Executive Summary
The cyber environment surrounding the U.S.-Iranian conflict and regional tensions has produced a decentralized wartime cyber ecosystem in service of Iran. It is not a single organized force, instead, it is a loose mix of jihadist-aligned cyber collectives, nationalist actors, and state-adjacent influence networks that converge around shared enemies and geopolitical narratives. This activity has intensified with tensions around the events in Iran and the attacks on regional infrastructure.
The ecosystem operates through Telegram channels and websites, shared target lists, DDoS-for-hire tools, recycled breach data and leak-amplification campaigns. Attack claims and propaganda often appear within hours of kinetic events. This gives actors a deniable auxiliary role while keeping them separate from formal state structures.
Most activity remains technically unsophisticated. DDoS attacks, website defacements, and hack & leak extortion-style messaging with exaggerated claims are more common than verified advanced intrusions. The strategic effect comes less from technical capability than from speed, visibility, and ideological framing that make it into news cycles. In practice these actors use cyber activity as scalable asymmetric information warfare. Even with limited high-end capability, loosely aligned ideological and state-adjacent networks can impose psychological, political, and economic pressure on adversaries during periods of regional crisis.
Iran Aligned Actor Groups

The current pro-Iran and “Axis of Resistance” cyber ecosystem is decentralized, blending hacktivist groups, ideological cyber militias, influence operators, and jihadist cyber propagandists. This ecosystem does not operate as a single command infrastructure, instead functioning as a loose knit cyber mobilization network. Coordination happens through online platforms like Telegram and websites created for dumps of data and propaganda release. All of these are then amplified by social media and news reporting picking up on splashy reports of hack-and-leak operations for the most part.
The groups in this report show how modern cyber conflict is moving beyond traditional espionage toward more influence operations. Much of this activity is built for wartime influence by leveraging public visibility for asymmetric pressure against perceived enemies.
Their primary tradecraft centers on DDoS campaigns, hack-and-leak operations, propaganda amplification, and extortion-style messaging. Targeting is often symbolic, with activity directed against government, telecommunications, healthcare, finance, logistics, and open-source infrastructure that is aligned with, or within the borders of, the enemies of the state they are supporting.

The ecosystem matters less because of proven advanced capability and more because of scale, coordination, and visibility. It can turn low-cost disruption into wartime psychological pressure. Groups such as Handala, 313 Team, Cyber Islamic Resistance, Fatimiyoun/FAD Team, Dark Storm, CJM, Keymous+, DieNet, MONARCH, Killnet, and other coalition actors create the appearance of a broad transnational cyber front. They do this primarily through synchronized propaganda and hacking campaigns.
One notable example of this activity is the May 2026 DDoS campaign against Canonical and Ubuntu infrastructure. This campaign demonstrated how commercial stresser tools and coalition amplification could be used to create outsized disruption against globally important digital platforms.
As tensions rise around the Strait of Hormuz and the wider regional conflict these actors should be treated as deniable asymmetric auxiliaries (e.g. proxies). They may not always demonstrate high-end capability but they can still generate persistent disruption, economic and reputational damage, and psychological instability.
Islamic Cyber Resistance in Iraq / 313 Team

The Islamic Cyber Resistance in Iraq, also known as 313 Team, is one of the most visible Iraqi resistance-branded cyber personas in the pro-Iran ecosystem. Its “313” branding draws from Shia theology and militia culture, giving the group ideological weight inside Iran-aligned media and militia networks.
Operationally, 313 Team focuses on DDoS attacks and website disruption. It also uses Telegram propaganda, symbolic targeting and wartime messaging. The group gained visibility during the aforementioned May 2026 DDoS campaign against Canonical and Ubuntu infrastructure. The campaign affected ubuntu.com, Launchpad package repositories and security APIs update systems as well as related services used by enterprise and cloud environments.
The group claimed use of the “Beamed” DDoS-for-hire platform. This reinforces the assessment that its model relies more on commercial stressers, shared infrastructure, and coalition tooling than it does on custom malware or advanced tradecraft.The Ubuntu campaign was significant because of asymmetric leverage rather than technical sophistication. By targeting open-source infrastructure used across enterprise cloud DevOps and security-update environments, the group created outsized visibility and operational friction with relatively simple methods, in this case DDoS.
313 Team has also been linked to GitHub-hosted tooling. It has used public proof-of-impact services such as check-host[.]net to confirm events. Reporting also connects the group to SQL-injection tools, AI-generated propaganda, and defacement-style activity against government and institutional targets in Kuwait and the wider Gulf. 313 Team operates inside the broader coalition environment of similar groups. Reported aligned actors include RipperSec, Cyb3rDrag0nz, Cyber Fattah Team, Fatimiyoun/FAD Team, Conquerors Electronic Army, and other resistance-branded groups. These actors coordinate through Telegram, shared narratives, target lists, and synchronized public claims. This structure lets low-to-moderate capability actors create the appearance of a larger cyber front.
Threat Assessment:
Moderate-to-high for DDoS, disruption, propaganda amplification, and wartime information operations; low-to-moderate for opportunistic intrusion activity; currently low for verified advanced destructive or cyber-physical capability.
Handala Hack Team

