Iranian-aligned hacktivist group 313 Team deploys destructive wiper malware against $100B medical technology giant 313 Team Corporation — wiping 200,000+ devices, defacing Entra login portals, and shutting down operations across 79 countries.
In March 2026, 313 Team Corporation — a Fortune 200 medical technology company headquartered in Portage, Michigan — experienced a catastrophic cyberattack attributed to 313 Team (a.k.a. 313 Team Hack Team), a pro-Palestinian hacktivist group with strong ties to Iran's Ministry of Intelligence and Security (MOIS).
The attack deployed destructive wiper malware that permanently erased data from corporate servers, endpoint devices, and personal smartphones enrolled in 313 Team's Microsoft Intune mobile device management. The attackers defaced Microsoft Entra (Azure AD) login pages with 313 Team's distinctive logo and remotely wiped managed devices at approximately 3:30 AM EDT.
Over 5,500 employees in Cork, Ireland — 313 Team's largest hub outside the US — were sent home. Operations halted across manufacturing, R&D, and engineering facilities worldwide. The company's main US headquarters voicemail reported a "building emergency." 313 Team stock dropped approximately 4% within hours.
313 Team claimed the operation affected 200,000+ systems and exfiltrated 50 terabytes of data. While these figures remain unverified, the operational impact is confirmed by multiple sources including 313 Team's own statements, Irish media, and employee reports.
313 Team confirmed: "We have no indication of ransomware or malware." This was a destructive wiper attack — the goal was permanent data destruction, not extortion. Wiper attacks may cause irreversible data loss with no recovery path. This aligns with 313 Team's documented operational doctrine of disruption over monetization.
This attack comes ~2 weeks after US-Israeli strikes against Iran (late February 2026). CSIS analysis warns this marks "the beginning of a new phase of cyber escalation" under Iran's "Great Epic" cyber campaign. 313 Team explicitly framed this as retaliation for the "attack on a school in Minab" and "ongoing cyber assaults against the Resistance Axis."
313 Team prioritizes operational visibility over technical sophistication or permanent damage. Attacks are designed to generate headlines, social media engagement, and psychological impact — not data theft or ransomware monetization. This aligns with IRGC influence operations doctrine.
Multiple independent vendors and government sources have converged on attributing 313 Team to the same MOIS-linked cluster:
| Vendor | Cluster Name | Confidence |
|---|---|---|
| Check Point Research | Void Manticore | HIGH |
| Microsoft | Storm-0842 / Storm-842 | HIGH |
| CrowdStrike | BANISHED KITTEN | HIGH |
| Recorded Future | Dune | MEDIUM-HIGH |
| Sophos | COBALT MYSTIQUE | MEDIUM-HIGH |
| IBM X-Force | 313 Team Hacking Team | HIGH |
"313 Team" refers to a character created in 1969 by Palestinian political cartoonist Naji al-Ali — a barefoot boy with his back turned, symbolizing Palestinian identity and defiance. The hacktivist group adopted this symbolism upon emergence in December 2023, shortly after the onset of the Gaza conflict.
The group operates as an influence-enabled intrusion threat — not a traditional cybercrime or espionage actor. Their operational model fuses technical compromise with rapid public messaging, timed data leaks, and narrative amplification designed to maximize reputational damage beyond direct system impact.
Key characteristics:
The 313 Team's primary offensive capability is Distributed Denial of Service (DDoS) attacks against web-accessible government and institutional portals. The group leverages a combination of infrastructure from the Liwa Awli Aleazm software development wing, coalition-pooled botnet resources, and open-source DDoS tooling shared across Islamic Cyber Resistance Axis members. Attack proof methodology follows a consistent pattern: CheckHost.net or similar uptime verification services are used to generate third-party connection timeout screenshots, which are posted to the group's Telegram channel with target URL, timestamp, and claimed duration.
Secondary to DDoS, the 313 Team conducts website defacements as psychological operations. Defaced pages deploy coordinated coalition branding — unified 'Electronic Operations Room' banners referencing 313 Team, Moroccan Black Cyber Army, RipperSec, Cyb3rDrag0nzz, and affiliated groups. This branding strategy serves dual purposes: amplifying apparent coalition size and creating sustained psychological pressure on target governments. Joint defacement operations with Cyber Islamic Resistance against Saudi UBT are confirmed by multiple intelligence sources.
The group has claimed CCTV access to Bahraini government facilities, publishing still images as evidence of surveillance system compromise. Additionally, the Electronic Operations Room coordination has involved claims of ICS/OT access to Gulf government portals — a qualitative escalation that, if verified, would represent a significant capability expansion beyond typical hacktivist profiles. These claims remain unverified by independent technical sources; however, RH-ISAC notes that 'the shift from web defacements toward claimed PLC access and power plant manipulation marks a qualitative escalation' across the broader Cyber Islamic Resistance coalition.
All 313 Team operations are coordinated, claimed, and amplified through Telegram. The group maintains dedicated operational channels for attack announcements, target lists, proof screenshots, and coalition coordination. ICT analysis of Telegram messaging patterns identified over 250,000 messages across 178+ hacktivist and proxy groups during the June 2025 conflict cycle, with 313 Team and Islamic Cyber Resistance maintaining sustained activity. The group also uses Telegram Stars (Telegram's payment system) for potential financing flows, consistent with broader pro-Iranian hacktivist monetization observed by ICT.
The 313 Team GitHub organization hosts HackBar — a browser-based security audit tool enabling SQL injection, XSS testing, and web application reconnaissance. This tooling, developed under the Liwa Awli Aleazm wing, indicates the group maintains basic web application attack capabilities beyond volumetric DDoS. The FAD Team (a coalition partner also operating from Iraq) has claimed SQL injection-based data exfiltration against similar target sets, suggesting capability sharing across Axis members.
The group deploys AI-generated propaganda imagery across Telegram — burning city imagery, Islamic iconography, and multilingual threat messages targeting Kuwaiti, Saudi, Jordanian, and US audiences. This psychological operations component is coordinated with SEPAHCYBERY (an IRGC-linked channel) and broader pro-Iranian media infrastructure. The aim is to create public uncertainty about government service availability and amplify the perceived impact of technical disruptions.
1. Initial Access — 313 Team typically uses spear-phishing with current-events lures. For the 313 Team attack, the initial access vector is under investigation. Previous campaigns used phishing PDFs masquerading as software updates, SMS phishing, and abuse of trusted supplier channels. The attackers gained access to administrative accounts with Intune/Entra management privileges.
2. Payload Delivery — The documented 313 Team toolkit uses NSIS (Nullsoft Scriptable Install System) installers containing obfuscated batch scripts. Files within the NSIS package have no file extensions, to evade static analysis. Commercial file-sharing services (Storj, Mega) are used for payload hosting.
3. Execution — The batch script ("Carroll") copies itself to a .cmd extension and executes. It contains garbage/invalid Windows commands interspersed with real instructions to hinder analysis. It checks for AV processes (Webroot, Quick Heal, Avast, AVG, Bitdefender, Norton, Sophos) and introduces 90–180 second delays if not found.
4. Defense Evasion — The multi-component payload is distributed across several files and concatenated at runtime into AutoIt3.exe and an .a3x script. The AutoIt component uses simple string obfuscation. Architecture-aware shellcode (x32/x64) uses the RtlDecompressFragment() API.
5. Impact — The wiper overwrites files with 4,096 bytes of random data (files < 4,096 bytes are overwritten with zeroes). Files are deleted after the overwrite. A BYOVD technique uses the ListOpenedFileDrv_32.sys driver to access kernel memory for file enumeration. A deceptive "update installation" message box is displayed while wiping occurs. System information is exfiltrated to a Telegram bot C2 before destruction.
| Tactic | Technique | ID | Evidence |
|---|---|---|---|
| Resource Dev. | Acquire Infrastructure | T1583 | DDoS botnet infrastructure; coalition tool pooling |
| Resource Dev. | Establish Accounts | T1585 | Telegram channel networks; GitHub tooling repos |
| Initial Access | Exploit Public-Facing Application | T1190 | SQL injection tooling (HackBar); web portal targeting |
| Initial Access | Drive-by Compromise | T1189 | Defacement delivery via web server exploitation |
| Execution | Command and Scripting Interpreter | T1059 | HackBar web audit tool; custom DDoS scripts |
| Persistence | Defacement | T1491.001 | Government portal homepage replacements with coalition branding |
| Collection | Screen Capture | T1113 | Alleged CCTV access — Bahrain government facilities |
| Impact | Network Denial of Service | T1498 | Primary tactic — 26 Kuwait gov domains targeted |
| Impact | Endpoint Denial of Service | T1499 | Web application flooding — e-government portal |
| Impact | Defacement: External | T1491.001 | Joint defacements with CIR (Saudi UBT, Israeli sites) |
| C&C | Application Layer Protocol: Web | T1071.001 | Telegram C2 and coordination channels |
| ICS — Impact | Denial of Control (ICS) | T0813 | Claimed ICS/OT access to Gulf gov portals (unverified) |
| Domain / URL | Entity | Attack Type Claimed |
|---|---|---|
| kuwaitarmy[.]gov[.]kw | Kuwait Armed Forces | DDoS — 1hr shutdown claimed |
| mod[.]gov[.]kw | Ministry of Defense | DDoS — disruption claimed |
| e[.]gov[.]kw | Kuwait e-Government Portal | DDoS — 18hr outage claimed |
| knguard[.]gov[.]kw | Kuwait National Guard | DDoS — disruption claimed |
| moe[.]gov[.]kw | Ministry of Electricity | DDoS — disruption claimed |
| moh[.]gov[.]kw | Ministry of Health | DDoS — disruption claimed |
| cait[.]gov[.]kw | Central Agency for IT | DDoS — disruption claimed |
| pam[.]gov[.]kw | Public Authority for Manpower | DDoS — disruption claimed |
| mpw[.]gov[.]kw | Ministry of Public Works | DDoS — disruption claimed |
| paci[.]gov[.]kw | Public Authority for Civil Info | DDoS — disruption claimed |
| csb[.]gov[.]kw | Civil Service Commission | DDoS — disruption claimed |
| kcb[.]com[.]kw | Kuwait Credit Bank | DDoS — disruption claimed |
```yaml
# 313T-SIGMA-001 — DDoS Volumetric Attack — Government Portal
title: 313 Team DDoS Volumetric Attack Against Government Web Portal
status: experimental
description: Detects HTTP/HTTPS flood patterns consistent with 313 Team
  DDoS methodology targeting .gov.kw and regional government portals
logsource:
  category: network
  product: firewall
detection:
  selection:
    dst_port|in: [80, 443]
    dst_host|endswith:
      - '.gov.kw'
      - '.gov.jo'
      - '.mod.gov.kw'
  threshold:
    field: src_ip
    count: '>500'
    timespan: '60s'
  condition: selection and threshold
falsepositives: Legitimate traffic spikes during peak hours
level: high
tags: [313Team, Islamic_Cyber_Resistance, ddos, kuwait]
```
```yaml
# 313T-SIGMA-002 — Web Application SQL Injection — HackBar Patterns
title: 313 Team HackBar SQL Injection Attempt
status: experimental
description: Detects SQL injection and XSS probing consistent with
  HackBar tooling used by Liwa Awli Aleazm development wing
logsource:
  category: webserver
  product: apache|nginx
detection:
  selection_sqli:
    cs-uri-query|contains:
      - "' OR '1'='1"
      - "UNION SELECT"
      - "1=1--"
      - "admin'--"
  selection_xss:
    cs-uri-query|contains:
      - '<script>'
      - 'javascript:'
      - 'onerror='
  condition: selection_sqli or selection_xss
falsepositives: Security scanners, penetration tests
level: medium
tags: [313Team, HackBar, sqli, xss, web_exploit]
```
```yaml
# 313T-SIGMA-003 — Website Defacement — Government Portal Content Replace
title: 313 Team Coalition Branding Defacement Upload
status: experimental
description: Detects file uploads or webshell writes consistent with
  313 Team / Cyber Islamic Resistance defacement methodology
logsource:
  category: file_event
  product: windows|linux
detection:
  selection:
    TargetFilename|endswith:
      - 'index.html'
      - 'index.php'
      - 'default.aspx'
    EventType: 'FileCreate'
    User|not-contains: 'SYSTEM'
  web_root:
    TargetFilename|contains:
      - '/var/www/'
      - '/inetpub/wwwroot/'
      - 'htdocs'
  condition: selection and web_root
falsepositives: Legitimate web deployments
level: high
tags: [313Team, defacement, web_compromise, CIR]
```
```yaml
# 313T-SIGMA-004 — Telegram C2 / Coalition Coordination Beacon
title: 313 Team Telegram Infrastructure Communication
status: experimental
description: Detects outbound HTTP connections to Telegram API endpoints
  consistent with 313 Team attack coordination and C2 patterns
logsource:
  category: proxy
  product: proxy
detection:
  selection:
    cs-host|endswith: 'api.telegram.org'
    cs-method: 'POST'
    cs-uri-path|contains: '/bot'
  internal_src:
    src_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and internal_src
falsepositives: Legitimate Telegram bots, notification services
level: medium
tags: [313Team, telegram, c2, coordination]
```
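The logic of 313T-SIGMA-004 as an added Python example (not part of the original report): it keeps POSTs from RFC 1918 sources to `api.telegram.org` whose path has the Bot API shape `/bot<id>:<secret>/<method>`, groups them by source and bot id, and raises the level when `sendMessage` or `sendDocument` is seen. The record field names, the allowlist and all sample records are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Bot API request paths have the shape /bot<numeric id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)$")
# Methods that push data out; both appear as strings in the report's YARA rule
EXFIL_METHODS = {"sendMessage", "sendDocument"}


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def match_event(ev):
    """Return a normalized hit for one proxy record, or None."""
    host = ev.get("cs-host", "").lower().rstrip(".")
    if host != "api.telegram.org" or ev.get("cs-method", "").upper() != "POST":
        return None
    m = BOT_PATH.match(ev.get("cs-uri-path", ""))
    if m is None or not is_internal(ev.get("src_ip", "")):
        return None
    bot_id, _secret, method = m.groups()   # the secret half is never stored
    return {"src_ip": ev["src_ip"], "bot_id": bot_id, "method": method,
            "bytes_out": int(ev.get("cs-bytes", 0))}


def summarize(events, allowlist=frozenset()):
    """Group hits by (source, bot id); allowlist holds approved pairs."""
    groups = defaultdict(lambda: {"count": 0, "bytes_out": 0, "methods": set()})
    for ev in events:
        hit = match_event(ev)
        if hit is None or (hit["src_ip"], hit["bot_id"]) in allowlist:
            continue
        g = groups[(hit["src_ip"], hit["bot_id"])]
        g["count"] += 1
        g["bytes_out"] += hit["bytes_out"]
        g["methods"].add(hit["method"])
    for g in groups.values():
        g["level"] = "high" if g["methods"] & EXFIL_METHODS else "medium"
    return dict(groups)


def _rec(src, method, path, nbytes, host="api.telegram.org"):
    return {"src_ip": src, "cs-host": host, "cs-method": method,
            "cs-uri-path": path, "cs-bytes": nbytes}


# Constructed sample records: addresses, bot ids and tokens are made up
SAMPLE = [
    _rec("10.20.30.41", "POST", "/bot7000000001:CONSTRUCTED_TOKEN_A/sendMessage", 812),
    _rec("10.20.30.41", "POST", "/bot7000000001:CONSTRUCTED_TOKEN_A/sendDocument", 48211),
    _rec("10.20.30.41", "GET", "/bot7000000001:CONSTRUCTED_TOKEN_A/getUpdates", 0),
    _rec("10.20.5.9", "POST", "/bot7000000002:CONSTRUCTED_TOKEN_B/sendMessage", 300),
    _rec("172.16.4.4", "POST", "/bot7000000003:CONSTRUCTED_TOKEN_C/getMe", 0),
    _rec("203.0.113.7", "POST", "/bot7000000001:CONSTRUCTED_TOKEN_A/sendMessage", 500),
    _rec("192.168.1.15", "POST", "/blog", 0, host="telegram.org"),
]
# Hypothetical approved notification bot on a monitoring host
APPROVED = frozenset({("10.20.5.9", "7000000002")})

if __name__ == "__main__":
    for key, group in summarize(SAMPLE, APPROVED).items():
        print(key, group)
```

Without TLS inspection a proxy sees only the CONNECT to `api.telegram.org:443`, so the path and method checks need decrypted traffic.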
```yaml
# 313T-SIGMA-005 — Check-Host Uptime Verification Beacon
title: 313 Team Check-Host Attack Validation Pattern
status: experimental
description: Detects outbound connections to check-host.net or similar
  uptime monitoring services used by 313 Team to validate DDoS impact
  and generate proof screenshots for Telegram claim posting
logsource:
  category: proxy
  product: proxy
detection:
  selection:
    cs-host|endswith:
      - 'check-host.net'
      - 'isitdownrightnow.com'
      - 'downdetector.com'
  query_gov:
    cs-uri-query|contains:
      - '.gov.kw'
      - 'mod.gov.kw'
      - 'kuwaitarmy'
      - '.gov.jo'
  condition: selection and query_gov
falsepositives: Low — government IT staff performing availability checks
level: medium
tags: [313Team, ddos_validation, check_host, proof_collection]
```
```yaml
# 313T-SIGMA-006 — CCTV / Surveillance System Unauthorized Access
title: Suspicious CCTV DVR/NVR Authentication — 313 Team TTPs
status: experimental
description: Detects brute force or default credential authentication
  attempts against DVR/NVR systems consistent with 313 Team claimed
  surveillance access in Bahrain government facilities
logsource:
  category: network
  product: ids
detection:
  selection:
    dst_port|in: [554, 8080, 8081, 37777, 34567, 9000]
  brute:
    EventType: 'auth_failure'
    count: '>5'
    timespan: '60s'
  known_cctv_ua:
    http.user_agent|contains:
      - 'Dahua'
      - 'Hikvision'
      - 'RTSP'
  condition: (selection and brute) or (selection and known_cctv_ua)
falsepositives: Legitimate CCTV management activity
level: medium
tags: [313Team, cctv, surveillance, initial_access, IoT]
```
```yaml
# 313T-SIGMA-007 — HTTP Flood Signature — Multi-Source Same Target
title: Multi-Source HTTP Flood Consistent with 313 Team DDoS
status: experimental
description: Detects distributed HTTP flood from multiple source IPs
  targeting same government web endpoint — characteristic of 313 Team
  coalition-pooled DDoS infrastructure methodology
logsource:
  category: network
  product: waf
detection:
  selection:
    http.method: 'GET'
    http.status: ['200', '503', '504']
  concentration:
    dst_host: same_value
    src_ip:
      unique_count: '>50'
    timespan: '30s'
    request_rate: '>1000/s'
  condition: selection and concentration
falsepositives: Legitimate high-traffic events, CDN origin pulls
level: high
tags: [313Team, ddos, http_flood, botnet, coalition]
```
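The `concentration` block of 313T-SIGMA-007 describes an aggregation over a time window rather than a per-event field match, so it needs a stateful evaluation step. The added Python example below (not part of the original report) implements the distinct-source part: a sliding window that alerts once when more than 50 different source IPs hit the same in-scope `dst_host` within 30 seconds. The class name, record layout and sample traffic are assumptions constructed for the example; the `request_rate` condition is not modelled.

```python
from collections import defaultdict, deque


class FloodDetector:
    """Alert when more than `min_sources` distinct IPs hit one host within `window_s`."""

    def __init__(self, window_s=30, min_sources=50, suffixes=(".gov.kw", ".gov.jo")):
        self.window_s = window_s
        self.min_sources = min_sources
        self.suffixes = tuple(suffixes)
        self._events = defaultdict(deque)                    # host -> (ts, src_ip) in window
        self._hits = defaultdict(lambda: defaultdict(int))   # host -> src_ip -> requests
        self._alerting = set()                               # hosts with an open alert

    def observe(self, ts, src_ip, dst_host):
        """Feed one request (timestamps non-decreasing); return an alert or None."""
        host = dst_host.lower().rstrip(".")
        if not host.endswith(self.suffixes):
            return None
        window, hits = self._events[host], self._hits[host]
        window.append((ts, src_ip))
        hits[src_ip] += 1
        # Expire requests that have fallen out of the window
        while window and window[0][0] <= ts - self.window_s:
            _, old_ip = window.popleft()
            hits[old_ip] -= 1
            if hits[old_ip] == 0:
                del hits[old_ip]
        if len(hits) <= self.min_sources:
            self._alerting.discard(host)       # re-arm once traffic calms down
            return None
        if host in self._alerting:
            return None                        # one alert per burst, not per request
        self._alerting.add(host)
        return {"dst_host": host, "ts": ts, "unique_sources": len(hits),
                "requests_in_window": len(window)}


def constructed_traffic():
    """Constructed sample: (timestamp_seconds, src_ip, dst_host) tuples."""
    ev = []
    # 20 ordinary clients spread over a minute: stays below the threshold
    for i in range(20):
        ev.append((i * 3.0, f"192.0.2.{i + 1}", "moh.gov.kw"))
    # 60 distinct sources, 5 requests each, inside about 6 seconds
    for r in range(5):
        for i in range(60):
            ev.append((100 + r * 1.2 + i * 0.02, f"198.51.100.{i + 1}", "e.gov.kw"))
    # One noisy client: many requests but a single source
    for i in range(300):
        ev.append((200 + i * 0.01, "203.0.113.9", "mod.gov.kw"))
    # Many sources against a host outside the monitored suffixes
    for i in range(80):
        ev.append((300 + i * 0.1, f"198.51.100.{i + 1}", "example.org"))
    return sorted(ev)


def run(events, **kwargs):
    detector = FloodDetector(**kwargs)
    alerts = []
    for ts, src_ip, dst_host in events:
        alert = detector.observe(ts, src_ip, dst_host)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(constructed_traffic()):
        print(alert)
```

The single noisy client against `mod.gov.kw` is not flagged here; that case is what the per-source count in 313T-SIGMA-001 is for.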
```yaml
# 313T-SIGMA-008 — ICS/OT Protocol Anomaly — Government Utility Network
title: Suspicious ICS Protocol Access — 313 Team ICS Claim TTPs
status: experimental
description: Detects anomalous access to industrial control protocols
  in government networks consistent with claimed 313 Team / CIR ICS
  access targeting Gulf government utility and defense infrastructure
logsource:
  category: network
  product: ids
detection:
  selection:
    dst_port|in: [502, 102, 20000, 44818, 47808, 1911, 4840]
    EventType: 'new_connection'
  not_expected:
    src_ip|not-cidr:
      - '192.168.100.0/24'
      - '10.10.10.0/24'
  condition: selection and not_expected
falsepositives: Authorized ICS vendor access, patch windows
level: critical
tags: [313Team, ICS, OT, modbus, S7, dnp3, critical_infra]
```
```yaml
# 313T-SIGMA-009 — Coordinated Defacement Branding Keywords
title: 313 Team / Cyber Islamic Resistance Defacement Content Detection
status: experimental
description: Detects web application response content containing
  313 Team or Islamic Cyber Resistance coalition branding keywords
  inserted during defacement operations
logsource:
  category: webserver
  product: apache|nginx|iis
detection:
  selection:
    cs-uri-stem|endswith:
      - '/index.html'
      - '/index.php'
      - '/'
  branding_keywords:
    response_body|contains:
      - '313 Team'
      - 'Islamic Cyber Resistance'
      - 'Electronic Operations Room'
      - 'Al-Imamah313'
      - 'Liwa Awli Aleazm'
  condition: selection and branding_keywords
falsepositives: Near-zero — keywords unique to this group
level: critical
tags: [313Team, defacement, branding, IOC, web_compromise]
```
```yaml
# 313T-SIGMA-010 — Coalition Target List Domain Reconnaissance
title: 313 Team Pre-Attack Government Portal Reconnaissance
status: experimental
description: Detects DNS resolution or HTTP probing of known 313 Team
  declared target domains from non-government source IPs, consistent
  with pre-attack reconnaissance pattern
logsource:
  category: dns
  product: dns
detection:
  selection:
    dns.query.name|in:
      - 'kuwaitarmy.gov.kw'
      - 'mod.gov.kw'
      - 'knguard.gov.kw'
      - 'moe.gov.kw'
      - 'e.gov.kw'
      - 'cait.gov.kw'
      - 'moh.gov.kw'
  suspicious_src:
    src_ip|not-cidr:
      - '10.0.0.0/8'
      - '46.x.x.x'
  query_rate:
    count: '>10'
    timespan: '60s'
  condition: selection and suspicious_src
falsepositives: Search engines, CDN health checks
level: medium
tags: [313Team, recon, dns, kuwait_gov, pre_attack]
```
```yara
// Rule name changed to a valid YARA identifier (no spaces, no leading digit)
rule Team313_Wiper_Carroll_Batch {
    meta:
        description = "Detects 313 Team wiper obfuscated batch script (Carroll)"
        author = "HAWK-EYE Threat Intelligence"
        date = "2026-03-11"
        reference = "https://www.splunk.com/en_us/blog/security/313 Teams-wiper-threat-analysis-and-detections.html"
        tlp = "TLP:CLEAR"
        severity = "CRITICAL"
    strings:
        $cmd_copy = "cmd /k copy" ascii nocase
        $carroll = "Carroll" ascii
        $cmd_ext = ".cmd" ascii
        // Not referenced by the condition; commented out because YARA rejects unreferenced strings
        // $exit = "& exit" ascii
        // AV process checks
        $av1 = "wrsa.exe" ascii nocase
        $av2 = "opssvc.exe" ascii nocase
        $av3 = "avastui.exe" ascii nocase
        $av4 = "avgui.exe" ascii nocase
        $av5 = "bdservicehost.exe" ascii nocase
        $av6 = "nswscsvc.exe" ascii nocase
        $av7 = "sophoshealth.exe" ascii nocase
        // Time delay evasion
        $ping_delay = "ping -n" ascii nocase
    condition:
        filesize < 500KB and
        (($cmd_copy and $carroll and $cmd_ext) or
         (3 of ($av*) and $ping_delay))
}
```
```yara
// Rule name changed to a valid YARA identifier (no spaces, no leading digit)
rule Team313_Wiper_AutoIt_Loader {
    meta:
        description = "Detects 313 Team AutoIt-based wiper payload loader"
        author = "HAWK-EYE Threat Intelligence"
        date = "2026-03-11"
        severity = "CRITICAL"
    strings:
        $autoit_header = "#AutoIt3Wrapper" ascii
        $rtl_decompress = "RtlDecompressFragment" ascii wide
        $shellcode_x86 = { 55 8B EC 83 EC ?? 53 56 57 }
        $shellcode_x64 = { 48 89 5C 24 ?? 48 89 74 24 ?? 57 48 83 EC }
        $regasm = "RegAsm" ascii wide nocase
        $inject_api = "NtWriteVirtualMemory" ascii wide
        $create_proc = "CreateProcessA" ascii wide
    condition:
        filesize < 5MB and
        ($autoit_header or $rtl_decompress) and
        ($regasm or $inject_api or $create_proc) and
        any of ($shellcode_*)
}
```
```yara
// Rule name changed to a valid YARA identifier (no spaces, no leading digit)
rule Team313_Wiper_Disk_Overwrite {
    meta:
        description = "Detects 313 Team wiper disk overwrite component"
        author = "HAWK-EYE Threat Intelligence"
        date = "2026-03-11"
        severity = "CRITICAL"
    strings:
        // File overwrite patterns
        $overwrite_func = { 8B ?? ?? 83 ?? 00 10 00 00 } // 4096 byte check
        $random_fill = "RtlGenRandom" ascii wide
        $zero_fill = { C7 ?? 00 00 00 00 C7 ?? 04 00 00 00 00 }
        // System info gathering (pre-wipe recon)
        $hostname = "COMPUTERNAME" ascii wide
        $username = "USERNAME" ascii wide
        $domain = "USERDOMAIN" ascii wide
        $diskspace = "GetDiskFreeSpaceEx" ascii wide
        // Telegram C2
        $telegram = "api.telegram.org" ascii wide
        // Not referenced by the condition; commented out because YARA rejects unreferenced strings
        // $bot_token = "/bot" ascii wide
        // $send_msg = "sendMessage" ascii wide
        // $send_doc = "sendDocument" ascii wide
        // IP check
        $ip_check = "icanhazip.com" ascii wide
    condition:
        filesize < 10MB and
        (2 of ($overwrite_func, $random_fill, $zero_fill)) and
        (2 of ($hostname, $username, $domain, $diskspace)) and
        ($telegram or $ip_check)
}
```
```yara
// Rule name changed to a valid YARA identifier (no spaces, no leading digit)
rule Team313_BYOVD_ListOpenedFileDrv {
    meta:
        description = "Detects BYOVD driver used by 313 Team for kernel file enumeration"
        author = "HAWK-EYE Threat Intelligence"
        date = "2026-03-11"
        severity = "HIGH"
    strings:
        $pdb = "openfilefinder_src" ascii nocase
        $driver_name = "ListOpenedFileDrv" ascii wide nocase
        $device_io = "DeviceIoControl" ascii wide
        $file_object = "FILE_OBJECT" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        filesize < 100KB and
        ($pdb or $driver_name) and
        ($device_io or $file_object)
}
```
```yara
// Rule name changed to a valid YARA identifier (no spaces, no leading digit)
rule Team313_NSIS_NoExtension_Payload {
    meta:
        description = "Detects NSIS installer with no-extension payload files (313 Team delivery)"
        author = "HAWK-EYE Threat Intelligence"
        date = "2026-03-11"
        severity = "HIGH"
    strings:
        $nsis_header = { EF BE AD DE 4E 75 6C 6C } // NSIS magic
        $nsis_str = "Nullsoft" ascii
        $cmd_copy_pattern = "cmd /k copy" ascii nocase
        $autoit_ref = "AutoIt" ascii nocase
        $concat_pattern = /copy\s+\/b\s+\w+\+\w+/ ascii nocase
    condition:
        ($nsis_header or $nsis_str) and
        ($cmd_copy_pattern or $autoit_ref or $concat_pattern)
}
```
```yara
// Rule name changed to a valid YARA identifier (no spaces, no leading digit)
rule Team313_BiBi_Wiper_Family {
    meta:
        description = "Detects BiBi wiper variants associated with 313 Team/Void Manticore"
        author = "HAWK-EYE Threat Intelligence"
        date = "2026-03-11"
        reference = "Check Point Research - Void Manticore"
        severity = "CRITICAL"
    strings:
        $bibi_str1 = "BiBi" ascii wide nocase
        $bibi_str2 = "[+] Stats:" ascii
        $wiper_msg = "You have been pwned" ascii wide nocase
        // Not referenced by the condition; commented out because YARA rejects unreferenced strings
        // $ext_target = ".pdf" ascii
        // $ext_target2 = ".docx" ascii
        // $ext_target3 = ".xlsx" ascii
        // Disk operations
        $raw_disk = "\\\\.\\PhysicalDrive" ascii wide
        $partition = "\\\\.\\PHYSICALDRIVE" ascii wide
        $mbr_access = { B8 00 00 00 00 BA 00 00 00 00 }
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (($bibi_str1 or $bibi_str2 or $wiper_msg) and
         ($raw_disk or $partition or $mbr_access))
}
```
The 313 Team's explicit framing of Kuwait as a military front (citing US forces at Ali Al Salem Air Base), combined with the kinetic drone strike against that base on March 7, 2026, creates conditions for sustained, intensifying cyber operations against Kuwaiti critical infrastructure. Organizations operating water, electricity, health, and financial systems should activate elevated DDoS and ICS monitoring postures immediately.
| Source | Title |
|---|---|
| Palo Alto Unit 42 | Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran (March 9, 2026) |
| Flashpoint | Escalation in the Middle East: Tracking Operation Epic Fury Across Military and Cyber Domains (March 10, 2026) |
| Cisco Talos | Update, March 10: Talos on the Developing Situation in the Middle East (March 10, 2026) |
| SOCRadar | Iran vs. Israel & US Cyber War 2026: Operation Epic Fury Threat Intelligence (March 10, 2026) |
| SOCRadar | Telegram Hacktivist Activity Timeline of Iran–Israel–US War (March 2026) |
| FalconFeeds.io | Islamic Cyber Resistance — Team 313 claims Kuwait MoD website attack (March 2026) |
| FalconFeeds.io | 313 Team Claims Ongoing Cyberattacks on Kuwait — 72-hour campaign, 26 domains (March 2026) |
| The Hacker News | 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict (March 9, 2026) |
| Radware | The hacktivist threat in the Middle East — Kuwait 28% of all attack claims. Radware DDoS Threat Report 2026 |
| RH-ISAC | Middle East Conflict Cyber Threat Landscape (March 2026) |
| ICT Cyber-Terrorism Desk | Monthly Trend Report: January 2026 — Islamic Cyber Resistance Axis structure |
| CSIS Strategic Technologies Blog | Beyond Hacktivism: Iran's Coordinated Cyber Threat Landscape (2025) |
| SecurityScorecard STRIKE | From the Depths of the Shadows: IRGC and Hacker Collectives of the 12-Day War (August 2025) |
| Computer Weekly | Iranian Hacktivists Muster Their Forces But State APTs Lay Low (March 6, 2026) |
| ISMC/GovInfoSecurity | Cyberattacks and Unpredictable Targeting Remain an Iran Risk (March 6, 2026) |
| Hunter Strategy | Surge in Cyber Threats: Middle East Activities (March 2026) |
| GitHub / 313Team | 313Team GitHub Organization — tooling repositories and group description |
| MITRE ATT&CK | Enterprise and ICS ATT&CK Framework v15 (2025) |
This report may be freely shared. Produced March 2026 | Version 1.0 | For Authorized Use