The Coiled Spring: Iran's Cyber Operations Enter Their Most Dangerous Phase

Anomali Threat Research

Published on

May 16, 2026

Table of Contents

Threat Assessment Level: HIGH Seventy-seven days into the U.S.-Iran armed conflict, Iranian cyber operations have entered a paradox that should alarm every security leader: strategic capability is surging while tactical noise has gone silent. Russia is feeding Iran satellite intelligence and cyber tools. Iranian APTs are stealing credentials through Microsoft Teams. IRGC-linked proxies are hacking fuel distribution systems across the United States. And the hacktivist groups that have been the conflict's loudest actors have gone completely dark for 14 days — the longest operational pause since hostilities escalated on February 28, 2026. This is not de-escalation. This is pre-positioning. Meanwhile, a CVSS 9.8 unauthenticated remote code execution vulnerability in Ivanti Endpoint Manager Mobile (CVE-2026-1340) has been added to CISA's Known Exploited Vulnerabilities catalog — and Iranian actors have historically weaponized Ivanti flaws within days of KEV listing. If your organization operates critical infrastructure, manages mobile device fleets, uses Microsoft Teams for external collaboration, or sits anywhere in the defense industrial base supply chain, this report demands your immediate attention. <h2> What Changed </h2> <table> <thead> <tr> <th> Development </th> <th> Why It Matters </th> </tr> </thead> <tbody> <tr> <td> Iranian actors confirmed hacking U.S. gas station Automatic Tank Gauges (ATGs) </td> <td> ICS escalation ladder expands from water and transit to fuel distribution — systematic sector-hopping </td> </tr> <tr> <td> MuddyWater weaponizing Microsoft Teams for credential theft against energy, government, telecom, and utilities </td> <td> Cloud identity is now the primary Iranian attack vector — bypasses email security entirely </td> </tr> <tr> <td> Russia providing Iran satellite imagery and cyber support (Reuters confirmed) </td> <td> Iranian targeting precision permanently elevated — this is structural, not episodic </td> </tr> <tr> <td> CVE-2026-1340 (Ivanti EPMM, CVSS 9.8) added to CISA KEV </td> <td> Unauthenticated RCE on mobile device management platforms — active exploitation confirmed </td> </tr> <tr> <td> 8 new Siemens ICS advisories (SIMATIC, Ruggedcom, Teamcenter) </td> <td> OT attack surface expanding while Iranian ICS operations intensify </td> </tr> <tr> <td> 14-day hacktivist silence (Handala, Cyber Toufan, DieNet) </td> <td> Longest pause since conflict escalation — retooling or coordinating for larger strike </td> </tr> <tr> <td> Pioneer Kitten/Fox Kitten dormant for 31 days </td> <td> Pre-positioned DIB access may be maintained but undetected — highest-risk blind spot </td> </tr> <tr> <td> UNC6446 refreshes aerospace fake-recruitment infrastructure (May 14) </td> <td> IRGC espionage operations against the aerospace and defense sector remain highly active </td> </tr> <tr> <td> MuddyWater–Silent Chollima infrastructure convergence detected (May 9) </td> <td> Iran-DPRK cyber cooperation signal — potential shared tooling or targeting coordination </td> </tr> </tbody> </table> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 2026-02-28 </td> <td> U.S.-Iran armed conflict begins </td> <td> Kinetic and cyber operations commence simultaneously </td> </tr> <tr> <td> 2026-03-11 </td> <td> UNC5203/Cotton Sandstorm destroys 200,000+ Stryker endpoints via weaponized Microsoft Intune </td> <td> Largest single destructive cyber operation of the conflict </td> </tr> <tr> <td> 2026-04-07 </td> <td> Reuters confirms Russia providing Iran satellite intelligence + cyber support </td> <td> Strategic enabler — elevates Iranian precision targeting permanently </td> </tr> <tr> <td> 2026-04-08 </td> <td> U.S. officials issue urgent warning on Iranian exploitation of critical infrastructure </td> <td> Confirms active targeting of U.S. systems </td> </tr> <tr> <td> 2026-04-14 </td> <td> Iran proxy cyber threats expand to Southeast Europe/Balkans </td> <td> Geographic scope widening beyond traditional targets </td> </tr> <tr> <td> 2026-04-22 </td> <td> UK NCSC names Russia, Iran, and China as most serious cyber threats </td> <td> Tri-state threat convergence acknowledged at national level </td> </tr> <tr> <td> 2026-04-29 </td> <td> Handala infrastructure targeting reported </td> <td> Last confirmed hacktivist operation before silence </td> </tr> <tr> <td> 2026-05-02 </td> <td> Hacktivist operational silence begins </td> <td> 14-day pause and counting </td> </tr> <tr> <td> 2026-05-08 </td> <td> Poland water treatment breaches reported </td> <td> ICS targeting extends to NATO-allied infrastructure </td> </tr> <tr> <td> 2026-05-09 </td> <td> MuddyWater Teams credential theft campaign confirmed </td> <td> Cloud identity exploitation at scale </td> </tr> <tr> <td> 2026-05-09 </td> <td> MuddyWater–Silent Chollima infrastructure convergence detected </td> <td> Iran-DPRK cyber cooperation signal </td> </tr> <tr> <td> 2026-05-14 </td> <td> UNC6446 refreshes aerospace fake-recruitment infrastructure </td> <td> IRGC espionage operations remain highly active </td> </tr> <tr> <td> 2026-05-14 </td> <td> 8 Siemens ICS advisories + 7 CISA ICS advisories published </td> <td> Massive OT attack surface expansion </td> </tr> <tr> <td> 2026-05-15 </td> <td> CVE-2026-1340 (Ivanti EPMM, CVSS 9.8) added to CISA KEV </td> <td> Active exploitation of mobile device management </td> </tr> <tr> <td> 2026-05-15 </td> <td> Iran confirmed hacking U.S. gas station tank readers (ATGs) </td> <td> ICS escalation ladder reaches fuel distribution </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> 1. The ICS Escalation Ladder: Water → Transit → Fuel → ? </h3> Iranian ICS operations are following a methodical pattern. In 2023, Cyber Av3ngers compromised Unitronics PLCs at water treatment facilities. In early 2026, the Ababil of Minab operation targeted U.S. transit OT systems. Now, Iranian actors are confirmed to be hacking Automatic Tank Gauge (ATG) systems — specifically Veeder-Root TLS-350/450 units — at U.S. gas stations. Each operation tests a new sector's defenses using proxy groups before state APTs engage directly. The pattern suggests the next logical targets are power grid edge devices and telecommunications infrastructure . The fuel sector targeting is particularly concerning because ATG systems are frequently internet-exposed with default credentials, creating a low-barrier, high-impact attack surface. Actors: Cyber Av3ngers (IRGC-CEC affiliated), UNC5203/BANISHED KITTEN Techniques: T1190 , T1078 , T0816 , T0826 , T0890 <h3> 2. MuddyWater's Teams Exploitation: Cloud Identity as the New Perimeter </h3> MuddyWater (also tracked as Mango Sandstorm, TA450, MERCURY, Seedworm, Static Kitten, TEMP.Zagros) — Iran's MOIS-affiliated initial-access operator — has shifted from email phishing to Microsoft Teams-based credential theft. The campaign targets energy, government, telecommunications, and utilities sectors. This "living-off-trusted-services" (LOTS) approach bypasses traditional email security controls entirely. Attackers send external tenant messages containing OAuth consent links or device-code phishing URLs through Teams, exploiting the implicit trust users place in the platform. Combined with APT35's Microsoft 365 operations and broader OAuth weaponization trends, Iranian APTs now treat identity infrastructure as their primary attack surface. Actors: MuddyWater/TEMP.Zagros (MOIS-affiliated) Techniques: T1566.001 , T1078.004 , T1528 , T1621 , T1059.001 <h3> 3. Russian-Iranian Cyber Cooperation: A Structural Shift </h3> Reuters reporting from April 7, 2026 — corroborated by Ukrainian intelligence — confirms that Russian satellites have conducted dozens of detailed imagery surveys of military facilities and critical sites across the Middle East to support Iranian operations. This includes direct cyber support: tool sharing, infrastructure co-hosting, and intelligence fusion. This is not a temporary arrangement. Combined with confirmed APT28/APT27 activity on Iranian ASN ranges and