Iran’s IRGC Names Western Tech Giants as “Legitimate Targets”: What CISOs Must Do Now

Anomali Threat Research

Published on

April 3, 2026

Table of Contents

Threat Assessment Level: HIGH Elevated from ELEVATED on 2 April 2026. The IRGC’s unprecedented public declaration naming specific Western corporations as targets, combined with fresh Iranian C2 infrastructure, active exploitation of critical edge-device vulnerabilities, and zero ceasefire signals, warrants a HIGH threat posture for all organizations with Middle East exposure or positions in the supply chains of named companies. <h2>Introduction                                 </h2> Thirty-four days into the Iran conflict that began on 28 February 2026, the cyber dimension has crossed a new threshold. On 1 April 2026, Iran’s Islamic Revolutionary Guard Corps publicly warned Nvidia, Apple, Google, Microsoft, and Tesla that companies with Middle East operations would be considered “legitimate targets.” This is the first time the IRGC has issued named corporate targeting declarations during the conflict — a doctrinal shift from opportunistic disruption to directed, strategic cyber targeting. This isn’t theoretical. In the same 72-hour window, CISA published a fresh block of Iranian APT command-and-control infrastructure, multiple threat actors began exploiting critical Ivanti vulnerabilities with a perfect CVSS 10-class severity, and a sophisticated iOS zero-day exploit chain proliferated from a single commercial surveillance vendor to state-sponsored actors across three continents. Meanwhile, the intelligence picture contains a conspicuous silence: no ceasefire signals, no de-escalation indicators, and known destructive groups like Cyber Av3ngers have gone quiet — a pattern that historically precedes coordinated operations. If your organization operates in the Middle East, sits in the defense industrial base, runs energy or critical infrastructure, or is part of the supply chain for any of the five named companies, this report demands your immediate attention. <h2>What Changed                          </h2> The past 48 hours introduced several developments that collectively drove the threat level from ELEVATED to HIGH: <ul> <li>IRGC named corporate targeting — For the first time, the IRGC publicly identified five specific Western technology companies as legitimate targets, signaling a shift from broad anti-Western rhetoric to directed operational intent.</li> <li>Fresh Iranian C2 infrastructure surfaced — CISA published four new Iranian APT IPs on Asiatech (ASN 43754, Tehran) and an additional IP tagged as AdaptixC2 on Gostaresh Pardazesh (ASN 51889, Tehran), indicating active infrastructure build-out.</li> <li>Ivanti EPMM under multi-actor exploitation — CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8, unauthenticated remote code execution) are being actively exploited by multiple threat actors across six countries, with MISTBRICK malware deployed post-exploitation.</li> <li>DarkSword iOS exploit chain proliferating — A full-chain iOS exploit leveraging six zero-day vulnerabilities has spread from commercial surveillance vendors to state-sponsored actors, now targeting Saudi Arabia, Turkey, and Ukraine.</li> <li>Janbiya hacktivist group emerged — A new Yemeni pro-Iran hacktivist group expanded the geographic base of the Iran-aligned cyber swarm beyond Iran, Lebanon, and Iraq.</li> <li>ICS/OT attack surface expanded — Three CISA ICS advisories published on 2 April 2026 affect Siemens SICAM 8, Yokogawa CENTUM VP, and Hitachi Energy Ellipse — products deployed across energy and utilities environments actively targeted by IRGC-affiliated actors.</li> <li>Zero ceasefire signals — No diplomatic de-escalation indicators were detected in any collection source. The IRGC’s escalatory rhetoric is the opposite of a ceasefire signal.