Iran's Cyber War Goes Operational: PLC Attacks, Wiper Campaigns, and the Shift to Sustained Targeting of US Infrastructure
Iranian state-affiliated cyber actors have moved from reconnaissance to active disruption of US critical infrastructure. A joint advisory from CISA, FBI, NSA, EPA, DOE, and US Cyber Command, published April 7, 2026, confirms that Iranian APT groups have been exploiting Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs) across government services, water and wastewater systems, and energy sector targets since March 2026 [1]. Some PLC campaign victims have already experienced operational disruption and financial loss [1]. Separately, the Handala group, linked to Iran's Ministry of Intelligence and Security (MOIS), wiped over 200,000 devices belonging to medical technology giant Stryker across 79 countries on March 11 [2]. Iran's cyber apparatus appears to be executing destructive operations on a scale and tempo not previously seen from Tehran.
The Center for Strategic and International Studies (CSIS) assessed on April 7 that Iran's approach to cyber conflict is "no longer episodic or symbolic" but instead reflects "a sustained, strategic posture" [3]. That assessment tracks with what defenders are seeing on the ground.
The Trigger: Operation Epic Fury and Its Aftermath
The current wave of Iranian cyber operations is direct retaliation for kinetic strikes. On February 28, 2026, the United States and Israel launched Operation Epic Fury (US) and Operation Roaring Lion (Israel), a combined military offensive that killed Supreme Leader Ali Khamenei, IRGC commander Mohammad Pakpour, and other senior officials [7][5]. Iran's internet connectivity dropped to between 1% and 4% following the initial strikes and remained in a near-complete blackout for over 27 consecutive days as of March 26 [5].
The IRGC responded with an explicit threat on April 1, naming 18 US technology companies, including Apple, Google, Meta, Microsoft, and Nvidia, as "legitimate targets" for retaliation. The statement cited the companies' alleged role in enabling the assassinations [7]. Handala framed its Stryker attack as retaliation for what Iranian state media claimed was a February 28 missile strike on an Iranian school that reportedly killed 175 children [2].
This is the operational context. Every Iranian cyber action in the current period is linked to this escalation cycle.
The PLC Campaign: Targeting Industrial Control Systems
The CISA advisory (AA26-097a) details a campaign targeting internet-facing operational technology devices, specifically Rockwell Automation PLCs [1]. The attackers use leased third-party infrastructure to obscure attribution and employ Studio 5000 Logix Designer, Rockwell's legitimate configuration software, to interact with compromised controllers [1]. They're targeting .ACD project files containing ladder logic, the programming that governs physical industrial processes [1].
The campaign bears strong similarity to previous CyberAv3ngers operations [4]. CyberAv3ngers is an IRGC-affiliated group that previously targeted water utilities in Ireland and Pennsylvania [4]. OpenAI reported in October 2024 that CyberAv3ngers had used ChatGPT for attack planning [4]. A separate campaign by the same ecosystem deployed IOCONTROL malware against US water infrastructure PLCs, exploiting default credentials on Unitronics controllers over TCP port 20256 [12].
The advisory specifically flags inbound traffic on ports 44818, 2222, 502, 102, and 22 as indicators of malicious PLC targeting [1]. Attackers also deployed Dropbear SSH to maintain access to compromised devices [1].
The Stryker Wiper Attack: Weaponizing Enterprise Management Tools
The Handala group's March 11 attack on Stryker, a $25 billion medical technology company with 56,000 employees, was technically notable for what it didn't use: traditional malware [2]. Instead, Handala abused Microsoft Intune, a legitimate enterprise device management platform, to remotely wipe approximately 200,000 devices across 79 countries [2][8]. The group gained administrative access to Stryker's Intune tenant and used native remote wipe functionality to destroy data at scale.
This approach bypasses endpoint detection entirely. The wipe commands came from a trusted management platform, making them indistinguishable from legitimate administrative actions until the damage was done.
Handala is linked to Iran's MOIS and has also been connected to the Homeland Justice operation [9]. The FBI seized multiple Handala domains in response, and the group retaliated by targeting FBI Director Kash Patel [6]. Cyble's threat profile confirms that Handala's defining characteristic is destructive wiper deployment rather than ransomware, with multiple malware families in their arsenal: Handala Wiper (destructive malware), Hamsa Wiper (Linux, masquerades as software updates), and Hatef Wiper (data destruction targeting critical directories) [11].
Phishing Infrastructure at Scale
Palo Alto's Unit 42 tracked 7,381 phishing URLs across 1,881 unique hostnames tied to the Iran conflict cycle [5]. These include conflict-themed lures designed to exploit public interest in the military operations. Unit 42 identified specific malicious infrastructure including a fake RedAlert Android application hosted at hxxps://www.shirideitch.com/wp-content/uploads/2022/06/RedAlert.apk and a C2 endpoint at hxxps://api.ra-backup.com/analytics/submit.php [5]. Scam domains like iranforward.org are soliciting cryptocurrency under the guise of humanitarian donations [5].
MOIS Tradecraft: Telegram C2 and Masquerading
An FBI FLASH from March 20, 2026, details MOIS cyber actors using Telegram bots for command and control, communicating through api.telegram.org [9]. The actors distribute malware masquerading as legitimate applications: Pictory, KeePass, and Telegram installers serve as initial access vectors [9]. A payload called MicDriver.zip provides screen and audio recording capabilities [9].
Separately, CISA documented Iranian actors operating under the cover company Danesh Novin Sahand (identification number 14007585836), scanning Check Point Security Gateways for CVE-2024-24919 and collaborating with ransomware affiliates [10].
Defender Capacity Gap
The Foundation for Defense of Democracies (FDD) reported on April 14 that Iranian hackers breached Saint Joseph County's fax server, pursuing psychological impact against local government [6]. The same analysis noted concerns about CISA's reduced workforce capacity during an active campaign [6].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| IP | 82.25.35.25 | Handala C2 infrastructure (Stryker attack) | [8] |
| IP | 31.57.35.223 | Handala C2 infrastructure (Stryker attack) | [8] |
| IP | 107.189.19.52 | Handala C2 infrastructure (Stryker attack) | [8] |
| IP | 146.185.219.235 | Handala C2 infrastructure (Stryker attack) | [8] |
| URL | hxxps://www.shirideitch.com/wp-content/uploads/2022/06/RedAlert.apk | Malicious RedAlert Android app | [5] |
| URL | hxxps://api.ra-backup.com/analytics/submit.php | Mobile malware C2 endpoint | [5] |
| Domain | iranforward.org | Cryptocurrency scam site | [5] |
| Domain | api.telegram.org | C2 communication endpoint (Telegram bot) | [9] |
| Domain | handala-hack.to | Handala claim and propaganda site | [11] |
| Filename | .ACD | Rockwell Automation project files (ladder logic) | [1] |
| Filename | MicDriver.zip | Screen/audio recording malware | [9] |
| Malware | Dropbear SSH | Deployed on compromised PLCs | [1] |
| Malware | IOCONTROL | Water infrastructure PLC malware | [12] |
| Malware | Handala Wiper | Destructive malware | [11] |
| Malware | Hamsa Wiper | Linux wiper (masquerades as updates) | [11] |
| Malware | Hatef Wiper | Data destruction tool | [11] |
| Tool | Studio 5000 Logix Designer | Rockwell config software used by attackers | [1] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T0883 | Internet Accessible Device | Targeting internet-facing PLCs [1] |
| T1190 | Exploit Public-Facing Application | Exploiting internet-facing OT devices and Check Point gateways [1][10] |
| T1078 | Valid Accounts | Default credentials on Unitronics PLCs; Intune admin access [12][2] |
| T1072 | Software Deployment Tools | Weaponizing Microsoft Intune for mass device wipe [2] |
| T1485 | Data Destruction | Wiper deployment across Stryker infrastructure [2][11] |
| T1561 | Disk Wipe | Wiper capabilities [11] |
| T1036 | Masquerading | Malware disguised as Pictory, KeePass, Telegram [9] |
| T1071 | Application Layer Protocol | Telegram bot C2 via api.telegram.org [9] |
| T1566 | Phishing | 7,381 conflict-themed phishing URLs [5] |
| T1565 | Data Manipulation | Modification of PLC ladder logic via .ACD files [1] |
| T0886 | Commonly Used Port | Targeting standard OT ports 44818, 502, 102 [1] |
Detection and Hunting
PLC-focused detection: Monitor for unexpected inbound connections on ports 44818 (EtherNet/IP), 502 (Modbus), 102 (S7comm), 2222, and 22 targeting Rockwell Automation or Allen-Bradley devices [1]. Alert on any external IP communicating with PLCs. Watch for Dropbear SSH deployments on OT devices where SSH shouldn't exist.
Studio 5000 anomalies: Track .ACD file modifications outside of scheduled maintenance windows. Any download or upload of PLC project files from unfamiliar workstations or IP ranges warrants immediate investigation [1].
Intune abuse detection: Review Microsoft Intune audit logs for bulk device wipe commands, particularly from new admin accounts or unusual source IPs. Correlate Intune administrative actions with Azure AD sign-in logs. A mass wipe command affecting hundreds of devices in a short window is never normal [2].
Telegram C2: Query DNS logs and proxy logs for connections to api.telegram.org from servers or endpoints that have no business using Telegram. This is a known C2 channel for MOIS operators [9].
Masquerading malware: Hunt for executables named Pictory, KeePass, or Telegram that aren't installed through official channels. Check for MicDriver.zip in download directories and temp folders [9].
Network-level: Block or alert on the four Handala C2 IPs: 82.25.35.25, 31.57.35.223, 107.189.19.52, 146.185.219.235 [8]. Monitor for connections to handala-hack.to [11].
Analysis
Iran's cyber operations have crossed a threshold. The shift from espionage and pre-positioning to active disruption of critical infrastructure and destruction of enterprise systems represents a qualitative change in risk. The PLC campaign targets the physical processes that keep water flowing and power running. The Stryker wiper attack demonstrated that legitimate enterprise management tools can be turned into weapons of mass data destruction without deploying a single piece of malware.
The CSIS assessment of a "sustained, strategic posture" is supported by the operational tempo [3]. Multiple Iranian entities (IRGC-affiliated CyberAv3ngers, MOIS-linked Handala, and cover company operations under Danesh Novin Sahand) are all active simultaneously against different target sets [4][11][10]. This is coordinated, multi-axis pressure.
CISA's reduced workforce capacity creates a dangerous gap precisely when federal coordination is most needed [6]. Smaller infrastructure operators who depend on CISA advisories and incident response support are now more exposed.
Red Sheep Assessment
Confidence: Moderate-High
The sources collectively paint a picture that goes beyond what any single advisory states: Iran is conducting its first genuine cyber war. Not a single retaliatory strike, not a demonstration, but a sustained campaign with multiple threat groups hitting multiple sectors simultaneously. The Stryker attack is particularly telling. Using Intune rather than custom malware suggests the attackers had deep access to Stryker's cloud administration for some time before pulling the trigger. The timing, 11 days after the February 28 strikes, points to pre-positioned access activated on command rather than a hastily assembled operation [2][5].
The IRGC's public threat against 18 named tech companies should be treated as a targeting list, not rhetoric [7]. Iran's cyber operators have consistently followed through on public threats. With the country's conventional military capacity degraded and its internet infrastructure devastated, cyber operations are one of the few retaliatory tools still available to Tehran.
A contrarian read: Iran's cyber capacity may actually be degraded by the near-total internet blackout [5]. Operating offensive cyber campaigns requires connectivity, and Iranian operators may be working from foreign infrastructure or pre-positioned footholds established before the conflict. This could limit their ability to sustain operations long-term. But the evidence so far suggests the pre-positioning was extensive enough to support current operational tempo.
The most dangerous near-term scenario isn't a single catastrophic attack. It's the cumulative effect of dozens of disruptions across water, energy, local government, and healthcare, eroding public confidence while federal cyber defense capacity is at historic lows.
Defender's Checklist
- [ ] Audit all internet-facing OT devices immediately. Identify any Rockwell Automation, Allen-Bradley, or Unitronics PLCs exposed to the internet. Remove internet access or place behind VPN with MFA. Check for unexpected Dropbear SSH installations on PLC devices [1][12].
- [ ] Review Microsoft Intune administrative access. Audit all Intune global admin and device admin accounts. Enable conditional access policies restricting Intune admin actions to trusted IPs. Set up alerts for bulk device wipe or retire commands, e.g. `AuditLogs | where OperationName contains "wipe"` in Azure Monitor [2].
- [ ] Block known Handala C2 infrastructure. Add IPs `82.25.35.25`, `31.57.35.223`, `107.189.19.52`, `146.185.219.235` and domain `handala-hack.to` to blocklists across firewalls and DNS resolvers [8][11].
- [ ] Hunt for Telegram-based C2 on non-user endpoints. Run the query `index=proxy OR index=dns dest="api.telegram.org" src_category!=workstation` to identify servers or OT systems communicating with Telegram infrastructure [9].
- [ ] Validate PLC project file integrity. Compare current `.ACD` files on Rockwell PLCs against known-good backups. Any unauthorized modification to ladder logic is a potential safety incident requiring immediate investigation [1].
References
1. CISA Advisory AA26-097a: Iranian-Affiliated Cyber Actors Exploit PLCs
2. KrebsOnSecurity: Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker
3. Industrial Cyber: CSIS Flags Iran's Shift to Sustained Campaign
4. SecurityWeek: Iran-Linked Hackers Disrupt US Critical Infrastructure via PLC Attacks
5. Unit 42: Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran
6. FDD: How an Iranian Cyberattack Hit US Local Governments
7. TIME: Iran Threatens to Target US Tech Firms
8. SOCRadar: Iran vs. Israel & US Cyber War 2026 Threat Intelligence
9. FBI FLASH: Iran MOIS Cyber Actors Using Telegram C2
10. CISA Advisory AA24-241A: Iran-based Cyber Actors Enabling Ransomware Attacks
11. Cyble: Handala Hack Team Threat Profile
12. Intruvent: Iran Cyber Threat Intelligence Center
---
Hunt Report: Iranian Cyber Operations - PLC Attacks and Enterprise Wiper Campaign
Hypothesis: If Iranian threat actors (CyberAv3ngers, Handala, MOIS operators) are active in our environment, we expect to observe unauthorized PLC modifications, mass device wipe commands via MDM platforms, Telegram-based C2 communications, and connections to known Iranian infrastructure in Sysmon, Windows Security logs, Intune audit logs, and network telemetry.
Intelligence Summary: Iranian state-affiliated actors have shifted from reconnaissance to active disruption of US critical infrastructure through PLC attacks targeting water/energy systems and enterprise-wide wiper campaigns. The Handala group wiped 200,000+ Stryker devices via Microsoft Intune abuse, while CyberAv3ngers-linked actors are modifying industrial control systems using legitimate Rockwell Automation tools.
Confidence: High | Priority: Critical
Scope
- Networks: All enterprise networks with focus on: OT/ICS segments, Azure/cloud management planes, internet DMZ, and critical infrastructure control systems
- Timeframe: Immediate: Past 30 days for IOC sweeps; Ongoing: Real-time detection for next 90 days given active campaign
- Priority Systems: Rockwell/Allen-Bradley PLCs, Microsoft Intune management servers, water/energy SCADA systems, medical device controllers, domain controllers with Azure AD Connect
MITRE ATT&CK Techniques
T1072 — Software Deployment Tools (Execution) [P1]
Handala abused Microsoft Intune MDM platform to issue mass device wipe commands, destroying data on 200,000+ endpoints without deploying traditional malware
Splunk SPL:
index=azure_audit sourcetype="azure:aad:audit" (operationName="*wipe*" OR operationName="*retire*") | bin _time span=10m | stats count dc(targetResources{}.displayName) as devices by _time, user | where count > 10
Elastic KQL:
event.dataset:"azure.auditlogs" AND event.action:("wipe" OR "retire" OR "delete") AND event.outcome:"success"
Sigma Rule:
```yaml
title: Mass Device Wipe via Microsoft Intune
id: 8a7c3d4e-9b2f-4e6a-8c7d-1f2e3a4b5c6d
status: experimental
author: RedSheep Security/Stone
date: 2026-04-07
description: Detects mass device wipe operations through Microsoft Intune that could indicate Handala-style attacks
references:
  - https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    properties.operationName:
      - '*wipe*'
      - '*retire*'
      - 'Delete managed device'
  timeframe: 10m
  condition: selection | count() > 50
falsepositives:
  - Legitimate bulk device retirement during hardware refresh
  - Planned device wipe operations
level: high
tags:
  - attack.impact
  - attack.t1485
  - attack.t1072
```
Monitor for >50 device wipes within 10 minutes. Correlate with new Intune admin account creation or unusual source IPs in Azure AD logs.
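The Intune mass-wipe detection described here, and in the Detection and Hunting section and Defender's Checklist above, as a working sliding-window implementation with the "new admin account" correlation. This is an added example, not code from the report, RedSheep, or Microsoft; it assumes Entra ID/Azure AD audit records exported as JSON with the field names shown, and every sample event is constructed.

```python
"""Sliding-window detection of mass wipe/retire commands in Microsoft Intune audit logs.

Added example for the Intune-abuse detections in this report; it is not code from
the original report or from Microsoft. It assumes audit records exported from the
Entra ID / Azure AD audit log as JSON objects carrying the fields used below; all
sample events are constructed for the demo and use naive UTC timestamps.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # alert window from the hunt guide
THRESHOLD = 50                          # alert when more than this many wipes fall in WINDOW
ROLE_LOOKBACK = timedelta(days=7)       # "new admin account" correlation horizon
WIPE_OPS = ("wipe", "retire", "delete managed device")


def is_wipe_like(operation_name):
    op = operation_name.lower()
    return any(k in op for k in WIPE_OPS)


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", ""))


def actor_of(event):
    return event["initiatedBy"]["user"].get("userPrincipalName", "unknown")


def recent_role_grants(events, actor, before, lookback=ROLE_LOOKBACK):
    """Role-assignment events that named `actor` as a target within `lookback` before `before`."""
    grants = []
    for e in events:
        if e["operationName"] != "Add member to role":
            continue
        ts = parse_ts(e["activityDateTime"])
        targets = {t.get("userPrincipalName") for t in e["targetResources"]}
        if actor in targets and before - lookback <= ts <= before:
            grants.append(e)
    return grants


def detect_mass_wipe(events, threshold=THRESHOLD, window=WINDOW):
    """One alert per actor whose wipe-like operations exceed `threshold` inside any
    `window`; the alert keeps the largest burst seen plus the distinct source IPs.
    Events may arrive unsorted, so they are ordered by activityDateTime first."""
    wipes = sorted((e for e in events if is_wipe_like(e["operationName"])),
                   key=lambda e: parse_ts(e["activityDateTime"]))
    recent = defaultdict(deque)   # actor -> deque of (timestamp, event) still inside the window
    alerts = {}
    for e in wipes:
        actor, ts = actor_of(e), parse_ts(e["activityDateTime"])
        q = recent[actor]
        q.append((ts, e))
        while ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) > threshold and len(q) > alerts.get(actor, {}).get("count", 0):
            alerts[actor] = {
                "actor": actor,
                "count": len(q),
                "window_start": q[0][0].isoformat(),
                "window_end": ts.isoformat(),
                "source_ips": sorted({ev["initiatedBy"]["user"].get("ipAddress", "?") for _, ev in q}),
                "devices": sorted({t["displayName"] for _, ev in q for t in ev["targetResources"]}),
                "recent_role_grant": bool(recent_role_grants(events, actor, ts)),
            }
    return list(alerts.values())


def _event(ts, op, actor, ip, targets):
    return {"activityDateTime": ts.isoformat(), "operationName": op,
            "initiatedBy": {"user": {"userPrincipalName": actor, "ipAddress": ip}},
            "targetResources": targets}


# Constructed sample: routine retirements by helpdesk (one every 12 minutes) and a
# 60-device wipe burst from an account added to an Intune admin role two days earlier.
BASE = datetime(2026, 3, 11, 2, 0, 0)
SAMPLE_EVENTS = [
    _event(BASE - timedelta(days=2), "Add member to role", "admin@example.com", "10.20.0.9",
           [{"displayName": "Intune Administrator"},
            {"displayName": "svc-mdm", "userPrincipalName": "svc-mdm@example.com"}]),
]
for i in range(5):
    SAMPLE_EVENTS.append(_event(BASE + timedelta(minutes=12 * i), "Retire managed device",
                                "helpdesk@example.com", "10.20.0.5", [{"displayName": f"LAPTOP-{i:03d}"}]))
for i in range(60):
    SAMPLE_EVENTS.append(_event(BASE + timedelta(seconds=3 * i), "Wipe managed device",
                                "svc-mdm@example.com", "203.0.113.77", [{"displayName": f"WS-{i:04d}"}]))

if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(alert["actor"], alert["count"], alert["source_ips"], alert["recent_role_grant"])
```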
T0883 — Internet Accessible Device (Initial Access) [P1]
Iranian actors targeting internet-facing Rockwell Automation PLCs on ports 44818, 502, 102, 2222, and 22 for ladder logic manipulation
Splunk SPL:
index=firewall dest_port IN (44818, 502, 102, 2222, 22) dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) action=allowed | stats count by src_ip, dest_ip, dest_port | where count > 5 AND NOT cidrmatch("10.0.0.0/8", src_ip) AND NOT cidrmatch("172.16.0.0/12", src_ip) AND NOT cidrmatch("192.168.0.0/16", src_ip)
Elastic KQL:
destination.port:(44818 OR 502 OR 102 OR 2222 OR 22) AND destination.ip:(10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16) AND NOT source.ip:(10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16)
Sigma Rule:
```yaml
title: External Connections to PLC Control Ports
id: 7f8e9a2c-4d1b-5e3a-9c8f-2a1e6b7d4f5c
status: stable
author: CISA
date: 2026-04-07
description: Detects external IP addresses connecting to common PLC control ports
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
logsource:
  category: firewall
detection:
  selection:
    dst_port:
      - 44818 # EtherNet/IP
      - 502   # Modbus
      - 102   # S7comm
      - 2222  # Alternate SSH
      - 22    # SSH
  filter:
    src_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter
falsepositives:
  - Legitimate remote vendor support
  - Authorized remote access for maintenance
level: high
tags:
  - attack.initial_access
  - attack.t0883
```
Any external connection to PLC ports is suspicious. Validate against approved vendor access lists.
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P2]
MOIS actors using Telegram bot API for C2 communications through api.telegram.org
Splunk SPL:
index=proxy OR index=dns dest="api.telegram.org" src_category!=workstation | stats count by src, dest, user | where count > 10
Elastic KQL:
destination.domain:"api.telegram.org" AND NOT host.type:"workstation"
Servers and OT systems should never communicate with Telegram. Any match requires immediate investigation.
T1036.005 — Masquerading: Match Legitimate Name or Location (Defense Evasion) [P2]
Iranian malware masquerading as legitimate installers: Pictory, KeePass, Telegram, with MicDriver.zip providing screen/audio recording
Splunk SPL:
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Image="*\\Pictory.exe" OR Image="*\\KeePass.exe" OR Image="*\\Telegram.exe") | join type=outer ProcessGuid [search index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 ImageLoaded="*\\MicDriver.dll"] | table _time, ComputerName, User, Image, CommandLine, ImageLoaded
Elastic KQL:
event.code:"1" AND process.name:("Pictory.exe" OR "KeePass.exe" OR "Telegram.exe") AND NOT process.code_signature.exists:true
Sigma Rule:
```yaml
title: Iranian Masquerading Malware Execution
id: 9c5f7b3e-2a1d-4f8c-b7e9-3d5a8f2c1b4e
status: experimental
author: RedSheep Security/Stone
date: 2026-04-07
description: Detects execution of known Iranian malware masquerading as legitimate applications
references:
  - https://www.ic3.gov/CSA/2026/260320.pdf
logsource:
  product: windows
  category: process_creation
detection:
  selection_process:
    Image|endswith:
      - '\Pictory.exe'
      - '\KeePass.exe'
      - '\Telegram.exe'
  selection_unsigned:
    Signed: 'false'
  selection_suspicious_path:
    Image|contains:
      - '\AppData\Local\Temp\'
      - '\Downloads\'
      - '\Users\Public\'
  condition: selection_process and (selection_unsigned or selection_suspicious_path)
falsepositives:
  - Unsigned legitimate versions of these applications
  - Portable application usage
level: high
tags:
  - attack.defense_evasion
  - attack.t1036.005
```
Focus on unsigned executables or those running from Temp/Downloads folders. Check for MicDriver.zip in same timeframe.
T1485 — Data Destruction (Impact) [P1]
Deployment of multiple wiper variants: Handala Wiper, Hamsa Wiper (Linux), and Hatef Wiper targeting critical directories
Splunk SPL:
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=23 OR EventCode=26) (TargetFilename="*.exe" OR TargetFilename="*.dll" OR TargetFilename="*.sys") | bucket _time span=1s | stats dc(TargetFilename) as deleted_files by _time, ComputerName, User | where deleted_files > 100
Elastic KQL:
event.action:"deletion" AND file.extension:("exe" OR "dll" OR "sys" OR "dat" OR "db")
KQL has no aggregation stage, so apply the threshold (more than 100 deletions per host.name and user.name in a short window) in the detection rule itself. Mass file deletion in a short timeframe indicates wiper activity. Isolate the system immediately.
T1565.002 — Data Manipulation: Transmitted Data Manipulation (Impact) [P1]
Modification of PLC ladder logic through .ACD project files to disrupt industrial processes
Splunk SPL:
index=ot_logs sourcetype="rockwell:factorytalk" (action="project_download" OR action="project_upload" OR action="logic_modified") file_extension=".ACD" | eval hour=tonumber(strftime(_time,"%H")) | where hour<6 OR hour>18 | table _time, src_ip, user, action, project_name, controller_name
Elastic KQL:
event.dataset:"rockwell.factorytalk" AND file.extension:"ACD" AND (event.action:"download" OR event.action:"upload" OR event.action:"modify")
Any .ACD file modification outside maintenance windows is critical. Compare against known-good project file hashes.
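The .ACD integrity check called for here, in the Detection and Hunting section, and in the Defender's Checklist, as a runnable baseline comparison that also applies the maintenance-window test from the SPL above. This is an added example, not code from the report, RedSheep, or Rockwell; it assumes project files collected to a directory and a JSON manifest of SHA-256 hashes from known-good backups, and the sample files, hashes and timestamps are constructed.

```python
"""Integrity check of Rockwell .ACD project files against a known-good baseline.

Added example, not code from the original report or from Rockwell. It assumes a
directory of project files pulled from the engineering workstation or backups and
a JSON manifest of SHA-256 hashes taken from known-good copies; the sample files,
hashes and timestamps below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Approved maintenance window, mirroring the hunt guide's hour<6 OR hour>18 filter.
MAINTENANCE_HOURS = range(6, 19)


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(project_dir):
    """Map every .ACD file under project_dir (any case) to its SHA-256."""
    root = Path(project_dir)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() == ".acd"}


def save_baseline(baseline, manifest):
    Path(manifest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest):
    return json.loads(Path(manifest).read_text())


def compare(project_dir, baseline):
    """Classify project files as modified, new or missing against the baseline.
    Modified files also get an outside_window flag from their mtime, since a
    ladder-logic change outside maintenance hours is the case the report flags."""
    root = Path(project_dir)
    current = build_baseline(root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append({"file": rel, "status": "new", "actual": digest})
        elif baseline[rel] != digest:
            mtime = datetime.fromtimestamp((root / rel).stat().st_mtime)
            findings.append({"file": rel, "status": "modified",
                             "expected": baseline[rel], "actual": digest,
                             "mtime": mtime.isoformat(),
                             "outside_window": mtime.hour not in MAINTENANCE_HOURS})
    for rel in sorted(set(baseline) - set(current)):
        findings.append({"file": rel, "status": "missing", "expected": baseline[rel]})
    return sorted(findings, key=lambda f: f["file"])


def demo(workdir=None):
    """Constructed scenario: baseline three projects, then simulate a logic edit at
    03:15, a deleted project and an unexpected new file, and run the comparison."""
    root = Path(workdir or tempfile.mkdtemp(prefix="acd_demo_"))
    projects = {"Pump_Station.ACD": b"constructed project: pump station v12\n",
                "Chlorination.ACD": b"constructed project: chlorination v7\n",
                "Intake.acd": b"constructed project: intake v3\n"}
    for name, body in projects.items():
        (root / name).write_bytes(body)
    manifest = root / "acd_baseline.json"          # .json, so it is not hashed itself
    save_baseline(build_baseline(root), manifest)
    # Simulated tampering after the baseline was taken.
    (root / "Chlorination.ACD").write_bytes(b"constructed project: chlorination v7, setpoint changed\n")
    t = datetime(2026, 3, 12, 3, 15).timestamp()   # 03:15 local time, outside the window
    os.utime(root / "Chlorination.ACD", (t, t))
    (root / "Intake.acd").unlink()
    (root / "Backup_Copy.ACD").write_bytes(b"constructed project: unknown origin\n")
    return compare(root, load_baseline(manifest))


if __name__ == "__main__":
    for finding in demo():
        print(finding["status"], finding["file"], finding.get("outside_window", ""))
```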
T1021.004 — Remote Services: SSH (Lateral Movement) [P2]
Deployment of Dropbear SSH on compromised PLCs for persistent access
Splunk SPL:
index=linux sourcetype=linux_secure (process="dropbear" OR process="*/dropbear") | stats count by host, src_ip
Elastic KQL:
process.name:"dropbear" OR process.command_line:"*dropbear*"
Dropbear on industrial controllers is always malicious. Check for listening on port 2222.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| ip | 82.25.35.25 | Handala C2 infrastructure used in Stryker wiper attack |
| ip | 31.57.35.223 | Handala C2 infrastructure used in Stryker wiper attack |
| ip | 107.189.19.52 | Handala C2 infrastructure used in Stryker wiper attack |
| ip | 146.185.219.235 | Handala C2 infrastructure used in Stryker wiper attack |
| url | hxxps://www.shirideitch.com/wp-content/uploads/2022/06/RedAlert.apk | Malicious RedAlert Android app distribution |
| url | hxxps://api.ra-backup.com/analytics/submit.php | Mobile malware C2 endpoint |
| domain | iranforward.org | Cryptocurrency scam site exploiting conflict |
| domain | api.telegram.org | C2 communication endpoint used by MOIS operators |
| domain | handala-hack.to | Handala group claim and propaganda site |
| filename | MicDriver.zip | Screen/audio recording malware package |
| filename | .ACD | Rockwell Automation project files containing ladder logic targeted for manipulation |
IOC Sweep Queries (Splunk):
index=* (src_ip IN ("82.25.35.25","31.57.35.223","107.189.19.52","146.185.219.235") OR dest_ip IN ("82.25.35.25","31.57.35.223","107.189.19.52","146.185.219.235")) | stats count min(_time) as first_seen max(_time) as last_seen by index, sourcetype, src_ip, dest_ip, dest_port
index=proxy (url="*shirideitch.com*" OR url="*RedAlert.apk") | stats count min(_time) as first_seen max(_time) as last_seen by src_ip, user, url, action
index=* (dest="api.ra-backup.com" OR url="*api.ra-backup.com*") | stats count min(_time) as first_seen max(_time) as last_seen by src_ip, dest, url
(index=dns OR index=proxy) (query="iranforward.org" OR dest="iranforward.org" OR url="*iranforward.org*") | stats count min(_time) as first_seen max(_time) as last_seen by src_ip, query, url
index=* dest="api.telegram.org" src_category!="workstation" | stats count sum(bytes_out) as bytes_out min(_time) as first_seen max(_time) as last_seen by src_ip, dest, dest_port
(index=dns OR index=proxy) (query="handala-hack.to" OR dest="handala-hack.to" OR url="*handala-hack.to*") | stats count min(_time) as first_seen max(_time) as last_seen by src_ip, query, url
index=* (filename="MicDriver.zip" OR file="MicDriver.zip" OR TargetFilename="*MicDriver.zip" OR CommandLine="*MicDriver.zip*") | eval filename=coalesce(filename, file, TargetFilename) | stats count min(_time) as first_seen max(_time) as last_seen values(CommandLine) as CommandLine by host, user, filename
index=* (filename="*.ACD" OR file="*.ACD" OR TargetFilename="*.ACD") | eval filename=coalesce(filename, file, TargetFilename) | stats count min(_time) as first_seen max(_time) as last_seen by host, user, action, filename
YARA Rules
MOIS_MicDriver_Recorder — Detects MicDriver screen/audio recording malware used by Iranian MOIS actors
```yara
rule MOIS_MicDriver_Recorder {
    meta:
        author = "RedSheep Security/Stone"
        description = "Iranian MOIS MicDriver screen/audio recording malware"
        reference = "FBI FLASH March 20, 2026"
        date = "2026-04-07"
        hash = "Unknown"
    strings:
        $zip = { 50 4B 03 04 }
        $s1 = "MicDriver" ascii wide
        $s2 = "AudioCapture" ascii wide
        $s3 = "ScreenRecord" ascii wide
        $s4 = "api.telegram.org" ascii wide
        $pdb1 = "MicDriver.pdb" ascii
    condition:
        $zip at 0 and (2 of ($s*) or $pdb1)
}
```
Handala_Wiper_Generic — Generic detection for Handala wiper variants based on destruction patterns
```yara
rule Handala_Wiper_Generic {
    meta:
        author = "RedSheep Security/Stone"
        description = "Generic detection for Handala/Hamsa/Hatef wiper variants"
        reference = "Cyble Handala Hack Team Profile"
        date = "2026-04-07"
    strings:
        $wipe1 = { C7 45 ?? 00 00 00 00 [0-10] E8 ?? ?? ?? ?? [0-5] 83 F8 00 } // Zeroing memory pattern
        $wipe2 = "\\??\\PhysicalDrive" wide
        $wipe3 = "\\??\\C:" wide
        $api1 = "CreateFileW" ascii
        $api2 = "WriteFile" ascii
        $api3 = "SetFilePointer" ascii
        $randbytes = { 41 B8 00 10 00 00 [0-5] E8 ?? ?? ?? ?? } // 4096 byte chunks
    condition:
        uint16(0) == 0x5A4D and
        (2 of ($wipe*) or (all of ($api*) and $randbytes))
}
```
Suricata Rules
SID 1000001 — ET TROJAN Handala C2 Communication to Known Infrastructure
alert tcp $HOME_NET any -> [82.25.35.25,31.57.35.223,107.189.19.52,146.185.219.235] any (msg:"ET TROJAN Handala C2 Communication to Known Infrastructure"; flow:established,to_server; reference:url,socradar.io/blog/cyber-reflections-us-israel-iran-war/; classtype:trojan-activity; sid:1000001; rev:1;)
SID 1000002 — ET EXPLOIT Iranian PLC Attack - Studio 5000 Project File Transfer
alert tcp any any -> $HOME_NET [44818,502,102] (msg:"ET EXPLOIT Iranian PLC Attack - Studio 5000 Project File Transfer"; flow:established,to_server; content:".ACD"; nocase; content:"Logix"; distance:0; within:50; reference:url,www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a; classtype:attempted-admin; sid:1000002; rev:1;)
SID 1000003 — ET MALWARE MOIS Telegram Bot C2 Communication
alert tls $HOME_NET any -> any 443 (msg:"ET MALWARE MOIS Telegram Bot C2 Communication"; tls_sni; content:"api.telegram.org"; flow:established,to_server; reference:url,www.ic3.gov/CSA/2026/260320.pdf; classtype:command-and-control; sid:1000003; rev:1;)
SID 1000004 — ET PHISHING Iranian Conflict-themed Phishing Domain
alert dns $HOME_NET any -> any 53 (msg:"ET PHISHING Iranian Conflict-themed Phishing Domain"; dns_query; content:"iranforward.org"; nocase; reference:url,unit42.paloaltonetworks.com/iranian-cyberattacks-2026/; classtype:social-engineering; sid:1000004; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Microsoft Intune Audit Logs | T1072 | Required for detecting MDM-based wiper attacks. Enable audit logging and forward to SIEM. |
| Azure AD Sign-in Logs | T1072, T1078 | Critical for correlating Intune admin actions with authentication events. |
| Rockwell FactoryTalk Logs | T0883, T1565.002 | Essential for PLC project file monitoring. Configure syslog forwarding from FactoryTalk. |
| Sysmon | T1036.005, T1485, T1021.004 | Deploy with config covering process creation, network connections, and file events. |
| DNS Logs | T1071.001 | Required for Telegram C2 detection. Enable DNS query logging on all resolvers. |
| Firewall/ICS Network Logs | T0883 | Monitor all traffic to/from OT networks, especially internet-bound connections. |