When the Bombs Pause, the Hackers Don't: Iran's Cyber War Enters Its Most Dangerous Phase

Anomali Threat Research

Published on

March 27, 2026

Table of Contents

Threat Assessment Level: HIGH Continuity note: Threat level holds at HIGH, unchanged from the prior assessment on 26 March. While kinetic strikes on Iranian energy infrastructure have been paused for 10 days, no corresponding de-escalation has been observed in the cyber domain. The evidence below supports maintaining this level. Nearly four weeks into Operation Epic Fury, the US-Israeli military campaign against Iran that began on 28 February 2026, a dangerous paradox is emerging. On 26 March, the White House announced a 10-day pause on strikes against Iranian energy plants. Ceasefire talks are reportedly "going very well." But in the cyber domain, Iranian state actors, intelligence proxies, and hacktivist fronts are not standing down. They are accelerating. The last 72 hours have delivered a convergence of threats that should command the attention of every CISO in critical infrastructure, healthcare, financial services, and defense: a ransomware strain purpose-built for strategic disruption hit a US hospital system, a government-grade iPhone exploit kit was dumped on GitHub for anyone to use, critical vulnerabilities in industrial control systems used across manufacturing and energy went public, and a phishing-as-a-service platform that law enforcement dismantled three weeks ago is already fully operational again. This is not a drill. This is the new normal for the duration of this conflict — and likely well beyond it. <h2>What Changed                         </h2> <table> <thead> <tr> <th> Development </th> <th> Why It Matters </th> </tr> </thead> <tbody> <tr> <td> Pay2Key ransomware confirmed against US healthcare — full technical analysis published by Halcyon and Beazley Security </td> <td> Iran-linked ransomware encrypted an entire hospital environment in 3 hours. No ransom demand was made, suggesting the goal was disruption, not money. A new Linux variant now targets servers and cloud workloads. </td> </tr> <tr> <td> DarkSword iOS exploit kit leaked on GitHub (25 Mar) </td> <td> A six-vulnerability exploit chain capable of fully compromising any iPhone running iOS 18.0–18.7 is now publicly available. Originally attributed to Russian state actors, it is now accessible to every threat group on the planet — including Iranian APTs. </td> </tr> <tr> <td> Tycoon2FA phishing platform fully reconstituted (23–26 Mar) </td> <td> Despite a major law enforcement takedown on 4 March, this MFA-bypass phishing platform is back at full capacity. It accounted for 62% of phishing attempts blocked by Microsoft in mid-2025 and generated over 30 million malicious emails per month. </td> </tr> <tr> <td> Critical ICS/OT advisories from CISA (24–27 Mar) </td> <td> PTC Windchill PLM (critical RCE — German police physically mobilized to notify companies), WAGO industrial managed switches (CLI escape to full control), Schneider Electric Foxboro DCS and Plant iT/Brewmaxx (privilege escalation to RCE). These expand the attack surface for Iranian ICS operations. </td> </tr> <tr> <td> 5 high-confidence Iranian APT C2 IPs identified </td> <td> Active command-and-control infrastructure on Iranian ISPs (AS213790, AS51889, AS44208) confirmed by DOJ, AIS STIX/TAXII, and multiple commercial feeds. Associated with commodity C2 frameworks (Sliver, Adaptix) and credential theft malware. </td> </tr> <tr> <td> Ceasefire ambiguity window opens </td> <td> Iran rejected the 15-point ceasefire plan on 25 March but talks continue. Historical precedent from other conflicts shows cyber operations often intensify during kinetic pauses — actors shift to below-threshold pressure tools. </td> </tr> </tbody> </table> <h2>Conflict and Threat Timeline (28 Feb – 27 Mar 2026)</h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> </tr> </thead> <tbody> <tr> <td> 28 Feb </td> <td> Operation Epic Fury begins — US-Israeli strikes on Iranian military and nuclear infrastructure </td> </tr> <tr> <td> Early Mar </td> <td> Iranian MOIS and IRGC cyber units activate retaliatory operations across multiple fronts </td> </tr> <tr> <td> 4 Mar </td> <td> Law enforcement takes down Tycoon2FA phishing-as-a-service platform </td> </tr> <tr> <td> ~11 Mar </td> <td> Handala Hack Group (MOIS-affiliated) conducts destructive wiper attack against Stryker, a major US medical device manufacturer </td> </tr> <tr> <td> ~17 Mar </td> <td> GlassWorm supply-chain campaign peaks (400+ malicious GitHub repos, 72 VSCode extensions) </td> </tr> <tr> <td> 20 Mar </td> <td> CISA adds Langflow CVE-2026-33017 (CVSS 9.8) to Known Exploited Vulnerabilities catalog; exploitation begins within 20 hours </td> </tr> <tr> <td> 23 Mar </td> <td> CISA orders federal agencies to patch three iOS vulnerabilities targeted by DarkSword; Tycoon2FA confirmed fully operational again </td> </tr> <tr> <td> 24 Mar </td> <td> FBI attributes Stryker attack to Handala/UNC5203, seizes infrastructure; Handala reconstitutes via Telegram within 24 hours </td> </tr> <tr> <td> 24–26 Mar </td> <td> Pay2Key ransomware intrusion at US healthcare provider publicly disclosed by Halcyon and Beazley </td> </tr> <tr> <td> 25 Mar </td> <td> DarkSword iOS exploit kit leaked on GitHub; Iran rejects 15-point ceasefire plan </td> </tr> <tr> <td> 26 Mar </td> <td> Trump announces 10-day pause on strikes against Iranian energy plants; Pay2Key Linux variant documented by Morphisec </td> </tr> <tr> <td> 26–27 Mar </td> <td> CISA publishes ICS advisories for PTC Windchill, WAGO switches, Schneider Foxboro DCS, Schneider Plant iT </td> </tr> <tr> <td> 27 Mar </td> <td> Ceasefire talks described as "going very well" — cyber operations show no signs of de-escalation </td> </tr> </tbody> </table> <h2>Key Threat Analysis                    </h2> <h3>1. Pay2Key: Ransomware as a Weapon of Strategic Disruption</h3> Pay2Key is not a typical ransomware operation. Attributed to Pioneer Kitten/UNC757 (MOIS), it has re-emerged during the conflict with a clear operational pattern: encrypt fast, demand nothing, and move on. The confirmed healthcare intrusion followed a textbook playbook: <ul> <li>Initial access via a compromised administrator account (T1078 — Valid Accounts)</li> <li>Persistence and lateral movement using TeamViewer (T1219 — Remote Access Software)</li> <li>Credential harvesting with Mimikatz, LaZagne, and ExtPassword (T1003.001, T1555)</li> <li>Defense evasion through a "No Defender" toolkit that registered a fake Avast antivirus instance to suppress Windows Defender (T1562.001)</li> <li>Encryption completed in under 3 hours using ChaCha20 + Curve25519 (T1486)</li> <li>Recovery inhibition via backup deletion (T1490) and event log clearing (T1070.001)</li> </ul> The absence of a ransom demand is the most telling indicator. This is not cybercrime — it is cyber warfare conducted through criminal infrastructure. The new Linux variant (Pay2Key.I2) extends the threat to servers, virtualization hosts, and cloud workloads, using root-level execution, SELinux/AppArmor disabling, and cron-based persistence (T1053.003). Bottom line for CISOs: If you operate in healthcare, you are a named target. If you operate in any US critical infrastructure sector, you are a likely target. Pay2Key's 3-hour encryption timeline means your detection and response window is measured in minutes, not hours. <h3>2. DarkSword: A Government-Grade iPhone Exploit Is Now Open Source</h3> On 25 March, the DarkSword iOS exploit kit — previously restricted to state-level actors — was leaked on GitHub. The kit chains six vulnerabilities, including three zero-days, to achieve full device compromise on any iPhone running iOS 18.0 through 18.7. The attack vector is a malicious webpage loaded in Safari (T1189 — Drive-by Compromise), escalating through a WebContent sandbox escape (T1203) to kernel-level privilege escalation (T1404). Originally attributed to Russian threat actors, the public leak fundamentally changes the threat calculus. Iranian APT groups — particularly those conducting mobile espionage operations like APT42/Charming Kitten (IRGC-IO) — now