![T-Mobile says it didn't compromise its values to get FCC to approve fiber deal [UPDATED]](https://m-cdn.phonearena.com/images/article/169088-two/T-Mobile-says-it-didnt-compromise-its-values-to-get-FCC-to-approve-fiber-deal-UPDATED.jpg?#)
![Nomad Goods Launches 15% Sitewide Sale for 48 Hours Only [Deal]](https://www.iclarified.com/images/news/96899/96899/96899-640.jpg)
![Apple Watch Series 10 Prototype with Mystery Sensor Surfaces [Images]](https://www.iclarified.com/images/news/96892/96892/96892-640.jpg)
![[The AI Show Episode 142]: ChatGPT’s New Image Generator, Studio Ghibli Craze and Backlash, Gemini 2.5, OpenAI Academy, 4o Updates, Vibe Marketing & xAI Acquires X](https://www.marketingaiinstitute.com/hubfs/ep%20142%20cover.png)
![Is this a suitable approach to architect a flutter app? [closed]](https://i.sstatic.net/4hMHGb1L.png)
![From broke musician to working dev. How college drop-out Ryan Furrer taught himself to code [Podcast #166]](https://cdn.hashnode.com/res/hashnode/image/upload/v1743189826063/2080cde4-6fc0-46fb-b98d-b3d59841e8c4.png?#)
New IOCONTROL Malware Attacking Critical Infrastructure to Gain Remote Access and Control
A newly identified malware strain dubbed “IOCONTROL” has emerged as a critical threat to operational technology (OT) and Internet of Things (IoT) systems, particularly targeting fuel-management infrastructure in the United States and Israel. First observed in December 2024, this Linux-based malware has been linked to the pro-Iranian hacktivist group Cyber Av3ngers, which has historically pursued […] The post New IOCONTROL Malware Attacking Critical Infrastructure to Gain Remote Access and Control appeared first on Cyber Security News.
A newly identified malware strain dubbed “IOCONTROL” has emerged as a critical threat to operational technology (OT) and Internet of Things (IoT) systems, particularly targeting fuel-management infrastructure in the United States and Israel.
First observed in December 2024, this Linux-based malware has been linked to the pro-Iranian hacktivist group Cyber Av3ngers, which has historically pursued anti-Israeli cyber campaigns.
Initial attacks leveraged compromised credentials—part of a broader 33% year-over-year surge in credential theft—to infiltrate critical systems, enabling threat actors to establish persistent remote access, manipulate industrial processes, and exfiltrate sensitive operational data.
Flashpoint analysts identified IOCONTROL’s modular architecture, which combines UPX-packed binaries, encrypted command-and-control (C2) communications, and surveillance capabilities tailored for resource-constrained IoT environments.
The malware primarily exploits vulnerabilities in internet-exposed industrial control systems (ICS), using the MQTT protocol—a lightweight messaging standard common in IoT ecosystems—to bypass traditional network monitoring tools.
Its deployment in attacks against fuel distribution networks underscores escalating risks to critical infrastructure amid heightened geopolitical tensions in the Middle East.
Technical Overview and Persistence Mechanisms
IOCONTROL employs sophisticated evasion tactics, starting with a modified UPX packer that alters binary magic values to hinder static analysis.
.webp)
While standard UPX utilities fail to unpack the malware due to these alterations, Flashpoint researchers demonstrated that restoring the magic bytes (00 00 00 00 00 00 00 02 00 34 00 20 00 02 00 34) enables successful decompression.
Once executed, the malware unpacks itself in memory and establishes persistence through a multi-stage process:-
- Directory Creation: IOCONTROL creates two directories—
/tmp/iocontrol/and/etc/rc3.d—with full read, write, and execute permissions. These serve as operational hubs for staging payloads and maintaining persistence across reboots. - Startup Script Injection: A bash script is written to
/etc/rc3.d/S99iocontrol, ensuring execution at system startup. The script includes watchdog functionality to restart the malware if terminated:
#!/bin/sh
/usr/bin/iocontrol >/dev/null 2>&1 &
while true; do
if ! pgrep -x "iocontrol" >/dev/null; then
/usr/bin/iocontrol >/dev/null 2>&1 &
fi
sleep 60
doneThis mechanism ensures continuous operation even if security tools interrupt initial execution.
- C2 Communication: The malware resolves its C2 server’s IP via a DNS query to CloudFlare, extracting the
Answer[data]field from the response. It then establishes an MQTT connection to the broker, transmitting beacon packets containing system metadata (kernel version, hostname, time zone) encrypted using AES-256-CBC. The encryption key derives from environment variables0_0and0_1, set during execution, which store hashed GUID values split into key and initialization vector (IV) components.
IOCONTROL’s blend of IoT-focused protocols and credential-based initial access vectors presents unique challenges for defenders.
Flashpoint’s investigation revealed attempts by the malware’s developer to sell it on underground forums like BreachForums, signaling potential proliferation across threat actor groups.
Organizations managing OT environments must prioritize firmware patching, network segmentation, and anomaly detection for MQTT traffic to mitigate risks posed by this evolving threat.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
The post New IOCONTROL Malware Attacking Critical Infrastructure to Gain Remote Access and Control appeared first on Cyber Security News.
