The Loudest Signal in Iranian Cyber Operations Is Silence — And That Should Worry You

Anomali Threat Research

Published on

May 15, 2026

Table of Contents

Threat Assessment Level: ELEVATED Previous assessment: HIGH (2026-05-14). Downgrade rationale: No new destructive operations confirmed; espionage activity remains steady but below destructive threshold. However, the extended operational silence from hacktivist groups and the expanding ICS attack surface keep this assessment at ELEVATED rather than GUARDED. CISOs should treat this as a "coiled spring" — the absence of attacks is not the absence of threat. <h2> Executive Summary </h2> We are now 76 days into the U.S.-Iran armed conflict that began on 28 February 2026. Iranian cyber operations have entered a paradoxical phase: espionage infrastructure is more active than ever, yet destructive and hacktivist operations have gone silent for over 12 days — the longest pause since the conflict began. This silence, combined with confirmed Russian-Iranian intelligence sharing and seven new CISA ICS advisories expanding the attack surface for Iranian OT-focused groups, creates a threat environment where preparation is indistinguishable from restraint. Three developments demand immediate CISO attention: active Iranian espionage targeting U.S. aerospace contractors via fake recruitment applications, a confirmed command-and-control server operating from Tehran today, and a rapidly expanding AI supply-chain attack surface being exploited by state-sponsored actors. <h2> What Changed (Past 72 Hours) </h2> <table> <thead> <tr> <th> Development </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> UNC6446 aerospace espionage IOCs refreshed 2026-05-14 — infrastructure confirmed live </td> <td> Active Iranian targeting of U.S. defense industrial base via fake recruitment apps </td> </tr> <tr> <td> UNC5858 (Black Shadow) impersonating Rafael Advanced Defense Systems in spear-phishing </td> <td> New espionage campaign targeting Israeli defense sector personnel </td> </tr> <tr> <td> UNC6729 distributing trojanized RedAlert rocket-alert apps to Israeli citizens via SMS </td> <td> Mobile surveillance exploiting wartime psychological urgency </td> </tr> <tr> <td> SmartLoader C2 at 213.176.73[.]163 validated active by 3 independent sources </td> <td> Confirmed Iranian C2 infrastructure operating from Tehran ASN </td> </tr> <tr> <td> 7 CISA ICS advisories (Siemens SIMATIC, Ruggedcom, Universal Robots) published 2026-05-14 </td> <td> Fresh attack surface for Cyber Av3ngers-style PLC exploitation </td> </tr> <tr> <td> MCP supply-chain weaponization confirmed by Google Threat Intelligence Group </td> <td> APT31 experimenting with AI Model Context Protocol; SANDCLOCK stealer via trojanized PyPI packages </td> </tr> <tr> <td> Russian-Iranian cyber convergence — Reuters-confirmed intelligence sharing; APT28/APT27 activity detected on Iranian ASN ranges </td> <td> Highest-consequence intelligence gap; combined Russian expertise and Iranian access could produce significantly more sophisticated operations </td> </tr> <tr> <td> Hacktivist silence enters Day 12+ — Handala, Cyber Av3ngers, DieNet, 313 Team all dormant </td> <td> Longest operational pause since conflict onset; historically precedes coordinated bursts </td> </tr> </tbody> </table> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Actor / Source </th> </tr> </thead> <tbody> <tr> <td> 2026-02-28 </td> <td> U.S.-Iran armed conflict begins </td> <td> — </td> </tr> <tr> <td> 2026-03-11 </td> <td> Destructive wiper destroys 200,000+ Stryker endpoints via weaponized Microsoft Intune </td> <td> UNC5203 / Cotton Sandstorm / BANISHED KITTEN </td> </tr> <tr> <td> 2026-04-07 </td> <td> Reuters confirms Russia providing satellite imagery and cyber support to Iran </td> <td> Reuters / Ukrainian Intelligence </td> </tr> <tr> <td> 2026-04-22 </td> <td> UK NCSC elevates Iran alongside Russia and China as top-tier cyber threats </td> <td> UK NCSC </td> </tr> <tr> <td> 2026-04-26 </td> <td> Iran-linked cyberattack knocks U.S. medical firm offline, disrupts global operations </td> <td> Unattributed (Iran-linked) </td> </tr> <tr> <td> 2026-05-03 </td> <td> Hacktivist groups enter operational silence (last confirmed activity) </td> <td> Handala, Cyber Av3ngers, DieNet, 313 Team </td> </tr> <tr> <td> 2026-05-07 </td> <td> CVE-2026-6973 (Ivanti EPMM) added to CISA KEV — active exploitation by Pioneer Kitten </td> <td> Pioneer Kitten / Fox Kitten / UNC757 </td> </tr> <tr> <td> 2026-05-09 </td> <td> Infrastructure convergence detected between MuddyWater and North Korean Silent Chollima </td> <td> MuddyWater (MOIS) / Silent Chollima </td> </tr> <tr> <td> 2026-05-12 </td> <td> UNC5858 (Black Shadow) Rafael impersonation campaign IOCs active </td> <td> UNC5858 / Black Shadow </td> </tr> <tr> <td> 2026-05-13 </td> <td> Google TIG publishes MCP weaponization bulletin; SANDCLOCK/PROMPTSTEAL confirmed </td> <td> APT31, APT28, TeamPCP/UNC6780 </td> </tr> <tr> <td> 2026-05-14 </td> <td> UNC6446 aerospace fake-recruitment IOCs refreshed — infrastructure live </td> <td> UNC6446 </td> </tr> <tr> <td> 2026-05-14 </td> <td> 7 CISA ICS advisories: Siemens SIMATIC CN 4100, Ruggedcom ROX, Universal Robots </td> <td> CISA </td> </tr> <tr> <td> 2026-05-14 </td> <td> UNC6729 trojanized RedAlert app IOCs active against Israeli citizens </td> <td> UNC6729 </td> </tr> <tr> <td> 2026-05-15 </td> <td> SmartLoader C2 213.176.73[.]163 confirmed active (3 sources) </td> <td> Recorded Future, ThreatFox </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> 1. Defense Industrial Base Under Active Espionage Siege </h3> UNC6446 — a suspected IRGC-affiliated cluster — is actively targeting U.S. aerospace and defense contractors using custom malware disguised as recruitment applications. Their infrastructure was refreshed as recently as 2026-05-14, indicating live operations. This actor operates alongside the previously tracked APT33 (Refined Kitten) , which uses similar fake-resume lures against the same sector. Separately, UNC5858 (Black Shadow) is impersonating Rafael Advanced Defense Systems — Israel's premier defense manufacturer — in spear-phishing campaigns delivering custom backdoors to defense sector personnel. Why this matters: The defense industrial base is being targeted from two directions simultaneously — U.S. aerospace via fake recruitment (UNC6446/APT33) and Israeli defense via company impersonation (UNC5858). Both campaigns use social engineering that bypasses technical controls by exploiting human trust in hiring processes and business communications. ATT&CK Techniques: T1566.002 (Spearphishing Link), T1204.002 (User Execution: Malicious File), T1036.005 (Masquerading: Match Legitimate Name), T1547 (Boot or Logon Autostart Execution) <h3> 2. The 12-Day Hacktivist Silence — Coiled Spring or Strategic Restraint? </h3> Since approximately Day 65 of the conflict (2026-05-03), every major pro-Iran hacktivist group — Handala/UNC5203 , Cyber Av3ngers , DieNet , and 313 Team — has gone operationally silent. This is unprecedented since the conflict began. Historical pattern analysis of Iranian hacktivist operations shows that extended quiet periods (7+ days) have preceded coordinated burst campaigns in 4 of 5 previous instances. Two interpretations exist: <ul> <li> Preparation hypothesis (60% probability): Groups are retooling, pre-positioning, and coordinating for a synchronized multi-target campaign </li> <li> De-escalation hypothesis (40% probability): A strategic decision has been made to keep cyber operations below the threshold that might provoke kinetic retaliation </li> </ul> Either way, the silence is signal, not safety. <h3> 3. ICS/OT Attack Surface Expanding — 7 New CISA Advisories </h3> Seven CISA ICS advisories published 2026-05-14 disclose critical vulnerabilities in: <ul> <li> Siemens SIMATIC CN 4100 — authentication bypass </li> <li> Ruggedcom ROX (versions below 2.17.1) — remote code execution </li> <li> Universal Robots Polyscope 5 — authentication bypass + code execution </li> </ul> Cyber Av3ngers (IRGC-CEC affiliated) have historically weaponized Siemens/PLC vulnerabilities within 7–14 days of public disclosure. The clock started on 2026-05-14. These advisories cover equipment deployed across water treatment, energy generation, manufacturing, and logistics