The Iran War: What You Need to Know

Last updated: 1 May 2026 at 1500 GMT

New from Insikt Group: Iran War — Future Scenarios and Business Implications

Insikt Group has published a dedicated Cone of Plausibility analysis examining how the Iran conflict could evolve over the next 6–12 months — from a fragile ceasefire baseline to regional war, regime collapse, and nuclear crisis. Each scenario includes business implications and 0–90 day priority actions.
Read the full analysis. This report is updated as the situation evolves across the geopolitical, cyber, and influence operations dimensions of this conflict. It will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.
The Latest Updates

Geopolitical Landscape

Iran’s hardliners are driving strategic deadlock, blockade resilience, and Strait closure. Insikt Group assesses Iran’s calculus is very likely shaped by IRGC influence and hardliner dominance: Supreme Leader Khamenei’s April 30 statement frames Iranian control of the Strait of Hormuz as a post-American regional order, chief negotiator Ghalibaf has reportedly resigned after a reprimand for raising nuclear issues in talks, and Iran’s public position has converged on a single precondition — the US must lift its naval blockade before negotiations can resume.
The US blockade has cut Iranian oil exports by ~70% but has not achieved its strategic objectives. Iran faces critical oil storage constraints — Bloomberg reported 22 days or less of unused capacity as of April 27 — yet Insikt Group assesses Iran can very likely survive the current pressure level, and the full financial blow will lag three to four months as ~130 million barrels already loaded before the blockade remain in transit.
Maritime standoff deepens as Iran seizes vessels, lays additional mines, and ceasefire talks stall. Following the US seizure of the Touska, the IRGC seized the MSC Francesca and Epaminondes and fired on a third vessel transiting the Strait; the IRGC reportedly dropped additional mines during the final week of April, and the Pentagon assesses mine-clearing could take up to six months after a formal end to hostilities.

Three Dimensions of the Conflict

In addition to the latest geopolitical, cyber and influence operations updates above, earlier developments in this conflict remain relevant for understanding the current situation.
The Strait of Hormuz: from closure to contested governance. The Strait of Hormuz has shifted from a disruption event to a sustained contest over the waterway’s governance. Iran institutionalized administrative control during the ceasefire period — requiring vessels to coordinate directly with the IRGC Navy, vetting transits individually, collecting fees payable in cryptocurrency or Chinese yuan, and designating the primary Traffic Separation Scheme lanes as a mine-hazard zone.
On April 13, the US enacted a naval blockade of all ships entering or departing Iranian ports while asserting freedom of navigation for vessels transiting to non-Iranian ports. Commercial traffic has been at a near-standstill since: only 14 vessels crossed daily in the days immediately preceding the blockade against a pre-war daily average of 120+. On April 17, Iran’s Foreign Minister briefly declared the Strait “completely open” for commercial vessels, but Iran reversed course within 48 hours following the US seizure of the Touska — declaring the Strait closed until the blockade is lifted and warning that any vessel approaching would be “considered co-operation with the enemy.” Transits have effectively ceased since.
The IRGC reportedly dropped additional mines during the final week of April; the Pentagon assesses mine-clearing alone could take up to six months after any formal cessation of hostilities. Insikt Group assesses that the contest over Strait governance will be the central sticking point in any negotiated resolution. Supreme Leader Khamenei’s April 30 statement framing Iranian control of the Strait as a “post-American regional order” — which Reuters reporting suggests was shaped by IRGC and hardliner influence rather than independent judgment — makes diplomatic stalemate, not imminent breakthrough, the current baseline.
Coalition and regional dynamics. The US blockade has not attracted allied participation: the UK, Spain, and Australia all declined to join, while France and the UK announced a separate multinational defensive mission to secure freedom of navigation. The Israel-Lebanon front remains active: despite the US-mediated ten-day ceasefire announced April 16, a Hezbollah attack on April 18 killed a French UN peacekeeper in southern Lebanon — the first fatality since the ceasefire.
Italy suspended its defense cooperation agreement with Israel on April 14, citing incidents affecting Italian troops in Lebanon, signaling growing fractures in European political support for Israeli operations. IRGC Quds Force Commander Qaani visited Baghdad on April 18; the Institute for the Study of War assessed the visit focused on preparations for renewed conflict and militia coordination. Iraqi Shi’a militias under the Islamic Resistance in Iraq umbrella have continued drone and missile strikes against GCC targets in Bahrain, Kuwait, and Saudi Arabia throughout the ceasefire period; Insikt Group assesses that Iran’s diminished command and control has afforded these groups greater tactical autonomy.
Leadership assassinations. Supreme National Security Council Secretary Ali Larijani and Basij chief Brigadier General Gholamreza Soleimani were both confirmed killed in targeted Israeli strikes on March 16–17. Intelligence Minister Esmaeil Khatib was killed in a separate IDF strike in Tehran on March 18 — he had served since 2021 and was assessed to have led Iranian intelligence’s global terror activities against Israeli and American targets worldwide.
Former National Security Council Secretary Saeed Jalili is reported as the likely interim replacement for Larijani. Insikt Group does not assess that these deaths will lead to near-term regime collapse or substantially diminish Iran’s internal security capacity.

South Pars strike and Gulf energy threat. A US-Israeli coordinated strike on March 18 targeted Iran’s South Pars gas field — the world’s largest, accounting for 70–75% of Iran’s natural gas production.
In response, the IRGC issued explicit threats of retaliatory strikes against Gulf energy facilities, calling on Saudi Arabia, the UAE, and Qatar to evacuate specific sites including Jubail Petrochemical, SAMREF Refinery, Al Hosn Gas Field, Mesaieed Petrochemical Complex, and Ras Laffan Refinery.

First combat use of the GBU-72 A5K. CENTCOM confirmed that March 17 airstrikes on Iranian coastal missile sites near the Strait of Hormuz marked the first combat use of the 5,000-pound GBU-72/B Advanced 5K deep penetrator munition.
Target facilities contained anti-ship cruise missiles used against international shipping.

US internal dissent. On March 17, NCTC Director Joe Kent resigned in protest of US military action against Iran — the first US official to do so publicly. DNI Tulsi Gabbard reaffirmed the administration’s position. No replacement has been named.

Iran’s strategic fork. Two paths remain: pursue a deal with the US that normalizes economic engagement and offers a path to regime survival, or endure the bombing, crack down domestically, export enough oil to China and India to sustain the patronage system, and wait for the geopolitical environment to shift.
The Strait closure and accelerating elimination of senior leadership are rapidly narrowing the window for the second option. That window has narrowed further still: Iran’s oil storage crisis — with as few as 22 days of unused capacity remaining as of late April — materially constrains its ability to sustain the endurance strategy indefinitely. Insikt Group assesses that diplomatic stalemate — not imminent breakthrough — is the current baseline, and that the risk of further escalation remains elevated.
Leadership &amp; Succession

Mojtaba Khamenei, son of the late Supreme Leader Ali Khamenei, has been elected Supreme Leader. His election preserves hardliner continuity and underscores the IRGC's political dominance — they shaped the outcome in favor of their preferred candidate despite reported objections from some clerics. Mojtaba appears to have been wounded in the US-Israeli strikes that killed his father, mother, wife, and one son.
He has not appeared in person since his televised announcement — almost certainly to avoid providing a digital or physical signature that could enable US or Israeli targeting. Any public appearance will be a significant signal of his consolidation of authority and perceived security.

What this means strategically. Mojtaba is neither a credible Islamic scholar nor an experienced administrator — the two traditional prerequisites for the position.
He lacks the authority his father spent two decades consolidating. Iran is effectively being run by committee. Key power brokers now include IRGC chief Vahidi, parliamentary speaker Ghalibaf, and President Pezeshkian. These individuals are realists, even if labeled hardliners, and have a broader range of options than Khamenei Senior ever permitted.

Civil-military tension persists. President Pezeshkian's public apology over strikes on Iran's neighbors drew immediate backlash from hardliners and military leaders — a reflection of the weakness of the elected government relative to the security apparatus.
His stated diplomatic conditions (reparations, international guarantees) now align with Mojtaba Khamenei's public statement, suggesting a coordinated political-diplomatic posture even as civil-military tensions continue beneath the surface.

Regime stability signals. IRGC units have reportedly denied medical aid and supplies to regular army (Artesh) units. Group desertions have been reported, highest among conscripts.
Four Iranian diplomats have applied for asylum in Western countries since early 2026. Israel has begun targeting street-level security checkpoints — a deliberate effort to degrade the regime's suppression infrastructure rather than purely its military capacity. The IRGC has explicitly threatened to deal with any street unrest "with a blow even harsher than that of January 8."

Cyber Threat Landscape

Insikt Group continues to observe a reduction in Iran's more advanced cyber activity since March 1, driven by the internet blackout that has impaired operational tempo and coordination among state-sponsored groups.
That window is narrowing. Treat this period as one in which Iran-aligned operators are regrouping, prioritizing recovery and defense, and setting conditions for future operations — not as a sign of diminished threat.

State-Sponsored Espionage

GreenGolf (MuddyWater / Boggy Serpens) remains the most active Iran-nexus APT since the conflict began, attributed to Iran’s Ministry of Intelligence and Security (MOIS).
Palo Alto Networks reported on March 16 that GreenGolf has expanded its toolset with Rust-based malware variants LampoRAT and BlackBeard, UDP-based backdoors, and AI-assisted development techniques. The shift to Rust likely reflects efforts to evade defenses and achieve longer-term persistence with reduced visibility, particularly against diplomatic organizations and critical infrastructure in the energy, maritime, and finance sectors.
Most recently, Oasis Security documented a GreenGolf-overlapping campaign exploiting five newly disclosed CVEs to target more than 12,000 internet-exposed systems across aviation, energy, infrastructure, and government sectors in the Middle East, resulting in confirmed data exfiltration from an Egyptian aviation organization.

APT34 and Moses Staff C2 infrastructure was degraded in Israeli operations. Insikt Group is actively monitoring for that infrastructure coming back online — when it does, expect these groups to resume operations and potentially act as C2 for other Iranian APTs.
A rise in malicious traffic with Iranian source origination will signal renewed operational tempo.

Conflict-themed phishing campaigns are expanding. Since March 1, Proofpoint has documented six coordinated phishing and espionage campaigns exploiting the conflict as a lure, originating from actors aligned with China, Belarus, Pakistan, Hamas, and Iran. Targets include Middle Eastern governments, European diplomatic organizations, and a US think tank.
Common patterns across all campaigns include conflict-themed lures, compromised government email accounts used for legitimacy, credential harvesting as a primary objective, and geofencing to selectively target victims. Groups observed include UNK_InnerAmbush (China-aligned), TA402/Gaza Hacker Team, UNK_RobotDreams (Pakistan-aligned), UNK_NightOwl, TA473/TAG-70 (Belarus-aligned), and TA453/APT35 (Iran-aligned).
Security and IT teams should treat any conflict-themed email referencing Iran, the Strait of Hormuz, or the strikes as a high-suspicion lure regardless of apparent sender.

OT/ICS Targeting

The joint FBI/CISA/NSA advisory of April 7 confirmed that Iran-linked APT actors have been exploiting internet-exposed programmable logic controllers (PLCs) — including Rockwell Automation and Allen-Bradley devices — to target US government, water, and energy sectors since at least March 2026.
Actors gained initial access by connecting to public-facing PLCs from overseas IP addresses using legitimate engineering software (Rockwell Studio 5000 Logix Designer) to establish trusted sessions, deployed Dropbear SSH over port 22 for C2, and communicated through OT ports including 44818, 2222, 102, and 502. Threat actors manipulated PLC project files and altered HMI and SCADA system data, resulting in operational outages and financial loss.
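The access pattern described above (engineering-protocol sessions reaching a PLC from outside the approved workstation set, plus any SSH involving a controller) can be turned into a simple flow-log rule. The following is an added example written for this report, not code from the advisory or from Recorded Future; the PLC subnet, the approved engineering workstation, the log format, and the sample flows are all constructed, with documentation-range addresses standing in for Internet-routable sources.

```python
import ipaddress
from dataclasses import dataclass

# Constructed OT inventory (hypothetical addresses, not from the advisory).
PLC_NET = ipaddress.ip_network("10.20.0.0/24")           # controller VLAN
ENGINEERING_WS = {ipaddress.ip_address("10.10.5.15")}    # approved Studio 5000 host
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports named in the advisory, with the protocol each normally carries.
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (CIP)",
    2222: "EtherNet/IP implicit I/O",
    102: "ISO-TSAP (Siemens S7 / ICCP)",
    502: "Modbus/TCP",
}
SSH_PORT = 22  # Dropbear SSH was used for C2 in the reported intrusions


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    severity: str
    reason: str


def parse_flow(line):
    """Parse one constructed flow-log line: '<ts> <src_ip> <dst_ip> <dst_port> <proto>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto
    except ValueError:
        return None


def is_external(ip):
    """External means outside RFC 1918 space; doc ranges (TEST-NET) count as external here."""
    return not any(ip in net for net in INTERNAL_NETS)


def assess_flow(line):
    """Return a Finding for a suspicious PLC-related flow, or None."""
    parsed = parse_flow(line)
    if parsed is None:
        return None
    ts, src, dst, port, proto = parsed
    src_is_plc, dst_is_plc = src in PLC_NET, dst in PLC_NET
    if not (src_is_plc or dst_is_plc):
        return None  # not controller traffic; out of scope for this rule
    # Rule 1: controllers should never speak SSH in either direction.
    if port == SSH_PORT:
        return Finding(ts, str(src), str(dst), port, "critical",
                       "SSH session involving a PLC (Dropbear-style C2 pattern)")
    # Rule 2: engineering/OT protocol reaching a PLC from outside the approved set.
    if dst_is_plc and port in OT_PORTS and src not in ENGINEERING_WS and not src_is_plc:
        if is_external(src):
            sev, where = "critical", "Internet-routable source"
        else:
            sev, where = "high", "non-approved internal source"
        return Finding(ts, str(src), str(dst), port, sev, f"{OT_PORTS[port]} from {where}")
    return None


def scan(lines):
    """Run assess_flow over every line and keep the findings, in log order."""
    return [f for f in (assess_flow(line) for line in lines) if f]


# Constructed sample log: one benign engineering session, one external actor
# opening a CIP session then SSH, a PLC calling back out on 22, an internal
# host talking Modbus, PLC-to-PLC I/O, unrelated web traffic, and a bad line.
SAMPLE_LOG = """\
2026-04-02T03:14:07Z 10.10.5.15 10.20.0.11 44818 tcp
2026-04-02T03:15:22Z 203.0.113.77 10.20.0.11 44818 tcp
2026-04-02T03:16:01Z 203.0.113.77 10.20.0.11 22 tcp
2026-04-02T03:18:40Z 10.20.0.11 198.51.100.9 22 tcp
2026-04-02T03:19:10Z 10.30.1.4 10.20.0.12 502 tcp
2026-04-02T03:20:00Z 10.20.0.11 10.20.0.12 2222 udp
2026-04-02T03:21:33Z 192.0.2.5 10.40.0.7 443 tcp
malformed line
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.severity:8} {f.src} -> {f.dst}:{f.port}  {f.reason}")
```

The approved workstation's own Studio 5000 session on 44818 produces nothing, which is the point: the rule keys on who is talking to the controller, not on the protocol alone.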
The advisory noted similarities to earlier CyberAv3ngers campaigns but stopped short of formal attribution. Organizations with internet-exposed OT/ICS devices should treat remediation as a critical-priority action item.

Pro-Iranian Groups

Nasir Security Group, a suspected pro-Iranian threat group, claimed to have breached the Dubai International Airport on its extortion blog website, Nasir Security Blog.
According to the threat group, it has obtained the capability to access classified information within the past months. According to the sample passport photos released, they include citizens of the United Arab Emirates, Indonesia, and the US. Insikt Group cannot verify whether these passport photos are real and related to travelers passing through the Dubai International Airport. This same group targeted Middle East energy infrastructure through supply-chain compromise combined with influence operations, per Resecurity.
This reflects an increasingly integrated approach in which network intrusion and narrative manipulation are executed as complementary operations.

Hacktivist Groups

Handala Hack Team infrastructure was seized by the FBI on March 19. Primary websites handala-hack[.]to and handala-redwanted[.]to are now displaying seizure banners. Two Iranian officials linked to the group were killed in military strikes: Mohammad Mehdi Farhadi Ramin (DOJ-charged in 2020 for cyber theft and defacement) and Seyed Yahya Hosseiny Panjaki, assessed as the government curator of Handala, Homeland Justice, and related hacking groups.
Handala's primary social media profiles have also been suspended. Handala has acknowledged the seizures and declared continued operations, with plans for a new domain. Insikt Group assesses the group will likely continue operating in a distributed structure; coordination may be temporarily degraded but should not be assumed disrupted. Prior to the seizure, Handala's most significant action was a destructive attack against a major US-based medical device manufacturer — a meaningful shift from their historical focus on Israeli targets.
That attack used compromised credentials and abuse of legitimate business software rather than a custom wiper or novel payload. The implication is direct: prioritize identification and remediation of compromised credentials, as the core TTP is credential-based access, not novel exploitation. Researchers have previously connected Handala to Iranian threat clusters Void Manticore and potentially Banished Kitten, suggesting a possible link to Iranian state-sponsored activity.
Insikt Group cannot corroborate that attribution at this time, though it is likely the group serves as a cutout or deniable proxy for Iranian offensive cyber operations.

Cyber Avengers is an Iran-affiliated group that bridges the gap between hacktivists and state-sponsored attackers, acting as a state-directed entity. While presenting as a hacktivist group targeting Israel, they function as an Iranian IRGC-linked unit targeting critical infrastructure (water, energy) using sophisticated methods.
Conquerors Electronic Army operates in a similar hybrid space — blending hacktivism, intrusions, and influence operations — with typical activity including web defacements, DDoS targeting government and critical infrastructure, hack-and-leak operations, and doxing.

Ransomware &amp; Extortionist Activity

Pay2Key ransomware targeted a US healthcare organization in late February 2026 using compromised administrative credentials and living-off-the-land techniques, per Halcyon.
Insikt Group assessed this as state-aligned disruption rather than a financially motivated attack — implying deliberate rather than opportunistic targeting. This follows Handala's earlier destructive attack against a US medical device manufacturer, reinforcing a pattern of Iran-aligned actors pivoting toward US healthcare.

Influence Operations Outside Iran

China is watching — and learning. A Nanjing National Defense Mobilization Office assessment published in late March treated the US-Israel-Iran war as a live case study in cyber-enabled warfare and cognitive operations, arguing China should pre-build a wartime-capable information mobilization system.
The document cited specific examples from this conflict — including Handala activity, broadcast hijacking, deepfakes, and AI-enabled psychological warfare — as evidence that future conflicts are decided as much in cyber and cognitive domains as on the battlefield. Insikt Group assessed the article likely reflects some thinking within China's national defense mobilization system, though not necessarily formal PLA doctrine.
The significance is less about any single document than the pattern it represents: this conflict is actively shaping foreign military thinking on the integration of cyber and cognitive warfare, with implications that extend well beyond the Middle East.

China's reported ceasefire role amplifies its "stabilizing power" narrative. If confirmed, Beijing's role in shaping Iran's acceptance of a ceasefire will very likely be leveraged to reinforce Chinese state messaging contrasting China's diplomatic influence with US military adventurism - building on patterns Insikt Group has already observed in Chinese national defense mobilization assessments of this conflict.
Inside Iran - Background and Context

Iran has shifted away from early reactionary messaging — including tactical battlefield updates — and moved toward overarching threat rhetoric, escalation narratives, and proxy alignment, particularly with Hezbollah, the Houthis, and the Islamic Resistance in Iraq. US and Israeli messaging has remained focused on projecting overwhelming military force and coalition resolve.
Phase assessment: Influence operations are now active across all three phases. Strategic narrative shaping is ongoing. Covert networks have fully pivoted to the conflict. Psychological deterrence operations are underway, with Iran’s April 23–24 unity messaging campaign — in which officials across the political spectrum posted near-identical language denying internal divisions and pledging obedience to the Supreme Leader — a direct, coordinated Phase 3 operation designed to counter President Trump’s public claims that Iran’s leadership is “seriously fractured.”

Three Phases of Iran’s IO Approach

Phase 1 — Strategic Narrative Shaping (Sustained).
Iran has continued shaping narratives down to the tactical battlefield level, capitalizing on the fog of war to inflate perceived military capabilities and complicate damage assessment. Key patterns include unverified claims of civilian casualties, exaggerated reports of US military losses, and viral AI-generated imagery. NewsGuard has identified 53 false claims since the start of Operation Epic Fury, with some posts reaching millions of views.
One AI-generated image related to USS Abraham Lincoln claims reportedly reached over 5 million views before being debunked.

Phase 2 — Covert Network Surge (Active). Known influence operation networks have fully pivoted to the conflict. Coordinated inauthentic behavior is ongoing across social media — sock puppet accounts impersonating journalists and activists amplifying false narratives and attempting to delegitimize US-Israeli strikes.
Storm-2035’s confirmed content pivot and ION-79’s active posting are examples of this phase now fully in motion.

Phase 3 — Psychological Deterrence (Active). This hybrid campaign is now underway, targeting international audiences to shape deterrence perceptions while reinforcing a narrative of regime survivability domestically. Parliament Speaker Ghalibaf’s direct public taunting of US consumers on energy prices following the Islamabad talks’ collapse is one example.
Iran’s vessel seizures and IRGC statements asserting Strait sovereignty have been actively amplified by state-affiliated outlets including Fars News and Tasnim News as a coordinated narrative designed to sustain public support for continued confrontation and limit pressure on the regime to concede. Supreme Leader Khamenei’s April 30 statement framing a “post-American regional order” represents a further Phase 3 escalation, extending the psychological deterrence campaign to international audiences.
Operations Targeting Iranian Domestic Audiences

Insikt Group has also observed influence activity directed at the Iranian population itself: a seizure of Islamic Republic of Iran Broadcasting's live broadcast — notably, the IRIB facility was itself the target of a kinetic strike — with messaging focused on defections and targeting supporters of Mojtaba Khamenei. Precision message delivery within Iran via a popular mobile application has also been observed, with messaging along the lines of "help has arrived" and calls to resist the regime.
Active Threat Networks

Storm-2035 (ION-24) remains one of the most prolific Iranian IO networks, previously active in 2024 targeting US elections. As of late March, a fresh deliberate content pivot was confirmed — the network is now focused specifically on exaggerating Iranian military capabilities and complicating battlefield damage assessment. Claims observed include unverified reports of shooting down a US MQ-9 Reaper drone and inflated US casualty figures from strikes on US bases.
ION-79, affiliated with the IRGC Basij and previously tracked producing counter-protest narratives during Iran's nationwide protests, has inauthentic accounts actively producing content tied to the current conflict.

Operation Overload. Monitor for Russian influence operation activity impersonating legitimate entities in France and Germany under cover of the Middle East conflict. Other nation-state actors are actively exploiting this conflict to advance separate geopolitical interests.
ION-82’s physical threat recruitment via Telegram bots continues, openly offering financial compensation for physical threat activities targeting US and Israeli interests across channels in the US, Australia, New Zealand, and other countries. Intent levels following Khamenei's death are assessed as likely unprecedented.

Expert Assessment: What Happens Next

Based on analysis from Dr. Christopher Ahlberg’s conversation with former MI6 Director Sir Alex Younger on 9 March.
Listen to the full webinar recording here.

Three scenarios are in play — not mutually exclusive, and each with distinct implications for organizations managing risk.

Scenario 1 — Bomb, Declare Victory, and Leave

The US achieves air supremacy, conducts a sustained campaign of precision strikes against remaining target sets, forces the Strait of Hormuz open using naval power, and exits. CENTCOM has confirmed the Iranian Navy is now "combat ineffective," and the US has struck over 5,000 targets inside Iran — including 60 ships — while actively targeting Iran's defense industrial base.
The suppressive effect on Iranian will and capacity should not be underestimated, particularly once B-52s can operate over Iran with impunity. Trump has reportedly given Israel roughly a week to bring down the regime. This scenario has a faster resolution timeline but risks leaving unresolved instability. Resilience question: What is the operational and financial impact of a 30- to 60-day Strait closure across our critical dependencies?
Scenario 2 — A “Venezuela-Style” Deal

This is assessed as the scenario Trump is most actively angling for. Iran's new leadership — cornered economically, facing military degradation, and aware that 80% of government revenue derives from hydrocarbons now at risk — has strong incentives to negotiate. Pezeshkian's public apology, the IRGC's repudiation of it, and Trump's calls for unconditional surrender may be the opening moves of a negotiation rather than signs of irreconcilable positions.
Any deal would almost certainly require zero enrichment and the transfer of Iran's 400-plus kilograms of highly enriched uranium. Resilience question: If a deal emerges within weeks, how does your organization's risk posture need to shift — and are your stakeholders prepared for rapid de-escalation as well as escalation?

Scenario 3 — Revolution or Fragmentation

US intelligence and Israeli officials assessed as of March 12 that the regime is not at risk of imminent collapse and maintains domestic control.
That said, early friction signals are emerging: IRGC units are reportedly denying aid to regular army units, group desertions are being reported at the conscript level, and four Iranian diplomats have applied for asylum in Western countries since early 2026. Israel has begun targeting street-level security checkpoints — a deliberate effort to degrade suppression infrastructure rather than just military capacity.
Revolutions always appear unthinkable before they happen and inevitable afterward. This remains the highest-uncertainty, highest-consequence scenario. Resilience question: Are we prepared for high-impact, low-probability incidents such as sudden infrastructure disruption, terrorist violence, or regional fragmentation affecting operations across Iraq, the Gulf, and beyond?

How Recorded Future Can Help

Following standard operating procedure for high-priority global events, the Insikt Group published same-day flash analysis on both the kinetic strikes and the emerging cyber threat landscape.
Upon log-in, customers are directed to resources within the platform via an updated Middle East Resource Center, which includes pre-built queries and alerts to complement Insikt Group finished intelligence — covering suggested threat actors to track, generative AI prompts for continually generating situation reports, and specific recommended actions across cyber, threat actor, and tactical hunting dimensions.
Customers have immediate access to:

- Resource Center: Iran War Middle East Regional Conflict Intelligence Kits
- Threat Maps: automatically updated based on the latest cyber attacks and targets, including relevant hacktivist groups
- Threat Actor Profiles: for IRGC-affiliated APT groups including GreenGolf (APT42), Green Golf, Cotton Sandstorm, and others — covering TTPs, known infrastructure, and recent victim activity
- Recorded Future AI: generate a daily situation report filtered to Insikt Group research across geopolitical, cyber, and influence operations tracks
- New Threat Leads: involving Iranian nation-state groups, with hunting packages to help identify associated network activity in your SIEM
- Identity Intelligence: monitor for compromised employee credentials in malware logs; integrate with Okta or Microsoft for automated password resets

To provide extra support to customers in the region, Recorded Future's support team automatically enabled Geopolitical Intelligence access on February 28.
Other customers interested in a free Geopolitical Intelligence trial should contact their account team.

Stay informed

To learn how Recorded Future can give your team the intelligence to stay ahead of this and future geopolitical crises, contact us to speak with one of our threat intelligence experts. Explore top use cases by visiting our demo center.