{
	"id": "fb24ad99-7ac6-4e16-838e-9df20778c41a",
	"created_at": "2026-04-06T00:21:05.521937Z",
	"updated_at": "2026-04-10T03:31:51.282608Z",
	"deleted_at": null,
	"sha1_hash": "1e5b6f7cd1ce0f9cdb7b15d134f9165011c59ec3",
	"title": "Detecting CHERNOVITE’s PIPEDREAM with the Dragos Platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 889401,
	"plain_text": "Detecting CHERNOVITE’s PIPEDREAM with the Dragos\r\nPlatform\r\nBy Dragos, Inc.\r\nPublished: 2022-04-28 · Archived: 2026-04-02 11:12:24 UTC\r\nAs referenced in the original blog post, “CHERNOVITE’s PIPEDREAM Malware Targeting Industrial Control\r\nSystems,” and the detailed whitepaper, PIPEDREAM is the seventh known ICS-specific malware. Developed by\r\nthe Activity Group (AG) which Dragos has designated as CHERNOVITE, PIPEDREAM malware can disrupt,\r\ndegrade, and potentially destroy industrial environments and processes.\r\nPIPEDREAM can manipulate a wide variety of programmable logic controllers (PLCs) and other industrial\r\nequipment including Omron and Schneider Electric hardware. It can also execute attacks against the ubiquitous\r\nindustrial technologies CODESYS, Modbus, and OPC UA. It is believed to have the potential to execute at least\r\n38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics.1 PIPEDREAM impacts its\r\ntargets by way of five integrated utilities Dragos has labeled: EVILSCHOLAR, BADOMEN, MOUSEHOLE,\r\nDUSTTUNNEL, and LAZYCARGO.\r\n[PIPEDREAM] is believed to have the potential to enable at least 38 percent of known ICS attack\r\ntechniques and 83 percent of known ICS attack tactics.\r\nIn addition to the Dragos Intel blog and whitepaper referenced above, further technical details on PIPEDREAM\r\nare available to customers with a Dragos WorldView Threat Intelligence Subscription. 
A companion blog from the\r\nDragos Global Services team provides guidance for review of incident response plans, activating components of\r\nthose plans to proactively address impacted assets, manual search methods to look for potential malicious\r\nbehaviors for customers without the Dragos Platform, as well as a reminder for “best practices” for building an\r\neffective ICS/OT cybersecurity program.\r\nThis blog post provides Dragos Platform customers with summary guidance for how to leverage the Platform to\r\nquickly identify and mitigate risk from PIPEDREAM. A more detailed version and instructions about the new\r\ndashboard are available in the Dragos customer portal.\r\nDragos Platform Detections\r\nGeneral Detections: These are general detections that would fire in the Dragos Platform, covering most related\r\nthreats. They will fire but are not specific to CHERNOVITE:\r\nCompiled Python Executable Yara Rules, Compiled Python Transfer, Compiled Python Transfer to OT Asset\r\nWindows Python Compiled Executable\r\nCommand and Control after Exploitable File Download; Windows cmd.exe file download; File Downloads, File Download then New Comms\r\nWindows Python Execution with Network Connection\r\nC2 Backdoor via SSL\r\nSpecific Detections Related to CHERNOVITE\r\nDragos Platform Detection(s) | MITRE ATT\u0026CK for ICS Technique\r\nCompiled Python Transfer, C2 After File Download | T1544 Remote File Copy; T1105 Ingress Tool Transfer\r\nWindows Python Execution with Network Connection | T1059 Command and Scripting Interpreter\r\nWinRM Enable, Windows Lateral Movement | T1047 Windows Management Instrumentation\r\nOmron PLC Hardcoded Telnet Username and Password Used | T1552.001 Unsecured Credentials: Credentials in Files\r\nOmron PLC Hardcoded HTTP Username Used | T1552.001 Unsecured Credentials: Credentials in Files\r\nOmron Shell Unauthorized PLC Manipulation | T0868 Detect Operating Mode\r\nOmron Shell Unauthorized PLC Manipulation | T0888 Remote System Information Discovery\r\nOmron Shell Unauthorized PLC Manipulation | T1573 Encrypted Channel\r\nOmron Shell Unauthorized PLC Manipulation | T1021 Remote Services\r\nOmron Shell Unauthorized PLC Manipulation | T1544 Remote File Copy\r\nAuthentication Brute Force Attempts | T1110 Brute Force\r\nSchneider Modicon Modbus Denial of Service | T0814 Denial of Service\r\nSchneider Electric PLC Corruption Framework | T0869 Standard Application Layer Protocol\r\nSchneider Electric PLC Corruption Framework | T1078 Valid Accounts\r\nAsRock SignSploit, File Downloads | T1544 Remote File Copy\r\nScan Sequential, Port Sweep ICS Ports | T1046 Network Service Scanning\r\nOPC UA Python Library Initial Connection | T0869 Standard Application Layer Protocol\r\nMapping CHERNOVITE PIPEDREAM Behaviors to MITRE ATT\u0026CK for ICS Matrix\r\nDragos Platform Search for Omron PLCs\r\nRetrospective Search for Potential Malware Activity\r\nIf they haven’t yet applied KP-2022-004, Dragos Platform customers can start manual hunts for potential\r\nmalicious activity in their environments using the information included in Dragos Worldview Threat Report TR-2022-10. Identifiers for potential target devices including manufacturers, models, ports, and URI strings are\r\nincluded along with information contained in AA-2022-25.\r\nDragos continues to perform analysis of PIPEDREAM and several additional detections are under development\r\nfor future Dragos Platform Knowledge Pack (KP) releases. These will be announced when available and included\r\nin release update communications.\r\nSummary Guidance for Dragos Platform Customers\r\n1. Deploy the latest Knowledge Pack: Knowledge Pack KP-2022-004 and above contains detections for\r\nEVILSCHOLAR, BADOMEN, MOUSEHOLE, and LAZYCARGO\r\n2. Identify impacted assets: Access your Asset Inventory and search for Schneider PLCs, Omron PLCs, and\r\nOPC UA Servers\r\n3. Look for current potential malicious behavior: Review your dashboards to determine if any general\r\ndetections have been triggered (see above for both general and specific detections that could be triggered)\r\n4. Perform a retrospective search for potential malicious behavior: across your SiteStore forensics for signs of\r\npast activity involving this malware. See above for “Retrospective Search for Potential Malware Activity”\r\nGet the complete analysis\r\nRead the complete analysis on CHERNOVITE and the PIPEDREAM malware targeting\r\nICS, with defensive recommendations on what to do to protect against possible cyber attack.\r\nReferences\r\n1 As measured against the MITRE ATT\u0026CK for ICS malicious behavior matrix.\r\nSource: https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/"
	],
	"report_names": [
		"chernovite-pipedream-malware-targeting-industrial-control-systems"
	],
	"threat_actors": [
		{
			"id": "091dc6fb-2650-4646-894a-41de0d463f94",
			"created_at": "2023-11-17T02:00:07.594612Z",
			"updated_at": "2026-04-10T02:00:03.455179Z",
			"deleted_at": null,
			"main_name": "Chernovite",
			"aliases": [],
			"source_name": "MISPGALAXY:Chernovite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434865,
	"ts_updated_at": 1775791911,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e5b6f7cd1ce0f9cdb7b15d134f9165011c59ec3.pdf",
		"text": "https://archive.orkl.eu/1e5b6f7cd1ce0f9cdb7b15d134f9165011c59ec3.txt",
		"img": "https://archive.orkl.eu/1e5b6f7cd1ce0f9cdb7b15d134f9165011c59ec3.jpg"
	}
}