Iranian Cyber Operations Enter Pre-Strike Phase: What CISOs Must Do This Week

Anomali Threat Research

Published on

June 22, 2026

Table of Contents

Threat Assessment Level: ELEVATED (trending HIGH) This assessment is unchanged from the prior cycle (2026-06-21). Escalation to HIGH is pending confirmation of active exploitation against Western critical infrastructure targets. The convergence of infrastructure refresh, phishing reactivation, and ICS vulnerability disclosure creates conditions consistent with imminent offensive operations. Nearly four months into the Iran conflict theater (since 28 February 2026), Iranian state-sponsored cyber operations have shifted from opportunistic exploitation to deliberate pre-positioning. Multiple IRGC and MOIS-affiliated threat groups are simultaneously refreshing command-and-control infrastructure, reactivating phishing campaigns, and diversifying their tooling — all hallmarks of the preparation phase that precedes coordinated offensive action. This is not theoretical. CISA has confirmed active exploitation of Splunk Enterprise (CVE-2026-20253, CVSS 9.8), issued a hardening directive for Fortinet devices under the "FortiBleed" campaign, and released seven ICS advisories in a single batch covering vendors that Iranian actors have historically targeted. The window for defensive action is narrowing. <h2> What Changed </h2> The past 72 hours brought several developments that collectively raise the operational tempo: <ul> <li> MuddyWater phishing infrastructure reactivated — A Firebase-hosted credential harvesting domain (cloud-233f9[.]firebaseapp[.]com) previously used to target CFOs is showing fresh weaponization indicators, alongside a Microsoft typosquat domain (microsoft-corp[.]com) hosted on Stark Industries Solutions infrastructure known to support MuddyWater C2. </li> <li> New Cobalt Strike C2 node on a fourth Iranian ASN — IP 151.239.24[.]122 on Aria Shatel (ASN 31549, Tehran) was validated by multiple threat intelligence sources on 2026-06-19. Iranian C2 infrastructure now spans four distinct autonomous systems, complicating network-level blocking. </li> <li> Venom RAT appears on Iranian infrastructure — A lesser-known remote access tool ("Venom Software") was identified on ASN 213790, marking the first appearance of this framework in Iranian-attributed infrastructure. This suggests tooling diversification beyond Cobalt Strike. </li> <li> CISA KEV addition: CVE-2026-20253 — Splunk Enterprise pre-authentication RCE confirmed actively exploited in the wild. Public proof-of-concept available. Any unpatched instance should be considered compromised until verified. </li> <li> Seven ICS advisories in a single batch — Covering Schneider Electric, Mitsubishi MELSEC, Rockwell Automation, AzeoTech, and AVer — all vendors whose products are deployed in energy, water, and manufacturing environments that Iranian proxies have previously targeted. </li> <li> Cyber Av3ngers silent for 9+ days — The IRGC-CEC's primary ICS-targeting proxy has gone operationally quiet. Historical pattern: silence precedes capability refresh or new campaign launch. </li> <li> Pinchy Spider attribution tags on Iranian infrastructure — Russian-origin Pinchy Spider (GandCrab/REvil lineage) indicators observed on ASN 213790 alongside chemical sector targeting, suggesting possible Russian-Iranian criminal infrastructure sharing and a blurring of state-sponsored and criminal operations. </li> </ul> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 2026-02-28 </td> <td> Iran conflict theater begins </td> <td> Start of current escalation cycle </td> </tr> <tr> <td> 2026-06-06 </td> <td> APT34/OilRig last observed active </td> <td> Burst-pattern actor; silence may precede new campaign </td> </tr> <tr> <td> 2026-06-12 </td> <td> Cyber Av3ngers last observed active </td> <td> 9+ days of silence — anomalous for IRGC-CEC proxy </td> </tr> <tr> <td> 2026-06-17 </td> <td> Tooling convergence confirmed across Pioneer Kitten, Handala, Banished Kitten </td> <td> IRGC-affiliated groups sharing infrastructure and TTPs </td> </tr> <tr> <td> 2026-06-17 </td> <td> MuddyWater C2 infrastructure reactivation detected </td> <td> MOIS-affiliated group refreshing operational capability </td> </tr> <tr> <td> 2026-06-18 </td> <td> CISA adds