The Iran Cyber Threat Machine Isn’t Slowing Down — Here’s What CISOs Need to Know Now

Anomali Threat Research

Published on

April 2, 2026

Table of Contents

Threat Assessment Level: ELEVATED The assessment level remains ELEVATED, unchanged from the prior cycle. While no single event this cycle triggered an escalation to CRITICAL, the sustained operational tempo of Iranian cyber actors — combined with three new critical-severity vulnerabilities under active exploitation — demands continued heightened vigilance. The prior cycle’s CRITICAL assessment (1 April 2026) was driven by the Handala/FBI Director breach; those events remain valid context, but today’s intelligence reflects sustained pressure rather than a new escalation trigger. <h2>Introduction                               </h2> Thirty-three days into the Iran-Israel cyber conflict’s current escalation phase, Iranian state and proxy cyber operations show zero signs of de-escalation. New actor groups are emerging, ransomware is being reframed as a weapon of war rather than a profit tool, and a CVSS 10.0 vulnerability in React Server Components is being exploited at industrial scale — 766 hosts compromised in 24 hours. If your organization runs Next.js applications, Ivanti Endpoint Manager Mobile, or BeyondTrust Remote Support, this report requires your immediate attention. If you operate in defense, energy, government, healthcare, or financial services, the threat actors discussed here have named your sector as a target. This isn’t a theoretical exercise. The infrastructure is live. The actors are active. The vulnerabilities are being exploited right now. <h2>What Changed                             </h2> Since our last assessment on 1 April 2026, seven developments have reshaped the operational picture: <ol> <li>A new Iranian-aligned threat group, APTIran, surfaced — claiming compromise of Israeli government ministries, hospitals, universities, and financial institutions, with 350,000+ leaked credentials and ~300 internal databases. Most significantly, they claim deployment of ALPHV and LockBit ransomware as weapons of retaliation, not for profit.</li> <li>Cyber Islamic Resistance emerged as a named actor — an Iran-aligned hacktivist collective claiming access to industrial control systems and OT environments, adding another group to the growing roster of Iranian proxy cyber operators.</li> <li>CVE-2025-55182 (React2Shell) is under mass automated exploitation — Cisco Talos disclosed that actor UAT-10608 weaponized this CVSS 10.0 pre-authentication RCE in React Server Components, compromising 766 hosts within 24 hours using a fully automated credential harvesting pipeline. Talos’s 2025 Year in Review calls it “the most targeted vulnerability” in its class, with exploitation “likely fuelled by AI.”</li> <li>AdaptixC2 infrastructure on Iranian ASNs expanded — a new command-and-control node at 45.147.77[.]210 (ASN 51889, Tehran) was confirmed, joining three previously tracked nodes. This open-source C2 framework has replaced Cobalt Strike as the tool of choice for Iranian state actors seeking to evade commercial EDR detection.</li> <li>Three critical ICS advisories landed — affecting PX4 drone autopilot systems (MAVLink RCE), WAGO industrial managed switches (CLI escape), and PTC Windchill PLM (RCE in defense manufacturing software).</li> <li>UNC1860/ShroudedSnooper has gone operationally silent — last updated in threat databases on 25 March 2026, this stealthy telecom and energy backdoor operator’s silence is consistent with deep-cover pre-positioning rather than stand-down, and warrants active hunting in affected sectors.