Iran's Cyber War Didn't Stop When the Ceasefire Started — And the Next 72 Hours Are Critical

Anomali Threat Research

Published on

April 21, 2026

Table of Contents

Threat Assessment Level: CRITICAL Maintained from prior cycle. While the executive flash rates operational tempo as HIGH, the combination of active PLC exploitation across US critical infrastructure, confirmed MOIS multi-persona operations, and the approaching ceasefire expiry on April 23 with no cyber provisions warrants a CRITICAL strategic assessment for defensive planning purposes. Fifty-two days into the US-Iran conflict that began on February 28, 2026, a Trump-brokered ceasefire is holding — but it explicitly excludes cyber operations. That single omission has created a permissive environment in which Iranian state-sponsored actors continue to target US critical infrastructure, conduct espionage against government networks, and manipulate industrial control systems — all while diplomats negotiate at the table. Today's intelligence paints a picture that every CISO overseeing critical infrastructure, defense industrial base, or government networks needs to internalize: the ceasefire is a kinetic pause, not a cyber one. Iranian actors are refreshing command-and-control infrastructure, expanding PLC exploitation to new vendors, and maintaining the full spectrum of their offensive capability. And with the ceasefire set to expire on April 23 — two days from now — the window for defensive preparation is closing. This is not theoretical. CISA Advisory AA26-097A confirms active manipulation of Rockwell Automation/Allen-Bradley PLCs in US water, energy, and government facilities. This has moved beyond reconnaissance into active process interference. <h2>What Changed: Key Developments (April 15–21, 2026)</h2> The past week has produced seven significant intelligence developments that collectively raise the threat posture: <table> <thead> <tr> <th> Date </th> <th> Development </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> April 21 </td> <td> DomainTools/Cryptika confirms Homeland Justice, Karma, and Handala are a single MOIS operation ("Void Manticore") </td> <td> Three previously separate hacktivist personas collapsed into one state-directed actor; DOJ seized four domains in March </td> </tr> <tr> <td> April 21 </td> <td> Iran claims US exploited Cisco/Juniper/Fortinet/MikroTik firmware backdoors during strikes; China amplifies narrative </td> <td> Information warfare operation; unverifiable due to 52-day Iranian internet blackout, but firmware integrity audits are prudent </td> </tr> <tr> <td> April 17 </td> <td> CISA/FBI/NSA Advisory AA26-097A confirms Iranian exploitation of Rockwell/Allen-Bradley PLCs across US critical infrastructure </td> <td> Active process interference in water, energy, and government — not just reconnaissance </td> </tr> <tr> <td> April 15 </td> <td> Pro-Iran group claims 24-hour DDoS against Bluesky social media platform </td> <td> Hacktivist operations targeting Western platforms continue through ceasefire </td> </tr> <tr> <td> April 7 </td> <td> Reuters confirms Russia providing satellite ISR and cyber support to Iran; APT28 infrastructure observed on Iranian ASN 213790 </td> <td> Russia-Iran operational cooperation has expanded beyond shared hosting into active military-intelligence support </td> </tr> <tr> <td> Ongoing (52 days) </td> <td> APT33/Peach Sandstorm has produced no confirmed activity against defense industrial base targets since conflict began </td> <td> 52-day silence from Iran's primary DIB-targeting group during active armed conflict is anomalous — pre-positioned dormant access is the leading assessment </td> </tr> </tbody> </table> What hasn't changed — and why that matters: Iran's confirmed wiper arsenal (BiBiWiper, ZeroShred, GoneXML, Meteor, ZeroCleare) remains undeployed against Western targets. This deliberate restraint during ceasefire is assessed as calculated escalation management. If the ceasefire collapses on April 23, wiper deployment against critical infrastructure is the highest-probability immediate Iranian cyber response — estimated within 24–48 hours of breakdown. <h2>Conflict and Threat Timeline               </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> </tr> </thead> <tbody> <tr> <td> Feb 28, 2026 </td> <td> US-Iran armed conflict begins ("Operation Epic Fury") </td> </tr> <tr> <td> Early Mar 2026 </td> <td> Iran's internet disconnected from global internet (blackout ongoing — now 52 days) </td> </tr> <tr> <td> Mar 2026 </td> <td> DOJ seizes four MOIS domains: Handala-Hack[.]to, Karmabelow80[.]org, Justicehomeland[.]org, Handala-Redwanted[.]to </td> </tr> <tr> <td> Mar 7, 2026 </td> <td> MuddyWater C2 domain serialmenot[.]com registered </td> </tr> <tr> <td> Apr 7, 2026 </td> <td> Reuters reports Russia providing satellite ISR and cyber support to Iran for strike targeting </td> </tr> <tr> <td> Apr 9, 2026 </td> <td> MOIS-directed "Ababil of Minab" claims admin access to LA Metro VMware vCenter (~1,421 VMs) and train control systems </td> </tr> <tr> <td> Apr 15, 2026 </td> <td> Pro-Iran group conducts 24-hour DDoS against Bluesky </td> </tr> <tr> <td> Apr 17, 2026 </td> <td> CISA Advisory AA26-097A: Iranian actors actively exploiting Rockwell/Allen-Bradley PLCs in US water, energy, government </td> </tr> <tr> <td> Apr 17, 2026 </td> <td> CISA/FBI/NSA confirm deployment of ICS malware TRK25-ADVANCED against US water PLCs; ZionSiphon targeting Israeli desalination </td> </tr> <tr> <td> Apr 20, 2026 </td> <td> Multi-vertical Iranian espionage campaign confirmed active across 17 countries </td> </tr> <tr> <td> Apr 21, 2026 </td> <td> MuddyWater DinDoor/DinoDance C2 infrastructure refreshed; Void Manticore persona unification confirmed </td> </tr> <tr> <td> Apr 23, 2026 </td> <td> Ceasefire expiry date — no cyber provisions included </td> </tr> </tbody> </table> <h2>The Iranian Cyber Order of Battle: Who's Doing What</h2> Understanding the threat requires understanding the organizational structure behind it. Iran's cyber operations run through two parallel command hierarchies, each with distinct missions and actor groups. <h3>IRGC-Controlled Operations (Kinetic-Adjacent, ICS/OT Focus)</h3> CyberAv3ngers — The IRGC's primary ICS/OT attack group. Confirmed in CISA AA26-097A as actively exploiting Rockwell Automation/Allen-Bradley PLCs across US water, energy, and government sectors. Deployed the purpose-built ICS malware IOCONTROL and TRK25-ADVANCED against programmable logic controllers. Their operations have escalated from defacement and reconnaissance to active process interference — manipulating HMI/SCADA data and extracting PLC project files. APT33 / Refined Kitten / Peach Sandstorm — IRGC-affiliated group and the primary Defense Industrial Base (DIB) threat actor. Named in AA26-097A for PLC exploitation activity. Critical concern: APT33 has been silent for 52 days against DIB targets despite active conflict — this absence is anomalous and may indicate pre-positioned dormant access awaiting activation. UNC1549 / Imperial Kitten — IRGC-linked group focused on aerospace and defense targeting in the Middle East. Part of the broader IRGC operational umbrella. APT42 / Charming Kitten (IRGC Intelligence Organization) — Credential harvesting and surveillance operations targeting journalists, activists, and policy officials. Operates under IRGC-IO rather than the IRGC Cyber-Electronic Command. <h3>MOIS-Directed Operations (Espionage, Wipers, Information Operations)</h3> MuddyWater / UNC5667 / Static Kitten — Iran's most prolific espionage group, confirmed active today with fresh DinDoor/DinoDance backdoor infrastructure. Uses the Deno JavaScript runtime for execution and Microsoft Teams for social engineering. Named in CISA AA26-097A alongside CyberAv3ngers for PLC exploitation — demonstrating MOIS-IRGC operational convergence on ICS targets. OilRig / APT34 / Helix Kitten — Long-running MOIS espionage operation targeting government, energy, and telecommunications. Named in AA26-097A for PLC exploitation activity. UNC1860 — MOIS access broker providing initial footholds to other Iranian groups. Pioneer Kitten / UNC757 — Known for exploiting VPN appliances and selling access. Tradecraft includes Farsi-named webshells and artifacts. Void Manticore / MOIST GRASSHOPPER (Handala = Karma = Homeland Justice) — Newly confirmed as a single MOIS-directed operation. Previously