The digital battleground between Iran and the alliance of Israel and the United States has evolved into a phase of targeting civilian psychological resilience through the weaponization of emergency warning and public address (PA) systems. These operations are strategically designed to weaken public trust in government protective measures, such as early-warning systems.
In such operations, threat actors have claimed unauthorized access to often insecure legacy broadcast equipment. In this case, Iran-affiliated actors linked to the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence of the Islamic Republic of Iran (MOIS) claimed to have hijacked emergency alert and announcement systems to project a level of domestic reach that far exceeds the technical complexity of their intrusions.
The targeting of PA and siren systems is the result of a decade-long evolution in Iranian cyber doctrine. While historical groups such as APT33 focused on espionage and data exfiltration, the start of the Israel-Hamas war in 2023 and subsequent regional escalations catalyzed a pivot toward operations with immediate physical-world sensory impacts.
A critical turning point occurred on March 30, when the IRGC-affiliated group CyberAv3ngers claimed to have silenced Israeli air-raid sirens during an Iranian missile attack. The group posted a video as alleged proof, warning residents that alarms would not sound in future strikes; the claim is self-reported and has not been definitively confirmed, and Israeli authorities have not publicly confirmed these attacks.
This "silent-siren" tactic represents a catastrophic escalation in cognitive warfare: by neutralizing systems meant to provide life-saving warnings, the actors aim to maximize civilian disorientation and casualties during kinetic hostilities.
On April 8, CyberAv3ngers released a technical video claiming successful unauthorized access to a series of internet-exposed Barix endpoints. Barix is a Swiss company that sells hardware for transmitting audio over IP networks. A forensic reconstruction of the video's logs reveals an exploitation path centered on CVE-2024-41700, a high-severity information exposure vulnerability affecting Barix SIP client firmware. The vendor has patched this CVE, but the update must be applied manually, meaning many devices may remain exposed.
The video demonstrates a systematic exploit chain, as evidenced by the terminal logs, which show how the attackers claim to have compromised the Barix devices in order to disrupt critical early-warning systems:
Initial Execution: The attacker operates from a root shell on Kali Linux, executing a custom tool named ./minab_school. This tool targets a list of nodes (list.txt) and is configured for a reboot mode with multiple retry attempts (see screenshot below). The naming convention likely references the Minab school bombing, a frequent theme in Iranian retaliatory narratives.
Vulnerability Processing: The logs show the tool processing multiple nodes (e.g., node-9482, node-8521). The log explicitly states: response anomaly detected during CVE-2024-41700 processing path (see screenshot below). This confirms the exploitation of the CWE-200 flaw to harvest sensitive internal state information.
Configuration Exposure: Following the anomaly, the tool successfully exfiltrates configuration data: config fragment exposed (stream.cfg, dest.addr). Crucially, the logs note authentication challenge not enforced, allowing the attacker to gain system-level access by establishing an implicit context (mode=implicit, level=system) without valid credentials.
Stream Hijacking: Once system context is achieved, a command interface channel is opened via UDP. The logs then show: RTP stream override detected (priority=high). This is the moment the legitimate audio source is replaced by the attacker's stream.
Hardware Impact: The final stage of the attack causes significant hardware-level disruption. Logs show stream handler desync and jitter buffer underrun, eventually triggering a watchdog event (audio thread unresponsive). This indicates that the forced RTP override overwhelmed the device's processing capacity, leading to a system restart sequence.
| ATTACK PHASE | OBSERVED MECHANISM | RELEVANT INDICATOR |
|---|---|---|
| Reconnaissance | HTTP GET /status | Service fingerprinting of Barix SIP clients |
| Exploitation | CVE-2024-41700 | Information exposure of stream.cfg |
| Access | Auth bypass | "Authentication challenge not enforced" |
| Action on Objective | RTP stream override | Forcible redirection of audio to high-priority stream |
| System Failure | Watchdog event | Audio thread unresponsive due to stream desync |
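The five phases in the table map directly onto log strings a defender can alert on. The script below is an added example, not code from the original post, from Team82, or from Barix: it correlates constructed, syslog-style lines (the timestamp/node/message layout and the node names are invented for the example; the message texts are the indicators quoted above) per endpoint, records which phases were seen, notes whether the `/status` probe came from outside RFC 1918 space, and assigns a severity. A priority override preceded by an unenforced authentication challenge or a configuration leak is rated critical; an override on its own is still high, since a legitimate operator push would normally be accompanied by a management-layer record rather than appear unannounced.

```python
"""Correlate audio-endpoint log lines into the attack phases described above.

Added example (not the page's or the vendor's code). The log layout
'<timestamp> <node> <message>' and the node names are constructed for
illustration; the message strings are the indicators the article quotes.
"""
import ipaddress
import re

# Phase patterns, in the order of the attack-phase table.
PHASES = [
    ("reconnaissance", re.compile(r"GET /status")),
    ("exploitation", re.compile(r"config fragment exposed")),
    ("access", re.compile(r"authentication challenge not enforced")),
    ("action_on_objective", re.compile(r"RTP stream override detected \(priority=high\)")),
    ("system_failure", re.compile(r"stream handler desync|jitter buffer underrun|audio thread unresponsive")),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<node>\S+)\s+(?P<msg>.+)$")
SRC_RE = re.compile(r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Only RFC 1918 and loopback count as internal here (an assumption of the
# example); everything else, including documentation ranges, is "external".
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample log lines; not taken from the video or any real device.
SAMPLE_LOGS = """\
2026-04-08T10:01:02Z node-9482 http: GET /status from 203.0.113.7
2026-04-08T10:01:03Z node-9482 cfg: config fragment exposed (stream.cfg, dest.addr)
2026-04-08T10:01:03Z node-9482 auth: authentication challenge not enforced (mode=implicit, level=system)
2026-04-08T10:01:05Z node-9482 rtp: RTP stream override detected (priority=high)
2026-04-08T10:01:09Z node-9482 audio: jitter buffer underrun
2026-04-08T10:01:12Z node-9482 watchdog: audio thread unresponsive
2026-04-08T10:02:00Z node-1100 http: GET /status from 192.168.10.5
2026-04-08T10:02:30Z node-1100 rtp: RTP stream override detected (priority=high)
"""


def classify(msg: str):
    """Return the attack phase a message matches, or None if it is noise."""
    for phase, pattern in PHASES:
        if pattern.search(msg):
            return phase
    return None


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def severity(entry: dict) -> str:
    seen = set(entry["phases"])
    if "action_on_objective" in seen and ("access" in seen or "exploitation" in seen):
        return "critical"          # override chained with auth bypass / config leak
    if "action_on_objective" in seen or "system_failure" in seen:
        return "high"              # unexplained override or crash on its own
    if entry["external_recon"]:
        return "medium"            # probed from outside the internal ranges
    return "info"


def correlate(log_text: str) -> dict:
    """Group lines by node and summarise phases, external probing and severity."""
    findings: dict = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = findings.setdefault(
            m["node"], {"first_seen": m["ts"], "phases": [], "external_recon": False}
        )
        phase = classify(m["msg"])
        if phase and phase not in entry["phases"]:
            entry["phases"].append(phase)
        src = SRC_RE.search(m["msg"])
        if phase == "reconnaissance" and src and is_external(src["ip"]):
            entry["external_recon"] = True
    for entry in findings.values():
        entry["severity"] = severity(entry)
    return findings


if __name__ == "__main__":
    for node, entry in correlate(SAMPLE_LOGS).items():
        print(node, entry["severity"], "->", ", ".join(entry["phases"]))
```

In production the same correlation would run over the endpoint's syslog export or the management server's audit log, keyed on device identity rather than a hostname token, and the `INTERNAL_NETS` list would be the organisation's own address plan.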
The 2026 CyberAv3ngers attack shares a deep technical parallel with the January 2025 operation conducted by the MOIS-linked group Handala, though the two actors used different entry points. Handala has also been linked to a March attack against healthcare supply chain provider Stryker, likewise allegedly in retaliation for the Minab school bombing.
In January 2025, Handala successfully weaponized Barix-based infrastructure for a coordinated psychological operation. While CyberAv3ngers used direct, firmware-level device exploitation (CVE-2024-41700), Handala used a supply chain breach: it compromised the central management interface of Maagar-Tec, an Israel-based security vendor responsible for the PA and siren systems, including those in approximately 20 Israeli kindergartens.
By gaining administrative control over Maagar-Tec’s central management server, Handala utilized the Barix Remote URL Injection command to "push" audio streams to all connected endpoints simultaneously, playing fake "Red Alert" sirens and propaganda messages to children.
The fundamental technical link between the CyberAv3ngers framework and the Handala attack is the exploitation of the Barix "Priority Stream" logic. Whether the intent is to silence the hardware (null data) or cause terror (fake air raid sirens), both operations rely on the hardware's inability to authenticate the source of a high-priority stream once the management layer or firmware is breached.
| FEATURE | CYBERAV3NGERS (2026) | HANDALA (2025) |
|---|---|---|
| Target infrastructure | Individual Barix endpoints | Centralized Barix management (Maagar-Tec) |
| Vector | CVE-2024-41700 (info disclosure) | Supply chain / administrative access |
| Command method | Direct UDP command interface | Remote URL Injection |
| Overriding logic | RTP priority=high | Priority stream logic |
| Psychological payload | Siren disruption / mockery | Fake "Red Alert" sirens in kindergartens |
The persistent vulnerability of these systems was underscored in November 2025 when the Federal Communications Commission (FCC) issued Public Notice DA 25-996. The advisory followed a string of cyber intrusions targeting radio broadcasters in Texas and Virginia. Threat actors accessed improperly secured Barix studio-to-transmitter link (STL) equipment and reconfigured it to receive attacker-controlled audio. These hijacked streams included fake Emergency Alert System (EAS) tones and offensive messages, which is the same type of "sensory sabotage" seen in the Iranian campaigns.
The analysis of the CyberAv3ngers and Handala operations confirms that Iranian threat actors have identified Barix devices as a critical point of failure in public safety infrastructure. By weaponizing flaws like CVE-2024-41700 and leveraging the inherent trust logic of AoIP priority streams, they have transformed simple broadcast tools into powerful instruments of strategic influence.
This new front in the Iran war demonstrates the risks that legacy technology within critical infrastructure poses, in particular now that Iran has apparently added psychological warfare to its strategy. Access to several legacy Barix devices, and the psychological impact of the resulting broadcasts on Israeli citizens, were used to sow uncertainty and potential chaos among the public.
There have long been fears about cyberattacks conducted in unison with kinetic fighting. The attacks claimed by CyberAv3ngers demonstrate the damaging possibilities: in this case, a cyberattack on IoT devices produced not only a physical impact but also psychological effects on the morale of citizens.
The CyberAv3ngers, meanwhile, continue to play a prominent role in Iran’s offensive cyber strategy. The group’s past activity, most notably through the development of a custom malware framework known as IOCONTROL, focuses on operational technology and connected IoT devices and systems. IOCONTROL, for example, was used to attack Linux-based SCADA and OT devices found within civilian infrastructure. Some of the devices targeted by CyberAv3ngers in various campaigns include routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based platforms. While the malware is believed to be custom-built by the threat actor, its modular configuration makes it generic enough to run on platforms from a variety of vendors.
The CyberAv3ngers are also linked to the attacks against Unitronics integrated PLC/HMI devices in the U.S. and Israel. Disruptive attacks were carried out that included defacements of the device screens that promised future attacks against Israeli technology. The Unitronics attacks demonstrated the threat actors’ ability to access the devices and possibly carry out additional, more destructive intrusions.
The reachability of legacy technology online presents a major problem for critical infrastructure operators. A recent Team82 report demonstrates that low-skilled hacktivist groups can easily enumerate OT assets that are insecurely connected to the internet and leverage weak or default credentials to access devices. Legacy protocols are also often abused because they lack authentication and other basic security capabilities, allowing attackers to access assets at scale and disrupt devices found in particular organizations or regions.
In this case, the vulnerable Barix technology has been updated by the vendor. However, as with many flavors of cyber-physical systems, updates are manual and many assets could remain running vulnerable firmware. Furthermore, without full visibility into an environment, or with poorly secured internet-facing devices, these assets are easily enumerated and exploited, even by low-skilled actors operating in parallel with more advanced threat actor groups.
A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 5.8
A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 6.8
A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 5.8
A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 7.5
A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product.
The following versions of Trane Tracer SC, Tracer SC+, and Tracer Concierge are affected:
Trane asks Tracer SC+ users to upgrade to version v6.30.2313
CVSS v3: 8.1