<p> <strong> Threat Assessment Level: HIGH </strong>
</p>
<p> The Iran-West cyber confrontation — now in its 135th day since the February 28 escalation — continues to produce new capabilities, confirmed operational pipelines, and ominous silences that demand executive attention. This week's intelligence cycle surfaced a previously unreported Iranian-linked backdoor targeting the United States, confirmed the operational merger between mass credential theft and ransomware deployment affecting 430,000 firewalls, and documented the continued expansion of Iranian command-and-control infrastructure. Meanwhile, the extended silence from Iran's most destructive hacktivist proxies matches historical patterns observed before major wiper deployments.
</p>
<p> CISOs overseeing critical infrastructure, defense industrial base contractors, and enterprises running FortiGate, Adobe ColdFusion, or Schneider Electric OT systems should treat this as an action-forcing moment.
</p>
<h2> <strong> What Changed This Week </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Jul 7, 2026 </p> </td> <td> <p> U.S. strikes on Iran open active retaliation window </p> </td> <td> <p> Kinetic trigger for cyber escalation </p> </td> </tr> <tr> <td> <p> Jul 7, 2026 </p> </td> <td> <p> CVE-2026-48282 (Adobe ColdFusion, CVSS 10.0) added to CISA KEV </p> </td> <td> <p> Pre-auth RCE, actively exploited, no user interaction </p> </td> </tr> <tr> <td> <p> Jul 8, 2026 </p> </td> <td> <p> <strong> DHS HSIN intrusion disclosed — moderate-confidence Iranian attribution </strong> </p> </td> <td> <p> Government network compromise </p> </td> </tr> <tr> <td> <p> Jul 9, 2026 </p> </td> <td> <p> Iranian GitHub resume lure campaign updated — targeting aerospace/DIB </p> </td> <td> <p> Social engineering evolution for pre-positioning </p> </td> </tr> <tr> <td> <p> Jul 9, 2026 </p> </td> <td> <p> CISA ICS advisories: Schneider Electric Easergy MiCOM Px40 + OpenPLC v3 </p> </td> <td> <p> Grid protection relays and PLC platforms vulnerable </p> </td> </tr> <tr> <td> <p> Jul 10, 2026 </p> </td> <td> <p> CVE-2026-48282 exploitation confirmed in the wild </p> </td> <td> <p> ColdFusion under active attack </p> </td> </tr> <tr> <td> <p> Jul 12, 2026 </p> </td> <td> <p> New Stealc infostealer C2 on Tehran ASN; "Agentemis" Cobalt Strike beacons persist </p> </td> <td> <p> Iranian offensive infrastructure expanding </p> </td> </tr> <tr> <td> <p> Jul 13, 2026 </p> </td> <td> <p> "Salgorea" backdoor discovered — new Iranian-linked malware, US-targeting </p> </td> <td> <p> Novel capability with no prior public reporting </p> </td> </tr> <tr> <td> <p> Jul 13, 2026 </p> </td> <td> <p> Progress ShareFile emergency server shutdown — potential zero-day </p> </td> <td> <p> File transfer appliance threat (MOVEit precedent) </p> </td> </tr> <tr> <td> <p> Jul 2–3, 2026 </p> </td> <td> <p> FortiBleed → INC/Lynx ransomware pipeline confirmed by 4 independent sources </p> </td> <td> <p> 430,000 firewalls compromised; credential-to-ransomware chain validated </p> </td> </tr> <tr> <td> <p> Ongoing </p> </td> <td> <p> Banished Kitten / Handala operationally silent during peak escalation </p> </td> <td> <p> Absence matches pre-wiper preparation patterns; assessed as pre-operational pause </p> </td> </tr> </tbody>
</table>
<h2> <strong> Conflict & Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Phase </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Cyber Activity </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Pre-escalation </p> </td> <td> <p> Before Feb 28 </p> </td> <td> <p> Baseline Iranian espionage (APT34, MuddyWater, Pioneer Kitten) </p> </td> </tr> <tr> <td> <p> Initial escalation </p> </td> <td> <p> Feb 28 – Mar 2026 </p> </td> <td> <p> Stryker wiper deployment by Handala/Banished Kitten </p> </td> </tr> <tr> <td> <p> Sustained operations </p> </td> <td> <p> Apr – Jun 2026 </p> </td> <td> <p> Infrastructure build-out, credential harvesting, ICS reconnaissance </p> </td> </tr> <tr> <td> <p> Active retaliation window </p> </td> <td> <p> Jul 7 – present </p> </td> <td> <p> U.S. strikes trigger acceleration: new malware, C2 expansion, ransomware pipeline activation </p> </td> </tr> <tr> <td> <p> Current (Day 135) </p> </td> <td> <p> Jul 13, 2026 </p> </td> <td> <p> Novel backdoor (Salgorea), confirmed ransomware pipelines, proxy silence </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. Salgorea: A Previously Unknown Iranian-Linked Backdoor </strong>
