Summary:
The Halcyon Ransomware Research Center (RRC) has seen increased activity and calls to action in the Middle East region since the initiation of kinetic activity against Iran over the weekend. As Iran considers its response to US and Israeli military actions, it is likely to consider destructive cyber operations if it believes they can deliver meaningful retaliatory impact. In the past week, destructive activity has already occurred: kinetic attacks on AWS data centers in the UAE and Bahrain disrupted cloud services in the Middle East for multiple security providers. The RRC is monitoring activity and threat actors related to the DDoS botnet HydraC2, the hacktivist group Handala, the ransomware group Sicarii, and state-sponsored groups including the MuddyWater APT.
In particular, Halcyon has observed the MuddyWater APT setting up a cyber offensive operation known as Operation Olalampo targeting the Middle East, Turkey, and Africa (META) region, with TTPs that overlap those of a separate campaign tracked as RedKitten. We anticipate that Iran may use attempted obfuscation, proxies, and destructive tools against US networks in the coming weeks:
- Using Distributed Denial of Service (DDoS) against hosting providers.
- Deploying ransomware before wiping an organization’s data, and/or using destructionware (destructive malware) that renders system recovery impossible.
- Leveraging long-term access for espionage and data exfiltration in support of destructive attacks, and/or to locate dissidents for further targeting.
Background:
Iran has a long track record of using cyber operations to retaliate against perceived political slights. From disabling US financial websites between 2011 and 2013, erasing data from the Las Vegas Sands Casino in 2014, to defacing websites after the death of Iranian military commander Qasem Soleimani and issuing online death threats to US election officials in 2020 and 2021, Tehran’s cyber playbook has been aggressive and evolving.
Ransomware is increasingly incorporated into these operations, with ransomware campaigns that blur the line between criminal extortion and state-sponsored sabotage. Last year, an Iranian national pleaded guilty to ransomware attacks that crippled Baltimore and other US municipalities, causing tens of millions in damages. Since at least 2017, Iranian operators have targeted US critical infrastructure including a thwarted attempt on Boston Children’s Hospital.
In practice, Iran’s destructive cyber operations often emerge from a murky blend of state sponsorship, personal profiteering, and outright criminal behavior. Hackers may monetize access gained through government-backed campaigns, bringing together espionage and extortion efforts. Tehran has long preferred to turn a blind, or at least indifferent, eye to private cyber operations against targets in the US, Israel, and other allied countries.
Having access to cyber criminals provides the government with numerous options. As Iran considers its response to US and Israeli military actions, it is likely to activate any of these cyber actors if it believes their operations can deliver a meaningful retaliatory impact.
For example, in July 2022, Iranian state hackers launched a devastating cyberattack on Albanian government networks, destroying data and disrupting critical services. Masquerading as a fictitious hacktivist group, the attackers combined ransomware, extortion, and data-wiping tactics in an apparent act of retribution.
Threat Analysis:
The groups involved are multi-faceted and seem to be focused on DDoS, Hacktivism, Ransomware, and Intelligence Operations:
Distributed Denial of Service (DDoS)
HydraC2 is a high-reputation DDoS botnet operator that has been active since August 2023 and was previously involved with the Five Families (a well-known hacktivist and ransomware collective consisting of GhostSec, Stormous, ThreatSec, SiegedSec, and Blackforums). Another prominent hacktivist group, Killnet, is a Russian threat group known for DDoS and hacktivism that has existed since November 2021. These two groups and other related threat actors have indicated support for the Iranian regime, as seen in private channels and on Telegram. The focus of these groups is to conduct DDoS attacks by sending a flood of packets, typically UDP and in certain cases TCP. The intent is to cause disruption and outages to critical infrastructure such as hospitals, aviation, defense, and government entities.
Hacktivism
Handala is a pro-Palestinian hacktivist group that has been active since at least December 2023. The group primarily targets organizations located in or supporting Israel and other META entities. Handala keeps a full list of company and individual targets on hxxp[://]handala-redwanted[.]to. Halcyon RRC has observed very few updates on their handala-hack[.]to blog since January 2026, which typically indicates the group is actively conducting operations. The group does list victims and has traditionally focused on exposing individuals, the locations of vulnerable entities, and flaws in infrastructure via hacktivism and intelligence operations.
Ransomware
Sicarii is a RaaS operation that surfaced in December 2025 with a critical flaw in its encryption: the malware discards its own keys after encrypting files, making decryption permanently impossible for both victims and operators and rendering any ransom payment futile. While Sicarii has reported only several victims since its creation, the group has recently indicated that it intends to encrypt everything against as many victims as possible. Observed victim targeting is mostly within the META region, with one entity based in the US.
Intelligence Operations
Groups including APT34, APT35, APT39, MuddyWater, and APT42 are active, with a focus on locating dissidents of the Iranian regime by targeting specific entities. They target entities that hold large data sets on individuals, including internet service providers, medical systems, transportation, utilities, and telecommunications. The primary method of initial access appears to be phishing with documents that use Microsoft Excel macros to deploy malware and establish persistence.
Mitigations:
- Phishing, User Awareness, and Macros: Alert all employees to attachments that may contain macros, and enforce policies that prevent macro execution. [M1017] [M1038]
- Initial Access Hardening for Edge Appliances: Prioritize hardening and access control for perimeter devices and remote access, including accounts and management interfaces, as well as protections against DDoS. Apply updates promptly, restrict administrative exposure, and enforce strong authentication for all remote and privileged access. [M1051] [M1032] [M1026]
- Containment for Cross-Platform and ESXi Impact: Assume Sicarii and other ransomware groups may target Windows, Linux, and VMware ESXi. Segment management networks, restrict access to hypervisor management planes, and limit lateral movement paths through administrative protocols and file shares. [M1030] [M1035]
- Deploy Dedicated Anti-Ransomware Controls: Deploy a dedicated anti-ransomware solution that blocks execution of malicious binaries before they run [M1038], detects and prevents ransomware runtime behavior and data exfiltration attempts [M1040], and prevents tampering and network intrusion that enable propagation and encryption [M1031].
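As an added example (not part of the Halcyon alert), the macro-blocking mitigation above expressed as an enforceable and auditable Office policy. It assumes Office 2016 or later (policy hive version 16.0) and writes the per-user policy keys that Group Policy would normally set; the report flags each application as hardened only when both the VBA and Mark-of-the-Web settings are in their blocking state.

```powershell
# Added example, not code from the Halcyon alert. Enforces and audits Office VBA
# macro blocking via the per-user Office policy hive (assumed: Office 16.0).
$Apps = @('Excel', 'Word', 'PowerPoint')
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Set-MacroBlockingPolicy {
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings = 4: disable all macros without notification (hardened).
        # The weak prompt-the-user setting is 2; 3 allows only signed macros.
        New-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 `
            -PropertyType DWord -Force | Out-Null
        # Block macros in files carrying the Mark-of-the-Web (downloaded or
        # e-mailed attachments), which is how phished documents arrive.
        New-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' `
            -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-MacroPolicyReport {
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        $vba  = (Get-ItemProperty -Path $key -Name 'VBAWarnings' `
                    -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' `
                    -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
        [pscustomobject]@{
            Application     = $app
            VBAWarnings     = if ($null -eq $vba)  { 'not set (user-controlled)' } else { $vba }
            BlockMotWMacros = if ($null -eq $motw) { 'not set' } else { $motw }
            # Hardened means: macros disabled (4) or signed-only (3) AND MotW block on.
            Hardened        = (($vba -eq 4) -or ($vba -eq 3)) -and ($motw -eq 1)
        }
    }
}

# Audit before, enforce, then audit again so the change is visible in the output.
Get-MacroPolicyReport | Format-Table -AutoSize
Set-MacroBlockingPolicy
Get-MacroPolicyReport | Format-Table -AutoSize
```

Run the report function alone on endpoints first to find users whose policy is still unset; those are the profiles where an Excel attachment would prompt the user instead of being blocked.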
Source Summary:
This alert is based on information from dark web monitoring and published threat intelligence. Technical claims attributed to the advertisement reflect the group’s self-reported capabilities and have not been verified through independent reverse engineering. Assessments may be revised as additional evidence becomes available.
The Halcyon Ransomware Research Center unites experts, drives smart policies, and delivers actionable intelligence to detect, disrupt, and defeat ransomware. Explore the Center’s latest reports, analysis, and resources here.
