<p> <strong> Threat Assessment Level: HIGH — ESCALATING </strong>
</p>
<p> The numbers are no longer estimates. On June 29, Israel's National Cyber Security Directorate chief publicly confirmed what threat intelligence teams have been tracking for months: Iranian cyberattacks tripled year-over-year, with approximately <strong> 4,800 hostile cyber incidents recorded in June 2026 alone </strong> — up from ~1,600 in June 2025. Eighteen weeks into the Iran-Israel/US cyber conflict that began February 28, 2026, we are witnessing the most sustained state-sponsored cyber escalation campaign since NotPetya.
</p>
<p> But here's what should keep you awake tonight: the absence of destructive operations during this surge isn't reassurance — it's a warning. Iranian operational doctrine builds access first, then executes destruction on political command. The IRGC's cyber units are pre-positioning. The question isn't <em> if </em> they'll strike — it's <em> when </em> and <em> where </em> .
</p>
<h2> <strong> What Changed This Week </strong>
</h2>
<p> The past seven days brought five developments that materially alter the threat landscape:
</p>
<ol> <li> <strong> Official validation of the escalation scale. </strong> Multiple independent outlets — Reuters, Jerusalem Post, The Next Web — confirmed the Israeli government's 3× surge figure. This transforms what was previously an intelligence assessment into established fact. </li> <li> <strong> Fresh Iranian surveillance infrastructure went live. </strong> On July 2, a new cluster of command-and-control domains impersonating Microsoft services and VPN providers was identified, delivering MarkiRAT (aka SCRAPWOOD) — a surveillance tool historically used by IRGC-affiliated actors against dissidents, journalists, and opposition figures. </li> <li> <strong> A validated C2 server was tagged for "retaliation window" operations. </strong> A European-hosted server (Germany, ASN 214351) was confirmed as an active Iranian-linked C2 node deploying DarkComet RAT, explicitly tagged by intelligence sources with the assessment: "Iran declares ceasefire over — cyber retaliation window opens for critical infrastructure." </li> <li> <strong> Pioneer Kitten ransomware convergence confirmed on shared infrastructure. </strong> ASN 213790 (Tehran) now hosts IPs tagged simultaneously to Iranian state actors, LockBit ransomware operations, and Pinchy Spider — reflecting the documented Pioneer Kitten (UNC757) model of selling initial access to ransomware operators and deliberately complicating attribution. </li> <li> <strong> CISA disclosed ICS/OT vulnerabilities directly relevant to Iranian targeting. </strong> July 2 advisories cover satellite attitude control hardware (CubeSpace), satellite terminal access (ST Engineering iDirect), remote terminal units (Schneider Electric), and storage systems — expanding the attack surface at a critical moment in the conflict. </li>
</ol>
<h2> <strong> Conflict & Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2026-02-28 </p> </td> <td> <p> Iran-Israel/US cyber conflict begins </p> </td> <td> <p> Initiating event — 18 weeks ago </p> </td> </tr> <tr> <td> <p> 2026-06-08–29 </p> </td> <td> <p> ASN 213790 (Tehran) scanning activity sustained </p> </td> <td> <p> Iranian APT reconnaissance targeting government, healthcare, telecom, chemical sectors </p> </td> </tr> <tr> <td> <p> 2026-06-22 </p> </td> <td> <p> Alhurra exposé reveals IRGC cyber unit structure </p> </td> <td> <p> Opposition sources confirm organizational readiness of IRGC cyber warfare network </p> </td> </tr> <tr> <td> <p> 2026-06-24–25 </p> </td> <td> <p> IOCONTROL/QUEUECAT ICS malware refreshed </p> </td> <td> <p> IRGC-CEC (Cyber Av3ngers) maintaining