Iran's Cyber Forces Are Converging: FortiBleed, Cisco KEV, and the Access-to-Destruction Pipeline

Anomali Threat Research

Published on

June 19, 2026

Table of Contents

Threat Assessment Level: ELEVATED (trending HIGH) The Iran-Israel conflict is now in its 112th day. On the cyber front, something structural has changed: Iran's state-affiliated cyber actors are no longer operating as discrete units with separate missions. IRGC and MOIS-affiliated operators are sharing tooling, sharing infrastructure, and collapsing the time between gaining access and executing destruction. This week, two simultaneous perimeter-access events — a mass Fortinet credential exposure and active exploitation of a Cisco vulnerability — have opened windows that Iranian operators are uniquely positioned to exploit. If your organization runs Fortinet or Cisco SD-WAN at the perimeter, this is your 24-hour action window. <h2> What Changed </h2> The past 72 hours introduced five developments that shift the defensive calculus: <ol> <li> FortiBleed — Mass Fortinet Credential Exposure. CISA issued an urgent advisory on 2026-06-18 warning that leaked Fortinet device credentials are being exploited globally across government and private sector networks. This is not a vulnerability — it's a credential dump. Patching doesn't fix it. Only credential rotation does. </li> <li> CVE-2026-20253 Added to CISA KEV. A Cisco product vulnerability is now confirmed actively exploited in the wild and added to the Known Exploited Vulnerabilities catalog. Organizations running Cisco SD-WAN Manager are directly exposed. </li> <li> Pioneer Kitten + Handala Convergence Confirmed with Fresh IOCs. Seven new malware samples (SHA-256 hashes, confidence 80) are tagged simultaneously to Pioneer Kitten, Handala, Banished Kitten, Refined Kitten, and Helix Kitten — confirming that Iranian cyber units are operating a shared-tooling model spanning both IRGC and MOIS-affiliated actors. A single access broker can now hand off directly to a destructive operator with no intermediary. </li> <li> MuddyWater (MOIS) Blockchain C2 Evolution. MuddyWater's C2 node at 157.20.182[.]49 (Netherlands) is confirmed active following a 27-day operational silence, with intelligence indicating evolution toward blockchain-based command-and-control infrastructure that renders traditional domain seizure and IP sinkholing ineffective. </li> <li> ICS/OT Attack Surface Expanding Rapidly. Eleven ICS advisories across two days (five Rockwell on 2026-06-16; six mixed vendors on 2026-06-18) have expanded the operational technology attack surface across Schneider Electric, Mitsubishi, Rockwell, and AzeoTech platforms. Cyber Av3ngers updated their operational profile on 2026-06-16 amid this disclosure surge — a pattern consistent with capability acquisition. </li> </ol> Change from prior assessment: The previous cycle (2026-06-18) assessed the threat level as ELEVATED trending HIGH. Today's assessment maintains ELEVATED — the FortiBleed credential exposure and Cisco KEV listing represent two simultaneous perimeter-access events affecting core defensive infrastructure, but no confirmed Iranian exploitation of these specific vectors has been attributed yet. The trend toward HIGH remains active pending attribution confirmation. <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 2026-02-28 </td> <td> Iran-Israel conflict begins </td> <td> Day 0 — cyber operations authorized </td> </tr> <tr> <td> 2026-05-XX </td> <td> MuddyWater DLL side-loading campaign reported </td> <td> POWERSTATS backdoor evolution; India targeting </td> </tr> <tr> <td> 2026-06-16 </td> <td> Five Rockwell Automation ICS advisories published </td> <td> OT attack surface expansion; Cyber Av3ngers profile updated </td> </tr> <tr> <td> 2026-06-17 </td> <td> Pioneer Kitten / Handala tooling convergence confirmed </td> <td> Access-to-destruction pipeline established </td> </tr> <tr> <td> 2026-06-17 </td> <td> MuddyWater POWERSTATS refresh after 27-day silence </td> <td> Retooling complete; Gulf telecom targeting likely </td> </tr> <tr> <td> 2026-06-18 </td> <td> CISA FortiBleed advisory — mass credential exposure </td> <td> Perimeter access at scale without zero-days </td> </tr> <tr> <td> 2026-06-18 </td> <td> CVE-2026-20253 added to CISA KEV </td> <td> Active Cisco