All Posts
Anomali Cyber Watch
1
min read

Iranian Cyber Operations Expand Multi-Tool Staging Infrastructure as Conflict Enters Fourth Month

Published on
May 27, 2026
Table of Contents
<p> <strong> Threat Assessment Level: ELEVATED </strong> </p> <p> Nearly three months into the Iran-Israel conflict (Day 88 since February 28, 2026), Iranian state-affiliated cyber operations continue to expand offensive infrastructure capacity despite the nominal ceasefire declared on April 8. Today's intelligence reveals a troubling convergence: multiple offensive frameworks, APT-attributed infrastructure, and botnet command-and-control servers are consolidating on a single Tehran-based network &mdash; while a European Central Bank warning signals that the conflict's economic shockwaves are now reaching European policymakers. For CISOs, the message is clear: the ceasefire has not reduced cyber risk. It has shifted it below the threshold of kinetic conflict, exactly where Iranian doctrine says it should operate. </p> <h2> <strong> What Changed </strong> </h2> <p> <strong> Since our last assessment (2026-05-26): </strong> </p> <ul> <li> <strong> ASN 213790 ("Limited Network," Tehran) confirmed as multi-actor staging ground </strong> &mdash; now hosting APT28-attributed IPs, Mirai botnet C2, Cactus ransomware infrastructure, AND Iranian SOCKS4 proxy relays on the same network block. This is no longer a single-actor concern; it's an operational ecosystem. </li> <li> <strong> Three offensive frameworks confirmed co-located on Iranian research infrastructure </strong> &mdash; Cobalt Strike, Remcos RAT, and Sliver C2 are simultaneously active on Iranian academic/research ISPs, suggesting either a bulletproof hosting service or a sophisticated operator maintaining tool diversity. </li> <li> <strong> ECB publicly warned that the Iran war is "amplifying Europe's financial vulnerabilities" </strong> &mdash; a geopolitical escalation signal that may expand pro-Iran hacktivist targeting from Israel/US to European financial institutions. </li> <li> <strong> Seven new ICS advisories from CISA </strong> covering ABB AC500 V2, Terra AC, Zenon, and other industrial systems &mdash; expanding the attack surface relevant to Iranian ICS/OT targeting capabilities. </li> <li> <strong> Defense Industrial Base (DIB) pre-positioning intelligence has been quiet for 10 consecutive days </strong> &mdash; approaching the threshold for mandatory proactive hunting. Absence is not safety. </li> <li> <strong> MuddyWater (MOIS) remains operationally silent since December 2025 </strong> &mdash; now approaching six months of quiet, consistent with a wartime retooling cycle. When they resurface, expect evolved TTPs that bypass current detection signatures. </li> <li> <strong> Nimbus Manticore (UNC1549) conducted three MiniFast backdoor waves against US aviation and aerospace </strong> between February and April 2026 via SEO poisoning &mdash; a novel delivery technique for Iranian APTs, with AI-assisted malware development confirmed. </li> <li> <strong> Threat level remains ELEVATED </strong> (unchanged from Day 87). No de-escalation signals detected. Infrastructure expansion continues to accumulate offensive capacity. </li> </ul> <h2> <strong> Conflict &amp; Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2026-02-28 </p> </td> <td> <p> Iran-Israel conflict escalation begins </p> </td> <td> <p> Day 0 &mdash; cyber operations surge </p> </td> </tr> <tr> <td> <p> 2026-03-13 </p> </td> <td> <p> Stryker wiper attack (Void Manticore/Handala) </p> </td> <td> <p> 20+ defense-sector systems destroyed </p> </td> </tr> <tr> <td> <p> 2026-02 &ndash; 2026-04 </p> </td> <td> <p> Three MiniFast backdoor waves (Nimbus Manticore/UNC1549) </p> </td> <td> <p> US aviation/aerospace targeted via SEO poisoning &mdash; first for Iranian APTs </p> </td> </tr> <tr> <td> <p> 2026-04-08 </p> </td> <td> <p> Nominal ceasefire declared </p> </td> <td> <p> Cyber operations intensify rather than decrease </p> </td> </tr> <tr> <td> <p> 2026-05-25 </p> </td> <td> <p> IRGC-directed PLC manipulation at food plant </p> </td> <td> <p> Three compressors destroyed using valid credentials alone &mdash; no malware </p> </td> </tr> <tr> <td> <p> 2026-05-26 </p> </td> <td> <p> CISA