Figure 14: Certificate Transparency - globalconference-hub.com conference phishing cluster

• IAEA confirmed Iran's 60% enriched uranium stockpile at 412 kg - sufficient for 3–4 nuclear devices - Iran subsequently expelled inspectors on Feb 10 [35]
• Iran internet connectivity collapsed to 1–4% during Operation Epic Fury, per NetBlocks real-time monitoring - 216-hour continuous blackout documented [36]
• HRANA confirmed 2,000+ civilian deaths by January 7, 2026; January 8–9 crackdown estimated 30,000–36,500 killed - deadliest in Islamic Republic history [37]
   

1.2 Threat Actor Matrix

Note: Political/military events in this section are based on open-source news reporting and official statements. Cyber events are linked to named threat actors with associated IOCs. Each reference tag indicates the source for the preceding claim.

2.1 Phase 1 - Economic Collapse & Uprising (Dec 28, 2025 – Jan 31, 2026)
 

December 28, 2025 - Iranian Uprising Erupts

POLITICAL: Catastrophic economic collapse triggers mass protests across all 31 Iranian provinces. Rial at all-time low; 16+ hour daily power cuts; fuel rationing. Chants of 'Death to Khamenei' in Tehran, Isfahan, Mashhad, Tabriz, Shiraz. Millions in streets within 72 hours. IRGC and Basij deployed immediately; live fire from Day 1.

Late December 2025 - Iranian APT Cyber Response

CYBER: Cotton Sandstorm / Emennet Pasargad (IRGC) begins amplification of anti-protest narratives across Arabic-language social media. APT42 (IRGC-IO) targets diaspora journalists and opposition figures. [48]

MuddyWater (MOIS) activates surveillance infrastructure; BugSleep/MuddyRot deployed against civil society groups. [19,47]

January 7, 2026 - Confirmed Death Toll

POLITICAL: Workers' strikes spread: oil refinery workers, teachers, truckers. Jan 3: IRGC announces shoot-to-kill orders. Jan 5: Evin Prison protesters break out. Jan 7: confirmed death toll surpasses 2,000 civilians. [37]

January 8–9, 2026 - THE MASSACRE

January 10–31, 2026 - International Response & Cyber Escalation

• Jan 15: MuddyWater DinDoor backdoors detected in Israeli defence-sector targets (Symantec/Carbon Black) [28]
• Jan 20: IRGC places ballistic missile units on highest alert [38]
• Jan 28: US deploys USS Harry S. Truman CSG - joins USS Gerald R. Ford in Gulf
• APT42 compromises US State Dept email server (disclosed Feb 14 by CISA) [23,48]
• Scarred Manticore / UNC1860 achieves persistent access in 3 Middle East government networks - handoff to MuddyWater confirmed
• Cotton Sandstorm: 400M+ social media impressions amplifying anti-US sentiment

2.2 Phase 2 - Pre-War Escalation (February 1–27, 2026)
 

February 7, 2026 - Nuclear Enrichment Status

• IAEA reports 60% enriched uranium stockpile at 412 kg - sufficient for 3–4 nuclear devices [35]
• Feb 10: Iran expels IAEA inspectors from Fordow and Isfahan; terminates NPT safeguards [35]
• Feb 14: CISA publicly attributes APT42 breach of US State Dept [23]

February 15–27, 2026 - MuddyWater Pre-Positioning
 

Targets (not independently verified - sourced from Check Point Research disclosure): [25]

• US major bank (unnamed; East Coast; SWIFT-connected) [25,28]
• US international airport (unnamed; 3 terminals) [25,28]
• Canadian nonprofit (critical infrastructure adjacent) [25,28]
• Israeli branch of US defence/aerospace software company [25,28]
• Malware: DinDoor (Deno JS runtime) + Fakeset backdoor; C2: WebSocket/HTTPS → 185.236.25.119 (SELF-VERIFIED live) [3,10,25]
• Certificates: Self-signed 'Amy Cherne' / 'Donald Gay' - confirmed in Check Point malware analysis [25]
• Kill switch: Awaiting activation via Ethereum contract 0x2B77671c - SELF-VERIFIED on Etherscan [16]

