Iran-Linked IOCONTROL Malware Threatens IoT and OT Systems

A newly disclosed custom malware named IOCONTROL, attributed to Iranian-affiliated threat actors, targets IoT and operational technology (OT) devices in the United States and Israel. The disclosure underscores the growing risk to critical infrastructure worldwide.

The malware targets IoT devices and SCADA components such as IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), and firewalls. Its modular configuration lets the same code base be adapted to devices from different vendors, which makes it a significant threat across the embedded-Linux hardware that dominates IoT and OT environments.

A Versatile Cyber Weapon

Claroty, an OT cybersecurity firm, analysed an IOCONTROL sample recovered from a compromised Gasboy fuel management system. The malware can execute commands, scan networks, and uses MQTT, a publish/subscribe messaging protocol ubiquitous in IoT deployments, as its command-and-control channel. Because MQTT traffic is expected from connected devices, the malware's communications blend in with legitimate telemetry and are harder to single out, which increases its potential for disruption.

In the Gasboy case, the compromised system included the site's payment terminals, giving the attackers a position from which fuel services could be disrupted or customer payment card data potentially exposed. The choice of target shows the attackers' focus on civilian critical infrastructure.

Advanced Evasion Tactics

To avoid detection, IOCONTROL resolves its command-and-control (C2) hostname through DNS-over-HTTPS (DoH) using Cloudflare's public DoH service. The lookup therefore travels inside an HTTPS session to a well-known resolver rather than as a plaintext query on UDP/53, so DNS-based monitoring never sees the C2 domain. Once connected to its C2 server, IOCONTROL reports device details such as firmware version, hostname, and location before accepting further commands.

Additionally, the malware can verify that it is installed in its expected directory, delete itself, and port-scan ranges of IP addresses. Together these commands form a compact but complete remote-access toolkit for embedded devices rather than a single-purpose payload.

A Broader Context of Threats

This marks IOCONTROL as the tenth malware family specifically targeting Industrial Control Systems (ICS), joining the ranks of previous threats like Stuxnet, Industroyer, and Triton. The increasing frequency of such attacks demonstrates how nation-states continue to weaponize malware against critical infrastructure.

Because the devices these tools compromise control physical processes, the aim is not only service disruption but also a risk to public safety. Organizations operating such equipment must strengthen their defenses and remain vigilant against emerging threats.

Conclusion

IOCONTROL exemplifies the growing complexity of cyber warfare as attackers target the IoT and OT systems integral to critical infrastructure. To mitigate the risk, operators should keep embedded devices off the public internet where possible, restrict their outbound connections to known destinations, replace default credentials and apply firmware updates, and monitor for unexpected encrypted egress such as DoH or MQTT sessions to unfamiliar hosts. Understanding how such threats operate lets organizations take these steps proactively and maintain resilience.
