
CyberAv3ngers

Also known as: BAUXITE, Cyber Av3ngers, CyberAv3ngers, shahid_kaveh_group, Soldiers of Soloman, storm_0784, unc5691

CyberAv3ngers is an Iranian threat actor active since at least 2023 and assessed to operate under, or in coordination with, the Islamic Revolutionary Guard Corps (IRGC), specifically the IRGC Cyber Electronic Command (CEC). The group is also described as the IRGC-CEC's industrial-control-system arm, operating under hacktivist branding for deniability. Reported aliases include Shahid Kaveh Group, Storm-0784, Bauxite, and UNC5691.

The group focuses on operational technology (OT) and industrial control systems (ICS): programmable logic controllers (PLCs), internet-exposed industrial devices, and HMI/SCADA environments. Reported targeting includes water and wastewater systems, energy facilities, government services and facilities, and other critical infrastructure in the United States, Israel, Ireland, and elsewhere. Reporting states that CyberAv3ngers previously compromised at least 75 Unitronics Vision Series PLCs, including those of U.S. water and wastewater entities, and links the group to exploitation of Rockwell Automation/Allen-Bradley PLCs since at least March 2026.

Observed activity includes defacement of Israeli-made digital control panels at multiple U.S. water treatment facilities in Pennsylvania in 2023; access to Unitronics devices through default administrative passwords; exploitation of internet-facing PLCs and industrial control devices; manipulation of HMI/SCADA display data; extraction of PLC project configuration files; and disruptive activity affecting water infrastructure. Reporting also notes abuse of Rockwell Automation FactoryTalk software and use of Rockwell Studio 5000 Logix Designer to connect to exposed PLCs. Multiple sources characterize the group's trajectory as a move from hacktivist posturing to confirmed state-linked, OT-focused operations.

The group has also publicly claimed operations against Israeli infrastructure, including Noga, Dorad, Mekorot, and ORPAK, though one analysis concludes that the Dorad claim reused older leaked material and did not reflect new unauthorized access. Reporting further states that CyberAv3ngers has targeted water infrastructure across the region, and that U.S. authorities linked similar PLC-targeting activity in 2026 to Iranian-affiliated actors previously tracked as CyberAv3ngers.


MITRE ATT&CK

Tradecraft

37 distinct techniques observed across reporting, grouped by tactic.

Coverage: 12 of 15 tactics, 43 technique entries. ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (1 technique)
  T1595 Active Scanning

TA0001 Initial Access (4 techniques)
  T1078 Valid Accounts ×5
  T1078.001 Default Accounts ×4
  T1190 Exploit Public-Facing Application ×8
  T1195 Supply Chain Compromise
  T1566 Phishing

TA0002 Execution (2 techniques)
  T1059 Command and Scripting Interpreter
  T1106 Native API ×2

TA0003 Persistence (2 techniques)
  T1037 Boot or Logon Initialization Scripts
  T1078 Valid Accounts ×5
  T1078.001 Default Accounts ×4

TA0004 Privilege Escalation (3 techniques)
  T1037 Boot or Logon Initialization Scripts
  T1068 Exploitation for Privilege Escalation
  T1078 Valid Accounts ×5
  T1078.001 Default Accounts ×4

TA0005 Stealth (3 techniques)
  T1070 Indicator Removal
  T1078 Valid Accounts ×5
  T1078.001 Default Accounts ×4
  T1140 Deobfuscate/Decode Files or Information

TA0006 Credential Access (1 technique)
  T1110 Brute Force ×2

TA0007 Discovery (3 techniques)
  T1046 Network Service Discovery ×5
  T1082 System Information Discovery
  T1654 Log Enumeration

TA0008 Lateral Movement (2 techniques)
  T1021 Remote Services ×6
  T1210 Exploitation of Remote Services

TA0011 Command and Control (4 techniques)
  T1071 Application Layer Protocol ×4
  T1071.004 DNS ×3
  T1071.005 Publish/Subscribe Protocols
  T1105 Ingress Tool Transfer ×2
  T1571 Non-Standard Port
  T1573 Encrypted Channel

TA0010 Exfiltration (1 technique)
  T1537 Transfer Data to Cloud Account

TA0040 Impact (9 techniques)
  T1485 Data Destruction ×4
  T1486 Data Encrypted for Impact
  T1489 Service Stop
  T1490 Inhibit System Recovery
  T1491 Defacement ×5
  T1491.001 Internal Defacement ×2
  T1498 Network Denial of Service ×6
  T1499 Endpoint Denial of Service ×5
  T1531 Account Access Removal ×2
  T1565 Data Manipulation
  T1565.001 Stored Data Manipulation ×2
IOCs

Observables

7 indicators are attributed to this actor: domains, IPs, hashes, and other artifacts drawn from reporting.


Further coverage for this actor

Target overlap: sector, geography, and tech-stack targeting matched against an organization's footprint.
Tradecraft mapping (37): every observed MITRE ATT&CK technique, grouped by tactic.
Malware arsenal (7): families this actor is known to deploy, with IOCs and behavior.
Exploited CVEs (2): CVEs this actor has used in known campaigns.
Detection signatures: YARA, Sigma, Snort, and vendor rules.
Observables (7): domains, IPs, and hashes tied to this actor.