</li> </ul> <h2>Conflict & Threat Timeline              </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> Iran conflict begins </td> <td> Kinetic and cyber operations commence simultaneously </td> </tr> <tr> <td> Early Mar 2026 </td> <td> MOIS Counter-Terrorism Division leader Seyed Yahya Hosseini Panjaki killed in US-Israeli strikes </td> <td> Decapitation events historically trigger retaliatory cyber surges </td> </tr> <tr> <td> 3 Mar 2026 </td> <td> Janbiya hacktivist group first appears on Telegram </td> <td> Yemeni pro-Iran hacktivist expands the geographic base of the cyber swarm </td> </tr> <tr> <td> 18 Mar 2026 </td> <td> Google Threat Intelligence Group documents DarkSword iOS exploit chain </td> <td> Six iOS zero-days (iOS 18.4–18.7) weaponized by multiple actors </td> </tr> <tr> <td> 24 Mar 2026 </td> <td> APTIran and Cyber Islamic Resistance documented deploying ALPHV and LockBit ransomware </td> <td> Ransomware used as a weapon of war against Israeli critical infrastructure </td> </tr> <tr> <td> 30 Mar 2026 </td> <td> Google/Mandiant discloses MuddyWater Campaign 26.029 </td> <td> 17-country, 7-vertical MOIS espionage operation with 15+ custom backdoors </td> </tr> <tr> <td> 31 Mar 2026 </td> <td> MuddyWater expands via TWOSTROKE backdoor to Azerbaijan and Turkey </td> <td> Campaign scope widens beyond initial target set </td> </tr> <tr> <td> 1 Apr 2026 </td> <td> IRGC publicly names Nvidia, Apple, Google, Microsoft, Tesla as “legitimate targets” </td> <td> Unprecedented — first named corporate targeting declaration during the conflict </td> </tr> <tr> <td> 2 Apr 2026 </td> <td> CISA/MD-ISAC publishes Asiatech APT IP block; Cisco Talos discloses UAT-10608 mass exploitation of CVE-2025-55182 (React2Shell) </td> <td> Fresh Iranian C2 infrastructure; 766 hosts compromised in 24 hours </td> </tr> <tr> <td> 2 Apr 2026 </td> <td> CSIS publishes warning on U.S. energy infrastructure cyber threats from Iran </td> <td> Institutional validation of escalating risk to energy sector </td> </tr> <tr> <td> 3 Apr 2026 </td> <td> DarkSword report updated with UNC6748, PARS Defense, UNC6353 attribution; Ivanti EPMM multi-actor exploitation campaigns confirmed </td> <td> iOS exploit proliferation accelerates; edge-device exploitation intensifies </td> </tr> </tbody> </table> <h2>Key Threat Analysis                         </h2> <h3>1. IRGC Named Corporate Targeting: A Doctrinal Shift</h3> The IRGC’s public declaration naming Nvidia, Apple, Google, Microsoft, and Tesla as targets (reported by CNBC and Tokenist, corroborated by CSIS analysis) represents more than rhetoric. Iranian state cyber doctrine has historically moved from public signaling to operational action within weeks. The 2012 Shamoon attacks against Saudi Aramco, the 2014 Sands Casino attack, and the 2023 Cyber Av3ngers campaign against Unitronics PLCs all followed periods of escalatory public statements. What this means for CISOs: If your organization is one of the five named companies, a supplier to them, or operates in the Middle East technology ecosystem, you should assume reconnaissance and pre-positioning activity is already underway. MOIS and the IRGC Cyber Electronic Command have demonstrated the capability to execute on these declarations. Tracked actors with capability to execute: - MuddyWater (MOIS) — 17-country espionage operation already active - OilRig / APT34 (MOIS) — long-standing corporate espionage capability - APT42 (IRGC-IO) — credential harvesting and social engineering specialists - UNC1860 / ShroudedSnooper (MOIS-linked) — pre-positioning in telecom and ISP networks - Handala Hack Team (IRGC-affiliated) — destructive wiper capability - Cyber Av3ngers / HYDRO KITTEN (IRGC Cyber Electronic Command) — ICS/OT targeting <h3>2. Ivanti EPMM Critical Vulnerabilities Under Active Exploitation</h3> CVE-2026-1281 and CVE-2026-1340 — both rated CVSS 9.8 — affect Ivanti Endpoint Manager Mobile (EPMM) and allow unauthenticated remote code execution via code injection. Multiple threat actors are actively exploiting these vulnerabilities across automotive, financial services, government, manufacturing, and transportation sectors in at least six countries. Post-exploitation, attackers are deploying MISTBRICK malware. This fits a well-established Iranian playbook. Iranian APTs — particularly