Iran Is Fighting Two Wars. We Have the IOCs for Both.
- Patrick Duggan
- Apr 1
- 4 min read
Updated: Apr 25
Tonight at 9 PM Eastern, the President addresses the nation on the Iran war. The Strait of Hormuz is contested. Isfahan steel plants are burning. Oil futures are swinging on every Truth Social post. Iran says the strait is "fully under their control." Trump says it'll be over in two to three weeks.
That's the kinetic war. The other war — the one that hit a $22 billion medical device manufacturer, the FBI Director's personal email, and Lockheed Martin's hiring pipeline — has been running since before the first missile launched.
We've been tracking it since March 6.
The Cyber Front
March 6, 2026: We detect IP hash 39c0f5d74fa212ac — AT&T AS7018, US origin — polling our STIX feed endpoint /api/v1/stix-feed/collections/idkkk/objects/ every 30 seconds. Garbage collection name. 8,342+ requests, all 403'd. Someone is probing our threat intelligence infrastructure before the shooting starts.
March 11, 2026: Handala Hack Team claims a wiper attack on Stryker Corporation. 200,000+ devices wiped across 79 countries via compromised Microsoft Intune administrator credentials. 50 terabytes of data allegedly exfiltrated. The wiper binary is named CrowdStrike.bin — designed to be trusted by endpoint protection.
We find the wiper sample on GitHub that same day. We publish the IOCs. We index the indicators. Our blog post "The Handala Wiper Masquerades as CrowdStrike. We Found It on GitHub" becomes our most-viewed article of all time at 1,817 views and counting.
March 13, 2026: We index 34 Iran-linked IOCs from fresh vendor publications. Seven hunter-identified IPs remain unresolved.
March 20, 2026: The Department of Justice formally attributes Handala to the Iranian Ministry of Intelligence and Security (MOIS). Four Handala domains seized, including handala-hack[.]to. $10 million FBI reward issued for Handala members.
March 27, 2026: Handala breaches FBI Director Kash Patel's personal Gmail account. 300+ emails and photographs published. The same group that wiped 200,000 medical devices is now inside the FBI Director's inbox.
March 31, 2026: Foreign Policy publishes "Iran Flexes Its Cyber Chops" — connecting Handala, Kash Patel, and Lockheed Martin in a single narrative. The cyber front and the kinetic front are the same front.
April 1, 2026: MuddyWater — a separate Iranian APT attributed to MOIS — is targeting US networks with a new backdoor called Dindoor. Operation Olalampo spans the META region. HydraC2 botnets are staging. The pace is accelerating.
What We're Watching
We have 16 adversary domains under daily DNS surveillance. All Handala and MuddyWater infrastructure. When they spin up a new domain, we see the DNS record change. When they point it at new infrastructure, we correlate the IP against our 1,041,253 IOCs.
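One way to implement the daily DNS watch and IOC correlation described above, as an added example that is not DugganUSA's own tooling: it diffs two A-record snapshots of a watchlist and flags any newly observed IP that already appears in an indexed IOC set. The domains, IPs and snapshots are constructed placeholders; a real deployment would fill the snapshots from resolver queries.

```python
# Daily DNS watch with IOC correlation: added example, not DugganUSA's own code.
# Diffs two A-record snapshots for a watchlist of adversary domains and flags
# newly observed IPs that already sit in an indexed IOC set. All data below
# (domains, IPs, snapshots) is constructed, not real indicators.
from dataclasses import dataclass

IOC_IPS = {"203.0.113.7", "198.51.100.42"}   # constructed stand-in for the feed

# Snapshots keyed by watched domain -> set of A records (empty = no answer).
YESTERDAY = {
    "watched-a.invalid": {"192.0.2.10"},
    "watched-b.invalid": set(),              # not resolving yesterday
    "watched-c.invalid": {"192.0.2.30"},
}
TODAY = {
    "watched-a.invalid": {"203.0.113.7"},    # re-pointed at an indexed IP
    "watched-b.invalid": {"198.51.100.42"},  # newly stood up on an indexed IP
    "watched-c.invalid": {"192.0.2.30"},     # unchanged, should not be reported
}

@dataclass(frozen=True)
class Finding:
    domain: str
    event: str               # "new", "removed" or "repointed"
    added: frozenset
    removed: frozenset
    known_bad: frozenset     # subset of `added` that matches the IOC set

def diff_dns(prev, curr, ioc_ips):
    """Return one Finding per watched domain whose A records changed."""
    findings = []
    for domain in sorted(set(prev) | set(curr)):
        before, after = prev.get(domain, set()), curr.get(domain, set())
        if before == after:
            continue                          # no DNS change, nothing to report
        event = "new" if not before else "removed" if not after else "repointed"
        added, removed = after - before, before - after
        findings.append(Finding(domain, event, frozenset(added),
                                frozenset(removed), frozenset(added & ioc_ips)))
    return findings

if __name__ == "__main__":
    for f in diff_dns(YESTERDAY, TODAY, IOC_IPS):
        flag = " [matches indexed IOC]" if f.known_bad else ""
        print(f"{f.domain}: {f.event} +{sorted(f.added)} -{sorted(f.removed)}{flag}")
```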
Our STIX feed carries every indicator we've published since the conflict escalated:
Handala wiper — file hashes, C2 domains, infrastructure IPs
CrowdStrike.bin — the fake binary name and its actual hash
Intune attack vector — compromised admin credential indicators
Patel breach — infrastructure used in the email compromise
MuddyWater/Dindoor — new backdoor IOCs as they're published
MOIS infrastructure — historical and current command-and-control
275+ organizations in 46 countries pull our feed daily. Microsoft, AT&T, Starlink, BT UK, SinoPac Holdings, PT Telkom Indonesia. When we index an Iranian IOC, it propagates to every SIEM pulling our STIX endpoint within 24 hours.
Two Wars, One Kill Chain
The kinetic war targets Iranian military infrastructure — nuclear facilities, missile production, air defenses, steel plants.
The cyber war targets the adversary's ability to function — medical device manufacturers (Stryker disrupted surgical equipment supply chains), intelligence leadership (Patel's email compromised), defense contractors (Lockheed Martin's hiring pipeline probed), and civilian infrastructure (previous Iranian targeting of US water treatment and port systems).
These aren't separate conflicts. They're complementary operations. While missiles hit Isfahan, wipers hit Kalamazoo. While F-35s suppress air defenses, MOIS-backed hackers suppress the FBI Director's operational security.
The cease-fire Trump described — if it comes — will be kinetic only. The cyber operations don't stop when the shooting does. They didn't start when the shooting started either. Handala was active before the first strike. They'll be active after the last one.
What CSIS, Unit 42, and PYMNTS Are Saying
Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →
CSIS: "How Will Cyber Warfare Shape the US-Israel Conflict with Iran?" — The conflict has generated one of the most intensive periods of state-linked cyber warfare since Russia-Ukraine.
Palo Alto Unit 42: "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran" — Updated March 26, covering MOIS, IRGC, and hacktivist operations.
PYMNTS: "Security Experts Brace for Potential Iranian Cyberattacks on Infrastructure" — Energy, healthcare, and shipping historically prioritized. Iran has demonstrated willingness to hit ICS and OT systems.
Halcyon: MuddyWater's Operation Olalampo targeting META region with overlapping RedKitten infrastructure — coordinated operations across Iranian-aligned actors.
Flare: Live monitoring dashboard tracking cyberattacks directly linked to the US-Israel-Iran military conflict.
The vendor threat briefs are updating weekly. We're updating daily. Our STIX feed carries IOCs from all of them, plus our own hunting.
The Pause
Trump extended the pause on strikes against Iranian power infrastructure by 10 days, to April 6 — "as per Iranian Government request." Iran denies requesting anything.
April 6 is five days from now. If the kinetic pause ends, the cyber operations will intensify. MOIS doesn't pause. Handala doesn't pause. The threat actors who wiped 200,000 devices and breached the FBI Director are not waiting for diplomatic outcomes.
If you're in healthcare, energy, defense, financial services, or government — the next five days matter. Point your SIEM at a threat feed that updates daily. Ours does.
https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_KEY
The war you see on TV is one war. The war in your network logs is the other. We have the IOCs for both.
DugganUSA has tracked the Iran cyber conflict since March 6, 2026. 16 domains under daily DNS surveillance. 1,041,253 IOCs indexed. Handala wiper found on GitHub the day of the Stryker attack. STIX feed consumed by 275+ organizations in 46 countries.
The Strait of Hormuz is contested. Your firewall rules aren't.
The cheapest, fastest, most accurate threat feed on the internet.
275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.