Rewterz

Iran-Linked Targets Water Utilities and Industrial Controllers

Severity

High

Analysis Summary

CyberAv3ngers is an Iran-linked cyber threat group associated with Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). Active since at least 2020, the group has evolved from a hacktivist-style entity into a highly capable threat actor targeting critical infrastructure. A joint U.S. advisory issued on April 7, 2026 (AA26-097A) by agencies including the FBI, CISA, NSA, EPA, Department of Energy, and Cyber Command confirmed that the group is actively exploiting internet-facing operational technology (OT) systems across water, energy, and government sectors, causing real-world disruption and financial damage across multiple organizations.

The group has progressively refined its tactics through multiple campaigns. In 2023, CyberAv3ngers compromised at least 75 Unitronics Vision Series PLCs across the U.S., U.K., and Ireland by exploiting factory-default credentials on internet-exposed devices. One of the most notable incidents involved the Municipal Water Authority of Aliquippa in Pennsylvania, where exposed PLCs lacked proper authentication controls. Around the same period, similar attacks in Ireland resulted in temporary water supply disruptions, highlighting the real-world impact of insecure industrial systems.

By 2024, CyberAv3ngers introduced a custom malware framework known as IOCONTROL, specifically designed for Linux-based IoT and industrial environments. This malware expanded their capabilities across devices such as routers, HMIs, IP cameras, and industrial controllers from vendors including D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics. IOCONTROL marked a shift toward a more structured nation-state cyber capability, enabling stealthy control and persistence within operational technology networks.

According to the researchers, in early 2026 the group escalated its operations by targeting Rockwell Automation Logix controllers using CVE-2021-22681, a critical authentication bypass vulnerability rated High on the CVSS scale. The flaw allows an attacker who obtains a single cryptographic key to access the PLC without valid credentials. Because no official patch exists, defenders are urged to rely on network segmentation, removing PLCs from direct internet exposure, enforcing MFA-based remote access, monitoring MQTT (port 8883) and DNS-over-HTTPS traffic, and isolating engineering workstations. Despite sanctions and law enforcement pressure, CyberAv3ngers continues to operate and has inspired or influenced roughly 60 affiliated hacktivist groups, making containment significantly more difficult.

Impact

  • Gain Access
  • Operation Disruption
  • Financial Loss

Indicators of Compromise

CVE

  • CVE-2021-22681

Remediation

  • Immediately disconnect all PLCs and industrial control systems (ICS) from direct internet exposure to eliminate remote exploitation paths.
  • Implement strict network segmentation between IT and OT environments to prevent lateral movement from corporate networks into industrial systems.
  • Enforce strong authentication policies and eliminate factory-default credentials on all PLCs and OT devices.
  • Isolate engineering workstations from general network access and restrict them to tightly controlled, monitored environments.
  • Enable physical security controls on PLCs (e.g., set mode switches to “Run”) to prevent unauthorized logic changes.
  • Monitor and alert on suspicious OT-specific traffic, especially MQTT over TLS (port 8883) and DNS-over-HTTPS activity.
  • Deploy intrusion detection systems (IDS/IPS) tailored for industrial environments to detect abnormal PLC behavior and command patterns.
  • Regularly back up PLC configurations and store them offline in secure, immutable storage for rapid recovery.
  • Replace insecure remote access tools (e.g., TeamViewer, AnyDesk) with VPN solutions that enforce multi-factor authentication (MFA).
  • Continuously ingest and apply threat intelligence and IOCs from advisories like CISA AA26-097A into SIEM, firewalls, and OT monitoring systems.
  • Conduct frequent vulnerability assessments and asset inventories for all OT/ICS devices to identify exposed or outdated systems.
  • Implement strict access control and least-privilege policies for all industrial systems and administrative accounts.
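The monitoring recommendation above (alerting on MQTT over TLS on port 8883 and DNS-over-HTTPS leaving the OT network) can be turned into a simple detection rule over firewall or flow logs. The following is an added example written for this page, not code from the advisory or from Rewterz; it assumes a constructed CSV flow format (src,dst,dport,proto,host), an assumed OT address range of 10.20.0.0/16, and a small list of well-known public DoH resolver hostnames matched against the TLS SNI.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed OT/ICS address range; replace with your own segments.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Public DoH resolver hostnames, matched against TLS SNI / HTTP host.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample flow records (not from the advisory).
SAMPLE_FLOWS = """\
# src,dst,dport,proto,host
10.20.5.11,203.0.113.40,8883,tcp,
10.20.5.11,10.20.1.2,502,tcp,
10.20.7.3,198.51.100.9,443,tcp,dns.google
10.20.7.3,198.51.100.10,443,tcp,vendor.example
10.1.4.20,203.0.113.40,8883,tcp,
"""

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    host: str  # TLS SNI or HTTP host, empty if none was observed

def parse_flow(line: str) -> Flow:
    # Pad so a record with no host field still parses.
    src, dst, dport, proto, host = (line.split(",") + [""])[:5]
    return Flow(src.strip(), dst.strip(), int(dport), proto.strip().lower(), host.strip())

def in_ot(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)

def classify(flow: Flow) -> Optional[str]:
    # Only egress from an OT host to a non-OT destination is of interest;
    # PLC-to-PLC or PLC-to-internal-broker traffic is left to other rules.
    if not in_ot(flow.src) or in_ot(flow.dst):
        return None
    if flow.proto == "tcp" and flow.dport == 8883:
        return "mqtt-tls-egress"
    if flow.proto == "tcp" and flow.dport == 443 and flow.host in DOH_HOSTS:
        return "doh-egress"
    return None

def find_alerts(lines) -> List[Tuple[str, str, str, int]]:
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        tag = classify(flow)
        if tag:
            alerts.append((tag, flow.src, flow.dst, flow.dport))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

Feeding the same logic real flow exports and forwarding the tuples to a SIEM gives a first-pass alert for the two egress patterns the advisory calls out.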