Monitoring Cyberattacks Directly Linked to the US-Israel-Iran Military Conflict

April 04, 2026

This brief catalogues confirmed and credibly reported cyber operations directly linked to the escalating US-Israel-Iran military conflict spanning June 2025 through March 2026. The conflict has generated one of the most intensive periods of state-linked cyber warfare since the Russia-Ukraine war, with operations conducted by both sides across multiple domains including critical infrastructure, financial systems, communications networks, and social media platforms.

We will continue to update this timeline with the most recent information as the situation develops.

Key Findings – April 4, 2026


Check Point Research publishes Handala/Void Manticore TTP analysis; confirms NetBird tunnelling and AI-assisted wipers

Check Point Research published a detailed technical report on April 2 documenting Handala/Void Manticore tradecraft across multiple intrusions from 2024 to 2026. The report confirms the group now deploys NetBird to tunnel traffic into compromised networks, uses AI-assisted PowerShell scripts for wiping operations, and relies on sustained VPN brute-force for initial access. Hundreds of logon attempts against organisational VPN infrastructure were linked to Handala-associated infrastructure. The report also confirms that Void Manticore leadership figure Seyed Yahya Hosseini Panjaki, who supervised operations under the MOIS Counter-Terrorism Division, was killed during the opening phase of Israeli strikes in early March 2026. The Irish Examiner reported that the group was forced to reorganise after two prominent figures were killed.

Check Point Research, Apr 2; Irish Examiner; Wikipedia

313 Team claims four-hour DDoS shutdown of Amazon Saudi Arabia, timed to IRGC tech company deadline

313 Team claimed a complete four-hour shutdown of Amazon Saudi Arabia (amazon.sa) on April 1, with Check-Host verification confirming full downtime during the claimed window. The attack coincided directly with the IRGC’s declared 8:00 pm Tehran time deadline against 18 US tech companies, including Amazon. The targeting represents a direct alignment between hacktivist operations and stated IRGC threat timelines.

Conflict dashboard monitoring, Apr 1; Check-Host verification; Telegram OSINT

Handala claims wiper attack on St. Joseph County, Indiana; 12TB allegedly erased; unverified

Handala claimed full control of St. Joseph County’s centralised IT infrastructure in Indiana on April 1, alleging extraction of 2TB of data from the Prosecutor’s Office, health centres, and police departments, and wiping of 12TB from main servers. Over 2,000 documents were published as alleged proof. The claim was posted on April 1. No independent confirmation has been issued by St. Joseph County or US federal agencies. The claim follows Handala’s established pattern of combining real intrusions with inflated impact statements.

Conflict dashboard monitoring, Apr 1; Telegram OSINT; ransomware.live

Hacktivist channels launch coordinated information operations around F-15E shoot-down

Iranian state media, Handala channels, and allied hacktivist Telegram groups amplified the F-15E Strike Eagle shoot-down on April 3 within hours of the event. The shoot-down was framed as evidence that Iranian air defences remain operational and was paired with earlier cyber breach claims to project a unified narrative of Iranian military and cyber capability. Videos of Iranian civilians firing on US rescue helicopters circulated across hacktivist networks. The information operation spanned at least a dozen established conflict-linked Telegram channels. The Pentagon confirmed 365 US service members wounded in action, with the death toll at 13.

NBC News, Apr 3; Military Times, Apr 3; CBS News, Apr 3; Telegram OSINT

Iran internet blackout enters Day 36; 816+ consecutive hours offline; connectivity at 1%

The internet blackout entered its 36th day on April 4 with connectivity at approximately 1% of normal levels. NetBlocks data indicates the blackout has now surpassed 816 hours. Iranians have spent roughly one third of 2026 in complete digital darkness. Only high-ranking officials and state media retain access through a whitelist system. The blackout continues to have no measurable impact on externally based proxy groups.

NetBlocks; The National; Iran International; Wikipedia

For customers seeking further details, please reach out to your Customer Success Manager, and for non-customers please reach out here.

US-Israel-Iran Conflict Timeline & Cyber Context

The cyber operations documented in this brief are responses to three major kinetic escalations:

| Date | Kinetic Event | Cyber Response Pattern |
|---|---|---|
| June 13–25, 2025 | Israel launches surprise attack on Iranian nuclear/military facilities; US strikes three nuclear sites on June 22 | Immediate hacktivist surge with 120+ groups active; DDoS, wiper malware, financial theft, and website defacement |
| January 20–26, 2026 | Pre-conflict escalation; large-scale scanning and credential harvesting reported by intelligence monitors | Attacks on Iranian ports, power substations; Shamoon 4.0 variant strikes Saudi infrastructure |
| February 28, 2026 | US-Israel Operation Epic Fury/Roar of the Lion targeting IRGC, missile sites, and leadership | Largest cyberattack in conflict history; near-total Iranian internet blackout; retaliatory cyber operations active and escalating |

Confirmed & Credibly Reported Cyber Attacks

We are updating this section to include only the newest incidents. For customers seeking further details of past incidents, please reach out to your Customer Success Manager, and for non-customers please reach out here.

Check Point Research Publishes Handala/Void Manticore Technical TTP Analysis (Apr 2, 2026)

  • Threat Actor: Handala Hack (Iran MOIS / Void Manticore)
  • Target: Defensive community; organisations at risk of Handala targeting
  • Attack Type: Threat intelligence publication; TTP disclosure

Check Point Research published a detailed technical analysis of Handala/Void Manticore tradecraft on April 2, covering intrusions from 2024 through 2026. The report documents that Handala continues to rely on manual, hands-on operations, off-the-shelf wipers, and publicly available deletion and encryption tools. Newly observed TTPs include the deployment of NetBird to tunnel traffic into compromised networks and the use of an AI-assisted PowerShell script for wiping activity. The group’s initial access relies heavily on compromised VPN accounts, with Check Point identifying hundreds of logon and brute-force attempts against organisational VPN infrastructure linked to Handala-associated infrastructure. The report confirms that Void Manticore overlaps with activity linked to the MOIS Internal Security Deputy’s Counter-Terrorism Division, operating under the supervision of Seyed Yahya Hosseini Panjaki. Panjaki was killed during the opening phase of Israeli strikes on Iran in early March 2026. The Irish Examiner reported that the group was forced to reorganise after two of its most prominent figures were killed. The analysis provides IOCs, MITRE ATT&CK mappings, and specific detection guidance for VPN brute-force patterns, NetBird tunnelling, and Intune abuse.

Sources: Check Point Research (Apr 2, 2026); Irish Examiner; Wikipedia; Handala Hack Team article

313 Team Claims Four-Hour DDoS Shutdown of Amazon Saudi Arabia; IRGC Deadline Alignment (Apr 1, 2026)

  • Threat Actor: 313 Team (Islamic Cyber Resistance in Iraq / Cyber Islamic Resistance)
  • Target: Amazon Saudi Arabia (amazon.sa)
  • Attack Type: Distributed denial-of-service (DDoS)

313 Team claimed a complete four-hour shutdown of Amazon Saudi Arabia’s official e-commerce platform on April 1, with Check-Host verification confirming full downtime during the claimed window. The attack coincided directly with the IRGC’s declared deadline of 8:00 pm Tehran time against 18 named US tech companies, including Amazon. The timing represents the first confirmed hacktivist operation to directly align with a stated IRGC threat timeline during the current conflict. 313 Team has been among the most active hacktivist groups throughout the conflict, previously claiming 26 Kuwaiti government domains in a single operation on March 6 and taking down the Internet Archive on March 19. The group operates as part of the broader Cyber Islamic Resistance coalition coordinated through the Electronic Operations Room established on February 28.

Sources: Conflict dashboard monitoring (Apr 1, 2026); Check-Host verification; Telegram OSINT

Handala Claims Wiper Attack on St. Joseph County, Indiana; 12TB Allegedly Erased (Apr 1, 2026)

  • Threat Actor: Handala Hack (Iran MOIS / Void Manticore)
  • Targets: St. Joseph County, Indiana; Prosecutor’s Office; health centres; police departments
  • Attack Type: Claimed wiper attack; data exfiltration; unverified

Handala claimed full control of St. Joseph County’s centralised IT infrastructure in Indiana on April 1, alleging extraction of 2TB of data from the Prosecutor’s Office, health centres, and police departments, and the wiping of 12TB from main servers. Over 2,000 documents were published on Handala’s website as alleged proof. The claim was posted on April 1. No independent confirmation has been issued by St. Joseph County, Indiana state agencies, or US federal agencies. The claim follows Handala’s documented pattern of targeting US local government infrastructure following the Stryker wiper attack on March 11. The FDD assessed on April 1 that Handala’s attacks have not relied on sophisticated capabilities, and that the group frequently takes advantage of exposed organisations rather than pursuing strategic targets. If confirmed, the attack would represent continued expansion of Handala’s US targeting beyond the healthcare sector.

Sources: Conflict dashboard monitoring (Apr 1, 2026); Telegram OSINT; ransomware.live; FDD (Apr 1)

Coordinated Information Operations Amplify F-15E Shoot-Down Across Hacktivist Channels (Apr 3, 2026)

  • Threat Actor: Pro-Iranian hacktivist ecosystem; Iranian state media
  • Target: US and allied public perception; US military credibility
  • Attack Type: Coordinated information operation; psychological amplification

Iranian state media, Handala Telegram channels, and at least a dozen allied hacktivist groups amplified the F-15E Strike Eagle shoot-down on April 3 within hours of the event. The shoot-down was framed as direct evidence that Iranian air defences remain operational, contradicting President Trump’s claim days earlier that Iranian radar was “100% annihilated.” Hacktivist channels paired shoot-down imagery with earlier cyber breach claims against PSK WIND Technologies and the 14-company wiper operation, building a unified narrative of Iranian military and cyber resilience. Videos showing Iranian civilians firing automatic weapons at US rescue helicopters were amplified across conflict-linked Telegram channels and pro-Iranian accounts on X. The information operation followed the established pattern documented by SecurityScorecard’s STRIKE team, which found that attack timings, target selection, and messaging across hacktivist groups during the June 2025 conflict suggested institutional IRGC orchestration rather than organic activity. Organisations in the F-15 supply chain should anticipate increased reconnaissance and targeting by Iranian cyber actors seeking symbolic or retaliatory impact.

Sources: NBC News (Apr 3, 2026); Military Times (Apr 3); CBS News (Apr 3); Washington Post (Apr 3); The War Zone (Apr 3); Telegram OSINT; SecurityScorecard STRIKE (prior reporting)

Iran Internet Blackout Enters Day 36; 816+ Consecutive Hours Offline; Connectivity at 1% (Apr 4, 2026)

  • Target: Iranian civilian population (90+ million)
  • Attack Type: State-imposed internet shutdown; National Information Network whitelist enforcement

The internet blackout entered its 36th day on April 4 with connectivity remaining at approximately 1% of normal levels. NetBlocks data indicates the blackout has surpassed 816 consecutive hours. The National reported that Iranians have spent roughly one third of 2026 in complete digital darkness. Only high-ranking officials and state-run media outlets retain access to the global internet through a whitelist system. NetBlocks director Alp Toker noted that no other country has shut off internet access at such scale in so many instances and for such duration. The domestic intranet remains operational, supporting local messaging apps, banking platforms, and state-controlled services. Access to the global internet remains cut off for 90 million civilians. The blackout continues to have no measurable impact on externally based proxy groups, who continue operating from Starlink and other circumvention infrastructure. A Tehran resident described April 3 as the most terrifying night of the conflict, with heavy strikes nearby while civilians remained isolated from outside communication.

Sources: NetBlocks; The National (Mar 10, 2026); Iran International; Wikipedia (Apr 4); NBC News (Apr 3-4)

Key Threat Actor Summaries

Actor Tracker – April 4, 2026

| Actor | Affiliation | Primary TTPs | Key Targets | Confirmation |
|---|---|---|---|---|
| Handala Hack | Iran MOIS / Void Manticore | Server breach; wiper attacks; hack-and-leak; Intune MDM abuse; NetBird tunnelling; AI-assisted PowerShell wipers; VPN brute-force; doxxing; psychological operations | PSK WIND Technologies (claimed); St. Joseph County IN (claimed, unverified); 14 Israeli companies (claimed wiper); FBI Director Patel (breached); Stryker (Day 25 recovery); 60+ Israeli companies (wiped) | Check Point Research; bne IntelliNews; NBC News; Foreign Policy; Israeli INCD; FDD |
| IRGC | Iran Armed Forces | Kinetic-cyber hybrid targeting; tech company designation; infrastructure threats | 18 US tech companies designated as targets; Middle East tech facilities | Time; CNBC; The Hill; Euronews; Tasnim |
| 313 Team | Cyber Islamic Resistance / Iraq | DDoS; coordinated multi-target sweeps; IRGC deadline alignment | Amazon Saudi Arabia (confirmed DDoS); Kuwait government (26 domains); Internet Archive; Austrian Federal Police; Romanian government | Conflict dashboard; Check-Host verification; Telegram OSINT |
| Cyber Av3ngers | Iran IRGC | ICS/OT targeting; PLC exploitation; siren/warning system disruption claims; psychological operations | Israeli civilian warning infrastructure; US water systems; regional ICS/SCADA | Intel 471; Industrial Cyber; Arctic Wolf; BeyondTrust; Trellix; CISA |
| Pro-Iranian hacktivist ecosystem (60+ groups) | Mixed; Iran-aligned and pro-Russian | DDoS; defacement; hack-and-leak; credential harvesting; info ops | US infrastructure; Israeli defense; Gulf states; NATO allies | Unit 42; CrowdStrike; Akamai; DigiCert; Radware |
| RuskiNet | Pro-Russian, Iran-aligned | DDoS; data leak re-publication | Israeli government infrastructure; Ministry of Energy; Speeddeal.co.il | Conflict dashboard; Check-Host verification |
| Pay2Key / Pay2Key.I2P | Iran MOIS / Fox Kitten / Lemon Sandstorm | Pseudo-ransomware; destructive encryption; RaaS with 80% affiliate profit share | US healthcare; Western critical infrastructure; 170+ victims since Jul 2025 | Dark Reading; KELA; Halcyon; Beazley Security; FBI/CISA/DoD |
| Houthi-aligned cyber groups | Iran-aligned / Yemen | DDoS; information operations; coordinated with kinetic strikes | Israeli defense; Gulf state infrastructure; commercial shipping | CGTN; Al Jazeera; CNN; Haaretz; International Crisis Group |

Relevant Government Advisories

New advisories issued since previous report (April 3):

Government Advisories – Iran Cyber Threats

| Date | Source | Summary |
|---|---|---|
| April 2, 2026 | Check Point Research | Published detailed technical analysis of Handala/Void Manticore TTPs covering 2024–2026 intrusions. Confirms NetBird tunnelling, AI-assisted PowerShell wipers, VPN brute-force for initial access. Notes Panjaki killed in opening strikes. Provides IOCs, MITRE ATT&CK mappings, and detection guidance. |
| April 2, 2026 | Infosecurity Magazine / FBI | FBI reveals Handala group tied to Iranian hack-and-leak operations targeting dissidents, journalists, and opposition groups since autumn 2023. Multi-stage malware uses Telegram C2 bots. Masquerades as Pictory, KeePass, WhatsApp, and Telegram software. |
| April 1, 2026 | FDD | Published six-point assessment of Handala operations. Concludes attacks rely on credential reuse and exposed organisations rather than sophisticated capabilities. Notes DOJ domain seizures had limited lasting impact as Handala rebuilt infrastructure within days. |
| April 1, 2026 | IT Brew / Sophos / RunSafe Security | Experts assess Handala as the most significant cyber threat actor emerging from the conflict. Sophos notes the Stryker attack lends credibility to other claims. ProArch reports up to 95% of devices in some Stryker departments were erased before defenders reacted. |
| April 3, 2026 | Financial Times | Reports Iran deploying a layered network of digital actors across three tiers: elite IRGC/MOIS units, state-aligned proxies, and hacktivist groups. CISA and Israeli INCD confirmed escalation in Iranian cyber operations. |
| April 3, 2026 | Pentagon / CENTCOM | Pentagon adds Operation Epic Fury to casualty database. 365 wounded in action; 13 killed. F-15E shoot-down confirmed. Drives information operations surge across hacktivist channels. |

For historical advisories, please reach out to your Customer Success Manager if you are a customer, and reach out here if you are not a customer.

Assessment & Outlook

The conflict has entered its 36th day. As of April 4, the following assessment reflects developments from the previous 24 hours.

Near-Term Threat (1-4 weeks): CRITICAL & DETERIORATING

Cyber reporting volume from the conflict has dropped noticeably over the past 48 hours compared to the sustained tempo observed from late February through late March. This reduction does not indicate a decrease in threat level. Several factors account for the drop: the Passover and post-Eid period has historically correlated with reduced hacktivist operational tempo; multiple conflict dashboard sources have not updated beyond April 2; and the fog of war around the F-15E shoot-down and stalled ceasefire negotiations has shifted media and analyst attention to the kinetic domain. Defenders should not interpret reduced public reporting as reduced risk. Halcyon previously noted that Handala’s periods of reduced public blog activity are historically consistent with active operational tempo rather than dormancy. The quiet may precede the next wave of operations, particularly as the April 6 energy strike deadline approaches.

The Check Point Research report published on April 2 provides the most detailed public documentation of Handala’s current tradecraft. The confirmation that the group uses NetBird for tunnelling, AI-assisted PowerShell for wiping, and sustained VPN brute-force for initial access gives defenders actionable detection priorities. The report’s finding that Handala relied on compromised VPN credentials for initial access in recent intrusions aligns with the FDD’s April 1 assessment that the group exploits credential reuse and exposed organisations rather than developing novel exploitation capabilities.

The 313 Team DDoS against Amazon Saudi Arabia on April 1, timed to the IRGC deadline, represents the first confirmed hacktivist operation to directly align with a stated IRGC threat timeline. This alignment warrants monitoring for similar coordination around the April 6 energy deadline. The Handala claim against St. Joseph County, Indiana, if verified, would represent continued expansion of US local government targeting following the Stryker wiper attack.

The F-15E shoot-down on April 3 generated a rapid information operations response across hacktivist channels. The event provides renewed narrative material for pro-Iranian cyber actors and is likely to increase both motivation and recruitment across the hacktivist coalition. Organisations in the F-15 supply chain should anticipate increased reconnaissance.

Priority Targets (Updated April 4)

  • Maritime, energy, and financial sectors (CRITICAL, ESCALATED): The April 6 energy strike deadline approaches with no diplomatic progress. Dual chokepoint risk continues with Houthi operations ongoing.
  • US technology companies with Middle East operations (CRITICAL, ESCALATED): The IRGC designation of 18 companies remains active despite the April 1 deadline passing without confirmed kinetic follow-through. The 313 Team DDoS against Amazon Saudi Arabia demonstrates hacktivist willingness to align operations with IRGC timelines. Named companies should maintain elevated defensive posture through at least the April 6 energy strike deadline.
  • Organizations with exposed VPN infrastructure (CRITICAL, NEW): Check Point Research confirmed that Handala’s primary initial access vector is VPN brute-force using compromised credentials. Block inbound connections from Iran at the perimeter and on remote access services unless there is a verified business need. Monitor for brute-force patterns documented in the Check Point IOCs.
  • US local government (CRITICAL, ESCALATED): The unverified Handala claim against St. Joseph County follows the group’s established pattern of targeting exposed organizations. US local government entities should review access controls, validate offline backups, and ensure Intune multi-admin approval is enabled.
  • Israeli defense industrial base and air defence infrastructure (CRITICAL, ONGOING): The Handala claims against PSK WIND Technologies and 14 Israeli companies from April 2 remain unverified but consistent with confirmed patterns.
  • US healthcare organizations (CRITICAL, ONGOING): Stryker entered Day 25 of recovery. Pay2Key ransomware variants remain active against healthcare targets.
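As an added illustration of the VPN brute-force detection priority raised in the Check Point section and in the priority list above (example code written for this brief, not Flare's or Check Point's detection logic): a small Python detector that runs three rules over constructed VPN authentication lines in a hypothetical log format, flagging sustained failures from one source, password spray across many accounts, and a success that follows a burst of failures, which is the compromised-credential pattern the report describes. The log format, thresholds, and sample addresses are assumptions.

```python
"""Flag VPN brute-force, password-spray and fail-then-success patterns in VPN
authentication logs. Constructed example: the "<ISO8601> vpn auth result=<ok|fail>
user=<u> src=<ip>" line format is hypothetical, not a real appliance format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn auth result=(?P<result>ok|fail) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect(lines, window=timedelta(minutes=10), fail_threshold=20,
           spray_users=5, min_prior_fails=5):
    """Return alerts for chronologically ordered lines. Rules (each fires once per source):
    brute_force  - >= fail_threshold failures from one source inside the sliding window
    spray        - failures against >= spray_users distinct accounts from one source
    fail_then_ok - a success from a source with >= min_prior_fails recent failures,
                   i.e. a candidate compromised credential rather than mere noise
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) for failures
    alerts, fired = [], set()

    def fire(rule, ev, **extra):
        if (ev["src"], rule) not in fired:
            fired.add((ev["src"], rule))
            alerts.append({"rule": rule, "src": ev["src"], "ts": ev["ts"].isoformat(), **extra})

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:  # drop failures outside the window
            q.popleft()
        if ev["result"] == "fail":
            q.append((ev["ts"], ev["user"]))
            distinct = len({u for _, u in q})
            if len(q) >= fail_threshold:
                fire("brute_force", ev, count=len(q))
            if distinct >= spray_users:
                fire("spray", ev, users=distinct)
        elif len(q) >= min_prior_fails:
            fire("fail_then_ok", ev, user=ev["user"], prior_fails=len(q))
    return alerts

def sample_log():
    """Constructed sample log: three sources with different behaviours."""
    base = datetime(2026, 4, 1, 10, 0, 0)

    def line(offset, result, user, src):
        return f"{(base + offset).isoformat()} vpn auth result={result} user={user} src={src}"

    lines = [line(timedelta(seconds=12 * i), "fail", "jdoe", "203.0.113.7")
             for i in range(25)]  # 25 failures on one account in five minutes ...
    lines.append(line(timedelta(minutes=5, seconds=30), "ok", "jdoe", "203.0.113.7"))  # ... then success
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):  # spray: one try per account
        lines.append(line(timedelta(minutes=1, seconds=30 * i), "fail", u, "198.51.100.9"))
    lines.append(line(timedelta(minutes=2), "fail", "asmith", "192.0.2.5"))  # one typo, then login
    lines.append(line(timedelta(minutes=2, seconds=20), "ok", "asmith", "192.0.2.5"))
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically
```

Running detect(sample_log()) yields a spray alert for 198.51.100.9, then a brute_force alert and a fail_then_ok alert for 203.0.113.7, while the single mistyped password from 192.0.2.5 stays silent; the window and thresholds should be tuned to the appliance's normal failure rate.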

At Flare, we will continue to monitor this conflict and update this article as we learn more information. 
