Iranian Cyber Operations Intensify as Conflict Enters Day 110: SD-WAN Kill Chains, ICS Vulnerabilities, and Supply Chain Compromise Converge

Anomali Threat Research

Published on

June 17, 2026

Table of Contents

Threat Assessment Level: HIGH The Iran-Israel conflict, now in its 110th day since hostilities began on February 28, 2026, has entered a dangerous new phase in cyberspace. While ceasefire negotiations continue through diplomatic channels, Iranian state-sponsored cyber units are accelerating infrastructure pre-positioning, expanding exploit chains against network backbone technologies, and leveraging supply chain attacks that threaten defense industrial base (DIB) environments. Three developments from the past 72 hours demand immediate executive attention: a complete unauthenticated-to-root exploit chain now confirmed active against government SD-WAN infrastructure, five simultaneous ICS advisories expanding the operational technology attack surface, and a supply chain compromise affecting 141 npm packages with nearly one million weekly downloads. The absence of destructive operations — no wipers, no DDoS — is not reassurance. It is the signature of a pre-positioning phase. This is the calm before the payload deploys. <h2> What Changed </h2> <table> <thead> <tr> <th> Development </th> <th> Date </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> CVE-2026-20262 added to CISA KEV — completes 4-CVE Cisco SD-WAN kill chain </td> <td> 2026-06-15 </td> <td> Unauthenticated attackers can now achieve root access on SD-WAN Manager via chained exploitation; active campaign confirmed targeting government </td> </tr> <tr> <td> 5 Rockwell Automation ICS advisories published simultaneously </td> <td> 2026-06-16 </td> <td> Logix 5370/5570, CompactLogix, FLEX I/O, RSLinx, and FactoryTalk all affected — creates fresh OT attack surface for Iranian ICS-focused groups </td> </tr> <tr> <td> 141 Mastra npm packages compromised — 918K weekly downloads </td> <td> 2026-06-17 </td> <td> Multi-stage cross-platform infostealer targeting developer credentials, crypto wallets, and CI/CD secrets </td> </tr> <tr> <td> Pioneer Kitten (UNC757) threat profile updated with fresh malware samples </td> <td> 2026-06-17 </td> <td> 7 new malware hashes cross-tagged with 5 Iranian actor groups — indicates shared tooling pipeline and possible operational convergence </td> </tr> <tr> <td> MuddyWater (MOIS) silent for 26 consecutive days </td> <td> Ongoing </td> <td> Anomalous quiet period for a weekly-tempo actor historically precedes retooling and new campaign launch </td> </tr> <tr> <td> Iranian C2 cluster on ASN 213790 persists; new node identified on ASN 60631 </td> <td> Ongoing </td> <td> Persistent C2 infrastructure supporting multi-actor Iranian operations; new node expands monitoring requirements </td> </tr> </tbody> </table> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Impact </th> </tr> </thead> <tbody> <tr> <td> 2026-02-28 </td> <td> Iran-Israel conflict begins </td> <td> Cyber operations authorized as parallel track </td> </tr> <tr> <td> 2026-03-11 </td> <td> Handala/Void Manticore deploys Stryker wiper </td> <td> 200,000 endpoints destroyed </td> </tr> <tr> <td> 2026-05-14 </td> <td> CVE-2026-20182 (Cisco SD-WAN, CVSS 10.0) disclosed </td> <td> Exploitation confirmed within 4 weeks </td> </tr> <tr> <td> 2026-05-22 </td> <td> MuddyWater (MOIS) SYNCRO campaign targets ME financial services </td> <td> Last confirmed MuddyWater activity </td> </tr> <tr> <td> 2026-06-11 </td> <td> CVE-2026-10520 (Ivanti Sentry, CVSS 10.0) confirmed exploited in the wild </td> <td> Pioneer Kitten expected to weaponize </td> </tr> <tr> <td> 2026-06-15 </td> <td> CVE-2026-20262 added to CISA KEV </td> <td> Completes 4-CVE SD-WAN