CyberAv3ngers
CyberAv3ngers is an Iranian threat actor active since at least 2023 and assessed in open-source reporting to operate under or in coordination with Iran's Islamic Revolutionary Guard Corps (IRGC), specifically the IRGC Cyber-Electronic Command. The group is also tracked as Bauxite, Storm-0784, UNC5691, cyber_av3ngers, Shahid Kaveh Group, and Soldiers of Solomon; Hydro Kitten is noted as an additional tracking name. Multiple sources describe the group as using hacktivist branding for deniability while conducting state-linked operations.

The group focuses on industrial control systems and internet-connected OT/IoT devices, especially programmable logic controllers used in water, wastewater, energy, and municipal environments. Reporting states that CyberAv3ngers compromised at least 75 Israeli-made Unitronics Vision Series PLC devices across U.S. and allied critical infrastructure beginning in November 2023, including attacks on U.S. water facilities such as the Municipal Water Authority of Aliquippa, Pennsylvania. In those operations the group used default factory credentials on internet-exposed Unitronics devices and defaced HMIs with anti-Israel messaging, including 'You have been hacked, down with Israel' and statements that equipment 'made in Israel' was a legal target. Reporting also links the group to a water-sector disruption in County Mayo, Ireland, involving Unitronics equipment.

CyberAv3ngers is further described as highly focused on accessing ICS and IoT devices and as the IRGC Cyber-Electronic Command's industrial-control-system arm. Later activity resembling or attributed to the group targeted internet-exposed Rockwell Automation and Allen-Bradley PLC environments in U.S. critical infrastructure, including abuse of FactoryTalk software and manipulation of HMI/SCADA-related data. The group is described as part of a broader Iranian OT targeting pattern affecting water, energy, and government facilities.

Reporting also records earlier hacktivist-style claims by CyberAv3ngers during the October 2023 Israel-Hamas conflict, including claimed attacks against Israel's Noga Independent System Operator, the Dorad power station, Mekorot, and ORPAK. One analysis concluded that the Dorad claim reused older leaked material rather than demonstrating new access. Overall, the available reporting consistently portrays CyberAv3ngers as an IRGC-linked, OT-focused threat actor that evolved from public hacktivist messaging into confirmed state-linked operations against civilian critical infrastructure.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Utilities
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- Iran (IR)
Tradecraft
38 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
7 malware families attributed to this actor across reporting.
2 additional families tracked in Mallory.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
Then in early 2026, CyberAv3ngers shifted to Rockwell Automation Logix controllers, exploiting CVE-2021-22681 — a critical authentication bypass flaw with a CVSS score of 9.8. This vulnerability lets an attacker who intercepts a single cryptographic key connect to affected PLCs without valid credentials. Rockwell Automation has confirmed that no software patch exists for it, and affected controller families include CompactLogix, ControlLogix, GuardLogix, DriveLogix, and SoftLogix.
On Monday, the U.S. Cybersecurity and Infrastructure Security Agency added the Unitronics bug to its Known Exploited Vulnerabilities catalog, assigning it CVE-2023-6448. The advisory warned that “Unitronics Vision Series PLCs and HMIs [Human Machine Interfaces] use default administrative passwords.” “An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system,” the agency said.
Observables
13 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Iran-affiliated group targeting water and wastewater infrastructure by exploiting default factory credentials on internet-exposed PLCs; also active against water, energy, and government facilities.
Iran-affiliated actor discussed as part of the elevated risk to US-hosted event infrastructure, especially critical infrastructure and municipal services.
Claimed responsibility for disrupting electricity transmission lines and dispatching power plants in Tel Aviv.
Iran-linked threat actor assessed as maintaining pre-positioned OT/ICS access that may be activatable without real-time command and control, representing a dormant disruptive threat.