publishes 7 ICS advisories (ABB products) </p> </td> <td> <p> Expanded ICS/OT attack surface </p> </td> </tr> <tr> <td> <p> 2026-05-27 </p> </td> <td> <p> ASN 213790 multi-actor convergence confirmed </p> </td> <td> <p> APT28, Mirai, Cactus ransomware, SOCKS4 proxies on single Tehran ASN </p> </td> </tr> <tr> <td> <p> 2026-05-27 </p> </td> <td> <p> ECB warns of Iran-war financial contagion to Europe </p> </td> <td> <p> Potential expansion of hacktivist target aperture </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. ASN 213790: A Multi-Actor Staging Ecosystem </strong> </h3> <p> A single Tehran-based autonomous system &mdash; ASN 213790, operated by "Limited Network" &mdash; has become the most significant convergence point for Iranian-nexus offensive infrastructure we track. In a single network block, we now observe: </p> <ul> <li> <strong> SOCKS4 proxy relays </strong> (ports 9734, 10088, 10693, 10694) providing anonymization for outbound operations </li> <li> <strong> APT28-attributed command-and-control </strong> using non-standard ports with T1059 (Command and Scripting Interpreter) and T1071 (Application Layer Protocol) techniques </li> <li> <strong> Mirai botnet HTTP loader </strong> (confidence 100) for DDoS amplification </li> <li> <strong> Cactus ransomware staging </strong> (confidence 96) </li> </ul> <p> This density of multi-actor tooling on a single network is operationally unsustainable without eventual exposure &mdash; but until that exposure occurs, any new indicator on ASN 213790 should be treated as high-priority regardless of initial classification. </p> <h3> <strong> 2. Multi-Framework C2 on Iranian Research Infrastructure </strong> </h3> <p> Three distinct post-exploitation frameworks are simultaneously active on Iranian academic and research ISPs: </p> <table> <thead> <tr> <th> <p> <strong> Framework </strong> </p> </th> <th> <p> <strong> IP </strong> </p> </th> <th> <p> <strong> Port </strong> </p> </th> <th> <p> <strong> Active Since </strong> </p> </th> <th> <p> <strong> Hosting </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Cobalt Strike BEACON </p> </td> <td> <p> 217.60.241.17 </p> </td> <td> <p> 443 </p> </td> <td> <p> Recent </p> </td> <td> <p> Pfcloud UG (ASN 51396) </p> </td> </tr> <tr> <td> <p> Remcos RAT </p> </td> <td> <p> 62.60.226.42 </p> </td> <td> <p> 43155 </p> </td> <td> <p> Feb 2025 (15+ months) </p> </td> <td> <p> Iranian Research Org for Science &amp; Technology </p> </td> </tr> <tr> <td> <p> Sliver </p> </td> <td> <p> 45.147.77.210 </p> </td> <td> <p> 5900 </p> </td> <td> <p> Sep 2025 </p> </td> <td> <p> Gostaresh Pardazesh Dana Negar (ASN 51889) </p> </td> </tr> </tbody> </table> <p> The Remcos RAT instance has maintained persistence for over 15 months &mdash; an extraordinary dwell time that suggests either domestic surveillance operations or a long-term staging platform for outbound campaigns. The addition of Sliver (an increasingly popular open-source alternative to Cobalt Strike) complicates detection: no single signature or behavioral rule catches all three frameworks. </p> <h3> <strong> 3. ICS/OT Attack Surface Expansion </strong> </h3> <p> CISA's batch of seven ICS advisories (ICSA-26-146-01 through -06 plus one additional) covering ABB AC500 V2 PLCs, Terra AC wallboxes, Zenon Remote Transport, and Eppendorf BioFlo 320 bioreactors arrives in a context where: </p> <ul> <li> On May 25, IRGC-directed operators destroyed physical infrastructure (food plant compressors) by manipulating PLC setpoints using <strong> valid credentials alone </strong> &mdash; no malware deployed </li> <li> HYDRO KITTEN (IRGC-CEC) / Cyber Av3ngers have demonstrated willingness to target water, energy, and food production ICS </li> <li> ABB PLCs share architectural similarities with previously targeted Rockwell systems </li> </ul> <p> The credential-only destruction technique (T0831 &mdash; Manipulation of Control) renders traditional malware-based detection irrelevant for ICS environments. </p> <h3> <strong> 4. MuddyWater (MOIS) Operational Silence </strong> </h3> <p> MuddyWater (also tracked as UNC5667, TEMP.Zagros, Static Kitten), affiliated with Iran's Ministry of Intelligence and Security (MOIS), has been operationally silent since