<h2>Executive Summary </h2>
<p>Sixteen days into Operation Epic Fury / Roaring Lion — the active U.S.-Iran conflict that began February 28, 2026 — the cyber threat environment has escalated sharply and in ways that directly threaten state government operations. Iranian state-nexus actors are no longer limiting themselves to espionage: destructive wiper malware has been confirmed on U.S. networks for the first time in this conflict cycle. Simultaneously, two actively exploited Chrome zero-days are enabling credential theft at scale, a critical vulnerability in building management systems is exposing physical infrastructure to remote manipulation, and ransomware operators are weaponizing unpatched VPN appliances to pre-position inside government networks.</p>
<p>This is not a drill. The convergence of destructive Iranian operations, opportunistic ransomware, and unpatched OT-adjacent systems creates compounding risk that demands immediate leadership attention and SOC action this week.</p>
<h2>What Changed This Week </h2>
<p>The following developments represent material shifts in the threat landscape:</p>
<ul>
<li><strong> 🔴 Iranian Destructive Operations Reach U.S. Networks: </strong> Handala, an Iran-nexus hacktivist group operating in support of IRGC strategic objectives, deployed the <strong> Hyrax </strong> wiper against at least two U.S. municipal government networks between March 11–14, 2026 — the first confirmed destructive Iranian cyber operations on U.S. soil since the conflict began February 28.</li>
<li><strong> 🔴 Dual Chrome Zero-Days Under Active Exploitation: </strong> Two critical Chromium vulnerabilities — <strong> CVE-2026-28252 </strong> (type confusion, CVSS 9.6) and <strong> CVE-2026-28254 </strong> (heap buffer overflow, CVSS 9.4) — are being chained by Storm-2561 to achieve remote code execution and credential harvesting. Patches were released March 12; exploitation predates the patch by at least five days.</li>
<li><strong> 🟠 Building Management Systems Actively Targeted: </strong> CVE-2026-25815, a pre-authentication remote code execution flaw in widely deployed BMS controllers, is being actively probed by Hive0163. Successful exploitation could allow adversaries to manipulate HVAC, access control, and power management systems in government facilities.</li>
<li><strong> 🟠 MuddyWater (MOIS) Expands Dindoor Implant Deployment: </strong> MuddyWater — attributed to Iran's Ministry of Intelligence and Security (MOIS), not the IRGC — has significantly expanded deployment of the <strong> Dindoor </strong> backdoor against U.S. and allied government targets, with new command-and-control infrastructure identified as recently as March 15, 2026.</li>
<li><strong> 🟡 Qilin Ransomware Exploiting Unpatched VPN Appliances: </strong> The Qilin ransomware group is actively exploiting <strong> CVE-2025-32756 </strong>, a critical authentication bypass in a widely used SSL VPN product, to gain initial access. At least three state government VPN deployments matching the vulnerable profile have been identified in open-source exposure data. Qilin deploys <strong> PLAYCRYPT </strong> encryptors post-compromise.</li>
</ul>
<h2>Threat Timeline: February 28 – March 16, 2026 </h2>
<table>
<thead>
<tr>
<th>
<p><strong> Date </strong></p>
</th>
<th>
<p><strong> Event </strong></p>
</th>
<th>
<p><strong> Actor </strong></p>
</th>
<th>
<p><strong> Severity </strong></p>
</th>
<th>
<p><strong> State Gov Impact </strong></p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>2026-02-28</p>
</td>
<td>
<p>Operation Epic Fury / Roaring Lion begins; U.S. military operations against Iran commence</p>
</td>
<td>
<p>N/A (geopolitical)</p>
</td>
<td>
<p>🔴 Critical</p>
</td>
<td>
<p>Immediate escalation of Iranian cyber threat posture</p>
</td>
</tr>
<tr>
<td>
<p>2026-03-01</p>
</td>
<td>
<p>Handala claims defacement of 14 U.S. government web properties; DDoS against .gov infrastructure</p>
</td>
<td>
<p>Handala</p>
</td>
<td>
<p>🟠 High</p>
</td>
<td>
<p>Web availability disruption; reputational risk</p>
</td>
</tr>
<tr>
<td>
<p>2026-03-03</p>
</td>
<td>
<p>MuddyWater (MOIS) spearphishing campaign targeting U.S. state department contractors detected</p>
</td>
<td>
<p>MuddyWater / MOIS</p>
</td>
<td>
<p>🟠 High</p>
</td>
<td>
<p>Supply chain / contractor access risk</p>
</td>
</tr>
<tr>
<td>
<p>2026-03-05</p>
</td>
<td>
<p>CVE-2025-32756 (VPN auth bypass) added to CISA KEV; Qilin observed exploiting in the wild</p>
</td>
<td>
<p>Qilin</p>
</td>
<td>
<p>🔴 Critical</p>
</td>
<td>
<p>Direct exploitation risk to state VPN infrastructure</p>
</td>
</tr>
<tr>
<td>
<p>2026-03-07</p>
</td>
<td>
<p>HYDRO KITTEN (IRGC-CEC) deploys <strong> Slopoly </strong> implant against U.S. energy sector SCADA systems</p>
</td>
<td>
<p>HYDRO KITTEN / IRGC-CEC</p>
</td>
<td>
<p>🔴 Critical</p>
</td>
<td>
<p>Energy grid stability; OT network integrity</p>
</td>
</tr>
<tr>
<td>
<p>2026-03-08</p>
</td>
<td>
<p>Storm-2561 begins exploitation of CVE-2026-28252 (Chrome type confusion) — zero-day at time of discovery</p>
</td>
<td>
<p>Storm-2561</p>
</td>
<td>
<p>🔴 Critical</p>
</td>
<td>
<p>Credential theft from browser sessions; MFA bypass risk</p>
</td>
</tr>
<tr>
<td>
<p>2026-03-09</p>
</td>
<td>
<p>Anomali CTI Desk previous assessment published; Hive0163 first observed probing BMS infrastructure</p>
</td>
<td>
<p>Hive0163</p>
</td>
<td>
<p>🟠 High</p>
</td>
<td>
<p>Physical security system exposure</p>
</td>
</tr>
<tr>
<td>
<p>2026-03-10</p>
</td>
<td>
<p>CVE-2026-28254 (Chrome heap overflow) identified; chained with CVE-2026-28252 by Storm-2561</p>
</td>
<td>
<p>Storm-2561</p>
</td>
<td>
<p>🔴 Critical</p>
</td>
<td>
<p>Compounded browser exploitation; full RCE chain</p>
</td>
</tr>
<tr>
<td>
<p>2026-03-11</p>
</td>
<td>
<p>Handala deploys <strong> Hyrax </strong> wiper against first confirmed U.S. municipal government target</p>
</td>
<td>
<p>Handala</p>
</td>
<td>
<p>🔴 Critical</p>
</td>
<td>
<p>Destructive data loss; operational disruption</p>
</td>
</tr>
<tr>
<td>
<p>2026-03-12</p>
</td>
<td>
<p>Google releases emergency Chrome patches for CVE-2026-28252 and CVE-2026-28254</p>
</td>
<td>
<p>N/A (vendor)</p>
</td>
<td>
<p>🟡 Medium</p>
</td>
<td>
<p>Patch available; exploitation window closing for patched systems</p>
</td>
</tr>
<tr>
<td>
<p>2026-03-14</p>
</td>
<td>
<p>Second Hyrax wiper deployment confirmed; MuddyWater (MOIS) new C2 infrastructure identified</p>
</td>
<td>
<p>Handala / MuddyWater / MOIS</p>
</td>
<td>
<p>🔴 Critical</p>
</td>
<td>
<p>Active destructive ops; persistent MOIS access</p>
</td>
</tr>
<tr>
<td>
<p>2026-03-15</p>
</td>
<td>
<p>CVE-2026-25815 (BMS RCE) PoC published; Hive0163 exploitation attempts increase significantly</p>
</td>
<td>
<p>Hive0163</p>
</td>
<td>
<p>🔴 Critical</p>
</td>
<td>
<p>Physical infrastructure manipulation risk</p>
</td>
</tr>
<tr>
<td>
<p>2026-03-16</p>
</td>
<td>
<p>CISA Emergency Directive issued covering CVE-2026-25815 and CVE-2025-32756; Qilin claims third victim</p>
</td>
<td>
<p>Qilin / CISA</p>
</td>
<td>
<p>🔴 Critical</p>
</td>
<td>
<p>Federal mandate for remediation; active ransomware campaign</p>
</td>
</tr>
</tbody>
</table>
<h2>Threat Analysis </h2>
<h3>1. Handala and the Hyrax Wiper: Destructive Operations Arrive on U.S. Soil</h3>
<p>Handala is an Iran-nexus hacktivist collective that has operated with increasing sophistication and apparent coordination with IRGC strategic objectives since 2023. Since the conflict began February 28, Handala has escalated from nuisance-level defacements and DDoS to deploying destructive malware — a significant threshold crossing.</p>
<p><strong> Hyrax </strong> is a newly identified wiper malware first observed in this campaign. Technical analysis indicates Hyrax enumerates and overwrites the Master Boot Record (MBR) and Volume Boot Records (VBR) of all accessible drives, then iterates through directory structures to overwrite file contents with pseudorandom data before deleting the originals. Unlike some wipers that merely corrupt headers, Hyrax performs multi-pass overwriting on files above 1MB, making forensic recovery extremely difficult. The malware also attempts lateral movement via SMB before executing its destructive payload, maximizing blast radius.</p>
<p>The two confirmed U.S. municipal government victims (March 11 and March 14) were both running unpatched Windows Server 2019 instances accessible via internet-facing RDP — consistent with Handala's observed preference for opportunistic initial access via exposed remote management services.</p>
<p><strong> State Government Relevance: </strong> Any state or local government entity with internet-exposed RDP, unpatched Windows Server instances, or inadequate network segmentation between administrative and operational systems is at elevated risk. The shift to destructive operations means incident response must now include immediate backup integrity verification and offline backup validation as standard procedure.</p>
<h3>2. Storm-2561 and the Chrome Zero-Day Chain: CVE-2026-28252 + CVE-2026-28254</h3>
<p>Storm-2561 is a financially motivated threat actor with observed overlaps in tooling and targeting with Iranian state-nexus groups, though Anomali assesses with moderate confidence that Storm-2561 operates as an independent contractor that sells access to multiple state and non-state clients. Their exploitation of dual Chrome zero-days represents a sophisticated capability.</p>
<p><strong> CVE-2026-28252 </strong> is a type confusion vulnerability in Chrome's V8 JavaScript engine (CVSS 9.6). Exploitation allows an attacker to achieve out-of-bounds memory read/write within the renderer process. Alone, this is insufficient for full system compromise due to Chrome's sandbox architecture.</p>
<p><strong> CVE-2026-28254 </strong> is a heap buffer overflow in Chrome's GPU process (CVSS 9.4). When chained with CVE-2026-28252, Storm-2561's exploit kit achieves sandbox escape and full remote code execution in the context of the logged-in user. The attack chain is delivered via malicious web pages and requires no user interaction beyond visiting the page.</p>
<p>Storm-2561 has been observed using this chain to deploy credential-harvesting implants that target saved browser passwords, session cookies, and authentication tokens — including tokens for cloud services, VPNs, and government portals. The five-day exploitation window before Google's March 12 patch release means any unpatched Chrome instance that browsed the web between March 8–12 should be treated as potentially compromised.</p>
<p><strong> State Government Relevance: </strong> Government employees using Chrome for web-based applications, email, and cloud services are directly at risk. Browser-based credential theft can bypass MFA if session tokens are stolen post-authentication. Immediate Chrome version verification and forced update deployment is required.</p>
<h3>3. MuddyWater (MOIS): Dindoor Backdoor Expansion</h3>
<p><strong> Attribution Note: </strong> MuddyWater is attributed to Iran's <strong> Ministry of Intelligence and Security (MOIS) </strong> — not the IRGC. This distinction matters operationally: MOIS operations tend to prioritize long-term intelligence collection and persistent access over the destructive or disruptive operations more characteristic of IRGC-affiliated groups.</p>
<p>MuddyWater has been active since at least 2017 and is one of Iran's most prolific cyber espionage operators. Since the conflict began, MuddyWater has significantly intensified operations, consistent with MOIS's mandate to collect intelligence on U.S. government decision-making and military planning.</p>
<p><strong> Dindoor </strong> is a modular backdoor that MuddyWater has deployed in this campaign. It communicates over HTTPS using legitimate cloud services (including OneDrive and Google Drive) as command-and-control channels, making detection via network monitoring alone extremely difficult. Dindoor supports keylogging, screen capture, file exfiltration, and the ability to load additional modules on demand. New C2 infrastructure identified on March 15 suggests the campaign is ongoing and expanding.</p>
<p>Initial access in observed MuddyWater intrusions has been achieved via spearphishing emails with malicious macro-enabled documents, as well as exploitation of internet-facing Outlook Web Access instances. Targeting has focused on state department contractors, defense industrial base entities, and state government agencies with federal program responsibilities.</p>
<p><strong> State Government Relevance: </strong> State agencies administering federal programs, managing National Guard operations, or involved in emergency management coordination are priority targets for MOIS collection. The use of legitimate cloud services for C2 means perimeter-based detection is insufficient — endpoint detection and behavioral analytics are required.</p>
<h3>4. HYDRO KITTEN (IRGC-CEC): Slopoly and OT Network Targeting</h3>
<p><strong> Attribution Note: </strong> HYDRO KITTEN is attributed to Iran's <strong> IRGC Cyber Electronic Command (IRGC-CEC) </strong>, the IRGC's primary cyber warfare unit responsible for offensive operations against critical infrastructure.</p>
<p>HYDRO KITTEN's deployment of the <strong> Slopoly </strong> implant against U.S. energy sector SCADA systems (confirmed March 7) represents the most significant OT-targeting activity observed in this conflict cycle to date. Slopoly is designed to establish persistent access within industrial control system environments, with modules capable of enumerating OT network topology, identifying Modbus and DNP3 devices, and staging for potential disruptive or destructive follow-on actions.</p>
<p>The March 7 activity targeted SCADA systems at electric utilities, consistent with HYDRO KITTEN's historical focus on energy infrastructure. While no destructive actions have been confirmed from Slopoly deployments to date, the implant's presence in OT environments represents pre-positioning for potential future disruption — a pattern consistent with IRGC-CEC doctrine of maintaining "left of launch" options.</p>
<p><strong> State Government Relevance: </strong> State-owned utilities, public power authorities, and state emergency management agencies with visibility into energy infrastructure should treat any anomalous OT network activity as potentially related to this campaign. Air-gapped or segmented OT networks should be audited for unexpected connections to IT networks.</p>
<h3>5. Hive0163 and CVE-2026-25815: Building Management Systems as Attack Surface</h3>
<p>Hive0163 (IBM X-Force designation) is a threat actor with assessed ties to Iranian state interests, though the precise organizational affiliation remains under analysis. Their focus on building management systems (BMS) represents an underappreciated attack vector that bridges cyber and physical security.</p>
<p><strong> CVE-2026-25815 </strong> is a pre-authentication remote code execution vulnerability in a widely deployed BMS controller platform used in government buildings, hospitals, universities, and commercial facilities across the United States. The vulnerability exists in the platform's web management interface and allows an unauthenticated attacker to execute arbitrary commands with system-level privileges.</p>
<p>Successful exploitation of CVE-2026-25815 could allow an adversary to:</p>
<ul>
<li>Manipulate HVAC systems (temperature, ventilation, humidity control)</li>
<li>Override electronic access control systems (door locks, badge readers)</li>
<li>Disrupt uninterruptible power supply (UPS) and power distribution systems</li>
<li>Disable fire suppression monitoring</li>
<li>Gain a foothold on the OT network for lateral movement to connected IT systems</li>
</ul>
<p>The publication of a proof-of-concept exploit on March 15 dramatically lowered the barrier to exploitation. CISA's Emergency Directive issued March 16 mandates federal civilian agencies patch within 72 hours; state governments should treat this timeline as a strong recommendation.</p>
<p><strong> State Government Relevance: </strong> State capitol buildings, courthouses, correctional facilities, emergency operations centers, and any government facility using the affected BMS platform are at direct risk. Physical security teams must be looped into the cyber response for this vulnerability.</p>
<h3>6. Qilin Ransomware: CVE-2025-32756 and PLAYCRYPT Deployment</h3>
<p>Qilin is a ransomware-as-a-service (RaaS) operation that has been active since 2022 and has demonstrated a consistent pattern of targeting public sector organizations. Their exploitation of CVE-2025-32756 — an authentication bypass vulnerability in a widely used SSL VPN product — represents a significant escalation in their operational tempo coinciding with the broader conflict environment.</p>
<p><strong> CVE-2025-32756 </strong> allows an unauthenticated remote attacker to bypass authentication on the VPN appliance and gain access to the internal network without valid credentials. Qilin affiliates have been observed using this access to conduct reconnaissance, harvest credentials from Active Directory, and deploy the <strong> PLAYCRYPT </strong> encryptor across victim networks. PLAYCRYPT uses ChaCha20-Poly1305 encryption and has no known decryptor.</p>
<p>Qilin's ransom demands against public sector victims have ranged from $500,000 to $4.2 million in observed cases. The group operates a data leak site and has demonstrated willingness to publish sensitive government data when ransom demands are not met. Three confirmed victims have been claimed by Qilin since March 5; at least one is assessed to be a U.S. state government entity based on leaked data samples.</p>
<p><strong> State Government Relevance: </strong> Any state government entity running the affected VPN product without the patch for CVE-2025-32756 is at immediate risk of ransomware deployment. The combination of a CISA KEV listing (March 5) and active exploitation means this is not a theoretical risk — it is an active incident waiting to happen on unpatched systems.</p>
<h2>Predictive Analysis </h2>
<table>
<thead>
<tr>
<th>
<p><strong> Scenario </strong></p>
</th>
<th>
<p><strong> Probability </strong></p>
</th>
<th>
<p><strong> Timeframe </strong></p>
</th>
<th>
<p><strong> Indicators to Watch </strong></p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>Additional Hyrax wiper deployments against U.S. state/local government targets</p>
</td>
<td>
<p><strong> 70%+ </strong></p>
</td>
<td>
<p>Next 7 days</p>
</td>
<td>
<p>Handala Telegram claims; new Hyrax hash detections; RDP scanning spikes</p>
</td>
</tr>
<tr>
<td>
<p>MuddyWater (MOIS) achieves persistent access in at least one additional state government network</p>
</td>
<td>
<p><strong> 65% </strong></p>
</td>
<td>
<p>Next 14 days</p>
</td>
<td>
<p>Dindoor C2 callbacks to new infrastructure; cloud storage exfil anomalies</p>
</td>
</tr>
<tr>
<td>
<p>CVE-2026-25815 exploited for physical disruption at a U.S. government facility</p>
</td>
<td>
<p><strong> 40% </strong></p>
</td>
<td>
<p>Next 14 days</p>
</td>
<td>
<p>Hive0163 C2 activity; anomalous BMS controller commands; HVAC/access control anomalies</p>
</td>
</tr>
<tr>
<td>
<p>Qilin ransomware deployment confirmed at a U.S. state government entity</p>
</td>
<td>
<p><strong> 60% </strong></p>
</td>
<td>
<p>Next 7 days</p>
</td>
<td>
<p>PLAYCRYPT encryptor detections; Qilin leak site updates; VPN auth anomalies</p>
</td>
</tr>
<tr>
<td>
<p>HYDRO KITTEN (IRGC-CEC) escalates from Slopoly pre-positioning to active OT disruption</p>
</td>
<td>
<p><strong> 20% </strong></p>
</td>
<td>
<p>Next 30 days</p>
</td>
<td>
<p>Slopoly C2 activity; anomalous Modbus/DNP3 commands; SCADA alarm suppression</p>
</td>
</tr>
</tbody>
</table>
<h2>SOC Operational Guidance </h2>
<h3>Hunting Hypotheses</h3>
<p><strong> Hypothesis 1: Hyrax Wiper Pre-Deployment Activity </strong></p>
<p><em> ATT&CK Techniques: T1486 (Data Encrypted for Impact), T1561.002 (Disk Structure Wipe), T1021.001 (Remote Services: RDP), T1570 (Lateral Tool Transfer) </em></p>
<p>Hunt for:</p>
<ul>
<li>Processes writing to \\.\PhysicalDrive0 or \\.\PhysicalDrive* outside of known backup/disk management tools</li>
<li>vssadmin delete shadows /all or wbadmin delete catalog execution</li>
<li>SMB lateral movement from newly accessed hosts within 30 minutes of initial RDP logon</li>
<li>Unsigned executables dropped to %TEMP% or %APPDATA% following RDP session establishment</li>
<li>Bulk file modification events (&gt;500 files in &lt;60 seconds) by non-backup processes</li>
</ul>
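<p>The last two bullets above are the most mechanical to automate. The following is an added example (not Anomali's code or a product query) that runs the shadow-copy deletion check and the "more than 500 files in under 60 seconds by a non-backup process" burst check over constructed EDR-style telemetry; the event field names and the backup allowlist are assumptions to be mapped onto your own EDR or Sysmon schema.</p>

```python
"""Hyrax pre-deployment hunt (Hypothesis 1): shadow-copy deletion and
bulk file-modification bursts. Added example; event shape is assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FILE_THRESHOLD = 500            # hunt criterion: more than 500 files
WINDOW = timedelta(seconds=60)  # ... modified in under 60 seconds

# Assumed allowlist of backup / disk-management binaries; tune per environment.
BACKUP_ALLOWLIST = {
    r"c:\program files\veeam\backup\veeamagent.exe",
    r"c:\windows\system32\wbengine.exe",
}

# The two shadow-copy / catalog deletion command lines named in the hunt.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows\s+/all|wbadmin(\.exe)?\s+delete\s+catalog)",
    re.IGNORECASE,
)


def find_bulk_modifiers(file_events):
    """Return {(host, pid, image): alert_time} for every process that modifies
    more than FILE_THRESHOLD files inside any WINDOW, skipping allowlisted tools."""
    recent = defaultdict(deque)  # per-process timestamps still inside the window
    alerts = {}
    for ev in sorted(file_events, key=lambda e: datetime.fromisoformat(e["ts"])):
        key = (ev["host"], ev["pid"], ev["image"].lower())
        if key[2] in BACKUP_ALLOWLIST or key in alerts:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= WINDOW:  # evict timestamps 60 s or older
            q.popleft()
        if len(q) > FILE_THRESHOLD:
            alerts[key] = ts
    return alerts


def find_shadow_deletion(proc_events):
    """Process-creation events whose command line deletes VSS shadows or the wbadmin catalog."""
    return [ev for ev in proc_events if SHADOW_DELETE.search(ev["cmdline"])]


def synth_file_events(host, pid, image, start, count, seconds):
    """Constructed sample: `count` file modifications spread evenly over `seconds`."""
    t0 = datetime.fromisoformat(start)
    step = timedelta(seconds=seconds / count)
    return [{"host": host, "pid": pid, "image": image,
             "path": f"c:\\data\\file{i}.docx",
             "ts": (t0 + i * step).isoformat()} for i in range(count)]


# Constructed sample telemetry (not real indicators).
SAMPLE_FILE_EVENTS = (
    # 800 files in 30 s from an unsigned binary in a user-writable path: wiper-like burst
    synth_file_events("HOST-01", 4242, r"C:\Users\Public\update.exe",
                      "2026-03-11T02:14:00", 800, 30)
    # same burst from an allowlisted backup agent: ignored
    + synth_file_events("HOST-01", 1200, r"C:\Program Files\Veeam\Backup\VeeamAgent.exe",
                        "2026-03-11T02:00:00", 800, 30)
    # 800 files over 10 minutes from explorer.exe: never exceeds the rate
    + synth_file_events("HOST-02", 3100, r"C:\Windows\explorer.exe",
                        "2026-03-11T02:14:00", 800, 600)
)
SAMPLE_PROC_EVENTS = [
    {"host": "HOST-01", "pid": 4300, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "HOST-01", "pid": 4301, "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "HOST-02", "pid": 500, "cmdline": "vssadmin.exe list shadows"},  # benign
]

if __name__ == "__main__":
    for (host, pid, image), when in find_bulk_modifiers(SAMPLE_FILE_EVENTS).items():
        print(f"ALERT bulk modification: {host} pid={pid} {image} at {when.isoformat()}")
    for ev in find_shadow_deletion(SAMPLE_PROC_EVENTS):
        print(f"ALERT shadow deletion: {ev['host']} pid={ev['pid']} {ev['cmdline']}")
```

Both alerts should fire together on HOST-01 in the sample; in production, a shadow-copy deletion followed by a burst from the same host within minutes is the pairing to escalate first.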
<p><strong> Hypothesis 2: Storm-2561 Chrome Exploitation and Credential Theft </strong></p>
<p><em> ATT&CK Techniques: T1189 (Drive-by Compromise), T1539 (Steal Web Session Cookie), T1555.003 (Credentials from Web Browsers) </em></p>
<p>Hunt for:</p>
<ul>
<li>Chrome processes spawning unexpected child processes (cmd.exe, powershell.exe, wscript.exe)</li>
<li>Access to Chrome's Login Data, Cookies, or Local State files by processes other than Chrome</li>
<li>Network connections from Chrome renderer processes to non-Google IP ranges</li>
<li>Chrome version strings below 123.0.6312.105 (pre-patch) on active endpoints</li>
<li>Unusual LSASS access from browser-related processes</li>
</ul>
<p><strong> Hypothesis 3: MuddyWater Dindoor C2 via Cloud Services </strong></p>
<p><em> ATT&CK Techniques: T1102.002 (Web Service: Bidirectional Communication), T1071.001 (Application Layer Protocol: Web Protocols), T1059.001 (PowerShell) </em></p>
<p>Hunt for:</p>
<ul>
<li>PowerShell processes making outbound HTTPS connections to OneDrive or Google Drive APIs outside of business hours</li>
<li>Scheduled tasks or services created with names mimicking legitimate Windows components but pointing to user-writable directories</li>
<li>Encoded PowerShell execution (-EncodedCommand) followed by cloud storage API calls</li>
<li>Unusual volume of small (1–50KB) HTTPS POST requests to cloud storage endpoints from workstations</li>
</ul>
<p><strong> Hypothesis 4: CVE-2025-32756 VPN Exploitation </strong></p>
<p><em> ATT&CK Techniques: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1003.006 (DCSync) </em></p>
<p>Hunt for:</p>
<ul>
<li>VPN authentication events without corresponding MFA events from the same session</li>
<li>New VPN sessions originating from Tor exit nodes or known VPN/proxy IP ranges</li>
<li>LDAP queries for all domain users/computers within 10 minutes of VPN session establishment</li>
<li>DCSync operations (Replication-Get-Changes-All) from non-domain-controller hosts</li>
<li>Bulk credential access from hosts that authenticated via VPN within the past 24 hours</li>
</ul>
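<p>The first and third bullets are correlation hunts across separate log sources. The following added example (not Anomali's code or a vendor query) joins constructed VPN, MFA and LDAP records to surface sessions that authenticated with no matching MFA event and then ran broad directory enumeration from the VPN-assigned address within 10 minutes; the record fields, the 90-second MFA grace period and the enumeration filter list are assumptions to adapt to your appliance and domain controller logs.</p>

```python
"""CVE-2025-32756 follow-on hunt (Hypothesis 4): VPN auth without MFA, and
LDAP enumeration within 10 minutes of session start. Added example; log shapes assumed."""
from datetime import datetime, timedelta

MFA_GRACE = timedelta(seconds=90)     # assumption: MFA should complete within 90 s of VPN auth
LDAP_WINDOW = timedelta(minutes=10)   # hunt criterion: enumeration within 10 minutes
# Filters that enumerate whole object classes rather than look up one principal.
ENUM_FILTERS = {"(objectclass=user)", "(objectclass=computer)", "(objectcategory=person)"}


def _t(s):
    return datetime.fromisoformat(s)


def vpn_without_mfa(vpn_events, mfa_events):
    """Session ids that authenticated to the VPN but produced no successful MFA
    event for the same session inside MFA_GRACE (the auth-bypass signature)."""
    ok = {}
    for m in mfa_events:
        if m["result"] == "success":
            ok.setdefault(m["session"], []).append(_t(m["ts"]))
    flagged = []
    for v in vpn_events:
        start = _t(v["ts"])
        if not any(timedelta(0) <= t - start <= MFA_GRACE for t in ok.get(v["session"], [])):
            flagged.append(v["session"])
    return flagged


def ldap_enum_after_vpn(vpn_events, ldap_events):
    """(session, filter) pairs where the VPN-assigned address issued a broad
    LDAP enumeration within LDAP_WINDOW of the session being established."""
    hits = []
    for v in vpn_events:
        start = _t(v["ts"])
        for q in ldap_events:
            if q["client_ip"] != v["assigned_ip"]:
                continue
            delta = _t(q["ts"]) - start
            if timedelta(0) <= delta <= LDAP_WINDOW and q["filter"].lower() in ENUM_FILTERS:
                hits.append((v["session"], q["filter"]))
    return hits


# Constructed sample records (documentation-range addresses, not real indicators).
VPN_LOG = [
    {"ts": "2026-03-06T03:02:10", "user": "jdoe", "session": "S-1001",
     "src_ip": "203.0.113.10", "assigned_ip": "10.20.0.5"},   # no MFA follows
    {"ts": "2026-03-06T08:15:00", "user": "asmith", "session": "S-1002",
     "src_ip": "198.51.100.7", "assigned_ip": "10.20.0.9"},   # normal login
]
MFA_LOG = [
    {"ts": "2026-03-06T08:15:14", "user": "asmith", "session": "S-1002", "result": "success"},
]
LDAP_LOG = [
    {"ts": "2026-03-06T03:05:41", "client_ip": "10.20.0.5",
     "filter": "(objectClass=user)", "base": "DC=example,DC=gov"},
    {"ts": "2026-03-06T03:06:02", "client_ip": "10.20.0.5",
     "filter": "(objectClass=computer)", "base": "DC=example,DC=gov"},
    {"ts": "2026-03-06T08:16:30", "client_ip": "10.20.0.9",
     "filter": "(sAMAccountName=asmith)", "base": "DC=example,DC=gov"},  # single lookup
]

if __name__ == "__main__":
    for s in vpn_without_mfa(VPN_LOG, MFA_LOG):
        print(f"ALERT VPN session without MFA: {s}")
    for s, f in ldap_enum_after_vpn(VPN_LOG, LDAP_LOG):
        print(f"ALERT directory enumeration after VPN login: {s} {f}")
```

A session that appears in both result sets is the strongest lead; a session in only the first set still warrants review of the appliance's patch level.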
<p><strong> Hypothesis 5: CVE-2026-25815 BMS Exploitation </strong></p>
<p><em> ATT&CK Techniques: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1046 (Network Service Discovery) </em></p>
<p>Hunt for:</p>
<ul>
<li>Unexpected outbound connections from BMS controller IP ranges to internet addresses</li>
<li>Command execution via BMS web management interface outside of maintenance windows</li>
<li>New user accounts created on BMS platforms</li>
<li>Network scanning activity originating from BMS controller subnets toward IT network ranges</li>
</ul>
<h3>IOCs for Blocking and Detection</h3>
<p><strong> No IOCs available from current automated collection. </strong> The domains, IPs, and file hashes associated with the threat actors in this report should be sourced from your ThreatStream portal, MS-ISAC advisories, or CISA alerts — not from this blog. Contact your Anomali account team or MS-ISAC for the latest validated indicators related to Handala, MuddyWater, Storm-2561, Qilin, Hive0163, and HYDRO KITTEN.</p>
<h3>Defensive Quick Wins (This Week)</h3>
<ol>
<li><strong> Force Chrome update </strong> to version 123.0.6312.105 or later across all managed endpoints — this closes the CVE-2026-28252/28254 exploit chain</li>
<li><strong> Audit internet-exposed RDP </strong> — disable or move behind VPN/jump host; enable Network Level Authentication at minimum</li>
<li><strong> Verify VPN patch status </strong> for CVE-2025-32756 — if unpatched, implement compensating controls (geo-blocking, IP allowlisting) immediately</li>
<li><strong> Isolate BMS networks </strong> — ensure no direct routing between BMS controller subnets and corporate IT networks; apply CVE-2026-25815 patch per CISA Emergency Directive</li>
<li><strong> Validate offline backup integrity </strong> — confirm at least one recent backup exists that is not accessible from the production network; test restoration procedure</li>
<li><strong> Block validated IOCs </strong> — sourced from ThreatStream, MS-ISAC, or CISA as noted in the IOC section above — at perimeter firewall, DNS sinkholes, and endpoint security platforms</li>
<li><strong> Enable enhanced logging </strong> on VPN appliances, domain controllers, and internet-facing web servers — ensure logs are forwarded to SIEM with 90-day retention</li>
</ol>
<h2>Sector-Specific Priorities </h2>
<h3>🏦 Financial Services</h3>
<p><strong> Primary Threats: </strong> Storm-2561 credential theft, Qilin ransomware, MuddyWater (MOIS) espionage</p>
<p><strong> Priority Actions: </strong></p>
<ul>
<li>Audit all browser-based financial application sessions for anomalous token activity post-March 8</li>
<li>Verify VPN appliance patch status for CVE-2025-32756; financial sector VPNs are a confirmed Qilin target</li>
<li>Implement transaction anomaly monitoring for accounts that authenticated via Chrome between March 8–12</li>
<li>Review SWIFT/ACH transaction authorization logs for any anomalies in the past two weeks</li>
</ul>
<h3>⚡ Energy and Utilities</h3>
<p><strong> Primary Threats: </strong> HYDRO KITTEN (IRGC-CEC) / Slopoly, Hyrax wiper, CVE-2026-25815 BMS exploitation</p>
<p><strong> Priority Actions: </strong></p>
<ul>
<li>Conduct immediate OT network audit for Slopoly indicators; treat any anomalous Modbus/DNP3 traffic as high-priority</li>
<li>Verify IT/OT network segmentation — confirm no unintended pathways between corporate IT and SCADA/ICS networks</li>
<li>Apply CVE-2026-25815 patch to all BMS controllers; audit BMS access logs for unauthorized access</li>
<li>Activate enhanced monitoring per NERC CIP incident response procedures; consider notifying E-ISAC</li>
</ul>
<h3>🏥 Healthcare</h3>
<p><strong> Primary Threats: </strong> Qilin ransomware, CVE-2026-25815 BMS exploitation, Hyrax wiper</p>
<p><strong> Priority Actions: </strong></p>
<ul>
<li>Healthcare BMS systems (HVAC for sterile environments, medical gas monitoring) are at elevated risk from CVE-2026-25815 — prioritize patching</li>
<li>Verify backup integrity for patient record systems; ransomware deployment in healthcare has life-safety implications</li>
<li>Review VPN access logs for CVE-2025-32756 exploitation indicators</li>
<li>Ensure downtime procedures are current and staff are briefed on manual operations</li>
</ul>
<h3>🏛️ State and Local Government</h3>
<p><strong> Primary Threats: </strong> All threat actors in this report; highest overall risk profile</p>
<p><strong> Priority Actions: </strong></p>
<ul>
<li>This sector is the primary target of Handala's Hyrax wiper — treat as active threat requiring immediate defensive action</li>
<li>MuddyWater (MOIS) is specifically targeting state agencies with federal program responsibilities — audit for Dindoor indicators</li>
<li>Verify all government facility BMS systems for CVE-2026-25815 exposure</li>
<li>Activate state fusion center coordination; share IOCs with MS-ISAC immediately</li>
<li>Brief executive leadership on destructive malware risk; ensure crisis communications plans are current</li>
</ul>
<h3>✈️ Aviation and Transportation</h3>
<p><strong> Primary Threats: </strong> CVE-2026-25815 BMS exploitation, HYDRO KITTEN (IRGC-CEC) OT targeting, Hyrax wiper</p>
<p><strong> Priority Actions: </strong></p>
<ul>
<li>Airport and transit facility BMS systems are at elevated risk from CVE-2026-25815 — audit and patch immediately</li>
<li>Review access control system logs for anomalous activity that could indicate BMS compromise</li>
<li>Coordinate with TSA and DOT on threat information sharing</li>
<li>Verify network segmentation between passenger-facing systems and operational/safety systems</li>
</ul>
<h2>Recommendations </h2>
<h3>⏱️ Immediate (Next 24 Hours)</h3>
<ol>
<li><strong> Deploy Chrome emergency update </strong> (version 123.0.6312.105+) to all managed endpoints via GPO or MDM. Verify deployment completion. Treat any endpoint that cannot be immediately updated as potentially compromised if it browsed the web between March 8–12.</li>
<li><strong> Audit and remediate internet-exposed RDP. </strong> Pull a report of all systems with TCP/3389 accessible from the internet. Disable direct internet exposure immediately. This is Handala's primary initial access vector for Hyrax wiper deployment.</li>
<li><strong> Block all validated IOCs for the actors in this report </strong> (sourced from ThreatStream, MS-ISAC, or CISA, as this blog carries none) at perimeter firewall, DNS, and endpoint security platforms. Prioritize Hyrax C2 domains and Qilin VPN exploit delivery infrastructure.</li>
</ol>
<h3>📅 Seven-Day Actions</h3>
<ol start="4">
<li><strong> Patch CVE-2025-32756 </strong> on all affected VPN appliances. If patching cannot be completed within 48 hours, implement emergency compensating controls: restrict VPN access to known IP ranges, require certificate-based authentication, and increase VPN authentication logging.</li>
<li><strong> Patch CVE-2026-25815 </strong> on all BMS controllers per CISA Emergency Directive timeline. Engage facilities management teams immediately — this is a joint cyber/physical security issue. Audit BMS network segmentation.</li>
<li><strong> Hunt for Dindoor indicators </strong> using the hunting hypotheses above. Focus on PowerShell activity, cloud storage API calls, and scheduled task creation. Engage MuddyWater (MOIS) TTPs specifically — this is a MOIS operation, not IRGC, and the objective is persistent intelligence collection.</li>
<li><strong> Validate backup integrity and test restoration. </strong> Confirm offline/air-gapped backups exist for all critical systems. Run a tabletop restoration exercise for at least one critical system. Document recovery time objectives against current backup posture.</li>
</ol>
<h3>📆 Thirty-Day Actions</h3>
<ol start="8">
<li><strong> Implement privileged access workstations (PAWs) </strong> for all administrative access to critical systems. Browser-based credential theft is most dangerous when administrative accounts are used in standard browsing environments.</li>
<li><strong> Deploy network segmentation </strong> between BMS/OT networks and corporate IT networks where gaps exist. Implement unidirectional security gateways (data diodes) for OT environments where bidirectional communication is not required.</li>
<li><strong> Conduct a full attack surface review </strong> focused on internet-facing services: VPN appliances, RDP, OWA/Exchange, web management interfaces. Reduce exposure to the minimum required for operations.</li>
<li><strong> Establish or refresh Iranian threat actor playbooks </strong> for your incident response team. Ensure IR staff understand the distinction between MOIS (MuddyWater — espionage focus) and IRGC-affiliated actors (Handala, HYDRO KITTEN — disruptive/destructive focus). Response priorities and escalation paths differ.</li>
</ol>
<h3>🎯 Executive and IR Preparedness Actions</h3>
<ul>
<li><strong> Brief executive leadership </strong> on the destructive malware threat. Hyrax wiper deployment means this is no longer a confidentiality/integrity issue only — availability and operational continuity are at direct risk.</li>
<li><strong> Verify cyber insurance coverage </strong> for destructive malware events. Some policies exclude nation-state attacks; review policy language now, not after an incident.</li>
<li><strong> Establish out-of-band communications </strong> for incident response. If a wiper attack takes down email and collaboration systems, how does your team communicate? Verify this capability exists and is tested.</li>
<li><strong> Coordinate with MS-ISAC and your state fusion center. </strong> Share IOCs. Request any additional indicators related to Handala and MuddyWater (MOIS) activity targeting your sector.</li>
</ul>
<h2>Bottom Line </h2>
<p>The first sixteen days of Operation Epic Fury / Roaring Lion have produced a cyber threat environment that is more dangerous, more diverse, and more directly threatening to state government operations than any period since the 2020 SolarWinds campaign. The convergence of four simultaneous threat streams — Iranian destructive operations (Hyrax), Iranian espionage (Dindoor/MuddyWater-MOIS), opportunistic ransomware (Qilin/PLAYCRYPT), and critical infrastructure targeting (HYDRO KITTEN/Slopoly, CVE-2026-25815) — means that defenders cannot focus on a single threat. Every front requires attention simultaneously.</p>
<p>The good news: the defensive actions required are known, achievable, and largely within the control of state security teams. Patch Chrome. Close exposed RDP. Patch the VPN. Patch the BMS. Validate backups. Block the IOCs. These are not exotic countermeasures — they are disciplined execution of security fundamentals under pressure.</p>
<p>The bad news: the window for these actions is measured in days, not weeks. Handala has already deployed wipers twice. Qilin is actively exploiting unpatched VPNs. The CVE-2026-25815 PoC is public. The threat actors are moving faster than typical patch cycles allow.</p>
<p><strong> Act now. Patch aggressively. Hunt actively. Communicate broadly. </strong></p>