Iran’s Cyber War Enters Its Most Dangerous Phase: Active ICS Exploitation, Geographic Expansion, and Two Critical Zero-Days

Anomali Threat Research

Published on

April 13, 2026

Table of Contents

Threat Assessment Level: CRITICAL The threat assessment level remains CRITICAL, unchanged from the prior cycle (April 12, 2026). While the prior executive flash labeled the posture “HIGH — ESCALATING,” the convergence of confirmed active ICS exploitation, two simultaneously exploited CVSS 9.8 zero-days, and geographic expansion of destructive operations meets the threshold for CRITICAL. The diplomatic vacuum following the collapse of US-Iran ceasefire talks on April 12 has removed the last restraint on Iranian cyber tempo. <h2>Introduction                               </h2> Forty-four days into the US-Iran military confrontation, the cyber dimension of this conflict has reached an inflection point that demands immediate executive attention. On April 7, CISA, the FBI, and the NSA issued Joint Advisory AA26-097a — not a warning about potential attacks, but a confirmation that Iranian-affiliated actors are already inside US critical infrastructure, actively exploiting programmable logic controllers across the water, energy, and manufacturing sectors. In the same week, the IRGC-linked destructive group Handala claimed breaches of three major UAE organizations, marking a rapid geographic expansion of wiper operations from Israel to the United States to the Gulf. And two CVSS 9.8 zero-day vulnerabilities — in Fortinet FortiClientEMS and Ivanti EPMM — are being actively exploited in the wild, both in product classes historically favored by Iranian actors for initial access. This is not a forecast. This is a damage report. <h2>What Changed                                </h2> The period from April 7–13, 2026 saw six developments that materially alter the threat landscape for every organization operating critical infrastructure, defense supply chains, or Gulf-connected networks: <ol> <li>CISA/FBI/NSA Joint Advisory AA26-097a confirmed active Iranian exploitation of Rockwell Automation/Allen-Bradley PLCs across US water, energy, and manufacturing — with 5,219 PLCs quantified as internet-exposed.</li> <li>Handala (BANISHED KITTEN) claimed breaches of three major UAE organizations spanning defense, energy, government, and healthcare — the first confirmed Gulf-state targeting by this IRGC-linked destructive group.</li> <li>CVE-2026-35616 (Fortinet FortiClientEMS, CVSS 9.8) — a zero-day allowing unauthenticated remote code execution — was added to CISA’s Known Exploited Vulnerabilities catalog with confirmed in-the-wild exploitation.</li> <li>CVE-2026-1340 (Ivanti EPMM, CVSS 9.8) — a pre-authentication RCE vulnerability — was also confirmed on the KEV with active exploitation.</li> <li>Three new ICS advisories (Contemporary Controls BASC, GPL Odorizers, Mitsubishi GENESIS64/ICONICS) expanded the attack surface for industrial environments already under active Iranian targeting.</li> <li>A Mirai2 botnet variant distributing Iran-themed binaries targeting IoT and embedded architectures (ARM, MIPS, SH4) was detected, with device-type overlap into PLC and ICS environments already under active threat.</li> </ol> These developments occurred against the backdrop of the April 12 collapse of US-Iran ceasefire talks, which removed the primary diplomatic constraint on Iranian cyber operations. <h2>Conflict & Threat Timeline                </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> Feb 28, 2026 </td> <td> US-Iran military confrontation begins </td> <td> Day 0 — kinetic and cyber operations commence </td> </tr> <tr> <td> Mar 2026 </td> <td> Handala (BANISHED KITTEN) wiper attack on Stryker (US) </td> <td> First non-Israel destructive operation by Handala </td> </tr> <tr> <td> Apr 4, 2026 </td> <td> CVE-2026-35616 (FortiClientEMS) published </td> <td> CVSS 9.8 zero-day; exploitation confirmed in the wild </td> </tr> <tr> <td> ~Apr 6, 2026 </td> <td> CVE-2026-35616 and CVE-2026-1340 added to CISA KEV </td> <td> Two critical zero-days simultaneously on KEV </td> </tr> <tr> <td> Apr 7, 2026 </td> <td> CISA/FBI/NSA Joint Advisory AA26-097a published </td> <td> Confirms active Iranian exploitation of Rockwell PLCs in US critical infrastructure </td> </tr> <tr> <td> Apr 7–9, 2026 </td> <td> Three ICS advisories: BASC, GPL Odorizers, GENESIS64 </td> <td> Expanded ICS attack surface during active targeting </td> </tr> <tr> <td> Apr 10–11, 2026 </td> <td> MuddyWater campaign updates across 17 countries </td> <td> BugSleep, PowerStats, StarWhale, DHCSpy malware active </td> </tr> <tr> <td> Apr 12, 2026 </td> <td> US-Iran ceasefire talks collapse </td> <td> Diplomatic constraint on cyber operations removed </td> </tr> <tr> <td> Apr 12–13, 2026 </td> <td> Handala claims breach of 3 UAE organizations </td> <td> Geographic expansion: Israel → US → Gulf states </td> </tr> <tr> <td> Apr 13, 2026 </td> <td> Mirai2 botnet with Iran-themed binaries detected </td> <td> IoT/embedded architecture targeting overlaps ICS device types </td> </tr> </tbody> </table> <h2>Key Threat Analysis                          </h2> <h3>1. Active ICS/OT Exploitation — CyberAv3ngers (IRGC-CEC)</h3> Joint Advisory AA26-097a is the most significant US government attribution of Iranian ICS operations since the Unitronics campaign of 2023. The advisory names CyberAv3ngers (also known as the Shahid Kaveh Group), an IRGC Cyber-Electronic Command unit, as actively exploiting internet-exposed Rockwell Automation/Allen-Bradley PLCs using Dropbear SSH implants. The attack methodology is straightforward and devastating: these actors are exploiting default credentials on PLCs that should never have been internet-accessible. With 5,219 such devices quantified as exposed, the remediation window is closing fast — adversaries will race to exploit remaining targets before patching and network segmentation are completed. Relevant ATT&CK techniques: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts — default credentials), T0816 (Device Restart/Shutdown), T0826 (Loss of Availability), T0890 (Exploitation of Remote Services) The simultaneous release of three additional ICS advisories — affecting Contemporary Controls BASC 20T (building automation), GPL Odorizers GPL750 (gas distribution), and Mitsubishi GENESIS64/ICONICS Suite (industrial SCADA/HMI) — expands the vulnerable surface in precisely the sectors under active Iranian targeting. <h3>2. Handala Geographic Expansion — BANISHED KITTEN (IRGC)</h3> Handala (tracked as BANISHED KITTEN, Void Manticore, UNC5203, Storm-842) operates under IRGC direction using a well-documented operational model: APT34/OilRig establishes initial access and hands off to Handala for destruction and information operations amplification. The claimed breach of three major UAE organizations — spanning defense, energy, government, and healthcare — represents a critical geographic expansion. Handala’s targeting trajectory over the past six weeks tells a clear story: <ul> <li>Pre-conflict: Israel-focused exclusively</li> <li>March 2026: Stryker attack — first US target</li> <li>April 12–13, 2026: Three UAE organizations — first Gulf-state targets</li> </ul> This expansion aligns with a strategic logic: UAE is an Abraham Accords signatory, making it a legitimate target in Iran’s threat calculus. The operational infrastructure remains active across three known domains: handala-hack[.]to (data leak site), handala-alert[.]to (news/amplification), and handala-redwanted[.]to (targeting site). <h3>3. Two Critical Zero-Days Under Active Exploitation</h3> CVE-2026-35616 — Fortinet FortiClientEMS (CVSS 9.8) Improper access control in FortiClientEMS versions 7.4.5–7.4.6 allows unauthenticated remote code execution via crafted requests. FortiClientEMS is widely deployed across defense industrial base contractors and government networks for endpoint management. Fortinet products are a documented Iranian initial-access preference — this CVE will be adopted by Iranian actors if it hasn’t been already. CVE-2026-1340 — Ivanti EPMM (CVSS 9.8) Code injection in Ivanti Endpoint Manager Mobile allowing unauthenticated RCE. Both vulnerabilities are on CISA’s KEV, confirming active exploitation in the wild. Relevant ATT&CK techniques: T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation), T1059 (Command and Scripting Interpreter) <h3>4. Named Threat Actors — Full Attribution Map</h3> The following Iranian state-directed and state-affiliated groups are assessed as active or pre-positioned in the current conflict: <table> <thead> <tr> <th> Actor </th> <th> Aliases </th> <th> Affiliation </th> <th> Current Activity </th> </tr> </thead> <tbody> <tr> <td> CyberAv3ngers </td> <td> Shahid Kaveh Group, HYDRO KITTEN </td> <td> IRGC-CEC </td> <td> Active PLC exploitation (AA26-097a) </td> </tr> <tr> <td> Handala </td> <td> BANISHED KITTEN, Void Manticore, UNC5203, Storm-842 </td> <td> IRGC </td> <td> UAE breach claims; wiper operations </td> </tr> <tr> <td> APT34 </td> <td> OilRig </td> <td> MOIS </td> <td> Initial access provider for Handala handoff </td> </tr> <tr> <td> MuddyWater </td> <td> Mango Sandstorm, TA450, Seedworm </td> <td> MOIS </td> <td> Operationally silent — anomalous; last active Apr 10–11 </td> </tr> <tr> <td> APT42 </td> <td> CALANQUE </td> <td> IRGC-IO </td> <td> BELLACIAO/SHELLAFEL espionage campaigns </td> </tr> <tr> <td> Fox Kitten </td> <td> — </td> <td> MOIS </td> <td> Active espionage operations </td> </tr> <tr> <td> APT35 </td> <td> Tortoiseshell </td> <td> IRGC-affiliated </td> <td> Active operations </td> </tr> <tr> <td> Shamoon Group </td> <td> — </td> <td> Iranian-affiliated </td> <td> Profile updated Apr 12; no new operations — possible pre-positioning </td> </tr> <tr> <td> Silent Librarian </td> <td> — </td> <td> Iranian-affiliated </td> <td> Profile updated Apr 12 </td> </tr> </tbody> </table> <h3>5. Mirai2 Botnet with Iran-Themed Binaries</h3> Intelligence collection identified a Mirai2 botnet variant distributing binaries with Iran-themed filenames (iran.armv5l, iran.i486, iran.mipsel, iran.sh4) from IP 83[.]168[.]110[.]191. While this is assessed as likely criminal rather than state-directed, the targeting of IoT/embedded architectures (ARM, MIPS, SH4) overlaps with PLC and ICS device architectures — creating potential for confusion during incident response and an additional threat to already-stressed OT environments. <h3>6. Notable Absences — What’s Missing Is Also Signal</h3> MuddyWater silence: Despite being one of Iran’s most active cyber espionage groups — with confirmed operations across 17 countries — MuddyWater has gone operationally silent during peak conflict escalation. This is anomalous given their historical pattern of parallel kinetic-cyber operations and may indicate retooling or preparation for a significant operation. DIB pre-positioning gap: There has been no new intelligence on Iranian pre-positioning within defense industrial base contractor networks for 34 days — during the most active Iranian cyber campaign in years. This represents either a collection gap or undetected dormant access. Both possibilities are unacceptable. No Western hacktivist counter-operations: The absence of Anonymous or other Western hacktivist activity against Iranian targets creates an asymmetric information operations environment where pro-Iran groups (Handala, DieNet, 313 Team) dominate the narrative without counter-pressure. <h2>Predictive Analysis — Next 72 Hours</h2> <table> <thead> <tr> <th> Probability </th> <th> Scenario </th> </tr> </thead> <tbody> <tr> <td> HIGH (>75%) </td> <td> Additional Iranian PLC exploitation attempts accelerate as AA26-097a drives defender response — actors will race to exploit remaining exposed PLCs before patching completes </td> </tr> <tr> <td> MODERATE (50–75%) </td> <td> Handala releases stolen UAE data on its data leak site within 48–72 hours to maximize information operations impact during US blockade discussions </td> </tr> <tr> <td> MODERATE (50–75%) </td> <td> CVE-2026-35616 (FortiClientEMS) exploitation adopted by Iranian actors — Fortinet products are a documented Iranian initial-access preference </td> </tr> <tr> <td> LOW-MODERATE (25–50%) </td> <td> MuddyWater reactivation with new tooling, possibly leveraging APT42 BELLACIAO/SHELLAFEL infrastructure overlap </td> </tr> <tr> <td> LOW-MODERATE (25–50%) </td> <td> Shamoon-style wiper deployment against Gulf-state energy infrastructure, potentially via Handala’s expanded operational pipeline </td> </tr> </tbody> </table> <h2>SOC Operational Guidance            </h2> <h3>What to Monitor</h3> <table> <thead> <tr> <th> Focus Area </th> <th> ATT&CK Technique </th> <th> Detection Guidance </th> </tr> </thead> <tbody> <tr> <td> PLC/ICS default credential abuse </td> <td> T1078 (Valid Accounts) </td> <td> Alert on