Palo Alto Networks’ Unit 42 has published an updated threat brief tracking a major escalation in cyber activity linked to the conflict with Iran. Since the U.S.-Israel joint offensive Operation Epic Fury launched on February 28, Unit 42 has documented wiper attacks, mass phishing campaigns, financial fraud, and surging hacktivist activity. Much of it is actually originating outside Iran’s borders, with the country itself in a “near complete internet blackout”.
As of March 26, 2026, Iran has surpassed 27 consecutive days of this internet blackout. Connectivity has dropped to between 1 percent and 4 percent of the typical traffic seen on the morning of February 28. Unit 42 assesses that this loss of connectivity has significantly disrupted the ability of state-aligned Iranian threat actors to coordinate and execute sophisticated cyberattacks in the near term. But that picture is more complicated than it appears.
Actors based outside Iran are filling the gap. Unit 42 counted around 60 individual hacktivist groups active as of early March, including pro-Russian collectives. A recently established “Electronic Operations Room,” formed on February 28, has served as a coordination point for multiple Iranian state-aligned personas. Related research has shown that a coalition of 12 or more hacktivist groups executed 149 DDoS attacks against 110 organizations across 16 countries within just the first 72 hours of the conflict.
Phishing, fraud and wiper malware
Unit 42 conducted an in-depth investigation into conflict-themed phishing lures, identifying 7,381 related phishing URLs spanning 1,881 unique hostnames. Threat actors are impersonating major telecommunications providers, national airlines, law enforcement agencies, and energy corporations. Tactics include top-level domain rotation, subdomain chaining, and purpose-built infrastructure designed to mimic corporate portals and government payment workflows.
Attackers have also weaponized the conflict itself. Thousands of conflict-themed domains have been registered for fake donation portals, cryptocurrency scams, and credential harvesting sites. Two separate campaigns target UAE residents, one exploiting Emirates-branded financial services, another using Dubai-themed real estate and luxury lifestyle lures. A third campaign impersonates Iranian banks. Unit 42 also identified active StealC infostealer infrastructure using incremental domain naming as an evasion tactic.
On the more destructive end, the risk of wiper attacks has increased. Iranian actors have a documented history of wiper attacks dating back to 2012. The state-aligned FAD Team claimed unauthorized access to multiple SCADA/PLC systems in Israel and elsewhere. The ransomware-as-a-service group Tarnished Scorpius listed an Israeli industrial machinery company on its leak site.
State actors and pro-Russian hacktivists
Unit 42 tracks Iranian state-sponsored actors under the constellation name Serpens. These groups are expected to intensify activity in the coming weeks, with a focus on regional targets and high-value individuals such as politicians and key decision-makers. As Unit 42 previously reported, the Iranian state-aligned group Boggy Serpens (also known as MuddyWater) has a track record of exploiting vulnerabilities against targets in Israel and the Gulf region. A prime example of this was Log4Shell, the globally destructive vulnerability in the Log4j logging library.
Pro-Russian groups have also entered the picture. The group Russian Legion claimed access to Israel’s Iron Dome missile defense system, while NoName057(16) claimed multiple Israeli targets including municipal, telecom, and defense entities. Cardinal, assessed as state-aligned, claimed to have infiltrated IDF networks and posted documents referencing the Northern Shield operation.
Iran’s degraded connectivity has temporarily constrained sophisticated cyber coordination. However, access that state actors pre-positioned before the blackout could be activated once connectivity is restored, potentially extending the cyber campaign well beyond any kinetic ceasefire.
Unit 42 recommends organizations store at least one critical data backup offline, patch internet-facing infrastructure, apply geographic IP blocking where applicable, and validate incident response plans in preparation for ongoing activity.