CVE-2026-20253 to KEV catalog </td> <td> Splunk pre-auth RCE confirmed exploited in the wild </td> </tr> <tr> <td> 2026-06-18 </td> <td> CISA issues FortiBleed hardening directive </td> <td> Government-level response to Fortinet credential exposure </td> </tr> <tr> <td> 2026-06-18 </td> <td> 7 ICS advisories released (Schneider, Mitsubishi, Rockwell) </td> <td> Attack surface expansion for OT environments </td> </tr> <tr> <td> 2026-06-19 </td> <td> New Cobalt Strike C2 validated on ASN 31549 (Tehran) </td> <td> 4th Iranian ASN hosting offensive infrastructure </td> </tr> <tr> <td> 2026-06-21 </td> <td> MuddyWater Firebase phishing domain reactivated </td> <td> Credential harvesting campaign targeting executives </td> </tr> <tr> <td> 2026-06-21 </td> <td> Venom RAT identified on ASN 213790 </td> <td> New C2 framework diversifying Iranian toolkit </td> </tr> <tr> <td> 2026-06-21 </td> <td> Pinchy Spider (REvil lineage) tagged on Iranian IP </td> <td> Possible Russian-Iranian criminal infrastructure sharing </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> MuddyWater (MOIS-Affiliated) — Active Campaign in Progress </h3> MuddyWater (also tracked as TEMP.Zagros, Static Kitten, Mercury) is demonstrating textbook pre-operational behavior: refreshing phishing infrastructure across multiple hosting providers while maintaining persistent C2 capability. Current operational pattern: <ol> <li> Delivery: Compromised legitimate cloud services (Google Firebase, OneHub, Egnyte) host credential harvesting pages </li> <li> C2: Stark Industries Solutions VPS infrastructure (Germany-hosted) for command and control via MuddyC2Go </li> <li> Persistence: Remote monitoring and management (RMM) tools — ScreenConnect, Atera — for long-term access </li> </ol> The reactivation of cloud-233f9[.]firebaseapp[.]com is significant because it exploits implicit trust in Google-hosted domains, bypassing many URL filtering solutions. The simultaneous activity on microsoft-corp[.]com (Stark Industries, IP 80.71.157[.]130) confirms dual-infrastructure operation. Primary targets: CFOs and finance executives — credential harvesting for business email compromise and lateral movement into financial systems. <h3> Pioneer Kitten / Banished Kitten / Handala (IRGC-Affiliated) — Infrastructure Expansion </h3> The IRGC-affiliated cluster continues expanding C2 infrastructure across Iranian ISPs. ASN 213790 ("Limited Network") remains the dominant hosting provider, but the addition of ASN 31549 (Aria Shatel) demonstrates deliberate infrastructure diversification — a counter-detection measure that complicates IP-based blocking strategies. The appearance of Venom RAT alongside established Cobalt Strike deployments suggests these groups are reducing single-tool dependency, likely in response to improved Cobalt Strike detection capabilities across the defender community. Notable anomaly: Pinchy Spider (Russian-origin, GandCrab/REvil ransomware lineage) attribution tags appearing on the same Iranian infrastructure (ASN 213790) with chemical sector targeting. This may indicate Russian-Iranian criminal infrastructure sharing — a convergence pattern that blurs the line between state-sponsored espionage and criminal ransomware operations. <h3> Cyber Av3ngers (IRGC-CEC) — Operational Silence </h3> Nine days of silence from Iran's most aggressive ICS-targeting proxy is not reassuring — it's concerning. Historical pattern analysis shows that Cyber Av3ngers operational pauses precede capability refreshes or new campaign launches. The simultaneous release of seven ICS advisories covering their preferred target vendors (Schneider Electric, Mitsubishi MELSEC, Rockwell Automation) creates a convergence window. Estimated exploitation window: Based on historical Cyber Av3ngers tempo (14-21 days from vulnerability disclosure to weaponization), potential ICS-targeting activity is forecast within the 7-21 day window from the date of this publication. <h3> Critical Vulnerabilities Under Active Exploitation </h3> <table> <thead> <tr> <th> CVE </th> <th> Product </th> <th> CVSS </th> <th> Status </th> <th> Risk </th> </tr> </thead> <tbody> <tr> <td> CVE-2026-20253 </td> <td> Splunk Enterprise 10.x </td> <td> 9.8 </td> <td> KEV — Active exploitation confirmed </td> <td> Pre-auth RCE; public