
Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility

Bluesky suffered a 24-hour DDoS attack that caused outages. A pro-Iran hacker group claimed responsibility for the disruption.

Bluesky experienced a sophisticated DDoS attack that disrupted its services for about 24 hours, starting on April 15.

Bluesky is a decentralized, open-source microblogging social media platform similar to X (formerly Twitter). It allows users to post short messages (up to 300 characters), images, and videos while providing more control over algorithms, data, and moderation.

The attack disrupted feeds, notifications, threads, and search, causing intermittent outages. A pro-Iran hacker group, called 313 Team (aka “Islamic Cyber Resistance in Iraq”), claimed responsibility, highlighting growing threats against social media platforms and the impact of coordinated disruption campaigns.

“Our team received a report of intermittent app outages at about 11:40pm PDT on April 15, 2026. They worked through the night to mitigate a sophisticated Distributed Denial-of-Service (DDoS) attack, which intensified throughout the day.” Bluesky announced. “We have not seen any evidence of unauthorized access to private user data.”

The company found no signs of data breaches and confirmed it limited the impact of the attack and avoided prolonged outages.

313 Team is a pro-Iran hacktivist group tied to politically driven cyber activity like DDoS attacks, defacements, phishing, and data-leak claims. It targets public services, government and symbolic platforms to create disruption and amplify geopolitical tensions. Analysts link it to the broader Iran-aligned ecosystem, sometimes close to state interests. However, the group often exaggerates its impact, so claims should be treated with caution.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Islamic Cyber Resistance in Iraq)

Tracing Tomahawks: US Missiles Bound for Iran Spotted Over Iraq


Bellingcat has geolocated footage of multiple Tomahawk cruise missiles travelling through Iraqi airspace towards Iran, either in violation of its airspace or with Iraq’s consent.

Bellingcat identified at least 20 individual cruise missiles and geolocated them over Iraqi Kurdistan including alongside Mount Piramagrun, in the Zagros Mountain range, and approximately 50 km southeast of the city of Kirkuk.

Modern Tomahawks can travel up to 1600 km, and are used for precision strikes. At the start of the war, the US had a carrier strike group in the Mediterranean and the Arabian Sea, as well as some independently deployed destroyers.

The US is the only participant in the war known to possess Tomahawks, which can be launched by ships or submarines. US President Donald Trump said at a press conference on Monday that Iran “also has some Tomahawks”. Official government reports on Iran’s military balance don’t support this claim.

Considering the distance of US vessels to the geolocated missiles, the missiles seen in the videos were most likely fired from the Mediterranean Sea, Sam Lair, a research associate at the James Martin Center for Nonproliferation Studies, told Bellingcat.

Red Sea launches would be pushing the maximum range, and US Navy ships were not known to have been in the Persian Gulf at the start of the war, Lair said.

Brian Finucane, a senior adviser with the US Program at the International Crisis Group, told Bellingcat that without the consent of Iraq and Syria, the intrusion of Tomahawk missiles into their airspace “would violate its sovereignty and international law”. 

We asked the US State Department and Department of Defense, as well as the foreign ministries of Iraq and Syria, if the US had an agreement with Iraq or Syria to utilise their airspace for cruise missiles targeting a third country. The Department of Defense told Bellingcat they “had nothing to provide” while neither the Iraqi nor Syrian ministry had responded at the time of publication.

On Tuesday, Iraqi Prime Minister Mohammed Shia al-Sudani spoke with US Secretary of State Marco Rubio and stressed that Iraqi airspace and territory should not be used for any military action targeting neighbouring countries, the prime minister’s media office said.

Bellingcat geolocated at least eight videos showing Tomahawk missiles over Iraq. The videos show at least 20 individual Tomahawk missiles, based on the longest uninterrupted video we reviewed.

The below graphic shows all Tomahawk missiles Bellingcat has geolocated, which includes additional missiles identified outside of Iraq.


Interactive map showing the approximate locations of US carrier groups in the region at the start of the war, with a 1600 km range, in relation to Tomahawks geolocated by Bellingcat. We included a possible Red Sea launch point for visualisation, reference and comparison purposes only. The white arrows indicate the location of Tomahawk sightings. Their respective directions of travel are shown by default. All coordinates and directions shown are approximate. Source: Logan Williams/Bellingcat.

These missiles don’t always make it to their intended target. In addition to footage of the airborne missiles, Bellingcat also identified remnants of a Tomahawk missile that had crashed outside Kafr Zita in northwest Syria.

Unexploded WDU-36/B warhead of a Tomahawk missile, outside Kafr Zita, Syria. Source: Qalaat Al Mudiq.

Missiles Fired From the Sea

On the first day of the war, Feb 28, the US Central Command (CENTCOM) published footage of Tomahawk missiles being fired from the sea. Later, on March 1, CENTCOM released additional video of the USS Thomas Hudner (DDG-116) firing a Tomahawk missile while operating in the Eastern Mediterranean Sea.

According to a Center for Strategic and International Studies (CSIS) analysis, more than 160 Tomahawk missiles may have been used in the first 100 hours of the war, and “they would have been used to destroy Iranian air defenses and other counter-air capabilities and create permissive conditions for follow-on attacks”.

Arleigh Burke-class guided-missile destroyer USS Thomas Hudner (DDG 116) fires Tomahawk land attack missiles in support of Operation Epic Fury, Mar. 1, 2026. (U.S. Navy video)

Tomahawk Flights Through Iraqi Airspace

The footage analysed by Bellingcat showing cruise missiles travelling over land is consistent with the typical flight profile of Tomahawks, which cruise at low altitude along pre-programmed routes toward distant targets. 


According to the US Navy, “Tomahawk cruise missiles are designed to fly at extremely low altitudes at high subsonic speeds, and are piloted over an evasive route by several mission tailored guidance systems.”

This explains why they are sometimes filmed by civilians during transit. Similar sightings have previously been recorded during US conflicts in the Middle East. 

Bellingcat analysed terrain features and solar data in the footage and confirmed the location and approximate direction of travel of the Tomahawk missiles. We found that they followed the terrain closely, and appeared to follow two different valleys near the Iraq-Iran border.

The Zagros mountain range stretches across much of Iran as well as northern Iraq. The mountains of this valley would provide details for the Tomahawks’ terrain matching guidance, and hide them from Iranian radar detection.


Interactive map showing the locations of Tomahawk sightings. The missiles were travelling through Iraqi airspace towards Iran in valleys near the Iraq-Iran border, and near Kirkuk. The respective directions of travel are shown (white arrows). All coordinates and directions shown are approximate. Source: Logan Williams/Bellingcat.

Other Geolocated Footage 

In a video filmed in Tehran and posted on the first day of the war, six Tomahawk missiles can be seen flying over the Qurkhane Bus Terminal in Tehran, as an anti-aircraft gun on a nearby building fires at them. Other gunfire can be heard in the distance.

A Tomahawk flying over the area near Qurkhane Bus Terminal in Tehran, as an anti-aircraft gun on a nearby roof fires at it. Source: Vahid Online.

Bellingcat previously geolocated a Tomahawk strike in Manib, Iran, near a school where 175 people, including children, were reported to have been killed.

A final video analysed by Bellingcat, posted on March 3, shows 13 Tomahawk missiles flying past a commercial ship in the direction of Iran, the M/V MAERSK BOSTON, while it was off the coast of Oman, according to solar, visual and Marine Traffic data.

A Tomahawk flying past the MV MAERSK BOSTON off the coast of Oman. Source: Warren Wright Olanda.

New Tomahawk Variants

Since the beginning of the war, two new variants of Tomahawk missiles have been observed.

Typical Tomahawk configuration, with wings slightly angled towards the rear. Left: View of the bottom of a Tomahawk as it dives towards its target during a test. Right: View of the top of a Tomahawk as it dives during a test. Sources: Commonwealth of Australia, Department of Defence.

One Tomahawk variant, seen publicly for the first time, is distinguished by its visible black body, believed to be a stealth coating. Other missiles appear to have wings angled forwards, a modification designed to make them harder to detect by radar, according to an analysis by The War Zone.

Tomahawk missile with forward swept wings. Source: Channel8.

Clobbering

Sam Lair, a research associate at the James Martin Center for Nonproliferation Studies, told Bellingcat that Tomahawks have GPS guidance and use terrain matching to determine their location. When there is an error in guidance, some missiles can “clobber” and hit the ground.

The US stopped firing Tomahawk missiles over Saudi Arabia during the 2003 Iraq War after some crashed in the country while attempting to strike targets. About ten Tomahawk missiles crashed during that war, with some landing in Iran and Turkey as well.


Bellingcat’s Logan Williams and Felix Matteo Lommerse contributed research to this article. Livio Spani, Anisa Shabir, Afton Briones, Mathis Noizet, and Nicole Kiess from Bellingcat’s Volunteer Community also contributed to this piece.


The post Tracing Tomahawks: US Missiles Bound for Iran Spotted Over Iraq appeared first on bellingcat.

Iran-nexus APT Dust Specter targets Iraq officials with new malware

A campaign by Iran-linked group Dust Specter is targeting Iraqi officials with phishing emails delivering new malware families.

Zscaler ThreatLabz researchers linked the Iran-nexus group Dust Specter to a campaign targeting Iraqi government officials. Threat actors impersonated the country’s Ministry of Foreign Affairs in phishing messages that delivered previously unseen malware, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM, through multiple infection chains.

“In January 2026, Zscaler ThreatLabz observed activity by a suspected Iran-nexus threat actor targeting government officials in Iraq.” reads the report published by Zscaler. “Due to significant overlap in tools, techniques, and procedures (TTPs), as well as victimology, between this campaign and activity associated with Iran-nexus APT groups, ThreatLabz assesses with medium-to-high confidence that an Iran-nexus threat actor conducted this operation. ThreatLabz tracks this group internally as Dust Specter.”

The researchers analyzed two attack chains used in the Dust Specter campaign targeting Iraqi officials.

Attack Chain 1 begins with a password-protected archive containing a dropper named SPLITDROP, disguised as a WinRAR application. Once executed, it decrypts and deploys two modules: TWINTASK, a worker component that executes PowerShell commands from a local file, and TWINTALK, a command-and-control (C2) orchestrator.

“Attack Chain 1 is delivered in a password-protected RAR archive named mofa-Network-code.rar. The password for this archive is: 92,110-135_118-128. A 32-bit .NET binary, disguised as a WinRAR application, is present inside this archive and starts the attack chain on the endpoint.” continues the report. “This binary functions as a dropper and ThreatLabz named it SPLITDROP because it drops two modules that we named TWINTASK and TWINTALK.”

The malware establishes persistence through registry keys and uses DLL sideloading with legitimate software such as VLC and WingetUI. TWINTALK communicates with the C2 server using randomized delays, custom URI paths, and JWT tokens to evade detection. Commands allow attackers to execute scripts, upload files, or download additional payloads.
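One way to hunt for the DLL sideloading described above, as an added example that is not from the Zscaler report or the original article: it checks image-load records for the two host programs the article names. The event fields, trusted install roots, file paths and DLL names are assumptions constructed for illustration.

```python
import ntpath

# Host executables the article names as sideloading carriers (lower-cased).
WATCHED_HOSTS = {"vlc.exe", "wingetui.exe"}
# Assumption: where these programs are normally installed; adjust per environment.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed image-load records (process image, loaded module, signature flag).
# Paths and DLL names are invented for this example, not taken from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "signed": True},
    {"image": r"C:\Users\a.user\AppData\Local\Temp\pkg\vlc.exe",
     "loaded": r"C:\Users\a.user\AppData\Local\Temp\pkg\libvlc.dll", "signed": False},
    {"image": r"C:\ProgramData\Tools\WingetUI.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"image": r"C:\ProgramData\Tools\WingetUI.exe",
     "loaded": r"C:\ProgramData\Tools\helper.dll", "signed": False},
    {"image": r"C:\Users\a.user\Downloads\notes.exe",
     "loaded": r"C:\Users\a.user\Downloads\x.dll", "signed": False},
]

def sideload_reasons(event):
    """Return the reasons an image-load event looks like DLL sideloading."""
    image, loaded = event["image"].lower(), event["loaded"].lower()
    if ntpath.basename(image) not in WATCHED_HOSTS:
        return []  # only the host programs named in the article are checked
    reasons = []
    if not image.startswith(TRUSTED_ROOTS):
        reasons.append("host binary runs outside its install directory")
    same_dir = ntpath.dirname(loaded) == ntpath.dirname(image)
    if same_dir and not event["signed"]:
        reasons.append("unsigned DLL loaded from the host binary's folder")
    return reasons

def hunt(events):
    """Return (image, loaded, reasons) for every suspicious event."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev["image"], ev["loaded"], reasons))
    return hits

if __name__ == "__main__":
    for image, loaded, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}: {'; '.join(reasons)}")
```
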

Attack Chain 2, called GHOSTFORM, consolidates the same functionality into a single binary that executes commands directly in memory, reducing filesystem traces. It also opens a fake Google Form posing as a survey from Iraq’s Ministry of Foreign Affairs to lure victims. The malware employs stealth techniques such as invisible Windows forms for delayed execution and mutex checks to avoid multiple instances.

ThreatLabz found indicators that generative AI may have been used to develop the TWINTALK and GHOSTFORM malware. During code analysis, researchers identified unusual elements such as emojis and Unicode text embedded in functions. They also observed placeholder values—like the seed 0xABCDEF—often associated with AI-generated code, suggesting automated tools may have assisted in malware development.

The campaign also used a ClickFix lure disguised as a Cisco Webex meeting page to trick victims into running malicious PowerShell commands that download and schedule malware execution.

“ThreatLabz found that the TWINTALK C2 domain, meetingapp[.]site, was also used by Dust Specter in July 2025 to host a web page disguised as a Cisco Webex meeting invitation.” states the report. “The web page included a link to download the legitimate Cisco Webex software and prompted the victim to choose the “Webex for Government” option. The web page also lures the victim into following the instructions shown in the figure below to retrieve the meeting ID.”

ThreatLabz attributes the activity to Dust Specter, an Iran-linked threat actor, citing targeting patterns, malware design, and tactics consistent with previous Iranian cyber-espionage operations.

“This campaign, attributed with medium-to-high confidence to Dust Specter, likely targeted government officials using convincing social engineering lures impersonating Iraq’s Ministry of Foreign Affairs. ThreatLabz identified previously undocumented lightweight custom .NET-based droppers and backdoors used in this operation.” concludes the report. “The activity also reflects broader trends, including ClickFix-style techniques and the growing use of generative AI for malware development.”


Pierluigi Paganini

(SecurityAffairs – hacking, Iran)
