CyberAv3ngers

Description

CyberAv3ngers is an arm of the Iranian government's Islamic Revolutionary Guard Corps (IRGC). The group's modus operandi is exploiting programmable logic controllers (PLCs) commonly used in wastewater and irrigation, especially those made in Israel. The group appears to be focused on defacement, misinformation and ransomware campaigns.


In October 2024, a report by OpenAI highlighted that this group used ChatGPT to perform reconnaissance on targets and debug code.

Known Affiliates: IRGC-CEC

On March 2, 2026, Operation Epic Fury, a joint coordinated strike on Iran conducted by the United States and Israel, commenced. We are monitoring for developments and will update the Threat Actor profile with rolling updates.

Added to Aliases:
Bauxite

Added to Known Tools Used:
Custom wipers (unnamed), Brute force tools, Custom ladder logic files (Unitronics PLC), ChatGPT (recon/debugging)

Aliases

  • Bauxite
  • Sons of Solomon

Common Vulnerabilities and Exposures

Targeted Industries

  • Water
  • Wastewater
  • Food and Beverage
  • Healthcare

Objectives

Web defacement, disinformation, ransomware (Crucio)

Known Tools Used

  • Crucio Ransomware
  • Custom wipers (unnamed)
  • Brute force tools
  • Custom ladder logic files (Unitronics PLC)
  • ChatGPT (recon/debugging)
  • Open Source Tools

Known Infection Vectors

  • Brute Force
  • CVE-2023-28130 (Check Point Gaia Portal Hostname Command Injection vulnerability)
  • CVE-2023-6448 (Default administrative password vulnerability in VisiLogic)

References

IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities (CISA)
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

Influence and cyber operations: an update (OpenAI)
https://cdn.openai.com/threat-intelligence-reports/influence-and-cyber-operations-an-update_October-2024.pdf

CyberAv3ngers (Rewards for Justice)
https://rewardsforjustice.net/rewards/cyberav3ngers/

CyberAv3ngers (MITRE)
https://attack.mitre.org/groups/G1027/