MuddyWater and OilRig — have consistently targeted edge devices (Ivanti, F5 BIG-IP, Citrix ADC, BeyondTrust) as their preferred initial access vector. Organizations running unpatched Ivanti EPMM instances are at critical risk. Additionally, BeyondTrust Remote Support CVE-2026-1731 (CVSS 9.8, pre-authentication RCE) is tracked in active campaigns and should be patched with equal urgency. <h3>3. DarkSword iOS Exploit Chain Proliferation</h3> Google’s Threat Intelligence Group documented DarkSword, a full-chain iOS exploit targeting iOS versions 18.4 through 18.7, leveraging six zero-day vulnerabilities including CVE-2025-31277, CVE-2026-20700, and CVE-2025-43529. What makes this particularly concerning is the proliferation pattern: <ul> <li>UNC6748 — targeted Saudi Arabian users via the phishing domain snapshare[.]chat (Snapchat-themed lure), deploying the GHOSTKNIFE backdoor with keylogging, audio capture, and video capture capabilities</li> <li>PARS Defense (Turkish commercial surveillance vendor) — targeted users in Turkey and Malaysia</li> <li>UNC6353 (suspected Russian) — adopted DarkSword for watering-hole campaigns targeting Ukraine</li> </ul> The payload family includes GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER — all communicating via WebSocket-based C2 with ECDH+AES encryption. All vulnerabilities were patched in iOS 26.3, but organizations with unmanaged or slow-to-update mobile fleets remain exposed. The Saudi Arabian targeting by UNC6748 is directly relevant to the Iran conflict — mobile surveillance of Gulf state officials, journalists, and military personnel is a known Iranian intelligence priority. <h3>5. The Expanding Pro-Iran Hacktivist Swarm</h3> The emergence of Janbiya (aliases: AlJanbiya, YemeniDagger) — a self-proclaimed Yemeni hacktivist group first seen on Telegram on 3 March 2026 — expands the pro-Iran hacktivist ecosystem’s geographic footprint. Janbiya targets Arab countries and Israel, with stated focus on government, military, and transportation sectors. This group joins an already active swarm: - Handala Hack Team (IRGC-affiliated) — wiper deployments, hack-and-leak operations - Cyber Av3ngers / HYDRO KITTEN (IRGC Cyber Electronic Command) — ICS/OT targeting - Cyber Islamic Resistance — ransomware deployment against Israeli infrastructure - APTIran — claimed deployment of ALPHV and LockBit ransomware as weapons of war The current silence from Cyber Av3ngers and Cyber Islamic Resistance during a period of IRGC escalation is itself a warning sign. Historically, operational pauses by destructive groups during escalation periods have preceded coordinated attacks. <h3>6. ICS/OT Attack Surface Expansion</h3> Three CISA ICS advisories published on 2 April 2026 affect products deployed across energy and utilities environments: - Siemens SICAM 8 (power grid protection and control) - Yokogawa CENTUM VP (distributed control systems for process industries) - Hitachi Energy Ellipse (enterprise asset management for utilities) While no Iranian exploitation of these specific products has been confirmed this cycle, the attack surface expansion during an active conflict with an adversary known for ICS targeting (Cyber Av3ngers’ 2023 Unitronics campaign, IOCONTROL malware) makes this a high-priority monitoring area. <h2>Predictive Analysis: What Comes Next</h2> Based on current intelligence, historical Iranian cyber operational patterns, and the escalatory trajectory of the conflict: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Increased Iranian scanning/exploitation of Ivanti EPMM instances </td> <td> 70% </td> <td> Next 72 hours </td> <td> Multi-actor exploitation already confirmed; public disclosure accelerates opportunistic targeting </td> </tr> <tr> <td> Pro-Iran hacktivist group (Handala, Janbiya, or Cyber Av3ngers) claims a new attack </td> <td> 60% </td> <td> Next 72 hours </td> <td> IRGC escalatory signaling historically precedes hacktivist operations; Cyber Av3ngers’ silence is suspicious </td> </tr> <tr> <td> MuddyWater or UNC1860 resurfaces with retooled infrastructure </td> <td> 40% </td> <td> Next 7 days </td> <td> MOIS leadership disruption recovery period (~30 days) is ending; operational reactivation expected </td> </tr> <tr> <td> Coordinated wiper attack against Israeli or Gulf state targets </td> <td> 25% </td> <td> Next 7 days </td> <td> Absence of wiper activity during escalation suggests pre-positioning; Handala has demonstrated wiper capability (Handala Wiper, BiBi Wiper, CaddyWiper, ZeroCleare) </td> </tr> <tr> <td> Supply chain attack targeting npm/PyPI ecosystems attributed to Iranian actors </td> <td> 20% </td> <td> Next 14 days </td> <td> Established vector (Axios npm compromise was DPRK-attributed, but Iranian actors have supply chain capability); tech company supply chains are now declared targets </td> </tr> <tr> <td> Destructive attack against U.S. energy infrastructure </td> <td> 15% </td> <td> Next 30 days </td> <td> CSIS warning validates the threat; Cyber Av3ngers have demonstrated ICS capability; regulatory fragmentation creates exploitable gaps </td> </tr> </tbody> </table> <h2>SOC Operational Guidance              </h2> <h3>Immediate Detection Priorities</h3> <ol> <li> Hunting Hypotheses</li> </ol> <table> <thead> <tr> <th> Hypothesis </th> <th> Data Source </th> <th> Query Logic </th> </tr> </thead> <tbody> <tr> <td> Iranian C2 beaconing from internal assets </td> <td> Firewall/proxy logs, NDR </td> <td> Outbound connections to ASN 43754 (Asiatech), ASN 213790 (Limited Network), ASN 51889 (Gostaresh Pardazesh) </td> </tr> <tr> <td> Ivanti EPMM exploitation attempt </td> <td> WAF logs, Ivanti EPMM logs </td> <td> HTTP requests matching CVE-2026-1281/1340 exploitation patterns; unexpected admin API calls; new admin accounts created </td> </tr> <tr> <td> MISTBRICK post-exploitation activity </td> <td> EDR, process telemetry </td> <td> Unusual child processes spawned by Ivanti EPMM service; unexpected outbound connections from EPMM hosts </td> </tr> <tr> <td> DarkSword/GHOSTKNIFE mobile compromise </td> <td> MDM logs, network flow </td> <td> Persistent WebSocket connections from iOS devices to unknown IPs; ECDH+AES encrypted payloads; connections to snapshare[.]chat </td> </tr> <tr> <td> WebSocket-based C2 (novel detection gap) </td> <td> NDR, proxy logs </td> <td> Sustained WebSocket connections (>30 min) from endpoints to IPs not in known-good lists, especially with encrypted payloads </td> </tr> <tr> <td> BeyondTrust exploitation </td> <td> BeyondTrust logs, WAF </td> <td> Unauthenticated requests to BeyondTrust Remote Support admin endpoints; CVE-2026-1731 exploitation signatures </td> </tr> <tr> <td> Wiper pre-positioning </td> <td> EDR, file integrity monitoring </td> <td> Unusual file writes to MBR/boot sectors; scheduled tasks or services with destructive payloads; hunt using wiper family hashes available via Anomali ThreatStream Next-Gen </td> </tr> <tr> <td> AdaptixC2 framework activity </td> <td> NDR, DNS logs </td> <td> Connections to 45.147.77[.]210; DNS queries for domains resolving to ASN 51889; Adaptix framework network signatures </td> </tr> </tbody> </table> <ol start="2"> <li> File Hashes for Blocking/Alerting</li> </ol> Verified SHA-256 hashes for MISTBRICK, TWOSTROKE, GHOSTKNIFE, GHOSTBLADE, GHOSTSABER, and associated wiper families (Handala Wiper, BiBi Wiper) are available directly in Anomali ThreatStream Next-Gen, tagged to the campaigns discussed in this report. Deploy to EDR blocklists and SIEM watchlists via ThreatStream Next-Gen export. Contact your Anomali representative for access. <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> Primary threat: Ivanti EPMM exploitation (CVE-2026-1281, CVE-2026-1340) — financial services is explicitly listed as a targeted vertical in active campaigns. Iranian actors have historically targeted SWIFT-connected systems and payment infrastructure. Actions: - Audit all Ivanti EPMM instances immediately; patch or isolate from internet if unpatched - Review BeyondTrust Remote Support deployment for CVE-2026-1731 exposure - Enable enhanced monitoring on SWIFT gateways and interbank transfer systems for