Iranian Cyber Operations Escalate to Military Psychological Warfare as Ceasefire Talks Stall

Anomali Threat Research

Published on

May 21, 2026

Table of Contents

Threat Assessment Level: HIGH The Iran-US conflict — now in its 82nd day since kinetic operations began on 28 February 2026 — has entered its most dangerous cyber phase. While diplomats negotiate and Gulf allies press for restraint, Iranian cyber operators are escalating beyond infrastructure disruption into direct psychological warfare against deployed military personnel. The gap between diplomatic signals and cyber reality has never been wider, and CISOs across defense, energy, healthcare, and government must act on what the adversary is doing , not what negotiators are saying . This week's most alarming development: the IRGC-affiliated group Handala (a.k.a. Void Manticore / Red Sandstorm / Banished Kitten) leaked personal data of US Marines stationed in the Persian Gulf and sent WhatsApp messages telling service members to "call home and make final goodbyes." This is not hacktivism. This is military psychological warfare delivered through cyber means. <h2> What Changed </h2> Six developments drove the threat level from ELEVATED to HIGH this cycle: <ul> <li> Handala's escalation ladder reached military personnel targeting. The group progressed from destroying 200,000 endpoints (Stryker wipe, 11 March) → compromising the FBI director's personal email (27 March) → leaking Marines' PII and conducting WhatsApp-based psychological operations (30 April). Each step represents a qualitative increase in sophistication and strategic intent. </li> </ul> <ul> <li> Ceasefire negotiations created a pre-positioning window. President Trump disclosed he was "an hour away" from additional strikes before Gulf allies intervened. Iran submitted a counter-proposal demanding reparations and US troop withdrawal. Historical pattern analysis shows Iranian actors accelerate access establishment during negotiations — they do not pause. </li> </ul> <ul> <li> A critical 42-day intelligence gap on defense-industrial base pre-positioning. Pioneer Kitten (MOIS-linked) has been silent for 42 consecutive days in DIB networks — during the exact window when pre-positioning activity should be increasing . This silence is not reassurance; it is either successful adversary operational security or a collection failure. Neither is acceptable. </li> </ul> <ul> <li> APT42 espionage campaign refreshed across six sectors. IRGC-IO's BELLACIAO/SHELLAFEL campaign was updated on 19–20 May, actively targeting energy, government, healthcare, manufacturing, chemical, and construction sectors. IRGC-IO espionage continues completely unaffected by kinetic conflict or diplomatic negotiations. </li> </ul> <ul> <li> Russia-Iran shared cyber infrastructure confirmed active. ASN 213790 ("Limited Network," Tehran) was refreshed on 20–21 May with new APT28 and Cactus ransomware IPs, validating cross-national cyber cooperation and raising the possibility that ransomware is being used as cover for destructive operations. </li> </ul> <ul> <li> ICS/OT attack surface expanded by seven new CISA KEVs. CISA published 7 new Known Exploited Vulnerabilities and 5 ICS advisories on 19–20 May — including ScadaBR unauthenticated RCE and Siemens RUGGEDCOM vulnerabilities — directly expanding the attack surface available to IRGC-affiliated ICS-targeting groups. </li> </ul> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Actor </th> <th> Impact </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> US-Israeli kinetic strikes on Iran begin </td> <td> — </td> <td> Conflict initiation </td> </tr> <tr> <td> 11 Mar 2026 </td> <td> Stryker wiper destroys 200,000+ endpoints </td> <td> Handala / Void Manticore (IRGC) </td> <td> Largest destructive cyber attack of the conflict </td> </tr> <tr> <td> 27 Mar 2026 </td> <td> FBI director personal email compromised </td> <td> Handala / Void Manticore (IRGC) </td> <td> Intelligence community targeting </td> </tr> <tr> <td> 30 Apr 2026 </td> <td> US Marines PII leaked; WhatsApp psyops messages sent </td> <td> Handala / Void Manticore (IRGC) </td> <td> Military psychological warfare </td> </tr> <tr> <td> 18 May 2026 </td> <td> US fuel ATG systems compromised via CVE-2026-1340 </td> <td> CyberAv3ngers / Ababil of Minab (IRGC) </td> <td> Critical