Iran's Cyber Apparatus Shifts to Active Preparation: What CISOs Must Know Now

Anomali Threat Research

Published on

June 9, 2026

Table of Contents

Threat Assessment Level: HIGH Maintained from prior cycle. The June 8 Iranian declaration of "resumption of hostilities," combined with confirmed C2 infrastructure refresh, active exploitation of AI toolchain vulnerabilities, and expanding OT attack surface, sustains HIGH threat posture. Absence of destructive operations is assessed as preparation-phase indicator, not de-escalation. <h2> Introduction </h2> One hundred days into the Iran-Israel cyber conflict (ongoing since February 28, 2026), the threat landscape has entered a dangerous inflection point. Iranian state-sponsored actors are refreshing command-and-control infrastructure, hacktivist personas remain operationally active against Israeli government targets, and CISA has confirmed active exploitation of a critical vulnerability in AI gateway infrastructure used across enterprise environments. Meanwhile, the Russian-Iranian criminal nexus continues to deepen — with multiple ransomware and initial access broker groups now sharing Tehran-hosted infrastructure that carries explicit "ceasefire over" operational tagging. For CISOs overseeing critical infrastructure, defense industrial base, energy, or financial services organizations, the next 72 hours represent a heightened risk window. <h2> What Changed </h2> Since the prior cycle (June 8, 2026): <table> <thead> <tr> <th> Development </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> CVE-2026-42271 (LiteLLM MCP RCE) added to CISA KEV on June 8 </td> <td> Active exploitation of AI infrastructure confirmed — any organization running LiteLLM 1.74.2–1.83.6 is exposed </td> </tr> <tr> <td> Iranian C2 infrastructure on ASN 51396 refreshed (June 9) </td> <td> Cobalt Strike BEACON server confirmed active on Tehran hosting; BumbleBee loader newly associated with Iranian infrastructure </td> </tr> <tr> <td> ASN 213790 IOCs updated (June 9, 07:58 UTC) </td> <td> APT28/LockBit/Pinchy Spider infrastructure refreshed with 97-confidence indicators targeting government, healthcare, telecom </td> </tr> <tr> <td> UNC5855 (AnonymousForJustice) IOCs confirmed active June 8 </td> <td> Iranian hacktivist persona targeting Israeli Ministry of Defense/Justice remains operational </td> </tr> <tr> <td> 5 ICS advisories published (June 4) </td> <td> Hitachi Energy RTU500, NAVTOR NavBox, ATG systems — expanding OT attack surface while primary ICS threat actor (CyberAv3ngers) remains silent </td> </tr> <tr> <td> BumbleBee loader appears on Iranian C2 for first time </td> <td> Signals deepening Russian-Iranian criminal cooperation beyond LockBit/SystemBC </td> </tr> <tr> <td> Fox Kitten (UNC757) dormant access risk elevated </td> <td> 31 days without new campaign activity during a declared retaliation window raises probability of pre-positioned access activation in DIB contractor networks </td> </tr> </tbody> </table> Unchanged from prior cycle: Iran's June 8 declaration of "resumption of hostilities" remains the primary operational authorization signal. The Handala group's June 3 claim of providing targeting intelligence to Iranian kinetic strike units remains the most significant cyber-to-kinetic convergence event of this conflict. <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Impact </th> </tr> </thead> <tbody> <tr> <td> 2026-02-28 </td> <td> Iran-Israel conflict begins </td> <td> Cyber operations commence alongside kinetic </td> </tr> <tr> <td> 2026-06-03 </td> <td> Handala claims cyber-to-kinetic targeting support </td> <td> First confirmed digital-to-physical convergence </td> </tr> <tr> <td> 2026-06-05 </td> <td> CISA