Iran's Cyber Forces in 2026: Wiper Attacks, Kinetic Escalation, and a 700% Surge in Operations
On March 11, 2026, the Handala hacktivist group wiped over 200,000 systems, servers, and mobile devices belonging to medtech giant Stryker, forcing offices across 79 countries offline [5]. The attackers claimed to have exfiltrated 50 terabytes of data before deploying the wiper [5]. Handala, first surfacing in December 2023, is linked to Iran's Ministry of Intelligence and Security (MOIS) [2]. This attack didn't happen in a vacuum. It followed Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel), kinetic military strikes launched against Iran on February 28, 2026 [2]. Iran's internet connectivity dropped to between 1 and 4 percent the same day [2], and its cyber apparatus has been scrambling to retaliate ever since.
The Stryker wiper is one data point in a broader pattern. According to Radware data cited by CSIS, cyberattacks targeting Israel surged 700 percent following 2025 military strikes against Iran [7]. By March 2, 2026, Palo Alto's Unit 42 had observed 60 individual hacktivist groups active in the conflict [2]. Iran formed an Electronic Operations Room on February 28 to coordinate this response [2]. We assess that Iranian cyber operations are now functioning as a primary retaliatory instrument during a period when conventional military options are constrained by infrastructure damage and connectivity loss.
The Operational Ecosystem: Who Does What
Iran's cyber apparatus is not monolithic. Multiple groups operate under overlapping mandates from the Islamic Revolutionary Guard Corps (IRGC) and MOIS, each with distinct tooling and targeting profiles.
APT42 has been active since at least 2015, operating on behalf of the IRGC [4]. Its primary targets include Western and Middle Eastern NGOs, media outlets, and academic institutions [8]. APT42's focus on credential harvesting and social engineering makes it a likely collector feeding intelligence to more operationally destructive units.
APT34 was observed conducting pre-operational staging from November 2024 through April 2025 [4]. This staging activity, rather than immediate exploitation, suggests patient preparation for operations that could be activated during escalation windows. Available evidence indicates this group likely had contingency operations ready before the February 2026 strikes.
MuddyWater conducted Operation Olalampo, targeting organizations in the Middle East, Turkey, and Africa (META) region [3]. In July 2025, this group deployed DCHSpy, a new implant with both Android and desktop variants [8]. MuddyWater has historically served as a broad-access operator, and reporting indicates this role persists.
Tortoiseshell (overlapping with designations UNC1549, CURIUM, and Crimson Sandstorm) sustained a multi-year campaign using the MiniBike backdoor via DLL sideloading until 2025 [4]. Nozomi Networks identified UNC1549 as the fourth most active threat actor in the second half of 2025 [6].
Emennet Pasargad, also tracked as Cotton Sandstorm and Haywire Kitten, had its operational infrastructure exposed in a December 2025 leak that revealed records including cryptocurrency payments [4]. This group has been linked to influence operations, including the compromise of the BadeSaba prayer app used in a cyber-influence campaign [7].
CyberAv3ngers, an IRGC-affiliated group, targeted U.S. and Israeli water utilities with IOControl malware designed for OT/IoT infrastructure [8]. A U.S. Rewards for Justice bounty of up to $10 million for attribution information remains active [8].
Technical Detail: How Iranian Operators Gain and Maintain Access
Brute Force and Credential Abuse
A joint advisory from the FBI, CISA, NSA, CSE, AFP, and ASD's ACSC published in October 2024 documented Iranian actors using brute force techniques, including password spraying and MFA push bombing, to compromise user accounts since at least October 2023 [1]. Targeted sectors include healthcare, government, IT, engineering, and energy [1]. Once inside, these actors modified MFA registrations to establish persistent access [1]. Critically, compromised credentials and network access were sold on cybercriminal forums [1], blurring the boundary between state-sponsored espionage and criminal activity.
Nozomi Networks corroborated this pattern, noting that default credential abuse and valid account usage, combined with brute force and scanning, characterized Iranian intrusion attempts against critical infrastructure [6].
Living-off-the-Land and Custom Tooling
Trellix's 2026 assessment confirmed that Iranian-linked threat actors prioritize living-off-the-land binaries (LOLBins) to maintain a low profile within compromised environments [4]. This technique reduces the likelihood of detection by endpoint security products because the tools used (PowerShell, WMI, legitimate administrative utilities) are already present on target systems.
When custom tooling is required, Iranian groups deploy purpose-built malware. APT35 operates PowerLess, a backdoor featuring AMSI and ETW bypass techniques designed to evade Windows security telemetry [4]. The same group developed BellaCPP, a C++ reimplementation of the earlier BellaCiao .NET implant [4]. This reimplementation almost certainly reflects an effort to reduce detection rates associated with the original variant.
Destructive Capabilities: Wipers and Weaponized Ransomware
The Stryker attack demonstrated the destructive scale Iran can achieve. But Handala is not the only group fielding wipers. The Anon-g Fox Wiper was configured to execute only on systems running Israel Standard Time, a targeting constraint designed to limit collateral damage outside the intended target country [8].
On the ransomware front, the Sicarii ransomware-as-a-service operation contains a permanent encryption defect that makes data recovery impossible [3]. Whether this defect is intentional or accidental, the operational effect is the same: Sicarii functions as a wiper masquerading as ransomware. An Iranian national has pleaded guilty to ransomware attacks against Baltimore and other U.S. municipalities [3], confirming the overlap between state objectives and criminal tactics.
Targeting Critical Infrastructure at Scale
Manufacturing and transportation sectors were the most frequently targeted by Iranian-linked actors during the second half of 2025 [6]. In the Middle East specifically, 61 percent of vulnerabilities detected carry HIGH or CRITICAL CVSS scores, and vulnerabilities with an EPSS score above 1 percent account for 8 percent of the regional total, compared with 4 percent globally [6]. A larger share of vulnerabilities that are both severe and likely to be exploited makes the region a more permissive operating environment for exploitation.
During the June 2025 escalation period, SOCRadar tracked over 600 distinct cyberattack claims across more than 100 Telegram channels within a 15-day window [8]. The volume alone makes triage a significant challenge for defenders.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| malware | Sicarii | RaaS with permanent encryption defect; functions as destructive wiper | [3] |
| malware | MiniBike | Custom backdoor used by Tortoiseshell via DLL sideloading | [4] |
| malware | BellaCPP | C++ reimplementation of BellaCiao .NET implant, used by APT35 | [4] |
| malware | PowerLess | APT35 backdoor with AMSI and ETW bypass capabilities | [4] |
| malware | DCHSpy | MuddyWater Android and desktop implant, deployed July 2025 | [8] |
| malware | IOControl | IRGC-affiliated malware targeting OT/IoT infrastructure | [8] |
| malware | Anon-g Fox Wiper | Wiper configured to execute only on Israel Standard Time systems | [8] |
MITRE ATT&CK Mapping
| Technique ID | Technique Name | Iranian Usage Context |
|---|---|---|
| T1078 | Valid Accounts | Persistent access via stolen credentials [1] |
| T1110.003 | Brute Force: Password Spraying | Documented in the joint CISA/FBI advisory against healthcare, government, IT, engineering and energy sectors [1] |
| T1621 | Multi-Factor Authentication Request Generation | MFA push bombing against accounts whose password has already been obtained [1] |
| T1556.006 | Modify Authentication Process: Multi-Factor Authentication | MFA registrations modified to establish persistent access after initial compromise [1] |
| T1059.001 | Command and Scripting Interpreter: PowerShell | LOLBin usage for low-profile persistence and execution [4] |
| T1562.001 | Impair Defenses: Disable or Modify Tools | AMSI and ETW bypass in the PowerLess backdoor [4] |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence mechanism in custom backdoor families [4] |
| T1595 | Active Scanning | Pre-operational reconnaissance and staging observed November 2024 through April 2025 [4][6] |
| T1485 | Data Destruction | Wiper deployment against Stryker [5] and the time-zone-gated Anon-g Fox Wiper [8] |
Detection and Hunting Guidance
Credential Abuse Detection: Monitor for password spraying patterns: multiple failed authentication attempts against many accounts from a small number of source IPs within short time windows. MFA push bombing generates anomalous volumes of MFA challenges for single accounts. Alert on any MFA method registration changes, particularly additions of new devices or phone numbers, outside normal IT provisioning workflows [1].
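The three checks above (password spraying, MFA push bombing, and out-of-workflow MFA registration changes, the same pattern the joint advisory documents) can be chained so that a spray source feeds the registration check. The following is an added example written for this page, not code from the advisory or any vendor; the event schema (ts, user, src_ip, event, result, actor), the help-desk provisioning identity `helpdesk-svc`, the thresholds, and every sample event are constructed for the illustration.

```python
"""Credential-abuse triage over authentication telemetry.

Added example for the password-spraying, MFA push-bombing and MFA-registration
detections described above. Not code from the cited advisory; the event
schema (ts, user, src_ip, event, result, actor) and all sample events are
constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, user, src_ip, event, result=None, actor=None):
    return {"ts": ts, "user": user, "src_ip": src_ip,
            "event": event, "result": result, "actor": actor}


# Constructed sample telemetry (not real logs). Event types:
#   auth         - password authentication, result "fail" or "success"
#   mfa_push     - an MFA push challenge was sent to the user
#   mfa_register - a new MFA method was added; actor is who made the change
SAMPLE_EVENTS = [
    # Spray: one external address, one failure each against six accounts in five minutes
    *[_ev(f"2026-03-01T09:{i:02d}:00", u, "203.0.113.7", "auth", "fail")
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # Benign: one user mistyping twice from a corporate address, then succeeding
    _ev("2026-03-01T09:02:00", "grace", "10.0.0.12", "auth", "fail"),
    _ev("2026-03-01T09:02:20", "grace", "10.0.0.12", "auth", "fail"),
    _ev("2026-03-01T09:02:45", "grace", "10.0.0.12", "auth", "success"),
    # Push bombing: alice's password is known, eight pushes in under a minute
    *[_ev(f"2026-03-01T09:07:{5 * i:02d}", "alice", "203.0.113.7", "mfa_push")
      for i in range(8)],
    _ev("2026-03-01T09:07:00", "bob", "10.0.0.31", "mfa_push"),
    # Registration changes: alice adds a method herself from the spray address;
    # carol's is added through the (hypothetical) help-desk provisioning identity
    _ev("2026-03-01T09:09:00", "alice", "203.0.113.7", "mfa_register", actor="alice"),
    _ev("2026-03-01T11:00:00", "carol", "10.0.0.40", "mfa_register", actor="helpdesk-svc"),
]


def _windowed_max(items, window, key):
    """Sliding-window scan over (timestamp, value) pairs sorted by time.

    key(values_in_window) is evaluated at every window position; the maximum
    is returned. items must already be sorted by timestamp.
    """
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, key([v for _, v in items[start:end + 1]]))
    return best


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs whose failed logons touch >= min_accounts distinct users
    inside any `window`. Returns {src_ip: distinct_users_in_busiest_window}."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "auth" and e["result"] == "fail":
            fails[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = {}
    for ip, attempts in fails.items():
        attempts.sort()
        distinct = _windowed_max(attempts, window, lambda users: len(set(users)))
        if distinct >= min_accounts:
            hits[ip] = distinct
    return hits


def detect_push_bombing(events, window=timedelta(minutes=5), threshold=5):
    """Users receiving >= threshold MFA pushes inside any `window`.
    Returns {user: pushes_in_busiest_window}."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes[e["user"]].append((datetime.fromisoformat(e["ts"]), 1))
    hits = {}
    for user, times in pushes.items():
        times.sort()
        count = _windowed_max(times, window, len)
        if count >= threshold:
            hits[user] = count
    return hits


def flag_mfa_registrations(events, provisioning_actors=frozenset({"helpdesk-svc"}),
                           suspicious_ips=frozenset()):
    """MFA method additions made outside the provisioning workflow, or from an
    address already flagged as a spray source."""
    return [e for e in events
            if e["event"] == "mfa_register"
            and (e["actor"] not in provisioning_actors or e["src_ip"] in suspicious_ips)]


def triage(events):
    """Chain the three detections: spray sources feed the registration check,
    and a user who was push-bombed and then self-enrolled a method is escalated."""
    spray = detect_password_spray(events)
    bombing = detect_push_bombing(events)
    registrations = flag_mfa_registrations(events, suspicious_ips=frozenset(spray))
    return {
        "spray_sources": spray,
        "push_bombed_users": bombing,
        "suspect_registrations": [(e["user"], e["src_ip"], e["actor"]) for e in registrations],
        "escalate": sorted(u for u in bombing
                           if any(e["user"] == u for e in registrations)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The thresholds are deliberately low so the sample trips them; in production, tune `min_accounts` and `threshold` against a baseline of help-desk and SSO traffic, and note that a spray spread across many source addresses will not exceed the per-IP count and needs a per-tenant failure-rate check as well.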
LOLBin Activity: Iranian operators' preference for living-off-the-land means defenders should baseline normal PowerShell, WMI, and administrative tool usage across their environments. Hunt for PowerShell executions with encoded commands (-EncodedCommand, -enc, -ec), AMSI bypass patterns (reflective access to System.Management.Automation.AmsiUtils or in-memory patching of AmsiScanBuffer), Defender tampering (Set-MpPreference -DisableRealtimeMonitoring $true), and ETW tampering via in-memory patching of EtwEventWrite in ntdll.dll. The PowerLess backdoor specifically targets AMSI and ETW [4], so degraded security telemetry is itself a detection signal: a host whose PowerShell Script Block Logging (Event ID 4104) or Sysmon feed goes quiet while it stays online deserves a look.
Wiper Pre-staging: Monitor for bulk file enumeration, shadow copy deletion (vssadmin delete shadows /all /quiet, wmic shadowcopy delete), and recursive directory traversal patterns that precede wiper deployment. The Anon-g Fox Wiper's time zone check [8] means defenders should watch for processes querying HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation or calling GetTimeZoneInformation outside expected application behavior; many legitimate programs read the time zone, so this is a correlation signal to pair with the other indicators rather than a stand-alone alert.
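The LOLBin and wiper pre-staging hunts above share one mechanic: decode any -EncodedCommand payload first, then match signatures against the cleartext. The block below is an added example written for this page (not code from any cited report) that does both over constructed process-creation events in a Sysmon-like layout (host, image, cmdline); the signature set, field names and sample command lines are assumptions for the illustration.

```python
"""Process-telemetry hunt for the LOLBin, security-telemetry-tampering and
wiper pre-staging signals described above.

Added example, not code from the cited reports. Events use a hypothetical
Sysmon-like layout (host, image, cmdline); all sample events are constructed.
"""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand
_ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Hunt signatures, matched against the command line with any encoded payload
# decoded in place. Deliberately broad: this is a hunting filter, not an alert.
PATTERNS = {
    "amsi_bypass": re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer|amsicontext", re.I),
    "etw_tamper": re.compile(r"etweventwrite|etwnotificationregister|\bm_enabled\b", re.I),
    "defender_tamper": re.compile(r"set-mppreference\s+-disable|mpcmdrun.*-removedefinitions", re.I),
    "shadow_copy_delete": re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|win32_shadowcopy", re.I),
    "timezone_query": re.compile(r"timezoneinformation|get-timezone|\btzutil\b", re.I),
}


def decode_encoded_command(cmdline):
    """Return (decoded_script, token_span) for a -EncodedCommand payload, or None.
    Payloads are base64 over UTF-16LE; anything that does not decode is ignored."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return script, m.span(1)


def hunt(events):
    """Findings for every event matching at least one signature.
    Categories are sorted so results are stable for comparison."""
    findings = []
    for e in events:
        text, cats = e["cmdline"], set()
        decoded = decode_encoded_command(text)
        if decoded:
            script, (start, end) = decoded
            text = text[:start] + script + text[end:]  # hunt the cleartext, not the base64
            cats.add("encoded_command")
        cats.update(name for name, rx in PATTERNS.items() if rx.search(text))
        if cats:
            findings.append({"host": e["host"], "image": e["image"],
                             "categories": sorted(cats), "cmdline": text})
    return findings


def _enc(script):
    """Encode a script the way -EncodedCommand expects (used only to build test data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events (not real telemetry)
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ec "
                + _enc("[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')")},
    {"host": "srv-02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"},
    {"host": "ws-03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -Command Get-ChildItem C:\Logs"},  # benign admin use
    {"host": "ws-04", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand "
                + _enc("Set-MpPreference -DisableRealtimeMonitoring $true")},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_PROCESS_EVENTS):
        print(f["host"], f["categories"], f["cmdline"][:80])
```

Two findings on the same host within a short window (srv-02 above: shadow copy deletion followed by a time zone query) are the combination worth paging on; either alone is common enough in administration to stay at hunt severity. Decoding before matching matters because the base64 form of a UTF-16LE script shares no substrings with the cleartext, so signatures run only against the raw command line miss every encoded payload.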
OT/IoT Monitoring: Organizations running operational technology should audit for IOControl-related activity against PLCs, HMIs, and IoT gateways [8]. Default credential audits are critical given the documented abuse of default credentials in Middle Eastern infrastructure [6].
Telegram and Dark Web Monitoring: Credential sales from Iranian access brokers appear on cybercriminal forums [1]. Threat intelligence teams should monitor for organizational domain mentions in credential dump marketplaces. The 100+ Telegram channels used during June 2025 [8] are also sources of early warning for claimed compromises.
Assessment
Iran's cyber posture in 2026 presents a paradox. The near-total internet blackout resulting from kinetic strikes has almost certainly degraded Tehran's ability to command and control ongoing operations from within Iranian territory [2][7]. Yet the pre-positioned access, the breadth of proxy groups, and the formation of the Electronic Operations Room [2] indicate that Iranian cyber leadership anticipated this scenario. We assess with moderate confidence that many of the 60-plus hacktivist groups observed [2] operate from infrastructure outside Iran or had pre-delegated operational authorities that reduce dependence on real-time coordination from Tehran.
The Stryker attack [5] is highly likely a signal of what retaliatory operations will look like going forward: large-scale, destructive, targeting Western corporations with global footprints. The use of wiper malware disguised as or paired with ransomware [3] complicates victim response and attribution. Defenders should treat ransomware incidents involving Iranian TTPs as potential destructive attacks where recovery may be impossible by design.
Iran's sale of compromised credentials on criminal forums [1] represents a force multiplier. Access initially obtained for espionage purposes can be monetized or transferred to other actors, expanding the blast radius well beyond Iran's original targeting. This convergence of state and criminal activity makes traditional attribution models harder to apply.
The 700 percent surge in attacks against Israel [7] and the 600-plus attack claims across Telegram in 15 days [8] suggest that Iran is likely prioritizing volume and disruption over precision during the current escalation. For defenders outside the immediate conflict zone, the risk calculus has shifted. Iranian operators have demonstrated willingness to strike medtech companies [5], water utilities [8], and municipalities [3] across multiple continents. Geographic distance from the Middle East is not a mitigating factor.
Organizations in healthcare, manufacturing, energy, government, and transportation should review their exposure to the specific TTPs documented here. The credential abuse and MFA manipulation techniques [1] are low-sophistication but high-impact. Addressing them requires no exotic technology, just disciplined identity security fundamentals.
References
- [1] CISA: Iranian Cyber Actors' Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations
- [2] Palo Alto Unit 42: Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran
- [3] Halcyon: Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks: 2026 Updates
- [4] Trellix: The Iranian Cyber Capability 2026
- [5] BleepingComputer: Medtech giant Stryker offline after Iran-linked wiper malware attack
- [6] Nozomi Networks: Iranian APT Activity During Geopolitical Escalation
- [7] CSIS: How Will Cyber Warfare Shape the U.S.-Israel Conflict with Iran?
- [8] SOCRadar: Iran vs. Israel & US Cyber War 2026: Operation Epic Fury Threat Intelligence