OT-destructive capability </p> </td> </tr> <tr> <td> <p> 2026-06-29 </p> </td> <td> <p> Israeli NCSD chief confirms 3× cyberattack surge </p> </td> <td> <p> ~4,800 incidents in June 2026; official government validation </p> </td> </tr> <tr> <td> <p> 2026-07-01 </p> </td> <td> <p> DHS HSIN breach confirmed; CVE-2026-45659 added to CISA KEV </p> </td> <td> <p> SharePoint RCE actively exploited across 10,000+ servers </p> </td> </tr> <tr> <td> <p> 2026-07-02 </p> </td> <td> <p> MarkiRAT C2 infrastructure refresh (6 new domains) </p> </td> <td> <p> VPN/Microsoft-themed lures for surveillance tool delivery </p> </td> </tr> <tr> <td> <p> 2026-07-02 </p> </td> <td> <p> CISA ICS advisories: satellite, RTU, IoT, storage </p> </td> <td> <p> CubeSpace firmware upload, iDirect terminal access, Schneider RTU exposure </p> </td> </tr> <tr> <td> <p> 2026-07-03–04 </p> </td> <td> <p> UNC6496 confirmed active; UNC5855/AnonymousForJustice latest IOC </p> </td> <td> <p> IRGC-affiliated phishing kits SARAQAKIT/SILENTRAQIB deployed </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> The IRGC's Expanding C2 Footprint </strong>
</h3>
<p> Iranian actors are aggressively building out command-and-control infrastructure. Six new domains on the pis2ray[.]online and comi-site[.]website families were identified on July 2, all impersonating Microsoft services or VPN providers. The naming convention — "pis2ray" likely references V2Ray, a popular proxy tool — suggests lures targeting populations that use VPNs to circumvent censorship.
</p>
<p> The malware being delivered is <strong> MarkiRAT </strong> (Google TAG designation: SCRAPWOOD), a Windows surveillance tool with keylogging, screen capture, and file exfiltration capabilities. While historically used against dissidents, the infrastructure scale suggests potential expansion to broader espionage targets.
</p>
<p> <strong> Simultaneously </strong> , a Tehran-based ASN (213790, "Limited Network") continues hosting active scanning infrastructure. Three IPs on this ASN — rated at 90–97 confidence — are conducting reconnaissance against government, healthcare, telecommunications, and chemical sector targets using non-standard ports (T1571) and application-layer protocols (T1071).
</p>
<h3> <strong> Multi-Actor Infrastructure Convergence </strong>
</h3>
<p> A troubling development: ASN 213790 now hosts IPs tagged to Iranian state actors, LockBit ransomware operations, AND Pinchy Spider (GandCrab/REvil lineage). This isn't coincidental — it reflects the documented <strong> Pioneer Kitten </strong> (UNC757) operational model where IRGC-affiliated actors sell initial access to ransomware operators.
</p>
<p> This convergence means:
</p>
<ul> <li> Attribution becomes deliberately harder </li> <li> A "ransomware" incident may actually be state-directed destruction </li> <li> Defenders cannot dismiss Iranian-origin scanning as merely criminal </li>
</ul>
<h3> <strong> The Retaliation Pre-Positioning Phase </strong>
</h3>
<p> The validated C2 server at 62[.]60[.]226[.]10 (hosted in Germany on ASN 214351) represents something more concerning than routine espionage. Tagged by Recorded Future as "Recently-Linked-to-APT" and explicitly associated with Iran's post-ceasefire retaliation posture, this server is deploying <strong> DarkComet RAT </strong> — a remote access tool that provides full system control including file manipulation, credential theft, and destructive capability.
</p>
<p> The server also runs <strong> Keitaro TDS </strong> (Traffic Distribution System), which enables operators to selectively redirect victims based on geography, browser, or other fingerprinting — a hallmark of targeted operations rather than opportunistic campaigns.
