Iran Declares Ceasefire Over: Cyber Retaliation Window Opens for Critical Infrastructure

Anomali Threat Research

Published on

June 8, 2026

Table of Contents

Threat Assessment Level: HIGH (Upgraded from ELEVATED — previous cycle assessed ELEVATED daily posture under HIGH strategic level; the ceasefire collapse on June 8 now elevates both to HIGH) The ceasefire is over. On June 8, 2026, Iran's foreign ministry publicly blamed the United States for "whatever happens in the region" — language that historically precedes IRGC-directed cyber retaliation orders. One hundred days into Operation Epic Fury, the Iran conflict has entered its most dangerous cyber phase: dormant access is likely activating, hacktivist proxies are expected to launch within 48 hours, and a hacker group has publicly claimed it fed targeting intelligence to Iranian missile units striking U.S. military facilities. This is not a theoretical escalation. The infrastructure is live, the actors are positioned, and the political authorization signal has been broadcast. <h2> What Changed </h2> <table> <thead> <tr> <th> Development </th> <th> Date </th> <th> Why It Matters </th> </tr> </thead> <tbody> <tr> <td> Iran declares "resumption of hostilities" — blames U.S. for escalation </td> <td> 2026-06-08 </td> <td> Political trigger for IRGC cyber retaliation; eliminates de-escalation pathway </td> </tr> <tr> <td> Handala hacker group claims it provided targeting data to Iranian missile/drone units </td> <td> 2026-06-03 </td> <td> First confirmed cyber-to-kinetic convergence — intrusions now enable physical strikes </td> </tr> <tr> <td> Iran confirmed using ChatGPT and Gemini for military cyber planning </td> <td> 2026-06-02 </td> <td> AI-augmented phishing and operational planning accelerating </td> </tr> <tr> <td> ASN 213790 (Tehran) C2 infrastructure refreshed — Remcos RAT, SystemBC, DarkComet, SOCKS4 proxies all active </td> <td> 2026-06-08 </td> <td> Shared IRGC relay network operational; government research org hosting C2 </td> </tr> <tr> <td> CISA adds CVE-2026-28318 (SolarWinds Serv-U), CVE-2026-45247 (Mirasvit/Magento 2), and CVE-2024-21182 (Oracle WebLogic) to KEV </td> <td> 2026-06-05 </td> <td> Active exploitation confirmed against common enterprise and e-commerce infrastructure </td> </tr> <tr> <td> CISA issues ATG hardening advisory for fuel/tank gauge systems </td> <td> 2026-06-02 </td> <td> Timing suggests intelligence of imminent CyberAv3ngers targeting </td> </tr> <tr> <td> Five ICS advisories: Hitachi Energy RTU500, NAVTOR NavBox, B&R PPT30 </td> <td> 2026-06-04 </td> <td> Energy grid and maritime navigation attack surface expanding </td> </tr> <tr> <td> Pioneer Kitten / Fox Kitten dormant VPN access — 77-day silence on DIB targeting </td> <td> 2026-06-05 </td> <td> Actor updated in threat feeds; extended silence consistent with dormant access maintenance ahead of retaliation trigger </td> </tr> <tr> <td> Wiper-capable unit 25-day operational silence since last confirmed activity </td> <td> 2026-05-14 </td> <td> Assessed as deliberate pre-positioning; preparation likely complete ahead of retaliation window </td> </tr> <tr> <td> Russia providing Iran satellite imagery of U.S. military facilities </td> <td> 2026-04-08 </td> <td> Strategic intelligence sharing enabling precision targeting </td> </tr> </tbody> </table> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Cyber Implication </th> </tr> </thead> <tbody> <tr> <td> 2026-02-28 </td> <td> Operation Epic Fury begins (U.S.