Iranian Cyber Operations Intensify: New C2 Infrastructure, Active Exploitation, and the Russia-Iran Criminal Nexus

Anomali Threat Research

Published on

June 23, 2026

Table of Contents

Threat Assessment Level: ELEVATED (trending HIGH) This assessment is unchanged from the prior cycle. Escalation to HIGH is pending confirmed active exploitation of Fortinet and Ivanti vulnerabilities directly attributed to Iranian APT operators targeting Western critical infrastructure. The convergence of Russian-origin tooling with Iranian C2 infrastructure and the acceleration of edge-device exploitation provide the upward pressure. <h2> Introduction </h2> Nearly four months into the Iran conflict (ongoing since February 28, 2026 — now 115 days), Iranian state-sponsored cyber operations continue to expand in both capability and infrastructure breadth. This week's intelligence collection reveals a troubling convergence: Russian-origin initial access broker tooling appearing on freshly activated Iranian command-and-control servers, critical Fortinet vulnerabilities under active exploitation with CISA issuing emergency hardening directives, and MuddyWater refreshing ransomware-linked malware targeting Gulf state financial institutions. For CISOs, the operational picture is clear — Iranian threat actors are diversifying their infrastructure, accelerating their exploitation timelines, and deepening their integration with Russian-speaking cybercriminal ecosystems. The window between patch release and active exploitation has compressed to seven days. Organizations running Fortinet, Ivanti, or ICS/SCADA systems from Schneider Electric, Mitsubishi, or Rockwell Automation face immediate risk. <h2> What Changed This Week </h2> <table> <thead> <tr> <th> Development </th> <th> Why It Matters </th> </tr> </thead> <tbody> <tr> <td> Three new Cobalt Strike C2 nodes activated across Iranian ISPs (ASN 59441, 44436, 25184) — now spanning 4+ autonomous systems </td> <td> Iranian operators are diversifying infrastructure to evade IP-based blocking; single-ASN blocklists are no longer sufficient </td> </tr> <tr> <td> BumbleBee loader identified on Iranian C2 infrastructure for the first time </td> <td> Signals an active supply-chain relationship between Russian-speaking initial access brokers and Iranian APT operators — the "Dark Covenant" nexus is operational </td> </tr> <tr> <td> CVE-2026-25089 (FortiSandbox, CVSS 9.8) confirmed actively exploited in the wild </td> <td> Unauthenticated RCE; exploitation began just 7 days after patch release — matching Pioneer Kitten's historical n-day exploitation cadence </td> </tr> <tr> <td> CISA updated Fortinet hardening directive (June 22) citing global credential exposure campaign </td> <td> FortiBleed-style credential harvesting ongoing against government networks worldwide </td> </tr> <tr> <td> MuddyWater Hive-family malware refreshed targeting Saudi Arabia and Cyprus </td> <td> Confirms the MOIS-affiliated group's ransomware-as-a-service handoff model remains active </td> </tr> <tr> <td> Ivanti Sentry CVE-2026-10520 (CVSS 10.0) exploitation confirmed but no attributed IOCs yet </td> <td> A dangerous detection blind spot — we know it's being exploited but cannot identify the operators </td> </tr> <tr> <td> Six ICS advisories covering Mitsubishi MELSEC, Schneider Electric, and Rockwell Automation </td> <td> Expands the OT attack surface at a time when Iranian proxy groups (Cyber Av3ngers) have demonstrated ICS targeting intent </td> </tr> <tr> <td> Cyber Av3ngers operationally silent for 9+ days </td> <td> Historically, extended silence from this IRGC-affiliated group precedes new campaign launches </td> </tr> </tbody> </table> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> Feb 28, 2026 </td> <td> Iran conflict begins </td> <td> Initiates current escalation cycle </td> </tr> <tr> <td> Jun 5, 2026 </td> <td> Last known Pioneer Kitten (Fox Kitten) IOC activity </td> <td> 18-day gap suggests infrastructure rotation underway </td> </tr> <tr> <td> Jun 9, 2026 </td> <td> Fortinet releases patch for CVE-2026-25089 </td> <td> Starts the exploitation countdown clock </td> </tr> <tr> <td> Jun 11, 2026 </td> <td> Ivanti Sentry CVE-2026-10520 (CVSS 10.0) exploitation reported </td> <td> Enterprise mobile gateways actively backdoored </td> </tr> <tr> <td> Jun 14, 2026 </td> <td> Cyber Av3ngers last observed activity </td> <td> Operational silence now exceeds 9 days </td> </tr> <tr> <td> Jun 16, 2026 </td> <td> First in-the-wild exploitation of CVE-2026-25089 detected </td> <td> 7-day patch-to-exploit gap — consistent with Iranian APT tempo </td> </tr> <tr> <td> Jun 18, 2026 </td> <td> CISA issues 7 ICS advisories + FortiBleed hardening directive; CVE-2026-20253 (Splunk, CVSS 9.8) added to KEV </td> <td> Simultaneous OT and enterprise edge exposure </td> </tr> <tr> <td> Jun 19, 2026 </td> <td> New Cobalt Strike C2 validated on ASN 31549 (Aria Shatel, Tehran) </td> <td> Fourth Iranian ASN hosting offensive infrastructure </td> </tr> <tr> <td> Jun 21, 2026 </td> <td> MuddyWater Firebase phishing domain reactivated; Venom RAT on ASN 213790 </td> <td> Tooling diversification continues </td> </tr> <tr> <td> Jun 22, 2026 </td> <td> Three additional Cobalt Strike C2 nodes activated (ASN 59441, 44436, 25184); BumbleBee loader association confirmed; CISA updates Fortinet alert </td> <td> Infrastructure expansion accelerates; Russia-Iran nexus confirmed </td> </tr> <tr> <td> Jun 23, 2026 </td> <td> MuddyWater Hive-family hashes refreshed targeting Saudi Arabia/Cyprus </td> <td> RaaS handoff model actively servicing new campaigns </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> 1. Iranian C2 Infrastructure Expansion — The Four-ASN Problem </h3> Iranian offensive cyber infrastructure has expanded from a single autonomous system to four distinct ASNs hosting confirmed Cobalt Strike BEACON C2 servers: <ul> <li> ASN 31549 — Aria Shatel (Tehran) — validated June 19 </li> <li> ASN 59441 — Noavaran Shabakeh Sabz Mehregan — activated June 22 </li> <li> ASN 44436 — Toosee Ertebatat Damavand — DNS-over-HTTPS C2 </li> <li> ASN 25184 — Afranet — long-standing Iranian ISP </li> </ul> This diversification strategy defeats single-IP blocklists and requires defenders to monitor entire Iranian ASN ranges. The use of port 53 (DNS-over-HTTPS) for C2 on ASN 44436 is particularly concerning — it blends with legitimate DNS traffic and may bypass network security controls that whitelist DNS. Attributed actors: Infrastructure patterns are consistent with Pioneer Kitten (also tracked as Fox Kitten, UNC757, Parisite) — an IRGC-affiliated group known for selling network access to ransomware operators. <h3> 2. The Russia-Iran Criminal Nexus Goes Operational </h3> The identification of BumbleBee loader — a malware family historically exclusive to the Russian-speaking cybercriminal ecosystem (Conti, TrickBot, former ITG23 operators) — on Iranian-hosted C2 infrastructure at 45.138.135[.]27 represents a significant escalation in cross-ecosystem cooperation. This is not merely shared hosting. BumbleBee functions as an initial access broker tool: it establishes footholds in victim networks and then hands off access to secondary operators. Its presence on Iranian C2 infrastructure indicates one of three scenarios: <ol> <li> Iranian APT operators are purchasing network access