infrastructure ICS attack </td> </tr> <tr> <td> 19–20 May 2026 </td> <td> APT42 BELLACIAO/SHELLAFEL campaign refreshed </td> <td> APT42 / Charming Kitten (IRGC-IO) </td> <td> Espionage against energy, government, healthcare </td> </tr> <tr> <td> 19 May 2026 </td> <td> CISA adds 7 KEVs; ScadaBR RCE re-confirmed </td> <td> — </td> <td> Expanded ICS/OT attack surface </td> </tr> <tr> <td> 20–21 May 2026 </td> <td> ASN 213790 infrastructure refreshed with APT28 + Cactus IPs </td> <td> APT28 + Cactus (Russia-Iran shared infra) </td> <td> Cross-national cyber cooperation validated </td> </tr> <tr> <td> 20–21 May 2026 </td> <td> Active ceasefire negotiations; Trump "hour away" from strike </td> <td> — </td> <td> Peak pre-positioning window </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> Handala / Void Manticore — From Hacktivism to Military Psyops </h3> Attribution: IRGC-affiliated. Also tracked as Red Sandstorm and Banished Kitten. Handala's operational progression follows a deliberate escalation ladder: <ul> <li> Phase 1 — Infrastructure Destruction: Stryker wiper (200K endpoints, 11 March) </li> <li> Phase 2 — Intelligence Community Targeting: FBI director email compromise (27 March) </li> <li> Phase 3 — Military Personnel Psychological Operations: Marines PII leak + WhatsApp threats (30 April) </li> </ul> The WhatsApp messaging is designed to accomplish three objectives simultaneously: demonstrate intelligence collection capability ("we know who you are and where you are"), degrade morale of deployed forces, and signal to US decision-makers that Iranian reach extends to individual service members. Relevant ATT&CK Techniques: T1530 (Data from Cloud Storage), T1567 (Exfiltration Over Web Service), T1491.002 (External Defacement), T1598 (Phishing for Information) Predicted next phase (60% probability): Targeting family members of military personnel or political leadership with similar psychological operations. <h3> APT42 / Charming Kitten — IRGC-IO Espionage Uninterrupted </h3> Attribution: IRGC Intelligence Organization (IRGC-IO) APT42's BELLACIAO (IIS backdoor) and SHELLAFEL (credential harvester) campaign was refreshed on 19–20 May 2026, targeting energy, government, healthcare, manufacturing, chemical, and construction sectors across four countries. A parallel campaign targets researchers, government officials, and Iranian diaspora via compromised email accounts. The key insight: IRGC-IO espionage operations continue completely unaffected by kinetic conflict or diplomatic negotiations. This is consistent with Iranian doctrine that treats cyber espionage as a permanent, parallel track. Relevant ATT&CK Techniques: T1505.003 (Web Shell), T1078 (Valid Accounts), T1566.001 (Spearphishing Attachment), T1003 (OS Credential Dumping), T1071.001 (Web Protocols C2) <h3> Pioneer Kitten / Fox Kitten — The Silent Pre-Positioner </h3> Attribution: MOIS-linked Pioneer Kitten has confirmed pre-positioned access in defense-industrial base networks via CVE-2023-3519 (Citrix NetScaler) and CVE-2024-21887 (Ivanti Connect Secure), repurposed from initial access to disruption-ready footholds. The group has been silent for 42 consecutive days — during the exact window when pre-positioning should be intensifying. This silence is the single most concerning finding in this cycle. Dormancy in pre-positioned access actors historically indicates mission completion, not mission abandonment. New vulnerability of concern: CVE-2026-6973 (Ivanti EPMM, CVSS 7.2) — added to CISA KEV, expanding the Ivanti attack surface that Pioneer Kitten has historically exploited. <h3> ASN 213790 — Russia-Iran Shared Cyber Infrastructure </h3> Two new IPs tagged to APT28 (Fancy Bear / Russia) appeared on ASN 213790 ("Limited Network," Tehran), alongside Cactus ransomware infrastructure targeting healthcare and manufacturing. This co-location validates the Russia-Iran cyber cooperation hypothesis and raises the possibility that ransomware is being used as cover for destructive operations. Relevant ATT&CK Techniques: T1059 (Command and Scripting Interpreter), T1071 (Application Layer Protocol), T1569.002 (Service Execution), T1571 (Non-Standard Port), T1190 (Exploit Public-Facing Application) <h3> ICS/OT Attack Surface Expansion </h3> CISA published 7 new KEV entries and 5 ICS advisories on 19–20 