Threat Advisory: Iran-Aligned Cyber Actors Respond to Operation Epic Fury

Operation Epic Fury eliminated Iran's senior leadership and triggered the largest Iranian retaliatory response in recorded history. In particular, the strikes eliminated Khamenei, IRGC Commander Pakpour, Defense Minister Aziz Nasirzadeh, and Supreme National Security Council Secretary Ali Shamkhani, among at least 40 officials. ^[1] An interim governing council has assumed power while succession proceedings begin. Iran retaliated with ballistic missiles and drones targeting Israel and U.S. military assets across Bahrain, Qatar, Kuwait, Saudi Arabia, Jordan, the UAE, and Oman. On 2 March 2026, Hezbollah launched rockets and drones into northern Israel from Lebanon, expanding the conflict to a second front. ^[3]

Iran's offensive cyber operations are assessed to be distributed across two principal organizations: the IRGC Cyber-Electronic Command (IRGC-CEC), which has conducted state-directed ICS/OT targeting operations, and the Ministry of Intelligence and Security (MOIS), which has conducted espionage, hack-and-leak operations, and disruptive wiper attacks. ^{[6] [7]} Both organizations employ hacktivist personas to conduct operations with plausible deniability. While the strikes likely degraded Iran's centralized command structure, these cyber units are assessed to operate with a degree of autonomy that may enable continued operations, even under degraded coordination. ^[2]

Unit 42 (Palo Alto Networks) assesses that the loss of internet connectivity and significant degradation of Iranian leadership and command structures will likely hinder the ability of state-aligned threat actors to coordinate and execute sophisticated cyberattacks in the near term. ^[2] Iran's available internet connectivity dropped to approximately 1 to 4 percent beginning 28 February, which limits both defensive visibility into adversary operations and the operators' own ability to coordinate. State-aligned cyber units may be acting in operational isolation, which could result in deviations from previously established patterns. ^[2] As connectivity stabilizes, a transition from the current claim-driven phase to confirmed disruptive operations is assessed as likely.

This section profiles the actors assessed to represent the most credible threat based on demonstrated capability, established attribution, and observed activity since 28 February 2026. Multiple hacktivist groups are assessed to be conducting DDoS or defacement activity that, while visible, does not pose a material risk to production environments or customer data. ^[2] However, organizations should not dismiss this activity entirely: for security vendors, even a brief disruption to internet-exposed web properties carries reputational risk that is disproportionate to the technical severity of the attack itself.

CyberAv3ngers is assessed as the highest-priority state-directed cyber actor in this threat landscape. The group presents as an ideological hacktivist collective, but the U.S. Treasury Department sanctioned six IRGC-CEC officials for directing its operations, establishing state control beyond reasonable doubt. ^[4] The group has targeted water treatment facilities, fuel management systems, and programmable logic controllers (PLCs) across the United States and Israel using both default credential exploitation and custom malware.

Their primary tool is IOCONTROL, a custom-built malware targeting IoT and OT devices including routers, PLCs, HMIs, firewalls, and fuel management systems from vendors including Unitronics, D-Link, Hikvision, Orpak, and Gasboy. ^[13] In late 2023, CyberAv3ngers compromised Unitronics Vision Series PLCs across multiple U.S. water systems by exploiting default passwords on internet-accessible devices. ^[5] A multi-government joint advisory from CISA, FBI, NSA, and allied agencies documented the TTPs in detail, including the group's use of custom ladder logic files and modification of default port numbers to forestall owner access.

Why This Matters: CyberAv3ngers has demonstrated the capability and willingness to compromise U.S. critical infrastructure. Their TTPs center on exploiting internet-facing devices with default or weak credentials. Remote access and privileged access products deployed in OT environments, particularly in energy, water, and manufacturing, represent potential pivot points into industrial networks.

Recommended Actions: Audit all internet-facing ICS/SCADA devices for default credentials and unnecessary internet exposure. Devices from Unitronics, Orpak, Gasboy, and similar vendors with internet-facing management interfaces should be moved behind segmented networks with deny-by-default access and phishing-resistant MFA. The CISA joint advisory AA23-335A provides specific TTPs and detection guidance. ^[5]

Handala Hack Team is assessed by multiple cybersecurity vendors and governments as a persona operated by Void Manticore, an actor linked to Iran's Ministry of Intelligence and Security (MOIS). ^{[6] [7] [8]} This distinction is analytically significant: Handala operates under MOIS direction, not IRGC-CEC, making it organizationally separate from CyberAv3ngers. Sophos X-Ops notes that the group routinely overstates its capabilities but has confirmed ability to execute data theft and wiper attacks. ^[7] Unit 42 identifies Handala as the most prominent Iranian hacktivist persona currently active in the conflict. ^[2]

Handala's assessed operational pattern is opportunistic and velocity-focused: compromising low-security systems, often through supply-chain footholds in IT service providers, exfiltrating data, and timing publication for maximum psychological impact. ^[6] Check Point Research observed Handala campaigns originating from Starlink IP ranges during Iran's internet blackout in January 2026, indicating the group is likely able to operate during domestic connectivity disruptions.

A potentially significant development: on 2 March 2026, Iran International reported that Israeli strikes on the MOIS headquarters eliminated Seyed Yahya Hosseini Panjaki, the MOIS deputy intelligence minister assessed to have led the Handala, Karma Below, and Homeland Justice personas. ^[9] Panjaki was sanctioned by the U.S. Treasury in September 2024 for overseeing Iranian dissident assassination operations. ^[10] If confirmed, this could represent a material disruption to MOIS hack-and-leak operational leadership. However, the extent and duration of any resulting capability degradation remains uncertain, and this reporting should be treated as unconfirmed pending additional corroboration.

