{
	"id": "a56278c6-5e68-46d4-9693-e6c993184d87",
	"created_at": "2026-04-06T00:21:25.264061Z",
	"updated_at": "2026-04-10T03:27:54.43716Z",
	"deleted_at": null,
	"sha1_hash": "9a179c9c4b655375808278169fcfa18205479dd4",
	"title": "New IOCONTROL malware used in critical infrastructure attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3703302,
	"plain_text": "New IOCONTROL malware used in critical infrastructure attacks\r\nBy Bill Toulas\r\nPublished: 2024-12-12 · Archived: 2026-04-05 17:39:41 UTC\r\nIranian threat actors are utilizing a new malware named IOCONTROL to compromise Internet of Things (IoT) devices and OT/SCADA systems used by critical infrastructure in Israel and the United States.\r\nTargeted devices include routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), IP cameras, firewalls, and fuel management systems.\r\nThe malware's modular nature makes it capable of compromising a broad spectrum of devices from various manufacturers, including D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.\r\nhttps://www.bleepingcomputer.com/news/security/new-iocontrol-malware-used-in-critical-infrastructure-attacks/\r\nPage 1 of 5\r\nClaroty's Team82 researchers, who have discovered and sampled IOCONTROL for analysis, report that it's a nation-state cyberweapon that can cause significant disruptions in critical infrastructure.\r\nGiven the ongoing geopolitical conflict, IOCONTROL is currently used to target Israel and U.S. systems, like Orpak and Gasboy fuel management systems.\r\nThe tool is reportedly linked to an Iranian hacking group known as CyberAv3ngers, who have shown interest in attacking industrial systems in the past. OpenAI also recently reported that the threat group uses ChatGPT to crack PLCs, develop custom bash and Python exploit scripts, and plan its post-compromise activity.\r\nIOCONTROL attacks\r\nClaroty extracted malware samples from a Gasboy fuel control system, specifically the device's payment terminal (OrPT), but the researchers do not know precisely how the hackers infected it with IOCONTROL.\r\nInside those devices, IOCONTROL could control pumps, payment terminals, and other peripheral systems, potentially causing disruption or data theft.\r\nThe threat actors have claimed on Telegram to have compromised 200 gas stations in Israel and the U.S., which aligns with Claroty's findings.\r\nThese attacks occurred in late 2023, around the same time as the defacement of Unitronics Vision PLC/HMI devices in water treatment facilities, but the researchers report that new campaigns emerged in mid-2024.\r\nAs of December 10, 2024, the UPX-packed malware binary is detected by none of the 66 VirusTotal antivirus engines.\r\nGasboy fuel control system from where the malware was extracted\r\nSource: Claroty\r\nMalware capabilities\r\nThe malware, which is stored in the '/usr/bin/' directory under the name 'iocontrol', uses a modular configuration to adapt to different vendors and device types, targeting a broad spectrum of system architectures.\r\nIt uses a persistence script ('S93InitSystemd.sh') to execute the malware process ('iocontrol') upon system boot, so restarting the device does not deactivate it.\r\nIt uses the MQTT protocol through port 8883 to communicate with its command and control (C2) server, which is a standard channel and protocol for IoT devices. Unique device IDs are embedded into the MQTT credentials for better control.\r\nDNS over HTTPS (DoH) is used to resolve the C2 domains while evading network traffic monitoring tools, and the malware's configuration is encrypted using AES-256-CBC.\r\nThe commands IOCONTROL supports are the following:\r\nSend \"hello\": Reports detailed system information (e.g., hostname, current user, device model) to the C2.\r\nCheck exec: Confirms the malware binary is properly installed and executable.\r\nExecute command: Runs arbitrary OS commands via system calls and reports output.\r\nSelf-delete: Removes its own binaries, scripts, and logs to evade detection.\r\nPort scan: Scans specified IP ranges and ports to identify other potential targets.\r\nThe above commands are executed using system calls retrieved dynamically from the 'libc' library, and the outputs are written to temporary files for reporting.\r\nSimplified attack flow\r\nSource: Claroty\r\nGiven the role of IOCONTROL's targets in critical infrastructure and the group's continuous activity, Claroty's report constitutes a valuable resource for defenders to help identify and block the threat.\r\nThe complete indicators of compromise (IoC) are listed at the bottom of the report.\r\nSource: https://www.bleepingcomputer.com/news/security/new-iocontrol-malware-used-in-critical-infrastructure-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-iocontrol-malware-used-in-critical-infrastructure-attacks/"
	],
	"report_names": [
		"new-iocontrol-malware-used-in-critical-infrastructure-attacks"
	],
	"threat_actors": [
		{
			"id": "5484a633-c850-4380-921b-72fce1a32e72",
			"created_at": "2024-01-18T02:02:34.026014Z",
			"updated_at": "2026-04-10T02:00:04.636248Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [],
			"source_name": "ETDA:CyberAv3ngers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b125b5c1-1431-4880-9ab8-582a583811ea",
			"created_at": "2024-04-24T02:00:49.643067Z",
			"updated_at": "2026-04-10T02:00:05.421434Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [
				"CyberAv3ngers",
				"Soldiers of Soloman"
			],
			"source_name": "MITRE:CyberAv3ngers",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434885,
	"ts_updated_at": 1775791674,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a179c9c4b655375808278169fcfa18205479dd4.pdf",
		"text": "https://archive.orkl.eu/9a179c9c4b655375808278169fcfa18205479dd4.txt",
		"img": "https://archive.orkl.eu/9a179c9c4b655375808278169fcfa18205479dd4.jpg"
	}
}