have access to a zero-click exploitation capability they previously lacked. This could upgrade Iranian mobile operations from social engineering lures to silent, remote compromise. CISA had already ordered federal agencies to patch on 23 March. If your organization has not enforced iOS 18.8+ or iOS 26 across all managed devices, every iPhone in your fleet is a potential intelligence collection platform. <h3>3. The ICS/OT Attack Surface Just Got Wider</h3> Four CISA Industrial Control System advisories published between 24 and 27 March collectively expand the attack surface available to Iranian ICS-targeting groups like Cyber Av3ngers (IRGC-CEC): <ul> <li>PTC Windchill PLM — Critical RCE vulnerability. Windchill is widely deployed in aerospace and defense manufacturing. The severity prompted German police to physically visit affected companies to deliver notifications.</li> <li>WAGO Industrial Managed Switches — CLI escape vulnerability enabling full device control. These switches are deployed across manufacturing and energy environments.</li> <li>Schneider Electric EcoStruxure Foxboro DCS — Privilege escalation to RCE in distributed control systems used in process industries (oil & gas, chemicals, pharmaceuticals).</li> <li>Schneider Electric Plant iT/Brewmaxx — Privilege escalation to RCE in production management systems used in food & beverage and pharmaceutical manufacturing.</li> </ul> Notably, Cyber Av3ngers — the most prominent Iranian ICS threat actor — has been anomalously silent throughout the entire conflict. This absence is not reassuring. It may indicate a shift to operational security discipline ahead of a significant operation, or capability degradation from Israeli strikes on IRGC cyber headquarters. Either way, the expanding ICS vulnerability landscape means the attack surface is ready if and when they act. <h3>4. Tycoon2FA: The Phishing Platform That Won't Stay Dead</h3> The Tycoon2FA adversary-in-the-middle (AiTM) phishing platform was taken down by law enforcement on 4 March. By 23 March, it was fully operational again. This platform intercepts MFA tokens in real time (T1111 — Multi-Factor Authentication Interception), captures session cookies (T1539), and replays them to hijack authenticated sessions (T1550.004). At its peak, it generated over 30 million malicious emails per month and accounted for 62% of phishing attempts blocked by Microsoft. For organizations relying on MFA as a primary defense layer, Tycoon2FA represents a direct bypass. The platform's rapid reconstitution after takedown demonstrates the resilience of modern phishing-as-a-service infrastructure. <h3>5. The Named Actors: Who Is Operating and Who Is Quiet</h3> The following Iranian-affiliated threat actors remain active or have been confirmed active during this conflict: <table> <thead> <tr> <th> Actor </th> <th> Affiliation </th> <th> Current Status </th> <th> Primary Capability </th> </tr> </thead> <tbody> <tr> <td> Handala Hack Group / UNC5203 </td> <td> MOIS </td> <td> Active — reconstituted within 24 hours of FBI infrastructure seizure </td> <td> Destructive wipers, hacktivism </td> </tr> <tr> <td> MuddyWater </td> <td> MOIS </td> <td> Active </td> <td> Espionage, initial access operations </td> </tr> <tr> <td> APT42 / Charming Kitten </td> <td> IRGC-IO </td> <td> Campaigns updated through 26 Mar (BELLACIAO, SHELLAFEL); no new victim reports </td> <td> Credential harvesting, espionage </td> </tr> <tr> <td> Cyber Av3ngers / HYDRO KITTEN </td> <td> IRGC-CEC </td> <td> Anomalously silent </td> <td> ICS/OT targeting </td> </tr> <tr> <td> BANISHED KITTEN / Cotton Sandstorm </td> <td> IRGC </td> <td> Active </td> <td> Influence operations, wipers </td> </tr> <tr> <td> APT34 / OilRig </td> <td> MOIS </td> <td> Active </td> <td> Espionage, infrastructure compromise </td> </tr> <tr> <td> Pioneer Kitten / UNC757 </td> <td> MOIS </td> <td> Active — Pay2Key operations confirmed </td> <td> Ransomware, initial access brokering </td> </tr> <tr> <td> Void Manticore </td> <td> MOIS </td> <td> Updated in threat feeds </td> <td> Wipers, data