Iran’s Cyber War Is Accelerating — And the Exploitation Window Just Collapsed to Hours

Anomali Threat Research

Published on

April 10, 2026

Table of Contents

Threat Assessment Level: CRITICAL Nearly six weeks into the Iran–U.S./Israel military conflict, Iranian cyber operations are simultaneously broadening their target set, deepening in sophistication, and accelerating in tempo. A fragile Pakistan-brokered ceasefire announced April 8 has produced zero observable reduction in cyber activity. This week, CISA confirmed active Iranian exploitation of industrial control systems across U.S. critical infrastructure, the IRGC publicly named five major American technology companies as “legitimate targets,” and a critical vulnerability was weaponized in under ten hours — without a proof-of-concept exploit ever being published. If your organization touches energy, government, defense, healthcare, financial services, or aviation, this report demands your attention today. <h2>What Changed This Week            </h2> The threat landscape shifted materially in the past seven days across six dimensions: <ol> <li>CISA confirmed what we feared about ICS/OT. Joint advisory AA26-097A (April 7) validated that IRGC-CEC’s CyberAv3ngers (also tracked as Shahid Kaveh Group) are actively exploiting internet-exposed Rockwell Automation/Allen-Bradley PLCs across U.S. energy, water, and municipal infrastructure. They are persisting via Dropbear SSH implants. CISA warned other OT vendors may also be at risk.</li> <li>Russia is making Iran more dangerous. A Reuters exclusive (April 7) confirmed Russian satellites have conducted dozens of detailed imagery surveys of military facilities and critical sites across the Middle East to help Iran strike U.S. targets. Ukrainian intelligence sources confirmed Russia is also providing direct cyber support. This transforms Iranian targeting from broad and opportunistic to precise and intelligence-driven.</li> <li>The IRGC named names. On April 1, Iran’s Revolutionary Guard publicly declared Nvidia, Apple, Google, Microsoft, and Tesla as “legitimate targets” following drone strikes on AWS data centers in the UAE. This is the first time specific technology companies have been named in an official IRGC targeting declaration.</li> <li>Gulf operations are maturing. Reporting from The National (April 10) confirms Iranian cyberattacks have evolved from disruptive (DDoS, wipers) to complex, persistent operations. Saudi Arabia has experienced the sharpest increase in cyberattacks since the conflict began.</li> <li>The exploitation window collapsed. CVE-2026-39987, a pre-authentication remote code execution flaw in the Marimo Python notebook platform (CVSS 9.3), was exploited in 9 hours and 41 minutes after disclosure — with no PoC available. The attacker built a working exploit directly from the advisory text, harvested credentials and SSH keys, and returned multiple times. This is the new baseline.</li> <li>Credential theft and supply chain vectors are active. Attackers are abusing OAuth authorization flows in Microsoft Azure AD and Google Identity to steal session tokens and bypass MFA entirely. Separately, a confirmed supply chain compromise targeting LiteLLM AI/ML infrastructure is linked to a C2 server at 83.142.209[.]11. These vectors require no malware and leave minimal forensic traces.</li> </ol> <h2>Conflict & Threat Timeline               </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> Feb 28, 2026 </td> <td> Iran–U.S./Israel military conflict begins </td> <td> Kinetic and cyber operations commence simultaneously </td> </tr> <tr> <td> Mar 2026 (ongoing) </td> <td> CyberAv3ngers, Handala, Cyber Toufan hacktivist campaigns escalate </td> <td> Wiper attacks, DDoS, and defacement campaigns against Israeli and allied targets </td> </tr> <tr> <td> Apr 1 </td> <td> IRGC publicly names Nvidia, Apple, Google, Microsoft, Tesla as “legitimate targets” </td> <td> First official declaration expanding