<p> <strong> Threat Assessment Level: ELEVATED </strong>
</p>
<p> Nearly three months into the Iran-Israel conflict (Day 88 since February 28, 2026), Iranian state-affiliated cyber operations continue to expand offensive infrastructure capacity despite the nominal ceasefire declared on April 8. Today's intelligence reveals a troubling convergence: multiple offensive frameworks, APT-attributed infrastructure, and botnet command-and-control servers are consolidating on a single Tehran-based network — while a European Central Bank warning signals that the conflict's economic shockwaves are now reaching European policymakers. For CISOs, the message is clear: the ceasefire has not reduced cyber risk. It has shifted it below the threshold of kinetic conflict, exactly where Iranian doctrine says it should operate.
</p>
<h2> <strong> What Changed </strong>
</h2>
<p> <strong> Since our last assessment (2026-05-26): </strong>
</p>
<ul> <li> <strong> ASN 213790 ("Limited Network," Tehran) confirmed as multi-actor staging ground </strong> — now hosting APT28-attributed IPs, Mirai botnet C2, Cactus ransomware infrastructure, AND Iranian SOCKS4 proxy relays on the same network block. This is no longer a single-actor concern; it's an operational ecosystem. </li> <li> <strong> Three offensive frameworks confirmed co-located on Iranian research infrastructure </strong> — Cobalt Strike, Remcos RAT, and Sliver C2 are simultaneously active on Iranian academic/research ISPs, suggesting either a bulletproof hosting service or a sophisticated operator maintaining tool diversity. </li> <li> <strong> ECB publicly warned that the Iran war is "amplifying Europe's financial vulnerabilities" </strong> — a geopolitical escalation signal that may expand pro-Iran hacktivist targeting from Israel/US to European financial institutions. </li> <li> <strong> Seven new ICS advisories from CISA </strong> covering ABB AC500 V2, Terra AC, Zenon, and other industrial systems — expanding the attack surface relevant to Iranian ICS/OT targeting capabilities. </li> <li> <strong> Defense Industrial Base (DIB) pre-positioning intelligence has been quiet for 10 consecutive days </strong> — approaching the threshold for mandatory proactive hunting. Absence is not safety. </li> <li> <strong> MuddyWater (MOIS) remains operationally silent since December 2025 </strong> — now approaching six months of quiet, consistent with a wartime retooling cycle. When they resurface, expect evolved TTPs that bypass current detection signatures. </li> <li> <strong> Nimbus Manticore (UNC1549) conducted three MiniFast backdoor waves against US aviation and aerospace </strong> between February and April 2026 via SEO poisoning — a novel delivery technique for Iranian APTs, with AI-assisted malware development confirmed. </li> <li> <strong> Threat level remains ELEVATED </strong> (unchanged from Day 87). No de-escalation signals detected. 
Infrastructure expansion continues to accumulate offensive capacity. </li>
</ul>
<h2> <strong> Conflict & Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2026-02-28 </p> </td> <td> <p> Iran-Israel conflict escalation begins </p> </td> <td> <p> Day 0 — cyber operations surge </p> </td> </tr> <tr> <td> <p> 2026-03-13 </p> </td> <td> <p> Stryker wiper attack (Void Manticore/Handala) </p> </td> <td> <p> 20+ defense-sector systems destroyed </p> </td> </tr> <tr> <td> <p> 2026-02 – 2026-04 </p> </td> <td> <p> Three MiniFast backdoor waves (Nimbus Manticore/UNC1549) </p> </td> <td> <p> US aviation/aerospace targeted via SEO poisoning — first for Iranian APTs </p> </td> </tr> <tr> <td> <p> 2026-04-08 </p> </td> <td> <p> Nominal ceasefire declared </p> </td> <td> <p> Cyber operations intensify rather than decrease </p> </td> </tr> <tr> <td> <p> 2026-05-25 </p> </td> <td> <p> IRGC-directed PLC manipulation at food plant </p> </td> <td> <p> Three compressors destroyed using valid credentials alone — no malware </p> </td> </tr> <tr> <td> <p> 2026-05-26 </p> </td> <td> <p> CISA publishes 7 ICS advisories (ABB products) </p> </td> <td> <p> Expanded ICS/OT attack surface </p> </td> </tr> <tr> <td> <p> 2026-05-27 </p> </td> <td> <p> ASN 213790 multi-actor convergence confirmed </p> </td> <td> <p> APT28, Mirai, Cactus ransomware, SOCKS4 proxies on single Tehran ASN </p> </td> </tr> <tr> <td> <p> 2026-05-27 </p> </td> <td> <p> ECB warns of Iran-war financial contagion to Europe </p> </td> <td> <p> Potential expansion of hacktivist target aperture </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. ASN 213790: A Multi-Actor Staging Ecosystem </strong>
</h3>
<p> A single Tehran-based autonomous system — ASN 213790, operated by "Limited Network" — has become the most significant convergence point for Iranian-nexus offensive infrastructure we track. In a single network block, we now observe:
</p>
<ul> <li> <strong> SOCKS4 proxy relays </strong> (ports 9734, 10088, 10693, 10694) providing anonymization for outbound operations </li> <li> <strong> APT28-attributed command-and-control </strong> using non-standard ports with T1059 (Command and Scripting Interpreter) and T1071 (Application Layer Protocol) techniques </li> <li> <strong> Mirai botnet HTTP loader </strong> (confidence 100) for DDoS amplification </li> <li> <strong> Cactus ransomware staging </strong> (confidence 96) </li>
</ul>
<p> This density of multi-actor tooling on a single network is operationally unsustainable without eventual exposure — but until that exposure occurs, any new indicator on ASN 213790 should be treated as high-priority regardless of initial classification.
</p>
<h3> <strong> 2. Multi-Framework C2 on Iranian Research Infrastructure </strong>
</h3>
<p> Three distinct post-exploitation frameworks are simultaneously active on Iranian academic and research ISPs:
</p>
<table> <thead> <tr> <th> <p> <strong> Framework </strong> </p> </th> <th> <p> <strong> IP </strong> </p> </th> <th> <p> <strong> Port </strong> </p> </th> <th> <p> <strong> Active Since </strong> </p> </th> <th> <p> <strong> Hosting </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Cobalt Strike BEACON </p> </td> <td> <p> 217.60.241.17 </p> </td> <td> <p> 443 </p> </td> <td> <p> Recent </p> </td> <td> <p> Pfcloud UG (ASN 51396) </p> </td> </tr> <tr> <td> <p> Remcos RAT </p> </td> <td> <p> 62.60.226.42 </p> </td> <td> <p> 43155 </p> </td> <td> <p> Feb 2025 (15+ months) </p> </td> <td> <p> Iranian Research Org for Science & Technology </p> </td> </tr> <tr> <td> <p> Sliver </p> </td> <td> <p> 45.147.77.210 </p> </td> <td> <p> 5900 </p> </td> <td> <p> Sep 2025 </p> </td> <td> <p> Gostaresh Pardazesh Dana Negar (ASN 51889) </p> </td> </tr> </tbody>
</table>
<p> The Remcos RAT instance has maintained persistence for over 15 months — an extraordinary dwell time that suggests either domestic surveillance operations or a long-term staging platform for outbound campaigns. The addition of Sliver (an increasingly popular open-source alternative to Cobalt Strike) complicates detection: no single signature or behavioral rule catches all three frameworks.
</p>
<h3> <strong> 3. ICS/OT Attack Surface Expansion </strong>
</h3>
<p> CISA's batch of seven ICS advisories (ICSA-26-146-01 through -06 plus one additional) covering ABB AC500 V2 PLCs, Terra AC wallboxes, Zenon Remote Transport, and Eppendorf BioFlo 320 bioreactors arrives in a context where:
</p>
<ul> <li> On May 25, IRGC-directed operators destroyed physical infrastructure (food plant compressors) by manipulating PLC setpoints using <strong> valid credentials alone </strong> — no malware deployed </li> <li> HYDRO KITTEN (IRGC-CEC) / Cyber Av3ngers have demonstrated willingness to target water, energy, and food production ICS </li> <li> ABB PLCs share architectural similarities with previously targeted Rockwell systems </li>
</ul>
<p> The credential-only destruction technique (T0831 — Manipulation of Control) renders traditional malware-based detection irrelevant for ICS environments.
</p>
<h3> <strong> 4. MuddyWater (MOIS) Operational Silence </strong>
</h3>
<p> MuddyWater (also tracked as UNC5667, TEMP.Zagros, Static Kitten), affiliated with Iran's Ministry of Intelligence and Security (MOIS), has been operationally silent since December 2025 — now approaching six months. Their Anomali ThreatStream Next-Gen profile was updated on 2026-05-27, but no associated IOCs or campaigns surfaced. This silence, coinciding with Iran's domestic internet shutdown, strongly indicates wartime retooling. When MuddyWater resurfaces, expect evolved TTPs that bypass current detection signatures.
</p>
<h3> <strong> 5. European Financial Sector Enters the Target Aperture </strong>
</h3>
<p> The ECB's public warning that the Iran war is amplifying European financial vulnerabilities is a leading indicator. Historically, pro-Iran hacktivist groups (Cyber Toufan, Handala) have expanded targeting when geopolitical narratives provide justification. European banks, payment processors, and financial market infrastructure should anticipate:
</p>
<ul> <li> DDoS campaigns (T1498) against public-facing services </li> <li> Defacement operations (T1491.002) for propaganda value </li> <li> Potential credential harvesting campaigns against financial sector employees </li>
</ul>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> HYDRO KITTEN/Cyber Av3ngers resume public claims </p> </td> <td> <p> 60% </p> </td> <td> <p> Within 5 days </p> </td> <td> <p> Operational silence typically precedes new campaign announcements </p> </td> </tr> <tr> <td> <p> ASN 213790 infrastructure linked to named campaign </p> </td> <td> <p> 40% </p> </td> <td> <p> Within 2 weeks </p> </td> <td> <p> Multi-actor tool density is unsustainable without operational exposure </p> </td> </tr> <tr> <td> <p> New Iranian exploitation of internet-facing assets </p> </td> <td> <p> 25% </p> </td> <td> <p> Within 7 days </p> </td> <td> <p> Expected once intelligence collection feeds recover from weekend gap </p> </td> </tr> <tr> <td> <p> Pro-Iran hacktivists expand targeting to European financial institutions </p> </td> <td> <p> 35% </p> </td> <td> <p> Within 30 days </p> </td> <td> <p> ECB warning provides narrative justification; conflict spillover pattern </p> </td> </tr> <tr> <td> <p> MuddyWater resurfaces with evolved tooling </p> </td> <td> <p> 30% </p> </td> <td> <p> Within 60 days </p> </td> <td> <p> Six months of silence = retooling cycle consistent with prior patterns </p> </td> </tr> <tr> <td> <p> Dormant Iranian access in DIB networks activates </p> </td> <td> <p> 20% </p> </td> <td> <p> Escalation-dependent </p> </td> <td> <p> Pioneer Kitten/UNC6446 historical pattern of pre-positioned webshells </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Immediate Detection Priorities </strong>
</h3>
<p> <strong> Hunt Hypothesis 1: ASN 213790 Communications </strong>
</p>
<ul> <li> <strong> What to look for: </strong> Any outbound connections to the 192.253.248.0/24 and 206.123.156.0/24 ranges </li> <li> <strong> ATT&CK techniques: </strong> T1090.002 (External Proxy), T1071 (Application Layer Protocol), T1571 (Non-Standard Port) </li> <li> <strong> Detection logic: </strong> Alert on connections to ports 9734, 10088, 10693, 10694 (SOCKS4 proxy) and any traffic to 192.253.248[.]169, 192.253.248[.]52, 192.253.248[.]55, 185.93.89[.]43 </li> <li> <strong> Investigation: </strong> If hits found, correlate with authentication logs — Iranian operators increasingly use valid credentials (T1078) </li>
</ul>
<p> <strong> Hunt Hypothesis 2: Cobalt Strike BEACON on Port 443 </strong>
</p>
<ul> <li> <strong> What to look for: </strong> HTTPS connections to 217.60.241[.]17 with Cobalt Strike JA3/JA3S fingerprints </li> <li> <strong> ATT&CK techniques: </strong> T1071.001 (Web Protocols), T1573.001 (Encrypted Channel), T1105 (Ingress Tool Transfer) </li> <li> <strong> Detection logic: </strong> Review 30 days of firewall/proxy logs for any historical connection to this IP; deploy CS malleable C2 profile detection on NDR platforms </li> <li> <strong> Investigation: </strong> If beacon detected, assume full compromise — Cobalt Strike enables lateral movement within minutes </li>
</ul>
<p> <strong> Hunt Hypothesis 3: Sliver Framework Masquerading </strong>
</p>
<ul> <li> <strong> What to look for: </strong> Traffic to 45.147.77[.]210 on port 5900 (VNC port masquerading) </li> <li> <strong> ATT&CK techniques: </strong> T1219 (Remote Access Software), T1571 (Non-Standard Port), T1071.001 (Web Protocols) </li> <li> <strong> Detection logic: </strong> Port 5900 traffic that does NOT match VNC protocol headers = likely Sliver C2; deploy Sliver-specific JA3 fingerprints to NDR/IDS </li> <li> <strong> Investigation: </strong> Cross-reference with any Remcos RAT indicators — operators may maintain multiple implants </li>
</ul>
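<p> As an added illustration of Hunt Hypotheses 1 through 3 (example code written for this page, not from the brief or from Anomali), the following Python triages firewall log lines against the indicators listed above: it refangs the brief's IPs, matches the ASN 213790 ranges and SOCKS4 ports, and flags port 5900 sessions whose first server bytes are not the RFB banner a real VNC server sends. The log format, the internal addresses and the sample lines are constructed for the example.
</p>

```python
import ipaddress
import re

# Indicators copied from the brief, in its defanged "[.]" form.
ASN_213790_RANGES = ["192.253.248.0/24", "206.123.156.0/24"]
SOCKS4_PORTS = {9734, 10088, 10693, 10694}
INDICATORS = {  # defanged IP -> (expected port or None for any port, context)
    "192.253.248[.]169": (None, "Mirai C2, ASN 213790"),
    "192.253.248[.]52": (None, "APT28-attributed, ASN 213790"),
    "192.253.248[.]55": (None, "APT28-attributed, ASN 213790"),
    "185.93.89[.]43": (None, "Cactus ransomware, ASN 213790"),
    "206.123.156[.]220": (None, "SOCKS4 proxy, ASN 213790"),
    "206.123.156[.]230": (None, "SOCKS4 proxy, ASN 213790"),
    "206.123.156[.]231": (None, "SOCKS4 proxy, ASN 213790"),
    "206.123.156[.]238": (None, "SOCKS4 proxy, ASN 213790"),
    "217.60.241[.]17": (443, "Cobalt Strike BEACON"),
    "62.60.226[.]42": (43155, "Remcos RAT C2"),
    "45.147.77[.]210": (5900, "Sliver C2 (VNC port masquerading)"),
}

def refang(ioc: str) -> str:
    """Turn the brief's defanged form back into a matchable address."""
    return ioc.replace("[.]", ".")

NETS = [ipaddress.ip_network(n) for n in ASN_213790_RANGES]
C2 = {refang(k): v for k, v in INDICATORS.items()}

# Assumed (constructed) log format, not a real product's:
#   "<ts> src=<ip>:<port> dst=<ip>:<port> bytes=<n> [first=<hex of first server bytes>]"
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b")
FIRST_RE = re.compile(r"\bfirst=([0-9a-fA-F]+)\b")

def looks_like_vnc(first_hex: str) -> bool:
    """A real RFB (VNC) server opens with the ASCII banner 'RFB 003.00x'."""
    try:
        return bytes.fromhex(first_hex).startswith(b"RFB 0")
    except ValueError:
        return False

def classify(line: str):
    """Reasons a log line matches Hunt Hypotheses 1-3, or None if it matches nothing."""
    m = DST_RE.search(line)
    if not m:
        return None
    dst_ip, dst_port = m.group(1), int(m.group(2))
    first = FIRST_RE.search(line)
    hits = []
    if dst_ip in C2:
        port, ctx = C2[dst_ip]
        if port is None or port == dst_port:
            hits.append(ctx)
    # Hunt 3: a 5900 session whose server bytes are not an RFB banner is not VNC.
    if dst_port == 5900 and first and not looks_like_vnc(first.group(1)):
        hits.append("port 5900 session without RFB/VNC banner (T1571)")
    if any(ipaddress.ip_address(dst_ip) in net for net in NETS):
        if dst_port in SOCKS4_PORTS:
            hits.append("SOCKS4 relay port on ASN 213790 range (T1090.002)")
        elif not hits:
            hits.append("unlisted host in ASN 213790 range; review (T1071/T1571)")
    return hits or None

def hunt(lines):
    """Return [(line_number, reasons)] for the lines that match."""
    findings = []
    for number, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            findings.append((number, reasons))
    return findings

# Constructed sample lines; internal sources use the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2026-05-27T03:14:07Z src=192.0.2.10:51324 dst=206.123.156.230:10088 bytes=512",
    "2026-05-27T03:15:11Z src=192.0.2.11:49021 dst=217.60.241.17:443 bytes=9032",
    "2026-05-27T03:16:40Z src=192.0.2.12:50112 dst=45.147.77.210:5900 bytes=2201 first=160301",
    "2026-05-27T03:17:02Z src=192.0.2.13:50113 dst=198.51.100.9:5900 bytes=120 first=524642203030332e303038",
    "2026-05-27T03:18:55Z src=192.0.2.14:44100 dst=192.253.248.17:8080 bytes=300",
    "2026-05-27T03:19:00Z src=192.0.2.15:44101 dst=198.51.100.20:443 bytes=4000",
]
```

<p> Running <code>hunt(SAMPLE_LOG)</code> flags lines 1, 2, 3 and 5; the legitimate VNC session on line 4 and the benign HTTPS connection on line 6 produce nothing.
</p>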
<p> <strong> Hunt Hypothesis 4: ICS/OT Credential-Based Manipulation </strong>
</p>
<ul> <li> <strong> What to look for: </strong> Anomalous PLC setpoint changes, especially outside maintenance windows, using valid engineering workstation credentials </li> <li> <strong> ATT&CK techniques (ICS): </strong> T0831 (Manipulation of Control), T0859 (Valid Accounts), T0821 (Modify Controller Tasking) </li> <li> <strong> Detection logic: </strong> This attack uses NO malware — monitor for setpoint changes exceeding normal operational parameters; alert on engineering workstation logins from unexpected source IPs </li> <li> <strong> Investigation: </strong> Correlate with physical process anomalies (pressure, temperature, flow rate deviations) </li>
</ul>
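<p> Hunt Hypothesis 4 in code, as an added example that is not from the brief: each setpoint write is scored on the value written, the time of day and the source address, so a valid-credential write (T0859) that pushes a tag outside its engineering limits (T0831) surfaces with no malware involved. The tags, limits, maintenance window, engineering workstation subnet and sample events are assumed values constructed for the example.
</p>

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class SetpointChange:
    """One PLC write as an OT monitor or historian would record it (constructed schema)."""
    ts: datetime
    plc: str
    tag: str
    old: float
    new: float
    user: str
    src_ip: str

# Assumed engineering limits per tag: (low, high, max change per single write).
LIMITS = {
    "COMP1.DISCHARGE_PSI": (0.0, 150.0, 10.0),
    "COMP1.SURGE_MARGIN_PCT": (5.0, 40.0, 5.0),
}
# Assumed approved change window (site-local time) and engineering workstation subnet.
MAINT_WINDOW = (time(2, 0), time(4, 0))
EWS_SUBNETS = [ipaddress.ip_network("10.10.5.0/28")]

def in_maint_window(ts: datetime) -> bool:
    return MAINT_WINDOW[0] <= ts.time() < MAINT_WINDOW[1]

def assess(c: SetpointChange):
    """Return (severity, reasons). No malware artifact is consulted: only the value
    written, when it was written, and where the write came from."""
    reasons = []
    if c.tag in LIMITS:
        lo, hi, max_step = LIMITS[c.tag]
        if not lo <= c.new <= hi:
            reasons.append(f"T0831: {c.tag} written to {c.new:g}, outside [{lo:g}, {hi:g}]")
        elif abs(c.new - c.old) > max_step:
            reasons.append(f"T0831: step of {abs(c.new - c.old):g} exceeds max {max_step:g}")
    else:
        reasons.append(f"no engineering limits defined for {c.tag}; review")
    if not in_maint_window(c.ts):
        reasons.append("written outside the approved maintenance window")
    addr = ipaddress.ip_address(c.src_ip)
    if not any(addr in net for net in EWS_SUBNETS):
        reasons.append(f"T0859: valid account {c.user} used from non-EWS source {c.src_ip}")
    control = any(r.startswith("T0831") for r in reasons)
    account = any(r.startswith("T0859") for r in reasons)
    if control and account:
        severity = "critical"  # the May 25 pattern: a valid credential plus a damaging write
    elif control:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "ok"
    return severity, reasons

# Constructed sample events: a routine change, a destructive write, and an oversized step.
EVENTS = [
    SetpointChange(datetime(2026, 5, 25, 2, 30), "PLC-COMP1", "COMP1.DISCHARGE_PSI",
                   120.0, 125.0, "eng_alice", "10.10.5.3"),
    SetpointChange(datetime(2026, 5, 25, 23, 47), "PLC-COMP1", "COMP1.DISCHARGE_PSI",
                   120.0, 175.0, "eng_alice", "10.10.40.22"),
    SetpointChange(datetime(2026, 5, 25, 14, 5), "PLC-COMP1", "COMP1.SURGE_MARGIN_PCT",
                   20.0, 8.0, "eng_bob", "10.10.5.7"),
]

if __name__ == "__main__":
    for event in EVENTS:
        severity, why = assess(event)
        print(f"{event.ts:%H:%M} {event.tag} [{severity}] {'; '.join(why)}")
```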
<h3> <strong> Blocking Recommendations </strong>
</h3>
<p> Add the following to network IOC blocklists immediately:
</p>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Indicator </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192.253.248[.]169 </p> </td> <td> <p> Mirai C2, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192.253.248[.]52 </p> </td> <td> <p> APT28-attributed, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192.253.248[.]55 </p> </td> <td> <p> APT28-attributed, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 185.93.89[.]43 </p> </td> <td> <p> Cactus ransomware, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 217.60.241[.]17 </p> </td> <td> <p> Cobalt Strike BEACON </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 62.60.226[.]42 </p> </td> <td> <p> Remcos RAT C2 (15+ months active) </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 45.147.77[.]210 </p> </td> <td> <p> Sliver C2 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 206.123.156[.]220 </p> </td> <td> <p> SOCKS4 proxy, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 206.123.156[.]230 </p> </td> <td> <p> SOCKS4 proxy, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 206.123.156[.]231 </p> </td> <td> <p> SOCKS4 proxy, ASN 213790 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 206.123.156[.]238 </p> </td> <td> <p> SOCKS4 proxy, ASN 213790 </p> </td> </tr> </tbody>
</table>
<p> Additional IOCs are available via ThreatStream Next-Gen.
</p>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services </strong>
</h3>
<p> The ECB's Iran-war financial contagion warning elevates this sector's risk profile. Pro-Iran hacktivists have historically targeted financial institutions for propaganda value during escalation periods.
</p>
<ul> <li> <strong> Immediate: </strong> Increase DDoS mitigation readiness for public-facing banking portals and payment APIs; pre-stage scrubbing center capacity </li> <li> <strong> 7-Day: </strong> Review OAuth token lifecycle management — supply chain compromises have demonstrated that OAuth abuse enables persistent access to CI/CD pipelines used by fintech partners; audit long-lived tokens and enforce short-lived credential policies </li> <li> <strong> 30-Day: </strong> Conduct tabletop exercise simulating coordinated hacktivist DDoS + credential harvesting campaign against customer-facing systems </li> <li> <strong> Monitor for: </strong> T1498 (Network DoS), T1491.002 (External Defacement), T1078 (Valid Accounts via credential stuffing) </li>
</ul>
<h3> <strong> Energy </strong>
</h3>
<p> Iranian ICS/OT capabilities have escalated to physical destruction without malware. The May 25 food plant compressor attack demonstrates that valid credentials + PLC access = kinetic damage.
</p>
<ul> <li> <strong> Immediate: </strong> Audit all engineering workstation access credentials; enforce MFA on all HMI/SCADA login paths; verify PLC setpoint change alerting is functional </li> <li> <strong> 7-Day: </strong> Patch ABB AC500 V2 and Terra AC systems per CISA ICSA-26-146 advisories; segment OT networks to prevent IT-to-OT lateral movement </li> <li> <strong> 30-Day: </strong> Deploy OT-specific anomaly detection (e.g., Claroty, Dragos, Nozomi) focused on setpoint manipulation rather than malware signatures </li> <li> <strong> Monitor for: </strong> T0831 (Manipulation of Control), T0859 (Valid Accounts in ICS), T0821 (Modify Controller Tasking), anomalous process variable deviations </li>
</ul>
<h3> <strong> Healthcare </strong>
</h3>
<p> CISA's advisory for the Eppendorf BioFlo 320 bioreactor directly affects pharmaceutical manufacturing and research facilities. Iranian actors have not historically targeted healthcare, but the credential-only attack model lowers the barrier to doing so.
</p>
<ul> <li> <strong> Immediate: </strong> Identify all BioFlo 320 deployments and apply vendor patches; isolate bioreactor control systems from general IT networks </li> <li> <strong> 7-Day: </strong> Audit remote access to laboratory automation systems; disable default credentials on all bioprocess controllers </li> <li> <strong> 30-Day: </strong> Establish baseline process parameters for critical bioreactors to enable anomaly detection of unauthorized setpoint changes </li> <li> <strong> Monitor for: </strong> T1190 (Exploit Public-Facing Application), unauthorized remote access to lab automation, process deviations in fermentation/cell culture parameters </li>
</ul>
<h3> <strong> Government / Defense Industrial Base </strong>
</h3>
<p> PIR-007 (DIB pre-positioning) has been quiet for 10 consecutive days. Historical precedent shows Iranian actors (Pioneer Kitten/UNC6446) maintain dormant access for months before activation during kinetic escalation windows.
</p>
<ul> <li> <strong> Immediate: </strong> Review VPN concentrator logs for webshell indicators (DVSL.aspx patterns, CVE-2024-3400 exploitation remnants); check for unauthorized SSH keys on edge devices </li> <li> <strong> 7-Day: </strong> Commission proactive threat hunt across DIB contractor networks focusing on Cisco ASA/FTD, Ivanti EPMM, Fortinet, and PAN-OS devices — all historically targeted by Iranian actors </li> <li> <strong> 30-Day: </strong> Implement zero-trust network segmentation for contractor access; require continuous authentication for privileged sessions </li> <li> <strong> Monitor for: </strong> T1133 (External Remote Services), T1505.003 (Web Shell), T1078 (Valid Accounts), dormant scheduled tasks or cron jobs on edge infrastructure </li>
</ul>
<h3> <strong> Aviation / Logistics </strong>
</h3>
<p> Nimbus Manticore (UNC1549/Imperial Kitten/Smoke Sandstorm/TA455) conducted three MiniFast backdoor waves against US aviation and aerospace between February and April 2026 using SEO poisoning — a novel delivery technique for Iranian APTs, with AI-assisted malware development confirmed.
</p>
<ul> <li> <strong> Immediate: </strong> Block known MiniFast C2 infrastructure; deploy browser isolation for employees conducting job-related web searches (SEO poisoning vector) </li> <li> <strong> 7-Day: </strong> Audit all recently installed browser extensions and downloaded executables from search engine results; scan for MiniFast persistence mechanisms </li> <li> <strong> 30-Day: </strong> Implement application allowlisting on engineering workstations; conduct awareness training on SEO poisoning threats targeting aviation professionals </li> <li> <strong> Monitor for: </strong> T1608.006 (SEO Poisoning), T1204.001 (User Execution: Malicious Link), T1547 (Boot or Logon Autostart Execution), connections to Iranian ASN ranges from aviation network segments </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> SOC </p> </td> <td> <p> Block all 11 ASN 213790 IPs listed above at perimeter firewall and hunt for historical connections in 30-day logs </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> Add Cobalt Strike beacon IP 217.60.241[.]17:443 to blocklist; hunt for JA3 fingerprint matches in TLS inspection logs </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy alerting for Remcos RAT C2 (62.60.226[.]42:43155) and Sliver (45.147.77[.]210:5900) </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> OT Security </p> </td> <td> <p> Verify PLC setpoint change alerting is active and functional — the May 25 attack used NO malware; only credential-based manipulation </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Confirm ABB ICS advisory patches are in the deployment queue (ICSA-26-146-01 through -06) </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> SOC/CTI </p> </td> <td> <p> Initiate proactive hunt for Pioneer Kitten webshell artifacts across DIB contractor VPN concentrators (10 days quiet — approaching mandatory hunt threshold) </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy Sliver C2 detection signatures — JA3 fingerprints + port 5900 non-VNC protocol detection — to NDR/IDS platforms </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Complete ABB AC500 V2, Terra AC, and Zenon patching per CISA advisories </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> Security Engineering </p> </td> <td> <p> Audit OAuth token configurations across all CI/CD pipelines; revoke long-lived tokens; implement short-lived credentials </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> CTI </p> </td> <td> <p> Verify OSINT feed connectivity — zero returns across 12 queries is anomalous and represents a collection single-point-of-failure </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> CISO </p> </td> <td> <p> Assess European financial sector partner exposure to Iran-conflict spillover; review shared infrastructure with entities on hacktivist target lists </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission red team assessment of ICS/OT environments focusing on credential-only attack paths (no malware, valid credentials + PLC manipulation) </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> Security Architecture </p> </td> <td> <p> Add secondary OSINT collection source to eliminate single-point-of-failure in intelligence feeds </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> IR Team </p> </td> <td> <p> Update incident response playbooks to include "credential-only ICS destruction" scenario — traditional malware forensics will find nothing </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> Executive </p> </td> <td> <p> Conduct tabletop exercise simulating coordinated Iranian cyber-kinetic escalation: simultaneous DDoS + ICS manipulation + hacktivist IO campaign </p> </td> </tr> </tbody>
</table>
<h2> <strong> The Bottom Line </strong>
</h2>
<p> The Iran conflict is 88 days old. The ceasefire has not reduced cyber risk — it has formalized the "war between wars" doctrine that keeps operations below the threshold of kinetic response while accumulating offensive capacity. Today's intelligence shows that capacity growing: a Tehran-based ASN hosting an entire ecosystem of offensive tools, three distinct C2 frameworks staged on research infrastructure, and a European central bank publicly acknowledging the conflict's financial contagion.
</p>
<p> The most dangerous development remains the May 25 credential-only PLC destruction. This technique leaves no malware artifacts, no signatures to detect, no hashes to block. It requires defenders to shift from "find the malware" to "monitor the physics" — watching for process anomalies that indicate unauthorized manipulation of industrial control systems.
</p>
<p> Your adversaries are patient. MuddyWater (MOIS) has been silent for six months — retooling. Pioneer Kitten's dormant access in DIB networks hasn't been confirmed cleared. HYDRO KITTEN's (IRGC-CEC) operational pause likely precedes their next campaign announcement.
</p>
<p> <strong> Don't wait for the next wiper. Hunt now. </strong>
</p>
<p> <em> Anomali CTI Desk | 2026-05-27 | TLP:GREEN </em>
</p>
<p> <em> Intelligence sources: ThreatStream Next-Gen, CISA ICS-CERT, Reuters/ECB, open-source collection </em>
</p>