{
	"id": "29246c41-c17d-4a38-b7c8-e1da8216c39e",
	"created_at": "2026-04-06T00:08:08.3516Z",
	"updated_at": "2026-04-10T03:37:59.134866Z",
	"deleted_at": null,
	"sha1_hash": "6d1a7d2e8271aa0f997aad53db6bb03fcba041d9",
	"title": "Telegram Hacktivist Activity Timeline of Iran - Israel \u0026 US War",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 213037,
	"plain_text": "Telegram Hacktivist Activity Timeline of Iran - Israel \u0026 US War\r\nPublished: 2026-03-10 · Archived: 2026-04-05 13:06:50 UTC\r\nFrom the first hours of Iran vs. Israel \u0026 US War: Operation Epic Fury, hacktivist groups mobilized faster than any\r\nstate-sponsored actor could. What started as DDoS campaigns against Israeli government sites quickly expanded\r\ninto a global coalition of pro-Iranian, pro-Palestinian, and Russian-aligned collectives hitting Gulf states,\r\nEuropean targets, and US infrastructure.\r\nThis blog post tracks that activity day by day, since the first coalitions forming on March 1.\r\n📅 Date 🔎 Update\r\nMarch 25,\r\n2026\r\nHandala Doxxes Former Mossad Chief, BD Anonymous ‘’Hits’’ Interpol, and Keymous\r\nReturns to Egypt\r\nMarch 24,\r\n2026\r\nAlliance Fractures, Bounties, and a Kurdish Front Opens\r\nMarch 23,\r\n2026\r\nHandala Publishes Power Grid Maps, NoName Reaches Denmark, and DieNet Tests\r\nGoogle\r\nMarch 22,\r\n2026\r\nKeymous Reaches Egypt, a New Channel Geolocates Hotels, and the Lockheed Claim\r\nGets a PoC\r\nMarch 21,\r\n2026\r\nNoName Sweeps Romania for the Second Time, DieNet Claims 100 Attacks in a Day\r\nMarch 20,\r\n2026\r\nEid, Nowruz, and a Quiet Day With a Loud Claim\r\nMarch 19,\r\n2026\r\nFBI Seizes Handala’s Domain, 313 Team Takes Down the Internet Archive, and the\r\nCoalition Keeps Expanding\r\nMarch 18,\r\n2026\r\nLarijani Killed, Iran Retaliates, NoName Hits Israeli Insurers, INDOHAXSEC Drops 8.3\r\nMillion Records\r\nMarch 17,\r\n2026\r\nMicrosoft Services Targeted, South Korea Swept, Israeli Lawyers Doxxed, and the\r\nCoalition Expands\r\nMarch 14-16,\r\n2026\r\nGolden Falcon Leak, MME Targeting, Syria Joins Both Sides, and the Cyber Front Enters\r\nIts Third Week\r\nMarch 13,\r\n2026\r\nCyber Islamic Resistance Targets Israeli Cybersecurity Firm, 313 Team Strikes UAE,\r\nCyprus Becomes NoName’s 
Fixation\r\nhttps://socradar.io/blog/telegram-activity-timeline-iran-israel-us-war/\r\nPage 1 of 33\n\nMarch 12, 2026 Handala Wipes Stryker, Keymous Sweeps the Gulf, and 313 Team Crosses into Europe\r\nMarch 11, 2026 New Alliances, Kuwait Swept, and the Short Story of NetStrike\r\nMarch 10, 2026 Critical Infrastructure in the Crosshairs as FSociety Issues 42-Hour Threat\r\nMarch 7-9, 2026 New Supreme Leader, Wider Borders, Deeper Systems\r\nMarch 6, 2026 Gulf Governments Under Siege, Iraqi Cyber Resistance Declares War on Kuwait\r\nMarch 5, 2026 Two Wars, One Cyber Front, Data Breaches, New Recruits, and the Expanding Target Map\r\nMarch 4, 2026 OT Intrusion Claims, Multi-Vector Escalation, and the Expanding Target Map\r\nMarch 3, 2026 Pro-Russian Hackers Have Joined the Lobby, Critical Infrastructures Under Attack\r\nMarch 2, 2026 Escalation Across Critical Infrastructure, Ransomware, and Coordinated Campaigns\r\nMarch 1, 2026 Hacktivist Collectives \u0026 Alliances Emerging\r\nFor the full threat intelligence feed, visit the Iran vs. Israel \u0026 US Cyber War 2026: Operation Epic Fury Threat\r\nIntelligence blog.\r\nMarch 25, 2026: Handala Doxxes Former Mossad Chief, BD Anonymous “Hits”\r\nInterpol, and Keymous Returns to Egypt\r\nDay 26 opened with Handala’s most personally targeted operation since the conflict began. 
While DDoS\r\ncampaigns continued across Egypt and international organizations, the day’s defining moment was a hack-and-leak post naming a former intelligence chief and claiming 14 gigabytes of documents to prove it.\r\nHandala Targets Former Mossad Chief\r\nOn March 25, Handala published a post on its website titled “From Hunter to Hunted: Mossad’s Former Chief\r\nFalls into the Trap.” The post named him directly, published photographs of him at what appear to be public\r\nevents, and claimed to have released 14 gigabytes of personal and confidential documents as a Proof of Concept.\r\nHandala website post titled “From Hunter to Hunted” showing photographs of Tamir Pardo at public events\r\nalongside Handala branding and a download link for the alleged 14GB document release\r\nThe claim is unverified. No independent researcher has confirmed the authenticity of the files. Pardo is a public\r\nfigure with a documented history of public appearances, and some of the photographs in the post appear to come\r\nfrom open sources. Handala’s documented pattern of inflating claims and combining real with exaggerated\r\nmaterial makes independent verification essential before drawing any conclusions about the files’ contents.\r\nWhat is clear is the intent. Following the FBI’s seizure of its domain on March 19 and the DOJ’s $10 million\r\nbounty on its members, Handala has consistently “escalated” rather than retreated. The $50 million counter-bounty on March 24, the power grid maps on March 23, and now the personal targeting of a named former\r\nintelligence official represent a deliberate escalation curve in the group’s public posture.\r\nBD Anonymous Takes Aim at Interpol\r\nBD Anonymous claimed a DDoS attack against interpol.int on March 25, publishing the target’s IP address, port\r\nconfiguration, and ISP details showing Akamai Technologies as the host. 
The attack was timed to 10:40 UTC and\r\nframed explicitly around the ICC arrest warrant for Netanyahu, with the message telling global law enforcement\r\nto “open your eyes” and arrest war criminals.\r\nBD Anonymous post showing an ICC-style “WANTED” poster of Netanyahu alongside attack details for\r\ninterpol.int including IP, ports, and ISP information\r\nInterpol is a neutral international organization with no role in the Iran conflict. Its targeting is symbolic, chosen for\r\nthe message it sends rather than any operational value. The Akamai hosting makes a sustained outage unlikely, but\r\nthe framing of the attack as a law enforcement accountability operation marks BD Anonymous as one of the more\r\nmessaging-focused groups in the current coalition.\r\nKeymous Plus Returns to Egypt’s Ministry of Interior\r\nKeymous Plus published a Check-Host report on March 25 showing connection timeouts for Egypt’s Ministry of\r\nInterior website across more than 20 global nodes, confirming the site was still down at time of posting. The\r\noperation was tagged under #Op_Epstein_Gulf and #Elite_Network.\r\nEgypt has now been targeted across multiple days. Like other countries in the campaign’s expansion phase, its\r\ninclusion appears to follow geographic sweep logic rather than any specific Egyptian political action that triggered\r\nthe operation.\r\nMarch 24, 2026: Alliance Fractures, Bounties, and a Kurdish Front Opens\r\nMarch 24 produced one of the most significant structural shifts of the conflict’s cyber dimension. Two of the day’s\r\ndevelopments had nothing to do with DDoS claims or data leaks. They had to do with who was still in the\r\ncoalition and who had left.\r\nCyb3r Drag0nz Kurdish Breaks from CIR and Turns Against Iran\r\nCyb3r Drag0nz Kurdish had been a member of the Cyber Islamic Resistance coalition from the conflict’s early\r\ndays, participating in joint operations against Israeli and Gulf targets. 
On March 24, the group published a post\r\nmourning six Peshmerga fighters killed in Iranian strikes, naming each one and condemning the Iranian regime\r\ndirectly. The post called on the Kurdish diaspora to stand against Iran alongside Israel and the United States.\r\nCyb3r Drag0nz Kurdish post showing six named Peshmerga fighters with their photographs, Kurdish text, and\r\ncondemnation of Iran\r\nThe departure has context. Early in the conflict, reports circulated that Kurdish forces in Iraq might be used by the\r\nUS in operations against Iran. Around the same time, Cyb3r Drag0nz Kurdish had already begun distancing itself\r\nfrom CIR operations targeting Israel. The Iranian strikes on Peshmerga positions appear to have been the final\r\ntrigger.\r\nThis is one of the conflict’s clearest alliance fractures. A group that was operating against Israeli targets three\r\nweeks ago is now explicitly aligned against Iran. The reversal reflects the fact that Iran’s missile and drone\r\ncampaign has not been limited to Israel and Gulf states. Kurdish-controlled Iraq has also been struck, and Kurdish\r\nforces have taken casualties.\r\nFynix Announces Operations Against Kurdish Targets\r\nOn the same day, Iran-aligned group Fynix announced it was beginning attacks on Kurdish government websites,\r\norganizations, and companies. 
The stated justification was “insults to the Islamic Republic of Iran by Kurdish\r\ncyber teams.” The post was a direct mirror of the Cyb3r Drag0nz situation, confirming that the fracture between\r\npro-Iranian actors and Kurdish groups had opened a new sub-front within the conflict’s cyber dimension.\r\nFynix post announcing attacks on Kurdish governments, organizations, and companies in response to Kurdish\r\ncyber groups insulting Iran\r\nHandala Posts a $50 Million Bounty on Trump and Netanyahu\r\nHandala published a statement on its website offering $50 million to any individual or group that eliminates\r\nTrump and Netanyahu, describing it as a direct response to the US DOJ’s $10 million bounty on Handala members\r\nannounced alongside the domain seizure. The post used Session as its communication channel and promised\r\nencrypted, anonymous payment.\r\nHandala’s reward post for Trump \u0026 Netanyahu on their website\r\nThe post is incitement. Its publication via an app and domain outside FBI jurisdiction reflects the group’s\r\nadaptation following the March 19 seizure.\r\nCyber Fattah Issues Reconnaissance Statement\r\nCyber Fattah published a statement announcing that planned attacks would follow after the group finished\r\n“collecting specific resources.” The post warned that “all types of attacks” would be used and framed the\r\noperation in explicitly anti-Zionist terms. No technical activity was published alongside the statement.\r\nMarch 23, 2026: Handala Publishes Power Grid Maps, NoName Reaches\r\nDenmark, and DieNet Tests Google\r\nOn March 23, Handala published a nine-panel grid of detailed schematic maps on its website, each showing what\r\nappeared to be Israeli power plant and electrical grid infrastructure, including transmission lines, substations, and\r\nfacility layouts. Each panel was watermarked with the Handala logo. 
A short URL linked to the full post on the\r\nHandala site.\r\nHandala post showing nine schematic maps of Israeli power and electrical infrastructure, each panel watermarked\r\nwith the Handala logo\r\nThis is qualitatively different from any previous Handala publication in this conflict cycle. Prior posts involved\r\nbreach claims, doxxing of military personnel, and propaganda. This post is targeting intelligence against critical\r\nnational infrastructure, specifically the kind of information that would be useful not for a DDoS campaign but for\r\na kinetic or destructive cyber operation against power systems. Thus, does Handala’s effort really affect the\r\nphysical war?\r\nNoName057(16) Shifts to Denmark and Greenland\r\nNoName057(16) opened a new front on March 23, targeting Denmark under #OpDenmark. The framing was\r\nexplicit: the Danish Prime Minister had announced early elections for March 24, driven in part by her rising\r\napproval ratings amid Trump’s threats to annex Greenland. NoName said it had decided to “join, but in our own\r\nway.”\r\nVerified targets included the Air Greenland Authorization Portal and Nuup Bussii, the public transport system in\r\nNuuk, Greenland’s capital. Both were confirmed via Check-Host. The Denmark operation is unrelated to the Iran\r\nconflict and reflects NoName’s consistent pattern of using geopolitical news events as operational triggers for\r\ncampaigns that serve Russian rather than Iranian objectives.\r\nConquerors Electronic Army Hits Israeli Business Directory\r\nConquerors Electronic Army, operating under CIR, claimed a DDoS against t.co.il, an Israeli companies and\r\nservices directory. Check-Host verification was published. 
