According to a report published by Radware, 149 separate DDoS attack claims were documented between February 28 and March 2, 2026. These incidents targeted 110 distinct organizations spanning 16 countries. Twelve different groups participated in the activity. Three of them, Keymous+, DieNet, and NoName057(16), were responsible for 74.6 percent of the total claims. Radware further noted that Keymous+ and DieNet alone accounted for nearly 70 percent of activity during that period.
The earliest attack in this wave was attributed to Hider Nex, also known as the Tunisian Maskers Cyber Force, on February 28. Information shared by Orange Cyberdefense describes Hider Nex as a Tunisian hacktivist collective aligned with pro-Palestinian causes. The group reportedly employs a dual strategy that combines service disruption with data theft and public leaks to amplify political messaging. Researchers trace its emergence to mid-2025.
Geographically, 107 of the 149 DDoS claims were directed at organizations in the Middle East, where government bodies and public infrastructure entities were disproportionately affected. Europe accounted for 22.8 percent of the global targeting during the same timeframe. By sector, government institutions represented 47.8 percent of all affected entities worldwide. Financial services followed at 11.9 percent, while telecommunications organizations accounted for 6.7 percent.
Within the Middle East, three countries experienced the highest concentration of reported activity. Kuwait accounted for 28 percent of regional attack claims, Israel represented 27.1 percent, and Jordan comprised 21.5 percent, according to Radware’s analysis.
Threat intelligence from Flashpoint, Palo Alto Networks Unit 42, and Radware identified additional groups engaged in disruptive campaigns, including Nation of Saviors, Conquerors Electronic Army, Sylhet Gang, 313 Team, Handala Hack, APT Iran, Cyber Islamic Resistance, Dark Storm Team, FAD Team, Evil Markhors, and PalachPro.
The cyber activity extended beyond DDoS operations. Pro-Russian hacktivist collectives Cardinal and Russian Legion publicly claimed breaches of Israeli military networks, including the Iron Dome missile defense system. These assertions have not been independently verified.
Separate threat reporting identified an active SMS-based phishing operation distributing a counterfeit version of Israel’s Home Front Command RedAlert mobile application. Victims were reportedly persuaded to install a malicious Android package disguised as a wartime update. Once installed, the application displayed a functional alert interface while covertly deploying surveillance and data-exfiltration capabilities.
Flashpoint also reported that Iran’s Islamic Revolutionary Guard Corps targeted energy and digital infrastructure sectors in the Middle East, including Saudi Aramco and an Amazon Web Services data center in the United Arab Emirates. Analysts assessed that the intent was to impose broader economic pressure in response to military losses.
Researchers at Check Point observed that Cotton Sandstorm, also known as Haywire Kitten, revived a previous online identity called Altoufan Team and claimed responsibility for website compromises in Bahrain. The firm described the activity as reactive and warned of the likelihood of further involvement across the region.
Data from Nozomi Networks shows that the Iranian state-linked group UNC1549, also tracked as GalaxyGato, Nimbus Manticore, and Subtle Snail, ranked as the fourth most active threat actor in the second half of 2025. Its campaigns focused on defense, aerospace, telecommunications, and government entities in support of national strategic objectives.
Economic signals have also reflected the instability. Major Iranian cryptocurrency exchanges remain operational but have introduced adjustments such as batching or temporarily suspending withdrawals and issuing advisories about potential connectivity disruptions. Ari Redbord, Global Head of Policy at TRM Labs, stated that the situation does not yet indicate large-scale capital flight, but rather market volatility managed under connectivity constraints and regulatory intervention. He noted that Iran has long relied in part on cryptocurrency infrastructure to circumvent sanctions, and current conditions represent a real-time stress test of that system.
Despite the heightened online activity, Sophos reported that the increase in hacktivist operations has not been matched by a corresponding escalation in confirmed impact. The firm cited DDoS attacks, website defacements, and unverified compromise claims attributed largely to pro-Iran personas, including Handala Hack and APT Iran.
The National Cyber Security Centre has warned organizations of elevated Iranian cyber risk and advised strengthening defenses against DDoS campaigns, phishing activity, and threats targeting industrial control systems.
Cynthia Kaiser of Halcyon, formerly Deputy Assistant Director of the Federal Bureau of Investigation’s Cyber Division, stated that Iran has historically used cyber operations to retaliate against perceived political provocations and has increasingly incorporated ransomware into its playbook. She added that Tehran’s tolerance of private cybercriminal actors provides strategic options when responding to geopolitical events.
SentinelOne assessed with high confidence that organizations in Israel, the United States, and allied nations are likely to face direct or indirect targeting, particularly across government, critical infrastructure, defense, financial services, academic, and media sectors.
Nozomi Networks further emphasized that Iranian threat actors have a history of blending espionage, disruption, and psychological operations to achieve strategic objectives. During periods of instability, such campaigns often intensify and extend beyond immediate conflict zones.
To mitigate risk amid the ongoing conflict, security experts recommend maintaining continuous monitoring aligned with elevated threat conditions, updating threat intelligence signatures, minimizing external exposure, conducting comprehensive reviews of connected assets, enforcing strict segmentation between information technology and operational technology networks, and isolating Internet-of-Things devices.
Adam Meyers, head of Counter Adversary Operations at CrowdStrike, noted that Iranian cyber actors have historically synchronized digital campaigns with broader strategic goals. He added that these adversaries have evolved beyond traditional network intrusions, expanding into cloud and identity-focused operations capable of operating rapidly across hybrid enterprise environments with greater scale and impact.
As tensions persist, analysts caution that cyberspace is likely to remain an active parallel arena of confrontation, requiring sustained vigilance from organizations across affected and allied regions.
