The PolySwarm Blog


Cyber Strategy Under Fire: Iranian APT and Proxy Retaliation Risks

Mar 6, 2026 1:24:51 PM / by The Hivemind


Executive Summary

On February 28th, US and Israeli military forces conducted a coordinated and multifaceted attack on Iran. Known as Operation Epic Fury by the Americans and Operation Lion’s Roar by the Israelis, the objective was to neutralize a long-term threat and prevent the Iranian regime from obtaining nuclear missiles. As with any conflict involving Iran, practitioners monitoring the cybersecurity threat landscape expect kinetic warfare to spill over into the cyber realm and wait with bated breath to see what retaliatory attacks may occur. As of early March 2026, the conflict remains active, with ongoing strikes, regional disruptions, and uncertain regime stability.

Key Takeaways

  • US and Israeli kinetic and cyber strikes have significantly disrupted Iran’s command structure, internet infrastructure, and near-term ability to conduct coordinated state-directed cyber operations.
  • Despite leadership upheaval and blackouts, Iran’s asymmetric doctrine suggests cyber retaliation remains likely, primarily through proxies, hacktivist fronts, and semi-autonomous APT elements.
  • Iranian-aligned groups such as Charming Kitten, OilRig, Static Kitten, Moses Staff, and CyberAv3ngers retain tradecraft capable of phishing, ransomware, wipers, OT disruption, and influence operations.

Background

Escalation of tensions between Iran and the US/Israel began with the Twelve-Day War in June 2025, when Israel launched major airstrikes on Iranian nuclear and military facilities, killing top leaders and damaging infrastructure. Iran retaliated with missile and drone barrages on Israeli cities. The US intervened days later, striking key nuclear sites including Natanz, Fordow, and Isfahan under Operation Midnight Hammer, claiming significant degradation of Iran's nuclear program. A US-brokered ceasefire ended the fighting on June 24, but tensions persisted amid failed nuclear talks and Iranian protests.

By early 2026, diplomacy collapsed, with Iran advancing uranium enrichment and facing internal unrest. On Saturday February 28th, US and Israeli military forces conducted a coordinated and multifaceted attack on Iran. Known as Operation Epic Fury by the Americans and Operation Lion’s Roar by the Israelis, the objective was to neutralize a long-term threat and prevent the Iranian regime from obtaining nuclear missiles. As with any conflict involving Iran, practitioners monitoring the cybersecurity threat landscape expect kinetic warfare to spill over into the cyber realm and wait with bated breath to see what retaliatory attacks may occur. As of early March 2026, the conflict remains active, with ongoing strikes, regional disruptions, and uncertain regime stability.

Iran has already made moves to retaliate, primarily via kinetic attacks leveraging missiles and drones. So far, Iran has targeted multiple nations in the region, some of which have military or strategic alliances with the US and Israel. In the last few days, Iran has directly targeted Israel, Jordan, Bahrain, Qatar, UAE, Kuwait, Saudi Arabia, Iraq, Oman, Cyprus and others, and continues to issue threats to the US and Israel.

Iran’s Approach to Cyberwar

Iran emphasizes asymmetric tactics in conflicts, where mismatched opponents exploit each other’s vulnerabilities through unconventional methods. This includes launching attacks that hinder retaliation due to legal constraints and employing proxy hacker groups to bolster limited conventional power. Additionally, Iran incorporates psychological elements, such as public statements about relaxing online restrictions, which may serve as disinformation to divert attention while ramping up regime-aligned cyber intrusions.

Historically, Iran has had a robust cyber operations arsenal. APT groups have posed a threat to the US, Israel, and their allies worldwide as well as to any opposition within Iran. Key elements of Iran’s cyber framework include building safeguards for national systems, tools to curb internal dissent, aggressive measures against foreign digital targets in the West, and efforts to reduce external, primarily Western, cultural impacts. It is also worth noting from an analyst’s perspective that Iran’s cyber activity often appears to be reactive rather than proactive.

The Usual Suspects For Retaliatory Attacks

The following is an overview of Iran-nexus APT groups known to exhibit activity within the past two years. Any cyber threat actors conducting retaliatory activity in an official capacity on behalf of Iran are likely to belong to these threat actor groups or related groups.

Charming Kitten

Charming Kitten, active since 2014 and linked to the IRGC, specializes in espionage through spear-phishing with fake personas and compromised emails to deliver POWERSTAR malware, exploiting Microsoft Exchange vulnerabilities, deploying Android malware, and using password-spraying. Recently in 2024, they targeted US election accounts and Israeli cybersecurity experts with phishing via benign PDFs for credential harvesting; in June 2025, they attacked Israeli academics for espionage purposes.

Refined Kitten

Refined Kitten, also known as Peach Sandstorm, has been active since 2013 and linked to the IRGC, focusing on destructive attacks and espionage via spear-phishing to deliver SHAMOON wiper malware, exploiting industrial control systems, and using custom droppers like POWERTON for satellite communications targeting. In 2024, they compromised a US local government in a swing state and deployed Tickler malware against US and UAE satellite, government, and energy sectors.

Imperial Kitten

Imperial Kitten, active since 2015 and linked to the IRGC, engages in espionage and dissident monitoring through spear-phishing with malicious links to deliver VINETHORN malware, exploiting Android vulnerabilities, and using cloud-based C2 servers. In 2024, they targeted US election accounts and Israeli NGOs with phishing using benign PDFs; in 2023, they struck Israel’s tech and transportation sectors.

Static Kitten

Static Kitten, active since 2017 and associated with Iran’s MOIS, performs espionage via spear-phishing with malicious documents to deliver POWERSTATS malware, utilizing open-source tools, exploiting Microsoft Office vulnerabilities, and deploying PowerShell backdoors. In 2024, they employed DarkBeatC2 and BugSleep backdoors in phishing campaigns targeting Israeli entities.

Pioneer Kitten

Pioneer Kitten, active since 2017 and linked to the IRGC, conducts ransomware attacks and espionage by exploiting VPN/firewall vulnerabilities like CVE-2019-11510, deploying ransomware, using SSH tunneling, and harvesting credentials.

Tortoiseshell

Tortoiseshell, active since 2018 and linked to the IRGC, engages in espionage through spear-phishing with job-themed lures to deliver MINIBIKE/MINIBUS backdoors, leveraging cloud infrastructure like Azure for C2, and targeting supply chains. In 2024, they targeted Israeli aerospace with phishing campaigns posing as the “Bring Them Home Now” movement to deploy MINIBUS.

Curious Serpens

Curious Serpens, active since 2020 and suspected of IRGC ties, focuses on espionage using spear-phishing with tailored lures, exploiting zero-day vulnerabilities, deploying custom backdoors, and targeting supply chains. In June 2025, they attacked Israeli defense contractors through phishing and supply chain compromises.

Haywire Kitten

Haywire Kitten, also known as Cotton Sandstorm, has been active since 2018, employing spear-phishing with malicious documents to deliver DNSpionage malware, exploiting Microsoft Exchange vulnerabilities, and using PowerShell scripts. In 2024, operating as Aria Sepehr Ayandehsazan, they hacked Israeli IP cameras and a French provider to protest Israel’s Olympics participation, incorporating AI for influence operations.

Remix Kitten

Remix Kitten, active since 2014 and associated with Iran’s MOIS, conducts espionage via spear-phishing with malicious attachments to deliver custom malware, exploiting Microsoft Exchange vulnerabilities like ProxyShell, using remote access tools for persistence, and harvesting credentials. In 2024, they targeted Middle Eastern telecommunications by exploiting ProxyShell to steal data.

OilRig

OilRig, active since 2014 and linked to Iran’s MOIS, specializes in cyberespionage with modular malware, PowerShell-based tools, DNS tunneling for C2, custom backdoors like Helminth and QUADAGENT, exploiting vulnerabilities, and using stolen credentials for lateral movement. In 2025, they targeted US transportation and manufacturing organizations, evolving tactics after a 2019 tool leak to enhance credential theft and network persistence.

Nemesis Kitten

Nemesis Kitten, active since 2021 and suspected of IRGC affiliation, engages in ransomware attacks disguised as hacktivism by deploying ransomware with hacktivist branding, exfiltrating data before encryption, and leaking it on websites or social media for psychological impact. From 2024-2025, they combined encryption attacks with fear-mongering messages to undermine confidence in US critical infrastructure and other targets.

Iran’s Cyber Capabilities Face Setbacks

At this time, based on OSINT, it appears the attacks on Iran may have severely disrupted Iran’s cyber capabilities. This has affected Iran’s network infrastructure, its leadership hierarchy, and its intelligence capabilities. Quantifying setbacks in cyber programs is inherently speculative, as it involves rebuilding hardware, networks, human expertise, and codebases, factors more distributed than traditional military assets. Based on analogous events like Stuxnet, the current multi-domain assault could delay Iran's cyber maturation by roughly 1-3 years.

Infrastructure Disruption

Iran has been experiencing a near-total internet blackout, with connectivity dropping to single-digit percentages of normal levels. Monitoring groups and analysts link this both to intentional regime blackout policies and possible infrastructure damage from cyber and kinetic strikes.

According to General Dan Caine, Chairman of the US Joint Chiefs of Staff, “The first movers were USCYBERCOM and USSPACECOM, layering non-kinetic effects, disrupting and degrading and blinding Iran's ability to see, communicate and respond… Coordinated space and cyber operations effectively disrupted communications and sensor networks across the area of responsibility, leaving the adversary without the ability to see, coordinate, or respond effectively… Across every domain, land, air, sea, cyber, the US Joint Force delivered synchronized and layered effects designed to disrupt, degrade, deny and destroy Iran's ability to conduct and sustain combat operations.”

This has led to leadership communication breakdowns, segmented national intranet failures, and unstable critical services, effectively hampering coordinated offensive cyber operations in the short term.

Based on monitoring from NetBlocks and Cloudflare, the following major Iranian ASNs are likely among those disrupted in the current event:

  • AS58224 (Telecommunication Company of Iran - TCI): Iran's largest fixed-line provider, handling much of the national backbone; traffic volumes have reportedly fallen to near zero in affected areas.
  • AS197207 (Mobile Communication Company of Iran - MCCI): A primary mobile network that has seen sharp declines in connectivity during shutdowns.
  • AS44244 (IranCell): Another major mobile operator, with similar outages noted in real-time data.

The ongoing internet blackout in Iran can make it easier for the US or Israeli military and intelligence agencies to monitor outgoing internet traffic from the country. During such shutdowns, Iran's regime typically implements a "whitelisting" system, where only a select few government-approved networks, datacenters, and users retain access. This drastically reduces overall traffic volume, currently at around 1-4% of normal levels, inverting the signal-to-noise ratio and creating a bottleneck effect. Everyday civilian or benign communications drop off, making the remaining activity, which is more likely tied to regime operations, stand out and easier to fingerprint, track, and analyze for patterns or intent.

For instance, APT groups linked to Iran often use innocuous government infrastructure as cover for cyberattacks. In a blackout, these become the primary exit nodes, revealing their true purpose rather than blending into normal traffic. This aligns with historical patterns from Iran's previous shutdowns, where limited connectivity exposed key paths used by state-sponsored threat actors. The blackout also serves as a defensive measure for Iran, limiting external reconnaissance and cyberattacks against its own infrastructure by reducing the attack surface. Overall, the net effect leans toward enhanced monitoring opportunities for entities like the US, as the sparse, prioritized traffic becomes more conspicuous in global networks.
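An added example (not from the original post): a triage pass over perimeter logs that applies the reasoning above from the defender's side, listing which sources in the three named ASNs still reach your network once the blackout begins. The log format, the pre-enriched `src_asn` field, the cutoff date, and all sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# ASNs named in the article above.
WATCHED_ASNS = {58224: "TCI", 197207: "MCCI", 44244: "IranCell"}

# Assumed cutoff separating "normal" from "blackout" traffic in the sample.
BLACKOUT_START = datetime(2026, 2, 28)

# Constructed sample log (documentation IP ranges, not real observations).
# AS64500 is a reserved documentation ASN standing in for unrelated traffic.
SAMPLE_LOG = """\
ts,src_ip,src_asn,dst_port
2026-02-20T08:01:00,192.0.2.10,58224,443
2026-02-20T08:05:00,192.0.2.11,58224,443
2026-02-21T09:12:00,192.0.2.12,58224,443
2026-02-21T10:30:00,192.0.2.13,58224,80
2026-02-22T11:00:00,192.0.2.14,58224,443
2026-02-22T12:45:00,198.51.100.1,197207,443
2026-02-23T13:10:00,198.51.100.2,197207,80
2026-02-24T14:20:00,203.0.113.5,44244,443
2026-02-25T15:00:00,203.0.113.77,64500,443
2026-03-02T03:14:00,192.0.2.12,58224,443
2026-03-02T03:15:00,192.0.2.12,58224,22
2026-03-03T04:40:00,198.51.100.9,197207,25
2026-03-03T05:00:00,203.0.113.77,64500,443
"""


def triage(log_text, cutoff=BLACKOUT_START):
    """Return (summary, findings) for watched-ASN traffic around the cutoff."""
    before = defaultdict(set)                      # asn -> source IPs pre-cutoff
    after = defaultdict(lambda: defaultdict(set))  # asn -> ip -> dst ports

    for row in csv.DictReader(io.StringIO(log_text)):
        asn = int(row["src_asn"])
        if asn not in WATCHED_ASNS:
            continue  # unrelated networks are out of scope for this triage
        if datetime.fromisoformat(row["ts"]) < cutoff:
            before[asn].add(row["src_ip"])
        else:
            after[asn][row["src_ip"]].add(int(row["dst_port"]))

    summary, findings = {}, []
    for asn, name in WATCHED_ASNS.items():
        # Distinct-source counts show how far each network has thinned out.
        summary[name] = {
            "sources_before": len(before[asn]),
            "sources_during": len(after[asn]),
        }
        for ip, ports in sorted(after[asn].items()):
            findings.append({
                "asn": asn,
                "network": name,
                "src_ip": ip,
                "dst_ports": sorted(ports),
                # True when this source also appeared before the cutoff.
                "seen_before": ip in before[asn],
            })
    return summary, findings


if __name__ == "__main__":
    summary, findings = triage(SAMPLE_LOG)
    for name, counts in summary.items():
        print(name, counts)
    for finding in findings:
        print(finding)
```

With real data, the `seen_before` flag separates long-standing sources from ones that first appear only after most of their network has gone dark.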

Leadership Upheaval

Based on official US and Israeli reports, it appears the following individuals in Iran’s political and military hierarchy have been eliminated:

  • Ayatollah Ali Khamenei, Supreme Leader of Iran
  • Ali Shamkhani, Senior Advisor to the Supreme Leader and former Secretary of the Supreme National Security Council
  • Mohammad Pakpour, Commander of the IRGC Ground Forces
  • Abdolrahim Mousavi, Chief of Staff of the Armed Forces
  • Aziz Nasirzadeh, Minister of Defense
  • Hossein Salami, IRGC Commander-in-Chief
  • Mohammad Bagheri, Chief of Staff of the Armed Forces
  • Amir Ali Hajizadeh, Commander of the IRGC Aerospace Force
  • Esmail Qaani, Commander of the IRGC Quds Force
  • Mohammad Shirazi, Head of the Supreme Leader’s Military Bureau
  • Gholamali Rashid, Head of the Khatam al-Anbiya Central Headquarters
  • Hassan Jalali, Commander of the Air Defense Force
  • Mohsen Fakhrizadeh, Director of the Organization of Defensive Innovation and Research (SPND)
  • Javad Pourhossein, Head of Foreign Espionage Division in the Intelligence Ministry
  • Saleh Asadi, High-Ranking Intelligence Official

Among these individuals were key IRGC commanders with potential cyber ties:

  • Mohammad Pakpour (IRGC Commander-in-Chief): Confirmed killed in the initial strikes on February 28, 2026, at Khamenei's compound in Tehran. Pakpour, who assumed the top IRGC role after Hossein Salami's death in the 2025 Israel-Iran conflict, oversaw the IRGC's broad operations, including its Electronic Warfare and Cyber Defense Organization (IRGC-CEC). This unit handles Iran's offensive and defensive cyber activities, such as state-sponsored hacking, electronic warfare integration with missile programs, and infrastructure disruptions. While Pakpour's background was primarily in ground forces and internal security, his position as IRGC chief gave him command authority over cyber elements, including coordination during recent escalations.
  • Abdolrahim Mousavi (Armed Forces General Staff Chief): Killed on March 1, 2026. As head of the AFGS, Mousavi coordinated between the IRGC and conventional army, including joint cyber initiatives. Reports from his tenure highlight involvement in enhancing Iran's cyber infrastructure alongside missile and drone programs, though his role was more strategic than specialized in cyber.
  • Ali Shamkhani (Supreme National Security Council Secretary and Top Security Advisor): Eliminated alongside Khamenei. Shamkhani influenced Iran's overall security strategy, including cyber retaliation plans against US and Israeli targets. His role in the 2025 war involved overseeing asymmetric responses, which encompassed cyber operations.

Iran's cyber capabilities are primarily managed under the IRGC-CEC, which reports to the IRGC commander and integrates with other branches for hybrid warfare. Eliminated leaders like Pakpour and Mousavi were part of the chain of command that directed these efforts, especially in the lead-up to and during the current conflict, where cyber has played a role in disruptions. These strikes have disrupted Iran's command-and-control, potentially weakening coordinated cyber retaliation. Iran has since appointed Ahmad Vahidi as the new IRGC commander, a veteran with ties to the Quds Force, but his cyber involvement remains unclear.

Intelligence Hindered

As noted above, multiple high-ranking IRGC intelligence officials were lost in the attacks. Reports indicate Iran's intelligence agencies were "decimated," which likely extends to cyber oversight, disrupting strategic direction and resource allocation. However, lower-level APTs operate semi-autonomously and may not be as affected. Due to reduced intelligence capabilities, which likely had an impact on their cyber intelligence as well, choosing what targets to strike and when becomes an issue. Effective strategy relies on good intelligence. As a result, Iranian threat actors likely have neither the capacity nor the direction to do anything significant at the moment without painting targets on themselves.

Iran’s Proxies and Allies

With Iran’s cyber capabilities potentially hindered in the short term, retaliatory cyber attacks are likely to originate from outside Iran in the form of attacks conducted by proxies including hacktivist groups, terrorist networks, or Iran’s strategic allies.

Terrorist Networks

Hezbollah

Hezbollah, founded in 1982 with Iranian backing during Lebanon’s civil war, serves as Tehran’s primary proxy in the “Axis of Resistance.” Iran provides extensive funding, weapons, training, and operational guidance via the Islamic Revolutionary Guard Corps, enabling Hezbollah to project Iranian influence against Israel and the US while offering plausible deniability. Based in Lebanon, particularly southern regions and Beirut, Hezbollah controls significant territory and operates as a hybrid political-military force with 20,000-40,000 fighters. As a cyber proxy, Hezbollah possesses limited but evolving capabilities, including intelligence gathering, phishing, and disruptions, often in collaboration with IRGC units. In retaliation for 2026 US-Israeli strikes on Iran, it may conduct asymmetric cyber ops targeting infrastructure, though its focus remains kinetic.

Hamas

Hamas, founded in 1987 as a Palestinian Sunni Islamist group during the First Intifada, receives significant Iranian support. Iran provides funding, weapons, training, and strategic guidance via the IRGC to advance anti-Israel goals within the “Axis of Resistance.” It is based in the Gaza Strip (Palestine), with networks in the West Bank and diaspora communities. Hamas’s cyber capabilities are limited, emphasizing propaganda, doxing, and low-level disruptions. As an Iranian proxy, it could aid retaliatory cyber ops following the US-Israeli strikes, but its degraded state after the 2023-2024 Gaza war prioritizes kinetic survival over advanced cyber threats.

Pan-Islamic Proxies

There are a few notable examples of Iranian-aligned proxy groups with operational bases or activities extending beyond the Middle East. These are often ideologically motivated hacktivists or semi-autonomous cells that receive indirect Iranian support, allowing for plausible deniability. Their global dispersion, via diaspora networks, offshore servers, or recruitment in non-Middle Eastern countries, makes them less susceptible to monitoring or direct kinetic or cyber responses from US and Israeli forces.

Fatimiyoun Electronic Team

Fatimiyoun Electronic Team is linked to the Fatimiyoun Brigade, an Afghan Shia militia proxy of Iran. This group operates from Afghanistan or Pakistan-based networks, coordinating via Telegram. They've claimed attacks outside the Middle East, including reconnaissance on Western targets. The group has used custom wiper malware similar to Shamoon variants in attacks on financial and energy firms in Europe and the US. They have employed botnets such as those based on DieNet or Mirai variants for DDoS attacks, flooding targets with traffic to disrupt services. Fatimiyoun Electronic Team is also known for social engineering via job recruitment scams or phishing emails disguised as humanitarian aid/NGO communications, often delivering backdoors like Tickler for persistence. With Iran's command disrupted, this group could ramp up opportunistic strikes on US-affiliated entities.

Cyber Islamic Resistance

Cyber Islamic Resistance is a Pan-Islamic group with cells in North Africa and Europe. They coordinate via Telegram or Reddit, avoiding direct ties to Iranian infrastructure, which allows operations from less-monitored regions. They have deployed ransomware fronts and hack-and-leak operations, exfiltrating data for public dumps to amplify propaganda. They have utilized DDoS-for-hire services or custom scripts for website takedowns, as seen in past defacement campaigns against Israeli and US sites. If they retaliate on behalf of Iran, expect escalation in low-sophistication but high-volume attacks from European or African IP ranges and defacements or leaks tied to "pro-Iranian" claims, without direct attribution.

Islamic Hacker Army

Islamic Hacker Army is a pan-Islamic hacktivist collective with claimed members in Venezuela, Indonesia and Malaysia, using offshore proxies to obscure origins. They've historically avoided Middle Eastern servers, favoring global cloud infrastructure. Their tools include custom backdoors like FalseFont or Powerless for espionage, often combined with wipers in destructive ops against energy and telecom targets. They have leveraged coordinated DDoS via botnets and vulnerability scanners for mass exploitation in past campaigns against Gulf and Western entities. Their ideological alignment could drive proxy retaliation, especially if Iran's core capabilities remain degraded.

Other Hacktivist Groups

CyberAv3ngers

CyberAv3ngers, active since 2020 and potentially affiliated with the IRGC, conducts hacktivist-style geopolitically motivated attacks by exploiting weak credentials on internet-facing devices like Unitronics Vision Series PLCs to manipulate operational technology systems, deploying defacement messages and claiming attacks via Telegram. In 2024, they compromised US water facilities to display anti-Israel messages on PLCs and claimed similar attacks on Israeli PLCs.

Moses Staff

Moses Staff, active since 2021 with ties to Iranian interests, conducts hacktivist operations involving data theft, encryption, website defacement, and leaking stolen data via Telegram channels accompanied by ideological propaganda. In 2024, they performed data exfiltration and defacement attacks against Israeli entities, using leaks to promote anti-Israel narratives.

Handala

Handala, active since 2023 and aligned with Iranian geopolitical goals, carries out hacktivist operations with destructive elements using wiper malware, DDoS attacks, and data-wiping tools disguised as ransomware for disruption. In 2025-2026, they escalated wiper and disruptive attacks against Israeli targets amid regional conflicts, including data destruction and propaganda dissemination.

Strategic Allies

Russia

Russia and Iran have had a strategic partnership since 2015, expanded in 2021 with cyber cooperation pacts for tech transfers, surveillance tools, and joint exercises. Russia has previously supplied hardware like S-400 systems and satellites, enabling Iranian ops. Russia may engage in cyber activity on Iran’s behalf indirectly, sharing malware and exploits, coordinating disinformation, or aiding attacks via proxies to avoid escalation. Following the recent strikes on Iran, Russia condemned the attacks. It remains to be seen whether they will provide cyber-defense support or intel for retaliation.

China

China and Iran signed a 25-year cooperation deal in 2021, including cyber tech, 5G infrastructure, and AI for surveillance and ops. China could support Iranian cyber efforts via backdoors in Huawei/ZTE-built networks, satellite imagery for targeting, or AI tools for attacks. China may also provide indirect cyber-defense aid and components for ops, potentially enabling hacks on Middle East or US infrastructure.

Analyst Commentary

The coordinated US-Israeli strikes have inflicted unprecedented damage on Iran's cyber apparatus, combining physical destruction of leadership, near-total internet blackouts, and intelligence decapitation. This has created a rare, short-term suppression of state-directed offensive operations from Iranian soil, with outbound traffic now funneled through regime-controlled channels that are far easier to monitor and attribute.

Yet cyber threats do not disappear. In the immediate future, retaliation will likely manifest through proxies and aligned hacktivists, such as CyberAv3ngers, Handala, Moses Staff, or dispersed groups like Fatimiyoun Electronic Team or Islamic Hacker Army conducting opportunistic DDoS attacks, or using wipers, defacements, OT exploits, and propaganda leaks against US, Israeli, and regional targets. Russia and China may quietly amplify these efforts via indirect attacks not easily attributed to them. Medium-term risks remain elevated as allied support could accelerate reconstitution, potentially restoring Iran’s APT capabilities at an accelerated rate. Defenders must maintain aggressive threat hunting for Iranian APT and proxy-linked IOCs and prepare for persistent asymmetric cyber activity as a durable element of regime survival strategy in this ongoing conflict.

IOCs

PolySwarm has samples associated with multiple threat actors noted in this report. Below is a limited selection of hashes.

 

