When Ceasefires Don’t Apply to Cyberspace: 30 Days Into the Iran Cyber War, the Threat Has Never Been Higher

Anomali Threat Research

Published on

March 30, 2026

Table of Contents

Threat Assessment Level: CRITICAL(Maintained from prior cycle — no de-escalation observed despite diplomatic activity) It has been 30 days since the U.S.-Israel-Iran conflict began on February 28, 2026. In that time, cyberattacks against Western targets have spiked 245%, a Fortune 500 medical device company lost 200,000 endpoints to a state-directed wiper, and the FBI Director’s personal email was breached by an Iranian hacktivist group acting on behalf of Iran’s intelligence ministry. But the most dangerous signal this week isn’t what happened — it’s what didn’t. On March 26, President Trump announced a 10-day pause on strikes against Iran’s energy infrastructure. One day later, the Handala Hack Team executed its most provocative operation to date. The lesson is unambiguous: kinetic ceasefires do not produce cyber ceasefires. If your organization relaxed its security posture when diplomatic talks began, you are more exposed now than at any point in this conflict. This post breaks down the latest developments, the actors driving them, the vulnerabilities being exploited today, and what your teams need to do — immediately. <h2>What Changed This Week </h2> The period of March 27–30 produced the highest single-day intelligence collection volume since Day 15 of the conflict. Seven developments demand executive attention: <ol> <li>Handala breached the FBI Director’s personal email (Mar 27) — a deliberate escalation from corporate targets to the personal accounts of the highest-ranking U.S. law enforcement official, bypassing every federal cybersecurity control.</li> <li>Citrix NetScaler CVE-2026-3055 moved from disclosure to active exploitation in 7 days (Mar 23 → Mar 30) — attackers are stealing authenticated admin session IDs for full appliance takeover. Researchers explicitly compared it to CitrixBleed, which Iranian actors mass-exploited in prior campaigns.</li> <li>F5 reclassified CVE-2025-53521 from denial-of-service to critical RCE (CVSS 9.8) — webshells are being deployed on unpatched BIG-IP APM systems. CISA’s compliance deadline was March 30. Over 240,000 BIG-IP instances remain exposed globally.</li> <li>Previously unreported OilRig/APT34 malware discovered using a stolen Thai code-signing certificate — the Karkoff backdoor, signed with a legitimate Entrust EV certificate, has near-zero antivirus detection and targets energy-sector infrastructure.</li> <li>TeamPCP launched another supply chain attack — malicious versions of the Telnyx Python SDK (700,000+ monthly downloads) were uploaded to PyPI, using audio steganography to hide credential-stealing malware inside a file named ringtone.wav.</li> <li>Dual silence from IRGC’s most aggressive cyber units — APT42/Charming Kitten has been dark for 15+ days and Cyber Av3ngers has been anomalously quiet throughout the entire conflict. Both silences are assessed as operational discipline and potential pre-positioning, not capability degradation. When these groups resurface, their operations will have been planned during this quiet period.</li> <li>DarkSword iOS exploit chain under active use — a zero-click exploit chain targeting iOS 18.4 through current unpatched versions is being leveraged against high-value individuals. Senior officials and executives on unpatched iOS devices are at elevated risk.</li> </ol> <h2>Conflict and Threat Timeline         </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> U.S.