exploitation confirmed </td> </tr> <tr> <td> 2026-06-18 </td> <td> Six ICS/OT advisories (Schneider, Mitsubishi, Rockwell, AzeoTech, AVer) </td> <td> Sustained OT vulnerability disclosure velocity </td> </tr> <tr> <td> 2026-06-18 </td> <td> MuddyWater C2 node 157.20.182[.]49 confirmed active </td> <td> Netherlands-hosted infrastructure; blockchain C2 evolution </td> </tr> <tr> <td> 2026-06-19 </td> <td> Malicious domain yiranzai[.]top flagged (Kaspersky, conf 100) </td> <td> Malware distribution; "iran" in domain name — possible lure/false-flag </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> 1. FortiBleed: When Credentials Replace Zero-Days </h3> The FortiBleed event fundamentally changes the economics of initial access for Iranian operators. Pioneer Kitten (also tracked as UNC757, Parisite, Fox Kitten) has a documented playbook for exploiting Fortinet vulnerabilities — CVE-2024-21887 and FortiSandbox authentication bypasses are part of their standard toolkit. With mass credentials now available, they no longer need zero-days to breach Fortinet-protected networks. What this means operationally: An actor who previously needed to develop or purchase exploits can now simply authenticate. This lowers cost, increases speed, and enables simultaneous operations against dozens of targets. ATT&CK Techniques: <ul> <li> T1078.001 — Valid Accounts: Default Accounts </li> <li> T1133 — External Remote Services </li> <li> T1110.001 — Brute Force: Password Guessing </li> </ul> <h3> 2. CVE-2026-20253: Cisco SD-WAN Under Active Exploitation </h3> CISA's addition of CVE-2026-20253 to the KEV catalog confirms in-the-wild exploitation. Cisco SD-WAN Manager is prevalent across defense industrial base (DIB) networks and government infrastructure — exactly the target set that Iranian actors prioritize. ATT&CK Techniques: <ul> <li> T1190 — Exploit Public-Facing Application </li> </ul> <h3> 3. The Iranian Shared-Tooling Model </h3> The simultaneous tagging of malware samples to Pioneer Kitten, Handala, Banished Kitten, Refined Kitten (APT33), and Helix Kitten (APT34) is not an attribution error — it is evidence of a deliberate cross-organizational model. Notably, this convergence spans both IRGC-affiliated units (Pioneer Kitten, Handala, Banished Kitten) and actors more broadly associated with Iranian intelligence (Refined Kitten, Helix Kitten), suggesting that shared malware repositories are operating across organizational boundaries within Iran's cyber apparatus rather than being confined to a single command. Implications: <ul> <li> Attribution becomes harder (multiple actors use identical tooling) </li> <li> A single detection signature can disrupt multiple campaigns </li> <li> The access-to-destruction timeline compresses from weeks to hours </li> <li> Pioneer Kitten (access broker) can hand off directly to Handala (wiper operator) </li> </ul> <h3> 4. MuddyWater's Blockchain C2 Evolution </h3> MuddyWater (MOIS, also tracked as TEMP.Zagros, Static Kitten) has an active C2 node at 157.20.182[.]49 hosted in the Netherlands (ASN 152485, HOSTERDADDY). Intelligence references indicate evolution toward blockchain-based command-and-control infrastructure — a technique that renders traditional domain seizure and IP sinkholing ineffective. ATT&CK Techniques: <ul> <li> T1071.001 — Application Layer Protocol: Web Protocols </li> <li> T1573 — Encrypted Channel </li> <li> T1574.002 — DLL Side-Loading </li> <li> T1059.001 — PowerShell </li> </ul> <h3> 5. ICS/OT Attack Surface Expanding Faster Than Patching </h3> Eleven ICS advisories in two days (five Rockwell on 2026-06-16, six mixed vendors on 2026-06-18) have expanded the operational technology attack surface across Schneider Electric (Easergy, EcoStruxure, PowerLogic, Saitel), Mitsubishi (MELSEC iQ-F), Rockwell (FactoryTalk Historian), and AzeoTech (DAQFactory). Cyber Av3ngers — the IRGC-affiliated group that has previously targeted water and energy ICS — updated their operational profile on 2026-06-16 but has been operationally silent since. This silence during a period of expanded OT vulnerability disclosure is concerning and may indicate capability acquisition. <h2> Predictive Analysis </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> FortiBleed exploitation attributed to Pioneer Kitten </td> <td> 