facilities. <h3> 4. AI Supply-Chain Weaponization Reaches State-Sponsored Scale </h3> Google Threat Intelligence Group confirmed that the Model Context Protocol (MCP) — an emerging standard for AI tool integration — is being actively weaponized: <ul> <li> APT31 (China-nexus) is experimenting with MCP for AI-assisted operations </li> <li> TeamPCP/UNC6780 compromised the LiteLLM Python package on PyPI to distribute the SANDCLOCK credential stealer (March 2026) </li> <li> APT28 deployed PROMPTSTEAL malware leveraging stolen Hugging Face API tokens </li> <li> A SANDWORM_MODE supply-chain worm targets AI coding assistants via malicious MCP servers, harvesting SSH keys, AWS credentials, and CI/CD secrets </li> </ul> ATT&CK Techniques: T1195.001 (Supply Chain Compromise), T1528 (Steal Application Access Token), T1552.004 (Unsecured Credentials: Private Keys) <h3> 5. Russian-Iranian Cyber Convergence — The Unattributed Alliance </h3> Reuters confirmed on 7 April 2026 that Russia is providing Iran with satellite imagery and cyber support to target U.S. forces. Ukrainian intelligence corroborates this. Infrastructure analysis has detected APT28/APT27 activity on Iranian ASN ranges , suggesting shared or co-located infrastructure. Yet no joint cyber operation has been publicly attributed. This is the highest-consequence intelligence gap in the current conflict. The combination of Russian offensive cyber expertise with Iranian access and targeting knowledge could produce operations significantly more sophisticated than either actor achieves alone. <h2> Predictive Analysis — Next 7 Days </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Pro-Iran hacktivist groups break silence with coordinated DDoS/defacement campaign </td> <td> 60% </td> <td> 12-day pause historically precedes burst activity; 4-of-5 historical precedent </td> </tr> <tr> <td> Cyber Av3ngers or affiliate begins scanning/exploitation of Siemens SIMATIC/Ruggedcom vulnerabilities </td> <td> 40% </td> <td> 7–14 day historical exploitation window from disclosure; equipment widely deployed </td> </tr> <tr> <td> UNC6446 fake-recruitment campaign produces confirmed compromise at U.S. aerospace contractor </td> <td> 25% </td> <td> IOCs refreshed 2026-05-14 indicate active operations; social engineering bypasses technical controls </td> </tr> <tr> <td> MuddyWater resurfaces with new infrastructure targeting energy/government sectors </td> <td> 15% </td> <td> Profile updated without campaign data suggests retooling complete; MOIS primary initial-access operator </td> </tr> <tr> <td> Russian-Iranian joint cyber operation publicly attributed </td> <td> 10% </td> <td> Infrastructure overlap confirmed but operational convergence not yet observed </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Immediate Detection Priorities </h3> Hunt Hypothesis 1: SmartLoader C2 Communication <ul> <li> Monitor for outbound connections to 213.176.73[.]163 (ASN 207957, Serv.host Group) </li> <li> Detection logic: HTTP/HTTPS beaconing to this IP with regular intervals; look for T1071.001 (Web Protocols) and T1573 (Encrypted Channel) patterns </li> <li> Block at perimeter firewall, proxy, and EDR network indicators </li> </ul> Hunt Hypothesis 2: Fake Recruitment Application Execution <ul> <li> Monitor for execution of unsigned .exe/.msi files delivered via email to HR/recruiting departments </li> <li> ATT&CK: T1204.002 (User Execution: Malicious File), T1036 (Masquerading) </li> <li> Correlate with email gateway logs showing recruitment-themed subjects from external senders to aerospace/defense business units </li> <li> Hunt for processes spawned from user Downloads/Desktop folders with recruitment-themed filenames </li> </ul> Hunt Hypothesis 3: Trojanized Mobile Applications via SMS <ul> <li> Monitor MDM solutions for sideloaded APKs (non-Play-Store installations) on managed Android devices </li> <li> ATT&CK: T1660 (Phishing: SMS), T1444 (Masquerade as Legitimate Application) </li> <li> Alert on any RedAlert-themed APK installation from non-official sources </li> <li> Relevant primarily for organizations with Israeli operations or personnel </li> </ul> Hunt Hypothesis 4: AI/ML Supply-Chain