Defending Against Iranian Cyber Threats in the Wake of Operation Epic Fury 

Situation Report: Operation Epic Fury

(Updated March 5, 2026)

On February 28, 2026, the United States and Israel launched Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel), a coordinated military and cyber campaign targeting Iranian military installations, IRGC leadership, and government infrastructure. U.S. Cyber Command was designated the “first mover,” with cyber operations beginning before any kinetic weapons were deployed. In the first 48 hours, U.S. and allied forces struck more than 1,250 targets across Iran, while Israel conducted what has been described as the largest cyberattack in history, collapsing Iran’s internet connectivity to 1-4% of normal levels through multi-layered attacks on BGP routing, DNS infrastructure, and SCADA/ICS systems.

The cyber offensive compromised the BadeSaba Calendar prayer app (5+ million downloads) to send defection messages to military personnel, hijacked Iran’s state news agency IRNA and government websites, and severed IRGC command-and-control communications during the critical opening hours of the campaign.

On the cyber front, the situation has evolved rapidly. Despite the internet blackout degrading Iranian state cyber units’ ability to coordinate, approximately 60 hacktivist groups — including pro-Russian collectives — were activated outside Iran by March 2. Unit 42’s March 2026 Threat Brief confirms active SMS/phishing campaigns delivering malicious RedAlert APK mobile malware, alongside widespread DDoS attacks, website defacements, data exfiltration operations, and early-stage wiper deployments. Iran-aligned actors have already breached Israeli energy companies and Jordanian fuel distribution systems. State-aligned groups affiliated with the IRGC and MOIS — including revived groups like Altoufan Team and HANDALA — are expected to escalate cyberattacks against critical infrastructure as Iran’s connectivity recovers. Near-term attacks are expected to consist of low- to medium-sophistication disruptions, but experts warn that more destructive wiper attacks will materialize once the operational disruption subsides.

Why We Built This — And Why It Matters Now

History tells us what comes next. After the 2020 Soleimani strike, Iranian threat groups launched waves of destructive wiper attacks, credential harvesting campaigns, and espionage operations against Western critical infrastructure. The same playbook is unfolding now, but with significantly more capable tooling. Groups like MuddyWater, APT35/Charming Kitten, OilRig/APT34, and Agrius have spent years refining their tradecraft. ESET’s December 2025 discovery of MuddyWater’s new MuddyViper backdoor targeting Israeli and Egyptian critical infrastructure, and the February 2026 Operation Olalampo campaign deploying AI-assisted backdoors against MENA energy and marine sectors, confirm these groups remain operationally active and evolving even as kinetic operations intensify.

Nation-states have increasingly weaponized cyber operations as a first-response mechanism during geopolitical crises. Iran’s documented capabilities include destructive disk wipers (Shamoon, ZeroCleare, Dustman), ransomware disguised as wipers (Apostle), DNS hijacking campaigns (DNSpionage), sophisticated espionage backdoors (POWERSTATS, QUADAGENT, TONEDEAF), and newer tools like RustyWater and WezRAT. These tools have historically targeted energy, oil and gas, government, financial services, defense, telecommunications, and higher education sectors, with a geographic focus on the Middle East, Europe, and the United States. Organizations in regions hosting U.S. military bases face particular risk in the current environment.

In direct response to this elevated threat landscape, our team leveraged the AttackIQ platform to rapidly build, validate, and deploy a comprehensive Iranian threat assessment template.

Assessment Templates

AttackIQ has released a new assessment template focused on threats associated with Iranian adversaries. This release brings together recent payload samples linked to multiple Iranian intrusion sets, enabling organizations to evaluate their visibility and detection capabilities against techniques observed in real-world campaigns.

Iranian Adversaries – Latest Observed Payload Samples: This emulation consists of payload samples associated with Iranian adversaries observed over recent months. Its objective is to assist customers in validating their security controls and evaluating their ability to detect and defend against these threats. The assessment includes known payload samples associated with the following adversaries and malware families:

MuddyWater: Iranian state-sponsored adversary, closely associated with the Iranian Ministry of Intelligence and Security (MOIS), that has been active since at least 2017. The group was previously exposed as a contractor for the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian armed forces tasked with protecting the country’s political system.

MuddyWater is known for conducting espionage operations targeting government organizations, energy and telecommunication corporations, and other entities of strategic importance across Europe, North America, and the Middle East.

APT35: Iranian state-sponsored adversary, also referred to as Charming Kitten and Phosphorus, that has been active since at least 2014. The group is known for conducting long-term, resource-intensive operations to support Iran’s geopolitical and strategic interests by targeting government entities, academic institutions, and private organizations across Europe, North America, and the Middle East in order to collect strategic intelligence.

OilRig: Iranian state-sponsored adversary, also referred to as APT34, that was first identified in 2012 during a series of destructive activities targeting organizations in the Middle East. The group’s activities have consistently aligned with Iran’s national interests and have targeted multiple sectors globally, including government, financial services, energy, utilities, telecommunications, manufacturing, and technology.

Emerging Malware Families to Watch

As the conflict evolves, two newer Iranian malware families warrant heightened vigilance:

RustyWater: A Rust-based Remote Access Trojan (RAT), associated with MuddyWater, that incorporates multiple anti-debugging and anti-tampering mechanisms designed to hinder analysis and evade detection, while enabling remote command execution and persistent access to compromised environments.

WezRAT: A modular infostealer associated with Cotton Sandstorm that was observed in campaigns targeting multiple Israeli organizations through phishing emails impersonating the Israeli National Cyber Directorate (INCD). The malware supports multiple capabilities, including command execution, screenshot capture, file uploads, keylogging, clipboard monitoring, and the collection of browser cookies.

Call to Action

Organizations in energy, oil and gas, government, defense, financial services, telecommunications, and critical infrastructure should treat this as an immediate call to action. Deploy the “Iranian Adversaries – Latest Observed Payload Samples” assessment.

The window between a geopolitical escalation and the first retaliatory cyber operation is measured in days, not weeks. With multiple hacktivist groups already active, Iranian state cyber units regaining connectivity, and Unit 42 confirming active phishing and wiper campaigns in progress, the time to validate your defenses is now.

Paul Reid

VP, Adversary Research

Paul Reid is a veteran of the complex, fast-paced world of cybersecurity, having served as a technology strategist for more than two decades for innovative technology companies. In these roles, he leveraged his deep expertise in cybersecurity, biometrics, network security, cryptography, and more, to guide customers, partners, industry analysts, and journalists through the intricate cybersecurity landscape. Most recently he has led a team of Cyber Threat Hunters leveraging behavioral analytics to find emerging threats in customers’ environments. Paul has been published numerous times and has shared his perspectives as a keynote speaker at prominent industry conferences, such as the NATO Information Assurance Symposium, SANS@Night, and Microsoft TechED. Paul is a published author in the Prentice Hall Series in Computer Networking and Distributed Systems. He also holds several patents in cybersecurity.