Handala Hack Team is among the most consequential and psychologically sophisticated actors in the pro-Iran ecosystem. Unlike many disruption-focused hacktivist groups, Handala specializes in hack-and-leak operations, intimidation campaigns, identity exposure, and coercive information operations.
The group has repeatedly demonstrated a focus on:
- high-visibility leaks
- personal targeting
- reputational attacks
- and psychologically impactful operations
Its activity aligns closely with Iranian information warfare objectives, even where formal command relationships remain unconfirmed. Handala’s operations frequently blend cyber intrusion claims with propaganda, coercive messaging, and public intimidation. Within the ecosystem, Handala functions as a high-credibility influence and leak node whose operations provide aspirational models for smaller hacktivist crews. It is also of note that recent attacks have leveraged hack and wiper activities that place Handala at a higher level of damage capabilities than the others profiled here.
Threat Assessment:
High for psychological operations, hack-and-leak activity, and reputational damage; moderate for broader disruptive capability.
Cyber Fattah Team

Cyber Fattah ( فاتح سايبر) is a pro-Iran hacktivist persona focused on wartime propaganda, DDoS activity, defacement operations, and symbolic disruption. The group operates within the broader Axis-aligned propaganda ecosystem and contributes to coalition attack volume during periods of regional escalation.
Its operations are consistent with mid-tier wartime hacktivism:
- public target selection
- disruption claims
- Telegram amplification
- and symbolic attacks against state and infrastructure targets
The group’s strategic importance lies more in participation and coalition signaling than technical sophistication.
Threat Assessment:
Moderate for DDoS, disruption, and propaganda amplification.
Fatimiyoun Cyber Team / FAD Team

Fatimiyoun Cyber Team, also referred to as FAD Team, combines militia-aligned ideological branding with rhetoric centered on cyber sabotage, destructive operations, and critical infrastructure intimidation. The group frequently references wiper malware, permanent destruction narratives, and infrastructure targeting themes.
The “Fatimiyoun” branding invokes the Afghan Shia militia ecosystem aligned with Iran’s regional proxy architecture, providing ideological legitimacy and escalation signaling.
Although public evidence of mature destructive capability remains limited, the group’s strategic value lies in psychological escalation. By repeatedly framing itself around cyber sabotage and infrastructure destruction, it injects uncertainty into the wartime information environment.
Threat Assessment:
Moderate-to-high for intimidation and escalation signaling; unverified for sophisticated destructive operations.
Cyber Isnaad Front

Cyber Isnaad Front ("الجبهة الإسناد السيبرانية) represents the evolution of pro-Iran cyber activity from infrastructure disruption toward individualized coercive targeting. The group has reportedly published target lists and conducted intimidation-oriented campaigns focused on individuals tied to critical sectors. Its operations demonstrate the increasing fusion of cyber operations with psychological warfare and harassment tactics. Rather than focusing solely on institutional compromise, the group attempts to generate fear and pressure through exposure, intimidation, and public targeting.
Threat Assessment:
Moderate for intimidation, doxxing, and psychological pressure campaigns.
Dark Storm Team

Dark Storm Team occupies a hybrid space between ideological hacktivism and criminal-adjacent cyber operations. The group has been linked to DDoS campaigns, ransomware claims, and attacks targeting financial-sector organizations.
Unlike purely ideological DDoS crews, Dark Storm’s association with ransomware narratives increases its risk profile by blending coercive financial pressure with wartime propaganda.The group contributes to the ecosystem by providing both disruption capability and criminal-style intimidation mechanics.
Threat Assessment:
High for DDoS; moderate-to-high if ransomware capability is operationally validated.
APT Iran

APT Iran (مرکز تحقیقاتی) is primarily a branding-oriented pro-Iran hacktivist persona rather than a formally identified state APT. The name itself is strategically useful because it implies sophistication and state linkage regardless of actual operational capability.
The group appears focused on:
- symbolic targeting (retribution ops)
- propaganda-oriented disruption
- and coalition participation for propaganda
Its value within the ecosystem is narrative inflation rather than uniquely advanced capability.
Threat Assessment:
Moderate for disruption claims and propaganda amplification.
Evil Markhors