destruction </td> </tr> <tr> <td> UNC5858 </td> <td> Assessed MOIS </td> <td> Silent since ~10 Mar </td> <td> Defense industrial base espionage </td> </tr> <tr> <td> UNC6496 </td> <td> Iran-nexus </td> <td> Updated in threat feeds </td> <td> Under assessment </td> </tr> </tbody> </table> The silence of Cyber Av3ngers and UNC5858 warrants close monitoring. In intelligence analysis, absence is signal — not the absence of signal. <h2>Predictive Analysis: What Comes Next</h2> The ceasefire negotiation window is the single most important variable shaping the near-term cyber threat landscape. Based on historical precedent from other conflicts and the current operational posture of Iranian cyber units, we assess the following scenarios: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Indicators to Watch </th> </tr> </thead> <tbody> <tr> <td> Iranian cyber operations maintain current tempo or increase during the energy strike pause — cyber provides below-threshold pressure while the kinetic channel is paused </td> <td> 60% </td> <td> New hacktivist claims, ransomware targeting expansion beyond healthcare, increased phishing volume against government and DIB targets </td> </tr> <tr> <td> Partial de-escalation in hacktivist activity if ceasefire talks progress, but APT espionage operations continue unabated </td> <td> 25% </td> <td> Reduction in Handala/DieNet public claims, continued APT42 credential harvesting, quiet infrastructure build-out </td> </tr> <tr> <td> Significant cyber escalation if ceasefire talks collapse — expect renewed wiper deployments and ICS targeting within 24 hours of breakdown </td> <td> 15% </td> <td> Ceasefire talk failure announcements, Cyber Av3ngers re-emergence, wiper deployment against energy or healthcare, ICS exploitation attempts </td> </tr> </tbody> </table> Key judgment: The 16-day pause in destructive operations since the 11 March Stryker attack is assessed as capability conservation, not de-escalation. Iranian actors are pre-positioning, harvesting credentials, and maintaining access. A collapse in ceasefire talks could trigger coordinated destructive operations within 24–48 hours. <h2>SOC Operational Guidance                 </h2> <h3>Priority Detection Rules</h3> Pay2Key TTPs (IMMEDIATE): <ul> <li>Monitor for registration of fake antivirus products in Windows Defender exclusion lists — specifically, a fake "Avast Antivirus" entry used to suppress real-time protection (T1562.001)</li> <li>Alert on TeamViewer process execution on servers and workstations where it is not an approved tool (T1219)</li> <li>Hunt for Mimikatz, LaZagne, and ExtPassword execution artifacts — LSASS memory access, credential store queries (T1003.001, T1555)</li> <li>Monitor for .6zldh_p2k file extension creation across file shares and endpoints (T1486)</li> <li>On Linux: alert on SELinux or AppArmor being disabled (setenforce 0, systemctl stop apparmor), and new cron jobs created by non-standard users (T1053.003)</li> <li>Alert on volume shadow copy deletion and backup service termination (T1490)</li> <li>Monitor for Windows Event Log clearing (T1070.001)</li> </ul> DarkSword / iOS Exploitation: <ul> <li>Audit MDM enrollment — identify any managed iOS devices running versions below 18.8 (T1189, T1404)</li> <li>Monitor for anomalous data exfiltration from mobile devices, particularly to unfamiliar external IPs (T1005)</li> <li>If your organization uses mobile threat defense (MTD), verify detection signatures are updated for the DarkSword exploit chain</li> </ul> Tycoon2FA / AiTM Phishing (7-DAY): <ul> <li>Monitor Azure AD / Entra ID sign-in logs for anomalous session cookie replay — look for sign-ins where MFA was satisfied but the source IP or device fingerprint changes mid-session (T1550.004)</li> <li>Alert on OAuth token grants to unfamiliar application IDs, particularly those requesting Mail.Read, Files.Read, or User.Read scopes (T1539)</li> <li>Hunt for phishing emails containing links to known AiTM proxy domains — coordinate with your email security vendor for updated Tycoon2FA indicators</li> <li>Monitor