</h3>
<p> A new malware family designated "Salgorea" was identified on July 13 with no prior public reporting from any vendor or research team. This PE32 backdoor targets the United States and employs <strong> T1614.001 </strong> <strong> (System Language Discovery) </strong> — a technique Iranian actors commonly use to avoid executing on Persian-language systems, ensuring the malware only activates on intended Western targets.
</p>
<p> With 14 out of 18 antivirus engines detecting it and a unique import hash, Salgorea represents fresh tooling investment by Iranian operators. Its discovery before any public disclosure demonstrates that adversaries are actively developing new capabilities during this escalation window.
</p>
<p> <strong> Why it matters: </strong> Novel malware families indicate that Iranian actors are not relying solely on known tools. They are investing in capabilities designed to evade detection signatures built around previously catalogued families like Shamoon, ZeroCleare, or IOCONTROL.
</p>
<h3> <strong> 2. FortiBleed → Ransomware: The Pipeline Is Real </strong>
</h3>
<p> Four independent sources have now confirmed what was previously assessed as probable: operators exploiting the FortiBleed vulnerability are directly feeding stolen credentials to <strong> INC Ransom </strong> and <strong> Lynx </strong> ransomware groups. One operator was observed logged into both INC and Lynx negotiation panels using FortiBleed-sourced infrastructure.
</p>
<p> The scale is staggering: <strong> 430,000 FortiGate firewalls compromised </strong> and <strong> 110 million credentials stolen </strong> . This creates a dual-use threat where Iranian access brokers — particularly <strong> Pioneer Kitten (IRGC-affiliated) </strong> — can simultaneously serve state espionage objectives and monetize access through criminal ransomware partnerships.
</p>
<p> <strong> Why it matters: </strong> Your FortiGate VPN credentials may already be in an adversary's hands. The time between credential theft and ransomware deployment is compressing. Organizations that haven't rotated credentials are operating on borrowed time.
</p>
<h3> <strong> 3. The Iranian Actor Ecosystem: Four Groups, One Kill Chain </strong>
</h3>
<p> Intelligence continues to validate a coordinated espionage-to-destruction handoff chain across four formally attributed Iranian threat actors:
</p>
<table> <thead> <tr> <th> <p> <strong> Actor </strong> </p> </th> <th> <p> <strong> Affiliation </strong> </p> </th> <th> <p> <strong> Role in Kill Chain </strong> </p> </th> <th> <p> <strong> Current Status </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Pioneer Kitten </strong> (Fox Kitten, UNC757) </p> </td> <td> <p> IRGC </p> </td> <td> <p> Initial access brokering via VPN exploitation </p> </td> <td> <p> Active — FortiBleed pipeline confirmed </p> </td> </tr> <tr> <td> <p> <strong> Banished Kitten / Handala </strong> </p> </td> <td> <p> IRGC </p> </td> <td> <p> Destructive operations, wiper deployment </p> </td> <td> <p> Silent — assessed as pre-operational pause </p> </td> </tr> <tr> <td> <p> <strong> APT34 / OilRig </strong> </p> </td> <td> <p> MOIS </p> </td> <td> <p> Espionage, credential harvesting, lateral movement </p> </td> <td> <p> Active — updated Jul 12 </p> </td> </tr> <tr> <td> <p> <strong> MuddyWater / TEMP.Zagros </strong> </p> </td> <td> <p> MOIS </p> </td> <td> <p> Spearphishing, backdoor deployment, telecom targeting </p> </td> <td> <p> Active — updated Jul 12 </p> </td> </tr> </tbody>
</table>
<p> Additional actors of note: <strong> UNC1860 </strong> (updated Jul 11), <strong> UNC6085 </strong> , and <strong> UNC5187 </strong> all show recent activity updates.
