{
	"id": "fb2d5de2-1b9a-4788-a755-a470e5772c5e",
	"created_at": "2026-04-06T03:37:05.297209Z",
	"updated_at": "2026-04-10T03:27:54.435772Z",
	"deleted_at": null,
	"sha1_hash": "8222e868245c2d12ad26867b5576faeb0fb3f580",
	"title": "US offering $10 million for info on Iranian hackers behind IOControl malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74065,
	"plain_text": "US offering $10 million for info on Iranian hackers behind\r\nIOControl malware\r\nBy Jonathan Greig\r\nPublished: 2025-06-16 · Archived: 2026-04-06 03:31:31 UTC\r\nThe U.S. State Department said they were seeking information on Iranian hackers who they accused of targeting\r\ncritical infrastructure using a strain of malware deployed against industrial control systems.\r\nU.S. officials are offering up to $10 million for details on a hacker affiliated with the group called CyberAv3ngers\r\nthat gained prominence in 2023 and 2024 for a string of cyberattacks on U.S. and Israeli water utilities. \r\nLaw enforcement agencies eventually tied CyberAv3ngers to Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command, and in August offered a reward for information on at least six Iranian government hackers\r\nallegedly behind the effort and placed sanctions on the men. \r\nOn Thursday, the State Department issued a new reward centered around an online persona known as Mr. Soul or\r\nMr. Soll. The notice said CyberAv3ngers is associated with the persona and “has launched a series of malicious\r\ncyber activities against U.S. critical infrastructure on behalf of Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).” \r\n“CyberAv3ngers actors have utilized malware known as IOCONTROL to target [Industrial Control\r\nSystems/Supervisory Control and Data Acquisition (ICS/SCADA)] devices used by critical infrastructure sectors\r\nin the United States and worldwide,” the State Department said. \r\nThe State Department and Cybersecurity and Infrastructure Security Agency did not respond to requests for\r\ninformation about the most recent CyberAv3ngers attacks.\r\nMembers of CyberAv3ngers have boasted on Telegram of their attacks and compromises using IOControl.
\r\nIOControl is a strain of malware spotlighted by government officials in December 2024 that multiple\r\ncybersecurity firms said was being used by Iranian actors to attack Israel- and U.S.-based devices. Experts at\r\nClaroty said the malware was used to attack cameras, routers, firewalls and other industrial technology created by\r\npopular vendors like Unitronics, D-Link, Hikvision, Baicells and more. \r\nClaroty incident responders analyzed a sample of the malware taken from a popular gas station management\r\nsystem that was allegedly compromised by CyberAv3ngers.\r\nThe malware allows hackers to remotely control infected devices, move laterally within a victim’s system and\r\nmore. Cybersecurity firm Armis said the malware was first seen using other names over a year ago.\r\nThe State Department reward was posted amid a widening military conflict between Israel and Iran. On Friday,\r\nIsraeli missile strikes killed hundreds of Iranian citizens including several military leaders and nuclear scientists.\r\nIran has responded by firing hundreds of rockets at Israel, killing dozens in Tel Aviv and other cities.  \r\nJohn Hultquist, chief analyst at Google Threat Intelligence Group, warned that Iranian cyber threat actors would\r\nlikely “rededicate themselves” to attacks on Israel in light of the recent conflict. \r\n“Iranian cyber activity in Israel is already persistent and aggressive, and has been for several years. Iranian cyber\r\nactivity has not been as extensive outside of the Middle East but could shift in light of the military actions,” he\r\nsaid. \r\n“Targets in the United States could be reprioritized for action by Iran’s cyber threat capability. Iranian cyber\r\nespionage activity already targets the U.S. government, military, and political set, but new activity may threaten\r\nprivately owned critical infrastructure, or even private individuals.”\r\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/us-offers-reward-for-iran-hacker-iocontrol-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/us-offers-reward-for-iran-hacker-iocontrol-malware"
	],
	"report_names": [
		"us-offers-reward-for-iran-hacker-iocontrol-malware"
	],
	"threat_actors": [
		{
			"id": "5484a633-c850-4380-921b-72fce1a32e72",
			"created_at": "2024-01-18T02:02:34.026014Z",
			"updated_at": "2026-04-10T02:00:04.636248Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [],
			"source_name": "ETDA:CyberAv3ngers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b125b5c1-1431-4880-9ab8-582a583811ea",
			"created_at": "2024-04-24T02:00:49.643067Z",
			"updated_at": "2026-04-10T02:00:05.421434Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [
				"CyberAv3ngers",
				"Soldiers of Soloman"
			],
			"source_name": "MITRE:CyberAv3ngers",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446625,
	"ts_updated_at": 1775791674,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8222e868245c2d12ad26867b5576faeb0fb3f580.pdf",
		"text": "https://archive.orkl.eu/8222e868245c2d12ad26867b5576faeb0fb3f580.txt",
		"img": "https://archive.orkl.eu/8222e868245c2d12ad26867b5576faeb0fb3f580.jpg"
	}
}