Iranian Cyber Forces in “Coiled Spring” Posture: What CISOs Must Do Before the Window Closes

Anomali Threat Research

Published on

May 7, 2026

Table of Contents

Threat Assessment Level: ELEVATED (Maintained from prior cycle. Downgraded from HIGH on 5 May 2026 as diplomatic negotiations suppress overt operations — but covert pre-positioning is accelerating. Conditions for rapid re-escalation to HIGH exist if negotiations collapse.) <h2> Introduction </h2> We are now 68 days into the Iran conflict (since 28 February 2026), and the cyber dimension has entered its most dangerous phase — not because attacks are happening, but because they aren’t. Iranian state cyber forces are updating tooling, refreshing infrastructure, and maintaining active command-and-control nodes while producing zero overt operations. This “coiled spring” posture mirrors the pattern observed before the 2023 Unitronics PLC attacks and the devastating March 2026 Stryker wiper incident that destroyed 200,000+ endpoints. Simultaneously, 11 ICS/OT advisories have dropped in 48 hours affecting vendors commonly deployed in defense, energy, and critical infrastructure environments — creating fresh attack surface that Iran-aligned hacktivists historically exploit within 7–14 days. The message for CISOs is clear: the quiet is the warning. <h2> What Changed (Last 72 Hours) </h2> <table> <thead> <tr> <th> Development </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> APT34 (OilRig/Helix Kitten) profile updated 2026-05-07 — first activity signal after being flagged “silent” </td> <td> Backend intelligence ingestion suggests new IOCs or targeting data added; possible campaign preparation </td> </tr> <tr> <td> Cobalt Strike beacon active on Iranian cloud (188.121.123[.]185, Arvan Cloud) — confirmed active since Dec 2025 </td> <td> MOIS-linked infrastructure still operational; Arvan Cloud previously hosted MuddyWater C2 </td> </tr> <tr> <td> 5 new CISA ICS advisories (ABB B&R ×3, Hitachi Energy PCM600, Johnson Controls CEM AC2000) </td> <td> Directly affect defense/energy OT stacks; privilege escalation and PLC runtime vulnerabilities </td> </tr> <tr> <td> Russia confirmed sharing satellite imagery with Iran for military targeting </td> <td> Qualitative escalation in bilateral cooperation; cyber implications include shared C2 and false-flag potential </td> </tr> <tr> <td> FBI warns of Iranian assassination plot using cyber-enabled targeting pipeline </td> <td> Confirms Iran’s cyber-to-physical kill chain remains active during negotiations </td> </tr> <tr> <td> MuddyWater silent for 2nd consecutive day despite active C2 infrastructure </td> <td> Pre-positioning or retooling; last confirmed operations targeted US banks, airports, and software companies </td> </tr> <tr> <td> 3 new SOCKS4 proxies stood up on single /24 subnet (ASN 213790) — simultaneous refresh </td> <td> Operational relay infrastructure buildup consistent with pre-operation OPSEC staging </td> </tr> <tr> <td> APT33 / Refined Kitten produces 5 new malware samples including WILDMORPH.LINUX Linux backdoor (4–6 May) </td> <td> Signals capability expansion into cloud and OT Linux environments; new tooling entering operational testing phase </td> </tr> <tr> <td> Pioneer Kitten (UNC757) DIB access — 55+ days without detection signal </td> <td> Dormant VPN access tradecraft means absence of signal is not absence of compromise; DIB blind spot remains unresolved </td> </tr> </tbody> </table> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Actor/Attribution </th> </tr> </thead> <tbody> <tr> <td> 2026-02-28 </td> <td> Iran conflict begins </td> <td> — </td> </tr> <tr> <td> 2026-03-11 </td> <td> Stryker medical device manufacturer wiped (200K+ endpoints) </td> <td> Handala / Void Manticore / BANISHED KITTEN (IRGC) </td> </tr> <tr> <td> 2026-03-27 </td> <td> FBI Director’s personal email compromised </td> <td> Handala / BANISHED KITTEN (IRGC) </td> </tr> <tr> <td> 2026-04-07 </td> <td> Ukrainian intelligence reveals Russia sharing satellite targeting data with Iran </td> <td> Russian GRU / IRGC </td> </tr> <tr> <td> 2026-04-28 </td> <td> UNC757/Pioneer Kitten last profile update (DIB targeting) </td> <td> Pioneer Kitten (IRGC) </td> </tr> <tr> <td> 2026-05-01 </td> <td> BANISHED KITTEN profile updated — last known activity signal </td> <td> BANISHED KITTEN (IRGC) </td> </tr> <tr> <td> 2026-05-04–06 </td> <td> APT33/Refined Kitten produces 5 new malware samples including Linux backdoor </td> <td> APT33 / Refined Kitten (IRGC) </td> </tr> <tr> <td> 2026-05-05 </td> <td> 5 CISA ICS advisories published (ABB, Hitachi, Johnson Controls) </td> <td> — </td> </tr> <tr> <td> 2026-05-05 </td> <td> Project Freedom diplomatic pause announced </td> <td> — </td> </tr> <tr> <td> 2026-05-05–06 </td> <td> MuddyWater/UNC3313 profiles updated; no operational activity </td> <td> MuddyWater / Seedworm (MOIS) </td> </tr> <tr> <td> 2026-05-07 </td> <td> APT34 profile updated; SOCKS4 proxy cluster refreshed; Cobalt Strike beacon confirmed active </td> <td> APT34 (MOIS), infrastructure actors </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> 1. Iranian APT Pre-Positioning (APT34, MuddyWater, APT33) </h3> Three of Iran’s most capable cyber units are showing simultaneous “infrastructure warm, operations cold” patterns: <ul> <li> APT34 (OilRig / Helix Kitten / MOIS-affiliated): Profile updated 2026-05-07 after being flagged silent. Known for spearphishing (T1566.001), PowerShell execution (T1059.001), and exploitation of public-facing applications (T1190). Active RemcosRAT C2 at 62.60.226[.]42 (port 43155, confidence 97) and 217.60.241[.]19 (port 5903). </li> <li> MuddyWater / Seedworm (MOIS-affiliated): Confirmed active C2 using Mythic framework against US financial institutions, airports, and software companies. Two consecutive days of profile updates without operational activity suggests retooling or target selection phase. Cobalt Strike infrastructure on Arvan Cloud (188.121.123[.]185) aligns with known MuddyWater tradecraft. </li> <li> APT33 / Refined Kitten (IRGC-affiliated): Produced 5 new malware samples 4–6 May including WILDMORPH.LINUX — a novel Linux-native backdoor signaling expansion into cloud and OT Linux environments. </li> </ul> <h3> 2. ICS/OT Attack Surface Expansion </h3> Eleven ICS advisories in 48 hours affect vendors deployed across defense, energy, and critical infrastructure: <ul> <li> ABB B&R Automation Runtime — PLC runtime vulnerability affecting base HVAC/power systems </li> <li> ABB B&R Automation Studio — Engineering workstation compromise vector </li> <li> Hitachi Energy PCM600 — Substation protection relay configuration tool </li> <li> Johnson Controls CEM AC2000 — Physical access control; privilege escalation from standard user to admin (T1068) </li> </ul> Why this matters now: Cyber Av3ngers (IRGC-affiliated hacktivist group) historically exploits ICS vulnerabilities within 7–14 days of advisory publication. The exploitation window opened 2026-05-05. Their current silence is not reassuring — it’s consistent with target selection. <h3> 3. Russia-Iran Intelligence Fusion </h3> Ukrainian intelligence and multiple corroborating sources confirm Russian satellites conducted dozens of detailed imagery surveys of military facilities across the Middle East, shared with Iran to improve strike accuracy. Cyber implications: <ul> <li> Russian infrastructure may serve as shared C2 or false-flag platforms for Iranian operations </li> <li> Combined ISR + cyber targeting creates a more lethal kill chain </li> <li> Defense industrial base contractors are at elevated risk from both Russian and Iranian actors simultaneously </li> </ul> <h3> 4. The DIB Blind Spot (55+ Days Without Detection) </h3> The most concerning finding is what we cannot see. Iranian pre-positioning in defense industrial base networks (attributed to UNC757/Pioneer Kitten and a fake-resume GitHub lure campaign targeting aerospace) has produced zero detection signals for over 55 days. This doesn’t mean it stopped — Pioneer Kitten’s tradecraft specifically involves dormant VPN access that activates only during kinetic escalation. Current organic detection capabilities are insufficient to confirm or deny active compromise. <h2> Predictive Analysis </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Trigger </th> </tr> </thead> <tbody> <tr> <td> Cyber Av3ngers exploit new ICS advisories (ABB/Hitachi/Johnson Controls) </td> <td> 35% </td> <td> 7–14 days </td> <td> Advisory publication + operational silence pattern </td> </tr> <tr> <td> MuddyWater launches new campaign against US financial/aviation sector </td> <td> 30% </td> <td> 7–21 days </td> <td> 2+ days retooling + active C2 infrastructure </td> </tr> <tr> <td> Negotiations collapse → coordinated cyber surge (wipers + DDoS + espionage) </td> <td> 25% </td> <td> 24–48 hours post-collapse </td> <td> Diplomatic failure </td> </tr> <tr> <td> BANISHED KITTEN/Handala deploys wiper against new target </td> <td> 35% </td> <td> 7 days </td> <td> 6-day silence during active conflict is anomalous </td> </tr> <tr> <td> DIB dormant access activation (Pioneer Kitten) </td> <td> 20% </td> <td> Immediate upon kinetic