The attack was attributed to Beamed.cc infrastructure.\r\nDieNet Tests Google’s Defenses via Lamborghini\r\nDieNet published a claim that it had bypassed Google LLC’s hosting protection on the Lamborghini website,\r\npublishing a Check-Host verification link confirming the site was inaccessible. The post framed this as proof that\r\nGoogle’s infrastructure is not adequate protection regardless of the scale of the host, stating that “it’s a big lie” that\r\npowerful machines provide immunity.\r\nThe Lamborghini website has no connection to the Iran conflict. The targeting reflects DieNet’s ongoing effort to\r\ndemonstrate that its capabilities extend beyond government and military portals to commercially hosted civilian\r\nsites protected by major cloud providers.\r\nMarch 22, 2026: Keymous Reaches Egypt, a New Channel Geolocates Hotels, and\r\nthe Lockheed Claim Gets a PoC\r\nKeymous Plus continued its systematic country-by-country sweep under #Op_Epstein_Gulf, turning to Egypt on\r\nMarch 22. The group published verified downtime for six targets: the Egypt Government Portal, the Cabinet\r\n(Prime Minister’s office), the Ministry of Interior, the Ministry of Finance, the Ministry of Petroleum, and the\r\nMinistry of Water Resources and Irrigation. All were confirmed via Check-Host links.\r\nKeymous Plus post showing six Egyptian government targets verified down under #Op_Epstein_Gulf\r\nEgypt’s targeting by Keymous Plus appears to be part of the operation’s geographic expansion logic rather than a\r\nresponse to any specific Egyptian political position. The same pattern applied to Syria in the March 12 and 14\r\nsweeps.\r\nHarvesting Time: A New Channel Geolocating Civilian Sites\r\nA newly surfaced Telegram channel calling itself “Harvesting Time” published satellite imagery on March 22 with\r\nprecise geolocations of two civilian hotel sites. 
The first post identified the King David Hotel in Jerusalem, Israel.\r\nThe second identified the Erbil Rotana Hotel on Gulan Street in Erbil, Kurdistan, Iraq. Neither post contained a\r\nbreach claim, data dump, or DDoS target list.\r\nHarvesting Time channel post showing satellite imagery of the King David Hotel in Jerusalem with location label\r\nHarvesting Time channel post showing aerial imagery of the Erbil Rotana Hotel with nighttime fire visible nearby\r\nand location identified as Gulan Street, Erbil, Kurdistan, Iraq\r\nThe Erbil post is more significant than it first appears. Erbil is in the Kurdistan Region of Iraq, which has been\r\ncaught in the middle of the conflict. The lower image in the Erbil post shows what appears to be fire near the\r\nhotel, which may reflect the kinetic strikes on Erbil that occurred during this period.\r\nHarvesting Time is a new actor with no prior track record. Its channel name in Arabic translates roughly to “It Is\r\nTheir Time.” The combination of civilian hotel targeting and Erbil’s position in Kurdish-controlled territory gives\r\nthe channel a distinct profile from the hotel geolocation posts seen from other groups.\r\nCyber Fattah Publishes Lockheed PoC Forwarded from APT IRAN\r\nOn March 22, Cyber Fattah forwarded a post from APT IRAN claiming a Proof of Concept for the Lockheed\r\nMartin breach announced on March 20. The PoC post included a dark web .onion domain, IOC strings, and\r\nreferences to sample data via Telegram and qTox contact channels.\r\nMarch 21, 2026: NoName Sweeps Romania for the Second Time, DieNet Claims\r\n100 Attacks in a Day\r\nNoName057(16) had already targeted Romania’s National Tax Agency on March 12 following the Romanian\r\npresident’s statements on US military base access. 
On March 21 the group returned with a far more\r\ncomprehensive sweep, publishing two separate rounds of verified downtime across Romanian transport,\r\ngovernment, legal, and industrial targets.\r\nThe first wave hit MOL Romania’s oil division, TIM Rail Cargo SRL, Romanian Railways Authority, Bucharest\r\nMetro, the Chamber of Deputies, and Romanian Railways. The second wave, published shortly after, added the\r\nSupreme Court, the Supreme Court of Cassation, the Industrial Real Estate Management Agency, and a state plant\r\nfor the construction and modernization of passenger and freight rail cars.\r\nNoName057(16) first Romania wave showing Check-Host verified downtime for MOL Romania, TIM Rail\r\nCargo, Romanian Railways Authority, Bucharest Metro, Chamber of Deputies\r\nNoName057(16) second Romania wave showing Supreme Court, Supreme Court of Cassation, Industrial Real\r\nEstate Management Agency all verified down, courts closed by geo-restriction\r\nBoth courts were found to be closed by geo-restriction at time of verification, meaning NoName’s Check-Host\r\nlinks showed the sites inaccessible but the closure may have been a pre-existing access restriction rather than the\r\nresult of the attack. The group acknowledged this in its framing, calling it “continuing our journey around\r\nRomania.”\r\nRomania’s consistent appearance as a target through March reflects the group’s Operation Time of Retribution\r\nframework, which explicitly targets NATO-aligned European countries. Romania’s specific role began with the\r\npresident’s statements on US military base access. 
It has since become a standing target.\r\nDieNet Reports 100+ Attacks in a Single Day Under #CanYouResist\r\nDieNet, the DDoS infrastructure supplier and primary volume driver for the pro-Iranian coalition since day one,\r\nannounced it had carried out more than 100 attacks against more than 50 Israeli websites in a single day as part of\r\nits #CanYouResist operation. Targets listed included El Al (Israel’s national airline), the IDF’s military news\r\nportal, Rafael defense contractor, Hotnet ISP, IsraelInternet, and SEM, a local web service provider. The network\r\nreported that some military websites and services remained down for longer periods than usual.\r\nDieNet’s role throughout the conflict has been less about individual named targets and more about sustained\r\nvolume, providing the DDoS infrastructure that many smaller coalition groups rely on for their own claimed\r\noperations. A 100-attack single-day claim, even with typical inflation factored in, is consistent with its established\r\noperational tempo.\r\nRuskiNet Republishes 2025 Bank of Jerusalem Data\r\nRuskiNet Group published what it described as Bank of Jerusalem data, noting the leak originated from a security\r\nvulnerability exploited in 2025 and was being republished for those who had missed it at the time. The post\r\ninvited users to find the data at the linked address.\r\nThe re-publication of old leaks is a common tactic used to maintain pressure and media presence without the\r\noperational cost of a new breach. The data itself is not new. Its republication on March 21 is a visibility play timed\r\nto the conflict’s ongoing coverage cycle.\r\nMarch 20, 2026: Eid, Nowruz, and a Quiet Day With a Loud Claim\r\nMarch 20, 2026 was the first day of Eid al-Fitr and the Persian New Year Nowruz, a rare alignment of the two\r\nmost significant holidays in the Islamic and Iranian calendars. 
Hacktivist activity dropped noticeably, as expected.\r\nPro-Iranian groups that had been posting multiple operations daily went quiet or published symbolic messages\r\nrather than attack claims. The absence of coordinated DDoS sweeps and target lists was itself a data point.\r\nAPT IRAN used the relative quiet to publish a different kind of claim.\r\nAPT IRAN Claims ICS Access at Kupferle Water Solutions\r\nAPT IRAN published a screenshot of what appeared to be an active HMI panel for a water treatment control\r\nsystem belonging to Kupferle Water Solutions, a company operating in Fenton, Missouri. The panel showed\r\nchlorine levels, temperature readings, a “Flushing in Progress” status, and a date stamp of March 10, 2026. The\r\ngroup claimed the device had been accessed, rebooted, and that a backup had been taken.\r\nAPT IRAN post showing water treatment HMI panel with active readings, chlorine and temperature levels visible,\r\ndate 03-10-2026\r\nIf the screenshot is genuine, it shows a publicly exposed or weakly secured industrial control panel connected to a\r\nwater treatment process. The claim is unverified. The ten-day gap between the alleged access date and the\r\npublication date is consistent with either delayed publication for propaganda purposes or a staged screenshot. No\r\nservice disruption was reported. 
Water utilities have been a recurring target category for Iranian-linked actors in\r\nprior conflict cycles, making the claim pattern-consistent even if the specific incident is unconfirmed.\r\nThe Lockheed Martin Claim: Treat With Skepticism\r\nAlso on March 20, a post attributed to APT IRAN circulated claiming the group had infiltrated Lockheed Martin’s\r\ninfrastructure and exfiltrated 375 terabytes of data, including F-35 Block 4 documentation, future missile defense\r\nsystem architecture, Pentagon contracts through 2030, and personnel records for 63,000 current and former\r\nemployees. The claim valued the stolen data at approximately $330 million and offered it for sale via\r\nThreatMarket on a .onion domain.\r\nThe figures are implausible at face value, Lockheed Martin made no public statement, and no third-party\r\nresearcher confirmed any indicators of compromise. Until verified evidence emerges, this should be treated as an\r\nunverified actor claim designed for media amplification.\r\nMarch 20 was otherwise the quietest day of the conflict’s third week on the cyber front. Iran and Israel continued\r\ntrading strikes on Eid and Nowruz, with Kuwait’s Mina al-Ahmadi refinery hit by two waves of Iranian drones.\r\nThe holiday did not stop the kinetic war.\r\nMarch 19, 2026: FBI Seizes Handala’s Domain, 313 Team Takes Down the Internet\r\nArchive, and the Coalition Keeps Expanding\r\nDay 20 of Operation Epic Fury brought one of the conflict’s clearest signals that the cyber front was drawing\r\ndirect US government attention. The FBI seized Handala’s primary web domain, the group migrated and kept\r\noperating, and the day’s hacktivist activity continued at pace with the Internet Archive taken offline, South Korea\r\ntargeted again, and a new Southeast Asian operation announced for the days ahead.\r\nThe FBI Steps In: Handala’s Domain Seized\r\nThe most significant development of the day had nothing to do with a DDoS claim or a data leak. 
Visitors to\r\nhandala-redwanted.to were met with a federal seizure banner, carrying the seals of the Department of Justice and\r\nthe Federal Bureau of Investigation.\r\nFBI seizure notice on handala-redwanted.to showing DOJ and FBI seals and the text “This Website Has Been\r\nSeized”\r\nThe seizure notice stated the domain had been taken under a warrant from the US District Court for the District of\r\nMaryland, citing its use to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination\r\nwith, a foreign state actor. The notice warned that individuals who knowingly assist with or attempt to restore\r\nseized infrastructure may face criminal prosecution, sanctions, or other legal action under US law.\r\nHandala’s nameservers were redirected to ns1.fbi.seized.gov and ns2.fbi.seized.gov, a pattern consistent with\r\nprevious FBI domain seizure operations. The group responded with characteristically defiant messaging, framing\r\nthe seizure as proof of the enemy’s fear, and migrated to a new domain. The operation did not disrupt Handala’s\r\nTelegram activity, which continued uninterrupted.\r\nThe seizure matters less for its operational impact than for what it signals. It places Handala explicitly within the\r\nUS government’s active enforcement posture, and formally connects the group’s infrastructure to the broader legal\r\nframework used against state-adjacent cyber actors. The US DOJ had previously placed a $10 million bounty on\r\nHandala members.\r\n313 Team Takes Down the Internet Archive\r\n313 Team, the Iraq-based CIR affiliate responsible for some of the conflict’s most consistent DDoS operations,\r\nturned its attention to archive.org on March 19. 