from Russian-speaking initial access brokers </li> <li> A shared bulletproof hosting arrangement enables both ecosystems to operate from the same infrastructure </li> <li> A deliberate operational partnership where Russian criminal groups provide initial access and Iranian state actors conduct follow-on espionage or destructive operations </li> </ol> All three scenarios increase risk. The implication for defenders: detection signatures for Russian-origin malware (BumbleBee, Cobalt Strike loaders) should trigger investigation for Iranian APT follow-on activity, and vice versa. <h3> 3. Fortinet Under Siege — CVE-2026-25089 and the FortiBleed Campaign </h3> Three FortiSandbox vulnerabilities are under active exploitation: <table> <thead> <tr> <th> CVE </th> <th> Type </th> <th> CVSS </th> <th> Status </th> </tr> </thead> <tbody> <tr> <td> CVE-2026-25089 </td> <td> Unauthenticated OS command injection </td> <td> 9.8 CRITICAL </td> <td> Actively exploited in the wild </td> </tr> <tr> <td> CVE-2026-39808 </td> <td> Authentication bypass </td> <td> High </td> <td> Actively exploited </td> </tr> <tr> <td> CVE-2026-39813 </td> <td> Authentication bypass </td> <td> High </td> <td> Actively exploited </td> </tr> </tbody> </table> CVE-2026-25089 affects FortiSandbox versions 5.0.0–5.0.5, 4.4.0–4.4.8, all 4.2.x releases, and Cloud/PaaS editions. It allows unauthenticated remote code execution via crafted HTTP requests — no credentials required. Simultaneously, CISA's updated Fortinet hardening directive (June 22) warns of a global credential exposure campaign targeting government networks — the "FortiBleed" pattern where threat actors harvest credentials from internet-facing Fortinet devices. The exploitation timeline is critical: Fortinet released the patch on June 9. First exploitation was detected on June 16 — a 7-day window . This matches Pioneer Kitten's documented behavior of exploiting n-day vulnerabilities within 7–14 days of patch release (per CISA advisory AA24-290A). Organizations that have not patched within one week of release should assume compromise. <h3> 4. MuddyWater's Ransomware-as-a-Service Handoff Model </h3> MuddyWater (MOIS-affiliated, also tracked as Static Kitten, TEMP.Zagros) refreshed four malware samples targeting Saudi Arabia and Cyprus this week. The samples are tagged to the Hive ransomware family and include PHP webshells, Windows executables, and ZIP archive delivery mechanisms. This confirms MuddyWater's continued operation of a dual-purpose model: initial compromise for espionage, with ransomware deployment as either a secondary monetization path or a destructive/deniable operation disguised as criminal activity. The targeting of Saudi financial institutions and Cypriot entities (likely offshore banking) aligns with Iran's strategic interest in economic disruption of Gulf state adversaries. <h3> 5. Ivanti Sentry — The CVSS 10.0 Blind Spot </h3> CVE-2026-10520 in Ivanti Sentry carries the maximum CVSS score of 10.0 and has been confirmed actively exploited since June 11. Enterprise mobile gateways are being backdoored. Yet no actor-attributed IOCs have surfaced — creating a dangerous detection gap where exploitation is confirmed but defenders cannot identify specific threat infrastructure. This is precisely the type of vulnerability Iranian APT groups (particularly Pioneer Kitten) historically exploit for initial access to enterprise networks. <h3> 6. ICS/OT Attack Surface Expansion </h3> Six simultaneous CISA ICS advisories covering Mitsubishi MELSEC iQ-F Series , Schneider Electric EcoStruxure/Easergy/PowerLogic , and Rockwell Automation FactoryTalk Historian expand the OT vulnerability surface at a