adds CVE-2026-28318, CVE-2026-45247, CVE-2024-21182 to KEV </td> <td> Active exploitation of SolarWinds Serv-U, Magento 2, Oracle WebLogic </td> </tr> <tr> <td> 2026-06-08 </td> <td> Iran declares "resumption of hostilities" </td> <td> Assessed as authorization signal for IRGC cyber retaliation </td> </tr> <tr> <td> 2026-06-08 </td> <td> CVE-2026-42271 (LiteLLM) added to CISA KEV </td> <td> AI infrastructure actively exploited in the wild </td> </tr> <tr> <td> 2026-06-08 </td> <td> UNC5855/AnonymousForJustice IOCs last seen </td> <td> Iranian hacktivist persona operationally active </td> </tr> <tr> <td> 2026-06-09 </td> <td> ASN 51396 Cobalt Strike C2 refreshed </td> <td> Tehran-hosted C2 with "ceasefire over" tagging active </td> </tr> <tr> <td> 2026-06-09 </td> <td> ASN 213790 APT28/LockBit cluster updated </td> <td> Multi-actor criminal infrastructure refreshed at confidence 97 </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> 1. Russian-Iranian Criminal Nexus Deepens </h3> The infrastructure cluster on ASN 213790 ("Limited Network," Tehran) now hosts operations attributed to APT28 , LockBit Gang , Pinchy Spider (REvil/GandCrab lineage), and as of this cycle, BumbleBee (historically associated with Russian initial access broker Exotic Lily/UNC2500). A parallel cluster on ASN 51396 (Pfcloud UG, Tehran) hosts confirmed Cobalt Strike BEACON servers and Tofsee C2 infrastructure. This is no longer a bilateral Russian-Iranian arrangement — it is a multi-party criminal ecosystem operating under apparent Iranian state tolerance. The explicit "Iran declares ceasefire over — cyber retaliation window opens for critical infrastructure" tag observed on the Cobalt Strike C2 IP suggests this infrastructure is pre-staged for retaliatory operations. Key IOCs (ASN 213790): <ul> <li> 192.253.248[.]169 — APT28/LockBit tagged, confidence 97, targeting government/healthcare/telecom </li> <li> 77.90.185[.]253 — Pinchy Spider, chemical sector targeting, confidence 91 </li> <li> 185.93.89[.]147 — APT28/Mirage RAT, confidence 91 </li> </ul> Key IOCs (ASN 51396): <ul> <li> 217.60.241[.]17 — Cobalt Strike BEACON, confidence 80 </li> <li> 217.60.241[.]14 — Tofsee C2, confidence 93 </li> <li> 217.60.241[.]39 — Tofsee C2, confidence 90 </li> </ul> <h3> 2. AI Infrastructure Under Active Attack — CVE-2026-42271 </h3> CVE-2026-42271 (CVSS 8.8) is a remote code execution vulnerability in LiteLLM versions 1.74.2–1.83.6. The flaw allows any authenticated user — including holders of low-privilege internal API keys — to execute arbitrary commands on the AI gateway host via MCP (Model Context Protocol) server test endpoints. This matters because: <ul> <li> LiteLLM is widely deployed as a multi-model AI gateway in enterprise environments </li> <li> The MCP protocol is designed to give AI agents tool access — a compromised gateway becomes a privilege escalation vector into every system the AI agent can reach </li> <li> Iranian actors (MuddyWater, APT35) have demonstrated cloud-focused operations and would leverage this for living-off-trusted-services attacks </li> <li> CISA KEV listing confirms active exploitation — this is not theoretical </li> </ul> <h3> 3. Expanding OT/ICS Attack Surface </h3> Five ICS advisories published in a single week create new exploitation opportunities: <ul> <li> Hitachi Energy RTU500 (ICSA-26-155-04) — power grid substation automation, deployed across Gulf state electricity infrastructure </li> <li> NAVTOR NavBox (ICSA-26-155-01) — maritime navigation systems vulnerable to SOAP endpoint exploitation </li> <li> Automatic Tank Gauge (ATG) systems — CISA multi-agency hardening guidance issued for fuel monitoring infrastructure </li> <li> Hitachi Energy ITT600 and B&R