-Israel-Iran conflict begins (Operation Epic Fury) </td> <td> War initiates; cyber operations expected to parallel kinetic strikes </td> </tr> <tr> <td> 11 Mar 2026 </td> <td> Handala Hack Team executes Stryker wiper attack </td> <td> 200,000 devices destroyed, 50TB exfiltrated — largest destructive cyber operation of the conflict </td> </tr> <tr> <td> 18 Mar 2026 </td> <td> Akamai reports 245% cyberattack spike </td> <td> Confirms broad escalation across all sectors in first two weeks of war </td> </tr> <tr> <td> 19 Mar 2026 </td> <td> FBI seizes Handala data leak websites </td> <td> Law enforcement disruption of Iranian hacktivist infrastructure </td> </tr> <tr> <td> 23 Mar 2026 </td> <td> FBI FLASH attributes Handala to MOIS </td> <td> Formal U.S. government attribution — state-directed, not independent hacktivism </td> </tr> <tr> <td> 23 Mar 2026 </td> <td> CVE-2026-3055 (Citrix NetScaler) disclosed </td> <td> CVSS 9.3 — SAML IDP memory overread enabling session hijack </td> </tr> <tr> <td> 25 Mar 2026 </td> <td> Iran rejects 15-point ceasefire proposal </td> <td> Diplomatic failure increases probability of continued escalation </td> </tr> <tr> <td> 26 Mar 2026 </td> <td> Trump announces 10-day pause on energy strikes </td> <td> Kinetic de-escalation signal — cyber operations do NOT follow </td> </tr> <tr> <td> 27 Mar 2026 </td> <td> Handala breaches FBI Director’s personal email </td> <td> Escalation to personal accounts of senior officials; occurs one day after kinetic pause </td> </tr> <tr> <td> 27 Mar 2026 </td> <td> OilRig/APT34 samples discovered with stolen Thai EV certificate </td> <td> Supply chain expansion into Southeast Asia; Karkoff backdoor with near-zero detection </td> </tr> <tr> <td> 27 Mar 2026 </td> <td> TeamPCP uploads malicious Telnyx SDK to PyPI </td> <td> Audio steganography credential stealer targeting SSH keys and cloud credentials </td> </tr> <tr> <td> 27 Mar 2026 </td> <td> CVE-2026-3055 active reconnaissance begins </td> <td> Threat actors scanning for vulnerable Citrix NetScaler appliances </td> </tr> <tr> <td> 28 Mar 2026 </td> <td> F5 reclassifies CVE-2025-53521 as critical RCE (CVSS 9.8) </td> <td> Previously categorized as DoS — now confirmed remote code execution with webshells in the wild </td> </tr> <tr> <td> 28–29 Mar 2026 </td> <td> CISA adds CVE-2025-53521 to KEV catalog </td> <td> Federal compliance deadline set for March 30 </td> </tr> <tr> <td> 30 Mar 2026 </td> <td> CVE-2026-3055 active exploitation confirmed </td> <td> Full Citrix appliance takeover via stolen admin sessions — 7 days from disclosure to exploitation </td> </tr> </tbody> </table> <h2>Key Threat Analysis                        </h2> <h3>Iranian State Actors: Two Ministries, Converging Operations</h3> The Iranian cyber threat is not monolithic — it is driven by two competing intelligence services, each with distinct actor groups, mandates, and operational tempos. MOIS (Ministry of Intelligence and Security) — Espionage and Destruction: <table> <thead> <tr> <th> Actor </th> <th> Aliases </th> <th> Current Activity </th> </tr> </thead> <tbody> <tr> <td> Handala Hack Team </td> <td> Void Manticore, UNC5203, Haywire Kitten, DUNE, Red Sandstorm, Storm-842 </td> <td> FBI Director email breach (Mar 27); Stryker wiper (Mar 11). FBI formally attributed to MOIS on Mar 23. </td> </tr> <tr> <td> OilRig / APT34 </td> <td> Helix Kitten, IRN2, Cobalt Gypsy </td> <td> New Karkoff backdoor samples signed with stolen Thai EV certificate; energy sector supply chain targeting </td> </tr> <tr> <td> MuddyWater </td> <td> TEMP.Zagros, Mercury, Seedworm, Static Kitten </td> <td> Tracked; historically targets government and telecom sectors </td> </tr> <tr> <td> Pioneer Kitten </td> <td> Fox Kitten, UNC757, Lemon Sandstorm, Parisite </td> <td> Known for mass exploitation of edge devices (Citrix, F5, Pulse Secure); expected to exploit CVE-2026-3055 </td> </tr> </tbody> </table> IRGC (Islamic Revolutionary Guard Corps) — Disruption and ICS/OT: <table> <thead> <tr> <th> Actor </th> <th> Aliases / Affiliation </th> <th> Current Activity </th> </tr> </thead> <tbody> <tr> <td> APT42 </td> <td> Charming Kitten, Mint Sandstorm, Phosphorus — IRGC-IO </td> <td> Silent for 15+ days — possible capability degradation from Israeli strikes on IRGC cyber HQ, or operational security tightening </td> </tr> <tr> <td> Cyber Av3ngers </td> <td> — IRGC </td> <td> Anomalously silent despite peak ICS/OT advisory volume and active war. Historically the most active ICS-targeting group. Silence may indicate pre-positioning for a significant operation. </td> </tr> <tr> <td> BANISHED