infrastructure convergence between Russian and Iranian C2 servers, this represents a formalized cyber cooperation framework that permanently elevates Iranian targeting precision. Actors: APT28 (Russia/GRU), APT27 (China/MSS — infrastructure overlap), Iranian state APTs (beneficiaries) Techniques: T1591 , T1594 , T1583.006 , T1588.002 <h3> 4. CVE-2026-1340: The Ivanti EPMM Emergency </h3> CVE-2026-1340 is a CVSS 9.8 unauthenticated remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM). It is now in CISA's Known Exploited Vulnerabilities catalog, meaning active exploitation is confirmed in the wild. A second vulnerability, CVE-2026-6973 (CVSS 7.2, authenticated RCE), compounds the risk. Pioneer Kitten (Fox Kitten/UNC757) has historically been the first Iranian actor to weaponize Ivanti vulnerabilities. Given their known focus on edge appliance exploitation and their current 31-day operational silence — which may indicate quiet exploitation rather than inactivity — this CVE demands emergency patching. Affected versions: Ivanti EPMM prior to 12.6.1.1, 12.7.0.1, 12.8.0.1 Actors likely to exploit: Pioneer Kitten/Fox Kitten/UNC757 (IRGC-affiliated) <h3> 5. The 14-Day Hacktivist Silence </h3> Since approximately May 2, 2026, pro-Iranian hacktivist groups — Handala, Cyber Toufan, DieNet, and Cyber Islamic Resistance — have produced zero confirmed operations. This is the longest operational pause since the conflict escalated in late February. Three hypotheses explain this silence, and none are reassuring: <ul> <li> Retooling — upgrading from DDoS/defacement to destructive capabilities (wipers, ransomware) </li> </ul> <ul> <li> Operational security tightening — going dark after attribution efforts exposed infrastructure </li> </ul> <ul> <li> Coordinating a multi-group strike — synchronized operation timed to a geopolitical trigger </li> </ul> Historical precedent: Handala went silent for 10 days before executing the Clalit health system breach. The current 14-day pause exceeds that threshold. <h2> Predictive Analysis: 7-Day Horizon </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> MuddyWater Teams campaign expands to healthcare and education sectors </td> <td> 70% </td> <td> Historical pattern of sector-hopping after initial campaign success </td> </tr> <tr> <td> Hacktivist silence breaks with coordinated multi-group operation targeting critical infrastructure </td> <td> 50% </td> <td> 14-day pause exceeds normal tempo; when Handala returns, expect escalated targeting </td> </tr> <tr> <td> CVE-2026-1340 exploitation attributed to Iranian actor (likely Pioneer Kitten) </td> <td> 40% </td> <td> Pioneer Kitten is historically first-mover on Ivanti vulnerabilities </td> </tr> <tr> <td> Pioneer Kitten dormant DIB access activates </td> <td> 25% </td> <td> No triggering event detected yet, but Russia-Iran intelligence sharing raises targeting precision ceiling </td> </tr> <tr> <td> Iranian ICS operation targets power grid edge devices (next rung on escalation ladder) </td> <td> 20% </td> <td> Logical progression from water → transit → fuel, but no specific indicators yet </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Detection Priorities </h3> <table> <thead> <tr> <th> Priority </th> <th> What to Monitor </th> <th> ATT&CK ID </th> <th> Detection Logic </th> </tr> </thead> <tbody> <tr> <td> 🔴 Critical </td> <td> Ivanti EPMM exploitation attempts </td> <td> T1190 </td> <td> Monitor WAF/IDS for unauthenticated requests to EPMM API endpoints; alert on any RCE-pattern payloads targeting versions below 12.6.1.1/12.7.0.1/12.8.0.1 </td> </tr> <tr> <td> 🔴 Critical </td> <td> Microsoft Teams external tenant messages with OAuth/device-code links </td> <td> T1566.001 , T1528 , T1621 </td> <td> Inspect Teams messages from external tenants for URLs containing /devicelogin, OAuth consent prompts, or token-harvesting redirects </td> </tr> <tr> <td> 🟠 High </td> <td> ATG/ICS device internet exposure </td> <td> T1190 , T0890 </td> <td> Scan for Veeder-Root TLS-350/450 systems reachable from the internet; alert on any authentication