{
  "type": "bundle",
  "id": "bundle--52ebd08e-e829-4bdd-be44-4e3c9b9e1af2",
  "objects": [
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--acd39114-23ec-4c39-b2b5-9d69abf62ce6",
      "created": "2026-04-20T09:05:57.000Z",
      "modified": "2026-04-20T09:05:57.000Z",
      "name": "What to Know About CyberAv3ngers: The IRGC-Linked Group Targeting Critical Infrastructure",
      "description": "An Iran-affiliated threat group has evolved from defacing water utility displays to deploying custom ICS malware and exploiting Rockwell Automation PLCs across multiple U.S. sectors. The group has escalated from exploiting default credentials on Israeli-made PLCs (2023) to deploying a custom ICS malware platform called IOCONTROL (2024) to actively exploiting CVE-2021-22681, a critical authentication bypass in Rockwell Automation controllers, across U.S. critical infrastructure. U.S. Cyber Command and partner agencies jointly warned that Iranian-affiliated advanced persistent threat actors are actively exploiting internet-facing programmable logic controllers across U.S. critical infrastructure.",
      "published": "2026-04-09T20:28:27.000Z",
      "report_types": [
        "threat-report"
      ],
      "object_refs": [
        "vulnerability--f06c5dd0-8695-48b4-ba34-ed811ada9554",
        "attack-pattern--aafc08c9-fe6a-46af-ad35-e2a5fea9df2b"
      ],
      "external_references": [
        {
          "source_name": "Tenable Blog",
          "url": "https://www.tenable.com/blog/what-to-know-about-cyberav3ngers-the-irgc-linked-group-targeting-critical-infrastructure",
          "description": "What to Know About CyberAv3ngers: The IRGC-Linked Group Targeting Critical Infrastructure"
        }
      ],
      "labels": [
        "Finance",
        "Energy",
        "Government",
        "Technology",
        "Telecommunications",
        "Critical Infrastructure"
      ]
    },
    {
      "type": "vulnerability",
      "spec_version": "2.1",
      "id": "vulnerability--f06c5dd0-8695-48b4-ba34-ed811ada9554",
      "created": "2026-04-20T09:05:57.000Z",
      "modified": "2026-04-20T09:05:57.000Z",
      "name": "CVE-2021-22681",
      "external_references": [
        {
          "source_name": "cve",
          "external_id": "CVE-2021-22681",
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22681"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--aafc08c9-fe6a-46af-ad35-e2a5fea9df2b",
      "created": "2026-04-20T09:05:57.000Z",
      "modified": "2026-04-20T09:05:57.000Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059/"
        }
      ],
      "kill_chain_phases": [
        {
          "kill_chain_name": "mitre-attack",
          "phase_name": "execution"
        }
      ]
    }
  ]
}