</p>
<h3> <strong> 4. Agentemis Cobalt Strike Infrastructure: Persistent and Growing </strong>
</h3>
<p> Four command-and-control IPs on ASN 138415 bearing the "Agentemis" operator signature remain active as of July 13, all communicating on port 29541. These Cobalt Strike BEACON servers have persisted across multiple intelligence cycles, indicating established operational infrastructure rather than ephemeral testing.
</p>
<p> The co-location of Stealc infostealers, Remcos RAT, and Cobalt Strike beacons on overlapping Iranian ISP infrastructure suggests a shared operational environment — potentially a cyber operations unit maintaining multiple capability sets for different mission types.
</p>
<h3> <strong> 5. CVE-2026-48282: Adobe ColdFusion CVSS 10.0 — Actively Exploited </strong>
</h3>
<p> This maximum-severity vulnerability (pre-authentication remote code execution via path traversal) affects ColdFusion 2025.9 and 2023.20 and earlier. It requires no user interaction, has changed scope, and is confirmed exploited in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on July 7.
</p>
<p> Iranian actors have historically exploited ColdFusion vulnerabilities for initial access. Any unpatched instance is an open door.
</p>
<h3> <strong> 6. ICS/OT: Schneider Electric and OpenPLC Under the Microscope </strong>
</h3>
<p> Two ICS advisories published July 9 directly align with known Iranian targeting profiles:
</p>
<ul> <li> <strong> Schneider Electric Easergy MiCOM Px40 </strong> : Protection relays used in electrical grid substations — the exact equipment <strong> Cyber Av3ngers </strong> has previously targeted </li> <li> <strong> OpenPLC v3 </strong> : Authenticated file write leading to privilege escalation on programmable logic controllers </li>
</ul>
<p> While no confirmed Iranian exploitation of these specific vulnerabilities has been observed, the alignment with known adversary interests (IOCONTROL campaign, Cyber Av3ngers' water/energy targeting) makes these high-priority for OT defenders.
</p>
<h3> <strong> 7. GitHub Resume Lures: Social Engineering the Defense Industrial Base </strong>
</h3>
<p> An Iranian espionage campaign using fake resume and portfolio lures hosted on GitHub continues to evolve, with updates as recent as July 9. The campaign targets <strong> aerospace and defense industrial base personnel </strong> — consistent with Pioneer Kitten's documented role as an access broker for Iranian intelligence services.
</p>
<p> A related campaign uses "GitHub-Resilient Implants" against government and telecom targets in the Middle East. The use of GitHub as a delivery platform exploits trust relationships — security tools are less likely to block downloads from github.com.
</p>
<h3> <strong> 8. The Silence of Handala: Absence as Signal </strong>
</h3>
<p> <strong> Banished Kitten / Handala </strong> — the IRGC-affiliated group responsible for the March 2026 Stryker wiper attack — has been operationally silent for an extended period during peak escalation. This pattern matches pre-deployment behavior observed before previous destructive operations.
