TLP:GREEN  ·  Iran / Israel Conflict
Iranian Cyber Operations Intensify:

New Backdoor, Ransomware Pipelines, and the Silence Before the Storm

HIGH. The Iran-West cyber confrontation — now 135 days since the February 28 escalation — continues to produce new capabilities and ominous silences. This cycle surfaced a previously unreported Iranian-linked backdoor (Salgorea), confirmed the operational merger between mass credential theft and ransomware deployment affecting 430,000 firewalls, and documented continued command-and-control expansion. Meanwhile, extended silence from Iran's most destructive hacktivist proxies matches historical patterns observed before major wiper deployments.

I am a
My sector

DateDevelopmentSignificance
Jul 7U.S. strikes on Iran open active retaliation windowKinetic trigger for cyber escalation
Jul 7CVE-2026-48282 (Adobe ColdFusion, CVSS 10.0) added to CISA KEVPre-auth RCE, actively exploited, no user interaction
Jul 8DHS HSIN intrusion disclosed — moderate-confidence Iranian attributionGovernment network compromise
Jul 9Iranian GitHub resume lure campaign updated — targeting aerospace/DIBSocial engineering evolution for pre-positioning
Jul 9CISA ICS advisories: Schneider Electric Easergy MiCOM Px40 + OpenPLC v3Grid protection relays and PLC platforms vulnerable
Jul 10CVE-2026-48282 exploitation confirmed in the wildColdFusion under active attack
Jul 12New Stealc infostealer C2 on Tehran ASN; "Agentemis" Cobalt Strike beacons persistIranian offensive infrastructure expanding
Jul 13"Salgorea" backdoor discovered — new Iranian-linked malware, US-targetingNovel capability with no prior public reporting
Jul 13Progress ShareFile emergency server shutdown — potential zero-dayFile transfer appliance threat (MOVEit precedent)
Jul 2–3FortiBleed → INC/Lynx ransomware pipeline confirmed by 4 independent sources430,000 firewalls compromised; credential-to-ransomware chain validated
OngoingBanished Kitten / Handala operationally silent during peak escalationAbsence matches pre-wiper preparation patterns; assessed as pre-operational pause

PhaseTimeframeCyber Activity
Pre-escalationBefore Feb 28Baseline Iranian espionage (APT34, MuddyWater, Pioneer Kitten)
Initial escalationFeb 28 – Mar 2026Stryker wiper deployment by Handala/Banished Kitten
Sustained operationsApr – Jun 2026Infrastructure build-out, credential harvesting, ICS reconnaissance
Active retaliation windowJul 7 – presentU.S. strikes trigger acceleration: new malware, C2 expansion, ransomware pipeline activation
Current (Day 135)Jul 13, 2026Novel backdoor (Salgorea), confirmed ransomware pipelines, proxy silence

A new malware family designated "Salgorea" was identified on July 13 with no prior public reporting from any vendor or research team. This PE32 backdoor targets the United States and employs system language discovery — a technique Iranian actors commonly use to avoid executing on Persian-language systems, ensuring the malware only activates on intended Western targets.

With 14 out of 18 antivirus engines detecting it and a unique import hash, Salgorea represents fresh tooling investment by Iranian operators. Its discovery before any public disclosure demonstrates that adversaries are actively developing new capabilities during this escalation window.

Why it matters: novel malware families indicate Iranian actors are not relying solely on known tools — they are investing in capabilities designed to evade detection signatures built around previously catalogued families like Shamoon, ZeroCleare, or IOCONTROL.

T1614.001

Four independent sources have now confirmed what was previously assessed as probable: operators exploiting the FortiBleed vulnerability are directly feeding stolen credentials to INC Ransom and Lynx ransomware groups. One operator was observed logged into both INC and Lynx negotiation panels using FortiBleed-sourced infrastructure.

The scale is staggering: 430,000 FortiGate firewalls compromised and 110 million credentials stolen. This creates a dual-use threat where Iranian access brokers — particularly Pioneer Kitten (IRGC-affiliated) — can simultaneously serve state espionage objectives and monetize access through criminal ransomware partnerships.

Why it matters: your FortiGate VPN credentials may already be in an adversary's hands. The time between credential theft and ransomware deployment is compressing.

