All Posts
Anomali Cyber Watch
1
min read

Iran's Cyber War Machine Hits 3× Surge: What CISOs Must Do Before the Next Strike

Published on
July 6, 2026
Table of Contents
<p> <strong> Threat Assessment Level: HIGH &mdash; ESCALATING </strong> </p> <p> The numbers are no longer estimates. On June 29, Israel's National Cyber Security Directorate chief publicly confirmed what threat intelligence teams have been tracking for months: Iranian cyberattacks tripled year-over-year, with approximately <strong> 4,800 hostile cyber incidents recorded in June 2026 alone </strong> &mdash; up from ~1,600 in June 2025. Eighteen weeks into the Iran-Israel/US cyber conflict that began February 28, 2026, we are witnessing the most sustained state-sponsored cyber escalation campaign since NotPetya. </p> <p> But here's what should keep you awake tonight: the absence of destructive operations during this surge isn't reassurance &mdash; it's a warning. Iranian operational doctrine builds access first, then executes destruction on political command. The IRGC's cyber units are pre-positioning. The question isn't <em> if </em> they'll strike &mdash; it's <em> when </em> and <em> where </em> . </p> <h2> <strong> What Changed This Week </strong> </h2> <p> The past seven days brought five developments that materially alter the threat landscape: </p> <ol> <li> <strong> Official validation of the escalation scale. </strong> Multiple independent outlets &mdash; Reuters, Jerusalem Post, The Next Web &mdash; confirmed the Israeli government's 3&times; surge figure. This transforms what was previously an intelligence assessment into established fact. </li> <li> <strong> Fresh Iranian surveillance infrastructure went live. </strong> On July 2, a new cluster of command-and-control domains impersonating Microsoft services and VPN providers was identified, delivering MarkiRAT (aka SCRAPWOOD) &mdash; a surveillance tool historically used by IRGC-affiliated actors against dissidents, journalists, and opposition figures. </li> <li> <strong> A validated C2 server was tagged for "retaliation window" operations. </strong> A European-hosted server (Germany, ASN 214351) was confirmed as an active Iranian-linked C2 node deploying DarkComet RAT, explicitly tagged by intelligence sources with the assessment: "Iran declares ceasefire over &mdash; cyber retaliation window opens for critical infrastructure." </li> <li> <strong> Pioneer Kitten ransomware convergence confirmed on shared infrastructure. </strong> ASN 213790 (Tehran) now hosts IPs tagged simultaneously to Iranian state actors, LockBit ransomware operations, and Pinchy Spider &mdash; reflecting the documented Pioneer Kitten (UNC757) model of selling initial access to ransomware operators and deliberately complicating attribution. </li> <li> <strong> CISA disclosed ICS/OT vulnerabilities directly relevant to Iranian targeting. </strong> July 2 advisories cover satellite attitude control hardware (CubeSpace), satellite terminal access (ST Engineering iDirect), remote terminal units (Schneider Electric), and storage systems &mdash; expanding the attack surface at a critical moment in the conflict. </li> </ol> <h2> <strong> Conflict &amp; Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2026-02-28 </p> </td> <td> <p> Iran-Israel/US cyber conflict begins </p> </td> <td> <p> Initiating event &mdash; 18 weeks ago </p> </td> </tr> <tr> <td> <p> 2026-06-08&ndash;29 </p> </td> <td> <p> ASN 213790 (Tehran) scanning activity sustained </p> </td> <td> <p> Iranian APT reconnaissance targeting government, healthcare, telecom, chemical sectors </p> </td> </tr> <tr> <td> <p> 2026-06-22 </p> </td> <td> <p> Alhurra expos&eacute; reveals IRGC cyber unit structure </p> </td> <td> <p> Opposition sources confirm organizational readiness of IRGC cyber warfare network </p> </td> </tr> <tr> <td> <p> 2026-06-24&ndash;25 </p> </td> <td> <p> IOCONTROL/QUEUECAT ICS malware refreshed </p> </td> <td> <p> IRGC-CEC (Cyber Av3ngers) maintaining OT-destructive