Iran-Linked CyberAv3ngers Sets Sights on Water Utilities and Industrial Controllers

Originally published by Cybersecurity News (cybersecuritynews.com), by Blog Writer.

An Iran-backed cyber threat group called CyberAv3ngers has grown from a noise-making hacktivist outfit into a serious threat targeting critical infrastructure across the United States.

The group, formally connected to Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), has been operating since at least 2020 and has steadily sharpened its tools and techniques with each new campaign.

On April 7, 2026, a joint advisory signed by six U.S. agencies — including the FBI, CISA, NSA, EPA, Department of Energy, and Cyber Command — confirmed that Iranian-affiliated actors are actively exploiting internet-facing programmable logic controllers (PLCs) across water and wastewater systems, energy infrastructure, and government facilities.

The advisory, designated AA26-097A, documented real operational disruption and financial losses at multiple U.S. organizations.

The agencies directly linked this activity to CyberAv3ngers, also tracked as Storm-0784 by Microsoft, Bauxite by Dragos, and UNC5691 by Mandiant.

CyberAv3ngers’ formal attribution to Iran’s IRGC-CEC, illustrating the group’s state-directed operational structure and sanctioned leadership.

Tenable researchers noted that the group’s progression reflects a calculated, step-by-step capability build-up. In late 2023, CyberAv3ngers compromised at least 75 Unitronics Vision Series PLCs across the U.S., United Kingdom, and Ireland by exploiting factory-default passwords on internet-exposed devices.

The Municipal Water Authority of Aliquippa, Pennsylvania became one of the most visible victims — its PLC was reachable from the open internet with no authentication gateway protecting it. In Ireland, a separate attack left residents without running water for several days.

By mid-2024, the group introduced IOCONTROL, a custom-built malware platform designed for Linux-based IoT and operational technology environments.

Then in early 2026, CyberAv3ngers shifted to Rockwell Automation Logix controllers, exploiting CVE-2021-22681 — a critical authentication bypass flaw with a CVSS score of 9.8.

This vulnerability lets an attacker who intercepts a single cryptographic key connect to affected PLCs without valid credentials.

Rockwell Automation has confirmed that no software patch exists for it, and affected controller families include CompactLogix, ControlLogix, GuardLogix, DriveLogix, and SoftLogix.

In February 2024, the U.S. Treasury sanctioned six IRGC-CEC officials tied to CyberAv3ngers, and the State Department is offering up to ten million dollars for information on the group.

Despite this, the group keeps operating — a new channel called “Cyber4vengers” surfaced in January 2026 after a prior one was removed.

The group’s ICS exploitation techniques have since spread to roughly 60 affiliated hacktivist groups, creating a threat that no single takedown can neutralize.

IOCONTROL is the most technically advanced tool in CyberAv3ngers’ current arsenal. The malware is modular and runs on a wide range of Linux-based devices — routers, HMIs, IP cameras, firewalls, and fuel management systems from vendors including D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.

Claroty’s Team82 described it as a nation-state cyberweapon built to target civilian critical infrastructure. It was previously tracked as OrpraCab and QueueCat before being formally identified under the IOCONTROL designation in 2024.

IOCONTROL’s command-and-control architecture showing MQTT over TLS on port 8883 and DNS-over-HTTPS for domain resolution, enabling the malware to blend into legitimate IoT network traffic.

What makes IOCONTROL particularly hard to catch is how well it blends into normal network traffic. It uses the MQTT protocol over TLS on port 8883 — a standard IoT communication channel — to reach its command-and-control server.

It also resolves its command-and-control domains over DNS-over-HTTPS, so DNS monitoring that relies on inspecting plaintext queries on port 53 never sees the lookups.

The malware stores its configuration data encrypted with AES-256-CBC, installs itself as a systemd boot script so it survives reboots, and can execute system commands, scan ports, or delete itself on demand.

Organizations running Rockwell Automation Logix or Unitronics PLCs should disconnect those devices from the public internet immediately. Since no patch exists for CVE-2021-22681, network segmentation and engineering workstation isolation are the primary defenses.

Physical mode switches should be set to “Run” to block remote logic changes. All PLC configurations must be backed up offline on secured media. Remote tools like TeamViewer or AnyDesk should be replaced with enterprise VPN solutions that enforce multifactor authentication.

Security teams should alert on MQTT over TLS traffic on port 8883 and DNS-over-HTTPS activity from OT network segments, and ingest all indicators of compromise from CISA Advisory AA26-097A into SIEM and firewall platforms without delay.
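The two network detections recommended above, worked through as an added example (not code from the advisory or the article): a small Python routine that scans constructed Zeek-style conn.log rows and flags OT-origin flows to TCP/8883 (MQTT over TLS) and HTTPS flows to known DoH resolvers. The OT address range, the sample rows and the resolver list are all constructed placeholders.

```python
import ipaddress

# Constructed: this site's OT/ICS address ranges (assumption for the example).
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Placeholder: DNS-over-HTTPS resolver addresses the defender maintains;
# filled here with documentation-range addresses, not real resolvers.
DOH_RESOLVERS = {"203.0.113.53", "198.51.100.53"}

# Constructed Zeek conn.log-style rows: ts, src, sport, dst, dport, proto, service
SAMPLE_CONN_LOG = """\
1712480000.1\t10.20.5.17\t49211\t203.0.113.80\t8883\ttcp\tssl
1712480001.4\t10.20.5.17\t49212\t203.0.113.53\t443\ttcp\tssl
1712480002.0\t10.1.3.9\t51002\t203.0.113.80\t8883\ttcp\tssl
1712480003.7\t10.20.7.2\t40000\t10.20.7.1\t502\ttcp\tmodbus
1712480004.2\t10.20.5.17\t49213\t198.51.100.7\t443\ttcp\tssl
"""


def _in_ot(ip):
    """True when the address falls inside one of the OT segments."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)


def detect_ot_c2_candidates(conn_log, doh_resolvers=DOH_RESOLVERS):
    """Return (rule, src, dst, dport) tuples for OT-origin TCP flows that
    match the two behaviours: MQTT-over-TLS on 8883, and HTTPS to a
    known DoH resolver. Flows from non-OT hosts are ignored."""
    alerts = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        _ts, src, _sport, dst, dport, proto, _service = line.split("\t")
        if proto != "tcp" or not _in_ot(src):
            continue
        if dport == "8883":
            alerts.append(("mqtt_tls_from_ot", src, dst, 8883))
        elif dport == "443" and dst in doh_resolvers:
            alerts.append(("doh_from_ot", src, dst, 443))
    return alerts


if __name__ == "__main__":
    for alert in detect_ot_c2_candidates(SAMPLE_CONN_LOG):
        print(*alert)
```

Matching DoH only by resolver address catches known resolvers; pair it with an alert on any TLS flow from OT hosts to destinations outside the engineering allowlist, since a PLC or HMI rarely has a legitimate reason to talk to arbitrary internet hosts.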