T1078T1133

Intelligence continues to validate a coordinated espionage-to-destruction handoff chain across four formally attributed Iranian threat actors:

ActorAffiliationRoleStatus
Pioneer Kitten (Fox Kitten, UNC757)IRGCInitial access brokering via VPN exploitationActive — FortiBleed pipeline confirmed
Banished Kitten / HandalaIRGCDestructive operations, wiper deploymentSilent — assessed as pre-operational pause
APT34 / OilRigMOISEspionage, credential harvesting, lateral movementActive — updated Jul 12
MuddyWater / TEMP.ZagrosMOISSpearphishing, backdoor deployment, telecom targetingActive — updated Jul 12

Additional actors of note: UNC1860 (updated Jul 11), UNC6085, and UNC5187 all show recent activity updates.

Four command-and-control IPs on ASN 138415 bearing the "Agentemis" operator signature remain active as of July 13, all communicating on port 29541. These Cobalt Strike BEACON servers have persisted across multiple intelligence cycles, indicating established operational infrastructure rather than ephemeral testing.

The co-location of Stealc infostealers, Remcos RAT, and Cobalt Strike beacons on overlapping Iranian ISP infrastructure suggests a shared operational environment — potentially a cyber operations unit maintaining multiple capability sets for different mission types.

T1071.001T1573.002T1105

This maximum-severity vulnerability (pre-authentication remote code execution via path traversal) affects ColdFusion 2025.9 and 2023.20 and earlier. It requires no user interaction, has changed scope, and is confirmed exploited in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on July 7.

Iranian actors have historically exploited ColdFusion vulnerabilities for initial access. Any unpatched instance is an open door.

T1190

Two ICS advisories published July 9 directly align with known Iranian targeting profiles: Schneider Electric Easergy MiCOM Px40 (protection relays used in electrical grid substations — the exact equipment Cyber Av3ngers has previously targeted) and OpenPLC v3 (authenticated file write leading to privilege escalation on programmable logic controllers).

While no confirmed Iranian exploitation of these specific vulnerabilities has been observed, the alignment with known adversary interests (IOCONTROL campaign, Cyber Av3ngers' water/energy targeting) makes these high-priority for OT defenders.

An Iranian espionage campaign using fake resume and portfolio lures hosted on GitHub continues to evolve, with updates as recent as July 9. The campaign targets aerospace and defense industrial base personnel — consistent with Pioneer Kitten's documented role as an access broker for Iranian intelligence services.

A related campaign uses "GitHub-Resilient Implants" against government and telecom targets in the Middle East. The use of GitHub as a delivery platform exploits trust relationships — security tools are less likely to block downloads from github.com.

T1566.002T1204.001

Banished Kitten / Handala — the IRGC-affiliated group responsible for the March 2026 Stryker wiper attack — has been operationally silent for an extended period during peak escalation. This pattern matches pre-deployment behavior observed before previous destructive operations.

Assessment: this is not cessation. It is preparation.

ScenarioProbabilityTimeframeIndicators to Watch
Salgorea publicly reported by a vendor with additional samples/C270%14 daysVendor blog posts, new VirusTotal submissions
Handala resurfaces with new persona or campaign targeting Israeli/US infrastructure60%14–30 daysNew Telegram channels, infrastructure overlap with known Handala IOCs
Destructive wiper operation by Handala/Banished Kitten60%30 daysPre-wiper reconnaissance, credential harvesting spikes
FortiBleed credentials used in high-profile ransomware incident against critical infrastructure50%14 daysINC/Lynx victim announcements, CI sector targeting
Progress ShareFile vulnerability receives CVE and KEV addition40%7 daysCVE assignment, CISA advisory
Iranian exploitation of Schneider Easergy or OpenPLC vulnerabilities30%30 daysICS-CERT incident reports, Cyber Av3ngers claims

RuleData SourceATT&CKPriority
Outbound to 23.226.58[.]116, 43.240.239[.]234, 43.240.239[.]254, 23.226.58[.]106 on port 29541Firewall/NetflowT1071.001CRITICAL
PE32 with imphash 6dca3e9fb3928bbdb54dbce669943ec8EDRT1614.001CRITICAL
ColdFusion path traversal in URIWAF/Web logsT1190HIGH
VPN auth from new ASN + credential age > 90 daysVPN/IAMT1078HIGH
GitHub .exe/.scr download via email linkEmail gatewayT1566.002MEDIUM
System language enumeration before payload executionEDR/SysmonT1614.001MEDIUM
IOC Blocking Table:
23.226.58[.]11643.240.239[.]23443.240.239[.]25423.226.58[.]106