critical moment. While no exploitation has been confirmed, these systems are explicitly within the targeting scope of Cyber Av3ngers — the IRGC-affiliated group responsible for attacks on water treatment facilities and whose 9+ day operational silence may precede a new campaign. <h2> Predictive Analysis </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Additional Fortinet exploitation attempts detected as actors race to exploit before patching completes </td> <td> 70% (HIGH) </td> <td> 72 hours </td> <td> Active exploitation confirmed; 7-day patch-to-exploit pattern established </td> </tr> <tr> <td> Pioneer Kitten infrastructure rotation surfaces new IPs on previously unseen ASNs </td> <td> 50% (MODERATE) </td> <td> 7 days </td> <td> 18-day gap matches historical rotation cadence of 14–21 days </td> </tr> <tr> <td> Handala or Cyber Toufan operational pause ends with destructive or information operation targeting Israeli entities </td> <td> 30% (LOW-MODERATE) </td> <td> 14 days </td> <td> 9+ day silence historically precedes campaign launches </td> </tr> <tr> <td> Cyber Av3ngers launch new ICS-targeting campaign leveraging freshly disclosed Schneider/Mitsubishi/Rockwell vulnerabilities </td> <td> 25% (LOW-MODERATE) </td> <td> 30 days </td> <td> Advisories provide targeting information; group has demonstrated ICS capability </td> </tr> <tr> <td> BumbleBee-to-Iranian-APT handoff results in confirmed compromise of Western critical infrastructure entity </td> <td> 20% (LOW) </td> <td> 30 days </td> <td> Supply-chain relationship confirmed but no victim-side evidence yet </td> </tr> <tr> <td> Geopolitical trigger event (negotiation collapse, military escalation) activates dormant Iranian cyber access in CI networks </td> <td> UNKNOWN </td> <td> Unknown </td> <td> Cannot assess — intelligence collection gap on geopolitical indicators </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Immediate Detection Priorities </h3> <ol> <li> Cobalt Strike BEACON on Iranian Infrastructure </li> </ol> <ul> <li> ATT&CK: T1071.001 (Web Protocols), T1219 (Remote Access Software), T1573.002 (Asymmetric Encryption), T1105 (Ingress Tool Transfer) </li> <li> Hunt hypothesis: Hosts beaconing to Iranian ASN ranges (59441, 44436, 25184, 31549, 213790) on ports 8443, 53, or 80 with HTTPS/DoH C2 patterns </li> <li> Detection: Monitor for DNS-over-HTTPS to non-standard resolvers (ASN 44436 uses port 53 for Cobalt Strike C2 — this will appear as encrypted traffic on a DNS port); alert on JA3/JA4 fingerprints matching known Cobalt Strike malleable profiles; inspect SSL certificates on connections to Iranian IP ranges </li> <li> Block: 45.138.135[.]27:8443, 87.107.191[.]39:53, 79.175.189[.]207:80 </li> </ul> <ol start="2"> <li> Remcos RAT Persistent C2 </li> </ol> <ul> <li> ATT&CK: T1219 (Remote Access Software), T1071.001 (Web Protocols), T1573.001 (Symmetric Encryption), T1132.001 (Standard Encoding) </li> <li> Hunt hypothesis: Any endpoint communicating with 62.60.226[.]42 (IROST — Iranian government-affiliated academic network) is likely compromised; this C2 has been active for 16+ months </li> <li> Detection: Network flow analysis for persistent outbound connections to this IP; Remcos RAT typically uses custom TCP protocols with base64-encoded payloads </li> <li> Block: 62.60.226[.]42 (all ports) </li> </ul> <ol start="3"> <li> FortiSandbox Exploitation (CVE-2026-25089) </li> </ol> <ul> <li> ATT&CK: T1190 (Exploit Public-Facing Application), T1059.004 (Unix Shell), T1068 (Privilege Escalation), T1552.001 (Credentials in Files) </li> <li> Hunt hypothesis: FortiSandbox appliances receiving crafted HTTP requests with OS command injection payloads; post-exploitation