<p> <strong> Threat Assessment Level: HIGH </strong>
</p>
<h2> <strong> Introduction </strong>
</h2>
<p> We are now 107 days into the Iran-Israel conflict, and the intelligence picture is unambiguous: Iranian state-sponsored cyber operations are accelerating, not pausing, despite active ceasefire negotiations. This week, a CVSS 10.0 remote code execution vulnerability in Ivanti Sentry hit CISA's Known Exploited Vulnerabilities catalog with a public proof-of-concept — and the Iranian threat group most likely to weaponize it has a documented history of exploiting Ivanti products within 72 hours of PoC availability.
</p>
<p> Simultaneously, fresh phishing infrastructure impersonating military career portals confirms that Defense Industrial Base (DIB) pre-positioning continues unabated. A 46-day silence from CyberAv3ngers, Iran's ICS/OT-focused proxy, combined with the return of Handala, the group that wiped 200,000 endpoints in a single operation in March, is not reassuring. It's alarming.
</p>
<p> If your organization operates in defense, energy, healthcare, financial services, government, or critical infrastructure, this report demands your immediate attention.
</p>
<h2> <strong> What Changed (June 11–15, 2026) </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> June 11 </p> </td> <td> <p> CVE-2026-10520 (Ivanti Sentry, CVSS 10.0) added to CISA KEV </p> </td> <td> <p> Unauthenticated root-level RCE; public PoC published by WatchTowr Labs </p> </td> </tr> <tr> <td> <p> June 12 </p> </td> <td> <p> CVE-2026-35273 (Oracle PeopleSoft, CVSS 9.8) added to CISA KEV </p> </td> <td> <p> Unauthenticated RCE affecting PeopleSoft 8.61/8.62 — widely deployed in HR/ERP </p> </td> </tr> <tr> <td> <p> June 12 </p> </td> <td> <p> Handala (Void Manticore) broke 9-day silence </p> </td> <td> <p> Claimed FBI drone breach; issued threats against FIFA World Cup teams and US military personnel </p> </td> </tr> <tr> <td> <p> June 14 </p> </td> <td> <p> Handala actor profile refreshed in threat intelligence feeds </p> </td> <td> <p> Targeting expanded to 17 countries across 8 industry verticals </p> </td> </tr> <tr> <td> <p> June 14 </p> </td> <td> <p> Fresh SOCKS proxy infrastructure provisioned on Qeshm Island ISP (ASN 43395) </p> </td> <td> <p> Coincides with expected ceasefire agreement signing — pre-positioning indicator </p> </td> </tr> <tr> <td> <p> June 15 </p> </td> <td> <p> mtcareers.myftp[.]org confirmed as active Iranian phishing domain </p> </td> <td> <p> Military/defense career impersonation — DIB targeting during peace talks </p> </td> </tr> <tr> <td> <p> June 15 </p> </td> <td> <p> US Government suspends Anthropic Fable 5 and Mythos 5 AI models </p> </td> <td> <p> Jailbreak vulnerabilities enabling cyberattack generation; export controls applied </p> </td> </tr> <tr> <td> <p> June 15 </p> </td> <td> <p> CVE-2026-42271 (LiteLLM, CVSS 8.8) confirmed in KEV </p> </td> <td> <p> Authenticated RCE in AI proxy infrastructure via MCP stdio transport </p> </td> </tr> <tr> <td> <p> Ongoing </p> </td> <td> <p> CyberAv3ngers — 46 days of operational silence during active conflict </p> </td> <td> <p> <strong> Anomalous gap for an ICS/OT-focused group; probability of high-impact resurgence increases daily </strong> </p> </td> </tr> <tr> <td> <p> June 14 </p> </td> <td> <p> Iranian Mirai/Bashlite botnet staging confirmed on 94.156.152[.]234 </p> </td> <td> <p> <strong> Multi-architecture IoT binaries with Iran-themed naming; volumetric DDoS (flooding) capability against critical infrastructure </strong> </p> </td> </tr> </tbody>
</table>
<h2> <strong> Conflict & Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event Type </strong> </p> </th> <th> <p> <strong> Detail </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Feb 28, 2026 </p> </td> <td> <p> Conflict onset </p> </td> <td> <p> Iran-Israel hostilities escalate to sustained cyber-kinetic operations </p> </td> </tr> <tr> <td> <p> Mar 11, 2026 </p> </td> <td> <p> Destructive attack </p> </td> <td> <p> Handala/Void Manticore wipes 200,000 endpoints at Stryker </p> </td> </tr> <tr> <td> <p> Apr 30, 2026 </p> </td> <td> <p> Last known activity </p> </td> <td> <p> CyberAv3ngers last confirmed operation — now 46 days silent </p> </td> </tr> <tr> <td> <p> Jun 8, 2026 </p> </td> <td> <p> Actor emergence </p> </td> <td> <p> UNC6077/Berry Sandstorm (aka Unk_craftycamel) newly tracked — zero campaign visibility </p> </td> </tr> <tr> <td> <p> Jun 11, 2026 </p> </td> <td> <p> Vulnerability weaponization </p> </td> <td> <p> CVE-2026-10520 (CVSS 10.0) added to KEV with public PoC </p> </td> </tr> <tr> <td> <p> Jun 12, 2026 </p> </td> <td> <p> Vulnerability weaponization </p> </td> <td> <p> CVE-2026-35273 (CVSS 9.8) added to KEV </p> </td> </tr> <tr> <td> <p> Jun 12, 2026 </p> </td> <td> <p> Threat actor activity </p> </td> <td> <p> Handala resurfaces with threats against Western targets </p> </td> </tr> <tr> <td> <p> Jun 14, 2026 </p> </td> <td> <p> Infrastructure staging </p> </td> <td> <p> SOCKS proxy infrastructure on Qeshm Island ISP; Handala profile update </p> </td> </tr> <tr> <td> <p> Jun 15, 2026 </p> </td> <td> <p> Active phishing </p> </td> <td> <p> mtcareers.myftp[.]org — Iranian DIB career impersonation confirmed active </p> </td> </tr> <tr> <td> <p> Jun 15, 2026 </p> </td> <td> <p> AI threat escalation </p> </td> <td> <p> Anthropic models suspended; LiteLLM CVE-2026-42271 in KEV </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. Pioneer Kitten and the Ivanti Sentry Crisis (CVE-2026-10520) </strong>
</h3>
<p> <strong> Pioneer Kitten </strong> (MOIS-adjacent, also tracked as Fox Kitten/UNC757) has a documented pattern of exploiting Ivanti products within 72 hours of proof-of-concept availability. CVE-2026-10520 is an OS command injection vulnerability in Ivanti Sentry, the in-line gateway that fronts managed mobile-device traffic for Ivanti EPMM environments. It affects builds prior to R10.5.2, R10.6.2, and R10.7.1 and grants unauthenticated attackers root-level command execution. Treat any build older than the fixed release for its branch, and any older branch with no listed fix, as vulnerable until the vendor advisory says otherwise.
</p>
<p> The combination of:
</p>
<ul> <li> CVSS 10.0 severity </li> <li> Public PoC (WatchTowr Labs, published on GitHub) </li> <li> CISA KEV listing (June 11) </li> <li> Pioneer Kitten's historical exploitation pattern </li>
</ul>
<p> ...creates an <strong> imminent exploitation window </strong> . Ivanti Sentry is widely deployed across government agencies and DIB contractors as the gateway that brokers mobile-device access to backend services — precisely the environments Pioneer Kitten targets for initial access brokering.
</p>
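<p> A quick patch-triage check for the fixed versions named above, written as an added example for this advisory (it is not Ivanti tooling). It assumes a hypothetical version-string format of "R10.6.1" or "10.6.1", treats a build as vulnerable when it is older than the fix for its own branch, and treats a branch with no listed fix (10.4.x, for instance) as vulnerable when it is older than the newest fix. The inventory is constructed sample data. </p>

```python
"""Patch triage for the Ivanti Sentry fixed versions named in this report
(R10.5.2, R10.6.2, R10.7.1).

Added example for this advisory, not Ivanti tooling. Assumptions (hypothetical):
version strings look like "R10.6.1" or "10.6.1"; a build on a branch with its own
fixed release is vulnerable if it is older than that fix; a build on a branch with
no listed fix (e.g. 10.4.x) is vulnerable if it is older than the newest fix.
The inventory below is constructed sample data.
"""
import re

# Fixed releases from the report, keyed by (major, minor) branch.
FIXED_VERSIONS = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}
_VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)$")


def parse_version(s: str) -> tuple:
    """Turn 'R10.6.1' / '10.6.1' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Sentry version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if the build predates the fix for its branch (or all listed fixes)."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    # Branch not named in the advisory: older than every fixed release means
    # vulnerable; newer than all of them is assumed to carry the fix. When the
    # vendor advisory lists more branches than this report, extend FIXED_VERSIONS.
    return v < max(FIXED_VERSIONS.values())


def triage(inventory: dict) -> dict:
    """Split a {hostname: version} inventory into patch_now / ok buckets."""
    result = {"patch_now": [], "ok": []}
    for host, ver in inventory.items():
        result["patch_now" if is_vulnerable(ver) else "ok"].append(host)
    return result


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "sentry-dc1.example.internal": "R10.6.1",
    "sentry-dc2.example.internal": "R10.6.2",
    "sentry-lab.example.internal": "10.4.3",
    "sentry-new.example.internal": "R10.8.0",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

<p> Feed it the version strings from your asset inventory or from the Sentry System Manager; anything in the patch_now bucket goes to the 24-hour action list. The branch-aware comparison matters because a naive "is it below R10.7.1" check would wrongly flag a patched R10.6.2 host. </p>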
<h3> <strong> 2. Handala/Void Manticore — Expanded Scope, Undiminished Capability </strong>
</h3>
<p> <strong> Handala </strong> (aliases: UNC5203, HomeLandJustice, BANISHED KITTEN, DUNE) — the IRGC-affiliated group responsible for wiping 200,000 endpoints at Stryker on March 11 — has expanded its targeting to <strong> 17 countries across 8 industry verticals </strong> : construction, education, energy, financial services, government, healthcare, manufacturing, and technology.
</p>
<p> Their TTPs remain focused on maximum destruction:
</p>
<ul> <li> T1190: Exploiting public-facing applications for initial access </li> <li> T1485/T1486: Deploying wipers disguised as ransomware (data destruction presented as encryption for impact) </li> <li> T1565.001: Manipulating stored data </li> <li> T1491.002: External defacement for psychological impact </li>
</ul>
<p> The June 12 resurfacing with threats against FIFA World Cup teams and US military personnel signals continued intent to target Western interests.
</p>
<h3> <strong> 3. DIB Pre-Positioning via Career Portal Impersonation </strong>
</h3>
<p> The domain mtcareers.myftp[.]org (resolving to 52.204.228[.]76 on AWS) represents active Iranian phishing infrastructure targeting defense sector personnel. The "mtcareers" naming convention strongly suggests military technology career portal impersonation — a social engineering approach designed to harvest credentials from DIB contractor employees.
</p>
<p> Key characteristics:
</p>
<ul> <li> Hosted on AWS for legitimacy (ASN 14618) </li> <li> Registered via No-IP.com free DDNS — enables rapid infrastructure rotation </li> <li> Tagged by Recorded Future's Insikt Group as Iranian-attributed </li> <li> <strong> Active during ceasefire negotiations </strong> — confirming that diplomacy provides cover for accelerated pre-positioning </li>
</ul>
<h3> <strong> 4. CyberAv3ngers: 46 Days of Silence </strong>
</h3>
<p> <strong> CyberAv3ngers </strong> — the IRGC-affiliated group known for targeting ICS/OT systems (including the November 2023 Unitronics attacks against US water utilities) — has been silent for 46 days during an active conflict. This is anomalous and concerning.
</p>
<p> Historical pattern analysis suggests three possibilities:
</p>
<ul> <li> Persona rotation to evade tracking </li> <li> Preparation for a significant destructive operation </li> <li> Shift to new infrastructure not yet attributed </li>
</ul>
<p> The longer the silence, the higher the probability of a high-impact operation upon resurfacing.
</p>
<h3> <strong> 5. AI Weaponization: A Two-Vector Threat </strong>
</h3>
<p> The US Government's emergency suspension of Anthropic's Fable 5 and Mythos 5 models — combined with CVE-2026-42271 (LiteLLM, CVSS 8.8, authenticated RCE via MCP stdio transport) — creates a dual AI threat surface:
</p>
<ul> <li> <strong> Vector A: </strong> Exploiting AI infrastructure for network access (LiteLLM vulnerability) </li> <li> <strong> Vector B: </strong> Weaponizing AI models for capability development (jailbroken models generating exploit code) </li>
</ul>
<p> Iranian actors, particularly <strong> APT42/Charming Kitten </strong> , have demonstrated interest in AI tools for social engineering and exploit development. The US government's emergency response indicates this threat is assessed as imminent.
</p>
<h3> <strong> 6. Iranian Botnet Staging (Mirai/Bashlite) </strong>
</h3>
<p> IP 94.156.152[.]234 is hosting multi-architecture IoT botnet binaries with explicitly Iran-themed naming (iran.armv6l, iran.arm7). A Mirai/Bashlite-style botnet is a volumetric flooding capability (bots send the traffic themselves; this is not reflection or amplification) that could be directed at critical infrastructure during escalation windows, particularly OT/ICS environments where network flooding can cause physical disruption.
</p>
<h2> <strong> Named Threat Actors — Attribution Summary </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Actor </strong> </p> </th> <th> <p> <strong> Affiliation </strong> </p> </th> <th> <p> <strong> Primary Capability </strong> </p> </th> <th> <p> <strong> Current Status </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Handala / Void Manticore </strong> (UNC5203, BANISHED KITTEN, DUNE) </p> </td> <td> <p> IRGC </p> </td> <td> <p> Destructive wipers, defacement </p> </td> <td> <p> Active — profile refreshed June 14; threats issued June 12 </p> </td> </tr> <tr> <td> <p> <strong> CyberAv3ngers </strong> </p> </td> <td> <p> IRGC </p> </td> <td> <p> ICS/OT targeting, water/energy </p> </td> <td> <p> Silent 46 days — anomalous </p> </td> </tr> <tr> <td> <p> <strong> Pioneer Kitten </strong> (Fox Kitten, UNC757) </p> </td> <td> <p> MOIS-adjacent </p> </td> <td> <p> Initial access brokering, Ivanti exploitation </p> </td> <td> <p> Expected to exploit CVE-2026-10520 within 72h </p> </td> </tr> <tr> <td> <p> <strong> MuddyWater </strong> (TEMP.Zagros) </p> </td> <td> <p> MOIS </p> </td> <td> <p> Spearphishing, PowerShell backdoors </p> </td> <td> <p> Active — last confirmed update May 27 </p> </td> </tr> <tr> <td> <p> <strong> APT42 / Charming Kitten </strong> </p> </td> <td> <p> IRGC-IO </p> </td> <td> <p> Credential harvesting, social engineering, AI interest </p> </td> <td> <p> Active — AI weaponization concern </p> </td> </tr> <tr> <td> <p> <strong> UNC6077 / Berry Sandstorm </strong> (Unk_craftycamel) </p> </td> <td> <p> Suspected MOIS </p> </td> <td> <p> Unknown — newly tracked </p> </td> <td> <p> Zero campaign visibility — emerging actor </p> </td> </tr> </tbody>
</table>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Pioneer Kitten exploits CVE-2026-10520 against government/DIB Ivanti Sentry instances </p> </td> <td> <p> <strong> 75% </strong> </p> </td> <td> <p> Within 72 hours </p> </td> <td> <p> Historical pattern: exploits Ivanti within 72h of PoC; public PoC available; KEV-listed </p> </td> </tr> <tr> <td> <p> Additional Iran-attributed phishing domains using career/recruitment themes surface </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> mtcareers domain confirms active campaign; peace talks provide operational cover </p> </td> </tr> <tr> <td> <p> CyberAv3ngers break silence with ICS/OT targeting claim or destructive operation </p> </td> <td> <p> <strong> 35% </strong> </p> </td> <td> <p> 7–14 days </p> </td> <td> <p> 46-day silence during active conflict is anomalous; probability increases daily </p> </td> </tr> <tr> <td> <p> Handala deploys wiper against Western target following negotiation breakdown </p> </td> <td> <p> <strong> 25% </strong> </p> </td> <td> <p> Within 48h of breakdown </p> </td> <td> <p> Demonstrated capability (200K endpoints wiped March 11); expanded targeting scope </p> </td> </tr> <tr> <td> <p> Iranian actors weaponize jailbroken AI models for exploit generation </p> </td> <td> <p> <strong> 30% </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> APT42 interest in AI tools; Anthropic models suspended due to confirmed jailbreak vulnerabilities </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Detection Priorities </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> What to Monitor </strong> </p> </th> <th> <p> <strong> ATT&CK Technique </strong> </p> </th> <th> <p> <strong> Detection Logic </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> Ivanti Sentry exploitation attempts </p> </td> <td> <p> T1190, T1059.004 </p> </td> <td> <p> Monitor Ivanti Sentry logs for unauthenticated API calls to admin endpoints; alert on OS command injection patterns in HTTP parameters (shell metacharacters such as ; | &amp; ` $( ) and their URL-encoded forms) </p> </td> </tr> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> Phishing with military/defense career lures </p> </td> <td> <p> T1566.001, T1566.002 </p> </td> <td> <p> Email gateway rules for domains matching *careers* on free DDNS providers (No-IP, DuckDNS, DynDNS); inspect links to myftp.org subdomains </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> IoT botnet staging downloads </p> </td> <td> <p> T1584.005, T1059.004 </p> </td> <td> <p> Network detection for HTTP GETs to /bins.sh, /bot.*, or binaries with iran.* naming from IoT device subnets </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> LiteLLM MCP exploitation </p> </td> <td> <p> T1190 </p> </td> <td> <p> Monitor /mcp-rest/test/* endpoints for unexpected command execution; audit authenticated sessions for privilege abuse </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> Oracle PeopleSoft RCE attempts </p> </td> <td> <p> T1190 </p> </td> <td> <p> WAF rules for CVE-2026-35273 exploitation patterns against PeopleSoft 8.61/8.62 instances </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> Wiper deployment indicators </p> </td> <td> <p> T1485, T1486, T1565.001 </p> </td> <td> <p> Endpoint detection for mass file encryption/deletion patterns; monitor for MBR/VBR overwrites; alert on bulk file system changes </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> DDNS-based C2 communications </p> </td> <td> <p> T1568 (Dynamic Resolution), T1071.001 </p> </td> <td> <p> DNS analytics for high-frequency queries to free DDNS providers from internal hosts </p> </td> </tr> </tbody>
</table>
<h3> <strong> Hunting Hypotheses </strong>
</h3>
<ol> <li> <strong> Hypothesis: Pioneer Kitten has already scanned your Ivanti Sentry instances. </strong> <ul> <li> Hunt: Review Ivanti Sentry access logs for the past 7 days (14 days if retention allows, since pre-PoC scanning may have occurred). Look for unauthenticated requests to administrative API endpoints, particularly from IP ranges associated with Iranian hosting providers or VPN exit nodes. </li> <li> Technique: T1190, T1595.002 (Active Scanning: Vulnerability Scanning) </li> </ul> </li> <li> <strong> Hypothesis: Career-themed phishing emails have reached employee inboxes. </strong> <ul> <li> Hunt: Search email logs for messages containing "military careers," "defense careers," "mt careers," or links to myftp.org / No-IP.com subdomains. Check proxy logs for POST requests to these domains, which indicate credential submission. </li> <li> Technique: T1566.002, T1078 (Valid Accounts) </li> </ul> </li> <li> <strong> Hypothesis: IoT devices on your network are communicating with botnet C2. </strong> <ul> <li> Hunt: Query firewall, NetFlow and proxy logs for connections from IoT device segments to 94.156.152[.]234. Search for bins.sh or other shell script downloads from any external IP to IoT subnets. </li> <li> Technique: T1584.005, T1059.004 </li> </ul> </li> <li> <strong> Hypothesis: CyberAv3ngers have rotated to new infrastructure you haven't blocked. </strong> <ul> <li> Hunt: Review ICS/OT network segments for new outbound connections to previously unseen IPs/domains. Cross-reference with known CyberAv3ngers TTPs (Unitronics default credential abuse, T1078, T1133). </li> <li> Technique: T1133 (External Remote Services), T1078 </li> </ul> </li>
</ol>
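<p> The detection rules from the table above and hunting hypotheses 2 and 3, run over constructed sample logs. This is an added example for this report, not Anomali or vendor code. It assumes hypothetical log formats ("&lt;ts&gt; &lt;src_ip&gt; &lt;method&gt; &lt;url&gt; &lt;status&gt;" for the proxy, "&lt;ts&gt; &lt;src_ip&gt; &lt;qname&gt;" for DNS) and a hypothetical IoT VLAN of 10.50.0.0/16; only the indicators come from the report, every log line is made up. The Ivanti Sentry hypothesis is not simulated because no Sentry log format is given. </p>

```python
"""Detection rules from the table and hunting hypotheses above, run over
constructed sample logs.

Added example for this report, not Anomali or vendor code. Assumptions
(hypothetical): proxy log lines look like "<ts> <src_ip> <method> <url> <status>",
DNS log lines look like "<ts> <src_ip> <qname>", and 10.50.0.0/16 is the IoT VLAN.
Only the indicators (domain, staging IP, path and file-name patterns) come from
the report; every log line below is made up for the example.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Indicators from the report, refanged for matching.
PHISHING_DOMAINS = {"mtcareers.myftp.org"}
STAGING_IPS = {"94.156.152.234"}
# Free DDNS providers named in the report plus common No-IP zones.
FREE_DDNS_SUFFIXES = ("myftp.org", "no-ip.com", "no-ip.org", "ddns.net", "duckdns.org", "dyndns.org")
CAREER_WORDS = re.compile(r"career|recruit|jobs?", re.I)
# Botnet staging: /bins.sh, /bot.<arch> or an iran.<arch> binary at the end of the path.
STAGING_PATH = re.compile(r"/(bins\.sh|bot\.[\w-]+|iran\.[\w-]+)$", re.I)
IOT_PREFIX = "10.50."  # hypothetical IoT VLAN


def on_free_ddns(host: str) -> bool:
    host = host.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in FREE_DDNS_SUFFIXES)


def detect_proxy(lines):
    """Return (rule, src_ip, detail) tuples for the proxy-log rules."""
    alerts = []
    for line in lines:
        _ts, src, _method, url, _status = line.split()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Exact IOC match first, then the broader career-lure-on-DDNS heuristic.
        if host in PHISHING_DOMAINS:
            alerts.append(("ioc_phishing_domain", src, host))
        elif CAREER_WORDS.search(host) and on_free_ddns(host):
            alerts.append(("career_ddns_lure", src, host))
        # Staging downloads are only scored here when they come from the IoT segment.
        if src.startswith(IOT_PREFIX) and (host in STAGING_IPS or STAGING_PATH.search(parts.path)):
            alerts.append(("iot_staging", src, url))
    return alerts


def detect_dns(lines, threshold: int = 10):
    """Flag internal hosts querying one free-DDNS name at least `threshold` times."""
    counts = Counter()
    for line in lines:
        _ts, src, qname = line.split()
        qname = qname.rstrip(".").lower()
        if on_free_ddns(qname):
            counts[(src, qname)] += 1
    return [("ddns_beacon", src, q, n) for (src, q), n in sorted(counts.items()) if n >= threshold]


# Constructed sample logs (not real traffic).
SAMPLE_PROXY_LOG = [
    "2026-06-15T08:01:02Z 10.20.4.17 GET http://mtcareers.myftp.org/login 200",
    "2026-06-15T08:02:10Z 10.20.4.17 GET https://careers.example.com/apply 200",
    "2026-06-15T08:05:44Z 10.50.1.9 GET http://94.156.152.234/bins.sh 200",
    "2026-06-15T08:05:46Z 10.50.1.9 GET http://94.156.152.234/iran.armv6l 200",
    "2026-06-15T08:07:00Z 10.20.4.33 GET http://defense-careers.ddns.net/portal 200",
]
SAMPLE_DNS_LOG = (
    [f"2026-06-15T09:{i:02d}:00Z 10.20.4.55 abc123.ddns.net" for i in range(12)]
    + ["2026-06-15T09:30:00Z 10.20.4.17 mtcareers.myftp.org"]
    + [f"2026-06-15T09:{i:02d}:30Z 10.20.4.60 www.example.com" for i in range(5)]
)

if __name__ == "__main__":
    for alert in detect_proxy(SAMPLE_PROXY_LOG) + detect_dns(SAMPLE_DNS_LOG):
        print(alert)
```

<p> Two design points worth carrying into a real SIEM rule: the exact-IOC match is evaluated before the career-word heuristic so that a known domain is reported under its own rule rather than the fuzzy one, and the careers.example.com line is deliberately present to show that the heuristic fires only when the career theme and a free DDNS zone coincide. The DDNS beacon threshold (10 queries per source and name) is a starting point; tune it against a week of baseline DNS volume before alerting on it. </p>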
<h3> <strong> IOC Blocking Table </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Domain </p> </td> <td> <p> mtcareers.myftp[.]org </p> </td> <td> <p> Iranian DIB phishing — military career impersonation </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 52.204.228[.]76 </p> </td> <td> <p> Hosting for mtcareers phishing domain (AWS) </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 94.156.152[.]234 </p> </td> <td> <p> Mirai/Bashlite botnet staging — Iran-themed binaries </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> d3cdc3f18bbc5bb050ec5b212d7e28ae972185de8b3b7361f68bc4a53450ce49 </p> </td> <td> <p> Mirai/Bashlite multi-arch IoT botnet binary </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> Vpsvault[.]host </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> markherman.59veterans[.]com </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> b27[.]icu </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> sjrhs[.]org </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> mtscvs[.]com </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> mebeliotmasiv[.]com </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 91.132.228[.]133 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 45.198.224[.]214 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 84.32.214[.]103 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 45.207.163[.]89 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 115.190.225[.]63 </p> </td> <td> <p> C2 
infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 206.123.156[.]220 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 206.123.156[.]230 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 206.123.156[.]231 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 206.123.156[.]238 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192.253.248[.]169 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192.253.248[.]52 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192.253.248[.]55 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 185.93.89[.]43 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 172.94.9[.]250 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 192.253.248[.]181 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 217.60.241[.]17 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 62.60.226[.]42 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 45.86.5[.]225 </p> </td> <td> <p> C2 infrastructure </p> </td> </tr> </tbody>
</table>
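<p> The table above is printed defanged ("[.]"), which is the right way to publish indicators but the wrong way to load them into a resolver or firewall. The following added example (not an Anomali ThreatStream export) refangs and normalises a subset of the table, validates each value by type, and emits two hypothetical consumer formats: an RPZ-style DNS zone fragment (CNAME . is the NXDOMAIN action) and a numerically sorted IP deny list. The values in RAW_IOCS are copied from the table. </p>

```python
"""Convert the defanged IOC table above into blocklist formats.

Added example for this report, not an Anomali ThreatStream export. Assumptions
(hypothetical): IOCs are defanged with "[.]" (and optionally "hxxp://"); outputs
are an RPZ-style DNS zone fragment (CNAME . == NXDOMAIN) and a plain IP deny
list. The values in RAW_IOCS are copied from the table; the list is a subset.
"""
import ipaddress
import re

_DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")


def refang(value: str) -> str:
    """'Vpsvault[.]host' -> 'vpsvault.host'; 'hxxp://x[.]y' -> 'http://x.y'."""
    v = _DEFANG_RE.sub(".", value.strip().lower())
    return re.sub(r"^hxxp(s?)://", r"http\1://", v)


def classify(value: str):
    """Return (kind, normalised_value) with kind in {'ip', 'domain', 'sha256'}."""
    v = refang(value)
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if _SHA256_RE.match(v):
        return "sha256", v
    if _DOMAIN_RE.match(v):
        return "domain", v
    raise ValueError(f"unrecognised IOC: {value!r}")


def build_blocklists(raw_iocs):
    """Dedupe and normalise, then emit RPZ records, a sorted IP list and hashes."""
    buckets = {"ip": set(), "domain": set(), "sha256": set()}
    for raw in raw_iocs:
        kind, v = classify(raw)
        buckets[kind].add(v)
    domains = sorted(buckets["domain"])
    # One record for the name itself and one wildcard for any subdomain.
    rpz = [f"{d} CNAME ." for d in domains] + [f"*.{d} CNAME ." for d in domains]
    ips = sorted(buckets["ip"], key=ipaddress.ip_address)
    return {"rpz": rpz, "ips": ips, "sha256": sorted(buckets["sha256"])}


def is_blocked(host: str, blocklists) -> bool:
    """Mirror the RPZ semantics: exact match or any subdomain of a listed domain."""
    host = host.rstrip(".").lower()
    listed = {r.split()[0] for r in blocklists["rpz"] if not r.startswith("*.")}
    return any(host == d or host.endswith("." + d) for d in listed)


# Subset of the blocking table, copied as printed (defanged).
RAW_IOCS = [
    "mtcareers.myftp[.]org", "52.204.228[.]76", "94.156.152[.]234",
    "d3cdc3f18bbc5bb050ec5b212d7e28ae972185de8b3b7361f68bc4a53450ce49",
    "Vpsvault[.]host", "markherman.59veterans[.]com", "b27[.]icu",
    "206.123.156[.]220", "206.123.156[.]230", "206.123.156[.]231",
    "206.123.156[.]238", "192.253.248[.]169", "192.253.248[.]52",
    "192.253.248[.]55", "45.86.5[.]225",
]

if __name__ == "__main__":
    lists = build_blocklists(RAW_IOCS)
    print("\n".join(lists["rpz"]))
    print("\n".join(lists["ips"]))
```

<p> Two caveats when you wire this up for real: classify() raises on anything it cannot type rather than silently dropping it, so a malformed row in a feed fails loudly, and the domain wildcard records block every subdomain of a listed name, which is what you want for attacker-controlled zones like myftp.org subdomains but would be over-blocking if a shared parent zone ever appeared in a feed. Keep the 52.204.228[.]76 AWS address on a short review cycle; cloud IPs get reassigned. </p>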
<p> Additional IOCs available via Anomali ThreatStream Next-Gen.
</p>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services </strong>
</h3>
<p> <strong> Primary threat: </strong> Handala/Void Manticore has expanded targeting to include financial services across 17 countries. Their wiper-as-ransomware technique (T1486) is designed to destroy data while creating confusion about whether recovery is possible.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Validate offline backup integrity for core banking systems — assume wipers will target both primary and backup volumes </li> <li> Review Oracle PeopleSoft deployments (HR/payroll) — CVE-2026-35273 provides unauthenticated RCE to these systems </li> <li> Ensure SWIFT/payment systems are network-segmented from general IT infrastructure </li> <li> Brief fraud teams on Iranian social engineering campaigns using career-themed lures </li>
</ul>
<h3> <strong> Energy </strong>
</h3>
<p> <strong> Primary threat: </strong> CyberAv3ngers' 46-day silence is most concerning for energy sector organizations. Their historical targeting of ICS/OT systems (Unitronics PLCs, SCADA/HMI) and the active Mirai/Bashlite botnet staging suggest DDoS-as-disruption capability against OT networks.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Audit all internet-facing OT/ICS devices — remove any with default credentials </li> <li> Deploy network monitoring at IT/OT boundaries specifically watching for connections to 94.156.152[.]234 </li> <li> Review Arista EOS network switch configurations against published security advisories </li> <li> Ensure safety instrumented systems (SIS) are air-gapped from control networks </li> <li> Prepare for DDoS against OT networks — validate that safety systems function independently of network connectivity </li>
</ul>
<h3> <strong> Healthcare </strong>
</h3>
<p> <strong> Primary threat: </strong> Handala's expanded targeting now explicitly includes healthcare. Their March 11 wiper attack (200,000 endpoints) demonstrates willingness to cause mass disruption regardless of humanitarian impact.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Prioritize Ivanti Sentry patching — healthcare organizations commonly deploy Ivanti for remote clinician access </li> <li> Ensure electronic health record (EHR) systems have tested offline operational procedures </li> <li> Validate that medical device networks are segmented from administrative IT </li> <li> Review all DDNS-based connections from clinical networks — free DDNS services (No-IP.com) are being abused for C2 </li>
</ul>
<h3> <strong> Government </strong>
</h3>
<p> <strong> Primary threat: </strong> Pioneer Kitten's expected exploitation of CVE-2026-10520 directly targets government Ivanti Sentry deployments. The mtcareers phishing domain specifically targets government/military personnel.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> <strong> Emergency Ivanti Sentry patching </strong> — this is the #1 priority for government networks </li> <li> Implement additional authentication controls on all remote access gateways pending patch deployment </li> <li> Brief all personnel with security clearances on career-themed phishing campaigns — "mtcareers" specifically targets military/defense job seekers </li> <li> Audit AWS-hosted services for unauthorized connections from 52.204.228[.]76 </li> <li> Review Ivanti Sentry logs for any unauthenticated access in the past 14 days (pre-PoC scanning may have occurred) </li>
</ul>
<h3> <strong> Aviation & Logistics </strong>
</h3>
<p> <strong> Primary threat: </strong> Iranian actors have historically used career-themed lures against aviation sector personnel (tracked as Nimbus Manticore/MiniFast campaigns). The mtcareers domain may represent an extension of this targeting.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Alert HR/recruiting teams about fraudulent career portal domains — verify all job application platforms before sharing with candidates </li> <li> Review supply chain vendor access — Iranian actors use initial access brokering (Pioneer Kitten) to move laterally through contractor networks </li> <li> Audit all Ivanti and Oracle deployments in logistics management systems </li> <li> Monitor for anomalous VPN connections from geographic regions inconsistent with employee locations </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Ops / Vulnerability Management </p> </td> <td> <p> <strong> Patch all Ivanti Sentry instances </strong> to R10.5.2, R10.6.2, or R10.7.1 minimum. CVE-2026-10520 is CVSS 10.0 with public PoC and active exploitation expected within 72 hours. If patching is not possible within 24h, restrict network access to the Sentry System Manager portal (TCP 8443 in a standard deployment) to trusted management networks only, and verify the restriction from an untrusted network before relying on it. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC / Network Security </p> </td> <td> <p> <strong> Block </strong> mtcareers.myftp[.]org and IP 52.204.228[.]76 at DNS, proxy, and email gateway layers. Add all IOCs from the blocking table above to detection and prevention controls. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC / Network Security </p> </td> <td> <p> <strong> Block </strong> 94.156.152[.]234 and deploy network detection for bins.sh download patterns and iran.* binary naming in HTTP traffic, particularly from IoT device subnets. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> SOC / Email Security </p> </td> <td> <p> <strong> Deploy email filtering rules </strong> for messages containing military/defense career themes with links to free DDNS providers (myftp.org, no-ip.com, ddns.net, duckdns.org). </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> Executive / IR </p> </td> <td> <p> <strong> Validate incident response readiness </strong> — confirm IR retainer is active, contact lists are current, and wiper-specific playbooks are tested. Handala's demonstrated capability (200K endpoints) means response time is measured in minutes, not hours. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Ops / Vulnerability Management </p> </td> <td> <p> <strong> Patch Oracle PeopleSoft </strong> to address CVE-2026-35273 (CVSS 9.8, unauthenticated RCE). Any PeopleSoft 8.61/8.62 instance is vulnerable. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> DevOps / Cloud Security </p> </td> <td> <p> <strong> Audit LiteLLM proxy deployments </strong> for versions below 1.83.7. CVE-2026-42271 allows authenticated users to execute arbitrary commands via MCP stdio transport. Patch or restrict /mcp-rest/test/* endpoints. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC / Threat Hunting </p> </td> <td> <p> <strong> Execute hunting hypotheses </strong> listed above — prioritize Ivanti Sentry log review and career-themed phishing email searches. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> Network Security / OT </p> </td> <td> <p> <strong> Deploy IoT botnet detection </strong> — monitor IoT device subnets for outbound connections to known staging IPs and shell script downloads. </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> IT Ops / Network </p> </td> <td> <p> <strong> Review Arista EOS switch configurations </strong> against published security advisories. Ensure network infrastructure is not exploitable as a pivot point. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> CISO / Threat Intelligence </p> </td> <td> <p> <strong> Commission proactive threat hunt </strong> for CyberAv3ngers persona rotation. 46 days of silence during active conflict is anomalous — search for new Telegram channels, rebranded personas, and infrastructure overlap with known aliases. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> CISO / Security Architecture </p> </td> <td> <p> <strong> Conduct wiper resilience assessment — validate that backup systems are isolated from production networks, test restoration procedures, and confirm that safety-critical systems can operate independently during a mass wiper event. </strong> </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> CISO / Vendor Management </p> </td> <td> <p> <strong> Audit all Ivanti, Oracle, and AI/ML platform deployments </strong> across the enterprise and supply chain. These three vendor categories represent the current Iranian exploitation focus. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> Security Architecture </p> </td> <td> <p> <strong> Implement network segmentation review </strong> — ensure ICS/OT, medical devices, IoT, and AI infrastructure are properly segmented from general IT networks. Iranian actors exploit flat networks for lateral movement. </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> Threat Intelligence </p> </td> <td> <p> <strong> Establish collection requirements </strong> for UNC6077/Berry Sandstorm (aka Unk_craftycamel) — newly tracked Iranian actor with zero campaign visibility. Coordinate with threat intelligence vendors for early indicator sharing. </p> </td> </tr> </tbody>
</table>
<h2> <strong> The Bottom Line </strong>
</h2>
<p> One hundred and seven days into this conflict, the pattern is clear: <strong> Iranian cyber operations do not pause for diplomacy. </strong> Every ceasefire negotiation window we've observed has coincided with accelerated pre-positioning — not de-escalation.
</p>
<p> Today's intelligence confirms this pattern with hard evidence:
</p>
<ul> <li> Active phishing infrastructure targeting defense personnel <strong> during peace talks </strong> </li> <li> A CVSS 10.0 vulnerability in the exact product category Iranian actors prefer to exploit, <strong> with a public PoC and a 72-hour exploitation window </strong> </li> <li> A destructive threat group that wiped 200,000 endpoints three months ago, now targeting 17 countries across 8 industries </li> <li> An anomalous 46-day silence from an ICS/OT-focused group in the middle of an active conflict </li>
</ul>
<p> The threat level remains <strong> HIGH </strong> . The question is not whether Iranian actors will exploit these opportunities — it's whether your organization will be patched, segmented, and prepared when they do.
</p>
<p> Patch Ivanti Sentry today. Block the IOCs today. Validate your wiper response playbook today. Tomorrow may be too late.
</p>
<p> <em> Published 2026-06-15 by the Anomali CTI Desk. Intelligence derived from Anomali ThreatStream Next-Gen, CISA KEV, and partner feeds. For IOC feeds and STIX packages, contact your Anomali representative. </em>
</p>
<p> <em> Previous threat level: HIGH (2026-06-14) → Current threat level: HIGH (unchanged). No de-escalation indicators observed. </em>
</p>