Iranian Cyber Operations Enter Sustained Pre-Positioning Phase: What CISOs Must Know Now

Anomali Threat Research

Published on

June 10, 2026

Table of Contents

Threat Assessment Level: ELEVATED Previous assessment (2026-06-09): HIGH. The threat level has been adjusted from HIGH to ELEVATED based on the absence of new escalation triggers (no destructive operations, no confirmed new campaigns) despite continued infrastructure pre-positioning. The underlying risk posture remains serious — Iranian state-sponsored actors are actively maintaining and expanding staging infrastructure, and seven ICS advisories in five days have widened the OT attack surface. CISOs should treat this as a "coiled spring" environment: the absence of destructive action reflects preparation-phase discipline, not de-escalation. <h2> Introduction </h2> One hundred and two days into the renewed Iran-Israel conflict (since February 28, 2026), Iranian cyber operations have settled into a pattern that should alarm every security leader: quiet, methodical infrastructure expansion paired with active vulnerability scanning — the hallmarks of pre-positioning for future destructive or disruptive operations. Today's intelligence reveals simultaneous activity across proxy, malware command-and-control, and APT-attributed infrastructure on a single Iranian autonomous system, new exploitation of AI gateway vulnerabilities confirmed by CISA, and a surge of ICS/OT advisories affecting the exact systems Iranian actors have historically targeted. The operational silence from hacktivist groups and the absence of wiper deployments should not be mistaken for safety — it is consistent with Iranian doctrine of holding destructive capabilities in reserve during diplomatic uncertainty. This post provides actionable intelligence for CISOs managing organizations in the crosshairs of Iranian state-sponsored operations. <h2> What Changed </h2> <table> <thead> <tr> <th> Development </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> ASN 213790 multi-actor infrastructure refresh — 7 IPs active across proxy, malware, and APT categories </td> <td> Iranian cyber staging area continues expansion; new chemical-sector targeting detected via Pinchy-Spider tooling </td> </tr> <tr> <td> CVE-2026-42271 (LiteLLM MCP RCE) added to CISA KEV </td> <td> Active exploitation confirmed — any authenticated user can achieve remote code execution on AI proxy infrastructure </td> </tr> <tr> <td> CVE-2026-29116 (Dahua camera DoS) published </td> <td> Unauthenticated remote reboot of surveillance cameras — directly enables disruption of battle damage assessment and physical security </td> </tr> <tr> <td> 7 ICS advisories in 5 days (Schneider, Siemens, Hitachi, NAVTOR) </td> <td> OT attack surface expansion in energy, building management, substation automation, and maritime — all within Iranian proxy targeting doctrine </td> </tr> <tr> <td> Remcos RAT C2 on Iranian academic infrastructure </td> <td> New C2 node at Iranian Research Organization for Science & Technology suggests state-adjacent staging </td> </tr> <tr> <td> Cobalt Strike BEACON on Iranian cloud provider </td> <td> C2 infrastructure on Noyan Abr Arvan (ASN 202468) expands Iranian operational hosting beyond previously tracked ASNs </td> </tr> <tr> <td> Active vulnerability scanning from Iranian IPs </td> <td> Targeting CVE-2017-9841, CVE-2021-41773, CVE-2024-4577 — legacy vulnerabilities with known exploitation paths </td> </tr> </tbody> </table> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> </tr> </thead> <tbody> <tr> <td> 2026-02-28 </td> <td> Iran-Israel conflict resumes; cyber operations begin escalating </td> </tr> <tr> <td> 2026-06-03 </td> <td> Handala hacktivist group claims cyber-to-kinetic targeting support — first confirmed digital-to-physical convergence </td> </tr> <tr> <td> 2026-06-05 </td> <td> New Pinchy-Spider IP (77.90.185[.]253) created on ASN 213790 targeting chemical sector </td> </tr> <tr> <td> 2026-06-08 </td> <td> Iran