capability </p> </td> </tr> <tr> <td> <p> 2026-06-29 </p> </td> <td> <p> Israeli NCSD chief confirms 3&times; cyberattack surge </p> </td> <td> <p> ~4,800 incidents in June 2026; official government validation </p> </td> </tr> <tr> <td> <p> 2026-07-01 </p> </td> <td> <p> DHS HSIN breach confirmed; CVE-2026-45659 added to CISA KEV </p> </td> <td> <p> SharePoint RCE actively exploited across 10,000+ servers </p> </td> </tr> <tr> <td> <p> 2026-07-02 </p> </td> <td> <p> MarkiRAT C2 infrastructure refresh (6 new domains) </p> </td> <td> <p> VPN/Microsoft-themed lures for surveillance tool delivery </p> </td> </tr> <tr> <td> <p> 2026-07-02 </p> </td> <td> <p> CISA ICS advisories: satellite, RTU, IoT, storage </p> </td> <td> <p> CubeSpace firmware upload, iDirect terminal access, Schneider RTU exposure </p> </td> </tr> <tr> <td> <p> 2026-07-03&ndash;04 </p> </td> <td> <p> UNC6496 confirmed active; UNC5855/AnonymousForJustice latest IOC </p> </td> <td> <p> IRGC-affiliated phishing kits SARAQAKIT/SILENTRAQIB deployed </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> The IRGC's Expanding C2 Footprint </strong> </h3> <p> Iranian actors are aggressively building out command-and-control infrastructure. Six new domains on the pis2ray[.]online and comi-site[.]website families were identified on July 2, all impersonating Microsoft services or VPN providers. The naming convention &mdash; "pis2ray" likely references V2Ray, a popular proxy tool &mdash; suggests lures targeting populations that use VPNs to circumvent censorship. </p> <p> The malware being delivered is <strong> MarkiRAT </strong> (Google TAG designation: SCRAPWOOD), a Windows surveillance tool with keylogging, screen capture, and file exfiltration capabilities. While historically used against dissidents, the infrastructure scale suggests potential expansion to broader espionage targets. </p> <p> <strong> Simultaneously </strong> , a Tehran-based ASN (213790, "Limited Network") continues hosting active scanning infrastructure. Three IPs on this ASN &mdash; rated at 90&ndash;97 confidence &mdash; are conducting reconnaissance against government, healthcare, telecommunications, and chemical sector targets using non-standard ports (T1571) and application-layer protocols (T1071). </p> <h3> <strong> Multi-Actor Infrastructure Convergence </strong> </h3> <p> A troubling development: ASN 213790 now hosts IPs tagged to Iranian state actors, LockBit ransomware operations, AND Pinchy Spider (GandCrab/REvil lineage). This isn't coincidental &mdash; it reflects the documented <strong> Pioneer Kitten </strong> (UNC757) operational model where IRGC-affiliated actors sell initial access to ransomware operators. </p> <p> This convergence means: </p> <ul> <li> Attribution becomes deliberately harder </li> <li> A "ransomware" incident may actually be state-directed destruction </li> <li> Defenders cannot dismiss Iranian-origin scanning as merely criminal </li> </ul> <h3> <strong> The Retaliation Pre-Positioning Phase </strong> </h3> <p> The validated C2 server at 62[.]60[.]226[.]10 (hosted in Germany on ASN 214351) represents something more concerning than routine espionage. Tagged by Recorded Future as "Recently-Linked-to-APT" and explicitly associated with Iran's post-ceasefire retaliation posture, this server is deploying <strong> DarkComet RAT </strong> &mdash; a remote access tool that provides full system control including file manipulation, credential theft, and destructive capability. </p> <p> The server also runs <strong> Keitaro TDS </strong> (Traffic Distribution System), which enables operators to selectively redirect victims based on geography, browser, or other fingerprinting &mdash; a hallmark of targeted operations rather than opportunistic campaigns. </p> <h3> <strong> ICS/OT Attack Surface Expanding at the Worst Possible Time </strong> </h3> <p> CISA's July 2 advisory batch disclosed vulnerabilities in systems directly relevant to Iranian targeting: </p> <ul> <li> <strong> CubeSpace