PoC available; SIEM infrastructure compromise enables attacker to blind defenders </td> </tr> <tr> <td> FortiBleed (multiple CVEs) </td> <td> Fortinet FortiGate/FortiClient </td> <td> High </td> <td> CISA hardening directive issued </td> <td> Mass credential exposure; VPN access compromise; Pioneer Kitten's preferred initial access vector </td> </tr> <tr> <td> CVE-2026-22828 </td> <td> ICS (details in CISA advisories) </td> <td> Varies </td> <td> Advisory issued </td> <td> OT environment exposure </td> </tr> </tbody> </table> <h2> Predictive Analysis </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Indicators to Watch </th> </tr> </thead> <tbody> <tr> <td> MuddyWater spearphishing campaign targeting finance/executive roles </td> <td> HIGH (75-85%) </td> <td> 24-72 hours </td> <td> Firebase domain in email logs; Microsoft-themed credential pages; Stark Industries IP connections </td> </tr> <tr> <td> Cyber Av3ngers ICS campaign leveraging new Schneider/Mitsubishi/Rockwell vulnerabilities </td> <td> MODERATE-HIGH (55-65%) </td> <td> 7-21 days </td> <td> New Unitronics/PLC-targeting domains; IOCONTROL malware variants; Telegram C2 channel activity </td> </tr> <tr> <td> Pioneer Kitten exploitation of unpatched Fortinet devices for initial access </td> <td> HIGH (70-80%) </td> <td> Ongoing </td> <td> VPN authentication anomalies; credential stuffing from Iranian IP ranges; FortiGate config changes </td> </tr> <tr> <td> Splunk Enterprise compromise enabling SIEM blinding </td> <td> MODERATE (45-55%) </td> <td> 7-14 days </td> <td> Unexpected PostgreSQL service activity; Splunk search head anomalies; log gaps </td> </tr> <tr> <td> Russian-Iranian criminal convergence enabling ransomware with state-actor access </td> <td> LOW-MODERATE (25-35%) </td> <td> 30-60 days </td> <td> REvil/GandCrab variants on Iranian infrastructure; chemical sector targeting; dual-use tooling </td> </tr> <tr> <td> Coordinated multi-actor offensive (kinetic-cyber convergence) </td> <td> MODERATE (40-50%) </td> <td> Contingent on geopolitical trigger </td> <td> Simultaneous activity across MuddyWater + Cyber Av3ngers + Handala; wiper deployment; DDoS surge </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Detection Priorities </h3> <table> <thead> <tr> <th> ATT&CK Technique </th> <th> Detection Logic </th> <th> Tool/Data Source </th> </tr> </thead> <tbody> <tr> <td> T1566.001 (Spearphishing Link) </td> <td> Alert on emails containing firebaseapp[.]com URLs or microsoft-corp[.]com links; inspect for credential harvesting page patterns </td> <td> Email gateway, URL sandbox </td> </tr> <tr> <td> T1071.001 (Web Protocols C2) </td> <td> Monitor for HTTPS beaconing to 151.239.24[.]122 and known ASN 213790 ranges; look for regular-interval callbacks (Cobalt Strike default: 60s) </td> <td> NDR, proxy logs, firewall </td> </tr> <tr> <td> T1078.004 (Cloud Accounts) </td> <td> Alert on impossible travel, new OAuth app consents, and token replay for M365/Entra ID accounts — especially finance/executive roles </td> <td> Azure AD logs, CASB </td> </tr> <tr> <td> T1190 (Exploit Public-Facing Application) </td> <td> Monitor Splunk Enterprise PostgreSQL sidecar (port 5432) for unauthenticated connections; alert on file creation in Splunk system directories </td> <td> Host-based monitoring, Splunk internal logs </td> </tr> <tr> <td> T1133 (External Remote Services) </td> <td> Audit all Fortinet VPN authentications for credential reuse, impossible travel, and connections from Iranian ASN ranges (213790, 31549, 44436, 51396) </td> <td> VPN logs, SIEM correlation </td> </tr> <tr> <td> T1583.001 (Acquire Infrastructure) </td> <td> Track newly registered domains matching microsoft-*[.]com patterns; monitor Stark Industries (ASN 44477) IP space </td> <td> Passive DNS, domain monitoring </td> </tr> <tr> <td> T1102 (Web Service for C2) </td> <td> Detect anomalous outbound traffic to Firebase, OneHub, Egnyte that doesn't match business usage patterns </td> <td> Proxy logs, CASB </td> </tr> <tr> <td> T0890 (Exploitation for ICS Impact) </td> <td> Monitor OT network segments for scanning activity targeting Schneider/Mitsubishi/Rockwell management interfaces </td> <td> OT network monitoring, IDS </td> </tr> </tbody> </table> <h3> Hunting Hypotheses </h3> <ol> <li> Hypothesis: MuddyWater has already harvested credentials via Firebase phishing. Hunt for: M365 sign-ins from Stark Industries IP ranges (ASN 44477); new mail forwarding rules on executive mailboxes; OAuth app registrations from unfamiliar publishers in the past 14 days. </li> <li> Hypothesis: Cobalt Strike beacon active on internal network via Iranian C2. Hunt for: DNS queries or HTTPS connections to 151.239.24[.]122; named pipe creation matching Cobalt Strike defaults (\\.