December 2025 &mdash; now approaching six months. Their Anomali ThreatStream Next-Gen profile was updated on 2026-05-27, but no associated IOCs or campaigns surfaced. This silence, coinciding with Iran's domestic internet shutdown, strongly indicates wartime retooling. When MuddyWater resurfaces, expect evolved TTPs that bypass current detection signatures. </p> <h3> <strong> 5. European Financial Sector Enters the Target Aperture </strong> </h3> <p> The ECB's public warning that the Iran war is amplifying European financial vulnerabilities is a leading indicator. Historically, pro-Iran hacktivist groups (Cyber Toufan, Handala) have expanded targeting when geopolitical narratives provide justification. European banks, payment processors, and financial market infrastructure should anticipate: </p> <ul> <li> DDoS campaigns (T1498) against public-facing services </li> <li> Defacement operations (T1491.002) for propaganda value </li> <li> Potential credential harvesting campaigns against financial sector employees </li> </ul> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> HYDRO KITTEN/Cyber Av3ngers resume public claims </p> </td> <td> <p> 60% </p> </td> <td> <p> Within 5 days </p> </td> <td> <p> Operational silence typically precedes new campaign announcements </p> </td> </tr> <tr> <td> <p> ASN 213790 infrastructure linked to named campaign </p> </td> <td> <p> 40% </p> </td> <td> <p> Within 2 weeks </p> </td> <td> <p> Multi-actor tool density is unsustainable without operational exposure </p> </td> </tr> <tr> <td> <p> New Iranian exploitation of internet-facing assets </p> </td> <td> <p> 25% </p> </td> <td> <p> Within 7 days </p> </td> <td> <p> Expected once intelligence collection feeds recover from weekend gap </p> </td> </tr> <tr> <td> <p> Pro-Iran hacktivists expand targeting to European financial institutions </p> </td> <td> <p> 35% </p> </td> <td> <p> Within 30 days </p> </td> <td> <p> ECB warning provides narrative justification; conflict spillover pattern </p> </td> </tr> <tr> <td> <p> MuddyWater resurfaces with evolved tooling </p> </td> <td> <p> 30% </p> </td> <td> <p> Within 60 days </p> </td> <td> <p> Six months of silence = retooling cycle consistent with prior patterns </p> </td> </tr> <tr> <td> <p> Dormant Iranian access in DIB networks activates </p> </td> <td> <p> 20% </p> </td> <td> <p> Escalation-dependent </p> </td> <td> <p> Pioneer Kitten/UNC6446 historical pattern of pre-positioned webshells </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Immediate Detection Priorities </strong> </h3> <p> <strong> Hunt Hypothesis 1: ASN 213790 Communications </strong> </p> <ul> <li> <strong> What to look for: </strong> Any outbound connections to the 192.253.248.0/24 and 206.123.156.0/24 ranges </li> <li> <strong> ATT&amp;CK techniques: </strong> T1090.002 (External Proxy), T1071 (Application Layer Protocol), T1571 (Non-Standard Port) </li> <li> <strong> Detection logic: </strong> Alert on connections to ports 9734, 10088, 10693, 10694 (SOCKS4 proxy) and any traffic to 192.253.248[.]169, 192.253.248[.]52, 192.253.248[.]55, 185.93.89[.]43 </li> <li> <strong> Investigation: </strong> If hits found, correlate with authentication logs &mdash; Iranian operators increasingly use valid credentials (T1078) </li> </ul> <p> <strong> Hunt Hypothesis 2: Cobalt Strike BEACON on Port 443 </strong> </p> <ul> <li> <strong> What to look for: </strong> HTTPS connections to 217.60.241[.]17 with Cobalt Strike JA3/JA3S fingerprints </li> <li> <strong> ATT&amp;CK techniques: </strong> T1071.001 (Web Protocols), T1573.001 (Encrypted Channel), T1105 (Ingress Tool Transfer) </li> <li> <strong> Detection logic: </strong> Review 30 days of firewall/proxy logs for any historical connection to this IP; deploy CS malleable C2 profile detection on NDR platforms </li> <li> <strong> Investigation: </strong> If beacon detected, assume full compromise &mdash; Cobalt Strike enables lateral movement within minutes </li> </ul> <p> <strong> Hunt Hypothesis 3: Sliver Framework Masquerading </strong> </p> <ul> <li> <strong> What to look for: </strong> Traffic to 45.147.77[.]210 on port 5900 (VNC port masquerading) </li> <li> <strong> ATT&amp;CK techniques: </strong> T1219 (Remote Access Software), T1571 (Non-Standard Port), T1071.001 (Web Protocols) </li> <li> <strong> Detection logic: </strong> Port 5900 traffic that does NOT match VNC protocol headers = likely Sliver C2; deploy Sliver-specific JA3 fingerprints to NDR/IDS </li> <li> <strong> Investigation: </strong> Cross-reference with any Remcos RAT indicators &mdash; operators may maintain multiple implants </li> </ul> <p> <strong> Hunt Hypothesis 4: ICS/OT Credential-Based Manipulation </strong> </p> <ul> <li> <strong> What to look for: </strong> Anomalous PLC setpoint changes, especially outside maintenance windows, using valid engineering workstation credentials </li> <li> <strong> ATT&amp;CK techniques (ICS): </strong> T0831 (Manipulation of Control), T0859 (Valid Accounts), T0821 (Modify Controller Tasking) </li> <li> <strong> Detection logic: </strong> This attack uses NO malware &mdash; monitor for setpoint changes exceeding normal operational parameters; alert on engineering workstation logins from unexpected source IPs </li> <li> <strong> Investigation: </strong> Correlate with physical process anomalies (pressure, temperature, flow rate deviations) </li> </ul> <h3> <strong> Blocking Recommendations </strong> </h3> <p> Add the following to network IOC blocklists immediately: </p> <table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Indicator </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192.253.248[.]169 </p> </td> <td> <p> Mirai C2, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192.253.248[.]52 </p> </td> <td> <p> APT28-attributed, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192.253.248[.]55 </p> </td> <td> <p> APT28-attributed, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 185.93.89[.]43 </p> </td> <td> <p> Cactus ransomware, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 217.60.241[.]17 </p> </td> <td> <p> Cobalt Strike BEACON </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 62.60.226[.]42 </p> </td> <td> <p> Remcos RAT C2 (15+ months active) </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 45.147.77[.]210 </p> </td> <td> <p> Sliver C2 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 206.123.156[.]220 </p> </td> <td> <p> SOCKS4 proxy, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 206.123.156[.]230 </p> </td> <td> <p> SOCKS4 proxy, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 206.123.156[.]231 </p> </td> <td> <p> SOCKS4 proxy, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 206.123.156[.]238 </p> </td> <td> <p> SOCKS4 proxy, ASN 213790 </p> </td> </tr> </tbody> </table> <p> Additional IOCs available via ThreatStream Next-Gen </p> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services </strong> </h3> <p> The ECB's Iran-war financial contagion warning elevates this sector's risk profile. Pro-Iran hacktivists have historically targeted financial institutions for propaganda value during escalation periods. </p> <ul> <li> <strong> Immediate: </strong> Increase DDoS mitigation readiness for public-facing banking portals and payment APIs; pre-stage scrubbing center capacity </li> <li> <strong> 7-Day: </strong> Review OAuth token lifecycle management &mdash; supply chain compromises have demonstrated that OAuth abuse enables persistent access to CI/CD pipelines used by fintech partners; audit long-lived tokens and enforce short-lived credential policies </li> <li> <strong> 30-Day: </strong> Conduct tabletop exercise simulating coordinated hacktivist DDoS + credential harvesting campaign against customer-facing systems </li> <li> <strong> Monitor for: </strong> T1498 (Network DoS), T1491.002 (External Defacement), T1078 (Valid Accounts via credential stuffing) </li> </ul> <h3> <strong> Energy </strong> </h3> <p> Iranian ICS/OT capabilities have escalated to physical destruction without malware. The May 25 food plant compressor attack demonstrates that valid credentials + PLC access = kinetic damage. </p> <ul> <li> <strong> Immediate: </strong> Audit all engineering workstation access credentials; enforce MFA on all HMI/SCADA login paths; verify PLC setpoint change alerting is functional </li> <li> <strong> 7-Day: </strong> Patch ABB AC500 V2 and Terra AC systems per CISA ICSA-26-146 advisories; segment OT networks to prevent IT-to-OT lateral movement </li> <li> <strong> 30-Day: </strong> Deploy OT-specific anomaly detection (e.g., Claroty, Dragos, Nozomi) focused on setpoint manipulation rather than malware signatures </li> <li> <strong> Monitor for: </strong> T0831 (Manipulation of Control), T0859 (Valid Accounts in ICS), T0821 (Modify Controller Tasking), anomalous process variable deviations </li> </ul> <h3> <strong> Healthcare </strong> </h3> <p> Eppendorf BioFlo 320 bioreactor advisory (CISA) directly impacts pharmaceutical manufacturing and research facilities. Iranian actors have not historically targeted healthcare, but the credential-only attack model lowers the barrier. </p> <ul> <li> <strong> Immediate: </strong> Identify all BioFlo 320 deployments and apply vendor patches; isolate bioreactor control systems from general IT networks </li> <li> <strong> 7-Day: </strong> Audit remote access to laboratory automation systems; disable default credentials on all bioprocess controllers </li> <li> <strong> 30-Day: </strong> Establish baseline process parameters for critical bioreactors to enable anomaly detection of unauthorized setpoint changes </li> <li> <strong> Monitor for: </strong> T1190 (Exploit Public-Facing Application), unauthorized remote access to lab automation, process deviations in fermentation/cell culture parameters </li> </ul> <h3> <strong> Government / Defense Industrial Base </strong> </h3> <p> PIR-007 (DIB pre-positioning) has been quiet for 10 consecutive days. Historical precedent shows Iranian actors (Pioneer Kitten/UNC6446) maintain dormant access for months before activation during kinetic escalation windows. </p> <ul> <li> <strong> Immediate: </strong> Review VPN concentrator logs for webshell indicators (DVSL.aspx patterns, CVE-2024-3400 exploitation remnants); check for unauthorized SSH keys on edge devices </li> <li> <strong> 7-Day: </strong> Commission proactive threat hunt across DIB contractor networks focusing on Cisco ASA/FTD, Ivanti EPMM, Fortinet, and PAN-OS devices &mdash; all historically targeted by Iranian actors </li> <li> <strong> 30-Day: </strong> Implement zero-trust network segmentation for contractor access; require continuous authentication for privileged sessions </li> <li> <strong> Monitor for: </strong> T1133 (External Remote Services), T1505.003 (Web Shell), T1078 (Valid Accounts), dormant scheduled tasks or cron jobs on edge infrastructure </li> </ul> <h3> <strong> Aviation / Logistics </strong> </h3> <p> Nimbus Manticore (UNC1549/Imperial Kitten/Smoke Sandstorm/TA455) conducted three MiniFast backdoor waves against US aviation and aerospace between February and April 2026 using SEO poisoning &mdash; a novel delivery technique for Iranian APTs, with AI-assisted malware development confirmed. </p> <ul> <li> <strong> Immediate: </strong> Block known MiniFast C2 infrastructure; deploy browser isolation for employees conducting job-related web searches (SEO poisoning vector) </li> <li> <strong> 7-Day: </strong> Audit all recently installed browser extensions and downloaded executables from search engine results; scan for MiniFast persistence mechanisms </li> <li> <strong> 30-Day: </strong> Implement application allowlisting on engineering workstations; conduct awareness training on SEO poisoning threats targeting aviation professionals </li> <li> <strong> Monitor for: </strong> T1608.006 (SEO Poisoning), T1204.001 (User Execution: Malicious Link), T1547 (Boot or Logon Autostart Execution), connections to Iranian ASN ranges from aviation network segments </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> SOC </p> </td> <td> <p> Block all 11 ASN 213790 IPs listed above at perimeter firewall and hunt for historical connections in 30-day logs </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> Add Cobalt Strike beacon IP 217.60.241[.]17:443 to blocklist; hunt for JA3 fingerprint matches in TLS inspection logs </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy alerting for Remcos RAT C2 (62.60.226[.]42:43155) and Sliver (45.147.77[.]210:5900) </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> OT Security </p> </td> <td> <p> Verify PLC setpoint change alerting is active and functional &mdash; the May 25 attack used NO malware; only credential-based manipulation </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Confirm ABB ICS advisory patches are in the deployment queue (ICSA-26-146-01 through -06) </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> SOC/CTI </p> </td> <td> <p> Initiate proactive hunt for Pioneer Kitten webshell artifacts across DIB contractor VPN concentrators (10 days quiet &mdash; approaching mandatory hunt threshold) </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy Sliver C2 detection signatures &mdash; JA3 fingerprints + port 5900 non-VNC protocol detection &mdash; to NDR/IDS platforms </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Complete ABB AC500 V2, Terra AC, and Zenon patching per CISA advisories </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> Security Engineering </p> </td> <td> <p> Audit OAuth token configurations across all CI/CD pipelines; revoke long-lived tokens; implement short-lived credentials </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> CTI </p> </td> <td> <p> Verify OSINT feed connectivity &mdash; zero returns across 12 queries is anomalous and represents a collection single-point-of-failure </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> CISO </p> </td> <td> <p> Assess European financial sector partner exposure to Iran-conflict spillover; review shared infrastructure with entities on hacktivist target lists </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission red team assessment of ICS/OT environments focusing on credential-only attack paths (no malware, valid credentials + PLC manipulation) </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> Security Architecture </p> </td> <td> <p> Add secondary OSINT collection source to eliminate single-point-of-failure in intelligence feeds </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> IR Team </p> </td> <td> <p> Update incident response playbooks to include "credential-only ICS destruction" scenario &mdash; traditional malware forensics will find nothing </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> Executive </p> </td> <td> <p> Conduct tabletop exercise simulating coordinated Iranian cyber-kinetic escalation: simultaneous DDoS + ICS manipulation + hacktivist IO campaign </p> </td> </tr> </tbody> </table> <h2> <strong> The Bottom Line </strong> </h2> <p> The Iran conflict is 88 days old. The ceasefire has not reduced cyber risk &mdash; it has formalized the "war between wars" doctrine that keeps operations below the threshold of kinetic response while accumulating offensive capacity. Today's intelligence shows that capacity growing: a Tehran-based ASN hosting an entire ecosystem of offensive tools, three distinct C2 frameworks staged on research infrastructure, and a European central bank publicly acknowledging the conflict's financial contagion. </p> <p> The most dangerous development remains the May 25 credential-only PLC destruction. This technique leaves no malware artifacts, no signatures to detect, no hashes to block. It requires defenders to shift from "find the malware" to "monitor the physics" &mdash; watching for process anomalies that indicate unauthorized manipulation of industrial control systems. </p> <p> Your adversaries are patient. MuddyWater (MOIS) has been silent for six months &mdash; retooling. Pioneer Kitten's dormant access in DIB networks hasn't been confirmed cleared. HYDRO KITTEN's (IRGC-CEC) operational pause likely precedes their next campaign announcement. </p> <p> <strong> Don't wait for the next wiper. Hunt now. </strong> </p> <p> <em> Anomali CTI Desk | 2026-05-27 | TLP:GREEN </em> </p> <p> <em> Intelligence sources: ThreatStream Next-Gen, CISA ICS-CERT, Reuters/ECB, open-source collection </em> </p>

FEATURED RESOURCES

July 10, 2026
Anomali Cyber Watch

Iranian Cyber Operations Reach Inflection Point: FortiBleed Pipeline Weaponized, Multi-Actor Convergence Accelerates

Read More
July 10, 2026
Anomali Cyber Watch
Public Sector

Critical ColdFusion Vulnerability, New Phishing-as-a-Service Platform, and Russian Infrastructure Refresh Demand Immediate State Government Action

Read More
July 8, 2026
Anomali Cyber Watch
Public Sector

Critical Vulnerabilities and Novel Attack Techniques Threaten State Government Networks

Read More
Explore All