targeting to named commercial technology companies </td> </tr> <tr> <td> Apr 2 </td> <td> CSIS publishes analysis of threats to U.S. energy infrastructure </td> <td> Highlights scale, age, and regulatory fragmentation as structural vulnerabilities </td> </tr> <tr> <td> Apr 4 </td> <td> APT42 BELLACIAO/SHELLAFEL campaign updated; Iranian espionage (TWOSTROKE) updated </td> <td> Continued retooling of IRGC-IO espionage platforms </td> </tr> <tr> <td> Apr 7 </td> <td> CISA publishes AA26-097A — Iranian PLC exploitation confirmed </td> <td> Active exploitation of Rockwell Automation PLCs across U.S. critical infrastructure </td> </tr> <tr> <td> Apr 7 </td> <td> Reuters: Russia providing Iran satellite imagery and cyber support </td> <td> Qualitative escalation — Iranian targeting precision increases </td> </tr> <tr> <td> Apr 8 </td> <td> Pakistan-brokered ceasefire announced </td> <td> No observable reduction in Iranian cyber tempo </td> </tr> <tr> <td> Apr 9 </td> <td> Nasir Security (pro-Iranian) confirmed targeting Middle Eastern energy (Saudi Arabia) </td> <td> Spear-phishing and supply chain compromise at HIGH confidence </td> </tr> <tr> <td> Apr 9 </td> <td> MuddyWater/TEMP.Zagros, UNC1549, UNC6729 actor profiles updated </td> <td> Possible retooling or operational preparation </td> </tr> <tr> <td> Apr 10 </td> <td> CVE-2026-39987 exploited in <10 hours without PoC </td> <td> Structural shift in disclosure-to-exploitation timelines </td> </tr> <tr> <td> Apr 10 </td> <td> The National: Iranian attacks shift from disruptive to complex in Gulf states </td> <td> Saudi Arabia hardest hit; evolution toward persistent access operations </td> </tr> </tbody> </table> <h2>Key Threat Analysis                          </h2> <h3>Iranian State Actors: A Two-Headed Apparatus</h3> Iran’s cyber operations are directed by two competing but complementary intelligence organizations, both of which are fully activated: IRGC-affiliated actors: - CyberAv3ngers / Shahid Kaveh Group (IRGC-CEC) — Confirmed active against U.S. PLCs (AA26-097A). Deploying Dropbear SSH for persistence on compromised industrial controllers. - APT42 / CALANQUE (IRGC-IO) — Campaigns updated April 4 (BELLACIAO, SHELLAFEL, TAMECAT tooling). Currently operationally silent — assessed as retooling, not standing down. - HAYWIRE KITTEN / Emennet Pasargad — Information operations and destructive attacks. - BANISHED KITTEN / Cotton Sandstorm (IRGC) — Wiper capability; operationally silent this cycle. - Handala / UNC5203 — Hacktivist proxy with wiper capability; operationally silent this cycle. - UNC1549 / Smoke Sandstorm — Profile updated April 9; aerospace and defense targeting. MOIS-affiliated actors: - MuddyWater / TEMP.Zagros (MOIS) — Profile updated April 9 with no corresponding operational reporting. Possible retooling or improved operational security. - APT34 / OilRig (MOIS) — IOCs collected this cycle include SHA-256 hashes. - UNC5858 / Black Shadow (MOIS) — Profile updated April 7. - Fox Kitten / Lemon Sandstorm (MOIS) — Historically among the fastest to weaponize edge-device CVEs (Ivanti, Citrix, F5). Operationally silent — assessed as pre-positioning. - UNC1860 / Scarred Manticore (MOIS) — Operationally silent. Known for long-dwell persistent access. Critical assessment: The operational silence from APT42, Fox Kitten, UNC1860, Handala, BANISHED KITTEN, and MuddyWater during an active military conflict is not reassuring — it is alarming. These are Iran’s most capable cyber units. Silence during escalation historically precedes major operations, not cessation. <h3>ICS/OT: The Front Line</h3> CISA advisory AA26-097A is the most operationally significant development this cycle. Key details: <ul> <li>Targeted systems: Rockwell Automation CompactLogix and Micro850 PLCs</li> <li>Attack vector: Internet-exposed PLCs exploited directly (T1190)</li> <li>Persistence: Dropbear SSH implants on compromised controllers</li> <li>Impact potential: PLC register manipulation (T1565.002), service disruption (T1489)</li> <li>Scope: U.S. energy, water, and municipal infrastructure — CISA warns other OT vendors may also be at risk</li> </ul> Compounding this, CISA published six additional ICS advisories in a single cycle covering Contemporary Controls BASC 20T, GPL Odorizers GPL750, Yokogawa CENTUM VP, Hitachi Energy Ellipse, Siemens SICAM 8, and Mitsubishi GENESIS64/ICONICS. This volume — during active Iranian ICS targeting — demands immediate triage. Malware families in the Iranian ICS arsenal: IOCONTROL (custom ICS malware), Meteor (wiper), ZeroCleare (wiper), LOGJAM/Nidiran. <h3>The Sub-10-Hour Exploitation Problem</h3> CVE-2026-39987 changes the math on vulnerability management: <ul> <li>Product: Marimo (open-source Python notebook), versions ≤ 0.20.4</li> <li>Severity: CVSS 9.3, pre-authentication RCE</li> <li>Attack vector: Unauthenticated WebSocket connection to /terminal/ws endpoint</li> <li>Time to exploitation: 9 hours 41 minutes from advisory publication — no PoC existed</li> <li>Attacker behavior: Manual reconnaissance, .env file and SSH key harvesting, multiple return visits over 90 minutes</li> </ul> This is not an isolated event. It represents a structural compression of the disclosure-to-exploitation window. Iranian actors — particularly Fox Kitten/Lemon Sandstorm and UNC4444 — have historically been among the fastest to weaponize edge-device CVEs. The Ivanti Connect Secure vulnerabilities (CVE-2025-0282, CVSS 9.0; CVE-2025-22457, CVSS 9.0) remain on CISA’s Known Exploited Vulnerabilities catalog and are confirmed targets of Iranian operations. <h3>Supply Chain and Credential Theft Vectors</h3> Two additional vectors are active: <ul> <li>OAuth authorization flow abuse: Attackers are exploiting Microsoft Azure AD and Google Identity OAuth flows to steal session tokens, bypassing MFA entirely. This leverages existing client IDs, default permissions, and the absence of consent dialogs. No malware required — the attack lives entirely within legitimate authentication infrastructure (T1528, T1550.001).</li> <li>Supply chain compromise: A C2 server at 83.142.209[.]11 (ASN 205759, “Ghosty Networks,” Netherlands, confidence 96) is linked to a LiteLLM supply chain compromise targeting AI/ML infrastructure. DPRK-linked Axios npm supply chain attacks were also updated this cycle.</li> </ul> <h2>Predictive Analysis: What Comes Next</h2> Based on the convergence of intelligence signals, we assess the following probabilities for the next 7–14 days: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Rationale </th> </tr> </thead> <tbody> <tr> <td> Iranian cyber operations against Gulf states continue increasing in sophistication and volume; Saudi Arabia remains primary target </td> <td> >75% (HIGH) </td> <td> Confirmed by multiple sources; operational maturation trend is accelerating, not plateauing </td> </tr> <tr> <td> Named tech companies (Nvidia, Apple, Google, Microsoft, Tesla) experience targeted reconnaissance or initial access attempts </td> <td> 50–75% (MODERATE) </td> <td> IRGC public declarations have historically preceded operational activity within 2–4 weeks </td> </tr> <tr> <td> Russia-Iran cyber cooperation produces operationally significant intelligence sharing, enabling more precise targeting of cloud infrastructure </td> <td> 50–75% (MODERATE) </td> <td> Satellite ISR sharing confirmed; cyber cooperation is the logical next step and may already be occurring </td> </tr> <tr> <td> Additional critical CVEs in edge devices (Ivanti, F5, Cisco) are weaponized within hours of disclosure </td> <td> >75% (HIGH) </td> <td> CVE-2026-39987 establishes the new baseline; Iranian actors are historically fast adopters </td> </tr> <tr> <td> Major ICS/OT disruption event at a U.S. water or energy utility attributed to Iranian actors </td> <td> 25–50% (MODERATE) </td> <td> CISA AA26-097A confirms active exploitation; disruption is a capability choice, not a capability gap </td> </tr> <tr> <td> Ceasefire