Iran’s Cyber War Didn’t Stop When the Bombs Did — Why the Ceasefire Is the Most Dangerous Phase Yet

Anomali Threat Research

Published on

April 20, 2026

Table of Contents

Threat Assessment Level: CRITICAL Fifty-one days into the US-Iran armed conflict, Tehran’s cyber operators are not standing down. They are digging in. Three independent sources confirm that Iranian state-sponsored hacking groups have continued — and in some cases intensified — offensive cyber operations throughout ceasefire negotiations. For CISOs defending critical infrastructure, defense industrial base networks, and Gulf-region operations, the current “quiet” is not peace. It is preparation. <h2>Why This Matters Right Now            </h2> The conventional wisdom says ceasefires reduce risk. In cyberspace, the opposite is true. Iran’s cyber apparatus is using the negotiation window to pre-position access, expand targeting to new vendors and geographies, and preserve leverage for the next escalation. The ceasefire set to expire on 23 April contains no cyber provisions whatsoever — a fact confirmed by multiple policy analysts. Meanwhile, the most consequential gap in our visibility — dormant Iranian access inside Defense Industrial Base networks — has gone 41 days without a single detection. That silence should alarm every CISO in the defense supply chain. <h2>What Changed                                    </h2> <table> <thead> <tr> <th> Date </th> <th> Development </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> US-Iran armed conflict begins </td> <td> Day 0 — kinetic and cyber operations commence simultaneously </td> </tr> <tr> <td> 7 Apr 2026 </td> <td> US officials confirm Iran attempting cyberattacks against critical US infrastructure </td> <td> Official government acknowledgment of active targeting </td> </tr> <tr> <td> 8 Apr 2026 </td> <td> Iranian-linked PLC exploitation expands to Rockwell Automation/Allen-Bradley </td> <td> Vendor scope widens beyond initial Unitronics targeting </td> </tr> <tr> <td> 9 Apr 2026 </td> <td> Ababil of Minab claims admin access to LA Metro VMware vCenter (~1,421 VMs) and train control systems </td> <td> First confirmed OT/transit compromise by Iran-aligned hacktivists on US soil </td> </tr> <tr> <td> 10 Apr 2026 </td> <td> Saudi Arabia reports sharpest increase in cyberattacks since war began; attacks evolving from disruptive to complex </td> <td> Gulf allies facing espionage and supply chain operations, not just DDoS </td> </tr> <tr> <td> 14 Apr 2026 </td> <td> HSToday reports Iranian proxy attacks and cyber threats expanding to Southeast Europe </td> <td> New geographic expansion — NATO/EU states now in targeting aperture </td> </tr> <tr> <td> 16 Apr 2026 </td> <td> NYT confirms Iranian digital warriors continuing operations despite emerging ceasefire </td> <td> Ceasefire has not slowed cyber tempo </td> </tr> <tr> <td> 16 Apr 2026 </td> <td> CISA publishes ICS advisories for AVEVA Pipeline Simulation and Horner Automation PLCs </td> <td> New OT attack surface relevant to energy and manufacturing </td> </tr> <tr> <td> 17 Apr 2026 </td> <td> CISA/FBI/NSA confirm deployment of ICS malware TRK25-ADVANCED against US water utility PLCs; ZionSiphon discovered targeting Israeli desalination </td> <td> Purpose-built ICS malware — a significant capability escalation </td> </tr> <tr> <td> 18 Apr 2026 </td> <td> Forbes analysis: “A ceasefire that ignores cyber is not a real ceasefire” </td> <td> Cyber explicitly excluded from ceasefire terms </td> </tr> <tr> <td> 19 Apr 2026 </td> <td> IRGC Brigadier General Zolfaghari publicly names OpenAI Stargate UAE campus as legitimate retaliatory target </td> <td> Explicit threat to AI/technology infrastructure in the Gulf </td> </tr> <tr> <td> 19 Apr 2026 </td> <td> ThreatStream updates: MuddyWater/UNC5667, UNC1549, Ababil of Minab profiles refreshed; 3 active Ivanti EPMM exploitation campaigns confirmed </td> <td> Ongoing operational activity across multiple actor groups </td> </tr> <tr> <td> 20 Apr 2026 </td> <td> Multi-vertical Iranian espionage campaign active across 17 countries targeting energy, government, telecom, utilities </td> <td> Broadest targeting scope observed this conflict </td> </tr> </tbody> </table> <h2>The Threat Landscape: Three Converging Risks</h2> <h3>1. PLC and ICS Exploitation Is Expanding — Fast</h3> Iranian operators have moved well beyond their initial Unitronics PLC targeting. SecurityWeek and PolySwarm confirmed this month that Rockwell Automation/Allen-Bradley PLCs are now under active exploitation, with CISA warning that other OT vendors “may also be at risk.” This is not theoretical. The TRK25-ADVANCED malware — confirmed by CISA, FBI, and