-Israeli airstrikes on Iran) </td> <td> Day 0 — conflict initiates </td> </tr> <tr> <td> 2026-04-08 </td> <td> Russian satellite imagery shared with Iran for military targeting </td> <td> Russia-Iran intelligence fusion enables precision cyber-kinetic operations </td> </tr> <tr> <td> 2026-05-14 </td> <td> Last confirmed wiper-capable unit activity </td> <td> 25-day operational silence — assessed as deliberate pre-positioning </td> </tr> <tr> <td> 2026-05-27 </td> <td> MuddyWater/TEMP.Zagros last active </td> <td> 12-day silence — possible retooling before retaliation wave </td> </tr> <tr> <td> 2026-06-02 </td> <td> Iran confirmed using ChatGPT/Gemini for cyber-military ops </td> <td> AI-augmented phishing and planning now operational </td> </tr> <tr> <td> 2026-06-02 </td> <td> CISA ATG hardening advisory issued </td> <td> Intelligence of imminent fuel system targeting </td> </tr> <tr> <td> 2026-06-03 </td> <td> Handala claims targeting intel provided to Iranian missiles </td> <td> Cyber-to-kinetic convergence confirmed </td> </tr> <tr> <td> 2026-06-04 </td> <td> Iran declares diplomacy failed; U.S. invokes War Powers Act </td> <td> Political de-escalation eliminated </td> </tr> <tr> <td> 2026-06-04 </td> <td> Five ICS advisories (RTU500, NavBox, PPT30) </td> <td> OT attack surface documented during peak threat window </td> </tr> <tr> <td> 2026-06-05 </td> <td> CVE-2026-28318, CVE-2026-45247, and CVE-2024-21182 added to CISA KEV </td> <td> Active exploitation of enterprise and e-commerce edge infrastructure </td> </tr> <tr> <td> 2026-06-08 </td> <td> Iran declares "resumption of hostilities" </td> <td> Trigger event — retaliation authorization signal </td> </tr> <tr> <td> 2026-06-08 </td> <td> ASN 213790 C2 infrastructure refreshed </td> <td> Operational infrastructure confirmed active for imminent use </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> 1. The Retaliation Authorization Signal </h3> Iran's foreign ministry statement on June 8 is not diplomatic posturing — it is an operational signal. In previous Iranian cyber campaigns (2019 tanker crisis, 2020 Soleimani response), similar public statements preceded IRGC cyber operations by 24–72 hours. Every dormant access point Iranian actors have established over the past 100 days should now be considered at risk of activation. Actors in play: <ul> <li> Pioneer Kitten / UNC757 (IRGC) — VPN exploitation specialists; dormant webshells in Citrix, Ivanti, PAN-OS environments </li> <li> APT33 / Refined Kitten (IRGC) — aerospace and energy targeting; wiper deployment capability </li> <li> APT42 / IRGC-IO — credential harvesting and surveillance operations </li> <li> Cyber Av3ngers (IRGC) — ICS/OT targeting; fuel systems, water treatment, ATG </li> <li> HYDRO KITTEN / IRGC-CEC — critical infrastructure pre-positioning </li> <li> APT34 / OilRig (MOIS) — tooling confirmed active June 6 </li> <li> MuddyWater / TEMP.Zagros (MOIS) — silent since May 27; retooling suspected </li> </ul> <h3> 2. Cyber-to-Kinetic Convergence: Handala Group </h3> The Handala hacker group's public claim that it provided targeting intelligence to "Mojtaba's missiles and drones" during strikes on U.S. military facilities represents a paradigm shift. Cyber intrusions into military and defense networks are no longer espionage — they are pre-strike reconnaissance enabling kinetic attacks . This changes the risk calculus for every defense industrial base contractor and military-adjacent organization: a network compromise may directly result in physical casualties. ATT&CK techniques: T1589 (Gather Victim Identity Information), T1591 (Gather Victim Org Information), T1041 (Exfiltration Over C2 Channel) <h3> 3. Iranian C2 Infrastructure — ASN 213790 (Tehran) </h3> ASN 213790 ("Limited Network," Tehran) continues to function as a shared IRGC cyber operations relay network . On June 8, the following were confirmed active: <ul> <li> Remcos RAT C2 at 62.60.226[.]42:43155 — hosted at the Iranian Research Organization for Science & Technology (government entity) </li> <li> SystemBC