CW0057 Reaction Wheel </strong> : Arbitrary firmware upload to satellite attitude control hardware </li> <li> <strong> ST Engineering iDirect iQ-Series Terminals </strong> : Unauthorized access to satellite terminal information </li> <li> <strong> Schneider Electric EasyLogic T150 / Saitel DP RTU </strong> : Sensitive data exposure in remote terminal units </li> <li> <strong> StoneFly Storage Concentrator </strong> : Arbitrary command execution </li> </ul> <p> The convergence of satellite system vulnerabilities with Iran's known interest in disrupting military command-and-control makes space-ground segment security an urgent priority. </p> <h2> <strong> Named Threat Actors &amp; Attribution </strong> </h2> <p> The following groups are confirmed active or maintaining operational readiness: </p> <table> <thead> <tr> <th> <p> <strong> Actor </strong> </p> </th> <th> <p> <strong> Affiliation </strong> </p> </th> <th> <p> <strong> Current Activity </strong> </p> </th> <th> <p> <strong> Primary Targets </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> APT42 / Charming Kitten </strong> </p> </td> <td> <p> IRGC-IO </p> </td> <td> <p> Adjacent to UNC6496 phishing operations </p> </td> <td> <p> Government, think tanks, media </p> </td> </tr> <tr> <td> <p> <strong> UNC6496 </strong> </p> </td> <td> <p> IRGC </p> </td> <td> <p> Active &mdash; deploying SARAQAKIT/SILENTRAQIB phishing kits </p> </td> <td> <p> Credential harvesting at scale </p> </td> </tr> <tr> <td> <p> <strong> UNC5855 / AnonymousForJustice </strong> </p> </td> <td> <p> IRGC (hacktivist front) </p> </td> <td> <p> Latest IOC July 3&ndash;4 </p> </td> <td> <p> <strong> Critical infrastructure, IO </strong> </p> </td> </tr> <tr> <td> <p> <strong> Pioneer Kitten / UNC757 </strong> </p> </td> <td> <p> IRGC </p> </td> <td> <p> Scanning phase (ASN 213790); ransomware handoff model </p> </td> <td> <p> Edge devices, VPNs, then ransomware </p> </td> </tr> <tr> <td> <p> <strong> Cyber Av3ngers / HYDRO KITTEN </strong> </p> </td> <td> <p> IRGC-CEC </p> </td> <td> <p> IOCONTROL/QUEUECAT malware refreshed June 24&ndash;25 </p> </td> <td> <p> ICS/OT &mdash; water, energy </p> </td> </tr> <tr> <td> <p> <strong> BANISHED KITTEN / Cotton Sandstorm </strong> </p> </td> <td> <p> IRGC </p> </td> <td> <p> Operational readiness maintained </p> </td> <td> <p> Destructive operations </p> </td> </tr> <tr> <td> <p> <strong> MuddyWater / TEMP.Zagros </strong> </p> </td> <td> <p> MOIS </p> </td> <td> <p> Anomalous silence (pre-strike indicator) </p> </td> <td> <p> Government, telecom, energy </p> </td> </tr> <tr> <td> <p> <strong> UNC2428 </strong> </p> </td> <td> <p> IRGC </p> </td> <td> <p> Tracked &mdash; operational status unclear </p> </td> <td> <p> Defense industrial base </p> </td> </tr> <tr> <td> <p> <strong> Handala </strong> </p> </td> <td> <p> IRGC-directed </p> </td> <td> <p> Anomalous silence (pre-strike indicator) </p> </td> <td> <p> Israeli targets, IO/destruction </p> </td> </tr> </tbody> </table> <p> <strong> Critical absence signal: </strong> MuddyWater, Handala, and Pioneer Kitten are simultaneously silent during a confirmed 3&times; escalation. Historically, coordinated silence across Iranian groups precedes destructive operations. </p> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Trigger </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Iranian destructive operation (wiper/ransomware) against Israeli or Gulf targets </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> Within 14 days </p> </td> <td> <p> Next kinetic escalation event </p> </td> </tr> <tr> <td> <p> Pioneer Kitten ransomware handoff using ASN 213790 access </p> </td> <td> <p> <strong> 60% </strong> </p> </td> <td> <p> Within 21 days </p> </td> <td> <p> Access maturation in healthcare/government networks </p> </td> </tr> <tr> <td> <p> IOCONTROL/QUEUECAT deployment against water/energy OT </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> Within 30 days </p> </td> <td> <p> Political command