Date: 03/04/2026
Severity: Critical
Summary
On Feb. 28, 2026, joint US–Israel strikes reduced Iran’s internet connectivity to 1–4%, disrupting leadership communications and degrading command-and-control across state networks.
Security teams identified an SMS/phishing campaign distributing a trojanized Israeli Home Front Command RedAlert APK for surveillance and data exfiltration. Hacktivist activity has surged to roughly 60 groups, including Iran-aligned actors (Handala Hack, APT Iran, Cyber Islamic Resistance, FAD Team, Evil Markhors, Sylhet Gang, 313 Team, DieNet) conducting DDoS, hack-and-leak, wiper, and defacement operations. Iran-based state actors may be isolated or acting autonomously because of the connectivity degradation, while external affiliates and opportunistic groups sustain lower-sophistication attacks. Pro-Russian hacktivists claim disruptive intrusions into Israeli systems, alleging access to sensitive defense-related materials and infrastructure components. Cybercriminals and RaaS affiliates are exploiting the conflict via vishing, leak-site posts, and opportunistic scams, underscoring the need for resilient backups, strong patching, phishing defenses, IP controls, and continuity planning.
Indicators of Compromise (IOC) List
Domains/URLs: update-svc.shop, ics-remote.io, cdn-delivery.ru, handala-files.com, vpn-auth.services, patch-portal.online, baqiyat-lock.cc, starlink-proxy.org, api-update.store, ir-ops-room.net, https://cdn-delivery.ru/wipe.exe, https://vpn-auth.services/login
IP addresses: 185.220.101.47, 91.92.243.102, 45.142.212.188, 176.97.75.144, 31.41.244.57, 77.91.68.23, 5.255.103.55, 195.123.240.92, 103.124.104.20, 194.165.16.77, 45.142.212.201, 176.97.65.98
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain/URL indicators):
domainname like "update-svc.shop" or url like "update-svc.shop" or siteurl like "update-svc.shop"
or domainname like "ics-remote.io" or url like "ics-remote.io" or siteurl like "ics-remote.io"
or domainname like "cdn-delivery.ru" or url like "cdn-delivery.ru" or siteurl like "cdn-delivery.ru"
or domainname like "handala-files.com" or url like "handala-files.com" or siteurl like "handala-files.com"
or domainname like "vpn-auth.services" or url like "vpn-auth.services" or siteurl like "vpn-auth.services"
or domainname like "patch-portal.online" or url like "patch-portal.online" or siteurl like "patch-portal.online"
or domainname like "baqiyat-lock.cc" or url like "baqiyat-lock.cc" or siteurl like "baqiyat-lock.cc"
or domainname like "starlink-proxy.org" or url like "starlink-proxy.org" or siteurl like "starlink-proxy.org"
or domainname like "api-update.store" or url like "api-update.store" or siteurl like "api-update.store"
or domainname like "ir-ops-room.net" or url like "ir-ops-room.net" or siteurl like "ir-ops-room.net"
or domainname like "https://cdn-delivery.ru/wipe.exe" or url like "https://cdn-delivery.ru/wipe.exe" or siteurl like "https://cdn-delivery.ru/wipe.exe"
or domainname like "https://vpn-auth.services/login" or url like "https://vpn-auth.services/login" or siteurl like "https://vpn-auth.services/login"

Detection Query 2 (IP indicators):
dstipaddress IN ("5.255.103.55","45.142.212.201","176.97.75.144","91.92.243.102","31.41.244.57","195.123.240.92","194.165.16.77","45.142.212.188","185.220.101.47","77.91.68.23","103.124.104.20","176.97.65.98")
or srcipaddress IN ("5.255.103.55","45.142.212.201","176.97.75.144","91.92.243.102","31.41.244.57","195.123.240.92","194.165.16.77","45.142.212.188","185.220.101.47","77.91.68.23","103.124.104.20","176.97.65.98")
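The same indicator matching as a stand-alone Python check, added here as an example and not taken from the brief or from Gurucul: it reuses the field names the queries above use (domainname, url, siteurl, srcipaddress, dstipaddress), reduces the two URL indicators to their hosts so they also fire on a domain field, and matches hosts by equality or parent domain rather than by substring, so a look-alike such as a third-party subdomain that merely contains an IOC string is not flagged. The sample events are constructed.

```python
from urllib.parse import urlsplit

# Indicators copied from the IOC list above; URL entries are matched whole and by host.
IOC_DOMAINS = {
    "update-svc.shop", "ics-remote.io", "cdn-delivery.ru", "handala-files.com",
    "vpn-auth.services", "patch-portal.online", "baqiyat-lock.cc",
    "starlink-proxy.org", "api-update.store", "ir-ops-room.net",
}
IOC_URLS = {"https://cdn-delivery.ru/wipe.exe", "https://vpn-auth.services/login"}
IOC_IPS = {
    "185.220.101.47", "91.92.243.102", "45.142.212.188", "176.97.75.144",
    "31.41.244.57", "77.91.68.23", "5.255.103.55", "195.123.240.92",
    "103.124.104.20", "194.165.16.77", "45.142.212.201", "176.97.65.98",
}

def hostname_of(value):
    """Lower-cased host of a URL or bare domain; None if it cannot be parsed."""
    try:
        return urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None

def domain_matches(host, ioc_domains=IOC_DOMAINS):
    """True when host equals an IOC domain or is a subdomain of one (not a substring)."""
    return any(host == d or host.endswith("." + d) for d in ioc_domains)

def match_event(event):
    """Return IOC hits for one normalised event as (field, ioc_type, value) tuples."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        value = event.get(field, "")
        if value in IOC_URLS:
            hits.append((field, "url", value))
        host = hostname_of(value) if value else None
        if host and domain_matches(host):
            hits.append((field, "domain", host))
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in IOC_IPS:
            hits.append((field, "ip", event[field]))
    return hits

# Constructed sample events (not real telemetry) exercising each match type.
SAMPLE_EVENTS = [
    {"url": "https://cdn-delivery.ru/wipe.exe", "dstipaddress": "10.0.0.5"},
    {"domainname": "mail.VPN-AUTH.services", "dstipaddress": "198.51.100.9"},
    {"srcipaddress": "45.142.212.201", "url": "https://example.org/"},
    {"url": "https://update-svc.shop.example.com/", "dstipaddress": "203.0.113.4"},
]

def scan(events=SAMPLE_EVENTS):
    """Index and hits for every event with at least one IOC hit."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]
```

The fourth sample event is the false-positive case: its host ends in example.com, so no hit is raised even though the string contains an IOC domain.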
Reference:
https://www.hendryadrian.com/threat-brief-march-2026-escalation-of-cyber-risk-related-to-iran/