attempts using default credentials </td> </tr> <tr> <td> 🟠 High </td> <td> Siemens SIMATIC/Ruggedcom anomalous access </td> <td> T0890 , T1068 </td> <td> Monitor OT network segments for unexpected connections to Ruggedcom ROX management interfaces and SIMATIC CN 4100 admin panels </td> </tr> <tr> <td> 🟡 Elevated </td> <td> Pioneer Kitten VPN access patterns </td> <td> T1133 , T1078 </td> <td> Hunt for Fortinet/Citrix/Ivanti VPN logins from previously dormant accounts, especially those with Iranian-attributed IOC overlap </td> </tr> <tr> <td> 🟡 Elevated </td> <td> PowerShell execution post-Teams interaction </td> <td> T1059.001 </td> <td> Correlate Teams message receipt from external tenants with subsequent PowerShell execution on the same endpoint within 30 minutes </td> </tr> </tbody> </table> <h3> Hunting Hypotheses </h3> <ul> <li> Hypothesis: MuddyWater has already compromised cloud identities via Teams. Hunt for: anomalous OAuth token grants in Entra ID logs; new application consent grants from external tenants; device-code authentication from unexpected geolocations. </li> </ul> <ul> <li> Hypothesis: Pioneer Kitten maintains dormant VPN access in our environment. Hunt for: VPN accounts with no activity for 30+ days that were previously active; Fortinet/Citrix/Ivanti admin accounts with password age >90 days; SSL VPN connections from ASNs associated with Iranian hosting providers. </li> </ul> <ul> <li> Hypothesis: ATG/OT systems are internet-exposed with default credentials. Hunt for: Shodan/Censys results for Veeder-Root TLS systems on corporate IP ranges; network flows from OT segments to unexpected external IPs; default credential usage on any ICS/SCADA management interface. </li> </ul> <ul> <li> Hypothesis: Hacktivist groups are conducting reconnaissance during their silence. Hunt for: increased scanning activity from known pro-Iranian infrastructure; DNS lookups for organizational assets from Middle Eastern IP ranges; social media reconnaissance indicators (LinkedIn scraping, employee enumeration). </li> </ul> <h3> Blocking Guidance </h3> Deploy the following IOCs to perimeter defenses and EDR platforms. These indicators are associated with confirmed Iranian APT infrastructure from current intelligence collection: <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Context </th> </tr> </thead> <tbody> <tr> <td> IPv4 </td> <td> 37.220.6[.]115 </td> <td> Iranian APT infrastructure </td> </tr> <tr> <td> Domain </td> <td> customermgmt[.]net </td> <td> MuddyWater C2 infrastructure </td> </tr> <tr> <td> Domain </td> <td> pharmacynod[.]com </td> <td> APT34/OilRig associated </td> </tr> <tr> <td> URL </td> <td> https://customermgmt[.]net/page/macrocosm </td> <td> Active C2 endpoint </td> </tr> <tr> <td> SHA-256 </td> <td> cad8078a2959815328e502e5a7cca0b06a6ff0ec451194e4abffd76eac77cfb6 </td> <td> Iranian APT tooling </td> </tr> <tr> <td> SHA-256 </td> <td> 0f4f282c203362b82bb5e3835d6866daa58fe504b902de4589ac98511881ea13 </td> <td> Associated malware sample </td> </tr> <tr> <td> SHA-256 </td> <td> ac91c50987e95e1c6bce83fc21c47ec9f434b4db902dd7662ed62e32e58b4511 </td> <td> Associated malware sample </td> </tr> <tr> <td> SHA-256 </td> <td> c64aae698d2a7f01bfa01325fefadf332f1907dad6a0814d13e86a54d1ba6a92 </td> <td> Associated malware sample </td> </tr> </tbody> </table> Additional IOCs available via Anomali ThreatStream and partner feeds. <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Primary threat: MuddyWater credential theft via Microsoft Teams targeting financial sector employees; credential harvesting enabling wire fraud and account takeover. Actions: <ul> <li> Restrict external Teams federation to pre-approved partner tenants only </li> <li> Enable Conditional Access policies requiring compliant devices for all financial system access </li> <li> Deploy token theft detection rules in Entra ID — alert on impossible travel for OAuth tokens </li> <li> Review all third-party application consent grants from the past 30 days </li> <li> Brief treasury/payments teams on device-code phishing TTPs </li> </ul> <h3> Energy </h3> Primary threat: ATG system compromise at fuel distribution facilities; Siemens SIMATIC/Ruggedcom vulnerabilities in power generation and distribution OT environments; MuddyWater targeting energy sector credentials. Actions: <ul> <li> Immediately audit all Veeder-Root ATG systems for internet exposure and default credentials </li> <li> Segment ATG monitoring networks from corporate IT with unidirectional gateways </li> <li> Patch Siemens Ruggedcom ROX devices (3 separate advisories) — prioritize any in operational networks </li> <li> Deploy OT-specific network monitoring (Claroty, Nozomi, Dragos) if not already present </li> <li> Establish fuel supply chain communication protocols with downstream distributors </li> </ul> <h3> Healthcare </h3> Primary threat: MuddyWater campaign expansion to healthcare (70% probability within 7 days); hacktivist return likely to target healthcare systems (Handala precedent: Clalit health system breach followed a 10-day silence). Actions: <ul> <li> Harden Microsoft Teams external access — disable external messaging for clinical staff accounts </li> <li> Ensure EHR systems are segmented from internet-facing collaboration platforms </li> <li> Pre-position incident response playbooks for wiper/ransomware scenarios </li> <li> Verify backup integrity for patient data systems — test restoration procedures </li> <li> Brief clinical leadership on potential service disruption scenarios </li> </ul> <h3> Government </h3> Primary threat: MuddyWater is the primary initial-access operator for Iranian government-targeting campaigns; credential theft enables persistent access to classified and sensitive networks; Russia-Iran intelligence sharing elevates targeting precision against government facilities. Actions: <ul> <li> Enforce phishing-resistant MFA (FIDO2/hardware keys) for all privileged accounts — device-code phishing bypasses SMS/push MFA </li> <li> Audit all Ivanti EPMM deployments managing government mobile devices — patch CVE-2026-1340 within 24 hours </li> <li> Review Entra ID sign-in logs for anomalous device-code authentication patterns </li> <li> Coordinate with CISA for latest Iranian APT indicators and detection signatures </li> <li> Assess exposure to Russian satellite reconnaissance of government facilities </li> </ul> <h3> Aviation & Logistics </h3> Primary threat: UNC6446 fake-recruitment espionage targeting aerospace sector (infrastructure refreshed May 14); Pioneer Kitten pre-positioning in defense industrial base supply chains; fuel distribution disruption impacting aviation logistics. Actions: <ul> <li> Brief HR/recruiting teams on IRGC-linked fake recruitment campaigns — verify all unsolicited job offers and coding challenges before execution </li> <li> Audit VPN and remote access logs for dormant accounts with aerospace/defense contractor access </li> <li> Assess fuel supply chain dependencies — identify single points of failure if ATG systems are disrupted </li> <li> Review all Ivanti/Fortinet/Citrix edge appliances in aviation network segments for unpatched vulnerabilities </li> <li> Coordinate with DIB-ISAC for latest Pioneer Kitten/Fox Kitten indicators </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> <th> Rationale </th> </tr> </thead> <tbody> <tr> <td> Patch Ivanti EPMM to versions 12.6.1.1, 12.7.0.1, or 12.8.0.1 </td> <td> IT Ops </td> <td> CVE-2026-1340 (CVSS 9.8) is in CISA KEV with active exploitation; Iranian actors historically weaponize Ivanti flaws within days </td> </tr> <tr> <td> Block IOCs listed above at perimeter firewalls, DNS, and EDR </td> <td> SOC </td> <td> Confirmed Iranian APT C2 infrastructure currently active </td> </tr> <tr> <td> Audit ATG systems (Veeder-Root TLS-350/450) for internet exposure </td> <td> OT/ICS Team </td> <td> Iranian actors confirmed targeting; default credentials are the primary vector </td> </tr> <tr> <td> Restrict Microsoft Teams external federation </td> <td> IT Ops/Security </td> <td> MuddyWater actively exploiting Teams for credential theft across multiple sectors </td> </tr> <tr> <td> Activate