declares "resumption of hostilities"; C2 infrastructure refreshed with "ceasefire over" operational tagging </td> </tr> <tr> <td> 2026-06-08 </td> <td> CVE-2026-42271 (LiteLLM MCP RCE, CVSS 8.8) added to CISA KEV </td> </tr> <tr> <td> 2026-06-09 </td> <td> Cobalt Strike BEACON C2 refreshed on ASN 51396; BumbleBee loader first associated with Iranian infrastructure </td> </tr> <tr> <td> 2026-06-09 </td> <td> Iranian IPs begin active scanning for CVE-2024-4577 (PHP-CGI) and CVE-2021-41773 (Apache path traversal) </td> </tr> <tr> <td> 2026-06-10 </td> <td> ASN 213790 shows simultaneous proxy, malware, and APT activity — 7 IPs confirmed malicious </td> </tr> <tr> <td> 2026-06-10 </td> <td> CVE-2026-29116 (Dahua camera unauthenticated DoS) published </td> </tr> <tr> <td> 2026-06-10 </td> <td> 7th ICS advisory in 5 days published (Schneider, Siemens, Hitachi, NAVTOR) </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> Iranian Multi-Actor Staging Infrastructure (ASN 213790) </h3> ASN 213790 ("Limited Network") has emerged as Iran's primary cyber staging area — functioning as the digital equivalent of a forward operating base. Today's collection confirms simultaneous proxy relay, malware delivery, and APT command-and-control operations from this single network: <ul> <li> SOCKS proxy infrastructure for anonymization </li> <li> Malware delivery nodes (confidence 100, dual-sourced) </li> <li> APT-attributed IPs tagged to APT28, APT15, and Pinchy-Spider (REvil operators) </li> </ul> The co-location of Russian-attributed threat actors (APT28, Pinchy-Spider) on Iranian infrastructure confirms the Russian-Iranian criminal nexus — shared hosting that provides mutual deniability and complicates attribution. The new appearance of chemical sector targeting via Pinchy-Spider tooling is a novel development that expands the threat beyond traditional Iranian targets. Named actors with confirmed infrastructure on this ASN: Pioneer Kitten/Fox Kitten (UNC757), APT33, APT42/Charming Kitten, CyberAv3ngers (IRGC-CEC), HYDRO KITTEN, MuddyWater/TEMP.Zagros, APT34/OilRig, UNC5855/AnonymousForJustice, and Handala. <h3> AI Infrastructure Under Active Attack (CVE-2026-42271) </h3> The addition of CVE-2026-42271 to CISA's Known Exploited Vulnerabilities catalog confirms what threat intelligence has been tracking: AI gateway infrastructure is now a confirmed exploitation target . This vulnerability in LiteLLM's Model Context Protocol (MCP) allows any authenticated user to execute arbitrary commands on the AI proxy host via stdio transport (CVSS 8.8). Organizations deploying LiteLLM as an AI gateway — increasingly common in enterprise AI architectures — face immediate remote code execution risk. The exploitation is trivial once authentication is obtained, and Iranian actors have demonstrated sophisticated credential harvesting capabilities through OAuth abuse and phishing. <h3> OT/ICS Attack Surface Expansion </h3> Seven ICS advisories in five days represent an abnormal velocity (baseline: 4-5 per week) affecting systems that align precisely with Iranian targeting doctrine: <table> <thead> <tr> <th> Vendor </th> <th> Product </th> <th> Impact </th> <th> Sector </th> </tr> </thead> <tbody> <tr> <td> Siemens </td> <td> KACO Blueplanet Inverters </td> <td> Credential derivation from serial data </td> <td> Energy/Solar </td> </tr> <tr> <td> Schneider Electric </td> <td> EcoStruxure Panel Server </td> <td> Vulnerability in panel server </td> <td> Building Management/OT </td> </tr> <tr> <td> Schneider Electric </td> <td> Modicon Network Switches </td> <td> RADIUS protocol vulnerability </td> <td> OT Network Infrastructure </td> </tr> <tr> <td> Hitachi Energy </td> <td> RTU500 </td> <td> Substation automation vulnerabilities </td> <td> Energy/Grid </td> </tr> <tr> <td> Hitachi Energy </td> <td> MACH HiDraw </td> <td> Buffer overflow </td> <td> Engineering Workstations </td> </tr> <tr> <td> Hitachi Energy </td> <td> ITT600 Explorer </td> <td> Telecontrol