authentication to Rockwell/Allen-Bradley PLCs from non-OT-management IPs; audit all default credentials on internet-exposed industrial devices </td> </tr> <tr> <td> Edge device exploitation </td> <td> T1190 (Exploit Public-Facing Application) </td> <td> Monitor FortiClientEMS (7.4.5–7.4.6) and Ivanti EPMM for unauthenticated access patterns; correlate with CISA KEV IOCs when published </td> </tr> <tr> <td> Wiper precursor activity </td> <td> T1485 (Data Destruction), T1486 (Data Encrypted for Impact) </td> <td> Monitor for mass file deletion, MBR/VBR modification, or encryption without ransom note — Handala wipers masquerade as ransomware </td> </tr> <tr> <td> Lateral movement from OT to IT </td> <td> T0890 (Exploitation of Remote Services) </td> <td> Alert on any traffic from OT/ICS network segments to IT management networks; Dropbear SSH implants on PLCs will attempt lateral movement </td> </tr> <tr> <td> Dormant account reactivation </td> <td> T1078 (Valid Accounts) </td> <td> Hunt for accounts dormant >30 days that suddenly authenticate — especially in DIB/aerospace environments </td> </tr> <tr> <td> Data staging and exfiltration </td> <td> T1560 (Archive Collection), T1567.002 (Exfil to Cloud Storage) </td> <td> Monitor for unusual archive creation (7z, RAR, ZIP) followed by uploads to cloud storage services </td> </tr> <tr> <td> Credential harvesting from ICS </td> <td> T1552.001 (Credentials in Files) </td> <td> Audit Mitsubishi GENESIS64/ICONICS SQL Server configurations for exposed credentials per ICSA-26-097-01 </td> </tr> <tr> <td> C2 communications </td> <td> T1041 (Exfiltration Over C2 Channel) </td> <td> Monitor for connections to known Handala infrastructure: handala-hack[.]to, handala-alert[.]to, handala-redwanted[.]to, justicehomeland[.]org, karmabelow80[.]org </td> </tr> <tr> <td> IoT/embedded device compromise </td> <td> T1190 </td> <td> Monitor for connections to 83[.]168[.]110[.]191 (Mirai2 C2); scan for unauthorized binaries on ARM/MIPS/SH4 architecture devices </td> </tr> </tbody> </table> <h3>Hunting Hypotheses</h3> <ol> <li>Hypothesis: Iranian actors have already compromised Rockwell PLCs in our environment via default credentials. Hunt for: Dropbear SSH processes on PLC firmware, unexpected outbound connections from OT segments, authentication events using factory-default credentials on Allen-Bradley devices.</li> <li>Hypothesis: FortiClientEMS or Ivanti EPMM has been exploited as an initial access vector. Hunt for: Unauthenticated API calls to FortiClientEMS management interfaces, anomalous process execution on EPMM servers, web shells (T1505.003) deployed post-exploitation.</li> <li>Hypothesis: Dormant access exists in DIB/aerospace networks from prior Iranian espionage operations. Hunt for: Valid accounts inactive >30 days with sudden reactivation, GitHub-sourced developer tools with embedded backdoors (UNC6446 resume lure campaign), exfiltration to cloud storage services from engineering workstations.</li> <li>Hypothesis: APT34 has established initial access that will be handed off to Handala for destruction. Hunt for: OilRig TTPs (DNS tunneling, web shells on Exchange/OWA servers) in environments connected to Gulf-region partners or UAE operations.</li> </ol> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> Financial institutions face dual risk: direct targeting by Iranian espionage groups (APT34, APT42) seeking economic intelligence during sanctions enforcement, and collateral impact from destructive operations against interconnected infrastructure. <ul> <li>Immediate: Audit all Fortinet FortiClientEMS and Ivanti EPMM deployments; emergency patch CVE-2026-35616 and CVE-2026-1340. Financial sector adoption of these products for remote workforce management is widespread.</li> <li>7-Day: Review SWIFT and interbank messaging system access controls for dormant accounts. Iranian actors have historically targeted financial messaging infrastructure during geopolitical escalation.</li> <li>30-Day: Conduct tabletop exercise simulating a wiper attack on core banking systems, modeled on Handala’s operational pattern (APT34 initial access → data exfiltration → wiper deployment → public leak).