encrypted proxy at 185.93.89[.]147 — same malware family tracked alongside LockBit/APT28 infrastructure </li> <li> DarkComet and Keitaro TDS at 62.60.226[.]10 </li> <li> Tofsee (Gheg) C2 at 217.60.241[.]17:8080 and 217.60.241[.]39:418 </li> <li> Four fresh SOCKS4 proxy relays in the 206.123.156.0/24 range </li> </ul> The co-location of commodity RATs (Remcos, DarkComet) on government research infrastructure suggests state-sponsored actors using commercial tooling for deniability — a known Iranian tradecraft pattern. <h3> 4. Actively Exploited Vulnerabilities </h3> Three CVEs now confirmed under active exploitation are directly relevant: <table> <thead> <tr> <th> CVE </th> <th> Product </th> <th> CVSS </th> <th> Exploitation Status </th> </tr> </thead> <tbody> <tr> <td> CVE-2026-28318 </td> <td> SolarWinds Serv-U </td> <td> 7.5 (HIGH) </td> <td> KEV — active exploitation; unauthenticated DoS via deflate POST </td> </tr> <tr> <td> CVE-2026-45247 </td> <td> Mirasvit Cache Warmer (Magento 2) </td> <td> 9.8 (CRITICAL) </td> <td> KEV — PHP object injection → RCE </td> </tr> <tr> <td> CVE-2024-21182 </td> <td> Oracle WebLogic Server </td> <td> 7.5 (HIGH) </td> <td> KEV — unauthenticated data access via T3/IIOP </td> </tr> </tbody> </table> Iranian APT groups (particularly Pioneer Kitten and APT34) have historically weaponized SolarWinds and Oracle vulnerabilities within days of KEV listing. The timing of these additions during the retaliation window is not coincidental. <h3> 5. ICS/OT Attack Surface Expansion </h3> Five ICS advisories issued June 4 expand the operational technology attack surface during peak threat: <ul> <li> Hitachi Energy RTU500 — energy grid remote terminal units (Iranian actors have demonstrated RTU targeting capability) </li> <li> NAVTOR NavBox — maritime navigation systems (relevant to Strait of Hormuz threats and subsea cable operations) </li> <li> Hitachi Energy ITT600 Explorer — energy grid management </li> <li> B&R PPT30 — industrial automation operating system </li> <li> Hitachi Energy MACH HiDraw — buffer overflow in energy engineering tools </li> </ul> Combined with CISA's ATG hardening advisory (June 2), the OT threat surface is at maximum exposure during the highest-risk political window. <h3> 6. AI-Augmented Iranian Operations </h3> Iranian actors are confirmed using ChatGPT, Gemini, and other commercial AI models for: <ul> <li> Enhanced spearphishing lure generation </li> <li> Military operational planning </li> <li> Cyber operation automation </li> </ul> This means traditional signature-based email security will miss AI-crafted phishing. The quality ceiling for Iranian social engineering has risen dramatically. <h2> Predictive Analysis: Likely Attack Scenarios (Next 72 Hours) </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Pro-Iran hacktivist groups (DieNet, 313 Team, Handala) launch coordinated DDoS/defacement against U.S./Israeli targets </td> <td> 75% </td> <td> Historical pattern: hacktivists activate within 48h of political authorization; current silence is anomalous and likely pre-coordination </td> </tr> <tr> <td> Pioneer Kitten / Fox Kitten dormant VPN access activated for exfiltration or destructive pre-positioning in DIB networks </td> <td> 50% </td> <td> Actor updated June 5 in threat feeds; 77-day silence on DIB targeting is consistent with dormant access maintenance; political trigger now fired </td> </tr> <tr> <td> New wiper variant deployed against Israeli critical infrastructure </td> <td> 45% </td> <td> Historical pattern from Operation Epic Fury response; 25-day silence from wiper-capable units suggests preparation complete </td> </tr> <tr> <td> Coordinated wiper deployment against U.S. critical infrastructure </td> <td> 35% </td> <td> Assessed based on