Evil Markhors (ایول مارخور) occupies a more operationally useful niche within the ecosystem by focusing on credential harvesting, reconnaissance, and exposed-system discovery. While less visible publicly than DDoS-centric actors, credential and recon-focused groups are strategically important because they can enable downstream compromise by coalition participants.
The group’s activities likely include:
- password spraying
- reconnaissance scanning
- exposure discovery
- and credential aggregation
In a decentralized coalition environment, such access-enablement actors can disproportionately increase ecosystem effectiveness.
Threat Assessment:
Moderate for credential compromise and reconnaissance; potentially higher if access-sharing occurs across coalition actors.
Conquerors Electronic Army (CEA)

Conquerors Electronic Army (جيش الفاتحين الإلكتروني,) functions as a coalition-aligned DDoS and propaganda actor participating in wartime disruption campaigns. The group contributes to coalition messaging, attack volume, and amplification operations targeting Israeli and Western infrastructure.
Its operational profile is consistent with high-visibility wartime hacktivism:
- DDoS
- defacement
- and public disruption claims
Threat Assessment:
Moderate for DDoS and defacement activity.
Nation of Saviors (NOS)

Nation of Saviors is a smaller coalition participant operating within pro-Palestinian and anti-Israel narratives. Its significance lies primarily in coalition breadth and amplification rather than technical specialization.
The group contributes:
- DDoS participation
- propaganda reinforcement
- and wartime messaging
Threat Assessment:
Moderate for coalition participation and DDoS activity.
Hider Nex / Tunisian Maskers Cyber Force

Hider Nex, also known as Tunisian Maskers Cyber Force, is a regional pro-Palestinian actor associated with telecom-focused DDoS campaigns and symbolic infrastructure targeting.
The group’s operations demonstrate the ecosystem’s ability to rapidly mobilize around visible civilian infrastructure targets where even limited disruption can generate substantial media attention and psychological impact.
Threat Assessment:
Moderate for symbolic disruption and telecom-targeted DDoS operations.
RipperSec

RipperSec (新闻频道) is a coalition-aligned hacktivist group focused on DDoS, defacement, and propaganda amplification based in Malaysia. The group’s importance lies in demonstrating how the ecosystem absorbs or aligns with preexisting hacktivist brands in order to rapidly increase campaign scale.
Its activity is primarily tactical:
- disruption
- visibility
- and social-media amplification
Threat Assessment:
Moderate for DDoS and defacement operations.
Cyb3rDrag0nz

Cyb3rDrag0nz represents another coalition-density actor contributing to DDoS campaigns, Telegram amplification, and wartime disruption messaging. Like many smaller crews in the ecosystem, its primary value lies not in technical specialization but in attack-volume generation and coalition optics.
Threat Assessment:
Moderate for DDoS and propaganda participation.
Cyber Jihad Movement (CJM)

Cyber Jihad Movement (CJM الجهاد السيبراني) represents one of the most strategically significant developments within the wartime cyber ecosystem because it bridges Sunni jihadist cyber mobilization with the broader Iranian Axis-aligned cyber environment.
The group’s public statements call for “global cyber jihad” against the United States, Israel, and allied governments. This messaging signals a tactical convergence between historically hostile ideological ecosystems united temporarily around shared anti-Western objectives.
CJM’s importance is therefore ideological and mobilizational rather than purely technical. It expands the ecosystem’s recruitment potential, propaganda reach, and cross-platform amplification capacity.
Threat Assessment:
Moderate for ideological mobilization, propaganda amplification, and public-sector disruption.
Keymous+

Keymous+ emerged as one of the highest-volume DDoS actors during the early 2026 wartime surge. Its strategic importance lies in attack tempo and operational persistence rather than advanced intrusion capability.
The group demonstrates how commodity stresser infrastructure and coordinated attack waves can create disproportionate operational burden and media attention.
Threat Assessment:
High for DDoS volume and sustained disruption.
DieNet

DieNet functions similarly to Keymous+, contributing persistent high-volume DDoS activity against government and public-sector targets.
Its role within the coalition is to sustain operational noise, repeated disruption, and public claim generation during escalation cycles.
Threat Assessment:
High for DDoS and operational disruption.
NoName057(16)
NoName057(16) aka DDoSiaProject is primarily a pro-Russian hacktivist actor that entered the broader anti-Western and pro-Iran wartime ecosystem opportunistically. Its participation demonstrates increasing convergence between Russian-aligned cyber activism and Middle East wartime cyber narratives.
The group is already well known for high-volume DDoS operations, making it a natural participant in coalition-style wartime disruption campaigns.
Threat Assessment:
High for DDoS and coalition amplification.
Killnet