Compromise <ul> <li> Audit all instances of LiteLLM in CI/CD pipelines — verify package integrity against known-good hashes </li> <li> Monitor for unexpected outbound connections from CI/CD runners to Hugging Face API, unknown MCP servers </li> <li> ATT&CK: T1195.001 (Supply Chain Compromise), T1528 (Steal Application Access Token) </li> <li> Hunt for SANDCLOCK indicators: credential harvesting from .ssh/, AWS credential files, CI environment variables </li> </ul> Hunt Hypothesis 5: Dormant Iranian Access (Webshells & Valid Accounts) <ul> <li> Proactive hunt for web shells ( T1505.003 ) on internet-facing servers, particularly those running Ivanti, cPanel, or Exchange </li> <li> Look for Rclone or Wasabi S3 staging ( T1567.002 ) — data exfiltration preparation </li> <li> Audit valid accounts ( T1078 ) for anomalous login patterns from Iranian ASN ranges or known proxy infrastructure </li> <li> Focus on defense industrial base networks and subcontractor environments </li> </ul> Hunt Hypothesis 6: ICS/OT Reconnaissance <ul> <li> Monitor for scanning activity against Siemens SIMATIC CN 4100, Ruggedcom ROX, and Universal Robots Polyscope 5 management interfaces </li> <li> Alert on any inbound connections to OT management ports from Iranian ASN ranges (particularly ASN 207957, ASN 44244, ASN 58224) </li> <li> Verify network segmentation between IT and OT environments </li> </ul> <h3> Detection Engineering Priorities </h3> <table> <thead> <tr> <th> Rule Category </th> <th> ATT&CK ID </th> <th> Description </th> </tr> </thead> <tbody> <tr> <td> Network IOC </td> <td> T1071.001 </td> <td> Block/alert on 213.176.73[.]163 across all egress points </td> </tr> <tr> <td> Email gateway </td> <td> T1566.002 </td> <td> Flag recruitment-themed emails with executable attachments to aerospace BUs </td> </tr> <tr> <td> Mobile MDM </td> <td> T1660 </td> <td> Alert on sideloaded APKs matching RedAlert naming conventions </td> </tr> <tr> <td> CI/CD monitoring </td> <td> T1195.001 </td> <td> Integrity check on LiteLLM and MCP-related packages at build time </td> </tr> <tr> <td> Web shell detection </td> <td> T1505.003 </td> <td> Scan internet-facing servers for known Iranian web shell patterns </td> </tr> <tr> <td> ICS network monitoring </td> <td> T1046 </td> <td> Alert on reconnaissance of Siemens/Ruggedcom/UR management interfaces </td> </tr> </tbody> </table> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Primary threat: Iranian actors historically use ransomware (Pay2Key lineage) and destructive wipers disguised as ransomware against financial institutions during escalation periods. The hacktivist silence may precede DDoS campaigns targeting banking portals. Actions: <ul> <li> Ensure DDoS mitigation is active and tested for customer-facing portals — hacktivist burst campaigns historically target banking first </li> <li> Audit SWIFT and payment processing systems for dormant access; Iranian actors have demonstrated interest in financial disruption </li> <li> Review third-party vendor access, particularly any vendors using LiteLLM or MCP-integrated AI tools in their development pipelines </li> <li> Verify that MDM controls prevent sideloading on corporate mobile devices used for banking authentication </li> </ul> <h3> Energy </h3> Primary threat: Cyber Av3ngers (IRGC-CEC) have a documented history of targeting energy sector ICS/SCADA systems. Seven new CISA ICS advisories create fresh attack surface. The 7–14 day exploitation window is active now. Actions: <ul> <li> Immediately verify patch status for Siemens SIMATIC CN 4100, Ruggedcom ROX (upgrade to ≥2.17.1), and Universal Robots Polyscope 5 </li> <li> Validate IT/OT network segmentation — ensure no direct path from corporate network to PLC management interfaces </li> <li> Deploy monitoring for anomalous Modbus/TCP, OPC-UA, or S7comm traffic patterns </li> <li> Review remote access to OT environments — disable any VPN or jump-host access that is not actively required </li> <li> Conduct tabletop exercise for scenario: "Cyber Av3ngers exploit Ruggedcom ROX to manipulate safety systems" </li> </ul> <h3> Healthcare </h3> Primary threat: A confirmed Iran-linked cyberattack knocked