{
	"id": "1078f177-31f4-417a-a819-818611dca195",
	"created_at": "2026-04-06T00:06:21.349858Z",
	"updated_at": "2026-04-10T03:20:39.838458Z",
	"deleted_at": null,
	"sha1_hash": "50aae935478839ac27ca40fb56b5eb7edeaf64a1",
	"title": "How to Protect Against FrostyGoop: ICS Malware Targeting Operational Technology",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60119,
	"plain_text": "How to Protect Against FrostyGoop: ICS Malware Targeting\r\nOperational Technology\r\nBy Dragos, Inc.\r\nPublished: 2024-07-23 · Archived: 2026-04-05 18:08:42 UTC\r\nInformation provided here is sourced from Dragos OT Cyber Threat Intelligence adversary hunters and\r\nanalysts who conduct research on adversary operations and their tactics, techniques, and procedures\r\n(TTPs). Dragos OT cyber threat intelligence is fully reported in Dragos WorldView threat intelligence\r\nreports and is also compiled into the Dragos Platform for threat detection and vulnerability management.\r\nDragos discovered the FrostyGoop ICS Malware in April 2024. FrostyGoop is the ninth known ICS malware. This\r\nmalware can interact directly with industrial control systems (ICS) in operational technology (OT) environments\r\nusing the Modbus protocol, a standard ICS protocol used across all industrial sectors and organizations\r\nworldwide.\r\nAdditionally, the Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine (Служба\r\nбезпеки України), shared details with Dragos about a disruptive cyber attack on a district energy company in\r\nUkraine, which resulted in a two-day loss of heating to customers. The adversaries sent Modbus commands to\r\nENCO controllers, causing inaccurate measurements and system malfunctions – taking almost two days to\r\nremediate the issues. Dragos assesses that FrostyGoop was likely used in this attack. 
An associated FrostyGoop\r\nconfiguration file contained the IP address of an ENCO control device, leading Dragos to assess with moderate\r\nconfidence that FrostyGoop was used to target ENCO controllers through Modbus TCP port 502 open to the\r\ninternet.\r\nWe want to express our gratitude to the Cyber Security Situation Center (CSSC), a part of the Security Service of\r\nUkraine (Служба безпеки України), for its continued commitment to collaborative intelligence sharing and for\r\nallowing us to report on the disruptive OT incident impacting communities in Lviv, Ukraine.\r\nWhat Is the FrostyGoop ICS Malware?\r\nIn April 2024, Dragos discovered multiple FrostyGoop binaries. The FrostyGoop ICS malware is written in\r\nGolang and directly interacts with industrial control systems (ICS) using Modbus TCP over port 502. It is\r\ncompiled for Windows systems, and most antivirus vendors do not detect it as malicious.\r\nFrostyGoop’s ability to communicate with ICS devices via Modbus TCP threatens critical infrastructure across\r\nmultiple sectors. Given the ubiquity of the Modbus protocol in industrial environments, this operational\r\ntechnology malware can potentially cause disruptions across all industrial sectors by interacting with legacy and\r\nmodern systems.\r\nThe Ukraine cyber incident highlights the need for adequate security controls, including OT-native monitoring.\r\nAntivirus vendors’ lack of detection underscores the urgency of implementing continuous OT network security\r\nhttps://www.dragos.com/blog/protect-against-frostygoop-ics-malware-targeting-operational-technology/\r\nPage 1 of 3\n\nmonitoring with ICS protocol-aware analytics to inform operations of potential risks.\r\nThe investigation of the Ukraine cyber incident revealed that the adversaries possibly gained access to the victim\r\nnetwork through an undetermined vulnerability in an externally facing router. 