IR retainer and confirm 4-hour SLA </td> <td> CISO/Legal </td> <td> Threat level warrants pre-positioned response capability </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> <th> Rationale </th> </tr> </thead> <tbody> <tr> <td> Deploy Teams message inspection for OAuth/device-code phishing patterns </td> <td> SOC/Email Security </td> <td> Detect MuddyWater credential harvesting before token theft occurs </td> </tr> <tr> <td> Patch all Siemens SIMATIC CN 4100, Ruggedcom ROX, and Teamcenter instances </td> <td> OT/IT Ops </td> <td> 8 new advisories expand OT attack surface during active Iranian ICS campaign </td> </tr> <tr> <td> Initiate proactive threat hunt for Pioneer Kitten/Fox Kitten indicators </td> <td> SOC/Threat Hunt </td> <td> 31-day dormancy in DIB networks is the highest-risk blind spot; focus on Fortinet/Citrix/Ivanti VPN logs </td> </tr> <tr> <td> Enforce phishing-resistant MFA (FIDO2) for all privileged and admin accounts </td> <td> IAM/IT Ops </td> <td> Device-code phishing bypasses push/SMS MFA — only hardware keys resist this technique </td> </tr> <tr> <td> Conduct tabletop exercise: coordinated Iranian wiper + hacktivist DDoS scenario </td> <td> CISO/IR Team </td> <td> 14-day hacktivist silence may precede coordinated strike; validate response playbooks </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> <th> Rationale </th> </tr> </thead> <tbody> <tr> <td> Commission full assessment of fuel distribution OT exposure </td> <td> CISO/OT Security </td> <td> Map all ATG systems, SCADA connections, and remote access paths; Iranian ICS targeting is systematically expanding </td> </tr> <tr> <td> Establish intelligence sharing with Balkan/SE European partner CERTs </td> <td> CISO/CTI </td> <td> Iranian proxy operations confirmed expanding to Southeast Europe </td> </tr> <tr> <td> Deploy unidirectional security gateways for all OT/ICS network segments </td> <td> OT/Network Engineering </td> <td> Prevent lateral movement from IT to OT during Iranian ICS operations </td> </tr> <tr> <td> Review and update cyber insurance coverage for state-sponsored destructive attacks </td> <td> CISO/Legal/Finance </td> <td> 200,000-endpoint Stryker destruction (March 11) demonstrates scale of potential loss </td> </tr> <tr> <td> Develop "dormant access activation" detection playbook </td> <td> SOC/Threat Hunt </td> <td> Pioneer Kitten pattern: maintain quiet access for months, activate during kinetic escalation </td> </tr> </tbody> </table> <h2> The Bottom Line </h2> The Iran cyber conflict has entered its most dangerous phase — not because attacks are increasing, but because they're going quiet in the wrong places while capability surges in the right ones. When MuddyWater moves from email to Teams, they're telling you email security won. Now defend identity. When Cyber Av3ngers move from water PLCs to gas station ATGs, they're telling you they've mapped your critical infrastructure sector by sector. When Russia hands Iran satellite imagery of your facilities, they're telling you the targeting problem is solved — only the timing remains. And when every hacktivist group goes silent simultaneously for two weeks during an active armed conflict, they're telling you something is coming. The 31-day silence from Pioneer Kitten against defense industrial base networks is not absence of threat — it is the threat. Pre-positioned access that activates during kinetic escalation is the scenario with maximum strategic impact and minimum detection probability. Patch Ivanti today. Hunt for dormant access this week. Map your OT exposure this month. The coiled spring will release — the only question is whether you'll be ready. Published 2026-05-16 by the Anomali CTI Desk. Intelligence derived from Anomali ThreatStream, CISA advisories, OSINT collection, and partner feeds. For IOC feeds and detection content, contact your Anomali representative.

FEATURED RESOURCES

May 17, 2026

Anomali Cyber Watch

Iran's Drone Strike on a Nuclear Facility Changes the Cyber Calculus: What CISOs Must Do Now

May 16, 2026

Anomali Cyber Watch