Iranian Cyber Forces Converge: Access Brokers Now Sharing Tooling with Destructive Operators

Anomali Threat Research

Published on

June 18, 2026

Table of Contents

Threat Assessment Level: ELEVATED (trending HIGH) The Iran-Israel conflict is now in its 110th day, and Iranian cyber operations are exhibiting a structural shift that demands immediate executive attention. For the first time, we have confirmed evidence that IRGC-affiliated access brokers are sharing malware tooling directly with destructive operators — collapsing the operational separation that previously provided Iran plausible deniability. Combined with a cluster of critical ICS vulnerabilities affecting Rockwell Automation controllers and sustained MuddyWater espionage campaigns, the current threat landscape signals coordinated pre-positioning across multiple attack lanes simultaneously. This is not theoretical. Fresh malware samples were collected yesterday. Infrastructure is active today. And the ICS vulnerabilities disclosed this week map directly to controllers deployed across energy, water, and manufacturing environments worldwide. <h2> What Changed </h2> Previous cycle (2026-06-17): Threat Level HIGH — characterized by systematic infrastructure pre-positioning across network, OT, and software supply chain domains. This cycle (2026-06-18): Threat Level ELEVATED (trending HIGH) — the threat level designation reflects a refinement in classification methodology, but the underlying risk has intensified based on four developments: <ol> <li> Pioneer Kitten and Handala are now sharing malware — confirmed via multi-actor tagged samples at "very-high" severity. This represents the maturation of an access-broker-to-destructor pipeline that shortens the timeline from initial compromise to destructive attack. </li> <li> Rockwell Automation ICS advisories include a "nonrecoverable fault" vulnerability — a CIP-based denial-of-service against Logix 5370/5570 controllers that effectively bricks the device until physical intervention. Cyber Av3ngers' profile was updated the same day these advisories published. </li> <li> MuddyWater's POWERSTATS backdoor campaign is actively refreshing — new samples modified 2026-06-17 confirm sustained operational tempo after a 27-day silence that preceded retooling. </li> <li> Iranian C2 infrastructure is actively expanding — a new IP (171.22.27[.]16) provisioned on ASN 60631 (Vandad Vira Hooman, Tehran) on 2026-06-06 joins four established nodes on ASN 213790, indicating deliberate infrastructure build-out concurrent with the Pioneer Kitten–Handala convergence. </li> </ol> All prior actor attributions and events from the previous cycle remain valid and are carried forward. <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 2026-02-28 </td> <td> Iran-Israel conflict begins </td> <td> Day 0 — cyber operations commence alongside kinetic activity </td> </tr> <tr> <td> 2026-06-06 </td> <td> New Iranian C2 IP provisioned (171.22.27[.]16) </td> <td> Infrastructure expansion on ASN 60631 (Vandad Vira Hooman, Tehran) </td> </tr> <tr> <td> 2026-06-11 </td> <td> CVE-2026-10520 (Ivanti Sentry) added to CISA KEV </td> <td> Confirmed active exploitation of edge device </td> </tr> <tr> <td> 2026-06-12 </td> <td> CVE-2026-35273 added to CISA KEV </td> <td> Active exploitation confirmed </td> </tr> <tr> <td> 2026-06-15 </td> <td> CVE-2026-20262 (Cisco Catalyst SD-WAN) added to CISA KEV </td> <td> Completes 4-CVE unauthenticated-to-root kill chain </td> </tr> <tr> <td> 2026-06-16 </td> <td> 5× Rockwell Automation ICS advisories published </td> <td> Includes nonrecoverable controller fault (Logix 5370/5570) </td> </tr> <tr> <td> 2026-06-16 </td> <td> CVE-2026-48907 added to CISA KEV </td> <td> Active exploitation — details still embargoed </td> </tr> <tr> <td> 2026-06-16 </td> <td> Cyber Av3ngers profile updated </td> <td> Same day as Rockwell advisories — preparation indicator </td> </tr> <tr> <td> 2026-06-17 </td> <td> MuddyWater POWERSTATS samples refreshed </td> <td> Active campaign targeting India; expansion likely </td> </tr> <tr> <td> 2026-06-17 </td> <td> Pioneer Kitten/Handala shared tooling confirmed </td> <td> Access-broker-to-destructor pipeline maturation </td> </tr> <tr> <td> 2026-06-18 </td> <td> Day 110 — current assessment </td> <td> Multi-lane pre-positioning continues; 86-day Handala IO silence is anomalous </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> Pioneer Kitten–Handala Convergence: The Access-to-Destruction Pipeline </h3> Actors: Pioneer Kitten (UNC757, IRGC-nexus), Handala (IRGC-linked), Banished Kitten, Helix Kitten (APT34/OilRig), Refined Kitten (APT33) This is the most significant structural development of this cycle. Malware samples tagged at "very-high" severity carry attribution to both Pioneer Kitten (an access broker known for exploiting VPNs and edge devices, then selling or transferring access) and Handala (a destructive operator responsible for wipers and IO campaigns against Israeli targets). Historically, these groups operated in separate lanes — Pioneer Kitten gained access, and destructive operators like Handala conducted their own intrusions. The convergence on shared tooling suggests one of three scenarios: <ul> <li> Organizational merger between IRGC cyber units </li> <li> Matured handoff pipeline where Pioneer Kitten systematically feeds pre-positioned access to Handala </li> <li> Shared contractor serving both organizations </li> </ul> The operational implication is clear: if Pioneer Kitten already has access to your network (via Fortinet, Ivanti, or Cisco edge exploitation), the time-to-destruction just shortened dramatically. Associated web shells: ASPXSPY, ANTAK, TUNNA, CHOPPER, REGEORG — all documented Pioneer Kitten tools that may already be resident on compromised edge devices. <h3> MuddyWater POWERSTATS: Sustained Tempo, Expanding Targets </h3> Actor: MuddyWater (MOIS), also tracked as TEMP.Zagros After a 27-day silence that historically precedes retooling, MuddyWater has resumed operations with refreshed POWERSTATS backdoor samples. Three new hashes were collected with a modification date of 2026-06-17, targeting India. MuddyWater's documented target list spans 24 countries — expansion to Gulf state telecommunications (consistent with earlier Iraq telecom targeting patterns) is assessed as likely. POWERSTATS is a PowerShell-based backdoor that establishes persistence via registry run keys and communicates over standard web protocols, making it difficult to detect without behavioral analytics. <h3> Rockwell Automation ICS Vulnerability Cluster: Nonrecoverable Faults </h3> CVEs: Referenced in ICSA-26-167-01 through ICSA-26-167-05 The most dangerous advisory is ICSA-26-167-03, affecting Logix 5370 and 5570 controllers — the workhorses of industrial automation in energy, water treatment, and manufacturing. A CIP-based denial-of-service can trigger a "major nonrecoverable fault," effectively bricking the controller until a technician physically intervenes. Why this matters now: Cyber Av3ngers (IRGC-affiliated) updated their operational profile on the same day these advisories published. This group has documented interest in PLC disruption and previously targeted water treatment facilities. Their historical pattern shows a 7–21 day weaponization window after public vulnerability disclosure. Additionally, ICSA-26-167-05 (FLEX I/O EtherNet/IP Adapters) enables unauthorized access and account takeover — providing a potential foothold into OT networks. <h3> Iranian C2 Infrastructure: ASN 213790 Remains Active </h3> Four IPs on ASN 213790 ("Limited Network," Tehran) continue