The group published a post confirming the attack was ongoing and\r\nthat the Internet Archive remained offline at time of announcement, alongside a Check-Host verification link.\r\n313 Team post showing archive.org displaying “Temporarily Offline” message with Check-Host verification link\r\nThe Internet Archive is not a military or government target. It is a civilian digital library hosting hundreds of\r\nbillions of web pages, books, audio, and video. Its targeting reflects the coalition’s continued expansion beyond\r\noperationally meaningful infrastructure toward anything associated with the United States or the broader Western\r\ninternet ecosystem.\r\nBD Anonymous Hits South Korea’s Ministry of National Defence\r\nBD Anonymous, the Bangladeshi group that had previously swept South Korean targets alongside Hider_Nex\r\nunder #OpSouthKorea, returned on March 19 with a direct claim against mnd.go.kr, the official website of South\r\nKorea’s Ministry of National Defence, publishing two Check-Host verification links and a DownDetector\r\nconfirmation.\r\nBD Anonymous post showing Operation South Korea branding alongside mnd.go.kr showing “This site can’t be\r\nreached” error\r\nThe stated grievance was that the South Korean government had not raised its voice for Palestine and was blindly\r\nsupporting the US-Israel coalition. South Korea has no direct military involvement in the Iran conflict. 
Its\r\nrepeated appearance on target lists across multiple groups reflects a pattern of expanding the definition of\r\nlegitimate targets to include any US-aligned democracy, regardless of its actual role in the conflict.\r\nConquerors Electronic Army Hits Israeli Business Directory\r\nConquerors Electronic Army, operating under the CIR umbrella, claimed a DDoS against t.co.il, an Israeli\r\ncompanies and services directory, with Check-Host verification and the attack attributed to Beamed.cc. The\r\noperation was tagged under the Battle of the Great Confrontation framing used consistently by CIR groups\r\nthroughout the conflict.\r\n#OpsShadowStrike: A New Campaign Announced for After Eid\r\nA Malaysia-based channel published an announcement for #OpsShadowStrike, declaring the operation would\r\nlaunch after Eid al-Fitr. The post, written in both Malay and English, stated the operation’s targets would be\r\ncountries allied with Israel.\r\nOpsShadowStrike announcement post showing campaign branding and the tagline “One Attack, a Thousand\r\nEffects. Targeting countries allied with IsraHell”\r\nThe announcement was mobilization rather than active operations. It is notable primarily as evidence that new\r\ngroups continue to form and announce intent even three weeks into the conflict, with the post-Eid timing\r\nsuggesting the group was explicitly planning around the religious calendar.\r\nMarch 18, 2026: Larijani Killed, Iran Retaliates, NoName Hits Israeli Insurers,\r\nINDOHAXSEC Drops 8.3 Million Records\r\nD+19 opened with the most significant leadership decapitation since the war’s opening day. 
Iran confirmed the\r\nkilling of Ali Larijani, secretary of the Supreme National Security Council and the highest-ranking Iranian official\r\nkilled since Khamenei’s assassination on February 28. Israel also confirmed the killing of Basij commander\r\nGholamreza Soleimani, his deputy, and the IRGC’s Aerospace Force chief in the same operation. Iran’s IRGC said\r\nits missiles struck more than 100 military and security targets inside Israel in retaliation. On the cyber front, the\r\nday’s activity reflected the coalition’s continued expansion into new target categories with little slowdown in\r\ntempo.\r\nNoName057(16) Sweeps Israeli Insurance Sector\r\nOn March 18, NoName057(16) published a verified sweep of Israeli insurance and defense-adjacent companies\r\nunder #OpIsrael, hitting Gahat Systems Ltd, Shlomo Insurance Company, Shomera Insurance Company, Harel\r\nInsurance Company, Igudbit Insurance Association, and Hachshara Insurance Company. Check-Host verification\r\nlinks confirmed downtime across all targets. Gahat Systems, which specializes in firefighting, rescue, and tactical\r\ndefense technology, was highlighted as the anchor target. Hachshara was noted as closed by geo-restriction at time\r\nof reporting.\r\nNoName057(16) post showing downtime for six Israeli insurance and defense-technology targets\r\nINDOHAXSEC Leaks 8.3 Million Israeli Voter Records\r\nINDOHAXSEC published what it described as 8.3 million Israeli residents’ records taken from general election\r\nresults, framing the leak as support for Palestine and Iran. The dataset allegedly contains 1,618 files across 116\r\nfolders, with an original size of 2GB compressed to 617MB, hosted via Anonymous File Upload. 
Data fields\r\ninclude names, addresses, emails, phone numbers, geolocation, national ID numbers, and voter registration details.\r\nINDOHAXSEC post showing alleged 8.3 million Israeli citizen data leak from general election results\r\nCyber Islamic Resistance Claims Breach of Logit E.D\r\nCyber Islamic Resistance published a video claim of breaching Logit E.D, an Israeli company, on March 17,\r\nframing the operation as part of the ongoing Battle of the Great Confrontation. The post referenced the Yemeni\r\nIslamic Resistance and was published under #Cyber_Islamic_Resistance_Axis. Server access was claimed.\r\nUnverified.\r\nCyber Islamic Resistance Telegram post claiming breach of Logit E.D with 58.1MB video proof\r\nAPT IRAN Issues Starlink Warning, Threatens VPN Sellers\r\nAPT IRAN published a warning to Iranian Starlink device users, claiming the tool had been compromised by\r\nIsraeli intelligence to track precise locations of users inside Iran. The group warned users to stop using the\r\ndevices, claiming Israeli forces were using Starlink terminal data to locate and target individuals. In follow-up\r\nposts, the group threatened to expose VPN sellers and their customer networks operating inside Iran, naming them\r\nas collaborators. The posts signal an active counter-surveillance and intimidation operation targeting Iranians\r\nusing circumvention tools, consistent with MOIS-linked activity patterns.\r\nAPT IRAN Telegram post -auto translated- warning Starlink users in Iran of Israeli intelligence tracking\r\nMarch 17, 2026: Microsoft Services Targeted, South Korea Swept, Israeli Lawyers\r\nDoxxed, and the Coalition Expands\r\nOur Week 2 Threat Assessment Report is now available. Check it for a summary of both weeks’ developments.\r\nThe conflict’s third week opened with a notable change in targeting scope. 
The coalition’s focus shifted away from\r\nregional governments toward global technology infrastructure, with Microsoft’s cloud services drawn into the\r\ncrossfire for the first time. Simultaneously, two groups expanded their geographic footprint to corners of the world\r\nwith no obvious connection to the Iran-Israel conflict, South Korea and Egypt, signaling that the\r\n#Op_Epstein_Gulf and allied campaigns are no longer bounded by the Middle East.\r\n313 Team and Anti-Zionist Cyber Group Take Aim at Microsoft\r\nOn March 17, two groups operating under the Cyber Islamic Resistance umbrella launched coordinated DDoS\r\nclaims against Microsoft’s core cloud services: office.com, m365.cloud.microsoft, and copilot.cloud.microsoft.\r\nCheck-Host verification links confirmed gateway timeouts and Azure Front Door errors across multiple nodes,\r\naffecting Microsoft 365, Outlook, and Copilot.\r\n313 Team, Anti-Zionist Cyber Group, and Keymous Plus posts showing Microsoft downtime and Check-Host\r\nverification links\r\nAn emerging group, Anti-Zionist Cyber Group, framed Microsoft Store as a global target, stating intentions to\r\ncontinue targeting US companies over Trump’s military actions. 313 Team published the Check-Host links. The\r\ntwo groups are both CIR-affiliated but operated this campaign independently from Keymous Plus, which\r\nsimultaneously claimed disruption of the same Microsoft 365 infrastructure.\r\nKeymous Plus Takes Down Telecom Egypt\r\nUnder #Op_Epstein_Gulf, Keymous Plus claimed disruption of Telecom Egypt (te.eg), the country’s primary\r\ntelephone operator. 
Egypt’s inclusion in the operation is the first time the campaign has reached North Africa,\r\nextending a sweep that began in the Gulf and has now touched Syria, Romania, and Egypt within a single week.\r\nKeymous Plus post showing te.eg downtime confirmation\r\nHider_Nex Opens a New Front in South Korea\r\nIn the most geographically ambitious operation of the day, Hider_Nex launched a sweep of South Korean\r\ngovernment infrastructure under #OpSouthKorea, publishing Check-Host verified downtime for more than 15\r\ndomains.\r\nHider_Nex posts showing Check-Host verification for 15+ South Korean government domains\r\nSouth Korea has no direct role in the Iran-Israel conflict. Its appearance on the target list follows the same logic\r\nseen in the Romania and Cyprus attacks. Hider_Nex tagged the operation #Justice and #DDoS with no specific\r\nstated grievance against Seoul.\r\n29,300 Records Israeli Lawyers Database\r\nNetStrike, the group that appeared for a single day on March 11, published what it described as a database of\r\n29,300 Israeli lawyers under #OpIsrael, allegedly including names, addresses, emails, phone numbers, firm\r\naffiliations, geolocation data, and website details. The claim is unverified.\r\n29,300 Records Israeli Lawyers Database\r\nIf the data is genuine, it represents a significant doxxing operation targeting a civilian professional class rather\r\nthan government or military infrastructure.\r\nMarch 14–16, 2026: Golden Falcon Leak, MME Targeting, Syria Joins Both Sides,\r\nand the Cyber Front Enters Its Third Week\r\nD+14 through D+16 brought a shift in tone. The raw volume of the first two weeks, hundreds of DDoS claims,\r\nsweeping coalition announcements, and daily country-wide operations, gave way to something more deliberate.\r\nFewer groups, more targeted claims, and a growing emphasis on intelligence value over disruption volume. 
The\r\nconflict’s cyber front was maturing.\r\nGolden Falcon: A Military Satellite Site Surfaces Online\r\nOne of the more operationally significant posts of the period came from an account identifying itself as Golden\r\nFalcon, which published what appeared to be satellite imagery of a military facility inside Israel, labeling it “a\r\nmilitary satellite site.” The image showed an aerial view of a compound with large satellite dishes, runways, and\r\nassociated infrastructure in a desert setting.\r\nGolden Falcon Telegram post showing aerial satellite imagery of Israeli military compound with coordinates\r\nThe post carried no wiper claim, no data dump, and no DDoS target list. It was pure targeting intelligence, the\r\nkind of post designed not to disrupt, but to locate, identify, and mark. Whether the imagery was sourced from open\r\nsatellite services or exfiltrated from a compromised network, the effect is the same: a potential military installation\r\npublicly geolocated and circulated across Telegram channels followed by thousands of users. This type of activity\r\nrepresents a quieter but more consequential form of cyber-enabled warfare than the DDoS pile-ons dominating the\r\nfirst two weeks.\r\nKeymous Plus Turns to Syria — Every Major Ministry Down\r\nOn March 14, Keymous Plus extended its #Op_Epstein_Gulf sweep to Syria, publishing a verified target list that\r\nincluded the Presidency of the Syrian Arab Republic, the Syrian Parliament, the Ministry of Foreign Affairs and\r\nExpatriates, the Ministry of Social Affairs and Labor, the Ministry of Transport, the Ministry of Information, the\r\nMinistry of Agriculture and Agrarian Reform, and the Ministry of Defense.\r\nKeymous Plus Telegram post showing Check-Host verification of Syrian government domains\r\nSyria’s inclusion is notable for two reasons. 
First, Syria had only recently re-entered the international fold\r\nfollowing the fall of the Assad government. Second, this marks the second time in the current conflict that\r\nDamascus has been targeted after its initial appearance in the March 12 Gulf sweep, suggesting Keymous Plus has\r\ndesignated it a standing target rather than an opportunistic one.\r\nFree Hacker Claims MME/PGW Telecom Infrastructure Attack in Israel\r\nMad Ghost, forwarding a post from the Free Hacker channel, claimed a successful attack against MME/PGW\r\ndevices belonging to Israeli mobile network operators. The group published IP addresses for four affected systems\r\nbelonging to Cyberpower Ltd, LB Annatel Ltd, and Welcome Mobile Ltd, describing them as the core Mobility\r\nManagement Entity infrastructure handling session control and movement in Israel’s 4G network.\r\nMad Ghost Telegram post listing four Israeli mobile operator IP addresses with GTP-C protocol details and port\r\nnumbers\r\nIf accurate, an MME/PGW disruption would affect how subscribers connect to mobile data services rather than\r\ncutting voice calls entirely, but would degrade network performance across the affected operator’s user base. The\r\npost included technical detail including GTP-C protocol, UDP port 2123, and TCP/SCTP port 3868, giving the\r\nclaim more specificity than typical DDoS announcements. Unverified but technically coherent.\r\nAnonymous Syria Hackers Runs #Op_Iran Against Iranian Educational Institution\r\nOn March 14, Anonymous Syria Hackers published what it described as a 3.2GB data leak from an Iranian\r\neducational institution linked to Khamenei loyalists, framing the operation under #Op_Iran. 
