An Iran-linked cyber threat group known as CyberAv3ngers has escalated its capabilities, evolving from a disruptive hacktivist entity to a significant threat targeting critical infrastructure across the United States. Officially associated with Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), the group has been active since at least 2020, demonstrating a consistent improvement in its operational tools and techniques with each new campaign.
Confirmation of these activities arrived on April 7, 2026, through a joint advisory issued by six major U.S. agencies, including the FBI, CISA, NSA, EPA, Department of Energy, and Cyber Command. The advisory, designated AA26-097A, explicitly stated that Iranian-affiliated actors are actively exploiting internet-facing programmable logic controllers (PLCs) within vital sectors such as water and wastewater systems, energy infrastructure, and government facilities. The report detailed documented instances of real operational disruptions and associated financial losses experienced by multiple U.S. organizations, directly attributing this malicious activity to CyberAv3ngers. The group is also tracked by other cybersecurity entities under different monikers, including Storm-0784 by Microsoft, Bauxite by Dragos, and UNC5691 by Mandiant.
Tenable researchers have observed CyberAv3ngers’ progression as a calculated, phased development of capabilities. In late 2023, the group successfully compromised at least 75 Unitronics Vision Series PLCs located in the U.S., United Kingdom, and Ireland. This was achieved by exploiting readily available factory-default passwords on devices accessible via the internet. The Municipal Water Authority of Aliquippa, Pennsylvania, emerged as one of the more prominent victims, with its PLC reportedly exposed to the open internet without any authentication gateway in place. In a separate incident in Ireland, a similar attack led to a prolonged disruption of water services for residents, lasting several days.
By mid-2024, CyberAv3ngers introduced IOCONTROL, a custom-developed malware platform specifically engineered for Linux-based Internet of Things (IoT) and operational technology (OT) environments. This marked a significant advancement in their toolkit. Most recently, in early 2026, the group shifted its focus to Rockwell Automation Logix controllers. Exploiting CVE-2021-22681, a critical authentication bypass vulnerability with a high CVSS score of 9.8, allowed attackers to connect to affected PLCs without requiring valid credentials by intercepting a single cryptographic key. Rockwell Automation has verified that no software patch is available for this specific vulnerability, impacting controller families such as CompactLogix, ControlLogix, GuardLogix, DriveLogix, and SoftLogix.
In response to these escalating threats, the U.S. Treasury sanctioned six IRGC-CEC officials linked to CyberAv3ngers in February 2024. The State Department has also announced a reward of up to ten million dollars for information leading to the disruption of the group’s operations. Despite these measures, CyberAv3ngers continues to operate. A new communication channel under the name “Cyber4vengers” surfaced in January 2026, following the removal of a previous channel. Furthermore, the group’s methods for exploiting industrial control systems (ICS) have reportedly been diffused among approximately 60 affiliated hacktivist groups, creating a complex threat landscape that is difficult to neutralize through single actions.
IOCONTROL: Built to Hide Inside Industrial Networks
IOCONTROL represents the most technically sophisticated tool currently in CyberAv3ngers’ arsenal. This modular malware is designed to operate on a broad spectrum of Linux-based devices, including routers, Human-Machine Interfaces (HMIs), IP cameras, firewalls, and fuel management systems from various vendors such as D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics. Claroty’s Team82 has characterized IOCONTROL as a nation-state cyberweapon specifically developed to target civilian critical infrastructure. Prior to its formal designation as IOCONTROL in 2024, it was tracked under the names OrpraCab and QueueCat.
A key attribute of IOCONTROL’s effectiveness lies in its ability to blend seamlessly with legitimate network traffic, making it exceptionally challenging to detect. The malware employs the MQTT protocol over TLS on port 8883, a common communication channel for IoT devices, to establish a connection with its command-and-control (C2) server. Additionally, it utilizes DNS-over-HTTPS for resolving C2 domain names, thereby circumventing standard network monitoring tools. Its configuration data is safeguarded through AES-256-CBC encryption, and it installs itself as a systemd boot script to ensure persistence across device reboots. The malware possesses the capability to execute system commands, perform port scanning, and self-delete upon command.
Organizations that utilize Rockwell Automation Logix or Unitronics PLCs are strongly advised to immediately disconnect these devices from the public internet. As no patch is available for the CVE-2021-22681 vulnerability, primary defenses should focus on network segmentation and isolating engineering workstations. Implementing physical mode switches set to “Run” can help prevent unauthorized remote logic modifications. It is imperative that all PLC configurations are backed up offline on secure media. Remote access tools like TeamViewer or AnyDesk should be replaced with enterprise VPN solutions that enforce multifactor authentication. Security teams are urged to monitor for MQTT over TLS traffic on port 8883 and DNS-over-HTTPS activity originating from OT network segments. Ingesting all indicators of compromise from CISA Advisory AA26-097A into SIEM and firewall platforms without delay is a critical step in bolstering defenses against these ongoing threats.
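A small detection routine for the two network behaviours the article attributes to IOCONTROL, as an added example that is not part of the advisory or of Tenable's or Claroty's material: it walks constructed Zeek-style flow records and flags traffic leaving an assumed OT segment that uses MQTT over TLS on TCP/8883 or DNS-over-HTTPS (identified by a well-known resolver SNI or a `/dns-query` URI). The OT subnet, the DoH watchlist and all sample records are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed OT address space; replace with the site's real segments.
OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]
# Non-exhaustive watchlist of public DoH endpoints (well-known resolvers).
DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample records: src dst dst_port proto tls_sni http_uri ("-" = absent)
SAMPLE_FLOWS = [
    "10.50.3.21 203.0.113.10 8883 tcp - -",             # OT host -> external MQTT/TLS
    "10.50.3.21 1.1.1.1 443 tcp cloudflare-dns.com -",   # DoH recognised by SNI
    "10.50.7.5 192.0.2.44 443 tcp - /dns-query",         # DoH recognised by URI path
    "10.50.3.21 10.50.1.2 502 tcp - -",                  # Modbus inside OT, expected
    "192.168.9.4 203.0.113.10 8883 tcp - -",             # corporate host, out of scope
]


def parse_flow(line: str) -> Dict[str, object]:
    """Split one whitespace-separated record into typed fields."""
    src, dst, port, proto, sni, uri = line.split()
    return {"src": src, "dst": dst, "port": int(port), "proto": proto,
            "sni": None if sni == "-" else sni, "uri": None if uri == "-" else uri}


def in_ot(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OT_SEGMENTS)


def classify(flow: Dict[str, object]) -> Optional[str]:
    """Return a finding label for OT-egress flows matching the article's indicators."""
    # Only traffic that originates in OT and leaves OT is of interest here.
    if not in_ot(flow["src"]) or in_ot(flow["dst"]):
        return None
    if flow["proto"] == "tcp" and flow["port"] == 8883:
        return "mqtt-tls-egress"
    uri = flow["uri"] or ""
    if flow["port"] == 443 and (flow["sni"] in DOH_SNI or uri.startswith("/dns-query")):
        return "doh-egress"
    return None


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over raw records and collect (src, dst, finding) triples."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict:
            hits.append((flow["src"], flow["dst"], verdict))
    return hits
```

Either finding on its own is only a lead for triage; MQTT/TLS or DoH from an OT segment still has to be checked against the asset inventory and a sanctioned-traffic baseline before it is treated as IOCONTROL activity.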