Iranian Cyber Operations Enter Most Dangerous Phase: Physical Destruction Without Malware Under Ceasefire Cover

Anomali Threat Research

Published on

May 26, 2026

Table of Contents

Threat Assessment Level: HIGH Eighty-seven days into the US-Iran conflict, Iranian cyber operators have crossed a threshold that every CISO needs to understand: the deliberate physical destruction of industrial equipment through process manipulation alone — no malware required, no signatures to detect, no IOCs to block. Simultaneously, IRGC-affiliated Nimbus Manticore has expanded targeting to US domestic aviation using AI-assisted tooling and a delivery technique never before seen from Iranian state actors. The nominal ceasefire that has held since April 8 is not reducing risk — it is the precise condition under which Iran's doctrine mandates its most aggressive below-threshold cyber operations. This is not a future scenario. It is happening now. <h2> What Changed </h2> Five developments from the current threat picture fundamentally alter the defensive calculus: <ul> <li> Physical destruction via PLC manipulation — zero malware footprint. An IRGC-directed front attacked a food plant's cold-room controllers, rewrote PLC setpoints, pinned valves open, and destroyed three compressors. The attackers demonstrated expert knowledge of refrigerant physics. A disk wiper was found on the same network, but the physical damage required no malware at all — only valid credentials and process knowledge. </li> </ul> <ul> <li> Nimbus Manticore deploys MiniFast backdoor against US aviation via SEO poisoning. The IRGC-affiliated group (also tracked as UNC1549, Imperial Kitten, Smoke Sandstorm, and TA455) launched three campaign waves between February and April 2026. For the first time, an Iranian APT used SEO poisoning — counterfeit Oracle SQL Developer and Zoom download pages — to deliver malware. The new MiniFast backdoor replaces MiniJunk and shows indicators of AI-assisted development. Targets include US domestic airlines, aerospace firms, and entities in Saudi Arabia, UAE, Australia, and Israel. </li> </ul> <ul> <li> Ceasefire fragility confirmed by concurrent military strikes. US forces struck missile sites and Iranian boats placing mines; Iran returned fire. The ceasefire is technically intact but operationally meaningless as a risk-reduction signal. Iran's potential internet reinstatement — ordered by President Pezeshkian but not yet confirmed — would simultaneously improve Iranian C2 capabilities and unleash months of suppressed hacktivist/IO activity. </li> </ul> <ul> <li> MuddyWater (MOIS) operationally silent for five months — retooling likely. Iran's most prolific MOIS-affiliated operator has produced no new campaign reporting since December 2025. Wartime silence of this duration strongly indicates infrastructure migration and tooling overhaul, likely forced by Iran's domestic internet shutdown disrupting cloud-based C2 channels. </li> </ul> <ul> <li> CISA ICS advisories expand OT attack surface across energy and industrial sectors. Advisories issued May 19–22 cover critical vulnerabilities in Siemens RUGGEDCOM, Hitachi Energy GMS600, ABB B&R Automation Studio, and EV charging infrastructure — all platforms within confirmed Iranian ICS targeting scope. </li> </ul> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Cyber Significance </th> </tr> </thead> <tbody> <tr> <td> 2026-02-28 </td> <td> Operation Epic Fury launched; US-Iran military conflict begins </td> <td> Iranian cyber operations shift to wartime tempo </td> </tr> <tr> <td> 2026-02-28 – 03-15 </td> <td> HYDRO KITTEN exploits CVE-2021-22681 against Rockwell Allen-Bradley PLCs </td> <td> IRGC-CEC expands ICS targeting beyond Unitronics to dominant US PLC platform </td> </tr> <tr> <td> 2026-03-13 </td> <td> Void Manticore/Handala executes Stryker wiper attack </td> <td> 20+ defense-sector systems destroyed; IRGC attribution confirmed Mar 27 </td> </tr> <tr> <td> 2026-02 – 04 </td> <td> Nimbus Manticore MiniFast waves 1–3 </td> <td> US aviation, aerospace, software firms targeted via SEO poisoning and AppDomain hijacking </td> </tr> <tr> <td> 2026-04-08 </td> <td> Ceasefire declared </td> <td> Cyber pre-positioning intensifies under diplomatic cover </td> </tr> <tr> <td> 2026-05-24 </td> <td> UNC1549 deploys POLLREGISTER backdoor via fake T-Mobile recruitment </td> <td> Azure-hosted C2; telecom sector targeting </td> </tr> <tr> <td> 2026-05-25 </td> <td> IRGC front destroys food-plant compressors via PLC manipulation </td> <td> First confirmed physical destruction under ceasefire — no malware </td> </tr> <tr> <td> 2026-05-26 </td> <td> US strikes southern Iran; Iran fires back; talks continue in Qatar </td> <td> "No war, no peace" — peak conditions for IRGC cyber doctrine </td> </tr> <tr> <td> 2026-05-26 </td> <td> Check Point publishes MiniFast/AppDomain hijacking analysis </td> <td> Novel TTPs confirmed: SEO poisoning, AI-assisted development </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> Nimbus Manticore (UNC1549) — Aviation & Aerospace Campaign </h3> Actor: IRGC-affiliated | Also tracked as Imperial Kitten, Smoke Sandstorm, TA455, Screening Serpens What's new: Three significant tradecraft evolutions observed simultaneously: <ul> <li> AppDomain hijacking replacing traditional DLL sideloading — .NET applications load unsigned DLLs via XML configuration files placed alongside legitimate binaries </li> <li> SEO poisoning — counterfeit download pages for Oracle SQL Developer, Zoom, and OnlyOffice rank in search results, delivering trojanized installers </li> <li> AI-assisted malware development — MiniFast backdoor shows excessive error handling, verbose naming conventions, and debug strings consistent with LLM-generated code </li> </ul> Targets: US domestic airlines, software firms, Saudi Arabia, UAE, Australia, Israel Malware: MiniFast (replaces MiniJunk); uses JSON-formatted C2 over HTTPS mimicking Chrome browser traffic; achieves persistence via Zoom scheduled task hijacking Why this matters: SEO poisoning bypasses email security entirely. The victim finds the malware themselves through a search engine. Your email gateway, your phishing training, your URL rewriting — none of it applies. This requires proxy/DNS-layer detection that many organizations lack, particularly for developer tool downloads. <h3> IRGC OT Doctrine — "War Between Wars" Goes Kinetic </h3> Actor: IRGC-directed front (specific group attribution pending) What's new: The food-plant attack represents the operational confirmation of a doctrine that was previously theoretical. Key characteristics: <ul> <li> No malware required for physical destruction — pure process manipulation via valid credentials </li> <li> Deep domain expertise — attackers understood refrigerant physics, compressor thermal limits, and safety interlock bypass procedures </li> <li> Dual-purpose operation — a disk wiper (disguised as a Microsoft update) was deployed on the IT network simultaneously, suggesting both espionage/destruction objectives </li> <li> Ceasefire timing deliberate — aligns with IRGC "war between wars" doctrine of below-threshold operations during diplomatic pauses </li> </ul> Implication: Traditional cybersecurity detection (malware signatures, anomalous network traffic, IOC matching) would not have prevented the physical damage. Only process-integrity monitoring — verifying that PLC setpoints and safety limits remain within authorized ranges — could detect this class of attack. <h3> MuddyWater — The Silence That Speaks </h3> Actor: MOIS-affiliated | Also tracked as UNC5667, UNC3313, TEMP.Zagros, Static Kitten What's new: MuddyWater has been operationally silent for five months (since December 2025). All ThreatStream Next-Gen entries were updated May 21–23, 2026, but no new campaign reporting exists. The actor's last known activity targeted CFOs using NetBird remote access abuse. Why silence is signal: Five months of quiet from one of Iran's most prolific operators — during wartime — strongly indicates retooling. MuddyWater's historical reliance on cloud services (Microsoft Power Automate, Teams) may be disrupted by Iran's domestic internet shutdown, forcing infrastructure migration. When this actor resurfaces, expect new C2 infrastructure and potentially new tooling. <h3> ICS/OT