Iran's Cyber War Enters a Dangerous New Phase: What CISOs Must Do Now

Anomali Threat Research

Published on

March 18, 2026

Table of Contents

<h2> Executive Summary </h2> The targeted killing of a senior Iranian cyber command figure on 14 March 2026 — part of the broader Operation Epic Fury / Roaring Lion campaign that began 28 February 2026 — has created a dangerous inflection point in Iran's offensive cyber posture. Anomali CTI assesses with high confidence that Iranian state-sponsored and state-aligned threat actors will accelerate retaliatory cyber operations against Western critical infrastructure, allied government networks, and Israeli-linked commercial entities within a 48–72 hour window following leadership disruption events. Defenders should treat the period through late March 2026 as elevated-risk. This post synthesizes intelligence collected through 17 March 2026 and provides actionable guidance for SOC teams, threat hunters, and security leadership. <h2> What Changed — Material Developments Since Last Report </h2> <ul> <li>Cyber Command Decapitation Effect: The 14 March 2026 strike that killed a senior IRGC Cyber Electronic Command (IRGC-CEC) official has disrupted HYDRO KITTEN's operational coordination. Historical precedent (post-Soleimani, 2020) indicates a 72-hour window of disorganized but high-tempo retaliatory cyber activity before reconstitution. Pre-positioned implants may be triggered by surviving operators acting without central authorization.</li> <li>EU Sanctions Escalation: On 11 March 2026, the EU designated four additional Iranian cyber entities, freezing assets and triggering retaliatory hacktivist mobilization. Anomali observed a significant spike in Iranian-aligned hacktivist channel activity within 24 hours of the announcement, with multiple groups pledging coordinated defacement and DDoS campaigns against EU financial and government infrastructure.</li> <li>Storm-2561 VPN Exploitation Campaign: Beginning approximately 7 March 2026, Microsoft Threat Intelligence (MSTIC) tracked Storm-2561 — assessed as an IRGC-affiliated contractor cluster — conducting mass exploitation of unpatched SSL-VPN appliances (Fortinet CVE-2024-21762, Ivanti CVE-2025-0282) against defense-industrial base and logistics targets across the US, UK, Germany, and the Netherlands.</li> <li>MuddyWater (MOIS) Phishing Surge: Iran's Ministry of Intelligence and Security (MOIS)-affiliated MuddyWater has dramatically increased spear-phishing tempo since 1 March 2026, deploying updated DINDOOR implants against government ministries and think tanks across the UK, France, and Israel. This represents a MOIS-directed intelligence collection priority shift aligned with wartime requirements.</li> <li>Hacktivist Swarm Activation: The Handala collective and affiliated groups have claimed responsibility for multiple disruptive operations since 28 February 2026, including data leak publications, website defacements, and sustained DDoS against Israeli and allied targets. Handala's claimed breach of a Tel Aviv logistics firm on 12 March 2026 is under verification.</li> </ul> <h2> Conflict Timeline: Operation Epic Fury / Roaring Lion </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Cyber Relevance </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> Operation Epic Fury / Roaring Lion initiated </td> <td> Conflict start; immediate hacktivist mobilization observed </td> </tr> <tr> <td> 01 Mar 2026 </td> <td> MuddyWater (MOIS) phishing campaign surge begins </td> <td> DINDOOR implant variants deployed against UK, French, Israeli government targets </td> </tr> <tr> <td> 02 Mar 2026 </td> <td> Handala collective claims first post-conflict operation </td> <td> DDoS against Israeli financial sector; unverified data leak claim </td> </tr> <tr> <td> 04 Mar 2026 </td> <td> CyberAv3ngers posts targeting list for ICS/SCADA assets </td> <td> IOCONTROL malware references in associated Telegram channels </td> </tr> <tr> <td> 06 Mar 2026 </td> <td> UNC5866 / Emennet Pasargad influence operation detected </td> <td> Coordinated inauthentic behavior campaign targeting EU audiences </td> </tr> <tr> <td> 07 Mar 2026 </td> <td> Storm-2561 VPN exploitation campaign begins </td> <td> Mass scanning of Fortinet/Ivanti appliances; CVE-2024-21762 and CVE-2025-0282 exploited </td> </tr> <tr> <td> 09 Mar 2026 </td> <td> EU preliminary sanctions discussions leaked </td> <td> Hacktivist channel activity spike; multiple groups pledge coordinated response </td> </tr> <tr> <td> 11 Mar 2026 </td> <td> EU formally designates four Iranian cyber entities </td> <td> Hacktivist mobilization confirmed; DDoS targeting EU banking sector begins </td> </tr> <tr> <td> 12 Mar 2026 </td> <td> Handala claims breach of Tel Aviv logistics firm </td> <td> Wiper malware variant referenced; breach under verification </td> </tr> <tr> <td> 13 Mar 2026 </td> <td> IRGC-CEC (HYDRO KITTEN) C2 infrastructure partially disrupted </td> <td> Anomali observes C2 beacon gaps consistent with infrastructure takedown </td> </tr> <tr> <td> 14 Mar 2026 </td> <td> Senior IRGC-CEC official killed in targeted strike </td> <td> High-confidence assessment: decentralized retaliation operations imminent </td> </tr> <tr> <td> 15–17 Mar 2026 </td> <td> Elevated scanning and credential-stuffing activity across Western financial and energy sectors </td> <td> Storm-2561 activity continues </td> </tr> </tbody> </table> <h2> Threat Analysis </h2> <h3> 1. HYDRO KITTEN (IRGC-CEC) — Disrupted but Dangerous </h3> Attribution: IRGC Cyber Electronic Command (IRGC-CEC) Current Status: Partially disrupted; reconstitution expected within 5–10 days HYDRO KITTEN is the IRGC's primary offensive cyber unit, responsible for intrusion operations against critical infrastructure, defense networks, and government targets across the Middle East, Europe, and North America. The 14 March 2026 leadership strike and associated C2 infrastructure disruption observed on 13 March 2026 have degraded — but not eliminated — operational capability. Key Assessment: A degraded adversary with pre-positioned access is more dangerous than a coordinated one. HYDRO KITTEN operators with existing footholds in target networks may execute destructive payloads or exfiltration operations without waiting for central authorization, driven by standing orders or individual initiative. Anomali assesses with moderate-to-high confidence (65–75%) that at least one pre-positioned HYDRO KITTEN implant will be activated against a Western critical infrastructure target before 25 March 2026. TTPs: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1486 (Data Encrypted for Impact), T1561 (Disk Wipe), T1071.001 (Web Protocols for C2). <h3> 2. MuddyWater (MOIS) — Wartime Intelligence Collection Surge </h3> Attribution: Iranian Ministry of Intelligence and Security (MOIS) Current Status: Highly active; elevated operational tempo since 1 March 2026 MuddyWater, affiliated with Iran's Ministry of Intelligence and Security (MOIS) — not the IRGC — has pivoted to aggressive wartime intelligence collection targeting government policy networks, defense think tanks, and diplomatic communications. The group's updated DINDOOR implant, first observed in this campaign on 1 March 2026, features improved anti-analysis capabilities and uses legitimate Microsoft Graph API calls for C2 communication, complicating detection. Key Assessment: MuddyWater's current campaign reflects MOIS wartime intelligence requirements: understanding Western policy responses, identifying potential mediators, and mapping sanctions enforcement networks. This is a collection operation, not a destructive one — but DINDOOR implants provide persistent access that could be repurposed. Malware Families: DINDOOR (updated variant), BugSleep. TTPs: T1566.001 (Spearphishing Attachment), T1059.005 (Visual Basic), T1071.001 (Web Protocols), T1102 (Web Service — Graph API C2), T1027 (Obfuscated Files). Targeting: UK Foreign Office contractors, French Ministry of Armed Forces vendors, Israeli academic institutions, EU policy think tanks. <h3> 3. BANISHED KITTEN / Cotton