Anomali Cyber Watch

Iranian Cyber Operations Intensify: Seven Cisco SD-WAN Exploits, AI-Generated Attack Code, and Fresh C2 Infrastructure Signal Imminent Escalation

Published on June 16, 2026
<p> <strong> Threat Assessment Level: HIGH </strong> </p> <p> The Iran-Israel conflict &mdash; now in its 109th day since hostilities began on February 28, 2026 &mdash; continues to generate an accelerating tempo of Iranian state-sponsored cyber operations. Despite active ceasefire negotiations, IRGC and MOIS-affiliated threat actors are not standing down. They are pre-positioning, staging fresh command-and-control infrastructure, and systematically dismantling the security of network management platforms used by governments and militaries worldwide. </p> <p> This week's convergence of three signals should command every CISO's attention: a seventh exploited vulnerability in Cisco's SD-WAN platform, a CVSS 10.0 Ivanti Sentry flaw with a public proof-of-concept, and the first confirmed AI-generated exploit code observed in the Iranian threat landscape. The adversary is getting faster, more methodical, and more capable. </p> <p> If your organization operates Cisco SD-WAN, Ivanti Sentry, or Fortinet FortiSandbox &mdash; or if you serve the defense industrial base, energy, healthcare, or government sectors &mdash; this report demands immediate action. </p> <h2> <strong> What Changed </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Why It Matters </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CVE-2026-20262 </strong> added to CISA KEV (June 15) &mdash; the 7th Cisco SD-WAN Manager vulnerability exploited since January 2026 </p> </td> <td> <p> A single determined adversary is systematically compromising government/military WAN management planes. This is not opportunistic &mdash; it is architectural targeting. </p> </td> </tr> <tr> <td> <p> <strong> CVE-2026-10520 </strong> (Ivanti Sentry, CVSS 10.0) &mdash; public PoC now available for 7 days </p> </td> <td> <p> Pioneer Kitten (Fox Kitten/UNC757) historically weaponizes Ivanti PoCs within 72 hours. The exploitation window is wide open. 
</p> </td> </tr> <tr> <td> <p> <strong> Fresh Cobalt Strike C2 </strong> stood up on Iranian ISP Aria Shatel (June 15) </p> </td> <td> <p> Iranian operators are actively staging infrastructure for imminent campaign launches. </p> </td> </tr> <tr> <td> <p> <strong> AI-generated exploit code </strong> confirmed for FortiSandbox CVE-2026-25089 </p> </td> <td> <p> A capability threshold has been crossed &mdash; exploit development timelines will compress from days to hours. </p> </td> </tr> <tr> <td> <p> <strong> MuddyWater goes silent </strong> after active credential harvesting campaign </p> </td> <td> <p> Silence after collection typically means transition to exploitation. Expect anomalous authentications from harvested credentials. </p> </td> </tr> <tr> <td> <p> <strong> Cyber Av3ngers </strong> &mdash; 47+ days without new campaign activity </p> </td> <td> <p> Anomalous silence for an active conflict. Profile updated June 16 but no new indicators &mdash; possible infrastructure refresh or target reconnaissance. </p> </td> </tr> <tr> <td> <p> <strong> APT42 (Charming Kitten) </strong> conducting active credential harvesting against diplomatic entities during peace talks </p> </td> <td> <p> IRGC-IO collection operations are accelerating in parallel with negotiations &mdash; intelligence gathering on negotiating positions is a priority target. </p> </td> </tr> <tr> <td> <p> <strong> DIB/GitHub fake-resume lure campaign </strong> goes quiet after active targeting of aerospace engineers </p> </td> <td> <p> Operational silence after active reconnaissance is consistent with transition to internal operations against already-compromised targets. 
</p> </td> </tr> </tbody> </table> <h2> <strong> Conflict &amp; Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2026-02-28 </p> </td> <td> <p> Iran-Israel conflict begins </p> </td> <td> <p> Kinetic and cyber operations commence simultaneously </p> </td> </tr> <tr> <td> <p> 2026-03-05 </p> </td> <td> <p> CVE-2026-20122, CVE-2026-20128 exploited </p> </td> <td> <p> First Cisco SD-WAN Manager vulnerabilities in chain </p> </td> </tr> <tr> <td> <p> 2026-03-11 </p> </td> <td> <p> Handala/Void Manticore wipes 200,000 endpoints at Stryker </p> </td> <td> <p> Largest destructive attack of the conflict </p> </td> </tr> <tr> <td> <p> 2026-04-21 </p> </td> <td> <p> CVE-2026-20133 exploited </p> </td> <td> <p> Fourth SD-WAN vulnerability; CISA flags exploitation </p> </td> </tr> <tr> <td> <p> 2026-05-15 </p> </td> <td> <p> CVE-2026-20182 zero-day exploited </p> </td> <td> <p> Fifth in chain &mdash; zero-day indicates dedicated reverse engineering </p> </td> </tr> <tr> <td> <p> 2026-06-05 </p> </td> <td> <p> CVE-2026-20245 zero-day exploited </p> </td> <td> <p> Sixth vulnerability; campaign cadence accelerating </p> </td> </tr> <tr> <td> <p> 2026-06-09 </p> </td> <td> <p> WatchTowr publishes Ivanti Sentry PoC </p> </td> <td> <p> Exploitation clock starts for CVE-2026-10520 </p> </td> </tr> <tr> <td> <p> 2026-06-11 </p> </td> <td> <p> CVE-2026-10520 added to CISA KEV </p> </td> <td> <p> Confirmed in-the-wild exploitation </p> </td> </tr> <tr> <td> <p> 2026-06-12 </p> </td> <td> <p> DIB aerospace GitHub lure campaign goes quiet </p> </td> <td> <p> Possible transition from reconnaissance to internal operations </p> </td> </tr> <tr> <td> <p> 2026-06-13 </p> </td> <td> <p> Wiper campaign (masquerading as ESET) last updated </p> </td> <td> <p> Handala-linked destructive capability remains active </p> 
</td> </tr> <tr> <td> <p> 2026-06-15 </p> </td> <td> <p> CVE-2026-20262 added to CISA KEV; fresh C2 on 151.239.24[.]160 </p> </td> <td> <p> Seventh SD-WAN exploit + active Iranian C2 staging </p> </td> </tr> <tr> <td> <p> 2026-06-16 </p> </td> <td> <p> FortiSandbox triple exploitation confirmed; AI-generated exploit identified </p> </td> <td> <p> Capability evolution &mdash; AI-assisted offensive development now operational </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> The Cisco SD-WAN Systematic Campaign: A Nation-State at Work </strong> </h3> <p> Seven vulnerabilities in one platform exploited over six months is not opportunistic scanning. This is a dedicated reverse-engineering effort by an adversary with deep architectural knowledge of Cisco's Catalyst SD-WAN Manager. </p> <p> <strong> The chain: </strong> CVE-2026-20122 &rarr; CVE-2026-20127 &rarr; CVE-2026-20128 &rarr; CVE-2026-20133 &rarr; CVE-2026-20182 &rarr; CVE-2026-20245 &rarr; CVE-2026-20262 </p> <p> The attack pattern is consistent: crafted HTTP POST requests to API endpoints enable file creation/overwrite via the WildFly Java application server, escalating to root-level access. The adversary deploys malicious .war files to achieve persistent control of the management plane. </p> <p> <strong> Why this matters strategically: </strong> SD-WAN management planes control routing for entire enterprise and government WANs. Persistent access here enables traffic interception, route manipulation, and &mdash; critically &mdash; the ability to disrupt communications during a kinetic escalation. This maps directly to pre-positioning for destructive action. </p> <p> No specific actor attribution has been confirmed, but the sustained cadence, zero-day capability (CVE-2026-20182, CVE-2026-20245), and targeting of government networks are consistent with IRGC-affiliated operations. 
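</p> <p> The detection side of this pattern, as an added example that is not part of the original report and is not Cisco's or Anomali's code: the script below baselines which API endpoints receive POSTs on a healthy day, then flags POSTs in a hunt window that go to unseen endpoints, come from outside the management subnet, or are answered with a 5xx, and separately flags any .war file created on the host outside an approved change window. The log line formats, the /api/v1 paths, the WildFly deployments directory, the 10.10.5.0/24 management subnet and the change window are constructed assumptions; adapt them to your own SD-WAN Manager access log and file-integrity source. </p>
```python
"""Triage helpers for a Cisco Catalyst SD-WAN Manager host, written against the
detection guidance in this report. Added example, not Anomali's or Cisco's code.
The log formats, API paths, deployment directory, management subnet and change
window are all constructed assumptions; substitute your own.
"""
import ipaddress
import re
from datetime import datetime

# Assumed access-log shape: <ts> <src_ip> "<METHOD> <path> HTTP/1.1" <status>
ACCESS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.1" (?P<status>\d{3})$'
)
# Assumed file-integrity-monitoring event shape: <ts> <EVENT> <path> <user>
FIM_RE = re.compile(r'^(?P<ts>\S+) (?P<event>[A-Z]+) (?P<path>\S+) (?P<user>\S+)$')
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

MGMT_NET = ipaddress.ip_network("10.10.5.0/24")  # assumed operator subnet

# Constructed baseline: a normal day of operator traffic (placeholder paths).
BASELINE_LOG = """\
2026-06-08T09:00:01Z 10.10.5.20 "POST /api/v1/login HTTP/1.1" 200
2026-06-08T09:00:03Z 10.10.5.20 "GET /api/v1/devices HTTP/1.1" 200
2026-06-08T09:15:44Z 10.10.5.21 "POST /api/v1/templates/attach HTTP/1.1" 200
2026-06-08T10:02:10Z 10.10.5.20 "GET /api/v1/devices/monitor HTTP/1.1" 200
"""

# Constructed hunt window: two POSTs from outside the management subnet to an
# endpoint the baseline never saw, followed by normal operator activity.
WINDOW_LOG = """\
2026-06-15T02:41:07Z 203.0.113.77 "POST /api/v1/files/upload HTTP/1.1" 200
2026-06-15T02:41:09Z 203.0.113.77 "POST /api/v1/files/upload HTTP/1.1" 500
2026-06-15T09:00:02Z 10.10.5.20 "POST /api/v1/login HTTP/1.1" 200
2026-06-15T09:00:05Z 10.10.5.20 "GET /api/v1/devices HTTP/1.1" 200
"""

# Constructed FIM events; the deployments directory is an assumed WildFly layout.
FIM_LOG = """\
2026-06-14T02:05:30Z CREATE /opt/wildfly/standalone/deployments/manager-ui.war root
2026-06-15T02:41:12Z CREATE /opt/wildfly/standalone/deployments/update.war wildfly
"""

# Constructed approved change window (start, end) in UTC.
CHANGE_WINDOWS = [("2026-06-14T02:00:00Z", "2026-06-14T04:00:00Z")]


def parse_ts(value):
    return datetime.strptime(value, TS_FMT)


def parse_log(text, pattern):
    """Return one dict per line that matches the given regex; skip the rest."""
    return [m.groupdict() for m in map(pattern.match, text.splitlines()) if m]


def baseline_post_endpoints(baseline_text):
    """Endpoints that legitimately receive POSTs during the baseline period."""
    return {r["path"] for r in parse_log(baseline_text, ACCESS_RE) if r["method"] == "POST"}


def anomalous_posts(window_text, known_endpoints):
    """Flag POSTs to unseen endpoints, from outside the management subnet,
    or answered with a 5xx (a crafted body the server could not handle)."""
    findings = []
    for r in parse_log(window_text, ACCESS_RE):
        if r["method"] != "POST":
            continue
        reasons = []
        if r["path"] not in known_endpoints:
            reasons.append("endpoint not in baseline")
        if ipaddress.ip_address(r["src"]) not in MGMT_NET:
            reasons.append("source outside management subnet")
        if r["status"].startswith("5"):
            reasons.append("server error on POST")
        if reasons:
            findings.append((r["ts"], r["src"], r["path"], reasons))
    return findings


def unexpected_war_files(fim_text, change_windows):
    """Flag .war creation on the host that falls outside every approved window."""
    windows = [(parse_ts(a), parse_ts(b)) for a, b in change_windows]
    findings = []
    for r in parse_log(fim_text, FIM_RE):
        if r["event"] != "CREATE" or not r["path"].endswith(".war"):
            continue
        when = parse_ts(r["ts"])
        if not any(start <= when <= end for start, end in windows):
            findings.append((r["ts"], r["path"], r["user"]))
    return findings


if __name__ == "__main__":
    known = baseline_post_endpoints(BASELINE_LOG)
    for f in anomalous_posts(WINDOW_LOG, known):
        print("POST anomaly:", f)
    for f in unexpected_war_files(FIM_LOG, CHANGE_WINDOWS):
        print("Unexpected .war:", f)
```
<p> A real deployment feeds this from the host's access log and FIM events rather than inline strings. The baseline set is the piece that matters most, because the chain described above relies on POSTs that ordinary operator sessions never make, and a .war created under the deployments directory outside a change window deserves an immediate incident response check rather than a ticket.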
</p> <h3> <strong> Pioneer Kitten and the Ivanti Sentry Window </strong> </h3> <p> <strong> CVE-2026-10520 </strong> is an unauthenticated OS command injection vulnerability in Ivanti Sentry that grants root-level remote code execution. CVSS 10.0. The WatchTowr Labs proof-of-concept has been public since June 9. </p> <p> <strong> Pioneer Kitten </strong> (also tracked as Fox Kitten, UNC757, Refined Kitten, and RUBIDIUM) has a documented pattern of weaponizing Ivanti vulnerabilities within 72 hours of PoC availability. This actor operates at the intersection of MOIS espionage and ransomware monetization &mdash; they sell initial access to ransomware affiliates while simultaneously conducting espionage for Iranian intelligence. </p> <p> We are now at Day 7 post-PoC with no public reporting of Pioneer Kitten exploitation. This does not mean it isn't happening &mdash; it may mean exploitation is occurring but has not yet been detected or disclosed. </p> <p> <strong> Related Ivanti exposure: </strong> CVE-2026-5787 (Ivanti EPMM certificate validation bypass, CVSS 8.9) was disclosed in May 2026, expanding the Ivanti attack surface for organizations using mobile device management for classified communications. </p> <h3> <strong> Fresh Iranian C2 Infrastructure: Active Staging </strong> </h3> <p> On June 15, a new Cobalt Strike beacon server was validated at 151.239.24[.]160 on ASN 31549 (Aria Shatel, Tehran), listening on port 9090. This joins an expanding constellation of Iranian C2 infrastructure: </p> <ul> <li> 79.175.189[.]207 (ASN 25184, Afranet, Iran) &mdash; Cobalt Strike + Mythic framework, high confidence </li> <li> 195.181.36[.]124 (ASN 58224, Iran Telecom) &mdash; QuasarRAT C2 </li> </ul> <p> The refresh cadence is accelerating &mdash; new beacons appearing every 7-10 days on residential Iranian ISPs. This pattern is consistent with MuddyWater and Pioneer Kitten operational tradecraft and indicates imminent campaign launches. 
</p> <h3> <strong> FortiSandbox Triple Exploitation and the AI Threshold </strong> </h3> <p> Three FortiSandbox vulnerabilities &mdash; <strong> CVE-2026-39813 </strong> , <strong> CVE-2026-39808 </strong> , and <strong> CVE-2026-25089 </strong> (all CVSS 9.1) &mdash; are now actively exploited. All enable unauthenticated command injection or authentication bypass. </p> <p> The critical signal: <strong> CVE-2026-25089's exploit shows signatures of AI-assisted development. </strong> While reportedly imperfect in its current form, this represents a capability threshold crossing. The implication is clear &mdash; exploit development timelines will compress as AI tools mature, reducing the window between vulnerability disclosure and weaponization from days to potentially hours. </p> <p> Pioneer Kitten and UNC757 have historically targeted Fortinet appliances (documented in CISA Advisory AA24-241A), making this exploitation cluster directly relevant to the Iranian threat landscape. </p> <h3> <strong> Named Threat Actors: Current Status </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Actor </strong> </p> </th> <th> <p> <strong> Affiliation </strong> </p> </th> <th> <p> <strong> Current Assessment </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Pioneer Kitten </strong> (Fox Kitten, UNC757, Refined Kitten) </p> </td> <td> <p> MOIS-adjacent </p> </td> <td> <p> Expected to exploit CVE-2026-10520 imminently; historically targets Ivanti and Fortinet </p> </td> </tr> <tr> <td> <p> <strong> MuddyWater </strong> (TEMP.Zagros) </p> </td> <td> <p> MOIS (Ministry of Intelligence and Security) </p> </td> <td> <p> Silent after credential harvesting campaign &mdash; likely transitioning to exploitation phase </p> </td> </tr> <tr> <td> <p> <strong> Handala / Void Manticore </strong> (UNC5203, BANISHED KITTEN) </p> </td> <td> <p> IRGC-affiliated </p> </td> <td> <p> Responsible for Stryker wiper (200K endpoints); wiper campaign last updated June 13 </p> </td> 
</tr> <tr> <td> <p> <strong> Cyber Av3ngers </strong> </p> </td> <td> <p> IRGC-affiliated </p> </td> <td> <p> 47+ days silent &mdash; anomalous for active conflict; profile updated June 16 with no new campaigns </p> </td> </tr> <tr> <td> <p> <strong> APT42 / Charming Kitten </strong> </p> </td> <td> <p> IRGC-IO </p> </td> <td> <p> Active credential harvesting targeting diplomatic entities during peace talks </p> </td> </tr> <tr> <td> <p> <strong> UNC6077 / Berry Sandstorm </strong> </p> </td> <td> <p> Suspected MOIS </p> </td> <td> <p> Active in DIB targeting via GitHub fake-resume lures </p> </td> </tr> </tbody> </table> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Pioneer Kitten weaponizes CVE-2026-10520 (Ivanti Sentry) </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> Within 72 hours </p> </td> <td> <p> Historical pattern of Ivanti exploitation within 72h of PoC; 7 days elapsed increases urgency </p> </td> </tr> <tr> <td> <p> Cisco SD-WAN campaign yields 8th exploited CVE </p> </td> <td> <p> <strong> 60% </strong> </p> </td> <td> <p> Within 14 days </p> </td> <td> <p> Sustained 7-vuln cadence over 6 months; dedicated RE capability demonstrated </p> </td> </tr> <tr> <td> <p> MuddyWater transitions from credential harvesting to exploitation </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> Within 7 days </p> </td> <td> <p> Operational silence after active collection phase is consistent with credential weaponization </p> </td> </tr> <tr> <td> <p> AI-generated exploits become routine in Iranian operations </p> </td> <td> <p> <strong> 65% </strong> </p> </td> <td> <p> Within 90 days </p> </td> <td> <p> <strong> Capability demonstrated; iteration will improve quality; low barrier to adoption 
</strong> </p> </td> </tr> <tr> <td> <p> <strong> Destructive attack on critical infrastructure during ceasefire talks </strong> </p> </td> <td> <p> <strong> 40% </strong> </p> </td> <td> <p> Within 30 days </p> </td> <td> <p> Historical pattern: Iranian actors escalate cyber operations as diplomatic leverage during negotiations </p> </td> </tr> <tr> <td> <p> Cyber Av3ngers resurface with ICS/OT targeting </p> </td> <td> <p> <strong> 55% </strong> </p> </td> <td> <p> Within 21 days </p> </td> <td> <p> Extended silence during active conflict is anomalous; infrastructure refresh likely underway </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Immediate Detection Priorities </strong> </h3> <ol> <li> <strong> Cisco SD-WAN Management Plane Monitoring </strong> </li> </ol> <ul> <li> <strong> Hunt hypothesis: </strong> Adversary has deployed malicious .war files via crafted HTTP POST requests to SD-WAN Manager API endpoints, achieving root-level persistence. </li> <li> <strong> ATT&amp;CK techniques: </strong> T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1485 (Data Destruction), T1068 (Privilege Escalation) </li> <li> <strong> Detection guidance: </strong> </li> <ul> <li> Alert on any .war file creation on SD-WAN Manager hosts outside scheduled deployments </li> <li> Monitor WildFly Java application server logs for anomalous POST requests to API endpoints </li> <li> Search for unexpected processes spawned by the WildFly service account </li> <li> Baseline normal API call patterns and alert on deviations </li> </ul> </ul> <ol start="2"> <li> <strong> Ivanti Sentry Exploitation </strong> </li> </ol> <ul> <li> <strong> Hunt hypothesis: </strong> Unauthenticated OS command injection via CVE-2026-10520 grants root shell; adversary establishes persistence and pivots to managed mobile devices. 
</li> <li> <strong> ATT&amp;CK techniques: </strong> T1190 (Exploit Public-Facing Application), T1059.004 (Unix Shell), T1068 (Privilege Escalation) </li> <li> <strong> Detection guidance: </strong> </li> <ul> <li> Monitor Ivanti Sentry access logs for unauthenticated requests to vulnerable endpoints </li> <li> Alert on shell process spawns (bash, sh) from Sentry application processes </li> <li> Network-level: detect outbound connections from Sentry appliances to non-standard ports </li> <li> If unpatched: implement WAF rules to block exploitation patterns or take offline </li> </ul> </ul> <ol start="3"> <li> <strong> Iranian C2 Communication </strong> </li> </ol> <ul> <li> <strong> Hunt hypothesis: </strong> Compromised hosts are beaconing to Cobalt Strike/Mythic/QuasarRAT C2 servers on Iranian ISPs. </li> <li> <strong> ATT&amp;CK techniques: </strong> T1071.001 (Web Protocols), T1573.001 (Encrypted Channel), T1105 (Ingress Tool Transfer), T1571 (Non-Standard Port) </li> <li> <strong> Detection guidance: </strong> </li> <ul> <li> Block and alert on traffic to ASN 31549 (Aria Shatel), ASN 25184 (Afranet), ASN 58224 (Iran Telecom), ASN 213790 (Limited Network) </li> <li> Specifically monitor port 9090 for Cobalt Strike beacon patterns </li> <li> Implement JA3/JA3S fingerprint detection for known Cobalt Strike profiles </li> <li> Historical search: query 90 days of netflow for any connections to the IOCs listed below </li> </ul> </ul> <ol start="4"> <li> <strong> Fortinet FortiSandbox Exploitation </strong> </li> </ol> <ul> <li> <strong> Hunt hypothesis: </strong> Unauthenticated attackers are exploiting JRPC API endpoints to achieve command injection on FortiSandbox appliances. 
</li> <li> <strong> ATT&amp;CK techniques: </strong> T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1553.002 (Code Signing bypass) </li> <li> <strong> Detection guidance: </strong> </li> <ul> <li> Audit FortiSandbox logs for unauthenticated HTTP requests to JRPC API </li> <li> Monitor for unexpected process execution on FortiSandbox hosts </li> <li> Network segmentation: ensure FortiSandbox management interfaces are not internet-exposed </li> </ul> </ul> <ol start="5"> <li> <strong> Credential Abuse from MuddyWater Harvesting </strong> </li> </ol> <ul> <li> <strong> Hunt hypothesis: </strong> MuddyWater (MOIS) harvested credentials during recent phishing campaign and is now using them for initial access to M365/Azure tenants. </li> <li> <strong> ATT&amp;CK techniques: </strong> T1078 (Valid Accounts), T1021 (Remote Services), T1114 (Email Collection) </li> <li> <strong> Detection guidance: </strong> </li> <ul> <li> Alert on authentications from Iranian IP ranges (ASNs above) to cloud tenants </li> <li> Monitor for impossible travel or anomalous login patterns on privileged accounts </li> <li> Review conditional access policies &mdash; enforce MFA and block legacy authentication </li> <li> Search for new mail forwarding rules or OAuth app registrations in the past 14 days </li> </ul> </ul> <h3> <strong> Hunting Hypotheses Summary </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Hypothesis </strong> </p> </th> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Data Sources </strong> </p> </th> <th> <p> <strong> Key Indicators </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> SD-WAN management plane compromise via .war file deployment </p> </td> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> SD-WAN Manager logs, WildFly logs, file integrity monitoring </p> </td> <td> <p> Unexpected .war files, anomalous API POSTs, root-level process spawns </p> </td> </tr> <tr> <td> <p> Ivanti Sentry root 
shell via CVE-2026-10520 </p> </td> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> Sentry access logs, process monitoring, netflow </p> </td> <td> <p> Unauthenticated requests to vulnerable endpoints, shell spawns </p> </td> </tr> <tr> <td> <p> Cobalt Strike beaconing to Iranian ASNs </p> </td> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> Firewall logs, DNS logs, netflow, proxy logs </p> </td> <td> <p> Connections to port 9090, JA3 fingerprints, periodic beaconing patterns </p> </td> </tr> <tr> <td> <p> Credential stuffing from MuddyWater harvest </p> </td> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> Azure AD sign-in logs, M365 UAL, CASB </p> </td> <td> <p> Iranian IP logins, impossible travel, new OAuth apps, mail rules </p> </td> </tr> <tr> <td> <p> FortiSandbox command injection </p> </td> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> FortiSandbox logs, network IDS </p> </td> <td> <p> Unauthenticated JRPC requests, unexpected child processes </p> </td> </tr> <tr> <td> <p> DIB GitHub lure code execution </p> </td> <td> <p> MEDIUM </p> </td> <td> <p> Endpoint EDR, Git logs, process trees </p> </td> <td> <p> Code cloned from unknown repos, unexpected compilation/execution </p> </td> </tr> </tbody> </table> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services </strong> </h3> <p> <strong> Primary threat: </strong> Iranian actors targeting SWIFT-connected systems and payment infrastructure for both espionage and potential destructive disruption as economic leverage during negotiations. </p> <ul> <li> <strong> Immediate: </strong> Audit all Cisco SD-WAN deployments in branch connectivity; financial institutions heavily rely on SD-WAN for branch-to-datacenter communication. Verify patching for all seven CVEs in the chain. 
</li> <li> <strong> 7-day: </strong> Review Fortinet FortiSandbox deployments used for transaction file analysis &mdash; exploitation could allow malware to bypass sandbox detection entirely, enabling downstream payload delivery. </li> <li> <strong> 30-day: </strong> Conduct tabletop exercise simulating simultaneous SD-WAN disruption and wiper deployment during peak trading hours. Validate out-of-band communication plans. </li> </ul> <h3> <strong> Energy </strong> </h3> <p> <strong> Primary threat: </strong> ICS/OT pre-positioning for destructive attack. Cyber Av3ngers previously targeted water/energy infrastructure; their extended silence may precede a major operation. </p> <ul> <li> <strong> Immediate: </strong> Verify network segmentation between IT SD-WAN management planes and OT networks. If SD-WAN is used for SCADA backhaul, implement emergency out-of-band monitoring. </li> <li> <strong> 7-day: </strong> Review CISA ICS advisories for Schneider Electric EcoStruxure and Siemens KACO inverter vulnerabilities &mdash; patch or isolate affected systems. Audit Brickcom/Dahua surveillance cameras for default credentials. </li> <li> <strong> 30-day: </strong> Implement Iranian ASN blocking at OT network perimeters (not just IT). Deploy passive OT network monitoring to detect lateral movement from compromised IT systems. </li> </ul> <h3> <strong> Healthcare </strong> </h3> <p> <strong> Primary threat: </strong> Ransomware via Pioneer Kitten initial access brokering, and wiper attacks disguised as ransomware (Handala pattern). </p> <ul> <li> <strong> Immediate: </strong> Patch Ivanti Sentry/EPMM deployments used for clinician mobile device management &mdash; CVE-2026-10520 grants root access to MDM infrastructure, enabling mass device compromise. </li> <li> <strong> 7-day: </strong> Audit for Pioneer Kitten IOCs (SHA-256 hashes listed below) across endpoint fleet. 
Pioneer Kitten sells access to ransomware affiliates &mdash; healthcare is a preferred monetization target. </li> <li> <strong> 30-day: </strong> Validate backup integrity and test restoration procedures. The Stryker wiper attack (200,000 endpoints) demonstrates Iranian willingness to conduct destructive operations against healthcare-adjacent targets. </li> </ul> <h3> <strong> Government </strong> </h3> <p> <strong> Primary threat: </strong> Systematic SD-WAN compromise enabling persistent access to government WAN management planes for espionage and pre-positioning for communications disruption. </p> <ul> <li> <strong> Immediate: </strong> Treat Cisco SD-WAN Manager patching as a national security priority. Seven exploited vulnerabilities in six months means the adversary has persistent reverse-engineering capability against this platform. Assume compromise if any patch was delayed. </li> <li> <strong> 7-day: </strong> Implement out-of-band management for all critical network infrastructure. SD-WAN management interfaces must not be reachable from the general internet or standard user networks. </li> <li> <strong> 30-day: </strong> Commission red team assessment of SD-WAN management plane isolation. Evaluate migration to zero-trust network architecture that does not depend on a single management platform. </li> </ul> <h3> <strong> Aviation &amp; Logistics </strong> </h3> <p> <strong> Primary threat: </strong> DIB supply chain compromise via GitHub fake-resume lures targeting aerospace engineers, and potential disruption of logistics/maritime systems. </p> <ul> <li> <strong> Immediate: </strong> Brief engineering and recruiting teams on the GitHub fake-resume lure campaign (TEMP.Jafar/UNC6077 pattern) &mdash; verify all code repositories before execution in development environments. </li> <li> <strong> 7-day: </strong> Audit all code cloned from external GitHub repositories in the past 30 days. 
Search for execution of unfamiliar binaries or scripts sourced from interview/assessment repositories. </li> <li> <strong> 30-day: </strong> Implement code execution sandboxing for all externally-sourced repositories. Review NAVTOR and maritime logistics system patching &mdash; Iranian actors have demonstrated interest in maritime chokepoint disruption. </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Patch Ivanti Sentry to R10.5.2/R10.6.2/R10.7.1 addressing CVE-2026-10520 (CVSS 10.0). If patching is impossible within 24h, take the appliance offline or implement WAF blocking rules. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Verify Cisco Catalyst SD-WAN Manager is patched against CVE-2026-20262 and all six prior CVEs. Search WildFly logs for .war file deployments and anomalous API POST requests. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC </p> </td> <td> <p> Block Iranian C2 IPs at perimeter: 151.239.24[.]160, 79.175.189[.]207, 195.181.36[.]124. Run 90-day historical search for any connections to these addresses. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> SOC </p> </td> <td> <p> Add ASN-based alerting for ASN 31549, 25184, 58224, and 213790 &mdash; any traffic to/from these Iranian networks should trigger investigation. </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> Executive/IR </p> </td> <td> <p> Confirm incident response retainer is active and IR team is briefed on Iranian wiper TTPs. Validate out-of-band communication plan if primary WAN is disrupted. 
</p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Patch Fortinet FortiSandbox against CVE-2026-39813, CVE-2026-39808, CVE-2026-25089. Audit logs for unauthenticated JRPC API requests. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy Cobalt Strike beacon detection for port 9090 communications from Iranian ASN ranges. Implement JA3/JA3S fingerprinting for known Cobalt Strike profiles. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC </p> </td> <td> <p> Review Azure AD/M365 sign-in logs for authentications from Iranian IP ranges. Audit OAuth app registrations and mail forwarding rules created in the past 14 days. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> DevOps/HR </p> </td> <td> <p> Brief aerospace and defense teams on GitHub fake-resume lure campaign. Audit code repositories cloned from unknown sources in past 30 days. </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Review and patch Ivanti EPMM (CVE-2026-5787, CVSS 8.9) and Arista EOS per recent security advisories. </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission architectural review of SD-WAN management plane isolation. Seven exploited CVEs in six months demands network segmentation of management interfaces and evaluation of platform alternatives. 
</p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> Implement behavioral analysis for ASN 213790 traffic to resolve actor-tag conflicts (APT28 signatures on Iranian infrastructure indicate misattribution &mdash; likely Iranian actors using similar tooling). </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> CISO </p> </td> <td> <p> Evaluate AI-accelerated patching workflows &mdash; if adversaries are using AI to generate exploits faster, defensive patch timelines must compress accordingly. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> IR </p> </td> <td> <p> Conduct tabletop exercise: simultaneous SD-WAN management plane compromise + wiper deployment during ceasefire negotiation breakdown. Test backup communications and recovery procedures. </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> Executive </p> </td> <td> <p> Authorize procurement of additional threat intelligence sources (Shodan/Censys infrastructure scanning, Google Threat Intelligence API) to close collection gaps identified in current monitoring. 
</p> </td> </tr> </tbody> </table> <h2> <strong> IOC Blocking Table </strong> </h2> <p> The following IOCs have been validated through intelligence collection and should be implemented in blocking and detection rules: </p> <h3> <strong> Network Indicators </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> <th> <p> <strong> Confidence </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 151.239.24[.]160 </p> </td> <td> <p> Cobalt Strike C2, ASN 31549 Aria Shatel, Tehran &mdash; port 9090 </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 79.175.189[.]207 </p> </td> <td> <p> Cobalt Strike + Mythic C2, ASN 25184 Afranet, Iran </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 195.181.36[.]124 </p> </td> <td> <p> QuasarRAT C2, ASN 58224 Iran Telecom </p> </td> <td> <p> <strong> Moderate </strong> </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192.253.248[.]169 </p> </td> <td> <p> APT infrastructure, ASN 213790, targets gov/healthcare/telecom </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 77.90.185[.]253 </p> </td> <td> <p> Cryptominer/APT infrastructure, ASN 213790 </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 185.93.89[.]147 </p> </td> <td> <p> Mirage malware C2, ASN 213790 </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192.253.248[.]180 </p> </td> <td> <p> APT infrastructure, ASN 213790, targets retail/telecom </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 171.22.27[.]16 </p> </td> <td> <p> Iranian threat infrastructure </p> </td> <td> <p> <strong> Moderate </strong> </p> </td> </tr> </tbody> </table> 
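<p> A historical hunt across netflow for these indicators, added here as an example and not code from the original report or from Anomali: it refangs the published IPs, matches every flow against the IP list, the four Iranian ASNs named in the detection guidance and the port 9090 listener, and then looks for the periodic beaconing pattern the hunting table describes by measuring how regular the gaps between flows to a given destination are. The CSV flow format, the pre-enriched dst_asn field and all twelve flow records are constructed assumptions. </p>
```python
"""Historical netflow hunt for the Iranian C2 indicators in this report: exact
IOC matches, traffic to the blocked ASNs, the watched port, and regular
beaconing intervals. Added example, not Anomali's code. The flow format, the
ASN enrichment and every flow record are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicators copied from the Network Indicators table, defanged as published.
DEFANGED_IPS = [
    "151.239.24[.]160", "79.175.189[.]207", "195.181.36[.]124",
    "192.253.248[.]169", "77.90.185[.]253", "185.93.89[.]147",
    "192.253.248[.]180", "171.22.27[.]16",
]
# Aria Shatel, Afranet, Iran Telecom, Limited Network (from the detection guidance)
BLOCKED_ASNS = {31549, 25184, 58224, 213790}
WATCH_PORTS = {9090}  # Cobalt Strike listener port named in the report
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def refang(ioc):
    """Turn a published defanged indicator back into a matchable address."""
    return ioc.replace("[.]", ".")


C2_IPS = {refang(i) for i in DEFANGED_IPS}

# Constructed CSV export. dst_asn assumes the collector already enriched each
# flow with the destination's ASN (from your own BGP or GeoIP data).
NETFLOW = """\
ts,src_ip,dst_ip,dst_port,dst_asn,bytes
2026-06-15T12:00:00Z,10.20.1.15,151.239.24.160,9090,31549,1204
2026-06-15T12:00:00Z,10.20.1.40,198.51.100.9,443,64500,88012
2026-06-15T12:00:07Z,10.20.1.40,198.51.100.9,443,64500,5120
2026-06-15T12:01:02Z,10.20.1.15,151.239.24.160,9090,31549,1188
2026-06-15T12:02:01Z,10.20.1.15,151.239.24.160,9090,31549,1210
2026-06-15T12:03:03Z,10.20.1.15,151.239.24.160,9090,31549,1194
2026-06-15T12:03:30Z,10.20.1.40,198.51.100.9,443,64500,910
2026-06-15T12:04:00Z,10.20.1.15,151.239.24.160,9090,31549,1201
2026-06-15T12:05:02Z,10.20.1.15,151.239.24.160,9090,31549,1197
2026-06-15T12:10:02Z,10.20.1.40,198.51.100.9,443,64500,4401
2026-06-15T12:10:03Z,10.20.1.40,198.51.100.9,443,64500,377
2026-06-15T13:17:45Z,10.20.2.7,203.0.113.50,443,213790,6630
"""


def parse_netflow(text):
    """Parse the CSV export into dicts with typed port/ASN/bytes fields."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        for key in ("dst_port", "dst_asn", "bytes"):
            rec[key] = int(rec[key])
        rows.append(rec)
    return rows


def match_iocs(rows):
    """Per-flow matches against the IP list, the ASN blocklist and watched ports."""
    hits = []
    for r in rows:
        reasons = []
        if r["dst_ip"] in C2_IPS:
            reasons.append("known C2 IP")
        if r["dst_asn"] in BLOCKED_ASNS:
            reasons.append(f"blocked ASN {r['dst_asn']}")
        if r["dst_port"] in WATCH_PORTS:
            reasons.append(f"watched port {r['dst_port']}")
        if reasons:
            hits.append((r["ts"], r["src_ip"], r["dst_ip"], reasons))
    return hits


def beacon_candidates(rows, min_flows=5, max_jitter=0.2):
    """Flag (src, dst, port) tuples whose inter-flow gaps are regular: the
    coefficient of variation of the gaps is at or below max_jitter."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src_ip"], r["dst_ip"], r["dst_port"])].append(
            datetime.strptime(r["ts"], TS_FMT))
    candidates = []
    for key, times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            candidates.append((key, round(avg, 1)))
    return candidates


if __name__ == "__main__":
    flows = parse_netflow(NETFLOW)
    for hit in match_iocs(flows):
        print("IOC hit:", hit)
    for key, period in beacon_candidates(flows):
        print(f"Beacon-like: {key} every ~{period}s")
```
<p> The jitter threshold is a tuning knob: beacons are normally configured with some sleep jitter, so a coefficient of variation of 0.2 catches tight schedules while letting bursty interactive sessions through. Raise min_flows and widen the threshold when running over the 90-day window the guidance calls for, and populate dst_asn from your own BGP or GeoIP enrichment rather than trusting exporter metadata. </p>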
<h3> <strong> File Hashes (Pioneer Kitten / Handala Associated) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> SHA-256 </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> f4092b6a32484d9132e926b19193182bebec5ffba09de94acd193f581df4490f </p> </td> <td> <p> Pioneer Kitten / Banished Kitten tooling </p> </td> </tr> <tr> <td> <p> 2d523823c8e1b72ecf485016290af57887cde1000e7c56dbced3757b3ad8bb5a </p> </td> <td> <p> Pioneer Kitten / Banished Kitten tooling </p> </td> </tr> <tr> <td> <p> df7a86eaf45a7c3ba2f70321e75b90f77f3b4bb8a49714e694e8769b7b97e6e5 </p> </td> <td> <p> Pioneer Kitten / Banished Kitten tooling </p> </td> </tr> <tr> <td> <p> 997ffae5b43a3bbda8657816cc8389e87109d7539074b71552bf7479f8e83363 </p> </td> <td> <p> Pioneer Kitten / Banished Kitten tooling </p> </td> </tr> <tr> <td> <p> 7233f291c350fa1510ca73a0b72c2a477031d16efebb6237ef75ff14ead999c0 </p> </td> <td> <p> Pioneer Kitten / Banished Kitten tooling </p> </td> </tr> <tr> <td> <p> 028d3de0f0709a18c9928526519e761a08f6766d1eca386e908588f995f44e7f </p> </td> <td> <p> Pioneer Kitten / Banished Kitten tooling </p> </td> </tr> <tr> <td> <p> 0a5cf97e699c8bfacee7f89ebfaa851ff03dd004a58ffde9c609fcc2cd27f250 </p> </td> <td> <p> Pioneer Kitten / Banished Kitten tooling </p> </td> </tr> </tbody> </table> <p> <strong> <em> Note: </em> </strong> <em> All IOCs should be cross-referenced against Anomali ThreatStream Next-Gen prior to deployment in production blocking rules. Additional indicators and STIX packages are available via your Anomali representative. </em> </p> <h2> <strong> Bottom Line </strong> </h2> <p> The Iranian cyber threat is not pausing for diplomacy. While ceasefire negotiations continue, IRGC and MOIS-affiliated operators are exploiting every available vulnerability, staging fresh infrastructure, and &mdash; for the first time &mdash; leveraging AI to accelerate their offensive capabilities. 
</p> <p> The Cisco SD-WAN campaign is the clearest signal: a methodical, patient adversary is systematically compromising the management planes that control government and military communications. Seven vulnerabilities in six months is not a series of isolated incidents &mdash; it is a campaign with strategic intent. </p> <p> <strong> Your 24-hour priorities are clear: </strong> </p> <ol> <li> Patch Ivanti Sentry (CVSS 10.0, PoC public, exploitation expected) </li> <li> Verify SD-WAN Manager patching (7th CVE exploited, CISA deadline June 29) </li> <li> Block Iranian C2 infrastructure and hunt for historical connections </li> </ol> <p> The window between vulnerability disclosure and weaponization is closing. With AI-assisted exploit development now confirmed in this theater, that window will only get narrower. Act today. </p> <p> <em> Published 2026-06-16 by the Anomali CTI Desk. Intelligence derived from Anomali ThreatStream Next-Gen, CISA advisories, and curated open-source feeds. For IOC feeds and STIX packages, contact your Anomali representative. </em> </p>
