Full Report
'Expect elevated activity for the foreseeable future' Iranian hackers have launched spying expeditions, digital probes, and distributed denial of service (DDoS) attacks in the wake of the US and Israel launching missile strikes over the weekend, and security researchers urge organizations to expect more cyber intrusions as the war continues.…
Analysis Summary
# Threat Actor: Cotton Sandstorm
## Attribution & Identity
* **Primary Name:** Cotton Sandstorm
* **Aliases:** Haywire Kitten, Altoufan Team (cyber persona/hacktivist front).
* **Associated Groups:** Affiliated with the Islamic Revolutionary Guard Corps (IRGC) of Iran.
* **Other Noted Groups in Context:** APT IRAN, Cyber Islamic Resistance, and CyberAv3ngers (mentioned as part of the broader Iranian state-sponsored ecosystem).
## Activity Summary
Cotton Sandstorm has been observed launching intelligence-gathering and disruptive operations coinciding with military strikes involving the US and Israel in early 2026. Activities began with "scouting" and gauging regional vulnerabilities in February 2026. Following a brief lull during kinetic strikes, the group revived its "Altoufan Team" persona to claim attacks in Bahrain and has deployed ransomware and infostealers against Israeli targets.
## Tactics, Techniques & Procedures
* **Initial Access:** Spearphishing campaigns masquerading as "urgent software updates."
* **Reconnaissance:** Sophisticated probing of APIs and mobile applications to identify vulnerabilities in regional government infrastructure.
* **Execution/Impact:**
  * Deployment of custom modular malware.
  * Deployment of ransomware for disruptive purposes.
  * Distributed Denial of Service (DDoS) attacks.
* **Information Operations:** Use of social media personas (e.g., Altoufan Team) to claim hacks, engage in disinformation, and amplify the psychological impact of cyber operations.
* **MITRE ATT&CK IDs (Inferred):**
  * T1566 (Phishing)
  * T1486 (Data Encrypted for Impact)
  * T1498 (Network Denial of Service)
  * T1584 (Compromise Infrastructure)
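As an added example (not part of the report, and not tooling from any vendor named in it), the Python below triages mail for the "urgent software update" pretext described under Initial Access: a message is flagged when its subject carries update-urgency wording and its links resolve to a registered domain other than the sender's, which is the domain the lure claims to speak for. The sample messages, domain names and keyword list are constructed for the example.

```python
"""Triage heuristic for "urgent software update" spearphishing lures.

Added illustrative example, not code from the report or from any vendor.
It flags e-mail whose subject carries update-urgency language while its
links lead to a registered domain that differs from the sender's domain.
All messages and domains below are constructed samples.
"""
import re
from email import message_from_string, utils as email_utils
from email.message import Message
from urllib.parse import urlparse

# Subject wording typical of the "urgent software update" pretext (assumed list).
URGENCY_RE = re.compile(
    r"\b(urgent|immediate|critical|mandatory)\b.*\b(update|patch|upgrade)\b", re.I
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels.

    Assumption for the example: no public-suffix list, so 'example.co.uk'
    would collapse to 'co.uk'; a production check should consult one.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg: Message) -> str:
    """Registered domain of the From: address as the recipient sees it."""
    addr = email_utils.parseaddr(msg.get("From", ""))[1]
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def link_domains(msg: Message) -> set[str]:
    """Registered domains of every URL found in the text parts."""
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        for url in URL_RE.findall(payload.decode("utf-8", "replace")):
            host = urlparse(url).hostname
            if host:
                found.add(registered_domain(host))
    return found


def triage(raw_messages: list[str]) -> list[dict]:
    """One finding per message: 'suspicious' when urgency wording meets a foreign link."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = msg.get("Subject", "")
        sender = sender_domain(msg)
        foreign = sorted(d for d in link_domains(msg) if d != sender)
        urgent = bool(URGENCY_RE.search(subject))
        findings.append({
            "subject": subject,
            "sender_domain": sender,
            "foreign_links": foreign,
            "verdict": "suspicious" if urgent and foreign else "clean",
        })
    return findings


# Constructed samples: a lure, a genuine vendor notice, and an unrelated mail.
SAMPLES = [
    "From: IT Support <helpdesk@vendor-example.com>\n"
    "Subject: URGENT: Mandatory security update required today\n"
    "Content-Type: text/plain\n\n"
    "Install the patch now: http://vendor-example-updates.net/patch/setup.exe\n",
    "From: Release Team <release@vendor-example.com>\n"
    "Subject: Urgent patch available for version 4.2\n"
    "Content-Type: text/plain\n\n"
    "Download from https://downloads.vendor-example.com/releases/4.2/\n",
    "From: News <news@vendor-example.com>\n"
    "Subject: Monthly newsletter\n"
    "Content-Type: text/plain\n\n"
    "Read more at http://blog.partner-example.org/october\n",
]

if __name__ == "__main__":
    for f in triage(SAMPLES):
        print(f["verdict"], "|", f["subject"], "|", f["foreign_links"])
```

The second sample shows why the link check is keyed on the sender's registered domain rather than the exact host: a real vendor notice that links to its own download subdomain stays clean, while the lure's look-alike domain is caught. A mismatch is a triage signal, not proof of phishing; the same rule would also flag legitimate mail that links through a third-party distribution service, so pair it with sender authentication results (SPF/DKIM/DMARC) before acting on it.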
## Targeting
* **Sectors:** Defense contractors, government suppliers, critical infrastructure, telecommunications (mobile apps), and Industrial Control Systems (ICS/OT).
* **Geography:** Primarily Israel, Bahrain, Jordan, and other Persian Gulf/GCC countries. Secondary focus on the United States and Poland.
* **Victims:** Regional governments in the Middle East; organizations using Israeli-made operational technology (e.g., Unitronics PLCs).
## Tools & Infrastructure
* **Malware Families:**
  * **WezRat:** A custom modular infostealer.
  * **WhiteLock:** Ransomware used against Israeli targets.
* **Infrastructure:**
  * Compromised Israel-based internet routers.
  * Hacktivist front personas on social media (e.g., hxxps[://]x[.]com/altoufanteam).
## Implications
Iranian cyber strategy is increasingly "reactive" and synchronized with kinetic military developments. The transition from espionage to disruptive attacks (ransomware/wiping) serves as a force multiplier for conventional warfare. There is a high probability of "overflow" targeting where US-linked organizations or those in the global supply chain using Israeli OT/IT equipment become collateral or intentional targets.
## Mitigations
* **Patch Management:** Ensure all critical systems and internet-facing edge devices are fully patched, so that the "probing" phase finds no exploitable exposed service.
* **Supply Chain Auditing:** Identify and monitor operational technology (OT) or industrial equipment manufactured in Israel, as these are historically targeted by Iranian actors (e.g., CyberAv3ngers).
* **API Security:** Implement strict authentication and rate-limiting for mobile application APIs, which are currently being scouted for vulnerabilities.
* **Security Awareness:** Educate staff on spearphishing tactics, specifically those disguised as urgent software or security updates.
* **Veracity Checks:** Treat claims of massive data breaches or infrastructure compromise on social media with skepticism, and verify any claim against your own telemetry and incident records before responding publicly, to avoid amplifying Iranian psychological operations (influence campaigns).
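The API Security mitigation above, as an added example (not code from the report or from any product): a Python model of a gateway that applies a per-client token-bucket limit before checking a bearer token, replayed against a constructed endpoint-probing burst under a permissive policy and a strict one so the difference in what reaches the backend is visible. The token value, endpoint paths, addresses and limits are assumptions.

```python
"""Bearer-token authentication and per-client rate limiting for a mobile-app API.

Added example, not code from the report or from any product. A small gateway
rate-limits each client with a token bucket, then checks a bearer token, and a
constructed probing burst is replayed under a permissive and a strict policy.
The token, endpoints, addresses and limits are assumptions for the example.
"""
from collections import Counter
from dataclasses import dataclass
import hmac

# Assumed valid token (real deployments issue short-lived tokens, not static keys).
VALID_TOKENS = ("tok-mobile-app-7f3a",)
KNOWN_ENDPOINTS = {"/api/v1/profile", "/api/v1/messages"}


def authenticated(token) -> bool:
    """Constant-time comparison against each accepted token."""
    return any(hmac.compare_digest(token or "", t) for t in VALID_TOKENS)


@dataclass
class Policy:
    require_auth: bool
    capacity: int          # burst allowed per authenticated client
    anon_capacity: int     # smaller burst for unauthenticated sources
    refill_per_sec: float  # sustained rate for every bucket


@dataclass
class Bucket:
    tokens: float
    last: float


class Gateway:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.buckets: dict[str, Bucket] = {}

    def _allow(self, key: str, capacity: int, now: float) -> bool:
        """Token bucket: refill for the time elapsed, then spend one token if available."""
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(tokens=float(capacity), last=now)
        b.tokens = min(capacity, b.tokens + (now - b.last) * self.policy.refill_per_sec)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def handle(self, src_ip: str, token, path: str, now: float) -> int:
        """Return an HTTP-style status code for one request."""
        is_auth = authenticated(token)
        # Authenticated clients are keyed by token, anonymous ones by source IP,
        # and the limit is applied before any backend work is done.
        key = f"tok:{token}" if is_auth else f"ip:{src_ip}"
        cap = self.policy.capacity if is_auth else self.policy.anon_capacity
        if not self._allow(key, cap, now):
            return 429
        if self.policy.require_auth and not is_auth:
            return 401
        return 200 if path in KNOWN_ENDPOINTS else 404


# Weak setting beside the corrected one.
PERMISSIVE = Policy(require_auth=False, capacity=10_000, anon_capacity=10_000, refill_per_sec=10_000)
STRICT = Policy(require_auth=True, capacity=20, anon_capacity=5, refill_per_sec=1.0)

# Constructed traffic: one unauthenticated source walking candidate endpoints
# twice a second, and one real app user with a valid token.
PROBE_PATHS = ["/api/v1/admin", "/api/v1/users/export", "/api/v2/debug",
               "/api/v1/profile", "/api/internal/config", "/.env"]
PROBES = [("203.0.113.10", None, PROBE_PATHS[i % len(PROBE_PATHS)], i * 0.5) for i in range(30)]
LEGIT = [("198.51.100.7", VALID_TOKENS[0], "/api/v1/profile", i * 0.5) for i in range(5)]


def replay(policy: Policy, requests) -> Counter:
    """Run requests in time order through one gateway and count status codes."""
    gw = Gateway(policy)
    return Counter(gw.handle(*req) for req in sorted(requests, key=lambda r: r[3]))


def reached_backend(statuses: Counter) -> int:
    """Requests the backend served, or had to answer 404 for (which maps the API)."""
    return statuses[200] + statuses[404]


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("strict", STRICT)):
        print(f"{name:10s} all traffic: {dict(replay(policy, PROBES + LEGIT))}"
              f"  probes reaching backend: {reached_backend(replay(policy, PROBES))}")
```

Under the permissive policy every probe reaches the backend and the 200/404 split hands the prober a map of which paths exist. Under the strict policy anonymous traffic is keyed by source IP with a small bucket, so the burst is throttled before authentication runs, the requests that do get through are refused with 401, nothing reaches the backend, and the legitimate token holder is unaffected because it draws from its own larger bucket. In production, replace the static token with short-lived tokens from the identity provider and keep the per-IP bucket behind a trusted proxy that sets the client address.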