root chain </td> </tr> <tr> <td> 2026-06-16 </td> <td> 5 Rockwell ICS advisories published; AI-generated exploit code confirmed (FortiSandbox CVE-2026-25089) </td> <td> OT attack surface expands; exploit timelines compress </td> </tr> <tr> <td> 2026-06-17 </td> <td> Pioneer Kitten profile updated; Mastra npm supply chain attack disclosed </td> <td> Shared Iranian tooling pipeline confirmed; developer environments compromised </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> 1. Cisco SD-WAN Manager: A Complete Kill Chain Now Active </h3> Four CVEs now form an unbroken chain from unauthenticated access to root compromise of Cisco Catalyst SD-WAN Manager — the backbone of government and military wide-area networks: <table> <thead> <tr> <th> CVE </th> <th> CVSS </th> <th> Role in Chain </th> <th> KEV Status </th> </tr> </thead> <tbody> <tr> <td> CVE-2026-20127 </td> <td> 10.0 </td> <td> Authentication bypass </td> <td> ✓ Active exploitation </td> </tr> <tr> <td> CVE-2026-20182 </td> <td> 10.0 </td> <td> Authentication bypass (alternate path) </td> <td> ✓ Active exploitation </td> </tr> <tr> <td> CVE-2026-20245 </td> <td> 7.8 </td> <td> Privilege escalation </td> <td> ✓ Active exploitation </td> </tr> <tr> <td> CVE-2026-20262 </td> <td> 6.5 </td> <td> Authenticated file upload → path traversal → root </td> <td> ✓ Added Jun 15 </td> </tr> </tbody> </table> A confirmed campaign (targeting government sector) is actively exploiting this chain. The targeting profile — government SD-WAN infrastructure — overlaps precisely with Pioneer Kitten's known victimology. An SD-WAN fabric compromise gives attackers the ability to manipulate routing, intercept traffic, and pivot into connected sites — effectively owning the network at the transport layer. <h3> 2. Rockwell Automation ICS: Five Doors Opened Simultaneously </h3> Five CISA ICS advisories published on June 16 affect Rockwell Automation products deployed across energy, water, and manufacturing environments: <ul> <li> Logix 5370/5570 & CompactLogix — Denial of service via CIP protocol abuse (CVE-2026-9307); CIP Connection IDs exposed on diagnostic webpages </li> <li> FLEX I/O EtherNet/IP Adapters — Unauthorized access and account takeover </li> <li> FactoryTalk Analytics PavilionX — Authentication bypass via token brute-force (CVE-2025-13036) enabling lateral movement from historian to control plane </li> </ul> Iranian ICS-focused groups (Cyber Av3ngers, CyberAv3ngers/IOCONTROL) have not yet exploited these vulnerabilities — but the CIP protocol DoS attack is low-complexity, and the advisory provides sufficient technical detail for rapid weaponization. Historical patterns show a 2-4 week window from Rockwell advisory publication to proof-of-concept exploitation. <h3> 3. Pioneer Kitten and the Iranian Shared Tooling Pipeline </h3> Pioneer Kitten (also tracked as UNC757, Fox Kitten, Parisite) received a threat profile update on June 17. Seven new malware samples are simultaneously attributed to five Iranian actor groups : Pioneer Kitten, Refined Kitten (APT33), Helix Kitten (APT34/OilRig), Banished Kitten, and Handala. This cross-attribution is significant. It indicates the Iranian cyber apparatus is operating increasingly as a unified capability rather than independent units — sharing malware development pipelines, infrastructure, and operational tooling. For defenders, this means: <ul> <li> Attribution to a single actor is less meaningful than tracking the shared infrastructure layer </li> <li> A detection for one group's tooling may catch activity from all five </li> <li> Coordinated multi-unit operations become more likely as tooling converges </li> </ul> <h3> 4. Mastra npm Supply Chain: 918K Weekly Downloads Weaponized </h3> A sophisticated supply