Augur Security’s analysis shows a significant buildup of Iran-linked MOIS and IRGC cyber infrastructure in the six months before the February 28, 2026 US/Israeli strikes, enabling rapid post-strike operations against the US, Israel, and Gulf states. A coordinated surge of roughly 60 hacktivist groups and established APTs, using multi-tier hosting and shell-company networks that begin with Sefroyek Pardaz and pass through providers such as ALEXHOST, RouterHosting, Cloudblast, and UltaHost, complicated attribution and disruption efforts.
Key points
- Augur identified increased infrastructure activity by MOIS- and IRGC-linked APTs in the six months before the February 28, 2026 strikes.
- Iranian threat actors use a multi-tier infrastructure chain starting with Sefroyek Pardaz and moving through bulletproof hosts and shell companies to obscure origin.
- MuddyWater exhibited a spike in CIDR activity in September 2025 consistent with pre-operational staging for post-strike operations.
- Handala and an estimated 60 hacktivist groups rapidly coordinated via an “Electronic Operations Room” to target US, Israeli, and facilitating Gulf-state organizations.
- Kinetic strikes disrupted Iran’s internal connectivity but did not substantially degrade the country’s APT capabilities or their ability to expand cyber operations.
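The "spike in CIDR activity" finding above is the kind of signal a tracking team would want to reproduce over its own infrastructure observations. The following is an added illustration, not Augur's method or data: it takes a constructed list of (first-seen date, CIDR) observations, counts how many ranges were newly observed per month (re-observations of a known range do not count), and flags months whose count sits well above the baseline of the other months. The CIDRs are RFC 5737 documentation ranges and the dates are invented; the z-score threshold is an assumption, not something the page specifies.

```python
from collections import Counter
from datetime import date
from statistics import mean, pstdev

# Constructed sample observations of infrastructure attributed to one tracked
# actor: (date the range was seen, CIDR). Values are invented for illustration
# and use RFC 5737 documentation address space.
OBSERVATIONS = [
    (date(2025, 4, 3), "203.0.113.0/24"),
    (date(2025, 5, 11), "198.51.100.0/24"),
    (date(2025, 6, 2), "192.0.2.0/24"),
    (date(2025, 7, 19), "203.0.113.0/24"),    # re-observed, not a new range
    (date(2025, 8, 8), "198.51.100.128/25"),
    (date(2025, 9, 1), "192.0.2.64/26"),
    (date(2025, 9, 4), "203.0.113.128/25"),
    (date(2025, 9, 12), "198.51.100.0/25"),
    (date(2025, 9, 20), "192.0.2.128/25"),
    (date(2025, 9, 27), "203.0.113.64/26"),
    (date(2025, 10, 5), "192.0.2.192/26"),
]


def _fill_months(counts):
    """Return counts keyed by (year, month) with every month between the
    first and last observed month present, zero where nothing was seen,
    so quiet months contribute to the baseline."""
    if not counts:
        return {}
    keys = sorted(counts)
    (y, m), end = keys[0], keys[-1]
    out = {}
    while (y, m) <= end:
        out[(y, m)] = counts.get((y, m), 0)
        m += 1
        if m > 12:
            y, m = y + 1, 1
    return out


def monthly_new_cidrs(observations):
    """Count CIDRs by the month in which each was FIRST observed."""
    first_seen = {}
    for seen, cidr in sorted(observations):
        first_seen.setdefault(cidr, seen)   # keep the earliest sighting only
    counts = Counter((d.year, d.month) for d in first_seen.values())
    return _fill_months(counts)


def spike_months(monthly, z=2.0):
    """Flag months whose new-range count exceeds mean + z * stdev of the
    remaining months (leave-one-out baseline). z is an assumed threshold."""
    flagged = []
    for month, count in monthly.items():
        baseline = [c for m, c in monthly.items() if m != month]
        if len(baseline) < 2:
            continue  # not enough history to judge a spike
        mu, sigma = mean(baseline), pstdev(baseline)
        if count > mu + z * sigma:
            flagged.append(month)
    return flagged


if __name__ == "__main__":
    monthly = monthly_new_cidrs(OBSERVATIONS)
    for (y, m), c in monthly.items():
        print(f"{y}-{m:02d}: {c} new range(s)")
    print("spike months:", spike_months(monthly))
```

A spike in newly observed ranges is only a staging signal once the ranges are already attributed to the actor, which is why the input here is an attributed observation list rather than raw hosting-provider allocations; counting re-observations as new would inflate quiet months and hide the real outlier.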
Read More: https://www.securityweek.com/iran-readied-cyberattack-capabilities-for-response-prior-to-epic-fury/