tracked as three separate hacktivist personas. Possesses confirmed wiper capability and deploys Rhadamanthys infostealer via phishing campaigns impersonating F5 updates. Initial access via Microsoft SharePoint exploitation. DOJ seized four of their domains in March 2026. <h3>External Enablers</h3> Russia-Iran Cyber Cooperation — Reuters confirmed (April 7) that Russia is providing satellite ISR imagery and cyber support to Iran. APT28 (Russian GRU) infrastructure has been observed operating from Iranian ASN 213790. This cooperation has expanded beyond shared hosting into active military-intelligence support for Iranian targeting. <h2>Active Malware and Tooling</h2> <table> <thead> <tr> <th> Malware / Tool </th> <th> Attribution </th> <th> Function </th> <th> Current Status </th> </tr> </thead> <tbody> <tr> <td> IOCONTROL </td> <td> CyberAv3ngers (IRGC) </td> <td> Purpose-built ICS/OT weapon targeting PLCs </td> <td> Legacy samples circulating; no new variants detected — actors may be shifting to native PLC exploitation </td> </tr> <tr> <td> TRK25-ADVANCED </td> <td> CyberAv3ngers (IRGC) </td> <td> ICS malware targeting US water utility PLCs </td> <td> Confirmed deployed per CISA/FBI/NSA (April 17) </td> </tr> <tr> <td> ZionSiphon </td> <td> Iran-affiliated </td> <td> Targeting Israeli desalination infrastructure </td> <td> Confirmed deployed per CISA/FBI/NSA (April 17) </td> </tr> <tr> <td> DinDoor / DinoDance </td> <td> MuddyWater (MOIS) </td> <td> Backdoor using Deno JavaScript runtime </td> <td> Active — fresh C2 infrastructure registered April 21 </td> </tr> <tr> <td> Rhadamanthys </td> <td> Void Manticore (MOIS) </td> <td> Commercial infostealer (darknet-sourced) </td> <td> Deployed via phishing impersonating F5 updates </td> </tr> <tr> <td> BiBiWiper / ZeroShred / GoneXML / Meteor / ZeroCleare </td> <td> Multiple Iranian actors </td> <td> Destructive wipers </td> <td> Not deployed against Western targets — assessed as held in reserve </td> </tr> </tbody> </table> <h2>Critical Vulnerabilities Under Active Exploitation</h2> CISA Advisory AA26-097A identifies exploitation of architectural exposure rather than specific zero-day CVEs — Iranian actors are targeting internet-exposed Rockwell Automation/Allen-Bradley PLCs via industrial protocols: <table> <thead> <tr> <th> Protocol / Port </th> <th> Service </th> <th> Exploitation Context </th> </tr> </thead> <tbody> <tr> <td> Port 44818 </td> <td> EtherNet/IP (CIP) </td> <td> Primary Rockwell PLC communication — unauthorized read/write of PLC logic </td> </tr> <tr> <td> Port 2222 </td> <td> Rockwell proprietary </td> <td> PLC project file extraction </td> </tr> <tr> <td> Port 102 </td> <td> S7comm (Siemens) </td> <td> Cross-vendor ICS targeting </td> </tr> <tr> <td> Port 502 </td> <td> Modbus </td> <td> HMI/SCADA data manipulation </td> </tr> </tbody> </table> Additionally, Void Manticore's initial access leverages Microsoft SharePoint exploitation (T1190), and CISA issued advisories during this period covering AVEVA Pipeline Simulation, Horner Cscape/XL PLC software, and Delta ASDA-Soft — all relevant to OT environments under Iranian targeting. Organizations running any Rockwell Automation/Allen-Bradley PLCs with internet-facing configurations should treat this as an active compromise scenario, not a theoretical risk. <h2>Predictive Analysis: What Comes Next</h2> Based on current intelligence, operational patterns, and the approaching ceasefire expiry on April 23: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> MuddyWater DinDoor phishing campaign against government/energy targets </td> <td> 70% </td> <td> 72 hours </td> <td> Fresh C2 domain registration pattern matches prior campaign cadence </td> </tr> <tr> <td> Additional pro-Iran hacktivist DDoS against Western platforms </td> <td> 60% </td> <td> 72 hours </td> <td> Bluesky precedent + ceasefire tension escalation </td> </tr> <tr> <td> New CISA ICS advisory referencing Iranian PLC activity </td> <td> 40% </td> <td> 7 days </td> <td> Advisory cadence suggests follow-up to AA26-097A </td> </tr> <tr> <td> Ceasefire collapse triggers wiper deployment against critical infrastructure </td> <td> 15% </td> <td> 24–48 hours post-collapse </td> <td> Low