Iran's Cyber Arsenal Is Reloading: What CISOs Must Know About the Post-Decapitation Threat Window

Anomali Threat Research

Published on

May 22, 2026

Table of Contents

Threat Assessment Level: HIGH Eighty-three days into the US-Iran conflict, Iranian state cyber infrastructure is actively refreshing while offensive operations remain conspicuously paused. This is not de-escalation — it is reloading. The killing of Iran's supreme leader in April 2026 airstrikes disrupted the Islamic Republic's command-and-control apparatus, but IRGC and MOIS-affiliated cyber units are demonstrably reconstituting. Fresh command-and-control infrastructure went live this week on the same Iranian autonomous system that hosts both Russian APT28 and ransomware operators. CISA simultaneously confirmed critical vulnerabilities in industrial control systems already in Iranian targeting doctrine. The convergence of refreshed attack infrastructure, confirmed ICS vulnerabilities, and a 43-day intelligence gap in defense-industrial base monitoring creates a threat picture that demands immediate executive attention. Historical precedent is clear: after the Soleimani assassination in 2020, Iran's first attributed cyber retaliation came within three weeks. We are now well within that window. <h2> What Changed </h2> <table> <thead> <tr> <th> Development </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> ASN 213790 infrastructure refreshed (May 16–20) with new C2 IPs tagged to APT28 and Cactus ransomware </td> <td> Russia-Iran shared cyber infrastructure remains active; ransomware-state nexus confirmed </td> </tr> <tr> <td> CISA confirms ScadaBR unauthenticated RCE (ICSA-26-139-03, May 19) </td> <td> Open-source SCADA platform used in water/energy now has confirmed unauth remote code execution — directly in Iranian proxy targeting doctrine </td> </tr> <tr> <td> Siemens RUGGEDCOM/PAN-OS buffer overflow advisory (ICSA-26-139-02, May 19) </td> <td> OT-edge network devices vulnerable to auth bypass — expands ICS attack surface </td> </tr> <tr> <td> Remcos RAT C2 active on Iranian academic infrastructure (May 22) </td> <td> New C2 node at Iranian Research Organization for Science & Technology — possible domestic surveillance or outsourced operations staging </td> </tr> <tr> <td> Cobalt Strike beacon on Arvan Cloud (Iran's largest cloud provider) </td> <td> Active since December 2025 — long-dwell infrastructure suggesting persistent access operations </td> </tr> <tr> <td> APT42/Charming Kitten refreshes BELLACIAO/SHELLAFEL campaign (May 19–20) </td> <td> IRGC-IO espionage operations updated across energy, government, healthcare, manufacturing, chemical, and construction sectors </td> </tr> <tr> <td> Iranian IO apparatus (Handala, Cyber Toufan) remains silent </td> <td> Post-decapitation pause in psychological operations — likely reconstitution, not cessation </td> </tr> <tr> <td> DIB pre-positioning intelligence gap reaches 43 days </td> <td> Longest period without visibility into Iranian dormant access in defense contractor networks </td> </tr> </tbody> </table> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Impact </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> US-Iran conflict begins </td> <td> Cyber operations integrated with kinetic warfare </td> </tr> <tr> <td> 11 Mar 2026 </td> <td> Handala/Void Manticore deploys Stryker wiper </td> <td> 200,000+ endpoints destroyed — largest destructive cyber attack of the conflict </td> </tr> <tr> <td> ~Apr 2026 </td> <td> US airstrikes kill Iran's supreme leader </td> <td> Command disruption across IRGC/MOIS cyber units; retaliation clock starts </td> </tr> <tr> <td> 17 Apr 2026 </td> <td> Ababil of Minab critical infrastructure attacks reported </td> <td> Proxy group continues ICS/OT targeting despite leadership disruption </td> </tr> <tr> <td> 18 Apr 2026 </td> <td> OSINT: "Iran cyber retaliation risk rises" </td> <td> Analysts assess elevated probability of retaliatory cyber operations </td> </tr> <tr> <td> 30 Apr 2026 </td> <td> Handala leaks US Marines PII; WhatsApp psyops to deployed personnel </td> <td> Deliberate escalation to military-targeted psychological operations </td> </tr> <tr> <td> 19–20 May 2026 </td> <td> APT42/Charming Kitten refreshes BELLACIAO/SHELLAFEL campaign </td> <td> Espionage operations across energy, government, healthcare, manufacturing, chemical, construction </td> </tr> <tr> <td> 16–20 May 2026 </td> <td> ASN 213790 infrastructure refreshed (APT28 + Cactus) </td> <td> Russia-Iran shared C2 platform actively maintained </td> </tr> <tr> <td> 19 May 2026 </td> <td> CISA publishes ScadaBR RCE and RUGGEDCOM advisories </td> <td> Confirmed attack surface in ICS environments targeted by Iranian proxies </td> </tr> <tr> <td> 20–21 May 2026 </td> <td> 9 new vulnerabilities added to CISA KEV catalog </td> <td> Expanded exploitation landscape </td> </tr> <tr> <td> 22 May 2026 </td> <td> Remcos RAT C2 confirmed on Iranian academic infrastructure </td> <td> New staging infrastructure identified </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> Russia-Iran Shared Infrastructure: The ASN 213790 "Cyber Arms Bazaar" </h3> ASN 213790 ("Limited Network," Tehran) has become a bellwether for cross-national cyber cooperation. This week, IPs on this network were confirmed active with high-confidence tagging: <ul> <li> IPs tagged to APT28 (Russia's GRU Unit 26165) with ATT&CK techniques T1059 , T1071 , T1569.002 , and T1571 </li> <li> IPs tagged to Cactus ransomware targeting healthcare, manufacturing, and technology sectors </li> </ul> This dual-use pattern — state APT and ransomware on shared infrastructure — mirrors the documented behavior of Pioneer Kitten (Fox Kitten/UNC757), an IRGC-affiliated group known to sell state-acquired network access to ransomware operators. The implication: Iranian state actors may be monetizing access while maintaining strategic positioning, or Russian and Iranian operators are sharing hosting in a mutual support arrangement validated by multiple OSINT sources reporting active Russia-Iran cyber cooperation. <h3> ICS/OT Vulnerability Convergence </h3> Three CISA advisories published May 19 create an expanded attack surface directly relevant to Iranian targeting: <ul> <li> ScadaBR unauthenticated RCE (ICSA-26-139-03): Open-source SCADA platform used in water treatment and energy — the exact sectors targeted by Cyber Av3ngers and Ababil of Minab </li> <li> Siemens RUGGEDCOM APE1808 / PAN-OS buffer overflow (ICSA-26-139-02): Industrial network devices with authentication portal vulnerability </li> <li> ABB B&R and Hitachi Energy GMS600 advisories: Additional OT platform vulnerabilities </li> </ul> Iranian proxy groups have demonstrated both intent and capability to exploit ICS vulnerabilities. Cyber Av3ngers compromised US water systems in late 2023 using default credentials on Unitronics PLCs. The ScadaBR RCE requires no authentication at all — a lower bar than previous attacks. <h3> The Silence That Speaks: Post-Decapitation Operational Pause </h3> Three significant absences demand attention: <ul> <li> APT42/Charming Kitten — Updated in threat intelligence platforms May 21 but no new phishing infrastructure or credential harvesting campaigns detected. The IRGC Intelligence Organization (IRGC-IO) unit may be reorganizing under new command authority. </li> </ul> <ul> <li> Handala/Cyber Toufan IO operations — Last activity was the Marines PII leak and WhatsApp psyops on April 30. Twenty-two days of silence from groups that were operating at high tempo suggests disruption, not retirement. </li> </ul> <ul> <li> Wiper deployments — No new destructive malware since the Stryker wiper campaign. Given that wipers are Iran's signature retaliatory tool (Shamoon, ZeroCleare, BiBiWiper, Stryker), this conservation of destructive capability during an active reloading phase is ominous. </li> </ul> <h3> Pioneer Kitten: 43 Days in the Dark </h3> The longest-running intelligence gap concerns Iranian pre-positioning in defense-industrial base (DIB) contractor networks. Pioneer Kitten's documented tradecraft includes maintaining dormant access in aerospace and defense contractors, staging tools via GitHub repositories, and selling access to ransomware groups when not conducting state-directed operations. Forty-three days without detection could mean: <ul> <li> Mission complete: access already established, operators in holding pattern </li> <li> Collection failure: insufficient visibility into contractor environments </li> <li> Genuine pause: kinetic operations taking priority over cyber pre-positioning </li> </ul> Any of these scenarios warrants immediate action. <h2> Predictive Analysis </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Iranian retaliatory cyber operation (any type) </td> <td> 70% </td> <td> Within 30 days </td> <td> Historical precedent (Soleimani: ~3 weeks), active infrastructure refresh, IO pause suggesting capability conservation </td> </tr> <tr> <td> Renewed