operating as command-and-control infrastructure at confidence levels of 91–97. A fifth IP (171.22.27[.]16) on ASN 60631 ("Vandad Vira Hooman," Tehran) was provisioned on 2026-06-06, indicating infrastructure expansion. These IPs carry conflicting actor tags (APT28, LockBit, Pinchy Spider alongside Iranian APT indicators), suggesting either shared bulletproof hosting across Russian and Iranian threat ecosystems or deliberate false-flag tagging. Regardless of attribution ambiguity, all traffic to ASN 213790 from enterprise networks should be treated as hostile. <h2> Predictive Analysis </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> CVE-2026-48907 exploitation reports emerge affecting edge devices </td> <td> 70% </td> <td> 72 hours </td> <td> KEV addition pattern; details still embargoed suggests active campaign </td> </tr> <tr> <td> Cyber Av3ngers probe Rockwell controllers using disclosed CIP vulnerabilities </td> <td> 60% </td> <td> 14 days </td> <td> Historical 7–21 day weaponization window; profile updated same day as advisories </td> </tr> <tr> <td> Pioneer Kitten–Handala pipeline produces destructive incident against Israeli or Gulf target </td> <td> 50% </td> <td> 30 days </td> <td> Shared tooling confirmed; pre-positioned access likely exists </td> </tr> <tr> <td> MuddyWater POWERSTATS campaign expands from India to Gulf state telecoms </td> <td> 40% </td> <td> 21 days </td> <td> Consistent with documented TEMP.Zagros targeting across 24 countries </td> </tr> <tr> <td> Handala breaks 86-day IO silence with major destructive operation </td> <td> 35% </td> <td> 30 days </td> <td> Extended quiet periods historically precede large-scale operations (pre-October 7 parallel) </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Immediate Detection Priorities </h3> Hunt Hypothesis 1: Pioneer Kitten Web Shells on Edge Devices <ul> <li> ATT&CK: T1505.003 (Web Shell), T1190 (Exploit Public-Facing Application) </li> <li> Where to look: All Fortinet FortiGate/FortiSandbox, Ivanti Sentry/EPMM, Cisco SD-WAN, and Palo Alto GlobalProtect appliances </li> <li> What to find: ASPXSPY, ANTAK, TUNNA, CHOPPER, REGEORG web shells; unexpected .aspx/.php files in web-accessible directories; anomalous outbound connections from edge devices </li> <li> Detection logic: File integrity monitoring on edge device web roots; process execution anomalies on appliances (PowerShell, cmd.exe spawned by web server processes) </li> </ul> Hunt Hypothesis 2: POWERSTATS Backdoor Execution <ul> <li> ATT&CK: T1059.001 (PowerShell), T1547.001 (Registry Run Keys), T1071.001 (Web Protocols) </li> <li> Where to look: Windows endpoints, particularly those with exposure to spearphishing (T1566.001) </li> <li> What to find: Encoded PowerShell commands establishing persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run; HTTP/HTTPS beaconing to unknown infrastructure at regular intervals </li> <li> Detection logic: EDR rules for obfuscated PowerShell with network callbacks; registry modification alerts on Run keys; DNS analytics for newly registered domains </li> </ul> Hunt Hypothesis 3: CIP Protocol Abuse Against Rockwell Controllers <ul> <li> ATT&CK (ICS): T0816 (Device Restart/Shutdown), T0826 (Loss of Availability) </li> <li> Where to look: Network traffic to/from Logix 5370/5570 controllers and FLEX I/O adapters </li> <li> What to find: Unexpected CIP commands from non-engineering workstations; authentication attempts against FLEX I/O from external networks; controller fault conditions without corresponding maintenance windows </li> <li> Detection logic: OT network monitoring for CIP traffic from unauthorized sources; controller health polling for fault state changes; segmentation validation (no internet-routable path to CIP ports) </li> </ul> <h3> Blocking Actions </h3> Deploy the