PPT30 — additional ICS components with new vulnerabilities </li> </ul> The primary ICS threat actor CyberAv3ngers (IRGC-CEC affiliated) remains silent — assessed as preparation-phase behavior rather than de-escalation, particularly given the expanding attack surface. <h3> 4. Named Threat Actors — Current Status </h3> <table> <thead> <tr> <th> Actor </th> <th> Affiliation </th> <th> Status (as of June 9) </th> <th> Primary Targets </th> </tr> </thead> <tbody> <tr> <td> Pioneer Kitten / Fox Kitten (UNC757) </td> <td> IRGC </td> <td> Profile updated June 8; no new campaign data (31 days quiet) </td> <td> DIB contractors, VPN infrastructure </td> </tr> <tr> <td> APT33 / Refined Kitten </td> <td> IRGC </td> <td> Tracked; infrastructure active </td> <td> Energy, aerospace, government </td> </tr> <tr> <td> APT42 / Charming Kitten </td> <td> IRGC-IO </td> <td> Tracked </td> <td> Credential harvesting, surveillance </td> </tr> <tr> <td> CyberAv3ngers </td> <td> IRGC-CEC </td> <td> Silent — assessed as preparation phase </td> <td> ICS/OT, water, energy </td> </tr> <tr> <td> MuddyWater / TEMP.Zagros </td> <td> MOIS </td> <td> Silent — anomalous given typical tempo </td> <td> Government, telecom, energy (19 countries) </td> </tr> <tr> <td> APT34 / OilRig </td> <td> MOIS </td> <td> Tracked </td> <td> Financial, government, energy </td> </tr> <tr> <td> UNC5855 / AnonymousForJustice </td> <td> Iran (hacktivist) </td> <td> Active — IOCs seen June 8 </td> <td> Israeli government, defense </td> </tr> <tr> <td> Handala </td> <td> Pro-Iran hacktivist </td> <td> Active — claimed kinetic targeting support June 3 </td> <td> Israeli infrastructure, cyber-to-kinetic </td> </tr> <tr> <td> HYDRO KITTEN </td> <td> IRGC-CEC </td> <td> Tracked </td> <td> Water/energy ICS </td> </tr> </tbody> </table> <h2> Predictive Analysis — Next 72 Hours to 14 Days </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Indicators to Watch </th> </tr> </thead> <tbody> <tr> <td> Phishing/exploitation campaigns leveraging refreshed Iranian C2 infrastructure </td> <td> 70% </td> <td> 24–72 hours </td> <td> Cobalt Strike BEACON callbacks to ASN 51396/213790; BumbleBee ISO/VHD delivery </td> </tr> <tr> <td> MuddyWater breaks silence with new campaign targeting Gulf state government/energy </td> <td> 40% </td> <td> 3–7 days </td> <td> Power Automate/Microsoft Teams social engineering lures; TEMP.Zagros infrastructure activation </td> </tr> <tr> <td> CyberAv3ngers deploy new ICS capability against RTU500/ATG systems </td> <td> 15% </td> <td> 7–14 days </td> <td> IOCONTROL variants in OT telemetry; anomalous Modbus/DNP3 traffic to RTU500 units </td> </tr> <tr> <td> Fox Kitten (UNC757) dormant access activated in DIB contractor networks </td> <td> 25% </td> <td> 24–72 hours (retaliation window) </td> <td> Fortinet/Citrix/Ivanti VPN webshell activity; lateral movement from contractor segments </td> </tr> <tr> <td> Destructive wiper deployment (BiBiWiper, ZeroShred, GoneXML variants) </td> <td> 20% </td> <td> 3–14 days </td> <td> Wiper precursors: mass credential harvesting, AD enumeration, backup deletion </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Immediate Detection Priorities </h3> <ol> <li> Iranian C2 Communication ( T1071.001 , T1572 ) </li> </ol> <ul> <li> Hunt Hypothesis: Hosts in your environment are beaconing to refreshed Iranian C2 infrastructure on ASN 51396 (217.60.241.0/24) or ASN 213790 (192.253.248.0/24, 77.90.185.0/24, 185.93.89.0/24). </li> <li> Detection: DNS/proxy logs for connections to the IOCs listed above. EDR telemetry for Cobalt Strike BEACON malleable C2 profiles (HTTPS on port 443 with abnormal JA3/JA4 fingerprints). NetFlow for periodic beaconing patterns (60–90 second intervals) to