probability but catastrophic impact — Iran possesses confirmed capability and has historically deployed wipers (Albania 2022, Israel 2023–2024) </td> </tr> <tr> <td> APT33 dormant DIB access activates for data exfiltration or disruption </td> <td> 25% </td> <td> Upon ceasefire collapse or escalation </td> <td> 52-day silence is anomalous; pre-positioning is consistent with APT33 tradecraft </td> </tr> </tbody> </table> The single most important signal in this assessment is what we are NOT seeing. Iran's wiper arsenal remains sheathed. This restraint is deliberate and condition-dependent. The ceasefire expiry on April 23 is the most likely trigger for escalation. Every organization in the blast radius should be operating under the assumption that the restraint may end in 48 hours. <h2>SOC Operational Guidance              </h2> <h3>Immediate Detection Priorities</h3> <ol> <li> MuddyWater DinDoor/DinoDance Activity</li> </ol> <ul> <li>Hunt Hypothesis: Adversary is using Microsoft Teams external messages to deliver lures leading to DinDoor backdoor download from freshly registered domains.</li> <li>ATT&CK Techniques to Monitor:</li> </ul> <ul> <li>T1566.001 (Spearphishing Attachment) — Watch for Teams messages from external tenants containing links or file attachments</li> <li>T1059.007 (JavaScript/Deno Runtime Execution) — Alert on deno.exe or Deno runtime processes spawning on endpoints</li> <li>T1055 (Process Injection) — Monitor for in-memory execution patterns following Deno process launch</li> </ul> <ul> <li>Detection Logic: Create correlation rules for: Teams external message received → file download from uncategorized domain → Deno/Node.js process execution within 15 minutes</li> </ul> <ol start="2"> <li> ICS/OT PLC Exploitation (Per CISA AA26-097A)</li> </ol> <ul> <li>Hunt Hypothesis: Iranian actors are scanning for and connecting to internet-exposed Rockwell/Allen-Bradley PLCs to manipulate process logic and extract project files.</li> <li>ATT&CK Techniques to Monitor:</li> </ul> <ul> <li>T1190 (Exploit Public-Facing Application) — Monitor for unauthorized connections to PLCs from external IPs</li> <li>T1565.002 (Transmitted Data Manipulation) — Alert on unexpected changes to HMI/SCADA display values</li> <li>T1005 (Data from Local System) — Monitor for PLC project file access/download outside maintenance windows</li> <li>T1498/T1499 (Network/Endpoint DoS) — Watch for PLC availability degradation</li> </ul> <ul> <li>Network Monitoring: Deploy packet capture or IDS rules on ports 44818, 2222, 102, and 502. Any external IP connecting to these ports is a critical alert.</li> <li>Baseline Comparison: Compare current PLC logic against known-good backups. Any unauthorized modification is a confirmed compromise indicator.</li> </ul> <ol start="3"> <li> Void Manticore / MOIS Persona Operations</li> </ol> <ul> <li>Hunt Hypothesis: Despite DOJ domain seizures, the Void Manticore operation will pivot to new infrastructure. Watch for Rhadamanthys infostealer delivery via phishing impersonating F5 or other security vendor updates.</li> <li>ATT&CK Techniques to Monitor:</li> </ul> <ul> <li>T1190 (SharePoint Exploitation) — Audit SharePoint instances for exploitation attempts and unauthorized access</li> <li>T1566.001 (Spearphishing) — Monitor for emails impersonating F5 Networks, Fortinet, or other security vendors with executable attachments</li> <li>T1485 (Data Destruction) — Pre-position wiper detection: alert on mass file deletion, MBR/VBR modification, or volume shadow copy deletion (vssadmin delete shadows)</li> <li>T1583.001 (Domain Acquisition) — Monitor certificate transparency logs for new domains mimicking seized infrastructure patterns</li> </ul> <ul> <li>Blocking Actions: Block the following seized domains (and monitor for DNS resolution attempts, which indicate compromised endpoints trying to phone home):</li> </ul> <ul> <li>Handala-Hack[.]to</li> <li>Karmabelow80[.]org</li> <li>Justicehomeland[.]org</li> <li>Handala-Redwanted[.]to</li> </ul> <ol start="4"> <li> Wiper Readiness Posture</li> </ol> <ul> <li>Hunt Hypothesis: If ceasefire collapses, Iranian actors will deploy destructive wipers within 24–48 hours against pre-positioned footholds.