Vulnerability Expansion </h3> Multiple CISA advisories issued May 19–22 expand the ICS attack surface relevant to Iranian targeting: <table> <thead> <tr> <th> Advisory </th> <th> Product </th> <th> Risk </th> </tr> </thead> <tbody> <tr> <td> ICSA-26-139-02 </td> <td> Siemens RUGGEDCOM APE1808 (PAN-OS buffer overflow) </td> <td> CVE-2026-0300 — OT edge device with internet-facing portal </td> </tr> <tr> <td> ICSA-26-141-01 </td> <td> Hitachi Energy GMS600 (CVE-2022-4304 OpenSSL timing) </td> <td> Grid management system — energy sector </td> </tr> <tr> <td> ICSA-26-141-02/03/04 </td> <td> ABB B&R Automation Studio, Runtime, Industrial PCs </td> <td> Automation development and runtime environments </td> </tr> <tr> <td> ICSA-26-141-05 </td> <td> ABB Terra AC Wallbox </td> <td> EV charging infrastructure </td> </tr> </tbody> </table> These vulnerabilities are significant because Iranian actors (particularly HYDRO KITTEN and Cyber Av3ngers) have demonstrated both the intent and capability to exploit ICS platforms. CVE-2026-0300 on Siemens RUGGEDCOM is especially concerning given its deployment in OT network edge positions. <h2> Predictive Analysis </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Nimbus Manticore deploys additional MiniFast variants against aerospace/DIB targets </td> <td> 75% </td> <td> 7 days </td> <td> SEO poisoning infrastructure likely pre-staged; wartime operational tempo maintained </td> </tr> <tr> <td> Iranian internet reinstatement triggers burst IO/hacktivist activity </td> <td> 60% </td> <td> 48–72 hours post-restoration </td> <td> Pre-staged leaks likely prepared during blackout; Telegram channels dormant but not deleted </td> </tr> <tr> <td> HYDRO KITTEN claims new ICS compromises under consolidated "APT Iran" persona </td> <td> 55% </td> <td> 7–14 days </td> <td> Persona consolidation observed; communications suppressed by internet shutdown </td> </tr> <tr> <td> Additional OT/ICS physical destruction attacks against food/agriculture or energy </td> <td> 45% </td> <td> 30 days </td> <td> Doctrine confirmed; ceasefire conditions persist; multiple ICS vulnerabilities disclosed </td> </tr> <tr> <td> MuddyWater resurfaces with new C2 infrastructure on non-Iranian hosting </td> <td> 35% </td> <td> 14–30 days </td> <td> Five-month silence during wartime indicates retooling; cloud service disruption forces migration </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Detection Priorities </h3> <ol> <li> AppDomain Hijacking (T1574.001) </li> </ol> <ul> <li> Hunt hypothesis: Adversary places malicious XML configuration files alongside legitimate .NET applications to load unsigned DLLs via AppDomainManager directives </li> <li> Detection: Monitor for .config file creation/modification in application directories containing <appDomainManagerAssembly> or <appDomainManagerType> directives; alert on .NET processes loading DLLs from non-standard paths (Downloads, Temp, user-writable directories) </li> <li> Data source: Sysmon Event ID 7 (Image Loaded), EDR DLL load telemetry </li> </ul> <ol start="2"> <li> SEO Poisoning Delivery (T1608.004) </li> </ol> <ul> <li> Hunt hypothesis: Adversary registers domains mimicking legitimate software download pages (Oracle SQL Developer, Zoom, OnlyOffice) and uses SEO techniques to rank in search results </li> <li> Detection: Monitor proxy/DNS logs for newly-registered domains (< 30 days) resolving to download pages for development tools; correlate with subsequent .NET binary execution from user Downloads folders; flag ZIP archives downloaded from non-vendor domains containing .exe + .dll + .config file combinations </li> <li> Data source: Web proxy logs, DNS query logs, endpoint file-creation events </li> </ul> <ol start="3"> <li> Trojanized Installer Persistence via Scheduled Tasks (T1053.005) </li> </ol> <ul> <li> Hunt hypothesis: Adversary hijacks legitimate Zoom scheduled tasks to maintain persistence </li> <li> Detection: Monitor for modifications to existing Zoom-related scheduled tasks; alert on scheduled tasks executing binaries from non-standard Zoom installation paths </li> <li> Data source: Windows Event ID 4698/4702, Sysmon Event