</p>
<h3> <strong> ICS/OT Attack Surface Expanding at the Worst Possible Time </strong>
</h3>
<p> CISA's July 2 advisory batch disclosed vulnerabilities in systems directly relevant to Iranian targeting:
</p>
<ul> <li> <strong> CubeSpace CW0057 Reaction Wheel </strong> : Arbitrary firmware upload to satellite attitude control hardware </li> <li> <strong> ST Engineering iDirect iQ-Series Terminals </strong> : Unauthorized access to satellite terminal information </li> <li> <strong> Schneider Electric EasyLogic T150 / Saitel DP RTU </strong> : Sensitive data exposure in remote terminal units </li> <li> <strong> StoneFly Storage Concentrator </strong> : Arbitrary command execution </li>
</ul>
<p> The convergence of satellite system vulnerabilities with Iran's known interest in disrupting military command-and-control makes space-ground segment security an urgent priority.
</p>
<h2> <strong> Named Threat Actors & Attribution </strong>
</h2>
<p> The following groups are confirmed active or maintaining operational readiness:
</p>
<table> <thead> <tr> <th> <p> <strong> Actor </strong> </p> </th> <th> <p> <strong> Affiliation </strong> </p> </th> <th> <p> <strong> Current Activity </strong> </p> </th> <th> <p> <strong> Primary Targets </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> APT42 / Charming Kitten </strong> </p> </td> <td> <p> IRGC-IO </p> </td> <td> <p> Adjacent to UNC6496 phishing operations </p> </td> <td> <p> Government, think tanks, media </p> </td> </tr> <tr> <td> <p> <strong> UNC6496 </strong> </p> </td> <td> <p> IRGC </p> </td> <td> <p> Active — deploying SARAQAKIT/SILENTRAQIB phishing kits </p> </td> <td> <p> Credential harvesting at scale </p> </td> </tr> <tr> <td> <p> <strong> UNC5855 / AnonymousForJustice </strong> </p> </td> <td> <p> IRGC (hacktivist front) </p> </td> <td> <p> Latest IOC July 3–4 </p> </td> <td> <p> <strong> Critical infrastructure, IO </strong> </p> </td> </tr> <tr> <td> <p> <strong> Pioneer Kitten / UNC757 </strong> </p> </td> <td> <p> IRGC </p> </td> <td> <p> Scanning phase (ASN 213790); ransomware handoff model </p> </td> <td> <p> Edge devices, VPNs, then ransomware </p> </td> </tr> <tr> <td> <p> <strong> Cyber Av3ngers / HYDRO KITTEN </strong> </p> </td> <td> <p> IRGC-CEC </p> </td> <td> <p> IOCONTROL/QUEUECAT malware refreshed June 24–25 </p> </td> <td> <p> ICS/OT — water, energy </p> </td> </tr> <tr> <td> <p> <strong> BANISHED KITTEN / Cotton Sandstorm </strong> </p> </td> <td> <p> IRGC </p> </td> <td> <p> Operational readiness maintained </p> </td> <td> <p> Destructive operations </p> </td> </tr> <tr> <td> <p> <strong> MuddyWater / TEMP.Zagros </strong> </p> </td> <td> <p> MOIS </p> </td> <td> <p> Anomalous silence (pre-strike indicator) </p> </td> <td> <p> Government, telecom, energy </p> </td> </tr> <tr> <td> <p> <strong> UNC2428 </strong> </p> </td> <td> <p> IRGC </p> </td> <td> <p> Tracked — operational status unclear </p> </td> <td> <p> Defense industrial base </p> </td> </tr> <tr> <td> <p> <strong> Handala </strong> </p> </td> <td> <p> IRGC-directed </p> </td> <td> <p> Anomalous silence (pre-strike indicator) </p> </td> <td> <p> Israeli targets, IO/destruction </p> </td> </tr> </tbody>
</table>
<p> <strong> Critical absence signal: </strong> MuddyWater, Handala, and Pioneer Kitten are simultaneously silent during a confirmed 3× escalation. Historically, coordinated silence across Iranian groups precedes destructive operations.