NSA on 17 April — was purpose-built to manipulate US water utility PLCs. A parallel tool, ZionSiphon, targets Israeli desalination infrastructure. New CISA ICS advisories for AVEVA Pipeline Simulation (which allows unauthenticated modification of simulation parameters) and Horner Automation Cscape/XL4/XL7 PLCs (unauthorized system access) further expand the OT attack surface relevant to energy, oil & gas, and manufacturing environments. The IRGC-aligned Cyber Av3ngers and the MOIS-directed hacktivist front Ababil of Minab — which claimed administrative access to LA Metro’s VMware vCenter and train control systems on 9 April — represent the operational arms executing these attacks. The convergence of state-developed ICS malware with hacktivist-branded operations makes attribution deliberately murky and response more complex. Key ATT&CK Techniques: T1190 (Exploit Public-Facing Application), T0816 (Device Restart/Shutdown), T0826 (Loss of Availability), T0855 (Unauthorized Command Message), T0831 (Manipulation of Control) <h3>2. State APT Espionage Is Broadening in Scope and Geography</h3> Two distinct Iranian state ecosystems are operating in parallel: <ul> <li>MOIS (Ministry of Intelligence and Security) directs OilRig/APT34, MuddyWater/UNC5667, SPECTRAL KITTEN/Agrius, UNC1860/Scarred Manticore, UNC757/Pioneer Kitten, and the unified MOIST GRASSHOPPER ecosystem (Handala, Homeland Justice, Karma — reportedly under Seyed Yahya Hosseini Panjaki).</li> <li>IRGC (Islamic Revolutionary Guard Corps) controls Cyber Av3ngers and UNC1549/Imperial Kitten. APT42/Charming Kitten operates under IRGC-IO (IRGC Intelligence Organization).</li> </ul> A ThreatStream-tracked espionage campaign (updated 19 April) attributed to suspected Iranian actors is now active across 17 countries, targeting commercial, education, energy, government, non-profit, telecommunications, and utilities sectors using custom backdoors and legitimate remote access tools. MuddyWater/UNC5667 — updated the same day — continues spearphishing operations with custom malware targeting Israel, Malaysia, Oman, and beyond. UNC1549/Imperial Kitten is assessed with moderate-high confidence to be behind the escalating attacks against Saudi Arabia, which has experienced the sharpest increase in cyber incidents since the war began. Attacks have evolved from disruptive (DDoS, defacement) to complex (espionage, supply chain compromise, persistent access) — a maturation that demands a corresponding defensive upgrade. New geographic expansion: Homeland Security Today reported on 14 April that Iranian proxy attacks and cyber threats are now extending into Southeast Europe, putting NATO and EU member state infrastructure into the targeting aperture for the first time in this conflict. Key ATT&CK Techniques: T1566.001/.002 (Spearphishing Attachment/Link), T1219 (Remote Access Software), T1059.001 (PowerShell), T1078 (Valid Accounts), T1133 (External Remote Services), T1105 (Ingress Tool Transfer) <h3>3. The 41-Day Silence on Defense Industrial Base Targeting Is the Loudest Signal</h3> For 41 consecutive days, no Iranian intrusion activity has been detected against Defense Industrial Base contractors — aerospace, advanced manufacturing, cleared defense facilities. This is not reassuring. It is alarming. Historical precedent (CISA Advisory AA22-320A) documents Iranian actors maintaining dormant access inside compromised networks for months before activating during crises. The current conflict is precisely the crisis that would trigger activation. Pioneer Kitten/UNC757, known for brokering initial access to ransomware affiliates, has also gone silent — potentially preserving access for future leverage rather than monetizing it now. Similarly, APT42/Charming Kitten — which historically surges during negotiations with credential harvesting campaigns designed to collect intelligence for leverage — has shown no detected activity despite a profile update on 8 April. This absence is anomalous and should be treated as a warning, not a comfort. The MOIS-aligned hacktivist brands Handala and Cyber Toufan, extremely active in the early conflict phase, have been silent for 41 days. Possible explanations include operational pause, regrouping under new personas, or a shift to encrypted channels (Telegram) outside current collection visibility. Key ATT&CK Techniques for Hunting: T1078 (Valid Accounts — dormant account activation), T1505.003 (Web Shell persistence), T1567.002 (Exfiltration to Cloud Storage — Rclone/Wasabi staging) <h2>Edge Device Exploitation: The Front Door Remains Wide Open</h2> Three active exploitation campaigns targeting Ivanti EPMM (CVE-2026-1281 and CVE-2026-1340) were confirmed