a U.S. medical firm offline in April 2026, disrupting global operations. Healthcare remains a target for both espionage (patient data) and disruption (operational impact during wartime). Actions: <ul> <li> Audit internet-facing systems for unpatched Ivanti EPMM (CVE-2026-6973) — confirmed exploited by Pioneer Kitten/Fox Kitten </li> <li> Review medical device network segmentation, particularly any devices running embedded Siemens or Ruggedcom components </li> <li> Ensure backup and recovery procedures are tested for ransomware/wiper scenarios — Iranian actors have used NotPetya-style destructive attacks disguised as ransomware </li> <li> Brief clinical engineering teams on the ICS advisory implications for connected medical devices </li> </ul> <h3> Government </h3> Primary threat: MuddyWater (MOIS) is the primary initial-access operator for Iranian government-targeting espionage. Their profile was updated 2026-05-14 without new campaign data — suggesting retooling is complete and new operations are imminent. Russian-Iranian intelligence sharing amplifies the sophistication of targeting. Actions: <ul> <li> Hunt for MuddyWater TTPs: PowerShell-based backdoors, legitimate remote admin tools (Atera, ScreenConnect) used for persistence, OAuth token abuse in Microsoft 365/Entra ID </li> <li> Audit conditional access policies — ensure impossible-travel and anomalous-token detections are active </li> <li> Review all .gov email domains for spear-phishing attempts impersonating defense contractors or allied government agencies </li> <li> Coordinate with CISA for latest classified indicators on MuddyWater infrastructure refresh </li> </ul> <h3> Aviation & Logistics </h3> Primary threat: UNC6446 and APT33 (Refined Kitten) are actively targeting aerospace contractors with fake recruitment applications. Universal Robots Polyscope 5 vulnerabilities affect robotic systems used in logistics and manufacturing. Actions: <ul> <li> Immediately brief all hiring managers and HR personnel in aerospace divisions on fake-recruitment-application TTPs — no unsolicited software should be executed during hiring processes </li> <li> Block .exe, .msi, and .scr attachments in emails to recruiting mailboxes </li> <li> Audit contractor and subcontractor VPN access for anomalous patterns — Iranian actors pre-position in supply chain partners before moving to primary targets </li> <li> Verify patch status on any Universal Robots systems in warehouse/logistics automation </li> <li> Hunt for Rclone/Wasabi staging ( T1567.002 ) that would indicate data exfiltration preparation from engineering systems </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC / Network Ops </td> <td> Block C2 IP 213.176.73[.]163 (ASN 207957) at perimeter firewall, proxy, and EDR network indicators — validated SmartLoader C2, confirmed active 2026-05-15 </td> </tr> <tr> <td> 2 </td> <td> SOC / Mobile Security </td> <td> Deploy detection for trojanized RedAlert APK sideloading via SMS on managed mobile devices; alert on non-Play-Store APK installations </td> </tr> <tr> <td> 3 </td> <td> HR / Recruiting </td> <td> Issue urgent advisory to aerospace/defense hiring managers: do NOT execute any software received from job applicants; quarantine all .exe/.msi attachments in recruiting mailboxes </td> </tr> <tr> <td> 4 </td> <td> SOC / Threat Intel </td> <td> Begin monitoring pro-Iran hacktivist Telegram channels (Handala, DieNet, 313 Team) for break-silence indicators — 12-day dormancy historically precedes coordinated campaigns </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 5 </td> <td> IT Ops / OT Security </td> <td> Audit and patch all Siemens SIMATIC CN 4100, Ruggedcom ROX (<2.17.1), and Universal Robots Polyscope 5 deployments per CISA advisories ICSA-26-134-10/11/12/16/17 </td> </tr> <tr> <td> 6 </td> <td> DevOps / AppSec </td> <td> Audit all LiteLLM package versions in CI/CD pipelines; pin to verified commit SHAs; scan for SANDCLOCK credential stealer indicators in build environments </td> </tr> <tr> <td> 7 </td> <td> IT Ops / Identity </td> <td> Audit Microsoft 365 and Entra ID conditional access policies for OAuth abuse patterns; verify impossible-travel and