3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Reza Mohammad Amin Saberian

Reza Mohammad Amin Saberian

ID: 8e1b51115cf9f23a27dc1e40755faace18409
Cybercrime Cyber Espionage Cybercriminal Hacktivist
Threat types: Hacktivism, OT/ICS Targeting
Iran IRL, ISR, USA
Updated: 2026-03-21
Created: 2026-03-20
Progress: 82% Completeness: 78% Freshness: 90%
Operation zone: Ireland, Israel, United States
Aliases Limited alias preview
Saberian
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium-high
Actor Techniques page ATT&CK® Diagram

Reza Mohammad Amin Saberian is a publicly named senior official of Iran's IRGC-CEC. Public reporting ties him to the command environment behind CyberAv3ngers-linked critical infrastructure activity, but does not provide strong evidence of him as an individually documented hands-on operator.


Technique Technique name Tactics Evidence
T1078.001 Default Accounts TA0001 TA0003 TA0004 TA0005
  • 2023-12-01 — Joint advisory on CyberAv3ngers activity states that exposed Unitronics PLCs were compromised through default passwords. INFERENCE (confidence: medium-high): As a named senior IRGC-CEC official, Saberian is relevant to the command structure associated with this tradecraft. · ref
  • 2024-05-30 — Microsoft described a repeated OT attack methodology centered on internet-exposed devices and weak/default credentials in the Storm-0784 / CyberAv3ngers ecosystem. · ref
T1190 Exploit Public-Facing Application TA0001
  • 2024-05-30 — Microsoft highlighted focus on internet-exposed OT devices and reachable management surfaces. INFERENCE (confidence: medium): Ecosystem activity around Saberian includes exploitation or abuse of public-facing OT/IoT access paths. · ref
  • 2025-06-05 — OpenAI reported CyberAv3ngers-linked accounts researching vulnerabilities, industrial protocols, public-facing technologies, and scripting for vulnerable infrastructure discovery. · ref
T1491.001 Internal Defacement TA0040
  • 2023-12-01 — Joint advisory documented hostile messaging displayed on compromised Unitronics HMIs. INFERENCE (confidence: medium-high): Visible interface defacement is part of the operational environment tied to Saberian's command ecosystem. · ref
T1565.001 Stored Data Manipulation TA0040
  • 2023-12-01 — Advisory described controller renaming and manipulation of device-side content/behavior. This aligns with stored data or configuration manipulation on compromised devices. · ref
T1587.001 Malware TA0042
  • 2024-12-10 — Claroty linked IOCONTROL malware to the CyberAv3ngers ecosystem. INFERENCE (confidence: medium): As a named IRGC-CEC senior official, Saberian is relevant to a command structure associated with internally developed or maintained malware capabilities. · ref
T1583.001 Domains TA0042
  • 2024-02-26 — Microsoft described public personas and influence-linked branding in the wider Storm-0784 ecosystem. INFERENCE (confidence: low-medium): The underlying command environment likely acquires or maintains supporting domains/infrastructure for campaign operations and public messaging. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-03-21T02:57:16+00:00

Reza Mohammad Amin Saberian — IRGC-CEC senior official linked to CyberAv3ngers

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: State cyber official / command-enablement profile - Origin: Iran

Author: iQBlack CTI Team


Executive Summary

Reza Mohammad Amin Saberian is publicly identified by the U.S. Department of the Treasury as a senior official of the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). Public U.S. government material does not provide a detailed biography, role title, or individually attributed intrusion history for Saberian. The strongest defensible assessment is therefore institutional rather than personal: he is part of the command structure publicly linked to malicious cyber operations against critical infrastructure through the CyberAv3ngers persona.


The operational significance of Saberian comes from his location inside the IRGC-CEC ecosystem at the time that CyberAv3ngers activity became a major public concern, particularly the compromise of internet-exposed Unitronics PLCs and the broader Iran-linked OT/ICS targeting narrative that followed. Public reporting and later research tie that ecosystem to weak/default credential abuse, public defacement and intimidation, and, in later reporting, the IOCONTROL malware family targeting OT/IoT/Linux-based platforms.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — Reza Mohammad Amin Saberian


Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — Reza Mohammad Amin Saberian


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-03-21T03:04:53+00:00

IOC Appendix — Reza Mohammad Amin Saberian

Scope & Caveats. This appendix is intentionally conservative. Publicly available information on Reza Mohammad Amin Saberian is primarily institutional and sanctions-oriented, not sample-rich or personally infrastructure-rich. As a result, most hard indicators below are linked to the IRGC-CEC / CyberAv3ngers operational ecosystem rather than to Saberian as an individually observed operator.

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-03-21T03:05:06+00:00

OSINT Library — Reza Mohammad Amin Saberian


2024-02-02 — U.S. Department of the Treasury — “Treasury Sanctions Actors Responsible for Malicious Cyber Activities on Critical Infrastructure”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/0
No social links registered for this profile.
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
No images found for this threat.