The Deceptive Lull: Why the Iran Cyber Conflict's Real Threat Isn't the One Making Headlines

Anomali Threat Research

Published on

March 5, 2026

Table of Contents

While 149 hacktivist DDoS attacks dominate the news cycle, Iranian state espionage operators have quietly deployed new malware against defense and nuclear targets — and they did it before the bombs started falling. Here's what CISOs need to know right now. Seven days into Operation Epic Fury, the cyber dimension of the U.S.-Israel-Iran conflict has split into two distinct tracks. The loud one — a swarm of hacktivist groups launching DDoS attacks across 16 countries — is getting all the attention. The quiet one — precision espionage malware targeting your defense contractors and nuclear researchers — is the one that should keep you up at night. This post breaks down what's actually happening, what's coming next, and what your teams should be doing about it today. <h2>What Changed This Week</h2> The last 72 hours produced the highest volume of actionable cyber threat intelligence since the conflict began. Three developments stand out: <ol> <li>New malware discovered targeting the defense industrial base. Google's Threat Intelligence Group (GTIG) disclosed SHADYSMILE, a previously unknown C++ backdoor delivered through fake recruitment materials bearing a U.S. defense contractor's logo. Samples date back to June 2025 — meaning Iranian operators were building this capability months before the current conflict.</li> </ol> <ol> <li>APT42 pivoted to nuclear sector espionage. The same week the U.S.-Iran nuclear talks collapsed, APT42 (also known as Charming Kitten) deployed its TAMECAT backdoor against nuclear research personnel using fake academic seminar invitations. A malicious LNK file was submitted to VirusTotal on March 1 — three days after strikes began.</li> </ol> <ol> <li>IP camera compromise is now part of the kill chain. Check Point confirmed that Iranian actors intensified targeting of IP cameras across seven countries starting February 28, with targeting spikes correlating directly to missile launch timing. This isn't surveillance — it's active battle damage assessment supporting kinetic operations.</li> </ol> Meanwhile, the hacktivist noise continues: 149 DDoS attacks, 12 groups, 16 countries. But as CrowdStrike's Adam Meyers put it, the claims are "claim-driven rather than evidence-backed." CloudFlare's CEO noted that malicious traffic from Iran itself actually dropped — operators are sheltering during strikes. <h2>Conflict & Threat Timeline</h2> <table> <tbody> <tr> <td> Date </td> <td> Event </td> <td> Significance </td> </tr> <tr> <td> Mid-2025 </td> <td> SHADYSMILE backdoor samples first appear </td> <td> Iranian operators pre-staging defense sector espionage months before conflict </td> </tr> <tr> <td> Jan 14–15, 2026 </td> <td> First IP camera targeting spike </td> <td> Correlated with Iran closing airspace in anticipation of U.S. strikes </td> </tr> <tr> <td> Late Feb 2026 </td> <td> U.S.-Iran nuclear talks collapse </td> <td> Strategic trigger for APT42 nuclear sector targeting </td> </tr> <tr> <td> Feb 28 </td> <td> Operation Epic Fury begins; IP camera targeting intensifies across 7 countries </td> <td> Kinetic and cyber operations launch simultaneously </td> </tr> <tr> <td> Feb 28 </td> <td> First hacktivist DDoS attack (Hider Nex / Tunisian Maskers Cyber Force) </td> <td> Hacktivist swarm activates within hours of strikes </td> </tr> <tr> <td> Feb 28 – Mar 2 </td> <td> 149 DDoS attacks hit 110 organizations across 16 countries </td> <td> Peak hacktivist volume; 12 groups participate </td> </tr> <tr> <td> Mar 1 </td> <td> APT42 TAMECAT deployed against nuclear researchers </td> <td> State espionage continues despite Iran's internet at ~1% capacity </td> </tr> <tr> <td> Mar 1 </td> <td> Camera targeting extends to Lebanon </td> <td> BDA collection expanding geographically </td> </tr> <tr> <td> Mar 2 </td> <td> UNC5866 actor entry created (Emennet Pasargad-linked) </td> <td> New actor tracking for malware delivery and information operations </td> </tr> <tr> <td> Mar 3 </td> <td> CISA acting director reassigned; partial agency shutdown </td> <td> U.S. cyber defense posture degraded at worst possible time </td> </tr> <tr> <td> Mar 4 </td> <td> GTIG publishes SHADYSMILE and TAMECAT reports </td> <td> First public disclosure of new Iranian malware families </td> </tr> <tr> <td> Mar 