
Threat Actor Characterization

Islamic Revolutionary Guard Corps Cyber

ID: d9d80d03cfe271e7a52c9a8768b0178c82621
Cybercrime Cyber Espionage Hacktivist State-Sponsored
Threat types: Espionage, Intrusion, Malware, OT/IoT devices
Iran ISR
Updated: 2026-04-06
Created: 2025-10-21
Progress: 87% Completeness: 85% Freshness: 90%
Operation zone: Israel
Aliases (2 of 6 shown; the remainder are masked in the preview): Cyber Defense Organization; IRGC Electronic Warfare; IR******; IR***************************; Is********************************************************; Is******************************************
MITRE ATT&CK®

IRGC-CEC is a state-linked Iranian cyber command organization publicly tied to critical-infrastructure targeting, front-company support activity, and proxy-style brands such as CyberAv3ngers. The strongest open-source evidence centers on exposed OT/ICS devices, default-credential abuse, HMI defacement, and later Linux/IoT/OT malware activity linked to IOCONTROL.


Technique | Technique name | Tactics | Evidence (dated; inferences carry a confidence level)
T1110 Brute Force TA0006
  • 2023-12-02 — Joint advisory states IRGC-affiliated actors compromised Unitronics devices by abusing default credentials and maps the activity to Brute Force / credential abuse leading to root-level access. · ref
  • 2024-10-01 — OpenAI reported CyberAv3ngers-linked accounts asking for default username/password combinations for PLCs and industrial routers. INFERENCE (confidence: high): this aligns with the organization’s documented reliance on weak/default credential paths. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2023-12-02 — The Unitronics campaign relied on successful logins to exposed devices using weak/default credentials, which functionally amounts to valid-account abuse on OT assets; the closest sub-technique is T1078.001 Default Accounts. · ref
T1491.001 Internal Defacement TA0040
  • 2023-12-02 — Compromised Unitronics HMI devices displayed the message: 'You have been hacked, down with Israel. Every equipment made in Israel is CyberAv3ngers legal target.' · ref
  • 2024-05-30 — Microsoft highlighted the Aliquippa case as including HMI defacement with CyberAv3ngers branding and imagery. · ref
T1565.001 Stored Data Manipulation TA0040
  • 2023-12-02 — Joint advisory states the compromise centered around defacing the controller user interface and could include deeper device-level access. INFERENCE (confidence: medium-high): HMI project or display-state changes align with stored data manipulation. · ref
T1595 Active Scanning TA0043
  • 2024-10-01 — OpenAI reported CyberAv3ngers-linked accounts asking to list industrial routers, industrial protocols/ports, electricity companies, contractors, and common PLCs, consistent with active target-surface reconnaissance. · ref
T1190 Exploit Public-Facing Application TA0001
  • 2024-05-30 — Microsoft described a recurring methodology focused on internet-exposed, poorly secured OT devices. INFERENCE (confidence: medium): while default credentials were central in documented cases, the broader target set included exposure-driven compromise of public-facing industrial systems. · ref
  • 2024-10-01 — OpenAI reported requests about recently disclosed vulnerabilities in products such as CrushFTP and Cisco Integrated Management Controller, suggesting continued interest in exploitation of public-facing systems. · ref
T1059.004 Unix Shell TA0002
  • 2024-10-01 — OpenAI described CyberAv3ngers-linked operators seeking support to create and refine bash scripts for reconnaissance and exploitation workflows. · ref
T1059.006 Python TA0002
  • 2024-10-01 — OpenAI described CyberAv3ngers-linked operators seeking Python scripting assistance, including code debugging and network scanning support. · ref
T1105 Ingress Tool Transfer TA0011
  • 2024-12-10 — Claroty described IOCONTROL as a modular Linux-based malware framework used against IoT/OT devices that communicates with attacker-controlled C2 infrastructure. INFERENCE (confidence: medium): a modular framework of this kind implies that additional modules or payloads are delivered to the compromised device after initial access, i.e. ingress tool transfer, in at least some deployments. · ref
T1583.001 Domains TA0042
  • 2024-04-23 — Treasury reporting states IRGC-CEC uses front companies and affiliated personnel to support malicious cyber activity. INFERENCE (confidence: medium): this organizational model implies resource acquisition, including privately controlled infrastructure such as domains, in support of state cyber operations; the specific T1583.001 mapping is not directly evidenced in the cited reporting. · ref
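As an added illustration of the credential-abuse path in the T1110 and T1078 rows above (editor-supplied example code, not material from the page's sources, the advisory, or any vendor), the script below runs a simple detection over constructed, syslog-style authentication events from a hypothetical OT gateway. It flags (a) a run of failed logins followed by a success from the same source against the same device, and (b) any successful login with a default account name from outside the internal address ranges. The log format, device names, addresses, the default-account list, the failure threshold, the time window and the "internal" ranges are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not any real vendor's syslog):
# "<ISO timestamp> <device> auth <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2023-11-25T02:14:01Z plc-wtp-01 auth FAIL user=admin src=203.0.113.45
2023-11-25T02:14:03Z plc-wtp-01 auth FAIL user=admin src=203.0.113.45
2023-11-25T02:14:05Z plc-wtp-01 auth FAIL user=admin src=203.0.113.45
2023-11-25T02:14:09Z plc-wtp-01 auth OK user=admin src=203.0.113.45
2023-11-25T02:30:00Z hmi-wtp-02 auth OK user=operator src=10.20.0.15
2023-11-25T03:01:10Z plc-wtp-03 auth OK user=admin src=198.51.100.7
2023-11-25T03:05:00Z hmi-wtp-02 auth FAIL user=root src=10.20.0.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumptions: account names treated as vendor defaults (T1078.001), how many
# failures count as guessing, and the window in which they must occur.
DEFAULT_ACCOUNTS = {"admin", "root"}
FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=10)

# Assumption: only RFC 1918 space is "internal"; anything else is treated as exposed.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_events(log_text):
    """Parse lines in the assumed format into dicts; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return findings for repeated failures followed by success from the same
    source against the same device (T1110 leading to T1078) and for successful
    logins with a default account name from a non-internal source (T1078.001)."""
    findings = []
    recent_failures = defaultdict(list)  # (src, device) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["device"])
        if ev["result"] == "FAIL":
            recent_failures[key].append(ev["ts"])
            continue
        in_window = [t for t in recent_failures[key] if ev["ts"] - t <= WINDOW]
        if len(in_window) >= FAIL_THRESHOLD:
            findings.append({
                "technique": "T1110 -> T1078",
                "device": ev["device"], "src": ev["src"], "user": ev["user"],
                "detail": f"{len(in_window)} failures then success within {WINDOW}",
            })
        if ev["user"] in DEFAULT_ACCOUNTS and is_external(ev["src"]):
            findings.append({
                "technique": "T1078.001",
                "device": ev["device"], "src": ev["src"], "user": ev["user"],
                "detail": "default account name logged in from a non-internal source",
            })
        recent_failures[key].clear()  # a success resets the counter for that pair
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f["technique"], f["device"], f["src"], f["user"], "-", f["detail"])
```

On the constructed sample this yields three findings: the fail-fail-fail-success sequence against plc-wtp-01 from 203.0.113.45 (flagged both as guessing and as a default account from outside), and the single successful admin login to plc-wtp-03 from 198.51.100.7 (default account only). The internal operator login and the lone internal failure produce nothing. In a real deployment the "internal" definition and the default-account list should come from the asset inventory and the vendor documentation for the devices actually in scope.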
Strategic Intelligence
Last updated: 2026-03-20T01:40:10+00:00

Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC)

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Author: iQBlack Team


Executive Summary

The Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), also referenced in public material as the IRGC Electronic Warfare and Cyber Defense Organization, is a state-linked Iranian cyber command structure tied to malicious cyber operations against critical infrastructure, government entities, and private-sector organizations in the United States, Israel, and other countries. Public reporting and sanctions actions indicate that the IRGC-CEC does not operate only through a single public-facing brand. Instead, it appears to use a layered operational model that includes official personnel, front companies, contractor-like cyber staff, and branded personas such as CyberAv3ngers to create distance between the state organization and the visible operation.


The most visible and best-documented IRGC-CEC-linked activity in open sources is the targeting of internet-exposed operational technology (OT) devices, especially Israeli-made Unitronics PLC/HMI systems, where internet exposure combined with weak or default credentials was enough to achieve defacement and operational impact. That campaign is strategically important not because it demonstrated exquisite stealth or novel exploitation, but because it showed a willingness to touch civilian critical infrastructure and public services in a way that carried disruptive and psychological value out of proportion to the simplicity of the intrusion path.

OSINT Library
Last saved: 2026-03-20T01:41:41+00:00

OSINT Library — Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC)


2018-01-12 — U.S. Department of the Treasury — “Treasury Sanctions Iranian Entities for Human Rights Abuses and Censorship”

Social Media & Communication

t.me/APT**** (restricted; masked in the preview)