pre-positioning evidence, political trigger, and historical IRGC escalation patterns </td> </tr> <tr> <td> CyberAv3ngers target ATG/fuel systems in U.S. </td> <td> 30% </td> <td> CISA advisory timing suggests intelligence of imminent threat; actor has demonstrated capability and intent </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Immediate Monitoring Priorities </h3> Network-Level Detection: <ul> <li> Block and alert on all traffic to/from ASN 213790 (206.123.156[.]0/24, 172.94.9[.]0/24, 62.60.226[.]0/24, 217.60.241[.]0/24, 185.93.89[.]0/24, 151.232.0[.]0/16) </li> <li> Hunt for historical connections to 62.60.226[.]42:43155 (Remcos RAT C2) in 90 days of netflow — T1219 (Remote Access Software) </li> <li> Detect SystemBC encrypted SOCKS5 proxy patterns from 185.93.89[.]147 — T1573 (Encrypted Channel), T1090.003 (Multi-hop Proxy) </li> <li> Monitor for Tofsee C2 beaconing to 217.60.241[.]17:8080 and 217.60.241[.]39:418 — T1071.001 (Application Layer Protocol: Web) </li> </ul> Endpoint Detection: <ul> <li> Hunt for Remcos RAT artifacts: registry persistence under HKCU\Software\Remcos, mutex patterns, keylogger modules — T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys) </li> <li> Scan for DarkComet indicators: default mutex "DC_MUTEX-*", process injection into svchost.exe — T1055 (Process Injection) </li> <li> Detect SOCKS4/5 proxy binaries on endpoints — T1090 (Proxy) </li> </ul> Edge Device Hunting (Critical — Fox Kitten TTPs): <ul> <li> Audit all VPN concentrators (Citrix NetScaler, Ivanti Connect Secure, PAN-OS GlobalProtect) for: </li> <ul> <li> Dormant webshells — T1505.003 (Server Software Component: Web Shell) </li> <li> Unauthorized local accounts — T1136.001 (Create Account: Local Account) </li> <li> Modified SSH authorized_keys — T1098.004 (Account Manipulation: SSH Authorized Keys) </li> <li> Unexpected scheduled tasks — T1053.005 (Scheduled Task/Job: Scheduled Task) </li> </ul> <li> Verify SolarWinds Serv-U not vulnerable to CVE-2026-28318 — T1499 (Endpoint Denial of Service) </li> <li> Verify Oracle WebLogic patched against CVE-2024-21182 — T1190 (Exploit Public-Facing Application) </li> </ul> <h3> Hunting Hypotheses </h3> <table> <thead> <tr> <th> Hypothesis </th> <th> ATT&CK Technique </th> <th> Data Source </th> <th> Query Logic </th> </tr> </thead> <tbody> <tr> <td> Iranian actors using dormant VPN webshells for initial re-entry </td> <td> T1505.003, T1133 </td> <td> VPN appliance logs, file integrity monitoring </td> <td> New files in web-accessible directories on VPN appliances created >30 days ago but accessed in last 7 days </td> </tr> <tr> <td> Remcos RAT beaconing to Iranian government infrastructure </td> <td> T1219, T1071.001 </td> <td> DNS logs, proxy logs, netflow </td> <td> Connections to 62.60.226[.]0/24 on non-standard ports; DNS queries for unusual subdomains resolving to Iranian ASNs </td> </tr> <tr> <td> Pre-wiper reconnaissance via credential harvesting </td> <td> T1003, T1078 </td> <td> Windows Security logs, EDR </td> <td> Bulk LSASS access, DCSync attempts, or Kerberoasting spikes from previously quiet accounts </td> </tr> <tr> <td> AI-generated phishing bypassing email security </td> <td> T1566.001, T1585.001 </td> <td> Email gateway logs, user reports </td> <td> Phishing emails with unusually high linguistic quality targeting executives; sender domains registered <7 days </td> </tr> <tr> <td> ATG/SCADA systems receiving unauthorized commands </td> <td> T0816, T0826 </td> <td> OT network monitoring, historian logs </td> <td> Unexpected write commands to tank gauge controllers; connections from IT network segments to OT </td> </tr> </tbody> </table> <h3> Detection Engineering Priorities </h3> <ol> <li> Sigma rule: Alert on any outbound connection to the 14 IPv4 IOCs