following ceasefire collapse </p> </td> </tr> <tr> <td> <p> Dormant DIB access activation (PTC Windchill, Fortinet VPN) </p> </td> <td> <p> <strong> 55% </strong> </p> </td> <td> <p> Within 21 days </p> </td> <td> <p> Escalation in US-Iran tensions </p> </td> </tr> <tr> <td> <p> MarkiRAT campaign expansion beyond dissidents to government/corporate targets </p> </td> <td> <p> <strong> 45% </strong> </p> </td> <td> <p> Within 14 days </p> </td> <td> <p> Infrastructure already deployed </p> </td> </tr> <tr> <td> <p> Satellite/space-ground segment attack leveraging CISA-disclosed vulnerabilities </p> </td> <td> <p> <strong> 30% </strong> </p> </td> <td> <p> Within 60 days </p> </td> <td> <p> Requires capability development beyond current known TTPs </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Immediate Detection Priorities </strong> </h3> <p> <strong> DNS/Proxy Monitoring &mdash; MarkiRAT C2 ( </strong> <strong> T1071.001 </strong> <strong> , </strong> <strong> T1583.001 </strong> <strong> ) </strong> </p> <ul> <li> Hunt hypothesis: "Endpoints resolving domains on pis2ray[.]online or comi-site[.]website families are communicating with Iranian surveillance C2" </li> <li> Detection: DNS query logs for any subdomain of pis2ray[.]online or comi-site[.]website </li> <li> Action: Block at DNS resolver and web proxy; alert on any historical resolution </li> </ul> <p> <strong> Network Telemetry &mdash; Iranian APT Scanning ( </strong> <strong> T1595.001 </strong> <strong> , </strong> <strong> T1571 </strong> <strong> ) </strong> </p> <ul> <li> Hunt hypothesis: "Inbound connections from ASN 213790 (Limited Network, Tehran) indicate active Iranian reconnaissance" </li> <li> Detection: Firewall/IDS alerts for source IPs 192[.]253[.]248[.]55, 192[.]253[.]248[.]169, 77[.]90[.]185[.]253 on non-standard ports </li> <li> Action: Block inbound; investigate any established sessions in last 30 days </li> </ul> <p> <strong> C2 Beaconing &mdash; DarkComet RAT ( </strong> <strong> T1071.001 </strong> <strong> , </strong> <strong> T1105 </strong> <strong> , </strong> <strong> T1219 </strong> <strong> ) </strong> </p> <ul> <li> Hunt hypothesis: "Outbound connections to 62[.]60[.]226[.]10 indicate active DarkComet RAT compromise" </li> <li> Detection: Network flow data for destination IP 62[.]60[.]226[.]10; DarkComet behavioral signatures (mutex patterns, registry keys) </li> <li> Action: Immediate isolation of any communicating endpoint; full forensic triage </li> </ul> <p> <strong> VPN-Themed Phishing ( </strong> <strong> T1566.002 </strong> <strong> , </strong> <strong> T1036.005 </strong> <strong> ) </strong> </p> <ul> <li> Hunt hypothesis: "Phishing emails referencing VPN services or Microsoft authentication that link to pis2ray[.]online infrastructure deliver MarkiRAT" </li> <li> Detection: Email gateway rules for URLs containing pis2ray, comi-site; user-reported phishing with VPN themes </li> <li> Action: Quarantine; extract and block additional infrastructure from email headers </li> </ul> <h3> <strong> Ongoing Hunting Campaigns </strong> </h3> <p> <strong> ICS/OT Firmware Integrity ( </strong> <strong> T1542.004 </strong> <strong> , </strong> <strong> T0839 </strong> <strong> ) </strong> </p> <ul> <li> Hunt hypothesis: "Satellite communication terminals or RTUs have received unauthorized firmware modifications" </li> <li> Detection: Compare firmware hashes against vendor-published baselines for ST Engineering iDirect, CubeSpace, Schneider EasyLogic/Saitel DP </li> <li> Action: Isolate any device with firmware mismatch; engage vendor for validation </li> </ul> <p> <strong> Dormant Access Detection ( </strong> <strong> T1078 </strong> <strong> &mdash; Valid Accounts) </strong> </p> <ul> <li> Hunt hypothesis: "Iranian actors hold dormant credentials in Fortinet VPN, PTC Windchill, or GitHub Enterprise from prior Pioneer Kitten campaigns" </li> <li> Detection: Audit VPN authentication logs for accounts with no activity &gt;60 days that suddenly