</li> <li>Pre-Incident Detection:</li> </ul> <ul> <li>T1486 (Data Encrypted for Impact) — Ensure ransomware/wiper canary files are deployed across critical file shares</li> <li>T1529 (System Shutdown/Reboot) — Alert on unexpected mass reboots across infrastructure</li> <li>T1542.001 (System Firmware Modification) — Monitor for BIOS/UEFI integrity changes</li> </ul> <ul> <li>Preparation: Verify offline backup integrity today. Confirm backup restoration procedures are tested and documented. Ensure incident response retainer is active and provider is briefed on Iranian wiper TTPs.</li> </ul> <ol start="5"> <li> Russia-Iran Infrastructure Overlap</li> </ol> <ul> <li>Hunt Hypothesis: Russian APT infrastructure operating from Iranian ASN space may be used for reconnaissance or access operations against Western targets.</li> <li>IOC to Monitor:172.94.9[.]253 (APT28-tagged, Iranian ASN 213790) — monitor for any connections to/from this IP in network telemetry</li> </ul> <h3>Hunting Queries to Deploy This Week</h3> <table> <thead> <tr> <th> Hunt </th> <th> Data Source </th> <th> What to Look For </th> </tr> </thead> <tbody> <tr> <td> Deno runtime execution </td> <td> EDR / process telemetry </td> <td> deno.exe, deno process, or Deno-related command-line arguments on any endpoint </td> </tr> <tr> <td> Teams external lure delivery </td> <td> M365 audit logs </td> <td> External tenant messages containing URLs to uncategorized or newly registered domains </td> </tr> <tr> <td> PLC unauthorized access </td> <td> OT network monitoring / firewall logs </td> <td> Any external IP connecting to ports 44818, 2222, 102, 502 </td> </tr> <tr> <td> Webshell persistence (DIB hunt) </td> <td> Web server logs, file integrity monitoring </td> <td> ASPXSPY, ANTAK, TUNNA, CHOPPER, REGEORG webshells; files with Farsi names (kharpedar, nanash, arbab) </td> </tr> <tr> <td> Rhadamanthys infostealer </td> <td> EDR / sandbox </td> <td> Rhadamanthys behavioral signatures; phishing attachments impersonating F5 updates </td> </tr> <tr> <td> Wiper precursors </td> <td> EDR / Windows event logs </td> <td> vssadmin delete shadows, mass file rename/overwrite, MBR write attempts, bcdedit modifications </td> </tr> </tbody> </table> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> Iranian actors have historically targeted financial institutions for both espionage and disruption (the 2012–2013 Operation Ababil DDoS campaign against US banks set the precedent). In the current conflict: <ul> <li>Primary threat: MuddyWater espionage via Teams social engineering and DinDoor backdoor. Financial sector employees are high-value targets for credential harvesting.</li> <li>Secondary threat: Pro-Iran hacktivist DDoS against customer-facing platforms (following the Bluesky pattern).</li> <li>Actions:</li> </ul> <ul> <li>Restrict Microsoft Teams external federation to approved partner tenants only</li> <li>Ensure DDoS mitigation services are active and tested for customer-facing web applications and APIs</li> <li>Monitor for Rhadamanthys infostealer indicators — financial credentials are a primary target for commercial infostealers</li> <li>Review SWIFT and core banking system access logs for anomalous authentication patterns</li> </ul> <h3>Energy</h3> Energy is the highest-risk sector in this threat environment. Iranian actors are actively exploiting PLCs in energy facilities per CISA AA26-097A. <ul> <li>Primary threat: CyberAv3ngers and affiliated actors exploiting Rockwell/Allen-Bradley PLCs — active process interference, not theoretical.</li> <li>Secondary threat: MuddyWater/APT34 espionage targeting energy sector networks for intelligence collection and potential pre-positioning.</li> <li>Actions:</li> </ul> <ul> <li>Immediately audit all PLCs for internet exposure and remove any direct internet-facing configurations</li> <li>Deploy monitoring on ports 44818, 2222, 102, 502 at OT network boundaries</li> <li>Verify OT/IT network segmentation — the current Iranian campaign exploits architectural exposure, not zero-days. Segmentation is the primary mitigation</li> <li>Compare PLC logic against known-good baselines; any deviation is a compromise indicator</li> <li>Ensure Safety Instrumented Systems (SIS) are independent of compromised PLC networks</li> <li>Pre-position incident response for OT environments — general IT IR teams may lack ICS expertise</li> </ul> <h3>Healthcare</h3> Healthcare organizations face collateral risk from both targeted espionage and wiper deployment: <ul> <li>Primary threat: Void Manticore (Handala/Karma/Homeland Justice) has deployed wipers against civilian infrastructure historically. Healthcare is a high-impact target if escalation occurs.