May, including: <ul> <li> ScadaBR — Unauthenticated RCE (re-confirmed) </li> <li> Kieback & Peter DDC Building Controllers — Browser takeover </li> <li> Siemens RUGGEDCOM APE1808 — Buffer overflow in PAN-OS Captive Portal on ruggedized OT devices </li> <li> ABB CoreSense HM/M10 — Path traversal </li> </ul> These advisories expand the attack surface available to CyberAv3ngers and other IRGC-affiliated ICS-targeting groups, even as CyberAv3ngers themselves have gone operationally silent (possible persona consolidation under Handala). <h2> Predictive Analysis </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Trigger </th> </tr> </thead> <tbody> <tr> <td> Iranian cyber operations intensify if negotiations stall or collapse </td> <td> 70% </td> <td> 7–14 days </td> <td> Breakdown in talks or resumption of kinetic strikes </td> </tr> <tr> <td> Pre-positioned DIB/aerospace access activated for espionage collection </td> <td> 60% </td> <td> 7–14 days </td> <td> Iran seeking intelligence advantage for negotiations </td> </tr> <tr> <td> Handala escalates to political targets or military family members </td> <td> 60% </td> <td> 14–30 days </td> <td> Continuation of escalation ladder pattern </td> </tr> <tr> <td> Coordinated destructive wiper operation against allied infrastructure </td> <td> 40% </td> <td> 7–30 days </td> <td> Resumption of kinetic strikes by US/Israel </td> </tr> <tr> <td> Cactus ransomware on Iranian infrastructure used as cover for destructive attack on healthcare </td> <td> 35% </td> <td> 14–30 days </td> <td> Escalation of conflict or collapse of talks </td> </tr> <tr> <td> CyberAv3ngers resurface under consolidated Handala persona with ICS attack </td> <td> 30% </td> <td> 30 days </td> <td> Operational readiness achieved on new ICS targets </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Immediate Monitoring Priorities </h3> Hunt Hypothesis 1: Dormant Web Shells in DIB Networks <ul> <li> What to look for: IIS web shells (BELLACIAO pattern), unusual .aspx files in IIS directories, web shell callbacks to Iranian IP ranges </li> <li> ATT&CK: T1505.003 (Server Software Component: Web Shell) </li> <li> Detection: Monitor IIS logs for POST requests to unusual .aspx paths; alert on w3wp.exe spawning cmd.exe or powershell.exe </li> <li> Timeframe: Pioneer Kitten has been silent 42 days — look back at least 60 days in logs </li> </ul> Hunt Hypothesis 2: Credential Harvesting via SHELLAFEL <ul> <li> What to look for: Unusual credential access patterns, LSASS memory dumps, Mimikatz-like behavior </li> <li> ATT&CK: T1003 (OS Credential Dumping), T1078 (Valid Accounts) </li> <li> Detection: Monitor for LSASS access by non-standard processes; alert on credential use from unusual geographic locations </li> </ul> Hunt Hypothesis 3: C2 Over Standard Web Protocols <ul> <li> What to look for: Beaconing patterns to ASN 213790 IPs, HTTP/S traffic with encoded payloads to Iranian hosting </li> <li> ATT&CK: T1071.001 (Application Layer Protocol: Web Protocols), T1571 (Non-Standard Port) </li> <li> Detection: Network flow analysis for periodic callbacks; DNS queries to domains resolving to 185.93.89.0/24 or 192.253.248.0/24 </li> </ul> Hunt Hypothesis 4: Ivanti Exploitation (CVE-2023-3519, CVE-2024-21887, CVE-2026-6973) <ul> <li> What to look for: Exploitation artifacts on Ivanti Connect Secure and EPMM appliances; unauthorized admin account creation; unusual VPN session patterns </li> <li> ATT&CK: T1190 (Exploit Public-Facing Application) </li> <li> Detection: Review Ivanti appliance integrity checks; monitor for new admin accounts; alert on VPN connections from Iranian ASNs </li> </ul> <h3> Blocking Guidance </h3> Block the following confirmed APT infrastructure at all perimeter controls: <table> <thead> <tr> <th> IOC </th> <th> Type </th> <th> Attribution </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 192.253.248[.]52 </td> <td> IPv4 </td> <td> APT28 (ASN 213790) </td> <td> Block ingress/egress </td> </tr> <tr> <td> 192.253.248[.]55 </td> <td> IPv4 </td> <td> APT28 (ASN 213790) </td> <td> Block ingress/egress </td> </tr> <tr> <td> 185.93.89[.]79 </td> <td> IPv4 </td> <td> Cactus ransomware (ASN 213790) </td> <td> Block ingress/egress </td> </tr> <tr> <td> 185.93.89[.]43 </td> <td> IPv4 </td> <td> Cactus ransomware (ASN 213790) </td> <td> Block ingress/egress </td> </tr> <tr> <td> 185.93.89[.]0/24 </td> <td> CIDR </td> <td> ASN 213790 range </td> <td> Consider full range block </td> </tr> </tbody> </table> Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream and partner feeds. <h3> Investigation Triggers </h3> Escalate to incident response if you observe: <ul> <li> Any connection to ASN 213790 (213790, "Limited Network," Tehran) from internal assets </li> <li> IIS web shell artifacts (unexpected .aspx files, w3wp.exe child processes) </li> <li> WhatsApp or messaging-app-based social engineering targeting employees with military connections </li> <li> Ivanti appliance anomalies (unexpected reboots, new admin accounts, integrity check failures) </li> <li> ScadaBR or building automation controller access from unexpected sources </li> </ul> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> <ul> <li> Primary threat: Cactus ransomware operating from Iranian infrastructure; potential for destructive attacks disguised as ransomware </li> <li> Action: Validate backup integrity for core banking systems; ensure ransomware playbooks account for wiper-masquerading-as-ransomware scenario; block ASN 213790 at network edge </li> <li> Monitor: Unusual encryption activity that doesn't generate ransom notes (wiper indicator) </li> </ul> <h3> Energy </h3> <ul> <li> Primary threat: APT42 BELLACIAO/SHELLAFEL actively targeting energy sector; CyberAv3ngers history of fuel ATG compromise (CVE-2026-1340); ScadaBR RCE </li> <li> Action: Audit all IIS servers in OT-adjacent networks for web shells; verify ScadaBR instances are network-segmented; review fuel ATG system access controls </li> <li> Monitor: ICS protocol anomalies (Modbus/DNP3 from unexpected sources); BELLACIAO C2 patterns on IIS infrastructure </li> </ul> <h3> Healthcare </h3> <ul> <li> Primary threat: Cactus ransomware from ASN 213790 explicitly targeting healthcare; APT42 campaign includes healthcare sector </li> <li> Action: Ensure medical device networks are segmented from enterprise IT; validate EDR coverage on clinical systems; pre-stage incident response retainer for ransomware scenario </li> <li> Monitor: Lateral movement from enterprise IT to clinical networks; credential harvesting targeting clinical application service accounts </li> </ul> <h3> Government </h3> <ul> <li> Primary threat: MuddyWater (MOIS) confirmed in 100+ government networks (ongoing since October 2025); APT42 BELLACIAO targeting government sector; Handala intelligence collection on government officials </li> <li> Action: Conduct web shell sweep across all internet-facing government web servers; enforce hardware MFA on all privileged accounts; brief personnel on messaging-app social engineering </li> <li> Monitor: Unusual email forwarding rules (APT42 TTP); PowerShell execution from IIS worker processes; credential use from atypical locations </li> </ul> <h3> Aviation / Logistics / Defense Industrial Base </h3> <ul> <li> Primary threat: Pioneer Kitten (MOIS-linked) pre-positioned access (silent 42 days — likely mission-complete); APT33/Refined Kitten historical aerospace targeting; UNC4444/Imperial Kitten updated 21 May targeting aerospace and energy </li> <li> Action: This is the highest-priority sector this cycle. Conduct full retrospective hunt (90-day lookback) on VPN logs, web application servers, and GitHub API access. Audit all Ivanti and Citrix appliances for exploitation artifacts. Review contractor access for dormant accounts. </li> <li> Monitor: Dormant VPN sessions reactivating; data staging in unusual directories; large outbound transfers during off-hours; GitHub API calls from infrastructure not associated with development teams </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC </td> <td> Block ASN 213790 IPs at all perimeter controls: 192.253.248[.]52, 192.253.248[.]55, 185.93.89[.]79, 185.93.89[.]43 — confirmed APT28 and Cactus ransomware infrastructure </td> </tr> <tr> <td> 2 </td> <td> SOC / Physical Security </td> <td> Issue OPSEC advisory to all personnel with military connections regarding Handala WhatsApp-based psychological operations — advise against engaging with unknown messaging contacts </td> </tr> <tr> <td> 3 </td> <td> SOC </td> <td> Deploy detection rules for IIS web shell indicators: w3wp.exe spawning cmd.exe/powershell.exe ( T1505.003 ); unexpected .aspx file creation in IIS directories </td> </tr> <tr> <td> 4 </td> <td> IT Ops </td> <td> Verify Ivanti Connect Secure and EPMM appliance integrity — run vendor integrity checker; confirm no unauthorized admin accounts exist </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 5 </td> <td> SOC </td> <td> Conduct proactive threat hunt on DIB/aerospace network segments — 90-day lookback for dormant web shells, unusual VPN sessions from Iranian IP ranges, and GitHub API anomalies (addressing 42-day PIR-007 gap) </td> </tr> <tr> <td> 6 </td> <td> IT Ops </td> <td> Patch all Ivanti EPMM instances to versions 12.6.1.1+ / 12.7.0.1+ / 12.8.0.1+ — CVE-2026-6973 is in CISA KEV with confirmed exploitation </td> </tr> <tr> <td> 7 </td> <td> IT Ops / OT </td> <td> Audit all ScadaBR deployments for unauthenticated access; apply network segmentation immediately if patches are unavailable (ICSA-26-139-03) </td> </tr> <tr> <td> 8 </td> <td> SOC </td> <td> Implement network-level monitoring for beaconing to ASN 213790 (185.93.89.0/24, 192.253.248.0/24) — alert on any internal-to-external connection </td> </tr> <tr> <td> 9 </td> <td> IT Ops </td> <td> Review Siemens RUGGEDCOM APE1808 and Kieback DDC building controller deployments for exposure; apply vendor mitigations </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 10 </td> <td> CISO </td> <td> Commission assessment of personnel OPSEC posture against social media and messaging-based intelligence collection — Handala demonstrated ability to identify and contact individual service members </td> </tr> <tr> <td> 11 </td> <td> CISO / IR </td> <td> Update incident response playbooks to include "wiper masquerading as ransomware" scenario — Stryker-scale (200K endpoint) destruction is a validated Iranian capability </td> </tr> <tr> <td> 12 </td> <td> CISO </td> <td> Establish real-time Telegram/social media monitoring for Handala and CyberAv3ngers claim channels — current 21-day detection lag is unacceptable for military psyops </td> </tr> <tr> <td> 13 </td> <td> CISO / Legal </td> <td> Evaluate intelligence-sharing agreements with DIB contractor partners — the 42-day visibility gap on pre-positioning requires telemetry access from supply chain partners </td> </tr> <tr> <td> 14 </td> <td> Executive </td> <td> Brief board/leadership on the negotiation-cyber paradox: diplomatic progress does NOT equal cyber de-escalation. Iranian doctrine treats cyber as a permanent parallel track. Budget and staffing decisions should not assume reduced threat during talks. </td> </tr> </tbody> </table> <h2> Bottom Line: The Negotiation-Cyber Paradox </h2> CISOs must internalize one critical insight from this cycle: diplomatic progress and cyber escalation are not mutually exclusive in Iranian doctrine. They are parallel tracks. The ceasefire negotiation window is not a period of reduced risk — it is the highest-risk window for pre-positioning activity. Iran's calculus is straightforward: establish maximum cyber access now so that if negotiations collapse, retaliatory capability is already in place. If negotiations succeed, that access becomes a long-term espionage asset. Either way, the adversary wins by acting now. The 42-day silence on defense-industrial base pre-positioning is not evidence of safety. It is either evidence of successful adversary operational security or evidence of our own collection failure. The appropriate response is not reassurance — it is a hunt. Handala's progression from infrastructure destruction to military psychological warfare tells us something important about Iranian strategic intent: they are not just trying to break things. They are trying to break will . The WhatsApp messages to Marines are designed to create political pressure against continued military operations. When cyber operations target morale rather than systems, the CISO's responsibility extends beyond the network perimeter into personnel security, OPSEC training, and executive communication. Act on what the adversary is doing. Not on what the diplomats are saying. Anomali CTI Desk | Published 2026-05-21 | TLP:GREEN Intelligence sources: Anomali ThreatStream, CISA KEV/ICS advisories, Check Point Research, Bitdefender, Foundation for Defense of Democracies, Centripetal AI, open-source reporting.

FEATURED RESOURCES

May 21, 2026

Anomali Cyber Watch