</li> </ol> <h2>Conflict & Threat Timeline           </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 4 Feb 2026 </td> <td> AdaptixC2 node 213.177.179[.]31 first observed </td> <td> Iranian state actors begin standing up open-source C2 infrastructure ahead of conflict escalation </td> </tr> <tr> <td> 28 Feb 2026 </td> <td> Current escalation phase begins </td> <td> Marks the start of the sustained Iranian cyber offensive tempo </td> </tr> <tr> <td> 28 Feb 2026 </td> <td> AdaptixC2 node 62.60.131[.]49 first observed </td> <td> Second Iranian C2 node confirms deliberate infrastructure build-out </td> </tr> <tr> <td> 24 Mar 2026 </td> <td> APTIran and Cyber Islamic Resistance actor profiles created </td> <td> Google Threat Intelligence documents two new Iran-aligned groups </td> </tr> <tr> <td> 25 Mar 2026 </td> <td> UNC1860 / ShroudedSnooper last updated in threat databases </td> <td> Stealthy telecom/energy backdoor operator goes silent — possible deep-cover operations </td> </tr> <tr> <td> 27 Mar 2026 </td> <td> Handala Hack Team breaches FBI Director’s personal Gmail </td> <td> IRGC-affiliated actors demonstrate high-value target access </td> </tr> <tr> <td> 31 Mar 2026 </td> <td> TWOSTROKE campaign expands to Azerbaijan and Turkey </td> <td> MOIS-suspected espionage actors broaden geographic targeting </td> </tr> <tr> <td> 31 Mar 2026 </td> <td> CISA publishes ICS advisories for PX4, WAGO, PTC Windchill </td> <td> New attack surface in drone systems, industrial switches, and defense PLM </td> </tr> <tr> <td> 2 Apr 2026 </td> <td> Cisco Talos discloses UAT-10608 / React2Shell mass exploitation </td> <td> 766 hosts compromised in 24 hours via CVE-2025-55182 (CVSS 10.0) </td> </tr> <tr> <td> 2 Apr 2026 </td> <td> AdaptixC2 node 45.147.77[.]210 confirmed on Iranian ASN </td> <td> Fourth C2 node expands Iranian offensive infrastructure </td> </tr> </tbody> </table> <h2>Key Threat Analysis                      </h2> <h3>Iranian State C2 Infrastructure: AdaptixC2 Replaces Cobalt Strike</h3> Iranian state-sponsored actors affiliated with MOIS (MuddyWater/UNC3313/UNC5667, OilRig/APT34) have systematically migrated from Cobalt Strike to AdaptixC2, an open-source command-and-control framework. Four confirmed nodes are now operational: <table> <thead> <tr> <th> IP Address </th> <th> ASN </th> <th> Location </th> <th> Confidence </th> <th> Port(s) </th> </tr> </thead> <tbody> <tr> <td> 45.147.77[.]210 </td> <td> 51889 (Gostaresh Pardazesh) </td> <td> Tehran, IR </td> <td> 93 </td> <td> — </td> </tr> <tr> <td> 62.60.131[.]49 </td> <td> 208137 (Feo Prest) </td> <td> Tehran, IR </td> <td> 86 </td> <td> — </td> </tr> <tr> <td> 213.177.179[.]31 </td> <td> WIS Telecom </td> <td> Tehran, IR </td> <td> 88 </td> <td> — </td> </tr> <tr> <td> 83.142.209[.]11 </td> <td> 205759 (Ghosty Networks) </td> <td> Netherlands </td> <td> 98 </td> <td> 2222 </td> </tr> </tbody> </table> The Dutch relay node on port 2222 provides a European egress point, making geographic IP blocking insufficient. This infrastructure likely supports multiple Iranian actor groups simultaneously and represents a deliberate effort to evade signature-based detection tuned for Cobalt Strike beacons. Why this matters: If your EDR is optimized for Cobalt Strike detection but lacks signatures for AdaptixC2, you have a blind spot that Iranian state actors are actively exploiting. <h3>Ransomware as a Weapon: APTIran’s Doctrinal Shift</h3> APTIran’s claimed deployment of ALPHV (BlackCat) and LockBit ransomware against Israeli critical infrastructure represents a significant doctrinal evolution. Previously, Iranian actors’ use of ransomware-as-a-service (RaaS) platforms was assessed as primarily revenue-motivated — state operators moonlighting for personal profit. APTIran explicitly frames ransomware as a retaliatory weapon, deployed for destruction and coercion rather than financial gain. This convergence of state-sponsored operations with criminal ransomware tooling creates attribution challenges and raises the stakes: ransomware incidents against organizations in the Iran-Israel