Tehran-geolocated IPs. </li> <li> Action: Block at perimeter; isolate any host with confirmed connection; initiate forensic triage. </li> </ul> <ol start="2"> <li> BumbleBee Loader Delivery ( T1059.003 , T1105 , T1218.011 ) </li> </ol> <ul> <li> Hunt Hypothesis: Initial access via ISO/VHD container files delivering BumbleBee DLL via legitimate signed binary sideloading. </li> <li> Detection: Monitor for mshta.exe execution with network callbacks (T1218.011). Alert on ISO/VHD mount events followed by DLL execution from mounted volume. Watch for powershell.exe spawning from unusual parent processes. </li> <li> Action: Block ISO/VHD attachments at email gateway; alert on DLL sideloading from removable/mounted volumes. </li> </ul> <ol start="3"> <li> LiteLLM MCP Exploitation ( T1190 , T1059.004 , T1078 ) </li> </ol> <ul> <li> Hunt Hypothesis: Adversary with low-privilege API key exploiting MCP test endpoints for RCE on AI gateway hosts. </li> <li> Detection: Monitor HTTP POST requests to /mcp-rest/test/connection and /mcp-rest/test/tools/list endpoints. Alert on command execution (shell spawning) from LiteLLM process. Audit API key usage for keys accessing MCP endpoints that shouldn't have that privilege. </li> <li> Action: Patch to 1.83.7+. Disable MCP test endpoints in production. Revoke unnecessary API keys. </li> </ul> <ol start="4"> <li> Fox Kitten Dormant Access Indicators ( T1133 , T1505.003 , T1078 ) </li> </ol> <ul> <li> Hunt Hypothesis: Pre-positioned webshells or VPN credential compromise from Pioneer Kitten/UNC757 activating during retaliation window. </li> <li> Detection: Search for known Fox Kitten webshell filenames: ASPXSPY, TUNNA, REGEORG. Hunt for Farsi-named files in web-accessible directories (kharpedar, nanash, arbab). Audit Fortinet/Citrix/Ivanti VPN logs for anomalous authentication from Iranian IP ranges. </li> <li> Action: Full webshell scan of internet-facing servers; VPN credential rotation for high-privilege accounts. </li> </ul> <ol start="5"> <li> MuddyWater Preparation Indicators ( T1566.001 , T1566.002 , T1059.001 ) </li> </ol> <ul> <li> Hunt Hypothesis: MuddyWater (MOIS) preparing phishing campaign using Microsoft Power Automate or Teams-based social engineering. </li> <li> Detection: Monitor for suspicious Power Automate flow creation by non-standard users. Alert on Teams messages containing links to transfer[.]sh or similar file-sharing services. Watch for mshta.exe executing HTA files (e.g., ukraine2023[.]hta pattern). </li> <li> Action: Restrict Power Automate flow creation to approved users; block known MuddyWater delivery domains. </li> </ul> <h3> ATT&CK Technique Coverage Matrix </h3> <table> <thead> <tr> <th> Technique ID </th> <th> Technique Name </th> <th> Actor Association </th> <th> Detection Layer </th> </tr> </thead> <tbody> <tr> <td> T1071.001 </td> <td> Application Layer Protocol: Web </td> <td> CLU-046 (Cobalt Strike) </td> <td> Network/Proxy </td> </tr> <tr> <td> T1572 </td> <td> Protocol Tunneling </td> <td> Cobalt Strike BEACON </td> <td> Network/EDR </td> </tr> <tr> <td> T1059.003 </td> <td> Command Interpreter: Windows CMD </td> <td> BumbleBee </td> <td> EDR/Sysmon </td> </tr> <tr> <td> T1059.004 </td> <td> Command Interpreter: Unix Shell </td> <td> CVE-2026-42271 </td> <td> Host/Application </td> </tr> <tr> <td> T1105 </td> <td> Ingress Tool Transfer </td> <td> Cobalt Strike stager </td> <td> Network/EDR </td> </tr> <tr> <td> T1190 </td> <td> Exploit Public-Facing Application </td> <td> CVE-2026-42271, RTU500, NAVTOR </td> <td> WAF/IDS </td> </tr> <tr> <td> T1486 </td> <td> Data Encrypted for Impact </td> <td> LockBit </td> <td> EDR/Backup monitoring </td> </tr> <tr> <td> T1133 </td> <td> External Remote