
Iran Readied Cyberattack Capabilities for Response Prior to Epic Fury

Analysis reveals a six-month buildup of Iran-linked cyber infrastructure, including US-based shell companies, designed to weather kinetic strikes and ensure the resilience of its global hacking operations.

Originally published on SecurityWeek.

Iranian APTs

The US, Israel and ‘facilitating’ Gulf states were attacked by Iranian APTs within days of Epic Fury, and around 60 Iran-linked hacktivist groups are currently operating.

It is little surprise that malicious Iranian cyber activity increased immediately after the US/Israel strikes commenced at the end of February 2026. It is more surprising that cyber groups linked to MOIS (the Iranian Ministry of Intelligence and Security) and to the IRGC appear to have been preparing for this event.

A study by Augur Security, which uses AI and behavioral modeling to provide early identification and mapping of malicious infrastructure, demonstrates that numerous government-linked groups (tied either to MOIS or to one of the Islamic Revolutionary Guard Corps (IRGC) cyber units) showed increased infrastructure activity in the six months prior to Epic Fury.

Augur’s analysis describes Iranian actors’ typical multi-tier infrastructure designed to obscure origin. It starts from Sefroyek Pardaz Engineering, an Iranian ISP and hosting company based in Tehran.

The second tier involves bulletproof hosting providers, such as Moldovan ALEXHOST and Wyoming-based shell company RouterHosting LLC, historically associated with infrastructure linked to Iranian threat actors.

A third tier involves further shell companies, such as Cloudblast, registered in the US but operating from Dubai and routing through a Netherlands-based upstream provider, which adds a jurisdictional layer that further complicates investigation and enforcement. A second example, UltaHost, has dual registration: UltaHost Inc in the US and ULTAHOST Ltd in the UK, operating as a US parent company with a UK subsidiary. On February 5, 2025, ICANN issued a formal notice of ‘breach of registrar accreditation agreement’ against UltaHost Inc. Such notices are generally considered a red flag.

“Before attacks reach a target network, they require infrastructure,” comments Joe Lea, CEO at Augur Security. “Mapping and disrupting that infrastructure is one of the most effective ways defenders can stop operations before they begin.”

The report describes a spike in infrastructure activity by the major Iranian APT groups in the six months preceding the February 28, 2026 US/Israeli strikes against Iran.

MuddyWater, for example, had seven CIDRs flagged within 72 hours in mid-September 2025. Five are related to an Estonian ASN provider, with country codes spanning Russia, UK, and Estonia; and the remaining two are on Clouvider, “a UK-based general hosting provider with a documented history of abuse by multiple threat actor groups.”

Augur suggests this MuddyWater activity timeframe is consistent with pre-operational infrastructure staging prior to the commencement of the combined US Operation Epic Fury and Israeli Operation Roaring Lion. “This assessment for the temporal correlation,” states Augur, “is made with medium confidence that this specific buildup was in preparation for post-strike operations.”
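The MuddyWater observation above (seven CIDRs flagged within 72 hours, split across a single Estonian ASN with mixed country codes and a known-abused hosting provider) is a pattern a defender can hunt for in their own infrastructure feeds. The following is an added example, not Augur's tooling or methodology: it slides a 72-hour window over newly seen prefixes, emits bursts of at least five, and scores each burst on size, watchlisted providers and country spread. The sample observations, the provider weights and the confidence thresholds are constructed for illustration; the CIDRs use RFC 5737 documentation ranges and the ASNs the reserved 64496-64511 block.

```python
"""Burst detection over infrastructure observations (added example).

Flags clusters of newly seen CIDRs that appear within a short window and land
on hosting providers with a history of abuse. Sample data, provider weights
and thresholds are assumptions made for this example.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network


@dataclass(frozen=True)
class Observation:
    cidr: str
    asn: int
    country: str      # country code reported for the prefix
    provider: str
    first_seen: datetime

    def __post_init__(self):
        ip_network(self.cidr)  # reject malformed prefixes early (raises ValueError)


# Assumed weights for providers the article names as bulletproof or abuse-prone.
WATCHLIST = {"ALEXHOST": 3, "RouterHosting LLC": 3, "Clouvider": 2}

# Constructed sample: five prefixes on one "Estonian" ASN geolocated to EE/RU/GB,
# two on Clouvider, all within 69 hours, plus one unrelated prefix weeks earlier.
SAMPLE = [
    Observation("192.0.2.0/28", 64496, "EE", "example-ee-host", datetime(2025, 9, 15, 9)),
    Observation("192.0.2.16/28", 64496, "RU", "example-ee-host", datetime(2025, 9, 15, 14)),
    Observation("192.0.2.32/28", 64496, "GB", "example-ee-host", datetime(2025, 9, 16, 3)),
    Observation("192.0.2.48/28", 64496, "EE", "example-ee-host", datetime(2025, 9, 16, 11)),
    Observation("192.0.2.64/28", 64496, "RU", "example-ee-host", datetime(2025, 9, 16, 20)),
    Observation("198.51.100.0/28", 64497, "GB", "Clouvider", datetime(2025, 9, 17, 8)),
    Observation("198.51.100.16/28", 64497, "GB", "Clouvider", datetime(2025, 9, 18, 6)),
    Observation("203.0.113.0/28", 64498, "NL", "example-nl-host", datetime(2025, 8, 1, 12)),
]


def burst_clusters(obs, window=timedelta(hours=72), min_count=5):
    """Return maximal groups of observations whose first_seen fall within `window`.

    Observations are sorted by time and a window grows from each start index.
    A group is emitted only when its end index advanced past the previous
    group's, so seven CIDRs in 72 hours yield one cluster rather than several
    nested sub-clusters.
    """
    ordered = sorted(obs, key=lambda o: o.first_seen)
    clusters, end, last_end = [], 0, 0
    for start, first in enumerate(ordered):
        while end < len(ordered) and ordered[end].first_seen - first.first_seen <= window:
            end += 1
        if end - start >= min_count and end > last_end:
            clusters.append(ordered[start:end])
            last_end = end
    return clusters


def assess(cluster):
    """Score one cluster: size, watchlisted providers, and country spread.

    One ASN announcing prefixes geolocated to several countries is itself a
    hint of a reseller or bulletproof operator. The thresholds are assumptions
    for this example, not an analyst confidence scale used by the report.
    """
    provider_weight = sum(WATCHLIST.get(o.provider, 0) for o in cluster)
    countries = {o.country for o in cluster}
    score = len(cluster) + provider_weight + max(0, len(countries) - 1)
    confidence = "high" if score >= 14 else "medium" if score >= 9 else "low"
    return {
        "cidrs": [o.cidr for o in cluster],
        "asns": sorted({o.asn for o in cluster}),
        "countries": sorted(countries),
        "score": score,
        "confidence": confidence,
    }


def staging_report(obs=SAMPLE):
    """Assess every burst in `obs`; an empty list means no staging pattern."""
    return [assess(c) for c in burst_clusters(obs)]


if __name__ == "__main__":
    print(json.dumps(staging_report(), indent=2))
```

Feed it your own observations (for example new prefixes from passive DNS or BGP announcement diffs, tagged with provider and geolocation) and tune the window and watchlist to the actor you are tracking; the isolated August prefix in the sample is deliberately left out of the burst to show that single registrations do not trigger an alert.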

Handala, responsible for the attack against US-based medical tech giant Stryker, is a more recent addition to the MOIS-linked cyber groups, emerging as recently as 2023. It exhibits no specific infrastructure activity in Augur’s analysis, but has in the past conducted data exfiltration and wiper operations primarily targeting Israel. It has intensified its activities this year and is part of the coordinated Iranian cyber response to the February 28 strikes.

Other Iranian APTs included in Augur’s report include OilRig/APT34 (MOIS), APT35/Charming Kitten (IRGC-IO), APT33/Peach Sandstorm (IRGC), Cotton Sandstorm/Emennet Pasargad (IRGC), and CyberAv3ngers (IRGC-CEC).

The report notes a rapid and coordinated expansion of hacktivist activity after February 28. “An Electronic Operations Room was established within 24 hours of the strikes, providing centralized coordination for an estimated 60 or more hacktivist groups.” This mirrors the coordination that followed escalation of the Gaza conflict in October 2023.

These groups include Cyber Fattah, Fatimiyoun Cyber Team, Handala, and affiliated collectives operating under Cotton Sandstorm coordination. The primary focus has been on Israeli and US government, financial, and critical infrastructure organizations. A secondary focus is on Gulf states considered to be facilitating the US/Israel strikes.

It is worth noting that although the IRGC works closely with the Iranian government, its primary purpose is to protect ‘the Islamic revolution’ rather than the country of Iran. The Iranian army defends the borders of Iran, while the IRGC defends the revolution with its private army and separate cyber units. It is effectively a multi-national conglomerate with extensive presence beyond Iran itself.

So, although the US/Israel strikes damaged Iran’s internal internet connectivity, they did not seriously affect the ability of Iranian APTs to continue and expand their cyber operations. It is difficult to see how kinetic action against the country of Iran can degrade Iran’s APT capabilities.

Related: Iran-Linked Hackers Take Aim at US and Other Targets, Raising Risk of Cyberattacks During War

Related: Iranian APT Hacked US Airport, Bank, Software Company

Related: Iranian Strikes on Amazon Data Centers Highlight Industry’s Vulnerability to Physical Disasters