70% </td> <td> 7 days </td> <td> Documented Fortinet exploitation playbook; active operational tempo </td> </tr> <tr> <td> CVE-2026-20253 exploitation linked to Iranian pre-positioning in DIB networks </td> <td> 50% </td> <td> 14 days </td> <td> Cisco SD-WAN prevalence in DIB; Iranian DIB targeting history </td> </tr> <tr> <td> Cyber Av3ngers announce new ICS campaign leveraging Schneider/Mitsubishi disclosures </td> <td> 30% </td> <td> 21 days </td> <td> Advisory-as-reconnaissance pattern; actor profile refresh timing </td> </tr> <tr> <td> MuddyWater blockchain C2 renders traditional network blocking ineffective for at least one campaign </td> <td> 40% </td> <td> 30 days </td> <td> Active infrastructure development; Anomali blog confirmation </td> </tr> <tr> <td> Pioneer Kitten hands off FortiBleed access to Handala for destructive operation </td> <td> 25% </td> <td> 14 days </td> <td> Convergence confirmed but no specific targeting evidence yet </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Immediate Detection Priorities </h3> Hunt Hypothesis 1: FortiBleed Credential Abuse <ul> <li> Monitor for unauthorized administrative sessions on all Fortinet devices </li> <li> Alert on logins from unexpected geolocations or ASNs, especially outside business hours </li> <li> Hunt for T1078.001 (Valid Accounts) followed by T1133 (External Remote Services) in authentication logs </li> <li> Check for new VPN tunnels, admin account creation, or configuration exports in the last 7 days </li> </ul> Hunt Hypothesis 2: MuddyWater C2 Communication <ul> <li> Hunt for any historical or active connections to 157.20.182[.]49 across firewall, proxy, DNS, and EDR telemetry (last 30 days) </li> <li> Monitor for T1574.002 (DLL Side-Loading) — unusual DLL loads in non-standard paths </li> <li> Alert on T1059.001 (PowerShell) with encoded commands or web requests to unfamiliar Netherlands-hosted infrastructure </li> <li> Investigate any DNS resolution of yiranzai[.]top in the last 48 hours </li> </ul> Hunt Hypothesis 3: Pioneer Kitten/Handala Tooling <ul> <li> Retroactively scan all endpoints for the seven SHA-256 hashes (listed in IOC table below) across 90-day telemetry </li> <li> Monitor for T1486 (Data Encrypted for Impact) precursors: mass file enumeration, shadow copy deletion, service stops </li> <li> Alert on T1105 (Ingress Tool Transfer) from IP ranges in ASN 213790 or ASN 60631 (Tehran-based) </li> </ul> Hunt Hypothesis 4: Cisco SD-WAN Exploitation <ul> <li> Audit all Cisco SD-WAN Manager instances for indicators of CVE-2026-20253 exploitation </li> <li> Monitor for T1190 (Exploit Public-Facing Application) — unexpected process spawning from SD-WAN management services </li> <li> Check for unauthorized configuration changes or new user accounts on SD-WAN controllers </li> </ul> <h3> Detection Engineering Priorities </h3> <table> <thead> <tr> <th> ATT&CK Technique </th> <th> Detection Approach </th> <th> Data Source </th> </tr> </thead> <tbody> <tr> <td> T1078.001 </td> <td> Anomalous Fortinet admin logins (geo, time, frequency) </td> <td> Auth logs, SIEM </td> </tr> <tr> <td> T1133 </td> <td> New VPN sessions from unregistered devices </td> <td> VPN concentrator logs </td> </tr> <tr> <td> T1190 </td> <td> Exploit signatures for CVE-2026-20253 </td> <td> IDS/IPS, WAF </td> </tr> <tr> <td> T1574.002 </td> <td> DLL loads from writable directories (AppData, Temp, ProgramData) </td> <td> EDR, Sysmon Event 7 </td> </tr> <tr> <td> T1059.001 </td> <td> Encoded PowerShell with network callbacks </td> <td> EDR, Script Block Logging </td> </tr> <tr> <td> T1071.001 </td> <td> HTTP/S beaconing to low-reputation infrastructure </td> <td> Proxy logs, NDR </td> </tr> <tr> <td> T1486 </td> <td> Volume shadow copy deletion + mass file modification </td> <td> EDR, Windows Event 524 </td> </tr> <tr> <td> T1499 </td> <td> Unexpected CIP traffic patterns to Logix controllers </td> <td> OT network monitoring </td> </tr> </tbody> </table> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> <ul> <li> Primary risk: FortiBleed credential exposure on Fortinet-protected banking infrastructure; Pioneer Kitten has historically monetized access through ransomware partnerships </li> <li> Action: Emergency credential rotation on all Fortinet devices; audit for unauthorized SWIFT/payment