escalation </td> <td> Kinetic strike on Iranian territory </td> </tr> <tr> <td> APT33 deploys WILDMORPH.LINUX against cloud/OT Linux targets </td> <td> 25% </td> <td> 14–30 days </td> <td> New capability needs operational testing </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Immediate Detection Priorities </h3> <table> <thead> <tr> <th> ATT&CK Technique </th> <th> What to Monitor </th> <th> Detection Logic </th> </tr> </thead> <tbody> <tr> <td> T1071.001 (Web Protocols) </td> <td> HTTPS beaconing to 188.121.123[.]185:443 (Cobalt Strike) </td> <td> Alert on any connection to this IP; check JA3/JA4 fingerprints against known Cobalt Strike profiles </td> </tr> <tr> <td> T1219 (Remote Access Software) </td> <td> RemcosRAT beaconing on ports 43155, 5903 </td> <td> Monitor for connections to 62.60.226[.]42:43155 and 217.60.241[.]19:5903; Remcos uses predictable beacon intervals </td> </tr> <tr> <td> T1090 (Proxy) </td> <td> SOCKS4 connections to 206.123.156[.]0/24 </td> <td> Alert on outbound to ports 10255, 17250, 10884 on this subnet; any connection is suspicious </td> </tr> <tr> <td> T1059.001 (PowerShell) </td> <td> Encoded PowerShell execution post-phishing </td> <td> Detect base64-encoded commands, download cradles, AMSI bypass attempts — APT34 primary post-exploitation </td> </tr> <tr> <td> T1566.001 (Spearphishing) </td> <td> Weaponized attachments from spoofed domains </td> <td> Enhanced email filtering for .doc/.xls with macros from Middle Eastern sender infrastructure </td> </tr> <tr> <td> T1068 (Privilege Escalation) </td> <td> Johnson Controls CEM AC2000 exploitation </td> <td> Monitor for unexpected admin account creation or privilege changes on physical access control systems </td> </tr> </tbody> </table> <h3> Hunting Hypotheses </h3> <ol> <li> Hunt for Mythic Framework C2: MuddyWater’s confirmed use of Mythic against US targets means SOC teams should hunt for Mythic agent characteristics — HTTP/S callbacks with specific URI patterns, named pipes for lateral movement, and SOCKS proxy pivoting. </li> <li> Hunt for RemcosRAT persistence: Search for registry run keys, scheduled tasks, and startup folder entries associated with Remcos. Check for processes communicating on non-standard ports (43155, 5903) to Iranian ASNs. </li> <li> Hunt for dormant VPN access (PIR-007): Review all VPN accounts for: (a) accounts unused >30 days that were created during the conflict period, (b) Rclone or Wasabi S3 exfiltration patterns, (c) GitHub-sourced executables in developer environments. </li> <li> Hunt for Cobalt Strike on Arvan Cloud: Beyond the known IP, search for any connections to ASN 202468 (Noyan Abr Arvan). Correlate with Cobalt Strike malleable C2 profile indicators. </li> </ol> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> MuddyWater has confirmed active C2 targeting US banks using the Mythic framework. Priority actions: - Audit all SWIFT/payment system access for anomalous service accounts - Deploy behavioral analytics on wire transfer workflows for T1565.001 (Data Manipulation: Stored Data) - Review email gateway logs for spearphishing attempts from Iranian infrastructure (ASNs 44244, 202468, 213790) - Ensure DDoS mitigation is pre-staged — hacktivist groups historically combine DDoS with intrusion attempts as distraction <h3> Energy </h3> Hitachi Energy PCM600 and ABB B&R vulnerabilities directly affect substation protection and industrial control. Priority actions: - Immediately patch PCM600 (ICSA-26-125-01) — this tool configures protection relays; compromise enables T0826 (Loss of Availability) - Segment engineering workstations running ABB B&R Automation Studio from OT networks - Monitor for Cyber Av3ngers reconnaissance of internet-exposed HMIs (Shodan/Censys scanning from Iranian ASNs) - Review Unitronics PLC configurations if deployed — Cyber Av3ngers’ 2023 playbook targeted these specifically <h3> Healthcare </h3> The March 2026 Stryker wiper (200K+ endpoints) demonstrated BANISHED KITTEN’s willingness to target healthcare supply chains. Priority actions: - Verify medical device network segmentation — especially devices with Stryker components - Pre-position incident response retainers with wiper-specific playbooks - Monitor for Handala/BANISHED KITTEN Telegram channels announcing new targets - Ensure offline backups of patient care systems are tested and current <h3> Government / Defense </h3> Russia-Iran satellite imagery sharing and the FBI Director email compromise demonstrate strategic intelligence targeting. Priority actions: - Enforce hardware MFA on all email accounts (eliminate SMS/voice