token-anomaly detections are active </td> </tr> <tr> <td> 8 </td> <td> Network Security </td> <td> Validate IT/OT network segmentation — confirm no direct routing between corporate networks and ICS/SCADA management interfaces </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 9 </td> <td> CISO / Red Team </td> <td> Commission proactive threat hunt for dormant Iranian access in DIB contractor networks — focus on web shells ( T1505.003 ), valid accounts ( T1078 ), and Rclone/Wasabi staging ( T1567.002 ) </td> </tr> <tr> <td> 10 </td> <td> CISO / IR </td> <td> Update incident response playbooks for Iranian destructive wiper scenario — the March 2026 Stryker attack (200,000+ endpoints destroyed via weaponized Intune) is the reference case </td> </tr> <tr> <td> 11 </td> <td> CISO / Exec </td> <td> Brief board and executive leadership on Russian-Iranian cyber convergence risk — confirmed intelligence sharing has not yet produced attributed joint operations, but infrastructure overlap suggests preparation </td> </tr> <tr> <td> 12 </td> <td> Security Architecture </td> <td> Implement dual-admin controls on MDM platforms (Microsoft Intune, Jamf, etc.) — the March 2026 wiper attack weaponized single-admin MDM access to push destructive payloads at scale </td> </tr> </tbody> </table> <h2> IOC Blocking Table </h2> The following IOCs are validated from current intelligence collection. Implement blocking and alerting across all applicable security controls. <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Context </th> <th> Confidence </th> </tr> </thead> <tbody> <tr> <td> IPv4 </td> <td> 213.176.73[.]163 </td> <td> SmartLoader C2, ASN 207957 (Serv.host), Tehran </td> <td> HIGH (3 sources) </td> </tr> <tr> <td> IPv4 </td> <td> 188.34.118[.]98 </td> <td> Iran-conflict associated infrastructure </td> <td> MODERATE </td> </tr> <tr> <td> IPv4 </td> <td> 217.60.241[.]8 </td> <td> Iran-conflict associated infrastructure </td> <td> MODERATE </td> </tr> <tr> <td> IPv4 </td> <td> 46.34.165[.]86 </td> <td> Iran-conflict associated infrastructure </td> <td> MODERATE </td> </tr> <tr> <td> Domain </td> <td> gwyhs.iranance[.]com </td> <td> Iranian infrastructure </td> <td> MODERATE </td> </tr> <tr> <td> Domain </td> <td> getadobeflashplayer[.]net </td> <td> Phishing/malware delivery </td> <td> MODERATE </td> </tr> <tr> <td> URL </td> <td> https://threatfox.abuse[.]ch/ioc/1792419 </td> <td> Reference: SmartLoader C2 reporting </td> <td> INFO </td> </tr> </tbody> </table> Additional IOCs for the campaigns discussed in this report — including UNC6446, UNC5858, and UNC6729 indicators — are available through Anomali ThreatStream Next-Gen and partner feeds (VirusTotal collections referenced in actor profiles). <h2> The Bottom Line </h2> Seventy-six days into this conflict, Iranian cyber operations have settled into a pattern that should unsettle every CISO: persistent espionage at scale, confirmed infrastructure refreshes, expanding attack surface through new ICS vulnerabilities, and a conspicuous silence from destructive-capable groups. The last time Iranian hacktivist groups went this quiet, what followed was the largest destructive cyber operation in the conflict — the Stryker wiper that destroyed over 200,000 endpoints in a single day. The question is not whether Iranian cyber operations will escalate. The question is whether your organization will detect the pre-positioning before the payload deploys. Patch the ICS systems. Hunt for the dormant access. Brief your people on social engineering. And treat the silence as the warning it is. Published 2026-05-15 by the Anomali CTI Desk. For questions or additional indicators, contact your Anomali representative or access the full IOC set via ThreatStream Next-Gen. Continuity note: This assessment downgrades from HIGH (2026-05-14) to ELEVATED based on the absence of new destructive operations. All actor attributions and campaign tracking from the prior cycle are maintained. The downgrade reflects current operational tempo, not reduced capability — Iranian destructive capacity remains intact and could be deployed with minimal warning.

FEATURED RESOURCES

May 15, 2026

Anomali Cyber Watch