
Track Iran Cyber Threats Live, Real Time

March 15, 2026

Live cyber threat intelligence dashboard tracking Iranian APT group activity and cyberattacks.

When we published our breakdown of the Stryker cyberattack, the attack itself was still fresh and the full scope of damage was still being assessed.

Last updated: March 24, 2026. This post is actively maintained as new developments emerge. Original publication: March 15, 2026.

Since then, the Cybersecurity and Infrastructure Security Agency (CISA) has opened a formal investigation, Stryker has confirmed disruptions to order processing, manufacturing, and shipping across its global operations, and security researchers are tracking a growing list of Iran-affiliated hacktivists indicating their next targets. The conflict that produced the Stryker attack is widening.

If you want to understand the scope of what's active right now, cyber threat intelligence platform SOCRadar has published a live dashboard tracking the Iran-Israel-U.S. cyber conflict as it develops. Updated continuously, it logs verified attacks, hacktivist claims, active threat actors and a running timeline of major incidents.

The platform was designed for journalists and security teams, but any business leader trying to assess risk in this environment should have it bookmarked.


What Stryker Confirmed on March 24

Two weeks after the attack, Stryker released its most detailed technical disclosure yet. The company confirmed that the threat actor used a malicious file specifically designed to conceal their activity while inside Stryker's systems. Stryker says the file wasn't capable of spreading on its own and was never directed toward customer, supplier, vendor or partner systems.

Stryker also made public a March 20 assessment from Palo Alto Networks Unit 42 confirming that all known indicators of compromise have been identified and addressed, and that there is no evidence of active, unauthorized access remaining in the environment. The company filed that letter with the U.S. Securities and Exchange Commission (SEC) the same day, while noting it still hasn't determined whether the incident is likely to have a material financial impact.

Also filed on March 24: a proposed class action lawsuit (PDF) alleging Stryker failed to implement reasonable cybersecurity measures to protect consumer and employee data. The suit claims stolen information has already been posted to the dark web and that Stryker has yet to notify the individuals affected. Whether or not that lawsuit succeeds, the filing itself signals what comes after containment in a breach of this scale: regulatory scrutiny, litigation exposure and reputational fallout that outlasts the recovery timeline by years.

Cyber Threats Escalating

A detail from the early days of the conflict gave some analysts brief reassurance: when the joint U.S.-Israel strikes hit Iran on Feb. 28, Iran's available internet connectivity collapsed to between 1 and 4 percent of normal. State-linked cyber units lost the ability to coordinate. Sophisticated attacks require coordination. The thinking was that the near-total blackout had bought time.

That window is closing. Iran's advanced persistent threat (APT) groups don't dissolve when operational tempo gets disrupted. They retool, restore access, and return.

Researchers at Symantec and Carbon Black documented that, before the war started, Seedworm had already placed backdoors inside U.S. companies. Also known as MuddyWater, Seedworm is the Iranian group linked to the Ministry of Intelligence and Security. Those U.S. footholds don't disappear when Iran's internet goes dark. They were built precisely to survive disruption.

The SOCRadar dashboard captures this reality in real time. It shows a structured, state-directed campaign running in parallel with every news cycle, with credential harvesting operations, hacktivist mobilization on Telegram channels and active dark web coordination continuing regardless of what's happening on the ground in the Middle East.

Threat Actors Behind Headlines

Our earlier post covered Handala in detail. This group claimed the Stryker attack and is widely assessed by intelligence firms as a front for Iranian state operations rather than an independent hacktivist collective. But Handala is one actor in a much larger ecosystem that the SOCRadar dashboard tracks in full.

On the state-sponsored side, Iranian APT groups, including APT34, APT35, APT39, and APT42, are running active intelligence operations against companies holding large individual-level data sets, such as telecommunications providers, medical systems, and internet service providers (ISPs).

The assessed intent is locating and identifying regime dissidents and tracking individuals connected to Iranian opposition. APT42 specifically targets Western non-governmental organizations (NGOs), media outlets, and academic institutions.

Beyond those, a group tracked as Cotton Sandstorm, affiliated with the Islamic Revolutionary Guard Corps, was caught staging malware inside Israeli and Middle Eastern networks before the Feb. 28 strikes. This behavior is consistent with a pattern security professionals call "pre-positioning." Hackers establish access and plant latent tools so they don't need to find the door when they need it. It's already open.

The FBI Told You Exactly How They Got In

On March 24, the FBI published a formal alert describing the malware used by Iranian government-linked threat actors -- including the tools associated with Handala and its parent operation, Void Manticore. The alert describes a three-stage attack chain. Stage one involves malware that masquerades as legitimate, commonly used applications -- KeePass, Pictory and Telegram were specifically named. A user interacts with what looks like a familiar tool, and stage two deploys: a persistent implant that embeds itself and waits. Stage three introduces additional functions, depending on the target.

This explains something that confused a lot of people when the Stryker story broke: Stryker's repeated statement that it found "no indication of malware or ransomware" was technically accurate at the time. The initial access method, adversary-in-the-middle phishing, requires no malware. The attack happens entirely through a proxy sitting between the user's browser and their login page. Credentials are harvested, the attacker logs in as a legitimate administrator, and Microsoft Intune does the rest. By the time the malicious file was deployed, the hackers were already inside and operating as trusted users.

That attack chain has a significant implication for businesses running endpoint detection and response (EDR) tools: the initial phase of this attack would not have triggered most of them. EDR looks for malicious code. There was none to find. This is why credential security, phishing-resistant multi-factor authentication and privileged access controls for MDM platforms are no longer optional considerations for any enterprise running Microsoft 365.

Attack Vector Made Stryker Possible

Our earlier post described what happened at Stryker: a global wipe, 79 countries, 56,000 employees sent home. What it didn't cover in depth is the specific mechanism, because the full technical picture wasn't confirmed yet. It is now.

Handala didn't require novel malware or an elite technical operation. The attack appears to have exploited Microsoft Intune, a legitimate enterprise device management platform that allows IT teams to remotely configure, push updates to and, when necessary, wipe corporate devices. Intune is widely deployed across mid-market and enterprise environments.

Under normal operations Intune is an invaluable productivity tool. In the hands of hackers with compromised administrative credentials, it becomes a weapon capable of mass destruction across an entire global fleet in a single command sequence.

This matters because it reframes the conversation about what "getting hacked" actually looks like in 2026. There was no ransomware. There was no exotic payload. There was stolen access to administrative infrastructure that most businesses treat as a backend IT function, not a security perimeter. The attack surface wasn't a vulnerability in the traditional sense. It was an over-privileged administrative account with insufficient access controls around it.
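One thing a security team can do with the reality described above is watch the management plane itself rather than the endpoint: a legitimate administrator retiring a handful of laptops over a week looks nothing like one account issuing wipe commands to an entire fleet in minutes. The following is an added example written for this post, not code from STACK, Stryker or Microsoft. It assumes you have pulled Intune audit events from Microsoft Graph (`GET /deviceManagement/auditEvents`) into JSON; the event records below are constructed to resemble that shape (`displayName`, `actor.userPrincipalName`, `activityDateTime`), and the field names, the match on a "Wipe" activity name, and the thresholds are assumptions you would tune to your tenant.

```python
"""Flag accounts issuing a burst of Intune device wipes (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_event(actor, ts_iso, device, activity="Wipe ManagedDevice"):
    """Build one audit event in a shape modeled on Graph auditEvent records (assumption)."""
    return {
        "displayName": activity,
        "activityDateTime": ts_iso,
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": device}],
    }


# Constructed sample: a help desk account wiping two devices across a morning,
# and a second admin account wiping six devices in under three minutes.
SAMPLE_EVENTS = [
    make_event("helpdesk@example.com", "2026-03-06T09:00:00Z", "LAPTOP-0101"),
    make_event("helpdesk@example.com", "2026-03-06T09:20:00Z", "LAPTOP-0102",
               activity="Sync ManagedDevice"),
    make_event("helpdesk@example.com", "2026-03-06T10:30:00Z", "LAPTOP-0103"),
] + [
    make_event("svc-admin@example.com", f"2026-03-06T12:0{i // 2}:{'30' if i % 2 else '00'}Z",
               f"LAPTOP-02{i:02d}")
    for i in range(6)
]


def detect_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return [(actor, window_start_iso, peak_count)] for every actor whose
    wipe commands reach `threshold` inside any sliding `window`."""
    wipes_by_actor = defaultdict(list)
    for ev in events:
        # Only wipe/retire-style actions matter here; syncs and policy pushes are ignored.
        if not ev["displayName"].lower().startswith("wipe"):
            continue
        ts = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        wipes_by_actor[ev["actor"]["userPrincipalName"].lower()].append(ts)

    alerts = []
    for actor, times in wipes_by_actor.items():
        times.sort()
        recent = deque()          # timestamps inside the current window
        peak, peak_start = 0, None
        for t in times:
            recent.append(t)
            while t - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) > peak:
                peak, peak_start = len(recent), recent[0]
        if peak >= threshold:
            alerts.append((actor, peak_start.isoformat(), peak))
    return sorted(alerts)


if __name__ == "__main__":
    for actor, start, count in detect_wipe_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {actor} issued {count} wipes within 10 min starting {start}")
```

The threshold is deliberately low: in most tenants a single human should almost never need to wipe five devices in ten minutes, so the rule can page on-call without tuning noise out first, and a bulk-retirement project can be allow-listed by change ticket rather than by raising the limit.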

Security researchers responding to the Stryker incident have recommended that any business running Microsoft Intune or similar unified endpoint management platforms review who holds global administrator privileges in that environment and restrict those credentials to a small number of break-glass accounts used only in emergencies. Routine administration should run through lower-privilege accounts scoped to specific functions.

Segregating those privileges takes an afternoon. Rebuilding from a mass wipe takes longer.
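A practical way to start that afternoon's work is to enumerate who actually holds Global Administrator and compare it against a short, named list of break-glass accounts. The script below is an added example for this post (not STACK's, Stryker's or Microsoft's code). It assumes you have exported directory roles with their members from Microsoft Graph (`GET /directoryRoles?$expand=members`) to JSON; the sample export is constructed in that shape so the script runs offline, and the Intune Administrator role in it carries a placeholder template ID. The Global Administrator template ID is the real, fixed value Microsoft publishes for that built-in role.

```python
"""Audit Global Administrator holders against a break-glass allowlist (added example)."""
import json

# Fixed template ID of the built-in Global Administrator role in Entra ID.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample export: two break-glass users, one routine admin who
# should be scoped down, and an automation service principal that should
# never hold the role at all.
SAMPLE_EXPORT = json.dumps({
    "value": [
        {
            "displayName": "Global Administrator",
            "roleTemplateId": GLOBAL_ADMIN_TEMPLATE_ID,
            "members": [
                {"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "breakglass1@example.com"},
                {"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "BreakGlass2@example.com"},
                {"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "jdoe@example.com"},
                {"@odata.type": "#microsoft.graph.servicePrincipal",
                 "displayName": "patch-automation"},
            ],
        },
        {
            "displayName": "Intune Administrator",
            "roleTemplateId": "PLACEHOLDER-INTUNE-ADMIN-TEMPLATE-ID",  # placeholder, not the real ID
            "members": [
                {"@odata.type": "#microsoft.graph.user",
                 "userPrincipalName": "jdoe@example.com"},
            ],
        },
    ]
})


def audit_global_admins(export_json, break_glass, max_break_glass=2):
    """Return a sorted list of (finding, principal) for Global Administrator members
    that are not approved break-glass accounts, plus a finding if more
    break-glass accounts hold the role than policy allows."""
    allowed = {upn.lower() for upn in break_glass}
    findings = []
    break_glass_seen = 0
    for role in json.loads(export_json)["value"]:
        # Match on the template ID, never on the display name, which is localizable.
        if role.get("roleTemplateId") != GLOBAL_ADMIN_TEMPLATE_ID:
            continue
        for member in role.get("members", []):
            if member.get("@odata.type") != "#microsoft.graph.user":
                # Service principals and groups holding GA are an audit finding on their own.
                findings.append(("non-user principal holds Global Administrator",
                                 member.get("displayName", "<unnamed>")))
                continue
            upn = member["userPrincipalName"].lower()
            if upn in allowed:
                break_glass_seen += 1
            else:
                findings.append(("routine account holds Global Administrator", upn))
    if break_glass_seen > max_break_glass:
        findings.append(("more break-glass accounts than policy allows", str(break_glass_seen)))
    return sorted(findings)


if __name__ == "__main__":
    approved = {"breakglass1@example.com", "breakglass2@example.com"}
    for finding, principal in audit_global_admins(SAMPLE_EXPORT, approved):
        print(f"{finding}: {principal}")
```

Every account the script lists is a candidate for a scoped role such as Intune Administrator or a Privileged Identity Management activation instead of standing Global Administrator; the break-glass accounts that remain should be the ones with phishing-resistant MFA and alerting on every sign-in.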

Federal Gap Changes Calculus

CISA launched an investigation into the Stryker attack the day after it was confirmed. That's notable and appropriate. What's equally notable is that no specific advisory or alert was issued on the day of the attack itself. And this was the first confirmed major cyberattack on a U.S. corporation since the Iran war began.

CISA is currently operating at about 38 percent staffing due to a federal funding lapse, leaving the agency tasked with coordinating critical infrastructure defense significantly constrained at precisely the wrong moment.

Businesses in sectors that have historically relied on government advisories as a layer of situational awareness can't treat that channel as a reliable primary signal right now. Commercial threat intelligence sources, including the SOCRadar dashboard, sector-specific information sharing groups, and managed security providers with active monitoring capabilities, are filling a gap the federal apparatus isn't currently positioned to fill at full capacity.

Framework Stretched

CISA's March 18 alert urging organizations to harden their endpoint management systems was the first formal federal response to the Stryker attack specifically. But the government's posture has continued to shift. On March 20, the FBI seized four domains linked to Iran's Ministry of Intelligence and Security, including infrastructure tied directly to Handala -- sites the bureau alleged were used for psychological operations, including claiming cyberattacks, leaking stolen data and publishing calls for violence against journalists and dissidents.

On March 23, the U.S. State Department launched the Bureau of Emerging Threats, a new office created specifically to counter cyberattacks from Iran-affiliated and other state-linked groups. The timing is not coincidental. The federal government is acknowledging, through institutional action, that the existing response framework wasn't built for the pace and scale of what is currently happening.

For businesses, that acknowledgment matters less than the reality it reflects: federal agencies are stretched, response timelines are long, and the guidance issued is general. CISA can tell every company in the country to audit its Intune configuration. It can't do that audit for you.

What Dashboard Says Headlines Don't

The SOCRadar dashboard tracks the conflict at a level of granularity that general news coverage doesn't reach. It identifies which specific threat actors are active on any given day, what sectors they're targeting, what attack techniques they're using, and which countries are absorbing the most impact. In the week of Feb. 27 through March 6, Israel absorbed the heaviest volume, followed by Kuwait and Jordan. The most impacted industries globally were national government, aerospace and defense, and technology. But the dashboard also flags activity directed at financial services, health care, and shipping.

It also surfaces something the Stryker headlines largely missed: the supply chain targeting logic that security firm Palo Alto Networks identified in Handala's recent behavior. The group has shown a focus on establishing footholds through IT service providers and managed service partners to reach downstream customers. That's not a peripheral concern for businesses that work with IT vendors, managed security providers, or cloud service companies. It's a direct exposure pathway. If your IT provider is compromised, the attacker is already inside your network before anyone knows to look.

Conflict Has No End Date

The Center for Strategic and International Studies assessed that the Feb. 28 strikes were more likely to mark the beginning of a new phase of cyber escalation than its conclusion. That assessment has held.

The businesses compromised in the months ahead will largely be those that treated the Stryker attack as a one-time event, concluded it had nothing to do with them, and moved on without taking action.

The SOCRadar dashboard we referenced when this post was first published continues to update in real time. The picture it shows today is more complex than it was two weeks ago. There are more confirmed actors, more disclosed victims, more federal involvement, and a clearer technical picture of how these attacks unfold. Bookmark it, check it regularly, and treat what it shows as a risk signal.

If the Stryker disclosure, the FBI alert or the class action filing raised questions about your own environment (about your Intune configuration, your credential exposure or your incident response readiness) those questions deserve a real answer before someone else provides one for you.

Work with STACK

If your business wants to understand its exposure or build stronger defenses, email info@stackcyber.com or call (734) 744-5300.

Cybersecurity Consultation

Do you know if your company is secure against cyber threats? Do you have the right security policies, tools, and practices in place to protect your data, reputation, and productivity? If you're not sure, it's time for a cybersecurity risk assessment (CSRA). STACK Cybersecurity's CSRA will meticulously identify and evaluate vulnerabilities and risks within your IT environment. We'll assess your network, systems, applications, and devices, and provide you a detailed report and action plan to improve your security posture. Don't wait until it's too late.
