APT Activation, Pre-Positioning, Retaliatory TTPs, and Other Escalation Tactics Explained 

As Operation Epic Fury unfolds, the battlefield has extended well beyond kinetic strikes. Iran’s near-total Internet blackout is only the most visible layer of a much broader hybrid conflict. Beneath the disruption, a coordinated activation of Iranian-state sponsored cyber operators is underway.

This is not a single destructive event; it is a structured escalation model, blending espionage, access development, disruption, and influence operations.

In this 45-minute threat intelligence briefing, Ziv Mador, VP Security Research, breaks down what LevelBlue SpiderLabs has observed, how we have elevated monitoring for clients in recent days, and what detection and response priorities security leaders should implement now. In this session, you’ll learn:

• How Iranian threat actors MuddyWater, Charming Kitten, OilRig, APT33, and affiliated operators are evolving their tradecraft
• The core TTPs driving escalation: credential theft, cloud abuse, supply chain compromise, custom malware, wiper staging, and OT targeting
• Early retaliation signals, from reconnaissance and DDoS to destructive pre-positioning
• How to align SOC detection with the intrusion-to-disruption lifecycle
• Which critical infrastructure sectors are most at risk and why

Speaker:

• Ziv Mador, VP Security Research 

📅 Thursday, March 5, 2026 | 10:00am CST

Epic Fury Decoded: Iran's Cyber Escalation Playbook - APT Activation,
Pre-Positioning, and Retaliatory TTPs