Iran-linked wipers/APTs/OT
Key Questions
What activities are associated with Iran-linked threat actors?
Iran-linked groups are conducting cyber espionage through the Kim Wolf botnet and compromised Ghost CMS installations. Handala has targeted Intune, Entra, PLCs, and ABB systems with wiper malware.
Which other APT groups are mentioned in the emerging threats?
North Korea's Lazarus group is active, as is APT28, which is using NTLM-based techniques. Both actors focus on espionage and credential theft.
What defensive priorities are suggested for OT and IT environments?
Air-gapping critical systems, enforcing MDM controls, and maintaining an up-to-date OT asset inventory are the stated priorities. These steps limit the reach of wiper malware and APT campaigns and make affected assets easier to identify.
Summary: Handala wipes of Intune, Entra, PLC, and ABB systems; North Korea's Lazarus; APT28 NTLM techniques; Iran cyber espionage (Kim Wolf botnet, Ghost CMS). Priorities: air gaps, MDM, OT inventory. Status: developing.
Sources (2)
Updated May 26, 2026