conflict orbit may now carry geopolitical motivations that change the incident response calculus entirely. The group also claims exfiltration of 350,000+ Israeli government credentials and ~300 internal databases — a scale of credential compromise that, if validated, would represent one of the largest state-directed credential harvesting operations in the conflict. <h3>React2Shell: A CVSS 10.0 Vulnerability Exploited at Machine Speed</h3> CVE-2025-55182 is a pre-authentication remote code execution vulnerability in React Server Components affecting Next.js applications (versions 19.0.0–19.2.0). The threat actor UAT-10608 built a fully automated exploitation pipeline called the NEXUS Listener that compromised 766 hosts within 24 hours of campaign launch. The harvested data is staggering in scope: <table> <thead> <tr> <th> Data Type </th> <th> % of Compromised Hosts </th> </tr> </thead> <tbody> <tr> <td> Database credentials </td> <td> 91.5% </td> </tr> <tr> <td> SSH keys </td> <td> 78.2% </td> </tr> <tr> <td> AWS credentials </td> <td> 25.6% </td> </tr> <tr> <td> Stripe API keys </td> <td> 11.4% </td> </tr> <tr> <td> GitHub tokens </td> <td> 8.6% </td> </tr> <tr> <td> Kubernetes service account tokens </td> <td> — </td> </tr> </tbody> </table> Cisco Talos’s 2025 Year in Review explicitly notes that React2Shell became the most targeted vulnerability within weeks of disclosure, with “industrialization of vulnerability exploitation likely fuelled by AI.” The Iranian nexus: While UAT-10608 is not currently attributed to Iran, the harvested credentials — particularly AWS, Azure, and Kubernetes tokens — represent exactly the kind of initial access that Iranian state actors purchase or leverage for lateral movement into government and defense cloud infrastructure. The Talos YiR confirms Iranian-linked actors increased hacktivist operations approximately 60% over the past year, and state actors like ShroudedSnooper (UNC1860) deploy stealthy backdoors in telecommunications infrastructure. React2Shell exploitation could provide the initial foothold that Iranian actors subsequently exploit. <h3>Critical Vulnerability Convergence</h3> Three additional critical-severity vulnerabilities demand immediate attention: <table> <thead> <tr> <th> CVE </th> <th> Product </th> <th> CVSS </th> <th> Type </th> <th> Status </th> </tr> </thead> <tbody> <tr> <td> CVE-2025-55182 </td> <td> React Server Components / Next.js </td> <td> 10.0 </td> <td> Pre-auth RCE </td> <td> Actively exploited at scale </td> </tr> <tr> <td> CVE-2026-1281 </td> <td> Ivanti EPMM </td> <td> 9.8 </td> <td> Pre-auth RCE </td> <td> Disclosed; Iranian adoption expected </td> </tr> <tr> <td> CVE-2026-1340 </td> <td> Ivanti EPMM </td> <td> 9.8 </td> <td> Pre-auth RCE </td> <td> Disclosed; Iranian adoption expected </td> </tr> <tr> <td> CVE-2026-1731 </td> <td> BeyondTrust Remote Support </td> <td> 9.8 </td> <td> Pre-auth RCE </td> <td> Disclosed </td> </tr> </tbody> </table> The Ivanti EPMM vulnerabilities are particularly concerning given Iranian actors’ track record: CVE-2024-21887 (Ivanti Connect Secure) was weaponized by Iranian groups within 48 hours of proof-of-concept availability. Expect the same adoption velocity for CVE-2026-1281 and CVE-2026-1340. <h3>ICS/OT: Expanding Attack Surface</h3> The emergence of Cyber Islamic Resistance claiming ICS/OT access, combined with three new ICS advisories, expands the operational technology threat surface: <ul> <li>PX4 Autopilot (ICSA-26-090-02): MAVLink interface RCE enables arbitrary shell command execution on military and commercial drone platforms. In the Iran-Israel theater, where both sides rely heavily on UAS for ISR and strike operations, this vulnerability has direct kinetic implications.</li> <li>WAGO Industrial Managed Switches (ICSA-26-085-01): Unauthenticated CLI escape achieves full system access on industrial network switches.