IO/psyops campaign targeting military personnel </td> <td> 60% </td> <td> Within 14 days </td> <td> Handala demonstrated capability (Marines PII), IO pause likely temporary reconstitution </td> </tr> <tr> <td> ICS/OT disruption via proxy groups (Cyber Av3ngers, Ababil of Minab) </td> <td> 55% </td> <td> Within 30 days </td> <td> Confirmed ScadaBR RCE, documented proxy targeting of water/energy, low technical barrier </td> </tr> <tr> <td> Wiper deployment against Western targets </td> <td> 40% </td> <td> Within 45 days </td> <td> Absence of wiper activity during reloading phase, Stryker precedent, retaliatory doctrine </td> </tr> <tr> <td> Ransomware surge via Pioneer Kitten access brokering </td> <td> 50% </td> <td> Within 30 days </td> <td> ASN 213790 Cactus tagging, Pioneer Kitten's documented monetization model, 43-day silence </td> </tr> <tr> <td> DIB contractor compromise disclosure </td> <td> 35% </td> <td> Within 60 days </td> <td> 43-day gap may indicate undetected access; disclosure would follow operational use </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Priority Detection Rules </h3> <table> <thead> <tr> <th> ATT&CK Technique </th> <th> Detection Focus </th> <th> Hunting Hypothesis </th> </tr> </thead> <tbody> <tr> <td> T1071 (Application Layer Protocol) </td> <td> Monitor for C2 beaconing to ASN 213790 (185.93.89.0/24) </td> <td> "If any internal host communicates with ASN 213790 IPs, it is likely compromised by APT28 or Iranian-affiliated operators" </td> </tr> <tr> <td> T1059 (Command & Scripting Interpreter) </td> <td> PowerShell/cmd execution following connections to known Iranian infrastructure </td> <td> "Execution of encoded PowerShell within 60 seconds of connection to Iranian ASN ranges indicates active C2" </td> </tr> <tr> <td> T1219 (Remote Access Software) </td> <td> Remcos RAT traffic on non-standard port 43155 to 62.60.226[.]42 </td> <td> "Any connection to Iranian Research Organization IP space on high ports suggests Remcos C2" </td> </tr> <tr> <td> T1573.002 (Encrypted Channel) </td> <td> HTTPS beaconing to Arvan Cloud (ASN 202468) with Cobalt Strike JA3/JA4 signatures </td> <td> "Cobalt Strike over HTTPS to Iranian cloud providers indicates long-dwell access operations" </td> </tr> <tr> <td> T1190 (Exploit Public-Facing App) </td> <td> ScadaBR instances receiving unauthenticated requests from external IPs </td> <td> "Any external connection to ScadaBR management interfaces is a potential exploitation attempt" </td> </tr> <tr> <td> T1569.002 (Service Execution) </td> <td> New Windows service creation following C2 communication </td> <td> "Service installation correlated with ASN 213790 traffic indicates lateral movement" </td> </tr> <tr> <td> T0855 (ICS: Unauthorized Command Message) </td> <td> Anomalous SCADA commands to PLCs/RTUs from non-engineering workstations </td> <td> "SCADA commands from IT network segments or unknown sources indicate OT compromise" </td> </tr> </tbody> </table> <h3> Immediate Hunting Priorities </h3> <ul> <li> Hunt for ASN 213790 communications : Query 90 days of proxy, firewall, and DNS logs for any connection to 185.93.89.0/24. Any hit is HIGH priority. </li> </ul> <ul> <li> Hunt for Remcos indicators : Search for connections to 62.60.226[.]42 on any port, particularly 43155. Check for Remcos behavioral signatures (registry persistence, scheduled tasks with encoded payloads). </li> </ul> <ul> <li> Hunt for Cobalt Strike to Arvan Cloud : Search for HTTPS beaconing patterns to 188.121.123[.]185 or broader ASN 202468 ranges. Look for regular interval callbacks (jitter patterns) characteristic of CS beacons. </li> </ul> <ul> <li> ScadaBR exposure audit : Identify all ScadaBR instances. Verify none are internet-exposed. Check for evidence of unauthenticated access attempts. </li> </ul> <ul> <li> Pioneer Kitten dormant access indicators : Audit GitHub repositories associated with contractor development environments for anomalous commits, new SSH keys, or unexpected CI/CD pipeline modifications. </li> </ul> <h3> Blocklist Updates </h3> Block the following at all perimeter firewalls, proxy servers, and EDR platforms: <table> <thead> <tr> <th> IOC </th> <th> Type </th> <th> Context </th> </tr> </thead> <tbody> <tr> <td> 185.93.89[.]79 </td> <td> IPv4 </td> <td> ASN 213790, Cactus ransomware/APT infrastructure </td> </tr> <tr> <td> 185.93.89[.]43 </td> <td> IPv4 </td> <td> ASN 213790, Cactus ransomware/APT infrastructure </td> </tr> <tr> <td> 62.60.226[.]42 </td> <td> IPv4 </td> <td> Remcos RAT C2, port 43155 </td> </tr> <tr> <td> 188.121.123[.]185 </td> <td> IPv4 </td> <td> Cobalt Strike beacon, Arvan Cloud </td> </tr> <tr> <td> 84.241.8[.]23 </td> <td> IPv4 </td> <td> Iranian infrastructure, APT-associated </td> </tr> <tr> <td> 94.183.168[.]33 </td> <td> IPv4 </td> <td> Iranian infrastructure, APT-associated </td> </tr> </tbody> </table> Additional IOCs — including indicators associated with APT28 activity on ASN 213790 — are available via Anomali ThreatStream. <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Primary threat : Ransomware via Pioneer Kitten access brokering; Cactus ransomware operators on shared Iranian infrastructure. <ul> <li> Audit third-party vendor connections for any communication with ASN 213790 ranges </li> <li> Review SWIFT/payment system network segmentation — ensure no path from internet-facing systems to transaction networks </li> <li> Validate that anti-ransomware controls (immutable backups, canary files, behavioral detection) are tested against Cactus TTPs </li> <li> Monitor for credential harvesting campaigns from APT42 targeting finance sector employees (spear-phishing with credential portals) </li> </ul> <h3> Energy </h3> Primary threat : ICS/OT disruption via ScadaBR exploitation or proxy group attacks (Cyber Av3ngers, Ababil of Minab). <ul> <li> Immediate : Inventory all ScadaBR deployments; isolate from internet; apply access controls pending patch </li> <li> Verify OT network segmentation — ensure RUGGEDCOM devices are not reachable from IT networks without explicit firewall rules </li> <li> Review Hitachi Energy GMS600 and ABB B&R device firmware versions against CISA advisories </li> <li> Conduct tabletop exercise for scenario: "Iranian proxy group achieves unauthenticated access to SCADA platform during peak demand" </li> <li> Monitor for reconnaissance scanning of OT protocols (Modbus, DNP3, IEC 104) from Iranian IP ranges </li> </ul> <h3> Healthcare </h3> Primary threat : Cactus ransomware (ASN 213790 IPs explicitly tagged for healthcare targeting); APT42 espionage targeting medical research. <ul> <li> Block ASN 213790 ranges at perimeter — healthcare is explicitly listed in threat tagging </li> <li> Ensure medical device networks are segmented from general IT infrastructure </li> <li> Validate backup integrity for electronic health records and clinical systems </li> <li> Monitor for Remcos RAT indicators — healthcare organizations are common targets for commodity RAT campaigns staged from academic infrastructure </li> <li> Review vendor remote access (VPN, RDP) for connections to Iranian IP space </li> </ul> <h3> Government </h3> Primary threat : APT42/Charming Kitten espionage (BELLACIAO/SHELLAFEL); APT28 operations from shared Iranian infrastructure; psychological operations targeting personnel. <ul> <li> Brief personnel on spear-phishing campaigns using credential harvesting portals — APT42's primary initial access vector </li> <li> Audit OAuth application permissions in M365/Google Workspace for unauthorized grants </li> <li> Monitor for BELLACIAO webshell indicators on IIS/Exchange servers (hardcoded DNS-based C2 pattern) </li> <li> Implement anti-spoofing controls for WhatsApp/Signal — Handala demonstrated capability to message military personnel directly </li> <li> Review cleared personnel PII exposure following Handala's Marines data leak </li> </ul> <h3> Aviation & Logistics </h3> Primary threat : Pioneer Kitten pre-positioning in aerospace/DIB supply chain; APT33/Refined Kitten historical targeting of aviation. <ul> <li> Audit GitHub repositories and CI/CD pipelines for anomalous activity (new SSH keys, unexpected workflow modifications) </li> <li> Review VPN and remote access logs for connections from Iranian IP ranges (particularly ASN 44208, 202468, 213790) </li> <li> Conduct access review for contractor accounts — Pioneer Kitten exploits trusted third-party relationships </li> <li> Verify that air-gapped development environments for sensitive programs remain isolated </li> <li> Monitor for dormant scheduled tasks or services that could indicate pre-positioned access awaiting activation </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC </td> <td> Block ASN 213790 IP ranges (185.93.89.0/24) at all perimeter firewalls and proxy servers — confirmed APT28 and Cactus ransomware C2 </td> </tr> <tr> <td> 2 </td> <td> SOC </td> <td> Add Remcos C2 indicator 62.60.226[.]42:43155 to blocklist; hunt 90 days