ID 1 with parent process schtasks.exe </li> </ul> <ol start="4"> <li> PLC Setpoint Manipulation (T0855, T0831) </li> </ol> <ul> <li> Hunt hypothesis: Adversary uses valid engineering credentials to modify PLC setpoints and safety limits without deploying malware </li> <li> Detection: Implement out-of-band PLC configuration monitoring; alert on setpoint changes outside maintenance windows; monitor for bulk safety-limit modifications; detect remote account lockouts on engineering workstations </li> <li> Data source: OT network monitoring (Claroty, Nozomi, Dragos), PLC audit logs, Active Directory authentication events for OT service accounts </li> </ul> <ol start="5"> <li> JSON C2 Over HTTPS Mimicking Chrome (T1071.001) </li> </ol> <ul> <li> Hunt hypothesis: MiniFast backdoor communicates via JSON-formatted HTTPS requests with Chrome User-Agent strings to Azure-hosted infrastructure </li> <li> Detection: Monitor for processes with non-browser binaries making HTTPS connections with Chrome User-Agent strings; flag JSON POST requests to Azure/cloud endpoints from .NET applications that don't normally communicate externally </li> <li> Data source: Network detection (Zeek/Suricata), proxy SSL inspection logs, EDR network telemetry </li> </ul> <h3> IOC Blocking Actions </h3> Block the following at endpoint, email gateway, and proxy layers: <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Context </th> </tr> </thead> <tbody> <tr> <td> MD5 </td> <td> edcdba624ddb43c2a1dcf334aa493068 </td> <td> MiniJunk v2 — Screening Serpens / Nimbus Manticore </td> </tr> <tr> <td> MD5 </td> <td> d0579f2fe897c63b801c8c804b8951d2 </td> <td> MuddyWater-tagged, aerospace targeting </td> </tr> <tr> <td> MD5 </td> <td> 2087f7cbf5c1791c802e286d33433ebc </td> <td> MuddyWater-tagged, retail targeting </td> </tr> </tbody> </table> Additional IOCs available via Anomali ThreatStream (filter: `iran_nexus`, `screening_serpens`, `appdomainmanager_hijacking` tags). <h3> MITRE ATT&CK Coverage Map </h3> <table> <thead> <tr> <th> Technique ID </th> <th> Technique Name </th> <th> Actor </th> <th> Detection Status </th> </tr> </thead> <tbody> <tr> <td> T1574.001 </td> <td> Hijack Execution Flow: DLL Search Order </td> <td> Nimbus Manticore </td> <td> Requires new detection rule </td> </tr> <tr> <td> T1608.004 </td> <td> Stage Capabilities: Drive-By Target </td> <td> Nimbus Manticore </td> <td> Requires proxy/DNS monitoring </td> </tr> <tr> <td> T1053.005 </td> <td> Scheduled Task/Job </td> <td> Nimbus Manticore </td> <td> Existing rules may need tuning </td> </tr> <tr> <td> T1071.001 </td> <td> Application Layer Protocol: Web </td> <td> Nimbus Manticore (MiniFast) </td> <td> Behavioral detection needed </td> </tr> <tr> <td> T1055.012 </td> <td> Process Injection: Process Hollowing </td> <td> Nimbus Manticore </td> <td> EDR coverage likely exists </td> </tr> <tr> <td> T1566.002 </td> <td> Phishing: Spearphishing Link </td> <td> UNC1549 (POLLREGISTER) </td> <td> Existing email security </td> </tr> <tr> <td> T0855 </td> <td> Unauthorized Command Message </td> <td> IRGC OT operations </td> <td> OT monitoring required </td> </tr> <tr> <td> T0831 </td> <td> Manipulation of Control </td> <td> IRGC OT operations </td> <td> OT monitoring required </td> </tr> <tr> <td> T1485 </td> <td> Data Destruction </td> <td> IRGC front (wiper) </td> <td> EDR + backup monitoring </td> </tr> <tr> <td> T1036.005 </td> <td> Masquerading: Match Legitimate Name </td> <td> IRGC front (fake MS update) </td> <td> Existing rules may cover </td> </tr> <tr> <td> T1190 </td> <td> Exploit Public-Facing Application </td> <td> Multiple (CVE-2026-0300) </td> <td> Patch management + WAF </td> </tr> </tbody> </table> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Primary risk: Destructive wiper attacks disguised as ransomware; credential theft via trojanized business applications <ul> <li> Audit all .NET applications in trading and payment processing environments for unauthorized .config file modifications </li> <li> Verify integrity of scheduled tasks on systems running financial software (Bloomberg, Reuters, proprietary platforms) </li> <li> Implement behavioral