IOControl

This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.

Summary

Associated actor(s): CyberAv3ngers
Tool type(s): OT/IoT malware
Confidence level(s): High
Source ID(s): SRC-CLAROTY-IOCONTROL-2024

Behavior

Actor	Behavior Summary
CyberAv3ngers	Claroty Team82 reports IOCONTROL as custom OT/IoT malware linked to CyberAv3ngers-aligned IRGC activity; reported behavior includes Linux/ARM ELF deployment, device fingerprinting, MQTT over TLS on 8883, DoH use, router and fuel-management targeting, and command execution against OT/IoT devices.

Hash And IOC Status

Actor	Status	Reference
CyberAv3ngers	Claroty-published SHA256 1b39f9b2b96a6586c4a11ab2fdbff8fdf16ba5a0ac7603149023d73f33b84498; VT enrichment found an ELF with public detections and label trojan.iocontrol/multiverze.	`SRC-CLAROTY-IOCONTROL-2024`

Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.

Defensive Hunting Notes

Actor	Hunting Notes
CyberAv3ngers	Hunt OT/IoT devices with unusual MQTT/8883, DoH, unexpected ARM ELF execution, router persistence, and PLC/HMI/fuel-controller manipulation indicators.

Handling Notes

Actor	Handling Notes
CyberAv3ngers	Do not store samples; coordinate with OT owners and prioritize behavior over hash-only blocking.

Crosslinks

CyberAv3ngers: profile, workbench, tool matrix
Detection status: Detection Status Dashboard
Hunt workflow: Hunt Workflow

Mapped ATT&CK Techniques For Associated Actor(s)

Actor	Technique	Tactic	Mapping Quality	Source
CyberAv3ngers	T0883 Internet Accessible Device	Initial Access	M2	`SRC-CISA-AA23-335A`
CyberAv3ngers	T0836 Modify Parameter	Impact	M2	`SRC-CISA-AA26-097A`
CyberAv3ngers	T0832 Manipulation of View	Impact	M2	`SRC-CISA-AA23-335A`

These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.

Actor	Detection	Release Status	DRL	Rule
CyberAv3ngers	DET-003 - Unitronics PLC HMI Web Interface Access	Hunt	4	detections/sigma/unitronics-plc-hmi-web-access.yml

These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.

Actor	Hunt	Hypothesis	Query
CyberAv3ngers	HUNT-003	If exposed PLC/HMI surfaces are targeted then OT management paths or ports will show external access	detections/sigma/unitronics-plc-hmi-web-access.yml

Source Review

Source	Publisher	Date	Reliability	Type	Last Reviewed
`SRC-CLAROTY-IOCONTROL-2024`	Claroty Team82	2024-12-10	A	Vendor CTI	2026-05-14

If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.

Summary​

Behavior​

Hash And IOC Status​

Defensive Hunting Notes​

Handling Notes​

Crosslinks​

Mapped ATT&CK Techniques For Associated Actor(s)​

Related Actor-Level Repository Detections​

Related Actor-Level Hunts​

Source Review​