Iranian-affiliated threat cluster CL-STA-1128 (overlapping with Cyber Av3ngers and Storm-0784) has escalated targeting of Rockwell Automation FactoryTalk software and Allen-Bradley PLCs following Operation Epic Fury, with Palo Alto Networks Cortex and NGFW management interfaces also identified as targeting vectors for visibility impairment. The mid-April 2026 restoration of Iran’s domestic internet connectivity expands the available operator pool and signals likely increased operational tempo. Organizations in energy, utilities, food processing, and financial services with internet-connected OT assets face elevated risk of destructive attack.