🇮🇷
Cyber Av3ngers
APT Group
Sabotage and destruction
6 zero-day CVEs
ETDA ✓
Also Known As
No alias recorded
Target Countries 7
Czech Republic
Germany
United Kingdom
Israel
Romania
Ukraine
United States
Sectors Targeted
Public Administration (NAICS 92)
Grantmaking and Giving Services (NAICS 8132)
NAICS 48
Food Manufacturing (NAICS 311)
Internet Publishing and Broadcasting and Web Search Portals (NAICS 51913)
Health Care and Social Assistance (NAICS 62)
Oil and Gas Extraction (NAICS 211)
Utilities (NAICS 22)
Other Services (except Public Administration) (NAICS 81)
NAICS 31
National Security and International Affairs (NAICS 9281)
Details
Origin: 🇮🇷 IR
Last Updated: 13 Apr 2026
Malware Families 1
elf.iocontrol
MITRE ATT&CK 58
T1005 - Data from Local System
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027 - Obfuscated Files or Information
T1027.002 - Software Packing
T1036 - Masquerading
T1046 - Network Service Scanning
T1053.003 - Cron
T1056 - Input Capture
T1056.001 - Keylogging
T1059 - Command and Scripting Interpreter
T1059.004 - Unix Shell
T1070.004 - File Deletion
T1071 - Application Layer Protocol
T1071.001
T1074
T1078 - Valid Accounts
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1102 - Web Service
T1102.002 - Bidirectional Communication
T1104 - Multi-Stage Channels
T1105 - Ingress Tool Transfer
T1110 - Brute Force
T1113 - Screen Capture
T1114 - Email Collection
T1132 - Data Encoding
T1133 - External Remote Services
T1140 - Deobfuscate/Decode Files or Information
T1176 - Browser Extensions
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1192 - Spearphishing Link
T1204 - User Execution
T1491 - Defacement
T1497 - Virtualization/Sandbox Evasion
T1499 - Endpoint Denial of Service
T1547.006 - Kernel Modules and Extensions
T1555 - Credentials from Password Stores
T1555.001 - Keychain
T1555.003 - Credentials from Web Browsers
T1560 - Archive Collected Data
T1566 - Phishing
T1566.002
T1571 - Non-Standard Port
T1572 - Protocol Tunneling
T1583 - Acquire Infrastructure
T1583.001 - Domains
T1583.003 - Virtual Private Server
T1584 - Compromise Infrastructure
T1587 - Develop Capabilities
T1587.001 - Malware
T1588 - Obtain Capabilities
T1589 - Gather Victim Identity Information
T1590 - Gather Victim Network Information
T1591 - Gather Victim Org Information
T1592 - Gather Victim Host Information
T1595 - Active Scanning