Anomali Cyber Watch

Iran's Cyber Retaliation Clock Is Ticking: What CISOs Need to Know Right Now

Published on
March 2, 2026
<div fs-toc-offsettop="8rem" fs-toc-element="contents" fs-readtime-element="contents" class="blog-rich-text w-richtext margin-trim-off">
<p>The largest combined kinetic-cyber military operation in modern history hit Iran on 28 February 2026. Within hours, Israel executed what multiple outlets are calling "the largest cyberattack in history," plunging Iranian critical infrastructure, state media, and IRGC security communications into a digital blackout — all synchronized with U.S.-Israeli kinetic strikes under Operation Epic Fury.</p>
<p>That was two days ago. The retaliation clock is now running.</p>
<p>Our continuous threat intelligence monitoring paints a clear picture: <strong>Iranian cyber retaliation against Western and allied organizations is not a question of <em>if</em>, but <em>when</em>. Six independent intelligence firms have reached the same conclusion.</strong></p>
<p>Here is what we know, what we expect, and what you should do about it.</p>
<div id="what-changed-in-the-last-24-hours" style="scroll-margin-top: 8rem;">
<h2><strong>What Changed in the Last 24 Hours</strong></h2>
<p>Yesterday's intelligence collection saw a <strong>7x spike</strong> in relevant reporting. The key developments driving this surge:</p>
<ul role="list">
<li>RESURGE dormancy warning (27 Feb): CISA disclosed that a malware implant on Ivanti VPN devices can survive patching and sit dormant until the attacker reconnects. If you patched but didn't factory-reset, you may still be compromised.</li>
<li>Fortinet FortiCloud SSO zero-day (CVE-2026-24858, CVSS 9.8): A new authentication bypass across most Fortinet products is being actively exploited.
Fortinet has blocked FortiCloud SSO as an interim measure.</li>
<li>Operation Olalampo named: MuddyWater's campaign, active since late January, now has a name and three identified malware families — none yet in any threat intelligence database.</li>
<li>AI-assisted malware confirmed: For the first time, an Iranian APT has been attributed with using AI/LLMs to develop tooling.</li>
<li>Handala claims healthcare breach: The IRGC-linked hacktivist group claimed a breach of Israel's largest healthcare provider on 25 February, signaling escalation to civilian targets.</li>
</ul>
<p>Taken together, our assessment of the Iranian cyber threat has been upgraded from <strong>ELEVATED</strong> to <strong>HIGH</strong>.</p>
</div>
<div id="conflict-timeline" style="scroll-margin-top: 8rem;">
<h2><strong>Conflict Timeline</strong></h2>
<table>
<tr> <td width="30%"><strong>Date</strong></td> <td width="70%"><strong>Event</strong></td> </tr>
<tr> <td>25 Jan 2026</td> <td>EU designates IRGC as a terrorist organization — broadens Iranian target set to include European allies</td> </tr>
<tr> <td>26 Jan 2026</td> <td>MuddyWater begins Operation Olalampo campaign against MENA organizations</td> </tr>
<tr> <td>25 Feb 2026</td> <td>Handala Hack Team claims breach of Clalit, Israel's largest healthcare provider</td> </tr>
<tr> <td>28 Feb 2026</td> <td>U.S.-Israeli kinetic strikes hit IRGC sites under Operation Epic Fury</td> </tr>
<tr> <td>28 Feb – 1 Mar 2026</td> <td>Israel executes "largest cyberattack in history" — digital blackout of Iranian infrastructure, media, IRGC comms</td> </tr>
<tr> <td>1 Mar 2026</td> <td>Six independent intelligence firms warn Iranian cyber retaliation is imminent</td> </tr>
</table>
<p>The retaliation window is now open.
Historical pattern: Iran retaliates within 1–3 weeks of kinetic provocation.</p>
</div>
<div id="the-threat-landscape-five-converging-dangers" style="scroll-margin-top: 8rem;">
<h2><strong>The Threat Landscape: Five Converging Dangers</strong></h2>
<div id="1-the-retaliation-consensus-is-universal">
<h3><strong>1. The Retaliation Consensus Is Universal</strong></h3>
<p>Every major threat intelligence provider has issued warnings. ThreatStream ingested six separate reports on Iranian reprisal risk in the last 72 hours. A former NSA operative quoted by Fortune captured the asymmetry perfectly: <em>"It's in the hands of a 19-year-old hacker in a Telegram room."</em></p>
<p>Iran's cyber targeting spans the government, military, energy, telecommunications, education, and utilities sectors across the US, Israel, the EU, and Gulf states. The target list is broad and the motivation has never been higher.</p>
</div>
<div id="2-your-vpn-edge-is-the-front-door-and-it-may-already-be-open">
<h3><strong>2. Your VPN Edge Is the Front Door — And It May Already Be Open</strong></h3>
<p>This is the most immediately actionable threat. Three critical vulnerabilities in Ivanti and Fortinet products are under active exploitation right now:</p>
<ul role="list">
<li>CVE-2025-0282 (CVSS 9.0): CISA warned on 27 February that the RESURGE malware implant can persist dormant and undetected on Ivanti Connect Secure devices, waiting for the attacker to initiate a connection. If you patched but didn't factory-reset, the implant may still be there.</li>
<li>CVE-2026-1281 / CVE-2026-1340 (both CVSS 9.8): Unauthenticated remote code execution in Ivanti Endpoint Manager Mobile. A single threat actor is responsible for 83% of exploitation — attacks trace back to zero-days exploited since July 2025.</li>
<li>CVE-2026-24858 (CVSS 9.8): A zero-day authentication bypass across FortiOS, FortiProxy, FortiAnalyzer, FortiManager, and FortiWeb via FortiCloud SSO. Actively exploited.
Fortinet has blocked FortiCloud SSO connections as an interim fix.</li>
</ul>
<p>Why does this matter for the Iran crisis specifically? Because Pioneer Kitten — an Iranian APT group — has a documented history of exploiting exactly these product families. Their profile lists Fortinet CVE-2018-13379, CVE-2023-27997, and Ivanti CVE-2024-21887 among their arsenal. The new vulnerabilities are fresh ammunition for an adversary that already knows how to use these weapons.</p>
</div>
<div id="3-muddywater-has-gone-ai-assisted">
<h3><strong>3. MuddyWater Has Gone AI-Assisted</strong></h3>
<p>MuddyWater (also tracked as STATIC KITTEN), one of Iran's most prolific APT groups, launched Operation Olalampo in late January targeting Middle Eastern and North African organizations with three entirely new malware families: GhostFetch, CHAR, and HTTP_VIP. None of these appear in any threat intelligence database yet.</p>
<p>The critical detail: reporting indicates <strong>AI-assisted malware development</strong>. This is the first attributed instance of an Iranian APT leveraging large language models to build tooling. Combined with a separate report of an unsophisticated actor using AI to breach 600+ FortiGate firewalls across 55 countries, the implication is clear — AI is lowering the barrier to entry and accelerating iteration speed across the Iranian threat ecosystem.</p>
<p>Expect faster variant generation. Expect polymorphic payloads that evade signature-based detection. Expect the gap between vulnerability disclosure and weaponized exploit to shrink.</p>
</div>
<div id="4-banished-kitten-is-escalating-to-civilian-targets">
<h3><strong>4. BANISHED KITTEN Is Escalating to Civilian Targets</strong></h3>
<p>On 25 February, the Iran-linked Handala Hack Team claimed to have breached Clalit, Israel's largest healthcare provider.
This follows a January 2026 influence operation publishing purported data leaks related to Israeli intelligence and military officials.</p>
<p>The pattern is unmistakable: BANISHED KITTEN is expanding its target set from military and intelligence to civilian critical infrastructure. Their confirmed arsenal includes ZeroShred wiper, BiBiWiper, GoneXML ransomware, and several custom implants. Healthcare, education, and municipal government are the most likely Western soft targets.</p>
</div>
<div id="5-the-silence-on-icsot-is-the-loudest-signal">
<h3><strong>5. The Silence on ICS/OT Is the Loudest Signal</strong></h3>
<p>For the past several days, we have been actively monitoring for signs of Iranian ICS/OT targeting — specifically the Cyber Av3ngers group and their IOCONTROL malware, which has previously been used against water and energy infrastructure. Despite the highest Iranian motivation in years, we have found zero new indicators of activity.</p>
<p>We assess two hypotheses:</p>
<ul role="list">
<li>Operational preparation: The group is staging for a significant ICS/OT attack while maintaining OPSEC silence. This is consistent with the RESURGE dormancy model — implants placed months ago, waiting for activation.</li>
<li>Capability degradation: The digital blackout of Iran may have disrupted C2 infrastructure.</li>
</ul>
<p>Our recommendation: <strong>treat silence as preparation, not absence.</strong> CISA's latest ICS advisories flag vulnerabilities in Yokogawa CENTUM VP and Johnson Controls systems.
If you run operational technology, this is not the time to assume you're off the target list.</p>
</div>
</div>
<div id="predictive-assessment-what-comes-next" style="scroll-margin-top: 8rem;">
<h2><strong>Predictive Assessment: What Comes Next</strong></h2>
<p>Based on historical Iranian retaliation patterns, current intelligence, and actor capability profiles:</p>
<p>Iranian cyber retaliation against Western and allied targets has an <strong>85–90% probability</strong> within the next 14 days.</p>
<p>Historical precedent supports this assessment. Iran retaliated within 1–3 weeks of the Soleimani assassination in January 2020 with attacks against Federal Depository Network infrastructure, and escalated Pioneer Kitten's Pay2Key ransomware operations following the June 2025 Israel-Iran conflict.</p>
<div id="most-likely-attack-scenario-60-70percent-probability">
<h3><strong>Most Likely Attack Scenario (60–70% probability)</strong></h3>
<p>A combination campaign:</p>
<ul role="list">
<li>Wiper/ransomware deployment against soft targets (healthcare, education, municipal government) via BANISHED KITTEN's tooling</li>
<li>VPN exploitation for espionage access to defense and government networks via Pioneer Kitten or MuddyWater, leveraging the Ivanti and Fortinet vulnerabilities documented above</li>
<li>Hacktivist amplification through Handala Hack Team, Cyber Toufan, and Cyber Av3ngers Telegram channels to maximize psychological impact</li>
</ul>
</div>
<div id="most-dangerous-course-of-action-10-15percent-probability-catastrophic-impact">
<h3><strong>Most Dangerous Course of Action (10–15% probability, catastrophic impact)</strong></h3>
<p>A coordinated ICS/OT attack on energy or water infrastructure using pre-positioned IOCONTROL implants, combined with hacktivist information operations.
Low probability, but the consequences are severe enough to warrant active hunting.</p>
</div>
<div id="wild-cards">
<h3><strong>Wild Cards</strong></h3>
<ul role="list">
<li>Pioneer Kitten's eCrime pivot: In early 2025, this Iranian state group began advertising Pay2Key Ransomware-as-a-Service on Russian-language criminal forums. A single VPN compromise could serve both espionage and destructive objectives simultaneously.</li>
<li>SPECTRAL KITTEN and APT42 are both quiet. Either could activate with lock-and-leak operations or credential harvesting campaigns targeting defense and diplomatic personnel.</li>
<li>AI-generated phishing at scale, leveraging the same LLM capabilities demonstrated in Operation Olalampo's malware development.</li>
</ul>
</div>
</div>
<div id="what-you-should-do-right-now" style="scroll-margin-top: 8rem;">
<h2><strong>What You Should Do Right Now</strong></h2>
<div id="within-24-hours">
<h3><strong>Within 24 Hours</strong></h3>
<ol role="list" style="padding-left: 2rem;">
<li>Disable FortiCloud SSO on all Fortinet devices (FortiOS, FortiProxy, FortiAnalyzer, FortiManager, FortiWeb) until CVE-2026-24858 is patched. Audit whether any FortiGate management ports are exposed to the internet.</li>
</ol>
</div>
<div id="within-48-hours">
<h3><strong>Within 48 Hours</strong></h3>
<ol start="2" role="list" style="padding-left: 2rem;">
<li>Factory-reset and rebuild all Ivanti Connect Secure devices that cannot be verified clean per CISA guidance. Patching alone is insufficient — RESURGE persists through standard remediation.</li>
<li>Patch Ivanti EPMM to the latest version addressing CVE-2026-1281 and CVE-2026-1340.
If patching is delayed, isolate EPMM from internet-facing access immediately.</li>
</ol>
</div>
<div id="within-7-days">
<h3><strong>Within 7 Days</strong></h3>
<ol start="4" role="list" style="padding-left: 2rem;">
<li>Deploy detection rules for BANISHED KITTEN TTPs: ZeroShred wiper, BiBiWiper, GoneXML ransomware, AllinOneNeo implant. Focus on self-extracting archives and Cabinet file delivery mechanisms.</li>
<li>Monitor for MuddyWater Operation Olalampo indicators as IOCs become available. Watch for macro-embedded documents from compromised third-party email accounts and QR-code-delivered payloads.</li>
<li>Conduct a proactive threat hunt on ICS/OT network segments for IOCONTROL indicators and anomalous MODBUS/DNP3 traffic. Verify firmware currency on PLCs and SCADA systems.</li>
</ol>
</div>
<div id="within-7-days-executive-and-ir-preparedness">
<h3><strong>Within 7 Days (Executive &amp; IR Preparedness)</strong></h3>
<ol start="7" role="list" style="padding-left: 2rem;">
<li>Dust off your Iran-specific incident response playbook. If you don't have one, build a streamlined version now covering wiper, ransomware, and VPN compromise scenarios. Pre-assign roles, confirm out-of-band communication channels, and ensure your IR retainer firm is briefed on the current threat landscape.</li>
<li>Brief executive leadership and the board. Prepare a one-page summary of the Iranian retaliation risk, the defensive actions underway, and the decisions that may need to be made quickly (e.g., isolating network segments, authorizing emergency patching windows, approving public disclosure). Executives should not be learning about this threat for the first time during an incident.</li>
<li>Confirm cyber insurance coverage for state-actor incidents. Many policies exclude acts of war or state-sponsored attacks. Review your policy language now — not after a claim is filed.
If exclusions apply, escalate to your broker immediately.</li>
<li>Pre-stage breach notification and crisis communications templates. Draft holding statements for customers, regulators, and media. Identify your legal notification obligations by jurisdiction. The first 24 hours of a major incident are consumed by communications — doing this work now buys your technical teams time to focus on containment.</li>
</ol>
</div>
<div id="within-30-days">
<h3><strong>Within 30 Days</strong></h3>
<ol start="11" role="list" style="padding-left: 2rem;">
<li>Evaluate your detection capability against AI-augmented adversaries. Signature-based detection will increasingly fail against polymorphic, AI-generated malware. Behavioral analytics and anomaly detection are the appropriate countermeasures.</li>
</ol>
</div>
</div>
<div id="the-bottom-line" style="scroll-margin-top: 8rem;">
<h2><strong>The Bottom Line</strong></h2>
<p>The Iranian cyber threat environment, driven by the current geopolitical and military situation, has reached its most dangerous state since the June 2025 conflict. The convergence of kinetic operations, confirmed offensive cyber activity, expanding attack surfaces, and AI-assisted adversary tooling creates conditions that demand immediate defensive action.</p>
<p>The VPN edge is the most critical exposure. Ivanti and Fortinet vulnerabilities are being actively exploited by actors with documented Iranian state ties. If you do nothing else today, scan your Ivanti devices for RESURGE persistence and disable FortiCloud SSO.</p>
<p>The retaliation window is open. The question is not whether Iran will respond in cyberspace, but whether your organization will be ready when it does.</p>
<p><em>This analysis was produced by the Anomali CTI platform using continuous intelligence collection from OSINT, CISA advisories, and ThreatStream threat intelligence feeds.
Threat assessments reflect data available as of 2 March 2026.</em></p>
</div>
</div>
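One way to start the ICS/OT hunt in step 6 of the "Within 7 Days" list (anomalous MODBUS traffic), as an added example that is not part of the Anomali post: it parses captured Modbus/TCP frames (7-byte MBAP header plus PDU, per the public Modbus/TCP specification) and flags write or diagnostic function codes sent from hosts outside an engineering baseline. The baseline, IP addresses and frames are constructed sample data; the post lists no IOCONTROL indicators, so none are assumed here.

```python
import struct

# Added example with constructed sample data (not from the post). Function
# codes that change controller state, and diagnostic/identification codes.
WRITE_FUNCS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
DIAG_FUNCS = {0x08, 0x11, 0x2B}

def parse_modbus_tcp(payload: bytes):
    """Return (transaction_id, unit_id, function_code), or None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # length = unit id + PDU bytes
        return None
    return tid, unit, payload[7]

def find_anomalies(flows, baseline):
    """flows: (src_ip, dst_ip, payload) tuples; baseline: {dst_ip: {src_ips}}
    allowed to write to or interrogate that device. Returns a list of
    (src_ip, dst_ip, unit_id, function_code, reason)."""
    findings = []
    for src, dst, payload in flows:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            findings.append((src, dst, None, None, "malformed frame"))
            continue
        _, unit, fc = parsed
        if src in baseline.get(dst, set()):
            continue  # within the engineering baseline for this device
        if fc in WRITE_FUNCS:
            findings.append((src, dst, unit, fc, "write from non-baseline host"))
        elif fc in DIAG_FUNCS:
            findings.append((src, dst, unit, fc, "diagnostic from non-baseline host"))
    return findings

def frame(tid, unit, fc, data=b""):
    """Build a Modbus/TCP frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample: 10.20.0.5 is the only host allowed to write to the PLC.
BASELINE = {"10.20.0.10": {"10.20.0.5"}}
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.20.0.10", frame(1, 1, 0x03, b"\x00\x00\x00\x0a")),  # read, allowed
    ("10.20.0.5", "10.20.0.10", frame(2, 1, 0x06, b"\x00\x01\x00\xff")),  # write, allowed
    ("10.20.0.99", "10.20.0.10", frame(3, 1, 0x10, b"\x00\x00\x00\x01\x02\x00\x01")),  # write, unknown
    ("10.20.0.99", "10.20.0.10", frame(4, 1, 0x2B, b"\x0e\x01\x00")),  # device id, unknown
    ("10.20.0.42", "10.20.0.10", b"\x00\x05\x00\x00\x00\x02"),  # truncated frame
]
```

Running `find_anomalies(SAMPLE_FLOWS, BASELINE)` returns three findings: the write and the device-identification request from the unknown host, and the truncated frame; a production version would build the baseline from a known-good capture rather than a hand-written dictionary.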
