| Date | Development | Significance |
|---|---|---|
| Jul 7 | U.S. strikes on Iran open active retaliation window | Kinetic trigger for cyber escalation |
| Jul 7 | CVE-2026-48282 (Adobe ColdFusion, CVSS 10.0) added to CISA KEV | Pre-auth RCE, actively exploited, no user interaction |
| Jul 8 | DHS HSIN intrusion disclosed — moderate-confidence Iranian attribution | Government network compromise |
| Jul 9 | Iranian GitHub resume lure campaign updated — targeting aerospace/DIB | Social engineering evolution for pre-positioning |
| Jul 9 | CISA ICS advisories: Schneider Electric Easergy MiCOM Px40 + OpenPLC v3 | Grid protection relays and PLC platforms vulnerable |
| Jul 10 | CVE-2026-48282 exploitation confirmed in the wild | ColdFusion under active attack |
| Jul 12 | New Stealc infostealer C2 on Tehran ASN; "Agentemis" Cobalt Strike beacons persist | Iranian offensive infrastructure expanding |
| Jul 13 | "Salgorea" backdoor discovered — new Iranian-linked malware, US-targeting | Novel capability with no prior public reporting |
| Jul 13 | Progress ShareFile emergency server shutdown — potential zero-day | File transfer appliance threat (MOVEit precedent) |
| Jul 2–3 | FortiBleed → INC/Lynx ransomware pipeline confirmed by 4 independent sources | 430,000 firewalls compromised; credential-to-ransomware chain validated |
| Ongoing | Banished Kitten / Handala operationally silent during peak escalation | Absence matches pre-wiper preparation patterns; assessed as pre-operational pause |
| Phase | Timeframe | Cyber Activity |
|---|---|---|
| Pre-escalation | Before Feb 28 | Baseline Iranian espionage (APT34, MuddyWater, Pioneer Kitten) |
| Initial escalation | Feb 28 – Mar 2026 | Stryker wiper deployment by Handala/Banished Kitten |
| Sustained operations | Apr – Jun 2026 | Infrastructure build-out, credential harvesting, ICS reconnaissance |
| Active retaliation window | Jul 7 – present | U.S. strikes trigger acceleration: new malware, C2 expansion, ransomware pipeline activation |
| Current (Day 135) | Jul 13, 2026 | Novel backdoor (Salgorea), confirmed ransomware pipelines, proxy silence |
A new malware family designated "Salgorea" was identified on July 13 with no prior public reporting from any vendor or research team. This PE32 backdoor targets the United States and employs system language discovery — a technique Iranian actors commonly use to avoid executing on Persian-language systems, ensuring the malware only activates on intended Western targets.
With 14 out of 18 antivirus engines detecting it and a unique import hash, Salgorea represents fresh tooling investment by Iranian operators. Its discovery before any public disclosure demonstrates that adversaries are actively developing new capabilities during this escalation window.
Why it matters: novel malware families indicate Iranian actors are not relying solely on known tools — they are investing in capabilities designed to evade detection signatures built around previously catalogued families like Shamoon, ZeroCleare, or IOCONTROL.
Four independent sources have now confirmed what was previously assessed as probable: operators exploiting the FortiBleed vulnerability are directly feeding stolen credentials to INC Ransom and Lynx ransomware groups. One operator was observed logged into both INC and Lynx negotiation panels using FortiBleed-sourced infrastructure.
The scale is staggering: 430,000 FortiGate firewalls compromised and 110 million credentials stolen. This creates a dual-use threat where Iranian access brokers — particularly Pioneer Kitten (IRGC-affiliated) — can simultaneously serve state espionage objectives and monetize access through criminal ransomware partnerships.
Why it matters: your FortiGate VPN credentials may already be in an adversary's hands. The time between credential theft and ransomware deployment is compressing.