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Trigger </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Iranian destructive operation (wiper/ransomware) against Israeli or Gulf targets </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> Within 14 days </p> </td> <td> <p> Next kinetic escalation event </p> </td> </tr> <tr> <td> <p> Pioneer Kitten ransomware handoff using ASN 213790 access </p> </td> <td> <p> <strong> 60% </strong> </p> </td> <td> <p> Within 21 days </p> </td> <td> <p> Access maturation in healthcare/government networks </p> </td> </tr> <tr> <td> <p> IOCONTROL/QUEUECAT deployment against water/energy OT </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> Within 30 days </p> </td> <td> <p> Political command following ceasefire collapse </p> </td> </tr> <tr> <td> <p> Dormant DIB access activation (PTC Windchill, Fortinet VPN) </p> </td> <td> <p> <strong> 55% </strong> </p> </td> <td> <p> Within 21 days </p> </td> <td> <p> Escalation in US-Iran tensions </p> </td> </tr> <tr> <td> <p> MarkiRAT campaign expansion beyond dissidents to government/corporate targets </p> </td> <td> <p> <strong> 45% </strong> </p> </td> <td> <p> Within 14 days </p> </td> <td> <p> Infrastructure already deployed </p> </td> </tr> <tr> <td> <p> Satellite/space-ground segment attack leveraging CISA-disclosed vulnerabilities </p> </td> <td> <p> <strong> 30% </strong> </p> </td> <td> <p> Within 60 days </p> </td> <td> <p> Requires capability development beyond current known TTPs </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Immediate Detection Priorities </strong>
</h3>
<p> <strong> DNS/Proxy Monitoring — MarkiRAT C2 ( </strong> <strong> T1071.001 </strong> <strong> , </strong> <strong> T1583.001 </strong> <strong> ) </strong>
</p>
<ul> <li> Hunt hypothesis: "Endpoints resolving domains on pis2ray[.]online or comi-site[.]website families are communicating with Iranian surveillance C2" </li> <li> Detection: DNS query logs for any subdomain of pis2ray[.]online or comi-site[.]website </li> <li> Action: Block at DNS resolver and web proxy; alert on any historical resolution </li>
</ul>
<p> <strong> Network Telemetry — Iranian APT Scanning ( </strong> <strong> T1595.001 </strong> <strong> , </strong> <strong> T1571 </strong> <strong> ) </strong>
</p>
<ul> <li> Hunt hypothesis: "Inbound connections from ASN 213790 (Limited Network, Tehran) indicate active Iranian reconnaissance" </li> <li> Detection: Firewall/IDS alerts for source IPs 192[.]253[.]248[.]55, 192[.]253[.]248[.]169, 77[.]90[.]185[.]253 on non-standard ports </li> <li> Action: Block inbound; investigate any established sessions in last 30 days </li>
</ul>
<p> <strong> C2 Beaconing — DarkComet RAT ( </strong> <strong> T1071.001 </strong> <strong> , </strong> <strong> T1105 </strong> <strong> , </strong> <strong> T1219 </strong> <strong> ) </strong>
</p>
<ul> <li> Hunt hypothesis: "Outbound connections to 62[.]60[.]226[.]10 indicate active DarkComet RAT compromise" </li> <li> Detection: Network flow data for destination IP 62[.]60[.]226[.]10; DarkComet behavioral signatures (mutex patterns, registry keys) </li> <li> Action: Immediate isolation of any communicating endpoint; full forensic triage </li>
</ul>
<p> <strong> VPN-Themed Phishing ( </strong> <strong> T1566.002 </strong> <strong> , </strong> <strong> T1036.005 </strong> <strong> ) </strong>
</p>
<ul> <li> Hunt hypothesis: "Phishing emails referencing VPN services or Microsoft authentication that link to pis2ray[.]online infrastructure deliver MarkiRAT" </li> <li> Detection: Email gateway rules for URLs containing pis2ray, comi-site; user-reported phishing with VPN themes </li> <li> Action: Quarantine; extract and block additional infrastructure from email headers </li>
</ul>
<h3> <strong> Ongoing Hunting Campaigns </strong>
</h3>
<p> <strong> ICS/OT Firmware Integrity ( </strong> <strong> T1542.004 </strong> <strong> , </strong> <strong> T0839 </strong> <strong> ) </strong>
</p>
<ul> <li> Hunt hypothesis: "Satellite communication terminals or RTUs have received unauthorized firmware modifications" </li> <li> Detection: Compare firmware hashes against vendor-published baselines for ST Engineering iDirect, CubeSpace, Schneider EasyLogic/Saitel DP </li> <li> Action: Isolate any device with firmware mismatch; engage vendor for validation </li>
</ul>
<p> <strong> Dormant Access Detection ( </strong> <strong> T1078 </strong> <strong> — Valid Accounts) </strong>
