
This Flare brief covers confirmed and credibly reported cyber operations from the seven days running April 28 through May 4, 2026, linked to the US-Israel-Iran conflict. The window opens at Day 60 of the conflict and closes at Day 66.
One attributed cyber operation falls inside the window: the Handala WhatsApp threat campaign against US service members at Naval Support Activity Bahrain on 27 to 28 April, paired with a Telegram-channel doxxing post claiming the names and phone numbers of 2,379 US Marines stationed in the Persian Gulf. Identical Persian-themed messages were sent to civilian recipients across Israel on the same day.
The cyber threat picture remains governed by the detection baselines established earlier in April: DomainTools unified MOIS attribution (Apr 20), CISA AA26-097A PLC advisory (Apr 7), Unit 42 CL-STA-1128 FactoryTalk-on-VPS tradecraft (Apr 17), Check Point Void Manticore TTPs (Apr 2), and FBI FLASH-20260320-001 Telegram C2 malware. The Bahrain campaign is consistent with the Halcyon assessment that Handala’s reduced public output since January reflects active execution rather than dormancy. The standing kinetic and diplomatic backdrop (continued blockade, shoot-and-kill posture, MSC seizures, Tifani interdiction, Israel-Lebanon ceasefire extension) is unchanged. Hold all established detection posture at maximum sensitivity. The shift from enterprise targets to direct intimidation of named US military personnel is the operational signal worth flagging; treat it as the start of a personnel-targeted information-operations phase rather than a one-off.
We will continue to update this timeline with the most recent information as the situation develops.
For customers seeking further details, please reach out to your Customer Success Manager, and for non-customers please reach out here.
US-Israel-Iran Conflict Timeline & Cyber Context
The cyber operations documented in this brief are responses to three major kinetic escalations:
Confirmed & Credibly Reported Cyber Attacks
This covers the seven-day window from April 28 to May 4, 2026.
Handala WhatsApp Threat Campaign Against US Service Members in Bahrain; 2,379 USMC Records Published on Telegram (Apr 27-28, 2026)
- Threat actor: Handala / Void Manticore / Storm-0842 / Banished Kitten / Dune (Iran MOIS); persona aligned with the unified MOIS operation per DomainTools (Apr 20)
- Target: US Marine Corps personnel at Naval Support Activity Bahrain; US service members in the wider 5th Fleet area of operations; civilian residents in Israel receiving identical Persian-themed messages
- Attack type: Targeted intimidation via WhatsApp from a spoofed Bahraini commercial number; Telegram-channel doxxing of names and phone numbers; psychological operation tied to claimed surveillance and missile-targeting capability
On Monday, April 27, US service members at Naval Support Activity Bahrain began receiving WhatsApp messages signed Handala that warned the recipients were under surveillance and would be targeted by Shahed drones and Kheibar and Ghadeer missiles. Stars and Stripes reviewed identical messages sent to two service members in Bahrain. The messages appeared to come from a Bahraini cellphone number registered to a legitimate local business, suggesting a spoof or hijack of a Bahrain-based number to defeat foreign-number filters.
On Tuesday, April 28, the same persona posted to its public Telegram channel claiming it had published the names and phone numbers of 2,379 US Marines stationed in the Persian Gulf, framed as a sample of a larger cache. The post claimed Handala also held home addresses, family details, daily commutes, shopping habits, and what it described as nightly leisure activities of the targets. Straight Arrow News analysis of the published sample found multiple invalid or partial entries, including incomplete phone numbers and apparent military contract numbers in place of names. Of two dozen test calls placed by Straight Arrow against the data, three reached voicemail names matching the list.
The same persona pushed identical Persian-themed messages to civilian recipients across Israel on April 27 per Jerusalem Post reporting. US Central Command referred press inquiries to NCIS, which had not provided a public statement at the close of the window. Then-Navy Secretary John Phelan had earlier in April directed all sailors to lock down their phones and social media accounts in response to a separate adversary social-engineering campaign against Navy personnel and their families.
Defender takeaway: even if portions of the Marine data are recycled or scraped from data brokers, the operational effect of the campaign on personnel and family confidence is the design goal; the published data is not by itself an indicator of access. Treat any communication referencing personnel data as in-scope for the conflict-themed phishing playbook. Brief all personnel and dependents on the WhatsApp lure pattern. Validate that personal-device security guidance from Navy Secretary Phelan’s April advisory has been distributed and acknowledged.
Sources: Stars and Stripes (Apr 28, 2026); SecurityWeek (Apr 30); Bitdefender (Apr 30); Straight Arrow News (Apr 28); SOCRadar Handala blog (Apr 28); Jerusalem Post (Apr 27)
CISA AA26-097A and Unit 42 CL-STA-1128 Detection Baselines Hold; No New Federal Cyber Advisory in Window (April 28 to May 4, 2026)
- Threat actor: IRGC CEC / CyberAv3ngers / CL-STA-1128 / Storm-0784 / Hydro Kitten / Bauxite
- Target: US water and wastewater systems; energy sector; government services; Rockwell / Allen-Bradley PLC operators; 3,000+ internet-exposed Rockwell devices
- Attack type: PLC exploitation; project file manipulation; HMI / SCADA display manipulation; configuration wiping; mechanical sensor tampering; FactoryTalk-on-VPS tradecraft
The April 7 joint advisory AA26-097A from CISA, FBI, NSA, EPA, DOE, and US Cyber Command CNMF on Iranian-affiliated exploitation of internet-facing Rockwell / Allen-Bradley PLCs remains the anchoring federal OT guidance. No new federal cyber advisory was issued in the seven-day window. Unit 42’s April 17 assessment that the actor installed Rockwell FactoryTalk software on VPS infrastructure to enable exploitation remains the operative detection picture.
Public Shodan-style scanning continues to show roughly half a million devices reachable on ports 2222, 502, 44818, and 102 across the IPv4 internet, with more than 3,000 Rockwell-branded devices in that population per CISA’s accompanying analysis. The exposure population has not materially decreased in the window.
Defender takeaway: hold PLC detections at maximum sensitivity. Keep all Rockwell Automation and Allen-Bradley PLCs and OT devices out of direct internet exposure. Monitor ports 44818, 2222, 102, 22, and 502. Hunt for anomalous FactoryTalk client connections originating from VPS or commercial cloud IP ranges. Flag Studio 5000 Logix Designer sessions from non-engineering-workstation source networks. Verify project file and controller logic integrity. Report suspected compromise to CISA and Rockwell PSIRT.
Sources: CISA AA26-097A (Apr 7, 2026); Unit 42 CL-STA-1128 (Apr 17); EPA joint advisory (Apr 7); Cybersecurity Dive; Crowell
Iran Internet Blackout Enters Day 66; 1,584+ Hours; VSAT-Hunt Priority Sustained (May 4, 2026)
- Threat actor: Iranian government / state telecommunications apparatus; Supreme National Security Council
- Target: Iranian civilian population (approximately 90 million); defender VSAT-hunt posture
- Attack type: Near-total internet blackout at approximately 1 percent of pre-war connectivity; National Information Network whitelist enforcement; tiered International Stable Internet for vetted commercial actors only; Iranian state-actor operational shift to VSAT infrastructure
The blackout entered its 66th consecutive day on 4 May at approximately 1 percent of pre-war connectivity, surpassing 1,584 hours of disruption. Iran continues to restrict domestic access to the National Information Network whitelist. The 21-22 April International Stable Internet tiered policy approved by the Supreme National Security Council remains in enforcement, granting selective connectivity to commercial cardholders while the general population remains disconnected.
Unit 42’s April 17 high-confidence assessment that Iranian state-sponsored groups shifted to VSAT services through Starlink and other providers remains the operative public characterization of state-actor connectivity. The tiered commercial track does not retire the VSAT-hunt priority. Possession of Starlink terminals continues to carry potential capital-punishment risk under 2026 Iranian legislation. Externally based MOIS-proxy operators and the distributed hacktivist ecosystem continue to operate without material constraint from the domestic blackout, as evidenced by the in-window Handala activity.
Defender takeaway: hunt for anomalous outbound connections from infrastructure-adjacent networks to commercial satellite IP ranges. Validate administrative access paths do not permit unsanctioned satellite uplinks. Review vendor and contractor remote-access agreements for VSAT use.
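Added example, not Flare tooling or code from any of the cited advisories: a small Python flow-log hunt that implements the two takeaways above together, the PLC item's "OT protocol ports reached from outside the engineering-workstation network" and this item's "egress from infrastructure-adjacent networks to commercial satellite ranges". The subnets, the satellite prefix (a documentation range used as a placeholder), and the flow records are constructed assumptions.

```python
import ipaddress

# Constructed firewall flow records (not from the brief): "src,dst,dport,proto"
SAMPLE_FLOWS = """\
10.20.5.14,10.20.8.2,44818,tcp
198.51.100.10,10.20.8.2,44818,tcp
10.20.5.14,10.20.8.2,502,tcp
10.30.1.9,10.20.8.3,2222,tcp
10.20.8.2,203.0.113.40,443,tcp
10.20.5.14,93.184.216.34,443,tcp
"""

# Ports named in the AA26-097A defender takeaway:
# 44818/2222 EtherNet/IP and Rockwell CSP, 102 S7comm, 22 SSH, 502 Modbus/TCP.
OT_PORTS = {44818, 2222, 102, 22, 502}

# Assumed site allow-list: only engineering workstations may open sessions to PLCs.
ENGINEERING_NETS = [ipaddress.ip_network("10.20.5.0/24")]
# Assumed OT subnet housing the PLCs and HMIs.
OT_NETS = [ipaddress.ip_network("10.20.8.0/24")]
# Placeholder standing in for a satellite provider's published prefixes; a real hunt
# loads the provider's current list. 203.0.113.0/24 is a documentation range.
SATELLITE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def in_nets(ip, nets):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def hunt(flow_text):
    """Return (rule, src, dst, dport) tuples for every flow matching a hunt rule."""
    hits = []
    for line in flow_text.strip().splitlines():
        src, dst, dport, _proto = line.split(",")
        dport = int(dport)
        # Rule 1: an OT protocol port on the PLC subnet reached from any source that is
        # not an engineering workstation (internet-, VPS- or IT-sourced sessions alike).
        if dport in OT_PORTS and in_nets(dst, OT_NETS) and not in_nets(src, ENGINEERING_NETS):
            hits.append(("ot_port_from_unapproved_source", src, dst, dport))
        # Rule 2: outbound traffic from the OT subnet to a satellite provider range,
        # i.e. a possible unsanctioned uplink bypassing the sanctioned egress path.
        if in_nets(src, OT_NETS) and in_nets(dst, SATELLITE_NETS):
            hits.append(("ot_egress_to_satellite_range", src, dst, dport))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_FLOWS):
        print(hit)
```

Running it against the constructed records flags the VPS-sourced EtherNet/IP session, the IT-sourced port 2222 session, and the HMI's egress to the placeholder satellite range, while the engineering workstation's sessions pass.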
Sources: NetBlocks; Unit 42 (Apr 17, 2026); NCRI; Iran News Update
Key Threat Actor Summaries
Relevant Government Advisories
No new federal cyber advisories issued in the seven-day window. Anchoring guidance below remains in effect:
For historical advisories, please reach out to your Customer Success Manager if you are a customer, and reach out here if you are not a customer.
Assessment & Outlook
The conflict has entered its 66th day. The following assessment reflects cyber developments from the previous seven days.
Near-Term Cyber Threat (1 to 4 weeks): CRITICAL & ELEVATED
The previous seven days produced one attributed cyber operation: the Handala WhatsApp threat campaign against US service members at Naval Support Activity Bahrain on April 27 to 28, paired with a Telegram-channel doxxing post claiming the names and phone numbers of 2,379 US Marines stationed in the Persian Gulf. Identical Persian-themed messages were sent to civilian recipients across Israel on the same day. The genuine signal in the window is the shift from enterprise targets to direct intimidation of named US military personnel and their families.
The cyber threat picture remains governed by the detection baselines established earlier in April: DomainTools unified MOIS attribution, CISA AA26-097A, Unit 42 CL-STA-1128, Check Point Void Manticore, and FBI FLASH-20260320-001. Hacktivist DDoS tempo continues at post-April 18 baseline. The Iran internet blackout at Day 66 sustains the VSAT operational shift picture for state-actor infrastructure. The Bahrain campaign is consistent with the Halcyon thesis that prior quiet periods reflected covert execution rather than dormancy. Iranian retaliation probability against US critical infrastructure, IRGC 18-company target list organizations, Israeli defense and telecom, Gulf government portals, and MSC-adjacent vendors remains elevated. The Bahrain campaign also raises the probability that personnel-targeted information operations will spread from US Navy and Marine Corps personnel to other service branches and to defense-contractor employees with classification or critical-infrastructure roles.
Priority Cyber Targets (Updated for Window)
- US military personnel and dependents in CENTCOM AOR (CRITICAL, NEW IN WINDOW): Bahrain campaign establishes the personal-device intimidation pattern. Expected to spread to other branches and to families. Personnel data published may be partly recycled but the operational design is psychological pressure on individuals.
- US critical infrastructure with internet-facing Rockwell PLCs and OT devices (CRITICAL, SUSTAINED): CISA AA26-097A remains in effect. Unit 42 CL-STA-1128 FactoryTalk-on-VPS tradecraft remains the active detection picture. Over 3,000 Rockwell devices remain exposed.
- Israeli defense, telecom, and government (CRITICAL, SUSTAINED): Unified MOIS operation targeting weight sustained against this tier. No new in-window claims.
- Gulf state digital infrastructure (CRITICAL, SUSTAINED): Handala’s unverified Dubai claim at 528+ hours. 313 Team, DieNet, and Keymous Plus active against UAE, Bahrain, Kuwait, Qatar, and Saudi portals.
At Flare, we will continue to monitor this conflict and update this article as we learn more information.