February 20–27, 2026 - Infrastructure Provisioning

• Feb 20: Hosterdaddy /26 subnet (194.11.246.64/26) fully operational - 64 nodes, all running dnsmasq 2.85 (MuddyWater fingerprint) - confirmed by ESET [1,24,40]
• Feb 22: Ethereum contract 0x2B77671c - final setString() transaction updating C2 WebSocket URL - SELF-VERIFIED on Etherscan [16]
• Feb 25: OilRig (APT34) activates QUADAGENT targeting Israeli energy infrastructure [49]
• Feb 27: IRGC Aerospace Force places ballistic missile units on 'Launch-Ready Alert' - confirmed via Planet Labs satellite imagery [38]

2.3 Phase 3 - Operation Epic Fury / Operation Roaring Lion (February 28, 2026)

2.4 Phase 4 - Post-Killing War (March 1–17, 2026 - Ongoing)
 

March 2, 2026 - Operation Olalampo

March 11, 2026 - THE STRYKER ATTACK
 

March 12–17, 2026 - Ongoing Conflict

• Mar 13: New DinDoor variant targeting US networks confirmed by Check Point Research [25]
• Mar 14: Iran death toll ~1,444 (HRANA) [37]
• Mar 16: Tsundere C2 panel CONFIRMED LIVE - nmap + curl + Shodan validation - SELF-VERIFIED [3,10,15]

3.1 MuddyWater (MOIS) - CRITICAL

Aliases: Mango Sandstorm · Static Kitten · MERCURY · TA450 · Earth Vetala · Seedworm | Sponsor: MOIS | MITRE: G0069 [47]

CISA Advisories: AA22-055A (Feb 2022) and AA24-060A (Feb 2024, updated) - both confirm ScreenConnect RMM abuse and FortiOS exploitation. [19,21]

Active C2 Infrastructure

Figure 15: Shodan host - Tsundere Netto v2.4.4 C2 panel at 185.236.25.119

Figure 16: Shodan host profile - 185.236.25.119 (JaJoJoo LLC) showing exposed services

Figure 17: Shodan - Full service enumeration of Tsundere C2 host 185.236.25.119

Figure 18: Shodan search for "Tsundere Netto" - UNIQUE worldwide result

Figure 19a: OTX - MuddyWater primary C2 209.74.87.100 (8 pulses, muddywater/iran/mois)

Figure 19b: OTX - MuddyWater C2 194.11.246.78 (12 pulses, 73 tags, PDNS: vwafair.com)

Ethereum Blockchain C2 (Novel Technique - T1102)

SELF-VERIFIED on Etherscan blockchain explorer. These contracts store C2 IP addresses immutably - cannot be seized or removed by any authority. [16,17,18,26,50]

Figure 20: Etherscan - MuddyWater C2 contract 0x2B77671c with setString() C2 rotation transactions

CVEs Exploited

3.2 Void Manticore / Handala Hack (MOIS) - CRITICAL

Aliases: Storm-1084 · Storm-0842 · BANISHED KITTEN · Homeland Justice | Sponsor: MOIS - Counter-Terrorism Division

The March 11, 2026 Stryker attack - wiping 200,000+ systems via Microsoft Intune MDM in 79 countries - is confirmed by 5 independent media sources and Stryker's own SEC 8-K filing. [29,30,31,32,33,34]

Active Infrastructure (Void Manticore)

3.3 CyberAv3ngers (IRGC-CEC) - CRITICAL

Aliases: DEV-0198 | Sponsor: IRGC Cyber Electronic Command | CISA: AA23-335A | US Bounty: $10M (Rewards for Justice) [20,39]

IOCONTROL malware represents the 10th known ICS-specific malware family in history. The $10M Rewards for Justice bounty was announced in December 2023 for information on CyberAv3ngers operators. [20,39]

3.4 APT42 / Charming Kitten (IRGC-IO) - HIGH

Aliases: Mint Sandstorm | Sponsor: IRGC Intelligence Organization | MITRE: G1044 [48]

APT42 academic phishing cluster identified through Certificate Transparency logs (crt.sh). Confidence: MEDIUM - domain naming matches documented APT42 TTPs per Mandiant and Group-IB, but no independent active compromise confirmation. [42,43]

Figure 21: CT logs - APT42 academic phishing infrastructure: researchsummitonline.com