Intelligence continues to validate a coordinated espionage-to-destruction handoff chain across four formally attributed Iranian threat actors:
| Actor | Affiliation | Role | Status |
|---|---|---|---|
| Pioneer Kitten (Fox Kitten, UNC757) | IRGC | Initial access brokering via VPN exploitation | Active — FortiBleed pipeline confirmed |
| Banished Kitten / Handala | IRGC | Destructive operations, wiper deployment | Silent — assessed as pre-operational pause |
| APT34 / OilRig | MOIS | Espionage, credential harvesting, lateral movement | Active — updated Jul 12 |
| MuddyWater / TEMP.Zagros | MOIS | Spearphishing, backdoor deployment, telecom targeting | Active — updated Jul 12 |
Additional actors of note: UNC1860 (updated Jul 11), UNC6085, and UNC5187 all show recent activity updates.
Four command-and-control IPs on ASN 138415 bearing the "Agentemis" operator signature remain active as of July 13, all communicating on port 29541. These Cobalt Strike BEACON servers have persisted across multiple intelligence cycles, indicating established operational infrastructure rather than ephemeral testing.
The co-location of Stealc infostealers, Remcos RAT, and Cobalt Strike beacons on overlapping Iranian ISP infrastructure suggests a shared operational environment — potentially a cyber operations unit maintaining multiple capability sets for different mission types.
This maximum-severity vulnerability (pre-authentication remote code execution via path traversal) affects ColdFusion 2025.9 and 2023.20 and earlier. It requires no user interaction, has changed scope, and is confirmed exploited in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on July 7.
Iranian actors have historically exploited ColdFusion vulnerabilities for initial access. Any unpatched instance is an open door.
Two ICS advisories published July 9 directly align with known Iranian targeting profiles: Schneider Electric Easergy MiCOM Px40 (protection relays used in electrical grid substations — the exact equipment Cyber Av3ngers has previously targeted) and OpenPLC v3 (authenticated file write leading to privilege escalation on programmable logic controllers).
While no confirmed Iranian exploitation of these specific vulnerabilities has been observed, the alignment with known adversary interests (IOCONTROL campaign, Cyber Av3ngers' water/energy targeting) makes these high-priority for OT defenders.
An Iranian espionage campaign using fake resume and portfolio lures hosted on GitHub continues to evolve, with updates as recent as July 9. The campaign targets aerospace and defense industrial base personnel — consistent with Pioneer Kitten's documented role as an access broker for Iranian intelligence services.
A related campaign uses "GitHub-Resilient Implants" against government and telecom targets in the Middle East. The use of GitHub as a delivery platform exploits trust relationships — security tools are less likely to block downloads from github.com.
Banished Kitten / Handala — the IRGC-affiliated group responsible for the March 2026 Stryker wiper attack — has been operationally silent for an extended period during peak escalation. This pattern matches pre-deployment behavior observed before previous destructive operations.
Assessment: this is not cessation. It is preparation.
| Scenario | Probability | Timeframe | Indicators to Watch |
|---|---|---|---|
| Salgorea publicly reported by a vendor with additional samples/C2 | 70% | 14 days | Vendor blog posts, new VirusTotal submissions |
| Handala resurfaces with new persona or campaign targeting Israeli/US infrastructure | 60% | 14–30 days | New Telegram channels, infrastructure overlap with known Handala IOCs |
| Destructive wiper operation by Handala/Banished Kitten | 60% | 30 days | Pre-wiper reconnaissance, credential harvesting spikes |
| FortiBleed credentials used in high-profile ransomware incident against critical infrastructure | 50% | 14 days | INC/Lynx victim announcements, CI sector targeting |
| Progress ShareFile vulnerability receives CVE and KEV addition | 40% | 7 days | CVE assignment, CISA advisory |
| Iranian exploitation of Schneider Easergy or OpenPLC vulnerabilities | 30% | 30 days | ICS-CERT incident reports, Cyber Av3ngers claims |
| Rule | Data Source | ATT&CK | Priority |
|---|---|---|---|
Outbound to 23.226.58[.]116, 43.240.239[.]234, 43.240.239[.]254, 23.226.58[.]106 on port 29541 | Firewall/Netflow | T1071.001 | CRITICAL |
PE32 with imphash 6dca3e9fb3928bbdb54dbce669943ec8 | EDR | T1614.001 | CRITICAL |
| ColdFusion path traversal in URI | WAF/Web logs | T1190 | HIGH |
| VPN auth from new ASN + credential age > 90 days | VPN/IAM | T1078 | HIGH |
| GitHub .exe/.scr download via email link | Email gateway | T1566.002 | MEDIUM |
| System language enumeration before payload execution | EDR/Sysmon | T1614.001 | MEDIUM |
All four IPs — Agentemis Cobalt Strike C2, port 29541, confidence High. Salgorea backdoor: SHA-256 5338ea423aff0dd6e383c695788e9b1842b2a185ab345c118d2f5480e4dbd522, SHA-1 e0f6941f37b0ea6015185c922e6b35cdfacb4e1e, MD5 2b0383674e54467a1ccde0bf9f53be93, Imphash 6dca3e9fb3928bbdb54dbce669943ec8 — all confidence High. Additional IOCs available via Anomali ThreatStream and partner feeds.