KITTEN </td> <td> Cotton Sandstorm — IRGC </td> <td> Tracked; distinct from MOIS-attributed Handala operations. Associated with IRGC disruptive and influence operations. </td> </tr> <tr> <td> APT33 / Elfin </td> <td> Refined Kitten, Magnallium, Holmium — IRGC </td> <td> Historically targets aviation and energy; no new activity this cycle </td> </tr> <tr> <td> UNC1549 / UNC2428 / UNC6729 </td> <td> — IRGC-affiliated clusters </td> <td> Tracked IRGC-affiliated clusters </td> </tr> </tbody> </table> The convergence of MOIS destructive operations (Handala) with MOIS espionage operations (OilRig) — occurring simultaneously during a diplomatic window — suggests coordinated tasking at the ministry level, not independent actor initiative. <h3>Edge Device Exploitation: Two Critical CVEs Under Active Attack</h3> CVE-2026-3055 — Citrix NetScaler SAML Memory Overread (CVSS 9.3) This vulnerability affects NetScaler ADC and Gateway appliances configured as SAML Identity Providers — a common enterprise configuration. Exploitation leaks authenticated administrative session IDs, enabling complete appliance takeover without credentials. Security researchers at WatchTowr who demonstrated the exploit explicitly compared it to CitrixBleed (CVE-2023-4966), which Pioneer Kitten/Fox Kitten mass-exploited to sell initial access to ransomware operators. <ul> <li>Affected versions: NetScaler ADC/Gateway before 14.1-60.58 and 13.1-62.23; ADC FIPS/NDcPP before 13.1-37.262</li> <li>Time from disclosure to exploitation: 7 days</li> <li>ATT&CK techniques: T1190 (Exploit Public-Facing Application), T1212 (Exploitation for Credential Access), T1078 (Valid Accounts via stolen admin session)</li> </ul> CVE-2025-53521 — F5 BIG-IP APM Pre-Authentication RCE (CVSS 9.8) Originally classified as a denial-of-service vulnerability, F5 reclassified this as critical remote code execution in March 2026 after discovering the original flaw enables full RCE. Attackers are actively deploying webshells on unpatched systems. Shadowserver tracks over 240,000 BIG-IP instances exposed to the internet. CISA added this to the Known Exploited Vulnerabilities catalog on March 27 with a compliance deadline of March 30. <ul> <li>ATT&CK techniques: T1190 (Exploit Public-Facing Application), T1505.003 (Web Shell persistence), T1059.003 (Command Shell execution)</li> </ul> The compound risk: Organizations running both Citrix NetScaler and F5 BIG-IP face two independent entry vectors being exploited simultaneously. Iranian actors have historically chained edge device access — gaining initial foothold through one appliance, then pivoting laterally to compromise additional infrastructure. Both product families are documented favorites of Pioneer Kitten/Fox Kitten. <h3>Supply Chain Attacks: Trust Is the New Attack Surface</h3> Three independent supply chain campaigns are running concurrently, all exploiting the same architectural weakness — implicit trust in software dependencies, repositories, and code-signing certificates. TeamPCP / Telnyx PyPI Attack (Mar 27) - Malicious versions telnyx==4.87.1 and telnyx==4.87.2 uploaded to PyPI - Modified _client.py downloads a payload disguised as ringtone.wav - Audio steganography hides credential-stealing malware targeting SSH keys, cryptocurrency wallets (Bitcoin, Ethereum), and cloud credentials (Google Cloud, Azure) - The legitimate Telnyx package has 700,000+ monthly downloads - Safe version: telnyx==4.87.0 - TeamPCP’s wiper tool is tracked as SANDCLOCK (alias: CanisterWorm) - ATT&CK: T1195.001 (Supply Chain Compromise), T1552.004 (Private Key theft), T1036 (Masquerading) OilRig / Stolen Code-Signing Certificate (Mar 27) - Karkoff backdoor signed with a legitimate Entrust EV certificate issued to MOSCII Corporation Co., Ltd. (Bangkok, Thailand) - Internal filename egatdmtools.exe mimics tooling associated with EGAT (Electricity Generating Authority of Thailand) - Near-zero antivirus detection on some samples due to valid certificate trust - Represents OilRig’s geographic expansion into Southeast Asia and supply chain sophistication - ATT&CK: T1588.003 (Obtain