The escalation of geopolitical tensions specifically focused on the Iranian Conflict over the last days of February 2026 has intensified the significant cyber and physical security risks to organizations globally. 

With threat activity emanating from advanced Iranian state-sponsored actors, aligned hacktivist collectives, and opportunistic criminal groups, security teams must remain agile, informed, and proactive. 

The Iranian Conflict Intelligence Dashboard has been updated to equip defenders with timely, high-fidelity intelligence that specifically reflects the dynamic threat environment shaped by this high-profile regional conflict with a heightened focus on Iran-linked activity.

Key Threat Actor Groups & Campaign Themes Tracked Include:

• IRGC-affiliated Cyber Units (e.g., APT33, APT34, APT39, APT42): Tracking activity from primary state-sponsored groups.
• Proxies and Ideological Hacktivist Actors: Monitoring activity from groups like CyberAv3ngers, APT IRAN, Handala Hack, Lulzsec, Dark Storm Team, GhostSec, Cyber Islamic Resistance, and others aligned with Iranian strategic interests.
• Coordinated Influence and Disinformation Campaigns.
• OT and Critical Infrastructure Targeting Efforts, particularly those targeting Israeli and Western assets.

Rather than tracking isolated threats, the –Iranian Conflict Intelligence Dashboard dashboard provides strategic context and operational detail across the broader cyber conflict spectrum, enabling faster detection, response, and mitigation.

Key Benefits:

• Conflict-Centric Intelligence Aggregation – Centralized indicators of compromise (IOCs), TTPs, and threat insights related to Iranian-linked campaigns, sourced from open source intelligence (OSINT), premium threat feeds, and internal telemetry.
• Live Threat Environment Tracking – Monitors shifts in activity across major adversary groups, cyber incidents, defacements, DDoS campaigns, and geopolitical events fueling escalation.
• Accelerated Incident Response – Enriched and correlated intelligence to support triage, prioritization, and response activities during periods of elevated tension or retaliatory operations.
• Custom Visualization & Analysis – Interactive dashboards featuring timeline analysis, actor overlap matrices, infrastructure clustering, and geographic threat origination maps.
• ThreatConnect Automation Integration – Seamless correlation with existing ThreatConnect adversary profiles, intrusion sets, and signature-based alerts to identify high-risk overlaps with organizational environments.

Leveraging this dashboard allows security teams to anticipate conflict-related threats, understand attacker motivations, and tailor defenses to emerging risks as the Iranian cyber conflict evolves.

Specific Intelligence Focus: Iranian Malware List

• APT42: tamecat, tabbycat, vbrevshell, powerpost, brokeyolk, chairsmack, asyncrat
• APT34: powbat, powruner, bondupdater
• APT33: shapeshift, dropshot, turnedup, nanocore, netwire, alfa shell
• Other Related Malware: Gh0st Rat, quasarrat, amadey, bittersweet, cointoss, lateop

Specific Intelligence Focus: Iranian ICS Targets

ICS Systems Likely to be targeted by Iranian threat actors (based on analysis like the Censys report):

• “Unitronics” or (“Vision” AND (PLC OR HMI))
• “Tridium” or “Niagara”
• “Orpak” or “SiteOmat”
• “red lion”

Dashboard Components Include:

1. Indicators linked to state-sponsored and proxy cyber operations.
2. Threat groups aligned to Iranian strategic cyber interests.
3. Reports and advisories referencing the conflict, regional escalations, or actor-attributed activity.
4. Campaign tracking with attribution timelines, victimology insights, and strategic objectives.
5. MITRE ATT&CK techniques used by affiliated groups, mapped to known incidents.
6. Keyword and tag intelligence trends across conflict-related reporting.
7. Infrastructure associations (e.g., shared IPs, domains, malware hashes).
8. Actor and alias mapping, including cross-reference to public and private sector intelligence.
9. Vulnerabilities linked to recent Iran intelligence activity.

Screen Capture of Iranian Conflict Intelligence Dashboard

Lead Contributor – Adrian Dela Cruz , Customer Success Engineer

To gain access to the Iranian Conflict Intelligence Dashboard, please reach out to your Customer Success team or reach out to us through our contact form.

The dashboard is also available here, and can be added manually to your ThreatConnect instance.

The post Iranian Conflict Intelligence Dashboard Immediately Available for ThreatConnect appeared first on ThreatConnect.

Mustang Panda—also known in industry and government reporting as BASIN, BRONZE PRESIDENT, CAMARO DRAGON, EARTH PRETA, FIREANT, G0129, HIVE015, HoneyMyte, LUMINOUS MOTH, Polaris, RedDelta, STATELY TAURUS, TA416, TANTALUM, TEMP.HEX, TWILL TYPHOON, or UNC6384—is a highly active, state-sponsored Chinese cyber-espionage group assessed to operate under the People’s Republic of China (PRC). Active for over a decade, the group is distinguished by its high operational tempo and “volume over stealth” approach to espionage.

Mustang Panda has consistently targeted entities that intersect with Beijing’s geopolitical priorities, particularly government and diplomatic institutions, maritime logistics organizations, and religious institutions. Their campaigns demonstrate a persistent focus on intelligence collection related to foreign policy, trade routes, and sensitive diplomatic engagements.

Multiple cybersecurity vendors and government agencies assess with high confidence that Mustang Panda operates in alignment with PRC strategic objectives, based on victimology patterns, infrastructure choices, and activity timing that aligns with Chinese working hours (UTC+8).

The new Mustang Panda Dashboard in ThreatConnect offers security teams centralized visibility into this highly active and adaptable adversary.

Key Benefits:

• Centralized Intelligence: Aggregates Mustang Panda-related IOCs, TTPs, malware families, and campaign telemetry from open sources, commercial feeds, and internal data.
• Continuous Threat Tracking: Monitors real-time updates on actor infrastructure, targeting patterns, and evolving tradecraft.
• Accelerated Incident Response: Provides enriched, contextual intelligence to reduce detection-to-response timelines.
• Visual Reporting & Executive Insights: Interactive charts, timelines, and executive-ready dashboards support risk prioritization and communication.
• Automated Correlation: Leverages ThreatConnect’s automation engine to map Mustang Panda indicators across intrusion sets, malware families, and victim profiles.

Mustang Panda’s consistent targeting of government, diplomatic, and maritime entities underscores the ongoing risk to sensitive political and economic interests worldwide. 

The Mustang Panda Dashboard equips defenders with the ability to visualize campaigns, correlate activity, and act decisively—directly within the ThreatConnect platform.

Note: To maximize the value of this dashboard, organizations may benefit from integration with premium threat intelligence sources such as Dataminr, Mandiant, Recorded Future, or CrowdStrike.

Lead Contributor – Travis Meyers, Customer Success Manager

To gain access to the Mustang Panda Dashboard, please connect with your Customer Success team or reach out to us through our contact form.

Further Resources

For more detailed information and resources on Salt Typhoon, please refer to the following:

We urge all organizations to remain vigilant and proactive in their cybersecurity efforts. By implementing these recommendations, you can significantly reduce your risk and protect your critical assets.

Mustang Panda Known Exploited Vulnerabilities

The post Mustang Panda Intelligence Dashboard Immediately Available for ThreatConnect appeared first on ThreatConnect.