for impossible travel scenarios where a user authenticates from two geographically distant locations within minutes (T1111)</li> </ul> Iranian APT Infrastructure: <ul> <li>Alert on any network connections to the following command-and-control IPs (T1071, T1571):</li> </ul> <ul> <li>172.94.9[.]253 (AS213790 — Limited Network, Iran)</li> <li>172.94.9[.]245 (AS213790 — Limited Network, Iran)</li> <li>45.147.77[.]210 (AS51889 — Gostaresh Pardazesh Dana Negar, Iran)</li> <li>176.46.152[.]46 (AS44208 — Farahoosh Dena, Iran)</li> <li>94.183.129[.]173 (AS31549 — Aria Shatel, Iran)</li> </ul> <ul> <li>Consider blocking or alerting on all traffic to AS213790, AS51889, and AS44208 if your organization has no legitimate business with Iranian ISPs</li> <li>Hunt for Sliver, Adaptix, and BumbleBee C2 beaconing patterns in network telemetry (T1059)</li> </ul> <h3>Hunting Hypotheses</h3> <table> <thead> <tr> <th> Hypothesis </th> <th> Data Sources </th> <th> ATT&CK Techniques </th> </tr> </thead> <tbody> <tr> <td> An attacker has compromised an admin account and is using legitimate remote access tools for lateral movement </td> <td> EDR telemetry, RMM tool logs, authentication logs </td> <td> T1078, T1219 </td> </tr> <tr> <td> Credential harvesting tools are active in the environment following initial compromise </td> <td> LSASS access logs, PowerShell logs, credential store access events </td> <td> T1003.001, T1555 </td> </tr> <tr> <td> A phishing campaign has bypassed MFA and an attacker holds valid session tokens </td> <td> Azure AD sign-in logs, conditional access logs, impossible travel alerts </td> <td> T1111, T1539, T1550.004 </td> </tr> <tr> <td> An attacker is pre-positioning in ICS/OT networks via newly disclosed vulnerabilities </td> <td> ICS network traffic logs, Windchill/Schneider/WAGO patch status, anomalous OT-IT boundary crossings </td> <td> T1190, T1068 </td> </tr> <tr> <td> Iranian C2 infrastructure is communicating with internal hosts </td> <td> Firewall logs, DNS logs, proxy logs, NetFlow data </td> <td> T1071, T1571 </td> </tr> </tbody> </table> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> The American Banker warned on 4 March that the Iran conflict brings the "cyber frontline to US banks." Despite 27 days of conflict, no confirmed Iranian cyber operations against US financial institutions have been publicly reported — but this may reflect underreporting rather than absence of targeting. Financial institutions should: <ul> <li>Prioritize Tycoon2FA detection — AiTM phishing is the most likely initial access vector for credential theft against banking employees and customers</li> <li>Review wire transfer and SWIFT authorization workflows — ensure out-of-band verification is enforced for high-value transactions during the elevated threat period</li> <li>Audit OAuth application permissions in Microsoft 365 and Google Workspace environments — revoke any unfamiliar third-party application grants</li> <li>Coordinate with FS-ISAC for sector-specific Iranian threat indicators and participate in information sharing</li> </ul> <h3>Energy</h3> The Strait of Hormuz blockade and strikes on Gulf energy infrastructure create direct physical and cyber risk. The CISA ICS advisories for Schneider Electric Foxboro DCS and Plant iT/Brewmaxx are directly relevant to oil & gas and process industry environments. Energy sector organizations should: <ul> <li>Immediately audit Schneider Electric DCS and WAGO switch deployments — apply patches or implement compensating controls (network segmentation, access restrictions)</li> <li>Verify OT network segmentation — ensure IT-OT boundaries are enforced and monitored, particularly for lateral movement from compromised IT environments</li> <li>Monitor for Cyber Av3ngers reconnaissance — this IRGC-CEC-linked group has been silent but has historically targeted water and energy infrastructure. Their re-emergence would likely begin with scanning and enumeration</li> <li>Review physical security posture at facilities with internet-connected ICS — the convergence of kinetic and cyber threats means