Hacktivist Campaigns Surge Amid US-Iran-Israel Tensions
Hacktivist activity has increased as tensions involving the United States, Iran, and Israel intensify, according to Sophos threat research. The reported campaigns indicate a rise in politically motivated cyber operations tied to the regional conflict, with threat actors using disruptive and influence-focused tactics to target organizations and amplify geopolitical messaging.
The activity reflects a broader pattern in which international crises quickly spill into cyberspace, raising the risk of website defacements, distributed denial-of-service attacks, and other opportunistic intrusions against public- and private-sector targets. Sophos said the escalation underscores the need for organizations with exposure to the region or to politically sensitive sectors to monitor for hacktivist threats and strengthen defensive readiness.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Secureworks links Abraham's Ax to Moses Staff
Secureworks published research assessing that the threat activity tracked as Abraham's Ax was likely connected to the Moses Staff group. This introduced a specific attribution development separate from broader reporting on rising hacktivist activity tied to regional tensions.
DarkOwl assesses Ashab al-Yamin as part of Iranian-aligned Telegram network
DarkOwl published analysis concluding that Harakat Ashab al-Yamin al-Islamia, which surfaced in early 2026 claiming attacks in Europe, is better understood as a front identity or media node within a broader Iranian-aligned Telegram ecosystem rather than a clearly distinct organization. The report cited fragmented channels, reposting overlap, and shared propaganda artifacts as indicators of coordinated amplification across affiliated networks.
Sophos reports rise in hacktivist campaigns tied to U.S.-Iran-Israel tensions
Sophos published research stating that hacktivist activity had increased as conflict involving the United States, Iran, and Israel intensified. The reference does not provide specific underlying incident dates, so the publication date is used as the event date.
Cyber operations accompany U.S.-Israeli strikes on Iran
On February 28, cyber operations reportedly accompanied coordinated U.S.-Israeli airstrikes on Iran. Reported effects included compromise of the BadeSaba religious calendar app, defacements of Iranian news sites, attacks on government and military services, and major disruption to Iranian communications during a near-total internet blackout.
Hacktivists launch DDoS attacks on U.S. targets after Iran bombings
Cyble reported that hacktivist groups launched distributed denial-of-service attacks against U.S. targets following bombings involving Iran. This reflects a specific campaign development tied to regional geopolitical escalation, distinct from later attribution and trend reporting.
X bans Handala hacking group's account
X suspended the account of the pro-Palestinian hacking group Handala as U.S. officials publicly criticized Iran over cyberattacks. The action marked an earlier platform and policy response tied to the broader cyber activity later associated with regional tensions.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Harakat Ashab al-Yamin al-Islamia: New Group or Broader Network
darkowl.com
Open sourceIran actors’ claims raise questions about larger cyber threat to US, allies | Cybersecurity Dive
cybersecuritydive.com
Open sourceIsraeli, US strikes against Iran triggers a surge in hacktivist activity | Intel 471
intel471.com
Open sourceFalconFeeds.io Blog | Latest Cyber Threat Intelligence & Security Insights
falconfeeds.io
Open sourceIran's cyberwar has begun
theregister.com
Open sourceHacktivists Launch DDoS Attacks At U.S. Following Iran Bombings
cyble.com
Open source‘Pro-Palestine’ hacking group banned on X as US criticizes Iran over cyberattacks | The Record from Recorded Future News
therecord.media
Open sourceAbraham's Ax Likely Linked to Moses Staff | SOPHOS
secureworks.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Surge in Iran- and Russia-Aligned Hacktivist Activity Following U.S.-Israeli Strikes on Iran
Following recent U.S.-Israeli kinetic strikes on Iranian targets, reporting indicates a spike in cyber activity tied to the **#OpIsrael** campaign, including collaboration between Iran-linked operators and pro-Russia hacktivist groups targeting organizations in the U.S., Israel, and the broader region. Activity cited includes **DDoS** operations attributed to Iran’s **Cyber Islamic Resistance** working alongside **NoName057(16)** against an Israeli defense contractor and municipal entities, plus additional claimed intrusions against Israeli organizations and a wider set of targets (including a Pennsylvania town and various educational entities abroad) associated with groups such as **FAD Team**. FortiGuard Labs assesses that, despite heightened concern about state-directed retaliation, there is **limited evidence so far of a large-scale, coordinated Iranian cyber response** directly tied to the strikes. Instead, observed activity is characterized as a surge of *loosely affiliated hacktivism* and “geopolitical noise,” including defacements, opportunistic intrusion attempts, broadcast/media disruptions, internet connectivity issues inside Iran, and increased Telegram-based claims of attacks across the region; FortiGuard notes there is **no confirmed evidence** at this time of destructive Iranian **wiper** campaigns or large-scale retaliatory critical infrastructure attacks, while warning the risk could escalate based on historical patterns.
