{
	"id": "6a4a7801-b1a2-4557-9499-06dbf4313768",
	"created_at": "2026-04-06T00:16:52.336883Z",
	"updated_at": "2026-04-10T03:34:42.426046Z",
	"deleted_at": null,
	"sha1_hash": "72479c231e612cbd1c998d818767711f3d695fe7",
	"title": "Xenotime Threat Group | Dragos",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32957,
	"plain_text": "Xenotime Threat Group | Dragos\r\nBy September 4, 2025 11:25 AM\r\nArchived: 2026-04-05 14:18:08 UTC\r\nXENOTIME is easily the most dangerous threat activity publicly known. It is the only activity group intentionally compromising and disrupting industrial safety instrumented systems, which can lead to scenarios involving loss of life and environmental damage.\r\nDragos identified several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME, providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks.\r\nXENOTIME rose to prominence in December 2017 when Dragos and FireEye jointly published details of TRISIS (also known as TRITON, the focus of the MITRE Engenuity ATT\u0026CK® Evaluations for ICS), destructive malware targeting Schneider Electric’s Triconex safety instrumented system. The multi-step malware framework caused industrial systems in a Middle Eastern industrial facility to shut down. The incident represented a shift in the capabilities and consequences of ICS malware.\r\nTRISIS was an escalation of the type of attacks historically targeting ICS. Targeting a safety system indicates significant damage and loss of human life were either intentional or acceptable goals of the attack, a consequence not seen in previous disruptive attacks such as the 2016 CRASHOVERRIDE malware that caused a power loss in Ukraine.\r\nNote: Industrial safety instrumented systems comprise part of a multi-layer engineered process control framework to protect life and the environment. Industrial safety systems are highly redundant and separate controls which override and manage industrial processes if they approach unsafe conditions such as over-pressurization, overspeed, or over-heating. They enable engineers and operators to safely control and possibly shut down processes before a major incident occurs. They’re a critical component of many dangerous industrial environments such as electric power generation and oil and gas processing.\r\nXENOTIME configured TRISIS based on the specifics and functions of the Triconex system within the industrial control system (ICS) environment. XENOTIME used credential capture and replay to move between networks, Windows commands, standard command-line tools such as PsExec, and proprietary tools for operations on victim hosts. (Full reports detailing XENOTIME’s tools, techniques, and procedures are available to Dragos WorldView customers.)\r\nBecause the TRISIS malware framework was highly tailored, it would have required specific knowledge of the Triconex infrastructure and processes within a specific plant. This means it’s not easy to scale—however, the malware provides a blueprint of how to target safety instrumented systems. This tradecraft is thus scalable and available to others even if the malware itself changes. Dragos’ data indicates XENOTIME remains active. Furthermore, Dragos’ analysis of the TRISIS event continues as we recover additional data surrounding the incident.\r\nhttps://www.dragos.com/threat/xenotime/\r\nPage 1 of 2\r\nDragos assesses with moderate confidence that XENOTIME intends to establish required access and capability to cause a potential, future disruptive—or event. Compromising safety systems provides little value outside of disrupting operations. The group created a custom malware framework and tailor-made credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly. As XENOTIME matures, it is less likely that the group will make this mistake in the future.\r\nXENOTIME operates globally, impacting regions far outside of the Middle East, its initial target. Intelligence suggests the group has been active since at least 2014 and is presently operating in multiple facilities targeting safety systems beyond Triconex. This group has no known associations to other activity groups.\r\nSource: https://www.dragos.com/threat/xenotime/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.dragos.com/threat/xenotime/"
	],
	"report_names": [
		"xenotime"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434612,
	"ts_updated_at": 1775792082,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72479c231e612cbd1c998d818767711f3d695fe7.pdf",
		"text": "https://archive.orkl.eu/72479c231e612cbd1c998d818767711f3d695fe7.txt",
		"img": "https://archive.orkl.eu/72479c231e612cbd1c998d818767711f3d695fe7.jpg"
	}
}