Sandstorm (IRGC) — Influence and Disruption </h3> Attribution: Islamic Revolutionary Guard Corps (IRGC) Current Status: Active; coordinating with hacktivist proxies BANISHED KITTEN (also tracked as Cotton Sandstorm) operates under IRGC direction and specializes in influence operations combined with disruptive cyber activity. Since 28 February 2026, the group has amplified hacktivist messaging, provided technical infrastructure to affiliated groups, and conducted its own defacement and data leak operations against Israeli and allied targets. TTPs: T1583 (Acquire Infrastructure), T1491 (Defacement), T1059 (Command and Scripting Interpreter), T1585 (Establish Accounts — sockpuppet networks). <h3> 4. APT42 / Charming Kitten (IRGC-IO) — Credential Harvesting at Scale </h3> Attribution: IRGC Intelligence Organization (IRGC-IO) Current Status: Active; credential harvesting campaign ongoing APT42, affiliated with the IRGC Intelligence Organization (IRGC-IO), has maintained a persistent credential harvesting campaign targeting journalists, academics, policy researchers, and dual-national individuals with connections to Iran. Since the conflict began, APT42 has expanded targeting to include family members of Iranian diaspora figures perceived as supporting the conflict, as well as Western government officials involved in Iran policy. TTPs: T1566.002 (Spearphishing Link), T1539 (Steal Web Session Cookie), T1598 (Phishing for Information), T1056.003 (Web Portal Capture). <h3> 5. UNC5866 / Emennet Pasargad — Influence Operations </h3> Attribution: IRGC-affiliated contractor Current Status: Active influence operation UNC5866, overlapping with the Emennet Pasargad contractor network, has been running a coordinated inauthentic behavior campaign since approximately 6 March 2026 to amplify anti-Western narratives, fabricate quotes attributed to Western officials, and seed disinformation about civilian casualties across EU social media platforms. <h3> 6. CyberAv3ngers — ICS/SCADA Threat </h3> Attribution: IRGC-affiliated hacktivist persona Current Status: Active; targeting list published 4 March 2026 CyberAv3ngers posted a targeting list on 4 March 2026 referencing ICS/SCADA assets across water treatment, energy distribution, and manufacturing sectors. The group's use of IOCONTROL malware — capable of targeting a wide range of OT/ICS platforms — represents a credible threat to operational technology environments. Anomali assesses with moderate confidence (50–60%) that at least one claimed CyberAv3ngers ICS intrusion will be verified before end of March 2026. Malware Families: IOCONTROL (ICS/OT-targeting malware). TTPs: T0821 (Modify Controller Tasking), T0565 (Transmitted Data Manipulation), T1489 (Service Stop). <h3> 7. Iranian Hacktivist Swarm </h3> The following groups have pledged or conducted operations since 28 February 2026 in support of Iranian interests: Handala, Cyber Toufan, Soldiers of Solomon, CyberAv3ngers, and several additional Telegram-based collectives. Many of these groups share infrastructure, amplify each other's claims, and may represent overlapping or coordinated personas rather than independent entities. Primary Methods: DDoS, website defacement, data leak publications (often exaggerated or fabricated), Telegram-based psychological operations. Assessment: The majority of these groups lack sophisticated capabilities but generate significant noise that can mask more capable state-sponsored operations running concurrently. SOC teams should not allow hacktivist DDoS response to consume resources needed for APT hunting. <h2> Predictive Analysis — Probability Estimates </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> </tr> </thead> <tbody> <tr> <td> Handala or affiliated group conducts high-profile data leak against Israeli or allied target </td> <td> 65–75% </td> <td> Next 7 days </td> </tr> <tr> <td> Pre-positioned HYDRO KITTEN (IRGC-CEC) implant activated against Western critical infrastructure </td> <td> 55–65% </td> <td> Next 10 days </td> </tr> <tr> <td> Storm-2561 VPN campaign