Keymous Plus
Keymous Plus is a pro-Iran/pro-Palestine hacktivist group identified in reporting on the Middle East cyber threat landscape during early 2026. The group is described as operating from Bangladesh as part of a globally distributed ecosystem of pro-Iran-aligned hacktivists. It was one of the most active groups in the February-March 2026 escalation, with reporting attributing 182 incidents to it and describing it as the broadest sustained geographic campaign among pro-Iran/Palestine groups, including operations across six countries in a single week. Its activity in the provided content is primarily DDoS-focused. Reported operations include a coordinated campaign under #Op_Epstein_Gulf targeting government ministries across Bahrain, Kuwait, Jordan, Qatar, Syria, and the UAE, with Check-Host-verified DDoS claims in a single coordinated post. The group also claimed broad DDoS sweeps against Syrian government ministries, including the Presidency, Parliament, and the ministries of Foreign Affairs, Transport, Information, Agriculture, and Defense. It also claimed verified downtime for six Egyptian government targets, including the Egypt Government Portal, Cabinet, Ministry of Interior, Ministry of Finance, Ministry of Petroleum, and Ministry of Water Resources and Irrigation, and later continued that Egypt-focused campaign by claiming Egypt’s Ministry of Interior website remained down. The content states that Keymous Plus led in claimed operation volume alongside DieNet and 313 Team during the first week of the conflict, when government infrastructure was the most targeted sector. It is also mentioned as announcing large-scale intended operations against Israel and India together with Babayo Error System, although the content notes limited technical substantiation for those announced operations. No additional aliases or sub-groups beyond "keymous_plus" / "Keymous Plus" are directly provided in the content.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Utilities
- Banks
- Telecommunication Services
Where they target
Geographies tied to known operations.
- 🇧🇭 Bahrain
- 🇰🇼 Kuwait
- 🇯🇴 Jordan
- 🇶🇦 Qatar
- 🇸🇾 Syria
- 🇦🇪 United Arab Emirates
- 🇪🇬 Egypt
- 🇮🇱 Israel
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Pro-Iran/Palestine threat group conducting a broad geographically distributed campaign across multiple countries.
Named as another highly active pro-Iranian hacktivist group during the March 2026 escalation, involved in DDoS claim activity against regional targets.
High-volume disruptive actor running geographically expanding DDoS sweeps across Gulf and regional government targets, while also making sensitive breach claims such as alleged access to Israel’s Ministry of Education portal.
Pro-Iran hacktivist group operating from Bangladesh as part of Iran’s globalized recruitment ecosystem.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.