
Iranian Cyber Threats Escalate: New Campaigns Targeting Water, Energy, and Enterprise Infrastructure


The Threat Has Grown — Here’s What Changed

In March 2026, we published a threat advisory covering emerging cyber activity linked to Iranian state-sponsored threat actors. At the time, activity levels were moderate. That has changed.

Between March 16 and April 16, 2026, six U.S. federal agencies issued a joint advisory, the FBI published a new FLASH bulletin, and multiple cybersecurity research firms documented fresh campaigns tied to Iranian threat groups. The actors involved are not fringe collectives — they represent some of Iran’s most capable and persistent cyber units, including cyber operations linked to the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS).

For government agencies and educational institutions, these developments represent a direct and credible threat. Here is what you need to know.

Four Major Campaigns That Defined the Past 30 Days

1. CyberAv3ngers Target U.S. Water and Energy Infrastructure

On April 7, 2026, six U.S. agencies — the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber National Mission Force — issued a joint advisory documenting attacks by CyberAv3ngers, an IRGC-affiliated group, against U.S. critical infrastructure.

The campaign exploited internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs) at water treatment and energy facilities. Subsequent research by Censys expanded the known attacker infrastructure, identifying a broader cluster of operator workstations not included in the original advisory.

This is a significant development. Attacks on industrial control systems (ICS) and SCADA environments represent a different category of threat than data theft or ransomware — one with direct implications for public safety.

2. Handala Wiper Attack Destroys 200,000 Devices Across 79 Countries

In one of the most destructive cyberattacks of 2026 to date, the Iran-linked threat actor Handala — attributed to a group known as Void Manticore operating under MOIS — executed a large-scale wiper attack against Stryker Corporation.

Approximately 200,000 devices across 79 countries were wiped using compromised Microsoft Intune credentials. Unlike ransomware, wiper malware does not encrypt data for a ransom payment — it destroys it. There is no recovery key. The goal is disruption and damage.

Check Point Research published detailed indicators of compromise on March 12, 2026. The attack underscores a growing trend: Iranian threat actors are no longer solely focused on espionage. Destructive operations are increasingly part of their playbook.

For any organization heavily reliant on Microsoft Intune for device management — including many school districts, universities, and government agencies — this campaign is a direct warning about the consequences of compromised identity credentials reaching device management platforms.

3. FBI Documents MOIS Telegram Campaign Against Dissidents and Journalists

On March 20, 2026, the FBI published FLASH bulletin FLASH-20260320-001, documenting a parallel MOIS campaign that used Telegram as command-and-control (C2) infrastructure.

The campaign distributed masquerading malware — malicious software disguised as legitimate applications including KeePass, Telegram, WhatsApp, and Pictory — primarily targeting dissidents and journalists worldwide. The FBI published twelve MD5 file hashes covering both stage-one and stage-two implants used in the campaign.

While the primary targets in this campaign were individuals rather than organizations, the infrastructure and malware tradecraft documented in the FLASH bulletin have broader implications. Malware distributed through trusted application impersonation is a technique that translates easily to enterprise targeting.

4. APT34 and MuddyWater Expand Infrastructure

Researchers at Hunt.io and Unit 42 (Palo Alto Networks) published new findings on infrastructure associated with two of Iran’s most well-known advanced persistent threat (APT) groups: APT34 (also known as OilRig) and MuddyWater.

APT34’s Dark Scepter cluster was identified with new command-and-control domains, while MuddyWater’s open directory servers revealed fresh IP infrastructure. Both groups have historically targeted government, defense, financial, and energy sector organizations. Their continued infrastructure expansion in this period is consistent with preparation for future operations.

What This Means for Government Agencies and Educational Institutions

These campaigns collectively illustrate a threat actor ecosystem that is diverse, adaptive, and operating across multiple fronts simultaneously. The implications for public sector and higher education security teams are significant.

Organizations leveraging Microsoft Intune and Entra ID need to understand that compromised credentials in a modern managed device environment can result in catastrophic, irreversible data loss. Identity security and device management security are inseparable.

Universities and research institutions should be aware that APT34 and MuddyWater have a documented history of targeting academic environments for intellectual property and research data. The new infrastructure identified in April 2026 suggests these groups are actively preparing for continued operations.

Any organization handling sensitive data needs to account for the social engineering and phishing techniques used to distribute malware in the Telegram C2 campaign. Impersonating widely trusted applications is a low-cost, high-return tactic that works across industries.

The Cumulative Picture: 38 New Indicators of Compromise

Across the four campaigns described above, security researchers and government agencies have documented 38 new indicators of compromise, spanning IPv4 addresses, domain names, and MD5 file hashes. These are in addition to the 46 indicators published in our March 2026 bulletin.

This cumulative IOC set covers threat activity linked to:

  • CyberAv3ngers (IRGC-affiliated)
  • Handala / Void Manticore (MOIS-attributed)
  • APT34 / OilRig — Dark Scepter cluster
  • MuddyWater

Possible target environments include Microsoft 365, Microsoft Entra ID, Microsoft Intune, Active Directory, ICS/SCADA systems (specifically Rockwell Automation PLCs), and all endpoints.

This IOC data is available exclusively to Guardian 365 customers. If you are an existing Guardian 365 customer, contact your Customer Success Account Manager (CSAM) for the full IOC listing and deployment details. If your organization is not yet a Guardian 365 customer and you would like access to this intelligence as part of a managed security engagement, contact our team to get started.

How Guardian 365 Is Responding

Guardian 365 customers enrolled in the IOC Feed are receiving automatic blocking rule deployments for all new indicators identified in this update. Deployments are executed through Guardian 365’s configuration management and SOAR platforms on a rolling basis, and enrolled customers receive a deployment notification ticket within two hours of initial deployment.

No manual action is required for enrolled customers. Protections are applied proactively and continuously monitored by our 24x7x365 Security Operations Center.

This is what operationalized threat intelligence looks like — verified indicators, automated enforcement, and continuous monitoring working together to close the gap between emerging threat and effective defense.
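As an added illustration of the indicator types this update describes (IPv4 addresses, domain names, MD5 hashes) and of the automated blocking outlined above, here is a small Python example that is not Guardian 365 code and does not reflect its feed format: it normalises a constructed feed (defanged and mixed-case entries are common in published indicator lists, and a naive string match misses them) and matches it against constructed log lines. Every indicator value, hostname and log line is made up for the example.

```python
import re
# Constructed sample feed (not the Guardian 365 listing): a defanged IPv4, a defanged URL-wrapped domain, an upper-case MD5.
SAMPLE_FEED = ["203[.]0[.]113[.]10", "hxxp://c2.example[.]invalid/",
               "0123456789ABCDEF0123456789ABCDEF"]
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_MD5 = re.compile(r"^[0-9a-f]{32}$")
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z][a-z0-9-]*$")  # TLD must start with a letter
_TOKEN = re.compile(r"[A-Za-z0-9.\-\[\]]+")  # candidate values inside a log line

def refang(value: str) -> str:
    """Undo defanging, drop any scheme/path, lower-case, strip a trailing dot."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^(?:hxxps?|https?)://", "", v).split("/", 1)[0]
    return v.rstrip(".")

def classify(value: str) -> str:
    # Order matters: a dotted IPv4 would otherwise also satisfy the domain pattern.
    if _IPV4.match(value) and all(int(o) <= 255 for o in value.split(".")):
        return "ipv4"
    if _MD5.match(value):
        return "md5"
    if _DOMAIN.match(value):
        return "domain"
    return "unknown"

def load_feed(lines) -> dict:
    """Bucket feed entries by type; blanks and unparseable entries are skipped, not guessed."""
    buckets = {"ipv4": set(), "md5": set(), "domain": set()}
    for line in lines:
        v = refang(line)
        if (kind := classify(v)) != "unknown":
            buckets[kind].add(v)
    return buckets

def match_logs(buckets: dict, lines) -> list:
    """Return (line_no, kind, indicator) for every feed indicator seen in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in _TOKEN.findall(line):
            v = refang(tok)
            if (kind := classify(v)) != "unknown" and v in buckets[kind]:
                hits.append((n, kind, v))
    return hits

# Constructed log lines (firewall, DNS, EDR); the last one is a clean control.
SAMPLE_LOGS = ["fw dst=203.0.113.10 dport=443 action=allow",
               "dns query=c2.example.invalid. type=A",
               "edr file=keepass-setup.exe md5=0123456789abcdef0123456789abcdef",
               "fw dst=198.51.100.7 dport=80 action=allow"]
```

Running `match_logs(load_feed(SAMPLE_FEED), SAMPLE_LOGS)` flags the first three lines and leaves the control line alone; the same normalisation step is what lets a blocking rule built from a defanged feed actually fire.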

Is Your Organization Protected?

The pace of cyber activity in 2026 makes one thing clear: reactive security postures are not sufficient. By the time an organization detects and responds to an attack using traditional methods, the damage — whether data theft, operational disruption, or device destruction — has often already been done.

Guardian 365 provides government agencies and educational institutions with the continuous monitoring, threat intelligence, and automated response capabilities needed to stay ahead of threats like these.

Start with a free security assessment. Our team will evaluate your current environment against the highest-impact and most common attack patterns, including those described in this post, and provide a clear, actionable picture of where your risks are highest along with a mitigation framework to use in improving your security posture.