analytics on SWIFT/payment gateway connections — flag JSON-formatted C2 patterns mimicking legitimate API traffic </li> <li> Pre-position incident response retainers with OT-capable firms if you operate data center cooling/UPS infrastructure </li> </ul> <h3> Energy </h3> Primary risk: PLC/SCADA manipulation targeting physical processes; exploitation of newly-disclosed ICS vulnerabilities <ul> <li> Immediate: Audit all Siemens RUGGEDCOM APE1808 deployments for CVE-2026-0300 exposure; restrict User-ID Authentication Portal to internal-only access </li> <li> Immediate: Verify ABB B&R Automation Studio and Runtime patches are current per ICSA-26-141 series </li> <li> Implement out-of-band setpoint verification for all safety-critical PLCs — do not rely solely on network monitoring </li> <li> Conduct emergency review of remote access accounts on engineering workstations; verify no unauthorized modifications since February 2026 </li> <li> Monitor Hitachi Energy GMS600 grid management systems for exploitation of CVE-2022-4304 (OpenSSL timing side-channel) </li> </ul> <h3> Healthcare </h3> Primary risk: Disruption of building management systems (HVAC, refrigeration for pharmaceuticals/blood storage) using the same PLC manipulation techniques demonstrated against the food plant <ul> <li> Map all cold-storage and refrigeration systems with PLC controllers — these are now confirmed targets of IRGC doctrine </li> <li> Verify that pharmaceutical cold-chain monitoring has out-of-band alerting independent of the control network </li> <li> Audit Ivanti EPMM (mobile device management) deployments — Iranian actors (Pioneer Kitten) are actively exploiting CVE-2026-6973 </li> <li> Ensure backup medical device networks are segmented from IT networks where wiper deployment could propagate </li> </ul> <h3> Government </h3> Primary risk: Espionage via trojanized development tools; pre-positioning for destructive attacks timed to diplomatic milestones <ul> <li> Issue advisory to all personnel: do NOT download development tools (Oracle SQL Developer, IDE plugins, utilities) from search engine results — use only vendor-verified URLs </li> <li> Monitor for AppDomain hijacking indicators across all .NET government applications </li> <li> Prepare for burst Iranian IO activity (leaks, defacements, disinformation) upon Iranian internet reinstatement — brief public affairs teams </li> <li> Review all contractor access to classified networks for indicators of UNC1549/POLLREGISTER compromise (fake recruitment lures from T-Mobile, US airlines) </li> </ul> <h3> Aviation & Logistics </h3> Primary risk: Direct targeting by Nimbus Manticore MiniFast campaign; supply-chain compromise via trojanized software <ul> <li> Immediate: Hunt for indicators of MiniFast/MiniJunk in airline reservation, flight operations, and maintenance systems </li> <li> Block MD5 edcdba624ddb43c2a1dcf334aa493068 across all endpoints and email gateways </li> <li> Audit Zoom installations across the enterprise — verify all binaries are signed by Zoom Video Communications; check for modified scheduled tasks </li> <li> Monitor for OnlyOffice ZIP archive deliveries via email or cloud sharing platforms </li> <li> Brief recruiting/HR teams: UNC1549 uses fake job postings impersonating US domestic airlines as lure documents — verify all candidate-submitted files in sandboxed environments </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC </td> <td> Deploy AppDomain hijacking detection: monitor for .NET applications loading unsigned DLLs from non-standard paths; alert on XML config files containing AppDomainManager directives placed alongside legitimate binaries </td> </tr> <tr> <td> 2 </td> <td> SOC </td> <td> Block IOCs: MD5 edcdba624ddb43c2a1dcf334aa493068, d0579f2fe897c63b801c8c804b8951d2, 2087f7cbf5c1791c802e286d33433ebc at endpoint, email gateway, and proxy </td> </tr> <tr> <td> 3 </td> <td> IT Ops </td> <td> Audit Siemens RUGGEDCOM APE1808 for CVE-2026-0300 exposure; restrict User-ID Authentication Portal to internal networks; apply vendor patch </td> </tr> <tr> <td> 4 </td> <td> OT Security </td> <td> Verify PLC setpoints and safety limits on all