credential harvesting from configuration files </li> <li> Detection: Monitor FortiSandbox logs for unexpected shell spawning, anomalous HTTP POST requests to management interfaces, new user account creation, or configuration export events; correlate with CISA's FortiBleed indicators </li> <li> Investigate: Any FortiSandbox instance not yet patched to 5.0.6+ or 4.4.9+ should be forensically examined for compromise indicators </li> </ul> <ol start="4"> <li> MuddyWater/Hive Ransomware Delivery </li> </ol> <ul> <li> ATT&CK: T1566.001 (Spearphishing Attachment), T1059.001 (PowerShell), T1486 (Data Encrypted for Impact), T1078 (Valid Accounts) </li> <li> Hunt hypothesis: ZIP attachments delivering PHP webshells or Windows executables to finance/executive targets; post-compromise lateral movement using harvested credentials </li> <li> Detection: Deploy YARA rules for the following SHA-256 hashes; monitor for PHP file uploads to web-accessible directories; alert on PowerShell execution from ZIP-extracted executables </li> <li> Hash monitoring: </li> <ul> <li> bfecab4bbe4901e03868cee748cce2b5fd687c9c0daf38a96ab850868766dc69 </li> <li> 3a108692905f788a7fe875fd9a771c29582bda392266be526a384190f2a55d34 </li> <li> b7e42c7bb14f34c24d31a513fcaf9b2d04fa48939a5f842c569bfc249dad09f9 </li> <li> 5a24c4f14337ed42ee7f332ae660ee3f67015ac02f7c715e9c81d9171439e0a9 </li> </ul> </ul> <ol start="5"> <li> BumbleBee Initial Access Broker Activity </li> </ol> <ul> <li> ATT&CK: T1105 (Ingress Tool Transfer), T1071.001 (Web Protocols) </li> <li> Hunt hypothesis: BumbleBee typically arrives via ISO/VHD files or malicious advertisements; look for DLL sideloading patterns and WMI-based persistence following initial loader execution </li> <li> Detection: Monitor for rundll32.exe executing DLLs from unusual paths (user temp directories, mounted virtual disks); BumbleBee uses unique User-Agent strings and cookie-based C2 communication </li> </ul> <ol start="6"> <li> Ivanti Sentry Exploitation (CVE-2026-10520) </li> </ol> <ul> <li> ATT&CK: T1190 (Exploit Public-Facing Application) </li> <li> Hunt hypothesis: Internet-facing Ivanti Sentry instances receiving exploitation attempts for CVSS 10.0 unauthenticated access; post-exploitation backdoor installation on mobile gateway </li> <li> Detection: Audit all Ivanti Sentry instances for unexpected configuration changes, new admin accounts, or outbound connections to unknown infrastructure; review Ivanti's security advisory for specific IOCs </li> <li> Investigate: Any unpatched Ivanti Sentry instance should be assumed potentially compromised </li> </ul> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Primary threat: MuddyWater's Hive-family ransomware campaign explicitly targets Saudi Arabian and Cypriot financial institutions. The dual-purpose model (espionage + ransomware) means initial compromise may appear as credential theft before escalating to encryption. Actions: <ul> <li> Heighten monitoring of spearphishing targeting finance executives and treasury functions — MuddyWater's Firebase phishing domain was reactivated June 21 </li> <li> Deploy the four MuddyWater SHA-256 hashes to endpoint detection platforms immediately </li> <li> Review wire transfer authorization procedures — Iranian operations have historically targeted SWIFT-connected systems </li> <li> Ensure offline backups are current and tested — Hive ransomware deployment may follow weeks after initial access </li> </ul> <h3> Energy </h3> Primary threat: Six ICS advisories covering Schneider Electric EcoStruxure/Easergy/PowerLogic, Mitsubishi MELSEC, and Rockwell FactoryTalk create an expanded OT attack surface. Cyber Av3ngers (IRGC-affiliated) have demonstrated willingness to target energy and water infrastructure, and their 9+ day operational silence may precede a new campaign. Actions: <ul> <li> Inventory all Mitsubishi MELSEC iQ-F, Schneider EcoStruxure/Easergy, and Rockwell FactoryTalk Historian deployments; prioritize patching internet-accessible instances </li> <li> Verify network segmentation between IT and OT environments — Iranian APTs use IT-side initial access (Fortinet/Ivanti exploitation) to pivot into OT networks </li> <li> Implement monitoring for T0816 (Device Restart/Shutdown) and T0826 (Loss of Availability) patterns on MELSEC controllers </li> <li> Review Rockwell FactoryTalk Historian for authentication token exposure (ICSA-26-169-03) </li> </ul> <h3> Healthcare </h3> Primary threat: Healthcare organizations running Fortinet edge devices and Ivanti Sentry mobile device management are at immediate risk from CVE-2026-25089 and CVE-2026-10520. Iranian APTs have historically targeted healthcare during periods of geopolitical tension as high-impact, low-military-risk targets. Actions: <ul> <li> Emergency patching of FortiSandbox (CVE-2026-25089) and Ivanti Sentry (CVE-2026-10520) — both are unauthenticated RCE vulnerabilities </li> <li> Audit mobile device management infrastructure — Ivanti Sentry backdoors provide persistent access to clinical mobile devices </li> <li> Ensure ransomware playbooks account for the MuddyWater/Hive dual-purpose model — initial indicators may appear as credential theft rather than immediate encryption </li> <li> Verify that medical device networks are segmented from enterprise IT where Fortinet/Ivanti exploitation would occur </li> </ul> <h3> Government </h3> Primary threat: CISA's updated Fortinet hardening directive (June 22) explicitly cites targeting of government networks in the FortiBleed credential exposure campaign. Government entities are the confirmed victim set for active FortiSandbox exploitation. Actions: <ul> <li> Implement CISA's Fortinet hardening guidance immediately across all FortiGate, FortiClient, and FortiSandbox deployments </li> <li> Conduct credential rotation for any accounts that may have been exposed via Fortinet device compromise — assume credentials harvested if devices were unpatched between June 9–16 </li> <li> Deploy Splunk detection rules for CVE-2026-20253 (Splunk Enterprise pre-auth RCE, CVSS 9.8, added to KEV June 18) — government SOCs running Splunk face a tool-targeting-the-tool scenario </li> <li> Monitor for Pioneer Kitten's known post-exploitation behavior: creation of local admin accounts, deployment of SSH tunnels, and sale of access to ransomware operators </li> </ul> <h3> Aviation & Logistics </h3> Primary threat: Iranian APT groups (particularly Pioneer Kitten) have historically targeted transportation and logistics as part of supply-chain intelligence collection. The BumbleBee initial access broker association suggests access to aviation/logistics networks may be brokered through Russian-speaking criminal markets. Actions: <ul> <li> Audit all internet-facing Fortinet and Ivanti appliances — these are the primary initial access vectors for Iranian APTs targeting this sector </li> <li> Monitor for Cobalt Strike beaconing to Iranian ASN ranges, particularly the newly identified infrastructure on ports 8443, 53, and 80 </li> <li> Review third-party vendor access — the initial access broker model means compromise may arrive through a supply-chain partner rather than direct exploitation </li> <li> Ensure cargo management and flight operations systems are segmented from general enterprise networks </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🔴 </td> <td> IT Ops </td> <td> Patch ALL FortiSandbox instances to version 5.0.6+ or 4.4.9+ — CVE-2026-25089 (CVSS 9.8) is under active unauthenticated exploitation. Any unpatched instance should be assumed compromised and forensically examined. </td> </tr> <tr> <td> 🔴 </td> <td> SOC </td> <td> Block confirmed Iranian C2 IPs at perimeter: 45.138.135[.]27:8443, 87.107.191[.]39:53, 79.175.189[.]207:80, 62.60.226[.]42 (all ports) </td> </tr> <tr> <td> 🔴 </td> <td> SOC </td> <td> Deploy hash-based detections for MuddyWater/Hive samples: bfecab4b..., 3a108692..., b7e42c7b..., 5a24c4f1... across all endpoint platforms </td> </tr> <tr> <td> 🔴 </td> <td> IT Ops </td> <td> Implement CISA Fortinet hardening guidance (updated June 22) — rotate all credentials on Fortinet devices; disable unnecessary management interfaces </td> </tr> <tr> <td> 🔴 </td> <td> SOC </td> <td> Hunt for Remcos RAT callbacks to 62.60.226[.]42 — this C2 has been active for 16+ months with confidence 97; any communication indicates compromise </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🟠 </td> <td> IT Ops </td> <td> Audit and patch all Ivanti Sentry deployments for CVE-2026-10520 (CVSS 10.0) — confirmed exploited, PoC publicly available </td> </tr> <tr> <td> 🟠 </td> <td> SOC </td> <td> Deploy network detection for DNS-over-HTTPS C2 patterns on non-standard resolvers — Iranian operators using port 53 encrypted traffic for Cobalt Strike </td> </tr> <tr> <td> 🟠 </td> <td> SOC </td> <td> Implement JA3/JA4 fingerprint monitoring for Cobalt Strike malleable C2 profiles connecting to Iranian ASN ranges (59441, 44436, 25184, 31549, 213790) </td> </tr> <tr> <td> 🟠 </td> <td> IT Ops </td> <td> Apply CISA FortiBleed hardening across entire Fortinet estate (FortiGate, FortiClient, FortiSandbox) — credential exposure campaign ongoing </td> </tr> <tr> <td> 🟠 </td> <td> SOC </td> <td> Hunt for BumbleBee loader indicators — DLL sideloading via rundll32.exe from temp directories, ISO/VHD file delivery, WMI persistence </td> </tr> <tr> <td> 🟠 </td> <td> IR </td> <td> Update incident response playbooks to account for Russia-Iran handoff model — initial access via Russian-origin tooling (BumbleBee) followed by Iranian APT post-exploitation </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🟡 </td> <td> OT Security </td> <td> Patch ICS systems — Mitsubishi MELSEC iQ-F, Schneider EcoStruxure/Easergy/PowerLogic, Rockwell FactoryTalk Historian per CISA advisories ICSA-26-169-02 through -07 </td> </tr> <tr> <td> 🟡 </td> <td> CISO </td> <td> Procure geopolitical intelligence feed — current collection has been blind to Iran negotiation/escalation signals for 5+ cycles; without this, retaliation pre-positioning cannot be assessed </td> </tr> <tr> <td> 🟡 </td> <td> Network Ops </td> <td> Implement ASN-level monitoring for all Iranian autonomous systems — IP-only blocklists are insufficient given infrastructure diversification across 4+ ISPs </td> </tr> <tr> <td> 🟡 </td> <td> CISO </td> <td> Commission tabletop exercise simulating coordinated Iranian cyber-kinetic escalation scenario — dormant access activation during geopolitical crisis </td> </tr> <tr> <td> 🟡 </td> <td> SOC </td> <td> Develop detection for Pioneer Kitten post-exploitation — local admin account creation, SSH tunnel deployment, and indicators of access brokerage to ransomware operators </td> </tr> </tbody> </table> <h2> IOC Blocking Table </h2> The following IOCs are confirmed from intelligence collection and should be actioned immediately: <h3> Network Indicators </h3> <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Context </th> <th> Confidence </th> </tr> </thead> <tbody> <tr> <td> IPv4 </td> <td> 45.138.135[.]27 </td> <td> Cobalt Strike C2, ASN 59441 (Iran), port 8443 </td> <td> 76 </td> </tr> <tr> <td> IPv4 </td> <td> 87.107.191[.]39 </td> <td> Cobalt Strike C2, ASN 44436 (Iran), DNS-over-HTTPS port 53 </td> <td> 91 </td> </tr> <tr> <td> IPv4 </td> <td> 79.175.189[.]207 </td> <td> Cobalt Strike C2, ASN 25184 Afranet (Iran), port 80 </td> <td> 75 </td> </tr> <tr> <td> IPv4 </td> <td> 62.60.226[.]42 </td> <td> Remcos RAT C2, IROST (Iran), active 16+ months </td> <td> 97 </td> </tr> <tr> <td> IPv4 </td> <td> 185.93.89[.]147 </td> <td> Iranian APT infrastructure </td> <td> Collected </td> </tr> <tr> <td> IPv4 </td> <td> 77.90.185[.]253 </td> <td> Iranian APT infrastructure </td> <td> Collected </td> </tr> <tr> <td> IPv4 </td> <td> 95.38.16[.]220 </td> <td> Iranian APT infrastructure </td> <td> Collected </td> </tr> </tbody> </table> <h3> File Hashes (SHA-256) </h3> <table> <thead> <tr> <th> Hash </th> <th> Context </th> </tr> </thead> <tbody> <tr> <td> bfecab4bbe4901e03868cee748cce2b5fd687c9c0daf38a96ab850868766dc69 </td> <td> MuddyWater/Hive — PHP webshell (targets: SA, CY) </td> </tr> <tr> <td> 3a108692905f788a7fe875fd9a771c29582bda392266be526a384190f2a55d34 </td> <td> MuddyWater/Hive — Windows executable (targets: SA, CY) </td> </tr> <tr> <td> b7e42c7bb14f34c24d31a513fcaf9b2d04fa48939a5f842c569bfc249dad09f9 </td> <td> MuddyWater/Hive — ZIP archive delivery (targets: SA, CY) </td> </tr> <tr> <td> 5a24c4f14337ed42ee7f332ae660ee3f67015ac02f7c715e9c81d9171439e0a9 </td> <td> MuddyWater/Hive — PHP webshell (targets: SA, CY) </td> </tr> </tbody> </table> Additional IOCs available via Anomali ThreatStream Next-Gen and partner feeds. <h2> The Silence That Should Concern You Most </h2> Two observations warrant executive attention beyond the technical indicators: Cyber Av3ngers have been silent for 9+ days. This IRGC-affiliated group — responsible for attacks on water treatment facilities and critical infrastructure — historically goes quiet before launching new campaigns. Combined with six fresh ICS advisories providing new targeting information, the conditions for an OT-focused attack are present. Pioneer Kitten has not produced new IOCs in 18 days. For a group with a documented operational tempo of weekly infrastructure rotation, this gap is anomalous. The most likely explanation: they have completed an infrastructure rotation and are operating from new, unattributed IP addresses. Your current blocklists may be stale. The absence of activity is not the absence of threat. It is, in many cases, the precursor to it. <h2> Bottom Line </h2> The Iran conflict is 115 days old and the cyber dimension continues to escalate in sophistication. The convergence of Russian criminal tooling with Iranian state infrastructure, the compression of patch-to-exploit timelines to seven days, and the expansion of C2 infrastructure across multiple autonomous systems all indicate an adversary that is investing in capability and preparing for sustained operations. The single most important action a CISO can take today: confirm that every Fortinet and Ivanti appliance in your environment is patched. The second: ensure your SOC is hunting for the specific C2 patterns and hashes identified in this report. The third: prepare your incident response team for a scenario where initial access arrives through Russian-origin tooling but the operator behind it serves Iranian state interests. The threat actors are not waiting. Neither should you. Anomali CTI Desk | June 23, 2026 For IOC feeds, detection signatures, and YARA rules referenced in this report, contact your Anomali representative or access via ThreatStream Next-Gen.

FEATURED RESOURCES

June 23, 2026

Anomali Cyber Watch