chain attack compromised 141 packages in the @mastra/* npm namespace, deploying a multi-stage infostealer with cross-platform persistence: <ul> <li> Windows: Registry key NvmProtocal for persistence </li> <li> macOS: LaunchAgent com.nvm.protocal </li> <li> Linux: Systemd service nvmconf.service </li> </ul> The payload targets crypto wallets, browser credentials, and — critically — CI/CD secrets . For organizations in the defense industrial base, developer environments running compromised packages could expose build pipeline credentials, code signing keys, and access tokens to classified repositories. <h3> 5. Iranian C2 Infrastructure: ASN 213790 Cluster Persists </h3> A cluster of command-and-control infrastructure on ASN 213790 ("Limited Network", Tehran) continues operating with high-confidence IOCs. A new node — 171.22.27[.]16 on ASN 60631 ("Vandad Vira Hooman", Tehran) — was identified this cycle. This infrastructure supports application-layer C2 (T1071) over non-standard ports (T1571) and has been active since at least May 2026. <h2> Predictive Analysis </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> MuddyWater (MOIS) resurfaces with new campaign and fresh infrastructure </td> <td> 70% </td> <td> 7-14 days </td> <td> 26-day quiet period for weekly-tempo actor historically precedes retooling </td> </tr> <tr> <td> SD-WAN exploitation campaign attributed to Iranian nexus actor </td> <td> 60% </td> <td> 14 days </td> <td> Government targeting + infrastructure overlap with Pioneer Kitten victimology </td> </tr> <tr> <td> Rockwell ICS vulnerabilities see PoC exploitation </td> <td> 40% </td> <td> 30 days </td> <td> Low-complexity CIP DoS; advisory provides weaponization detail </td> </tr> <tr> <td> Coordinated multi-unit Iranian operation leveraging shared tooling </td> <td> 35% </td> <td> 30-60 days </td> <td> Cross-tagging of 5 actor groups on shared malware samples suggests operational convergence </td> </tr> <tr> <td> Destructive payload deployment (wiper) following pre-positioning phase </td> <td> 25% </td> <td> Contingent on geopolitical trigger </td> <td> Absence of wipers since March 11 Stryker event; pre-positioning indicators active </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Detection Priorities </h3> <table> <thead> <tr> <th> ATT&CK Technique </th> <th> Detection Focus </th> <th> Hunting Hypothesis </th> </tr> </thead> <tbody> <tr> <td> T1190 — Exploit Public-Facing Application </td> <td> Cisco SD-WAN Manager, Ivanti Sentry, FortiSandbox </td> <td> Hunt for anomalous authentication events followed by file uploads on SD-WAN management interfaces </td> </tr> <tr> <td> T1505.003 — Web Shell </td> <td> ASPXSPY, ANTAK, TUNNA, CHOPPER, REGEORG </td> <td> Hunt for new .aspx/.php files in web-accessible directories on edge appliances; correlate with Pioneer Kitten hash IOCs </td> </tr> <tr> <td> T1195.002 — Supply Chain Compromise </td> <td> npm postinstall hooks, @mastra/* packages </td> <td> Hunt for protocal.cjs, .pkg_history, .pkg_logs in developer workstations and CI/CD runners </td> </tr> <tr> <td> T1543.001/.002 — Launch Agent / Systemd Service </td> <td> macOS/Linux persistence </td> <td> Hunt for com.nvm.protocal plist or nvmconf.service unit files </td> </tr> <tr> <td> T1071 / T1571 — Application Layer Protocol / Non-Standard Port </td> <td> C2 communications </td> <td> Monitor for outbound connections to ASN 213790 and ASN 60631 IP ranges on non-standard ports </td> </tr> <tr> <td> T1499 — Endpoint Denial of Service </td> <td> CIP protocol abuse against PLCs </td> <td> Monitor Rockwell PLC diagnostic webpage access from non-management VLANs </td> </tr> <tr> <td> T1078 — Valid Accounts </td> <td> Credential reuse from supply chain theft </td> <td> Hunt for