The published\r\nmaterial allegedly included full personal details of staff and government specialists: names, fathers’ names,\r\nnational ID numbers, dates of birth, scanned certificates, and personal photos. Screenshots showed a file archive\r\nwith hundreds of entries and official Iranian certificates overlaid with group branding.\r\nAnonymous Syria Hackers post showing file archive and Iranian certificate overlaid with group branding under\r\n#Op_Iran\r\nThe group has been operating consistently on the pro-Israel side of the conflict throughout the period, targeting\r\nIranian propaganda infrastructure and IRGC-linked channels. This marks its most data-heavy operation to date\r\nand its first confirmed targeting of an Iranian civilian educational institution.\r\nMarch 13, 2026: Cyber Islamic Resistance Targets Israeli Cybersecurity Firm, 313\r\nTeam Strikes UAE, Cyprus Becomes NoName’s Fixation\r\nMarch 13 brought one of the heaviest kinetic escalations yet. Israel launched a new extensive wave of strikes on\r\nTehran, Kuwait’s airport was hit, and Iran’s new Supreme Leader Mojtaba Khamenei issued his first public\r\nstatement vowing to keep the Strait of Hormuz closed. Iran’s President Pezeshkian outlined three conditions for\r\nending the war: recognition of Tehran’s rights, reparations, and international guarantees against future aggression.\r\nA US KC-135 refueling aircraft went down in western Iraq, France confirmed its first casualty of the conflict, and\r\nsix vessels were struck in the Gulf in two days. The IEA described the oil supply disruption as the largest in\r\nhistory. 
On the cyber front, the day’s activity pushed further into new territory, with a cybersecurity firm becoming\r\na target and the UAE absorbing its heaviest single-day hacktivist pressure of the conflict.\r\nNoName057(16) Has a Thing for Cyprus\r\nNoName057(16) published two more rounds of DDoS claims against Cyprus, continuing what has become one of\r\nthe most sustained single-country campaigns of the conflict. Targets across both posts included Nicosia city\r\nauthorization portal, Limassol city, Paphos City, Payment of Bills e-Paphos, Morphou Town, Politis newspaper,\r\nAlithia news portal, Register of Insurance Companies, Organization of Local Government of Limassol,\r\nAuthorization Portal, Ayia Napa city, and the EAC Cyprus Electricity Authority. Several targets had implemented\r\ngeo-based access restrictions in an attempt to limit impact, which the group acknowledged and framed as a failed\r\nevasion attempt, publishing check-host links showing the sites remained inaccessible. The campaign continues\r\nunder #FuckEastwood and #TimeOfRetribution, tied to Ukraine-related grievances rather than the Iran theater\r\ndirectly.\r\nNoName057(16) continues #OpCyprus with Check-Host verified DDoS claims across Cypriot municipal, media,\r\nand infrastructure targets, noting Cyprus attempted geo-based access restrictions in response\r\nCyber Islamic Resistance Claims Breach of Israeli Cybersecurity Firm MEGINIM DATA\r\nSERVICES\r\nCyber Islamic Resistance, the Iraqi-Syrian joint collective operating under the broader Cyber Islamic Resistance\r\nAxis, claimed a breach of MEGINIM DATA SERVICES, an Israeli cybersecurity company. The group published\r\nthree sequential batches of alleged exfiltrated data, describing the operation as part of the “Great Battle”\r\nframework. 
Screenshots showed what appeared to be file directories, spreadsheets, and database exports from the\r\ncompany’s servers. Targeting a cybersecurity firm rather than a civilian or government entity carries clear\r\nsymbolic intent: the group is deliberately attempting to undermine confidence in Israeli defensive cyber\r\ncapabilities. No independent verification of the breach has been established.\r\nCyber Islamic Resistance publishes alleged data from Israeli cybersecurity firm MEGINIM DATA SERVICES\r\nacross three sequential posts, framing the operation as part of the “Great Battle”\r\n313 Team Turns to the UAE, Hitting 20 Government Domains Across Abu Dhabi and Dubai\r\n313 Team published a coordinated DDoS campaign against 20 UAE government servers spanning Abu Dhabi and\r\nDubai, conducted in partnership with the elitestress.st stress testing platform. Targets included the Abu Dhabi\r\nDigital Authority, Economic Development Council, Social Support Authority, Agriculture and Food Safety\r\nAuthority, Civil Defence Authority, Abu Dhabi Municipality and its e-Portal, Urban Planning and Public Transport\r\nDepartment, Building and Real Estate Services e-Portal, Department of Community Development, National Anti-Piracy UAE, Dubai Public Prosecution Portal and Services e-Portal, and the UAE Government Empowerment\r\nDepartment. The operation marks the group’s most concentrated focus on UAE infrastructure since the conflict\r\nbegan.\r\n313 Team publishes a coordinated DDoS target list covering 20 UAE government servers across Abu Dhabi and\r\nDubai, conducted in partnership with elitestress.st\r\nINDOHAXSEC Claims Data Breach of Israeli Online Shopping Platform\r\nINDOHAXSEC claimed a data breach against P1000 (p1000.co.il), an Israeli online shopping platform,\r\npublishing samples of alleged customer records (covering only 2 people) including identity numbers, email addresses,\r\nnames, phone numbers, delivery addresses, and passwords across two posts. 
The group continues its pattern of\r\nselecting Israeli civilian and commercial targets for maximum public visibility rather than operational impact.\r\nINDOHAXSEC claims breach of Israeli e-commerce platform P1000 by publishing 2 customer records including\r\nidentity documents, contact details, and credentials\r\nMarch 12, 2026: Handala Wipes Stryker, Keymous Sweeps the Gulf, and 313 Team\r\nCrosses into Europe\r\nThe most significant incident of the day sits well outside the usual DDoS noise. Handala, the MOIS-linked group,\r\nclaimed a destructive wiper attack against a global medical technology company with real, confirmed operational\r\nimpact.\r\nSimultaneously, Keymous Plus published the broadest single-day target list of the conflict, sweeping across six\r\nArab countries in one operation. And 313 Team extended the conflict’s geographic reach into Europe for the first\r\ntime, targeting Romania directly over its government’s public statements.\r\nHandala Claims Wiper Attack on Stryker via Microsoft Intune\r\nHandala claimed a mass data-wiping attack against Stryker, a global medical technology company with 56,000\r\nemployees across 61 countries. The group alleged it erased data from more than 200,000 systems, servers, and\r\nmobile devices across Stryker’s offices in 79 countries. News reports from Ireland, Stryker’s largest hub outside\r\nthe US, confirmed more than 5,000 workers were sent home. A voicemail at Stryker’s Michigan headquarters\r\nstated the company was “experiencing a building emergency.”\r\nAccording to a source cited by KrebsOnSecurity, the attack appears to have been carried out by abusing Microsoft\r\nIntune, a cloud-based device management platform, to issue remote wipe commands across all enrolled devices.\r\nEmployees on Reddit confirmed they were urgently instructed to uninstall Intune. 
The Irish Examiner reported\r\nthat staff were communicating via WhatsApp, that anything connected to the network was down, and that personal\r\nphones with Microsoft Outlook installed had also been wiped.\r\nHandala framed the attack as retaliation for a February 28 missile strike on an Iranian school that killed at\r\nleast 175 people, most of them children. The group labeled Stryker a “Zionist-rooted corporation,” referencing its\r\n2019 acquisition of Israeli company OrthoSpace.\r\nHandala’s Telegram post claiming a mass wiper attack against Stryker across 79 countries\r\nHandala Also Claims Verifone Breach — Company Denies It\r\nSeparately, Handala claimed on March 11 to have breached Verifone’s systems in Israel. Verifone responded,\r\nstating it had “found no evidence of any incident related to this claim and has no service disruption to our clients”\r\nafter monitoring its systems following the allegations. The denial was shared by breach researcher Dissent Doe via\r\nLinkedIn.\r\nKeymous Plus Targets Six Arab Countries, 50+ DDoS Attacks\r\nKeymous Plus published its most expansive operation of the conflict under #Op_Epstein_Gulf, targeting\r\ngovernment ministries across Bahrain, Kuwait, Jordan, Qatar, Syria, and the UAE with Check-Host verified DDoS\r\nclaims in a single coordinated post. Targets spanned nearly every major ministry in each country, including\r\nInterior, Finance, Foreign Affairs, Justice, Transport, and Economy, alongside the Qatar Central Bank and the\r\nUAE Government Official Portal. 
Syria’s addition to the target list is notable, marking the first time the group has\r\nexplicitly included Damascus in a Gulf-focused operation, suggesting the campaign is expanding beyond US-allied Gulf states toward the broader regional order.\r\nKeymous Plus publishes Check-Host verified DDoS claims against six Arab countries in a single post under\r\n#Op_Epstein_Gulf\r\nNoName057(16) Extends #OpCyprus with 14 Additional Targets\r\nNoName057(16) returned to Cyprus with a new wave under #OpCyprus, adding 14 verified targets to its previous\r\nlist. New targets included the Register of Insurance Companies, Organization of Local Government of Limassol,\r\nJCC Payment Systems, Authorization Audit Office, Cyprus Statistics Service, Cyprus Government Portal, Live\r\nBuses OSYPA, EAC portal of the Cyprus Electricity Authority, Supreme Court of Cyprus, Ministry of Justice, and\r\nCyprus Ports Authority.\r\nNoName057(16) extends #OpCyprus with a new wave of verified DDoS claims against Cypriot government,\r\nfinancial, and infrastructure targets\r\n313 Team Hits Romania Over Base Access Statement\r\n313 Team targeted Romania’s National Tax Agency (anaf.ro), one of the most frequently visited government\r\nwebsites in the country, in direct response to the Romanian president’s statements allowing the US to use\r\nRomanian bases to strike Iran. The group framed the attack explicitly as retaliation, shut the site down completely\r\nfor one hour, and provided a Check-Host verification link. 
The operation marks the first confirmed European\r\ngovernment target hit by an Iraq-based group in this conflict cycle, and signals that public political statements by\r\nEuropean leaders are now being treated as sufficient justification for targeting.\r\n313 Team shuts down Romania’s National Tax Agency for one hour, citing the Romanian president’s statements\r\non US military base access\r\nMarch 11, 2026: New Alliances, Kuwait Swept, and the Short Story of NetStrike\r\nThe day’s activity was driven less by new capabilities and more by new relationships. A Tunisian group entered\r\nthe coalition with a formal alliance declaration, immediately put it to work against Kuwait, and the pattern of\r\nshort-lived groups materializing, claiming attacks, and going quiet continued with NetStrike.\r\nHider_Nex Forms Alliance with NoName057(16), Immediately Targets Kuwait\r\nHider_Nex, a Tunisian-flagged group new to this conflict, announced a formal alliance with pro-Russian\r\nNoName057(16) under the banner “Together nothing can stop us.” Within the same hour, the group launched its\r\nmost coordinated operation so far under #OpKuwait, publishing DDoS claims against 18 Kuwaiti government\r\ndomains with Check-Host verification links for each. Targets included the Ministry of Defense, Ministry of\r\nForeign Affairs, Ministry of Health, Ministry of Education, Ministry of Finance, the national electricity and water\r\nauthority, the civil registration authority PACI, the national news agency KUNA, and Burgan Bank. 