</p>
<ul> <li> Hunt hypothesis: "Iranian actors hold dormant credentials in Fortinet VPN, PTC Windchill, or GitHub Enterprise from prior Pioneer Kitten campaigns" </li> <li> Detection: Audit VPN authentication logs for accounts with no activity >60 days that suddenly authenticate; review GitHub Enterprise audit logs for repository access from unexpected geolocations </li> <li> Action: Force credential rotation on all edge device service accounts; enable MFA enforcement gaps audit </li>
</ul>
<p> <strong> SharePoint RCE Exploitation — CVE-2026-45659 ( </strong> <strong> T1190 </strong> <strong> ) </strong>
</p>
<ul> <li> Hunt hypothesis: "Unpatched SharePoint servers are being exploited via CVE-2026-45659 for initial access" </li> <li> Detection: SharePoint ULS logs for anomalous web part instantiation; IIS logs for exploitation signatures; CISA KEV compliance scan </li> <li> Action: Emergency patch; if patching delayed >48h, implement WAF virtual patch or take offline </li>
</ul>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services </strong>
</h3>
<p> <strong> Primary threat: </strong> Pioneer Kitten ransomware handoff model — Iranian actors gain access, sell to ransomware operators (LockBit affiliates on shared ASN 213790 infrastructure).
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Audit all Fortinet/Ivanti/Cisco edge device firmware and patch levels against CISA KEV </li> <li> Implement network segmentation between SWIFT/payment systems and general corporate network </li> <li> Enable enhanced monitoring on inter-bank communication channels for anomalous authentication </li> <li> Review cyber insurance policy exclusions for state-sponsored attacks disguised as ransomware </li>
</ul>
<h3> <strong> Energy </strong>
</h3>
<p> <strong> Primary threat: </strong> IOCONTROL/QUEUECAT (IRGC-CEC/Cyber Av3ngers) targeting Schneider/Siemens/Yokogawa ICS; Schneider EasyLogic/Saitel DP RTU vulnerabilities disclosed July 2.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Patch Schneider EasyLogic T150 and Saitel DP RTU per CISA ICSA-26-181-04 within 7 days </li> <li> Verify EcoStruxure IT Data Center Expert patched per ICSA-26-181-03 </li> <li> Conduct firmware integrity verification on all RTUs and PLCs in OT environment </li> <li> Ensure OT network monitoring can detect IOCONTROL behavioral patterns (DNS tunneling to elf[.]iocontrol family) </li> <li> Test manual override procedures for critical processes in case of control system compromise </li>
</ul>
<h3> <strong> Healthcare </strong>
</h3>
<p> <strong> Primary threat: </strong> Iranian APT scanning from ASN 213790 explicitly targets healthcare sector (IP 192[.]253[.]248[.]169, confidence 97). Ransomware handoff risk is elevated.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Block ASN 213790 IP ranges at perimeter; alert on any historical connections </li> <li> Ensure offline backups of EHR systems are current and tested (ransomware resilience) </li> <li> Audit remote access pathways (VPN, RDP, Citrix) for unnecessary exposure </li> <li> Implement application allowlisting on clinical workstations to prevent RAT execution </li> <li> Brief clinical engineering teams on medical device firmware integrity checks </li>
</ul>
<h3> <strong> Government </strong>
</h3>
<p> <strong> Primary threat: </strong> Multi-vector — credential phishing (UNC6496/SARAQAKIT), SharePoint RCE (CVE-2026-45659), surveillance (MarkiRAT), and pre-positioned access for destructive operations.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Emergency patch SharePoint for CVE-2026-45659 — 10,000+ servers exposed globally </li> <li> Implement phishing-resistant MFA (FIDO2) for all privileged accounts; disable SMS/voice MFA </li> <li> Audit Azure AD/Entra ID for anomalous OAuth application grants from unexpected geolocations </li> <li> Review Conditional Access policies for gaps exploitable by Iranian IP ranges </li> <li> Conduct tabletop exercise for simultaneous wiper + data leak scenario (Iranian doctrine) </li>