vulnerabilities </td> <td> Energy/Grid </td> </tr> <tr> <td> NAVTOR </td> <td> NavBox </td> <td> Unauthorized SOAP method access </td> <td> Maritime OT </td> </tr> </tbody> </table> Historical pattern analysis across 86 intelligence cycles shows Iranian proxy groups exploit newly-published ICS vulnerabilities within 7-30 days of advisory publication. The exploitation window is now open. <h3> Remcos RAT and Cobalt Strike on Iranian Infrastructure </h3> Two distinct C2 nodes confirm Iranian actors are maintaining diverse post-exploitation capabilities: <ul> <li> Remcos RAT on IP 62.60.226[.]42 (port 43155) — hosted at the Iranian Research Organization for Science & Technology, suggesting state-adjacent staging </li> <li> Cobalt Strike BEACON on IP 188.121.123[.]185 (port 443) — hosted on Noyan Abr Arvan (ASN 202468), a major Iranian cloud provider </li> </ul> The use of legitimate Iranian academic and cloud infrastructure for C2 hosting complicates blocking decisions but confirms state tolerance (at minimum) of offensive cyber operations from these networks. <h2> Predictive Analysis </h2> Based on pattern analysis across 87 intelligence cycles and historical Iranian operational tempo: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Iranian scanning IPs escalate from reconnaissance to exploitation of CVE-2024-4577 (PHP-CGI) targets </td> <td> 70% </td> <td> 7 days </td> <td> Active scanning confirmed; exploitation tooling is publicly available </td> </tr> <tr> <td> Schneider EcoStruxure/Modicon vulnerabilities see PoC exploitation from Iranian-proxied infrastructure </td> <td> 50% </td> <td> 14 days </td> <td> Historical 7-30 day lag between advisory and Iranian exploitation </td> </tr> <tr> <td> Pioneer Kitten (UNC757) surfaces new campaign targeting healthcare or manufacturing via Citrix/Ivanti chains </td> <td> 30% </td> <td> 14 days </td> <td> Actor profile updated 2026-06-10; historical targeting pattern </td> </tr> <tr> <td> Hacktivist groups (Cyber Av3ngers, Handala) resume public operations with DDoS or defacement campaigns </td> <td> 60% </td> <td> 7 days </td> <td> Silence is inconsistent with "resumption of hostilities" declaration; likely collection gap masking activity </td> </tr> <tr> <td> Wiper deployment against Israeli or Gulf State critical infrastructure </td> <td> 15% </td> <td> 30 days </td> <td> Capabilities confirmed (BiBiWiper, Rusty Boots/MoKhargosh) but diplomatic uncertainty favors "hold" posture </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Priority Detection Rules </h3> <table> <thead> <tr> <th> ATT&CK Technique </th> <th> Detection Focus </th> <th> Hunting Hypothesis </th> </tr> </thead> <tbody> <tr> <td> T1071 (Application Layer Protocol) </td> <td> Monitor for C2 beaconing to ASN 213790 and ASN 202468 IP ranges </td> <td> Iranian APT C2 uses standard HTTPS on port 443 to blend with legitimate traffic — hunt for periodic beaconing patterns to Iranian ASN ranges </td> </tr> <tr> <td> T1571 (Non-Standard Port) </td> <td> Alert on outbound connections to port 43155 (Remcos RAT) </td> <td> Remcos C2 uses non-standard ports; any connection to 62.60.226[.]42:43155 is confirmed malicious </td> </tr> <tr> <td> T1090 (Proxy) </td> <td> Detect SOCKS proxy connections to ASN 213790 IPs </td> <td> Iranian SOCKS infrastructure provides anonymization for follow-on operations — connections indicate compromised host </td> </tr> <tr> <td> T1190 (Exploit Public-Facing Application) </td> <td> Monitor web application logs for CVE-2024-4577 and CVE-2021-41773 exploitation patterns </td> <td> Iranian scanners are actively probing; exploitation attempts will follow reconnaissance </td> </tr> <tr> <td> T1595.002 (Vulnerability Scanning) </td> <td> Alert on inbound scanning from Iranian ASN ranges (202468, 34369, 213790) </td> <td> Pre-exploitation reconnaissance precedes targeted attacks by 3-7 days </td> </tr> <tr> <td> T1219 (Remote Access Software) </td> <td> Hunt for Remcos RAT artifacts in endpoint telemetry </td> <td> Remcos is a commodity RAT but its presence on Iranian academic infrastructure suggests state-directed deployment </td> </tr> <tr> <td> T1059.001 (PowerShell) </td> <td> Monitor for encoded PowerShell execution consistent with Cobalt Strike stagers </td> <td> BEACON typically uses PowerShell for initial execution and lateral movement </td> </tr> <tr> <td> T0816 (Device Restart/Shutdown) </td> <td> Monitor Dahua camera systems for unexpected reboots </td> <td> CVE-2026-29116 enables unauthenticated remote reboot — pattern of reboots indicates exploitation </td> </tr> </tbody> </table> <h3> Hunting Hypotheses </h3> <ol> <li> "Has any internal host communicated with ASN 213790 in the past 90 days?" — Query netflow/proxy logs for any connection to the IP ranges listed in the IOC table below. Historical connections may indicate pre-existing compromise. </li> <li> "Are any LiteLLM instances exposed to authenticated users beyond the AI/ML team?" — CVE-2026-42271 requires only authentication, not admin privileges. Over-provisioned access creates RCE risk. </li> <li> "Do we have Arista EOS switches configured with VXLAN or GRE tunneling?" — CVE-2026-7473 allows tunnel decapsulation bypass that could undermine OT network segmentation. </li> <li> "Are Dahua cameras in our physical security infrastructure accessible from untrusted networks?" — CVE-2026-29116 requires no authentication; any network-accessible Dahua device is vulnerable. </li> </ol> <h3> IOC Blocking Table </h3> <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Context </th> <th> Confidence </th> </tr> </thead> <tbody> <tr> <td> IPv4 </td> <td> 185.93.89[.]106 </td> <td> SOCKS proxy, ASN 213790 </td> <td> 95 </td> </tr> <tr> <td> IPv4 </td> <td> 172.94.9[.]29 </td> <td> Malware/hacking, ASN 213790 </td> <td> 100 </td> </tr> <tr> <td> IPv4 </td> <td> 192.253.248[.]169 </td> <td> APT-attributed, ASN 213790 </td> <td> 97 </td> </tr> <tr> <td> IPv4 </td> <td> 77.90.185[.]253 </td> <td> Pinchy-Spider, chemical targeting, ASN 213790 </td> <td> 91 </td> </tr> <tr> <td> IPv4 </td> <td> 185.93.89[.]147 </td> <td> APT-attributed, ASN 213790 </td> <td> 91 </td> </tr> <tr> <td> IPv4 </td> <td> 192.253.248[.]180 </td> <td> APT-attributed, ASN 213790 </td> <td> 91 </td> </tr> <tr> <td> IPv4 </td> <td> 77.90.185[.]118 </td> <td> APT-attributed, ASN 213790 </td> <td> 93 </td> </tr> <tr> <td> IPv4 </td> <td> 62.60.226[.]42 </td> <td> Remcos RAT C2, port 43155 </td> <td> 97 </td> </tr> <tr> <td> IPv4 </td> <td> 188.121.123[.]185 </td> <td> Cobalt Strike BEACON C2, port 443 </td> <td> 75 </td> </tr> <tr> <td> IPv4 </td> <td> 37.32.26[.]36 </td> <td> Active vulnerability scanner, ASN 202468 </td> <td> 70 </td> </tr> <tr> <td> IPv4 </td> <td> 37.148.110[.]129 </td> <td> Active vulnerability scanner, ASN 34369 </td> <td> 70 </td> </tr> <tr> <td> MD5 </td> <td> 5b54a028c3c18deb38d0482a06e6c8d6 </td> <td> Associated malware sample </td> <td> — </td> </tr> </tbody> </table> Additional IOCs available via Anomali ThreatStream Next-Gen. <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Iranian actors historically target financial institutions for both espionage and disruptive operations (denial-of-service as economic coercion). The Russian-Iranian nexus on ASN 213790 — with Pinchy-Spider (REvil operators) sharing infrastructure with Iranian APTs — creates a dual ransomware and state-sponsored threat. Priority actions: <ul> <li> Block all ASN 213790 IP ranges at the network perimeter and monitor for historical connections </li> <li> Audit SWIFT and core banking system access logs for connections to Iranian ASN ranges </li> <li> Ensure DDoS mitigation is active and tested — hacktivist groups may resume operations without warning </li> <li> Review OAuth token lifetimes for customer-facing applications — APT42 specializes in OAuth abuse </li> </ul> <h3> Energy </h3> Seven ICS advisories in five days directly affect energy sector systems: Siemens KACO Blueplanet solar inverters, Schneider