3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Milad Mansuri

Milad Mansuri

ID: c81f42761d1b53a2d875a33ddfb8cdb764758
Cybercrime Cyber Espionage Cybercriminal
Threat types: Intrusion
Iran ISR, USA
Updated: 2026-03-21
Created: 2026-03-21
Progress: 72% Completeness: 73% Freshness: 70%
Operation zone: Israel, United States
Aliases Limited alias preview
No aliases registered.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium-high
Actor Techniques page ATT&CK® Diagram

Milad Mansuri is a publicly named senior official of Iran's IRGC-CEC. Public reporting ties him to the command environment behind CyberAv3ngers-linked critical infrastructure activity, but does not provide strong evidence of him as an individually documented hands-on operator.


Technique Technique name Tactics Evidence
T1078.001 Default Accounts TA0001 TA0003 TA0004 TA0005
  • 2023-12-01 — Joint advisory on CyberAv3ngers activity states that exposed Unitronics PLCs were compromised through default passwords. INFERENCE (confidence: medium-high): As a named senior IRGC-CEC official, Mansuri is relevant to the command structure associated with this tradecraft. · ref
  • 2024-05-30 — Microsoft described a repeated OT attack methodology centered on internet-exposed devices and weak/default credentials in the Storm-0784 / CyberAv3ngers ecosystem. · ref
T1190 Exploit Public-Facing Application TA0001
  • 2024-05-30 — Microsoft highlighted focus on internet-exposed OT devices and reachable management surfaces. INFERENCE (confidence: medium): Ecosystem activity around Mansuri includes exploitation or abuse of public-facing OT/IoT access paths. · ref
  • 2025-06-05 — OpenAI reported CyberAv3ngers-linked accounts researching vulnerabilities, industrial protocols, public-facing technologies, and scripting for vulnerable infrastructure discovery. · ref
T1491.001 Internal Defacement TA0040
  • 2023-12-01 — Joint advisory documented hostile messaging displayed on compromised Unitronics HMIs. INFERENCE (confidence: medium-high): Visible interface defacement is part of the operational environment tied to Mansuri's command ecosystem. · ref
T1565.001 Stored Data Manipulation TA0040
  • 2023-12-01 — Compromised Unitronics devices were modified and renamed, demonstrating stored data or configuration manipulation as part of the ecosystem's impact pattern. · ref
T1595 Active Scanning TA0043
  • 2025-06-05 — OpenAI documented CyberAv3ngers-linked use of models for reconnaissance and research into PLCs, ICS vendors, and exposed infrastructure. INFERENCE (confidence: medium): This supports a broader ecosystem-level reconnaissance mapping relevant to Mansuri's command environment. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-03-21T03:26:58+00:00

Milad Mansuri — IRGC-CEC senior official linked to CyberAv3ngers

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: State cyber official / command-enablement profile - Origin: Iran

Author: iQBlack CTI Team


Executive Summary

Milad Mansuri is publicly identified by the U.S. Department of the Treasury as a senior official of the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). Public U.S. government material does not provide a detailed biography, formal job title, or individually attributed intrusion history for Mansuri. The strongest defensible assessment is therefore institutional rather than personal: he is part of the command environment publicly linked to malicious cyber operations against critical infrastructure through the CyberAv3ngers persona.


The operational significance of Mansuri comes from his location inside the IRGC-CEC ecosystem during the period when CyberAv3ngers activity became a major public concern, particularly the compromise of internet-exposed Unitronics PLCs and later reporting on broader OT/ICS and IoT targeting. Public government and vendor reporting tie that ecosystem to weak/default credential abuse, public intimidation and defacement, and, in later reporting, the IOCONTROL malware family targeting OT/IoT/Linux-based platforms.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — Milad Mansuri

Classification: Unclassified / OSINT — TLP:WHITE

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — Milad Mansuri


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-03-21T03:29:17+00:00

IOC Appendix — Milad Mansuri

Scope & Caveats. Milad Mansuri is an individual official profile, not a malware family or independently documented intrusion set. Accordingly, this appendix emphasizes cluster-level hard indicators and operationally useful observables from the IRGC-CEC / CyberAv3ngers ecosystem rather than pretending a personalized Mansuri-only IOC corpus exists. Items below should be treated as ecosystem-relevant and used with confidence labels and context.

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-03-21T03:29:30+00:00

OSINT Library — Milad Mansuri


2024-02-02 — U.S. Department of the Treasury — “Treasury Sanctions Actors Responsible for Malicious Cyber Activity Against U.S. Critical Infrastructure”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/0
No social links registered for this profile.
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
No images found for this threat.