following IOCs to perimeter defenses, EDR, and SIEM: Network Indicators (Block at Firewall/Proxy): <table> <thead> <tr> <th> IP </th> <th> ASN </th> <th> Context </th> </tr> </thead> <tbody> <tr> <td> 192.253.248[.]169 </td> <td> 213790 (Limited Network, Tehran) </td> <td> Iranian APT C2, confidence 97 </td> </tr> <tr> <td> 185.93.89[.]147 </td> <td> 213790 (Limited Network, Tehran) </td> <td> Iranian APT C2, confidence 91 </td> </tr> <tr> <td> 192.253.248[.]180 </td> <td> 213790 (Limited Network, Tehran) </td> <td> Iranian APT C2, confidence 91 </td> </tr> <tr> <td> 77.90.185[.]253 </td> <td> 213790 (Limited Network, Tehran) </td> <td> Iranian APT C2, confidence 91 </td> </tr> <tr> <td> 171.22.27[.]16 </td> <td> 60631 (Vandad Vira Hooman, Tehran) </td> <td> Emerging Iranian C2, confidence 70 </td> </tr> </tbody> </table> File Hashes (Block/Alert in EDR): <table> <thead> <tr> <th> SHA-256 </th> <th> Attribution </th> </tr> </thead> <tbody> <tr> <td> 4d0de14966a66c1db3dac5061e643383910fb9bc2b4a1405d6b92eed7b8178e3 </td> <td> MuddyWater POWERSTATS </td> </tr> <tr> <td> 9a372dcffb86e4165cdccb80bc71f88aa69e80bde979dbd0fb12dadad1710655 </td> <td> MuddyWater POWERSTATS </td> </tr> <tr> <td> 562c16d8d7c6e9bb7adda61faba7aa13cf93921c26077ecbdfac63b1242bb6b8 </td> <td> MuddyWater POWERSTATS </td> </tr> <tr> <td> 028d3de0f0709a18c9928526519e761a08f6766d1eca386e908588f995f44e7f </td> <td> Pioneer Kitten/Handala </td> </tr> <tr> <td> 0a5cf97e699c8bfacee7f89ebfaa851ff03dd004a58ffde9c609fcc2cd27f250 </td> <td> Pioneer Kitten/Handala </td> </tr> <tr> <td> 7540bed5efd55f75271bb4b5a5afb28f343ebe64a816f74f0edba8527dc5e181 </td> <td> Pioneer Kitten/Handala </td> </tr> <tr> <td> 2417738503887374dae9891d26ea7033eb7b44656a14b84f15d4e8fa63e4e830 </td> <td> Pioneer Kitten/Handala </td> </tr> <tr> <td> 2a432edfba8a28854b9e3e34be513e96e1dc3426b1bd0976cda71ecfc5a2427c </td> <td> Pioneer Kitten/Handala </td> </tr> <tr> <td> ff5f7d414c6e701be02ec546c56fac589902896fe29fa0ef1e3a96d904a65134 </td> <td> Pioneer Kitten/Handala </td> </tr> </tbody> </table> Additional IOCs available via Anomali ThreatStream. <h3> Monitoring Priorities </h3> <table> <thead> <tr> <th> ATT&CK Technique </th> <th> What to Monitor </th> <th> Tool/Data Source </th> </tr> </thead> <tbody> <tr> <td> T1190 — Exploit Public-Facing Application </td> <td> Authentication anomalies on edge devices (Fortinet, Ivanti, Cisco) </td> <td> VPN logs, WAF, appliance auth logs </td> </tr> <tr> <td> T1071.001 — Web Protocols </td> <td> Beaconing patterns to unknown infrastructure </td> <td> Proxy logs, NDR, DNS analytics </td> </tr> <tr> <td> T1059.001 — PowerShell </td> <td> Encoded/obfuscated PowerShell with network callbacks </td> <td> EDR, Windows Event 4104 </td> </tr> <tr> <td> T1505.003 — Web Shell </td> <td> New files in web-accessible directories on appliances </td> <td> FIM, appliance integrity checks </td> </tr> <tr> <td> T1078 — Valid Accounts </td> <td> Credential reuse, impossible travel, service account anomalies </td> <td> IAM, UEBA, Entra ID logs </td> </tr> <tr> <td> T1547.001 — Registry Run Keys </td> <td> Persistence mechanisms on endpoints </td> <td> EDR, Sysmon Event 13 </td> </tr> <tr> <td> T0816 — Device Restart/Shutdown (ICS) </td> <td> Unexpected controller state changes </td> <td> OT monitoring, historian alerts </td> </tr> <tr> <td> T1583.004 — Acquire Infrastructure: Server </td> <td> New infrastructure on Iranian ASNs communicating with your network </td> <td> Netflow, threat intel feeds </td> </tr> </tbody> </table> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Primary threat: MuddyWater credential theft campaigns expanding from India to financial hubs; Pioneer Kitten access brokering to ransomware operators (documented LockBit handoff pattern). Actions: <ul> <li> Audit all internet-facing VPN