listed in this report across all network sensors </li> <li> YARA rule: Deploy Remcos RAT and SystemBC signatures to all endpoint agents </li> <li> Suricata/Snort: Add rules for Tofsee HTTP C2 beacon patterns (POST to non-standard ports with specific User-Agent strings) </li> <li> SIEM correlation: Cross-reference VPN authentication anomalies with the Fox Kitten TTP profile (off-hours access, new device fingerprints, geographic impossibility) </li> </ol> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Primary threat: Destructive wiper attacks disguised as ransomware; DDoS against customer-facing banking infrastructure during hacktivist activation wave. Actions: <ul> <li> Verify SWIFT/payment system network segmentation from internet-facing infrastructure </li> <li> Pre-position DDoS mitigation (activate "under attack" mode on CDN/WAF if available) </li> <li> Audit Oracle WebLogic instances in middleware stacks — CVE-2024-21182 enables unauthenticated data access to transaction systems </li> <li> Review Magento/e-commerce platforms for CVE-2026-45247 (PHP object injection → RCE) if operating online payment portals </li> <li> Ensure offline backup verification completed within last 7 days </li> </ul> <h3> Energy </h3> Primary threat: ICS/OT targeting via Hitachi Energy RTU500 vulnerabilities; ATG system manipulation at fuel distribution facilities; wiper deployment against grid management systems. Actions: <ul> <li> Immediately audit Hitachi Energy RTU500 firmware against ICSA-26-155-04 </li> <li> Verify all ATG systems are network-segmented and not internet-exposed per CISA advisory </li> <li> Implement unidirectional gateways (data diodes) between IT and OT where not already deployed </li> <li> Activate enhanced monitoring on SCADA historian servers for unauthorized read/write operations </li> <li> Pre-position manual override procedures for grid operations in case of wiper deployment </li> <li> Review Hitachi Energy ITT600 Explorer and MACH HiDraw exposure </li> </ul> <h3> Healthcare </h3> Primary threat: Ransomware/wiper attacks leveraging Iranian infrastructure (SystemBC proxy → ransomware delivery is a documented chain); disruption of hospital operations during mass-casualty events. Actions: <ul> <li> Verify medical device network segmentation from enterprise IT </li> <li> Audit SolarWinds Serv-U instances used for file transfer (common in healthcare) against CVE-2026-28318 </li> <li> Ensure electronic health record (EHR) systems have tested offline operational procedures </li> <li> Block ASN 213790 ranges at perimeter — SystemBC at 185.93.89[.]147 is associated with both APT and ransomware delivery </li> <li> Review business continuity plans for simultaneous cyber-physical incidents </li> </ul> <h3> Government </h3> Primary threat: Espionage via dormant access activation; credential harvesting for intelligence collection; destructive attacks against military-adjacent networks; Handala-style targeting intelligence exfiltration. Actions: <ul> <li> Activate enhanced monitoring on all .gov and .mil-adjacent VPN concentrators for Fox Kitten TTPs </li> <li> Conduct emergency audit of Ivanti Connect Secure, Citrix NetScaler, and PAN-OS GlobalProtect for webshells and unauthorized accounts </li> <li> Review all accounts with privileged access to facility information, floor plans, or physical security systems — Handala's targeting intelligence model means this data enables kinetic strikes </li> <li> Implement geographic access restrictions on VPN (block Iranian, Russian IP ranges at authentication layer) </li> <li> Brief cleared personnel on AI-enhanced spearphishing targeting </li> </ul> <h3> Aviation & Logistics </h3> Primary threat: Supply chain compromise via DIB contractor lateral movement; maritime navigation