</li> <li>Secondary threat: Rhadamanthys infostealer targeting healthcare credentials and patient data.</li> <li>Actions:</li> </ul> <ul> <li>Verify offline backup integrity for electronic health record (EHR) systems today</li> <li>Ensure wiper detection canaries are deployed on critical file shares</li> <li>Patch Microsoft SharePoint instances — Void Manticore uses SharePoint exploitation for initial access</li> <li>Review and restrict administrative access to medical device networks</li> <li>Activate or confirm incident response retainer with a provider experienced in healthcare environments</li> </ul> <h3>Government</h3> Government networks are the primary target for Iranian espionage operations and the most likely target for retaliatory cyber operations if the ceasefire collapses: <ul> <li>Primary threat: MuddyWater DinDoor/DinoDance espionage via Teams social engineering — government employees are the highest-priority targets.</li> <li>Secondary threat: APT42/Charming Kitten credential harvesting targeting policy officials and diplomats involved in ceasefire negotiations.</li> <li>Tertiary threat: Wiper deployment against government systems upon ceasefire collapse.</li> <li>Actions:</li> </ul> <ul> <li>Deploy Microsoft Teams external message monitoring and restrict external federation</li> <li>Block DinDoor C2 domains at all network egress points</li> <li>Conduct proactive threat hunt for Iranian webshell persistence (ASPXSPY, ANTAK, TUNNA, CHOPPER, REGEORG)</li> <li>Brief personnel involved in Iran policy/negotiations on APT42 credential harvesting TTPs</li> <li>Ensure continuity of operations (COOP) plans account for destructive cyberattack scenario</li> </ul> <h3>Aviation and Logistics</h3> The defense industrial base and aviation/logistics sectors face a unique risk profile — the 52-day intelligence gap on APT33/Peach Sandstorm activity: <ul> <li>Primary threat: APT33/Refined Kitten is the primary DIB-targeting actor and has been silent for 52 days despite active conflict. This absence is assessed as potentially indicating pre-positioned dormant access rather than operational pause.</li> <li>Secondary threat: UNC1549/Imperial Kitten targeting aerospace and defense in the Middle East.</li> <li>Actions:</li> </ul> <ul> <li>Immediately initiate threat hunt for APT33 indicators: dormant webshells, Farsi-named artifacts, unauthorized VPN access, anomalous service accounts</li> <li>Audit all internet-facing VPN appliances and remote access infrastructure — Pioneer Kitten/UNC757 specializes in VPN exploitation and access brokering</li> <li>Review supply chain access: audit contractor VPN accounts, third-party remote access sessions, and privileged access from external entities</li> <li>Monitor for data staging and exfiltration indicators — APT33's historical objective is intellectual property theft from aerospace and defense contractors</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>IMMEDIATE (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> IT Ops / OT </td> <td> Audit ALL Rockwell Automation/Allen-Bradley PLCs for internet exposure. Monitor ports 44818, 2222, 102, 502 for unauthorized connections. Remove any PLC with direct internet-facing configuration per CISA AA26-097A </td> </tr> <tr> <td> 2 </td> <td> SOC </td> <td> Block seized MOIS domains: Handala-Hack[.]to, Karmabelow80[.]org, Justicehomeland[.]org, Handala-Redwanted[.]to. Monitor for DNS resolution attempts (indicates compromised endpoint) </td> </tr> <tr> <td> 3 </td> <td> SOC </td> <td> Monitor for APT28-tagged IP 172.94.9[.]253 in all network telemetry </td> </tr> <tr> <td> 4 </td> <td> IT Ops </td> <td> Verify offline backup integrity for all critical systems. Confirm restoration procedures are tested. This is wiper