Code Signing Certificates), T1553.002 (Subvert Trust Controls), T1199 (Trusted Relationship) GlassWorm / Solana Blockchain C2 (ongoing) - Uses Solana blockchain dead-drop resolvers for command-and-control — making infrastructure takedown nearly impossible - Targets GitHub repositories and npm packages The common thread: abuse of trust. Trusted packages, trusted repositories, trusted certificates. The defense paradigm must shift from “trust the source” to “verify every artifact.” <h3>Mobile Threat: DarkSword iOS Exploit Chain</h3> The DarkSword exploit chain is a zero-click vulnerability set affecting iOS versions 18.4 through current unpatched releases. It is being actively leveraged against high-value individuals — senior government officials, executives, and security personnel. The exploit requires no user interaction and provides full device compromise including access to encrypted communications, stored credentials, and real-time location data. <ul> <li>Vulnerable versions: iOS 18.4 through current unpatched releases</li> <li>Recommended action: Update all iOS devices to the latest available security update immediately; enable Apple Lockdown Mode for all high-risk personnel</li> <li>ATT&CK techniques: T1404 (Exploit OS Vulnerability), T1430 (Location Tracking), T1409 (Stored Application Data)</li> <li>Context: Given Handala’s demonstrated interest in senior official personal devices (FBI Director email breach, Mar 27), mobile device compromise is an active and escalating threat vector for leadership-tier targets</li> </ul> <h2>Predictive Analysis: What Comes Next</h2> Based on 30 days of conflict pattern analysis, current actor postures, and the diplomatic-cyber tempo disconnect: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Rationale </th> </tr> </thead> <tbody> <tr> <td> Iranian actors exploit CVE-2026-3055 (Citrix) at scale </td> <td> 70–80% </td> <td> 72 hours </td> <td> Mirrors CitrixBleed exploitation pattern; Pioneer Kitten has demonstrated this exact playbook before </td> </tr> <tr> <td> Handala publishes additional FBI Director material or targets another senior official </td> <td> 60% </td> <td> 7 days </td> <td> Established pattern of staged releases for maximum psychological impact; personal accounts of other officials likely already compromised </td> </tr> <tr> <td> Ceasefire talks collapse, triggering immediate cyber escalation across all sectors </td> <td> 50% </td> <td> 7–14 days </td> <td> Iran rejected the 15-point plan; counterproposal unlikely acceptable to U.S.; collapse would remove any remaining restraint on cyber operations </td> </tr> <tr> <td> Cyber Av3ngers break silence with ICS/OT disruption operation </td> <td> 40% </td> <td> 14–30 days </td> <td> Anomalous quiet during peak war activity suggests capability preservation, not degradation; IRGC retaliation doctrine activates with ground operations </td> </tr> <tr> <td> IRGC-directed wiper and ICS disruption operations following ground operations approval </td> <td> 70–80% </td> <td> Contingent on Pentagon decision </td> <td> IRGC retaliation doctrine is well-documented; Kharg Island planning would trigger maximum cyber response </td> </tr> <tr> <td> Iranian actors weaponize stolen cloud credentials (Google Cloud, Azure) from TeamPCP campaign </td> <td> 30% </td> <td> 30 days </td> <td> Credentials are being harvested at scale; no Iranian actor observed using this vector yet, but the capability enabler is in place </td> </tr> </tbody> </table> <h2>SOC Operational Guidance             </h2> <h3>Priority Hunting Hypotheses</h3> Hunt 1: Citrix NetScaler Session Hijack (CVE-2026-3055) - ATT&CK: T1190, T1212, T1078 - What to look for: Anomalous SAML authentication requests with empty or malformed parameter values against NetScaler appliances configured as SAML IDP; administrative session tokens appearing from unexpected source IPs; multiple admin sessions from geographically disparate locations - Detection logic: Alert on any NetScaler admin session originating from an IP not in your approved admin IP range; correlate SAML assertion logs for session ID reuse