Iran Readied Cyberattack Capabilities for Response Prior to Epic Fury
Iran-linked APTs staged cyber infrastructure for months before Epic Fury strikes in February 2026.
Summary
Analysis by Augur Security reveals that Iranian Ministry of Intelligence (MOIS) and Islamic Revolutionary Guard Corps (IRGC) cyber units significantly expanded malicious infrastructure in the six months preceding the February 28, 2026 US/Israeli military strikes on Iran. The buildup included shell companies, bulletproof hosting, and multi-tier obscured infrastructure across Moldova, Wyoming, Dubai, and Europe. Within 24 hours of the strikes, an 'Electronic Operations Room' coordinated approximately 60 hacktivist groups targeting US, Israeli, and Gulf state infrastructure.
Full text
America, Israel and ‘facilitating’ Gulf states received malicious attacks from Iranian APTs within days of Epic Fury, and there are around 60 Iran-linked hacktivist groups currently operating. It is little surprise that malicious Iranian cyber activity increased immediately after the US/Israel strikes commenced at the end of February 2026. It is more surprising that MOIS (Iranian Ministry of Intelligence and Security) and IRGC-linked cyber groups seemed to be preparing themselves for this event.

A study by Augur Security, which uses AI and behavioral modeling to provide early identification and mapping of malicious infrastructure, demonstrates that numerous government-linked groups (affiliated either with MOIS or with one of the Islamic Revolutionary Guard Corps – IRGC – cyber units) showed increased infrastructure activity in the six months prior to Epic Fury.

Augur’s analysis describes the Iranian actors’ typical multi-tier infrastructure, designed to obscure origin. It starts from Sefroyek Pardaz Engineering, an Iranian ISP and hosting company based in Tehran. The second tier involves bulletproof hosting providers, such as Moldovan ALEXHOST and the Wyoming-based shell company RouterHosting LLC, historically associated with infrastructure linked to Iranian threat actors. A third tier involves further shell companies, such as Cloudblast, registered in the US but operating from Dubai and routing through a Netherlands-based upstream provider, which further complicates investigation and enforcement by adding another jurisdictional layer. A second example, UltaHost, has dual registration – UltaHost Inc in the US and ULTAHOST Ltd in the UK. It operates as a US parent company with a UK subsidiary. On February 5, 2025, ICANN issued a formal notice of ‘breach of registrar accreditation agreement’ against UltaHost Inc. Such notices are generally considered a red flag.
“Before attacks reach a target network, they require infrastructure,” comments Joe Lea, CEO at Augur Security. “Mapping and disrupting that infrastructure is one of the most effective ways defenders can stop operations before they begin.”

The report describes a spike in infrastructure activity by the major Iranian APT groups in the six months preceding the February 28, 2026 US/Israeli strikes against Iran. MuddyWater, for example, had seven CIDRs flagged within 72 hours in mid-September 2025. Five are related to an Estonian ASN provider, with country codes spanning Russia, the UK, and Estonia; the remaining two are on Clouvider, “a UK-based general hosting provider with a documented history of abuse by multiple threat actor groups.” Augur suggests the timeframe of this MuddyWater activity is consistent with pre-operational infrastructure staging prior to the commencement of the combined US Operation Epic Fury and Israeli Operation Roaring Lion. “This assessment for the temporal correlation,” states Augur, “is made with medium confidence that this specific buildup was in preparation for post-strike operations.”

Handala, responsible for the attack against US-based medical tech giant Stryker, is a more recent addition to the MOIS-linked cyber groups, emerging as recently as 2023. It exhibits no specific infrastructure activity in Augur’s analysis, but has in the past conducted data exfiltration and wiper operations primarily targeting Israel. It has intensified its activities this year and is part of the coordinated Iranian cyber response to the February 28 strikes. Other Iranian APTs covered in Augur’s report include OilRig/APT34 (MOIS), APT35/Charming Kitten (IRGC-IO), APT33/Peach Sandstorm (IRGC), Cotton Sandstorm/Emennet Pasargad (IRGC), and CyberAv3ngers (IRGC-CEC).

The report notes a rapid and coordinated expansion of hacktivist activity after February 28.
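The staging signal Augur describes for MuddyWater (seven CIDRs flagged within a 72-hour window, spread over a handful of ASNs and countries) can be turned into a simple defender-side analytic over an infrastructure-flag feed. The following is an added example written for this article, not code from Augur Security or SecurityWeek; the feed records, prefixes (documentation space), ASNs (reserved range) and timestamps are all constructed, and the actor name "ActorB" is a placeholder.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample feed, not Augur data: (actor, CIDR, ASN, country, first-flagged time).
# Prefixes are documentation space; ASNs come from the reserved AS64496-AS64511 block.
SAMPLE_FEED = [
    ("MuddyWater", "2001:db8:1::/48",   "AS64502", "EE", "2025-07-02T10:00:00"),  # isolated
    ("MuddyWater", "192.0.2.0/26",      "AS64500", "EE", "2025-09-15T03:00:00"),
    ("MuddyWater", "192.0.2.64/26",     "AS64500", "RU", "2025-09-15T19:30:00"),
    ("MuddyWater", "192.0.2.128/26",    "AS64500", "GB", "2025-09-16T08:15:00"),
    ("MuddyWater", "192.0.2.192/26",    "AS64500", "EE", "2025-09-16T21:00:00"),
    ("MuddyWater", "198.51.100.0/25",   "AS64500", "EE", "2025-09-17T04:45:00"),
    ("MuddyWater", "198.51.100.128/25", "AS64501", "GB", "2025-09-17T14:20:00"),
    ("MuddyWater", "203.0.113.0/24",    "AS64501", "GB", "2025-09-17T23:10:00"),
    ("MuddyWater", "not-a-cidr",        "AS64501", "GB", "2025-09-17T23:15:00"),  # malformed
    ("ActorB",     "2001:db8:2::/48",   "AS64503", "NL", "2025-08-01T00:00:00"),
]

def parse_feed(feed):
    """Group valid records by actor as (time, cidr, asn, cc); malformed CIDRs are dropped."""
    by_actor = defaultdict(list)
    for actor, cidr, asn, cc, ts in feed:
        try:
            net = ip_network(cidr, strict=True)
        except ValueError:
            continue  # never let a malformed prefix inflate an actor's count
        by_actor[actor].append((datetime.fromisoformat(ts), str(net), asn, cc))
    return by_actor

def staging_bursts(feed, min_cidrs=5, window_hours=72):
    """Non-overlapping windows in which one actor had >= min_cidrs CIDRs newly
    flagged within window_hours (the staging pattern the report describes)."""
    bursts = []
    for actor, recs in parse_feed(feed).items():
        recs, i = sorted(recs), 0
        while i < len(recs):
            j = i  # extend the window as far as it reaches from recs[i]
            while j + 1 < len(recs) and recs[j + 1][0] - recs[i][0] <= timedelta(hours=window_hours):
                j += 1
            if j - i + 1 >= min_cidrs:
                chunk = recs[i:j + 1]
                bursts.append({"actor": actor, "cidrs": [r[1] for r in chunk],
                               "start": chunk[0][0].isoformat(), "end": chunk[-1][0].isoformat(),
                               "asns": sorted({r[2] for r in chunk}),
                               "countries": sorted({r[3] for r in chunk})})
                i = j + 1  # report each burst once, then move past it
            else:
                i += 1
    return bursts
```

On the constructed feed the single reported burst is the seven valid MuddyWater prefixes between September 15 and 17, spanning two ASNs and three country codes, while the isolated July record and the malformed entry are left out.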
“An Electronic Operations Room was established within 24 hours of the strikes, providing centralized coordination for an estimated 60 or more hacktivist groups.” This mirrors the coordination that followed the escalation of the Gaza conflict in October 2023. These groups include Cyber Fattah, Fatimiyoun Cyber Team, Handala, and affiliated collectives operating under Cotton Sandstorm coordination. The primary focus has been on Israeli and US government, financial, and critical infrastructure organizations. A secondary focus is on Gulf states considered to be facilitating the US/Israel strikes.

It is worth noting that although the IRGC works closely with the Iranian government, its primary purpose is to protect ‘the Islamic revolution’ rather than the country of Iran. The Iranian army defends the borders of Iran, while the IRGC defends the revolution with its own army and separate cyber units. It is effectively a multi-national conglomerate with an extensive presence beyond Iran itself. So, although the US/Israel strikes damaged Iran’s internal internet connectivity, they did not seriously affect the ability of Iranian APTs to continue and expand their cyber operations. It is difficult to see how kinetic action against the country of Iran can degrade Iran’s APT capabilities.

Written By Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
Indicators of Compromise
- malware — MuddyWater
- malware — Handala
- malware — OilRig/APT34
- malware — APT35/Charming Kitten
- malware — APT33/Peach Sandstorm
- malware — Cotton Sandstorm/Emennet Pasargad
- malware — CyberAv3ngers
- mitre_attack — Infrastructure Staging