EcoStruxure panel servers, Schneider Modicon network switches, and Hitachi Energy RTU500 substation automation. Iranian proxy groups (CyberAv3ngers) have a documented track record of exploiting OT systems in this sector. Priority actions: <ul> <li> Inventory all Schneider EcoStruxure Panel Server and Modicon managed switch deployments; apply vendor patches within 7 days </li> <li> Audit Hitachi Energy RTU500 firmware versions in substation environments </li> <li> Verify OT network segmentation — CVE-2026-7473 (Arista EOS) could allow tunnel protocol bypass that undermines segmentation </li> <li> Review Siemens KACO Blueplanet inverter configurations — credential derivation from device serial numbers means physical access or serial number disclosure enables compromise </li> <li> Ensure ICS-specific incident response playbooks account for Iranian proxy TTPs (T0816 device restart, T0826 loss of availability) </li> </ul> <h3> Healthcare </h3> Pioneer Kitten (UNC757/Fox Kitten) maintains active targeting of healthcare organizations, with a profile update as recently as June 10, 2026. Healthcare is also vulnerable to Remcos RAT campaigns and Cobalt Strike post-exploitation — both confirmed active on Iranian infrastructure today. Priority actions: <ul> <li> Patch all internet-facing Citrix and Ivanti appliances — Pioneer Kitten's primary initial access vector </li> <li> Hunt for Remcos RAT indicators (connections to port 43155, registry persistence mechanisms) </li> <li> Audit VPN concentrator logs for anomalous authentication patterns from Iranian IP ranges </li> <li> Ensure medical device networks are segmented from corporate IT — lateral movement from compromised IT to OT medical devices is a documented Iranian TTP </li> <li> Review PHI access logs for bulk data exfiltration indicators </li> </ul> <h3> Government </h3> Government networks face the broadest threat surface: APT33, APT34/OilRig, APT42/Charming Kitten, MuddyWater, and Pioneer Kitten all maintain active government targeting. The confirmed APT-attributed IPs on ASN 213790 specifically tag government as a target sector. Priority actions: <ul> <li> Implement emergency blocking of all 11 IPs in the IOC table above across all network boundaries </li> <li> Audit all AI/ML infrastructure for LiteLLM deployments — CVE-2026-42271 (KEV) enables RCE from any authenticated user </li> <li> Review Dahua camera deployments in government facilities — CVE-2026-29116 enables unauthenticated surveillance disruption </li> <li> Conduct credential audit for all internet-facing services — APT42's credential harvesting campaigns precede network intrusion </li> <li> Verify secure communications infrastructure is not routable from untrusted networks </li> </ul> <h3> Aviation & Logistics </h3> UNC1549/Tortoiseshell (Imperial Kitten) maintains aerospace targeting capabilities, and NAVTOR NavBox maritime OT vulnerabilities (unauthorized SOAP method access) directly affect logistics and shipping operations. The absence of active aviation-targeting indicators is assessed as a collection gap, not confirmed safety. Priority actions: <ul> <li> Audit NAVTOR NavBox deployments for unauthorized SOAP method access vulnerability; apply vendor patches </li> <li> Review all aerospace contractor VPN and remote access infrastructure for Iranian APT indicators </li> <li> Monitor for SEO poisoning campaigns targeting aviation industry search terms (previously documented TTP) </li> <li> Ensure supply chain security reviews cover Iranian-nexus subcontractors </li> <li> Verify satellite communication systems are patched and monitored for anomalous access </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC </td> <td> Block ASN 213790 IP ranges at perimeter: 172.94.9[.]29, 185.93.89[.]106, 192.253.248[.]169, 77.90.185[.]253, 185.93.89[.]147, 192.253.248[.]180, 77.90.185[.]118 — confirmed multi-source malicious </td> </tr> <tr> <td> 2 </td> <td> SOC </td> <td> Block Remcos C2 IP 62.60.226[.]42:43155 and hunt for