authentication from unusual geolocations using credentials associated with developer accounts </td> </tr> </tbody> </table> <h3> Hunting Hypotheses </h3> <ol> <li> SD-WAN Pivot Hunt: If SD-WAN Manager is compromised, the attacker controls routing. Hunt for NETCONF configuration changes, new tunnel establishments, or traffic redirection rules not matching change management records. </li> <li> Developer Workstation Compromise: If Mastra packages were installed, hunt for outbound connections to 23.254.164[.]92 and 23.254.164[.]123, presence of NodePackages directory, and registry/plist/systemd persistence artifacts. </li> <li> Iranian Webshell Deployment: Following edge appliance exploitation, hunt for Farsi-language artifacts in webshell code, connections to ASN 213790/60631 infrastructure, and the 7 Pioneer Kitten SHA-256 hashes in EDR telemetry. </li> <li> OT Lateral Movement: If FactoryTalk Historian is compromised via CVE-2025-13036, hunt for anomalous queries from historian to PLC control plane, especially CIP read/write commands originating from non-engineering workstations. </li> </ol> <h3> IOC Blocking Table </h3> <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Context </th> </tr> </thead> <tbody> <tr> <td> IPv4 </td> <td> 192.253.248[.]169 </td> <td> Iranian APT C2 (ASN 213790, conf 97) </td> </tr> <tr> <td> IPv4 </td> <td> 77.90.185[.]253 </td> <td> Iranian APT C2 (ASN 213790, conf 91) </td> </tr> <tr> <td> IPv4 </td> <td> 185.93.89[.]147 </td> <td> Iranian APT C2 (ASN 213790, conf 91) </td> </tr> <tr> <td> IPv4 </td> <td> 192.253.248[.]180 </td> <td> Iranian APT C2 (ASN 213790, conf 91) </td> </tr> <tr> <td> IPv4 </td> <td> 171.22.27[.]16 </td> <td> Iranian APT C2 (ASN 60631, conf 70 — NEW) </td> </tr> <tr> <td> IPv4 </td> <td> 23.254.164[.]92 </td> <td> Mastra npm supply chain — payload server </td> </tr> <tr> <td> IPv4 </td> <td> 23.254.164[.]123 </td> <td> Mastra npm supply chain — C2 exfiltration </td> </tr> <tr> <td> Domain </td> <td> hwsrv-1327786.hostwindsdns[.]com </td> <td> Mastra npm attacker infrastructure </td> </tr> <tr> <td> Domain </td> <td> hwsrv-1327785.hostwindsdns[.]com </td> <td> Mastra npm attacker infrastructure </td> </tr> <tr> <td> SHA-256 </td> <td> 028d3de0f0709a18c9928526519e761a08f6766d1eca386e908588f995f44e7f </td> <td> Pioneer Kitten/Handala shared malware </td> </tr> <tr> <td> SHA-256 </td> <td> 0a5cf97e699c8bfacee7f89ebfaa851ff03dd004a58ffde9c609fcc2cd27f250 </td> <td> Pioneer Kitten/Handala shared malware </td> </tr> <tr> <td> SHA-256 </td> <td> 7540bed5efd55f75271bb4b5a5afb28f343ebe64a816f74f0edba8527dc5e181 </td> <td> Pioneer Kitten/Handala shared malware </td> </tr> <tr> <td> SHA-256 </td> <td> 2417738503887374dae9891d26ea7033eb7b44656a14b84f15d4e8fa63e4e830 </td> <td> Pioneer Kitten/Handala shared malware </td> </tr> <tr> <td> SHA-256 </td> <td> 2a432edfba8a28854b9e3e34be513e96e1dc3426b1bd0976cda71ecfc5a2427c </td> <td> Pioneer Kitten/Handala shared malware </td> </tr> <tr> <td> SHA-256 </td> <td> ff5f7d414c6e701be02ec546c56fac589902896fe29fa0ef1e3a96d904a65134 </td> <td> Pioneer Kitten/Handala shared malware </td> </tr> <tr> <td> SHA-256 </td> <td> 9f0ac7fa30e86b4015de6f77fe219cced164f317799fdc3faaf35af730a48700 </td> <td> Pioneer Kitten/Handala shared malware </td> </tr> </tbody> </table> Additional IOCs available via Anomali ThreatStream Next-Gen. <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Primary threat: MuddyWater (UNC3313, affiliated with Iran's Ministry of Intelligence and Security — MOIS) historically targets Middle Eastern financial services. The last confirmed campaign (SYNCRO) was May 22. The 26-day silence likely precedes a new campaign with fresh infrastructure. Actions: <ul> <li> Audit all Fortinet and Ivanti edge appliances