Resecurity warns that Iran war enters multi-domain phase as cyber and kinetic operations converge


New data from Resecurity shows that the ongoing Iran war has rapidly evolved into a multi‑domain confrontation where traditional military strikes are tightly interwoven with digital operations, electronic interference, and psychological warfare, reshaping the nature of modern conflict. Resecurity noted that the Feb. 28, 2026, joint U.S.–Israeli offensive against Iran was not solely kinetic; it triggered a surge in cyber and electronic activities aimed at disrupting communications, gathering intelligence, and degrading Iranian command networks.

Hacktivist groups aligned with both sides have joined the fray, executing DDoS (distributed denial of service) attacks, website defacements, and reconnaissance missions targeting critical infrastructure and government resources across the Middle East. These digital campaigns are not isolated but synchronized with physical operations to intensify operational impact and strategic pressure.

Resecurity identified several key groups involved in the escalation, including Iranian-aligned hacktivist collectives such as Cyber Islamic Resistance, Fatimion Cyber Team, and Cyber Fattah. These groups have conducted reconnaissance, Distributed Denial of Service campaigns, website defacements, and data theft as part of coordinated cyber activity.

On the opposing side, pro-Western hacktivist groups have targeted Iranian religious applications and news platforms in an effort to undermine state narratives and influence domestic perception. The broader landscape also includes Iranian opposition actors operating from abroad, particularly in the United States, the United Kingdom, the European Union, Canada, and Australia, who are actively engaging in cyber efforts against the current regime.

Resecurity assessed that the Iran war is set to remain a prolonged and disruptive conflict with serious humanitarian and economic consequences. While a full-scale regional war remains unlikely, sustained missile, drone, and cyberattacks are expected to continue. Iran’s nuclear program continues to pose a significant risk, with concerns over potential breakout despite recent setbacks. Cyber activity is also likely to intensify, driven primarily by Iranian proxies and externally based operatives, as near-total internet restrictions inside Iran limit the operational capacity of state-sponsored groups.

The post highlights how cyber and electronic tactics are increasingly supporting battlefield objectives and shaping the psychological dimension of warfare. U.S. and allied forces reportedly leveraged cyber reconnaissance and offensive actions to facilitate kinetic targeting and battle damage assessment, while Iranian hacktivist networks exploited exposed digital assets and vulnerabilities to strike at regional and Western targets. 

Additionally, AI (artificial intelligence)‑driven influence campaigns and social media manipulation have been woven into the broader conflict narrative, amplifying misinformation and undermining adversary morale. The convergence of these domains underscores a significant shift in conflict dynamics where digital tools are deployed in concert with bombs and missiles, complicating defense postures and signaling a new era of hybrid warfare that blurs the lines between cyber operations and conventional combat.

Resecurity reported that there has been a sharp rise in cyber activity following the recent U.S.–Israeli strikes on Iran, with both Iranian-aligned and pro-Western hacktivist groups targeting critical infrastructure, military logistics, and symbolic digital assets. These cyberattacks extend beyond disruption, as both sides are also using cyber reconnaissance to support kinetic targeting and assess battle damage, reflecting a coordinated approach where cyber operations are integrated with military actions.

The escalation is further evident in targeted cyber incidents, including coordinated attacks on Pakistani media platforms and a significant Iran-linked breach of Stryker Corporation that disrupted global operations. At the same time, geopolitical developments such as evacuations and remote work shifts are expanding the cyberattack surface, exposing organizations to greater risk. Iran has also declared U.S. financial institutions and multinational technology companies as legitimate cyber targets, underscoring how offensive cyber capabilities are being used alongside broader strategic objectives in the conflict.

The DDoS attacks and reconnaissance operations targeting U.S. and Israeli assets aim to disrupt services and gather intelligence for follow-on activity. These campaigns appear loosely coordinated but largely ineffective, relying on basic tools that generate noise rather than significant operational damage, often forcing organizations across the Gulf region to divert limited defensive resources.

Iran’s cyber capabilities in this area remain constrained, with limited capacity to generate high-impact DDoS volumes, leading to reliance on hacktivists and underground services, some of which have refused support. At the same time, cyber operations are embedded in a broader strategic framework, with alliances such as the so-called Islamic Resilience Cyber Axis driving recruitment and influence campaigns, including AI-enabled information operations. The targeting of an IRGC-linked cyber operations center in Tehran further underscores how cyber infrastructure itself has become a direct component of the conflict.

“In fact, many of the activities are driven by the same alliances built in 2024-2025, nicknamed the Islamic Resilience Cyber Axis, a conglomerate of several ideologically motivated groups. These actors are actively recruiting new members to their movement and can generate influence campaigns via social media, including the use of artificial intelligence (AI),” Resecurity mentioned in its post. “One of its subdivisions, the Electronic Operations Room, is responsible for malicious cyber activity. These actors are often associated not only with Iranian but also with pro-Hamas groups. The ecosystem of such groups is extremely dynamic and may involve actors from other geographies joining them who follow a similar ideology.”