across different source addresses - Action: If vulnerable versions detected, assume compromise and initiate forensic review before patching Hunt 2: F5 BIG-IP Webshell Persistence (CVE-2025-53521) - ATT&CK: T1505.003, T1190, T1059.003 - What to look for: New or modified files in BIG-IP web-accessible directories; unexpected outbound connections from BIG-IP management interfaces; command shell processes spawned by httpd/tmm processes - Detection logic: File integrity monitoring on BIG-IP appliances; baseline known-good file hashes and alert on deviations; monitor for cmd.exe or /bin/sh child processes under web server processes - Action: Reference F5’s IOC advisory (K000160486) for specific webshell indicators; scan all exposed BIG-IP instances immediately Hunt 3: OilRig Karkoff Backdoor via Stolen Certificate - ATT&CK: T1553.002, T1588.003, T1036.001 - What to look for: Executables signed by “MOSCII CORPORATION CO., LTD.” or Entrust EV certificates issued to Thai entities; files named egatdmtools.exe or with product string TOOLS.Net4; .NET binaries with compilation timestamps inconsistent with signing dates (timestomped to 2014) - IOCs to hunt: - 6d40a9aea28570d2835c46ae78dc27d0986aabfce8277d8af178337831be137c (SHA-256) - ce446f6da9a6a62ca0832a135c44cf13c7fe02ffd8efd8f123dbc0b06f03a38a (SHA-256) - 216f6c98a716b8f5bc0cda61ff0947252bf05d27bb16067d54d8706a45b453ac (SHA-256) - Action: Block the MOSCII certificate serial across endpoint protection platforms; revoke trust for any Entrust EV certificate matching this issuer/subject pair Hunt 4: TeamPCP Supply Chain Compromise - ATT&CK: T1195.001, T1552.004, T1036 - What to look for: Any system that executed pip install telnyx on or after March 27; presence of ringtone.wav in Python package directories; unexpected outbound connections from CI/CD build systems; SSH key or cloud credential exfiltration attempts - Detection logic: Audit pip install logs across all developer workstations and CI/CD pipelines; search for telnyx==4.87.1 or telnyx==4.87.2 in requirements files and lock files - Action: If compromised version was installed, treat all SSH keys, cloud credentials, and cryptocurrency wallets on that system as compromised — rotate immediately Hunt 5: Iranian C2 Infrastructure - ATT&CK: T1071 (Application Layer Protocol), T1573 (Encrypted Channel) - IOCs to monitor/block: - 45.147.77[.]210 — Sliver C2 (AS51889, high confidence) - 185.209.42[.]105 — Sliver C2 (AS209836) - 62.60.226[.]42 — Remcos RAT C2 (high confidence) - 172.94.9[.]253 and 172.94.9[.]245 — associated C2 infrastructure - 176.46.152[.]46, 94.183.129[.]173, 84.241.8[.]23 — Iranian-associated IPs - 185.93.89[.]75, 37.98.114[.]178 — additional monitored infrastructure - Action: Block at perimeter; hunt for historical connections in DNS and netflow logs; alert on any beaconing patterns to these addresses Hunt 6: Cyber Av3ngers Pre-Positioning (Proactive) - ATT&CK: T0831 (Manipulation of Control), T0836 (Modify Parameter), T0855 (Unauthorized Command Message) - What to look for: Despite silence, Cyber Av3ngers’ IOCONTROL malware may already be deployed. Search for indicators of the IOCONTROL (also tracked as elf.iocontrol) malware family on any OT/ICS-connected systems; monitor for anomalous PLC behavior, unexpected firmware modifications, or unauthorized Modbus/DNP3 commands - Action: This is a proactive hunt based on absence-as-signal analysis — the group’s silence during peak conflict is assessed as suspicious, not reassuring <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> Financial institutions face compound risk from edge device exploitation and supply chain attacks. Iranian actors have historically targeted SWIFT-connected systems and payment infrastructure during geopolitical escalation. <ul> <li>Priority 1: Verify all Citrix NetScaler and F5 BIG-IP appliances in DMZ and payment processing zones are patched against CVE-2026-3055 and CVE-2025-53521. These appliances often sit directly in front of core banking applications.