../ sequences, encoded variants).- Immediately audit and rotate all FortiGate VPN credentials; enforce MFA on all remote access
- Deploy behavioral analytics for anomalous transaction system access following VPN authentication
- Ensure SWIFT/payment infrastructure is segmented from general VPN-accessible networks
- Monitor for Cobalt Strike BEACON indicators (port 29541, Agentemis watermark) in network telemetry
- Inventory all Schneider Easergy MiCOM Px40 deployments in substations; apply CSAF icsa-26-190-03 mitigations
- Audit OpenPLC v3 instances for unauthorized file writes; restrict authenticated access to known maintenance accounts only
- Ensure IT/OT segmentation prevents lateral movement from compromised ColdFusion/FortiGate systems to SCADA networks
- Establish out-of-band monitoring for protection relay configuration changes
- Prioritize ColdFusion patching for patient-facing portals (CVE-2026-48282 requires no user interaction)
- Validate backup integrity and test restoration procedures — ransomware deployment probability is elevated
- Audit FortiGate VPN credentials used by remote clinicians and third-party vendors
- Monitor for data staging in systems adjacent to EHR databases
- Deploy Salgorea indicators across all endpoint detection platforms immediately
- Brief cleared personnel on GitHub-based social engineering lures — particularly those in aerospace and defense roles
- Audit ColdFusion deployments in .gov environments (historically prevalent in government web applications)
- Review authentication logs for indicators of credential reuse from previously compromised FortiGate infrastructure
- Monitor for language-check behavior as an indicator of Iranian-origin malware
- Alert HR and recruiting teams to fake resume/portfolio lures hosted on GitHub — verify all candidate-submitted links before execution on corporate systems
- Audit ShareFile on-premises deployments; consider emergency isolation pending CVE disclosure from Progress
- Monitor for unauthorized access to PLM systems (PTC Windchill) and engineering data repositories
- Implement application allowlisting on engineering workstations to prevent execution of downloaded executables from GitHub
23.226.58[.]116, 43.240.239[.]234, 43.240.239[.]254, 23.226.58[.]106 (port 29541). Hunt for historical connections in 90-day netflow.6dca3e9fb3928bbdb54dbce669943ec8 and SHA-256 5338ea423aff0dd6e383c695788e9b1842b2a185ab345c118d2f5480e4dbd522 across all endpoints.We are 135 days into an active cyber conflict with Iran. The adversary is not standing still — they are deploying new malware families, confirming ransomware partnerships, maintaining persistent C2 infrastructure, and positioning for access to aerospace and defense networks through social engineering. The silence from their most destructive units is not reassurance. It is preparation. The convergence of a CVSS 10.0 actively exploited vulnerability, 430,000 compromised firewalls feeding ransomware operators, novel backdoor capabilities, and ICS vulnerabilities in grid protection equipment creates a threat surface that demands immediate action — not next quarter's planning cycle.