historical connections in 90-day netflow </td> </tr> <tr> <td> 3 </td> <td> IT Ops </td> <td> Verify all LiteLLM proxy instances are patched to v1.83.7+ — CVE-2026-42271 is KEV-listed with confirmed active exploitation </td> </tr> <tr> <td> 4 </td> <td> SOC </td> <td> Deploy detection for Cobalt Strike BEACON traffic to 188.121.123[.]185:443 (ASN 202468) </td> </tr> <tr> <td> 5 </td> <td> Executive/IR </td> <td> Brief executive leadership on elevated Iranian cyber posture and potential for escalation to destructive operations </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> IT Ops </td> <td> Audit all Dahua camera firmware for CVE-2026-29116 susceptibility — unauthenticated remote reboot enables surveillance disruption </td> </tr> <tr> <td> 2 </td> <td> Network Ops </td> <td> Review Arista EOS VXLAN/GRE configurations for CVE-2026-7473 exposure — tunnel bypass undermines OT segmentation </td> </tr> <tr> <td> 3 </td> <td> SOC </td> <td> Deploy detection rules for CVE-2024-4577 (PHP-CGI) and CVE-2021-41773 (Apache path traversal) exploitation — Iranian scanners are actively probing </td> </tr> <tr> <td> 4 </td> <td> IT Ops </td> <td> Patch SolarWinds Serv-U for CVE-2026-28318 (unauthenticated DoS via Content-Encoding: deflate) </td> </tr> <tr> <td> 5 </td> <td> IR </td> <td> Update incident response playbooks with Iranian APT-specific procedures: Remcos RAT containment, Cobalt Strike BEACON isolation, OT/ICS incident escalation </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> CISO </td> <td> Commission assessment of Schneider EcoStruxure Panel Server and Modicon managed switch deployments against new CISA advisories — Iranian proxy groups historically exploit within 30 days </td> </tr> <tr> <td> 2 </td> <td> CISO </td> <td> Fund and deploy backup threat intelligence collection (Telegram monitoring, additional OSINT feeds) — current collection gaps mask hacktivist early warning </td> </tr> <tr> <td> 3 </td> <td> Network Ops </td> <td> Conduct full audit of OT network segmentation with specific focus on Hitachi Energy RTU500 substation automation and NAVTOR maritime systems </td> </tr> <tr> <td> 4 </td> <td> IT Ops </td> <td> Implement network-level blocking of Iranian cloud ASNs (202468 — Noyan Abr Arvan, 34369 — Aria Shatel) at perimeter where business justification permits </td> </tr> <tr> <td> 5 </td> <td> Executive </td> <td> Conduct tabletop exercise simulating Iranian destructive cyber attack (wiper deployment) against critical infrastructure — test decision-making timelines and communication protocols </td> </tr> </tbody> </table> <h2> Bottom Line </h2> The Iranian cyber apparatus is behaving exactly as doctrine predicts during a preparation phase: infrastructure is being refreshed, scanning is intensifying, and destructive capabilities remain staged but undeployed. The declaration of "resumption of hostilities" on June 8 was accompanied by immediate C2 infrastructure activation — the digital equivalent of moving forces to the border. The seven ICS advisories published in the past five days have opened exploitation windows in energy, building management, substation automation, and maritime systems — precisely the sectors Iranian proxy groups like CyberAv3ngers have previously attacked. Historical patterns show a 7-30 day lag between advisory publication and Iranian exploitation attempts. That clock is now running. CISOs should not interpret the current absence of destructive operations as safety. It is preparation. The blocking actions, patching priorities, and detection rules outlined above represent the minimum defensive posture for organizations in Iranian targeting scope. The time to act is before the preparation phase ends. Published 2026-06-10 by the Anomali CTI Desk. Intelligence derived from Anomali ThreatStream Next-Gen, CISA KEV/ICS advisories, and partner feeds. For IOC feeds and automated detection content, contact your Anomali representative.

FEATURED RESOURCES

June 10, 2026

Anomali Cyber Watch