IOCONTROL
IOCONTROL is a custom-built Linux-based backdoor and malware platform designed for IoT, OT, and SCADA environments. Reporting attributes it to the Iran-linked CyberAv3ngers group, which is tied to the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). Claroty Team82 described it as a modular cyberweapon used against civilian critical infrastructure, and multiple sources state it has been used to target Israeli and U.S.-based IoT and ICS devices.
The malware is described as infecting Linux-based IoT and OT systems and as being configurable to target a broad range of device types, including routers, IP cameras, firewalls, PLCs, HMIs, fuel management systems, and other industrial devices. Named affected or targeted vendors and platforms in the reporting include Red Lion, Orpak, Gasboy, Baicells, D-Link, Hikvision, Phoenix Contact, Teltonika, and Unitronics. Team82 reported that IOCONTROL was extracted from a compromised fuel management system and linked it to campaigns affecting several hundred Orpak Systems and Gasboy fuel management systems in Israel and the United States.
IOCONTROL uses MQTT for command-and-control, including MQTT over TLS on port 8883, and uses DNS-over-HTTPS for domain resolution to evade traditional monitoring. Reporting states it performs DNS queries to resolve the MQTT broker, may use cloud-hosted broker infrastructure, embeds unique device IDs into MQTT credentials, and exchanges structured JSON beacon and command messages. It can collect host information including kernel version, hostname, user identity, and timezone, maintain persistent communications with its C2, execute commands remotely, scan ports, exfiltrate data, delete itself on demand, and store encrypted configuration data using AES-256-CBC. Persistence has been reported via a systemd boot script.
The malware has been characterized as purpose-built for Linux-based IoT and OT environments but generic enough to affect broader OT platforms, including fuel pump systems used at gas stations. Reporting associates IOCONTROL with CyberAv3ngers' broader critical infrastructure activity against water, wastewater, energy, government, and fuel-sector environments, and with attacks on U.S. and Israeli civilian infrastructure. Behaviors the reporting treats as high-confidence hunting leads include outbound MQTT over TLS on port 8883 from OT devices to brokers outside the plant network (the reporting notes cloud-hosted broker infrastructure), DNS-over-HTTPS originating from OT segments, and direct internet exposure of the affected devices, often behind weak or default credentials in related CyberAv3ngers operations. Because MQTT over 8883 is also a legitimate IoT channel, these signals should be judged against a baseline of which OT hosts are expected to publish to which brokers.
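The two network behaviors above can be turned into a simple correlation check. The following is an added example, not code from the original page or from Claroty Team82: it reads Zeek-shaped JSON connection and TLS records, flags OT hosts that open MQTT/TLS sessions to a broker outside the internal ranges or that contact a public DNS-over-HTTPS resolver, and reports hosts showing both. The OT address range (10.20.0.0/16), the internal ranges, the DoH resolver watchlist and the sample records are all constructed assumptions, not IOCONTROL indicators.

```python
"""Added example (not from the page or from Claroty Team82): correlate the two
network behaviours reported for IOCONTROL in Zeek-shaped JSON records.

Assumptions, none of which come from the page: records use Zeek conn.log / ssl.log
field names; OT hosts live in 10.20.0.0/16; the DoH watchlist is a generic list of
public DoH resolvers, not an IOCONTROL indicator.
"""
import ipaddress
import json
from collections import defaultdict

OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed OT address space
# Explicit RFC 1918 list. ipaddress's is_private also treats the documentation
# range used in the sample below (203.0.113.0/24) as private, which would hide it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOH_SNI_WATCHLIST = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}  # assumed watchlist
MQTT_TLS_PORT = 8883

# Constructed sample records (Zeek-style JSON lines), not real telemetry.
SAMPLE_LOG = """
{"_path":"conn","ts":1.0,"id.orig_h":"10.20.5.17","id.resp_h":"203.0.113.10","id.resp_p":8883,"proto":"tcp","conn_state":"SF"}
{"_path":"ssl","ts":2.0,"id.orig_h":"10.20.5.17","id.resp_h":"8.8.8.8","id.resp_p":443,"server_name":"dns.google"}
{"_path":"conn","ts":3.0,"id.orig_h":"10.30.1.4","id.resp_h":"203.0.113.10","id.resp_p":8883,"proto":"tcp","conn_state":"SF"}
{"_path":"conn","ts":4.0,"id.orig_h":"10.20.5.18","id.resp_h":"10.20.0.2","id.resp_p":8883,"proto":"tcp","conn_state":"SF"}
{"_path":"ssl","ts":5.0,"id.orig_h":"10.20.5.18","id.resp_h":"198.51.100.7","id.resp_p":443,"server_name":"www.example.com"}
"""


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def parse_records(text):
    """Parse JSON lines, skipping blank or malformed ones."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def evaluate(records):
    """Return one finding per record from an OT host that matches either behaviour."""
    findings = []
    for rec in records:
        src = rec.get("id.orig_h", "")
        if not src or not in_any(src, OT_NETS):
            continue  # only OT-originated traffic is interesting here
        dst = rec.get("id.resp_h", "")
        if (rec.get("_path") == "conn" and rec.get("id.resp_p") == MQTT_TLS_PORT
                and dst and not in_any(dst, INTERNAL_NETS)):
            findings.append({"rule": "mqtt_tls_external_from_ot", "src": src,
                             "detail": dst, "ts": rec.get("ts")})
        sni = (rec.get("server_name") or "").lower()
        if rec.get("_path") == "ssl" and sni in DOH_SNI_WATCHLIST:
            findings.append({"rule": "doh_resolver_from_ot", "src": src,
                             "detail": sni, "ts": rec.get("ts")})
    return findings


def high_confidence_hosts(findings):
    """OT hosts that show both behaviours: DoH resolution and external MQTT/TLS."""
    rules = defaultdict(set)
    for f in findings:
        rules[f["src"]].add(f["rule"])
    needed = {"mqtt_tls_external_from_ot", "doh_resolver_from_ot"}
    return sorted(host for host, seen in rules.items() if needed <= seen)


if __name__ == "__main__":
    found = evaluate(parse_records(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts']:>5} {f['src']:<12} {f['rule']:<26} {f['detail']}")
    print("high confidence:", high_confidence_hosts(found))
```

In the sample, 10.20.5.17 is reported twice and then promoted to high confidence, the non-OT host 10.30.1.4 is ignored, and 10.20.5.18 publishing to an internal broker on 8883 is treated as expected traffic. The internal ranges are listed explicitly because `ipaddress.is_private` also counts documentation ranges, so a sample using 203.0.113.x would otherwise never fire.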
Groups observed using it
2 distinct threat actors attributed by public researchers.
By mid-2024, the group introduced IOCONTROL, a custom-built malware platform designed for Linux-based IoT and operational technology environments.
Team82, Claroty’s threat intelligence research team, obtained a sample of IOCONTROL, custom-built malware that infects Internet of Things (IoT) and operational technology (OT) systems.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
"Default credential login on internet-exposed Unitronics PLCs via TCP port 20256 (default password: 1111)"; "No software vulnerability exploitation required" (from related CyberAv3ngers operations)
Execution (1 technique)
The malware stores its configuration data encrypted with AES-256-CBC, installs itself as a systemd boot script so it survives reboots, and can execute system commands, scan ports, or delete itself on demand.
Persistence (2 techniques)
Installs itself as a systemd boot script so it survives reboots.
Privilege Escalation (2 techniques)
Evidenced on this page only by the systemd boot-script installation reported under Persistence.
Defense Evasion (3 techniques)
Configuration data is stored encrypted with AES-256-CBC, and command-and-control domains are resolved over DNS-over-HTTPS rather than plaintext DNS.
Defense evasion has remained a critical phase, where threat actors employ multiple obfuscation techniques (T1140)
Discovery (2 techniques)
Port scanning and host profiling after the broker is reached:
Once the IP is resolved, the malware establishes an MQTT connection to the broker and begins sending system information back to the attacker. The data includes details like the kernel version, hostname, and user identity.
Command and Control (6 techniques)
[Figure: IOCONTROL's command-and-control architecture, showing MQTT over TLS on port 8883 and DNS-over-HTTPS for domain resolution, which lets the malware blend into legitimate IoT network traffic.]
After compromising a system, IOCONTROL first establishes a connection to the C2 server by querying DNS to resolve the IP address of a broker, typically hosted via cloud services.
It also uses DNS-over-HTTPS to resolve command-and-control domains, bypassing standard network monitoring tools entirely.
It uses the MQTT protocol over TLS on port 8883, a standard IoT communication channel, to reach its command-and-control server.
T1071.005 Publish/Subscribe Protocols is a sub-technique of Application Layer Protocols (T1071) in the MITRE ATT&CK framework, under the Command and Control tactic.
Exfiltration (1 technique)
This allows attackers to not only exfiltrate critical data but also execute arbitrary commands remotely.
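The Persistence entry above reports that IOCONTROL installs itself as a systemd boot script. The following is an added example, not code from the original page or from Claroty Team82, of how a responder might triage systemd unit files for that kind of persistence: it parses unit files with a minimal reader (systemd allows repeated keys, which configparser does not), extracts the ExecStart binaries, and flags units whose binary lives in a volatile directory or a hidden path, that restart unconditionally, or that are not in a site baseline. The unit contents, the baseline list and the volatile-directory list are constructed assumptions; the page gives no unit names, paths or other indicators for IOCONTROL.

```python
"""Added example (not from the page or from Claroty Team82): triage systemd unit
files for traits a hunter would expect of a malicious boot-time service.

The sample units, BASELINE_UNITS and VOLATILE_DIRS are constructed assumptions,
not IOCONTROL indicators.
"""
import os

VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/")  # assumed
BASELINE_UNITS = {"sshd.service", "backup.service"}  # assumed site baseline
STRONG_FLAGS = {"exec_in_volatile_dir", "hidden_path_component"}

# Constructed sample unit files keyed by path (not real artifacts).
SAMPLE_UNITS = {
    "/etc/systemd/system/sshd.service": """[Unit]
Description=OpenSSH server
[Service]
ExecStart=/usr/sbin/sshd -D
[Install]
WantedBy=multi-user.target
""",
    "/etc/systemd/system/backup.service": """[Unit]
Description=Nightly backup
[Service]
ExecStart=/usr/local/bin/backup.sh
[Install]
WantedBy=multi-user.target
""",
    "/etc/systemd/system/net-helper.service": """[Unit]
Description=Network helper
After=network-online.target
[Service]
ExecStart=/tmp/.cache/nethelper -d
Restart=always
[Install]
WantedBy=multi-user.target
""",
}


def parse_unit(text):
    """Minimal unit parser: section -> key -> list of values (keys may repeat)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def exec_paths(unit):
    """Binary of each Exec* directive, with systemd's prefix characters (-@+!:) stripped."""
    paths = []
    for key in ("ExecStartPre", "ExecStart", "ExecStartPost"):
        for cmd in unit.get("Service", {}).get(key, []):
            parts = cmd.split()
            if parts:
                paths.append(parts[0].lstrip("-@+!:"))
    return paths


def triage_unit(path, text):
    """Return the sorted list of flags raised for one unit file."""
    unit = parse_unit(text)
    flags = set()
    if os.path.basename(path) not in BASELINE_UNITS:
        flags.add("not_in_baseline")
    for binary in exec_paths(unit):
        if binary.startswith(VOLATILE_DIRS):
            flags.add("exec_in_volatile_dir")
        if any(part.startswith(".") for part in binary.split("/") if part):
            flags.add("hidden_path_component")
    if "always" in unit.get("Service", {}).get("Restart", []):
        flags.add("restart_always")
    return sorted(flags)


def triage_all(units):
    return {path: triage_unit(path, text) for path, text in units.items()}


def suspicious_units(units):
    """Unit names that raised at least one strong flag."""
    return sorted(os.path.basename(p) for p, flags in triage_all(units).items()
                  if STRONG_FLAGS & set(flags))


if __name__ == "__main__":
    for path, flags in triage_all(SAMPLE_UNITS).items():
        print(f"{path}: {', '.join(flags) or 'clean'}")
    print("suspicious:", suspicious_units(SAMPLE_UNITS))
```

On a live host the same functions would be fed the files under /etc/systemd/system, /usr/lib/systemd/system and each user's ~/.config/systemd/user, with the baseline taken from a known-good image of the same device model. "not_in_baseline" on its own is weak evidence; the volatile-directory and hidden-path flags are the ones worth paging on.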
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A modular malware platform targeting Linux-based IoT and OT devices. It uses MQTT over TLS on port 8883 for command-and-control, DNS-over-HTTPS for domain resolution, stores configuration encrypted with AES-256-CBC, persists via a systemd boot script, and can execute system commands, scan ports, or delete itself on demand.
A nation-state malware platform used against civilian critical infrastructure. It uses MQTT for command-and-control, routes DNS lookups over HTTPS to evade monitoring, and targets PLCs, fuel management systems, IP cameras, routers, firewalls, and other industrial devices.
A custom IoT/ICS malware reportedly leveraged by Iran to target Israeli and U.S.-based IoT and ICS devices, including devices from Red Lion.
Custom malware targeting IoT and OT devices such as routers and fuel management systems, with potential physical infrastructure impact.