
Twenty-Eight Kittens: CISA Named Three Iranian Operators in AA26-097A. We've Been Indexing the Other Twenty-Five.

  • Writer: Patrick Duggan
  • 2 days ago
  • 6 min read

CISA dropped advisory AA26-097A this month, naming Iranian-affiliated APT activity targeting programmable logic controllers across United States critical infrastructure since at least March 2026. Water and wastewater systems. Energy. Government services. The advisory cites a small set of operator clusters by name and walks through the tradecraft — abuse of internet-exposed PLCs, credential reuse, lateral movement into industrial control plant networks.


We have been doing the same job on the same actors for years. As of today our adversary index lists twenty-eight Iran-aligned clusters. Our IOC corpus carries 152 indicators attributed to Handala and 431 attributed to MuddyWater alone, with the rest of the kitten menagerie distributed across Charming Kitten, Fox Kitten, Rocket Kitten, Cutting Kitten, Cleaver, OilRig, Infy, Madi, Flash Kitten, and twenty more. CISA names what is operationally necessary for federal-civilian agencies to act. We index everything else because somebody has to keep score.


This is a post about what is going on, what to look for, and why the May 2026 PLC step is the natural next move in a campaign that started before most CISOs had heard the word "Stuxnet."



What the campaign actually looks like


The targets are unglamorous. Municipal water utilities running legacy SCADA stacks. Wastewater treatment plants with Allen-Bradley CompactLogix or Siemens S7-1200 PLCs reachable from the public Internet because someone in 2011 needed remote support and never closed the hole. Substations and small energy cooperatives with HMI panels still on default credentials. The infrastructure that runs underneath everything and that almost nobody is paying attention to.


The tradecraft is also unglamorous. The operators are not burning zero-days. They are reading the same Shodan results any of us can read. They are trying admin / admin and 1100 (the published Unitronics default). They are using compromised RDP and SSH credentials harvested from past campaigns. The activity is opportunistic at the entry, deliberate inside, and patient about timing.


The reason this matters is not that the technique is novel. The reason it matters is that the geopolitical window is open. Iran has spent months under US-Israel pressure, and Iranian doctrine has long held that cyber operations against US critical infrastructure are a proportional response to kinetic and economic measures. The May 2026 escalation against PLCs is not a stretch; it is a Tuesday on the calendar of an apparatus that has been building toward exactly this for a decade.



The cluster landscape, briefly


Iran's cyber apparatus is not one organization with one playbook. It is a layered ecosystem with at least four operating tiers:


The first tier is the state-directed services — IRGC and MOIS. The named clusters on this tier are the ones you have heard of: Charming Kitten, also known as APT35 or Mint Sandstorm, focused on espionage against academia, journalists, and dissidents. OilRig, also known as APT34 or Helix Kitten, focused on Middle East energy and government. MuddyWater, also known as Static Kitten or Earth Vetala, with the broadest target set and the longest operational history. Cleaver, the early Cutting Kitten cluster, originator of the 2014 critical-infrastructure reconnaissance that built much of the tradecraft we are watching now.


The second tier is the semi-official contractor layer — front companies, ideologically aligned engineering firms, university-adjacent research groups that get tasked through informal channels.


The third tier is the hacktivist persona layer. Handala Hack Team is the canonical 2024-2026 example, named after a Palestinian political cartoon character, presenting publicly as ideologically motivated while operating with telltale TTPs and infrastructure overlap with state-aligned clusters. The disclaimers are loud; the operational tells are quiet.


The fourth tier is the foreign-aligned collective layer. Sympathetic groups in adjacent jurisdictions who get tasked, paid, or simply pointed at a target.


The point of the layering is plausible deniability and parallel capacity. When an analyst writes "Iran-linked," it is often genuinely ambiguous which tier the operator sits on. The signal of attribution lives in TTP overlap, infrastructure reuse, language artifacts, and time-zone fingerprints — not in a single confident label.



What our telemetry is showing right now


Three observations from the live data, named cleanly so a defender can act on them.


Handala — 152 IOCs and a still-active staging pattern. Handala’s 2024-2026 operations leaned on Telegram for victim notification and on commodity hosting (Hetzner, OVH, smaller Eastern European VPS providers) for staging. The signature is still legible: short-lifetime VPS instances, late-night-Iran-time spin-up windows, and a recurring pattern of registering domains with Israeli or western-target lookalike strings. Defenders watching their egress for connections to fresh Hetzner / OVH allocations during 18:00–02:00 UTC, against domains that look like typos of their own brand, are looking in the right window.
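The hunt described above, written out as a detection a defender could run over an egress export. This is an added example, not the author's tooling or feed: the log lines, the "freshly allocated" prefixes (RFC 5737 documentation ranges standing in for new Hetzner / OVH space) and the brand string `examplewater` are all constructed, and the three signals (staging window, fresh VPS space, brand lookalike) are combined exactly as the paragraph describes.

```python
"""Hunt for the Handala staging pattern: egress to freshly allocated
commodity-VPS space, inside the 18:00-02:00 UTC window, against domains that
look like typos of our own brand.  Added example, not the author's tooling.
The log lines, the 'fresh allocation' prefixes and the brand string are all
constructed (assumptions); swap in a real egress export and a feed of
recently allocated Hetzner / OVH ranges."""
import ipaddress
from datetime import datetime, timezone

# Assumption: our own brand label, the thing adversaries typo-squat.
BRAND = "examplewater"

# Constructed stand-ins for prefixes a feed reported as freshly allocated
# (RFC 5737 documentation ranges, not real Hetzner / OVH space).
FRESH_VPS_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed egress log lines: ISO-8601 UTC timestamp followed by key=value fields.
SAMPLE_LOG = [
    "2026-05-04T22:14:07Z src=10.20.4.17 dst=203.0.113.45 domain=exampiewater.com",        # typo + fresh + in window
    "2026-05-04T13:02:11Z src=10.20.4.17 dst=203.0.113.45 domain=exampiewater.com",        # same, but daytime
    "2026-05-05T01:30:00Z src=10.20.7.3 dst=198.51.100.9 domain=examplewater-portal.net",  # brand-plus-suffix
    "2026-05-04T23:55:00Z src=10.20.4.17 dst=192.0.2.80 domain=example.com",               # not fresh, not lookalike
    "2026-05-05T00:10:00Z src=10.20.9.2 dst=198.51.100.77 domain=updates.vendor.example",  # fresh, but no brand tie
]


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typos of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label ('portal.exampiewater.com' -> 'exampiewater').
    Naive split; production tooling should consult the public suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(domain, brand=BRAND, max_dist=2):
    """Typo within max_dist edits, or the brand embedded in a longer label."""
    label = registrable_label(domain)
    if label == brand:
        return False  # exact brand match is our own traffic, handled elsewhere
    return levenshtein(label, brand) <= max_dist or brand in label


def in_staging_window(ts):
    """18:00-02:00 UTC, which wraps midnight."""
    return ts.hour >= 18 or ts.hour < 2


def is_fresh_vps(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FRESH_VPS_PREFIXES)


def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def hunt(lines):
    """Return records matching all three signals; each carries the reasons it fired."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = []
        if in_staging_window(rec["ts"]):
            reasons.append("window")
        if is_fresh_vps(rec["dst"]):
            reasons.append("fresh-vps")
        if is_lookalike(rec["domain"]):
            reasons.append("lookalike")
        if len(reasons) == 3:
            hits.append({**rec, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h["ts"].isoformat(), h["src"], "->", h["dst"], h["domain"], h["reasons"])
```

Only the first and third sample lines fire: the second is the same lookalike domain but at 13:02 UTC, and the last is fresh VPS space in the window with no tie to the brand. Requiring all three signals keeps the alert volume low; dropping the window check is the natural loosening if the staging hours drift.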


MuddyWater — 431 IOCs and the longest tail of credential-harvesting infrastructure of any Iran cluster. MuddyWater’s historic preference for PowerShell-based loaders, abuse of legitimate cloud-storage services (OneDrive, GitHub raw, occasionally Mega) for second-stage payload retrieval, and rolling C2 over short-lived domains gives defenders a clear three-pronged hunt: PowerShell with base64-encoded payloads, outbound to consumer file-sharing services from server workloads, and short-TTL DNS resolutions against Iran-aligned naming patterns. Microsoft, CrowdStrike, and Mandiant have all written this up at length; our IOC feed indexes the breadth across vendors so a defender can hunt without subscribing to all three.
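The three prongs above, as one pass over endpoint, proxy and DNS telemetry. This is an added example, not the author's feed or any vendor's detection content: the JSON-lines events, the server-role list, the baseline of known-good domains and the 300-second TTL threshold are constructed or assumed. The encoded PowerShell payload in the sample is a harmless `Write-Host`, and the first prong decodes it so an analyst can read what would have run.

```python
"""Three-pronged MuddyWater hunt over endpoint, proxy and DNS telemetry:
(1) PowerShell launched with an encoded (base64) command, decoded for triage,
(2) server workloads talking to consumer file-sharing services,
(3) short-TTL resolutions for domains outside the baseline.
Added example, not the author's feed or tooling.  Events, host roles, the
file-sharing host list and the TTL threshold are constructed / assumed."""
import base64
import json
import re

# Assumption: the asset inventory tells us which hosts are server workloads.
SERVER_HOSTS = {"web01", "db02"}

# Second-stage retrieval services the post names (OneDrive, GitHub raw, Mega).
FILE_SHARING_HOSTS = {"onedrive.live.com", "1drv.ms", "raw.githubusercontent.com", "mega.nz"}

# Assumption: domains already baselined as known-good for these hosts.
DNS_BASELINE = {"www.example.com", "updates.example.com"}
SHORT_TTL_SECONDS = 300  # assumed threshold for "short-lived" resolutions

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest first.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_ps(cmd):
    """Build a PowerShell -EncodedCommand argument (UTF-16LE, then base64)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed JSON-lines telemetry.  The encoded payload is a harmless Write-Host.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"type": "process", "host": "web01", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps("Write-Host stage2")},
    {"type": "process", "host": "ws17", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File backup.ps1"},
    {"type": "egress", "host": "web01", "dst": "raw.githubusercontent.com", "port": 443},
    {"type": "egress", "host": "ws17", "dst": "raw.githubusercontent.com", "port": 443},  # workstation: expected
    {"type": "dns", "host": "web01", "qname": "cdn-sync.example", "ttl": 60},
    {"type": "dns", "host": "web01", "qname": "www.example.com", "ttl": 3600},
]]


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: not really base64
        return None


def hunt(lines):
    """Return one hit per event that matches a prong, tagged with the prong number."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        kind = ev["type"]
        if kind == "process" and "powershell" in ev["image"].lower():
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                hits.append({"prong": 1, "host": ev["host"], "detail": decoded})
        elif kind == "egress" and ev["host"] in SERVER_HOSTS and ev["dst"].lower() in FILE_SHARING_HOSTS:
            hits.append({"prong": 2, "host": ev["host"], "detail": ev["dst"]})
        elif kind == "dns" and ev["ttl"] <= SHORT_TTL_SECONDS and ev["qname"].lower() not in DNS_BASELINE:
            hits.append({"prong": 3, "host": ev["host"], "detail": "%s ttl=%d" % (ev["qname"], ev["ttl"])})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print("prong", h["prong"], h["host"], h["detail"])
```

The second egress event is deliberately not flagged: a workstation pulling from GitHub raw is normal, a web server doing it is the signal the paragraph points at. Prong 3 is the noisiest of the three in practice; the baseline set is what keeps it usable, and the post's cluster-level feed is the natural source for the "Iran-aligned naming patterns" it mentions.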


The PLC step specifically — the Stryker March 11 pattern. On March 11 the medical device manufacturer Stryker Corporation was hit with a destructive wiper-style operation that used no custom malware. The operators abused the company’s mobile device management infrastructure to push commands, bypassing endpoint defenses entirely because the MDM was a trusted internal channel. We covered the incident on the day. The pattern that matters in May 2026 is the same: the operators are not bringing exploits, they are exercising trust. PLC operators exposing remote management endpoints on the public Internet are doing the equivalent of the Stryker MDM — handing the adversary an instrument they already know how to play.



What a defender does on Monday morning


The CISA advisory has the formal mitigation list. The practical version of the same advice, sized for a CISO with a finite week:


Audit every PLC, HMI, and historian for public Internet exposure. Shodan and Censys will tell you in fifteen minutes whether your organization has anything bound to a public IP. If you do, the question is not whether to close it; the question is how fast.


Force a credential rotation on every industrial-control account, then test for residual access. Iran-aligned operators recycle credentials across campaigns for years. Your password from a 2019 phish is still on a list.


Subscribe to a threat intel feed that names Iran-aligned infrastructure at the cluster level, not just the high-profile names. CISA names what is operationally critical for federal-civilian agencies. If you are a municipal utility, a hospital network, an energy cooperative, or a logistics operator, you need the rest of the cluster set too. We publish a STIX feed at analytics.dugganusa.com that consumers in 46 countries pull daily, including Microsoft and AT&T. It is free.


Watch your MDM, RMM, and remote-management telemetry the way you watch your firewall logs. The Stryker pattern was the receipt. The trusted-channel abuse pattern is the next decade of OT compromise.
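The first two Monday-morning steps (exposure audit, then credential age) as one script a utility could run against its own asset inventory. This is an added example, not the author's tooling: the inventory rows, the port table, the internal-range list and the 90-day rotation threshold are constructed or assumed. It reads what you believe is deployed; the Shodan / Censys check the post recommends is still the only way to confirm what the outside actually sees.

```python
"""Exposure and credential-age audit over an asset inventory export.
Flags every PLC / HMI / historian bound to a non-internal IP, ranks it by the
port exposed, and flags control-system accounts whose credentials have not
been rotated within policy.  Added example, not the author's tooling; rows,
port table and the 90-day threshold are constructed or assumed."""
import csv
import io
import ipaddress
from datetime import date

# Well-known ICS protocol ports: a public binding here is critical.
ICS_PORTS = {502: "Modbus/TCP", 102: "Siemens S7 (ISO-TSAP)",
             44818: "EtherNet/IP", 20256: "Unitronics PCOM"}
# Remote-management ports: public exposure is high severity.
MGMT_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 80: "HTTP", 443: "HTTPS"}

# RFC 1918 plus loopback and link-local.  The RFC 5737 sample addresses below
# are treated as public stand-ins here; real tooling can simply use ip.is_global,
# which would (correctly) reject those documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

MAX_CRED_AGE_DAYS = 90  # assumed rotation policy

# Constructed inventory export; IPs are documentation ranges, not real assets.
SAMPLE_INVENTORY = """\
name,ip,port,protocol,last_cred_rotation
plc-lift-station-3,203.0.113.17,20256,pcom,2019-06-02
plc-clarifier-1,10.10.5.21,44818,enip,2026-03-01
hmi-substation-7,198.51.100.40,5900,vnc,2021-11-30
historian-01,10.10.8.4,1433,mssql,2026-03-01
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exposure_severity(port):
    """Severity label and service name for a publicly reachable port."""
    if port in ICS_PORTS:
        return "critical", ICS_PORTS[port]
    if port in MGMT_PORTS:
        return "high", MGMT_PORTS[port]
    return "medium", "other"


def audit(inventory_csv, today_iso):
    """Return findings (public exposure or stale credentials), most urgent first."""
    today = date.fromisoformat(today_iso)
    rank = {"critical": 0, "high": 1, "medium": 2, "none": 3}
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        port = int(row["port"])
        age = (today - date.fromisoformat(row["last_cred_rotation"])).days
        f = {"name": row["name"], "ip": row["ip"], "port": port,
             "public": not is_internal(row["ip"]),
             "stale_credentials": age > MAX_CRED_AGE_DAYS, "cred_age_days": age}
        f["severity"], f["service"] = exposure_severity(port) if f["public"] else ("none", None)
        if f["public"] or f["stale_credentials"]:
            findings.append(f)
    # Critical exposure first; within a tier, the oldest credentials first.
    findings.sort(key=lambda f: (rank[f["severity"]], -f["cred_age_days"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, date.today().isoformat()):
        print(f["severity"], f["name"], f["ip"], f["port"], f["service"],
              "stale-creds" if f["stale_credentials"] else "", f["cred_age_days"], "days")
```

With the sample rows the lift-station PLC comes out first (PCOM on a public address, credentials untouched since 2019), the substation HMI second (VNC on a public address), and the two internal assets with recent rotations produce no finding at all. An asset that is internal but stale still appears, because the post's second step applies to every industrial-control account, not only the exposed ones.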



The longer arc


Iran has been preparing this exact campaign for at least a decade. Cleaver, the 2014 Operation Cleaver investigation, mapped a sixteen-target reconnaissance footprint against US, Canadian, and European critical infrastructure. OilRig, Charming Kitten, and MuddyWater all extended the playbook across the 2016-2020 window. Handala formalized the hacktivist front layer in 2023-2024. The May 2026 PLC campaign is what happens when a decade of access, mapping, credential harvest, and operator training meets a geopolitical window that opened in April.


The Iranian capability is not a surprise. It is the receipt for ten years of work that was published, indexed, and openly discussed by every major Western intelligence service. The surprise, if there is one, is that defenders are still reading vendor blogs about it instead of treating it as a known shape and indexing every operator in the menagerie.


We index twenty-eight kittens. CISA names three this month. Pick a number between three and twenty-eight that matches your organization’s exposure to municipal water, regional energy, hospital networks, or logistics. That is how many you should be watching.




If you run threat intel for a utility, a hospital network, an energy co-op, or any organization with PLCs that touch a public IP, the API is open at analytics.dugganusa.com/api/v1/search and the STIX feed is at /api/v1/stix-feed. Free tier is wide enough to use without a credit card. We bill enterprise for support, audits, and bespoke deliverables; defenders trying to keep water safe in May 2026 are not the people we charge.



