Political-Religious Hacktivism in the Middle East

Over the last ten years, political-religious hacktivism linked to the Middle East has become harder to explain. There are still groups, logos, channels, campaigns, public claims, denial-of-service attacks, defacements, leaks, and propaganda, but the full picture is far more uncomfortable than a simple list of names and targets.

When viewed with some distance, what becomes visible is a mix of political militancy, religious identity, social frustration, territorial conflict, propaganda, psychological action, and offensive use of the Internet. Of course, these elements do not always appear together. Sometimes the technical operation dominates. In other cases, the narrative does. At times, an actor only needs to show belonging to a cause. And in other cases, publishing a screenshot, a logo, a target list, or a difficult-to-verify claim may be enough to produce an effect inside a community already predisposed to believe it.

The evolution of warfare did not simply move from bullets to keyboards. Saying it that way, flatly, would be too convenient a simplification. But it is clear that keyboards became another channel of pressure. Digital propaganda, the spread of threats, data exposure, rumor, perception manipulation, and public claims of attacks became part of the confrontation space. In some cases, that psychological action became almost as important as the technical operation it claimed to accompany.

The case of the Islamic State marked an important part of that decade because it broke the mold. ISIS understood very early that the Internet was not just a channel for publishing communiqués. It was an infrastructure for propaganda expansion, recruitment, financing, intimidation, coordination, dissemination of instructions, circulation of symbols, and production of extreme fear. Its media apparatus did not only seek to report actions; it sought to manufacture a sense of strength, proximity, and permanent advance. In that climate, groups aligned with its cause also appeared, some with clearer links, others far more diffuse, and many moving between ideological support, opportunism, and low-complexity recycled propaganda.

That is where the universe associated with the United Cyber Caliphate comes in. During 2016, UCC was publicly presented as a kind of convergence structure for pro-ISIS groups operating in hacking, doxing, defacements, and propaganda. Among the names linked to that space were Caliphate Cyber Army, Ghost Caliphate Section, Sons Caliphate Army, Anshar Caliphate Army, Islamic Intelligence, Fighter Moeslim Cyber Caliphate, Anon Terror, and Team System DZ, among others. Not all of these groups had the same weight or the same capability. There is also not enough basis to affirm that all of them remain active today under the same form or name. But as a historical snapshot, they help understand that a strong cause can bring together volunteers, imitators, minor operators, and propagandists under a shared banner without necessarily implying a solid organic structure.

With UCC and its associated groups, many public readings tended to inflate capabilities or mix different activities under the same idea of an “Islamic State hacking apparatus.” The Combating Terrorism Center at West Point warned precisely about that problem: “…assessments of the capabilities of ISIS-affiliated or ISIS-inspired hackers often relied on hypothetical scenarios, overestimated technical skills, and mixed separate activities as if they were part of the same compact structure.” That does not make the phenomenon irrelevant. It makes it more uncomfortable: simple cyberattacks, doxing, defacements, target lists, and hostile propaganda could be turned into psychological pressure at a relatively low operational cost.

A defacement may last only a few minutes, but circulate for years as a screenshot, as a story, or as emotional proof inside a community. In intelligence, something similar happens with rumor: planting it is usually simple; eradicating it is extremely difficult. The technical operation can disappear quickly, but its psychological effect remains available to be recycled whenever the narrative needs it. That mechanism was visible in several spaces close to ISIS, but it did not remain confined there.

First-degree relationship network associated with Cyber Islamic Resistance (CIR). The capture illustrates one of the central ideas of this analysis: in political-religious hacktivism, an actor’s influence is also built through alliances, narrative proximity, public validation, and the ability to integrate into a broader digital front. Source: 3C-INT

Hamas and Hezbollah force us to look at another layer of the problem. They are not equivalent to the Islamic State, neither in structure, nor in objectives, nor in their relationship with territory, community, or governance. Their relationship with technology responds to broader needs: communication, political legitimacy, narrative control, connection with social bases, pressure against adversaries, international exposure, and, in some cases, support for operations linked to armed conflict. CSIS noted that the technological strategies of Hamas and Hezbollah reflect their governance roles, unlike organizations such as al-Qaeda or ISIS, which are more oriented toward a pan-Islamist vision and transnational media operations.

That nuance helps avoid a flat reading. In the case of ISIS, the digital environment served to project an idea of a global caliphate, recruit sympathizers, intimidate adversaries, and activate ideological satellites. In Hamas or Hezbollah, technology also serves to sustain political presence, dispute legitimacy, speak to concrete communities, and maintain a narrative of resistance in the face of prolonged conflicts. In both cases there is propaganda, but it is not the same propaganda. In both cases there is psychological action, but it does not operate on the same social base.

The Iranian axis adds another dimension. In previous publications on materials attributed to LabDookhtegan and activities linked to Ansar or environments associated with MOIS, references appeared to planning against hotels, oil companies, airports, telecommunications, energy, sites in Saudi Arabia and Jordan, as well as spear phishing, social engineering, mobile tracking, and operations aimed at shaping public perception. This type of activity shows an increasingly porous boundary between intrusion, intelligence, psychological pressure, and propaganda. It is not only about entering a system. Sometimes the objective is to sow doubt, plant rumors, symbolically punish, or increase the sense of vulnerability.