anomalous transaction patterns - Verify that mobile banking applications enforce iOS 26.3+ minimum version - Hunt for connections to Asiatech ASN 43754 and Gostaresh Pardazesh ASN 51889 in the last 90 days <h3>Energy</h3> Primary threat: ICS/OT targeting by Cyber Av3ngers and IRGC-affiliated actors. CSIS specifically warned (2 April 2026) that U.S. energy infrastructure faces escalating threats due to scale, age, and regulatory fragmentation. Three CISA ICS advisories (Siemens SICAM 8, Yokogawa CENTUM VP, Hitachi Energy Ellipse) expand the attack surface. Actions: - Verify network segmentation between IT and OT/ICS environments — if flat, segment immediately - Audit Siemens SICAM 8, Yokogawa CENTUM VP, and Hitachi Energy Ellipse deployments against CISA advisories ICSA-26-092-01, ICSA-26-092-02, ICSA-26-092-03 - Deploy passive network monitoring on OT segments to detect reconnaissance and lateral movement - Review Unitronics PLC configurations (Cyber Av3ngers’ known target) — change default credentials, restrict remote access - Establish or test OT incident response playbooks with manual override procedures <h3>Healthcare</h3> Primary threat: Ransomware-as-weapon deployments. APTIran and Cyber Islamic Resistance have deployed ALPHV and LockBit ransomware against Israeli critical infrastructure — healthcare is a historically favored ransomware target, and Iranian actors have shown willingness to target hospitals. Actions: - Verify offline backup integrity for electronic health record (EHR) systems and medical imaging (PACS) - Ensure Ivanti EPMM instances managing clinical mobile devices are patched against CVE-2026-1281/1340 - Enforce iOS 26.3+ on all clinical mobile devices to mitigate DarkSword exploit chain - Pre-position incident response retainers with healthcare-experienced IR firms - Test downtime procedures for clinical operations in the event of a ransomware or wiper attack <h3>Government</h3> Primary threat: Multi-vector targeting — MOIS espionage (MuddyWater’s 17-country campaign), edge-device exploitation (Ivanti EPMM), mobile surveillance (DarkSword/GHOSTKNIFE), and hacktivist DDoS/defacement. Government is listed as a target vertical in both the Ivanti EPMM and Janbiya campaigns. Actions: - Patch Ivanti EPMM (CVE-2026-1281, CVE-2026-1340) and BeyondTrust (CVE-2026-1731) as emergency priority - Enforce iOS 26.3+ and enable Lockdown Mode on devices issued to officials with Middle East portfolios - Deploy DDoS mitigation for public-facing government web services (Janbiya and Handala capability) - Review OAuth configurations on M365/Azure AD for anomalous application consent grants (MuddyWater TTP) - Hunt for MuddyWater indicators — TWOSTROKE backdoor, MOIS-attributed infrastructure on ASN 43754 <h3>Aviation & Logistics</h3> Primary threat: Transportation sector is explicitly targeted by Janbiya and tracked in Ivanti EPMM exploitation campaigns. Iranian actors have historically targeted airline reservation systems and logistics networks for both espionage and disruption. The Strait of Hormuz kinetic conflict creates dual-use targeting where cyber operations support military objectives. Actions: - Audit all internet-facing applications (Ivanti EPMM, Citrix ADC, F5 BIG-IP) for unpatched critical vulnerabilities - Review supply chain management systems for anomalous access patterns — particularly systems with Middle East shipping route data - Implement enhanced monitoring on flight operations and air traffic management networks - Verify that crew communication devices (tablets, phones) are updated to iOS 26.3+ - Establish coordination channels with sector ISACs (A-ISAC, S-ISAC) for real-time threat sharing during the conflict <h2>Prioritized Defense Recommendations</h2> <h3>IMMEDIATE (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🔴 </td> <td> IT Ops </td> <td> Patch or isolate Ivanti EPMM instances against CVE-2026-1281 and CVE-2026-1340 (CVSS 9.8, unauthenticated RCE, actively exploited). If patching requires a maintenance window, isolate from internet access immediately. </td> </tr> <tr> <td> 🔴 </td> <td> SOC </td> <td> Deploy malware hashes for MISTBRICK, TWOSTROKE, GHOSTKNIFE, GHOSTBLADE, GHOSTSABER, and associated wiper families to EDR blocklists and SIEM correlation rules. Retrieve verified hashes from Anomali ThreatStream Next-Gen (tagged to campaigns in this report). </td> </tr> </tbody> </table> <h3>7-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🟠 </td> <td> IT Ops </td> <td> Enforce iOS 26.3+ across all managed mobile devices to mitigate DarkSword exploit chain (CVE-2025-31277, CVE-2026-20700, CVE-2025-43529). Enable Lockdown Mode on executive and high-value user devices. </td> </tr> <tr> <td> 🟠 </td> <td> SOC </td> <td> Deploy WebSocket C2 detection — create detection rules for persistent WebSocket connections (>30 minutes) from endpoints to IPs not on known-good lists, particularly with encrypted payloads. This addresses a gap exploited by GHOSTKNIFE. </td> </tr> <tr> <td> 🟠 </td> <td> IT Ops </td> <td> Patch BeyondTrust Remote Support against CVE-2026-1731 (CVSS 9.8, pre-authentication RCE). Active campaign tracked. </td> </tr> <tr> <td> 🟠 </td> <td> CISO </td> <td> Brief executive leadership on IRGC named corporate targeting declarations. Organizations with Middle East operations or supply chain relationships with Nvidia, Apple, Google, Microsoft, or Tesla should elevate their threat posture. </td> </tr> <tr> <td> 🟠 </td> <td> SOC </td> <td> Audit OAuth application consent grants in M365/Azure AD and Google Workspace for anomalous or overly permissive grants — MuddyWater and APT42 use OAuth phishing for persistent access. </td> </tr> </tbody> </table> <h3>30-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🟡 </td> <td> IT Ops / OT </td> <td> Implement ICS network monitoring for Siemens SICAM 8, Yokogawa CENTUM VP, and Hitachi Energy Ellipse per CISA advisories. Verify IT/OT segmentation. </td> </tr> <tr> <td> 🟡 </td> <td> CISO </td> <td> Commission a tabletop exercise simulating a coordinated wiper attack against your organization, incorporating Iranian APT TTPs (initial access via edge device, lateral movement, wiper deployment). </td> </tr> <tr> <td> 🟡 </td> <td> DevOps </td> <td> Pin all GitHub Actions to commit SHAs instead of version tags and audit npm/PyPI dependencies for known compromised packages (Axios supply chain compromise pattern). </td> </tr> <tr> <td> 🟡 </td> <td> CISO </td> <td> Review and update incident response plans specifically for destructive attacks (wipers, ransomware-as-weapon). Ensure plans include manual operational procedures for critical business functions. </td> </tr> <tr> <td> 🟡 </td> <td> IR Team </td> <td> Pre-position incident response retainers with firms experienced in Iranian APT operations. Ensure retainer covers both IT and OT environments. </td> </tr> </tbody> </table> <h2>The Silence Is the Signal                </h2> Three things should keep CISOs awake this week. First, the IRGC has moved from vague threats to naming specific companies — and Iranian cyber doctrine has a track record of following through. Second, the tools are in place: fresh C2 infrastructure is online, critical edge-device vulnerabilities are being exploited at scale, and mobile surveillance capabilities have proliferated to multiple state-sponsored actors. Third, and perhaps most importantly, the groups with the most destructive capabilities — Cyber Av3ngers, Cyber Islamic Resistance — have gone quiet during a period of escalation. In threat intelligence, silence during escalation is not reassurance. It is preparation. There are no ceasefire signals in any collection source. The conflict is 34 days old and accelerating. The window between the IRGC’s public declarations and operational follow-through is measured in days to weeks, not months. Patch your Ivanti EPMM instances today. Block the Iranian C2 infrastructure today. Update your iOS fleet this week. Brief your board on the IRGC’s targeting declarations. And prepare your incident response teams for the possibility that the next attack won’t be espionage — it will be destruction.

FEATURED RESOURCES

April 3, 2026

Anomali Cyber Watch