</li> <li>PTC Windchill PLM (ICSA-26-085-03): RCE in product lifecycle management software used extensively by defense and aerospace manufacturers — a high-value target for Iranian aerospace espionage actors.</li> </ul> These advisories join the existing threat from Cyber Av3ngers (HYDRO KITTEN), the IRGC Cyber Electronic Command-affiliated group that has maintained 21+ days of operational silence — a pattern historically consistent with pre-attack OPSEC discipline. <h2>Predictive Analysis                      </h2> Based on current intelligence, historical pattern analysis, and the operational tempo of Iranian cyber actors: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Iranian actors begin scanning for CVE-2026-1281/1340 (Ivanti EPMM) </td> <td> 70% </td> <td> Within 7 days </td> <td> Historical precedent: CVE-2024-21887 weaponized within 48 hours of PoC </td> </tr> <tr> <td> React2Shell (CVE-2025-55182) exploitation adopted by Iranian-nexus actors </td> <td> 60% </td> <td> Within 14 days </td> <td> Automated tooling lowers barrier; Iranian operators adopt commodity frameworks </td> </tr> <tr> <td> Cyber Av3ngers (HYDRO KITTEN) executes destructive ICS/OT operation </td> <td> 50% </td> <td> Within 7 days </td> <td> 21+ day operational silence consistent with pre-attack OPSEC; no de-escalation signals </td> </tr> <tr> <td> Additional Iran-aligned hacktivist groups emerge with CI targeting claims </td> <td> 65% </td> <td> Within 14 days </td> <td> APTIran and Cyber Islamic Resistance appeared within days of each other; pattern suggests coordinated emergence </td> </tr> <tr> <td> Iranian actors leverage harvested React2Shell credentials for secondary operations </td> <td> 55% </td> <td> Within 30 days </td> <td> Cloud credentials (AWS, Azure, K8s tokens) are high-value for lateral movement into government/defense infrastructure </td> </tr> <tr> <td> Ceasefire-related cyber tempo reduction </td> <td> <20% </td> <td> Next 3 cycles </td> <td> Absence of de-escalation signals; continued aggressive posturing by multiple actor groups </td> </tr> </tbody> </table> <h2>SOC Operational Guidance               </h2> <h3>What to Monitor</h3> AdaptixC2 Command & Control (ATT&CK: T1071.001, T1571, T1573) - Monitor for outbound connections to confirmed C2 IPs: 45.147.77[.]210, 62.60.131[.]49, 213.177.179[.]31, 83.142.209[.]11 - Alert on any traffic to port 2222 destined for ASN 205759 (Ghosty Networks, NL) - Hunt for TLS connections to Iranian ASNs 51889 and 208137 from internal hosts - Deploy network signatures for AdaptixC2 beacon patterns — these differ from Cobalt Strike’s malleable C2 profiles React2Shell / NEXUS Listener Exploitation (ATT&CK: T1190, T1059.004, T1552.001) - Monitor web application logs for anomalous POST requests to React Server Component endpoints - Alert on HTTP callbacks matching the NEXUS Listener C2 pattern: GET /<path>?h=<HOSTNAME>&l=<PHASE>&id=<ID> on port 8080 - Hunt for shell scripts in /tmp/ directories with randomized names (e.g., .eba9ee1e4.sh) - Monitor for bulk reads of .env files, SSH key directories, and cloud credential metadata endpoints. Credential Harvesting Indicators (ATT&CK: T1552.005, T1528, T1078.004) - Alert on unusual access to cloud instance metadata APIs (AWS IMDS, GCP metadata server, Azure IMDS) - Monitor for exfiltration of files named environ.txt, jsenv.txt, ssh.txt, full.txt, k8s.txt, docker.txt - Watch for anomalous GitHub token usage, Kubernetes service account token access, and Stripe API key calls from unexpected sources ICS/OT Indicators (ATT&CK: T1190, T1059) - Monitor MAVLink interfaces on PX4 autopilot systems for unauthorized command injection - Audit WAGO industrial switch management interfaces for CLI escape attempts - Alert on unexpected connections to PTC Windchill PLM servers from external IPs <h3>Hunting Hypotheses</h3> <ol> <li>Hypothesis: Iranian actors have already adopted AdaptixC2 in our environment. Hunt for TLS connections from internal hosts to any IP on ASNs 51889, 208137, or 205759 over the past 90 days. Correlate with DNS queries for domains resolving to these ASNs. Check EDR telemetry for processes establishing persistent outbound connections on non-standard ports (2222, 4322, 4444).