pivots from access establishment to destructive payload deployment </td> <td> 45–55% </td> <td> Next 14 days </td> </tr> <tr> <td> MuddyWater (MOIS) DINDOOR implant repurposed for destructive operation </td> <td> 25–35% </td> <td> Next 30 days </td> </tr> <tr> <td> Kinetic strike against data center or cyber infrastructure node </td> <td> 15–25% </td> <td> Next 30 days </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Hunting Hypotheses </h3> Hypothesis 1: Cloud Storage C2 Staging Technique: T1102 (Web Service), T1105 (Ingress Tool Transfer) Hunt: Search for processes making outbound connections to OneDrive or Dropbox APIs from non-browser, non-Office processes. Correlate with new executable drops in %TEMP% or %APPDATA% within 60 seconds of the cloud API call. HYDRO KITTEN (IRGC-CEC) has been observed using cloud storage services for C2 and payload staging. Hypothesis 2: DINDOOR C2 via Microsoft Graph API Technique: T1102.002 (Bidirectional Communication via Web Service) Hunt: Baseline legitimate Graph API usage in your environment. Alert on Graph API calls (graph.microsoft.com) from processes other than known Office/Teams/OneDrive executables. MuddyWater (MOIS) DINDOOR variants use Graph API mailbox folders as covert C2 channels — look for unusual Read/Write operations on shared mailboxes or calendar items from non-standard processes. Hypothesis 3: Storm-2561 VPN Post-Exploitation Lateral Movement Technique: T1078 (Valid Accounts), T1021.001 (Remote Desktop Protocol), T1550.002 (Pass the Hash) Hunt: Following VPN appliance compromise, Storm-2561 has been observed using harvested VPN credentials to authenticate to internal RDP endpoints within 2–6 hours. Hunt for RDP authentications from VPN-assigned IP ranges to internal servers outside business hours, particularly targeting domain controllers and file servers. Hypothesis 4: Wiper Pre-Deployment Reconnaissance Technique: T1083 (File and Directory Discovery), T1135 (Network Share Discovery), T1057 (Process Discovery) Hunt: Iranian wiper variants conduct rapid pre-deployment enumeration. Alert on cmd.exe or PowerShell executing net share, net view, and tasklist in rapid succession (within 30 seconds) from a non-administrative user context. This pattern has been associated with IRGC-CEC pre-wiper staging. Hypothesis 5: IOCONTROL OT Reconnaissance Technique: T1046 (Network Service Discovery), T1040 (Network Sniffing) Hunt: In OT/ICS environments, alert on IT-side hosts initiating Modbus (TCP/502), DNP3 (TCP/20000), or IEC 61850 (TCP/102) connections to OT network segments. CyberAv3ngers' IOCONTROL malware initiates OT protocol scanning from compromised IT hosts as a precursor to controller manipulation. <h3> IOC Note </h3> IOCs associated with Storm-2561, MuddyWater, and HYDRO KITTEN campaigns referenced in this report are available through Anomali ThreatStream and partner feeds. Organizations should pull the latest indicator sets from their threat intelligence platform and cross-reference with CISA advisories and MSTIC publications for the most current and verified indicators. Do not rely on static IOC lists — these campaigns are actively rotating infrastructure. <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Threat Level: CRITICAL Primary threats: Handala DDoS and data leak operations; Storm-2561 credential harvesting targeting SWIFT operator workstations; APT42 (IRGC-IO) credential phishing against executive and compliance personnel. <ul> <li>Activate DDoS mitigation runbooks; pre-position scrubbing capacity with upstream providers</li> <li>Audit VPN and remote access appliance patch status — CVE-2024-21762 and CVE-2025-0282 are being actively exploited</li> <li>Implement step-up authentication for all SWIFT operator sessions</li> <li>Brief fraud and compliance teams on APT42 (IRGC-IO) executive impersonation tactics</li> <li>Review correspondent banking relationships for Iran-adjacent exposure that may attract targeting</li> </ul> <h3> Energy / Utilities </h3> Threat Level: CRITICAL Primary threats: CyberAv3ngers IOCONTROL