CyberAv3ngers
CyberAv3ngers is an Iranian state-aligned or proxy threat actor linked in the reporting to activity against internet-exposed industrial control systems in the United States. In 2023 the group disrupted U.S.-based PLCs and human-machine interfaces; at least 75 devices across multiple critical infrastructure sectors were reportedly compromised.

The described tradecraft does not rely on zero-day exploitation. The actor reached exposed PLCs directly and operated them with legitimate vendor engineering software, specifically Rockwell Studio 5000 Logix Designer. Confirmed targeted device families are Rockwell CompactLogix and Micro850. That level of access let the actor interact with project files and manipulate HMI/SCADA display data. Reporting also notes probing of other OT protocols, including Modbus and S7/10, which indicates interest in PLCs beyond Rockwell devices. The practical point is exposure rather than exploitation: the same legitimate software would have worked for anyone able to reach those hosts.

Network observables: the access path included Remote Desktop Protocol over TCP port 43589 from a workstation presenting a self-signed certificate with the common name DESKTOP-BOE5MUC. The exposed hosts also presented Windows services including DCERPC, MSMQ, and NetBIOS, the footprint of an engineering workstation reachable from the Internet rather than of a hardened jump host. Both the non-standard RDP port and the certificate common name are usable as pivots in passive DNS, TLS telemetry, and Internet-scan data.

Also seen as: cyberag3ngers.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- IR (Iran)
Recent activity
1 source tracked across advisories, community write-ups, and news.