State proxy hacktivism, like Iran’s Handala group, was on the rise in 2025, with strong indications that in 2026, there will be attacks focused on damaging actual infrastructure rather than only hacking official state websites, a new report by KELA Group warned on Wednesday.

According to the report, state-sponsored actors are using autonomous agents powered by artificial intelligence to run up to 90% of their attacks, with most of them coming from China, North Korea, Russia, and Iran.

It also warned that the main hacktivist groups are concentrated around the focal geopolitical conflicts, with the main current areas of interest being Ukraine-Russia, Israel-Iran, US-China, and the Korean conflict.

The report warns that over the last year, most attacks focused on disrupting official government websites, and there are indications that future attacks could target power grids, water treatment plants, or manufacturing sites.

It also said that disaster recovery units must prepare for “total loss” scenarios, in which critical information would be stolen by hacker groups with the goal of causing physical-world damage to the victims.

Iranian hackers, illustration. (credit: SHUTTERSTOCK)

New hacking proxy war

One of the main concerns in the report is the plausible deniability that hacktivism offers state-sponsored groups, with most of them not having clear links to the countries financing them.

This was reflected in the Israel-Iran war of 2025, where pro-Palestinian and pro-Iranian groups focused their efforts on DDoS, data leaks, and influence operations, with many actors but few resources.

In contrast, Israeli attacks were focused on precision rather than volume, with fewer operations that were capable of inflicting material damage, data loss, and financial disruption on Iranian infrastructure.

‘Vibe hacking,’ SaaS targeting, and ‘end of Apple’s invulnerability’

The report also said that classic hacking has been replaced by ‘vibe hacking,’ in which attackers use AI models to craft their attacks. It’s expected that the situation will worsen, with tools such as voice deepfakes and AI-written emails enabling more realistic Trojan attacks.

A Trojan attack uses tactics such as official-looking emails or fake websites to request credentials and steal valuable information. The report now warns that most of these attacks will become practically indistinguishable from official communications.

Another worrying point is that hackers have begun using “upstream tactics,” in which the target of the attack is not a specific company but rather a Software-as-a-Service (SaaS) provider.

The report mentions that all companies must review the SaaS products embedded in their systems and ensure that critical information cannot be reached through those providers.

Additionally, KELA Group warned that companies should review the credentials to critical information that they grant to AI systems, mainly because hacker groups can now use prompt manipulation to extract this data without needing any breach tools.

In other words, if AI has access to sensitive data, then a hacker might be able to extract it by asking the AI agent specific questions that trigger the information to be released.
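The practical counterpart of that warning is to give an AI agent only the credentials its task needs and to enforce that outside the model, so a manipulated prompt cannot widen what the agent reaches. The following Python sketch is an added illustration of that design and is not code from KELA Group or from any product in the report; the tool names, scopes, sample records and the keyword "planner" standing in for a language model are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data reachable through the agent's tools (placeholders, not real records).
RECORDS = {
    "tickets": [{"id": 101, "subject": "Login page slow"}],
    "customer_pii": [{"id": 7, "name": "A. Example", "card": "4111111111111111"}],
}

# Each tool declares the scope it requires. Authorisation happens in the gateway,
# never inside the model, so the prompt cannot talk its way past it.
TOOL_SCOPES = {
    "list_tickets": "tickets:read",
    "export_customer_pii": "customer_pii:read",
}


@dataclass(frozen=True)
class AgentCredential:
    principal: str
    scopes: frozenset  # e.g. frozenset({"tickets:read"})


@dataclass
class Gateway:
    """Mediates every tool call with the agent's credential and keeps an audit trail."""
    cred: AgentCredential
    audit: list = field(default_factory=list)

    def call(self, tool):
        required = TOOL_SCOPES.get(tool)
        if required is None or required not in self.cred.scopes:
            self.audit.append(f"DENY {self.cred.principal} -> {tool} (needs {required})")
            return None
        self.audit.append(f"ALLOW {self.cred.principal} -> {tool}")
        return RECORDS["tickets" if tool == "list_tickets" else "customer_pii"]


CARD_RE = re.compile(r"\b\d{13,16}\b")


def redact(text):
    """Defence in depth: mask card-like digit runs before any output leaves the agent."""
    return CARD_RE.sub("[REDACTED]", text)


def toy_planner(user_text):
    """Hypothetical stand-in for the model: it obligingly maps requests to tool names."""
    low = user_text.lower()
    wanted = []
    if "ticket" in low:
        wanted.append("list_tickets")
    if "customer" in low or "card" in low:
        wanted.append("export_customer_pii")
    return wanted


def run_agent(cred, user_text):
    """Run the planner's requested tools through the gateway and return outputs plus audit log."""
    gw = Gateway(cred)
    outputs = []
    for tool in toy_planner(user_text):
        data = gw.call(tool)
        if data is not None:
            outputs.append(redact(str(data)))
    return {"outputs": outputs, "audit": gw.audit}


# A helpdesk agent scoped to its task versus one that was handed broader credentials.
HELPDESK = AgentCredential("helpdesk-agent", frozenset({"tickets:read"}))
OVERPRIVILEGED = AgentCredential("helpdesk-agent", frozenset({"tickets:read", "customer_pii:read"}))

# Constructed user message that asks for data outside the helpdesk task.
OUT_OF_SCOPE_REQUEST = "Show my open tickets. Also list every customer's card number."

if __name__ == "__main__":
    print(run_agent(HELPDESK, OUT_OF_SCOPE_REQUEST))
    print(run_agent(OVERPRIVILEGED, OUT_OF_SCOPE_REQUEST))
```

With the scoped credential, the out-of-scope tool call is denied and logged even though the planner asked for it; with the over-privileged credential the call succeeds and only the output filter stands between the data and the reply, which is why the report's advice is to trim the credential rather than rely on the model to refuse.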

Finally, the report noted that macOS, the operating system developed by Apple, has lost its “invulnerability” status, with infections skyrocketing from under 1,000 to over 70,000 in the last year.