
Iranian Cyber Threat Activity Against U.S. Critical Infrastructure and Kinetic Targeting

5 unique sources, 20 articles

Summary


As of **April 10, 2026**, Iranian state-sponsored and affiliated cyber threat actors continue to escalate attacks against **U.S. critical infrastructure**, with new data revealing that **3,891 internet-exposed Rockwell Automation/Allen-Bradley PLCs**—74.6% of the global total—are vulnerable to ongoing Iranian APT campaigns. The FBI, CISA, and allied agencies confirm that these attacks have resulted in **PLC project file exfiltration, HMI/SCADA data manipulation, and operational disruptions**, marking a direct expansion of Iran’s cyber-kinetic doctrine into U.S. industrial control systems (ICS). The broader campaign remains defined by **Iran’s integration of cyber and kinetic warfare**, including the **systematic exploitation of Hikvision/Dahua IP cameras** for real-time battle damage assessment and the **re-emergence of destructive ransomware groups like Pay2Key**, which executed a **three-hour encryption blitz** against a U.S. healthcare provider in March 2026. Despite the **April 8 ceasefire announcement by Handala**—temporarily pausing U.S.-targeted attacks but continuing operations against Israel—**low-level cyberactivity by groups like 313 Team and Conquerors Electronic Army persists**, targeting Australian government systems, Israeli infrastructure, and U.S.-based platforms. Analysts warn that **ceasefires historically inflame cyber operations**, as actors exploit diplomatic pauses to pivot tactics or prepare for future escalations. **Strategic trends** highlight Iran’s use of **false-flag operations, ransomware-as-a-smokescreen, and multi-actor obfuscation** to stretch adversary defenses. The targeting of **U.S. OT systems**—mirroring prior CyberAv3ngers (IRGC) campaigns against Unitronics PLCs—signals a **shift from regional surveillance to direct, disruptive operations**, with risks of **follow-on kinetic effects**. 
Defenders are urged to **segment OT networks, eliminate public PLC exposure, and monitor for Iranian VPN/VPS infrastructure** (Mullvad, NordVPN, Surfshark) linked to ongoing campaigns.

Timeline

  1. 07.04.2026 21:02 2 articles · 3d ago

    Iranian APT Actors Target U.S. Critical Infrastructure PLCs

    A **joint advisory from the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command CNMF** warns that Iranian-affiliated APT actors are **actively targeting internet-exposed Rockwell/Allen-Bradley PLCs** in U.S. critical infrastructure sectors, including **Government Services and Facilities, Water and Wastewater Systems, and Energy**. The campaign, ongoing since **March 2026**, has resulted in **financial losses, operational disruptions, and malicious manipulation of data displayed on HMI and SCADA systems**, including the **extraction of PLC project files**. The FBI assesses the escalation as a direct response to **geopolitical hostilities between Iran, the United States, and Israel**, aligning with prior tactics by **CyberAv3ngers (IRGC-linked)**, which compromised **75 Unitronics PLCs** in 2023–2024 (half in Water and Wastewater Systems networks). **As of April 10, 2026, Censys identified 5,219 globally exposed Rockwell Automation/Allen-Bradley PLCs**, with **74.6% (3,891 hosts) located in the U.S.**—disproportionately on cellular carrier ASNs, suggesting field-deployed vulnerabilities. The advisory urges defenders to **disconnect PLCs from the internet or secure them behind firewalls**, monitor OT ports for suspicious traffic (especially from overseas hosting providers), enforce **multifactor authentication (MFA)**, apply **latest firmware updates**, and disable **unused services/default authentication methods**. The targeting of **U.S.-based OT systems** marks a **significant shift from regional surveillance and hacktivism to direct, disruptive operations against American critical infrastructure**, raising concerns about potential **follow-on kinetic effects** or **multi-stage hybrid attacks**.

  2. 02.03.2026 17:00 7 articles · 1mo ago

    Iran Launches Massive Cyber Retaliation After Military Strikes

    Following joint Israeli-US strikes on Iranian leadership, military, and nuclear sites on February 28, 2026, **149 hacktivist DDoS attacks** targeted **110 organizations across 16 countries** between February 28–March 2, with **70% of activity driven by Keymous+ and DieNet**. The Middle East accounted for 76.6% of regional attacks, disproportionately hitting **Kuwait (28%), Israel (27.1%), and Jordan (21.5%)**, while pro-Russian groups (Cardinal, Russian Legion) claimed breaches of Israeli military networks, including the **Iron Dome missile defense system**. Iran’s IRGC expanded kinetic cyber retaliation by striking **Saudi Aramco and an AWS data center in the U.A.E.** to inflict global economic pain, while **Cotton Sandstorm (Haywire Kitten) revived its *Altoufan Team* persona** to deface Bahraini websites. An **SMS phishing campaign** exploited wartime urgency, deploying surveillance malware via a **fake *RedAlert* app**—a replica of Israel’s emergency alert system—tricking users into sideloading malicious APKs. UNC1549 (Nimbus Manticore) remained the **fourth most active threat actor in H2 2025**, sustaining focus on defense, aerospace, and telecommunications sectors. **In March 2026, the Iranian-linked ransomware group Pay2Key re-emerged with advanced TTPs**, targeting a US healthcare provider in a **three-hour encryption blitz** that combined **TeamViewer for interactive access**, credential theft (Mimikatz/LaZagne/ExtPassword), and backup enumeration (IBackup, Barracuda Yosemite). The attack deployed a **‘No Defender’ evasion toolkit** (later removed) and a **7zip SFX ransomware payload (abc.exe)**, with no evidence of data exfiltration—suggesting a focus on **destruction over financial gain**. Pay2Key’s ties to Iran remain debated due to its **2025 attempted sale** and **Russian-speaking forum links**, but its **geopolitically timed resurgence** underscores risks of **strategic cyber destruction** amid US-Iran tensions. 
    **The same month, pro-Iranian hacktivist group Handala wiped approximately 80,000 devices** on the network of **U.S. medical giant Stryker**, including employees' mobile devices and company-managed personal computers, demonstrating an escalation in **destructive proxy operations** against U.S. entities. The UK NCSC and Google’s Threat Intelligence Group (GTIG) reiterated warnings of heightened risks for organizations with Middle East exposure, emphasizing **DDoS resilience, ICS segmentation, and supply-chain hardening**. **As of April 8, 2026, Handala announced a temporary pause in cyberattacks against the U.S.** per orders from Iran’s leadership, but clarified that **operations against Israel would continue** and that the cyber war would resume post-ceasefire. Concurrently, **313 Team and Conquerors Electronic Army conducted attacks** on an **Australian government portal** and **U.S.-based Upwork**, signaling that **low-level cyberactivity persists** despite diplomatic pauses. Analysts warn that **ceasefires historically inflame cyber operations**, with actors using the reprieve to pivot tactics, expand targeting, or prepare for future escalations.

  3. 20.11.2025 09:35 4 articles · 4mo ago

    Iranian Threat Actors Use Cyber Reconnaissance for Kinetic Attacks

    Iranian threat actors, including Imperial Kitten and MuddyWater, have **systematically integrated cyber reconnaissance with kinetic strikes**, with a surge in IP camera exploits against **Hikvision and Dahua devices** across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus, and Lebanon beginning February 28, 2026. The campaign leverages **five distinct vulnerabilities** (CVE-2017-7921, CVE-2021-36260, CVE-2023-6895 for Hikvision; CVE-2025-34067, CVE-2021-33044 for Dahua), all of which have available patches but remain widely unpatched. Check Point Research assesses that **tracking this activity from attributed infrastructures may serve as an early indicator of follow-on kinetic missile strikes**, citing prior examples such as the June 2025 Weizmann Institute attack, where Iran compromised a street camera before a ballistic missile strike. The article further reveals **expanded tactical integration**: pro-Iranian actors breached the **Jordan Silos and Supply General Company via phishing** (logistics sabotage); Flashpoint identified **ongoing propaganda campaigns, missile strikes against data centers, and DDoS attacks on UAE/Bahrain government entities**; and CrowdStrike observed **muted but targeted IRGC-linked cyberattacks**, including a surge in **pro-Iranian Russian hacktivism** targeting ICS/SCADA systems and CCTV networks of **US-based entities**. Analysts characterize this as a **‘new blueprint for modern warfare’**, where cyber operations are **‘fully blended’** with kinetic strikes to impose costs across domains. **By April 2026, Iranian APT actors have escalated direct targeting of U.S. critical infrastructure PLCs**, with the FBI/CISA/NSA advisory confirming **financial losses, operational disruptions, and malicious manipulation of HMI/SCADA displays** in Government Services, Water and Wastewater Systems, and Energy sectors. 
    The activity mirrors prior CyberAv3ngers (IRGC) campaigns that compromised **75 Unitronics PLCs** in 2023–2024, half of which were in Water and Wastewater Systems networks.

  4. 14.11.2025 16:40 1 article · 4mo ago

    APT42 Launches SpearSpecter Espionage Campaign

    The Iranian state-sponsored threat actor APT42 has been observed targeting individuals and organizations of interest to the IRGC as part of a new espionage-focused campaign codenamed SpearSpecter. The campaign, detected in early September 2025 and assessed to be ongoing, systematically targets high-value senior defense and government officials using personalized social engineering tactics. The campaign extends to the targets' family members, creating a broader attack surface that exerts more pressure on the primary targets. APT42 is known for its ability to mount convincing social engineering campaigns that can run for days or weeks to build trust with the targets before sending a malicious payload or tricking them into clicking on booby-trapped links. The SpearSpecter campaign is carried out by cluster D of APT42, which focuses more on malware-based operations, while another campaign detailed by Check Point was carried out by cluster B of the same group, which focuses more on credential harvesting. The campaign involves impersonating trusted WhatsApp contacts to send a malicious link to a supposed required document for an upcoming meeting or conference. When the link is clicked, it initiates a redirect chain to serve a WebDAV-hosted Windows shortcut (LNK) masquerading as a PDF file by taking advantage of the "search-ms:" protocol handler. The LNK file establishes contact with a Cloudflare Workers subdomain to retrieve a batch script that functions as a loader for TAMECAT, a known PowerShell backdoor. TAMECAT employs various modular components to facilitate data exfiltration and remote control, using HTTPS, Discord, and Telegram for command-and-control (C2). The PowerShell framework uses three distinct channels for C2, suggesting the threat actor's goal of maintaining persistent access to compromised hosts even if one pathway gets detected and blocked. 
    TAMECAT comes equipped with features to conduct reconnaissance, harvest files matching certain extensions, steal data from web browsers like Google Chrome and Microsoft Edge, collect Outlook mailboxes, and take screenshots at 15-second intervals. The data is exfiltrated over HTTPS or FTP, and the malware adopts various stealthy techniques to evade detection and resist analysis efforts.
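The LNK-to-TAMECAT chain described above lends itself to staged detection rather than single-indicator matching. The following Python is added here as an example and is not code from the original report or any vendor: it correlates constructed Sysmon-style process and network events per host and alerts only when several stages of that chain (a search-ms: lure pointing at WebDAV, a batch loader, hidden PowerShell, and beaconing to Discord or Telegram) occur together. Event fields, hostnames, paths and the encoded-command value are constructed placeholders.

```python
"""Staged detection for the SpearSpecter/TAMECAT chain (added example; event
fields, hosts, paths and the encoded command below are constructed placeholders)."""
import re
from collections import defaultdict

# Constructed Sysmon-like events: (host, kind, image, parent_image, detail).
# kind "process": detail is the command line; kind "network": detail is "dest:port".
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # ws01: the full chain described in the report
    ("ws01", "process", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe",
     r'"C:\Windows\explorer.exe" "search-ms:displayname=Meeting%20Docs'
     r'&crumb=location:\\cdn.webdav.test@SSL\DavWWWRoot\share"'),
    ("ws01", "process", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
     r'cmd.exe /c "C:\Users\a.user\AppData\Local\Temp\view.bat"'),
    ("ws01", "process", PS, r"C:\Windows\System32\cmd.exe",
     "powershell.exe -w hidden -ep bypass -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAA=="),
    ("ws01", "network", PS, "", "discord.com:443"),
    ("ws01", "network", PS, "", "api.telegram.org:443"),
    # ws02: benign admin PowerShell and the Discord desktop client
    ("ws02", "process", PS, r"C:\Windows\explorer.exe",
     "powershell.exe -NoProfile -Command Get-Process"),
    ("ws02", "network", r"C:\Users\b.user\AppData\Local\Discord\app\Discord.exe", "",
     "discord.com:443"),
    # ws03: one suspicious beacon only, below the correlation threshold
    ("ws03", "network", PS, "", "api.telegram.org:443"),
]

LURE_RE = re.compile(r"search-ms:", re.I)                       # protocol-handler lure
WEBDAV_RE = re.compile(r"\\\\[^\\\s]+@SSL\\|DavWWWRoot", re.I)  # WebDAV UNC path
BATCH_RE = re.compile(r"\.(?:bat|cmd)\b", re.I)                 # batch-script loader
PS_FLAGS_RE = re.compile(                                       # hidden/bypass/encoded
    r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)
C2_DOMAINS = ("discord.com", "discordapp.com", "api.telegram.org")


def _base(path):
    """File name of a Windows path, lower-cased ('' for an empty parent)."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Map one event to a chain stage name, or None if it matches nothing."""
    _host, kind, image, parent, detail = event
    img, par = _base(image), _base(parent)
    if kind == "process":
        if LURE_RE.search(detail) and WEBDAV_RE.search(detail):
            return "lure"
        if img == "cmd.exe" and par == "explorer.exe" and BATCH_RE.search(detail):
            return "loader"
        if (img == "powershell.exe" and par == "cmd.exe"
                and len(PS_FLAGS_RE.findall(detail)) >= 2):
            return "backdoor"
    elif kind == "network" and img == "powershell.exe":
        dest = detail.rsplit(":", 1)[0].lower()
        if any(dest == d or dest.endswith("." + d) for d in C2_DOMAINS):
            return "c2"
    return None


def correlate(events, min_stages=3):
    """Return {host: sorted stages} for hosts with at least min_stages distinct
    stages; a lone Discord or Telegram connection from PowerShell is not enough."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[ev[0]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: TAMECAT-like chain, stages={stages}")
```

Lowering `min_stages` trades false positives for earlier warning; the ws03 host shows why a single C2-domain hit is better treated as a lead than an alert.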

  5. 23.09.2025 00:00 2 articles · 6mo ago

    Nimbus Manticore Expands Operations to Western Europe

    The Iran-linked cyber-espionage group Nimbus Manticore, also known as UNC1549 and Smoke Sandstorm, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden. The group uses sophisticated malware variants, including MiniJunk and MiniBrowse, to gain persistent access to infected systems and steal credentials from Chrome and Edge browsers. MiniJunk is an advanced version of the Minibike backdoor, featuring improved obfuscation techniques, code signing, and multiple C2 servers to evade detection. The malware employs multi-stage sideloading to install and establish persistence on victim systems, leveraging fake job-related login pages and tailored spear-phishing emails. The group's operations are associated with the Iranian Revolutionary Guard Corps (IRGC) and have been active since at least 2022, focusing on the aerospace and defense sectors in Israel and the Middle East. Additionally, UNC1549 (aka Nimbus Manticore or Subtle Snail) has been observed deploying backdoors like TWOSTROKE and DEEPROOT in attacks targeting aerospace, aviation, and defense industries in the Middle East. The group has been active since late 2023 through 2025, employing sophisticated initial access vectors including abuse of third-party relationships, VDI breakouts, and highly targeted phishing. The group uses a combination of phishing campaigns and leveraging trusted relationships with third-party suppliers and partners to gain initial access. UNC1549 abuses credentials associated with services like Citrix, VMware, and Azure Virtual Desktop and Application (VDA) to establish an initial foothold and break out of virtualized sessions. The group targets IT staff and administrators to obtain credentials with elevated privileges for deeper network access.
    Post-exploitation activities include reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, focusing on network/IT documentation, intellectual property, and emails. Custom tools used by UNC1549 include MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, DCSYNCER.SLICK, CRASHPAD, SIGHTGRAB, and TRUSTTRAP. The group uses publicly available programs like AD Explorer, Atelier Web Remote Commander (AWRC), and SCCMVNC for remote control and reconnaissance. UNC1549 maintains stealth and command-and-control (C2) using extensive reverse SSH shells and domains mimicking the victim's industry. The group plants backdoors that beacon silently for months, only activating them to regain access after the victim has attempted eradication.

  6. 19.09.2025 16:59 4 articles · 6mo ago

    Subtle Snail Targets Global Telecommunications and Aerospace Companies

    The Iran-nexus cyber espionage group UNC1549, also known as Subtle Snail, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden. The group uses sophisticated malware variants, including MiniJunk and MiniBrowse, to gain persistent access to infected systems and steal credentials from Chrome and Edge browsers. MiniJunk is an advanced version of the Minibike backdoor, featuring improved obfuscation techniques, code signing, and multiple C2 servers to evade detection. The malware employs multi-stage sideloading to install and establish persistence on victim systems, leveraging fake job-related login pages and tailored spear-phishing emails. The group's operations are associated with the Iranian Revolutionary Guard Corps (IRGC) and have been active since at least 2022, focusing on the aerospace and defense sectors in Israel and the Middle East. Additionally, UNC1549 (aka Nimbus Manticore or Subtle Snail) has been observed deploying backdoors like TWOSTROKE and DEEPROOT in attacks targeting aerospace, aviation, and defense industries in the Middle East. The group has been active since late 2023 through 2025, employing sophisticated initial access vectors including abuse of third-party relationships, VDI breakouts, and highly targeted phishing. The group uses a combination of phishing campaigns and leveraging trusted relationships with third-party suppliers and partners to gain initial access. UNC1549 abuses credentials associated with services like Citrix, VMware, and Azure Virtual Desktop and Application (VDA) to establish an initial foothold and break out of virtualized sessions. The group targets IT staff and administrators to obtain credentials with elevated privileges for deeper network access.
    Post-exploitation activities include reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, focusing on network/IT documentation, intellectual property, and emails. Custom tools used by UNC1549 include MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, DCSYNCER.SLICK, CRASHPAD, SIGHTGRAB, and TRUSTTRAP. The group uses publicly available programs like AD Explorer, Atelier Web Remote Commander (AWRC), and SCCMVNC for remote control and reconnaissance. UNC1549 maintains stealth and command-and-control (C2) using extensive reverse SSH shells and domains mimicking the victim's industry. The group plants backdoors that beacon silently for months, only activating them to regain access after the victim has attempted eradication.

  7. 03.09.2025 13:30 2 articles · 7mo ago

    Iranian Cyber Threat Actors Conduct Global Phishing Campaign

    The first email in this campaign was sent on August 19, 2025, from a legitimate address belonging to the Oman Ministry of Foreign Affairs in Paris, directed back at the organization. The emails were forwarded through a NordVPN exit node in Jordan to mask their origin. The emails included a blurred Word document attachment requiring users to enable macros to view it clearly. The document concealed malicious Visual Basic for Applications (VBA) macros, which, when enabled, executed a payload that gathered basic system information. The campaign targeted around four dozen embassies, consulates, and government ministries from nearly every corner of the earth. The attackers also targeted at least 10 other notable international organizations, including the United Nations, its Office on Drugs and Crime (UNODC), and its Children's Fund (UNICEF); the African Union; and humanitarian organizations like the Order of Malta. The campaign is assessed to have likely concluded just days after it began, as the attackers' command-and-control (C2) infrastructure appears to be inactive.

  8. 30.06.2025 15:00 5 articles · 9mo ago

    U.S. Agencies Warn of Potential Iranian Cyber Activity Against Critical Infrastructure

    Iranian state-sponsored or affiliated cyber threat actors are targeting U.S. industries and government agencies with a rise in malicious cyber activity, including destructive 'wiper' attacks aimed at causing complete network loss. These actors exploit known vulnerabilities, compromise weak passwords, and use tactics like spear phishing, password spraying, and credential stuffing to escalate from account compromise to full network destruction. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is actively monitoring these threats, sharing intelligence with partners, and urging organizations to strengthen basic defenses, such as multi-factor authentication, and report suspected incidents immediately to [email protected]. Following joint Israeli-US strikes on Iran in late February 2026, Iranian cyber retaliation surged, with over 150 hacktivist incidents—including DDoS attacks, defacements, and data breach claims—recorded in 48 hours. Experts warn of escalated Iranian operations leveraging ransomware-as-a-smokescreen, destructive wipers, and multi-actor obfuscation tactics against U.S. and allied networks. The UK NCSC advised organizations with Middle East exposure to review risk postures and secure offline backups, though no direct increase in threats to the UK was observed as of March 2, 2026.


Similar Happenings

APT28 DNS hijacking campaigns via compromised SOHO routers observed in 2025–2026 targeting credential theft

APT28 (GRU GTsSS Military Unit 26165) has conducted opportunistic DNS hijacking campaigns since at least August 2025 by compromising small office/home office (SOHO) routers—primarily TP-Link models such as WR841N—to redirect victim traffic through attacker-controlled DNS servers and steal credentials. The campaign peaked in December 2025, compromising over 18,000 networks, including 200 organizations and 5,000 consumer devices, and specifically targeted government agencies such as ministries of foreign affairs, law enforcement, and third-party email providers. TP-Link routers were likely exploited via CVE-2023-50224 to retrieve credentials, which were used in adversary-in-the-middle attacks against browser sessions and desktop applications to harvest credentials for web and email services. APT28 operates a persistent infrastructure of VPSs repurposed as malicious DNS servers, receiving DNS requests from exploited routers and enabling opportunistic triage to identify high-value targets. Microsoft reported this is the first time APT28 has used DNS hijacking at scale to support post-compromise adversary-in-the-middle (AiTM) attacks on TLS connections against Microsoft Outlook on the web domains, intercepting OAuth authentication tokens after successful MFA authentication without requiring additional malware on compromised routers. On April 7, 2026, US authorities dismantled APT28’s US-based DNS hijacking network as part of ‘Operation Masquerade,’ neutralizing compromised routers across 23 states. The operation, led by the FBI and authorized by a court, reset DNS settings on affected TP-Link routers to restore legitimate DNS resolvers from ISPs without impacting functionality or collecting user content. The FBI is working with ISPs to notify affected users and urges router owners to replace outdated devices, update firmware, and verify DNS settings to prevent further exploitation.

Iran-linked Pay2Key operation resurfaces with pseudo-ransomware tactics and expanded affiliate network

Iran has reactivated the state-backed Pay2Key ransomware operation, recruiting affiliates from Russian cybercrime forums to conduct pseudo-ransomware attacks against high-impact US targets as part of its ongoing geopolitical conflict with the US and Israel. The campaign blends destructive wiper malware (e.g., Apostle retrofitted as ransomware) with extortion schemes to obscure geopolitical motives, complicate attribution, and maximize disruptive and financial impact. Affiliates receive profit-sharing incentives (up to 80% payouts) for attacks aligning with Iranian state objectives, effectively outsourcing cyber retribution to the global cybercrime ecosystem.

Ransomware Attacks Decline in France in 2025, ANSSI Reports

France's National Cybersecurity Agency (ANSSI) reported a decline in ransomware attacks in 2025, attributing the drop to successful preventive interventions and law enforcement operations. Despite the decrease, ransomware remains a significant threat, particularly targeting SMBs, healthcare, and education sectors. The most prevalent ransomware strains observed were Qilin, Akira, and LockBit 3.0/LockBit Black. ANSSI also noted a rise in data exfiltration incidents and a drop in DDoS attacks. The agency highlighted the increasing overlap between nation-state groups and cybercriminals, complicating attribution efforts. Vincent Strubel, ANSSI’s director general, warned of potential hybrid attacks on critical infrastructure by 2030.

Iranian Hacktivist Group Claims Wiper Attack on Stryker

The Iranian hacktivist group Handala—linked to Iran’s Ministry of Intelligence and Security (MOIS)—conducted a destructive wiper attack against Stryker, a U.S. Fortune 500 medical technology company, on March 11, 2026. The attack affected over 200,000 systems across 79 countries, disrupted operations in Ireland, and sent over 5,000 workers home. Handala claimed responsibility, citing retaliation for a U.S. missile strike. The attack leveraged Microsoft Intune to issue remote wipe commands and defaced Stryker’s Entra login page. Stryker confirmed the incident in an SEC filing and reported no evidence of data exfiltration. Recovery efforts prioritized restoring supply-chain systems. In a separate but related development, Handala breached the personal email account of FBI Director Kash Patel on March 28, 2026, and leaked historical emails from 2010 and 2019. The FBI acknowledged the targeting and stated the leaked data was not government-related. Handala operates under multiple monikers, including Banished Kitten and Void Manticore, and has integrated criminal tools such as Rhadamanthys stealer to enhance its operations. The group’s activities align with broader Iranian cyber operations targeting Western entities amid heightened geopolitical tensions, including destructive attacks, hack-and-leak campaigns, and psychological influence operations. U.S. authorities have seized multiple domains linked to Handala and offered a $10 million reward for information on group members.

RedAlert Spyware Campaign Exploits Wartime Panic With Trojanized App

A new mobile espionage campaign, dubbed RedAlert, targets civilians during the Israel-Iran conflict by distributing a trojanized version of Israel's official Red Alert rocket warning app. The malicious app mimics the legitimate application, delivering real alerts while running a surveillance payload in the background. The malware aggressively requests high-risk permissions, including access to SMS messages, contacts, and precise GPS location data. It uses sophisticated anti-detection techniques to evade standard integrity checks and conceal secondary payloads. The campaign poses strategic and physical security risks, including the potential exposure of civilian shelter locations and the bypassing of two-factor authentication (2FA).