Services </td> <td> Fox Kitten (VPN) </td> <td> VPN/Auth logs </td> </tr> <tr> <td> T1505.003 </td> <td> Server Software Component: Web Shell </td> <td> Fox Kitten </td> <td> File integrity/EDR </td> </tr> <tr> <td> T1218.011 </td> <td> Signed Binary Proxy Execution: Mshta </td> <td> MuddyWater/BumbleBee </td> <td> EDR/Sysmon </td> </tr> <tr> <td> T1566.001 </td> <td> Phishing: Spearphishing Attachment </td> <td> APT28/MuddyWater </td> <td> Email gateway </td> </tr> <tr> <td> T0826 </td> <td> Loss of Availability </td> <td> CyberAv3ngers (ICS) </td> <td> OT monitoring </td> </tr> </tbody> </table> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Primary threat: APT34/OilRig credential harvesting and data exfiltration; LockBit ransomware deployment via Iranian-hosted infrastructure. <ul> <li> Audit SWIFT and core banking system access logs for connections to ASN 213790/51396 IP ranges </li> <li> Enable conditional access policies blocking authentication from Iranian IP geolocation </li> <li> Review Magento 2 e-commerce platforms for CVE-2026-45247 (CVSS 9.8) — if running customer-facing payment portals on Magento, patch immediately </li> <li> Validate offline backup integrity for ransomware resilience; test restoration procedures this week </li> </ul> <h3> Energy </h3> Primary threat: CyberAv3ngers ICS targeting; RTU500 and ATG system exploitation; Iranian pre-positioning in SCADA networks. <ul> <li> Inventory all Hitachi Energy RTU500 deployments; validate firmware versions against ICSA-26-155-04 </li> <li> Segment RTU500 management interfaces from corporate IT networks — no internet exposure </li> <li> Implement CISA ATG hardening guidance: disable internet-facing management, change default credentials, restrict physical access </li> <li> Deploy OT-specific anomaly detection on Modbus/DNP3 protocols for substation communications </li> <li> Conduct tabletop exercise for scenario: simultaneous cyber disruption of grid SCADA during kinetic escalation </li> </ul> <h3> Healthcare </h3> Primary threat: APT28/LockBit ransomware targeting via Iranian infrastructure (healthcare explicitly tagged in IOC targeting metadata). <ul> <li> Healthcare is explicitly listed in the targeting tags for 192.253.248[.]169 (confidence 97) — block this IP immediately </li> <li> Ensure medical device network segments cannot reach Iranian ASN ranges </li> <li> Validate that EHR/EMR backup systems are air-gapped and tested for restoration </li> <li> Review VPN access for third-party medical equipment vendors — Fox Kitten targets exactly these supply chain connections </li> <li> Pre-position incident response retainers; confirm ransomware playbook includes patient safety protocols </li> </ul> <h3> Government </h3> Primary threat: UNC5855/AnonymousForJustice targeting government ministries; APT28 infrastructure targeting government sector; MuddyWater (MOIS) social engineering. <ul> <li> Government is explicitly tagged in targeting metadata for multiple IOCs in this cycle </li> <li> Implement phishing-resistant MFA (FIDO2) for all government email and VPN access — MuddyWater and APT42 specialize in credential theft </li> <li> Monitor for AnonymousForJustice-pattern attacks: defacement, data exfiltration for Telegram leaks, ICYALARM-style smishing </li> <li> Restrict Microsoft Teams external communication; monitor Power Automate for unauthorized flow creation </li> <li> Brief staff on social engineering TTPs: fake interview scenarios, urgent "security update" lures </li> </ul> <h3> Aviation & Logistics </h3> Primary threat: NAVTOR NavBox maritime exploitation; supply chain compromise via DIB contractor networks; Fox Kitten VPN targeting. <ul> <li> Audit all NAVTOR NavBox deployments for SOAP