HawkEye Conflict Intelligence: Active Threat Advisories

HawkEye Conflict Intelligence: Iranian Threat Actor Advisories — March 2026
As the regional conflict continues, Iranian state-sponsored groups and aligned hacktivist collectives are conducting coordinated cyber operations against organisations across the GCC and EMEA. HawkEye’s threat intelligence team is tracking these actors in real time and publishing advisories as intelligence develops.
Seven advisories have been published to date, all rated TLP:WHITE and available to read and share freely.
Advisory 01: Operation Epic Fury — Iran APT
HawkEye’s opening advisory on the conflict covers the broader Iranian APT campaign dubbed Operation Epic Fury. Iranian state-sponsored threat actors are conducting coordinated, multi-vector attacks against government, critical infrastructure, and private sector organisations across the GCC and EMEA. This advisory sets the strategic context for all subsequent threat actor reporting.
Advisory 02: Handala and the Stryker Wiper Attack
Iranian-aligned hacktivist group Handala has deployed the Stryker Wiper, a destructive malware strain targeting healthcare and critical infrastructure across the region. Unlike ransomware, wiper attacks are designed purely to destroy. There is no recovery without clean backups.
Advisory 03: DieNet — Pro-Iranian Hacktivist Collective
DieNet operates as a DDoS-as-a-Service collective aligned with Iranian interests, coordinating large-scale denial-of-service campaigns against government, financial, and critical infrastructure targets across the GCC and EMEA. The group is active, organised, and targeting the region now.
Advisory 04: APT42 / Charming Kitten — IRGC-IO Cyber Espionage
APT42, operating under the Islamic Revolutionary Guard Corps Intelligence Organisation, is one of Iran’s most active espionage units. The group specialises in credential harvesting, surveillance of dissidents and journalists, and long-term infiltration of government and policy organisations across the Middle East and beyond.
Advisory 05: 313 Team — Islamic Cyber Resistance in Iraq
The 313 Team is an Iraq-based cyber group aligned with Iranian interests, conducting politically motivated attacks against regional adversaries. Operating under the banner of Islamic Cyber Resistance, the group targets government and defence-adjacent organisations with defacement, data exfiltration, and disruptive attacks.
Advisory 06: MuddyWater / MERCURY — MOIS Espionage Operations
MuddyWater, attributed to Iran’s Ministry of Intelligence and Security, is a persistent espionage operator targeting government, telecoms, and defence organisations across the Middle East, Europe, and Central Asia. The group uses spearphishing, remote administration tools, and living-off-the-land techniques to maintain long-term access to compromised networks.
Advisory 07: APT33 / Elfin — IRGC Aerospace and Energy Espionage
APT33 is an IRGC-linked threat actor with a long track record of targeting aerospace, aviation, and energy sector organisations across Saudi Arabia, the UAE, and the United States. The group conducts both espionage operations and destructive attacks, and has been linked to the development and deployment of wiper malware against Gulf energy infrastructure.
This series is ongoing.
The threat actors covered in these advisories are active. HawkEye will continue publishing intelligence as the situation develops. Bookmark this page, share these advisories with your security teams, and reach out to HawkEye if you need help assessing your exposure.
All advisories are TLP:WHITE. Read them, share them, act on them.


