Cyber Avengers

Cyber Avengers is an Iranian threat actor active since at least 2020. The provided reporting describes it as an IRGC-linked or IRGC-associated persona/group and, in some sources, as an Iranian state-backed actor rather than a mere hacktivist entity. Microsoft reporting cited in the content assesses a persona called Cyber Avengers as linked to the IRGC and targeting Israeli water infrastructure, and states that Microsoft tracks Storm-784 as operating personas including Cyber Avengers and Soldiers of Solomon, with a focus on industrial control systems and IoT devices. Other reporting in the content places Cyber Avengers in Iran’s broader proxy cyber ecosystem alongside groups such as Bavar373 and Cyber Fattah Team. The group primarily targets Israeli organizations and critical infrastructure, with emphasis on water, power, industrial, and other OT/ICS environments. The content also states that U.S. authorities warned that Iranian state-backed actors including Cyber Avengers target U.S. networks, especially OT, IoT, water, and aviation systems. Reported activity includes targeting Unitronics PLCs used in water and industrial facilities, attacks against Israeli water infrastructure, claims of attacks on power and railway infrastructure, compromise of webcams later exaggerated for propaganda purposes, and broader psychological operations and SMS spoofing campaigns during regional escalation. A recurring theme in the content is cyber-enabled influence and propaganda: Iran-linked operators use limited or opportunistic cyber access, then amplify or exaggerate impact through Telegram, state-media amplification, and psychological operations. Examples in the content include Cyber Avengers claiming breaches of Israeli critical infrastructure, publishing alleged SCADA screenshots and PLC-related material, and making unverified claims regarding BAZAN, Israeli railway stations, and the 2021 Haifa Bay petrochemical plant fires. The content notes that some claims could not be independently verified, and in one case BAZAN said leaked materials were fabricated and that the incident was only a brief DDoS against its image website. Known aliases directly mentioned in the content include CyberAv3ngers and Cyber Av3ngers, although the content also states there is little evidence connecting the similarly named Cyber Avengers with Cyber Av3ngers/Cyber Aveng3rs. Because of that ambiguity, those names should be treated as reported aliases/personas in the source material rather than definitively the same entity. Related groups/personas mentioned in the content include Soldiers of Solomon and Storm-784.