Iran Cyber Threat Intelligence Center
Situation reports, threat actor profiles, and hunting queries for the active conflict.
Situation Overview
Bottom Line Up Front -- from the Iran Conflict Situation Report v1.5, published April 7, 2026
Day 39. President Trump set an 8:00 PM ET April 7 "final" deadline for Iran to reopen the Strait of Hormuz, threatening to destroy "every bridge" and "every power plant in Iran" in a four-hour campaign. Iran rejected the demand and rejected a Pakistan-Egypt-Turkey "Islamabad Accord" ceasefire framework. Israel struck Asaluyeh and Mahshahr petrochemical complexes; the IDF assesses ~85% of Iran's petrochemical export capacity has now been hit. On April 1, the IRGC fired cruise missiles at the QatarEnergy-leased tanker AQUA 1 inside Qatari territorial waters. CISA, FBI, and NSA published joint advisory AA26-097A confirming an Iranian-affiliated APT group has actually disrupted internet-exposed Rockwell/Allen-Bradley PLCs across US Government Services, Water and Wastewater, and Energy sectors -- with operational and financial loss. On March 27, Handala (MOIS-linked) breached FBI Director Kash Patel's personal Gmail in retaliation for the DOJ seizure of four Handala domains, and separately doxxed 28 Lockheed Martin engineers in Israel with kinetic threats.
Day 39 is the most volatile decision window since onset. Trump's ultimatum and Iran's rejection of the Islamabad Accord leave no diplomatic overlap; US strikes against Iranian civilian infrastructure are plausible within 24-48 hours. Israel's destruction of 85% of Iranian petrochemical export capacity accelerates regime financial pressure but reduces Iran's incentive to spare Gulf energy infrastructure from retaliation. AA26-097A is the most consequential cyber publication of the conflict to date: it confirms Iranian APT actors have actually disrupted US critical infrastructure PLCs (not merely attempted access). CISA's March 18 "steady state" framing is functionally retracted. The Handala/Patel breach and Lockheed Martin doxxing extend the threat aperture from corporate networks to personal accounts and physical security of named US officials and defense contractor employees.
Treat the period through April 10 as an elevated retaliation window. Apply Rockwell mitigations per AA26-097A: take Rockwell/Allen-Bradley PLCs off the public internet, change default credentials, deploy SD1771 hardening. Audit all internet-exposed PLCs of any manufacturer (TCP 20256, 44818, 502, 102). Operate under the assumption that Iranian APT groups are actively disrupting US critical infrastructure PLCs -- this is no longer a forecast. For named US officials and senior defense contractor employees, harden personal accounts (hardware-key MFA, recovery channel audit, scrub publicly accessible address data). Defense contractors with named employees in Israel should activate physical security review. Maintain elevated wiper hunt posture. Pre-stage communications language for Iranian retaliation following any Trump strikes, or for Handala-affiliated breach claims against your organization.
Sector Risk Assessment
| Sector | Espionage | Wiper / Destructive | Ransomware | Influence Ops |
|---|---|---|---|---|
| Energy | Critical ↑ | Critical ↑ | High ↑ | Medium → |
| Financial Services | Critical ↑ | High ↑ | Critical ↑ | High ↑ |
| Water / Wastewater NEW | Medium → | Critical ↑ | Medium → | Low → |
| Government | Critical ↑ | High ↑ | High → | Critical ↑ |
| Healthcare ↑ | Medium → | Critical ↑ | High ↑ | Low → |
| Transportation | Medium → | High ↑ | Medium ↑ | Low → |
| Cloud / Data Centers NEW | Medium ↑ | Critical ↑ | High ↑ | Low → |
| Technology / MSPs ↑ | High ↑ | High ↑ | High → | Medium → |
Active Threat Actors
Eleven Iranian threat groups with confirmed or assessed operations during the conflict. Ordered by operational significance.
Agrius
Lemon Sandstorm
MuddyWater
Handala
APT33 / Peach Sandstorm
APT34 / OilRig
APT35 / APT42 / Charming Kitten
CyberAv3ngers
Hydro Kitten
Cotton Sandstorm
FAD Team (Fatimion Cyber Team)
Respond Now
Immediate actions and detection queries you can deploy today.
Immediate Actions (0-48 Hours)
From the Iran Conflict Situation Report, Section 8: Action Response Framework
1. Elevate SOC to 24/7 operations with dedicated Iranian threat monitoring shift
2. Deploy emergency detection rules for Iranian APT TTPs. Prioritize Lemon Sandstorm VPN exploitation indicators, Agrius wiper signatures, and MuddyWater Operation Olalampo malware families
3. Emergency patch all internet-facing VPN appliances (Fortinet, Pulse Secure, Citrix, Palo Alto) — Lemon Sandstorm's primary initial access vector
4. Review and enforce MFA on all critical systems, particularly OT/ICS jump hosts, VPN concentrators, and cloud admin portals
5. Activate incident response retainer with external forensics provider; confirm SLA and escalation contacts
6. Verify offline backup integrity for critical systems; test restoration procedures for wiper scenario
7. NEW: Audit cloud infrastructure for single-region dependencies on Middle East availability zones (AWS me-south-1, me-central-1). Verify multi-region failover is active and tested
8. NEW: Review disaster recovery plans for cloud-hosted services. Ensure RPO and RTO account for complete facility loss, not just software failure
9. NEW: Harden enterprise device management platforms (Microsoft Intune, SCCM, Jamf, Google Workspace MDM). Restrict remote wipe permissions to dedicated admin accounts with hardware-bound MFA. Monitor for anomalous MDM commands. Segment MDM administrative access from general IT infrastructure
10. NEW: Assess GPS-dependent operational systems for spoofing resilience. Review navigation, timing, logistics, and financial transaction systems that rely on GNSS signals
11. NEW: Take ICS/SCADA interfaces off the internet immediately. Change default credentials on all PLCs and HMIs. Block industrial protocol ports (TCP 20256, 102, 502, 44818)
12. NEW: Audit RMM platform access and patch SolarWinds N-central (CVE-2025-9316). Review all remote management tool installations for unauthorized instances
13. NEW: Build pre-approved communications protocols for responding to Telegram breach claims before journalists call. Do not assume CISA early warning is functioning at normal capacity; establish independent threat intelligence sources
14. NEW: Treat any ransomware incident in targeted sectors as a potential wiper until proven otherwise. Preserve forensic evidence before assuming criminal intent
Featured Hunting Queries
Copy-paste ready detection queries. One from each threat actor's hunting guide.
Intune remote wipe / retire operations (KQL, Microsoft Sentinel AuditLogs):

```kusto
// Intune device actions that can destroy or lock endpoints at scale.
// Review the initiating account and target device for every hit.
AuditLogs
| where LoggedByService == "Intune"
| where OperationName has_any ("Wipe", "Retire", "Reset", "remoteLock", "cleanWindowsDevice", "windowsDefenderScan")
| project TimeGenerated, OperationName, InitiatedBy.user.userPrincipalName, TargetResources[0].displayName, Result
| sort by TimeGenerated desc
```

