Iran Readied Cyberattack Capabilities for Response Prior to Epic Fury
SecurityWeek, archived Mar 19, 2026
Analysis reveals a six-month buildup of Iran-linked cyber infrastructure, including US-based shell companies, designed to weather kinetic strikes and ensure the resilience of its global hacking operations.
America, Israel and ‘facilitating’ Gulf states were hit by attacks from Iranian APTs within days of Epic Fury, and around 60 Iran-linked hacktivist groups are currently operating.
It is little surprise that malicious Iranian cyber activity increased immediately after the US/Israel strikes commenced at the end of February 2026. It is more surprising that MOIS (Iranian Ministry of Intelligence and Security) and IRGC-linked cyber groups appear to have been preparing themselves for this event.
A study by Augur Security, which uses AI and behavioral modeling to provide early identification and mapping of malicious infrastructure, indicates that numerous government-linked groups (affiliated either with MOIS or with one of the Islamic Revolutionary Guard Corps – IRGC – cyber units) showed increased infrastructure activity in the six months prior to Epic Fury.
Augur’s analysis describes Iranian actors’ typical multi-tier infrastructure designed to obscure origin. It starts from Sefroyek Pardaz Engineering, an Iranian ISP and hosting company based in Tehran.
The second tier involves bulletproof hosting providers, such as Moldovan ALEXHOST and Wyoming-based shell company RouterHosting LLC, historically associated with infrastructure linked to Iranian threat actors.
A third tier involves further shell companies. One example is Cloudblast, registered in the US but operating from Dubai and routing through a Netherlands-based upstream provider, which adds a further jurisdictional layer and complicates investigation and enforcement. A second example, UltaHost, has dual registration – UltaHost Inc in the US and ULTAHOST Ltd in the UK – and operates as a US parent company with a UK subsidiary. On February 5, 2025, ICANN issued a formal notice of ‘breach of registrar accreditation agreement’ against UltaHost Inc. Such notices are generally considered a red flag.
“Before attacks reach a target network, they require infrastructure,” comments Joe Lea, CEO at Augur Security. “Mapping and disrupting that infrastructure is one of the most effective ways defenders can stop operations before they begin.”
The report describes a spike in infrastructure activity by the major Iranian APT groups in the six months preceding the February 28, 2026 US/Israeli strikes against Iran.
MuddyWater, for example, had seven CIDRs flagged within 72 hours in mid-September 2025. Five are related to an Estonian ASN provider, with country codes spanning Russia, UK, and Estonia; and the remaining two are on Clouvider, “a UK-based general hosting provider with a documented history of abuse by multiple threat actor groups.”
Augur suggests this MuddyWater activity timeframe is consistent with pre-operational infrastructure staging prior to the commencement of the combined US Operation Epic Fury and Israeli Operation Roaring Lion. “This assessment for the temporal correlation,” states Augur, “is made with medium confidence that this specific buildup was in preparation for post-strike operations.”
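Two of the findings above translate directly into defender tooling: the tiered, multi-jurisdiction hosting chain, and the burst of new CIDRs for one actor inside a 72-hour window. The script below is an added example written for this article; it is not code from SecurityWeek or from Augur Security. It (1) matches the source IPs in flow logs against a flagged-CIDR feed using longest-prefix match, carrying the tier, ASN and country of the hit through to the alert, and (2) scans the feed's first-seen timestamps per actor for staging bursts of the kind the report describes. All CIDRs, ASNs, country codes, timestamps and log lines are constructed from RFC 5737 documentation ranges; none is a real indicator, and the actor labels are used only to show the grouping.

```python
"""Flagged-CIDR matching and staging-burst detection.

Added example, not code from the original article or from Augur Security.
Every CIDR, ASN, country code, timestamp and log line here is constructed
from documentation ranges; nothing is a real indicator.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed indicator feed, one record per flagged CIDR. 'tier' follows the
# article's three-tier model (1 = Iranian ISP, 2 = bulletproof host,
# 3 = shell-company reseller); the ASNs and dates are made up.
INDICATORS = [
    {"cidr": "192.0.2.0/24",     "actor": "MuddyWater", "asn": "AS64496", "cc": "EE", "tier": 2, "first_seen": "2025-09-15T08:00:00"},
    {"cidr": "192.0.2.128/25",   "actor": "MuddyWater", "asn": "AS64496", "cc": "GB", "tier": 3, "first_seen": "2025-09-15T21:30:00"},
    {"cidr": "198.51.100.0/24",  "actor": "MuddyWater", "asn": "AS64497", "cc": "RU", "tier": 2, "first_seen": "2025-09-16T04:10:00"},
    {"cidr": "198.51.100.64/26", "actor": "MuddyWater", "asn": "AS64497", "cc": "EE", "tier": 2, "first_seen": "2025-09-17T02:00:00"},
    {"cidr": "203.0.113.0/24",   "actor": "MuddyWater", "asn": "AS64498", "cc": "GB", "tier": 3, "first_seen": "2025-09-17T19:45:00"},
    {"cidr": "203.0.113.0/26",   "actor": "OilRig",     "asn": "AS64499", "cc": "NL", "tier": 3, "first_seen": "2025-11-02T10:00:00"},
]

# Constructed flow log: "<timestamp> <src_ip> -> <dst_ip>:<port> <bytes>"
FLOWS = """\
2026-03-01T00:12:07 192.0.2.200 -> 10.0.0.5:443 18230
2026-03-01T00:12:09 8.8.8.8 -> 10.0.0.5:53 120
2026-03-01T00:13:44 198.51.100.70 -> 10.0.0.9:22 940
2026-03-01T00:15:02 203.0.113.40 -> 10.0.0.5:443 77120
2026-03-01T00:16:30 172.16.4.4 -> 10.0.0.9:445 560
"""


def build_index(indicators):
    """Parse each CIDR once and sort most-specific first, so a linear scan
    returns the longest matching prefix (a /25 inside a /24 wins)."""
    index = [(ipaddress.ip_network(rec["cidr"], strict=False), rec) for rec in indicators]
    index.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return index


def lookup(ip, index):
    """Return the most specific indicator record containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, rec in index:
        if addr in net:
            return rec
    return None


def match_flows(flow_text, indicators):
    """Annotate every flow whose source address falls in a flagged CIDR."""
    index = build_index(indicators)
    hits = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip malformed lines rather than crash
            continue
        ts, src, _arrow, dst, nbytes = parts
        rec = lookup(src, index)
        if rec is not None:
            hits.append({"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes),
                         "cidr": rec["cidr"], "actor": rec["actor"],
                         "asn": rec["asn"], "cc": rec["cc"], "tier": rec["tier"]})
    return hits


def staging_bursts(indicators, window_hours=72, min_cidrs=5):
    """Per actor, find the densest sliding window of first-seen times and
    report it if at least min_cidrs new CIDRs appeared inside window_hours.
    This is the 'N CIDRs flagged within 72 hours' pattern from the report."""
    by_actor = defaultdict(list)
    for rec in indicators:
        by_actor[rec["actor"]].append((datetime.fromisoformat(rec["first_seen"]), rec))
    window = timedelta(hours=window_hours)
    bursts = []
    for actor, items in by_actor.items():
        items.sort(key=lambda pair: pair[0])
        best, start = None, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1           # slide the window forward
            count = end - start + 1
            if count >= min_cidrs and (best is None or count > best[0]):
                best = (count, start, end)
        if best is not None:
            _, s, e = best
            chunk = [rec for _, rec in items[s:e + 1]]
            bursts.append({"actor": actor,
                           "start": items[s][0].isoformat(),
                           "end": items[e][0].isoformat(),
                           "cidrs": [r["cidr"] for r in chunk],
                           "asns": sorted({r["asn"] for r in chunk}),
                           "countries": sorted({r["cc"] for r in chunk})})
    return bursts


if __name__ == "__main__":
    for hit in match_flows(FLOWS, INDICATORS):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}  {hit['actor']} {hit['cidr']} "
              f"tier={hit['tier']} {hit['asn']} {hit['cc']}")
    for burst in staging_bursts(INDICATORS):
        print(f"{burst['actor']}: {len(burst['cidrs'])} CIDRs in {burst['start']}..{burst['end']} "
              f"across {burst['asns']} ({burst['countries']})")
```

The longest-prefix ordering matters in practice: a reseller's /25 carved out of a bulletproof host's /24 is a tier-3 hit, not a tier-2 one, and the tier and country set is what tells an analyst how many jurisdictions a takedown request has to cross. The burst detector is deliberately per actor, because a feed that mixes several groups will show constant low-level churn; the signal the report describes is one actor's allocations clustering in a short window.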
Handala, responsible for the attack against US-based medical tech giant Stryker, is a more recent addition to MOIS-linked cyber groups, emerging as recently as 2023. It exhibits no specific infrastructure activity in Augur’s analysis, but has in the past conducted data exfiltration and wiper operations primarily targeting Israel. It has intensified its activities this year and is part of the coordinated Iranian cyber response to the February 28 strikes.
Other Iranian APTs included in Augur’s report include OilRig/APT34 (MOIS), APT35/Charming Kitten (IRGC-IO), APT33/Peach Sandstorm (IRGC), Cotton Sandstorm/Emennet Pasargad (IRGC), and CyberAv3ngers (IRGC-CEC).
The report notes a rapid and coordinated expansion of hacktivist activity after February 28. “An Electronic Operations Room was established within 24 hours of the strikes, providing centralized coordination for an estimated 60 or more hacktivist groups.” This mirrors the coordination that followed escalation of the Gaza conflict in October 2023.
These groups include Cyber Fattah, Fatimiyoun Cyber Team, Handala, and affiliated collectives operating under Cotton Sandstorm coordination. The primary focus has been on Israeli and US government, financial, and critical infrastructure organizations. A secondary focus is on Gulf states considered to be facilitating the US/Israel strikes.
It is worth noting that although the IRGC works closely with the Iranian government, its primary purpose is to protect ‘the Islamic revolution’ rather than the country of Iran. The Iranian army defends the borders of Iran, while the IRGC defends the revolution with its private army and separate cyber units. It is effectively a multi-national conglomerate with extensive presence beyond Iran itself.
So, although the US/Israel strikes damaged Iran’s internal internet connectivity, they did not seriously affect the ability of Iranian APTs to continue and expand their cyber operations. It is difficult to see how kinetic action against the country of Iran can degrade Iran’s APT capabilities.
Related: Iran-Linked Hackers Take Aim at US and Other Targets, Raising Risk of Cyberattacks During War
Related: Iranian APT Hacked US Airport, Bank, Software Company
Related: Iranian Strikes on Amazon Data Centers Highlight Industry’s Vulnerability to Physical Disasters
WRITTEN BY
Kevin Townsend
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.