\pipe\msagent_*); PowerShell download cradles with encoded payloads connecting to ASN 31549/213790 ranges. </li> <li> Hypothesis: Splunk Enterprise already compromised via CVE-2026-20253. Hunt for: Unexpected files in Splunk $SPLUNK_HOME/var/ directories; PostgreSQL sidecar accepting connections from non-localhost; search head returning incomplete results (log blinding indicator); unauthorized Splunk user accounts. </li> <li> Hypothesis: Fortinet credentials already exfiltrated via FortiBleed. Hunt for: VPN sessions from previously unseen geographic locations; multiple VPN users authenticating from the same source IP; FortiGate configuration backups accessed outside maintenance windows; SSL-VPN portal access from Iranian IP ranges. </li> </ol> <h3> Blocking Actions </h3> Deploy the following IOC blocklist immediately: <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Context </th> </tr> </thead> <tbody> <tr> <td> IPv4 </td> <td> 151.239.24[.]122 </td> <td> Cobalt Strike C2, ASN 31549 (Aria Shatel, Tehran) </td> </tr> <tr> <td> IPv4 </td> <td> 80.71.157[.]130 </td> <td> MuddyWater typosquat hosting (Stark Industries) </td> </tr> <tr> <td> IPv4 </td> <td> 192.253.248[.]169 </td> <td> APT-tagged, ASN 213790 </td> </tr> <tr> <td> IPv4 </td> <td> 192.253.248[.]180 </td> <td> APT-tagged, ASN 213790 </td> </tr> <tr> <td> IPv4 </td> <td> 192.253.248[.]6 </td> <td> Venom RAT C2, ASN 213790 </td> </tr> <tr> <td> IPv4 </td> <td> 171.22.27[.]16 </td> <td> C2 infrastructure, ASN 213790 </td> </tr> <tr> <td> IPv4 </td> <td> 77.90.185[.]253 </td> <td> Pinchy Spider/chemical targeting, ASN 213790 </td> </tr> <tr> <td> IPv4 </td> <td> 185.93.89[.]147 </td> <td> Iranian APT infrastructure </td> </tr> <tr> <td> IPv4 </td> <td> 217.60.241[.]17 </td> <td> Iranian APT infrastructure </td> </tr> <tr> <td> IPv4 </td> <td> 217.60.241[.]39 </td> <td> Iranian APT infrastructure </td> </tr> <tr> <td> IPv4 </td> <td> 87.107.191[.]39 </td> <td> Iranian APT infrastructure </td> </tr> <tr> <td> Domain </td> <td> cloud-233f9[.]firebaseapp[.]com </td> <td> MuddyWater credential harvesting </td> </tr> <tr> <td> Domain </td> <td> microsoft-corp[.]com </td> <td> MuddyWater typosquat </td> </tr> <tr> <td> Domain </td> <td> FileTransfer[.]io </td> <td> MuddyWater file staging (historical) </td> </tr> <tr> <td> URL </td> <td> https://cloud-233f9[.]firebaseapp[.]com/ </td> <td> Active phishing page </td> </tr> <tr> <td> URL </td> <td> http://cloud-233f9[.]firebaseapp[.]com </td> <td> Active phishing page (HTTP variant) </td> </tr> </tbody> </table> Additional IOCs available via Anomali ThreatStream. <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> MuddyWater's current campaign explicitly targets CFOs and finance executives with credential harvesting. Financial institutions face elevated risk of: <ul> <li> Business email compromise via stolen M365 credentials </li> <li> Wire fraud following executive mailbox access </li> <li> Lateral movement from compromised finance accounts to treasury/payment systems </li> </ul> Priority actions: <ul> <li> Enable phishing-resistant MFA (FIDO2/hardware keys) for all finance executives immediately </li> <li> Implement conditional access policies blocking sign-ins from ASN 44477 (Stark Industries) and Iranian IP ranges </li> <li> Deploy email banner warnings for messages containing Firebase URLs from external senders </li> <li> Audit mail forwarding rules on all C-suite and finance team mailboxes for unauthorized entries </li> </ul> <h3> Energy </h3> The convergence of seven ICS advisories (Schneider Electric EcoStruxure/PowerLogic, Mitsubishi MELSEC iQ-F, Rockwell FactoryTalk Historian) with Cyber Av3ngers' operational silence creates a high-risk window for energy sector OT environments. Priority actions: <ul> <li> Inventory all Schneider Electric, Mitsubishi