{ "id": "969beb32-8fb8-411d-a48f-a4e4e7318138", "created_at": "2026-04-06T00:15:33.692854Z", "updated_at": "2026-04-10T03:33:49.421291Z", "deleted_at": null, "sha1_hash": "7aa04f0f9b496ef9340c6c8f09d09d162f773c15", "title": "CyberAv3ngers – Rewards For Justice", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 34075, "plain_text": "CyberAv3ngers – Rewards For Justice\r\nArchived: 2026-04-05 18:03:57 UTC\r\nRewards for Justice is offering a reward of up to $10 million for information leading to the identification or\r\nlocation of any person who, while acting at the direction or under the control of a foreign government, participates\r\nin malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act\r\n(CFAA).\r\nHamid Homayunfal, Hamid Reza Lashgarian, Mahdi Lashgarian, Milad Mansuri, Mohammad Bagher Shirinkar,\r\nand Mohammad Amin Saberian are Iranian security officials linked to malicious cyber activities of Iran’s Islamic\r\nRevolutionary Guard Corps (IRGC) hacking groups.\r\nHamid Reza Lashgarian is the head of the IRGC’s Cyber-Electronic Command (IRGC-CEC) and is also a\r\ncommander in the IRGC-Qods Force, which is Iran’s primary mechanism for cultivating and supporting terrorist\r\ngroups abroad. He has been involved in various IRGC cyber and intelligence operations.\r\nHamid Homayunfal, Mahdi Lashgarian, Milad Mansuri, Mohammad Amin Saberian, and Mohammad Bagher\r\nShirinkar are senior officials of the IRGC-CEC.\r\nCyberAv3ngers, affiliated with the IRGC-CEC and Mahdi Lashgarian, utilized malware known as IOCONTROL\r\nto target worldwide industrial control system/supervisory control and data acquisition (ICS/SCADA) devices,\r\nincluding routers, PLCs, human machine interfaces (HMIs), firewalls, IP cameras, and Linux-based Internet of\r\nThings (IoT) and SCADA/Operational Technology platforms. IOCONTROL is a cyberweapon that has been used\r\nto attack vendors, including but not limited to Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact,\r\nTeltonika, Unitronics, and other civilian infrastructure in several countries worldwide.\r\nCyberAv3ngers has targeted and compromised the Vision series of programmable logic controllers (PLCs) made\r\nby Israel-based Unitronics. The PLCs are used by the water and wastewater, energy, food and beverage,\r\nmanufacturing, healthcare, and other industries, and may be re-branded as manufactured by other companies.\r\nIn October 2023, CyberAv3ngers actors claimed credit for cyberattacks against Israeli PLCs on their Telegram\r\nchannel.\r\nSince at least November 22, 2023, CyberAv3ngers actors have compromised the default credentials in these PLCs\r\nacross the United States and left a message on the devices’ digital screen stating, “You have been hacked, down\r\nwith Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” The compromise of the device also\r\nmay render it inoperative.\r\nOn February 2, 2024, the U.S. Department of the Treasury announced sanctions against the six IRGC-CEC\r\nofficials for their malicious cyber activities. Hamid Homayunfal, Hamid Reza Lashgarian, Mahdi Lashgarian,\r\nMilad Mansuri, Mohammad Amin Saberian, and Mohammad Bagher Shirinkar were named as Specially\r\nDesignated Nationals pursuant to the counterterrorism authority Executive Order (E.O.) 13224, as amended for\r\nbeing leaders or officials of the IRGC-CEC.\r\nhttps://rewardsforjustice.net/rewards/cyberav3ngers/\r\nPage 1 of 2\n\nAs a result of these designations, all property and interests in property of these IRGC-CEC officials that are in the\r\nUnited States or in the possession or control of U.S. persons are blocked. The designations generally prohibit all\r\ntransactions by U.S. persons or within (or transiting) the United States that involve any property or interests in\r\nproperty of designated or otherwise blocked persons.\r\nAnyone with information on CyberAv3ngers malicious cyberactivity, associated individuals, or entities should\r\ncontact Rewards for Justice via the Tor-based tips-reporting channel at:\r\nhe5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required)\r\nSource: https://rewardsforjustice.net/rewards/cyberav3ngers/\r\nhttps://rewardsforjustice.net/rewards/cyberav3ngers/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://rewardsforjustice.net/rewards/cyberav3ngers/" ], "report_names": [ "cyberav3ngers" ], "threat_actors": [ { "id": "5484a633-c850-4380-921b-72fce1a32e72", "created_at": "2024-01-18T02:02:34.026014Z", "updated_at": "2026-04-10T02:00:04.636248Z", "deleted_at": null, "main_name": "CyberAv3ngers", "aliases": [], "source_name": "ETDA:CyberAv3ngers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "b125b5c1-1431-4880-9ab8-582a583811ea", "created_at": "2024-04-24T02:00:49.643067Z", "updated_at": "2026-04-10T02:00:05.421434Z", "deleted_at": null, "main_name": "CyberAv3ngers", "aliases": [ "CyberAv3ngers", "Soldiers of Soloman" ], "source_name": "MITRE:CyberAv3ngers", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2", "created_at": "2022-10-25T16:07:23.826594Z", "updated_at": "2026-04-10T02:00:04.760416Z", "deleted_at": null, "main_name": "Madi", "aliases": [ "Mahdi" ], "source_name": "ETDA:Madi", "tools": [ "Madi" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434533, "ts_updated_at": 1775792029, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7aa04f0f9b496ef9340c6c8f09d09d162f773c15.pdf", "text": "https://archive.orkl.eu/7aa04f0f9b496ef9340c6c8f09d09d162f773c15.txt", "img": "https://archive.orkl.eu/7aa04f0f9b496ef9340c6c8f09d09d162f773c15.jpg" } }