</p>
<p> Assessment: This is not cessation. It is preparation.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Indicators to Watch </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Salgorea publicly reported by a vendor with additional samples/C2 </p> </td> <td> <p> 70% </p> </td> <td> <p> 14 days </p> </td> <td> <p> Vendor blog posts, new VirusTotal submissions </p> </td> </tr> <tr> <td> <p> Handala resurfaces with new persona or campaign targeting Israeli/US infrastructure </p> </td> <td> <p> 60% </p> </td> <td> <p> 14–30 days </p> </td> <td> <p> New Telegram channels, infrastructure overlap with known Handala IOCs </p> </td> </tr> <tr> <td> <p> Destructive wiper operation by Handala/Banished Kitten </p> </td> <td> <p> 60% </p> </td> <td> <p> 30 days </p> </td> <td> <p> Pre-wiper reconnaissance, credential harvesting spikes </p> </td> </tr> <tr> <td> <p> <strong> FortiBleed credentials used in high-profile ransomware incident against critical infrastructure </strong> </p> </td> <td> <p> 50% </p> </td> <td> <p> 14 days </p> </td> <td> <p> INC/Lynx victim announcements, CI sector targeting </p> </td> </tr> <tr> <td> <p> Progress ShareFile vulnerability receives CVE and KEV addition </p> </td> <td> <p> 40% </p> </td> <td> <p> 7 days </p> </td> <td> <p> CVE assignment, CISA advisory </p> </td> </tr> <tr> <td> <p> Iranian exploitation of Schneider Easergy or OpenPLC vulnerabilities </p> </td> <td> <p> 30% </p> </td> <td> <p> 30 days </p> </td> <td> <p> ICS-CERT incident reports, Cyber Av3ngers claims </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Immediate Detection Priorities </strong>
</h3>
<p> <strong> Hunt for Agentemis C2 Communications </strong>
</p>
<ul> <li> Monitor for outbound connections to port 29541 on the four identified C2 IPs </li> <li> ATT&CK: T1071.001 (Web Protocols), T1573.002 (Asymmetric Cryptography), T1105 (Ingress Tool Transfer) </li> <li> Hunting hypothesis: "Are any internal hosts communicating with ASN 138415 infrastructure on non-standard ports?" </li> <li> Detection: Firewall logs, netflow data, DNS resolution attempts for these IPs </li>
</ul>
<p> <strong> Hunt for Salgorea Backdoor </strong>
</p>
<ul> <li> Search EDR telemetry for imphash 6dca3e9fb3928bbdb54dbce669943ec8 </li> <li> Search for SHA-256: 5338ea423aff0dd6e383c695788e9b1842b2a185ab345c118d2f5480e4dbd522 </li> <li> ATT&CK: T1614.001 (System Language Discovery) — alert on processes querying system locale/language settings before execution </li> <li> Hunting hypothesis: "Are there PE32 executables in our environment that check system language before executing their primary payload?" </li>
</ul>
<p> <strong> Hunt for FortiBleed Credential Abuse </strong>
</p>
<ul> <li> ATT&CK: T1078 (Valid Accounts), T1133 (External Remote Services) </li> <li> Monitor for VPN authentications from unusual geolocations or at unusual times using credentials associated with FortiGate infrastructure </li> <li> Hunting hypothesis: "Have any VPN accounts authenticated from new ASNs or countries in the past 30 days?" </li> <li> Check for passive sniffer implants on FortiGate devices (memory forensics) </li>
</ul>
<p> <strong> Hunt for ColdFusion Exploitation (CVE-2026-48282) </strong>
