Full Report
Pro-Iran hackers urged “epic war” allies to stand as unified “mujahideen” as one team decided to withdraw from the coalition and settle into a neutral position due to Iran’s attacks on Kurdish territory and forces. Cyber Islamic Resistance, a pro-Iran hacking collective, posted a video Wednesday on its Telegram channel with a shadowy figure at…
Analysis Summary
# Threat Actor: Cyber Islamic Resistance Axis (and associated coalition)
## Attribution & Identity
* **Actor Name:** Cyber Islamic Resistance (also referred to as the Islamic Resistance Axis)
* **Leadership:** A figure identified as "Abu Omar," described as the "commander of the electronic Islamic resistance axis."
* **Affiliation:** Pro-Iran collective.
* **Associated Groups (Coalition Members):**
  * 313 Team (Islamic Cyber Resistance in Iraq)
  * Sylhet Gang-SG
  * DieNet
  * FAD Team
  * Cyber Fatteh Team
  * liwaamohammad
  * Conquerors Electronic Army
  * Mhawear
  * Tharullah Brigade
  * Moroccan Black Cyber Army
  * RipperSec
  * Systemadminbd
  * *Note:* Cyb3r Drag0nz (Kurdish team) was formerly associated but recently withdrew.
## Activity Summary
In early March 2026, the collective launched a coordinated campaign termed the "great battle of epic war." This escalation was framed as retaliation for a February 28 strike on a school in Minab, Iran (attributed by the group to "occupying entities"). The campaign includes high-volume DDoS attacks against government services and critical infrastructure in Israel and Gulf nations perceived as supporting U.S. interests.
## Tactics, Techniques & Procedures
* **Distributed Denial of Service (DDoS):** Use of "massive IP address networks" to flood targets. DieNet claimed to send over nine billion requests in a single operation.
* **Website Defacement:** Collective hijacking of websites to post unified political manifestos and threats.
* **WAF/CDN Bypassing:** Explicit claims by member groups (DieNet) of the ability to bypass Web Application Firewalls and Content Delivery Networks.
* **Psychological Operations (PsyOps):** Use of Telegram and X (formerly Twitter) to post highly produced videos and "calls to jihad" to recruit other hackers and intimidate adversaries.
## Targeting
* **Sectors:** Government Services, Manufacturing (Glass), Military Infrastructure (indirectly via media blackout retaliation), Education (Seminaries/Schools).
* **Geography:** Israel, Kuwait, Qatar, and the Kurdistan region.
* **Victims:**
  * Israeli government services portal (my.gov.il).
  * Kuwaiti government websites (26 specific sites).
  * Seedeco (Qatari glass manufacturer).
  * Qatari government servers (hosted on Amazon Technologies Inc. infrastructure).
## Tools & Infrastructure
* **Infrastructure:** Extensive use of Telegram for Command and Control (C2) and communication.
* **Cloud Hosting Exploitation:** Targeting of services hosted on Amazon Technologies Inc. (AWS).
* **Defanged References:**
  * hXXps://t[.]me/ (Primary communication channels)
  * my[.]gov[.]il
  * seedeco[.]com[.]qa
## Implications
The formation of a unified "Islamic Cyber Front" indicates an increasing level of coordination among pro-Iran hacktivist groups, transitioning from isolated incidents to synchronized regional campaigns. The withdrawal of the Kurdish "Cyb3r Drag0nz" highlights internal geopolitical fractures within the coalition, specifically regarding Iran’s kinetic actions in Kurdistan. However, the remaining coalition poses a significant threat to Gulf state infrastructure and Israeli digital services, specifically aiming to punish nations that host U.S. military assets.
## Mitigations
* **DDoS Protection:** Implement robust anti-DDoS solutions capable of handling multi-billion-request volumes and high-velocity IP switching.
* **WAF Hardening:** Ensure Web Application Firewalls are configured to recognize and block botnet-like behavior, even when originating from distributed IP pools.
* **Geoblocking:** Organizations in the affected regions should consider temporary geoblocking of non-essential traffic from known high-risk origin points.
* **Vulnerability Management:** Patch public-facing web servers immediately to prevent the defacements utilized by this collective for propaganda.
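
The WAF hardening point above, as an added example that is not part of the original report: a per-IP rate rule misses a flood spread across a distributed IP pool, so this code groups requests by path and user agent per time window and alerts on aggregate volume and source count. The log rows, field layout and all thresholds are constructed assumptions.

```python
from collections import defaultdict

WINDOW = 10        # seconds per bucket (assumed)
PER_IP_LIMIT = 5   # assumed per-IP requests/window a simple rate rule allows
AGG_LIMIT = 20     # assumed aggregate requests/window for one fingerprint
MIN_SOURCES = 10   # assumed distinct IPs needed to call it distributed

def make_sample():
    """Constructed log rows: (epoch_second, client_ip, path, user_agent)."""
    rows = []
    # Ordinary traffic: four clients browsing three pages.
    for t in range(20):
        rows.append((t, f"198.51.100.{t % 4}", f"/page{t % 3}", "Mozilla/5.0"))
    # Distributed flood: 30 sources, 2 requests each, same path and agent.
    for i in range(30):
        for k in range(2):
            rows.append((10 + (i + k) % 10, f"203.0.113.{i}", "/login", "bot/1.0"))
    return rows

def per_ip_rule_hits(rows):
    """IPs that a plain per-IP rate limit would have blocked."""
    counts = defaultdict(int)
    for ts, ip, _path, _ua in rows:
        counts[(ts - ts % WINDOW, ip)] += 1
    return sorted({ip for (_, ip), n in counts.items() if n > PER_IP_LIMIT})

def detect(rows):
    """Flag (window, path, agent, total, sources, max_per_ip) by aggregate volume."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, ip, path, ua in rows:
        buckets[(ts - ts % WINDOW, path, ua)][ip] += 1
    alerts = []
    for (start, path, ua), per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        if total > AGG_LIMIT and len(per_ip) >= MIN_SOURCES:
            alerts.append((start, path, ua, total, len(per_ip), max(per_ip.values())))
    return alerts

if __name__ == "__main__":
    sample = make_sample()
    print("per-IP rule blocks:", per_ip_rule_hits(sample))
    for alert in detect(sample):
        print("aggregate alert:", alert)
```

On the constructed sample the per-IP rule blocks nothing, while the aggregate view flags the `/login` fingerprint because no single source exceeds two requests in the window.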