The breadth\r\nof the target list, spanning defense, civil services, finance, and public infrastructure in a single post, mirrors the\r\nmulti-sector sweep pattern established by 313 Team against Kuwait on March 6.\r\nHider_Nex announces formal alliance with NoName057(16)\r\nMoroccon Black Cyber Army Claims DDoS on Israeli Bank\r\nMoroccon Black Cyber Army claimed a DDoS attack against Discount Bank, one of Israel’s largest financial\r\ninstitutions based in Tel Aviv, framing it as a strike against the “Zionist economy.” A Check-Host link\r\naccompanied the post. The site was temporarily unreachable during the claimed window. The disruption was real\r\nbut limited, a brief outage rather than the breach the group’s language implied.\r\nDisruption against Discount Bank under #OpIsrael\r\nNetStrike: A Complete Hacktivist Arc in One Day\r\nNetStrike ran through the full hacktivist lifecycle in a matter of hours. Channel created, alliance declared with\r\nKeymous+, DDoS claim published against Galey Israel, a Hebrew-language radio station serving central and\r\nnorthern Israel, Check-Host link posted, and activity stopped. The operational impact was minimal. The pattern,\r\nhowever, is consistent with dozens of short-lived groups that have emerged since March 1: the conflict is\r\nfunctioning as a recruitment and visibility event, pulling in actors who contribute to aggregate volume even when\r\nindividual impact is low.\r\nNetStrike announces alliance with Keymous+\r\nNetStrike claims DDoS disruption against Galey Israel, a Hebrew-language radio station based in Jerusalem\r\nINDOHAXSEC Defacement Hits US Corporate Target\r\nINDOHAXSEC claimed a defacement of CareerLab America, a career consulting firm based in Denver, Colorado,\r\nserving major corporations including Coca-Cola, AT\u0026T, and KPMG. The group replaced the homepage with its\r\nown branding. 
The target has no direct government or military connection, continuing the pattern of Southeast\r\nAsian pro-Iranian aligned groups selecting symbolic US civilian targets for visibility rather than operational\r\nimpact.\r\nINDOHAXSEC claims defacement of CareerLab America\r\nMarch 10, 2026: Critical Infrastructure in the Crosshairs as FSociety Issues 42-\r\nHour Threat\r\nTeam Fearless continued its #OpIsrael campaign, claiming DDoS disruption against four Israeli targets: a digital\r\nmarketing and online advertising firm, Alon Israel Oil Company, Goldtec Technologies (an advanced defense\r\nfirm), and Amarel Ltd., an industrial and technology services company. Check-Host verification links\r\naccompanied each claim. The inclusion of a defense-adjacent and an energy company alongside commercial\r\ntargets suggests the group is deliberately mixing sector coverage rather than focusing on a single vertical.\r\nTeam Fearless claims DDoS disruption against Israeli energy, defense, and commercial targets under #OpIsrael\r\nNoName057(16) Hits Israeli Critical Infrastructure and Continues Cyprus Campaign\r\nNoName057(16) published a fresh round of Israeli targets under #OpIsrael, claiming disruption of Bezeq (Israel’s\r\nprimary telecom provider), Mekorot (the national water supply company), Kavim (a major bus operator), and\r\nE.M.I.T. Aviation, an Israeli UAV systems company. Check-Host links were provided for each. The combination\r\nof telecom, water, public transit, and defense-adjacent targets in a single post reflects the group’s consistent\r\npattern of targeting operationally significant infrastructure rather than symbolic web assets.\r\nNoName057(16) claims disruption of Bezeq, Mekorot, Kavim, and E.M.I.T. 
Aviation under #OpIsrael\r\nIn a separate post, NoName057(16) claimed ongoing DDoS attacks against Cyprus under the #OpCyprus banner,\r\nhitting the Office of the Republic of Cyprus, Limassol Airport Express, the OSYPA live bus tracking system, and\r\nthe EAC portal of the Cyprus Electricity Authority. The group tagged the campaign with #FuckEastwood and\r\n#TimeOfRetribution alongside #OpCyprus, reinforcing that this is treated as a distinct operational theater from\r\ntheir Israeli targeting, tied to their Ukraine conflict grievances rather than the Iran theater.\r\nNoName057(16) continues its #OpCyprus campaign\r\nFSociety Threatens 42-Hour Operation Against Israel and the US\r\nA Telegram channel operating under the FSociety banner published a threat declaring that within 42 hours the\r\ngroup would “destroy Israel and the Israeli alliance.” The Russian-language post calls on followers to join the\r\nchannel, share the message, and launch cyberattacks against Israel and the US. The statement frames America as\r\nan aggressor attacking Iran without justification and condemns those cooperating with it. At this stage the post is\r\nmobilization and threat signaling with no technical evidence of active operations, but FSociety has a history of\r\ncapitalizing on high-profile conflict moments for recruitment and visibility.\r\nTranslation: “Within the next 42 hours we will destroy Israel and the Israeli alliance, and everyone who supports\r\nus, join our channel to receive the latest news and share this message with friends and strangers. We hate this\r\nsociety and this world. We hate such animals as America and some fools, because they are involved in the killing\r\nof people etc. Israel kills people. America attacks Iran without reason. We condemn America and those who\r\ncooperate with it. Everyone cooperates with us. 
Join us and start cyberattacks on Israel and America!”\r\nMarch 7–9, 2026: New Supreme Leader, Wider Borders, Deeper Systems\r\nOur Week 1 Threat Assessment Report is now available. Check it for a summary of last week’s developments.\r\nThe first week of the conflict generated 368 tracked cyber incidents across a dozen countries, with Israel\r\nabsorbing 184 of them, followed by Kuwait (53) and Jordan (41). Government infrastructure was the single most\r\ntargeted sector with 84 claims, trailed by financial services, defense, aviation, and education. DieNet led all\r\ngroups in volume with 59 claimed operations, followed by Keymous Plus (51) and 313 Team (42). Attack volume\r\npeaked on March 2 with 77 daily claims before stabilizing at 52–63 per day through the end of the week.\r\nThe second week opened with a kinetic development that will shape the cyber domain going forward: Mojtaba\r\nKhamenei was elected Supreme Leader, succeeding his father. Senior figures, including Ghalibaf, Larijani, and\r\nPezeshkian, pledged allegiance. A new leadership consolidating power under IRGC influence is likely to\r\naccelerate rather than temper state-directed cyber operations, particularly as the regime seeks to project continuity\r\nand strength. Against that backdrop, the three days covered here show the hacktivist front pushing into new\r\ngeographies, deeper into OT systems, and for the first time consistently targeting non-Middle Eastern soil.\r\nOT Claims Intensify: Hotels, Universities, Banks, and Water Systems\r\nThe most operationally significant claims of the period came from three separate groups, all asserting control over\r\nphysical infrastructure rather than just web-facing services.\r\nCyber Islamic Resistance published a coordinated claim against Prima Park Hotel in Tel Aviv, alleging electricity\r\nand water cutoffs alongside exfiltration of customer data. 
The same post claimed access to Technion’s\r\nadministrative network and Haifa’s main electrical line, framing the operation as retaliation for 165 students killed\r\nin Iran. A separate post from the group published a grid of screenshots showing alleged access to multiple ICS and\r\nSCADA systems simultaneously — building management panels, pipeline schematics, and process automation\r\ndashboards — described as a “first wave” with more to follow.\r\nCyber Islamic Resistance shares alleged SCADA grid screenshots\r\nAPT Iran published screenshots of live solar PV monitoring dashboards for Bank al Etihad in Jordan, claiming\r\nbackdoor access to the bank’s energy control systems. The same post alleged breach of the Aqaba Special\r\nEconomic Zone (ASEZA) and ISAR Engineering through legacy FileManager vulnerabilities, with full read/write\r\naccess to energy dashboards visible in the screenshots.\r\nAPT Iran, which has a verified but thwarted ICS attack claim, shares the alleged Bank al Etihad OT dashboard\r\nscreenshot\r\nNoName057(16)’s DDoSia Project published what it described as full access to an Israeli industrial pump control\r\nHMI with a Hebrew-language interface, claiming real-time control of pumps, valves, alarms, and the ability to\r\nswitch between automatic and manual modes. 
The post stated volunteers “disabled an important part of Israel’s\r\ncritical infrastructure in a couple of minutes.” As with almost all OT claims in this conflict, independent\r\nverification has not been established — but the consistency of Hebrew-language interface screenshots across\r\nmultiple groups over multiple days suggests at minimum a coordinated effort to identify and probe exposed Israeli\r\nICS assets.\r\nNoName057(16) alleged water pump HMI screenshot\r\nGeographic Expansion: Cyprus, the United Kingdom, and Saudi Arabia\r\nTeam Fearless published Check-Host verified DDoS claims against five Saudi Arabian government portals: the\r\nSaudi Embassy website, Ministry of Interior, Ministry of Commerce, Ministry of Health, and the National Digital\r\nGovernment Information Portal.\r\nTeam Fearless Saudi Arabia target list\r\nCyber Islamic Resistance and 313 Team jointly claimed defacement of the Saudi University of Business and\r\nTechnology (UBT), replacing the homepage with group branding.\r\nCIR and 313 Team UBT defacement\r\nNoName057(16) expanded its geographic scope to Cyprus, claiming DDoS disruption of six targets: the\r\nAuthorization Audit Office, Hellenic Bank portal, Central Bank, Public Transport Cyprus, Cyprus Chamber of\r\nCommerce, and the CY Login national digital identity system. The group’s justification was explicit — Cyprus\r\nhosts Swarmly, the manufacturer of H-10 Poseidon drones supporting Ukrainian artillery.\r\nNoName057(16) Cyprus DDoS\r\nThe framing ties the Cyprus campaign directly to the group’s Ukraine conflict grievances, not the Iran theater,\r\nillustrating how pro-Russian actors are using the current moment to pursue parallel agendas under a single\r\noperational umbrella.\r\nThe same group also claimed live surveillance access to Anglia Indoor Karting in Ipswich, UK, publishing real-time CCTV footage from inside the facility. 
It is highly possible that hacktivist groups are trying to show that they\r\ncan also gather “intelligence”; significantly more targeting of CCTV cameras has been observed during this conflict\r\nperiod.\r\nNoName057(16)’s UK CCTV hijack claim\r\nCyber Isnaad Front Sustains Its Leak Campaign\r\nThe allegedly IRGC-aligned Cyber Isnaad Front continued publishing material from its claimed breach of telecom\r\nand fuel logistics infrastructure — 160+ data centers allegedly compromised and 5TB exfiltrated from a national\r\nfuel logistics provider. The group’s sustained publication cadence across multiple days, regardless of verification\r\nstatus, functions as an information operation in its own right: maintaining narrative pressure and forcing defenders\r\nto allocate resources to triage claims of uncertain authenticity.\r\nWhat the Pattern Shows\r\nTaken together, the March 7–9 activity reflects three converging trends. First, OT and ICS claims are becoming\r\nroutine across multiple groups simultaneously, normalizing the targeting of physical infrastructure in ways that\r\nwill outlast this specific conflict.\r\nSecond, the geographic perimeter is no longer just the Middle East. Cyprus and the UK are active targets, with\r\ndistinct justifications from different actor clusters.\r\nThird, the election of a new Supreme Leader introduces a variable that could either consolidate and\r\nprofessionalize Iran’s cyber posture or trigger a surge in proxy activity as groups attempt to demonstrate loyalty to\r\nthe new leadership.\r\nMarch 6, 2026: Gulf Governments Under Siege, Iraqi Cyber Resistance Declares\r\nWar on Kuwait\r\nThe hacktivist front keeps expanding, but the more significant development today sits beneath it.\r\nUpcoming findings confirm that MuddyWater, an Iranian state-sponsored group operating under the Ministry\r\nof Intelligence and Security, had already planted backdoors inside a U.S. bank, airport, defense-adjacent software\r\ncompany, and NGOs in the U.S. 
and Canada before the first strike of Operation Epic Fury.\r\nThe group’s Israeli operation appears to have been the primary target, with a new implant named Dindoor\r\ndeployed across its networks alongside a second Python-based backdoor called Fakeset. Jordan’s National\r\nCybersecurity Center also officially confirmed it thwarted an Iranian attack on its wheat silo management\r\nsystem, the first government-confirmed foiled OT intrusion of this conflict, lending credibility to the APT Iran\r\nclaims covered in our March 4 update.\r\nThe surface noise is loud. The quieter activity underneath it may be the part that matters more.\r\nRuskiNet Brings #OpIsrael to Israeli Industry\r\nOne of the lesser-known actors, RuskiNet Group, posts daily DDoS attacks. Their latest Check-Host verification\r\nlinks target turpaz.co.il, the website of Turpaz Industries, a TASE-listed Israeli manufacturer operating across\r\nfood, beverage, pharma, and cosmetics sectors. Before/after availability snapshots confirm a disruption window.\r\nAs primary government and financial sites harden behind DDoS mitigation, groups are pivoting toward publicly\r\ntraded industrial companies where uptime carries reputational and investor consequences.\r\nRuskiNet targets Turpaz Industries under #OpIsrael\r\nDieNet Strikes Qatar Through Amazon’s Network\r\nA DieNet Media post framed the Qatar campaign as retaliation for Qatari state media blacking out coverage of\r\nIranian strikes on U.S. bases within its borders. Nine government sites were listed as targets: Ministry of Interior,\r\nHukoomi (Qatar’s eGovernment platform), Ministry of Labor, Central Municipal Council, General Authority of\r\nCustoms, Ministry of Transportation, and Ministry of Education. 