</p>
<ul> <li> ATT&CK: T1190 (Exploit Public-Facing Application), T1083 (File and Directory Discovery) </li> <li> Monitor ColdFusion access logs for path traversal patterns (../ sequences, encoded variants) </li> <li> Hunting hypothesis: "Are there ColdFusion instances in our environment that are unpatched and internet-facing?" </li>
</ul>
<p> <strong> Hunt for GitHub-Based Social Engineering </strong>
</p>
<ul> <li> ATT&CK: T1566.002 (Spearphishing Link), T1204.001 (Malicious Link) </li> <li> Monitor email gateway for messages containing github.com links with /resume, /portfolio, /cv path patterns delivering executables (.exe, .scr, .msi) </li> <li> Hunting hypothesis: "Have aerospace/engineering personnel received emails with GitHub links to downloadable executables in the past 30 days?" </li>
</ul>
<h3> <strong> Detection Rules to Deploy </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Rule </strong> </p> </th> <th> <p> <strong> ATT&CK </strong> </p> </th> <th> <p> <strong> Data Source </strong> </p> </th> <th> <p> <strong> Priority </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Outbound to 23.226.58[.]116, 43.240.239[.]234, 43.240.239[.]254, 23.226.58[.]106 on port 29541 </p> </td> <td> <p> T1071.001 </p> </td> <td> <p> Firewall/Netflow </p> </td> <td> <p> <strong> CRITICAL </strong> </p> </td> </tr> <tr> <td> <p> PE32 with imphash 6dca3e9fb3928bbdb54dbce669943ec8 </p> </td> <td> <p> T1614.001 </p> </td> <td> <p> EDR </p> </td> <td> <p> <strong> CRITICAL </strong> </p> </td> </tr> <tr> <td> <p> ColdFusion path traversal in URI </p> </td> <td> <p> T1190 </p> </td> <td> <p> WAF/Web logs </p> </td> <td> <p> <strong> HIGH </strong> </p> </td> </tr> <tr> <td> <p> VPN auth from new ASN + credential age > 90 days </p> </td> <td> <p> T1078 </p> </td> <td> <p> VPN/IAM </p> </td> <td> <p> <strong> HIGH </strong> </p> </td> </tr> <tr> <td> <p> GitHub .exe/.scr download via email link </p> </td> <td> <p> T1566.002 </p> </td> <td> <p> Email gateway </p> </td> <td> <p> MEDIUM </p> </td> </tr> <tr> <td> <p> System language enumeration before payload execution </p> </td> <td> <p> T1614.001 </p> </td> <td> <p> EDR/Sysmon </p> </td> <td> <p> MEDIUM </p> </td> </tr> </tbody>
</table>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services </strong>
</h3>
<p> <strong> Primary threats: </strong> FortiBleed credential abuse for unauthorized access; ransomware deployment via INC/Lynx; Cobalt Strike BEACON for lateral movement to payment systems.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Immediately audit and rotate all FortiGate VPN credentials; enforce MFA on all remote access </li> <li> Deploy behavioral analytics for anomalous transaction system access following VPN authentication </li> <li> Ensure SWIFT/payment infrastructure is segmented from general VPN-accessible networks </li> <li> Monitor for Cobalt Strike BEACON indicators (port 29541, Agentemis watermark) in network telemetry </li>
</ul>
<h3> <strong> Energy </strong>
</h3>
<p> <strong> Primary threats: </strong> Schneider Electric Easergy MiCOM Px40 vulnerabilities in grid protection relays; OpenPLC exploitation for OT access; Iranian ICS targeting (Cyber Av3ngers, IOCONTROL precedent).