</li> <li>Hypothesis: React2Shell exploitation has compromised a Next.js application in our environment. Inventory all Next.js deployments. Check web server logs for exploitation signatures. Search for /tmp/ shell scripts with randomized filenames. Audit .env files for evidence of unauthorized access. Check cloud provider logs for credential usage from unexpected geographic locations.</li> <li>Hypothesis: Harvested credentials from React2Shell are being used for lateral movement. Review AWS CloudTrail, Azure Activity Logs, and GCP Audit Logs for authentication events from unfamiliar IPs or user agents. Check for new IAM roles, service accounts, or API keys created in the past 14 days. Monitor Kubernetes audit logs for service account token usage from outside the cluster.</li> <li>Hypothesis: UNC1860/ShroudedSnooper has pre-positioned web shells in our telecom or energy infrastructure. Hunt for LIONTAIL and TEMPLEDOOR web shell indicators. Search for unusual IIS module loading events (T1505.003). Audit web servers for files modified in the past 90 days that don’t match deployment records.</li> </ol> <h3>Detection Rules to Deploy</h3> <ul> <li>Snort SIDs 66180, 66181, 301456 — Qilin EDR killer detection (relevant given ransomware-as-weapon doctrine)</li> <li>Sigma rules for /tmp/ shell script execution — process_creation events where CommandLine contains /tmp/. and nohup</li> <li>Cloud credential abuse detection — alert on AssumeRole or GetSessionToken API calls from IPs outside your known CIDR ranges</li> </ul> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> Iranian actors — particularly APTIran — have explicitly claimed compromise of Israeli financial institutions. The 350,000+ credential dump, if weaponized against interconnected financial systems, could enable account takeover at scale. Priority actions: - Enforce phishing-resistant MFA (FIDO2/WebAuthn) on all customer-facing and internal banking platforms — credential dumps render password-only and SMS-based MFA insufficient - Audit SWIFT and interbank messaging systems for unauthorized access patterns - Review third-party fintech integrations running Next.js for React2Shell exposure (CVE-2025-55182) - Monitor for Stripe API key abuse — 11.4% of React2Shell victims had Stripe keys harvested <h3>Energy</h3> Cyber Av3ngers (HYDRO KITTEN) and Cyber Islamic Resistance both claim ICS/OT access targeting energy infrastructure. The 21+ day operational silence from Cyber Av3ngers is consistent with pre-attack preparation. Priority actions: - Conduct emergency audit of all internet-facing SCADA/HMI interfaces — verify network segmentation between IT and OT - Review WAGO industrial managed switch configurations for CLI escape vulnerability (ICSA-26-085-01) - Implement out-of-band monitoring for PLC firmware integrity on Yokogawa and Johnson Controls systems - Ensure OT incident response playbooks account for destructive attacks (wipers), not just ransomware - Pre-position manual override procedures for critical processes in case of control system compromise <h3>Healthcare</h3> APTIran claims hospital compromise among its Israeli targets. Healthcare organizations globally face elevated risk from ransomware-as-weapon operations where the goal is disruption rather than payment. Priority actions: - Verify offline backup integrity for electronic health record (EHR) systems — ransomware-as-weapon actors have no incentive to provide decryption keys - Audit Ivanti EPMM