Hacktivist DDoS Attacks Surge Against 110 Organizations Amid Middle East Tensions

In the wake of the U.S.-Israel coordinated military operations against Iran, codenamed Epic Fury and Roaring Lion, cybersecurity experts have observed a significant increase in hacktivist activities. Between February 28 and March 2, 2026, a total of 149 distributed denial-of-service (DDoS) attacks were reported, impacting 110 organizations across 16 countries.

Radware’s recent analysis highlights that two hacktivist groups, Keymous+ and DieNet, were responsible for nearly 70% of these attacks during the specified period. The initial DDoS assault was executed by Hider Nex, also known as the Tunisian Maskers Cyber Force, on February 28, 2026.

Hider Nex is a clandestine Tunisian hacktivist collective that emerged in mid-2025. The group supports pro-Palestinian causes and employs a combination of DDoS attacks and data breaches to leak sensitive information, thereby advancing its geopolitical objectives.

The majority of the 149 DDoS attacks were concentrated in the Middle East, with 107 incidents targeting public infrastructure and state-level entities. Europe accounted for 22.8% of the global attack activity during this timeframe. Globally, government organizations were the most affected, representing 47.8% of the targets, followed by the finance sector at 11.9% and telecommunications at 6.7%.

Radware’s report emphasizes the expanding digital front in the region, noting that hacktivist groups are targeting more Middle Eastern nations than ever before. The attacks were predominantly focused on Kuwait (28%), Israel (27.1%), and Jordan (21.5%).

In addition to Keymous+, DieNet, and NoName057(16), other groups involved in these disruptive operations include Nation of Saviors (NOS), the Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, the Cyber Islamic Resistance, Dark Storm Team, the FAD Team, Evil Markhors, and PalachPro.

Other notable developments in the current cyber landscape include:

– Pro-Russian Hacktivist Breaches: Groups such as Cardinal and Russian Legion have claimed to have infiltrated Israeli military networks, including the Iron Dome missile defense system.

– Malicious Mobile Applications: An ongoing SMS phishing campaign has been identified that uses a counterfeit version of the Israeli Home Front Command RedAlert application to deploy surveillance and data-exfiltrating malware. CloudSEK reports that adversaries are tricking victims into sideloading this malicious APK under the guise of an urgent wartime update; the app presents a functional alert interface that conceals invasive surveillance mechanisms.

– Targeting Energy and Digital Infrastructure: Iran’s Islamic Revolutionary Guard Corps (IRGC) has directed attacks at the energy and digital infrastructure sectors in the Middle East, including strikes on Saudi Aramco and an Amazon Web Services data center in the U.A.E., aiming to inflict significant global economic disruption as a countermeasure to military setbacks.

– Revival of Cyber Personas: The group known as Cotton Sandstorm, also referred to as Haywire Kitten, has reactivated its previous cyber persona, Altoufan Team, claiming responsibility for hacking websites in Bahrain. Check Point notes that this reflects the reactive nature of the actor’s campaigns and indicates a high probability of further intrusions across the Middle East amid the ongoing conflict.

– State-Sponsored Cyber Activities: Data from Nozomi Networks indicates that the Iranian state-sponsored hacking group UNC1549, also known as GalaxyGato, Nimbus Manticore, or Subtle Snail, was the fourth most active actor in the latter half of 2025. Its focus has been on defense, aerospace, telecommunications, and regional government entities to advance Iran’s geopolitical priorities.

– Cryptocurrency Exchange Adjustments: Major Iranian cryptocurrency exchanges have remained operational but have implemented changes such as suspending or batching withdrawals and issuing risk guidance to users, advising them to prepare for potential connectivity disruptions.

– Hacktivist Activity Surge: Sophos has observed an increase in hacktivist activities, primarily from pro-Iran personas like Handala Hack team and APT Iran, manifesting as DDoS attacks, website defacements, and unverified claims of compromises involving Israeli infrastructure.

– Heightened Cyber Attack Risks: The U.K. National Cyber Security Centre (NCSC) has alerted organizations to an elevated risk of Iranian cyber attacks, urging them to bolster their cybersecurity measures to better respond to DDoS attacks, phishing activities, and industrial control system targeting.

Cynthia Kaiser, Senior Vice President at Halcyon and former Deputy Assistant Director with the FBI’s Cyber Division, notes that Iran has a history of using cyber operations to retaliate against perceived political slights, increasingly incorporating ransomware into its activities. She emphasizes that Tehran often turns a blind eye to private cyber operations against targets in the U.S., Israel, and allied countries, as having access to cyber criminals provides the government with strategic options.

SentinelOne assesses with high confidence that organizations in Israel, the U.S., and allied nations are likely to face direct or indirect targeting, particularly within government, critical infrastructure, defense, financial services, academic, and media sectors.

Nozomi Networks highlights that Iranian threat actors have historically blended espionage, disruption, and psychological operations to advance strategic objectives. During periods of instability, these operations often intensify, targeting critical infrastructure, energy networks, government entities, and private industry beyond the immediate conflict zone.

To mitigate the risks associated with the kinetic conflict, organizations are advised to:

– Activate Continuous Monitoring: Run monitoring at a level that reflects the escalated threat activity.

– Update Threat Intelligence Signatures: Ensure that threat detection mechanisms are current.

– Reduce External Attack Surface: Minimize exposure to potential cyber threats.

– Conduct Comprehensive Exposure Reviews: Assess connected assets for vulnerabilities.

– Validate Network Segmentation: Ensure proper separation between information technology and operational technology networks.

– Isolate IoT Devices: Implement measures to secure Internet of Things devices from potential threats.

Adam Meyers, head of Counter Adversary Operations at CrowdStrike, notes that in past conflicts, Tehran’s cyber actors have aligned their activities with broader strategic objectives, increasing pressure on targets such as energy, critical infrastructure, finance, telecommunications, and healthcare. He adds that Iranian adversaries have evolved their tradecraft, expanding beyond traditional intrusions into cloud and identity-focused operations, positioning them to act rapidly across hybrid enterprise environments with increased scale and impact.