Iran cyber risk is not about whether they’ll be active. They will. The real question is whether the next 8 weeks produce a publicly attributed, materially disruptive hit with a new twist beyond the usual password-spray sludge. Tenant sabotage is the part to watch. 👀🔥

2026 prediction: “sovereign cloud” becomes the #1 way to accidentally create telemetry refugees 🛂☁️

Meanwhile: DPRK “IT workers” in the supply chain + OAuth consent hijacks that laugh at MFA 🔑🎭

What’s your log-clears-customs plan?

UNC3944, UNC6040, and UNC6395 are executing targeted campaigns against SaaS, cloud, and virtualization environments, leveraging vishing, OAuth abuse, and supply-chain compromise. Their TTPs require precise, telemetry-driven controls and detection.