All four IPs — Agentemis Cobalt Strike C2, port 29541, confidence High. Salgorea backdoor: SHA-256 5338ea423aff0dd6e383c695788e9b1842b2a185ab345c118d2f5480e4dbd522, SHA-1 e0f6941f37b0ea6015185c922e6b35cdfacb4e1e, MD5 2b0383674e54467a1ccde0bf9f53be93, Imphash 6dca3e9fb3928bbdb54dbce669943ec8 — all confidence High. Additional IOCs available via Anomali ThreatStream and partner feeds.

Hunting Hypotheses:
HUNT 01 · T1071.001
Agentemis C2 communications
Are any internal hosts communicating with ASN 138415 infrastructure on non-standard ports? Check firewall logs, netflow data, and DNS resolution attempts for the four identified IPs on port 29541.
HUNT 02 · T1614.001
Salgorea backdoor presence
Are there PE32 executables in our environment that check system language before executing their primary payload? Search EDR telemetry for the imphash and SHA-256 above.
HUNT 03 · T1078
FortiBleed credential abuse
Have any VPN accounts authenticated from new ASNs or countries in the past 30 days? Check for passive sniffer implants on FortiGate devices via memory forensics.
HUNT 04 · T1190
ColdFusion exploitation
Are there ColdFusion instances in our environment that are unpatched and internet-facing? Monitor access logs for path traversal patterns (../ sequences, encoded variants).
HUNT 05 · T1566.002
GitHub-based social engineering
Have aerospace/engineering personnel received emails with GitHub links to downloadable executables in the past 30 days? Monitor email gateway for github.com links with /resume, /portfolio, /cv path patterns delivering .exe/.scr/.msi files.

Financial Services
Banking Infrastructure
Primary threats
FortiBleed credential abuse for unauthorized access; ransomware deployment via INC/Lynx; Cobalt Strike BEACON for lateral movement to payment systems
Actions
  • Immediately audit and rotate all FortiGate VPN credentials; enforce MFA on all remote access
  • Deploy behavioral analytics for anomalous transaction system access following VPN authentication
  • Ensure SWIFT/payment infrastructure is segmented from general VPN-accessible networks
  • Monitor for Cobalt Strike BEACON indicators (port 29541, Agentemis watermark) in network telemetry
Energy
Grid, Substations
Primary threats
Schneider Electric Easergy MiCOM Px40 vulnerabilities in grid protection relays; OpenPLC exploitation for OT access; Iranian ICS targeting (Cyber Av3ngers, IOCONTROL precedent)
Actions
  • Inventory all Schneider Easergy MiCOM Px40 deployments in substations; apply CSAF icsa-26-190-03 mitigations
  • Audit OpenPLC v3 instances for unauthorized file writes; restrict authenticated access to known maintenance accounts only
  • Ensure IT/OT segmentation prevents lateral movement from compromised ColdFusion/FortiGate systems to SCADA networks
  • Establish out-of-band monitoring for protection relay configuration changes
Healthcare
Patient Portals, EHR Systems
Primary threats
Ransomware via FortiBleed pipeline (INC/Lynx); ColdFusion exploitation of patient portal systems; credential theft enabling PHI exfiltration
Actions
  • Prioritize ColdFusion patching for patient-facing portals (CVE-2026-48282 requires no user interaction)
  • Validate backup integrity and test restoration procedures — ransomware deployment probability is elevated
  • Audit FortiGate VPN credentials used by remote clinicians and third-party vendors
  • Monitor for data staging in systems adjacent to EHR databases
Government
Emergency Coordination, .gov Web Apps
Primary threats
Iranian espionage operations (APT34, MuddyWater); DHS HSIN intrusion precedent; Salgorea backdoor targeting US government systems; GitHub social engineering of cleared personnel
Actions
  • Deploy Salgorea indicators across all endpoint detection platforms immediately
  • Brief cleared personnel on GitHub-based social engineering lures — particularly those in aerospace and defense roles
  • Audit ColdFusion deployments in .gov environments (historically prevalent in government web applications)
  • Review authentication logs for indicators of credential reuse from previously compromised FortiGate infrastructure
  • Monitor for language-check behavior as an indicator of Iranian-origin malware
Aviation / Logistics
DIB Contractors, PLM Systems
Primary threats
GitHub resume lure campaign specifically targeting aerospace; Pioneer Kitten access brokering into DIB contractor networks; Progress ShareFile potential zero-day affecting file transfer workflows
Actions
  • Alert HR and recruiting teams to fake resume/portfolio lures hosted on GitHub — verify all candidate-submitted links before execution on corporate systems
  • Audit ShareFile on-premises deployments; consider emergency isolation pending CVE disclosure from Progress
  • Monitor for unauthorized access to PLM systems (PTC Windchill) and engineering data repositories
  • Implement application allowlisting on engineering workstations to prevent execution of downloaded executables from GitHub
No sector cards match the selected filters.