targeting ICS/SCADA; HYDRO KITTEN (IRGC-CEC) pre-positioned implants potentially targeting grid management systems; hacktivist DDoS against customer-facing portals. <ul> <li>Immediately audit IT/OT network segmentation — verify no unauthorized bridging</li> <li>Hunt for IOCONTROL indicators on historian servers and engineering workstations</li> <li>Implement emergency change freeze on ICS/SCADA systems until threat level decreases</li> <li>Coordinate with E-ISAC and ICS-CERT on shared threat intelligence</li> <li>Verify offline backups of all ICS configuration files are current and accessible</li> </ul> <h3> Healthcare </h3> Threat Level: HIGH Primary threats: Wiper deployment via HYDRO KITTEN (IRGC-CEC) pre-positioned access; ransomware-adjacent disruption by hacktivist groups; MuddyWater (MOIS) targeting of health ministry contractors. <ul> <li>Verify backup integrity and test restoration procedures for EHR systems</li> <li>Implement network segmentation between clinical and administrative networks if not already in place</li> <li>Coordinate with HHS/HC3 for sector-specific threat intelligence sharing</li> </ul> <h3> Government / Defense Industrial Base </h3> Threat Level: CRITICAL Primary threats: MuddyWater (MOIS) DINDOOR spear-phishing targeting cleared personnel; Storm-2561 VPN exploitation targeting contractor remote access; APT42 (IRGC-IO) credential harvesting against policy and acquisition personnel; HYDRO KITTEN (IRGC-CEC) targeting of defense networks. <ul> <li>Issue immediate advisory to cleared personnel regarding MuddyWater (MOIS) spear-phishing themes (conflict-related policy documents, sanctions analysis lures)</li> <li>Audit all VPN and remote access solutions for CVE-2024-21762 and CVE-2025-0282 patch status</li> <li>Hunt for DINDOOR Graph API C2 indicators across email and endpoint telemetry</li> <li>Coordinate with CISA and sector ISAC for classified threat briefings</li> <li>Review and tighten data loss prevention policies for sensitive program information</li> </ul> <h3> Aviation / Logistics </h3> Threat Level: HIGH Primary threats: Storm-2561 targeting logistics networks for supply chain intelligence; Handala claimed breach of logistics firm (12 March 2026, under verification); BANISHED KITTEN (IRGC) / Cotton Sandstorm influence operations targeting aviation safety narratives. <ul> <li>Audit partner and vendor network access — Storm-2561 has used supply chain access as initial vector</li> <li>Verify integrity of flight operations and logistics management systems</li> <li>Coordinate with CISA and TSA on aviation-specific threat intelligence</li> <li>Monitor for disinformation targeting aviation safety to preempt public confidence impacts</li> </ul> <h2> Recommendations </h2> <h3> Immediate (Next 24 Hours) </h3> <ol> <li>[CISO/SOC Director] Elevate SOC to heightened monitoring posture; extend analyst coverage hours through at least 25 March 2026 given HYDRO KITTEN (IRGC-CEC) reconstitution timeline.</li> <li>[Vulnerability Management] Emergency patch audit for CVE-2024-21762 (Fortinet SSL-VPN) and CVE-2025-0282 (Ivanti Connect Secure) — Storm-2561 is actively exploiting both. If patching cannot be completed within 24 hours, implement compensating controls (disable affected features, restrict access to trusted IPs).</li> <li>[SOC] Pull the latest Storm-2561 IOCs from Anomali ThreatStream and MSTIC advisories into SIEM, EDR, and network blocking lists. Prioritize high-confidence C2 infrastructure indicators.</li> <li>[Threat Hunting] Initiate Hunting Hypothesis 1 (cloud storage C2 staging) and Hypothesis 3 (Storm-2561 VPN lateral movement) immediately — these represent the highest-probability active threat vectors as of 17 March 2026.</li> <li>[OT/ICS Security] If you operate ICS/SCADA environments, immediately verify IT/OT segmentation and hunt for IOCONTROL indicators. CyberAv3ngers' 4 March 2026 targeting list should be reviewed against your asset inventory.</li> <li>[Communications] Brief executive leadership and board-level risk committee on elevated threat posture. Prepare holding statements for potential incident disclosure scenarios.