Microsoft also observed that convergence after 7 October 2023, describing how Iran combined opportunistic cyber targeting with influence operations in support of Hamas, often exaggerating or distorting the accuracy and scope of the impact. That idea is central to understanding the present: the technical operation may be real, partial, exaggerated, or even weak, but the influence layer seeks to turn it into a useful story.

In the Gaza war, this logic became visible again with force. The conflict activated pro-Palestinian, pro-Israeli, pro-Iranian, and opportunistic communities that used the moment to claim attacks, publish target lists, circulate screenshots, coordinate campaigns, or simply try to gain visibility. Some groups had greater technical capability. Others functioned more as propaganda nodes, target curators, message replicators, or campaign brands.

This is where current actors such as Cyber Islamic Resistance appear, helping us observe how certain narratives of political-religious resistance adapt to a much more modular digital ecosystem. Not all groups in that environment have the same capability or fulfill the same function. Some try to execute operations, others validate, others recycle publications, others act as loudspeakers, others join campaigns to gain legitimacy, and some merely contribute symbolic presence. But all of them can feed the perception of an active front if the ecosystem recognizes them and incorporates them into a shared narrative.

There are also more incipient cases, such as Q22, which show another type of signal. We are not necessarily dealing with mature actors, technically solid operations, or independently confirmed impacts. But useful patterns do appear: public claims, dispersed target selection, hostile aesthetics, declared links with smaller groups, and the use of weak indicators to build an operational presence still under evaluation. In these cases, the intelligence value is not in inflating the threat, but in detecting early an identity that may grow, mutate, disappear, or be absorbed by another circuit.

The problem is that all these actors are often analyzed with the same yardstick. And that does not work. Caliphate Cyber Army or Ghost Caliphate Section help understand a stage of pro-ISIS cyber propaganda. Hamas and Hezbollah require thinking about the use of technology from organizations with social, territorial, and political roots. Iranian clusters show the mixture of cyber operations, intelligence, and influence. Emerging actors such as Q22 or some current hacktivist groups show how signal is built in an environment where visibility can be almost as valuable as real capability. Putting everything in the same bag is convenient, but poor analysis.

Modularity is one of the keys to this evolution. Groups no longer always need to operate as closed organizations with clear hierarchies. They can appear as campaign nodes, coordination rooms, auxiliary groups, dissemination channels, or alliances. Under this scenario, an actor’s value is not always in what it can do alone, but in the function it fulfills within a broader circuit.

That is why alliances have become so visible. Cooperation existed before, of course. Nobody discovered gunpowder; we just stopped looking at the map with a fogged-up magnifying glass. The interesting part is that now the alliance is also a message. It communicates strength, attracts attention, creates a sense of scale, and allows small actors to appear as part of something larger. Sometimes there is real coordination. Sometimes there is only a shared cause and a desire to be seen. In both cases, the signal can serve the ecosystem.

But some alliances also show something more concrete: a functional division of labor. The case of Z-Pentest and AlfaNet, within Z-Alliance, is useful as a recent reference. There, the public announcement was not limited to a statement of sympathy or general cooperation. It proposed a separation of functions: AlfaNet as the layer for reconnaissance, collection, and target development; Z-Pentest as the technical component for intrusion, backdoor support, and access consolidation. In other words, one side feeds targeting and operational-strategic intelligence; the other provides technical execution. If that model holds in practice, the alliance stops being only a joint photo and begins to look more like a repeatable activity chain.

That example does not belong to the political-religious axis of the Middle East, but it helps understand a logic that is being seen in many more serious hacktivist environments, where the common factor is strategic and does not point to a simple alliance between groups, but to the distribution of functions. One actor may produce narrative while another curates targets. Another may execute and another may publish. And all of them, together or separately, can sustain the feeling of an active campaign.

This logic is not exclusive to the Middle East, but it finds especially sensitive ground there. Open conflicts, religious disputes, state rivalries, memories of occupation, foreign interventions, regional competition, active diasporas, and highly mobilized global audiences converge in the region. When a community is already emotionally charged, a minor operation can circulate as proof of strength. A limited leak can feel like punishment. A website down for a few minutes can be presented as victory. And a threat published with militant aesthetics can act as an intimidation tool even when it is not accompanied by notable technical capability.

That elasticity explains why some structures survive better than their technical capability would suggest. It also explains why looking beyond technical telemetry is necessary. Knowing whether there was DDoS, defacement, data access, or simple propaganda remains necessary. But it is not enough. It is also necessary to observe who validates whom, which names repeat, which symbols persist, which alliances appear, which language gets recycled, which targets become useful, and which causes activate faster. Even if it does not seem so at first glance, the social life of the ecosystem says as much as technical indicators.

Political-religious hacktivism in the Middle East does not seem to have become something entirely new. Rather, it has adapted to an environment where technical action, propaganda, and digital community mix more naturally. There are clear inheritances from the decade marked by ISIS and its digital satellites. There are dynamics specific to political-military organizations such as Hamas and Hezbollah. There is influence from state and para-state actors. There are small groups born around a cause that disappear quickly. And there are coalitions that matter less for their solidity than for the perception of force they manage to project.

The most useful reading may be not to always look for the great actor behind every logo, nor to reduce everything to “channel noise.” Between one thing and the other, there is a huge space where identities are formed, campaigns are tested, narratives are recycled, and forms of digital pressure are rehearsed. In the end, the problem is not only the attack. The problem is the combination of attack, propaganda, and belonging. And in the Middle East, that combination has spent at least a decade proving that it can change shape many times without disappearing.