authenticate; review GitHub Enterprise audit logs for repository access from unexpected geolocations </li> <li> Action: Force credential rotation on all edge device service accounts; enable MFA enforcement gaps audit </li> </ul> <p> <strong> SharePoint RCE Exploitation &mdash; CVE-2026-45659 ( </strong> <strong> T1190 </strong> <strong> ) </strong> </p> <ul> <li> Hunt hypothesis: "Unpatched SharePoint servers are being exploited via CVE-2026-45659 for initial access" </li> <li> Detection: SharePoint ULS logs for anomalous web part instantiation; IIS logs for exploitation signatures; CISA KEV compliance scan </li> <li> Action: Emergency patch; if patching delayed &gt;48h, implement WAF virtual patch or take offline </li> </ul> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services </strong> </h3> <p> <strong> Primary threat: </strong> Pioneer Kitten ransomware handoff model &mdash; Iranian actors gain access, sell to ransomware operators (LockBit affiliates on shared ASN 213790 infrastructure). </p> <p> <strong> Actions: </strong> </p> <ul> <li> Audit all Fortinet/Ivanti/Cisco edge device firmware and patch levels against CISA KEV </li> <li> Implement network segmentation between SWIFT/payment systems and general corporate network </li> <li> Enable enhanced monitoring on inter-bank communication channels for anomalous authentication </li> <li> Review cyber insurance policy exclusions for state-sponsored attacks disguised as ransomware </li> </ul> <h3> <strong> Energy </strong> </h3> <p> <strong> Primary threat: </strong> IOCONTROL/QUEUECAT (IRGC-CEC/Cyber Av3ngers) targeting Schneider/Siemens/Yokogawa ICS; Schneider EasyLogic/Saitel DP RTU vulnerabilities disclosed July 2. </p> <p> <strong> Actions: </strong> </p> <ul> <li> Patch Schneider EasyLogic T150 and Saitel DP RTU per CISA ICSA-26-181-04 within 7 days </li> <li> Verify EcoStruxure IT Data Center Expert patched per ICSA-26-181-03 </li> <li> Conduct firmware integrity verification on all RTUs and PLCs in OT environment </li> <li> Ensure OT network monitoring can detect IOCONTROL behavioral patterns (DNS tunneling to elf[.]iocontrol family) </li> <li> Test manual override procedures for critical processes in case of control system compromise </li> </ul> <h3> <strong> Healthcare </strong> </h3> <p> <strong> Primary threat: </strong> Iranian APT scanning from ASN 213790 explicitly targets healthcare sector (IP 192[.]253[.]248[.]169, confidence 97). Ransomware handoff risk is elevated. </p> <p> <strong> Actions: </strong> </p> <ul> <li> Block ASN 213790 IP ranges at perimeter; alert on any historical connections </li> <li> Ensure offline backups of EHR systems are current and tested (ransomware resilience) </li> <li> Audit remote access pathways (VPN, RDP, Citrix) for unnecessary exposure </li> <li> Implement application allowlisting on clinical workstations to prevent RAT execution </li> <li> Brief clinical engineering teams on medical device firmware integrity checks </li> </ul> <h3> <strong> Government </strong> </h3> <p> <strong> Primary threat: </strong> Multi-vector &mdash; credential phishing (UNC6496/SARAQAKIT), SharePoint RCE (CVE-2026-45659), surveillance (MarkiRAT), and pre-positioned access for destructive operations. </p> <p> <strong> Actions: </strong> </p> <ul> <li> Emergency patch SharePoint for CVE-2026-45659 &mdash; 10,000+ servers exposed globally </li> <li> Implement phishing-resistant MFA (FIDO2) for all privileged accounts; disable SMS/voice MFA </li> <li> Audit Azure AD/Entra ID for anomalous OAuth application grants from unexpected geolocations </li> <li> Review Conditional Access policies for gaps exploitable by Iranian IP ranges </li> <li> Conduct tabletop exercise for simultaneous wiper + data leak scenario (Iranian doctrine) </li> </ul> <h3> <strong> Aviation &amp; Logistics </strong> </h3> <p> <strong> Primary threat: </strong> Satellite communication terminal vulnerabilities (ST Engineering iDirect iQ-Series, CubeSpace reaction wheel) combined with Iranian