endpoint exposure; apply patches per ICSA-26-155-01 </li> <li> Restrict SOAP access to authenticated management networks only — no internet exposure </li> <li> For defense logistics contractors: conduct immediate webshell scan of internet-facing infrastructure </li> <li> Review CI/CD pipeline security — pin GitHub Actions to commit SHAs, audit for unauthorized workflow modifications </li> <li> Validate that vessel navigation systems are segmented from corporate IT and cannot be reached via compromised shore-side infrastructure </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC </td> <td> Block Iranian C2 IPs at perimeter and EDR: 217.60.241[.]14, 217.60.241[.]17, 217.60.241[.]39, 192.253.248[.]169, 192.253.248[.]180, 77.90.185[.]253, 185.93.89[.]147, 87.107.191[.]39, 5.61.30[.]19, 171.22.27[.]16, 213.177.179[.]189 </td> </tr> <tr> <td> 2 </td> <td> DevOps </td> <td> Patch LiteLLM to 1.83.7+ (CVE-2026-42271). Disable MCP test endpoints. Revoke low-privilege API keys with MCP access </td> </tr> <tr> <td> 3 </td> <td> SOC </td> <td> Deploy BumbleBee detection: alert on ISO/VHD mount → DLL execution chains; mshta.exe with network callbacks </td> </tr> <tr> <td> 4 </td> <td> Executive </td> <td> Authorize emergency threat hunt for Fox Kitten dormant access in VPN/edge infrastructure (31 days without visibility) </td> </tr> <tr> <td> 5 </td> <td> IR </td> <td> Validate incident response retainer activation procedures; confirm 4-hour SLA with IR provider given retaliation window </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> OT Security </td> <td> Review Hitachi Energy RTU500 firmware; segment management interfaces; validate no internet exposure </td> </tr> <tr> <td> 2 </td> <td> Maritime/OT </td> <td> Audit NAVTOR NavBox SOAP endpoints; apply ICSA-26-155-01 patches; restrict to management networks </td> </tr> <tr> <td> 3 </td> <td> SOC </td> <td> Implement MuddyWater detection: Power Automate flow monitoring, Teams external link alerting, HTA execution chains </td> </tr> <tr> <td> 4 </td> <td> IT Ops </td> <td> Verify SolarWinds Serv-U patched against CVE-2026-28318; audit for webshell artifacts on Serv-U hosts </td> </tr> <tr> <td> 5 </td> <td> Security Engineering </td> <td> Deploy ASN-level blocking for ASN 213790 and ASN 51396 at network edge (entire ranges, not just known IOCs) </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> CISO </td> <td> Commission proactive threat hunt across DIB contractor networks for Fox Kitten artifacts: webshells (ASPXSPY, TUNNA, REGEORG), Farsi-named files, Fortinet/Citrix/Ivanti VPN anomalies </td> </tr> <tr> <td> 2 </td> <td> OT Security </td> <td> Implement CISA ATG hardening guidance across all Automatic Tank Gauge systems; eliminate internet-facing management interfaces </td> </tr> <tr> <td> 3 </td> <td> Security Architecture </td> <td> Audit all AI/ML infrastructure (LiteLLM, Langflow, MCP-enabled agents) for attack surface; implement zero-trust segmentation for AI gateway hosts </td> </tr> <tr> <td> 4 </td> <td> Executive </td> <td> Conduct tabletop exercise: simultaneous ransomware + ICS disruption scenario during geopolitical escalation </td> </tr> <tr> <td> 5 </td> <td> CISO </td> <td> Evaluate ASN-level threat intelligence integration — automate blocking of Iranian hosting ASNs associated with state-sponsored operations </td> </tr> </tbody> </table> <h2> IOC Blocking Table </h2> The following IOCs are confirmed from intelligence collection and should be actioned immediately: <h3> Network Indicators (Block at Perimeter) </h3> <table> <thead> <tr> <th> IP Address </th> <th> ASN </th> <th> Association </th> <th> Confidence </th> </tr> </thead> <tbody> <tr> <td> 217.60.241[.]17 </td> <td> 51396 (Pfcloud