of historical logs for any connection </td> </tr> <tr> <td> 3 </td> <td> IT Ops / OT </td> <td> Verify ALL ScadaBR instances are isolated from internet — CISA confirms unauthenticated RCE (ICSA-26-139-03). If internet-exposed, disconnect immediately </td> </tr> <tr> <td> 4 </td> <td> SOC </td> <td> Deploy detection for Cobalt Strike beaconing to Arvan Cloud (ASN 202468), specifically 188.121.123[.]185:443 </td> </tr> <tr> <td> 5 </td> <td> IR Team </td> <td> Validate offline backup integrity for critical systems — wiper deployment probability elevated during retaliation window </td> </tr> </tbody> </table> <h3> 7-DAY Actions </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 6 </td> <td> IT Ops </td> <td> Patch Siemens RUGGEDCOM APE1808 devices per ICSA-26-139-02; apply PAN-OS Captive Portal mitigations </td> </tr> <tr> <td> 7 </td> <td> CISO </td> <td> Commission proactive threat hunt on DIB contractor networks and associated GitHub repositories for dormant Iranian pre-positioning (43-day intelligence gap) </td> </tr> <tr> <td> 8 </td> <td> SOC </td> <td> Develop correlation rule: any IOC on ASN 213790 carrying both APT and ransomware tags → auto-escalate to Tier 3 </td> </tr> <tr> <td> 9 </td> <td> HR / Security </td> <td> Brief personnel with access to classified programs on Pioneer Kitten social engineering and credential harvesting TTPs </td> </tr> <tr> <td> 10 </td> <td> IT Ops </td> <td> Audit all OT-adjacent network devices (RUGGEDCOM, ABB B&R, Hitachi GMS600) against May 2026 CISA ICS advisories </td> </tr> </tbody> </table> <h3> 30-DAY Actions </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 11 </td> <td> CISO </td> <td> Develop Iran-specific incident response playbook covering: wiper deployment, ICS manipulation, ransomware via state-brokered access, and personnel-targeted IO </td> </tr> <tr> <td> 12 </td> <td> CISO </td> <td> Establish intelligence-sharing relationship with sector ISAC for Iran conflict indicators — current 43-day DIB gap may be addressable through peer visibility </td> </tr> <tr> <td> 13 </td> <td> SOC </td> <td> Build detection for Pioneer Kitten → ransomware handoff pattern: initial access via VPN/firewall exploitation, followed by access sale indicators (new admin accounts, RMM tool installation) </td> </tr> <tr> <td> 14 </td> <td> Executive </td> <td> Conduct board-level tabletop exercise: "Iranian retaliatory cyber attack disrupts operations during active military conflict" — test decision-making under dual kinetic/cyber pressure </td> </tr> <tr> <td> 15 </td> <td> IT Ops </td> <td> Implement network-level blocking for all Iranian ASN ranges not required for business operations (ASN 213790, 44208, 202468 as priority) </td> </tr> </tbody> </table> <h2> The Bottom Line </h2> We are in the most dangerous phase of the Iran conflict's cyber dimension. The pattern is unmistakable: infrastructure refreshing, capabilities conserved, IO apparatus reconstituting, and a 43-day blind spot in defense contractor monitoring. Iran's historical playbook — demonstrated after Soleimani, after Stuxnet, after every major escalation — is to absorb the blow, reorganize, and retaliate asymmetrically through cyber operations. The absence of attacks right now is not safety. It is the inhalation before the strike. Three actions will determine whether your organization weathers the next 30 days: <ul> <li> Block the infrastructure now. ASN 213790 is confirmed hostile. Every hour it remains unblocked is an hour of unnecessary exposure to both state espionage and ransomware. </li> </ul> <ul> <li> Find your ScadaBR. If you operate any ICS/SCADA environment, confirm today — not next week — that ScadaBR instances cannot be reached from the internet. CISA confirmed the vulnerability. Iranian proxies have demonstrated the intent. </li> </ul> <ul> <li> Hunt for what you can't see. Forty-three days without visibility into DIB pre-positioning is not acceptable during an active conflict. If you lack the internal capability, engage external threat hunters immediately. The access may already be established — the question is whether you find it before it's used. </li> </ul> The retaliation window is open. Your preparation window is closing. Published 2026-05-22 by the Anomali CTI Desk. Intelligence derived from Anomali ThreatStream, CISA advisories, and curated OSINT sources. IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds for automated ingestion.

FEATURED RESOURCES

May 22, 2026

Anomali Cyber Watch