Block Agentemis C2 IPs at perimeter: 23.226.58[.]116, 43.240.239[.]234, 43.240.239[.]254, 23.226.58[.]106 (port 29541). Hunt for historical connections in 90-day netflow.
SOC Analyst
Deploy Salgorea detection: hunt for imphash 6dca3e9fb3928bbdb54dbce669943ec8 and SHA-256 5338ea423aff0dd6e383c695788e9b1842b2a185ab345c118d2f5480e4dbd522 across all endpoints.
SOC Analyst
Verify ALL Adobe ColdFusion instances are patched beyond versions 2025.9 / 2023.20. CVE-2026-48282 is CVSS 10.0, pre-auth RCE, actively exploited, in CISA KEV. No exceptions.
Incident Responder
Enable enhanced logging on FortiGate VPN infrastructure — capture all authentication events with source IP, ASN, and geolocation for anomaly detection.
SOC Analyst
No immediate actions for the selected roles.
Rotate ALL FortiGate VPN credentials. Enforce MFA. Check for passive sniffer implants on firewall memory. Assume credentials are compromised if running affected firmware.
Incident ResponderIAM Analyst
Create detection rule for GitHub-hosted lures: emails containing github.com/*/resume or github.com/*/portfolio paths delivering executables to aerospace/DIB personnel.
SOC Analyst
Assess Schneider Electric Easergy MiCOM Px40 deployment footprint. Apply CSAF icsa-26-190-03 mitigations. Audit OpenPLC v3 for unauthorized file writes.
ICS / OT
Brief recruiting and HR teams on Iranian fake resume/interview TTPs — verify all candidate-submitted code repositories and portfolio links before execution on corporate systems.
CISO / Exec
No 7-day actions for the selected roles.
Commission assessment of Progress ShareFile on-premises exposure. Emergency shutdown signals potential zero-day with MOVEit-scale implications. Evaluate migration alternatives.
CISO / Exec
Review and test incident response playbook for destructive wiper scenarios. Handala's operational silence during peak escalation matches pre-Stryker-wiper patterns. Ensure offline backups are verified.
CISO / ExecIncident Responder
Validate IT/OT segmentation through red team exercise — specifically test whether compromise of internet-facing systems (ColdFusion, FortiGate) enables lateral movement to ICS/SCADA networks.
CISO / ExecICS / OT
Conduct a tabletop exercise for a simultaneous ransomware + wiper scenario — Iranian actors have demonstrated willingness to deploy both in parallel through different operational units.
Incident Responder
No 30-day actions for the selected roles.
The Bottom Line

We are 135 days into an active cyber conflict with Iran. The adversary is not standing still — they are deploying new malware families, confirming ransomware partnerships, maintaining persistent C2 infrastructure, and positioning for access to aerospace and defense networks through social engineering. The silence from their most destructive units is not reassurance. It is preparation. The convergence of a CVSS 10.0 actively exploited vulnerability, 430,000 compromised firewalls feeding ransomware operators, novel backdoor capabilities, and ICS vulnerabilities in grid protection equipment creates a threat surface that demands immediate action — not next quarter's planning cycle.

1
Are your FortiGate credentials rotated? If not, assume they are in adversary hands.
2
Is your ColdFusion patched? A CVSS 10.0 pre-auth RCE with no user interaction is as bad as it gets.
3
Do you have a wiper response plan? The group that deployed Stryker in March is quiet. That should concern you more than if they were loud.
No items found.