</li> <li>Priority 2: Audit Python dependencies in quantitative trading platforms, risk engines, and any internal tooling that uses PyPI packages. The TeamPCP campaign’s theft of cryptocurrency wallet keys is directly relevant to digital asset custody operations.</li> <li>Priority 3: Implement certificate transparency monitoring — OilRig’s use of stolen EV certificates means that code-signed malware may bypass application whitelisting controls protecting trading systems.</li> <li>Priority 4: Brief fraud operations teams on the Handala personal account compromise TTP — senior financial executives’ personal email accounts may be targeted for business email compromise or insider information theft.</li> </ul> <h3>Energy</h3> The energy sector is the highest-priority target in this conflict. OilRig’s stolen certificate mimics EGAT (Thailand’s electricity authority) tooling, and Cyber Av3ngers’ historical focus on water and energy ICS systems makes their current silence deeply concerning. <ul> <li>Priority 1: Conduct immediate ICS/OT network segmentation verification. Seven new CISA ICS advisories were issued this week covering Schneider Electric EcoStruxure/Foxboro DCS, PTC Windchill PLM, and WAGO industrial switches. Confirm that advisory mitigations are applied.</li> <li>Priority 2: Hunt for IOCONTROL (elf.iocontrol) malware on any Linux-based OT systems, HMIs, or engineering workstations. Cyber Av3ngers’ silence is assessed as potential pre-positioning, not inactivity.</li> <li>Priority 3: Review all vendor remote access connections — OilRig’s MOSCII certificate compromise demonstrates that trusted vendor relationships are active attack vectors against energy infrastructure.</li> <li>Priority 4: If your organization operates Citrix or F5 appliances in OT network DMZs, treat patching as a safety-critical action, not routine IT maintenance.</li> </ul> <h3>Healthcare</h3> The Stryker wiper attack (March 11, 200,000 devices destroyed) demonstrated that medical device companies are viable targets. Healthcare delivery organizations face risk from both direct targeting and supply chain compromise of medical device vendors. <ul> <li>Priority 1: Verify that all medical device management platforms and MDM systems are segmented from clinical networks. The Stryker attack vector — MDM compromise leading to mass device wipe — is replicable against any healthcare organization using centralized device management.</li> <li>Priority 2: Patch F5 BIG-IP appliances protecting EHR systems and patient portals. Webshell deployment on these appliances provides persistent access to the most sensitive healthcare data.</li> <li>Priority 3: Review the CISA ICS advisory for GDCM (medical imaging library) issued this week — DICOM/PACS systems using this library may be vulnerable.</li> <li>Priority 4: Ensure incident response plans account for destructive (wiper) scenarios, not just ransomware. Iranian actors in this conflict have favored destruction over encryption.</li> </ul> <h3>Government</h3> The FBI Director breach demonstrates that government personnel are being targeted through their personal — not official — accounts and devices. This bypasses EINSTEIN, CDM, and every federal cybersecurity control. <ul> <li>Priority 1: Issue emergency guidance to all senior officials and political appointees: mandate hardware security keys (FIDO2) on all personal email accounts; enable advanced protection programs (Google APP, Apple Lockdown Mode) on personal devices.</li> <li>Priority 2: Conduct a personal attack surface assessment for senior leadership — what personal email providers, social media accounts, and cloud services are they using? Handala has demonstrated the capability and intent to exploit these.</li> <li>Priority 3: Patch all Citrix and F5 appliances in .gov environments against CVE-2026-3055 and CVE-2025-53521. CISA’s KEV compliance deadline for F5 was March 30.</li> <li>Priority 4: Brief counterintelligence teams on OilRig’s supply chain expansion — the stolen Thai vendor certificate technique could be replicated against U.S. government IT contractors.