{
	"id": "e3e08c3d-058b-4852-9320-b565c5e47be0",
	"created_at": "2026-04-06T00:08:04.253928Z",
	"updated_at": "2026-04-10T13:11:27.995641Z",
	"deleted_at": null,
	"sha1_hash": "5fbe538f4ba055927278986c868836021e1f930f",
	"title": "Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3353618,
	"plain_text": "Cyberwarfare Targeting OT: Protecting Against\r\nFrostyGoop/BUSTLEBERM Malware\r\nBy by Nozomi Networks Labs | July 24, 2024\r\nArchived: 2026-04-05 16:39:25 UTC\r\nYesterday, on July 23, 2024, the new OT malware called FrostyGoop aka BUSTLEBERM became known to the\r\ngeneral public. Linked to the ongoing war in Ukraine, where according to third-party reports, it was used as a\r\ncyber weapon to disrupt critical infrastructure. This threat once again signifies the importance of investing in OT\r\ncybersecurity in modern times. In this blog post, we explain how companies can protect themselves against this\r\nmalware by providing actionable signatures to detect it and share a technical deep dive to understand the main\r\nfunctionality of this malware and the associated impact.\r\nProtection and Detection Guidance for Nozomi Customers  \r\nThe Nozomi platform is equipped with a rich set of detection rules to detect both generic and precise attack\r\npatterns. The former ones are not specific to known threats and therefore can act proactively. For example, all our\r\ncustomers have already been protected against this threat with, among others, the following alert types:\r\nFigure 1. Examples of alerts produced on Nozomi Networks Guardian based on behavioral\r\ndetection of BUSTLEBERM/FrostyGoop\r\nFor more information about the types of threats Nozomi Networks’ platform can detect, we invite you to explore\r\nthe latest edition of our recently released bi-annual OT/IoT security report.\r\nhttps://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware\r\nPage 1 of 8\n\nIn addition, all Threat Intelligence customers benefit from a frequently updated database of YARA, packet, STIX\r\nand SIGMA rules detecting threats precisely based on their unique patterns. 
In this case, our customers already have several alerting signatures in place:\r\nOT_HACKTOOL_BUSTLEBERM_ModBus.yar\r\nOT_HACKTOOL_BUSTLEBERM_indicators.json (BUSTLEBERM – HACKTOOL)\r\nFigure 2. Nozomi Networks’ rules triggering detection of the BUSTLEBERM/FrostyGoop threat\r\nTo make sure as many companies as possible are protected, whether they are our customers or not, we also share the source code of the YARA rule and the malicious indicators at the end of this article.\r\nFinally, according to the original report, at least one of the victim organizations was likely compromised via a vulnerability in a MikroTik router. The Nozomi platform also provides a wide range of detections for IoT threats of this kind.\r\nHow the FrostyGoop/BUSTLEBERM Malware Works\r\nThe malware is a Windows command-line tool written in Go, built on open-source code that is readily available on GitHub. The https://github.com/rolfl/modbus library provides the Modbus functionality used to interact with OT devices. The executable accepts multiple arguments supplied by the malicious actor (see Figure 3).\r\nFigure 3. List of arguments supported by the executable\r\nThe target and the Modbus functions to execute, along with other options, can be defined either by passing arguments to the executable (see Figure 3) or by supplying a JSON file that describes the operations to perform and their parameters (see Figure 4).\r\nFigure 4. 
Code parsing the input containing victim details\r\nThe following fields are supported in the input JSON file:\r\nCode\r\nCount\r\nState\r\nTasks\r\nValue\r\nIplist\r\nAddress\r\nWorkTime\r\nStartTime\r\nPeriodTime\r\nTargetlist\r\nIntervalTime\r\nFor example, with the following configuration file, the tool interacts with the Modbus server running on the specified IP address and calls, for each of the specified addresses, the Modbus function with code 3 (Read Holding Registers), code 6 (Write Single Register) or code 16 (Write Multiple Registers). \"Value\" holds the value used in write operations and \"Count\" controls how many times each function is called per target.\r\nFigure 5. Example JSON task\r\nThe operators of the malware can also send read and write requests one at a time, without a task file, by using the --mode parameter with the read, read-all or write option and setting the appropriate values for code, address, count and value.\r\nThe tool communicates with its targets via the Modbus protocol, which is ubiquitous in the OT world. It can be used both from inside the compromised perimeter and from outside, if the target device is exposed to the Internet. The end goal is to make the targeted system malfunction, resulting in a denial of service.\r\nFigure 6. Malicious BUSTLEBERM/FrostyGoop tool in action\r\nThe picture above shows how the malicious executable automates reads and writes of different values using a JSON file like the one shown before.\r\nFigure 7. 
Dissected traffic produced by the malicious tool sending write requests\r\nAnalysis of the sample showed that the malware operators can schedule read and write tasks to run at a specific point in time by using the --cycle option and adding the scheduling parameters to the JSON file, as shown in the next picture.\r\nFigure 8. Execution using cycle mode with a delayed start\r\nWith the \"StartTime\", \"WorkTime\" and \"IntervalTime\" JSON entries, the operator can set the time of day (in UTC) at which the tool starts working automatically, limit how long it runs, and control how long it waits between interactions with its targets.\r\nResources for the Community\r\nWith tensions rising between nations around the globe, cyberweapons are increasingly used by groups ranging from state-sponsored actors to hacktivists and financially motivated criminals. Anticipating the ways such attacks can be carried out with proactive detections, ensuring adequate visibility into both OT and IoT assets, and reacting promptly to emerging threats are among the most important steps modern organizations should take to minimize the likelihood and the impact of an attack.
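The task file semantics and the write traffic described above (Figures 5 to 7) come down to this: each task names a Modbus function code (3, 6 or 16), a list of target IPs, one or more register addresses, a Value used for writes and a Count of repetitions per target. The following Python script is an added example, not code from this post or from the malware itself. It expands a constructed task file of that shape into the Modbus/TCP frames such a task list would generate, then runs a simple detector over that traffic that flags any write function code (5, 6, 15 or 16) coming from a source that is not an allowlisted engineering host, which is the check a defender most wants on this traffic. The nesting of the task file (Tasks as a list of objects, Address as a list), the IP addresses and the register values are assumptions; the MBAP header and PDU layouts are standard Modbus/TCP.

```python
import struct

# Constructed example task file (not FrostyGoop's own format): the nesting is
# an assumption based on the field names the post lists; only the meaning of
# Code/Address/Count/Value and Iplist follows the text.
SAMPLE_TASKS = {
    'Tasks': [
        {'Iplist': ['192.0.2.10'], 'Code': 3,  'Address': [0, 1], 'Count': 1, 'Value': 0},
        {'Iplist': ['192.0.2.10'], 'Code': 6,  'Address': [40],   'Count': 2, 'Value': 0xFFFF},
        {'Iplist': ['192.0.2.10'], 'Code': 16, 'Address': [50],   'Count': 1, 'Value': 0},
    ],
}

READ_HOLDING = 3
WRITE_SINGLE = 6
WRITE_MULTIPLE = 16
WRITE_CODES = {5, 6, 15, 16}   # coil and register write function codes


def build_pdu(code, address, value, quantity=1):
    '''Modbus PDU (function code + data) for the three functions the tool uses.'''
    if code == READ_HOLDING:
        return struct.pack('>BHH', code, address, quantity)
    if code == WRITE_SINGLE:
        return struct.pack('>BHH', code, address, value & 0xFFFF)
    if code == WRITE_MULTIPLE:
        regs = struct.pack('>' + 'H' * quantity, *([value & 0xFFFF] * quantity))
        return struct.pack('>BHHB', code, address, quantity, len(regs)) + regs
    raise ValueError('unsupported function code %d' % code)


def build_frame(tid, unit, pdu):
    '''Modbus/TCP frame: 7-byte MBAP header (tid, protocol 0, length, unit id) + PDU.'''
    return struct.pack('>HHHB', tid, 0, len(pdu) + 1, unit) + pdu


def plan_frames(tasks, unit=1):
    '''Expand a task file into the (dst_ip, frame) sequence it would generate:
    every Address of every task, repeated Count times per target.'''
    frames = []
    tid = 0
    for task in tasks['Tasks']:
        for ip in task['Iplist']:
            for addr in task['Address']:
                for _ in range(task['Count']):
                    tid = (tid + 1) & 0xFFFF
                    pdu = build_pdu(task['Code'], addr, task['Value'])
                    frames.append((ip, build_frame(tid, unit, pdu)))
    return frames


def parse_frame(frame):
    '''Decode MBAP header, function code and starting address; None if malformed.'''
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack('>HHHB', frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    code = frame[7]
    addr = struct.unpack('>H', frame[8:10])[0] if len(frame) >= 10 else None
    return {'tid': tid, 'unit': unit, 'code': code, 'address': addr}


def flag_unexpected_writes(traffic, allowed_writers):
    '''Detection rule: a write function code from a source that is not an
    allowlisted HMI/engineering host is an alert. traffic = [(src, dst, frame)].'''
    alerts = []
    for src, dst, frame in traffic:
        decoded = parse_frame(frame)
        if decoded and decoded['code'] in WRITE_CODES and src not in allowed_writers:
            alerts.append((src, dst, decoded['code'], decoded['address']))
    return alerts


if __name__ == '__main__':
    attacker = '198.51.100.7'   # assumed source of the tool's traffic
    traffic = [(attacker, dst, frame) for dst, frame in plan_frames(SAMPLE_TASKS)]
    for alert in flag_unexpected_writes(traffic, allowed_writers={'10.0.0.5'}):
        print('unexpected write from %s to %s: FC %d at register %d' % alert)
```

Run as a script it prints one alert per write frame (two FC 6 writes to register 40 and one FC 16 write to register 50) and nothing for the FC 3 reads. The same parse_frame and flag_unexpected_writes functions can be pointed at Modbus/TCP payloads extracted from a capture, with the allowlist populated from the site's known HMI and engineering workstations.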
\r\nHere at Nozomi we firmly believe that we are stronger together, and we are happy to share our knowledge with the public to combat malicious actors more effectively.\r\nIndicators of Compromise (IoCs) for FrostyGoop AKA BUSTLEBERM\r\nSHA-256 hashes of the analyzed samples:\r\n5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb\r\na63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c\r\nYARA Rules for FrostyGoop AKA BUSTLEBERM\r\n// Created by Nozomi Networks Labs\r\nrule Mal_Hacktool_Win64_Bustleberm\r\n{\r\nmeta:\r\n   name = \"BUSTLEBERM ICS Hacktool\"\r\n   author = \"Nozomi Networks Labs\"\r\n   description = \"Detects the BUSTLEBERM ICS Hacktool (also known as FrostyGoop)\"\r\n   date = \"2024-07-24\"\r\n   tlp = \"clear\"\r\n   x_threat_name = \"BUSTLEBERM\"\r\n   x_mitre_technique = \"T1007, T1012, T1033, T1112, T1543, T0869, T0855\"\r\n   reference = \"https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_.pdf\"\r\n   hash1 = \"5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb\"\r\n   hash2 = \"a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c\"\r\nstrings:\r\n   $go = \"Go build ID:\" ascii fullword\r\n   $modbus_1 = \"github.com/rolfl/modbus\" ascii fullword\r\n   $modbus_2 = \"\\x00main.MbConfig.writeMultiple\\x00\" ascii\r\n   $rtn_1 = \"\\x00main.TaskList.executeCommand\\x00\" ascii\r\n   $rtn_2 = \"\\x00main.TaskList.getTaskIpList\\x00\" ascii\r\n   $rtn_3 = \"\\x00main.TaskList.getIpList\\x00\" ascii\r\n   $rtn_4 = \"\\x00main.TargetList.getTargetIpList\\x00\" ascii\r\ncondition:\r\n   uint16(0) == 0x5a4d and\r\n   filesize <= 10MB and\r\n   $go and\r\n   any of ($modbus_*) and\r\n   2 of ($rtn_*)\r\n}\r\nIn addition, Florian Roth released another public rule to detect this threat, 
which can be found here:\r\nhttps://github.com/Neo23x0/signature-base/blob/master/yara/mal_go_modbus.yar\r\nTTPs\r\nT0855 - Unauthorized Command Message\r\nT0869 - Standard Application Layer Protocol\r\nT1007 - System Service Discovery\r\nT1012 - Query Registry\r\nT1033 - System Owner/User Discovery\r\nT1112 - Modify Registry\r\nT1543 - Create or Modify System Process\r\nReferences\r\nhttps://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_.pdf\r\nhttps://x.com/DanWBlack/status/1815739135107199356\r\nhttps://github.com/Neo23x0/signature-base/blob/master/yara/mal_go_modbus.yar\r\nSource: https://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware"
	],
	"report_names": [
		"protecting-against-frostygoop-bustleberm-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434084,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5fbe538f4ba055927278986c868836021e1f930f.pdf",
		"text": "https://archive.orkl.eu/5fbe538f4ba055927278986c868836021e1f930f.txt",
		"img": "https://archive.orkl.eu/5fbe538f4ba055927278986c868836021e1f930f.jpg"
	}
}