concentrators and web applications for web shell artifacts </li> <li> Enable conditional access policies requiring phishing-resistant MFA for all privileged accounts </li> <li> Review SWIFT/payment system segmentation — ensure no path exists from edge devices to transaction networks </li> <li> Monitor for POWERSTATS-style PowerShell beaconing from treasury and trading workstations </li> </ul> <h3> Energy </h3> Primary threat: Cyber Av3ngers targeting Rockwell Logix controllers via newly disclosed CIP vulnerabilities; Pioneer Kitten pre-positioning in OT-adjacent networks. Actions: <ul> <li> Emergency: Verify network segmentation between IT and OT — no internet-routable path should reach CIP ports (TCP/44818) </li> <li> Audit all Logix 5370/5570 firmware versions against ICSA-26-167-03 advisory </li> <li> Patch FLEX I/O EtherNet/IP Adapters (ICSA-26-167-05) — account takeover risk </li> <li> Deploy OT-specific network monitoring for unauthorized CIP commands </li> <li> Validate physical override capabilities for critical processes in case of controller bricking </li> </ul> <h3> Healthcare </h3> Primary threat: Iranian APT infrastructure (ASN 213790) tagged with healthcare targeting; ransomware handoff from Pioneer Kitten to criminal operators. Actions: <ul> <li> Block all ASN 213790 traffic at perimeter — confirmed healthcare targeting tag on 192.253.248[.]169 </li> <li> Audit medical device network segmentation — ensure IoMT devices cannot reach internet directly </li> <li> Review backup integrity for EHR systems — Pioneer Kitten's ransomware handoff pattern means encryption risk is elevated </li> <li> Ensure incident response plans account for simultaneous IT and clinical system compromise </li> </ul> <h3> Government </h3> Primary threat: APT42 phishing campaigns targeting defense and government personnel; Cisco SD-WAN kill chain (CVE-2026-20262) enabling network takeover; MuddyWater espionage. Actions: <ul> <li> Deploy POWERSTATS hash detections across all government endpoints immediately </li> <li> Audit Cisco Catalyst SD-WAN Manager instances — the 4-CVE kill chain provides unauthenticated root access </li> <li> Brief personnel on APT42 spearphishing TTPs — credential harvesting via fake login portals </li> <li> Review Ivanti EPMM/Sentry patches applied for CVE-2026-10520 (KEV since June 11) </li> <li> Validate that classified network air gaps have no bridging through compromised edge devices </li> </ul> <h3> Aviation & Logistics </h3> Primary threat: Supply chain compromise via npm poisoning (141 @mastra/* packages from prior cycle); Pioneer Kitten targeting of transportation sector infrastructure. Actions: <ul> <li> Audit CI/CD pipelines for any dependency on @mastra/* npm packages — remove and rotate all secrets if found </li> <li> Review all GitHub Actions workflows — pin to commit SHAs, not version tags </li> <li> Assess AIS and maritime OT systems for exposure to Iranian infrastructure </li> <li> Monitor logistics management platforms for anomalous API calls or credential harvesting </li> <li> Ensure air-gapped flight safety systems have no dependency on internet-connected supply chain components </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🔴 </td> <td> SOC </td> <td> Block 5 Iranian C2 IPs (ASN 213790 + ASN 60631) at all perimeter firewalls and proxy infrastructure </td> </tr> <tr> <td> 🔴 </td> <td> SOC </td> <td> Deploy EDR detection rules for 9 SHA-256 hashes (3× POWERSTATS, 6× Pioneer Kitten/Handala) </td> </tr> <tr> <td> 🔴 </td> <td> IT Ops / OT </td> <td> Audit all Rockwell Logix 5370/5570 controllers — verify CIP port (44818) is not reachable from any non-engineering network segment </td> </tr> <tr> <td> 🔴 </td> <td> SOC </td> <td> Initiate threat hunt for web shells (ASPXSPY, ANTAK, TUNNA, CHOPPER, REGEORG) on all