Resecurity detailed that many DDoS attacks have been conducted using third-party underground services, such as ‘stressers’ for rent, including Cosmic Network (V2), SpaceStresser, TheFlashDDOS, and EliteStresser. “Such tooling may cause short-term outages and load on web servers and applications, especially when leveraging a combination of attacks against commercial CDNs and WAFs. To scale the volume of attacks, threat actors leverage residential proxies, compromised servers, and IoT devices to generate malicious traffic.”

Identified attacks were also targeting Israeli defense contractors and entities associated with the defense industrial base in other countries cooperating with Israel. One of the most active groups releasing such claims is 313 Team, presumably associated with the Islamic Cyber Resistance in Iraq.

Besides DDoS claims, pro-Iranian hacktivists such as Cyber Fattah, which calls itself an Iranian Cyber Team, were targeting other sectors. Attacks against energy infrastructure have been detected targeting Jordan. The actors have already used exposed infostealer data to obtain credentials and access web panels and applications.

The post disclosed that hacktivists attempted to attack publicly exposed IoT devices by scanning Israeli-based IP ranges. “The pro-Iranian actors were also targeting popular Hikvision and Dahua cameras with several authentication and command-related vulnerabilities. The bugs they use include CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, and CVE-2025-34067 for Hikvision; and CVE-2021-33044 for Dahua. Patches for all vulnerabilities are available now. DDoS attempts also targeted Israeli military resources by groups such as Conquerors Electronic Army.”

A Telegram channel presumably operated by Russian-speaking actors announced that the group Server Killers was joining the cyber war against the US and Israel. It is assessed with a high level of confidence that this group’s activity is more opportunistic than state-directed, and that their claims of providing substantial support to Iran are exaggerated. Other groups, such as Killnet, NNM057 (16), and Russian Legion, have also been involved in similar activities. Regardless of claims that Russia is providing Iran with intelligence to target U.S. forces, activity in cyberspace appears to be uncoordinated and conducted by multiple disconnected groups.

Resecurity reported that Iranian-affiliated hacktivist groups, including Cyber Islamic Resistance, have carried out website defacements, data theft, and data-wiping attacks targeting U.S. and Israeli military logistics providers in an effort to disrupt operations. At the same time, several Iranian-linked groups have called for cyber experts to join what they describe as a ‘Great Epic Battle,’ signaling efforts to expand their digital capabilities.

However, these activities remain largely opportunistic and have had limited impact on core operational processes. According to the assessment, Iran’s constrained cyber resources, compounded by damaged infrastructure and time pressures, limit its ability to mount more coordinated campaigns in the near term. The threat is expected to evolve toward ransomware-style operations, where critical data is held hostage for strategic leverage beyond financial gain. 

Meanwhile, pro-Iranian channels have circulated alleged data on Israeli military personnel, though much of it appears to be recycled or misleading, aimed at creating uncertainty and amplifying psychological pressure through information operations.

Around the beginning of March, Resecurity identified the emergence of relatively new groups, such as Cyber Isnaad Front. “The group has targeted critical infrastructure and telecommunication providers of Israel, but also released a ‘hit list’ of people operating in various industries.”

The post also highlighted Handala Hack Team as one of the most credible actors, with increased data theft and ransomware activity during the Iran war. In addition to targeting organizations, the group focuses on individuals in the defense sector to exert influence.

Resecurity mentioned that clips from military video games were circulated as real combat footage, misleading viewers about the reality on the ground. Iranian-aligned cyber groups have carried out cyberattacks and exaggerated their impact to sow confusion and fear. In one of the misinformation episodes, a pro-Iranian group was circulating messaging that Khamenei had not been killed. 

The post also highlights misinformation focused on both cyber activity and kinetic actions. For instance, “Iran claims to have struck the USS Abraham Lincoln with missiles and drones, but the US Central Command released images showing the carrier operating as normal. The claims by Iran are part of a bigger misinformation campaign attempting to discredit the US military.”

In addition to Iranian-aligned groups, pro-Western hacktivists have also been active, targeting Iranian apps and websites. These attacks are likely intended to counter Iran’s cyber retaliation and disrupt its digital infrastructure.

The surge in hacktivist activity underscores the growing role of cyber operations as a parallel front in geopolitical conflict, where loosely affiliated groups act as proxies or independent actors to amplify the impact of state-backed campaigns. Experts also warn of heightened volatility in the cyber domain, particularly in the immediate aftermath of the strikes, with hacktivists and proxy actors likely to drive escalation while Tehran’s central command regroups.

In conclusion, Resecurity said that hacktivist activity has significantly escalated following the US-Israeli strikes on Iran. Both Iranian-aligned and pro-Western groups are actively engaging in cyberattacks, including DDoS campaigns, data-wiping operations, and website defacements. These actions underscore the increasing importance of cyber warfare and hacktivism as tools of retaliation and influence in modern conflicts.

This escalation manifests through increased proxy militia attacks (rocket, drone, and IED strikes), cyber operations, and asymmetric tactics such as maritime harassment and influence campaigns. These responses are strategically designed to retaliate, deter further US action, and advance Iran’s regional objectives, while carefully managing the risk of uncontrollable escalation.