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Inventory all Schneider Easergy MiCOM Px40 deployments in substations; apply CSAF icsa-26-190-03 mitigations </li> <li> Audit OpenPLC v3 instances for unauthorized file writes; restrict authenticated access to known maintenance accounts only </li> <li> Ensure IT/OT segmentation prevents lateral movement from compromised ColdFusion/FortiGate systems to SCADA networks </li> <li> Establish out-of-band monitoring for protection relay configuration changes </li>
</ul>
<h3> <strong> Healthcare </strong>
</h3>
<p> <strong> Primary threats: </strong> Ransomware via FortiBleed pipeline (INC/Lynx); ColdFusion exploitation of patient portal systems; credential theft enabling PHI exfiltration.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Prioritize ColdFusion patching for patient-facing portals (CVE-2026-48282 requires no user interaction) </li> <li> Validate backup integrity and test restoration procedures — ransomware deployment probability is elevated </li> <li> Audit FortiGate VPN credentials used by remote clinicians and third-party vendors </li> <li> Monitor for data staging (T1074) in systems adjacent to EHR databases </li>
</ul>
<h3> <strong> Government </strong>
</h3>
<p> <strong> Primary threats: </strong> Iranian espionage operations (APT34, MuddyWater); DHS HSIN intrusion precedent; Salgorea backdoor targeting US government systems; GitHub social engineering of cleared personnel.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Deploy Salgorea indicators across all endpoint detection platforms immediately </li> <li> Brief cleared personnel on GitHub-based social engineering lures — particularly those in aerospace and defense roles </li> <li> Audit ColdFusion deployments in .gov environments (historically prevalent in government web applications) </li> <li> Review authentication logs for indicators of credential reuse from previously compromised FortiGate infrastructure </li> <li> Monitor for T1614.001 (language check) as a behavioral indicator of Iranian-origin malware </li>
</ul>
<h3> <strong> Aviation / Logistics </strong>
</h3>
<p> <strong> Primary threats: </strong> GitHub resume lure campaign specifically targeting aerospace; Pioneer Kitten access brokering into DIB contractor networks; Progress ShareFile potential zero-day affecting file transfer workflows.
</p>
<p> <strong> Actions: </strong>
</p>
<ul> <li> Alert HR and recruiting teams to fake resume/portfolio lures hosted on GitHub — verify all candidate-submitted links before execution on corporate systems </li> <li> Audit ShareFile on-premises deployments; consider emergency isolation pending CVE disclosure from Progress </li> <li> Monitor for unauthorized access to PLM systems (PTC Windchill) and engineering data repositories </li> <li> Implement application allowlisting on engineering workstations to prevent execution of downloaded executables from GitHub </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> SOC </p> </td> <td> <p> Block Agentemis C2 IPs at perimeter: 23.226.58[.]116, 43.240.239[.]234, 43.240.239[.]254, 23.226.58[.]106 (port 29541). Hunt for historical connections in 90-day netflow. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy Salgorea detection: hunt for imphash 6dca3e9fb3928bbdb54dbce669943ec8 and SHA-256 5338ea423aff0dd6e383c695788e9b1842b2a185ab345c118d2f5480e4dbd522 across all endpoints. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Verify ALL Adobe ColdFusion instances are patched beyond versions 2025.9 / 2023.20. CVE-2026-48282 is CVSS 10.0, pre-auth RCE, actively exploited, in CISA KEV. No exceptions. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> SOC </p> </td> <td> <p> Enable enhanced logging on FortiGate VPN infrastructure — capture all authentication events with source IP, ASN, and geolocation for anomaly detection. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 5 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Rotate ALL FortiGate VPN credentials. Enforce MFA. Check for passive sniffer implants on firewall memory. Assume credentials are compromised if running affected firmware. </p> </td> </tr> <tr> <td> <p> 6 </p> </td> <td> <p> SOC </p> </td> <td> <p> Create detection rule for GitHub-hosted lures: emails containing github.com/*/resume or github.com/*/portfolio paths delivering executables to aerospace/DIB personnel. </p> </td> </tr> <tr> <td> <p> 7 </p> </td> <td> <p> OT Security </p> </td> <td> <p> Assess Schneider Electric Easergy MiCOM Px40 deployment footprint. Apply CSAF icsa-26-190-03 mitigations. Audit OpenPLC v3 for unauthorized file writes. </p> </td> </tr> <tr> <td> <p> 8 </p> </td> <td> <p> HR / Security Awareness </p> </td> <td> <p> Brief recruiting and HR teams on Iranian fake resume/interview TTPs — verify all candidate-submitted code repositories and portfolio links before execution on corporate systems. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 9 </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission assessment of Progress ShareFile on-premises exposure. Emergency shutdown signals potential zero-day with MOVEit-scale implications. Evaluate migration alternatives. </p> </td> </tr> <tr> <td> <p> 10 </p> </td> <td> <p> CISO </p> </td> <td> <p> Review and test incident response playbook for destructive wiper scenarios. Handala's operational silence during peak escalation matches pre-Stryker-wiper patterns. Ensure offline backups are verified. </p> </td> </tr> <tr> <td> <p> 11 </p> </td> <td> <p> CISO </p> </td> <td> <p> Validate IT/OT segmentation through red team exercise — specifically test whether compromise of internet-facing systems (ColdFusion, FortiGate) enables lateral movement to ICS/SCADA networks. </p> </td> </tr> <tr> <td> <p> 12 </p> </td> <td> <p> IR Team </p> </td> <td> <p> Conduct tabletop exercise for simultaneous ransomware + wiper scenario — Iranian actors have demonstrated willingness to deploy both in parallel through different operational units. </p> </td> </tr> </tbody>
</table>
<h2> <strong> IOC Blocking Table </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> <th> <p> <strong> Confidence </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 23.226.58[.]116 </p> </td> <td> <p> Agentemis Cobalt Strike C2, port 29541 </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 43.240.239[.]234 </p> </td> <td> <p> Agentemis Cobalt Strike C2, port 29541 </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 43.240.239[.]254 </p> </td> <td> <p> Agentemis Cobalt Strike C2, port 29541 </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 23.226.58[.]106 </p> </td> <td> <p> Agentemis Cobalt Strike C2, port 29541 </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 5338ea423aff0dd6e383c695788e9b1842b2a185ab345c118d2f5480e4dbd522 </p> </td> <td> <p> Salgorea backdoor </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> e0f6941f37b0ea6015185c922e6b35cdfacb4e1e </p> </td> <td> <p> Salgorea backdoor </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 2b0383674e54467a1ccde0bf9f53be93 </p> </td> <td> <p> Salgorea backdoor </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> Imphash </p> </td> <td> <p> 6dca3e9fb3928bbdb54dbce669943ec8 </p> </td> <td> <p> Salgorea backdoor (PE32) </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> </tbody>
</table>
<p> Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds.
</p>
<h2> <strong> The Bottom Line </strong>
</h2>
<p> We are 135 days into an active cyber conflict with Iran. The adversary is not standing still — they are deploying new malware families, confirming ransomware partnerships, maintaining persistent C2 infrastructure, and positioning for access to aerospace and defense networks through social engineering. The silence from their most destructive units is not reassurance. It is preparation.
</p>
<p> The convergence of a CVSS 10.0 actively exploited vulnerability (CVE-2026-48282), 430,000 compromised firewalls feeding ransomware operators, novel backdoor capabilities, and ICS vulnerabilities in grid protection equipment creates a threat surface that demands immediate action — not next quarter's planning cycle.
</p>
<p> <strong> Three questions every CISO should answer today: </strong>
</p>
<ol> <li> <strong> Are your FortiGate credentials rotated? </strong> If not, assume they are in adversary hands. </li> <li> <strong> Is your ColdFusion patched? </strong> A CVSS 10.0 pre-auth RCE with no user interaction is as bad as it gets. </li> <li> <strong> Do you have a wiper response plan? </strong> The group that deployed Stryker in March is quiet. That should concern you more than if they were loud. </li>
</ol>
<p> The window between intelligence warning and operational impact is narrowing. Act now.
</p>
<p> <em> Published by Anomali CTI Desk — July 13, 2026 </em>
</p>
<p> <em> For questions or additional indicators, contact your Anomali representative or access ThreatStream Next-Gen for full IOC packages. </em>
</p>