</li> <li>[IR Retainer] Contact your incident response retainer provider to confirm availability and pre-position response resources given sector-wide elevated risk.</li> </ol> <h3> Seven Days (By 25 March 2026) </h3> <ol> <li>[Threat Hunting] Complete all five hunting hypotheses from this report across full environment. Document and escalate any findings immediately.</li> <li>[Identity & Access] Audit all privileged accounts for signs of compromise consistent with APT42 (IRGC-IO) credential harvesting. Enforce phishing-resistant MFA (FIDO2/hardware token) for all privileged access.</li> <li>[Network Security] Implement or verify egress filtering to block outbound connections to cloud storage services (OneDrive, Dropbox) from non-standard processes — key HYDRO KITTEN (IRGC-CEC) C2 evasion technique.</li> <li>[Email Security] Update email security gateway rules to flag or quarantine messages with conflict-related lure themes (Iran sanctions, Operation Epic Fury policy documents, ceasefire negotiations) — primary MuddyWater (MOIS) phishing pretexts.</li> <li>[Backup & Recovery] Verify and test backup integrity for all Tier 1 systems. Ensure at least one backup copy is offline and air-gapped. Iranian wiper variants are known to target backup infrastructure.</li> <li>[ISAC Coordination] Submit any observed IOCs or TTPs to your sector ISAC for community benefit. Request any classified or TLP:AMBER threat briefings available for your sector.</li> </ol> <h3> Thirty Days (By 17 April 2026) </h3> <ol> <li>[Architecture] Conduct a formal review of remote access architecture. Evaluate migration from legacy SSL-VPN to Zero Trust Network Access (ZTNA) solutions — Storm-2561's sustained VPN exploitation campaign demonstrates the strategic risk of VPN-dependent architectures.</li> <li>[Tabletop Exercise] Conduct a wiper malware tabletop exercise. Validate incident response, business continuity, and communications playbooks against an Iranian destructive attack scenario.</li> <li>[OT Security Program] If not already in place, initiate an OT/ICS asset inventory and network visibility program. CyberAv3ngers' IOCONTROL capability requires OT-specific detection tooling.</li> <li>[Threat Intelligence Program] Evaluate whether current threat intelligence subscriptions provide adequate coverage of Iranian state-sponsored actors. Consider adding ISAC membership, government threat sharing programs (CISA AIS, UK NCSC), and commercial Iranian APT-focused feeds.</li> <li>[Supply Chain Risk] Conduct a third-party risk review focused on vendors with access to your network. Storm-2561 has demonstrated supply chain pivot capability — your vendors' VPN security posture is your risk.</li> </ol> <h2> Bottom Line                                                        </h2> Two and a half weeks into Operation Epic Fury / Roaring Lion, Iran's cyber apparatus is operating under unprecedented stress — leadership disrupted, infrastructure partially degraded, and international isolation deepening. But this is precisely when the threat is most acute. A degraded adversary with pre-positioned access is more dangerous than a coordinated one. HYDRO KITTEN (IRGC-CEC) operators with existing footholds in Western networks may act on standing orders or individual initiative, without the operational discipline that central coordination provides. MuddyWater (MOIS) continues its intelligence collection mission with wartime urgency. Storm-2561 has established access in dozens of VPN-dependent organizations and has not yet deployed its most destructive capabilities. The hacktivist swarm provides cover and noise. The organizations that will weather this period are those that act now — patching aggressively, hunting proactively, and treating the next 72 hours as the highest-risk window of this conflict to date. The organizations that will face the worst outcomes are those waiting for a confirmed incident before mobilizing.

FEATURED RESOURCES

March 18, 2026

Anomali Cyber Watch