The War Between Wars: How an IRGC Cyber Front Runs Destructive OT and IT Attacks Under Cover of a Ceasefire


A ceasefire on the front line is not a ceasefire on the network. Through 2025 and 2026, an Iranian state-directed persona has spent the quiet stretches breaking machines, spoiling food, and wiping disks across Israeli industry. This is how one of those operations unfolded, and how to find the actor before it reaches your plant floor.

Profero Threat Intelligence | May 2026


The first sign was not a security alert. It was a temperature reading.

On a May afternoon, refrigeration engineers were called to a food-production plant. The cold rooms and freezers were warming up, and the product inside them was fresh. The engineers expected what they usually find: a failed compressor, a leaking valve, a tripped protection. They arrived ready to fix a machine.

What they found was that someone had already been inside the machine, and had changed it on purpose.

The controllers that run the plant’s industrial refrigeration had been reprogrammed. Setpoints were wrong. Safety limits were wrong. The motorized valves that hold gas pressure in check had been switched to manual and pinned open. And the credentials on the central controller, the account the engineers themselves used to manage the system remotely, had been changed, locking the people who maintain the plant out of their own equipment while it failed.

This was not a malfunction. It was sabotage, and it was patient, and it understood the equipment it was destroying.

The same intrusion had already done its work elsewhere on the network. On the plant’s Windows servers, a piece of malware was sitting quietly, persisting as a fake Microsoft update, waiting for a command that could overwrite every disk it could reach. One operation, two target sets: the information technology that runs the business, and the operational technology that runs the building.

This is what the war between wars looks like.

The War Between Wars

Israeli strategists have a phrase for the long, low-intensity contest that runs in the gaps between declared conflicts: the campaign between the wars. Strikes, interdictions, and pressure continue while the front line is officially quiet. Each side denies, each side calibrates, and the fighting never fully stops. It just changes domain.

Cyber is now one of those domains, and it suits the doctrine almost perfectly. After the kinetic exchanges between Israel and Iran in mid-2025 and the uneasy lull that followed, the cyber tempo did not fall. It rose. Iranian-aligned operators treat a ceasefire not as a pause but as cover. Attention drops, defenders stand down, and the political cost of a network intrusion is far lower than the cost of a missile.

The actor in this story is built for exactly that environment. It is deniable by design, destructive by intent, and active precisely when everyone has been told the fighting is over.

A Front With a Job to Do

Profero attributes this activity to Cyber Isnaad Front, an Iranian state-directed persona that emerged in June 2025. The name, drawn from Arabic, translates loosely as “Cyber Support Front,” and the persona presents itself as an independent Arabic-language hacktivist collective acting in solidarity with Palestinian armed groups. It is not independent, and it is not hacktivism in any meaningful sense.

Profero assesses with high confidence that Cyber Isnaad Front is a fronted persona operated by or alongside Aria Sepehr Ayandehsazan (ASA), the IRGC-affiliated successor to Emennet Pasargad. ASA, under its earlier name, was sanctioned by the U.S. Treasury for cyber-enabled influence operations against the 2020 U.S. presidential election and has since run a rotating cast of personas against Israeli targets. Infrastructure overlaps, persona patterning, and victim selection all point back to the same operation. When one brand is exposed, the operators retire it and surface a new one. The machinery does not change.

The public face of Cyber Isnaad Front is a hack-and-leak operation: intrude, steal, curate, and release, paired with scripted videos featuring a costumed human actor and amplified within hours by Iranian state media in Arabic, Hebrew, and English. The persona has claimed defense subcontractors tied to Israel’s major weapons programs, roughly five terabytes from a national fuel-logistics provider, and access affecting more than 160 telecom data-center customers. Independent researchers, including the Foundation for Defense of Democracies, have found that some of those headline claims do not survive verification, even where genuine victim data also appears in the leaks. Exaggeration is part of the product.

But the leak site is the marketing. The intrusions behind it are the operation, and in those intrusions the intent is not always theft. Sometimes it is destruction.

The IT Attack: GRAT, a Wiper Wearing a Microsoft Badge

On the Windows side of the plant, Profero’s incident responders recovered a malware family we track as GRAT, a Go Remote Access Toolkit. It does not look like much. It is a single executable, and it works hard to look boring. Across the samples Profero has analyzed it has shipped as SpellChecker.exe, Checker.exe.exe, and WindowsUpdater.exe, running from user-writable directories like C:\Users\<user>\AppData\Roaming\Microsoft\Spelling\ and C:\ProgramData\. It persists through a scheduled task named “OneDrive Update” that relaunches it every minute and at every boot, hidden and at the highest privilege the host will grant.

Behind that bland exterior is a single binary that bundles eleven separate tool subsystems. GRAT can enumerate a host down to its installed antivirus and BitLocker state, manage processes, rewrite the registry, manipulate Windows services, run a full VNC server with synthetic keystroke injection, and push stolen files to attacker-controlled cloud storage.

[Figure: VNC-related functions]

It can encrypt files for ransom through a module its authors named “BigBang.”

[Figure: BigBang file-encryption implementation]

And it can wipe.

[Figure: malware calling WriteRandToDrive]

The wipe is the point. On a single operator command, GRAT overwrites the physical disk and then destroys the partition table. A multi-pass variant uses direct syscalls to run a zero, random, and 0xFF overwrite for good measure. A host that receives that command does not come back. There is nothing left on it to recover from.

[Figure: WriteRandToDrive function features]

It runs a dual-channel command-and-control architecture: commands arrive over RabbitMQ wrapped in TLS, and results return over a plain-text Redis channel, both reaching the same server at 84[.]201[.]6[.]131 on the non-standard ports 7878 and 9988.

[Figure: RabbitMQ connection]

Every connection parameter is AES-256 encrypted inside the binary, and the key rotates with each build. The three samples Profero reverse-engineered share identical infrastructure and byte-identical connection code while their keys, passwords, and queue names differ. That is the signature of a builder: one keyed sample produced per target, so that cracking one does not crack the rest.

It is workmanlike malware. It does not need to be more than that. The sophistication in this campaign is not in the binary. It is in knowing what to break.

The OT Attack: Sabotage by Setpoint

Which brings us back to the cold rooms.

The plant ran two industrial refrigeration systems, an older array and a newer one, both built on CO2 (R-744) as the refrigerant. The attacker treated them differently, and the difference is instructive.

On the older system, the attacker changed parameters only: setpoints, protection thresholds, alarm and alert limits. This is the cruder form of the attack, and it is still dangerous. Picture a temperature controller for a room full of fresh meat. Move the setpoint from +2°C to +50°C and the room becomes an oven for its contents. The fix is straightforward once you know to look, and the engineers restored the old system the same night. But if no one had been watching, the product would have been lost.

On the newer system, the attacker went much deeper. Beyond setpoints, they wiped and reset the controller’s entire programmatic configuration: the digital and analog inputs mapped to temperature sensors and pressure transmitters, the digital outputs that start compressors, the analog outputs that drive motorized valves and fans, the fault inputs, all of it. Recovery here was not “reset a value.” It was re-engineering the controller from scratch, tracing every wire in the electrical panel against the electrical schematic, identifying it in the program, and redefining it in the controller. That work ran for days.

Then the attacker did the thing that turned a configuration change into physical destruction. The motorized valves that hold gas pressure in the gas cooler and receiver were switched to manual mode and pinned permanently open. Every consumer controller was forced open as well. The intent was specific: keep refrigerant moving with nothing to contain it, so it could not be held where the system needed it.

Here is why that is so destructive in a CO2 system, and why it shows the attacker understood the equipment.

A refrigeration system relies on a clean phase change. Liquid refrigerant enters the evaporator inside the cold room and must leave it entirely as gas. If liquid reaches the compressors, it causes catastrophic damage, because liquid, unlike gas, does not compress. A piston that tries to compress a slug of liquid simply breaks. And CO2 has a second, crueler property: in its liquid state, when it warms, its pressure rises exponentially. If no compressor is taking that pressure down, the system’s relief valves open and vent CO2 to the atmosphere, bleeding the charge out of the plant.

The attacker forced both failure modes at once. When the engineers tried to bring the new compressor array back up, they discovered that three compressors had been destroyed. Replacing them meant a marathon of work: swapping in compressors that were not even identical to the originals, reworking piping and electrical to fit, replacing pressure switches, valves, electrical boxes, drying filters, and relief components, then pressure-testing, vacuum-testing, and recharging with R-744. The system did not return to normal operation for the better part of a week, and one replacement compressor still has to come from the manufacturer overseas.

No malware ran on those controllers. The attacker did not need it. They needed setpoints, valve modes, and an understanding of thermodynamics. The destruction was carried out in the native language of the equipment, and the lockout, changing the central controller’s credentials, was designed to make sure the only people who could undo it could not get in while it happened.

The Pattern

It would be comfortable to treat this as one bad week at one plant. It is not.

The pairing is the point. The same operation that planted a disk wiper on the IT network also reached into the OT environment and sabotaged physical plant. That convergence, an actor fluent in both Windows internals and refrigerant physics, is the part defenders should sit up for. The skills usually live in different teams. Here they lived in one campaign.

And the targeting is consistent. Cyber Isnaad Front and the ASA operation behind it concentrate on Israeli defense supply chains, telecom and data-center operators, fuel and transport logistics, and food production. These are not glamorous targets. They are the unglamorous, lightly defended, deeply physical organizations that a population actually depends on, and that is exactly why a deniable front is told to hit them during a lull. The damage is real, the attribution is fuzzy, and the political cost is low.

A ceasefire is when these organizations relax. It is also when this actor is most useful to the people who direct it.

Indicators of Compromise

Network indicators are defanged. Hashes are SHA-256. The username component of file paths is environment-specific and shown as <user>.

Category                                        Value
C2 server (command channel)                     84[.]201[.]6[.]131:7878 (RabbitMQ over TLS)
C2 server (results channel)                     84[.]201[.]6[.]131:9988 (Redis over plain TCP)
SHA-256 (Checker.exe.exe)                       6f5f427d96656ae51405e6a5e65253759db45ea0a17da2d70f881404a4ed717b
SHA-256 (WindowsUpdater.exe)                    0ad128e813314e4562489478e6def8c6dfcc251e006d7f55b24273e93d3bc7fb
SHA-256 (SpellChecker.exe)                      c4909b2d7a7f813b5a3d729fe64535033e716ae89dc39c402a6cb8ccbccaadca
SHA-256 (WindowsUpdater.exe, additional build)  86194eb5c5abcfe763899aaad7eb64894c71e816dd7d27427c8bac4ab280533d
File path                                       C:\Users\<user>\AppData\Roaming\Microsoft\Spelling\SpellChecker.exe
File path                                       C:\ProgramData\WindowsUpdater.exe
Scheduled task                                  OneDrive Update
Registry key                                    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneDrive Update
File size                                       10,416,128 bytes (all three reverse-engineered builds)
Topic-exchange prefix                           topicArgs:1562578125
Microsoft detection name                        DoS:Win32/GigaWiper.A!dha

Associated infrastructure, observed at lower confidence than the core C2 server: 146[.]103[.]40[.]190, 193[.]29[.]104[.]5, 45[.]82[.]66[.]163, 84[.]201[.]6[.]128, 84[.]201[.]6[.]129, 85[.]137[.]56[.]9, 85[.]17[.]55[.]232.

MITRE ATT&CK Mapping

GRAT’s behavior on the IT side maps to the following enterprise techniques.

Tactic                 Technique                                              ID
Initial Access         Exploit Public-Facing Application                      T1190
Persistence            Scheduled Task/Job: Scheduled Task                     T1053.005
Persistence            Registry Run Keys / Startup Folder                     T1547.001
Defense Evasion        Masquerading: Match Legitimate Name or Location        T1036.005
Defense Evasion        Indicator Removal: Clear Windows Event Logs            T1070.001
Defense Evasion        Impair Defenses: Disable or Modify Tools               T1562.001
Defense Evasion        Obfuscated Files or Information                        T1027
Discovery              System Information Discovery                           T1082
Discovery              Security Software Discovery                            T1518.001
Command and Control    Application Layer Protocol                             T1071
Command and Control    Encrypted Channel: Symmetric Cryptography              T1573.001
Command and Control    Non-Standard Port                                      T1571
Exfiltration           Exfiltration to Cloud Storage                          T1567.002
Impact                 Data Encrypted for Impact                              T1486
Impact                 Disk Wipe: Disk Content Wipe / Structure Wipe          T1561.001 / T1561.002
Impact                 Inhibit System Recovery                                T1490

The OT sabotage maps to MITRE ATT&CK for ICS.

Tactic                       Technique                  ID
Persistence / Evasion        Change Credential          T0892
Impair Process Control       Modify Parameter           T0836
Inhibit Response Function    Modify Program             T0889
Impair Process Control       Change Operating Mode      T0858
Impair Process Control       Manipulation of Control    T0831
Impact                       Damage to Property         T0879
Impact                       Loss of Availability       T0826
Impact                       Data Destruction           T0809

YARA Signature

The rule below targets unpacked GRAT samples. The C2 host, RabbitMQ credentials, and queue name are AES-encrypted inside the binary and are not usable as plaintext strings, so the rule anchors on the plaintext topic-exchange literal, embedded Go package and symbol names, operator-facing log strings, and the RabbitMQ and Redis library fingerprints.

rule APT_Iran_GRAT_CyberIsnaadFront
{
    meta:
        description = "GRAT (Go Remote Access Toolkit) RAT/ransomware/wiper"
        actor       = "Cyber Isnaad Front (Iran / ASA, ex-Emennet Pasargad)"
        author      = "Profero Threat Intelligence"
        date        = "2026-05-20"
        tlp         = "CLEAR"
        hash1       = "6f5f427d96656ae51405e6a5e65253759db45ea0a17da2d70f881404a4ed717b"
        hash2       = "0ad128e813314e4562489478e6def8c6dfcc251e006d7f55b24273e93d3bc7fb"
        hash3       = "c4909b2d7a7f813b5a3d729fe64535033e716ae89dc39c402a6cb8ccbccaadca"

    strings:
        // Plaintext topic-exchange literal in .rdata, stable across all builds
        $topic = "topicArgs:1562578125" ascii

        // Go package / symbol names embedded in the binary
        $pkg1  = "rabbit/bin.ConnectRabbitMQAMQP" ascii
        $pkg2  = "rabbit/tools/tool_wipe_main" ascii
        $pkg3  = "rabbit/tools/tool_clear_event_log_main" ascii
        $pkg4  = "rabbit/tools/tool_vnc_main" ascii
        $sym1  = "GRATClientInfo" ascii

        // Operator-facing log / status strings
        $log1  = ">>> >>> Run special command <<<" ascii
        $log2  = "Redis status updated > Received task" ascii
        $log3  = "command not implemented" ascii
        $log4  = "vnc is running" ascii

        // C2 transport library fingerprints
        $go1   = "github.com/rabbitmq/amqp091-go" ascii
        $go2   = "github.com/redis/go-redis/v9" ascii

    condition:
        uint16(0) == 0x5A4D and
        filesize > 8MB and filesize < 16MB and
        $go1 and $go2 and
        (
            $topic or
            2 of ($pkg*) or
            2 of ($log*) or
            (1 of ($pkg*) and $sym1)
        )
}

Detection and Hardening

On the IT side, hunt for scheduled tasks that run an unsigned binary from %APPDATA% or C:\ProgramData, especially tasks named after Microsoft products such as “OneDrive Update.” Alert on outbound traffic to 84[.]201[.]6[.]131 and on AMQPS or Redis connections to the non-standard ports 7878 and 9988. Because the Redis results channel is plain TCP, passive capture of RPush traffic with task:{task_id} keys confirms an active infection. Block the listed hashes, scan with the YARA rule, and treat any host that logged a DoS:Win32/GigaWiper.A!dha detection as compromised: isolate it and preserve a disk image before remediation. Patch internet-facing VPN, edge, and SharePoint systems, which remain this actor’s consistent way in.
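The passive Redis check described above, written out as an added example that is not Profero's code: a minimal RESP parser run over a constructed capture, flagging RPUSH/LPUSH commands to task:<id> keys and any flow to the published C2 address. The task-id character set and the LPUSH variant are assumptions; the C2 address and port come from the post.

```python
from __future__ import annotations
import re

# Defanged values from the post; a sensor would take them from the flow record.
C2_HOST = "84.201.6.131"
RESULTS_PORT = 9988
# GRAT pushes results to task:<task_id> keys; the id character set is an assumption.
TASK_KEY = re.compile(r"^task:[A-Za-z0-9_-]+$")

def resp_command(*parts: bytes) -> bytes:
    """Encode one Redis command as a RESP array of bulk strings. Used to build
    the constructed capture below; it is also how go-redis frames RPush."""
    out = b"*%d\r\n" % len(parts)
    for p in parts:
        out += b"$%d\r\n%s\r\n" % (len(p), p)
    return out

def parse_resp_commands(stream: bytes) -> list[list[bytes]]:
    """Parse a client-to-server RESP stream into complete commands only.
    A truncated or malformed tail is dropped rather than half-parsed."""
    cmds, i = [], 0
    while stream[i:i + 1] == b"*":
        nl = stream.find(b"\r\n", i)
        if nl < 0:
            break
        count, i, parts = int(stream[i + 1:nl]), nl + 2, []
        for _ in range(count):
            nl = stream.find(b"\r\n", i)
            if stream[i:i + 1] != b"$" or nl < 0:
                return cmds
            start = nl + 2
            end = start + int(stream[i + 1:nl])
            if end + 2 > len(stream):
                return cmds              # bulk string cut off: stop here
            parts.append(stream[start:end])
            i = end + 2                  # skip payload and its trailing CRLF
        cmds.append(parts)
    return cmds

def inspect_flow(dst_ip: str, dst_port: int, payload: bytes) -> list[tuple[str, str]]:
    """Return (severity, reason) alerts for one TCP flow: a known-C2 destination,
    and RPUSH/LPUSH of results to task:<id> keys, scored higher on port 9988."""
    alerts = []
    if dst_ip == C2_HOST:
        alerts.append(("critical", "connection to known GRAT C2 server"))
    for cmd in parse_resp_commands(payload):
        if len(cmd) < 2:
            continue
        verb, key = cmd[0].upper(), cmd[1].decode("utf-8", "replace")
        if verb in (b"RPUSH", b"LPUSH") and TASK_KEY.match(key):
            sev = "high" if dst_port == RESULTS_PORT else "medium"
            alerts.append((sev, f"{verb.decode()} of task result to {key}"))
    return alerts

# Constructed capture: one GRAT-style result push followed by an unrelated GET.
SAMPLE_FLOW = (resp_command(b"RPUSH", b"task:a1b2c3d4", b"Redis status updated > done")
               + resp_command(b"GET", b"counter"))
```

Feed it reassembled client-to-server payloads from a flow record; an ordinary Redis deployment on 6379 pushing to unrelated keys produces no alert.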

On the OT side, the lesson is harder and older. Segment control networks from IT. Remove or tightly broker remote access into central controllers, and make sure the credentials that protect them are unique, monitored, and recoverable through a path the attacker cannot also lock. Alarm on out-of-band setpoint and operating-mode changes, not just on process values, because in this incident the alarms themselves had been retuned. Keep offline, version-controlled backups of controller programs, so that recovery from a wiped controller is a restore and not a multi-day reverse-engineering exercise against a wiring diagram. And rehearse the failure: a tabletop exercise that walks an IT-to-OT intrusion end to end is worth more than any single product.
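The baseline comparison recommended above, as an added example that is neither Profero's tooling nor any vendor's API: the controller's exported parameters are diffed against a version-controlled snapshot, so a retuned alarm limit, a valve forced to manual and pinned open, a wiped parameter, or a changed credential is flagged even when the controller's own alarms stay silent. All parameter names and values are constructed.

```python
from __future__ import annotations

# Constructed baseline of a CO2 (R-744) refrigeration controller as it would sit in
# version control. Parameter names are illustrative, not a vendor's schema.
BASELINE = {
    "coldroom1.setpoint_c": 2.0,
    "coldroom1.high_alarm_c": 6.0,
    "gas_cooler.hp_valve.mode": "AUTO",
    "gas_cooler.hp_valve.opening_pct": 35,
    "receiver.valve.mode": "AUTO",
    "receiver.valve.opening_pct": 20,
    "compressor.high_pressure_cutout_bar": 90.0,
    "admin.credential_hash": "sha256:constructed-baseline-value",
}

# Constructed snapshot read back from the controller, following the pattern in the post.
OBSERVED = {
    "coldroom1.setpoint_c": 50.0,
    "coldroom1.high_alarm_c": 60.0,
    "gas_cooler.hp_valve.mode": "MANUAL",
    "gas_cooler.hp_valve.opening_pct": 100,
    "receiver.valve.mode": "MANUAL",
    "receiver.valve.opening_pct": 100,
    "admin.credential_hash": "sha256:constructed-changed-value",
}

def classify(key: str, after, observed: dict) -> tuple[str, str]:
    """Severity and reason for one changed parameter, judged against the baseline
    rather than the controller's own alarms, which may themselves have been retuned."""
    if after is None:
        return "critical", "parameter missing: controller configuration wiped or reset"
    if key.endswith(".credential_hash"):
        return "critical", "controller credentials changed outside the change process"
    if key.endswith(".mode") and after == "MANUAL":
        pct = observed.get(key.rsplit(".", 1)[0] + ".opening_pct", 0)
        if pct >= 100:
            return "critical", "valve forced to manual and pinned open: refrigerant not contained"
        return "high", "valve in manual: controller no longer regulating pressure"
    if key.endswith(("_alarm_c", "_cutout_bar")):
        return "high", "alarm or protection limit retuned: controller alarms not trustworthy"
    if key.endswith(".setpoint_c"):
        return "high", "setpoint moved"
    if key.endswith(".opening_pct"):
        return "medium", "valve position changed"
    return "low", "parameter changed"

def audit(baseline: dict, observed: dict) -> list[tuple[str, str, object, object, str]]:
    """Diff observed configuration against the version-controlled baseline and return
    (severity, key, before, after, reason) tuples, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(key), observed.get(key)
        if before == after:
            continue
        sev, reason = classify(key, after, observed)
        findings.append((sev, key, before, after, reason))
    return sorted(findings, key=lambda f: rank[f[0]])
```

Run the audit from a host the controller credentials do not protect, on a schedule independent of the controller, so a lockout of the engineering account does not also silence the check.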

Closing

There was no headline the week this happened. No leak video, no state-media amplification, no claim on a Telegram channel. That absence is the tell. The hack-and-leak persona is the part of this operation built to be seen. The destruction is the part built to be denied.

A ceasefire changes what is visible. It does not change what is being done. For the organizations that keep a country fed, fueled, connected, and defended, the safest assumption is the one this incident proves: the war between wars is still being fought, and some of it is being fought inside your controllers.

Profero’s Incident Response team works intrusions like this one, across IT and OT, worldwide. If you operate critical infrastructure and want to know whether this actor has already been inside, or to make sure it cannot get in, contact@profero.io.

Profero Threat Intelligence. Indicators and the YARA signature in this post may be used freely for detection and defense.