DNS resolution of C2 and lookalike infrastructure (KQL, DnsEvents):

```kusto
// Lookalike vendor-cloud and update domains from the hunting guide.
let C2Domains = dynamic([
    "apps.gist.githubapp.net", "githubapp.net",
    "api.gupdate.net", "gupdate.net",
    "login.forticloud.online", "fortigate.forticloud.online",
    "cloud.sophos.one"
]);
DnsEvents
| where Name has_any (C2Domains)
| extend AlertSeverity = "High"
| project TimeGenerated, ClientIP, Name, QueryType, AlertSeverity
| sort by TimeGenerated desc
```

Sigma rule for the Agrius wiper staging directory (file_event):

```yaml
title: Suspicious .NET Executable in Windows Temp Staging Directory (Agrius)
id: b2c3d4e5-f6a7-8901-bcde-a91105000001
status: experimental
description: |
    Detects .NET executables created in the Windows temp staging
    directory C:\windows\temp\s\, a known Agrius wiper deployment location.
logsource:
    category: file_event
    product: windows
detection:
    selection_staging_dir:
        TargetFilename|startswith: 'C:\windows\temp\s\'
        TargetFilename|endswith:
            - '.exe'
            - '.dll'
    selection_tool_names:
        TargetFilename|endswith:
            - '\sql.net4.exe'
            - '\systems.exe'
            - '\IPsecHelper.exe'
    condition: selection_staging_dir or selection_tool_names
falsepositives:
    - Legitimate software installation to temp directories
level: high
```

RMM tool binaries abused by MuddyWater (KQL, Defender DeviceProcessEvents):

```kusto
// Commercial RMM agents seen in MuddyWater intrusions. Baseline the tools your
// IT teams legitimately use first, then investigate any agent outside that set.
let MuddyWaterRMM = dynamic([
    "AteraAgent.exe", "ScreenConnect.ClientService.exe",
    "SimpleHelp.exe", "AnyDesk.exe", "Syncro.Overmind.Service.exe",
    "RemoteUtilities.exe", "rutserv.exe", "rfusclient.exe",
    "level-windows-amd64.exe", "PDQConnect.Agent.exe"
]);
DeviceProcessEvents
| where FileName in~ (MuddyWaterRMM)
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, AccountName
| sort by Timestamp desc
```
Full detection libraries available in the hunting guides below.
Download Reports
All reports are TLP:CLEAR. Free and ungated. Share with your team.
Iran Conflict Situation Report v1.5
Day 39 comprehensive update. Trump Hormuz ultimatum, Israeli strikes on 85% of Iran's petrochemical capacity, CISA AA26-097A confirming Iranian PLC disruption inside US critical infrastructure, Handala breach of FBI Director Patel's personal Gmail, and expanded threat actor activity across all eleven groups.
Threat Actor Reports
Agrius
Custom Wiper Malware Deployment
Lemon Sandstorm
VPN Exploitation & Pre-Positioned Access
MuddyWater
RMM Tool Abuse & Custom Backdoors
Handala
MDM Weaponization & Destructive Operations
APT33 / Peach Sandstorm
Cloud Infrastructure Abuse & Password Spraying
APT34 / OilRig
DNS Tunneling C2 & Sleeper Access
APT35 / APT42 / Charming Kitten
Social Engineering & MFA Token Interception
CyberAv3ngers
OT/ICS Targeting & PLC Exploitation
Hydro Kitten
ICS/OT to Financial Sector Pivot
Cotton Sandstorm
Influence Operations & Hack-and-Leak
FAD Team (Fatimion Cyber Team)
Hacktivist OT/ICS Targeting