refrigeration, HVAC, and cold-storage controllers; confirm remote access accounts are unmodified </td> </tr> <tr> <td> 5 </td> <td> HR/Recruiting </td> <td> Brief recruiting teams on UNC1549 fake job posting TTPs — do not execute candidate-submitted code or open archives without sandbox analysis </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC </td> <td> Implement SEO poisoning detection: monitor DNS/proxy for newly-registered domains mimicking Oracle SQL Developer, Zoom, OnlyOffice; correlate with binary execution from Downloads folders </td> </tr> <tr> <td> 2 </td> <td> OT Security </td> <td> Implement out-of-band PLC setpoint monitoring independent of control network; establish baseline configurations for all safety-critical controllers </td> </tr> <tr> <td> 3 </td> <td> IT Ops </td> <td> Patch ABB B&R Automation Studio, Runtime, and industrial PCs per ICSA-26-141 series; prioritize network-exposed systems </td> </tr> <tr> <td> 4 </td> <td> SOC </td> <td> Tune scheduled task monitoring to detect Zoom task hijacking ( T1053.005 ); baseline legitimate Zoom update behavior </td> </tr> <tr> <td> 5 </td> <td> CTI </td> <td> Pre-stage Telegram OSINT monitoring for Handala, Cyber Toufan, and "APT Iran" channels — prepare for burst IO upon Iranian internet reinstatement </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> CISO </td> <td> Commission tabletop exercise: simulate IRGC "war between wars" OT attack during ceasefire — test detection of PLC setpoint manipulation without malware; validate OT incident response playbook </td> </tr> <tr> <td> 2 </td> <td> CISO </td> <td> Update enterprise threat model to reflect AI-accelerated Iranian malware iteration (2–3x faster variant production); adjust patching and detection update cadences accordingly </td> </tr> <tr> <td> 3 </td> <td> SOC/CTI </td> <td> Develop detection analytics for MuddyWater infrastructure pivot — monitor for new C2 domains on non-Iranian hosting providers; baseline current cloud service (Power Automate, Teams) usage patterns </td> </tr> <tr> <td> 4 </td> <td> IT Ops </td> <td> Conduct enterprise-wide audit of .NET application configurations; establish integrity monitoring for all .config files in production application directories </td> </tr> <tr> <td> 5 </td> <td> Executive/Legal </td> <td> Review cyber insurance coverage for physical damage caused by cyber-physical attacks (PLC manipulation destroying equipment) — the food-plant precedent establishes this as a realized risk </td> </tr> </tbody> </table> <h2> The Bottom Line </h2> The Iranian cyber threat has evolved past the point where traditional cybersecurity — malware detection, IOC blocking, email filtering — provides adequate protection. When an adversary can destroy industrial equipment using only valid credentials and physics knowledge, the security conversation must expand to include process integrity, safety-system verification, and operational technology monitoring. Three realities demand immediate executive attention: First , the ceasefire is not safety. IRGC doctrine explicitly treats diplomatic pauses as windows for pre-positioning and below-threshold operations. The food-plant attack proves this is not theory — it is confirmed operational practice. Second , AI is compressing Iranian malware development cycles. The MiniJunk-to-MiniFast evolution took approximately three months under wartime pressure. Historical Iranian malware families took 6–12 months between major versions. Your detection engineering must keep pace with 2–3x faster adversary iteration. Third , Iran's internet reinstatement — whenever it comes — will trigger a surge. Months of suppressed hacktivist activity, pre-staged leaks, and IO campaigns will release simultaneously. Organizations should prepare now, not after the first Telegram post drops. The war between wars is not coming. It is here. Anomali CTI Desk | 2026-05-26 For IOC feeds and automated detection content, contact your Anomali representative or access indicators directly via Anomali ThreatStream Next-Gen (tags: `iran_nexus`, `screening_serpens`, `appdomainmanager_hijacking`).

FEATURED RESOURCES

May 26, 2026

Anomali Cyber Watch