as factors) - Hunt for dormant VPN accounts matching Pioneer Kitten tradecraft - Audit all contractor remote access — DIB supply chain is the primary vector - Brief personnel on Iranian cyber-enabled assassination targeting pipeline (T1589, T1591) - Review physical security posture at facilities identified in satellite imagery reporting <h3> Aviation / Logistics </h3> MuddyWater’s confirmed targeting of US airports combined with APT33’s historical focus on aviation. Priority actions: - Audit operational technology in airport systems (baggage handling, HVAC, access control) - Patch Johnson Controls CEM AC2000 (ICSA-26-125-05) if deployed in airport physical access control - Monitor for credential stuffing against airline reservation systems from Iranian proxy infrastructure - Review supply chain dependencies on cloud services hosted on Arvan Cloud (ASN 202468) <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC </td> <td> Block C2 IPs at perimeter: 62.60.226[.]42, 188.121.123[.]185, 217.60.241[.]19. Verify zero historical connections in SIEM — any hit indicates active compromise. </td> </tr> <tr> <td> 2 </td> <td> IT Ops / OT </td> <td> Emergency patch Hitachi Energy PCM600 (ICSA-26-125-01) and Johnson Controls CEM AC2000 (ICSA-26-125-05) — both enable privilege escalation in physical infrastructure. </td> </tr> <tr> <td> 3 </td> <td> SOC </td> <td> Deploy detection rules for RemcosRAT beaconing on ports 43155 and 5903 to any Iranian ASN. </td> </tr> <tr> <td> 4 </td> <td> SOC </td> <td> Verify surge staffing plan is ready — if negotiations collapse, expect 24–48 hour activation window for coordinated Iranian cyber operations. </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 5 </td> <td> SOC </td> <td> Implement alerting for SOCKS4 connections to 206.123.156[.]0/24 (ports 10255, 17250, 10884) — operational relay infrastructure. </td> </tr> <tr> <td> 6 </td> <td> IT Ops / OT </td> <td> Patch ABB B&R Automation Runtime, Studio, and PVI (ICSA-26-125-02/03/04). Prioritize engineering workstations with OT network access. </td> </tr> <tr> <td> 7 </td> <td> SOC </td> <td> Hunt for Mythic framework indicators across all network segments — MuddyWater’s confirmed tool against US targets. </td> </tr> <tr> <td> 8 </td> <td> SOC </td> <td> Hunt for RemcosRAT persistence mechanisms (registry keys, scheduled tasks) — 3 confirmed Iranian C2 nodes using this RAT. </td> </tr> <tr> <td> 9 </td> <td> IR Team </td> <td> Update wiper response playbook with BANISHED KITTEN TTPs from March 2026 Stryker incident. Pre-position forensic images. </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 10 </td> <td> CISO </td> <td> Authorize proactive threat hunt for dormant DIB access (est. 40 analyst-hours). Focus: inactive VPN accounts, Rclone/Wasabi exfiltration, GitHub-sourced malware in dev environments. 55+ days without visibility is an unacceptable risk. </td> </tr> <tr> <td> 11 </td> <td> CISO </td> <td> Establish bilateral telemetry sharing with DIB contractor partners — organic collection alone cannot detect Pioneer Kitten dormant access. </td> </tr> <tr> <td> 12 </td> <td> CISO </td> <td> Commission red team exercise simulating Iranian “coiled spring” activation: simultaneous wiper + DDoS + espionage across multiple business units. </td> </tr> <tr> <td> 13 </td> <td> Intelligence </td> <td> Deploy Telegram OSINT monitoring for BANISHED KITTEN/Handala/Cyber Toufan channels to close hacktivist visibility gap. </td> </tr> <tr> <td> 14 </td> <td> Executive </td> <td> Brief board on Iran conflict cyber risk posture. Key message: negotiations may suppress overt attacks but pre-positioning continues; if talks fail, activation window is 24–48 hours. </td> </tr> </tbody> </table> <h2> Bottom Line </h2> The Iranian cyber apparatus is not dormant — it is coiled . Every signal we’re collecting points to infrastructure maintenance, capability development, and target selection occurring behind the diplomatic curtain. The 5 new ICS advisories have started a 7–14 day countdown before Cyber Av3ngers historically begins exploitation. The 55-day blind spot on defense industrial base pre-positioning is the kind of gap that becomes a headline after a crisis. CISOs have a narrow window to act: patch the ICS vulnerabilities before they’re weaponized, block the confirmed C2 infrastructure before it’s used for lateral movement, and — critically — authorize the proactive hunt that closes the DIB visibility gap before dormant access activates. The quiet is not peace. It’s preparation. Act accordingly.

FEATURED RESOURCES

May 7, 2026

Anomali Cyber Watch