LockBit Won't Die: 207 Victims in 2026 and What Ransomware Resilience Actually Looks Like

Despite one of the most aggressive law enforcement operations in ransomware history, LockBit has claimed 207 victims in 2026. Winona County got hit twice in three months. The RaaS model is more durable than takedowns.

The Week the Clock Ran Out

Defenders got squeezed this week. AI sped up vuln discovery, OT attacks stayed active, and trusted update channels turned into incident response events.

Russian Satellites. Iranian Missiles. A U.S. AWACS. Three Sources Now Document the Same Kill Chain.

A Russian satellite imaged Prince Sultan Air Base before the March 27 strike. Iran hit a U.S. E-3 Sentry AWACS. A Russian satellite returned the next day for damage assessment. A Ukrainian intelligence assessment, a Western military source, and a U.S. orbital analytics firm all now document pieces of that sequence.

Iran Cut Off 90 Million People From the Internet. Its Own Spies Kept Working.

Iran's internet blackout hit 1,055 hours, the second-longest national shutdown on record. The detail that makes this a security story: Iranian intelligence services ran active cyber operations throughout, using foreign-hosted infrastructure the blackout doesn't touch.

Six Federal Agencies Just Told You to Disconnect Your PLCs. Here's What Forced Their Hand.

FBI, CISA, NSA, EPA, DOE, and Cyber Command co-signed a single advisory on Iranian hackers disrupting PLCs at U.S. water, energy, and government facilities. This isn't theoretical.

Stryker Recovered from an Iranian Wiper Attack. It Took Three Weeks and 80,000 Devices.

Iran's Handala group wiped 80,000 devices across Stryker's global network. Maryland EMS lost digital ECG transmission. The DOJ confirmed Iran's government runs Handala.

The Week Toolchain Trust Collapsed, Again

TeamPCP kept hitting developer tooling. AI attack surfaces went from theoretical to exploited. Attackers logged in instead of breaking in. And Iran went after the FBI director's personal inbox.

Your Security Camera Is Probably Someone Else's Window Into the War

Nation-states are routinely hacking unpatched IP cameras to gather physical intelligence during active conflicts, and the cameras being targeted are the cheap, forgotten ones in your building's lobby.

Iran Is Running Every Cyberattack at Once

Iran isn't running a cyber campaign right now. It's running all of them simultaneously, and Unit 42's latest brief documents exactly that.

From Wiping 80,000 Devices to Hacking the FBI Director: Handala's March

Iran-linked Handala publicly warned they were coming for the FBI. Kash Patel said nothing. The next morning, his cigar photos were on the internet.

CanisterWorm: TeamPCP Hides Its C2 on a Blockchain You Can't Take Down

TeamPCP's new wiper, CanisterWorm, uses an ICP blockchain canister as its C2 resolver -- no domain to seize, no server to kill. And it now runs on any system, not just Kubernetes.

Stryker Finds a Malicious File in Its Systems. Production Is Coming Back Online.

Stryker's forensic investigation with Palo Alto Networks Unit 42 found a malicious file used to run commands and conceal activity, a separate finding from the initial Handala attack. Production recovery is underway.

Someone Is Broadcasting a Numbers Station Through the Iran War

Since US and Israeli strikes on Iran began on February 28, a shortwave numbers station at 7910 kHz has been broadcasting in Farsi twice daily. Signal analysis points toward Ramstein Air Base.

The Week the Infrastructure Fought Back (and Lost)

The week of March 16-22 hit management planes, identity infrastructure, and security tooling itself -- and North Korea kept hiring.

You Can't Seize the Internet: Iran's Handala Hackers Were Back Online Hours After the FBI Acted

The DOJ seized four Handala domains. Iran's MOIS-backed hackers had new infrastructure up within hours, called the action 'trivial,' and kept operating. That tells you everything about the limits of domain seizures as deterrence.

Handala, Publicly Attributed: What the FBI Seizure Changes About Iran Cyber Signaling

The FBI seized Handala's sites and released a 40-page warrant formally linking the group to Iran's intelligence ministry. Attribution just moved from analyst opinion to federal court filing.

Iran Didn't Need Malware to Cripple Stryker. They Just Used Microsoft Intune.

The Handala group wiped tens of thousands of Stryker devices using the company's own MDM platform. No malware. No exploit. Just admin access and the willingness to press the button.

Iran's Digital Battlefield: GPS Jamming, Hijacked Cameras, Internet Kill Switch, and AI Disinfo

The Iran conflict isn't just missiles and headlines. It's GPS spoofing that breaks delivery apps, hijacked security cameras used for pre-strike surveillance, a near-total internet blackout for 87 million people, and AI-generated war propaganda flooding social media.

Hackers Used Stryker's Own IT Tool to Nuke Its Entire Device Fleet

An Iranian-linked group called Handala reportedly hijacked Microsoft Intune and wiped Stryker's devices at scale. The tool designed to secure their fleet became the weapon that destroyed it.

Iran Hit a Medical Device Giant, a NATO Parliament, and Your Instagram Feed on the Same Day

March 11 wasn't three separate cyberattacks. It was one coordinated Iranian campaign across three fronts: a wiper on Stryker, a breach of Albania's parliament, and an influence op on Instagram. All in 24 hours.

The War Near Iran Is Breaking Your Apps: GPS Jamming, Cyber Escalation, and Civilian Collateral

GPS jamming near Iran is wrecking delivery and navigation apps across the region. Unit 42 warns of escalating Iranian cyber risk. Modern conflict has a civilian tech blast radius.