MELSEC, and Rockwell Automation devices on OT networks — prioritize internet-accessible or DMZ-adjacent instances </li> <li> Apply CISA ICS advisories (ICSA-26-169-03 through ICSA-26-169-07) within 7 days for network-accessible devices </li> <li> Verify OT network segmentation — ensure no direct path from IT network to PLCs/RTUs without jump server intermediation </li> <li> Establish out-of-band monitoring for Unitronics Vision/Samba PLCs (Cyber Av3ngers' historical targets) </li> <li> Pre-position incident response playbooks for ICS-specific scenarios (safety system manipulation, historian data destruction) </li> </ul> <h3> Healthcare </h3> Healthcare organizations running Splunk Enterprise for SIEM/log management face dual risk: CVE-2026-20253 enables attackers to both compromise the monitoring infrastructure AND blind defenders to subsequent lateral movement. Priority actions: <ul> <li> Patch Splunk Enterprise to 10.2.4+ or 10.0.7+ immediately — this is your visibility platform; if it's compromised, you cannot detect anything else </li> <li> If patching requires a maintenance window, disable the PostgreSQL sidecar service as an interim mitigation </li> <li> Verify Splunk search completeness — run baseline queries and compare result counts against expected volumes to detect potential log manipulation </li> <li> Ensure Fortinet VPN devices (common in healthcare remote access) are covered by the FortiBleed hardening directive </li> </ul> <h3> Government </h3> Government entities face the broadest threat surface: MuddyWater credential theft for espionage, Pioneer Kitten for network pre-positioning, and potential destructive operations during escalation. Priority actions: <ul> <li> Implement CISA's FortiBleed hardening directive across all Fortinet infrastructure — rotate credentials, audit VPN logs back to March 2026, verify firmware </li> <li> Conduct credential audit for all .gov M365 tenants — search for sign-ins from Stark Industries (ASN 44477) and Iranian ASN ranges </li> <li> Review and restrict OAuth application consent policies in Entra ID — block user-initiated consent for unverified publishers </li> <li> Ensure EINSTEIN/CDM sensors are tuned for the IOCs listed in this bulletin </li> <li> Brief executive leadership on the potential for coordinated cyber-kinetic operations tied to geopolitical escalation </li> </ul> <h3> Aviation & Logistics </h3> While not the primary target in this cycle, aviation and logistics organizations should note Pioneer Kitten's historical targeting of transportation sector VPN infrastructure and the chemical sector targeting observed on Iranian infrastructure. Priority actions: <ul> <li> Audit all Fortinet and Cisco VPN concentrators for unauthorized access — Pioneer Kitten exploits edge devices for initial access </li> <li> Review supply chain connections to chemical sector partners (potential lateral targeting via Pinchy Spider/Iranian convergence) </li> <li> Ensure cargo management and flight operations systems are segmented from general IT networks </li> <li> Monitor for reconnaissance activity against publicly exposed OT interfaces (baggage handling, fuel management systems) </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> IT Ops </td> <td> Patch Splunk Enterprise to 10.2.4+ or 10.0.7+. If patching is delayed, disable PostgreSQL sidecar service. CVE-2026-20253 is KEV with public PoC — assume exploitation attempts are ongoing. </td> </tr> <tr> <td> 2 </td> <td> IT Ops </td> <td> Execute CISA FortiBleed hardening directive — rotate ALL Fortinet device credentials, audit VPN logs for unauthorized access since March 2026, verify firmware versions against advisory. </td> </tr> <tr> <td> 3 </td> <td> SOC </td> <td> Deploy IOC blocklist (see table above) across perimeter firewalls, email gateways, web proxies, and EDR platforms. </td> </tr> <tr> <td> 4 </td> <td> SOC </td> <td> Alert on Firebase phishing — create detection rule for emails containing firebaseapp[.]com URLs sent to finance/executive distribution lists. </td> </tr> <tr> <td> 5 </td> <td> Identity Team </td> <td> Audit executive M365 accounts — check for unauthorized mail forwarding rules, OAuth app consents, and sign-ins from ASN 44477 or Iranian IP ranges in the past 30 days. </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 