“…domain uses an unconventional gambling top-level domain (TLD), suggesting difficulty in registering a traditional country code TLD (ccTLD). Another domain directly exposes a payment form via the /payment-form/ path. Iran targeting: We identified a campaign misusing the n…”
T1583.001 Domains (97%)
“…covert infrastructure for espionage. Palo Alto Networks customers can receive protections from and mitigations for relevant threat actor activity through the following products and services: - Next-Generation Firewalls with Advanced Threat Prevention - Advanced URL Filtering a…”
T1583.001 Domains (92%)
“…automation tools and manufacturing operations management software. Our assessment is based on a review of the unique port combinations observed across all of the hosts and their correlation to known static mappings for the FactoryTalk software. - Since April 1, Cortex Xpanse scan…”
T1566.002 Spearphishing Link (91%)
“…second consists of crypto and investment scams using domains branded with the word “Dubai,” which leverage lures related to high-value real estate and luxury lifestyles. Figures 3 and 4 below show examples of scam domains for asset management and banking. Targeted regional en…”
T1584.001 Domains (88%)
“…domain uses an unconventional gambling top-level domain (TLD), suggesting difficulty in registering a traditional country code TLD (ccTLD). Another domain directly exposes a payment form via the /payment-form/ path. Iran targeting: We identified a campaign misusing the n…”
T1657 Financial Theft (78%)
“…threat actors to the appendix. Update March 26, 2026: Unit 42 conducted an in-depth investigation into conflict-themed phishing lures, identifying 7,381 related phishing URLs spanning 1,881 unique hostnames. Recent threat activity demonstrates a widespread wave of financial f…”
T1566.002 Spearphishing Link (67%)
“…ain chaining to deceive victims (Figure 5 shows an example of this type of scheme). Opportunistic criminal credit card theft: Attackers are luring users to fraudulent payment pages that mimic legitimate package delivery services to steal credit card credentials. These malicious…”
T1498 Network Denial of Service (65%)
“…including an Israeli bank in DDoS attacks - The FAD Team (often referred to in reports as the Fatimiyoun Cyber Team or Fatimion) is composed of pro-regime actors who focus on wiper malware and permanent data destruction - Claimed responsibility via their public Telegram board…”
T1584.001 Domains (62%)
“…significance. Other nation-state-aligned threat actors may attempt to exploit the situation to activate cyberattacks to further their own interests. Geographically dispersed operators and affiliated cyber proxies may also target governments in regions hosting U.S. military b…”
T1583.001 Domains (57%)
“Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17). Updates. Update April 17, 2026: As of April 17, 2026, Iran has begun restoring limited access to the internet after disconnecting from it for the past 47 days. Iran is limiting domestic access to only webs…”
T1498.001 Direct Network Flood (54%)
“…including an Israeli bank in DDoS attacks - The FAD Team (often referred to in reports as the Fatimiyoun Cyber Team or Fatimion) is composed of pro-regime actors who focus on wiper malware and permanent data destruction - Claimed responsibility via their public Telegram board…”
T1498 Network Denial of Service (53%)
“…significance. Other nation-state-aligned threat actors may attempt to exploit the situation to activate cyberattacks to further their own interests. Geographically dispersed operators and affiliated cyber proxies may also target governments in regions hosting U.S. military b…”
T1584.004 Server (48%)
“…March 2026. Executive summary: On Feb. 28, 2026, the United States and Israel launched a significant joint offensive code named Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel). In the hours following the initial strikes, Iran began a multi-vector retaliatory …”
T1584.001 Domains (43%)
“…ain chaining to deceive victims (Figure 5 shows an example of this type of scheme). Opportunistic criminal credit card theft: Attackers are luring users to fraudulent payment pages that mimic legitimate package delivery services to steal credit card credentials. These malicious…”
T1583.001 Domains (38%)
“…register a new, incremented domain whenever the previous one is blocked. The attack flow involves a malicious JavaScript that redirects victims to a file-hosting page, which then delivers the StealC payload within a password-protected ZIP archive. Additional examples of these…”
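The snippet above describes an operator who registers a new, incremented domain each time the previous one is blocked. A defender holding a list of observed hostnames (passive DNS, proxy logs, newly registered domain feeds) can surface that pattern by grouping hostnames whose registrable label is the same alphabetic stem followed by a number, and keeping groups whose numbers form a near-consecutive run. The block below is an added example written for this page; it is not code from the Unit 42 brief or from Palo Alto Networks. All hostnames in it are constructed under the reserved `.example` TLD and are not indicators from the report, and the "registrable domain is the last two labels" rule is a stated simplification (real data needs a public suffix list).

```python
"""Flag "incremented" domain families in a list of observed hostnames.

Added example, not code from the Unit 42 brief. Sample hostnames below are
constructed for illustration and are not indicators from the report.
"""
import re
from collections import defaultdict

# A label shaped like <alphabetic stem><1-4 digits>, e.g. "trackparcel07".
_LABEL_RE = re.compile(r"^(?P<stem>[a-z][a-z-]*?)(?P<num>\d{1,4})$")


def split_domain(hostname):
    """Return (stem, number, suffix) for the registrable label of hostname,
    or None when that label has no numeric suffix.

    Assumption (simplification for this example): the registrable domain is
    the last two labels. Multi-label public suffixes such as co.uk would need
    a public suffix list to be handled correctly.
    """
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    label, suffix = labels[-2], labels[-1]
    m = _LABEL_RE.match(label)
    if not m:
        return None
    return m.group("stem"), int(m.group("num")), suffix


def find_incremented_families(hostnames, min_members=3, max_gap=2):
    """Group hostnames by (stem, suffix); keep groups with at least
    min_members distinct numbers where consecutive numbers differ by at most
    max_gap (a blocked domain replaced by the next number, with a few skips).
    Returns {"<stem>.<suffix>": [numbers in ascending order]}.
    """
    groups = defaultdict(set)
    for h in hostnames:
        parts = split_domain(h)
        if parts:
            stem, num, suffix = parts
            groups[(stem, suffix)].add(num)
    families = {}
    for (stem, suffix), nums in groups.items():
        ordered = sorted(nums)
        if len(ordered) < min_members:
            continue
        if all(b - a <= max_gap for a, b in zip(ordered, ordered[1:])):
            families[f"{stem}.{suffix}"] = ordered
    return families


def next_expected(family_numbers):
    """Number the operator is most likely to register next (highest seen + 1),
    useful as a candidate for proactive blocking or monitoring."""
    return max(family_numbers) + 1


# Constructed sample input: one incrementing family (01, 02, 03, 05), one
# group whose numbers jump too far to count as increments, and unrelated noise.
SAMPLE_HOSTNAMES = [
    "trackparcel01.example",
    "trackparcel02.example",
    "www.trackparcel03.example",
    "trackparcel05.example",
    "dubaiinvest1.example",
    "dubaiinvest9.example",
    "dubaiinvest10.example",
    "mail.corp.example",
    "cdn2.example",
]

if __name__ == "__main__":
    for family, nums in find_incremented_families(SAMPLE_HOSTNAMES).items():
        print(family, nums, "next expected:", next_expected(nums))
```

The `max_gap` and `min_members` thresholds are tuning knobs: a tighter gap catches only strictly sequential registrations, while a looser one also admits legitimate numbered hosts (cdn1, cdn2, …) and needs a whitelist of known-good stems.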
T1583.006 Web Services (35%)
“…aligned personas and collectives have claimed responsibility for a range of disruptive operations, several of which are associated with the recently established “Electronic Operations Room” formed on Feb. 28, 2026. Key observed entities include: - Handala Hack, a hacktivist pe…”
T1586.002 Email Accounts (33%)
“…register a new, incremented domain whenever the previous one is blocked. The attack flow involves a malicious JavaScript that redirects victims to a file-hosting page, which then delivers the StealC payload within a password-protected ZIP archive. Additional examples of these…”
T1018 Remote System Discovery (32%)
“…visibility to all asset behaviors. The solution can help identify assets using any FactoryTalk App-ID. Additionally, alerts and risks can be used to trigger orchestration via SOAR/SIEM solutions to quarantine or isolation actions via NGFW and integrated network access control…”
T1684.001 Impersonation (32%)
“…second consists of crypto and investment scams using domains branded with the word “Dubai,” which leverage lures related to high-value real estate and luxury lifestyles. Figures 3 and 4 below show examples of scam domains for asset management and banking. Targeted regional en…”
Summary
Unit 42 details recent Iranian cyberattack activity, sharing direct observations of phishing, hacktivist activity and cybercrime. We include recommendations for defenders.