149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict

Cybersecurity researchers have warned of an increase in hacker retaliation following the US-Israel coordinated military campaign against Iran, dubbed Epic Fury and Roaring Lion.

“The threat from hacktivists in the Middle East is severe, with two groups, Keymous+ and DieNet, driving nearly 70% of all hacking activity between February 28 and March 2,” Radware said in a Tuesday report. The first distributed denial-of-service (DDoS) attack was launched by Hider Nex (aka Tunisia Maskers Cyber Force) on February 28, 2026.

According to information shared by Orange Cyberdefense, Hider Nex is a shadowy Tunisian hacktivist group that supports Palestinian causes. It uses a hacking and leaking strategy that includes DDoS attacks and data breaches to leak sensitive data and advance its geopolitical agenda. The group appeared in mid-2025.

In total, 149 hacktivist DDoS attack requests were recorded, targeting 110 different organizations in 16 countries. The attacks were carried out by 12 different groups, including Keymous+, DieNet, and NoName057(16), which accounted for 74.6% of all activity.

Of these attacks, the majority, 107, were focused on the Middle East, disproportionately targeting public infrastructure and state-level targets. Europe was the target of 22.8% of the total global activity during that period. About 47.8% of all targeted organizations worldwide were in the public sector, followed by the financial (11.9%) and telecommunications (6.7%) sectors.

“The digital front is increasingly close to the real one in the region, with hacktivist groups simultaneously targeting more countries in the Middle East than ever before,” Radware said. “The distribution of attacks in the region was concentrated in three specific countries: Kuwait, Israel, and Jordan, with Kuwait accounting for 28%, Israel 27.1%, and Jordan 21.5% of the total attack requests.”

Besides Keymous+, DieNet, and NoName057(16), other groups involved in disruptive activities include Nation of Saviors (NOS), Conquerors Electronic Army (CEA), Sylhet Gang, Team 313, Handala Hack, APT Iran, Cyber Islamic Resistance, Dark Storm Team, Favil Storm Team, Error Team, and Early Storm Team, according to Flashpoint, Palo Alto Networks Unit 42, and Radware.

The current scope of cyber attacks is listed below:

  • Pro-Russian hacktivist groups such as Cardinal and the Russian Legion claim to have breached Israeli military networks, including its Iron Dome missile defense system.
  • An active phishing campaign has been spotted using a rogue clone of Israel’s Home Front Command app RedAlert to deliver mobile surveillance and data-mining malware. “By tricking victims into sideloading a malicious APK under the guise of an emergency wartime update, adversaries are effectively using a warning interface that disables the attacker’s surveillance engine designed to catch many people off guard,” CloudSEK said.
  • Iran’s Islamic Revolutionary Guard Corps (IRGC) has targeted the energy and digital infrastructure sectors in the Middle East, hitting Saudi Aramco and an Amazon Web Services data center in the UAE with the aim of “causing great pain to the global economy as a countermeasure to military losses,” Flashpoint said.
  • Cotton Sandstorm (aka Haywire Kitten) has revived its old cyber persona, Team Altoufan, which claims to hack websites in Bahrain. “This shows the reaction of the actor’s campaigns and the more likely they are to re-enter the Middle East during the conflict,” Check Point said.
  • Data collected by Nozomi Networks shows that the Iranian government-sponsored hacking group known as UNC1549 (also known as Nimbus Manticore or Subtle Snail) was the fourth most active player in the second half of 2025, focusing its attacks on defense, space, telecommunications, and regional government institutions to promote the country’s priorities.
  • Iran’s largest cryptocurrency exchange remains operational but announced operational fixes, temporary suspensions or withdrawals, and issued a risk advisory urging users to prepare for possible communication disruptions.
  • “What we are seeing in Iran is not clear evidence of a big plane flying, but rather a control of market volatility under limited coordination and legal intervention,” said Ari Redbord, Global Head of Policy at TRM Labs. “For years, Iran operated a shadow economy that, in part, used crypto to evade sanctions, including a complex offshore infrastructure. What we’re seeing now — under the strain of war, communications shutdowns, and volatile markets — is a real-time stress test of that infrastructure and the regime’s ability to use it.”
  • Sophos said it has “seen an increase in hacktivist activity, but not an increase in risk,” particularly from pro-Iran groups, including the Handala Hack group and APT Iran in the form of DDoS attacks, website defacement, and unverified claims of compromise involving Israeli infrastructure.
  • The UK National Cyber Security Centre (NCSC) has informed organizations of the increased risk of Iranian cyber attacks, urging them to strengthen their cybersecurity posture to better respond to DDoS attacks, phishing, and ICS targeting.

In a post shared on LinkedIn, Cynthia Kaiser, SVP of ransomware research at Halcyon and former Deputy Director of the Federal Bureau of Investigation’s Cyber Division, said that Iran has a history of using cyber operations to retaliate for “politically motivated crimes,” adding that these activities have expanded to include ransomware.

“Tehran has long chosen to turn a blind eye, or at least ignore, private cyber use against targets in the US, Israel, and other allied countries,” Kaiser said. “That’s because access to cybercriminals gives the government options. As Iran considers its response to U.S. and Israeli military actions, it may turn on any of these cyber actors if it believes their operations could have a meaningful retaliatory impact.”

Cybersecurity company SentinelOne also assessed with high confidence that organizations in Israel, the US, and allied countries may face direct or indirect targeting, particularly within the government, critical infrastructure, defense, financial services, education and media sectors.

“Iranian threat actors have historically demonstrated a willingness to combine espionage, disruption, and counterintelligence to advance strategic objectives,” Nozomi Networks said. “In times of instability, these activities tend to intensify, directing critical infrastructure, power networks, government agencies, and private industries far from existing conflicts.”

To deal with the risk caused by the kinetic conflict, organizations are advised to enable continuous monitoring that reflects the increasing threat activity, review threat intelligence signatures, reduce the external attack surface, conduct a comprehensive review of the exposure of connected assets, ensure proper separation between information technology (IT) and operational technology (OT) networks, and ensure that IoT devices are properly isolated.

“In past conflicts, Tehran’s cyber actors have aligned their work with broader strategic objectives that increase pressure and visibility on targets, including energy, critical infrastructure, finance, communications and healthcare,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in a statement shared with The Hacker News.

“Iranian adversaries have continued to develop their business, expanding beyond traditional penetration into cloud-focused and proprietary operations, positioning them to rapidly operate in all areas of hybrid business with increasing scale and impact.”