physical access controls matter more than usual</li> </ul> <h3>Healthcare</h3> Healthcare is the most actively targeted sector in this conflict. The Stryker wiper attack (11 March, attributed to Handala/UNC5203) and the Pay2Key ransomware intrusion represent a coordinated multi-actor campaign against US healthcare. Organizations should: <ul> <li>Assume you are a target — Iranian actors have demonstrated both willingness and capability to attack healthcare during this conflict</li> <li>Reduce your encryption blast radius — segment clinical networks from administrative networks, ensure backup systems are air-gapped and tested</li> <li>Deploy Pay2Key-specific detections — fake AV registration, TeamViewer on clinical systems, .6zldh_p2k file extension, 3-hour encryption timeline means automated response is essential</li> <li>Activate crisis communication plans — the Stryker attack generated significant media coverage; prepare for the reputational dimension of a healthcare cyber incident</li> <li>Coordinate with H-ISAC for healthcare-specific threat intelligence and indicators</li> </ul> <h3>Government</h3> US government agencies face a degraded defensive posture due to the partial CISA shutdown and leadership turnover. Iranian espionage operations (APT42, APT34, MuddyWater) are specifically designed to target government credentials and communications. Government organizations should: <ul> <li>Enforce iOS patching to 18.8+ or iOS 26 immediately — CISA ordered federal patching on 23 March; the DarkSword GitHub leak makes this urgent for all government mobile devices</li> <li>Audit VPN infrastructure — Ivanti EPMM (CVE-2026-1281, CVE-2026-1340) remains actively exploited; Iranian actors have historically targeted Ivanti, Fortinet, and Cisco edge devices</li> <li>Implement phishing-resistant MFA (FIDO2/WebAuthn) where possible — Tycoon2FA bypasses traditional MFA; only phishing-resistant methods are effective</li> <li>Review Langflow and AI workflow tool deployments — CVE-2026-33017 (CVSS 9.8) enables unauthenticated RCE and was exploited within 20 hours of disclosure</li> </ul> <h3>Aviation and Logistics</h3> The Strait of Hormuz blockade creates cascading supply-chain disruption. PTC Windchill PLM is widely deployed in aerospace and defense manufacturing. Aviation and logistics organizations should: <ul> <li>Patch PTC Windchill PLM immediately — critical RCE vulnerability; the severity prompted German police to physically notify affected companies</li> <li>Audit supply chain dependencies on Gulf shipping routes — cyber disruption to port management systems or logistics platforms could compound physical supply chain delays</li> <li>Monitor for UNC5858 activity — this actor was previously observed impersonating Rafael (Israeli defense contractor) in operations targeting defense industrial base entities; currently silent but not confirmed inactive</li> <li>Review third-party vendor access — supply chain compromise (GlassWorm campaign: 400+ malicious GitHub repos, 72 VSCode extensions) remains a viable initial access vector</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>IMMEDIATE (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Block Iranian C2 infrastructure at perimeter: 172.94.9[.]253, 172.94.9[.]245, 45.147.77[.]210, 176.46.152[.]46, 94.183.129[.]173. Consider ASN-level blocking for AS213790, AS51889, AS44208. </td> </tr> <tr> <td> IMMEDIATE </td> <td> IT Ops </td> <td> Enforce iOS 18.8+ or iOS 26 on all managed mobile devices. DarkSword exploit kit is now publicly available — any device on iOS 18.0–18.7 is vulnerable to zero-click compromise via Safari. </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Deploy Pay2Key detection rules: fake Avast AV registration in Defender exclusions, TeamViewer lateral movement, .6zldh_p2k file extension, SELinux/AppArmor disabling on Linux, volume shadow copy deletion. </td> </tr> <tr> <td> IMMEDIATE </td> <td> Executive / IR </td> <td> Validate incident response playbooks for ransomware and wiper scenarios. Pay2Key's 3-hour encryption timeline means manual response processes