
Threat Actor Characterization

CyberAv3ngers

ID: 2833df69906a2ea5d05283ca4f837bd432121
Cybercrime State-Sponsored
Threat types: Critical Infrastructure Attack, ICS Compromise, State-linked, Defacement, Intrusion, Pro-Palestine
Iran IRN, IRL, ISR, JOR, USA
Updated: 2026-03-21
Created: 2025-10-18
Progress: 89% Completeness: 89% Freshness: 90%
Operation zone: Iran, Ireland, Israel, Jordan, United States
Aliases: Av3ngers, Cyber Av3ng3rs (2 of 7 aliases shown in the free preview)
MITRE ATT&CK®

CyberAv3ngers is an IRGC-CEC-linked disruptive cyber persona associated with compromises of exposed OT/ICS devices, especially Unitronics PLC/HMI environments, and with broader Iran-linked OT/IoT malware activity. The actor blends real disruption with propaganda and claim amplification against Israel-linked and U.S./allied critical infrastructure targets.


Technique, technique name, tactics, evidence:

T1110 Brute Force TA0006
  • 2024-12-18 — Updated joint advisory states actors authenticated to internet-connected Unitronics devices using default passwords or no passwords over the default communications port.
T1078.001 Default Accounts TA0001 TA0003 TA0004 TA0005
  • 2023-12-01 — Joint advisory states the actors compromised publicly exposed Unitronics devices using default credentials; this aligns with use of valid default accounts.
  • 2024-12-18 — Updated advisory reiterates default or absent passwords as the most reliable access condition in the documented Unitronics campaign.
T1491.001 Internal Defacement TA0040
  • 2023-12-01 — IRGC-affiliated actors left a defacement message on compromised HMIs: 'You have been hacked, down with Israel. Every equipment made in Israel is CyberAv3ngers legal target.'
T1565.001 Stored Data Manipulation TA0040
  • 2024-12-18 — Updated advisory states actors erased the original ladder logic file and downloaded their own, preventing compromised devices from operating as intended.
T1531 Account Access Removal TA0040
  • 2024-12-18 — Updated advisory states the actors renamed compromised devices, delaying remote access and remediation by operators.
T1190 Exploit Public-Facing Application TA0001
  • 2024-10-01 — INFERENCE (confidence: medium): OpenAI reporting shows the actor researching vulnerabilities and OT-related technologies beyond Unitronics defaults, supporting a broader public-facing exploitation interest.
  • 2024-12-10 — INFERENCE (confidence: medium): Claroty's IOCONTROL reporting indicates the broader actor ecosystem can target multiple IoT/OT products, supporting public-facing exploitation opportunities beyond default credentials alone.
T1071 Application Layer Protocol TA0011
  • 2024-12-10 — Claroty reported that IOCONTROL leveraged MQTT as a command-and-control channel in an OT/IoT-focused campaign associated with CyberAv3ngers.
T1583.001 Domains TA0042
  • 2024-10-01 — INFERENCE (confidence: medium): OpenAI reporting documents requests about lists of industrial routers, protocols, and internet-connectable OT technologies consistent with infrastructure reconnaissance and target-environment preparation.

Strategic Intelligence
Last updated: 2026-03-19T21:30:29+00:00

CyberAv3ngers — IRGC-affiliated OT-targeting persona / critical infrastructure disruption label

Classification: TLP:WHITE — Open Source Intelligence (OSINT)

Category: Cyber / State-linked “faketivist” / OT-targeting disruptive persona — Origin: Iran

Author: iQBlack CTI Team


Executive Summary

CyberAv3ngers is an Iranian state-linked cyber persona publicly associated by U.S. and allied authorities with the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). Although branded like a hacktivist or patriotic pressure group, public government reporting indicates that the persona has been used to claim and amplify disruptive cyber activity against operational technology (OT) and critical infrastructure, particularly where Israeli-made technology or Israel-linked political narratives can be exploited.


The actor became globally prominent during late 2023 after compromises of internet-exposed Unitronics Vision series PLC/HMI devices in multiple sectors, including U.S. water and wastewater systems. Public advisories assessed that the compromises relied primarily on insecure exposure, default credentials or no passwords, and default communications settings rather than a complex zero-day chain. The actor’s operational effect was therefore not “advanced stealth” so much as the weaponization of weak OT hygiene for strategic messaging, disruption, and intimidation.

OSINT Library
Last saved: 2026-03-19T21:34:51+00:00

OSINT Library — CyberAv3ngers


2023-11-28 — CISA Alert — “Exploitation of Unitronics PLCs used in Water and Wastewater Systems”