negotiations produce meaningful de-escalation in cyber operations </td> <td> <25% (LOW) </td> <td> All indicators point to escalation; IRGC posture is offensive; Russian enablement is increasing </td> </tr> <tr> <td> Dormant Iranian actors (APT42, Fox Kitten, UNC1860, Handala) launch coordinated operations </td> <td> 50–75% (MODERATE) </td> <td> Operational silence during active conflict is historically a pre-positioning indicator </td> </tr> </tbody> </table> <h2>SOC Operational Guidance              </h2> <h3>Priority Detection Rules</h3> <ol> <li> ICS/OT Protocol Exposure (IMMEDIATE) - Hunt hypothesis: CyberAv3ngers are scanning for and exploiting internet-exposed PLCs. If your organization runs Rockwell Automation CompactLogix or Micro850 controllers, assume you are being scanned. - ATT&CK: T1190 (Exploit Public-Facing Application), T1071.001 (Application Layer Protocol — Web), T1565.002 (Data Manipulation — Transmitted Data) - Detection: Alert on any inbound connections to EtherNet/IP (TCP/44818) or CIP protocol ports from external IP ranges. Monitor for Dropbear SSH processes on OT network segments. Audit all PLC firmware versions against CISA AA26-097A indicators. - Action: Any internet-exposed PLC is a critical finding. Isolate immediately.</li> <li> Rapid Exploitation of New CVEs (IMMEDIATE) - Hunt hypothesis: Attackers are building exploits from advisory text alone within hours. Any internet-facing application with a newly disclosed critical CVE is a target. - ATT&CK: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1552.001 (Credentials in Files) - Detection: Monitor for WebSocket connections to unexpected endpoints (the CVE-2026-39987 attack used /terminal/ws). Alert on .env file access, SSH key reads, and credential file enumeration on any internet-facing host within 24 hours of a relevant CVE disclosure. - Action: When a CVSS ≥ 9.0 advisory drops for any software in your environment, treat it as a 4-hour response window, not 24 hours.</li> <li> OAuth Token Theft and MFA Bypass (7-DAY) - Hunt hypothesis: Attackers are abusing OAuth authorization flows (device code grant, authorization code grant) to steal session tokens without triggering MFA. - ATT&CK: T1528 (Steal Application Access Token), T1550.001 (Application Access Token), T1078.004 (Cloud Accounts), T1621 (MFA Request Generation) - Detection: Monitor Azure AD and Google Workspace logs for: unusual device code grant requests, OAuth token refreshes from unexpected geolocations, new OAuth application consents from privileged accounts, and client_id values not in your approved application inventory. - Action: Enforce OAuth application whitelisting. Require admin consent for all new OAuth grants. Alert on any device authorization grant flow that was not initiated by IT.</li> <li> Iranian APT Tooling (ONGOING) - Hunt hypothesis: APT34/OilRig, MuddyWater, and APT42 tooling may be present in your environment from pre-conflict positioning. - ATT&CK: T1566.001 (Spearphishing Attachment), T1059.001 (PowerShell), T1078 (Valid Accounts), T1041 (Exfiltration Over C2) - Detection: Hunt for BELLACIAO, SHELLAFEL, TAMECAT, TWOSTROKE, and IOCONTROL malware family signatures. Monitor for Mimikatz execution (the hacktool.mimikatz indicator was flagged in this cycle’s collection). - Action: Any match on APT34 hashes should be treated as a confirmed intrusion and escalated to incident response immediately.</li> <li> Supply Chain and C2 Infrastructure (7-DAY) - Hunt hypothesis: The LiteLLM supply chain compromise and DPRK npm attacks target AI/ML and developer infrastructure. - ATT&CK: T1195.001 (Supply Chain Compromise — Compromise Software Dependencies), T1071.001 (Web Protocols for C2) - Detection: Block 83.142.209[.]11 at your network perimeter. Audit all LiteLLM deployments for compromise indicators. Review npm dependency trees for unexpected Axios package modifications. Monitor CI/CD pipeline logs for unauthorized modifications. - Action: Pin all software dependencies to verified commit SHAs. Audit AI/ML infrastructure for unauthorized outbound connections.