for CVE-2026-10520 (CVSS 10.0) and FortiSandbox CVE-2026-25089 patches </li> <li> Enable enhanced logging on SWIFT messaging interfaces and core banking API gateways </li> <li> Review VPN authentication logs for credential stuffing patterns from Iranian IP ranges (ASN 213790, ASN 60631) </li> <li> Validate that developer workstations with access to trading platform code are not running compromised @mastra/* packages </li> </ul> <h3> Energy </h3> Primary threat: Rockwell Automation ICS vulnerabilities (CVE-2026-9307, CVE-2025-13036) directly affect SCADA/DCS environments. Iranian groups (Cyber Av3ngers) have demonstrated willingness to target water and energy OT. Actions: <ul> <li> Immediately restrict access to Rockwell PLC diagnostic webpages to management VLAN only — CIP Connection IDs are exposed and enable session hijacking </li> <li> Audit FactoryTalk Historian for CVE-2025-13036 (token brute-force auth bypass); implement rate limiting on authentication endpoints </li> <li> Segment historian systems from PLC control plane — compromised historian enables lateral movement to safety-critical controllers </li> <li> Validate that FLEX I/O EtherNet/IP adapters are not accessible from corporate network segments </li> </ul> <h3> Healthcare </h3> Primary threat: Pioneer Kitten explicitly targets healthcare (confirmed in updated threat profile). Shared tooling with Handala and Refined Kitten means detections must cover the full Iranian actor ecosystem. Actions: <ul> <li> Deploy the 7 Pioneer Kitten SHA-256 hashes to EDR blocklists across clinical and administrative endpoints </li> <li> Hunt for ASPXSPY, ANTAK, TUNNA, CHOPPER, and REGEORG webshells on internet-facing patient portal and EHR systems </li> <li> Audit Cisco SD-WAN deployments connecting hospital campuses — the 4-CVE chain enables traffic interception including ePHI </li> <li> Review npm dependencies in any internally developed clinical applications or integration middleware </li> </ul> <h3> Government </h3> Primary threat: The Cisco SD-WAN exploitation campaign is confirmed targeting government infrastructure . This is not theoretical — it is active. Actions: <ul> <li> Emergency patching of Cisco Catalyst SD-WAN Manager for CVE-2026-20262 (and verify CVE-2026-20127, -20182, -20245 are already remediated) </li> <li> Hunt for NETCONF configuration changes, unauthorized tunnel establishments, and routing policy modifications not matching change control </li> <li> Audit all Ivanti Sentry deployments for CVE-2026-10520 exploitation indicators </li> <li> Review contractor access — Pioneer Kitten uses compromised contractor VPN credentials as initial access vector (T1078) </li> </ul> <h3> Aviation & Logistics </h3> Primary threat: Supply chain compromise via npm ecosystem (Mastra attack) threatens logistics software development environments. SD-WAN compromise enables traffic manipulation affecting flight operations and cargo tracking systems. Actions: <ul> <li> Scan all CI/CD environments for @mastra/* package dependencies and the easy-day-js typosquat package </li> <li> Hunt for protocal.cjs, NvmProtocal registry key, com.nvm.protocal LaunchAgent, and nvmconf.service across developer and build systems </li> <li> Verify SD-WAN integrity for airport and logistics hub interconnections — compromised SD-WAN fabric could enable cargo manifest manipulation or flight system data interception </li> <li> Enforce npm install --ignore-scripts in all automated build pipelines </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> IT Ops </td> <td> Patch Cisco SD-WAN Manager for CVE-2026-20262; verify CVE-2026-20127, -20182, -20245 are remediated. Active exploitation confirmed against government targets. </td> </tr> <tr> <td> 2 </td> <td> SOC </td> <td> Block