UG, Tehran) </td> <td> Cobalt Strike BEACON </td> <td> 80 </td> </tr> <tr> <td> 217.60.241[.]14 </td> <td> 51396 (Pfcloud UG, Tehran) </td> <td> Tofsee C2 </td> <td> 93 </td> </tr> <tr> <td> 217.60.241[.]39 </td> <td> 51396 (Pfcloud UG, Tehran) </td> <td> Tofsee C2 </td> <td> 90 </td> </tr> <tr> <td> 192.253.248[.]169 </td> <td> 213790 (Limited Network, Tehran) </td> <td> APT28/LockBit </td> <td> 97 </td> </tr> <tr> <td> 192.253.248[.]180 </td> <td> 213790 (Limited Network, Tehran) </td> <td> APT28 </td> <td> 91 </td> </tr> <tr> <td> 77.90.185[.]253 </td> <td> 213790 (Limited Network, Tehran) </td> <td> Pinchy Spider </td> <td> 91 </td> </tr> <tr> <td> 185.93.89[.]147 </td> <td> 213790 (Limited Network, Tehran) </td> <td> APT28/Mirage RAT </td> <td> 91 </td> </tr> <tr> <td> 87.107.191[.]39 </td> <td> — </td> <td> Iranian infrastructure </td> <td> — </td> </tr> <tr> <td> 5.61.30[.]19 </td> <td> — </td> <td> Iranian infrastructure </td> <td> — </td> </tr> <tr> <td> 171.22.27[.]16 </td> <td> — </td> <td> Iranian infrastructure </td> <td> — </td> </tr> <tr> <td> 213.177.179[.]189 </td> <td> — </td> <td> Iranian infrastructure </td> <td> — </td> </tr> </tbody> </table> <h3> File Hashes </h3> SHA-256 file hashes associated with this threat cluster are available via Anomali ThreatStream Next-Gen. The hashes in the source intelligence could not be independently verified against named malware families for this publication cycle and have been withheld to avoid actioning unverified indicators. Analysts should query ThreatStream Next-Gen. for the latest verified hash IOCs associated with ASN 51396, ASN 213790, MuddyWater, and CyberAv3ngers campaigns. <h3> Malicious URLs (Block at Proxy/DNS) </h3> <table> <thead> <tr> <th> URL </th> <th> Context </th> </tr> </thead> <tbody> <tr> <td> http://www.akhtaredanesh[.]com/d/file/sym/work.php </td> <td> Iranian C2 endpoint </td> </tr> <tr> <td> http://www.akhtaredanesh[.]com/d/oschool/power.php </td> <td> Iranian C2 endpoint </td> </tr> <tr> <td> transfer[.]sh </td> <td> MuddyWater file staging </td> </tr> </tbody> </table> Additional IOCs available via Anomali ThreatStream Next-Gen and partner feeds. <h2> Bottom Line </h2> The Iranian cyber apparatus is not standing down. Infrastructure is being refreshed, criminal partnerships are deepening, and the operational authorization signal — "resumption of hostilities" — was issued 24 hours ago. The silence from MuddyWater and CyberAv3ngers is not reassurance; it is the sound of preparation. CISOs should treat the next 72 hours as an elevated readiness period. The three decisions that matter most right now: <ol> <li> Patch LiteLLM immediately — active exploitation of AI infrastructure is confirmed and represents a new category of attack surface most organizations haven't hardened. </li> <li> Authorize the Fox Kitten hunt — 31 days without visibility into dormant DIB access during a declared retaliation window is an unacceptable risk posture. </li> <li> Block the Iranian C2 cluster — 11 IPs across two Tehran ASNs, refreshed within the last 24 hours, carrying explicit retaliation-window tagging. This is not ambiguous. </li> </ol> The convergence of state-sponsored APTs, criminal ransomware operators, and hacktivist personas on shared Iranian infrastructure — all activated during a declared hostilities window — represents the most dangerous configuration of this conflict's cyber dimension to date. Act now. Anomali CTI Desk | 2026-06-09 | TLP:GREEN This intelligence is derived from Anomali ThreatStream Next-Gen. CISA advisories, and partner feeds. Organizations are encouraged to operationalize the IOCs and detection guidance provided above.

FEATURED RESOURCES

June 9, 2026

Anomali Cyber Watch