interest in disrupting military and civilian C2 links. </p> <p> <strong> Actions: </strong> </p> <ul> <li> Audit all satellite terminal firmware against vendor baselines (CISA ICSA-26-183-01/02) </li> <li> Segment satellite ground station networks from corporate IT </li> <li> Implement out-of-band communication procedures in case of SATCOM disruption </li> <li> Review supply chain for any Iranian-manufactured or Iranian-transited components </li> <li> Monitor for anomalous satellite terminal behavior (unexpected firmware updates, configuration changes) </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> SOC </p> </td> <td> <p> Block MarkiRAT C2 domains at DNS/proxy: starvpn[.]pis2ray[.]online, microsoft[.]comi-site[.]website, min[.]comi-site[.]website, min[.]pis2ray[.]online, microsoft[.]pis2ray[.]online, c[.]pis2ray[.]online </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> Block/alert on IP 62[.]60[.]226[.]10 &mdash; validated Iranian C2 server (DarkComet RAT, retaliation-tagged) </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC </p> </td> <td> <p> Add IPs 192[.]253[.]248[.]55, 192[.]253[.]248[.]169, 77[.]90[.]185[.]253 to monitoring/block &mdash; active Iranian scanning </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Verify SharePoint patched for CVE-2026-45659; if unpatched, implement WAF rules or take offline </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> Executive </p> </td> <td> <p> Brief leadership on 3&times; escalation confirmation and 70% probability of destructive operations within 14 days </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Audit satellite terminals (ST Engineering iDirect iQ-Series) and RTUs (Schneider EasyLogic/Saitel DP) for firmware integrity </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Patch Schneider Electric EasyLogic T150, Saitel DP RTU, and EcoStruxure IT Data Center Expert per CISA advisories </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy detection rules for MarkiRAT/SCRAPWOOD behavioral indicators &mdash; VPN-themed lures, V2Ray proxy references, pis2ray[.]online DNS queries </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Force credential rotation on all edge device service accounts (Fortinet, Ivanti, Cisco) </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> IR </p> </td> <td> <p> Update incident response playbooks for simultaneous wiper + ransomware + data leak scenario </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission proactive threat hunt for dormant Iranian access in DIB contractor networks &mdash; focus on PTC Windchill, GitHub Enterprise, Fortinet VPN logs </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> Expand dark web and Telegram collection for Handala, Cyber Toufan, and AnonymousForJustice channels </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> CISO </p> </td> <td> <p> Conduct tabletop exercise simulating Iranian destructive attack: wiper deployment + simultaneous data leak + hacktivist IO amplification </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Implement network segmentation between OT/ICS and IT networks where gaps exist; validate air-gap integrity </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> Executive </p> </td> <td> <p> Review cyber insurance coverage for state-sponsored attacks; assess exclusion clauses for "acts of war" given confirmed state attribution </p> </td> </tr> </tbody> </table> <h2> <strong> IOC Blocking Table </strong> </h2> <p> The following IOCs are confirmed from intelligence collection and should be actioned immediately: </p> <table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192[.]253[.]248[.]55 </p> </td> <td> <p> Iranian APT scanning (ASN 213790) </p> </td> <td> <p> Block/Monitor </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192[.]253[.]248[.]169 </p> </td> <td> <p> Iranian APT scanning, healthcare/gov targeting (conf 97) </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 77[.]90[.]185[.]253 </p> </td> <td> <p> Iranian