3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Cyber Islamic Resistance

Cyber Islamic Resistance

ID: 8f27533a6eae91685fa0355542c0b3db
Hacktivist Group Hacktivism
Threat types: Hacktivism, Defacement, Intrusion, DDoS Attack, Extremist Cluster
Lebanon ISR
Updated: 2026-04-16
Created: 2026-01-20
Progress: 94% Completeness: 92% Freshness: 100%
Operation zone: Israel
Aliases Limited alias preview
‏CIR Cyber Axis of Resistance Cy***************************** Cy********************
Ej****************************** Is*************************** Is********************* Is***************************
La******************************* Th*************************
Showing 2 of 10 aliases in free preview.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

Cyber Islamic Resistance is a pro-Iran-aligned cyber / hybrid extremist cluster that functions as a public-facing umbrella for coordinated DDoS, defacement, alleged data theft, and propaganda exploitation against Israeli and Western targets. Its activity is strongly Telegram-centric, coalition-driven, and often amplified by adjacent pro-Iranian and pro-Russian actors.


Technique Technique name Tactics Evidence
T1595 Active Scanning TA0043
  • 2026-02-28 — Public reporting on Cyber Islamic Resistance coalition formation described wide-scale targeting of Israeli websites and repeated use of target lists and exposed public services. INFERENCE (confidence: medium): this behavior is consistent with active scanning and exposure discovery before attack waves. · ref
  • 2026-03-11 — Rapid7 described public website targeting and defacement claims across the pro-Iran ecosystem that includes Cyber Islamic Resistance, consistent with reconnaissance against exposed web assets. · ref
T1190 Exploit Public-Facing Application TA0001
  • 2026-03-11 — Cyber Islamic Resistance was associated with claims of attacks on several websites. This aligns with exploitation of public-facing applications in at least part of the actor’s visible activity. · ref
  • 2026-03-26 — Unit 42 described the collective as coordinating DDoS, defacement, and website-focused disruptive activity against Israeli and Western infrastructure. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2026-03-02 — INFERENCE (confidence: medium): repeated public claims involving admin-panel access, CCTV access, and compromise of exposed service environments suggest that valid-account abuse may occur in some incidents, even if direct confirmation is limited. · ref
T1498 Network Denial of Service TA0040
  • 2026-02-28 — SOCRadar reported the formation of a unified Electronic Operations Room and coordinated attacks against Israeli websites under the Islamic Resistance Axis, supporting DDoS as a core operational pattern. · ref
  • 2026-03-26 — Unit 42 explicitly described Cyber Islamic Resistance as coordinating multiple hacktivist teams to launch synchronized DDoS attacks. · ref
T1491.001 Internal Defacement TA0040
  • 2026-03-11 — Rapid7 stated that groups such as Cyber Islamic Resistance have been associated with claims of attacks on several websites and emphasized the significance of defacement in the current conflict. · ref
  • 2026-03-18 — Flashpoint conflict tracking included unverified Cyber Islamic Resistance defacement claims against the Kurdish Peshmerga special forces website. · ref
T1565.001 Stored Data Manipulation TA0040
  • 2026-03-11 — Website defacement and public sabotage claims imply modification of stored content on compromised web resources. · ref
T1485 Data Destruction TA0040
  • 2026-03-26 — Unit 42 linked the collective to data-wiping operations and disruptive attacks. Some specific incidents remain claim-heavy, but destructive intent is part of the actor’s public operational framing. · ref
  • 2026-03-17 — Secondary reporting described Iranian-affiliated groups including Cyber Islamic Resistance conducting website defacements and data-wiping attacks against logistics and military-supporting entities. · ref
T1213 Data from Information Repositories TA0009
  • 2026-03-10 — Industrial Cyber summarized claims involving compromise of communications and infrastructure targets, consistent with collection from information repositories in publicly exposed environments. · ref
  • 2026-03-03 — Public reporting cited leaked CCTV footage and breach claims against Israeli entities, supporting data access and repository collection as recurring narrative elements. · ref
T1102.002 Bidirectional Communication TA0011
  • 2026-02-28 — The actor’s coalition activity was coordinated through a unified Electronic Operations Room with heavy use of public Telegram channels for mobilization and amplification. · ref
  • 2026-03-04 — Recorded Future identified Cyber Islamic Resistance among groups announcing coordinated operations, underscoring the operational importance of public communications channels. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-04-06T18:31:23+00:00
Cyber Islamic Resistance — Cyber / Hybrid Hacktivist-Extremist Cluster

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Cyber / Hybrid Hacktivist-Extremist Cluster - Origin: Assessed transnational “Axis of Resistance” ecosystem with strong pro-Iran alignment and visible Iraq/Lebanon-linked coalition participation

Author: iQBlack CTI Team


Executive Summary

Cyber Islamic Resistance is best modeled as a clustered cyber-propaganda, claim, and coalition-signaling ecosystem rather than a neatly bounded single team. Public-facing branding, Telegram-based mobilization, coalition announcements, and recurring references to the “Islamic Resistance Axis” and “Holy League” indicate an umbrella identity used to coordinate or at minimum publicly synchronize multiple aligned hacktivist and nuisance cyber brands.


The actor’s messaging is consistently anti-Israel, pro-Palestine, pro-“axis of resistance,” and openly convergent with pro-Russian narratives. Public reporting in 2025–2026 described Cyber Islamic Resistance as a pro-Iranian umbrella collective coordinating multiple hacktivist teams for synchronized DDoS, defacement, and destructive or allegedly destructive operations against Israeli and Western infrastructure. Internal Telegram-derived analysis further indicates that the visible communications layer around multiple @Mhwea* identities recirculates materially similar content, which strengthens the cluster model over a “many independent teams” explanation.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — Cyber Islamic Resistance

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — Cyber Islamic Resistance


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-04-07T17:58:52+00:00

IOC Appendix — Cyber Islamic Resistance

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-04-07T18:32:01+00:00

OSINT Library — Cyber Islamic Resistance


2026-04-07 — iQBlack — “Cyber Islamic Resistance as a Social and Strategic Infrastructure of Hybrid Warfare”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/15
Address Verification SOCMINT
twitter.com/Mhw***** Restricted Not integrated
Address Verification SOCMINT
t.me/Mhw***** Restricted Not integrated
t.me/mhw**** Restricted Not integrated
t.me/Mhw****** Restricted Not integrated
t.me/Mhw***** Restricted Not integrated
t.me/Meh***** Restricted Not integrated
t.me/abo*********** Restricted Not integrated
t.me/Mha***** Restricted Not integrated
t.me/Gho************* Restricted Not integrated
t.me/CIR** Restricted Not integrated
t.me/+gA************** Restricted Not integrated
t.me/Mhw*********** Restricted Not integrated
t.me/Mhw*********** Restricted Not integrated
t.me/Mhw*********** Restricted Not integrated
t.me/Mhw*********** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–12 of 21 images
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Propaganda / Alliances Free Preview
Propaganda / Alliances
Defaced website Free Preview
Defaced website
Propaganda / Donations Free Preview
Propaganda / Donations
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Defaced website Free Preview
Defaced website
Defaced website Free Preview
Defaced website
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Logo Free Preview
Logo
Logo Free Preview
Logo
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda
Logo Free Preview
Logo
Showing 4 of 21 images in preview mode. Additional evidence is restricted for Analyst and Premium plans.