deployments managing clinical mobile devices — CVE-2026-1281/1340 (CVSS 9.8) enables pre-auth RCE on the mobile device management platform - Segment biomedical device networks from general IT infrastructure - Review BeyondTrust Remote Support deployments used for vendor access to medical systems — CVE-2026-1731 (CVSS 9.8) <h3>Government</h3> MuddyWater’s confirmed MOIS espionage operations across 17 countries and 7 verticals, with government agencies as primary targets. The TWOSTROKE campaign’s expansion to Azerbaijan and Turkey demonstrates geographic broadening beyond the immediate conflict theater. Priority actions: - Audit Microsoft 365 / Entra ID configurations for OAuth consent grant abuse — Russian actor UTA0355’s phishing campaign (spoofing European security events) demonstrates the TTP is active, and Iranian actors have adopted similar techniques - Hunt for AdaptixC2 beacons on government networks — block all four confirmed C2 IPs at the perimeter - Review cloud identity logs for anomalous service principal activity, particularly in Azure Government and GovCloud environments - Assess exposure to PTC Windchill PLM if used in defense acquisition or procurement workflows (ICSA-26-085-03) <h3>Aviation & Logistics</h3> PX4 autopilot vulnerabilities (ICSA-26-090-02) directly threaten UAS/drone operations. Iranian aerospace espionage actors (UNC6446) target PLM and design systems. Priority actions: - Audit all PX4 autopilot deployments — ensure MAVLink interfaces are not accessible from untrusted networks - Review drone ground control station (GCS) network architecture for segmentation from enterprise IT - Assess PTC Windchill PLM exposure in aerospace design and manufacturing environments - Monitor supply chain integrity for avionics firmware and flight management system updates - Implement GPS spoofing detection on UAS platforms operating in conflict-adjacent airspace <h2>Prioritized Defense Recommendations</h2> <h3>Immediate (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🔴 </td> <td> DevOps </td> <td> Audit ALL Next.js deployments for React Server Components versions 19.0.0–19.2.0. Patch to 19.2.1+ immediately. If patching is not possible within 24 hours, disable Server Function endpoints. Check /tmp/ directories for randomized shell scripts matching dropper patterns. (CVE-2025-55182, CVSS 10.0) </td> </tr> <tr> <td> 🔴 </td> <td> IT Ops </td> <td> Patch Ivanti EPMM to the latest version addressing CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8, pre-auth RCE). If internet-facing, apply emergency mitigation per Ivanti advisory immediately. </td> </tr> <tr> <td> 🔴 </td> <td> SOC </td> <td> Block AdaptixC2 C2 IPs at perimeter firewall and ingest into threat intelligence platform: 45.147.77[.]210, 62.60.131[.]49, 213.177.179[.]31, 83.142.209[.]11 (port 2222). Query NetFlow/proxy logs for any historical connections to ASNs 51889 and 208137. </td> </tr> <tr> <td> 🔴 </td> <td> SOC </td> <td> Deploy detection for NEXUS Listener C2 callback pattern: HTTP GET to port 8080 with URI matching /h=*&l=*&id=*. </td> </tr> <tr> <td> 🔴 </td> <td> Executive/IR </td> <td> Brief executive leadership on the ransomware-as-weapon doctrine shift. Update incident response playbooks to account for ransomware incidents with no decryption possibility — the attacker’s goal may be destruction, not payment. Ensure crisis communication plans cover geopolitically motivated attacks. </td> </tr> </tbody> </table> <h3>7-Day Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🟡 </td> <td> IT Ops </td> <td> Inventory all BeyondTrust Remote Support instances and patch CVE-2026-1731 (CVSS 9.8, pre-auth RCE). Verify no unauthorized remote access tools are present. </td> </tr> <tr> <td> 🟡 </td> <td> SOC </td> <td> Deploy Snort SIDs 66180, 66181, 301456 for Qilin EDR killer detection. Deploy YARA/Sigma rules for AdaptixC2 