APT scanning, chemical sector (ASN 213790) </p> </td> <td> <p> Block/Monitor </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 171[.]22[.]27[.]16 </p> </td> <td> <p> Iranian-linked infrastructure (ASN 60631) </p> </td> <td> <p> Monitor </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 62[.]60[.]226[.]10 </p> </td> <td> <p> Validated C2 &mdash; DarkComet RAT, retaliation-tagged </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 95[.]38[.]16[.]220 </p> </td> <td> <p> Iranian-linked APT infrastructure </p> </td> <td> <p> Monitor </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> starvpn[.]pis2ray[.]online </p> </td> <td> <p> MarkiRAT C2 &mdash; VPN-themed lure </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> microsoft[.]comi-site[.]website </p> </td> <td> <p> MarkiRAT C2 &mdash; Microsoft impersonation </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> min[.]comi-site[.]website </p> </td> <td> <p> MarkiRAT C2 </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> min[.]pis2ray[.]online </p> </td> <td> <p> MarkiRAT C2 </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> microsoft[.]pis2ray[.]online </p> </td> <td> <p> MarkiRAT C2 &mdash; Microsoft impersonation </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> c[.]pis2ray[.]online </p> </td> <td> <p> MarkiRAT C2 </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> sonic05[.]irandns[.]com </p> </td> <td> <p> Iranian DNS infrastructure </p> </td> <td> <p> Monitor </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> 4bagh[.]net </p> </td> <td> <p> Iranian credential theft infrastructure </p> </td> <td> <p> Monitor </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> ftp[.]4bagh[.]net </p> </td> <td> <p> Iranian credential exfiltration </p> </td> <td> <p> Monitor </p> </td> </tr> </tbody> </table> <p> Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds. </p> <h2> <strong> The Bottom Line </strong> </h2> <p> Eighteen weeks into this conflict, we have moved from intelligence assessment to confirmed reality. The Israeli government has validated the 3&times; escalation. Fresh C2 infrastructure is being deployed weekly. Scanning operations target your sectors specifically. And the coordinated silence of Iran's most destructive groups &mdash; Handala, Pioneer Kitten, and BANISHED KITTEN &mdash; during peak escalation is not inactivity. It is preparation. MuddyWater's parallel silence, unusual for an MOIS collection apparatus this active in prior phases, compounds the concern. </p> <p> The 70% probability of destructive operations within 14 days is not a theoretical exercise. It is based on observed Iranian operational patterns: build access quietly, then execute destruction on political command. The next kinetic escalation event &mdash; a strike, a failed negotiation, a provocation &mdash; becomes the trigger. </p> <p> <strong> Your 24-hour checklist: </strong> </p> <ol> <li> Block the IOCs above </li> <li> Verify CVE-2026-45659 (SharePoint) is patched </li> <li> Brief your executive team on the threat level </li> <li> Confirm your IR playbook covers simultaneous wiper + data leak + IO scenarios </li> <li> Validate offline backup integrity for your most critical systems </li> </ol> <p> The window to prepare is closing. Act now. </p> <p> <em> Anomali CTI Desk | 2026-07-06 </em> </p> <p> <em> For IOC feeds, YARA rules, and detection content supporting this analysis, contact your Anomali representative or access ThreatStream Next-Gen directly. </em> </p>

FEATURED RESOURCES

July 6, 2026
Anomali Cyber Watch

Iran's Cyber War Machine Hits 3× Surge: What CISOs Must Do Before the Next Strike

Read More
July 6, 2026
Anomali Cyber Watch
Public Sector

Critical Infrastructure Under Siege: SimpleHelp Exploitation, Cisco Vulnerabilities, and Holiday Weekend Ransomware Risk Converge on State Government Networks

Read More
July 6, 2026
No items found.

The Agentic SOC, Recognized: Anomali Wins a 2026 Hacker News Award

Read More
Explore All