preparedness — not routine maintenance </td> </tr> <tr> <td> 5 </td> <td> CISO / IR </td> <td> Confirm incident response retainer is active and provider is briefed on Iranian wiper TTPs (BiBiWiper, ZeroShred, GoneXML behavioral patterns) </td> </tr> </tbody> </table> <h3>7-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC / M365 Admin </td> <td> Deploy Microsoft Teams external message monitoring rules. Detect MuddyWater social engineering via Teams — DinDoor/DinoDance delivery uses Teams as initial lure vector. Consider restricting external federation to approved tenants </td> </tr> <tr> <td> 2 </td> <td> IT Ops / Network </td> <td> Audit Cisco, Juniper, Fortinet, MikroTik firmware versions across all network infrastructure. Verify firmware integrity against vendor-published hashes. Iranian backdoor claims are unverified but firmware hygiene is prudent </td> </tr> <tr> <td> 3 </td> <td> CTI / Hunt Team </td> <td> Execute proactive threat hunt for APT33/Peach Sandstorm in DIB and aerospace networks. Focus on dormant webshells (ASPXSPY, ANTAK, TUNNA, CHOPPER, REGEORG) and Farsi-named artifacts. 52 days of silence during active conflict is anomalous </td> </tr> <tr> <td> 4 </td> <td> SOC </td> <td> Deploy Deno runtime detection across all endpoints — alert on any deno.exe or Deno-related process execution </td> </tr> <tr> <td> 5 </td> <td> IT Ops </td> <td> Patch all Microsoft SharePoint instances — Void Manticore uses SharePoint exploitation for initial access </td> </tr> </tbody> </table> <h3>30-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> CISO / OT Engineering </td> <td> Commission assessment of OT network segmentation posture across all facilities with Rockwell/Allen-Bradley PLCs. Current Iranian campaign exploits architectural exposure, not zero-days — segmentation is the primary strategic mitigation </td> </tr> <tr> <td> 2 </td> <td> CISO / Executive </td> <td> Conduct tabletop exercise simulating ceasefire collapse + coordinated Iranian wiper deployment against IT and OT environments simultaneously. Test COOP activation, backup restoration, OT manual override procedures </td> </tr> <tr> <td> 3 </td> <td> CISO / Legal </td> <td> Review cyber insurance policy coverage for state-sponsored destructive attacks. Confirm "act of war" exclusion language and whether current conflict triggers exclusions </td> </tr> <tr> <td> 4 </td> <td> CTI </td> <td> Develop collection plan for monitoring Iran's "Internet Pro" / White SIM selective access architecture — identify observable traffic patterns that could reveal Iranian APT C2 maintaining connectivity during the ongoing internet blackout </td> </tr> <tr> <td> 5 </td> <td> CISO / Supply Chain </td> <td> Audit all npm/Node.js dependencies in production applications following CISA advisory on Axios supply chain compromise. Pin critical dependencies to verified commit SHAs </td> </tr> </tbody> </table> <h2>The Bottom Line                            </h2> Two days from now, the ceasefire expires. Cyber was never included in it. Iran's two cyber commands — IRGC and MOIS — are operating at full tempo. MuddyWater registered fresh C2 infrastructure today. CyberAv3ngers are actively manipulating PLCs in US water and energy facilities right now. The MOIS operation behind Handala, Karma, and Homeland Justice has been unmasked as a single coordinated actor with confirmed wiper capability that it is choosing — for the moment — not to use. That restraint is the most important signal in this entire assessment. Iran possesses the capability to deploy destructive wipers against critical infrastructure. It has done so before — against Albania in 2022, against Israel in 2023 and 2024. The decision not to deploy wipers during the ceasefire is a calculated choice, not a capability gap. And calculated choices can be reversed in hours. The 52-day silence from APT33 against defense industrial base targets is the second most important signal. During an active armed conflict, the absence of visible activity from Iran's primary DIB-targeting group is not reassuring — it is alarming. Pre-positioned access is invisible until it activates. The ceasefire bought time. Use it.

FEATURED RESOURCES

April 21, 2026

Anomali Cyber Watch