The Iran War: What You Need to Know

March 09, 2026

Last updated on 9 March 2026 at 2230 GMT.

Recorded Future's Insikt Group® is actively monitoring the rapidly evolving situation following coordinated US-Israeli strikes against Iran, the death of Supreme Leader Ali Khamenei and the widening regional war. This analysis serves as a continuously updated compilation on the geopolitical, cyber and influence operation aspects of the war, including key indicators to watch in the coming days, weeks and months.

This report will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.

The Latest Areas to Watch

Three things to watch right now:

  • Mojtaba Khamenei's first address to the nation. This is the single most important near-term signal. Whether his tone is defiant, pragmatic, or obliquely conciliatory will reveal whether any room for negotiation exists — and substantially change the picture for regional stability.
  • The Internet blackout lifting and the cyber re-operationalization window. When connectivity is restored, expect scanning, brute forcing, password spraying, and probing against previously untargeted networks as early signals of Iranian cyber forces returning to operational tempo.
  • Three scenarios remain in play — and are not mutually exclusive. A swift US military exit, a negotiated Venezuela-style deal, or internal revolution and fragmentation each carry distinct risk profiles.

Iran's Leadership Situation

Mojtaba Khamenei, son of the late Ali Khamenei, has been elected as Supreme Leader. His election is expected to preserve hardliner continuity and underscores the IRGC's political power — they were able to shape the outcome in favor of their preferred candidate despite reported objections from some clerics. Mojtaba himself appears to have been wounded in US-Israeli strikes that killed his father, mother, wife, and one son.

What this means strategically: Mojtaba is neither a credible Islamic scholar nor an experienced administrator — the two traditional prerequisites for the position. He lacks the authority his father spent two decades consolidating. For now, Iran is effectively being run by committee. Key power brokers include IRGC chief Vahidi, parliamentary speaker Ghalibaf, and overall security head Larijani. These individuals are realists, even if labeled hardliners, and have a broader range of options before them than Khamenei Senior ever permitted.

There is also visible tension between political leadership and the IRGC. President Pezeshkian's public apology over the weekend for strikes on Iran's neighbors drew immediate backlash from hardliners and military leaders — a reflection of the weakness of the elected government, not a sign of internal fracturing. The IRGC is driving wartime strategy.

Iran faces two paths: pursue a deal with the US that normalizes economic engagement and offers a path to regime survival — or endure the bombing, crack down domestically, export enough oil to China and India to sustain the patronage system, and wait for the geopolitical environment to shift. Mojtaba's first address to the nation will be the most significant near-term signal of which direction Iran is leaning.

Cyber Threat Landscape

Insikt Group continues to observe a near-term reduction in Iran's more advanced cyber activity since March 1. The Internet blackout across much of Iran has likely impeded operational tempo and coordination among state-sponsored groups. However, treat this period as a window in which Iran-aligned operators are regrouping, prioritizing recovery and defense, and setting conditions for future operations — not as a sign of diminished threat.

It is worth separating espionage-grade operations from the broader pro-Iran ecosystem. Some groups have gone quiet; others remain active. Critically, not all groups need to operate from within Iran's borders.

Recent confirmed activity:

  • A pro-Iranian cyberattack was launched against Jordanian public silos and supply infrastructure around March 1
  • A malicious Android application mimicking a missile warning system was disseminated to Israeli civilians via SMS — currently under investigation and validation by Insikt Group
  • These are considered outliers in what is likely to become a far more robust retaliation once Iran emerges from the Internet blackout

Groups to Track

State-sponsored: Insikt Group is actively monitoring Green Bravo (APT42), Green Golf, Cotton Sandstorm, and Cyber Avengers. These groups are capable of advanced network and vulnerability scanning, opportunistic exploitation of known vulnerabilities, deployment of disruptive and destructive malware, and satellite or television broadcast hijacks — the latter particularly likely given their psychological impact.

Hacktivist fronts: The Handala Hack Team and the Conquerors Electronic Army operate in a hybrid space blending hacktivism, cyber intrusions, and influence operations. Typical TTPs include web defacements, DDoS targeting government and critical infrastructure, hack-and-leak operations, and doxing of officials and political figures. These groups are likely to be the first to resume traditional operational tempo as the blackout lifts.

Also watch: Peach Sandstorm, APT34, MuddyWater, and Moses Staff each have established patterns for initial access and lateral movement. Watch for new hacktivist fronts emerging — this is typically a signal of where Iran is directing its efforts, as seen with Homeland Justice in Albania and Moses Staff targeting Israel.

Three Areas to Monitor

Intent to Recalibrate. After this round of hostilities, cyber operations will likely expand to include new regional targets, mirroring what we've seen on the kinetic front. Iranian cyber groups will likely be active across new targeted networks and operationalized for disruptive use.

Proliferation. In line with that recalibration, Iranian cyber groups will likely be tasked to acquire and deploy more disruptive capabilities.

Time. Iran is currently experiencing a digital blackout, and cyber operations are likely impacted as a result. There are already reports suggesting aerial bombardments have hit at least one facility used by a major group. If cyber centers remain intact, Iran will still require time to re-operationalize — and if more physical centers have been targeted, that timeline extends further. For historical context: after the Qasem Soleimani killing in January 2020, Iran took approximately two months before launching what became multi-year, highly targeted campaigns against Israeli government, private sector, and academic institutions.

Targeted Industries

Critical infrastructure, government, defense, and the defense industrial base will be at the top of the targeting list. US critical infrastructure is absolutely part of that target set — Iranian APT groups are known to be opportunistic, acquiring exploits and collaborating with ransomware groups to gain network access, and the threshold for retaliation following Khamenei's death will be very high. Pro-Iran hacktivist groups — including Handala Hack Team, Cyber Islamic Resistance, RipperSec, APT IRAN, and Cyber Fattah — have announced coordinated cyber operations against Israeli and regional targets. While large-scale independently verified intrusions had not been confirmed as of March 9, organizations should not mistake this for low risk.

Watch for each major group's distinct TTPs: Peach Sandstorm, APT34, MuddyWater, Cotton Sandstorm, and APT42 each have established patterns for initial access and lateral movement. Also watch for new hacktivist fronts emerging — this is typically a signal of where Iran is directing its efforts, as seen previously with Homeland Justice in Albania and Moses Staff targeting Israel.

What to Watch

When the digital blackout lifts, look for scanning, brute forcing, password spraying, and probing against your networks as early signals of Iranian cyber forces re-operationalizing. A temporal overlap between the blackout lifting and increased probing against previously untargeted networks would be a significant indicator. DDoS campaigns may also be an early signal. Ensure all public-facing technologies are patched — you can't control geopolitics, but you can control your exposure.
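The early signals named here and in "The Latest Areas to Watch" (scanning, brute forcing, password spraying, probing) each have a simple statistical shape in authentication and firewall telemetry. The script below is an added example, not code from Insikt Group or Recorded Future: it separates a password spray (one source, failures against many distinct accounts in a short window) from a brute-force attempt (one source hammering one account) and from a port sweep (one source denied on many distinct ports). The log line format, the thresholds, and the sample lines are all assumptions constructed for illustration and would need to be tuned to your own telemetry.

```python
"""Triage of constructed auth/firewall log lines for re-operationalization signals.

Added example (not part of the Insikt Group report). Log format, field names
and thresholds are assumptions; adapt them to your SIEM's schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format: <ISO-8601 UTC> <EVENT> src=<ip> [user=<name>] [dport=<port>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+src=(?P<src>\S+)"
    r"(?:\s+user=(?P<user>\S+))?(?:\s+dport=(?P<dport>\d+))?$"
)

# Constructed sample telemetry (not real data): one spraying source, one
# single-account brute-forcer, one port sweeper, and some benign noise.
SAMPLE_LOGS = "\n".join(
    [f"2026-03-10T01:00:{i:02d}Z AUTH_FAIL src=203.0.113.10 user={u}"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2026-03-10T01:05:{i:02d}Z AUTH_FAIL src=198.51.100.7 user=admin"
       for i in range(8)]
    + [f"2026-03-10T01:10:{i:02d}Z CONN_DENY src=192.0.2.55 dport={p}"
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080])]
    + ["2026-03-10T01:12:00Z AUTH_FAIL src=10.0.0.5 user=alice",
       "2026-03-10T01:12:05Z AUTH_OK src=10.0.0.5 user=alice"]
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return e


def parse_logs(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """One source failing against many distinct accounts inside `window`.

    Returns {src: max distinct users seen in any window} for sources over threshold.
    """
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "AUTH_FAIL" and e["user"]:
            fails[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, items in fails.items():
        items.sort()
        best = 0
        for i, (t0, _) in enumerate(items):  # O(n^2) sliding window; fine for a sample
            users = {u for t, u in items[i:] if t - t0 <= window}
            best = max(best, len(users))
        if best >= min_users:
            flagged[src] = best
    return flagged


def detect_brute_force(events, min_attempts=8):
    """One (source, account) pair with repeated failures."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "AUTH_FAIL" and e["user"]:
            counts[(e["src"], e["user"])] += 1
    return {k: n for k, n in counts.items() if n >= min_attempts}


def detect_port_scan(events, min_ports=10):
    """One source denied on many distinct destination ports."""
    ports = defaultdict(set)
    for e in events:
        if e["event"] == "CONN_DENY" and e["dport"]:
            ports[e["src"]].add(int(e["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def triage(text):
    """Run all three detectors over raw log text and return findings by category."""
    events = parse_logs(text)
    return {
        "password_spray": detect_password_spray(events),
        "brute_force": detect_brute_force(events),
        "port_scan": detect_port_scan(events),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_LOGS).items():
        print(f"{category}: {findings}")
```

The useful operational step is to run this kind of query as a baseline comparison rather than an absolute count: the report's point is the temporal overlap, so the signal is a source or port set that is new relative to the weeks before the blackout lifted, not just one that crosses a fixed threshold.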

Additionally, watch for infrastructure repurposing: groups known for traditional espionage may suddenly shift to IO-driven domains, as seen after June 2025 when espionage infrastructure pivoted to hybrid theft-and-influence operations.

Expert Assessment: What Happens Next

Based on analysis from Dr. Christopher Ahlberg’s conversation with former MI6 Director Sir Alex Younger.

Three scenarios are in play — not mutually exclusive, and each with distinct implications for organizations managing risk.

Scenario 1 — Bomb, Declare Victory, and Leave

The US achieves air supremacy, conducts a sustained campaign of precision strikes against remaining target banks, forces the Strait of Hormuz open using naval power, and exits. The suppressive effect on Iranian will and capacity — particularly once B-52s can operate over Iran with impunity — should not be underestimated. This scenario has a faster resolution timeline but risks leaving unresolved instability.

Resilience question: What is the operational and financial impact of a 30- to 60-day Strait closure across our critical dependencies?

Scenario 2 — A “Venezuela-Style” Deal

This is assessed as the scenario Trump is most actively angling for. Iran's new leadership — cornered economically, facing military degradation, and aware that 80% of government revenue derives from hydrocarbons now at risk — has strong incentives to negotiate. Pezeshkian's public apology, the IRGC's repudiation of it, and Trump's calls for unconditional surrender may be the opening moves of a negotiation rather than signs of irreconcilable positions. Any deal would almost certainly require zero enrichment and the transfer of Iran's 400-plus kilograms of highly enriched uranium.

Resilience question: If a deal emerges within weeks, how does your organization's risk posture need to shift — and are your stakeholders prepared for rapid de-escalation as well as escalation?

Scenario 3 — Revolution or Fragmentation

Revolutions always appear unthinkable before they happen and inevitable afterward. No obvious opposition leader has emerged, but fragmentation doesn't always begin at the center. Given Iran's profound ethnic diversity, insurgencies could take hold in the periphery. This is the highest-uncertainty, highest-consequence scenario. The street-level infrastructure for suppressing domestic unrest remains stubbornly intact — but the Iranian population knows this regime ordered mass killings of unarmed protesters, and something is permanently broken in that relationship.

Resilience question: Are we prepared for high-impact, low-probability incidents such as sudden infrastructure disruption, terrorist violence, or regional fragmentation affecting operations across Iraq, the Gulf, and beyond?