The framing of Qatar as complicit in US-aligned\r\ninformation suppression signals that the Gulf escalation is politically motivated, not opportunistic.\r\nDieNet’s API bot posts real-time disruption of Qatar’s open data portal via Amazon’s IP network, a routing choice\r\nthat signals capability beyond basic stresser tooling\r\nDieNet Media’s full Qatar target list spans nine government domains across customs, transport, labor, and\r\neGovernment infrastructure, framed explicitly as retaliation for media censorship\r\nA British Charity Site in Conquerors Electronic Army Propaganda\r\nA Conquerors Electronic Army propaganda poster, styled under the “Wa’d al-Akhira” banner with militant\r\nimagery and Quranic verse, references a UK-registered charity (est. 2008) described as collecting donations to\r\nfund civil society projects inside Israel, including psychological care and emergency relief. Whether the site was\r\ntargeted, breached, or merely cited in an influence operation is not confirmed, but a Check-Host link in the same\r\npost suggests a disruption attempt accompanied the claim.\r\nConquerors Electronic Army embeds a British-registered charity link under their operational banner. The Check-Host stub in the same post implies a disruption attempt, not just an information operation.\r\n313 Team Declares a Comprehensive Assault on Kuwait\r\nThe Islamic Cyber Resistance in Iraq, 313 Team, claimed targeting of 26 Kuwaiti government IP domains,\r\nalleging the national e-government portal was offline for over 18 hours. Named targets span Kuwait’s entire public\r\nadministration: Ministry of Defense, Kuwait Credit Bank, National Guard, Ministry of Electricity, the Army,\r\nPublic Authority for Civil Information, Ministry of Health, Central Agency for Information Technology, Public\r\nAuthority for Manpower, Public Works, Public Authority for Youth, the Government Performance Monitoring\r\nAgency, and the Civil Service Commission, among others. 
Kuwait has already been the single most targeted\r\nnation in this conflict cycle. The 313 Team’s sweep, if even partially confirmed, represents the most coordinated\r\nsingle-group assault on any Gulf government’s digital infrastructure so far.\r\n313 Team’s full Kuwait target list, 15 named government institutions spanning defense, civil information, and\r\ncommunications, claimed alongside an 18-plus hour shutdown of the national e-government portal\r\nMarch 5, 2026: Two Wars, One Cyber Front, Data Breaches, New Recruits, and\r\nthe Expanding Target Map\r\nIran’s hackers stay quiet behind a near-total blackout, but the groups filling the void are no longer just Middle East\r\nplayers. Pro-Iranian hacktivists and Russian-aligned collectives are running DDoS attacks, data leaks, and\r\ninfrastructure probes across the US, Israel, and the Gulf — and now India and Pakistan are appearing in the target\r\nmap too, suggesting the fallout from two separate regional conflicts is beginning to blur into a single cyber theater.\r\nCISA, the agency meant to hold the line, is understaffed and mid-reshuffle. The wars are still distinct on the\r\nground. In cyberspace, the boundaries are dissolving.\r\nCyber Jihad Movement Calls for Global Cyber Campaign\r\nA propaganda poster circulated online under the banner Cyber Jihad Movement. 
The message calls on\r\nsupporters to join a global cyber campaign described as “Cyber Jihad.” The statement urges participants to\r\nconduct cyber disruptions against government institutions, financial systems, and public agencies connected to the\r\nUnited States, Israel, “Arab governments,” Pakistan, and India.\r\nCyber Jihad Movement propaganda message calling for global cyber participation\r\nThe statement explicitly declares the group’s entry into what it describes as the Iranian–American war and the\r\nconflict environment in the Afghanistan–Pakistan region. The group claims it will provide cyber assistance to\r\nmilitant actors associated with the Taliban and the Islamic Emirate of Afghanistan.\r\nAt this stage, the announcement appears primarily ideological and mobilization-focused. No concrete technical\r\nevidence of attacks attributed to this specific group has surfaced yet.\r\nData Leaks and Credential Breaches: Israel and Iran Both Targeted\r\nThe hack-and-leak front intensified on March 5, with groups on both sides of the conflict claiming database access\r\nand credential dumps.\r\nAnonymous Syria Hackers escalated their #OP_IRAN campaign by claiming a breach of an Iranian e-commerce\r\nplatform, alleging access to PayPal login credentials, usernames, personal email addresses, and bcrypt-encrypted\r\npasswords.\r\nAnonymous Syria Hackers claims breach of Iranian e-commerce site, posting PayPal credentials to BreachForums\r\nunder #OP_IRAN\r\nThe data was posted to BreachForums with instructions requiring users to comment on the post to unlock the\r\ndownload link.\r\nThe leaked dataset was posted on BreachForums, gated behind a comment-to-unlock mechanic\r\nOn the other side, Keymous claimed a far more sensitive breach: the Israeli Ministry of Education’s internal\r\n“Education Institutions Portal” — a backend system used exclusively by school administrators and teachers to\r\nmanage student records, class lists, teacher employment data, and Bagrut 
(matriculation) exam records. The group\r\nalleged access to over 300,000 rows of data. This is not a public-facing website. If confirmed, it represents a\r\nmeaningful intrusion into national education infrastructure.\r\nKeymous claims 300,000+ records from Israel’s Ministry of Education internal portal, including student and\r\nteacher data\r\nDDoS Campaigns Continue Against Israeli Government and Financial Infrastructure\r\nDisruption operations against Israeli targets remained active, with multiple groups publishing Check-Host\r\nverification links as proof of impact.\r\nDarkStorm Team claimed coordinated DDoS attacks against seven Israeli targets under the #OpIsrael banner,\r\nlisting MAX (a financial services platform offering credit cards and loans), the Prime Minister’s Office, Ministry\r\nof Foreign Affairs, Ministry of Finance, Ministry of Justice, the Israel Security Agency, and the intelligence\r\nagency. The breadth of the target list — spanning financial, governmental, and intelligence infrastructure in a\r\nsingle campaign — reflects the group’s continued ambition to hit symbolic high-value targets simultaneously.\r\nDarkStorm Team claims DDoS across seven Israeli targets, including the PM’s Office and intelligence agency\r\nTeam Fearless published a similar multi-target DDoS claim hitting the Israeli Tax Authority, the official IDF\r\nwebsite, Sony Pictures Israel, a civic government engagement platform, a transit technology company, and the\r\nOron Group. 
The inclusion of Sony Pictures is notable — it suggests target selection is broadening beyond pure\r\ngovernment and military infrastructure toward commercial entities with Israeli presence.\r\nTeam Fearless claims DDoS hits on IDF site, Israeli Tax Authority, Sony Pictures Israel, and others\r\nNew Entrants and Internal Tensions\r\nServer Killers, a Russian-linked group, officially announced it has entered the conflict, citing the US-Israel\r\nstrikes as justification. The announcement continues the pattern observed since March 3, when pro-Russian actors\r\nbegan formally joining the pro-Iran hacktivist coalition. The cyber front is no longer regional — it is drawing in\r\nactors with their own grievances against the US and Israel.\r\nPro-Russian Server Killers officially joins the conflict, citing US-Israel strikes as justification\r\nDieNet issued a rare public statement addressing the Gulf populations directly, clarifying that their targeting is\r\ndirected at governments — not people — framing Gulf states as instruments of American regional power. What is\r\nmore telling is their admission that the decision to target Gulf governments came after significant internal\r\ndisagreement within the team. Public fractures like this are uncommon and worth monitoring.\r\nDieNet addresses Gulf populations directly, admitting internal disagreement over the decision to target Gulf\r\ngovernments\r\nAcademic and Media Infrastructure in the Crosshairs\r\nCyber Islamic Resistance, operating in coordination with FADTEAM in Iraq, claimed to have breached\r\nWeLearn, an Israeli academic platform, accessing its user database alongside series and episode content tables.\r\nThe post was dedicated to Khamenei and framed explicitly as retaliatory. 
Targeting academic platforms mirrors a\r\nbroader trend: as hardened government targets prove more resilient, groups are shifting toward softer institutional\r\ninfrastructure — universities, media, and education systems — where defenses are typically weaker.\r\nCyber Islamic Resistance claims breach of Israeli academic platform WeLearn, coordinated with FADTEAM\r\nMarch 4, 2026: OT Intrusion Claims, Multi-Vector Escalation, and the Expanding\r\nTarget Map\r\nThe hacktivist landscape continued to intensify on March 4. Three trends stand out: a shift toward claimed OT and\r\nICS intrusions, DieNet’s expansion into Jordanian civilian infrastructure, and new water infrastructure claims by\r\nZ-Pentest Alliance against Israeli targets.\r\nDieNet Expands Its Jordan Campaign to Civilian and Utility Sectors\r\nDieNet Network, previously observed targeting Kuwaiti government domains, has now declared Jordanian\r\ncyberspace its primary target. The group issued a preemptive warning urging Jordanian website administrators to\r\ntake their sites offline before an imminent attack wave. The message was paired with satellite imagery of Jordan\r\noutlined in red, a visual format designed to amplify psychological pressure.\r\nDieNet’s “warning” post, shared in their Telegram channel\r\nClaimed activity on March 4 included the disruption of a university-linked radio stream, with CheckHost results\r\nshared as proof of outage. The group’s automated Telegram bot published real-time attack notifications.\r\nAutomated DDoS attack claim by DieNet API\r\nDieNet is targeting a streaming service in Jordan\r\nIn a separate post, also forwarded through SYLHET GANG-SG, DieNet claimed access to employee account data\r\nfrom the Jordanian Electricity Distribution Company, including payroll records, national ID numbers, and HR\r\ndata. 
The breadth of data fields listed suggests either a genuine credential-level compromise or access to a\r\npreviously stolen dataset being repackaged for narrative effect.\r\nDieNet’s Telegram post, claiming employee account access and PII data\r\nAPT Iran Claims OT-Level Intrusion into Jordanian Grain Storage\r\nThe most significant claims on March 4 come from a Telegram channel operating under the APT Iran banner,\r\nalleging deep intrusion into the Jordan Silos Company, a state-linked grain storage entity. The claim describes a\r\nphishing-enabled initial access operation roughly one month prior, followed by internal reconnaissance and\r\nalleged access to silo control systems governing temperature, humidity, weighing, and solar power infrastructure.\r\nThe alleged attack that is announced through the APT Iran Telegram channel\r\nThe actor claims to have gradually raised temperatures in northern silos to degrade stored wheat without triggering\r\nalarms, manipulated weighing software to underreport actual weight by 10%, and disabled solar inverters to force\r\nreliance on limited diesel backup power. A solar PV monitoring dashboard was published alongside the claim,\r\nshowing zero active power output, though this could reflect normal overnight readings rather than attacker-induced disruption.\r\nWarning: These claims require significant caution. The level of narrative detail is high enough to be either\r\ngenuine or deliberately crafted for psychological effect. Independent verification has not been confirmed. 