beacon patterns and /tmp/ shell script execution. </td> </tr> <tr> <td> 🟡 </td> <td> OT Security </td> <td> Review PX4 autopilot deployments for MAVLink interface exposure. Ensure MAVLink is not accessible from untrusted networks. Audit WAGO industrial managed switches for CLI escape vulnerability per ICSA-26-085-01. </td> </tr> <tr> <td> 🟡 </td> <td> Cloud Security </td> <td> Audit AWS CloudTrail, Azure Activity Logs, and GCP Audit Logs for credential usage from unexpected IPs or regions. Review IAM roles and service accounts created in the past 30 days. Rotate any credentials that may have been exposed via .env files in Next.js applications. </td> </tr> <tr> <td> 🟡 </td> <td> Identity </td> <td> Audit Microsoft 365 / Entra ID OAuth consent grants. Revoke any suspicious application permissions. Enforce conditional access policies requiring compliant devices for sensitive applications. </td> </tr> </tbody> </table> <h3>30-Day Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🟢 </td> <td> CISO </td> <td> Commission security assessment of PTC Windchill PLM deployment given ICSA-26-085-03 RCE vulnerability. Windchill is a high-value target for Iranian aerospace espionage actors. </td> </tr> <tr> <td> 🟢 </td> <td> SOC </td> <td> Establish proactive threat hunt for UNC1860/ShroudedSnooper TTPs — search for LIONTAIL/TEMPLEDOOR web shell indicators, unusual IIS module loading, and connections to Iranian ASNs from telecom and energy infrastructure. </td> </tr> <tr> <td> 🟢 </td> <td> CISO </td> <td> Review and update the organization’s ransomware response strategy to address the state-sponsored ransomware-as-weapon scenario. This includes legal counsel engagement on attribution implications, government notification procedures, and insurance policy review for acts of war exclusions. </td> </tr> <tr> <td> 🟢 </td> <td> Architecture </td> <td> Assess network segmentation between IT and OT environments. Validate that ICS/SCADA systems are not reachable from internet-facing networks. Implement unidirectional security gateways where feasible. </td> </tr> <tr> <td> 🟢 </td> <td> Supply Chain </td> <td> Audit npm, PyPI, and GitHub Actions dependencies across all development pipelines. Pin GitHub Actions to commit SHAs. Implement software composition analysis (SCA) scanning for all production deployments. The backdoored Axios npm package (~45M weekly downloads, from prior cycle) and React2Shell demonstrate that the JavaScript supply chain remains a primary attack vector. </td> </tr> </tbody> </table> <h2>Bottom Line                              </h2> Thirty-three days into this escalation cycle, the pattern is unmistakable: Iranian cyber operations are intensifying, diversifying, and professionalizing. New actor groups are standing up. Ransomware is being weaponized for destruction. Critical vulnerabilities are being exploited at machine speed. And the actors who should concern you most — Cyber Av3ngers, UNC1860 — are the ones you’re hearing the least from. Silence from a capable adversary is not comfort. It is preparation. The three actions that will have the greatest impact on your security posture this week: <ol> <li>Patch Next.js (CVE-2025-55182) and Ivanti EPMM (CVE-2026-1281/1340) — these are pre-auth RCE vulnerabilities with CVSS scores of 9.8–10.0, and at least one is under active mass exploitation today.</li> <li>Block the AdaptixC2 infrastructure and hunt for historical connections — four confirmed C2 nodes are operational and likely serving multiple Iranian state actor groups.</li> <li>Update your incident response playbooks for ransomware-as-weapon scenarios — when the attacker’s goal is destruction rather than payment, your negotiation playbook is worthless. Plan for no decryption key.</li> </ol> The threat actors aren’t waiting. Neither should you.

FEATURED RESOURCES

April 2, 2026

Anomali Cyber Watch