6 </td> <td> OT/ICS Team </td> <td> Patch ICS infrastructure per CISA advisories ICSA-26-169-03 through -07 (Mitsubishi MELSEC, Schneider Electric, Rockwell FactoryTalk). Prioritize network-accessible instances. </td> </tr> <tr> <td> 7 </td> <td> SOC </td> <td> Deploy Venom RAT detection — add Venom Software malware family signatures to EDR; create network detection for C2 traffic to 192.253.248[.]6 and ASN 213790 ranges. </td> </tr> <tr> <td> 8 </td> <td> Identity Team </td> <td> Implement phishing-resistant MFA (FIDO2 keys) for all C-suite and finance roles. Disable SMS/phone-call MFA fallback for these accounts. </td> </tr> <tr> <td> 9 </td> <td> SOC </td> <td> Conduct threat hunt for MuddyWater persistence — search for ScreenConnect, Atera, or other RMM tools not sanctioned by IT; check for PowerShell execution patterns consistent with MuddyC2Go. </td> </tr> <tr> <td> 10 </td> <td> Network Team </td> <td> Block ASN 213790 at perimeter — evaluate feasibility of blocking entire "Limited Network" ASN ranges given concentration of Iranian offensive infrastructure. Assess collateral impact before implementing. </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 11 </td> <td> CISO </td> <td> Commission OT security assessment — engage third-party to evaluate segmentation, monitoring, and incident response readiness for ICS environments, specifically against Cyber Av3ngers TTPs. </td> </tr> <tr> <td> 12 </td> <td> CISO </td> <td> Evaluate OSINT feed alternatives — current intelligence collection has a critical blind spot for geopolitical trigger events. Assess Feedly Threat Intel, Silobreaker, or Flashpoint as supplementary sources. </td> </tr> <tr> <td> 13 </td> <td> SOC </td> <td> Proactive hunt for Cyber Av3ngers infrastructure refresh — search for new Unitronics/PLC-targeting domains, IOCONTROL malware variants, and Telegram-based C2 channels. Nine days of silence from IRGC-CEC's primary ICS proxy is historically a pre-attack indicator. </td> </tr> <tr> <td> 14 </td> <td> IR Team </td> <td> Update incident response playbooks for coordinated multi-vector Iranian attack scenario — simultaneous credential theft (MuddyWater), network access (Pioneer Kitten), ICS disruption (Cyber Av3ngers), and information operations (Handala). </td> </tr> <tr> <td> 15 </td> <td> Executive </td> <td> Tabletop exercise — scenario: Iranian retaliatory cyber operation following geopolitical escalation. Test decision-making for simultaneous IT and OT incidents with potential safety implications. </td> </tr> </tbody> </table> <h2> The Bottom Line </h2> We are 114 days into an active conflict theater where Iranian cyber operations serve as force multipliers for kinetic military objectives. The intelligence picture is clear: multiple Iranian state groups are simultaneously refreshing infrastructure, reactivating campaigns, and diversifying tooling. This is not routine maintenance — it is preparation. The convergence of three factors makes the next 7-21 days a critical defensive window: <ol> <li> MuddyWater's phishing infrastructure is hot — expect credential harvesting attempts against executives within 72 hours </li> <li> Cyber Av3ngers' silence will break — nine days of quiet from an aggressive ICS proxy, combined with seven fresh ICS vulnerability disclosures covering their preferred targets, creates conditions for a new campaign </li> <li> Your SIEM may be the target — CVE-2026-20253 gives attackers the ability to compromise Splunk Enterprise without authentication, potentially blinding your entire detection capability before the main attack begins </li> </ol> The organizations that act on this intelligence in the next 24-48 hours — patching Splunk, hardening Fortinet, blocking known C2 infrastructure, and hunting for existing compromise — will be positioned to detect and contain what comes next. Those that wait will be responding to incidents instead of preventing them. Patch. Block. Hunt. Now. Published 2026-06-22 by the Anomali CTI Desk. Intelligence derived from Anomali ThreatStream, CISA advisories, and partner feeds. IOCs available for automated ingestion via ThreatStream platform. For questions or to request additional analysis, contact your Anomali account team.

FEATURED RESOURCES

June 22, 2026

Anomali Cyber Watch