</li> </ol> <h3>MITRE ATT&CK Techniques — Priority Monitoring Matrix</h3> <table> <thead> <tr> <th> Technique ID </th> <th> Technique Name </th> <th> Iranian Actor Association </th> <th> Priority </th> </tr> </thead> <tbody> <tr> <td> T1190 </td> <td> Exploit Public-Facing Application </td> <td> CyberAv3ngers, Fox Kitten, UNC4444 </td> <td> CRITICAL </td> </tr> <tr> <td> T1565.002 </td> <td> Data Manipulation: Transmitted Data </td> <td> CyberAv3ngers (PLC registers) </td> <td> CRITICAL </td> </tr> <tr> <td> T1528 </td> <td> Steal Application Access Token </td> <td> APT42, unattributed OAuth campaigns </td> <td> HIGH </td> </tr> <tr> <td> T1566.001 </td> <td> Spearphishing Attachment </td> <td> APT34, MuddyWater, Nasir Security </td> <td> HIGH </td> </tr> <tr> <td> T1078 </td> <td> Valid Accounts </td> <td> Multiple Iranian actors (credential reuse) </td> <td> HIGH </td> </tr> <tr> <td> T1059.001 </td> <td> PowerShell </td> <td> MuddyWater, APT34 </td> <td> HIGH </td> </tr> <tr> <td> T1552.001 </td> <td> Credentials in Files </td> <td> Unattributed (CVE-2026-39987 pattern) </td> <td> HIGH </td> </tr> <tr> <td> T1489 </td> <td> Service Stop </td> <td> CyberAv3ngers (ICS disruption) </td> <td> HIGH </td> </tr> <tr> <td> T1486 </td> <td> Data Encrypted for Impact </td> <td> BANISHED KITTEN, Cyber Toufan (wipers) </td> <td> MODERATE </td> </tr> <tr> <td> T1498 </td> <td> Network Denial of Service </td> <td> Hacktivist proxies (Handala, Cyber Toufan) </td> <td> MODERATE </td> </tr> </tbody> </table> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> Iranian actors have historically targeted SWIFT-connected institutions and payment processors in the Gulf. The shift from disruptive to complex operations (The National, April 10) means financial institutions should expect credential-based persistent access attempts rather than DDoS. <ul> <li>Priority: Audit all OAuth application grants in Azure AD and Google Workspace — OAuth token theft bypasses MFA and provides persistent access to email, SharePoint, and financial applications.</li> <li>Priority: Review third-party API integrations with Gulf-region partners. Supply chain compromise through regional banking partners is a viable vector for APT34/OilRig.</li> <li>Priority: Ensure SWIFT Alliance Lite2 and payment gateway infrastructure is segmented from general corporate networks. Monitor for lateral movement from corporate IT into payment zones.</li> </ul> <h3>Energy</h3> This sector is the primary target. CISA AA26-097A directly addresses energy infrastructure. The CSIS analysis (April 2) highlights that U.S. energy infrastructure’s scale, age, and regulatory fragmentation create structural vulnerabilities. <ul> <li>IMMEDIATE: Conduct an emergency audit of all internet-exposed Rockwell Automation/Allen-Bradley PLCs. Any exposure is a critical finding — CyberAv3ngers are actively exploiting these systems.</li> <li>IMMEDIATE: Verify network segmentation between IT and OT environments. Ensure no EtherNet/IP (TCP/44818) or CIP traffic traverses the IT/OT boundary without explicit firewall rules.</li> <li>7-DAY: Triage the six new CISA ICS advisories (Contemporary Controls BASC 20T, GPL Odorizers GPL750, Yokogawa CENTUM VP, Hitachi Energy Ellipse, Siemens SICAM 8, Mitsubishi GENESIS64/ICONICS) against your deployed asset inventory.</li> <li>30-DAY: Engage an ICS-specialized red team to validate OT network segmentation and PLC access controls. The IOCONTROL malware family is purpose-built for industrial environments.</li> </ul> <h3>Healthcare</h3> Healthcare organizations are collateral targets — Iranian actors have deployed wipers (Meteor, ZeroCleare) against infrastructure without regard for downstream impact. The shift to complex operations increases the risk of ransomware-style attacks against hospital systems. <ul> <li>Priority: Ensure medical device networks (infusion pumps, imaging systems, building management) are segmented from clinical and administrative networks. Many medical devices run embedded PLCs vulnerable to the same attack patterns described in AA26-097A.