in ThreatStream as of 19 April, targeting government and financial services organizations. A separate campaign exploiting Cisco SD-WAN (CVE-2026-20127) is also active. These edge/VPN appliances remain the primary initial access vector for Iranian state actors — a pattern consistent across MuddyWater, APT34, and Pioneer Kitten operations throughout the conflict. <h2>Infrastructure Intelligence: What the IOCs Reveal</h2> Analysis of confirmed Iranian APT infrastructure reveals two notable patterns: State APT Infrastructure on Iranian ASNs: High-confidence (90+) APT indicators on Asiatech (ASN 43754) and Farahoosh Dena (ASN 44208) — both Iranian internet service providers — are tagged by CISA as active command-and-control infrastructure. The Farahoosh Dena IPs are dual-tagged as both APT infrastructure and Lummastealer (a commodity infostealer), supporting the thesis that MOIS operations are converging with cybercriminal tooling — whether for obfuscation, access brokering, or shared infrastructure. Operational Relay Cluster: Four SOCKS4 proxy IPs on ASN 213790 (“Limited Network”) are being refreshed daily — a pattern consistent with operational relay infrastructure used to anonymize APT traffic. While not directly attributed to a named actor, the rotation pattern and ASN profile warrant watchlisting. <h2>Predictive Analysis: What Comes Next</h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Iranian APTs intensify credential harvesting and pre-positioning as ceasefire deadline (23 Apr) approaches </td> <td> 70% </td> <td> 72 hours </td> <td> Historical APT42 pattern during negotiations; 3/3 source corroboration of continuing operations </td> </tr> <tr> <td> New hacktivist persona emerges to replace quiet Handala/Cyber Toufan brands </td> <td> 50% </td> <td> 7–14 days </td> <td> 41-day silence on established brands; precedent of Iranian persona rotation </td> </tr> <tr> <td> Significant Iranian cyber surge within 72 hours of ceasefire expiry (if no deal) </td> <td> 70% </td> <td> By 26 Apr </td> <td> Ceasefire excludes cyber; pre-positioning activity confirmed; ICS tooling deployed </td> </tr> <tr> <td> Dormant Iranian access activated inside DIB contractor networks </td> <td> 40% </td> <td> 30 days </td> <td> AA22-320A precedent; 41-day detection gap; high strategic value of DIB access during conflict </td> </tr> <tr> <td> Iranian ICS/OT attack against US or Gulf energy infrastructure causing physical disruption </td> <td> 30% </td> <td> 30 days </td> <td> TRK25-ADVANCED deployed; PLC targeting expanding; IRGC explicit threat to UAE infrastructure </td> </tr> <tr> <td> APT42/Charming Kitten credential harvesting surge targeting negotiation principals and policy staff </td> <td> 65% </td> <td> 7 days </td> <td> Historical pattern; anomalous current silence; ceasefire deadline pressure </td> </tr> </tbody> </table> <h2>SOC Operational Guidance                   </h2> <h3>Threat Hunting Hypotheses</h3> Hunt 1 — Dormant Iranian Access in DIB Networks (CRITICAL) - Hypothesis: Iranian actors (Pioneer Kitten/UNC757, MuddyWater) established persistent access in DIB contractor networks prior to or during the early conflict phase and are maintaining dormant footholds. - What to look for: - T1078 (Valid Accounts): Service accounts or VPN accounts with no recent interactive logon that suddenly authenticate — especially from non-US IP ranges or TOR/VPN exit nodes - T1505.003 (Server Software Component: Web Shell): IIS/Apache web shells in DMZ-facing servers, particularly on Exchange or SharePoint - T1567.002 (Exfiltration Over Web Service): Rclone, Wasabi S3, or Backblaze B2 binaries or configuration files; large outbound transfers to cloud storage - T1133 (External Remote Services): Anomalous VPN connections from Iranian ASNs (43754, 44208, 213790) or known anonymization services - Data sources: VPN logs, EDR telemetry, web server access logs, cloud storage audit logs, Active Directory authentication logs Hunt 2 — PLC/ICS Unauthorized Access - Hypothesis: Internet-exposed Rockwell Automation/Allen-Bradley, Horner Automation, or Unitronics PLCs have been accessed or reconfigured by Iranian operators. - What to look for: - T1190: Connections to PLC management ports from external IPs, especially Iranian ASNs - T0855: Unauthorized command messages or configuration changes in PLC audit logs - T0831: Unexpected setpoint modifications in SCADA historian data - Connections from PLCs to the IOCs listed above - Data sources: OT network traffic captures, PLC configuration change logs, SCADA historian, firewall logs for OT DMZ Hunt 3 — APT42 Credential Harvesting Surge - Hypothesis: APT42/Charming Kitten (IRGC-IO) is preparing or executing