</ul>
<h3> <strong> Aviation & Logistics </strong>
</h3>
<p> <strong> Primary threat: </strong> Satellite communication terminal vulnerabilities (ST Engineering iDirect iQ-Series, CubeSpace reaction wheel) combined with Iranian interest in disrupting military and civilian C2 links.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Audit all satellite terminal firmware against vendor baselines (CISA ICSA-26-183-01/02) </li> <li> Segment satellite ground station networks from corporate IT </li> <li> Implement out-of-band communication procedures in case of SATCOM disruption </li> <li> Review supply chain for any Iranian-manufactured or Iranian-transited components </li> <li> Monitor for anomalous satellite terminal behavior (unexpected firmware updates, configuration changes) </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> SOC </p> </td> <td> <p> Block MarkiRAT C2 domains at DNS/proxy: starvpn[.]pis2ray[.]online, microsoft[.]comi-site[.]website, min[.]comi-site[.]website, min[.]pis2ray[.]online, microsoft[.]pis2ray[.]online, c[.]pis2ray[.]online </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> Block/alert on IP 62[.]60[.]226[.]10 — validated Iranian C2 server (DarkComet RAT, retaliation-tagged) </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC </p> </td> <td> <p> Add IPs 192[.]253[.]248[.]55, 192[.]253[.]248[.]169, 77[.]90[.]185[.]253 to monitoring/block — active Iranian scanning </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Verify SharePoint patched for CVE-2026-45659; if unpatched, implement WAF rules or take offline </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> Executive </p> </td> <td> <p> Brief leadership on 3× escalation confirmation and 70% probability of destructive operations within 14 days </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Audit satellite terminals (ST Engineering iDirect iQ-Series) and RTUs (Schneider EasyLogic/Saitel DP) for firmware integrity </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Patch Schneider Electric EasyLogic T150, Saitel DP RTU, and EcoStruxure IT Data Center Expert per CISA advisories </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy detection rules for MarkiRAT/SCRAPWOOD behavioral indicators — VPN-themed lures, V2Ray proxy references, pis2ray[.]online DNS queries </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Force credential rotation on all edge device service accounts (Fortinet, Ivanti, Cisco) </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> IR </p> </td> <td> <p> Update incident response playbooks for simultaneous wiper + ransomware + data leak scenario </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission proactive threat hunt for dormant Iranian access in DIB contractor networks — focus on PTC Windchill, GitHub Enterprise, Fortinet VPN logs </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> Expand dark web and Telegram collection for Handala, Cyber Toufan, and AnonymousForJustice channels </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> CISO </p> </td> <td> <p> Conduct tabletop exercise simulating Iranian destructive attack: wiper deployment + simultaneous data leak + hacktivist IO amplification </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Implement network segmentation between OT/ICS and IT networks where gaps exist; validate air-gap integrity </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> Executive </p> </td> <td> <p> Review cyber insurance coverage for state-sponsored attacks; assess exclusion clauses for "acts of war" given confirmed state attribution </p> </td> </tr> </tbody>
</table>
<h2> <strong> IOC Blocking Table </strong>
</h2>
<p> The following IOCs are confirmed from intelligence collection and should be actioned immediately:
</p>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192[.]253[.]248[.]55 </p> </td> <td> <p> Iranian APT scanning (ASN 213790) </p> </td> <td> <p> Block/Monitor </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192[.]253[.]248[.]169 </p> </td> <td> <p> Iranian APT scanning, healthcare/gov targeting (conf 97) </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 77[.]90[.]185[.]253 </p> </td> <td> <p> Iranian APT scanning, chemical sector (ASN 213790) </p> </td> <td> <p> Block/Monitor </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 171[.]22[.]27[.]16 </p> </td> <td> <p> Iranian-linked infrastructure (ASN 60631) </p> </td> <td> <p> Monitor </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 62[.]60[.]226[.]10 </p> </td> <td> <p> Validated C2 — DarkComet RAT, retaliation-tagged </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 95[.]38[.]16[.]220 </p> </td> <td> <p> Iranian-linked APT infrastructure </p> </td> <td> <p> Monitor </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> starvpn[.]pis2ray[.]online </p> </td> <td> <p> MarkiRAT C2 — VPN-themed lure </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> microsoft[.]comi-site[.]website </p> </td> <td> <p> MarkiRAT C2 — Microsoft impersonation </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> min[.]comi-site[.]website </p> </td> <td> <p> MarkiRAT C2 </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> min[.]pis2ray[.]online </p> </td> <td> <p> MarkiRAT C2 </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> microsoft[.]pis2ray[.]online </p> </td> <td> <p> MarkiRAT C2 — Microsoft impersonation </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> c[.]pis2ray[.]online </p> </td> <td> <p> MarkiRAT C2 </p> </td> <td> <p> Block </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> sonic05[.]irandns[.]com </p> </td> <td> <p> Iranian DNS infrastructure </p> </td> <td> <p> Monitor </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> 4bagh[.]net </p> </td> <td> <p> Iranian credential theft infrastructure </p> </td> <td> <p> Monitor </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> ftp[.]4bagh[.]net </p> </td> <td> <p> Iranian credential exfiltration </p> </td> <td> <p> Monitor </p> </td> </tr> </tbody>
</table>
<p> Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds.
</p>
<h2> <strong> The Bottom Line </strong>
</h2>
<p> Eighteen weeks into this conflict, we have moved from intelligence assessment to confirmed reality. The Israeli government has validated the 3× escalation. Fresh C2 infrastructure is being deployed weekly. Scanning operations target your sectors specifically. And the coordinated silence of Iran's most destructive groups — Handala, Pioneer Kitten, and BANISHED KITTEN — during peak escalation is not inactivity. It is preparation. MuddyWater's parallel silence, unusual for an MOIS collection apparatus this active in prior phases, compounds the concern.
</p>
<p> The 70% probability of destructive operations within 14 days is not a theoretical exercise. It is based on observed Iranian operational patterns: build access quietly, then execute destruction on political command. The next kinetic escalation event — a strike, a failed negotiation, a provocation — becomes the trigger.
</p>
<p> <strong> Your 24-hour checklist: </strong>
</p>
<ol> <li> Block the IOCs above </li> <li> Verify CVE-2026-45659 (SharePoint) is patched </li> <li> Brief your executive team on the threat level </li> <li> Confirm your IR playbook covers simultaneous wiper + data leak + IO scenarios </li> <li> Validate offline backup integrity for your most critical systems </li>
</ol>
<p> The window to prepare is closing. Act now.
</p>
<p> <em> Anomali CTI Desk | 2026-07-06 </em>
</p>
<p> <em> For IOC feeds, YARA rules, and detection content supporting this analysis, contact your Anomali representative or access ThreatStream Next-Gen directly. </em>
</p>