The network assets, including the\r\nrouter, management servers, and district heating system controllers, were not adequately segmented, facilitating\r\nthe cyber attack.\r\nDragos recommends that organizations implement the SANS 5 Critical Controls for World-Class OT\r\nCybersecurity, which include ICS incident response, defensible architecture, ICS network visibility and\r\nmonitoring, secure remote access, and risk-based vulnerability management.\r\nKey Protection Strategies for OT Systems\r\nFrostyGoop was first reported to Dragos WorldView subscribers in late May 2024. Dragos Platform detections\r\nwere assessed against the threat, and indicators of compromise (IOCs) were deployed. Using the Dragos Platform,\r\nOT Watch threat hunters have been hunting for FrostyGoop IOCs as part of regular sweeps across the fleet of\r\nsubscribers since the initial WorldView reporting to ensure appropriate coverage. OT Watch has also deployed a\r\ndashboard specific to FrostyGoop-related detections and IOCs for OT Watch customers, and an upcoming Dragos\r\nPlatform Knowledge Pack will include a FrostyGoop Playbook. Dragos continues to analyze FrostyGoop for\r\nfuture Knowledge Pack releases to ensure appropriate detections are created and deployed.\r\nThe Dragos Platform detects the FrostyGoop ICS malware with threat detections already in place. Still, it is\r\nrecommended that customers always deploy the latest Knowledge Pack, including IOCs specific to this threat. For\r\nDragos OT Watch customers, our team has conducted searches for signs of this activity on customers’ behalf –\r\nconsider a lack of communications on this subject as confirmation that there was no evidence of this activity\r\nfound within your network. Dragos analysts also continue to proactively hunt on behalf of those in the\r\nNeighborhood Keeper program, our collective defense platform. 
Any findings relating to this activity will be\r\nreported to you.\r\nWhat Dragos Customers Can Do\r\nA summary of recommended guidance:\r\nIdentify impacted assets. Access your Asset Inventory and search for ENCO control servers and devices\r\ncommunicating over Modbus.\r\nLook for potential malicious behavior. Review the FrostyGoop-specific dashboard to determine if related\r\ndetections and IOCs have been triggered.\r\nPerform a retrospective search for potential malicious behavior across your SiteStore forensics for\r\nsigns of past activity involving this malware.\r\nThe Dragos Platform has advanced OT-native threat detection capabilities to identify abnormal connections and\r\ncommunications over Modbus. It also incorporates threat-based behavioral analytics that are fine-tuned to\r\nrecognize attack patterns and behaviors that exploit the Modbus protocol. By continuously analyzing network\r\ntraffic and system interactions, the Dragos Platform can identify and enable a response to suspicious activities\r\nindicative of a Modbus-related attack, ensuring robust protection against both known and emerging threats.\r\nImplementing Industrial Cybersecurity Controls\r\nDragos WorldView OT cyber threat intelligence further enhances situational awareness by providing in-the-moment insights into the threat landscape. This intelligence includes data on the latest vulnerabilities, attack\r\nvectors, and malware targeting Modbus systems, empowering security teams to proactively hunt for malicious\r\nactivities and potential malware within the environment. This allows organizations to stay ahead of threats, rapidly\r\nidentify indicators of compromise, and respond effectively to detected incidents. 
Dragos Platform customers can\r\nuse the information in Dragos WorldView reports to start manual hunts for potential malicious activity in their\r\nenvironments.\r\nThe cyber threat characterized by deploying the FrostyGoop ICS malware underscores a significant vulnerability\r\nin operational technology infrastructure. The adversary exploited unsecured network points and inadequately\r\nprotected systems, disrupting municipal services that resulted in considerable discomfort and potential danger to\r\nthe affected population. Applying the SANS ICS 5 Critical Controls can mitigate such threats. Each control\r\naddresses specific aspects of cybersecurity readiness and resilience, each tailored to defend against the threats\r\nidentified in this report.\r\nSource: https://www.dragos.com/blog/protect-against-frostygoop-ics-malware-targeting-operational-technology/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.dragos.com/blog/protect-against-frostygoop-ics-malware-targeting-operational-technology/"
	],
	"report_names": [
		"protect-against-frostygoop-ics-malware-targeting-operational-technology"
	],
	"threat_actors": [],
	"ts_created_at": 1775433981,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50aae935478839ac27ca40fb56b5eb7edeaf64a1.pdf",
		"text": "https://archive.orkl.eu/50aae935478839ac27ca40fb56b5eb7edeaf64a1.txt",
		"img": "https://archive.orkl.eu/50aae935478839ac27ca40fb56b5eb7edeaf64a1.jpg"
	}
}