Mar 21, 2026
Cyber Operations Escalate Following US-Israeli Strikes on Iran
Military strikes by the United States and Israel against Iranian targets on **February 28, 2026** were followed within hours by a sharp escalation in cyber activity across the Middle East. Reporting describes widespread **DDoS attacks, website compromises, defacements, and breach claims**, with more than 150 hacktivist incidents reportedly claimed in the first two days of the crisis. Iranian connectivity was heavily disrupted, including outages affecting **IRNA**, while **Tasnim News** was reportedly compromised and displayed anti-regime messaging. The most affected sectors were identified as **government, aerospace and defense, and technology**, and regional states including **Israel, Kuwait, Jordan, Bahrain, Qatar, and the UAE** saw elevated cyber pressure. The surge also expanded beyond immediate regional targets, with security reporting warning that the conflict was driving attacks against global commercial sectors such as **travel, hospitality, and energy**. One cited example was a **March 11** claim by **Handala**, a hacktivist group alleged to have ties to Iranian intelligence, that it had conducted a large-scale **data-wiping attack** against medical technology company **Stryker**, allegedly destroying several terabytes of data. Additional reporting noted unconfirmed concerns that Iranian-linked actors could target the physical and digital infrastructure of major U.S. technology firms. The activity reflects a broader pattern of **geopolitically motivated cyber operations** acting as a force multiplier alongside kinetic conflict, rather than a standalone marketing or advisory narrative.
May 6, 2026
Iran–Israel–US conflict triggers rapid hacktivist mobilization and elevated DDoS risk to government and critical infrastructure
Cyber activity surged immediately following joint **U.S.–Israel strikes on Iran** (described as *Operation Epic Fury*), with reporting indicating a fast-moving “cyber swarm” of hacktivists and aligned collectives conducting disruption, influence messaging, and broad cyber claim activity within hours of the kinetic events. A day-by-day Telegram-focused timeline described early **DDoS campaigns against Israeli government sites** expanding into a wider coalition of **pro-Iranian, pro-Palestinian, and Russian-aligned** groups targeting additional regions and sectors, including Gulf states, Europe, and the U.S., with increasing attention on **critical infrastructure**; examples cited include claims of DDoS disruption against Israeli commercial, defense-adjacent, and energy-related entities (e.g., an oil company and an advanced defense firm), sometimes accompanied by third-party availability “verification” links. U.S. state and local governments were separately warned by **MS-ISAC** to expect heightened “low-level” activity—particularly **DDoS**—in the wake of the Iran-related escalation, and were urged to harden internet-facing and cloud services (e.g., remediation of critical/cloud infrastructure, use of firewalls/CDNs, and reducing exposed employee/organizational data). In parallel, a critical-infrastructure-focused interview tied to an upcoming OT security summit reiterated that energy, water, pipeline, and ICS environments face persistent probing by state adversaries and that “low-cost entry” cyber operations can be used to test and disrupt mission-critical systems; while not specific to the Iran conflict, it reinforces the broader risk context for OT operators amid heightened geopolitical tensions.
Apr 22, 2026