</li> </ul> <h3>Aviation and Logistics</h3> APT33/Elfin has historically targeted aviation, and the broader conflict creates elevated risk for logistics and transportation infrastructure supporting military operations. <ul> <li>Priority 1: Review all edge device exposure — Citrix and F5 appliances in airline reservation systems, cargo management platforms, and airport operations technology are high-value targets.</li> <li>Priority 2: Audit supply chain dependencies in flight operations software and logistics platforms for compromised PyPI/npm packages. The TeamPCP campaign’s broad reach (700,000+ monthly downloads for Telnyx alone) means developer environments across the sector may be affected.</li> <li>Priority 3: Monitor for APT33 reactivation — the group has been quiet but not assessed as degraded. Aviation-sector targeting aligns with IRGC strategic objectives during active conflict.</li> <li>Priority 4: Ensure GPS/GNSS spoofing detection is active on all navigation systems — Iranian electronic warfare capabilities extend to the cyber-physical domain.</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>Immediate (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IMMEDIATE </td> <td> IT Ops </td> <td> Patch all Citrix NetScaler appliances configured as SAML IDP to versions 14.1-60.58+ or 13.1-62.23+ to mitigate CVE-2026-3055. If patching is not possible within 24 hours, disable SAML IDP functionality or restrict access to trusted networks only. Hunt for anomalous SAML authentication requests with empty parameter values. </td> </tr> <tr> <td> IMMEDIATE </td> <td> IT Ops </td> <td> Verify all F5 BIG-IP APM systems are patched against CVE-2025-53521 (CVSS 9.8). Scan for webshells per F5 IOC advisory K000160486. CISA compliance deadline has passed — treat any unpatched system as potentially compromised. </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Hunt for OilRig Karkoff backdoor — search for SHA-256 hashes 6d40a9aea28570d2835c46ae78dc27d0986aabfce8277d8af178337831be137c, ce446f6da9a6a62ca0832a135c44cf13c7fe02ffd8efd8f123dbc0b06f03a38a, and 216f6c98a716b8f5bc0cda61ff0947252bf05d27bb16067d54d8706a45b453ac across all endpoints. Block executables signed by MOSCII Corporation certificate. </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Block Iranian C2 infrastructure at perimeter: 45.147.77[.]210, 185.209.42[.]105, 62.60.226[.]42, 172.94.9[.]253, 172.94.9[.]245, 176.46.152[.]46, 94.183.129[.]173, 84.241.8[.]23, 185.93.89[.]75, 37.98.114[.]178. Hunt for historical connections in DNS and netflow logs. </td> </tr> <tr> <td> IMMEDIATE </td> <td> CISO </td> <td> Brief senior leadership on personal account security. Handala’s breach of the FBI Director’s personal email demonstrates that personal accounts of senior officials are active targets. Mandate hardware security keys (FIDO2) for all personal email accounts of the leadership team. This is not optional — it is an operational security requirement during active conflict. </td> </tr> </tbody> </table> <h3>7-Day Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 7-DAY </td> <td> DevOps </td> <td> Audit all Python dependencies for TeamPCP-compromised packages. Verify telnyx is pinned to version 4.87.0. Rotate all SSH keys, cloud credentials (GCP, Azure), and cryptocurrency wallet keys on any system that ran pip install telnyx on or after March 27. Implement pip hash-checking mode (--require-hashes) for all CI/CD pipelines. </td> </tr> <tr> <td> 7-DAY </td> <td> SOC </td> <td> Deploy detection for Sliver and Remcos C2 beacons to Iranian infrastructure. Implement JA3/JA4 fingerprint detection for Sliver framework communications. Monitor for Remcos RAT behavioral indicators (registry persistence, screen capture, keylogging). </td> </tr> <tr> <td> 7-DAY </td> <td> IT Ops </td> <td> Verify all iOS devices are updated to the latest available iOS security update to mitigate the DarkSword exploit chain (iOS 18.4 and later unpatched versions are vulnerable). Enable Apple Lockdown Mode for all high-risk personnel including executives, security staff, and anyone with access to classified or sensitive systems. </td> </tr> <tr> <td> 7-DAY </td> <td> SOC / OT Security </td> <td> Conduct proactive