Insights, news, education and announcements from PolySwarm

Iran-Linked PLC Exploitation Expands Across US Critical Infrastructure

Written by The Hivemind | Apr 17, 2026 6:14:36 PM

Verticals Targeted: Critical Infrastructure, ONG, Electricity, Water, Government
Regions Targeted: US
Related Threat Actors: CyberAv3ngers, Static Kitten, Refined Kitten, Helix Kitten, Banished Kitten

Executive Summary

A joint US government advisory confirmed that Iran-affiliated cyber actors are actively exploiting internet-facing industrial control systems, particularly Rockwell Automation/Allen-Bradley PLCs, across US critical infrastructure. The activity has resulted in operational disruption, manipulation of HMI/SCADA data, and financial loss in sectors including water, energy, and government facilities. The campaign reflects a continuation of Iran’s established OT targeting playbook, prioritizing exposed industrial assets over sophisticated intrusion chains. Recent activity indicates a shift from defacement and signaling toward direct process interference, increasing the risk of real-world operational impact during periods of geopolitical tension.

Key Takeaways

  • Iran-affiliated actors are exploiting internet-exposed PLCs across US critical infrastructure with confirmed disruptive outcomes.
  • Targeting includes Rockwell Automation/Allen-Bradley devices and likely extends to other exposed industrial systems.
  • Activity includes manipulation of HMI/SCADA data and theft of PLC project files.
  • The campaign reflects the evolution of prior Iranian OT operations, including CyberAv3ngers-linked Unitronics activity.
  • Exposure of OT assets remains the primary enabling condition rather than advanced exploitation techniques.

Active Exploitation Underway

An April 7, 2026 joint advisory (AA26-097A) from US cybersecurity and intelligence agencies confirms active exploitation of operational technology environments by Iran-affiliated actors. The activity targets internet-facing programmable logic controllers (PLCs), with specific emphasis on Rockwell Automation/Allen-Bradley devices deployed across US critical infrastructure.

Observed impacts include diminished PLC functionality, unauthorized manipulation of HMI/SCADA display data, and extraction of project configuration files. These actions have already resulted in operational disruption and financial loss, confirming that the activity has progressed beyond reconnaissance into active interference with industrial processes.

The sectors explicitly identified include Government Services and Facilities, Water and Wastewater Systems, and Energy. This targeting aligns with longstanding Iranian strategic priorities, particularly sectors where disruption can produce cascading societal and economic effects.

The campaign is notable for its reliance on accessible attack surfaces rather than advanced intrusion techniques. The advisory emphasizes monitoring for suspicious activity on industrial protocols and ports, including TCP 44818 (EtherNet/IP explicit messaging), UDP/TCP 2222 (EtherNet/IP implicit I/O), TCP 102 (ISO-TSAP, used by Siemens S7 communication), and TCP 502 (Modbus/TCP), and recommends removing PLCs from direct internet exposure. This reinforces that the primary vulnerability is architectural rather than exploit-driven: these protocols carry no authentication by default, so a PLC reachable from the internet on any of these ports can generally be read, written, or reconfigured by anyone who can complete a connection.
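The monitoring the advisory calls for can be expressed as a small piece of detection logic. The script below is an added example, not part of the advisory or of PolySwarm's tooling: it parses a constructed firewall/flow log format, flags allowed sessions to the four advisory ports that originate outside an assumed OT client allow-list (10.20.0.0/24 is a placeholder for the engineering workstation and HMI subnet), treats any non-RFC1918 source as internet exposure, and reports sources that touch more than one ICS port, which is the pattern of service enumeration against an exposed device. The log lines, subnets, and addresses are all constructed for the example.

```python
"""
Flag sessions to ICS/OT service ports in a firewall/flow log.

Added example, not from the advisory or from PolySwarm. The log format is
constructed for this example; real exports (firewall syslog, NetFlow, Zeek
conn.log) need their own parser, but the decision logic is the same.
"""
import ipaddress
import re
from collections import defaultdict

# Ports named in AA26-097A, with the protocol each normally carries.
ICS_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP",
}

# Assumption: only these subnets may talk to PLCs (engineering workstations,
# HMI/SCADA servers). Placeholder value; adjust to the site's architecture.
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumption: the site uses RFC 1918 space internally, so any other source is
# treated as routable from the internet. (ipaddress's is_global would also
# exclude the RFC 5737 documentation ranges used in the sample log below.)
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed format: "<ts> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def classify(event):
    """Return (severity, reason) for one parsed event, or None if it is benign."""
    if event["dport"] not in ICS_PORTS or event["action"] != "ALLOW":
        return None
    src = ipaddress.ip_address(event["src"])
    service = ICS_PORTS[event["dport"]]
    if not any(src in net for net in RFC1918_NETS):
        # A routable source reaching an ICS port means the device is directly
        # internet-exposed: the enabling condition the advisory describes.
        return ("high", f"internet source {src} reached {service} on {event['dst']}")
    if not any(src in net for net in ALLOWED_CLIENT_NETS):
        return ("medium", f"internal host {src} outside OT allow-list reached {service} on {event['dst']}")
    return None


def analyze(lines):
    """Classify every line; also flag any source that touched two or more ICS ports."""
    findings = []
    ports_by_src = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not a flow record; skip rather than fail the whole run
        hit = classify(ev)
        if hit:
            sev, reason = hit
            findings.append({"ts": ev["ts"], "severity": sev, "src": ev["src"],
                             "dst": ev["dst"], "dport": ev["dport"], "reason": reason})
            ports_by_src[ev["src"]].add(ev["dport"])
    for src, ports in ports_by_src.items():
        if len(ports) >= 2:
            findings.append({"ts": None, "severity": "high", "src": src, "dst": None, "dport": None,
                             "reason": f"{src} probed {len(ports)} ICS ports {sorted(ports)} (service enumeration)"})
    return findings


# Constructed sample log: a legitimate HMI session, an internet-sourced CIP
# session followed by a CIP I/O session from the same host, an internal host
# outside the allow-list reaching Modbus, a denied S7 probe, and a junk line.
SAMPLE_LOG = """\
2026-04-10T03:12:44Z ALLOW TCP 10.20.0.15:51234 -> 10.30.1.7:44818
2026-04-10T03:13:02Z ALLOW TCP 203.0.113.45:40211 -> 10.30.1.7:44818
2026-04-10T03:13:05Z ALLOW UDP 203.0.113.45:40212 -> 10.30.1.7:2222
2026-04-10T03:14:10Z ALLOW TCP 10.50.9.3:61002 -> 10.30.1.9:502
2026-04-10T03:15:00Z DENY TCP 198.51.100.7:55555 -> 10.30.1.9:102
this line is not a flow record
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['reason']}")
```

Run against the sample, the legitimate HMI session and the denied probe produce nothing, the two sessions from 203.0.113.45 are flagged high, the Modbus session from the non-allow-listed internal host is flagged medium, and a final high finding records that 203.0.113.45 touched two distinct ICS ports. A denied inbound probe is still worth counting separately in a real deployment, since a burst of denies against these ports from one source is the reconnaissance that precedes the allowed session.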

Recent developments within the past few weeks support a broader escalation environment. Iran-linked activity attributed to the Handala persona disrupted operations at a US-based medical device manufacturer, affecting manufacturing and logistics workflows. Additionally, reporting indicates MuddyWater activity targeting US financial institutions, transportation infrastructure, and defense supply chains, suggesting ongoing access operations that could enable follow-on disruption.

Strategically, the current campaign represents a continuation and evolution of Iranian cyber operations against industrial systems. Earlier campaigns, particularly those linked to CyberAv3ngers, focused on Unitronics PLC defacement and disruption in water systems. The present activity demonstrates a shift toward more direct manipulation of industrial processes and operational data, increasing the likelihood of real-world impact.

This pattern reflects a broader Iranian cyber doctrine emphasizing asymmetric disruption, plausible deniability, and rapid operational effects achieved through exploitation of exposed infrastructure rather than reliance on complex or novel capabilities.

Threat Actors to Watch

The following Iran-linked threat actor groups have historically targeted US critical infrastructure and are therefore the most likely to be involved in this or related activity going forward:

CyberAv3ngers

CyberAv3ngers is an Iranian threat actor group active since at least 2023. The group is assessed to operate under or in coordination with the Islamic Revolutionary Guard Corps (IRGC), specifically the IRGC Cyber Electronic Command. The group emerged as a persona conducting operations targeting industrial control systems, particularly PLCs used in water and wastewater infrastructure. CyberAv3ngers represents Iran’s most direct publicly documented OT-focused threat actor, combining disruptive capability with messaging aligned to geopolitical narratives. The group has demonstrated the ability to manipulate industrial devices, deface systems, and interfere with operational processes, often leveraging exposed infrastructure rather than complex intrusion chains. Recent activity indicates a shift from defacement toward more direct operational disruption, consistent with the current Rockwell PLC targeting campaign.

TTPs

CyberAv3ngers conducts operations focused on direct OT disruption. The group:

  • Exploits internet-exposed PLCs and industrial control devices
  • Manipulates HMI/SCADA data and system outputs
  • Conducts disruptive operations against water and energy systems
  • Uses public-facing personas to amplify messaging and psychological impact
  • Leverages weak or default configurations in industrial environments

Targeting

  • Water and wastewater systems
  • Energy and utilities
  • Government-operated infrastructure
  • Industrial environments using exposed PLCs

Regions Targeted

United States, Israel, and allied infrastructure environments

MuddyWater (Static Kitten)

MuddyWater, also known as Seedworm, TEMP.Zagros, and Static Kitten, is an Iranian threat actor group active since at least 2017. The group is assessed to operate under the Ministry of Intelligence and Security (MOIS). MuddyWater has historically focused on espionage and access operations but plays a critical role in enabling broader Iranian cyber campaigns. MuddyWater represents an access-focused threat actor that enables disruption by establishing footholds across critical and adjacent infrastructure. Recent reporting indicates activity targeting US financial institutions, airports, and defense supply chains, suggesting potential pre-positioning for future operations. While not primarily an OT disruption actor, its access operations create conditions that can support downstream interference.

TTPs

MuddyWater conducts operations centered on persistence and access. The group:

  • Conducts spearphishing and credential harvesting campaigns
  • Uses PowerShell and living-off-the-land techniques
  • Deploys custom and commodity backdoors
  • Maintains persistence via legitimate administrative tools
  • Conducts reconnaissance and lateral movement within enterprise environments

Targeting

  • Government and public sector
  • Energy and ONG
  • Telecommunications
  • Financial institutions
  • Defense and supply chain organizations

Regions Targeted

Middle East, United States, Europe, Asia, and Africa

APT33 (Refined Kitten)

APT33, also known as Elfin, Refined Kitten, and Magnallium, is an Iranian threat actor group active since at least 2013. The group is associated with Iranian state interests and has historically targeted aerospace, defense, and energy sectors. APT33 represents a strategic targeting actor focused on industries where disruption or intelligence collection can support military and economic objectives. The group has demonstrated capabilities including destructive malware deployment and credential-based intrusion operations. Its consistent focus on energy infrastructure makes it relevant in the context of Iranian cyber operations against critical infrastructure.

TTPs

APT33 conducts operations combining espionage and disruption. The group:

  • Uses spearphishing and credential harvesting for initial access
  • Conducts password spraying against enterprise accounts
  • Deploys malware for persistence and potential destructive impact
  • Targets enterprise environments supporting industrial operations
  • Conducts reconnaissance and long-term access operations

Targeting

  • Energy and utilities
  • Aerospace and aviation
  • Defense contractors
  • Industrial and manufacturing sectors

Regions Targeted

United States, Middle East, Europe, and Asia

APT34 (Helix Kitten)

APT34, also known as OilRig and Helix Kitten, is an Iranian threat actor group active since at least 2014. The group is assessed to operate under the Ministry of Intelligence and Security (MOIS). OilRig is one of Iran’s most persistent cyber espionage actors, with a focus on long-term access and intelligence collection. APT34 represents a pre-positioning threat actor that targets infrastructure-adjacent organizations, particularly in the energy sector. While not primarily associated with direct OT disruption, its sustained access to strategic environments increases the risk of follow-on operations that could impact industrial systems.

TTPs

APT34 conducts long-term intrusion operations. The group:

  • Uses spearphishing and web shell deployment
  • Conducts credential theft and privilege escalation
  • Maintains persistence through custom malware and legitimate tools
  • Performs lateral movement across enterprise networks
  • Collects intelligence to support strategic objectives

Targeting

  • Energy sector organizations
  • Government entities
  • Defense and intelligence-related organizations
  • Telecommunications and infrastructure-adjacent sectors

Regions Targeted

Middle East, United States, Europe, and regional strategic targets

Banished Kitten

Banished Kitten, also known as Dune, Void Manticore, Red Sandstorm, and Storm-0842, is an Iranian threat actor group active since at least 2008. The group is assessed to operate under or in coordination with the Ministry of Intelligence and Security. The group has evolved from primarily espionage-focused operations into a hybrid actor capable of conducting disruption, data leakage, and influence campaigns. Banished Kitten represents a hybrid cyber threat actor combining state-backed capability with hacktivist-style execution and messaging. Its use of front personas enables plausible deniability while amplifying psychological and reputational impact. Recent activity linked to Handala indicates a shift toward rapid, disruptive operations aligned with geopolitical events, increasing the relevance of this actor to healthcare and other critical infrastructure sectors.

TTPs

Banished Kitten conducts operations combining intrusion, disruption, and psychological impact. The group:

  • Conducts targeted intrusions via spearphishing, credential harvesting, and exploitation of exposed services
  • Executes destructive operations including data wiping and system disruption
  • Exfiltrates and leaks data to amplify reputational and operational impact
  • Operates influence personas such as Handala and Homeland Justice
  • Maintains persistence using remote access tools, tunneling, and abuse of legitimate administrative pathways

Targeting

  • Government and public sector entities
  • Critical infrastructure and industrial environments
  • Private sector organizations supporting national resilience, including healthcare and manufacturing
  • Media organizations and dissidents

Regions Targeted

Middle East, United States, Europe, and allied nations

Analyst Commentary

Recent diplomatic efforts toward a ceasefire have stalled, with negotiations failing to produce a durable agreement as regional tensions continue to escalate. In parallel, the United States has signaled an increased security posture around the Strait of Hormuz, alongside explicit threats to Iranian energy infrastructure. This dynamic introduces a historically consistent risk pattern, in which Iranian cyber operations target energy-sector assets in response to perceived or actual threats against its own oil and gas capabilities. Given the strategic importance of the Strait as a global energy chokepoint, further kinetic or economic pressure in this region increases the likelihood of retaliatory cyber activity directed at US and allied energy infrastructure, particularly through asymmetric means such as disruption of operational technology environments or attacks on supporting service providers.

Iran’s current operations against US infrastructure reflect a layered threat model:

  • Access Layer: Groups like MuddyWater and OilRig establish footholds across enterprise and infrastructure-adjacent environments
  • Targeting Layer: APT33 and similar actors focus on energy, aerospace, and strategic industries
  • Disruption Layer: CyberAv3ngers-style operations directly target OT systems for immediate operational impact

The convergence of these layers increases the likelihood of both opportunistic and coordinated disruptive activity, particularly during periods of geopolitical escalation. While the current campaign relies heavily on exposed infrastructure rather than advanced exploitation, detection challenges persist due to the blending of commodity access techniques with operational technology environments. Early-stage tooling, scripts, and payloads used in these operations often exhibit low or inconsistent detection across traditional security engines, particularly before widespread signature propagation.

PolySwarm enables defenders to identify these threats earlier in the detection lifecycle by aggregating multi-engine malware analysis and exposing low-consensus detections that traditional single-engine tools may miss. Analysts can submit samples, compare detection results across engines, and analyze suspicious payloads with broader coverage and context, increasing the likelihood of detection and improving visibility into emerging threats as they are first observed.

IOCs

PolySwarm has multiple samples associated with the Iranian APT groups mentioned in this report. Below is a selection of hashes for those samples.

CyberAv3ngers

1b39f9b2b96a6586c4a11ab2fdbff8fdf16ba5a0ac7603149023d73f33b84498

Static Kitten

fe7de7efcee88532e66c6fb8c065c986aaa7fa3793ed03a296ff1c76edffc250

deb3ebba2541fa7de3d6262bf8a757f35128a028d02ccbf4ee33a2496d25b9c4

46a56ffbe3a8378bf48be43434a41b064aa66e9c33ccf3b4fb6841e8316c7f4c

13a389493c157668d969585706c364dce8cac6ee6a01a6165950ef03b70fa87b

48f11abab3b6bff988f473f0c5d9f4ee892a3e850873d981b77ed7eca0fec598

eaeb5d35b72124f26d737fcc7b6e1632a6fdfc255c7c697670a09ffd248f1fee

831904199944bc80db1607fea03a4b43790bfe712ca60773c2c74d5153ced561

139b32bd5f3372766f2448313d7b04c7813fee428f80988da918c971f441cf78

97ec5014671dfdd6262812205b2130fcc8ff329c96f2907be86f7c2f3b721c3d

a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0

5cd94a1f0290624c2454ab7fde5e9a120a9d52cbb9e14a844aada31f488dc886

d56dbd5cf5a1012021be97c337dad8d14e510c0d24d4bdb1fe3540c57b62e834

b5484990d162391159926dd46e1fd110b75030367a50c828d5756ae4a99f1895

c0ed55e49249f4ef51c4c26f389f88a3d09fb8f3d850469ae1b0825c6d420571

c0b42595868cef57dd5bdce14ea234ceec7a971316fe57f3732a2430757e731e

dfca5bc52cd1f08220bb45efdcfb68a9672f20dcf4c1ed542f7f055e8d4e2887

812a928d73fd076f0920a9dd80c54cb6a7c0185b97576a0d9d7ff66d0a53f7c7

2f447e1220e03b05303c4fbe42b3d126eacc97edda42734261a15fb530a596c6

8fb52fa62541c16519520d305d5d4ec7ac3fe2e09156c1011a05ebc9dc05707e

a088a3ae55ad6911227f92580c7853c0a71bcd38b737b856284c8baaef1a7672

Refined Kitten

e7bea41981fbfa81186eba50b182e656bed66acb1103df1b85324b5a40567dae

84b24f76f9fafcda438d8971ebbe68354e3f83f871faa5d20e896b9ac66198b0

e0927806ab5820d9cf1f11d3d45ba7ddef51b91a474da7d9a47c327e1241367d

0f1d2eebcd34d77a6e4938578c7ab6b95c243e87dd20f09adedf40b8ed258e70

ea463dd003087dded83ab8483d43a6062bda20f934bd0291ee0ead0ff5c0f479

1f0c9ce9dbd9574b0a869ee201cfa255fc6dde05b80b1d903e2217609eb77ff2

fe4df0f5c11c6968703183fe517b2ea41cee762ac0ab5729cb9e084c00a0fe1c

5965b638e6c7891d785bd030cd281b5ffc30d190507bab9e8970928ea7f19570

648419d08b7a05f8b32692e346d6a0c789462efeb9bf800ac5b186992d051593

561d5036a1ecb3f12f2a0e9a439106b794993273f5775fe801717cd13ceb7631

5782bce800d721b1380f87727da4d767c31c70b981a936b0ab2106219a91165e

55a72b15f478b8c3092a454b3664424b765b469a4340621b5593411d76d4fe88

21e3dba05111c86468bd060a51e6884c0954940d7b2d8f0ca3f72687e2d5fbac

fd84c206b6bbdd6cf04fd9310b4b298ef0a429baa2174cecb375c8c2164def54

94842d25397a635d603ed8a6fa0493286ad4a341a668bd9b1e2c1e24daf4f7ba

67f74b1908055fe995b9a5e92a914fdb99cd345200579b11c3ff1e24b45e1b31

6d39974e149162e28e9df6bf6e3c5c9ba75e6bcdcd0a681c774e6075616ce98c

5288353d7946566a1247f78239a98b2c859071c1547ce3f6db88ebae43db5f40

e1763c22d4a4bad7987552d0327c83c850358f207c7b22d3af67a6af887a9870

ac8be35f630f28d6e7b5d68571d0403466c88b13363e648f152478ef41ed1aef

Helix Kitten

27a74df534eb05042603676b1237da6abfd8505597be1858c5a161e8af4a313b

497d7e83b9a021f44699f5844018189421c0d429830995497a6e8352419a2330

95fd3f06689e7e279daf8c5ca636970a3c94d8cc04cc3a6bcfe58fe58f903dfc

40d32e87ea0ed02b060abde7be2c3de34dd369bb2da41b717cd804c92b48b34a

a8f39a7d116a57136f148ca5b0b64c1621d12e971d1484566b7ac3d0608dede9

6d40a9aea28570d2835c46ae78dc27d0986aabfce8277d8af178337831be137c

a37b33fe504370a41b7d2eefd33fbd97c5be5e9c2f94ea4a4d943cdffe177d61

014aa93767f2a9e007c45b04c1665fa466b6bd78a94f0456b87158546352c079

076ba910589bba4e03eb7cd2b769f5a8d4232f75e7b620be0e3cc03d08f6ddea

ab2294175edbfa71cb275dac49deac2ffaf1dce4d0bab3c7d95ccb4bef684128

d8b99e80f9f21e66aad6bcfed6322370838ffbfced2b61a3176071e4cbae8ee5

82aed306209000cf29553bafde905b901a973e18bdec008ef13e311b65def1e1

39dffe67bfa6e3a11dc12236d8fd7ddd294d7484b8d3811e39bb69b9c018ce9f

ed156bb13fbeed684bbfa684a80113b15a81268f9f11a46b821c58009d8ebf91

329a9dba11608e22a979657aa70a8eca51f8a5b27f6eb5d656cfc6719df11785

fbd3502ae51ab7d70fd2908e218588adc3818752cf3150bbd75fd1623ad18aa5

84fbdf8825bf51f91ad8f52f6d650718d72ecdd54b719b20dc1a1ca0caf09038

21c7489b76d116458aa39f6c11e6df5de1b7f9b62ee3bcdf6abc7cd788f91892

868ddffb91ca901aa746658fcf378a0170adefb665ea01ddaa7af11205dd4e63

7cb4912ed6334fe2b1ea5acd05ae14d55d2ac644644dbf0e0e0f4eb122655a4c

Banished Kitten

f0db6ec65d99e28b20be7e5852217d74cc31e7cfb6ca5b267988a7bcf640bceb

bbf576ed1837e891ca6822baaadba6e2dfd6f27decea7c4ce1fa19637bd9c18c

b004bbed136b5adb575f168abec41ea78764c74d195ba2ffc0adc11f0bd5d6b9

5b660a33f9c2ed707f652259dc9e14267673411b3ba82d5f1ffddbd4f911946f

3de323d20b42d59f554f4d0c66c27041ba97b3a083f2674e67b234c869e5d6a8

ae9253a1fbd24a5555c8b1e43f383808cac8414012877ddd0d2619c13bb894d9

e348eafc6560347cceb1b86e242db9ee6a87ba50328e5897741506ed56a28338

3ec8ad4d01ddfb46ae67871c585689610a9bf9c49e875bd5024aa0066c5fd974

e8af311c4b2fa648a31447487c9172e87511e394091aaa3733af328bc94a39b9

b5f4e3d23584fe9b3a5f745246f660859cbad630b6d857cf585a1a50526075ef

9635022b65fe37430d0d5b225453e884028f30ec860f5219d1f6fce9b135250f

4441a74be356426a24f2fe81806611f7d19e0cbc83020d283843383cf659dee9

f7d122ddbce110fbe0207e0a32f61f5074e920730f79bf7668278ac83f7a5a7f

ba9a8222354b8a2659d594c92477f4684ffde41fbb833c83a13fb609fee90f61

e28085e8d64bb737721b1a1d494f177e571c47aab7c9507dba38253f6183af35

4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3

fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2

10d2b5f7d8966d5baeb06971dd154dc378496f4e5faf6d33e4861cd7a26c91d7

73c19eab8d2ae58db3968dd7de0e745db2d7709859305b113b748bb02494465e

21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.