</li> <li>Priority: Patch Ivanti Connect Secure to 22.7R2.6+ immediately. Healthcare VPN infrastructure is a known target for Fox Kitten/Lemon Sandstorm.</li> <li>Priority: Review and restrict OAuth application permissions in Microsoft 365 environments. Healthcare organizations frequently have overly permissive OAuth configurations due to EHR integrations.</li> </ul> <h3>Government</h3> Government agencies — federal, state, and municipal — are directly in the crosshairs. CISA AA26-097A specifically names municipal infrastructure. The IRGC’s targeting declaration against tech companies extends to government cloud infrastructure hosted on those platforms. <ul> <li>IMMEDIATE: Municipal water and wastewater utilities must audit PLC exposure per AA26-097A. CyberAv3ngers have previously targeted water treatment facilities.</li> <li>7-DAY: Federal agencies should review .gov domain OAuth configurations and enforce application whitelisting for all Azure AD and Google Workspace tenants.</li> <li>7-DAY: Implement enhanced monitoring for spearphishing campaigns impersonating government contractors. APT42 and MuddyWater both target government personnel through credential phishing.</li> <li>30-DAY: Conduct a tabletop exercise simulating a coordinated Iranian cyber-kinetic attack on municipal infrastructure (water, power, transportation) informed by the AA26-097A TTPs.</li> </ul> <h3>Aviation & Logistics</h3> UNC1549/Smoke Sandstorm specifically targets aerospace and defense. The Russia-Iran satellite imagery sharing makes targeting of aviation infrastructure more precise. Logistics networks supporting military operations in the Middle East are high-value targets. <ul> <li>Priority: Review VPN and remote access infrastructure for all aviation maintenance and logistics systems. Fox Kitten has historically exploited Ivanti, Citrix, and F5 appliances to gain initial access to aerospace networks.</li> <li>Priority: Audit contractor and third-party VPN access. Iranian actors frequently target defense industrial base contractors as a stepping stone to primary targets.</li> <li>Priority: Monitor for reconnaissance against flight management systems, cargo tracking platforms, and airport operational technology. UNC1549’s profile was updated April 9, suggesting active operational preparation.</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>IMMEDIATE (Within 24 Hours)</h3> <table> <thead> <tr> <th> Action </th> <th> Responsible Team </th> </tr> </thead> <tbody> <tr> <td> Verify all Rockwell Automation/Allen-Bradley PLCs are not internet-exposed. Implement network segmentation per CISA AA26-097A. Audit firewall rules for any EtherNet/IP or CIP protocol exposure. </td> <td> IT Ops / OT Security </td> </tr> <tr> <td> Block C2 IP 83.142.209[.]11 at network perimeter (all protocols). Hunt for historical connections in proxy and firewall logs. </td> <td> SOC </td> </tr> <tr> <td> Scan for Marimo deployments across data science/AI infrastructure. Block WebSocket connections to /terminal/ws on any internet-facing instance. Patch to v0.23.0+. (CVE-2026-39987, CVSS 9.3) </td> <td> IT Ops / DevOps </td> </tr> <tr> <td> Add brand impersonation and infrastructure targeting detection for Nvidia, Apple, Google, Microsoft, and Tesla to SIEM correlation rules — IRGC has declared these legitimate targets. </td> <td> SOC </td> </tr> </tbody> </table> <h3>7-DAY</h3> <table> <thead> <tr> <th> Action </th> <th> Responsible Team </th> </tr> </thead> <tbody> <tr> <td> Confirm Ivanti Connect Secure is patched to 22.7R2.6+ (CVE-2025-22457, CVSS 9.0) and 22.7R2.5+ (CVE-2025-0282, CVSS 9.0). Both are CISA KEV-listed and confirmed Iranian actor targets. </td> <td> IT Ops </td> </tr> <tr> <td> Deploy OAuth authorization flow anomaly detection: monitor