hunt for IOCONTROL malware (elf.iocontrol) on all OT/ICS-connected Linux systems. Review the seven new CISA ICS advisories (Schneider Electric EcoStruxure/Foxboro DCS, PTC Windchill, WAGO switches) and apply mitigations. Cyber Av3ngers’ silence is assessed as suspicious — do not treat it as absence of threat. </td> </tr> <tr> <td> 7-DAY </td> <td> IR Team </td> <td> Update incident response playbooks to include destructive (wiper) scenarios. Iranian actors in this conflict have favored destruction over ransomware. Ensure offline backups are verified, restoration procedures are tested, and communication plans account for total infrastructure loss scenarios. </td> </tr> </tbody> </table> <h3>30-Day Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Commission a supply chain security assessment across Python, npm, and Docker dependencies. TeamPCP (SANDCLOCK/CanisterWorm), GlassWorm, and OilRig’s certificate abuse demonstrate systematic targeting of developer toolchains. Evaluate Software Bill of Materials (SBOM) implementation, artifact signing verification, and dependency pinning across all development environments. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Conduct a personal attack surface assessment for all C-suite and senior leadership. Map personal email providers, cloud accounts, social media presence, and personal device security posture. The Handala FBI Director breach has established a template that will be replicated against private-sector executives. </td> </tr> <tr> <td> 30-DAY </td> <td> IT Ops </td> <td> Implement certificate transparency monitoring for all code-signing certificates used in your environment. OilRig’s use of a stolen EV certificate demonstrates that certificate-based trust is being actively subverted. Alert on any new certificates issued to your organization’s name or your vendors’ names. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO / Legal </td> <td> Review and update cyber insurance coverage for state-sponsored destructive attacks. Many policies exclude acts of war — the Stryker wiper attack (200,000 devices) and the broader conflict context may trigger war exclusion clauses. Engage legal counsel and brokers proactively. </td> </tr> </tbody> </table> <h2>The Bottom Line                       </h2> Thirty days into this conflict, three truths have become clear: First, ceasefires don’t apply to cyberspace. The 10-day kinetic pause announced on March 26 was followed within 24 hours by Handala’s most provocative operation — breaching the FBI Director’s personal email. If your organization interpreted diplomatic signals as permission to lower cyber defenses, reverse that decision today. Second, the attack surface has expanded beyond your perimeter. Iranian actors are now targeting personal email accounts of senior officials, stealing code-signing certificates from trusted vendors in Southeast Asia, and poisoning developer toolchains used by hundreds of thousands of organizations. Your security boundary is no longer your network edge — it includes your executives’ personal Gmail accounts, your developers’ PyPI dependencies, and your vendors’ certificate management practices. Third, silence is not safety. Cyber Av3ngers — historically the most aggressive ICS-targeting group in Iran’s arsenal — have been silent throughout the most intense period of the conflict. APT42/Charming Kitten has been dark for over two weeks. These are not signs of degraded capability. They are signs of operational discipline. When these groups resurface, the operations they execute will have been planned during this quiet period. The next 72 hours are critical. Two edge device vulnerabilities favored by Iranian actors are under active exploitation. A ceasefire proposal has been rejected. Ground operations planning continues. Every indicator points to escalation, not de-escalation. Patch your edge devices. Harden your executives’ personal accounts. Audit your supply chain. Hunt for pre-positioned access. And do not mistake a pause in the shooting for a pause in the war.

FEATURED RESOURCES

March 30, 2026

Anomali Cyber Watch