On February 28, 2026, the United States and Israel launched a significant joint offensive against Iran. Following these initial strikes, Iran initiated a multi-vector retaliatory campaign, resulting in a transregional conflict. Unit 42 observed an escalation in cyberattacks from actors outside the country, particularly focusing on destructive malware and sophisticated phishing campaigns.
Iranian threat actors have a history of destructive attacks dating back to 2012, indicating a pattern of both capability and intent. As of March 26, 2026, Iran's internet connectivity had dropped to between 1% and 4% of normal levels, significantly impairing state-aligned threat actors' ability to conduct sophisticated operations.
Unit 42 has identified 7,381 phishing URLs related to conflict themes. These campaigns target both enterprise and consumer sectors through the impersonation of trusted entities. The operations leverage agile evasion tactics such as domain rotation and subdomain chaining. Additionally, phishing lures are exploiting current geopolitical events to facilitate donation and cryptocurrency scams. This multi-pronged approach underscores the threat actors' focus on financial and data theft, utilizing regional brand trust for maximum impact.
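The evasion tactics named above (domain rotation, subdomain chaining, brand impersonation and donation/cryptocurrency lures) can each be expressed as a simple triage heuristic over a URL feed. The script below is an added illustration written for this page, not Unit 42's tooling or any of the URLs it identified; the brand mapping, the keyword list and every sample URL are constructed (all hosts sit on the reserved `.example`/`.invalid` TLDs), and the two-label `registered_domain()` helper is a deliberate simplification that a production version would replace with a public-suffix-list lookup.

```python
"""Added example: heuristic triage of conflict-themed phishing URLs.

Every URL, brand and keyword here is constructed for illustration and is
not an indicator from the original report.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical brand -> legitimate registered domain mapping (constructed).
KNOWN_BRANDS = {"examplebank": "examplebank.example"}

# Words typical of donation / cryptocurrency lure pages.
LURE_KEYWORDS = {"donate", "donation", "crypto", "relief", "fund", "aid"}

# Constructed sample feed (reserved TLDs only, not real indicators).
SAMPLE_URLS = [
    "https://login.examplebank.example/",                        # brand's own domain
    "https://examplebank.example.secure-login.invalid/verify",   # brand in subdomain
    "https://examplebank.example.secure-login2.invalid/verify",  # rotated sibling domain
    "https://a.b.c.d.examplebank-support.invalid/",              # deep subdomain chain
    "https://donate.conflict-relief-fund.invalid/crypto",        # donation / crypto lure
]


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification for the example: production code should consult the
    public suffix list so multi-label suffixes (e.g. co.uk) are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> list:
    """Return the list of heuristic flags raised for a single URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["unparseable"]
    reg = registered_domain(host)
    prefix_labels = host.split(".")[:-2]  # labels left of the registered domain
    flags = []

    # Brand impersonation: a known brand string appears somewhere in the host,
    # but the registered domain is not the brand's own.
    if any(brand in host and reg != legit for brand, legit in KNOWN_BRANDS.items()):
        flags.append("brand_impersonation")

    # Subdomain chaining: many labels stacked in front of the registered domain.
    if len(prefix_labels) >= 3:
        flags.append("deep_subdomain_chain")

    # Donation / cryptocurrency lure wording in the host or path.
    text = host.replace("-", " ").replace(".", " ") + " " + parsed.path.replace("/", " ")
    if LURE_KEYWORDS & set(text.split()):
        flags.append("donation_crypto_lure")
    return flags


def triage(urls):
    """Classify each URL and, per impersonated brand, list the distinct
    registered domains in use, which is how domain rotation shows up."""
    results = {u: classify(u) for u in urls}
    rotation = defaultdict(set)
    for u, flags in results.items():
        if "brand_impersonation" not in flags:
            continue
        host = urlparse(u).hostname.lower()
        for brand in KNOWN_BRANDS:
            if brand in host:
                rotation[brand].add(registered_domain(host))
    return results, {b: sorted(d) for b, d in rotation.items()}


if __name__ == "__main__":
    results, rotation = triage(SAMPLE_URLS)
    for u, flags in results.items():
        print(f"{u:60s} {flags or ['clean']}")
    for brand, domains in rotation.items():
        print(f"{brand}: {len(domains)} registered domains -> {domains}")
```

Running the script prints one line per sample URL with its flags and then, for each impersonated brand, how many distinct registered domains carried the lure; a count that keeps climbing across successive feed pulls is the rotation signal the text describes, and it is cheap to track in a SIEM or URL-filtering pipeline.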
These cyberattacks highlight the ongoing risk to global cybersecurity infrastructure related to the conflict with Iran.