5 </td> <td> Check Point publishes IP camera BDA analysis </td> <td> Doctrine of camera-enabled missile targeting confirmed </td> </tr> <tr> <td> Mar 5 </td> <td> This report </td> <td> Day 7: State espionage active, hacktivist noise high, wiper deployment anticipated </td> </tr> </tbody> </table> <h2>Threat Analysis: The Two-Tier Architecture</h2> <h3>Tier 1 — The Noise Layer (Active Now, Lower Risk)</h3> Twelve hacktivist groups — led by Keymous+, DieNet, and NoName057(16) — are responsible for nearly 75% of the 149 confirmed DDoS attacks. New groups have emerged, including Hider Nex, Cyber Isnaad Front, Nation of Saviors, and several others. Notably, pro-Russian groups like NoName057(16) and Russian Legion have joined the campaign, claiming Israeli military breaches. The bottom line for CISOs: This activity is real but overhyped. Multiple independent assessments — from CrowdStrike, Sophos, the Foundation for Defense of Democracies, and Flashpoint — confirm that most hacktivist claims cannot be substantiated. DDoS mitigation is prudent, but this is not where your highest risk lives. <h3>Tier 2 — The Espionage Layer (Active Now, Higher Risk)</h3> This is where the real danger is. Multiple Iranian state-sponsored groups are conducting precision operations: <table> <tbody> <tr> <td> Actor </td> <td> Also Known As </td> <td> Target Sector </td> <td> Malware / Technique </td> <td> Status </td> </tr> <tr> <td> UNC1549 / UNC6446 </td> <td> Overlaps with APT33, APT34 </td> <td> Defense, Aerospace </td> <td> SHADYSMILE backdoor via recruitment lures </td> <td> Active since mid-2025 </td> </tr> <tr> <td> APT42 </td> <td> Charming Kitten, CALANQUE, TA453 </td> <td> Nuclear research </td> <td> TAMECAT PowerShell backdoor via academic lures </td> <td> Active, LNK file submitted Mar 1 </td> </tr> <tr> <td> Cotton Sandstorm </td> <td> Haywire Kitten, Emennet Pasargad, NEPTUNIUM </td> <td> Energy, Financial, Government, Telecom </td> <td> Revived Altoufan Team persona; hack-and-leak </td> <td> Reactivated </td> </tr> <tr> <td> UNC6729 </td> <td> Newly tracked </td> <td> Mobile / civilian </td> <td> Trojanized RedAlert app (Android surveillance) </td> <td> Active SMS phishing campaign </td> </tr> <tr> <td> UNC5866 </td> <td> Likely Emennet Pasargad-linked </td> <td> Manufacturing, Retail </td> <td> Malware delivery + information operations </td> <td> Newly identified (Mar 2) </td> </tr> <tr> <td> Void Manticore </td> <td> BANISHED KITTEN </td> <td> Israeli / Gulf targets </td> <td> BiBiWiper (destructive) </td> <td> Dormant — anticipated activation </td> </tr> <tr> <td> Cyber Av3ngers </td> <td> IRGC-linked </td> <td> Water, Energy (ICS/OT) </td> <td> IOCONTROL </td> <td> Dormant — anticipated activation </td> </tr> </tbody> </table> Key insight: SHADYSMILE and TAMECAT demonstrate that Iranian state operators were pre-staging espionage infrastructure before the conflict began. These campaigns are running on infrastructure hosted outside Iran, meaning they are unaffected by Iran's near-total internet blackout. The surviving Iranian leadership needs to understand what the U.S. and Israel can see and strike next — and these operations are how they're getting that intelligence. <h3>The Handoff Risk — A Novel Threat</h3> The most dangerous moment in this conflict's cyber dimension hasn't happened yet. Right now, the two tiers are operating independently — hacktivists acting autonomously while state operators run pre-staged campaigns from external infrastructure. When Iran's internet restores (assessed as likely within 72 hours), these tiers will converge. The risk: state operators may leverage hacktivist-created noise as cover for more sophisticated intrusions, or hacktivist groups may receive state-level tools and access. Flashpoint's analysts have warned that external operators are "considerably less affected by the bombings and internet blackouts" and "their targeting will be vastly more unpredictable." There is no clean historical precedent for this pattern in Iranian operations. The closest analog is Russia's use of hacktivist fronts like KillNet to mask GRU operations in Ukraine — but Iran's involuntary internet blackout adds a dimension of unpredictability that didn't exist in the Russian playbook. <h2>Vulnerabilities Under Active Exploitation</h2> Two critical vulnerabilities demand immediate attention: <table> <tbody> <tr> <td> CVE </td> <td> Product </td> <td> CVSS </td> <td> Status </td> <td> Why It Matters </td> </tr> <tr> <td> CVE-2026-1281 </td> <td> Ivanti Endpoint Manager Mobile (EPMM) </td> <td> 9.8 </td> <td> Actively exploited — single actor responsible for 83% of exploitation </td> <td> Unauthenticated RCE. Not yet attributed to Iran, but Iranian actors have a documented history of exploiting Ivanti products (CVE-2024-21887, CVE-2025-0282). The exploitation window aligns with Iran's known edge-device playbook. </td> </tr> <tr> <td> CVE-2026-1340 </td> <td> Ivanti EPMM </td> <td> 9.8 </td> <td> Actively exploited — same campaign as above </td> <td> Chained with CVE-2026-1281 for full compromise </td> </tr> <tr> <td> CVE-2025-1960 </td> <td> Schneider Electric WebHMI </td> <td> 9.8 </td> <td> Default credentials vulnerability </td> <td> Directly relevant to ICS/OT environments. Schneider Electric systems are widely deployed in energy and water infrastructure — the exact sectors Iran's Cyber Av3ngers have historically targeted. </td> </tr> </tbody> </table> <h2>Predictive Analysis: What's Coming Next</h2> Based on seven days of continuous intelligence collection, corroborated across multiple independent sources: <table> <tbody> <tr> <td> Probability </td> <td> Scenario </td> <td> Timeframe </td> <td> Implication </td> </tr> <tr> <td> 70% </td> <td> Hacktivist DDoS continues at current or elevated tempo; additional groups join </td> <td> Next 72 hours </td> <td> Sustained noise; limited real impact. Ensure DDoS mitigation is active. </td> </tr> <tr> <td> 60% </td> <td> Iran's internet partially restores, enabling in-country APT operators to resume operations </td> <td> Next 72 hours </td> <td> This is the inflection point. Expect a spike in state-sponsored intrusion attempts against critical infrastructure and defense networks. </td> </tr> <tr> <td> 50% </td> <td> At least one destructive wiper deployment (BiBiWiper variant or new family) against Israeli or Gulf state targets </td> <td> Next 7 days </td> <td> Void Manticore / BANISHED KITTEN has been dormant since October 2025. Wiper capability is likely being held in reserve for escalation. </td> </tr> <tr> <td> 40% </td> <td> Ivanti EPMM exploitation (CVE-2026-1281/1340) attributed to an Iranian actor </td> <td> Next 7 days </td> <td> Would confirm Iran is exploiting the same edge-device attack surface they've used for years. </td> </tr> <tr> <td> 30% </td> <td> ICS/OT attack against U.S. water or energy infrastructure via IOCONTROL or Cyber Av3ngers-lineage tooling </td> <td> Next 14 days </td> <td> The retaliatory escalation scenario. A thwarted ICS attack on a Jordanian wheat silo and IRGC kinetic strikes on Saudi Aramco suggest OT targeting intent is present. </td> </tr> </tbody> </table> <h2>Defense Recommendations</h2> <h3>🔴 Immediate — Next 48 Hours</h3> <ol> <li> Block known Iranian espionage infrastructure.</li> </ol> SHADYSMILE C2 domains — block at DNS and web proxy: <ul> <li>smil22.com</li> <li>promisenature.com</li> <li>bridgekit.net</li> <li>orbitstack.net</li> <li>lunarlab.space</li> </ul> TAMECAT C2 — block at DNS and web proxy: <ul> <li>seminar-session.netlify.app</li> </ul> Iranian scanning IPs — block at perimeter: <ul> <li>185.93.89.138</li> <li>185.93.89.37</li> </ul> <ol start="2"> <li> Hunt for SHADYSMILE and TAMECAT artifacts in your environment.</li> </ol> Search EDR for these file hashes: <ul> <li>4fb2c0e5df6bb10947583239d15100eb1886073ac4f9d3fd8f9072c1ccd7d413 (Ulib.dll)</li> <li>b7faf682cbd91e02d89797999d9418d9935eacb3a474905d2db48462f09354ed (dmcmnutils.dll)</li> <li>c03447fd794fa697a3eea52303f72dba0ccf43152c4a2fdb0d9cf741def20503 (Peopleprofile.exe)</li> <li>13dfb4a0f8609c8c2a125e2a3b6e0dfab885ef92715e10bdc9979b591b25e49f (TAMECAT LNK)</li> <li>8ef9f77b663c15f1030072f4b8326c4ab96cf8350bdb6d3fe22eb3d59b8abfd6 (TAMECAT 8.cmd)</li> </ul> Search email gateways for recruitment-themed lures and academic seminar invitations targeting aerospace, defense, and nuclear personnel — look back 90 days. <ol start="3"> <li> Audit all internet-facing IP cameras.</li> </ol> Enumerate every Hikvision and Dahua camera exposed to the internet. Verify firmware is current, default credentials are changed, and cameras are network-segmented from operational systems. Prioritize any cameras with line-of-sight to critical infrastructure. <ol start="4"> <li> Validate DDoS mitigation posture.