Track Iran Cyber Threats Live, Real Time
March 15, 2026
When we published our breakdown of the Stryker cyberattack, the attack itself was still fresh and the full scope of damage was still being assessed.
Since then, the Cybersecurity and Infrastructure Security Agency (CISA) has opened a formal investigation, Stryker has confirmed disruptions to order processing, manufacturing, and shipping across its global operations, and security researchers are tracking a growing list of Iran-affiliated hacktivist groups signaling their next targets. The conflict that produced the Stryker attack is widening.
If you want to understand the scope of what's active right now, cyber threat intelligence platform SOCRadar has published a live dashboard tracking the Iran-Israel-U.S. cyber conflict as it develops. Updated continuously, it logs verified attacks, hacktivist claims, active threat actors and a running timeline of major incidents.
The platform was designed for journalists and security teams, but any business leader trying to assess risk in this environment should have it bookmarked. Access it here: Iran–Israel/US Cyber War 2026: Iranian Hackers, APT Groups & Cyber Attacks.
Cyber Threats Escalating
A detail from the early days of the conflict gave some analysts brief reassurance: when the joint U.S.-Israel strikes hit Iran on Feb. 28, Iran's available internet connectivity collapsed to between 1 and 4 percent of normal. State-linked cyber units lost the ability to coordinate. Sophisticated attacks require coordination. The thinking was that the near-total blackout had bought time.
That window is closing. Iran's advanced persistent threat (APT) groups don't dissolve when operational tempo gets disrupted. They retool, restore access, and return.
Researchers at Symantec and Carbon Black documented that, before the war started, Seedworm had already placed backdoors inside U.S. companies. Also known as MuddyWater, Seedworm is the Iranian group linked to the Ministry of Intelligence and Security. Those U.S. footholds don't disappear when Iran's internet goes dark. They were built precisely to survive disruption.
The SOCRadar dashboard captures this reality in real time. It shows a structured, state-directed campaign running in parallel with every news cycle, with credential harvesting operations, hacktivist mobilization on Telegram channels and active dark web coordination continuing regardless of what's happening on the ground in the Middle East.
Threat Actors Behind Headlines
Our earlier post covered Handala in detail. This group claimed the Stryker attack and is widely assessed by intelligence firms as a front for Iranian state operations rather than an independent hacktivist collective. But Handala is one actor in a much larger ecosystem that the SOCRadar dashboard tracks in full.
On the state-sponsored side, Iranian APT groups, including APT34, APT35, APT39, and APT42, are running active intelligence operations against companies holding large individual-level data sets, such as telecommunications providers, medical systems, and internet service providers (ISPs).
The assessed intent is locating and identifying regime dissidents and tracking individuals connected to Iranian opposition. APT42 specifically targets Western non-governmental organizations (NGOs), media outlets, and academic institutions.
Beyond those, a group tracked as Cotton Sandstorm, affiliated with the Islamic Revolutionary Guard Corps, was caught staging malware inside Israeli and Middle Eastern networks before the Feb. 28 strikes. This behavior is consistent with a pattern security professionals call "pre-positioning." Hackers establish access and plant latent tools so they don't need to find the door when they need it. It's already open.
Attack Vector Made Stryker Possible
Our earlier post described what happened at Stryker: a global wipe, 79 countries, 56,000 employees sent home. What it didn't cover in depth is the specific mechanism, because the full technical picture wasn't confirmed yet. It is now.
Handala didn't require novel malware or an elite technical operation. The attack appears to have exploited Microsoft Intune, a legitimate enterprise device management platform that allows IT teams to remotely configure, push updates to and, when necessary, wipe corporate devices. Intune is widely deployed across mid-market and enterprise environments.
Under normal operations, Intune is an invaluable productivity tool. In the hands of hackers with compromised administrative credentials, it becomes a weapon capable of mass destruction across an entire global fleet in a single command sequence.
This matters because it reframes the conversation about what "getting hacked" actually looks like in 2026. There was no ransomware. There was no exotic payload. There was stolen access to administrative infrastructure that most businesses treat as a backend IT function, not a security perimeter. The attack surface wasn't a vulnerability in the traditional sense. It was an over-privileged administrative account with insufficient access controls around it.
Security researchers responding to the Stryker incident have recommended that any business running Microsoft Intune or similar unified endpoint management platforms review who holds global administrator privileges in that environment and restrict those credentials to a small number of break-glass accounts used only in emergencies. Routine administration should run through lower-privilege accounts scoped to specific functions.
Segregating those privileges takes an afternoon. Rebuilding from a mass wipe takes longer.
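As an added illustration of that review (not code from the original post, from Stryker, or from SOCRadar), here is a read-only PowerShell audit using the Microsoft Graph SDK that lists who holds the Global Administrator and Intune Administrator roles and warns when routine, non-break-glass accounts hold the tenant-wide role. The break-glass naming tag and the ceiling of four Global Administrators are assumptions for illustration.

```powershell
# Added example: audit who holds tenant-wide roles that can issue Intune wipe commands.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph) and a
# read-only sign-in. Role names are real; the tag and ceiling below are assumptions.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

$rolesToAudit    = @("Global Administrator", "Intune Administrator")
$breakGlassTag   = "BreakGlass"   # assumed naming convention for emergency accounts
$maxGlobalAdmins = 4              # assumed policy ceiling; adjust to your own

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# so filter client-side rather than relying on a server-side $filter.
$allRoles = Get-MgDirectoryRole -All

$findings = foreach ($roleName in $rolesToAudit) {
    $role = $allRoles | Where-Object DisplayName -eq $roleName
    if (-not $role) { continue }   # role never activated: nobody holds it

    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    foreach ($m in $members) {
        $upn  = $m.AdditionalProperties["userPrincipalName"]
        $type = $m.AdditionalProperties["@odata.type"]
        [pscustomobject]@{
            Role       = $roleName
            Principal  = $(if ($upn) { $upn } else { $m.Id })
            ObjectType = $type -replace "#microsoft\.graph\.", ""
            BreakGlass = ($upn -like "*$breakGlassTag*")
        }
    }
}

$findings | Sort-Object Role, Principal | Format-Table -AutoSize

# The condition the article warns about: day-to-day accounts holding the
# tenant-wide role, or more Global Administrators than policy allows.
$ga        = @($findings | Where-Object Role -eq "Global Administrator")
$routineGA = @($ga | Where-Object { -not $_.BreakGlass })
if ($ga.Count -gt $maxGlobalAdmins) {
    Write-Warning "$($ga.Count) Global Administrators found; policy ceiling is $maxGlobalAdmins."
}
if ($routineGA.Count -gt 0) {
    Write-Warning "Non-break-glass Global Administrators: $($routineGA.Principal -join ', ')"
    Write-Warning "Move routine device management to a scoped role such as Intune Administrator."
}
# Groups and service principals in these roles deserve the same scrutiny as users.
$findings | Where-Object ObjectType -ne "user" | ForEach-Object {
    Write-Warning "Non-user principal $($_.Principal) holds $($_.Role)."
}
```

Run it from an account that can read directory roles; it changes nothing, so the warnings it prints are the list of privileges to scope down before they are needed in anger.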
Federal Gap Changes Calculus
CISA launched an investigation into the Stryker attack the day after it was confirmed. That's notable and appropriate. What's equally notable is that no specific advisory or alert was issued on the day of the attack itself. And this was the first confirmed major cyberattack on a U.S. corporation since the Iran war began.
CISA is currently operating at about 38 percent staffing due to a federal funding lapse, leaving the agency tasked with coordinating critical infrastructure defense significantly constrained at precisely the wrong moment.
Businesses in sectors that have historically relied on government advisories as a layer of situational awareness can't treat that channel as a reliable primary signal right now. Commercial threat intelligence sources, including the SOCRadar dashboard, sector-specific information sharing groups, and managed security providers with active monitoring capabilities, are filling a gap the federal apparatus isn't currently positioned to fill at full capacity.
What Dashboard Says Headlines Don't
The SOCRadar dashboard tracks the conflict at a level of granularity that general news coverage doesn't reach. It identifies which specific threat actors are active on any given day, what sectors they're targeting, what attack techniques they're using, and which countries are absorbing the most impact. In the week of Feb. 27 through March 6, Israel absorbed the heaviest volume, followed by Kuwait and Jordan. The most impacted industries globally were national government, aerospace and defense, and technology. But the dashboard also flags activity directed at financial services, health care, and shipping.
It also surfaces something the Stryker headlines largely missed: the supply chain targeting logic that security firm Palo Alto Networks identified in Handala's recent behavior. The group has shown a focus on establishing footholds through IT service providers and managed service partners to reach downstream customers. That's not a peripheral concern for businesses that work with IT vendors, managed security providers, or cloud service companies. It's a direct exposure pathway. If your IT provider is compromised, the attacker is already inside your network before anyone knows to look.
Conflict Has No End Date
The Center for Strategic and International Studies assessed that the Feb. 28 strikes were more likely to mark the beginning of a new phase of cyber escalation than its conclusion. That assessment has held.
The businesses compromised in the months ahead will largely be those that treated the Stryker attack as a one-time event, concluded it had nothing to do with them, and moved on without taking action.
The SOCRadar dashboard exists because this threat requires ongoing monitoring. Bookmark it. Check it periodically. And if what it shows raises questions about whether your environment is adequately protected, that question deserves a real answer before someone else provides one for you.
STACK Cybersecurity works with businesses across the country to assess vulnerabilities, implement layered defenses, and build compliance programs that protect operations and contracts. Contact our team to find out where your greatest exposures are.