SECURITYWEEK reports that Iran had already built cyberattack capabilities for a potential response before the Epic Fury strikes, with a six‑month buildup of Iran‑linked infrastructure including US‑based shell companies.
A study by Augur Security tracks increased activity across MOIS and IRGC‑affiliated groups prior to Epic Fury, describing a multi‑tier infrastructure starting from Sefroyek Pardaz Engineering in Tehran, then bulletproof hosting via Moldovan‑based ALEXHOST and Wyoming‑based RouterHosting LLC, and additional shell companies such as Cloudblast and UltaHost (registered in the US with a UK subsidiary). ICANN issued a formal notice against UltaHost Inc on 5 February 2025, flagged as a red flag.
Augur notes a rapid expansion of hacktivist activity after the February 28, 2026 US/Israeli strikes, with an Electronic Operations Room established within 24 hours to coordinate around 60 or more hacktivist groups, including Cyber Fattah, Fatimiyoun Cyber Team, Handala, and Cotton Sandstorm collectives targeting Israeli, US government, financial and critical infrastructure targets.
The report also highlights pre‑operational activity by groups such as MuddyWater and references attacks linked to Stryker, illustrating that kinetic action did not halt Iran’s cyber operational capacity.