</li> </ol> Confirm CDN and WAF configurations are active for all public-facing web properties. Financial services and government portals are the primary hacktivist targets. <h3>🟠 7-Day Actions</h3> <ol start="5"> <li> Patch Ivanti EPMM — CVE-2026-1281 and CVE-2026-1340.</li> </ol> Both are CVSS 9.8, unauthenticated remote code execution, and under active exploitation. A single threat actor is responsible for 83% of observed exploitation. If patching cannot be completed within 7 days, isolate EPMM instances from the internet immediately. <ol start="6"> <li> Audit Schneider Electric WebHMI for default credentials (CVE-2025-1960).</li> </ol> CVSS 9.8. Change all default passwords on any deployed WebHMI instance. This is directly relevant to ICS/OT environments in energy and water sectors. <ol start="7"> <li> Review ICS/OT network segmentation.</li> </ol> The thwarted ICS attack on a Jordanian wheat silo and CISA's batch of eight ICS advisories on March 3 signal that OT targeting is imminent. Validate segmentation for Hitachi Energy RTU500, Mitsubishi MELSEC, and Schneider Electric systems. Ensure SCADA environments are properly air-gapped or segmented. <h3>🟡 30-Day Strategic Actions</h3> <ol start="8"> <li> Launch targeted social engineering awareness training.</li> </ol> Iranian actors — including UNC1549, UNC6446, APT33, APT34, and APT42 — are systematically using fake job offers, personality assessments, and academic seminar invitations to deliver malware. Aerospace, defense, and nuclear sector personnel are the primary targets. Train employees to verify any unsolicited recruitment contact through official channels before opening attachments or clicking links. <ol start="9"> <li> Establish cloud security telemetry.</li> </ol> Multiple sources confirm Iran is leveraging AI tools combined with years of stolen personal data to enhance phishing operations. The next evolution of this threat is likely to target cloud identity systems — OAuth consent flows, Azure AD sign-in anomalies, and API token abuse. If you don't have visibility into these telemetry sources today, begin deploying monitoring for OAuth consent grants, conditional access anomalies, and unusual API activity. <ol start="10"> <li> Pressure-test your incident response plan against a wiper scenario.</li> </ol> With a 50% probability of a destructive wiper deployment in the next 7 days, now is the time to tabletop a BiBiWiper-style attack against your environment. Key questions: Can you restore from backups if endpoints and servers are simultaneously wiped? Do you have out-of-band communication channels if email and collaboration tools are destroyed? Is your IR retainer current and your provider aware of the elevated threat? <h2>A Note on CISA's Degraded Posture</h2> One factor compounding all of the above: CISA — the U.S. government's primary civilian cybersecurity agency — is operating at reduced capacity. The acting director was reassigned and the agency is in a partial shutdown during the highest Iranian cyber threat period since at least 2020. Organizations should not expect timely CISA advisories or incident response support at normal levels. Self-reliance in threat detection and response is now a requirement, not a preference. <h2>The Bottom Line</h2> The loudest part of this conflict — hacktivist DDoS attacks — is the least dangerous. The quietest part — state-sponsored espionage malware pre-positioned in defense and nuclear sector networks, IP cameras weaponized for missile targeting, and dormant wiper capabilities waiting for activation — is where the real risk lives. SHADYSMILE was built months before the first bomb fell. TAMECAT was deployed three days after strikes began. The IP camera BDA campaign is actively supporting missile targeting across seven countries. And CISA — the agency you'd normally call for help — is operating at reduced capacity during the highest Iranian cyber threat period since 2020. The organizations that act this week — blocking IOCs, hunting for pre-positioned access, patching Ivanti, and briefing their executives — will be the ones that weather what comes next. The organizations that wait for confirmation will be the ones responding to an incident. Don't wait. The silence is the signal. This assessment is based on intelligence collected through March 5, 2026. Situation updates will be published daily as long as the threat remains elevated.

FEATURED RESOURCES

March 5, 2026

Anomali Cyber Watch