Threat Briefing 02 Mar 2026

Iran's APTs Just Woke Up — Prepare Now

Five Iranian APT groups activated simultaneously following Operation Epic Fury and Operation Roaring Lion. Cyber retaliation against Israel, the United States, and allied entities is assessed as virtually certain.

Executive Summary

On 28 February 2026, the United States launched Operation Epic Fury and Israel executed Operation Roaring Lion — a combined kinetic and cyber offensive against Iran. Israel's cyber component is being described by analysts as the largest cyberattack ever conducted against a nation-state, reducing Iran's internet connectivity to an estimated 4% and crippling command-and-control infrastructure across military and civilian systems.

Within hours, Nerd@Heart analysts observed simultaneous activation signatures from five major Iranian Advanced Persistent Threat (APT) groups: MuddyWater, BANISHED KITTEN, APT42, APT33, and APT34. This coordinated mobilization — observed on 27 February 2026, the day before strikes commenced — indicates pre-planned contingency operations and a high probability of imminent retaliatory cyber campaigns.

This assessment is issued with HIGH confidence. Retaliation is assessed as virtually certain.

Key Findings

  • Five Iranian APT groups (MuddyWater, BANISHED KITTEN, APT42, APT33, APT34) showed simultaneous activation on 27 February 2026, indicating coordinated response preparation.
  • Israel's cyber operation reduced Iran's internet to 4% connectivity, crippling the National Information Network and military command infrastructure.
  • The operation was preceded by the June 2025 twelve-day conflict featuring Predatory Sparrow operations, including Bank Sepah data destruction and a $90M Nobitex cryptocurrency theft.
  • Domestic Iranian instability — mass protests since December 2025 and the Supreme Leader assassination — compounds the regime's pressure to demonstrate retaliatory capability.
  • Primary targets for retaliation: Israel, the United States, and allied entities across government, critical infrastructure, defense, finance, and media sectors.

Geopolitical Context

Escalation Timeline

The current crisis represents the culmination of an escalatory cycle that accelerated through 2025. The June 2025 twelve-day conflict saw Israel's Predatory Sparrow unit conduct destructive cyber operations against Iranian financial infrastructure, including the destruction of Bank Sepah data systems and the theft of approximately $90 million in cryptocurrency from the Nobitex exchange.

Iran's domestic situation has deteriorated in parallel. Mass protests erupted in December 2025, and the assassination of the Supreme Leader has created a leadership vacuum that the IRGC is attempting to fill. This convergence of external military pressure and internal instability creates powerful incentives for the regime to project strength through cyber retaliation — one of the few domains where Iran retains meaningful offensive capability despite the degradation of conventional and digital infrastructure.

Strategic Calculus

Iran's cyber apparatus has historically served as a force multiplier, allowing asymmetric retaliation against technologically and militarily superior adversaries. With conventional military options severely constrained by the operations of 28 February, cyber operations become the primary available channel for retaliatory signaling and punitive action. The simultaneous APT activation suggests pre-positioned contingency plans are now being executed.

Threat Actor Profiles

MuddyWater (MERCURY / Static Kitten)

MOIS-affiliated group historically targeting government and telecommunications sectors across the Middle East, Europe, and North America. Known for living-off-the-land techniques, PowerShell-based tooling, and supply-chain compromises. Likely tasked with intelligence collection and pre-positioning for destructive operations.

BANISHED KITTEN

IRGC-linked operator specializing in disruptive and destructive attacks against critical infrastructure. Previously associated with wiper malware deployments against energy sector targets. High probability of involvement in any destructive retaliatory operations.

APT42 (Charming Kitten / Phosphorus)

IRGC Intelligence Organization (IRGC-IO) unit focused on credential harvesting, surveillance, and espionage targeting policy researchers, journalists, and government officials. Expected to conduct intelligence collection operations to support targeting for follow-on attacks.

APT33 (Elfin / Refined Kitten)

Historically focused on aviation, energy, and petrochemical sectors. Known for deploying Shamoon-variant wipers and destructive payloads. Represents a significant destructive capability against industrial and energy sector targets.

APT34 (OilRig / Helix Kitten)

MOIS-affiliated group targeting financial, government, energy, and telecommunications sectors. Sophisticated tooling with emphasis on DNS-based exfiltration and long-term persistent access. Likely pre-positioned in target networks for data theft and potential disruption.

Monitoring Indicators

  • CISA / NSA / FBI joint advisories related to Iranian cyber activity — monitor for emergency directives.
  • Iranian APT infrastructure reactivation: novel C2 channels, renewed credential harvesting campaigns, and spearphishing surges targeting government and defense sector personnel.
  • Telegram hacktivist mobilization: Nerd@Heart is tracking 178+ pro-Iranian hacktivist groups for coordination signals and target lists.
  • Wiper malware indicators: monitor for Shamoon variants, ZeroCleare, and novel destructive payloads targeting Windows and Linux systems.
  • DNS anomalies consistent with APT34 exfiltration techniques and APT33 C2 beaconing patterns.
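The last indicator above, DNS anomalies consistent with exfiltration or C2 beaconing, is one a SOC can score directly from resolver logs. The following is an added example, not tooling from Nerd@Heart or from the briefing: it assumes a simple one-query-per-line resolver log format ("timestamp client qtype qname"), approximates the base domain as the last two labels (no public-suffix list), and uses illustrative thresholds; the log lines and domains are constructed.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not from the briefing). Assumed format per line:
# "<ISO-8601 timestamp> <client IP> <qtype> <qname>". Domains are placeholders under .test.
# 10.0.0.12 is ordinary browsing; 10.0.0.45 sends long, unique, high-entropy TXT
# queries (tunnel-like); 10.0.0.77 resolves the same name at a fixed 60 s cadence (beacon-like).
SAMPLE_LOG = """\
2026-03-01T09:00:00 10.0.0.12 A www.example-news.test
2026-03-01T09:00:05 10.0.0.12 A cdn.example-news.test
2026-03-01T09:00:11 10.0.0.12 A mail.corp-internal.test
2026-03-01T09:01:00 10.0.0.45 TXT 4a7f9c2e1b3d8e6f0a1b2c3d4e5f6a7b.updates.cdn-telemetry.test
2026-03-01T09:01:30 10.0.0.45 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.updates.cdn-telemetry.test
2026-03-01T09:02:45 10.0.0.45 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.updates.cdn-telemetry.test
2026-03-01T09:04:10 10.0.0.45 TXT deadbeefcafef00d0123456789abcdef.updates.cdn-telemetry.test
2026-03-01T09:00:00 10.0.0.77 A sync.update-check.test
2026-03-01T09:01:00 10.0.0.77 A sync.update-check.test
2026-03-01T09:02:00 10.0.0.77 A sync.update-check.test
2026-03-01T09:03:00 10.0.0.77 A sync.update-check.test
2026-03-01T09:04:00 10.0.0.77 A sync.update-check.test
2026-03-01T09:05:00 10.0.0.77 A sync.update-check.test
"""


def shannon_entropy(s):
    """Bits per character; hex/base32-encoded payload labels score far above dictionary words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return datetime.fromisoformat(ts), client, qtype.upper(), qname.rstrip(".").lower()


def analyse(log_text, min_label_len=20, min_entropy=3.0, min_unique=3,
            min_beacon_queries=5, max_cv=0.1, txt_share=0.5):
    """Group queries by (client, base domain) and flag tunnel-like or beacon-like patterns.
    Thresholds are assumed starting points, not published values; tune them on your baseline."""
    groups = defaultdict(lambda: {"times": [], "labels": set(), "lens": [], "ents": [], "txt": 0})
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = parse_line(line)
        labels = qname.split(".")
        base = ".".join(labels[-2:])                 # assumption: last two labels = base domain
        data = labels[0] if len(labels) > 2 else ""  # leftmost label is where tunnelled data goes
        g = groups[(client, base)]
        g["times"].append(ts)
        g["labels"].add(data)
        g["lens"].append(len(data))
        g["ents"].append(shannon_entropy(data))
        if qtype == "TXT":
            g["txt"] += 1

    findings = {}
    for key, g in groups.items():
        flags = []
        total = len(g["times"])
        # Exfiltration heuristic: long, high-entropy, never-repeating leftmost labels
        # (unique labels defeat resolver caching, so every query reaches the attacker's server).
        if (statistics.mean(g["lens"]) >= min_label_len
                and statistics.mean(g["ents"]) >= min_entropy
                and len(g["labels"]) >= min_unique):
            flags.append("exfil_like")
        # TXT-heavy traffic to one domain is a common downstream channel for DNS tunnels.
        if total >= 3 and g["txt"] / total >= txt_share:
            flags.append("txt_heavy")
        # Beaconing heuristic: near-constant inter-query interval (low coefficient of variation).
        if total >= min_beacon_queries:
            times = sorted(g["times"])
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean_gap = statistics.mean(gaps)
            if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_cv:
                flags.append("beacon_like")
        if flags:
            findings[key] = flags
    return findings


if __name__ == "__main__":
    for (client, base), flags in analyse(SAMPLE_LOG).items():
        print(f"{client:<12} {base:<24} {', '.join(flags)}")
```

Run against the sample, the script reports the TXT client as exfil_like and txt_heavy, the fixed-cadence client as beacon_like, and nothing for the browsing client. In production the two-label base-domain shortcut misgroups names under suffixes such as co.uk, so substitute a public-suffix-list lookup, and raise the beacon threshold or add jitter tolerance, since legitimate agents (update checkers, monitoring probes) also poll on a fixed schedule and need to be baselined rather than alerted on.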

Recommendations

  • Assess exposure: Map your organization's connections to Israeli defense, technology, and government entities. Any relationship — vendor, partner, customer — represents a potential targeting vector.
  • Elevate security posture: Move to heightened alert status. Activate wiper malware and ransomware response playbooks. Verify offline backup integrity and test restoration procedures.
  • Engage threat intelligence sharing: Contact national CERTs and sector-specific ISACs for updated indicators of compromise and tactical advisories.
  • Prepare disinformation response: Iranian operations frequently combine cyber attacks with information operations. Establish protocols for identifying and responding to disinformation targeting your organization or sector.
  • Budget emergency measures: Authorize emergency cybersecurity spending for enhanced monitoring, additional SOC staffing, and incident response retainer activation.
  • Review cyber insurance: Examine policy exclusions related to state-sponsored attacks and acts of war. Engage insurers proactively regarding coverage applicability under current geopolitical conditions.

Intelligence Gaps

  • Specific unit attribution for Operation Epic Fury's cyber component remains unconfirmed.
  • Post-assassination IRGC command continuity and the cyber operations chain of command are unclear.
  • Full extent of damage to Iran's National Information Network is still being assessed.
  • Degree of Chinese involvement in Iran's internet kill switch project and its implications for network reconstitution require further analysis.

TLP:CLEAR

This report carries no distribution restrictions. Recipients may share, publish, and reference this report freely to support collective defense and situational awareness.