</li> </ul> <h3>Energy</h3> Energy is the highest-risk sector in this threat environment. AA26-097a explicitly names energy as an active target, and Handala’s UAE expansion puts Gulf-connected energy operations directly in the crosshairs. <ul> <li>Immediate: Remove ALL Rockwell Automation/Allen-Bradley PLCs from the public internet. Where remote access is operationally required, place behind VPN with MFA and restrict to named management IPs. Audit default credentials on every PLC.</li> <li>Immediate: Review ICS advisories for Contemporary Controls BASC (building automation), GPL Odorizers GPL750 (gas distribution), Yokogawa CENTUM VP, Siemens SICAM 8, and Hitachi Energy Ellipse. Apply patches or compensating controls.</li> <li>7-Day: Validate OT/IT network segmentation. Dropbear SSH implants on compromised PLCs will attempt lateral movement — ensure OT segments cannot reach IT management networks.</li> <li>30-Day: Commission independent assessment of ICS/OT network segmentation and air-gap integrity across all operational technology environments.</li> </ul> <h3>Healthcare</h3> Healthcare faces risk from both targeted operations (Handala’s UAE claims included healthcare organizations) and collateral damage from wiper attacks on shared infrastructure. The March 2026 Stryker attack demonstrated that medical device manufacturers are viable targets. <ul> <li>Immediate: Patch FortiClientEMS and Ivanti EPMM — both are commonly deployed in healthcare for mobile device management of clinical staff.</li> <li>7-Day: Audit all network-connected medical devices for default credentials and unnecessary internet exposure. The same PLC exploitation methodology (default creds on internet-exposed devices) applies to connected medical equipment.</li> <li>30-Day: Review and test incident response plans specifically for wiper scenarios. Healthcare organizations must be prepared for simultaneous loss of EHR, imaging, and connected medical device systems.</li> </ul> <h3>Government</h3> Government agencies are primary targets for both espionage (APT42, MuddyWater) and destructive operations (CyberAv3ngers, Handala). The CISA advisory is directed at government defenders. <ul> <li>Immediate: Implement all AA26-097a mitigations. Ingest CSAF IOCs when the full advisory is published. Audit Ivanti EPMM deployments — government mobile device management is a high-value target.</li> <li>7-Day: Conduct threat hunt for MuddyWater indicators (BugSleep, PowerStats, StarWhale, DHCSpy) across government networks. MuddyWater’s operational silence during peak conflict is anomalous and may precede a significant operation.</li> <li>30-Day: Brief Gulf-region diplomatic and military partners on Handala’s geographic expansion. Share TLP:GREEN indicators and coordinate defensive posture.</li> </ul> <h3>Aviation & Logistics</h3> Aviation and defense logistics face the highest risk from PIR-007 — dormant Iranian pre-positioning in defense industrial base networks. The GitHub resume lure campaign (UNC6446) specifically targeted aerospace. <ul> <li>Immediate: Audit all developer workstations for GitHub-sourced tools and repositories that may contain embedded backdoors. The UNC6446 campaign uses fake coding challenges and resume-themed lures.</li> <li>7-Day: Execute dedicated threat hunt for dormant valid accounts (T1078) in aerospace and defense logistics networks. Focus on accounts inactive >30 days that show any authentication activity. Search for web shells (T1505.003) on externally-facing servers.</li> <li>30-Day: Review supply chain security for all software dependencies. The LiteLLM/TeamPCP compromise (C2 at 83[.]142[.]209[.]11) demonstrates that AI/ML toolchain supply chain attacks are active and may target aerospace R&D environments.</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>Immediate (Within 24 Hours)</h3> <table> <thead> <tr> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IT Ops </td> <td> Emergency patch Fortinet FortiClientEMS to version >7.4.6 to remediate CVE-2026-35616 (CVSS 9.8, actively exploited). Verify zero remaining instances of versions 7.4.5–7.4.6 in production. </td> </tr> <tr> <td> IT Ops </td> <td> Emergency patch Ivanti EPMM to remediate CVE-2026-1340 (CVSS 9.8, CISA KEV). Audit EPMM access logs for indicators of unauthenticated RCE. </td> </tr> <tr> <td> SOC </td> <td> Block IP 83[.]168[.]110[.]191 and associated Mirai2 MD5 hashes at network