credential harvesting campaigns targeting policy staff, negotiation principals, and government officials involved in ceasefire talks. - What to look for: - T1566.002 (Spearphishing Link): Emails with links to fake login portals mimicking Google, Microsoft, or government SSO pages - T1078.004 (Cloud Accounts): Impossible travel alerts or anomalous OAuth token grants in M365/Google Workspace - T1539 (Steal Web Session Cookie): Browser session hijacking via token theft - Known APT42 infrastructure patterns: typosquatted domains mimicking legitimate services - Data sources: Email gateway logs, Entra ID sign-in logs, OAuth application consent logs, conditional access policy alerts <h3>Detection Engineering Priorities</h3> <ol> <li>Create alerting rules for any network connection (inbound or outbound) to the six confirmed APT IPs and four proxy relay IPs listed above</li> <li>Tune VPN authentication alerts to flag logins from Iranian ASNs 43754, 44208, and 213790</li> <li>Deploy YARA rules for TRK25-ADVANCED and IOCONTROL malware families on OT jump hosts and engineering workstations</li> <li>Enable enhanced logging for Ivanti EPMM, Cisco SD-WAN, and FortiSandbox appliances — these are confirmed initial access vectors</li> <li>Monitor for Rclone/cloud exfiltration tools across all endpoints, with particular focus on DIB-classified networks</li> </ol> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> Iranian campaigns are actively targeting financial services organizations through Ivanti EPMM exploitation (CVE-2026-1281, CVE-2026-1340). Prioritize patching these vulnerabilities immediately. Monitor for unauthorized OAuth application consents in M365 environments — APT42’s credential harvesting operations frequently target financial sector executives and compliance officers for intelligence value. Review SWIFT and core banking system access logs for anomalous service account activity. Ensure MFA is enforced on all remote access pathways, with phishing-resistant methods (FIDO2) for privileged accounts. <h3>Energy</h3> This sector faces the most acute threat. TRK25-ADVANCED is purpose-built ICS malware targeting water utility PLCs, and PLC exploitation has expanded to Rockwell Automation/Allen-Bradley systems widely deployed in energy environments. The new CISA advisory for AVEVA Pipeline Simulation means pipeline operators must verify that simulation environments are air-gapped from operational networks. Audit all internet-exposed PLCs and RTUs. Implement network segmentation between IT and OT with unidirectional gateways where possible. Gulf-region energy operations should assume they are actively targeted by UNC1549/Imperial Kitten and deploy enhanced monitoring on all remote access pathways. <h3>Healthcare</h3> Healthcare organizations are included in the 17-country multi-vertical espionage campaign tracked this cycle. Iranian actors have historically targeted healthcare for both data theft and ransomware (via Pioneer Kitten’s access brokering to ransomware affiliates). Ensure medical device networks are segmented from enterprise IT. Patch Ivanti EPMM if deployed for mobile device management of clinical staff devices. Monitor for Lummastealer infections, which can harvest credentials that enable lateral movement to EHR systems. <h3>Government</h3> Government agencies are primary targets across multiple active campaigns — the multi-vertical espionage campaign, Ivanti EPMM exploitation, and APT42 credential harvesting all explicitly target government entities. The expansion of Iranian proxy threats to Southeast Europe means European government agencies in NATO/EU member states should elevate their threat posture. Enforce conditional access policies that block authentication from high-risk geographies. Audit all external-facing applications (VPN concentrators, email gateways, collaboration platforms) for unpatched vulnerabilities. Brief staff involved in Iran policy or ceasefire negotiations on APT42 spearphishing TTPs. <h3>Aviation and Logistics</h3> UNC1549/Imperial Kitten’s confirmed targeting includes aerospace and defense logistics. The Ababil of Minab compromise of LA Metro’s VMware vCenter and train control systems demonstrates that transportation infrastructure is in the active targeting set. Aviation and logistics CISOs should audit VMware vCenter and ESXi deployments for unauthorized administrative accounts, review network segmentation between IT management planes and operational technology, and ensure backup/recovery procedures can restore operations if ransomware or wiper malware is deployed. Monitor for job-themed spearphishing lures — UNC1549’s signature initial access technique. <h2>Prioritized Defense