Fortinet, Ivanti, Cisco, and Palo Alto edge appliances </td> </tr> <tr> <td> 🔴 </td> <td> Executive </td> <td> Brief CISO and IR team on Pioneer Kitten–Handala convergence — pre-positioned access may already exist in your environment </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🟠 </td> <td> IT Ops / OT </td> <td> Patch Rockwell FLEX I/O EtherNet/IP Adapters per ICSA-26-167-05 — unauthorized access and account takeover vulnerability </td> </tr> <tr> <td> 🟠 </td> <td> IT Ops </td> <td> Patch or mitigate Cisco Catalyst SD-WAN Manager against CVE-2026-20262 kill chain </td> </tr> <tr> <td> 🟠 </td> <td> IT Ops </td> <td> Verify Ivanti EPMM/Sentry patches applied for CVE-2026-10520 (KEV since June 11) </td> </tr> <tr> <td> 🟠 </td> <td> SOC </td> <td> Establish continuous monitoring for CIP protocol anomalies in OT networks — baseline normal engineering workstation behavior </td> </tr> <tr> <td> 🟠 </td> <td> CISO </td> <td> Activate backup threat intelligence collection sources — primary OSINT feeds have been non-functional for 2 consecutive cycles, degrading situational awareness </td> </tr> <tr> <td> 🟠 </td> <td> IR </td> <td> Update incident response playbooks to account for Pioneer Kitten → Handala handoff scenario (edge compromise → wiper deployment, potentially <48 hours) </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🟡 </td> <td> CISO </td> <td> Commission red team assessment modeling the Pioneer Kitten → Handala attack chain: VPN exploitation → web shell → lateral movement → wiper deployment </td> </tr> <tr> <td> 🟡 </td> <td> IT Ops / OT </td> <td> Implement controller integrity monitoring for all Rockwell PLCs — detect firmware modification or unexpected configuration changes </td> </tr> <tr> <td> 🟡 </td> <td> Architecture </td> <td> Review and harden all edge device management planes — implement out-of-band management networks for Fortinet, Ivanti, Cisco, and Palo Alto appliances </td> </tr> <tr> <td> 🟡 </td> <td> CISO </td> <td> Evaluate ASN-level blocking policy for Iranian hosting providers (ASN 213790, ASN 60631) as a standing defensive measure </td> </tr> <tr> <td> 🟡 </td> <td> Executive </td> <td> Conduct tabletop exercise simulating simultaneous IT wiper + OT controller bricking scenario — test cross-functional response between IT security, OT operations, and business continuity teams </td> </tr> </tbody> </table> <h2> The Bottom Line </h2> We are watching Iranian cyber forces collapse the organizational boundaries between espionage, access brokering, and destruction. The Pioneer Kitten–Handala tooling convergence is not a theoretical concern — it is confirmed in collected intelligence as of yesterday. When an access broker shares malware with a destructive operator, it means the preparation phase is over and the execution phase is being enabled. Simultaneously, the disclosure of a nonrecoverable fault vulnerability in Rockwell Logix controllers — on the same day Cyber Av3ngers updated their operational profile — creates a 7–21 day window where weaponization is most likely. Organizations running these controllers in energy, water, or manufacturing environments should treat CIP network segmentation as an emergency action, not a scheduled maintenance item. The 86-day silence from Handala's IO/destructive operations is not reassuring — it is alarming. Extended quiet periods from Iranian destructive actors have historically preceded their largest operations. Act now. Verify your segmentation. Hunt for web shells. Block the infrastructure. The preparation window is closing. Anomali CTI Desk | 2026-06-18 | TLP:GREEN This assessment is based on intelligence collected through 2026-06-18. IOCs and threat actor profiles are available through Anomali ThreatStream Next-Gen for automated ingestion.

FEATURED RESOURCES

June 18, 2026

Anomali Cyber Watch