If any\r\nportion of the OT access claim is genuine, it would represent a meaningful escalation beyond DDoS into\r\noperationally relevant critical infrastructure interference.\r\nZ-Pentest Alliance Claims Access to Israeli Water Infrastructure\r\nThe pro-Russian Z-Pentest Alliance published a claim asserting full access to a pump control and water supply\r\nmanagement system in Israel. The post was accompanied by what appears to be a screenshot of an HMI panel\r\nshowing Hebrew-language controls for water pressure, flow rate, supply meters, and pump operating hours. The\r\ngroup claims the ability to switch equipment on and off, change settings, and trigger emergency processes.\r\nZ-Pentest Alliance’s Telegram post, Russian threat groups are dividing their attention between Ukraine and Israel  \r\nThe screenshot shows controls consistent with a real water management interface, but attribution to a specific\r\nIsraeli operator has not been confirmed. The claim may reflect access to a test or decommissioned system.\r\nRegardless, the targeting intent is clear and consistent with prior OT-focused campaigns by groups like Cyber\r\nAv3ngers, which have historically targeted water infrastructure across the region.\r\nConquerors Electronic Army Sustains Multi-Sector DDoS Campaign Against Israel\r\nOperating under the “Wa’d al-Akhira” operational banner, Conquerors Electronic Army claimed five separate\r\nattacks against Israeli targets within a 12-hour window on March 4. Sectors hit across the campaign included civil\r\nemergency alerting, financial services, media, industrial, and healthcare. Each claim referenced CheckHost proof-of-disruption links and rented stresser infrastructure. 
The targeting of a civil alert system is the most operationally\r\nsensitive claim, though no independent confirmation of sustained impact has been established.\r\nNoName057(16) Targets The Jerusalem Post\r\nPro-Russian collective NoName057(16) claimed DDoS disruption of an Israeli internet service provider and a\r\nmajor Israeli news outlet on March 4, noting that both targets had moved behind DDoS mitigation stubs. The\r\ngroup framed the mitigation as the defender “hiding” rather than a successful defense, a rhetorical move designed\r\nto maintain narrative momentum even when attacks are blocked.\r\nNoName’s Telegram post, the group is dividing its current attention between Germany and Israel\r\nNoName’s re-engagement with Israeli targets confirms that pro-Russian groups are joining the cyber activity in\r\nsupport of Iran, a trend we flagged a day before.\r\nBroader Context: The OT Threshold Is Being Tested\r\nTaken together, the March 4 activity marks a shift in the claims being made. Groups are moving from DDoS against\r\nweb assets toward alleged access to operational technology systems in food storage, water supply, and energy\r\ninfrastructure. Whether the OT claims reflect genuine intrusions or elaborate information operations, the intent to\r\nsignal capability against physical infrastructure is deliberate.\r\nDespite the various claims, we haven’t spotted any major Iranian APT activity. The gap between hacktivist claims\r\nand verified impacts remains wide. But the normalization of OT-targeting rhetoric across pro-Iranian, pro-Palestinian, and pro-Russian actor clusters is itself a meaningful intelligence signal. 
Organizations operating\r\nwater, energy, food supply, and government infrastructure in Israel, Jordan, and the broader Gulf region should\r\ntreat the current environment as an elevated risk regardless of claim verification status.\r\nMarch 3, 2026: Pro-Russian Hackers Have Joined the Lobby, Critical\r\nInfrastructures Under Attack\r\nThe current wave of cyber activity reflects expansion rather than escalation. Compared to the previous 12-day war\r\ncycle, the number of active hacktivist groups remains noticeably lower. However, operations have widened\r\ngeographically, especially toward Gulf states perceived as politically aligned with Israel or the United States.\r\nAnother important visibility factor is Iran’s restricted internet environment. With domestic connectivity heavily\r\nlimited, direct activity from inside Iran is less observable. Instead, most visible operations originate from pro-Iranian actors outside Iran, particularly in Southeast Asia, Pakistan, the broader Middle East, and Shia-aligned\r\ncommunities abroad. This creates an ecosystem that is decentralized and narrative-driven rather than centrally\r\ncoordinated at scale.\r\nAt the same time, Russian-affiliated hacktivist clusters appear to divide their operational focus between Europe\r\nand the Middle East. This signals structured targeting priorities instead of spontaneous mobilization. 
Below are the\r\nhighlights of the last day:\r\nFurther Expansion into the Gulf\r\nKeymous is declaring daily targets, Kuwait, Jordan, and lastly Saudi Arabia\r\nKuwait, Jordan, and Saudi Arabia, respectively, emerged as declared “visit” targets under a themed campaign\r\nbranding of the group Keymous, followed by public sector disruption claims against multiple ministries, including\r\nInterior, Finance, Education, Oil, and the central government portal.\r\nKeymous’ alleged DDoS targets inside Kuwait\r\nScreenshots shared via Telegram show connection timeouts across international nodes using public uptime testing\r\nservices. Similar validation methods were used in claims against Oman’s government portal.\r\nDieNet is one of the first hacktivist groups to target Oman\r\nTargets Inside Israel\r\nIsraeli banking institutions were named as targets in coordinated DDoS claims. Financial institutions remain high-value\r\nsymbolic assets due to public sensitivity and media amplification potential.\r\nDarkStorm’s Telegram post, targeting Israeli financial institutions\r\nShort-lived service disruptions can create an outsized psychological impact even when technical damage remains\r\nlimited. The repeated use of third-party uptime validation links suggests a standardized campaign method rather\r\nthan independent intrusion activity.\r\nHacktivists are gathering under the #OpIsrael hashtag\r\nLarge Scale Critical Infrastructure Narratives\r\nSome actors escalated rhetoric by claiming full control over Israeli and US military government systems,\r\nincluding defense manufacturers. These statements included language about shutting down systems and burning\r\nnetworks.\r\nMoroccan hacktivist claims “complete control over all systems” with a DDoS attack(!)\r\nHowever, no technical evidence supports such claims. 
The proof material again points toward availability testing\r\nrather than internal compromise.\r\nAnother narrative involves the alleged targeting of Israeli healthcare infrastructure, including one of the country’s\r\nlargest health service providers. Shared imagery included CCTV-style screenshots branded with ideological logos.\r\n“In the great Battle of the Promised Conquest and the latest war, the Mujahideen carried out a raid on Clalit Health\r\nServices facilities (Hebrew: שירותי בריאות כללית), which is considered the largest health fund in the occupied\r\nterritories.”\r\nHealthcare targeting claims raise psychological stakes. However, no validated evidence confirms operational\r\ncompromise.\r\nIn another claim, an IRGC-affiliated Telegram channel with more than 526,000 subscribers shared a post claiming\r\na large-scale cyber operation against Israeli communication networks.\r\nThe message alleges penetration of over 160 data centers and disruption of internal systems across multiple\r\nlocations. No technical evidence accompanies the claim, and the post appears primarily narrative-driven, aimed at\r\nsignaling scale and projecting impact rather than demonstrating verifiable compromise.\r\n“Large-scale cyber attack against the communication networks of the Zionist regime / Penetration into 160 data\r\ncenters”\r\nData Leak Operation\r\nSeveral channels distributed links to files labeled as Israeli military databases or intelligence personnel lists. File\r\nnames reference Mossad agents and military datasets.\r\nLiwaamohammad’s Telegram channel, sharing alleged data leaks\r\nAt this stage, authenticity remains unverified. In previous cycles, similar file naming tactics served propaganda\r\npurposes without substantiated data exposure. 
Verification requires forensic validation before drawing\r\nconclusions.\r\nMarch 2, 2026: Escalation Across Critical Infrastructure, Ransomware, and\r\nCoordinated Campaigns\r\nOn the third day of the conflict, multiple actors escalated operations toward critical infrastructure across Israel and\r\nthe Gulf states. Below we curated the highlights of the day:\r\nCyber Islamic Resistance and affiliated channels shared imagery allegedly showing access to industrial control\r\nenvironments, including PLC controller interfaces and energy monitoring dashboards. One screenshot references a\r\nVeroPoint PLC controller system. Another shows what appears to be a live energy production interface with\r\noperational data visualization.\r\nCyber Islamic Resistance’s alleged attack on PLC controllers\r\nAccompanying claims state that attackers accessed internal networks of energy-related facilities and manipulated\r\noperational parameters. The messaging suggests prolonged access before disclosure. While independent validation\r\nis pending, the emphasis on energy systems marks a shift from public-facing website disruption toward OT/ICS-themed targeting.\r\nAPT IRAN claims it infiltrated Jordan’s critical infrastructure, maintained access for over a month, and\r\nmanipulated power plant control systems, alleging up to a 75% reduction in electricity output.\r\nIn parallel, DieNet-affiliated messaging published a structured list of government, airport, financial, telecom, and\r\nutility targets across Qatar, Bahrain, the UAE, Kuwait, and Saudi Arabia. Specific references include ministries,\r\nairports, banks, and electricity and water authorities.\r\nTargets of the DDoS attacks shared by the group “DieNet”\r\nCheck-host screenshots indicate connection timeouts consistent with DDoS activity against government and\r\naviation infrastructure domains. 
Critical infrastructure is now being explicitly framed as the operational focus.\r\nRansomware Activity\r\nAn Israeli-linked entity, ramet-trom.co.il, appeared on a ransomware disclosure blog associated with INC\r\nRansomware. The listing claims approximately 1 terabyte of exfiltrated data, including blueprints and contracts.\r\nINC Ransomware’s alleged disclosures, listing an Israeli company, were claimed as a “political” attack rather\r\nthan financial.\r\nWebsite Defacements\r\nCyber Islamic Resistance and Cyb3r Drag0nz Team claimed defacements of Israeli websites.\r\nDefacement attack by Cyb3r Drag0nz\r\nDefacement pages displayed coordinated branding and a unified coalition banner referencing multiple aligned\r\ngroups, including 313 Team, Moroccan Black Cyber Army, and others.\r\nDefacement attack by Cyb3r Drag0nz #2\r\nMessaging emphasizes collective mobilization under a shared “electronic operations room.” The branding\r\nindicates cross-group coordination rather than isolated defacement incidents.\r\nLeaks and Reconnaissance Announcements\r\nAnonGhost published a file labeled “120K_USA_NetBlock.txt” claiming ownership or scanning of large U.S. IP\r\nranges. The shared screenshot shows active scanning activity across 72.x.x.x address ranges.\r\nAnonGhost’s reconnaissance sharings\r\nThe content appears to reflect reconnaissance or port scanning rather than confirmed compromise. However, the\r\nscale and framing signal intent toward U.S.-based network mapping.\r\nSeparately, groups using DieNet’s DDoS tools announce systematic attacks across Middle Eastern entities. It is\r\npossible to say that DieNet will provide the arsenal for many small hacktivist groups during this conflict.\r\nMad Ghost’s DDoS announcement\r\nDieNet’s messaging expands the perceived conflict zone to Cyprus, citing the presence of British military bases\r\nas a strategic trigger point. 
Notably, this narrative circulated even before public reporting that the UK had granted\r\npermissions related to U.S. operations, suggesting that Cyprus was already being framed as a legitimate target\r\nwithin aligned cyber channels.\r\nGiven Cyprus’ role as a host to British bases, escalation toward it was foreseeable. Today’s reported Iranian drone\r\nimpact on the island further reinforces that Cyprus is no longer peripheral to the conflict dynamic.\r\nDieNet is targeting Cyprus due to British Bases\r\nThe overlap between kinetic activity and cyber threat signaling increases the likelihood of sustained targeting\r\nagainst Cypriot government, aviation, or infrastructure assets. The conflict perimeter is visibly widening beyond\r\nIsrael and the Gulf, and Cyprus is now positioned within that expanding operational geography.\r\nResurrected Threat Actors\r\nDay 3 also shows signs of reactivation among previously known collectives. Several groups that had remained\r\ndormant or low-visibility in recent months are now resurfacing with renewed messaging and operational signaling.\r\nTeam Fearless announced its return, framing the current conflict as a renewed mission. While no technical proof\r\naccompanied the statement, the tone and branding signal intent to re-enter the operational landscape.\r\nPro-Palestine group Team Fearless’ Telegram post\r\nCyberAv3ngers and Al Toufan channels have also shown signs of renewed activity. Even where direct attack\r\nclaims are limited, signaling behavior, messaging frequency, and cross-channel amplification indicate preparation\r\nor coordination phases.\r\nHandala is already highly active, with defacement activity and explicit threats directed at Israel’s fuel and energy\r\nsector. 