system access; review DLP alerts for bulk data staging (T1005, T1074) </li> <li> Monitor: Anomalous after-hours VPN sessions; lateral movement toward financial application servers </li> </ul> <h3> Energy </h3> <ul> <li> Primary risk: ICS/OT attack surface expansion (Schneider Easergy/EcoStruxure/PowerLogic, Mitsubishi MELSEC, Rockwell FactoryTalk); Cyber Av3ngers capability acquisition </li> <li> Action: Validate segmentation between IT and OT networks; audit ICS patch status against ICSA-26-169-01 through -07; increase monitoring of CIP/Modbus traffic for anomalous commands </li> <li> Monitor: T1499 (Endpoint DoS) against PLCs; unauthorized firmware uploads; new connections from engineering workstations to internet-facing infrastructure </li> </ul> <h3> Healthcare </h3> <ul> <li> Primary risk: Pioneer Kitten/Handala convergence IOCs originated from H-ISAC — healthcare is a confirmed target; ransomware/wiper convergence threatens patient safety systems </li> <li> Action: Ingest all seven SHA-256 IOCs immediately; validate backup integrity for clinical systems; ensure offline recovery procedures are tested </li> <li> Monitor: T1486 precursors (shadow copy deletion, service stops on clinical applications); unusual lateral movement from VPN endpoints to clinical network segments </li> </ul> <h3> Government / Defense Industrial Base </h3> <ul> <li> Primary risk: CVE-2026-20253 (Cisco SD-WAN) active exploitation in networks prevalent across DIB; FortiBleed credentials may include government Fortinet instances; MuddyWater (MOIS) targeting of government networks is well-documented </li> <li> Action: Emergency patching of Cisco SD-WAN Manager; Fortinet credential rotation with certificate-based authentication migration; hunt for MuddyWater DLL side-loading indicators </li> <li> Monitor: T1190 against SD-WAN management planes; T1078 from unexpected source IPs on classified network perimeters; data exfiltration indicators (T1041) from systems containing controlled unclassified information (CUI) </li> </ul> <h3> Aviation / Logistics </h3> <ul> <li> Primary risk: Supply chain disruption through IT/OT convergence points; Fortinet devices protecting logistics management systems; maritime OT (NAVTOR NavBox) in adjacent threat clusters </li> <li> Action: Audit Fortinet device inventory across logistics operations centers; validate OT network segmentation for cargo handling and flight management systems; review third-party VPN access credentials </li> <li> Monitor: Unauthorized access to scheduling/dispatch systems; anomalous data flows from operational technology segments; T1133 (External Remote Services) from logistics partner connections </li> </ul> <h2> Indicators of Compromise — Blocking Priority </h2> <h3> Network Indicators (Block Immediately) </h3> <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Attribution </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IPv4 </td> <td> 157.20.182[.]49 </td> <td> MuddyWater C2 (MOIS; ASN 152485, NL) </td> <td> Block + Hunt 30-day history </td> </tr> <tr> <td> Domain </td> <td> yiranzai[.]top </td> <td> Malware distribution (Kaspersky conf 100) </td> <td> Block DNS + Hunt 48h </td> </tr> </tbody> </table> <h3> File Hashes (EDR Block + Retroactive Hunt) </h3> <table> <thead> <tr> <th> SHA-256 </th> <th> Attribution </th> </tr> </thead> <tbody> <tr> <td> 028d3de0f0709a18c9928526519e761a08f6766d1eca386e908588f995f44e7f </td> <td> Pioneer Kitten / Handala convergence </td> </tr> <tr> <td> 0a5cf97e699c8bfacee7f89ebfaa851ff03dd004a58ffde9c609fcc2cd27f250 </td> <td> Pioneer Kitten / Handala convergence </td> </tr> <tr> <td> 7540bed5efd55f75271bb4b5a5afb28f343ebe64a816f74f0edba8527dc5e181 </td> <td> Pioneer Kitten / Handala convergence </td> </tr> <tr> <td> 2417738503887374dae9891d26ea7033eb7b44656a14b84f15d4e8fa63e4e830 </td> <td> Pioneer Kitten / Handala convergence </td> </tr> <tr> <td> 2a432edfba8a28854b9e3e34be513e96e1dc3426b1bd0976cda71ecfc5a2427c </td> <td> Pioneer Kitten / Handala convergence </td> </tr> <tr> <td> ff5f7d414c6e701be02ec546c56fac589902896fe29fa0ef1e3a96d904a65134 </td> <td> Pioneer Kitten / Handala convergence </td> </tr> <tr> <td> 9f0ac7fa30e86b4015de6f77fe219cced164f317799fdc3faaf35af730a48700 </td> <td> Pioneer Kitten / Handala convergence </td> </tr> </tbody> </table> Additional IOCs