Killnet represents a pro-Russian hacktivist brand whose wartime participation appears primarily opportunistic and ideologically adjacent rather than directly subordinated to Iranian coordination structures. The group contributes symbolic support, amplification, and anti-Western targeting consistent with broader wartime narratives.
Threat Assessment:
Moderate-to-high for DDoS and propaganda amplification.
Russian Legion aka CARDINAL aka MONARCH

The Russian Legion now increasingly uses the name MONARCH. It appears to function as an opportunistic anti-Western amplification actor within the wider Iran, Israel, and U.S. wartime cyber ecosystem.
The shift from Russian Legion to MONARCH fits a broader pattern of hacktivist identity cycling. It also fits the use of refreshed propaganda rebranding to maintain visibility and complicate attribution. The actor’s messaging remains focused on anti-Western, anti-Israel, and militarized geopolitical narratives. Its activity emphasizes symbolic targeting, wartime propaganda, and high-visibility disruption claims.
Operationally MONARCH appears to fill the same role previously associated with the Russian Legion. That role includes coalition participation, DDoS-focused disruption, influence amplification, and synchronized wartime messaging. However, there is limited public evidence of independently verified advanced intrusion capability.
Telegram and social media appear central to its model. These platforms allow the group to spread claims, announce targets, and amplify coalition building propaganda across loosely connected pro-Russian and pro-Iran information networks.
Analytically, MONARCH should be understood less as a standalone sophisticated threat actor and more as a coalition-force multiplier operating within a decentralized proxy cyber environment. Its strategic value derives from visibility, repetition, ideological alignment and the ability to reinforce a wider perception of coordinated cyber pressure.
Threat Assessment:
Moderate for DDoS, coalition amplification, and wartime propaganda operations; low-to-moderate for independently verified advanced intrusion capability; currently low for demonstrated destructive or cyber-physical operations.
Server Killers

Server Killers illustrates the opportunistic nature of wartime cyber ecosystems. The group appears motivated by visibility and coalition participation rather than deep strategic coordination. Its presence demonstrates how wartime cyber conflicts attract loosely affiliated actors seeking relevance or opportunistic influence within larger geopolitical narratives.
Threat Assessment:
Moderate for nuisance disruption and opportunistic DDoS activity.
Strategic Assessment
The pro-Iran cyber ecosystem increasingly resembles a form of decentralized digital proxy warfare rather than traditional state-centric cyber operations.
Its defining characteristics are:
- coalition behavior
- Telegram-native coordination
- rapid mobilization
- ideological amplification
- and psychological disruption
The ecosystem’s center of gravity is not advanced malware, covert espionage, or long-term persistence. Instead, it is rapid disruption turned into strategic psychological effect through coalition activity, synchronized propaganda, and wartime information operations.
As regional conflict continues to intensify, these actors are likely to remain focused on:
- DDoS campaigns
- symbolic infrastructure targeting
- leak operations
- coercive messaging
- and psychological pressure operations
Defensive Implications
Organizations should treat this cluster as a disruption and reputational-risk threat during periods of geopolitical escalation. Priority controls should focus on
- DDoS readiness
- WAF and CDN hardening
- credential-stuffing detection
- MFA enforcement
- leaked-credential monitoring
- abuse-desk escalation
- executive doxxing monitoring
- rapid response and communications procedures for false or exaggerated breach claims
The key analytic discipline is separating access from amplification. A Telegram claim does not prove intrusion. A DDoS screenshot does not prove compromise. A leaked sample does not prove current access.
Still, repeated low-end activity across many brands can create real operational pressure, reputational damage, and psychological cost.
Conclusions
The pro-Iran and “Axis of Resistance” cyber ecosystem is best understood as a decentralized wartime disruption network, not a traditional APT structure. Its strength is not advanced technical capability, but speed, visibility, coalition activity, and the ability to turn low-cost cyber actions into psychological and political pressure. Many of these groups function as proxies or cutouts for Iranian-aligned interests, with varying degrees of likely support, direction, encouragement, or operational tolerance from Iran. These groups and related actors help create the appearance of a broad transnational cyber front. That perception is itself part of the operation.
Most of these actors rely on basic tradecraft, including DDoS attacks, defacements, credential reuse, recycled breach data, public claims, and propaganda amplification to effect. These methods are often low-end, but they can still create real impact when many groups act at once during geopolitical escalation. The main defensive challenge is not only intrusion prevention, but also managing disruption, reputational risk, and alert fatigue across public-facing systems.
During future Gulf-region escalation, this ecosystem is likely to surge quickly, with claims appearing within hours of kinetic events.The core assessment is that this ecosystem is less a high-end cyber weapon than a scalable asymmetric pressure system, with value derived from mobilization, amplification, and psychological effect.