system exploitation (NAVTOR NavBox); disruption of logistics coordination during military operations. Actions: <ul> <li> Audit NAVTOR NavBox deployments — restrict SOAP method access to authorized management stations only </li> <li> Review all third-party contractor VPN access for dormant sessions (Pioneer Kitten specializes in contractor access exploitation) </li> <li> Verify Windchill PLM and engineering data repositories are not accessible from internet-facing segments </li> <li> Assess GPS-dependent systems for spoofing resilience (Iranian GPS spoofing capability documented) </li> <li> Implement enhanced monitoring on cargo/logistics management systems for unauthorized access patterns </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC </td> <td> Block all ASN 213790 IP ranges at perimeter firewall and proxy: 206.123.156[.]0/24, 172.94.9[.]0/24, 62.60.226[.]0/24, 217.60.241[.]0/24, 185.93.89[.]0/24, 151.232.0[.]0/16, 188.121.121[.]0/24 </td> </tr> <tr> <td> 2 </td> <td> SOC </td> <td> Deploy IOC blocklist (14 IPs, Remcos/SystemBC/DarkComet/Tofsee C2) to all network security controls </td> </tr> <tr> <td> 3 </td> <td> IT Ops </td> <td> Verify SolarWinds Serv-U patched against CVE-2026-28318 (unauthenticated DoS, active exploitation) </td> </tr> <tr> <td> 4 </td> <td> IT Ops </td> <td> Verify Oracle WebLogic 12.2.1.4.0 and 14.1.1.0.0 patched against CVE-2024-21182 (unauthenticated access via T3/IIOP) </td> </tr> <tr> <td> 5 </td> <td> SOC </td> <td> Initiate 90-day retrospective hunt for connections to 62.60.226[.]42:43155 (Remcos RAT C2 at Iranian government research org) </td> </tr> <tr> <td> 6 </td> <td> Executive/IR </td> <td> Brief leadership on 24–72 hour retaliation window; confirm incident response retainer is active and responders are on standby </td> </tr> <tr> <td> 7 </td> <td> SOC </td> <td> Elevate alert thresholds — treat any Iranian-attributed IOC hit as P1 incident </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC </td> <td> Activate Fox Kitten / Pioneer Kitten hunt package across all VPN concentrators (Citrix, Ivanti, PAN-OS) — scan for dormant webshells, unauthorized accounts, modified SSH keys </td> </tr> <tr> <td> 2 </td> <td> SOC </td> <td> Implement SystemBC encrypted proxy detection signatures for traffic from 185.93.89[.]147 </td> </tr> <tr> <td> 3 </td> <td> OT Security </td> <td> Audit Hitachi Energy RTU500 firmware versions against ICSA-26-155-04; network-segment any unpatched units </td> </tr> <tr> <td> 4 </td> <td> OT Security </td> <td> Assess NAVTOR NavBox exposure; restrict SOAP method access to authorized management stations </td> </tr> <tr> <td> 5 </td> <td> IT Ops </td> <td> Audit all Magento 2 instances for Mirasvit Cache Warmer plugin — CVE-2026-45247 (CVSS 9.8, RCE) </td> </tr> <tr> <td> 6 </td> <td> SOC </td> <td> Deploy AI-phishing detection heuristics — flag emails with high linguistic quality from newly registered domains targeting executives </td> </tr> <tr> <td> 7 </td> <td> IR </td> <td> Conduct tabletop exercise: simultaneous wiper deployment + DDoS + hacktivist data leak scenario </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> CISO </td> <td> Commission ATG system hardening assessment per CISA joint advisory — verify all fuel/tank gauge systems segmented and offline </td> </tr> <tr> <td> 2 </td> <td> CISO </td> <td> Expand threat intelligence collection to include Telegram channel monitoring for Handala, DieNet, 313 Team, NoName057(16) activation signals </td> </tr> <tr> <td> 3 </td> <td> OT Security </td> <td> Implement unidirectional gateways between IT and OT networks where not already deployed </td> </tr> <tr> <td> 4 </td> <td> IT Ops </td> <td> Conduct full edge device firmware integrity audit (all VPN appliances, firewalls, load balancers) — assume