will fail — automated containment must be in place. </td> </tr> </tbody> </table> <h3>7-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 7-DAY </td> <td> IT Ops </td> <td> Patch PTC Windchill PLM to latest version. Priority for aerospace, defense, and manufacturing environments. </td> </tr> <tr> <td> 7-DAY </td> <td> IT Ops / OT </td> <td> Apply Schneider Electric patches for EcoStruxure Foxboro DCS and Plant iT/Brewmaxx. Audit WAGO industrial managed switches for CLI escape vulnerability. Implement compensating network segmentation if patching requires maintenance windows. </td> </tr> <tr> <td> 7-DAY </td> <td> SOC / IAM </td> <td> Implement Tycoon2FA detection: monitor for AiTM session cookie replay, anomalous OAuth token grants, impossible travel on authenticated sessions. Evaluate migration to phishing-resistant MFA (FIDO2/WebAuthn) for high-value accounts. </td> </tr> <tr> <td> 7-DAY </td> <td> IT Ops </td> <td> Audit all Ivanti, Fortinet, and Cisco VPN appliances for patch currency. Iranian actors continue to actively exploit edge device vulnerabilities (CVE-2026-1281, CVE-2026-1340). </td> </tr> </tbody> </table> <h3>30-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Commission an assessment of AI workflow tools (Langflow and similar) deployed in your environment. CVE-2026-33017 enables unauthenticated RCE via AI pipeline injection and was exploited within 20 hours of public disclosure. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO / Legal </td> <td> Establish a monitoring framework for cyber operations tempo during ceasefire negotiations. Iranian actors historically use negotiation periods for pre-positioning and credential harvesting. Cyber activity will be the leading indicator of whether talks are succeeding or failing. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Evaluate healthcare sector convergence risk — if your organization touches healthcare (as vendor, partner, or insurer), assess exposure to the coordinated multi-actor campaign targeting US healthcare entities. </td> </tr> <tr> <td> 30-DAY </td> <td> Executive </td> <td> Brief the board on the sustained nature of the Iran cyber threat. Even if a ceasefire is reached, Iranian cyber capabilities built during this conflict will persist. The threat landscape has permanently shifted. </td> </tr> </tbody> </table> <h2>Bottom Line                                 </h2> Twenty-seven days into this conflict, the pattern is clear: Iranian cyber operations are not a sideshow to the kinetic campaign — they are a co-equal front. The 10-day energy strike pause has not produced a corresponding cyber pause. If anything, the negotiation window creates more risk, not less, as Iranian actors use cyber operations as below-threshold leverage while diplomats talk. The convergence of threats we are tracking — state-sponsored ransomware against hospitals, government-grade mobile exploits going public, critical ICS vulnerabilities stacking up, and resilient phishing infrastructure that shrugs off law enforcement — is not a coincidence. It is the product of a sophisticated adversary operating across multiple fronts with strategic intent. Three things should keep CISOs up tonight: <ol> <li>Pay2Key encrypts in 3 hours. If your detection-to-containment pipeline takes longer than that, you will lose the race. Test it today.</li> <li>Every unpatched iPhone is a potential collection platform. DarkSword is on GitHub. The barrier to exploitation just dropped to zero. Enforce the patch.</li> <li>The quiet actors are the dangerous ones. Cyber Av3ngers — Iran's most capable ICS threat group — has been silent for the entire conflict. When they move, the target will be industrial. Make sure your OT segmentation holds.</li> </ol> The ceasefire talks may succeed. The bombs may stop. But the cyber capabilities Iran has built, the access it has established, and the infrastructure it has pre-positioned will not disappear with a signature on a document. The threat landscape has permanently shifted. Act accordingly.

FEATURED RESOURCES

March 27, 2026

Anomali Cyber Watch