<p> <strong> Threat Assessment Level: HIGH </strong>
</p>
<p> Sixty days into the U.S.–Iran conflict, a dangerous pattern has crystallized: Iran’s cyber operations are escalating <em> in spite of </em> active diplomacy, not because of its failure. On the same day Iran’s foreign minister proposed reopening the Strait of Hormuz, the MOIS-linked group Handala published the personal information of 2,379 U.S. Marines stationed in Bahrain on Telegram — after first threatening them via WhatsApp with drone and missile strikes.
</p>
<p> This is not background noise. This is a qualitative escalation: from hitting corporate networks and government agencies to directly targeting individual deployed service members by name, on their personal devices, through channels that bypass every enterprise security control you’ve built.
</p>
<p> If your organization touches critical infrastructure, defense, aviation, energy, or government services, this report is your operational briefing.
</p>
<h2> <strong> What Changed </strong>
</h2>
<p> The past 72 hours introduced several developments that shift the threat calculus:
</p>
<ul> <li> <strong> Handala doxxed 2,379 U.S. Marines in Bahrain </strong> via Telegram after conducting a WhatsApp-based intimidation campaign — the first confirmed Iranian IO operation targeting individual deployed military personnel by name. </li> <li> <strong> The MOIS “access-broker → destructor” model was publicly confirmed </strong> by SOCRadar: Handala receives initial network access from more sophisticated upstream Iranian actors, then executes destruction. This means the wiper deployment is the <em> last </em> phase — the intrusion happened weeks or months earlier. </li> <li> <strong> CISA added two new KEVs on April 28 </strong> , following the April 24 addition of <strong> CVE-2024-7399 </strong> (Samsung MagicINFO 9 Server, CVSS 8.8) — now confirmed actively exploited in the wild against digital signage systems in airports and transit facilities. </li> <li> <strong> A comprehensive aviation/aerospace threat bulletin </strong> named <strong> Refined Kitten (APT33) </strong> as conducting persistent aerospace espionage, while <strong> Qilin </strong> ransomware hit Tulsa International Airport in January 2026 and European airports were disrupted in early April. </li> <li> <strong> Iran-themed Mirai botnet samples </strong> were collected from an active C2 server, targeting IoT devices across multiple architectures. </li> <li> <strong> CISA published MAR AR26-113A </strong> confirming the <strong> FIRESTARTER </strong> firmware-persistent backdoor on Cisco ASA/FTD devices in a federal civilian agency — a threat that survives standard patching and requires full device reimaging to remediate. </li> <li> <strong> APT28 (Russian GRU) infrastructure convergence confirmed </strong> : three C2 IPs on Iranian ASN 213790 were identified April 24–26, indicating Russian-Iranian cyber cooperation is moving from diplomatic alignment to operational coordination. 
</li> <li> <strong> Diplomatic-cyber decoupling confirmed </strong> : Despite Iran’s Hormuz reopening proposal and FM Araghchi’s meeting with Putin, zero indicators of cyber de-escalation were observed. Cyber operations and diplomacy are running on separate tracks. </li>
</ul>
<h2> <strong> Conflict & Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> Date </p> </th> <th> <p> Event </p> </th> </tr> </thead>
<tbody>
<tr> <td> <p> <strong> Jan 17–20, 2026 </strong> </p> </td> <td> <p> Qilin ransomware hits Tulsa International Airport — data theft + leak site publication </p> </td> </tr>
<tr> <td> <p> <strong> Feb 28, 2026 </strong> </p> </td> <td> <p> Operation Epic Fury launched; U.S.–Iran conflict begins </p> </td> </tr>
<tr> <td> <p> <strong> Early Mar 2026 </strong> </p> </td> <td> <p> Strait of Hormuz effectively closed; Cyber Av3ngers hit ICS/OT targets </p> </td> </tr>
<tr> <td> <p> <strong> Mar 11, 2026 </strong> </p> </td> <td> <p> Handala/Void Manticore executes largest destructive op — 200,000 Stryker endpoints wiped via compromised Intune admin credentials </p> </td> </tr>
<tr> <td> <p> <strong> Apr 4–6, 2026 </strong> </p> </td> <td> <p> Wave of European airport IT disruptions; attribution pending </p> </td> </tr>
<tr> <td> <p> <strong> ~Apr 7, 2026 </strong> </p> </td> <td> <p> CISA/FBI/NSA issue joint advisories warning of Iranian exploitation of U.S. critical infrastructure (water, energy) </p> </td> </tr>
<tr> <td> <p> <strong> ~Apr 16, 2026 </strong> </p> </td> <td> <p> Kinetic ceasefire declared; cyber operations continue unabated </p> </td> </tr>
<tr> <td> <p> <strong> Apr 23, 2026 </strong> </p> </td> <td> <p> CISA publishes MAR AR26-113A: FIRESTARTER firmware-persistent backdoor on Cisco ASA/FTD confirmed in federal civilian agency </p> </td> </tr>
<tr> <td> <p> <strong> Apr 24, 2026 </strong> </p> </td> <td> <p> CISA adds CVE-2024-7399 (Samsung MagicINFO) to KEV catalog; Arctic Wolf confirms active exploitation </p> </td> </tr>
<tr> <td> <p> <strong> Apr 24–26, 2026 </strong> </p> </td> <td> <p> APT28 (Russian GRU) infrastructure convergence confirmed — three C2 IPs on Iranian ASN 213790, indicating Russian-Iranian cyber cooperation </p> </td> </tr>
<tr> <td> <p> <strong> Apr 27, 2026 </strong> </p> </td> <td> <p> Iran FM Araghchi meets Putin in St. Petersburg; Iran proposes Hormuz reopening </p> </td> </tr>
<tr> <td> <p> <strong> Apr 28, 2026 </strong> </p> </td> <td> <p> WSJ reports Iran-linked hackers targeting U.S. troops; CISA adds two new KEVs; aviation/aerospace threat bulletin published </p> </td> </tr>
<tr> <td> <p> <strong> Apr 29, 2026 </strong> </p> </td> <td> <p> Handala publishes PII of 2,379 USMC members on Telegram </p> </td> </tr>
</tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. Handala / Void Manticore — From Wipers to Psychological Operations </strong>
</h3>
<p> Handala (also tracked as Void Manticore, HomeLand Justice, Red Sandstorm, Storm-0842, and UNC5203) has emerged as the most operationally aggressive Iranian cyber actor of this conflict. The group is <strong> MOIS-linked </strong> — confirmed by the U.S. government in March 2026 — which places it under Iran’s intelligence apparatus rather than the IRGC military structure.
</p>
<p> <strong> What makes Handala dangerous is not just its destructive capability, but its operational model. </strong> SOCRadar’s analysis states explicitly: <em> “The group operates inside a larger Iranian intelligence structure, gets initial network access handed to it by more sophisticated actors.” </em> This means Handala is the destructor at the end of a kill chain that begins with Iran’s most capable intrusion teams — likely <strong> UNC1860 (Scarred Manticore) </strong> , <strong> APT34 (OilRig) </strong> , or similar MOIS-directed actors.
</p>
<p> <strong> Confirmed Handala arsenal: </strong> BiBi Wiper, CoolWipe, ChillWipe, Hamsa, Hatef — all destructive tools. The group uses Telegram Bot API for command and control.
</p>
<p> <strong> The Bahrain escalation matters because: </strong>
</p>
<ul> <li> It demonstrates that MOIS has acquired or compiled PII databases on U.S. military personnel. </li> <li> WhatsApp delivery to personal phones bypasses military email security gateways and enterprise MDM controls entirely; none of the classified-network (SIPR) protections apply to these devices. </li> <li> The Stryker precedent (200,000 systems wiped via Intune) shows that Handala follows IO threats with destructive action. </li> <li> The $10M reward for information on Handala (following the claimed FBI Director Gmail hack) signals the U.S. government’s assessment of the group’s severity. </li>
</ul>
</p>
<h3> <strong> 2. The MOIS Access-Broker Model — Detect Upstream, Not at Detonation </strong>
</h3>
<p> The most strategically significant intelligence from this cycle is the public confirmation of Iran’s <strong> access-broker → destructor handoff model </strong> . It resembles the handoff pattern attributed to Russia’s services, where Sandworm (GRU) is assessed to receive access obtained by SVR/FSB operations, and it has profound defensive implications:
</p>
</p>
<p> <strong> By the time you detect Handala’s wipers, you’ve already lost. </strong> The initial access — credential theft, VPN exploitation, cloud identity compromise — was performed weeks or months earlier by a different, quieter actor. Your detection strategy must focus on the upstream indicators:
</p>
<ul> <li> <strong> UNC1860 / Scarred Manticore </strong> — MOIS’s primary access-broker, known for long-dwell network reconnaissance </li> <li> <strong> APT34 / OilRig </strong> — MOIS-directed espionage group with extensive credential harvesting capabilities </li> <li> <strong> Pioneer Kitten / UNC757 </strong> — Hybrid actor known for selling VPN access; bridges criminal and state operations </li>
</ul>
<h3> <strong> 3. Refined Kitten (APT33) and the Aviation/Aerospace Convergence </strong>
</h3>
<p> A PolySwarm threat bulletin identified <strong> Refined Kitten (APT33/Elfin) </strong> as conducting persistent espionage operations against the aviation and aerospace sectors — MITRE identifies these as APT33’s primary targeting verticals alongside energy.
</p>
<p> This converges with multiple data points:
</p>
<ul> <li> <strong> Scattered Spider </strong> expanded into airline targeting (FBI warning, 2025), using help desk social engineering and identity-centric intrusion. </li> <li> <strong> Qilin </strong> ransomware hit Tulsa International Airport (January 17–20, 2026). </li> <li> The <strong> Collins Aerospace MUSE </strong> ransomware incident disrupted Heathrow, Brussels, Berlin, and Dublin airports (September 2025). </li> <li> A <strong> “Fake Resume on GitHub” </strong> campaign targeting aerospace contractors remains active in threat intelligence feeds (last updated April 28, 2026). </li>
</ul>
</p>
<p> The aviation sector is facing a multi-actor convergence: state espionage (APT33), criminal ransomware (Qilin), and supply-chain compromise (Collins Aerospace) — simultaneously.
</p>
<h3> <strong> 4. CVE-2024-7399 — Samsung MagicINFO Under Active Exploitation </strong>
</h3>
<p> <strong> CVE-2024-7399 </strong> (CVSS 8.8) is a path traversal flaw (improper limitation of a pathname to a restricted directory) in Samsung MagicINFO 9 Server versions before 21.1050 that allows an attacker to write arbitrary files with SYSTEM authority. Because the server process runs as SYSTEM, a single file dropped into the application’s web root is enough to obtain code execution at that privilege level. CISA added it to the KEV catalog on April 24 after Arctic Wolf confirmed active exploitation.
</p>
</p>
<p> <strong> Why this matters for the Iran conflict: </strong> Samsung MagicINFO powers digital signage systems in airports, transit hubs, military facilities, and corporate lobbies. These systems are often unpatched, internet-facing, and running with elevated privileges — making them ideal initial access points for actors seeking footholds in physical infrastructure environments.
</p>
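<p> The file-write primitive described above is what a defender has to find after the fact. The following is an added example, not code from this report or from Samsung, that implements the “check for unexpected files” step from the SOC guidance later in this report as a baseline-and-diff of the server’s web root: hash every file on a known-good install, keep the manifest, and later diff the live tree against it, listing web-executable drops first. The MagicINFO install path in the usage comment and the Tomcat/JSP layout are assumptions; the tree that <code>demo()</code> builds is constructed, not a real install.
</p>

```python
"""Baseline-and-diff check for unexpected files in a web application root.

Added example for this report; not code from the report or from Samsung.
It hashes every file under a web root on a known-good install, keeps that
manifest, and later diffs the live tree against it, listing web-executable
drops first. The MagicINFO install path in the usage comment and the
Tomcat/JSP layout are assumptions; the tree built by demo() is constructed.
"""
import hashlib
import os
import tempfile

# Extensions that give code execution if written into a web root (JSP on the
# Tomcat-based MagicINFO server) or that indicate dropped tooling.
HIGH_RISK_EXT = {".jsp", ".jspx", ".war", ".jar", ".exe", ".dll", ".ps1", ".bat"}


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's '/'-separated path relative to root to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def _risk_first(rel_path):
    """Sort key: high-risk extensions first, then alphabetical."""
    return (os.path.splitext(rel_path)[1].lower() not in HIGH_RISK_EXT, rel_path)


def diff_against_manifest(root, manifest):
    """Return {'new', 'modified', 'missing'} lists of relative paths."""
    current = build_manifest(root)
    new = [p for p in current if p not in manifest]
    modified = [p for p in current if p in manifest and current[p] != manifest[p]]
    missing = [p for p in manifest if p not in current]
    return {"new": sorted(new, key=_risk_first),
            "modified": sorted(modified, key=_risk_first),
            "missing": sorted(missing)}


def demo():
    """Build a throwaway web root, baseline it, simulate a post-exploitation
    file drop and tamper, and return the diff. Constructed sample only."""
    root = tempfile.mkdtemp(prefix="magicinfo-demo-")
    shipped = {"index.jsp": b"<%-- shipped page --%>",
               "WEB-INF/web.xml": b"<web-app/>",
               "css/site.css": b"body{}"}
    for rel, data in shipped.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    baseline = build_manifest(root)
    # What an arbitrary file write as SYSTEM would leave behind: a new JSP,
    # a tampered shipped page, a stray note, and a removed asset.
    with open(os.path.join(root, "cmd.jsp"), "wb") as f:
        f.write(b"<%-- simulated web shell --%>")
    with open(os.path.join(root, "index.jsp"), "ab") as f:
        f.write(b"<!-- tampered -->")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"notes")
    os.remove(os.path.join(root, "css", "site.css"))
    return diff_against_manifest(root, baseline)


if __name__ == "__main__":
    import json
    import sys
    # Usage: webroot_diff.py baseline <root> > manifest.json
    #        webroot_diff.py diff <root> manifest.json
    # Assumed MagicINFO web root: C:\MagicInfo Premium\tomcat\webapps\MagicInfo
    if len(sys.argv) < 3:
        print(json.dumps(demo(), indent=1))
    elif sys.argv[1] == "baseline":
        print(json.dumps(build_manifest(sys.argv[2]), indent=1))
    else:
        with open(sys.argv[3]) as f:
            print(json.dumps(diff_against_manifest(sys.argv[2], json.load(f)), indent=1))
```

<p> Take the baseline from vendor media or a fresh install, not from a server that has already been exposed, or the manifest will bless the attacker’s files. Keep the manifest off the host: an attacker with a SYSTEM-level file write can edit a locally stored manifest as easily as the web root.
</p>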
<h3> <strong> 5. Iran-Themed Mirai Botnet — Active C2 Infrastructure </strong>
</h3>
<p> Multiple Mirai variant samples with Iran-themed payload paths (/iran.mips, /iran.armv4l, /iran.armv7l) were collected from an active C2 server at <strong> 45.153.34[.]205 </strong> . While Iran-themed naming does not confirm Iranian state attribution (criminal botnet operators frequently use geopolitical naming for misdirection), the timing and targeting of IoT devices — including IP cameras and embedded systems — aligns with Iran’s documented interest in IoT infrastructure for DDoS and surveillance.
</p>
<h2> <strong> Predictive Analysis — Next 30 Days </strong>
</h2>
<table> <thead> <tr> <th> <p> Scenario </p> </th> <th> <p> Probability </p> </th> <th> <p> Basis </p> </th> </tr> </thead>
<tbody>
<tr> <td> <p> Handala publishes additional PII batches (other service branches, other Gulf bases) within 72 hours </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> Telegram channel active; group in escalatory posture; PII collection suggests broader database </p> </td> </tr>
<tr> <td> <p> Diplomatic failure on Hormuz reopening triggers new wave of Iranian cyber operations against energy/maritime targets </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> WSJ reports Trump team “doubts” Iran’s offer; energy sector historically first retaliatory target </p> </td> </tr>
<tr> <td> <p> Cyber Av3ngers resurface with new ICS/OT targeting after 49-day silence </p> </td> <td> <p> <strong> 30% </strong> </p> </td> <td> <p> Anomalous silence likely indicates retooling, not cessation; Unitronics/PLC targeting is their signature </p> </td> </tr>
<tr> <td> <p> MOIS-directed destructive operation against a second major U.S. defense contractor (Stryker-style Intune/MDM wipe) </p> </td> <td> <p> <strong> 40% </strong> </p> </td> <td> <p> Access-broker model confirmed; pre-positioned access likely exists in multiple networks; Handala’s escalatory posture </p> </td> </tr>
<tr> <td> <p> Refined Kitten (APT33) aerospace espionage campaign produces confirmed compromise of a DIB contractor </p> </td> <td> <p> <strong> 25% </strong> </p> </td> <td> <p> 49-day intelligence gap on DIB pre-positioning is the highest-consequence blind spot; “Fake Resume on GitHub” campaign still active </p> </td> </tr>
<tr> <td> <p> Russian-Iranian cyber cooperation produces joint or coordinated operation against NATO/Five Eyes target </p> </td> <td> <p> <strong> 20% </strong> </p> </td> <td> <p> APT28 infrastructure convergence on Iranian ASN confirmed April 24–26; diplomatic coordination (Araghchi-Putin meeting) provides political cover </p> </td> </tr>
</tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Immediate Detection Priorities </strong>
</h3>
<ol> <li> <strong> WhatsApp/Personal Messaging IO Detection (T1585.001, T1566.003) </strong>
<ul> <li> <strong> Hunt hypothesis: </strong> Iranian actors are using WhatsApp and Telegram to deliver intimidation messages and phishing links to personnel, bypassing corporate email security entirely. ATT&CK files messaging-app delivery under T1566.003 (Spearphishing via Service) rather than the email-centric T1566.002. </li> <li> <strong> Detection: </strong> You cannot monitor WhatsApp content on personal devices. Instead, monitor for <em> indicators of successful compromise </em> : unusual OAuth token grants from personal devices, new device enrollments in Intune/Entra ID from unexpected geolocations, and anomalous Telegram Bot API traffic (api.telegram.org) from corporate hosts that have no business reason to reach it. </li> <li> <strong> Action: </strong> Brief all personnel on the Handala WhatsApp campaign. Establish a reporting channel for suspicious personal device messages. </li> </ul>
</li> <li> <strong> Intune/MDM Mass Wipe Detection (T1072, T1531, T1078.004) </strong>
<ul> <li> <strong> Hunt hypothesis: </strong> An attacker holding compromised Intune administrator credentials issues bulk device wipe commands, replicating the Stryker attack. </li> <li> <strong> Detection: </strong> Alert on: (a) any wipe or retire action in the Intune audit log affecting more than 10 devices in a 1-hour window, counted both per actor and tenant-wide so that a wipe spread across several admin accounts still trips it; (b) new Global Administrator or Intune Administrator role assignments in Entra ID; (c) Conditional Access policy modifications that exclude admin accounts from MFA; (d) bulk device compliance policy changes. </li> <li> <strong> ATT&CK: </strong> T1078.004 (Valid Accounts: Cloud Accounts) → T1072 (Software Deployment Tools) → T1531 (Account Access Removal) → T1485 (Data Destruction) </li> <li> <strong> Action: </strong> Implement break-glass alerting on all Intune administrative actions. Require PIM (Privileged Identity Management) activation with approval for any admin role elevation. </li> </ul>
</li> <li> <strong> MOIS Access-Broker Upstream Detection (T1199, T1078, T1133) </strong>
<ul> <li> <strong> Hunt hypothesis: </strong> Upstream MOIS actors (UNC1860, APT34, Pioneer Kitten) have pre-positioned access in your network via VPN credential theft or edge device exploitation, and will hand that access to Handala for destruction. </li> <li> <strong> Detection: </strong> (a) Review VPN authentication logs for dormant accounts that suddenly reactivate, especially from source addresses the account has never used; (b) hunt for Cisco ASA/FTD indicators of FIRESTARTER (firmware persistence survives updates and requires full reimaging to remediate); (c) audit Fortinet, Ivanti, and Citrix edge devices for unpatched vulnerabilities and anomalous admin sessions; (d) search for Rclone or Wasabi-bound data exfiltration in proxy/CASB logs. </li> <li> <strong> ATT&CK: </strong> T1133 (External Remote Services) → T1199 (Trusted Relationship) → T1078 (Valid Accounts) </li> </ul>
</li> <li> <strong> Mirai Botnet C2 and IoT Compromise (T1583.003, T1059.004, T1498) </strong>
<ul> <li> <strong> Hunt hypothesis: </strong> IoT devices (IP cameras, embedded Linux systems) on your network are communicating with the active Mirai C2 at 45.153.34[.]205. </li> <li> <strong> Detection: </strong> Block <strong> 45.153.34[.]205 </strong> at the perimeter. Search DNS, proxy, and netflow logs for historical connections to that address and for downloads of the /iran.mips, /iran.armv4l, and /iran.armv7l payload paths. On devices you can inspect, look for unexpected ELF binaries staged in writable, non-persistent paths such as /tmp, where Mirai-family droppers typically land. Monitor for anomalous outbound traffic volume from IoT VLANs. </li> <li> <strong> IOC hashes to deploy to EDR: </strong> See blocking table below. </li> </ul>
</li> <li> <strong> Samsung MagicINFO Exploitation (T1190, CVE-2024-7399) </strong>
<ul> <li> <strong> Hunt hypothesis: </strong> Attackers are exploiting CVE-2024-7399 to write arbitrary files as SYSTEM on Samsung MagicINFO 9 Server instances, establishing footholds in facilities with digital signage. </li> <li> <strong> Detection: </strong> Inventory all MagicINFO instances. Baseline the server’s web root and system directories against a known-good install and diff for files that were never part of it. Monitor for SYSTEM-level cmd.exe or powershell.exe processes whose parent is the MagicINFO web application’s service process. </li> <li> <strong> Action: </strong> Patch to version 21.1050 or later immediately. If patching is not possible within 48 hours, isolate MagicINFO servers from the internet. </li> </ul>
</li>
</ol>
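<p> For the Intune mass-wipe alert in item 2, here is an added example (not from this report, and not Microsoft tooling) of the sliding-window logic run over constructed audit records. It assumes a flattened record of time, actor, operation and device that you would derive from Intune audit events; the operation strings are assumptions to map onto your own export. It counts distinct devices per actor and tenant-wide, so a wipe split across two compromised admin accounts still fires, which a per-actor rule alone would miss.
</p>

```python
"""Sliding-window detection for bulk Intune wipe/retire actions.

Added example for this report; not code from the report or from Microsoft.
Input is a flattened record per audit event: time (ISO 8601), actor,
operation, device. The field names and the operation strings are assumptions
to be mapped onto your own Intune audit export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DESTRUCTIVE_OPS = {"wipe ManagedDevice", "retire ManagedDevice"}  # assumed names
WINDOW = timedelta(hours=1)
THRESHOLD = 10  # alert when MORE than this many distinct devices are hit


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a 'Z' suffix or explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_bulk_wipes(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per burst of destructive actions that touches more
    than `threshold` distinct devices inside any `window`-long span.

    The check runs once per actor and once tenant-wide (reported as actor
    "<any>"), so an attacker who spreads the wipe across several compromised
    admin accounts still trips the alert. Events may arrive unsorted.
    """
    hits = sorted(
        (parse_ts(e["time"]), e["actor"], e["device"])
        for e in events
        if e["operation"] in DESTRUCTIVE_OPS
    )
    keys = [None] + sorted({actor for _, actor, _ in hits})
    alerts = []
    for key in keys:
        in_window = deque()       # (timestamp, device) pairs inside the window
        seen = defaultdict(int)   # device -> occurrences inside the window
        fired = False             # one alert per burst, not per event
        for ts, actor, device in hits:
            if key is not None and actor != key:
                continue
            in_window.append((ts, device))
            seen[device] += 1
            # Drop everything older than the window before counting.
            while ts - in_window[0][0] > window:
                _, old = in_window.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            if len(seen) > threshold:
                if not fired:
                    alerts.append({"actor": key or "<any>",
                                   "devices": len(seen),
                                   "window_end": ts.isoformat()})
                    fired = True
            else:
                fired = False
    return alerts


def _burst(actor, operation, prefix, start, count, step_minutes):
    """Constructed records for one actor, `step_minutes` apart."""
    t0 = parse_ts(start)
    return [{"time": (t0 + timedelta(minutes=step_minutes * i)).isoformat(),
             "actor": actor, "operation": operation,
             "device": f"{prefix}-{i + 1:02d}"} for i in range(count)]


# Constructed sample telemetry, not real data: routine helpdesk retires, a
# wipe split across two accounts (six devices each), and one account wiping
# eleven devices in half an hour.
SAMPLE_EVENTS = (
    _burst("helpdesk@corp.example", "retire ManagedDevice", "HD",
           "2026-04-29T01:00:00Z", 3, 180)
    + _burst("ops-a@corp.example", "wipe ManagedDevice", "WA",
             "2026-04-29T10:00:00Z", 6, 2)
    + _burst("ops-b@corp.example", "wipe ManagedDevice", "WB",
             "2026-04-29T10:01:00Z", 6, 2)
    + _burst("intune-admin@corp.example", "wipe ManagedDevice", "IA",
             "2026-04-29T14:00:00Z", 11, 3)
)

if __name__ == "__main__":
    for alert in detect_bulk_wipes(SAMPLE_EVENTS):
        print(alert)
```

<p> On the constructed sample the tenant-wide pass fires twice (the split wipe at 10:10 and the single-account burst at 14:30) while the per-actor pass fires only for intune-admin. Tune <code>THRESHOLD</code> down for small estates where even five wipes in an hour is abnormal, and verify that your export emits one record per target device for bulk actions; if it collapses a bulk action into one record, count its targets instead of the record.
</p>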
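<p> For the dormant-account check in item 3 (and the matching 7-day action item), here is an added example, not code from this report or from any VPN vendor, that walks successful VPN logins per user and reports any login that follows a long gap, noting whether it came from a source address the account had never used. The login records are constructed and vendor-neutral; normalise your ASA, FortiGate, GlobalProtect or Ivanti logs into that shape first. The 45-day dormancy threshold is an assumption.
</p>

```python
"""Hunt for dormant VPN accounts that suddenly authenticate again.

Added example for this report; not code from the report or from any VPN
vendor. It consumes a constructed, vendor-neutral list of successful VPN
logins (user, ISO 8601 time, source IP). The 45-day dormancy threshold is
an assumption; the 60-day lookback matches the 7-day action item.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_reactivated_accounts(logins, now, dormant_days=45, lookback_days=60):
    """Return a finding for each login that follows a gap of at least
    `dormant_days` for that user and falls within `lookback_days` of `now`.

    Each finding records whether the reactivating login came from a source
    IP the account had never used before; that combination goes to the top
    of the triage queue.
    """
    now = parse_ts(now)
    dormant_after = timedelta(days=dormant_days)
    cutoff = now - timedelta(days=lookback_days)

    history = defaultdict(list)
    for rec in logins:
        history[rec["user"]].append((parse_ts(rec["time"]), rec["src_ip"]))

    findings = []
    for user in sorted(history):
        known_ips = set()
        previous = None
        for ts, ip in sorted(history[user]):
            if previous is not None:
                gap = ts - previous
                if gap >= dormant_after and ts >= cutoff:
                    findings.append({
                        "user": user,
                        "time": ts.isoformat(),
                        "gap_days": gap.days,
                        "src_ip": ip,
                        "new_source": ip not in known_ips,
                    })
            known_ips.add(ip)
            previous = ts
    return findings


# Constructed sample logins, not real telemetry.
SAMPLE_LOGINS = [
    # Routine weekly user: never flagged.
    {"user": "j.doe", "time": "2026-04-01T08:05:00Z", "src_ip": "198.51.100.20"},
    {"user": "j.doe", "time": "2026-04-08T08:10:00Z", "src_ip": "198.51.100.20"},
    {"user": "j.doe", "time": "2026-04-15T08:02:00Z", "src_ip": "198.51.100.20"},
    {"user": "j.doe", "time": "2026-04-22T08:07:00Z", "src_ip": "198.51.100.20"},
    # Contractor account silent since January, back from an address never seen.
    {"user": "contractor7", "time": "2026-01-05T09:00:00Z", "src_ip": "203.0.113.10"},
    {"user": "contractor7", "time": "2026-01-12T09:30:00Z", "src_ip": "203.0.113.10"},
    {"user": "contractor7", "time": "2026-04-20T23:40:00Z", "src_ip": "203.0.113.45"},
    # Service account idle for months, but from its usual address.
    {"user": "svc-backup", "time": "2026-02-01T03:00:00Z", "src_ip": "198.51.100.9"},
    {"user": "svc-backup", "time": "2026-04-25T03:00:00Z", "src_ip": "198.51.100.9"},
    # Reactivation that predates the lookback window: not reported by default.
    {"user": "old-one", "time": "2025-11-01T10:00:00Z", "src_ip": "192.0.2.7"},
    {"user": "old-one", "time": "2026-01-20T10:00:00Z", "src_ip": "192.0.2.7"},
]

if __name__ == "__main__":
    for finding in find_reactivated_accounts(SAMPLE_LOGINS, "2026-04-29T00:00:00Z"):
        print(finding)
```

<p> An account with a single login in the retained history produces no finding, because there is no earlier login to measure a gap from; join the output with directory data (account creation date, last password change) to cover those, and run the same logic over failed logins as well to catch credential testing that precedes the first successful login.
</p>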
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services </strong>
</h3>
<p> The Strait of Hormuz closure is driving energy price volatility that directly impacts financial markets. Iranian actors have historically targeted SWIFT-connected institutions and payment processors during periods of maximum economic pressure.
</p>
<ul> <li> <strong> Priority: </strong> Monitor for credential harvesting campaigns targeting treasury and wire transfer systems. APT34/OilRig has a documented history of targeting financial sector DNS infrastructure. </li> <li> <strong> Action: </strong> Audit all DNS configurations for signs of DNS hijacking (T1584.002). Review SWIFT operator credentials for anomalous access patterns. Ensure transaction monitoring systems flag unusual cross-border payment flows to sanctioned jurisdictions. </li>
</ul>
<h3> <strong> Energy </strong>
</h3>
<p> Energy infrastructure is the highest-probability retaliatory target if Hormuz diplomacy fails. CISA/FBI/NSA advisories from early April specifically warned of Iranian exploitation of U.S. water and energy systems.
</p>
<ul> <li> <strong> Priority: </strong> Assume Cyber Av3ngers’ 49-day silence is retooling, not retirement. Their signature target set — Unitronics PLCs, SCADA systems, water treatment facilities — remains at elevated risk. </li> <li> <strong> Action: </strong> Validate segmentation between IT and OT networks. Audit all Unitronics Vision/Samba PLC instances for default credentials and internet exposure. Review Honeywell BMS, Yokogawa CENTUM, and Siemens SICAM configurations against CISA ICS advisories. Deploy the GRASSMARLIN ICS network mapping tool (CISA advisory, April 28) to identify undocumented OT assets. </li> <li> <strong> Edge devices: </strong> Cisco ASA/FTD devices in energy environments must be assessed for FIRESTARTER firmware persistence — standard patching does not remediate this backdoor. Full reimaging is required. </li>
</ul>
<h3> <strong> Healthcare </strong>
</h3>
<p> Healthcare organizations are collateral targets in Iranian campaigns due to shared infrastructure with government networks and the high impact of destructive attacks on patient safety.
</p>
<ul> <li> <strong> Priority: </strong> The Intune/MDM mass wipe TTP demonstrated at Stryker is directly applicable to any healthcare organization using Microsoft 365 and Intune for device management — which includes most major health systems. </li> <li> <strong> Action: </strong> Implement emergency alerting on Intune bulk device actions. Ensure clinical systems (EHR, PACS, lab systems) are on separate device management policies that cannot be wiped by a single compromised admin account. Review Entra ID Conditional Access policies to enforce phishing-resistant MFA (FIDO2/passkeys) for all administrative roles. </li> <li> <strong> Ransomware: </strong> Qilin’s demonstrated willingness to hit critical infrastructure (Tulsa airport) means healthcare is within their target aperture. Ensure offline backups are tested and recovery procedures are exercised. </li>
</ul>
<h3> <strong> Government </strong>
</h3>
<p> Federal, state, and local government agencies are confirmed targets. CISA’s MAR AR26-113A documented FIRESTARTER in a federal civilian agency. The Handala campaign demonstrates MOIS willingness to target government personnel directly.
</p>
<ul> <li> <strong> Priority: </strong> All Cisco ASA/FTD devices in government networks must be assessed for FIRESTARTER firmware persistence. This is not a patchable vulnerability — compromised devices require full reimaging. </li> <li> <strong> Action: </strong> Conduct firmware integrity verification on all Cisco edge devices. Audit 911/PSAP systems for internet exposure and default credentials. Review all OAuth application consents in government M365 tenants for suspicious third-party applications (T1550.001). Brief personnel on Handala WhatsApp IO campaign — government employees with military connections are potential targets. </li> <li> <strong> Supply chain: </strong> The “Fake Resume on GitHub” campaign targeting aerospace contractors may extend to government contractor networks. Audit GitHub-hosted development environments for unauthorized repositories and suspicious pull requests. </li>
</ul>
<h3> <strong> Aviation & Logistics </strong>
</h3>
<p> Aviation is facing a multi-actor convergence that makes it the most complex defensive environment in this threat landscape.
</p>
<ul> <li> <strong> Priority: </strong> Three distinct threat actors are targeting aviation simultaneously: Refined Kitten (APT33) for espionage, Qilin for ransomware, and Scattered Spider for identity-centric intrusion. Each requires a different defensive approach. </li> <li> <strong> Action: </strong> Patch all Samsung MagicINFO 9 Server instances (CVE-2024-7399) — these are commonly deployed in airport digital signage. Implement help desk verification procedures to counter Scattered Spider social engineering (T1566.004). Hunt for APT33 indicators in reservation systems, flight operations, and maintenance networks. Audit shared platform dependencies (Collins Aerospace MUSE or similar) for supply-chain risk. </li> <li> <strong> Logistics: </strong> Maritime logistics companies are directly impacted by the Hormuz closure. Iranian actors may target shipping management systems, port operations, and cargo tracking platforms to amplify economic disruption. </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> IMMEDIATE </strong> </p> </td> <td> <p> Force Protection / CISO </p> </td> <td> <p> Issue advisory to all personnel regarding Handala WhatsApp IO campaign — advise restricting WhatsApp privacy settings, reporting unsolicited messages, and assuming PII compromise for Gulf-stationed personnel </p> </td> </tr> <tr> <td> <p> <strong> IMMEDIATE </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Block C2 IP <strong> 45.153.34[.]205 </strong> on all perimeter firewalls and EDR; deploy all Mirai and aviation hashes from the IOC table above to endpoint detection </p> </td> </tr> <tr> <td> <p> <strong> IMMEDIATE </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Implement emergency alerting on Intune wipeDevice/retireDevice actions affecting >10 devices in any 1-hour window — this is the Stryker attack pattern </p> </td> </tr> <tr> <td> <p> <strong> IMMEDIATE </strong> </p> </td> <td> <p> Identity / IAM </p> </td> <td> <p> Audit all Entra ID Global Administrator accounts — enforce PIM activation with approval workflow; revoke any standing admin access </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 7-DAY </strong> </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Audit and patch all Samsung MagicINFO 9 Server instances to version ≥21.1050 (CVE-2024-7399, CVSS 8.8, KEV-confirmed active exploitation) — prioritize instances in airports, transit, and military facilities </p> </td> </tr> <tr> <td> <p> <strong> 7-DAY </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Implement Intune/Entra ID anomaly detection for bulk device wipe commands, Global Administrator privilege escalation, and Conditional Access policy modifications </p> </td> </tr> <tr> <td> <p> <strong> 7-DAY </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission threat hunt for Refined Kitten (APT33) indicators in aerospace and defense contractor networks — focus on credential theft, VPN persistence, and long-dwell reconnaissance </p> </td> </tr> <tr> <td> <p> <strong> 7-DAY </strong> </p> </td> <td> <p> Network Security </p> </td> <td> <p> Conduct firmware integrity verification on all Cisco ASA/FTD devices — FIRESTARTER persists through standard updates and requires full reimaging to remediate </p> </td> </tr> <tr> <td> <p> <strong> 7-DAY </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Hunt for dormant VPN accounts that have reactivated in the past 60 days — MOIS access-brokers establish persistence months before handing off to destructors </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 30-DAY </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> Develop WhatsApp/personal messaging security guidance for all personnel — current security controls focus on corporate email and managed devices; personal device IO vectors are unaddressed </p> </td> </tr> <tr> <td> <p> <strong> 30-DAY </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> Conduct tabletop exercise simulating an Intune/MDM mass wipe attack — validate that incident response procedures can recover 200,000+ endpoints and that backup/restore processes are tested </p> </td> </tr> <tr> <td> <p> <strong> 30-DAY </strong> </p> </td> <td> <p> IR Team </p> </td> <td> <p> Update incident response playbooks to include the MOIS access-broker model — ensure IR procedures account for the possibility that the initial intrusion actor and the destructive actor are different groups with different TTPs </p> </td> </tr> <tr> <td> <p> <strong> 30-DAY </strong> </p> </td> <td> <p> Executive </p> </td> <td> <p> Brief the board on diplomatic-cyber decoupling — stakeholders should plan for sustained Iranian cyber operations regardless of ceasefire outcomes; budget and staff accordingly </p> </td> </tr> </tbody>
</table>
<h2> <strong> The Bottom Line </strong>
</h2>
<p> Eight weeks into this conflict, three realities demand executive attention:
</p>
<p> <strong> First, the access is already there. </strong> The confirmed MOIS access-broker model means that Iran’s most capable intrusion teams have likely pre-positioned access in networks that Handala and similar destructors haven’t touched yet. The 49-day intelligence gap on defense industrial base pre-positioning is not reassuring silence — it is the sound of an undetected intrusion. Every day without a confirmed hunt is a day of assumed risk.
</p>
<p> <strong> Second, diplomacy will not save your network. </strong> The diplomatic-cyber decoupling is now an established pattern, not an anomaly. Handala escalated to targeting U.S. Marines on the same day Iran proposed reopening the Strait of Hormuz. Plan for sustained Iranian cyber operations through any ceasefire, any negotiation, any diplomatic breakthrough. Cyber is the one domain where Iran faces no escalation penalty.
</p>
<p> <strong> Third, your perimeter has moved. </strong> When an MOIS-linked group can threaten your people on WhatsApp, dox them on Telegram, and wipe 200,000 of your endpoints through your own MDM platform, the traditional security perimeter is irrelevant. The attack surface now includes personal devices, cloud identity infrastructure, digital signage systems, AI development toolchains, and the social media accounts of your workforce.
</p>
<p> The threat actors named in this report — Handala, APT33, APT34, Cyber Av3ngers, UNC1860, Pioneer Kitten, Scattered Spider, Qilin — are not theoretical risks. They are operational, they are targeting your sector, and the intelligence confirms they are accelerating.
</p>
</p>
<p> Act on the recommendations in this report today. The next Stryker-scale event is a matter of <em>when</em>, not <em>if</em>.
</p>