s established pattern of ransomware collaboration represents ongoing risk to U.S. critical infrastructure organizations.

Critical Vulnerability Context: End-of-Support Edge Devices

On February 5, 2026, CISA issued Binding Operational Directive 26-02, requiring U.S. Federal Civilian Executive Branch agencies to inventory and remove end-of-support (EOS) edge devices. CISA explicitly urges all organizations to take the same action.

Nation-state threat actors — including Iranian APT group Pioneer Kitten — are specifically known to exploit internet-facing edge devices as primary initial access vectors. Edge devices including firewalls, routers, load balancers, VPN gateways, and switches that no longer receive vendor patches are ideal entry points for threat actors seeking persistent network access. Unit 42's tactical recommendations specifically call out ensuring internet-facing infrastructure is fully patched and hardened as a top priority in the current environment.

CISA's directive requires agencies to update supported devices, inventory all EOS devices, remove unsupported hardware from networks, and establish continuous lifecycle management processes. Non-federal organizations should treat this as a direct call to action.

Recommended Actions for Security Teams

The following recommendations are drawn from Unit 42, CISA, and Anvilogic's own detection engineering guidance, prioritized by urgency:

1. Harden Edge Device Posture (Immediate)

  • Inventory all edge devices (firewalls, VPN gateways, routers, load balancers, switches) and flag any running end-of-support software.
  • Apply all available patches immediately — particularly for known exploited vulnerabilities in CISA’s KEV catalog.
  • Remove or isolate EOS devices; eliminate unnecessary external exposure on all internet-facing assets.
  • Prioritize response to any threat signals from internet-facing assets such as websites, VPN gateways, and cloud assets (Unit 42 recommendation).
  • Consider implementing geographic IP address blocking from high-risk regions where legitimate business is not conducted.

2. Elevate ICS / OT Monitoring (Immediate)

  • Segment industrial networks from corporate IT and all public internet access.
  • Audit all remote access pathways into OT/ICS environments and enforce phishing-resistant MFA on all privileged and engineering accounts.
  • Increase monitoring frequency on SCADA/PLC systems — particularly in energy, water, manufacturing, and logistics environments.
  • Validate incident response runbooks for destructive malware and system manipulation scenarios; run tabletop exercises assuming loss of visibility or control.

3. Protect Against Mobile & Social Engineering Threats (Immediate)

  • Warn employees and executives not to download any emergency alert, news, or security apps from unofficial sources — the weaponized RedAlert APK campaign demonstrates this is an active attack vector.
  • Implement strict out-of-band verification for any incoming requests via media or communications channels, verifying through a separate trusted corporate channel (Unit 42 recommendation).
  • Train employees on phishing and social engineering tactics; continuously monitor for suspicious activity targeting executive and privileged accounts.

4. Strengthen Detection Coverage (This Week)

  • Ensure your SIEM/data lake environment has active detections tuned for Iranian APT TTPs — including lateral movement from edge devices, password spraying, and spearphishing.
  • Anvilogic’s detection library includes pre-built scenarios mapped to MITRE ATT&CK techniques associated with APT33, APT34, APT35, MuddyWater, and Pioneer Kitten. Confirm these are active in your environment.
  • Enable or validate detections for wiper malware behaviors (mass file deletion, MBR overwrite, shadow copy removal).
  • Monitor for anomalous outbound traffic from OT/ICS environments — a key indicator of exfiltration or C2 staging.

5. Prepare Breach Response & Communications Plan (This Week)

  • Have a robust communications plan ready to distinguish claims of unauthorized access from confirmed system compromise. Hacktivist groups frequently exaggerate their reach — rapid scoping and verification prevent unnecessary public panic (Unit 42 recommendation).
  • Begin or update business continuity plans for staff or assets that digital or physical attacks could disrupt.
  • Ensure at least one copy of critical data is stored offline (air-gapped) to mitigate wiper and ransomware attacks that target network-accessible backups.

6. Assess Supply Chain & Cloud Exposure (This Week)

  • Identify third-party vendors or suppliers with infrastructure in the Gulf region and assess continuity risk.
  • Confirm geographic redundancy for critical cloud workloads; validate RTO/RPO for Middle East-hosted environments.
  • Model extended disruption to Gulf maritime routes rather than a short-term interruption given the explicit IRGC energy warfare doctrine.

Indicators of Compromise (Unit 42 — March 2, 2026)

The following IOCs were published by Unit 42 in connection with the weaponized RedAlert APK campaign. Block or monitor these in your environment immediately:

Indicator | Type | Description
shirideitch[.]com/wp-content/.../RedAlert.apk | URL / Malicious APK | Weaponized RedAlert emergency app delivering mobile surveillance malware
apl[.]ra-backup[.]com/analytics/submit.php | C2 Endpoint | Command & control exfiltration endpoint for RedAlert malware
bit[.]ly/4tWJhQh | Redirect URL | Short link used to deliver malicious APK payload

Note: the indicators above have been defanged for safe distribution. Restore the bracketed dots to plain dots before loading them into detection tools.
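As an added example (not Anvilogic's or Unit 42's code), the following Python refangs the three IOCs exactly as published above and matches them against constructed proxy log lines. The elided path in the first indicator is treated as a host-only match rather than guessed, and a lookalike domain is included in the sample to show that the check compares hostnames exactly instead of by suffix.

```python
import re
from urllib.parse import urlsplit

# IOCs as published (defanged) on this page; the first path is elided ("...") in the source.
DEFANGED_IOCS = [
    ("shirideitch[.]com/wp-content/.../RedAlert.apk", "url", "Weaponized RedAlert APK"),
    ("apl[.]ra-backup[.]com/analytics/submit.php", "c2", "C2 exfiltration endpoint"),
    ("bit[.]ly/4tWJhQh", "redirect", "Short link delivering the APK"),
]


def refang(value: str) -> str:
    """Undo common defanging: [.] or (.) -> '.', [:] -> ':', hxxp -> http."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"hxxp", "http", value, flags=re.IGNORECASE)


def split_indicator(defanged: str):
    """Return (host, path) for a URL-style IOC; path is None when the source elided it."""
    clean = refang(defanged)
    if "://" not in clean:
        clean = "http://" + clean  # published IOCs carry no scheme
    parts = urlsplit(clean)
    path = None if "..." in parts.path else parts.path
    return parts.hostname.lower(), path


IOCS = [(split_indicator(d), kind, desc) for d, kind, desc in DEFANGED_IOCS]
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def match_line(line: str):
    """Return (kind, description) of the IOC a log line hits, or None."""
    m = URL_RE.search(line)
    if not m:
        return None
    seen = urlsplit(m.group(0))
    host = (seen.hostname or "").lower()
    for (ioc_host, ioc_path), kind, desc in IOCS:
        if host != ioc_host:  # exact host match; lookalike suffixes do not count
            continue
        if ioc_path is None or seen.path == ioc_path:
            return kind, desc
    return None


def scan(lines):
    """Return [(line, (kind, description))] for every line that hits an IOC."""
    return [(line, hit) for line in lines if (hit := match_line(line))]


# Constructed proxy log lines for demonstration; the APK path here is a placeholder.
SAMPLE_LOG = [
    "2026-03-02T09:14:01Z 10.20.4.17 GET https://www.example.com/index.html 200",
    "2026-03-02T09:15:22Z 10.20.4.17 GET https://bit.ly/4tWJhQh 302",
    "2026-03-02T09:15:23Z 10.20.4.17 GET https://shirideitch.com/wp-content/x/RedAlert.apk 200",
    "2026-03-02T09:31:40Z 10.20.4.17 POST http://apl.ra-backup.com/analytics/submit.php 200",
    "2026-03-02T09:40:05Z 10.20.4.31 GET https://apl.ra-backup.com.example.net/ 200",
]

if __name__ == "__main__":
    for line, (kind, desc) in scan(SAMPLE_LOG):
        print(f"[{kind}] {desc}: {line}")
```

The redirect, download, and C2 POST from the same client in sequence is the pattern to pivot on when one of these hits appears.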

How Anvilogic Supports Your Defense

Anvilogic Detection Coverage — Active & Updated
Our threat research and detection engineering teams are continuously monitoring Iranian APT activity and updating detection content in response to the current escalation. If you have questions about specific TTPs, want to validate coverage gaps, or need support tuning detections for your environment, contact your Customer Success Manager or reach our SOC Platform support team directly at support@anvilogic.com.

Anvilogic’s AI SOC Platform provides behavioral detection logic built on MITRE ATT&CK, enabling your team to:

  • Deploy pre-built detection scenarios mapped to Iranian APT techniques without requiring manual rule authoring for each new TTP.
  • Run unified detection across your SIEM and data lake environments, eliminating blind spots from fragmented tooling.
  • Correlate multi-stage attack behaviors across endpoints, network, cloud, and OT telemetry to detect threats that individual point solutions miss.
  • Rapidly update and tune detection logic as new indicators and TTPs emerge from the evolving Iranian threat landscape.

References & Sources

  • Unit 42 (Palo Alto Networks): "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran" (March 2, 2026) — unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
  • Flashpoint Intelligence: "Escalation in the Middle East: Tracking Operation Epic Fury" (March 2, 2026)
  • Cybersecurity Dive: "Iran-linked hackers raise threat level against US, allies" (March 2, 2026)
  • CISA Binding Operational Directive 26-02: Mitigating Risk From End-of-Support Edge Devices (February 5, 2026)
  • CISA / FBI / NCSC Joint Fact Sheet: Reducing the Attack Surface for End-of-Support Edge Devices (February 5, 2026)
  • Quixotic Ronin: "Iranian Hackers: Equal to any WMD and way harder to stop" (March 3, 2026)
  • Google Threat Intelligence Group (John Hultquist) / CrowdStrike (Adam Meyers): Statements via Cybersecurity Dive (March 2, 2026)
  • UK National Cyber Security Centre: Guidance on hacktivist threat posture (March 2026)