all 7 IPv4 IOCs at perimeter firewalls (192.253.248[.]169, 77.90.185[.]253, 185.93.89[.]147, 192.253.248[.]180, 171.22.27[.]16, 23.254.164[.]92, 23.254.164[.]123) </td> </tr> <tr> <td> 3 </td> <td> SOC </td> <td> Deploy 7 Pioneer Kitten/Handala SHA-256 hashes to EDR blocklists </td> </tr> <tr> <td> 4 </td> <td> DevOps </td> <td> Audit all environments for @mastra/* packages and easy-day-js; quarantine affected systems; rotate any credentials accessible from compromised build environments </td> </tr> <tr> <td> 5 </td> <td> Executive </td> <td> Approve emergency SD-WAN patching window — this cannot wait for the next maintenance cycle </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> OT Security </td> <td> Restrict Rockwell PLC diagnostic webpage access to management VLAN; audit CIP Connection ID exposure (CVE-2026-9307) </td> </tr> <tr> <td> 2 </td> <td> DevOps </td> <td> Enforce npm install --ignore-scripts in all CI pipelines; pin all @mastra/* packages to verified versions; implement package integrity verification </td> </tr> <tr> <td> 3 </td> <td> SOC </td> <td> Implement detection rules for Mastra persistence artifacts: protocal.cjs, NvmProtocal registry key, com.nvm.protocal plist, nvmconf.service </td> </tr> <tr> <td> 4 </td> <td> IT Ops </td> <td> Verify Ivanti Sentry patched for CVE-2026-10520 (CVSS 10.0, confirmed exploited in the wild since Jun 11) </td> </tr> <tr> <td> 5 </td> <td> SOC </td> <td> Create network detection for outbound traffic to ASN 213790 and ASN 60631 on non-standard ports </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> OT Security </td> <td> Implement network segmentation between FactoryTalk Historian and production PLCs — CVE-2025-13036 auth bypass enables lateral movement to control plane </td> </tr> <tr> <td> 2 </td> <td> CISO </td> <td> Commission red team assessment of SD-WAN fabric resilience — test for NETCONF manipulation, unauthorized tunnel creation, and routing policy injection </td> </tr> <tr> <td> 3 </td> <td> CISO </td> <td> Evaluate intelligence collection diversification — single-source dependency creates blind spots during provider outages </td> </tr> <tr> <td> 4 </td> <td> IR Team </td> <td> Update incident response playbooks for coordinated multi-unit Iranian operations — traditional single-actor playbooks may be insufficient given shared tooling convergence </td> </tr> <tr> <td> 5 </td> <td> Executive </td> <td> Brief board on Iran conflict cyber risk posture — pre-positioning indicators suggest destructive capability is being staged for potential geopolitical trigger </td> </tr> </tbody> </table> <h2> The Bottom Line </h2> We are 110 days into a conflict where Iranian cyber units have already demonstrated destructive capability (200,000 endpoints wiped on March 11) and are now systematically building access across network infrastructure, operational technology, and software supply chains. The convergence of five Iranian actor groups around shared tooling, the completion of a full SD-WAN kill chain actively targeting government, and the simultaneous expansion of OT attack surface through Rockwell vulnerabilities — all occurring while MuddyWater (MOIS) maintains anomalous silence — paints a picture of coordinated preparation. The absence of destruction is not peace. It is pre-positioning. Patch the SD-WAN chain today. Block the IOCs today. Audit your developer environments today. The window between vulnerability disclosure and weaponization is compressing from weeks to days, and Iranian actors have demonstrated they will use every door left open. Published 2026-06-17 | Anomali CTI Desk | TLP:GREEN IOCs and enrichment data available through Anomali ThreatStream Next-Gen.

FEATURED RESOURCES

June 17, 2026

Anomali Cyber Watch