Hacktivist campaigns increase as United States, Iran, and Israel conflict intensifies

Following coordinated military strikes by the U.S. and Israel against Iran, there has been a significant surge in hacktivist activity. Pro-Iran groups are conducting website defacements, DDoS attacks, doxxing, and claiming unverified attacks on critical infrastructure, while pro-Israel groups are retaliating, elevating the cyber threat landscape for organizations in the U.S., Israel, and the Middle East.

Sens: Immediate · Conf: medium · Analyzed: 2026-03-03

Authors: Sophos Counter Threat Unit Research Team

Actors: Handala Hack Team, COBALT MYSTIQUE, APTIran, Cyber Toufan, Cyber Support Front, Iranian Avenger, Cyb3r Drag0nz, BaqiyatLock, Troll Hacker Team

Source: Sophos

IOCs · 1

Key Takeaways

  • Elevated hacktivist activity observed following U.S. and Israeli military strikes on Iran in February 2026.
  • Pro-Iran groups like Handala Hack Team and APTIran are claiming unverified attacks on Israeli critical infrastructure and doxxing individuals.
  • BaqiyatLock (BQTlock) RaaS is offering free affiliate memberships to hacktivists targeting Israel.
  • Pro-Israel groups like Troll Hacker Team are conducting counter-operations, claiming to take down Iranian hacktivist infrastructure.
  • Organizations in the U.S., Israel, and GCC states face an elevated risk of retaliatory cyberattacks.

Affected Systems

  • Israeli government and military networks
  • Israeli critical infrastructure (water control, oil and gas)
  • U.S. organizations
  • Gulf Cooperation Council (GCC) States organizations

Attack Chain

Hacktivist groups are leveraging the geopolitical conflict to launch retaliatory cyber operations. Initial activities primarily involve low-sophistication attacks such as website defacements, DDoS, and doxxing campaigns against targeted individuals. Some groups are amplifying their impact by offering Ransomware-as-a-Service (RaaS) tools to affiliates for targeted disruption, while others claim unverified access to Operational Technology (OT) layers in critical infrastructure.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR solutions can detect ransomware payloads like BaqiyatLock, but DDoS and website defacements occur primarily at the network and web-tier levels.
  • Network Visibility: High — DDoS attacks and web defacements are highly visible at the network edge and through Web Application Firewalls (WAF).
  • Detection Difficulty: Moderate — While the impact of DDoS and defacements is easily detected, attributing these attacks to specific hacktivist groups amid geopolitical noise can be challenging.

Required Log Sources

  • Web Application Firewall (WAF) logs
  • Network flow logs
  • Endpoint EDR telemetry

Hunting Hypotheses

  • Monitor for sudden, sustained spikes in inbound network traffic targeting public-facing web applications, indicating potential DDoS activity.
    • Telemetry: Network flow logs, WAF logs
    • ATT&CK stage: Impact
    • FP risk: Medium
  • Search for unauthorized modifications to external-facing web server directories or unexpected changes to index files, which may indicate website defacement.
    • Telemetry: Web server logs, File Integrity Monitoring (FIM)
    • ATT&CK stage: Impact
    • FP risk: Low
  • Look for execution of known ransomware payloads or unauthorized mass encryption of files, particularly linked to the BaqiyatLock RaaS.
    • Telemetry: EDR, Windows Event Logs
    • ATT&CK stage: Impact
    • FP risk: Low
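The first two hunting hypotheses above (sustained traffic spikes and unexpected web-root changes) can be turned into simple checks over the listed telemetry. The following is an added example, not code from the Sophos report: the flow-log field layout, the file paths and the in-memory web root are all constructed for illustration, and the thresholds (baseline mean plus three standard deviations, at least two consecutive minutes) are assumptions to tune against your own traffic.

```python
"""Added example: hunting logic for two of the hypotheses above (sustained
inbound traffic spikes suggesting DDoS, and unexpected changes under the web
root suggesting defacement). Not code from the Sophos report; the flow-log
field layout and the in-memory web root are constructed for this example."""
from collections import Counter, defaultdict
from datetime import datetime
import hashlib
import statistics

# Constructed flow-log lines, one record per connection:
#   "<ISO timestamp> <src_ip> <src_country> <dst_port> <bytes>"
# Minutes 00-09 form a quiet baseline; minutes 10-12 carry a flood from one geo.
FLOW_LOG = []
for minute in range(13):
    quiet = minute < 10
    rate = 4 + minute % 3 if quiet else 400
    for i in range(rate):
        FLOW_LOG.append(
            f"2026-03-01T12:{minute:02d}:{i % 60:02d} 203.0.113.{i % 250} "
            f"{'NL' if quiet else 'XX'} 443 512"
        )


def requests_per_minute(lines):
    """Bucket records by minute -> (request count, most common source country)."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, _src, country, _port, _size = line.split()
        minute = datetime.fromisoformat(ts).strftime("%H:%M")
        buckets[minute][country] += 1
    return {m: (sum(c.values()), c.most_common(1)[0][0]) for m, c in sorted(buckets.items())}


def detect_sustained_spike(lines, baseline_minutes=10, k=3.0, sustain=2):
    """Flag minutes whose count exceeds the baseline mean + k*stdev (with a 2x-mean
    floor so a flat baseline does not trip on small noise) for at least `sustain`
    consecutive minutes. Returns [(minute, count, top_country), ...]."""
    minutes = list(requests_per_minute(lines).items())
    base = [count for _, (count, _) in minutes[:baseline_minutes]]
    mean = statistics.mean(base)
    threshold = max(mean + k * statistics.pstdev(base), 2 * mean)
    flagged, run = [], []
    for minute, (count, top_country) in minutes[baseline_minutes:]:
        if count > threshold:
            run.append((minute, count, top_country))
            continue
        if len(run) >= sustain:
            flagged.extend(run)
        run = []
    if len(run) >= sustain:
        flagged.extend(run)
    return flagged


def hash_tree(files):
    """SHA-256 every file in a path -> bytes mapping (an in-memory stand-in for
    walking the real web root with os.walk and hashing each file)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_webroot(baseline, current):
    """Compare two hash trees; returns (modified, added, removed) path lists."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


# Constructed web root: a known-good baseline and a later snapshot where the
# landing page was rewritten and an unexpected file appeared.
WEBROOT_BASELINE = hash_tree({
    "/var/www/html/index.html": b"<h1>Welcome</h1>",
    "/var/www/html/about.html": b"<p>About us</p>",
})
WEBROOT_NOW = hash_tree({
    "/var/www/html/index.html": b"<h1>page replaced (constructed)</h1>",
    "/var/www/html/about.html": b"<p>About us</p>",
    "/var/www/html/extra.html": b"<p>unexpected file (constructed)</p>",
})

if __name__ == "__main__":
    for minute, count, top in detect_sustained_spike(FLOW_LOG):
        print(f"traffic spike {minute}: {count} requests/min, top source geo {top}")
    modified, added, removed = diff_webroot(WEBROOT_BASELINE, WEBROOT_NOW)
    print("web root modified:", modified, "added:", added, "removed:", removed)
```

The spike detector reports the dominant source country alongside the count so the "unexpected geolocations" indicator listed later can be checked in the same pass; the web-root diff only needs a hash baseline captured at a known-good deployment, which is what a FIM product does under the hood.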

Control Gaps

  • Lack of robust DDoS mitigation services
  • Unpatched internet-facing vulnerabilities

Key Behavioral Indicators

  • High volume of traffic from unexpected geolocations
  • Unexpected changes to web root files
  • Spikes in failed authentication attempts (password spraying)

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Expedite patching of internet-facing systems, prioritizing vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog.
  • Minimize internet-facing services to reduce the available attack surface.

Infrastructure Hardening

  • Implement and maintain robust DDoS mitigation services.
  • Ensure Web Application Firewalls (WAF) are properly configured and updated.

User Protection

  • Maintain awareness of topical phishing campaigns and password-spraying activity.
  • Implement and monitor Endpoint Detection and Response (EDR) and Antivirus solutions.

Security Awareness

  • Review and update business continuity plans and restoration processes to address potential ransomware or wiper malware attacks.

MITRE ATT&CK Mapping

  • T1498 - Network Denial of Service
  • T1491.002 - Defacement: External Defacement
  • T1486 - Data Encrypted for Impact
  • T1583.006 - Acquire Infrastructure: Web Services

Additional IOCs

  • Domains:
    • handala-redwanted[.]to - Domain for Handala Hack Team 'RedWanted' site
  • URLs:
    • hxxp://handala-redwanted[.]to - URL for Handala Hack Team 'RedWanted' site
  • Other:
    • @HANDALA_RSS - X (Twitter) handle for Handala Hack Team
    • @ZeroDayX1 - Telegram contact for BaqiyatLock RaaS