Why This Matters: Handala's targeting of IT service providers for downstream access makes any organization in the supply chain for Israeli or U.S. defense-adjacent entities a potential target. The group's data exfiltration-before-announcement pattern means that, by the time a public breach claim appears, the actual compromise may have occurred days or weeks earlier.

Recommended Actions: Monitor for anomalous outbound data transfers, particularly to unfamiliar cloud storage endpoints during off-hours. Validate access controls on service provider accounts. Organizations with Israeli technology partnerships or defense-adjacent supply chain relationships should exercise heightened vigilance for targeted phishing, particularly credential harvesting attempts masquerading as Google Meet, Microsoft Teams, or WhatsApp invitations. ^[6]

Multiple sources report that Iranian actors were likely preparing cyber operations before the kinetic strikes began. Check Point Research documented Cotton Sandstorm (IRGC-affiliated) deploying WezRat, a custom modular infostealer delivered via spear phishing campaigns disguised as urgent software updates, in the months preceding the conflict. In some cases, these intrusions were followed by WhiteLock ransomware deployment against Israeli targets. ^[6] Unit 42 identified an active phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert application, designed to deliver mobile surveillance and data-exfiltrating malware. ^[2]

The speed with which Iran-nexus actors claimed operations after the strikes, combined with these pre-conflict indicators, suggests that Iran had likely pre-authorized continued cyber activity in the event of a leadership decapitation scenario, consistent with its documented succession and crisis contingency planning. ^[2]

Why This Matters: The operational preparation phase is assessed to be already complete for at least some actors. Tools have been staged, reconnaissance has been reported, and targets have been identified. As Iran's internet connectivity stabilizes and surviving command elements restore coordination, a transition from claim-driven activity to confirmed disruptive operations is assessed as likely.

The elimination of Iran's senior leadership has not neutralized its cyber offensive capability. It has likely decentralized it. The actors profiled in this advisory were operational before the strikes and are now assessed to be operating in the highest-motivation environment in their recorded history. The most immediate risk comes not from the reconstituting IRGC command structure, which will require time to restore coherence, but from the pre-positioned proxy ecosystem that operates under delegated authority or independent ideological motivation.

The analytical picture is currently obscured by Iran's internet blackout, a disinformation-heavy claim environment, and the fog of active kinetic conflict. What is established with confidence is that these actors have demonstrated real capability against critical infrastructure, that pre-conflict staging has been reported by multiple credible sources, and that their documented TTPs center on exploiting known vulnerabilities in internet-facing systems with weak authentication. Those are problems that defenders can address today.

Organizations should treat the next 14 days as the highest-risk window for opportunistic attacks and invest monitoring effort accordingly, while using the 30 to 90 day horizon to implement structural controls, such as phishing-resistant MFA, network segmentation, OT device isolation, and behavioral detection, for ransomware and wiper precursors. These are the controls that will matter when reconstituted Iranian cyber units resume deliberate operations.

[1] Al Jazeera. "Who are Iran's senior figures killed in US-Israeli attacks?" 1 March 2026. https://www.aljazeera.com/news...

[2] Palo Alto Networks Unit 42. "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran." 2 March 2026. https://unit42.paloaltonetwork...

[3] NPR. "Hezbollah strikes Israel as American and Israeli planes pound Iran." 2 March 2026. https://www.npr.org/2026/03/02...

[4] U.S. Department of State, Rewards for Justice. "CyberAv3ngers." https://rewardsforjustice.net/...

[5] CISA, FBI, NSA, et al. Joint Advisory AA23-335A: "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors." Updated December 2024.

[6] Check Point Research. "What Defenders Need to Know about Iran's Cyber Capabilities." 1 March 2026. https://blog.checkpoint.com/re...

[7] Sophos X-Ops. "Cyber Advisory: Increased Cyber Risk Amid U.S., Israel, Iran Escalation." 28 February 2026. https://www.sophos.com/en-us/b...

[8] Government of Canada, Rapid Response Mechanism. "Iran-linked hacker group doxes journalists and amplifies leaked information through AI chatbots." 2025.

[9] Iran International. "Iran's deputy minister of intelligence for Israel affairs killed." 2 March 2026. https://www.iranintl.com/en/20...

[10] U.S. Department of the Treasury. "Treasury Sanctions Iranian Officials Connected to Human Rights Violations." 18 September 2024. https://home.treasury.gov/news...

[11] The Register. "Iran's cyberwar has begun." 2 March 2026. https://www.theregister.com/20...

[12] Nextgov/FCW. "Intelligence firms watch for uptick in Iran cyber activity after US, Israel strikes." 2 March 2026. https://www.nextgov.com/cybers...

[13] Claroty Team82. "Inside a New OT/IoT Cyberweapon: IOCONTROL." December 2024. https://claroty.com/team82/res...

[14] SecurityWeek. "Iran Cyber Front: Hacktivist Activity Rises, but State-Sponsored Attacks Stay Low." 3 March 2026. https://www.securityweek.com/i...

The following is a consolidated set of all defensive guidance provided in this advisory, organized for operational implementation.

This document is classified as TLP:GREEN. This advisory may be shared within the recipient's community for defensive purposes. Redistribution beyond the recipient's sector or community requires prior written permission from BeyondTrust Corporation.