compromise and verify </td> </tr> <tr> <td> 5 </td> <td> Executive </td> <td> Review cyber insurance coverage for state-sponsored destructive attacks — many policies exclude "acts of war" </td> </tr> <tr> <td> 6 </td> <td> CISO </td> <td> Assess organizational exposure to cyber-kinetic convergence — identify data that, if exfiltrated, could enable physical targeting of personnel or facilities </td> </tr> </tbody> </table> <h2> IOC Blocking Table </h2> The following IOCs are confirmed from intelligence collection on 2026-06-08. Deploy to all network security controls immediately. <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Context </th> <th> Confidence </th> </tr> </thead> <tbody> <tr> <td> IPv4 (C2) </td> <td> 62.60.226[.]42 </td> <td> Remcos RAT C2 — Iranian govt research org </td> <td> 97 </td> </tr> <tr> <td> IPv4 (C2) </td> <td> 217.60.241[.]17 </td> <td> Tofsee (Gheg) C2 — port 8080 </td> <td> 89 </td> </tr> <tr> <td> IPv4 (C2) </td> <td> 217.60.241[.]39 </td> <td> Tofsee (Gheg) C2 — port 418 </td> <td> 90 </td> </tr> <tr> <td> IPv4 (C2) </td> <td> 62.60.226[.]10 </td> <td> DarkComet / Keitaro TDS </td> <td> 94 </td> </tr> <tr> <td> IPv4 (Malware) </td> <td> 185.93.89[.]147 </td> <td> SystemBC encrypted proxy </td> <td> 100 </td> </tr> <tr> <td> IPv4 (Malware) </td> <td> 172.94.9[.]250 </td> <td> Malware hosting </td> <td> 98 </td> </tr> <tr> <td> IPv4 (Malware) </td> <td> 172.94.9[.]168 </td> <td> Malware hosting </td> <td> 100 </td> </tr> <tr> <td> IPv4 (Malware) </td> <td> 62.60.130[.]237 </td> <td> Malware hosting </td> <td> 100 </td> </tr> <tr> <td> IPv4 (Malware) </td> <td> 188.121.121[.]26 </td> <td> Hola proxy / malicious relay </td> <td> 100 </td> </tr> <tr> <td> IPv4 (Proxy) </td> <td> 206.123.156[.]212 </td> <td> SOCKS4 relay — ASN 213790 </td> <td> 92 </td> </tr> <tr> <td> IPv4 (Proxy) </td> <td> 206.123.156[.]223 </td> <td> SOCKS4 relay — ASN 213790 </td> <td> 92 </td> </tr> <tr> <td> IPv4 (Proxy) </td> <td> 206.123.156[.]221 </td> <td> SOCKS4 relay — ASN 213790 </td> <td> 92 </td> </tr> <tr> <td> IPv4 (Proxy) </td> <td> 206.123.156[.]235 </td> <td> SOCKS4 relay — ASN 213790 </td> <td> 92 </td> </tr> <tr> <td> IPv4 (Proxy) </td> <td> 151.232.18[.]66 </td> <td> SOCKS4 relay — Iran Telecom </td> <td> 95 </td> </tr> </tbody> </table> Additional IOCs available via Anomali ThreatStream Next-Gen and partner feeds. <h2> The Bottom Line </h2> We are in the most dangerous 72-hour window since Operation Epic Fury began 100 days ago. The political signal has been sent. The infrastructure is active. The actors are positioned. The question is not whether Iranian cyber retaliation will come — it is where and how destructive . The Handala group's claim of providing targeting intelligence to missile units means this is no longer a conventional cyber conflict. Network compromises now have kinetic consequences. Data exfiltration enables physical strikes. Every hour of undetected access is an hour of targeting intelligence flowing to adversary military planners. Act now: <ul> <li> Hunt your edge devices for dormant access — assume compromise until proven otherwise </li> <li> Block Iranian relay infrastructure at every layer </li> <li> Patch the three KEV vulnerabilities before they become entry points </li> <li> Brief your leadership: this is a state-sponsored military operation, not a compliance exercise </li> <li> Prepare your incident response teams for activation — the next 72 hours will determine whether your organization is a target or a bystander </li> </ul> The ceasefire is over. Your defensive posture should reflect that reality. Published 2026-06-08 | Anomali CTI Desk For questions or additional IOC feeds, contact your Anomali account team.

FEATURED RESOURCES

June 8, 2026

Anomali Cyber Watch