Recommendations</h2> <h3>IMMEDIATE (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IMMEDIATE </td> <td> IT Ops / OT Security </td> <td> Audit ALL internet-exposed Rockwell Automation/Allen-Bradley PLCs for unauthorized access, configuration changes, or connections to known APT infrastructure </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Launch proactive threat hunt on DIB contractor networks for dormant account activation (T1078), web shell persistence (T1505.003), and cloud exfiltration staging (T1567.002) — 41-day detection gap demands immediate action </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Deploy detection rules for Lummastealer C2 communication to Farahoosh Dena ASN 44208 infrastructure </td> </tr> <tr> <td> IMMEDIATE </td> <td> Executive / IR </td> <td> Brief executive leadership and legal counsel on ceasefire expiry timeline (23 April) and the 70% probability of Iranian cyber surge — ensure incident response retainers are active and IR playbooks are current </td> </tr> </tbody> </table> <h3>7-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 7-DAY </td> <td> IT Ops </td> <td> Patch Ivanti EPMM to remediate CVE-2026-1281 and CVE-2026-1340 — three active exploitation campaigns confirmed targeting government and financial services </td> </tr> <tr> <td> 7-DAY </td> <td> IT Ops / OT Security </td> <td> Verify AVEVA Pipeline Simulation and Horner Automation Cscape/XL4/XL7 PLC deployments are fully segmented from internet-facing networks per CISA ICS advisories </td> </tr> <tr> <td> 7-DAY </td> <td> IT Ops </td> <td> Patch or mitigate Cisco SD-WAN CVE-2026-20127 — active exploitation campaign confirmed </td> </tr> <tr> <td> 7-DAY </td> <td> SOC </td> <td> Deploy YARA rules for TRK25-ADVANCED and IOCONTROL malware on OT jump hosts, engineering workstations, and historian servers </td> </tr> <tr> <td> 7-DAY </td> <td> Identity / IAM </td> <td> Enforce phishing-resistant MFA (FIDO2/hardware keys) for all privileged accounts, VPN access, and cloud administration — APT42 credential harvesting surge expected </td> </tr> </tbody> </table> <h3>30-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Commission assessment of Southeast European partner and ally network exposure to Iranian proxy operations — confirmed geographic expansion </td> </tr> <tr> <td> 30-DAY </td> <td> CISO / IR </td> <td> Conduct tabletop exercise simulating Iranian ICS/OT attack on energy or water infrastructure, incorporating TRK25-ADVANCED and ZionSiphon scenarios </td> </tr> <tr> <td> 30-DAY </td> <td> IT Ops / OT Security </td> <td> Implement unidirectional security gateways (data diodes) between IT and OT networks where architecturally feasible </td> </tr> <tr> <td> 30-DAY </td> <td> CTI </td> <td> Establish Telegram channel monitoring for Handala, Cyber Toufan, and Ababil of Minab — 41-day intelligence gap likely caused by shift to encrypted platforms </td> </tr> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Review and update cyber insurance coverage to ensure war exclusion clauses are understood in the context of the current declared armed conflict </td> </tr> </tbody> </table> <h2>The Bottom Line                            </h2> Fifty-one days into this conflict, the pattern is unmistakable: Iran treats cyberspace as a domain where ceasefires do not apply. The current negotiation phase is not a lull — it is a period of active pre-positioning, intelligence collection, and capability deployment designed to ensure Tehran retains leverage regardless of what happens at the negotiating table. The three developments that should drive your next board conversation: <ol> <li>ICS malware is no longer theoretical. TRK25-ADVANCED and ZionSiphon are purpose-built, deployed, and confirmed by the US intelligence community. PLC exploitation is expanding to new vendors. If your organization operates industrial control systems, assume you are a target.</li> <li>The silence is the signal. Forty-one days without a detection on Defense Industrial Base networks, combined with APT42’s anomalous quiet during a negotiation phase where it historically surges, points to dormant access being preserved — not threats that have passed. Hunt now, not after activation.</li> <li>The ceasefire clock is ticking. With expiry on 23 April and negotiations described as “far” from conclusion, the 72-hour window beginning now represents the highest-probability period for an Iranian cyber escalation. Ensure your incident response capability is not just documented but tested and ready.</li> </ol> The organizations that will weather this phase are those that treat the quiet as preparation time — not peace.

FEATURED RESOURCES

April 20, 2026

Anomali Cyber Watch