
Iranian Cyber Threat Activity Against U.S. Critical Infrastructure and Kinetic Targeting

5 unique sources, 18 articles

Summary


Iranian state-sponsored and affiliated cyber threat actors have **formalized a cyber-kinetic war doctrine**, integrating digital reconnaissance with physical strikes following the February 28, 2026, joint US-Israel military operation (*Epic Fury*). New research confirms Iran's systematic compromise of **Hikvision and Dahua IP cameras** across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon, exploiting **five vulnerabilities that have vendor patches available but remain widely unpatched** to enable **real-time battle damage assessment and missile-targeting support**. Check Point Research assesses this activity as a **predictive indicator of kinetic strikes**, mirroring tactics used during the June 2025 Israel-Iran conflict.

**As of April 2026, Iranian APT actors have escalated direct targeting of U.S. critical infrastructure**, focusing on **Rockwell/Allen-Bradley PLCs** in the Government Services, Water and Wastewater Systems, and Energy sectors. The joint FBI/CISA/NSA advisory warns of **financial losses, operational disruptions, and malicious manipulation of HMI/SCADA displays**, with confirmed extraction of PLC project files. This follows prior CyberAv3ngers (IRGC-linked) campaigns that compromised **75 Unitronics PLCs** in 2023–2024.

In parallel, **pro-Iranian hacktivist group Handala wiped 80,000 devices** on U.S. medical giant Stryker's network in March 2026, signaling a shift toward **destructive hybrid operations** that blend state-backed and proxy activity. The campaign extends beyond surveillance: **pro-Iranian actors breached Jordan's Silos and Supply General Company via phishing**, while IRGC-linked groups conducted **limited but targeted ICS/SCADA attacks** and **DDoS campaigns against UAE/Bahrain government entities**. CrowdStrike and Flashpoint warn of escalating hybrid tactics, including **propaganda operations, missile strikes on data centers, and hacktivist proxies** (e.g., Russian Legion) expanding their targets to US-based critical infrastructure.

**Pay2Key**, an Iranian-linked ransomware group active since 2020, **re-emerged in March 2026 with enhanced evasion capabilities**, targeting a US healthcare provider in a three-hour encryption blitz that leveraged TeamViewer, credential harvesting (Mimikatz/LaZagne), and backup enumeration, raising concerns about **strategic destruction motives** amid geopolitical tensions.

Timeline

  1. 07.04.2026 21:02 1 article · 14h ago

    Iranian APT Actors Target U.S. Critical Infrastructure PLCs

    A **joint advisory from the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command CNMF** warns that Iranian-affiliated APT actors are **actively targeting internet-exposed Rockwell/Allen-Bradley PLCs** in U.S. critical infrastructure sectors, including **Government Services and Facilities, Water and Wastewater Systems, and Energy**. The campaign, ongoing since **March 2026**, has resulted in **financial losses, operational disruptions, and malicious manipulation of data displayed on HMI and SCADA systems**, including the **extraction of PLC project files**. The FBI assesses the escalation as a direct response to **geopolitical hostilities between Iran, the United States, and Israel**, aligning with prior tactics by **CyberAv3ngers (IRGC-linked)**, which compromised **75 Unitronics PLCs** in 2023–2024 (half in Water and Wastewater Systems networks). The advisory urges defenders to **disconnect PLCs from the internet or secure them behind firewalls**, monitor OT ports for suspicious traffic (especially from overseas hosting providers), enforce **multifactor authentication (MFA)**, apply **latest firmware updates**, and disable **unused services/default authentication methods**. The targeting of **U.S.-based OT systems** marks a **significant shift from regional surveillance and hacktivism to direct, disruptive operations against American critical infrastructure**, raising concerns about potential **follow-on kinetic effects** or **multi-stage hybrid attacks**.

  2. 02.03.2026 17:00 6 articles · 1mo ago

    Iran Launches Massive Cyber Retaliation After Military Strikes

    Following joint Israeli-US strikes on Iranian leadership, military, and nuclear sites on February 28, 2026, **149 hacktivist DDoS attacks** targeted **110 organizations across 16 countries** between February 28 and March 2, with **70% of activity driven by Keymous+ and DieNet**. The Middle East accounted for 76.6% of regional attacks, disproportionately hitting **Kuwait (28%), Israel (27.1%), and Jordan (21.5%)**, while pro-Russian groups (Cardinal, Russian Legion) claimed breaches of Israeli military networks, including the **Iron Dome missile defense system**. Iran's IRGC extended its retaliation into the kinetic domain, striking **Saudi Aramco and an AWS data center in the U.A.E.** to inflict global economic pain, while **Cotton Sandstorm (Haywire Kitten) revived its *Altoufan Team* persona** to deface Bahraini websites. An **SMS phishing campaign** exploited wartime urgency, deploying surveillance malware via a **fake *RedAlert* app**, a replica of Israel's emergency alert system, that tricked users into sideloading malicious APKs. UNC1549 (Nimbus Manticore) remained the **fourth most active threat actor in H2 2025**, sustaining its focus on the defense, aerospace, and telecommunications sectors.

    **In March 2026, the Iranian-linked ransomware group Pay2Key re-emerged with advanced TTPs**, targeting a US healthcare provider in a **three-hour encryption blitz** that combined **TeamViewer for interactive access**, credential theft (Mimikatz/LaZagne/ExtPassword), and backup enumeration (IBackup, Barracuda Yosemite). The attack deployed a **'No Defender' evasion toolkit** (later removed) and a **7zip SFX ransomware payload (abc.exe)**, with no evidence of data exfiltration, suggesting a focus on **destruction over financial gain**. Pay2Key's ties to Iran remain debated because of its **attempted sale in 2025** and its **links to Russian-speaking forums**, but its **geopolitically timed resurgence** underscores the risk of **strategic cyber destruction** amid US-Iran tensions.

    **The same month, pro-Iranian hacktivist group Handala wiped approximately 80,000 devices** on the network of **U.S. medical giant Stryker**, including employees' mobile devices and company-managed personal computers, demonstrating an escalation in **destructive proxy operations** against U.S. entities. The UK NCSC and Google's Threat Intelligence Group (GTIG) reiterated warnings of heightened risk for organizations with Middle East exposure, emphasizing **DDoS resilience, ICS segmentation, and supply-chain hardening**.

  3. 20.11.2025 09:35 4 articles · 4mo ago

    Iranian Threat Actors Use Cyber Reconnaissance for Kinetic Attacks

    Iranian threat actors, including Imperial Kitten and MuddyWater, have **systematically integrated cyber reconnaissance with kinetic strikes**, with a surge in IP camera exploitation against **Hikvision and Dahua devices** across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon beginning February 28, 2026. The campaign leverages **five distinct vulnerabilities** (CVE-2017-7921, CVE-2021-36260, and CVE-2023-6895 for Hikvision; CVE-2025-34067 and CVE-2021-33044 for Dahua), all of which have patches available but remain widely unpatched. Check Point Research assesses that **tracking this activity from attributed infrastructure may serve as an early indicator of follow-on kinetic missile strikes**, citing prior examples such as the June 2025 Weizmann Institute attack, where Iran compromised a street camera before a ballistic missile strike.

    The article further reveals **expanded tactical integration**: pro-Iranian actors breached the **Jordan Silos and Supply General Company via phishing** (logistics sabotage); Flashpoint identified **ongoing propaganda campaigns, missile strikes against data centers, and DDoS attacks on UAE/Bahrain government entities**; and CrowdStrike observed **muted but targeted IRGC-linked cyberattacks**, including a surge in **pro-Iranian Russian hacktivism** targeting the ICS/SCADA systems and CCTV networks of **US-based entities**. Analysts characterize this as a **'new blueprint for modern warfare'**, in which cyber operations are **'fully blended'** with kinetic strikes to impose costs across domains. **By April 2026, Iranian APT actors had escalated to direct targeting of U.S. critical infrastructure PLCs**, with the FBI/CISA/NSA advisory confirming **financial losses, operational disruptions, and malicious manipulation of HMI/SCADA displays** in the Government Services, Water and Wastewater Systems, and Energy sectors. The activity mirrors prior CyberAv3ngers (IRGC) campaigns that compromised **75 Unitronics PLCs** in 2023–2024, half of which were in Water and Wastewater Systems networks.

  4. 14.11.2025 16:40 1 article · 4mo ago

    APT42 Launches SpearSpecter Espionage Campaign

    The Iranian state-sponsored threat actor APT42 has been observed targeting individuals and organizations of interest to the IRGC as part of a new espionage-focused campaign codenamed SpearSpecter. The campaign, detected in early September 2025 and assessed to be ongoing, systematically targets high-value senior defense and government officials using personalized social engineering. It extends to the targets' family members, creating a broader attack surface that exerts more pressure on the primary targets. APT42 is known for mounting convincing social engineering campaigns that can run for days or weeks to build trust with targets before sending a malicious payload or tricking them into clicking booby-trapped links. SpearSpecter is carried out by cluster D of APT42, which focuses more on malware-based operations, while a separate campaign detailed by Check Point was carried out by cluster B of the same group, which focuses more on credential harvesting.

    The campaign involves impersonating trusted WhatsApp contacts to send a malicious link to a supposedly required document for an upcoming meeting or conference. When the link is clicked, it initiates a redirect chain that serves a WebDAV-hosted Windows shortcut (LNK) masquerading as a PDF file, taking advantage of the "search-ms:" protocol handler. The LNK file contacts a Cloudflare Workers subdomain to retrieve a batch script that functions as a loader for TAMECAT, a known PowerShell backdoor. TAMECAT employs modular components to facilitate data exfiltration and remote control, using HTTPS, Discord, and Telegram for command-and-control (C2). The use of three distinct C2 channels suggests the threat actor aims to maintain persistent access to compromised hosts even if one pathway is detected and blocked. TAMECAT comes equipped with features to conduct reconnaissance, harvest files matching certain extensions, steal data from web browsers such as Google Chrome and Microsoft Edge, collect Outlook mailboxes, and take screenshots at 15-second intervals. The data is exfiltrated over HTTPS or FTP, and the malware adopts various stealth techniques to evade detection and resist analysis.

  5. 23.09.2025 00:00 2 articles · 6mo ago

    Nimbus Manticore Expands Operations to Western Europe

    The Iran-linked cyber-espionage group Nimbus Manticore, also known as UNC1549 and Smoke Sandstorm, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden. The group uses sophisticated malware variants, including MiniJunk and MiniBrowse, to gain persistent access to infected systems and steal credentials from the Chrome and Edge browsers. MiniJunk is an advanced version of the Minibike backdoor, featuring improved obfuscation, code signing, and multiple C2 servers to evade detection. The malware uses multi-stage sideloading to install and establish persistence on victim systems, delivered through fake job-related login pages and tailored spear-phishing emails. The group's operations are associated with the Iranian Revolutionary Guard Corps (IRGC) and have been active since at least 2022, focusing on the aerospace and defense sectors in Israel and the Middle East.

    Additionally, UNC1549 (aka Nimbus Manticore or Subtle Snail) has been observed deploying backdoors such as TWOSTROKE and DEEPROOT in attacks on the aerospace, aviation, and defense industries in the Middle East. The group has been active from late 2023 through 2025, employing sophisticated initial access vectors including abuse of third-party relationships, VDI breakouts, and highly targeted phishing. It combines phishing campaigns with the abuse of trusted relationships with third-party suppliers and partners to gain initial access, and abuses credentials for services such as Citrix, VMware, and Azure Virtual Desktop and Application (VDA) to establish a foothold and break out of virtualized sessions. The group targets IT staff and administrators to obtain credentials with elevated privileges for deeper network access. Post-exploitation activity includes reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, focusing on network/IT documentation, intellectual property, and emails. Custom tools used by UNC1549 include MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, DCSYNCER.SLICK, CRASHPAD, SIGHTGRAB, and TRUSTTRAP. The group also uses publicly available programs such as AD Explorer, Atelier Web Remote Commander (AWRC), and SCCMVNC for remote control and reconnaissance. UNC1549 maintains stealth and command-and-control (C2) using extensive reverse SSH shells and domains mimicking the victim's industry, and plants backdoors that beacon silently for months, activating them only to regain access after the victim has attempted eradication.

  6. 19.09.2025 16:59 4 articles · 6mo ago

    Subtle Snail Targets Global Telecommunications and Aerospace Companies

    The Iran-nexus cyber espionage group UNC1549, also known as Subtle Snail, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden.

  7. 03.09.2025 13:30 2 articles · 7mo ago

    Iranian Cyber Threat Actors Conduct Global Phishing Campaign

    The first email in this campaign was sent on August 19, 2025, from a legitimate address belonging to the Oman Ministry of Foreign Affairs in Paris, directed back at the organization. The emails were forwarded through a NordVPN exit node in Jordan to mask their origin. The emails included a blurred Word document attachment requiring users to enable macros to view it clearly. The document concealed malicious Visual Basic for Applications (VBA) macros, which, when enabled, executed a payload that gathered basic system information. The campaign targeted around four dozen embassies, consulates, and government ministries from nearly every corner of the earth. The attackers also targeted at least 10 other notable international organizations, including the United Nations, its Office on Drugs and Crime (UNODC), and its Children's Fund (UNICEF); the African Union; and humanitarian organizations like the Order of Malta. The campaign is assessed to have likely concluded just days after it began, as the attackers' command-and-control (C2) infrastructure appears to be inactive.

  8. 30.06.2025 15:00 5 articles · 9mo ago

    U.S. Agencies Warn of Potential Iranian Cyber Activity Against Critical Infrastructure

    Iranian state-sponsored or affiliated cyber threat actors are targeting U.S. industries and government agencies with a rise in malicious cyber activity, including destructive 'wiper' attacks aimed at causing complete network loss. These actors exploit known vulnerabilities, compromise weak passwords, and use tactics like spear phishing, password spraying, and credential stuffing to escalate from account compromise to full network destruction. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is actively monitoring these threats, sharing intelligence with partners, and urging organizations to strengthen basic defenses, such as multi-factor authentication, and report suspected incidents immediately to [email protected]. Following joint Israeli-US strikes on Iran in late February 2026, Iranian cyber retaliation surged, with over 150 hacktivist incidents—including DDoS attacks, defacements, and data breach claims—recorded in 48 hours. Experts warn of escalated Iranian operations leveraging ransomware-as-a-smokescreen, destructive wipers, and multi-actor obfuscation tactics against U.S. and allied networks. The UK NCSC advised organizations with Middle East exposure to review risk postures and secure offline backups, though no direct increase in threats to the UK was observed as of March 2, 2026.

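As an added illustration of the "monitor OT ports for suspicious traffic" mitigation from the joint advisory in timeline entry 1, the following Python (not code from the advisory or from CyberHappenings) flags flow-log entries that reach PLC ports from outside the private address space and tags sources that fall in a hosting-provider range. The log format, the sample lines, the hosting ranges and the port list are assumptions constructed for this example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Assumption: ports that only internal engineering hosts should be reaching.
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (CIP)",
    2222: "EtherNet/IP implicit I/O (CIP)",
    502: "Modbus/TCP",
}

# RFC 1918 plus loopback and link-local; any other source (IPv6 included, since it never
# matches these v4 ranges) is treated as "internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed table of ranges labelled as hosting providers. In practice this comes
# from an ASN lookup or a threat-intel feed, not from a hard-coded dict.
HOSTING_RANGES = {
    ipaddress.ip_network("198.51.100.0/24"): "example-hosting-provider-A",
    ipaddress.ip_network("203.0.113.0/24"): "example-hosting-provider-B",
}
@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    service: str
    action: str          # "allow" or "deny": a denied probe is still worth seeing
    hosting: str | None  # provider label when src lies in a known hosting range

def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)

def hosting_label(ip) -> str | None:
    for net, label in HOSTING_RANGES.items():
        if ip in net:
            return label
    return None

def scan_flows(lines: list[str]) -> list[Finding]:
    """Parse 'ts src_ip dst_ip dst_port proto action' lines and return every hit on an
    OT port whose source is outside the internal ranges. Malformed lines are skipped."""
    findings: list[Finding] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, port, _proto, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_port = int(port)
        except ValueError:
            continue
        if dst_port not in OT_PORTS or is_internal(src_ip):
            continue  # not an OT port, or expected engineering-workstation traffic
        findings.append(Finding(ts, src, dst, dst_port, OT_PORTS[dst_port], action,
                                hosting_label(src_ip)))
    return findings

# Constructed flow-log sample; the external IPs are documentation (TEST-NET) addresses.
SAMPLE_LOG = [
    "2026-03-14T02:11:05Z 10.20.30.5 10.20.40.10 44818 tcp allow",     # internal, expected
    "2026-03-14T02:13:41Z 198.51.100.23 10.20.40.10 44818 tcp allow",  # hosting range -> PLC
    "2026-03-14T02:14:02Z 10.20.30.5 10.20.40.10 443 tcp allow",       # not an OT port
    "2026-03-14T02:15:30Z 203.0.113.9 10.20.40.11 502 tcp deny",       # blocked probe, still flagged
    "this line is malformed",
    "2026-03-14T02:17:12Z 192.0.2.77 10.20.40.10 2222 udp allow",      # external, provider unknown
]

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port} {f.service} [{f.action}] hosting={f.hosting}")
```

Denied flows are reported alongside allowed ones because a blocked probe against a PLC port from a hosting provider is exactly the early signal the advisory asks defenders to watch for.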

Similar Happenings

Ransomware Attacks Decline in France in 2025, ANSSI Reports

France's National Cybersecurity Agency (ANSSI) reported a decline in ransomware attacks in 2025, attributing the drop to successful preventive interventions and law enforcement operations. Despite the decrease, ransomware remains a significant threat, particularly targeting SMBs, healthcare, and education sectors. The most prevalent ransomware strains observed were Qilin, Akira, and LockBit 3.0/LockBit Black. ANSSI also noted a rise in data exfiltration incidents and a drop in DDoS attacks. The agency highlighted the increasing overlap between nation-state groups and cybercriminals, complicating attribution efforts. Vincent Strubel, ANSSI’s director general, warned of potential hybrid attacks on critical infrastructure by 2030.

Iranian Hacktivist Group Claims Wiper Attack on Stryker

The Iranian hacktivist group Handala—linked to Iran’s Ministry of Intelligence and Security (MOIS)—conducted a destructive wiper attack against Stryker, a U.S. Fortune 500 medical technology company, on March 11, 2026. The attack affected over 200,000 systems across 79 countries, disrupted operations in Ireland, and sent over 5,000 workers home. Handala claimed responsibility, citing retaliation for a U.S. missile strike. The attack leveraged Microsoft Intune to issue remote wipe commands and defaced Stryker’s Entra login page. Stryker confirmed the incident in an SEC filing and reported no evidence of data exfiltration. Recovery efforts prioritized restoring supply-chain systems. In a separate but related development, Handala breached the personal email account of FBI Director Kash Patel on March 28, 2026, and leaked historical emails from 2010 and 2019. The FBI acknowledged the targeting and stated the leaked data was not government-related. Handala operates under multiple monikers, including Banished Kitten and Void Manticore, and has integrated criminal tools such as Rhadamanthys stealer to enhance its operations. The group’s activities align with broader Iranian cyber operations targeting Western entities amid heightened geopolitical tensions, including destructive attacks, hack-and-leak campaigns, and psychological influence operations. U.S. authorities have seized multiple domains linked to Handala and offered a $10 million reward for information on group members.

RedAlert Spyware Campaign Exploits Wartime Panic With Trojanized App

A new mobile espionage campaign, dubbed RedAlert, targets civilians during the Israel-Iran conflict by distributing a trojanized version of Israel's official Red Alert rocket warning app. The malicious app mimics the legitimate application, delivering real alerts while running a surveillance payload in the background. The malware aggressively requests high-risk permissions, including access to SMS messages, contacts, and precise GPS location data. It uses sophisticated anti-detection techniques to evade standard integrity checks and conceal secondary payloads. The campaign poses strategic and physical security risks, including the potential exposure of civilian shelter locations and the bypassing of two-factor authentication (2FA).

Drone Strikes Damage AWS Data Centers in Middle East

Drone strikes have damaged three AWS data centers in the UAE and one in Bahrain, causing extensive outages across multiple cloud services. The attacks are suspected to be part of Iran's response to recent U.S. and Israeli strikes in the Middle East. The incidents have disrupted the AWS Middle East (UAE) Region (ME-CENTRAL-1) and the AWS Middle East (Bahrain) Region (ME-SOUTH-1), with significant structural and power infrastructure damage reported. Amazon is working on recovery efforts, including restoring physical infrastructure and implementing software-based recovery paths. Customers are advised to back up data and migrate workloads to unaffected regions.

Iran-linked Dust Specter Targets Iraqi Officials with AI-Assisted Malware

An Iran-linked cyber threat actor, Dust Specter, has been targeting Iraqi government officials using AI-powered tools and previously undocumented malware. The campaign, detected in January 2026, involves impersonating the Iraqi Ministry of Foreign Affairs and compromising government infrastructure to host malicious payloads. The attack chains include the use of SplitDrop, TwinTask, TwinTalk, and GhostForm malware, with TwinTalk also linked to a previous campaign in July 2025. The campaign employs advanced techniques such as randomly generated URI paths for C2 communication, geofencing, and User-Agent verification. The use of compromised Iraqi government infrastructure and AI-assisted malware development highlights the sophistication of the attack.