The group’s messaging focuses on strategic infrastructure rather than symbolic web assets, aligning with\r\nthe broader shift toward critical industry targeting.\r\nHandala claims compromise of an i24 News administrative interface\r\nCollectively, this pattern reflects a widening mobilization cycle. Dormant or semi-active groups are repositioning\r\nthemselves within the conflict narrative, increasing the likelihood of coordinated or parallel operations in the\r\ncoming days.\r\nMarch 1, 2026: Hacktivist Collectives \u0026 Alliances Emerging\r\nA collective operating under the name Cyber Islamic Resistance has announced the formation of a joint\r\n“Electronic Operations Room” and the launch of a general cyber mobilization campaign. The group publicly\r\ncalled for cyber warfare participants to join through an official contact channel and stated that multiple previously\r\nknown hacktivist teams have formally joined the initiative.\r\nCyber Islamic Resistance’s Telegram announcement\r\nIn subsequent messages, affiliated teams declared their integration into the operations room and claimed the start\r\nof coordinated attacks against Israeli websites. 
The campaign is framed as a unified electronic front under the\r\nbroader “Islamic Resistance Axis” narrative.\r\nThe RipperSec team joins the axis\r\nThe Cyb3rDrag0nzz team joins the axis\r\nThe messaging indicates consolidation of several hacktivist entities under a single umbrella brand, followed by the\r\ninitiation of coordinated disruptive cyber activity.\r\nAlleged proof-of-access screenshots shared by the “Cyber Islamic Resistance” collective, showing a compromised\r\nnetwork device management interface and ACL configuration panel, presented as evidence of intrusion into Israeli\r\ninfrastructure.\r\nCurrent #1 Targets are Gulf Countries\r\nThe “313 Team,” operating under the Islamic Cyber Resistance in Iraq banner, claimed responsibility for a\r\ndisruptive attack against the official portal of the Jordanian government (jordan.gov.jo), alleging full website\r\ndisablement. The group shared an SSL error screenshot as proof of impact and referenced third-party uptime\r\nverification links.\r\nAlleged DDoS attack targeting Jordan’s .gov domain\r\nIn a subsequent statement, the group expanded its threat posture, declaring that “the hand of revenge will reach the\r\nservers” of multiple states, explicitly naming Jordan, Saudi Arabia, the UAE, and Kuwait, alongside Israel and the\r\nUnited States.\r\n313 Team declaring their targets\r\nThis marks a clear geographic broadening of declared targets from Israel-centric disruption toward Gulf state\r\ngovernment infrastructure, signaling potential escalation across regional public sector domains.\r\nNation of Saviors claims breach of Saudi engineering firm Baran Company, alleging 21 GB of data exfiltration\r\nand announcing intent to release private data publicly.\r\nTargeting Will Expand Toward Israel and the United States\r\nWhile Gulf government portals were initial targets, recent activity suggests that operations are 
expanding toward\r\nIsraeli and U.S. entities.\r\nMoroccan Black Cyber Army claimed a large-scale cyberattack against TCS Communications in Tel Aviv, alleging\r\ndisruption of communication and server services. The group shared third-party uptime verification links to support\r\nits claim. Targeting a telecommunications provider indicates an intent to affect service-layer infrastructure rather\r\nthan isolated web assets.\r\nMoroccan Black Cyber Army’s Telegram post, claiming a DDoS attack\r\nKeymous Plus published a mobilization statement calling for intelligence gathering, alliances, and operational\r\ncoordination in the context of the current conflict. Although no technical evidence was provided, the messaging\r\nemphasized reconnaissance and collaboration, suggesting preparatory activity that could precede data exposure or\r\nintrusion attempts against Israeli and U.S.-linked organizations.\r\nKeymous’ mobilization announcement\r\nNation of Saviors released alleged personal data linked to a U.S. military-related entity, including contact details\r\nand IP information. The post framed the exposure as retaliation.\r\nA doxxing post by Nation of Saviors in their Telegram channel\r\nThe scope of activity is broadening, with Israel and the United States naturally positioned as central targets in both\r\ndisruption and exposure campaigns.\r\nDDoS Will Remain the Primary Attack Vector\r\nDistributed Denial of Service activity continues to emerge as the most frequently used technique across the current\r\nescalation. Recent posts from multiple collectives reinforce that service disruption, rather than deep network\r\ncompromise, remains the dominant operational approach.\r\nNation of Saviors claimed the takedown of Israel’s Ministry of Education portal, sharing third-party check-host\r\nscreenshots indicating connection failures and a reported 503 server error. 
The group stated the site would remain\r\ndown for an extended period, framing the action as a sustained disruption.\r\nAlleged DDoS attack by Nation of Saviors targeting Israeli governmental domains\r\nSimilarly, posts forwarded by SYLHET GANG-SG and related channels promoted ongoing “DieNet network”\r\nattacks targeting Kuwaiti government domains. The shared material included automated check-host results\r\nshowing connection timeouts across multiple nodes, consistent with volumetric or application-layer DDoS\r\nactivity.\r\nDieNet network notice indicating ongoing DDoS activity against Kuwaiti governmental domains\r\nThese examples align with patterns observed earlier in the escalation, where DDoS attacks were repeatedly used\r\nto generate visible service outages and public proof-of-impact screenshots. The technique offers rapid deployment,\r\nhigh visibility, and a low technical threshold compared to more complex intrusion or destructive operations.\r\nAutomated DieNet DDoS alert claiming active targeting of the Kuwaiti Airport website\r\nDDoS remains the preferred method for achieving immediate disruption, media amplification, and psychological\r\nimpact across both government and infrastructure-related targets.\r\nConclusion\r\nThe hacktivist front of this conflict showed how quickly a regional war can become a global cyber mobilization.\r\nDDoS remained the dominant method, but the more significant shift was the steady normalization of OT targeting,\r\nwith groups across multiple coalitions claiming access to water, energy, and food infrastructure regardless of\r\nwhether those claims held up to scrutiny. The rhetoric alone carries operational weight. 
As a new Supreme Leader\r\nconsolidates power in Tehran, both state-directed and proxy cyber activity are likely to intensify rather than wind\r\ndown.\r\nFor continued coverage, verified incident data, and deeper threat intelligence, follow SOCRadar’s full analysis at\r\nsocradar.io/blog/cyber-reflections-us-israel-iran-war.\r\nSource: https://socradar.io/blog/telegram-activity-timeline-iran-israel-us-war/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://socradar.io/blog/telegram-activity-timeline-iran-israel-us-war/"
	],
	"report_names": [
		"telegram-activity-timeline-iran-israel-us-war"
	],
	"threat_actors": [
		{
			"id": "5484a633-c850-4380-921b-72fce1a32e72",
			"created_at": "2024-01-18T02:02:34.026014Z",
			"updated_at": "2026-04-10T02:00:04.636248Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [],
			"source_name": "ETDA:CyberAv3ngers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "daf2219f-08f1-44ef-9245-9a062ceff7a4",
			"created_at": "2023-11-08T02:00:07.120507Z",
			"updated_at": "2026-04-10T02:00:03.419124Z",
			"deleted_at": null,
			"main_name": "Cyber Av3ngers",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Av3ngers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b125b5c1-1431-4880-9ab8-582a583811ea",
			"created_at": "2024-04-24T02:00:49.643067Z",
			"updated_at": "2026-04-10T02:00:05.421434Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [
				"CyberAv3ngers",
				"Soldiers of Soloman"
			],
			"source_name": "MITRE:CyberAv3ngers",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-10T02:00:03.715945Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5245f2ea-fd7e-4b43-ada3-d9eb41923dd2",
			"created_at": "2024-11-03T02:00:03.635546Z",
			"updated_at": "2026-04-10T02:00:03.731596Z",
			"deleted_at": null,
			"main_name": "RipperSec",
			"aliases": [],
			"source_name": "MISPGALAXY:RipperSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dafc166f-0946-4870-9f6e-46ce02d2a40f",
			"created_at": "2024-11-13T13:15:31.105216Z",
			"updated_at": "2026-04-10T02:00:03.752358Z",
			"deleted_at": null,
			"main_name": "SYLHET GANG-SG",
			"aliases": [],
			"source_name": "MISPGALAXY:SYLHET GANG-SG",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8b1844c0-671a-41e0-abb1-8abc556738b5",
			"created_at": "2023-01-06T13:46:39.074954Z",
			"updated_at": "2026-04-10T02:00:03.2046Z",
			"deleted_at": null,
			"main_name": "APT-C-34",
			"aliases": [
				"Golden Falcon"
			],
			"source_name": "MISPGALAXY:APT-C-34",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b0d51a1b-38b1-4cfb-bee0-cad7ad2b9651",
			"created_at": "2025-05-29T02:00:03.196955Z",
			"updated_at": "2026-04-10T02:00:03.852653Z",
			"deleted_at": null,
			"main_name": "DieNet",
			"aliases": [
				"Shiite_Harvest"
			],
			"source_name": "MISPGALAXY:DieNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6fe4b4f-9694-4ffc-94ef-a0cc5aef94d9",
			"created_at": "2022-10-25T16:07:23.556112Z",
			"updated_at": "2026-04-10T02:00:04.655561Z",
			"deleted_at": null,
			"main_name": "DustSquad",
			"aliases": [
				"APT-C-34",
				"DustSquad",
				"G0133",
				"Golden Falcon",
				"Nomadic Octopus"
			],
			"source_name": "ETDA:DustSquad",
			"tools": [
				"Garpun",
				"Paperbug",
				"Remote Control System"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c532a3a-8977-4f5e-aa4f-311e19952e2f",
			"created_at": "2026-03-24T02:00:04.630235Z",
			"updated_at": "2026-04-10T02:00:03.989041Z",
			"deleted_at": null,
			"main_name": "Z-Pentest Alliance",
			"aliases": [
				"Z-Pentest"
			],
			"source_name": "MISPGALAXY:Z-Pentest Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72e0be44-1b83-4ce9-bb67-ac14b3c3a402",
			"created_at": "2026-03-24T02:00:04.632404Z",
			"updated_at": "2026-04-10T02:00:03.98996Z",
			"deleted_at": null,
			"main_name": "313 Team",
			"aliases": [],
			"source_name": "MISPGALAXY:313 Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "51e3a492-d98d-4eed-afdc-fa940010aa06",
			"created_at": "2026-03-24T02:00:04.638479Z",
			"updated_at": "2026-04-10T02:00:03.992494Z",
			"deleted_at": null,
			"main_name": "Cyber Islamic Resistance",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Islamic Resistance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a3f7c08b-242e-4655-9277-62721ac68610",
			"created_at": "2026-03-24T02:00:04.640476Z",
			"updated_at": "2026-04-10T02:00:03.993248Z",
			"deleted_at": null,
			"main_name": "Conquerors Electronic Army",
			"aliases": [],
			"source_name": "MISPGALAXY:Conquerors Electronic Army",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9fe6924d-bce6-4b56-9717-fe611932baec",
			"created_at": "2026-03-24T02:00:04.642588Z",
			"updated_at": "2026-04-10T02:00:03.993986Z",
			"deleted_at": null,
			"main_name": "Keymous+",
			"aliases": [
				"keymous",
				"Keymous Plus"
			],
			"source_name": "MISPGALAXY:Keymous+",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46f9e73c-51aa-4473-947f-2115f0317636",
			"created_at": "2026-04-10T02:00:04.017474Z",
			"updated_at": "2026-04-10T02:00:04.017474Z",
			"deleted_at": null,
			"main_name": "RuskiNet",
			"aliases": [],
			"source_name": "MISPGALAXY:RuskiNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434088,
	"ts_updated_at": 1775792279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d1a7d2e8271aa0f997aad53db6bb03fcba041d9.pdf",
		"text": "https://archive.orkl.eu/6d1a7d2e8271aa0f997aad53db6bb03fcba041d9.txt",
		"img": "https://archive.orkl.eu/6d1a7d2e8271aa0f997aad53db6bb03fcba041d9.jpg"
	}
}