perimeter and EDR. Prioritize IoT/OT network segments. </td> </tr> <tr> <td> SOC </td> <td> Block Handala infrastructure domains (handala-hack[.]to, handala-alert[.]to, handala-redwanted[.]to, justicehomeland[.]org, karmabelow80[.]org) at DNS and proxy layers. </td> </tr> <tr> <td> OT/ICS Ops </td> <td> Audit and remediate ALL internet-exposed Rockwell Automation/Allen-Bradley PLCs. Remove from public internet or place behind VPN with MFA. Change all default credentials. </td> </tr> <tr> <td> SOC </td> <td> Ingest CISA AA26-097a indicators (full CSAF when published) and create detection rules for PLC default credential abuse and Dropbear SSH implant activity. </td> </tr> </tbody> </table> <h3>7-Day Actions</h3> <table> <thead> <tr> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> SOC </td> <td> Conduct threat hunt for Handala/BANISHED KITTEN indicators in UAE-connected partner networks. Search for Handala DLS domains in DNS and proxy logs. </td> </tr> <tr> <td> SOC </td> <td> Execute dedicated threat hunt for dormant access in DIB/aerospace networks: T1078 (dormant account reactivation), T1505.003 (web shells), T1567.002 (exfiltration to cloud storage). The 34-day intelligence gap during active conflict is an unacceptable blind spot. </td> </tr> <tr> <td> IT Ops </td> <td> Audit Mitsubishi GENESIS64/ICONICS Suite deployments for SQL Server credential exposure per ICSA-26-097-01. Rotate all affected credentials. </td> </tr> <tr> <td> SOC </td> <td> Increase monitoring for MuddyWater infrastructure reactivation. Deploy detection for BugSleep, PowerStats, StarWhale, and DHCSpy malware families. Check for BELLACIAO/SHELLAFEL deployment overlap with APT42 campaigns. </td> </tr> </tbody> </table> <h3>30-Day Actions</h3> <table> <thead> <tr> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> CISO </td> <td> Commission independent assessment of ICS/OT network segmentation posture for all Rockwell Automation, Yokogawa CENTUM VP, Siemens SICAM 8, and Hitachi Energy Ellipse deployments. Validate air-gap integrity. </td> </tr> <tr> <td> CISO </td> <td> Brief Gulf-region partners on Handala geographic expansion to UAE. Share TLP:GREEN indicators and recommend perimeter hardening: block Iran and Starlink IP ranges, enforce MFA on all remote access, restrict VPN to business-required countries. </td> </tr> <tr> <td> CISO / IR </td> <td> Conduct tabletop exercise simulating the APT34 → Handala kill chain: initial access via edge device exploitation → lateral movement → data exfiltration → wiper deployment → public data leak on Handala DLS. Test IR playbooks for simultaneous destructive and information operations. </td> </tr> <tr> <td> CISO </td> <td> Evaluate consolidation of threat monitoring across ICS/OT, edge device, and espionage threat vectors. The Iranian operational model — where a single intrusion chain spans espionage, destruction, and information operations — requires integrated detection rather than siloed monitoring. </td> </tr> </tbody> </table> <h2>Bottom Line                               </h2> We are 44 days into the US-Iran military confrontation, and the cyber dimension has entered its most dangerous phase. CISA, the FBI, and the NSA have confirmed that Iranian actors are inside US critical infrastructure right now, exploiting PLCs that control water treatment, energy distribution, and manufacturing processes. Handala’s geographic expansion from Israel to the United States to the UAE in six weeks demonstrates that Iran’s IRGC is systematically broadening its target aperture. Two CVSS 9.8 zero-days in edge devices favored by Iranian actors are being exploited simultaneously. And the collapse of ceasefire talks has removed the last diplomatic brake on Iranian cyber operations. The window to act is measured in hours, not weeks. Every internet-exposed PLC, every unpatched FortiClientEMS instance, every Ivanti EPMM server running a vulnerable version — these are not theoretical vulnerabilities. They are active attack surfaces being exploited by named, attributed threat actors with demonstrated willingness to cross destructive thresholds. Patch. Segment. Hunt. Brief your board. The next 72 hours will define whether your organization is a defender or a headline.

FEATURED RESOURCES

April 13, 2026

Anomali Cyber Watch