active threat profile
type Nation-State
threat_level Critical
status Active
origin Iran — IRGC-CEC linked
last_updated 2026-03-27

Cyber Av3ngers

also known as: CyberAv3ngers; IRGC-CEC persona; Soldiers of Solomon (linked)

A textbook example of Iranian "faketivism" — an IRGC-affiliated operation presenting itself as a pro-Palestinian hacktivist group while executing state-directed attacks on industrial control systems. CISA confirmed the November 2023 water facility campaign as IRGC-affiliated, and the Treasury Department sanctioned six IRGC Cyber-Electronic Command (IRGC-CEC) officials for directing the operation — establishing state control beyond reasonable doubt. The group compromised at least 75 OT devices across multiple US critical infrastructure sectors, including 34 in the water and wastewater sector, by exploiting Unitronics PLCs running on default or no credentials. Claroty's subsequent analysis revealed IOCONTROL — a custom ICS cyberweapon and only the tenth ICS malware family ever documented — deployed against fuel management systems in Israel and the US.

attributed origin Iran — IRGC-CEC (sanctioned)
presentation Pro-Palestinian hacktivist persona (faketivism)
first observed October 2023
primary targets ICS/OT — Water, Energy, Fuel, Manufacturing
devices compromised 75+ OT devices (34 in US water sector)
custom malware IOCONTROL — 10th ICS malware family ever
us gov response 6 IRGC-CEC officials sanctioned — $10M bounty
cisa advisory AA23-335A (Dec 2023, updated Dec 2024)
threat level Critical

Overview

Cyber Av3ngers first surfaced in October 2023 in the aftermath of the October 7 Hamas incursion into Israel, presenting as a pro-Palestinian hacktivist group targeting infrastructure with Israeli-manufactured components. The group's defacement messages — "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target" — were engineered to read as ideologically motivated hacktivist activity. Within weeks, CISA had confirmed IRGC affiliation, and within months, the US Treasury Department had named and sanctioned six specific IRGC Cyber-Electronic Command officials for directing the operations.

The group's initial campaign targeted Unitronics Vision Series programmable logic controllers — Israeli-manufactured PLCs and HMIs commonly used in water and wastewater systems, energy, food and beverage manufacturing, transportation, and healthcare. By exploiting the simplest possible vulnerability — default credentials on internet-facing devices — the group compromised at least 75 devices, including 34 in the US water and wastewater sector, across four separate attack waves between November 2023 and January 2024. The Aliquippa, Pennsylvania Municipal Water Authority attack was the most publicly documented incident, attracting immediate national attention to critical infrastructure security gaps.

Claroty's Team82 subsequently discovered IOCONTROL — a custom IoT/OT cyberweapon extracted from a Gasboy fuel management system compromised by CyberAv3ngers. IOCONTROL is only the tenth ICS-specific malware family ever documented, following Stuxnet, Havex, Industroyer, Triton, BlackEnergy2, Industroyer2, PIPEDREAM, COSMICENERGY, and FrostyGoop. Unlike the Unitronics default-credential exploitation (which required minimal technical sophistication), IOCONTROL represents a purpose-built, modular cyberweapon designed to run across diverse IoT/OT device families from different vendors — indicating a parallel development investment beyond opportunistic credential attacks.

75+: OT devices compromised (Nov 2023–Jan 2024)
34: US water sector devices confirmed
6: IRGC-CEC officials sanctioned
10th: ICS malware family ever documented (IOCONTROL)

The Faketivism Model — Cover vs. Reality

Iranian cyber operations increasingly rely on hacktivist personas to provide plausible deniability for state-directed attacks. CyberAv3ngers is a documented example of this pattern — a state operation running under a hacktivist mask that was ultimately confirmed and sanctioned by the US government.

Claimed Identity
Pro-Palestinian Hacktivist Group

Self-presented as an ideologically motivated collective protesting Israeli actions in Gaza after October 7, 2023. Used activist framing, anti-Israel defacement messages, Telegram channel for public announcement of attacks and screenshots, claimed large-scale disruptions (often exaggerated). Styled communications to match hacktivist collectives. Claimed ransomware ("Crucio") against webcam servers — the majority of these claims were determined to be false by analysts.

Actual Operation
IRGC-CEC State-Directed ICS Campaign

Directed by six sanctioned IRGC Cyber-Electronic Command officials, including Hamid Reza Lashgarian — head of the IRGC-CEC and a commander in the IRGC-Quds Force. Funding and tooling that exceeded typical hacktivist capabilities. Custom-developed IOCONTROL malware — a nation-state cyberweapon. Systematic multi-wave attacks across multiple US critical infrastructure sectors over months. The goal was disruption of critical infrastructure for geopolitical effect, not ideological expression.

IOCONTROL — 10th ICS Malware Family in History

Claroty's Team82 classified IOCONTROL as the tenth malware family ever specifically designed to target Industrial Control Systems — joining Stuxnet, Havex, Industroyer (CrashOverride), Triton/Trisis, BlackEnergy2, Industroyer2, PIPEDREAM (INCONTROLLER), COSMICENERGY, and FrostyGoop. The modular architecture allows IOCONTROL to run on a wide range of IoT and OT device families from different vendors using a single binary. As of December 10, 2024, IOCONTROL had zero detections by any of the 66 antivirus engines on VirusTotal — a stark indicator of its low signature-based detection profile during active deployment.

Target Profile

CyberAv3ngers specifically targeted infrastructure containing Israeli-manufactured components — initially presenting this as ideological targeting but reflecting a strategic mandate to attack critical infrastructure carrying components from a geopolitical adversary.

  • Water and wastewater systems (WWS) — US priority: The primary confirmed victim category in the November 2023–January 2024 campaign. At least 34 US water sector facilities running Unitronics Vision Series PLCs were compromised. The Municipal Water Authority of Aliquippa, Pennsylvania was the most publicly documented single incident. CISA's advisory cited "potential life-safety impact" as a key concern given the role of water treatment PLCs in controlling physical processes.
  • Energy sector: CyberAv3ngers targeted Israeli PLCs used in energy sector applications before expanding to US targets. Unitronics PLCs are widely deployed in energy management and distribution applications globally. CISA noted that energy sector organizations operate HMI-capable Unitronics devices that were within scope of the campaign.
  • Fuel management systems — Israel and US: A parallel campaign targeted Orpak Systems (Israeli-manufactured, widely deployed at Israeli gas stations) and Gasboy fuel control systems (US-manufactured, used at US gas stations). CyberAv3ngers claimed 200 compromised gas stations in Israel and the US. IOCONTROL was embedded in Gasboy's payment terminal (OrPT), giving attackers potential control over fuel dispensing and payment card data exfiltration.
  • Food and beverage manufacturing, transportation, healthcare: CISA's advisory documented CyberAv3ngers activity across these sectors in addition to water/energy, noting that Unitronics PLCs are common across multiple industries. Between November 2023 and January 2024, the group compromised devices across multiple critical infrastructure sectors beyond water.
  • Global scope: The December 2024 CISA advisory update extended documented targeting beyond the US to include international critical infrastructure — consistent with the group's stated mandate of targeting any Israeli-made equipment globally.

Tactics, Techniques & Procedures

CyberAv3ngers' TTPs span a wide capability range — from trivially simple (default credential exploitation) to nation-state level (IOCONTROL custom cyberweapon). The combination reflects a group with both opportunistic and deliberate capability streams operating simultaneously.

  • T1078.001 Valid Accounts: Default Accounts; ICS ATT&CK T0883 (Internet Accessible Device), T0812 (Default Credentials). Unitronics PLC access was the group's primary initial access method in the November 2023 water sector campaign: Vision Series PLCs exposed to the internet on default TCP port 20256 either used the manufacturer's default password or had no password set, and CyberAv3ngers authenticated directly with those credentials. CVE-2023-6448 was subsequently assigned to the default-credential issue; Unitronics released VisiLogic 9.9.00 on December 12, 2023 to remediate it.
  • T1561.001 Disk Content Wipe; ICS ATT&CK T0809 (Data Destruction), T0821 (Modify Controller Tasking). Ladder logic erasure and replacement: beyond defacement, CyberAv3ngers took destructive actions on compromised PLCs, documented in the December 2024 CISA advisory update. They erased the original ladder logic file, deployed custom ladder logic files developed for each device type, renamed devices (likely to forestall owner access), reset software to older versions, disabled upload and download functions, and changed the default port number. With this level of access, deeper device and network access becomes available and physical process impacts become possible.
  • T1565.001 Stored Data Manipulation; ICS ATT&CK T0831 (Manipulation of Control). HMI defacement: compromised Unitronics PLCs displayed the message "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target." The defacement was visible on HMI screens at affected facilities, creating psychological impact for operators and publicly demonstrating ICS access. Screenshots were shared on the CyberAv3ngers Telegram channel.
  • T1571 Non-Standard Port. TCP 20256 (Unitronics default): Vision Series PLCs communicate by default on TCP port 20256, a port that organizations filtering only well-known TCP/UDP ports may neither monitor nor block. The group specifically targeted devices reachable on this port, which also served as a scanning indicator for locating vulnerable Unitronics devices.
  • T1498 Network Denial of Service; ICS ATT&CK T0814 (Denial of Service). Service disruption: the December 2024 CISA update documented that CyberAv3ngers replaced existing ladder logic with custom versions, disabled upload and download functions, and changed port numbers. These actions can deny legitimate operators access to their own devices and disrupt service without necessarily triggering a physical process failure. With control of fuel management payment terminals, the group also had the capability to shut down fuel dispensing.
  • T1071 Application Layer Protocol and T1573 Encrypted Channel; ICS ATT&CK T0869 (Standard Application Layer Protocol). IOCONTROL MQTT-based encrypted C2: IOCONTROL uses MQTT for C2, a lightweight IoT messaging protocol that blends with legitimate IoT device traffic. The malware is stored at /usr/bin/iocontrol and uses a persistence script (S93InitSystemd.sh) to execute at boot, surviving device restarts. C2 traffic is encrypted over the MQTT channel, allowing the group to disguise it and maintain long-term access without disrupting normal device operation. Supported commands include arbitrary OS command execution, system information exfiltration, port scanning, and self-deletion for evasion.
  • T1587.004 Develop Capabilities: Exploits. ChatGPT-assisted exploit development: OpenAI documented that CyberAv3ngers used ChatGPT to assist with cracking PLCs, developing custom bash and Python exploit scripts (the scripts themselves fall under T1059 Command and Scripting Interpreter), and planning post-compromise activity. This is one of the first confirmed cases of an ICS-targeting group using AI assistance for exploit development, and it lowers the technical barrier for producing device-specific exploitation scripts across diverse PLC families.
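The exposure the Unitronics campaign abused is easy to check for on your own networks. The script below is an added example, not code from the profile, from CISA or from Unitronics: it connects to TCP 20256, sends the ASCII PCOM "ID" (identify) request, and validates the reply. The checksum (sum of the ASCII codes of unit id, command and data, modulo 256, as two hex digits) is the documented PCOM ASCII rule; the six-byte PCOM/TCP header layout used here (transaction id, protocol-mode byte 0x65 for ASCII, reserved byte, little-endian length) is an assumption that should be checked against Unitronics' PCOM documentation before the parse is relied on. Host names are supplied by the operator; run it only against infrastructure you are authorized to scan.

```python
"""Added example: probe hosts for Unitronics Vision-series PLCs on TCP 20256
using the PCOM ASCII 'ID' request. Read-only; nothing is written to the PLC."""
import socket
import struct
from typing import Optional

PCOM_PORT = 20256          # Unitronics default PCOM/TCP port cited in AA23-335A
PCOM_ASCII_MODE = 0x65     # assumed protocol-mode byte for ASCII PCOM framing


def pcom_checksum(body: str) -> str:
    """ASCII PCOM checksum: sum of the ASCII codes of unit id + command + data,
    modulo 256, rendered as two upper-case hex digits."""
    return f"{sum(body.encode('ascii')) % 256:02X}"


def build_ascii_request(command: str, unit_id: int = 1, data: str = "", txn: int = 1) -> bytes:
    """Frame an ASCII PCOM command for TCP transport.
    Assumed header: 2-byte transaction id, 1-byte protocol mode, 1 reserved byte,
    2-byte payload length, all little-endian. Payload is '/' + unit id + command
    + data + checksum + CR."""
    body = f"{unit_id:02X}{command}{data}"
    payload = f"/{body}{pcom_checksum(body)}\r".encode("ascii")
    return struct.pack("<HBBH", txn, PCOM_ASCII_MODE, 0, len(payload)) + payload


def parse_ascii_reply(raw: bytes) -> Optional[dict]:
    """Validate a '/A<unit><cmd><data><cs>\\r' reply and return its fields, or
    None if the frame is truncated, malformed, or fails the checksum."""
    if len(raw) < 6:
        return None
    txn, _mode, _reserved, length = struct.unpack("<HBBH", raw[:6])
    payload = raw[6:6 + length]
    if len(payload) != length or not (payload.startswith(b"/A") and payload.endswith(b"\r")):
        return None
    text = payload[2:-1].decode("ascii", errors="replace")
    if len(text) < 6:                      # unit id (2) + command (2) + checksum (2)
        return None
    body, checksum = text[:-2], text[-2:]
    try:
        unit_id = int(body[:2], 16)
    except ValueError:
        return None
    if pcom_checksum(body) != checksum.upper():
        return None
    return {"txn": txn, "unit_id": unit_id, "command": body[2:4], "data": body[4:]}


def probe(host: str, port: int = PCOM_PORT, timeout: float = 3.0) -> dict:
    """Connect, send ID, and classify the host. Network errors are reported, not raised."""
    result = {"host": host, "port": port, "reachable": False, "pcom": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["reachable"] = True
            s.settimeout(timeout)
            s.sendall(build_ascii_request("ID"))
            result["pcom"] = parse_ascii_reply(s.recv(512))
    except OSError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:            # usage: python pcom_probe.py 10.20.1.15 10.20.1.16
        r = probe(host)
        verdict = "UNITRONICS PCOM EXPOSED" if r["pcom"] else ("port open" if r["reachable"] else "closed")
        print(f"{host}:{r['port']} {verdict} {r['pcom'] or r.get('error', '')}")
```

A host that answers the ID request on a routable address is exactly the condition the November 2023 campaign exploited; a host where the port is open but no valid PCOM reply comes back still deserves a look, since the advisory also notes the group changed default port numbers on devices it controlled.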

Known Campaigns

Documented operations from CyberAv3ngers' confirmed activity period, reflecting the shift from opportunistic PLC defacement to custom malware development.

Unitronics ICS Campaign — US Water and Multi-Sector (Nov 2023–Jan 2024)

Beginning November 22, 2023, CyberAv3ngers accessed multiple US water and wastewater facilities running Unitronics Vision Series PLCs via default credentials on internet-exposed devices communicating on default TCP port 20256. Four separate attack waves were documented through January 2024. At least 75 devices were compromised — 34 confirmed in the US water sector, with additional victims in energy, food and beverage manufacturing, transportation, and healthcare. The Aliquippa, Pennsylvania Municipal Water Authority was publicly disclosed as a victim. Defacement messages were displayed on HMI screens. The December 2024 CISA update added that the group also developed custom ladder logic files for each device type and erased original ladder logic — capabilities that could have caused physical process disruptions beyond defacement. Multiple US states reported affected facilities.

Israel Sector Targeting — Water, Energy, Shipping, Distribution (Oct–Nov 2023)

CyberAv3ngers targeted Israeli PLCs across the water, energy, shipping, and distribution sectors from October 2023 — consistent with the stated mandate of attacking "made in Israel" equipment. The majority of claims about successful Israeli infrastructure disruption during this period were assessed by analysts as false or exaggerated, but the targeting pattern and some confirmed incidents established the group's operational focus on Israeli-manufactured OT equipment across multiple economic sectors. The Telegram channel was used to post screenshots and claimed evidence of access.

Fuel Management Systems — Orpak and Gasboy (Oct 2023–Jan 2024, relaunched Jul–Aug 2024)

A parallel campaign targeting Orpak Systems fuel management devices (Israeli-manufactured, widely deployed at Israeli gas stations) and Gasboy fuel control systems (US-manufactured). CyberAv3ngers claimed 200 compromised gas stations in Israel and the US, sharing screenshots of management portals on Telegram. Claroty analyzed IOCONTROL extracted from a Gasboy payment terminal — finding the malware embedded inside the OrPT payment terminal component, giving the group potential control of fuel dispensing and access to payment card data. VirusTotal samples indicate the group relaunched the fuel management campaign in July and August 2024. Claroty also documented a CyberAv3ngers script specifically designed to brick Orpak systems.

IOCONTROL Global ICS/IoT Campaign (2024–ongoing)

Claroty's Team82 documented IOCONTROL — a custom, modular ICS/IoT cyberweapon — deployed against a range of devices beyond Unitronics PLCs, including IP cameras, routers, HMIs, firewalls, and OT platforms from vendors including Baicells, D-Link, Hikvision, Red Lion, Phoenix Contact, Teltonika, and Unitronics. IOCONTROL uses MQTT for encrypted C2, boots persistently via S93InitSystemd.sh, and supports arbitrary OS command execution, port scanning, and self-deletion. As of December 10, 2024, IOCONTROL was undetected by all 66 VirusTotal antivirus engines — remaining essentially invisible to signature-based detection during its active deployment period. The December 2024 CISA advisory update incorporated new TTPs from these broader ICS-targeted campaigns.

Tools & Malware

CyberAv3ngers deployed both trivial credential exploitation techniques and purpose-built nation-state malware — reflecting a group with both opportunistic and deliberate capability streams.

  • IOCONTROL (custom ICS cyberweapon): Claroty's designation for the CyberAv3ngers custom malware extracted from Gasboy fuel management systems. The 10th ICS-specific malware family ever documented. Modular Linux-based binary stored in /usr/bin/iocontrol, designed to run on multiple IoT/OT device architectures from a single configurable codebase. Persistence via the S93InitSystemd.sh boot script (survives device restarts). MQTT C2 with encrypted communications that blend with legitimate IoT device traffic. Supported commands: arbitrary OS command execution, system information exfiltration to C2, port scanning, self-deletion. Also known as OrpaCrab (QiAnXin XLab designation, first detected February 2024). Claroty reported zero detections by the 66 VirusTotal antivirus engines as of December 10, 2024.
  • Custom ladder logic files (Unitronics PLC): The December 2024 CISA advisory documented that CyberAv3ngers developed custom ladder logic files for each Unitronics device type they compromised — replacing the original logic files. Ladder logic controls physical processes in PLCs. Replacement with attacker-controlled logic creates the potential for physical process manipulation beyond defacement.
  • CVE-2023-6448 (Unitronics default credentials): The assigned CVE number for the hardcoded/default credentials vulnerability in Unitronics Vision Series PLCs exploited during the November 2023 campaign. CISA added CVE-2023-6448 to its Known Exploited Vulnerabilities catalog on December 11, 2023. Unitronics released VisiLogic 9.9.00 on December 12, 2023 to address it.
  • Crucio ransomware (claimed): CyberAv3ngers claimed to use "Crucio" ransomware against webcam servers. Analysts assessed the majority of these claims as false — the ransomware capability was not confirmed in the same way as the PLC and fuel system compromises.
  • Orpak bricking script: Claroty documented a dedicated CyberAv3ngers script specifically designed to permanently brick Orpak fuel management systems — rendering them inoperable rather than merely accessing or exfiltrating data. This destructive capability represents a significant escalation beyond reconnaissance or defacement.
  • ChatGPT (AI-assisted development): OpenAI documented CyberAv3ngers using ChatGPT for PLC cracking research, developing bash and Python exploit scripts for specific device types, and planning post-compromise activity sequences. This AI-assisted development approach accelerates the group's ability to develop device-specific exploitation capability across diverse OT device families without deep per-device expertise.

Indicators of Compromise

IOC Currency — Original CISA IOCs Removed as Outdated

The December 2024 CISA advisory update explicitly removed the original December 2023 IOCs as outdated. Organizations should consult the current CISA advisory AA23-335A for the most current indicators. The behavioral IOCs below are persistent detection patterns independent of specific IP or hash rotation.

Indicators of Compromise — IOCONTROL and Unitronics Campaigns

  • file path: /usr/bin/iocontrol — IOCONTROL binary on compromised Linux-based IoT/OT devices
  • persistence: S93InitSystemd.sh — boot persistence script deployed with IOCONTROL to survive device restarts
  • protocol: MQTT traffic from OT/IoT devices to an external IP — IOCONTROL C2 channel
  • defacement: "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target." — PLC/HMI screen text
  • network: Unitronics Vision Series PLC reachable externally on TCP port 20256 — default exposed port
  • c2 domain: tylarion867mino[.]com — domain registered in conjunction with Orpak attack infrastructure (Claroty)
  • behavior: PLC ladder logic file erasure/replacement, device renaming, and software version downgrade on Unitronics devices
  • behavior: upload/download functions disabled and default port numbers changed on compromised Unitronics PLCs
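The two network indicators above (internet sources reaching a Unitronics PLC on TCP 20256, and an OT device opening MQTT to a broker that is not its own) can be checked mechanically against connection logs. The following is an added example written for this profile, not a detection from CISA or Claroty: it parses a handful of constructed Zeek-style conn.log records and applies both rules. The asset inventory, broker allowlist and the documentation-range addresses (203.0.113.x, 198.51.100.x) standing in for internet hosts are all constructed for the example.

```python
"""Added example: behavioural detection for the two network IOCs in this profile,
run over constructed Zeek-style conn.log records."""
import ipaddress
from typing import Dict, List

# Constructed inventory and allowlist (not from the advisory).
OT_ASSETS = {"10.20.1.15", "10.20.1.16", "10.20.1.40"}     # PLCs / IoT devices
MQTT_ALLOWLIST = {"10.20.1.200"}                             # the plant's own broker
PCOM_PORT = 20256
MQTT_PORTS = {1883, 8883}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed conn records: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1700000001.1\t203.0.113.45\t51234\t10.20.1.15\t20256\ttcp
1700000002.2\t10.20.5.7\t40100\t10.20.1.15\t20256\ttcp
1700000003.3\t10.20.1.40\t44321\t10.20.1.200\t1883\ttcp
1700000004.4\t10.20.1.40\t44322\t198.51.100.9\t8883\ttcp
1700000005.5\t10.20.1.16\t33333\t198.51.100.9\t443\ttcp
"""


def is_external(ip: str) -> bool:
    """Anything outside RFC 1918 space counts as internet. ipaddress.is_global is
    avoided on purpose: it classifies the documentation ranges used above as
    non-global, which would silently hide the first sample record."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def parse_conn_log(text: str) -> List[Dict]:
    """Minimal tab-separated parser; '#' lines are Zeek header/metadata."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")
        records.append({"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
                        "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto})
    return records


def detect(records: List[Dict]) -> List[Dict]:
    alerts = []
    for r in records:
        if r["proto"] != "tcp":
            continue
        # Rule 1: internet source reaching a known OT asset on the PCOM port.
        if r["resp_h"] in OT_ASSETS and r["resp_p"] == PCOM_PORT and is_external(r["orig_h"]):
            alerts.append({"rule": "external-pcom-access", "ts": r["ts"],
                           "src": r["orig_h"], "dst": r["resp_h"], "severity": "critical"})
        # Rule 2: OT asset opening MQTT to a broker not on the allowlist. An
        # unexpected internal broker is still worth a ticket, hence 'high'.
        if r["orig_h"] in OT_ASSETS and r["resp_p"] in MQTT_PORTS and r["resp_h"] not in MQTT_ALLOWLIST:
            alerts.append({"rule": "ot-mqtt-egress", "ts": r["ts"],
                           "src": r["orig_h"], "dst": r["resp_h"],
                           "severity": "critical" if is_external(r["resp_h"]) else "high"})
    return alerts


def run_sample() -> List[Dict]:
    return detect(parse_conn_log(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the first record (an internet host reaching a PLC on 20256) and the fourth (a PLC opening MQTT over 8883 to an unlisted internet broker) fire; the internal engineering-station connection and the connection to the plant's own broker do not. Rule 2 depends entirely on the allowlist being complete, which is why the mitigation section asks for an inventory of legitimate MQTT endpoints first.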

Mitigation & Defense

The primary defensive control against the CyberAv3ngers Unitronics campaign was straightforward — remove default credentials and eliminate internet exposure of OT devices. The IOCONTROL campaign requires more sophisticated OT network monitoring.

  • Change all PLC and HMI default credentials immediately: The November 2023 campaign succeeded because Unitronics PLCs were deployed with the manufacturer's default password or no password. Every OT device connected to a network — including air-gapped-adjacent devices — must have unique, strong credentials. CISA strongly urges replacing all default passwords on PLCs and HMIs as a non-negotiable baseline. CVE-2023-6448 was the assigned vulnerability for the hardcoded credentials issue; update Unitronics devices to VisiLogic 9.9.00 or later.
  • Eliminate direct internet exposure for all OT devices: PLCs, HMIs, and other OT devices should never be directly reachable from the public internet. Place OT devices behind firewalls, NAT, or dedicated OT security platforms. Restrict access to engineering and operator stations via VPN or jumpbox with MFA. Verify that OT device management interfaces are not accessible externally by scanning your own infrastructure with tools like Shodan.
  • Block non-standard ports at the perimeter: Unitronics PLCs communicate on TCP port 20256 by default. Blocking outbound and inbound connections on non-standard ports used by OT devices at the network perimeter prevents external scanning and access attempts. Change the default port on deployed Unitronics devices and ensure the new port is similarly restricted.
  • Monitor for MQTT traffic from OT devices: IOCONTROL uses MQTT for C2 — a protocol that OT devices and IoT sensors may legitimately use but that warrants monitoring when used for external communications. Alert on any OT device establishing MQTT connections to external internet addresses not in an approved allowlist. Inventory all legitimate external MQTT endpoints for your deployed OT environment as a baseline.
  • Integrity monitoring for PLC ladder logic: Implement baseline captures of current ladder logic files on all deployed PLCs. Alert on any unauthorized changes to ladder logic — including file erasure, replacement, or version changes. OT security platforms (Claroty, Dragos, Nozomi Networks) provide this capability at scale for complex OT environments. For smaller deployments, regular manual verification schedules are preferable to no verification.
  • Monitor Telegram and open-source intelligence: CyberAv3ngers announced attacks on Telegram before and after compromising devices, posting screenshots of management portals. Organizations in the water, energy, fuel, and manufacturing sectors with Unitronics or Israeli-manufactured OT components should monitor relevant Telegram channels and threat intelligence feeds for early warning of targeting. The group's operational announcements have preceded confirmed compromises in documented cases.
  • Apply the CISA AA23-335A mitigations: The December 2024 update to CISA advisory AA23-335A includes comprehensive, current mitigations revised for the newly observed TTPs. Organizations in water, energy, food and beverage, transportation, or healthcare with internet-connected OT devices should treat the advisory as a baseline requirement rather than optional guidance. It was jointly issued by CISA, FBI, NSA, EPA, and partner agencies.
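The ladder-logic integrity check described above (baseline the logic on every PLC, alert on erasure, replacement or version change) needs no OT platform to get started. The script below is an added example, not tooling from CISA, Claroty or any vendor: it hashes every file in an archive of PLC project uploads (one subdirectory per device, assumed to be refreshed by the engineering workstation on a schedule), stores the baseline as JSON, and reports added, removed and modified files on the next run. The two sample snapshots and the .vlp file names are constructed for the example.

```python
"""Added example: SHA-256 baseline and diff for an archive of PLC project uploads."""
import hashlib
import json
from pathlib import Path
from typing import Dict, List, Mapping


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_from_bytes(files: Mapping[str, bytes]) -> Dict[str, str]:
    """Map relative path -> SHA-256. Takes an in-memory mapping so the logic can be
    exercised without a filesystem; baseline_from_dir() feeds it real files."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def baseline_from_dir(root: str) -> Dict[str, str]:
    """Hash every regular file under root. No extension filter on purpose: a file
    an attacker drops under an unexpected name must still show up as 'added'."""
    base = Path(root)
    return baseline_from_bytes({str(p.relative_to(base)): p.read_bytes()
                                for p in base.rglob("*") if p.is_file()})


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def has_changes(diff: Dict[str, List[str]]) -> bool:
    return any(diff.values())


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: str) -> Dict[str, str]:
    return json.loads(Path(path).read_text())


# Constructed sample: two PLC project uploads, then one is swapped for attacker
# logic and an extra file appears (the erase-and-replace pattern in the advisory).
CONSTRUCTED_BEFORE = {
    "plc-clearwell-01/project.vlp": b"ladder logic v1 clearwell",
    "plc-chlorinator-02/project.vlp": b"ladder logic v1 chlorinator",
}
CONSTRUCTED_AFTER = {
    "plc-clearwell-01/project.vlp": b"ladder logic v1 clearwell",
    "plc-chlorinator-02/project.vlp": b"ATTACKER LOGIC",
    "plc-chlorinator-02/new.vlp": b"extra file",
}


def run_sample() -> Dict[str, List[str]]:
    return compare(baseline_from_bytes(CONSTRUCTED_BEFORE), baseline_from_bytes(CONSTRUCTED_AFTER))


if __name__ == "__main__":
    import sys
    # usage: plc_baseline.py init baseline.json /archive   |   plc_baseline.py check baseline.json /archive
    if len(sys.argv) == 4 and sys.argv[1] in ("init", "check"):
        mode, baseline_path, archive = sys.argv[1:]
        if mode == "init":
            save_baseline(baseline_from_dir(archive), baseline_path)
        else:
            print(json.dumps(compare(load_baseline(baseline_path), baseline_from_dir(archive)), indent=2))
    else:
        print(json.dumps(run_sample(), indent=2))
```

The diff output maps directly onto the behaviours in the advisory: a "modified" project file is the ladder-logic replacement, a "removed" one is the erasure, and an "added" one is something the attacker left behind. Keep the baseline file and the archive on a host the PLC network cannot write to, since an attacker who has already changed the logic on the device should not be able to re-baseline it.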

Analyst Note

The CyberAv3ngers case is significant not primarily for the sophistication of the attacks — exploiting default credentials is technically trivial — but for what it confirms about Iran's cyber strategy. The US government's rapid attribution and sanction of named IRGC-CEC officials establishes that state responsibility for "hacktivist" OT attacks is documentable and actionable. Google Mandiant's John Hultquist framed the strategic intent clearly: the primary goal of these attacks is psychological — to create fear about the reliability of critical infrastructure — and they achieve that effect even when they fail to cause operational disruption. IOCONTROL's development as a custom, modular ICS cyberweapon (the 10th such family in history) demonstrates that the IRGC-CEC is investing in durable OT attack capability beyond opportunistic credential exploitation. The group's use of ChatGPT for exploit scripting and device research is a documented, confirmed case of adversarial AI use for ICS targeting — a precedent that industrial defenders need to plan for as a normalized capability rather than an emerging concern.