available via Anomali ThreatStream and partner feeds (H-ISAC, Kaspersky). <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> IT Ops </td> <td> Rotate ALL Fortinet device credentials — local admin, RADIUS, LDAP-bound service accounts. Verify no unauthorized admin sessions are active. FortiBleed makes patching irrelevant; only credential rotation addresses this threat. </td> </tr> <tr> <td> 2 </td> <td> SOC </td> <td> Block 157.20.182[.]49 and yiranzai[.]top across all DNS, proxy, firewall, and EDR enforcement points. Hunt for historical connections in last 30 days. </td> </tr> <tr> <td> 3 </td> <td> SOC </td> <td> Deploy the 7 Pioneer Kitten/Handala SHA-256 hashes to EDR blocklists. Run retroactive hunt across 90-day endpoint telemetry. </td> </tr> <tr> <td> 4 </td> <td> SOC </td> <td> Validate no active exploitation of CVE-2026-20253 on Cisco SD-WAN Manager instances. Check for unauthorized accounts or configuration changes. </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 5 </td> <td> IT Ops </td> <td> Patch all Cisco SD-WAN Manager instances for CVE-2026-20253. This is KEV-listed with confirmed active exploitation. </td> </tr> <tr> <td> 6 </td> <td> OT Security </td> <td> Assess applicability of ICSA-26-169-01 through -07 (Schneider, Mitsubishi, Rockwell, AzeoTech, AVer) against deployed ICS inventory. Prioritize Rockwell FactoryTalk Historian (authentication token theft enables lateral movement). </td> </tr> <tr> <td> 7 </td> <td> SOC </td> <td> Develop behavioral detection for DLL side-loading (T1574.002) — MuddyWater's refreshed POWERSTATS variant uses this technique. Alert on DLL loads from %APPDATA%, %TEMP%, and %PROGRAMDATA% by legitimate signed binaries. </td> </tr> <tr> <td> 8 </td> <td> IR Team </td> <td> Update incident response playbooks to account for the Pioneer Kitten → Handala handoff scenario: initial access via Fortinet credentials, followed by rapid lateral movement and wiper deployment within hours (not weeks). </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 9 </td> <td> CISO </td> <td> Commission assessment of blockchain-based C2 detection capabilities. MuddyWater's (MOIS) evolution toward decentralized C2 creates a structural gap in network-based detection. Evaluate endpoint behavioral analytics and DNS-over-HTTPS inspection capabilities. </td> </tr> <tr> <td> 10 </td> <td> IT Ops </td> <td> Migrate Fortinet management plane authentication to certificate-based (mTLS) to permanently eliminate credential-only access vectors. This addresses both FortiBleed and future credential exposure events. </td> </tr> <tr> <td> 11 </td> <td> CISO </td> <td> Conduct tabletop exercise simulating the converged Iranian attack scenario: Pioneer Kitten gains access via leaked Fortinet credentials, hands off to Handala within 4 hours, Handala deploys wiper across IT and pivots to OT. Test detection, containment, and recovery timelines. </td> </tr> <tr> <td> 12 </td> <td> Security Architecture </td> <td> Implement zero-trust network segmentation assuming perimeter compromise. FortiBleed + CVE-2026-20253 together mean the perimeter cannot be trusted as a single point of defense. Focus on east-west traffic monitoring and microsegmentation around critical assets. </td> </tr> </tbody> </table> <h2> The Bottom Line </h2> Iran's cyber apparatus is converging — access brokers feeding destructive operators, shared malware repositories spanning IRGC and MOIS-affiliated unit boundaries, and C2 infrastructure evolving to resist takedowns. FortiBleed gives them scale. CVE-2026-20253 gives them another door. The Pioneer Kitten/Handala pipeline gives them speed. The 112-day mark of this conflict is not a plateau — it's an inflection point. The operational model Iran is building today (shared tooling, credential-based mass access, blockchain C2) will persist long after any ceasefire. Organizations that rotate credentials, patch Cisco, and hunt for these IOCs today are buying time. Organizations that don't are accepting a risk that compounds daily. Rotate your Fortinet credentials. Patch your Cisco SD-WAN. Hunt for these hashes. Do it today. Anomali CTI Desk | 2026-06-19 | For questions or IOC feeds, contact your Anomali representative or access indicators directly via ThreatStream.

FEATURED RESOURCES

June 19, 2026

Anomali Cyber Watch