for device code grant abuse, unusual client_id reuse, and token refresh from unexpected geolocations in Azure AD and Google Workspace. </td> <td> SOC / Identity Team </td> </tr> <tr> <td> Triage six new CISA ICS advisories (BASC 20T, GPL750, Yokogawa CENTUM VP, Hitachi Energy Ellipse, Siemens SICAM 8, Mitsubishi GENESIS64/ICONICS) against deployed OT asset inventory. </td> <td> OT Security </td> </tr> <tr> <td> Audit all npm dependencies and CI/CD pipelines for unauthorized modifications. Pin dependencies to verified commit SHAs. Review LiteLLM deployments for compromise. </td> <td> DevOps / AppSec </td> </tr> <tr> <td> Brief executive leadership on IRGC targeting declarations and the Russia-Iran ISR cooperation. Ensure crisis communication plans account for a named-company targeting scenario. </td> <td> CISO / Executive Team </td> </tr> </tbody> </table> <h3>30-DAY</h3> <table> <thead> <tr> <th> Action </th> <th> Responsible Team </th> </tr> </thead> <tbody> <tr> <td> Commission a threat hunt focused on defense industrial base and tech company pre-positioning. Iranian actors may be establishing dormant access during the conflict for future activation. Focus on dormant accounts, unusual GitHub activity, and contractor VPN access patterns. </td> <td> CISO / Threat Hunting </td> </tr> <tr> <td> Conduct a tabletop exercise simulating coordinated Iranian cyber-kinetic attack on critical infrastructure, incorporating AA26-097A TTPs, satellite-enabled targeting, and sub-10-hour exploitation timelines. </td> <td> CISO / IR Team </td> </tr> <tr> <td> Evaluate and implement a “FLASH” patching tier — a 4-hour response window for CVSS ≥ 9.0 vulnerabilities in internet-facing applications where the advisory provides sufficient technical detail for exploit construction. The 24-hour window is no longer sufficient. </td> <td> IT Ops / Vulnerability Management </td> </tr> <tr> <td> Review and update incident response playbooks for Iranian APT intrusions. Ensure playbooks cover ICS/OT scenarios, wiper deployment, OAuth token compromise, and supply chain attacks. </td> <td> IR Team </td> </tr> <tr> <td> Engage an ICS-specialized red team to validate OT network segmentation, PLC access controls, and detection coverage for IOCONTROL malware patterns. </td> <td> CISO / OT Security </td> </tr> </tbody> </table> <h2>The Bottom Line                           </h2> We are nearly six weeks into a military conflict with a nation-state that has invested two decades in offensive cyber capability. Every signal in this intelligence cycle points in the same direction: escalation. <ul> <li>Iranian operations are broadening — from critical infrastructure to named technology companies.</li> <li>They are deepening — from hacktivist disruption to sophisticated persistent access.</li> <li>They are accelerating — exploitation windows have compressed from days to hours.</li> <li>They are being enabled — Russia is providing satellite imagery and cyber support that makes Iranian targeting more precise.</li> <li>There are no de-escalation signals — the April 8 ceasefire has produced zero reduction in cyber tempo.</li> </ul> The operational silence from Iran’s most capable units — APT42, Fox Kitten, UNC1860, MuddyWater, BANISHED KITTEN, and Handala — during an active military escalation is not a sign of restraint. It is a sign of preparation. The organizations that will weather this period are the ones acting now: segmenting OT networks, patching edge devices within hours (not days), hunting for pre-positioned access, and preparing their executive teams and incident responders for scenarios that were theoretical six weeks ago and are operational today. The clock is running. The exploitation window is measured in hours. Act accordingly. Anomali CTI DeskIntelligence sources: CISA, SecurityWeek, Reuters, CNBC, Tokenist, The National, CSIS, Straits Times, Sysdig, Netskope, Anomali ThreatStream Next-Gen

FEATURED RESOURCES

April 10, 2026

Anomali Cyber Watch