{
	"id": "ce7ffddd-2b4b-48e5-ac0c-3540c1520345",
	"created_at": "2026-04-10T03:20:05.833436Z",
	"updated_at": "2026-04-10T03:22:17.959189Z",
	"deleted_at": null,
	"sha1_hash": "803bb7049e9ecc4b17241ee0751ea0ac7a901b36",
	"title": "New ICS Threat Activity Group: TALONITE",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 952669,
	"plain_text": "New ICS Threat Activity Group: TALONITE\r\nBy Dragos, Inc.\r\nPublished: 2021-04-26 · Archived: 2026-04-10 03:17:43 UTC\r\nDragos first disclosed four new threat activity groups targeting ICS/OT in the ICS Cybersecurity 2020 Year in\r\nReview report. In this blog post, we will provide more information on one of the new groups: TALONITE. The\r\nfundamental assessment of threats tracked by Dragos is that they are explicitly attempting to gain access to ICS\r\nnetworks and operations or are successful in achieving access, not simply trying to gain access to an industrial\r\norganization. To learn more about ICS threat activity groups and how they’re created, we invite you to read our\r\nblog post “Uncovering ICS Threat Activity Groups.”\r\nThreat Activity Group: a set of intrusion events related with varying degrees of confidence by\r\nsimilarities in their features or processes used to answer analytic questions and develop broad\r\nmitigation strategies that achieve effects beyond the immediate threat.\r\nTALONITE Activity Group Overview\r\nDragos began tracking the TALONITE activity group in July 2019 with operations focusing on initial access\r\ncompromises in the United States (U.S.) electric sector. The group uses phishing techniques with either malicious\r\ndocuments or executables. TALONITE uses two custom malware families, LookBack and FlowCloud, each of which\r\nconsists of multiple components.\r\nTALONITE focuses on subverting and taking advantage of trust with phishing lures focusing on engineering-specific themes and concepts, malware that abuses otherwise legitimate binaries or modifies such binaries to\r\ninclude additional functionality, and a combination of owned and compromised network infrastructure. This\r\nactivity is difficult to track and contain given the group’s propensity to blend techniques and tactics in order to\r\nensure a successful intrusion. 
There is behavioral and tooling overlap between TALONITE and activity known by\r\nsome as APT10. Alleged members of APT10 were indicted in 2018.\r\nhttps://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/\r\nPage 1 of 4\n\nFigure 1: Diamond Model representation of TALONITE\r\nDetecting and Mitigating TALONITE Activity\r\nTALONITE gains initial enterprise network access via spearphishing activity that leverages malicious documents\r\nand executables. The lures (Figure 2) focus on engineering-specific themes and concepts, and distribute malware\r\nknown as FlowCloud and LookBack.\r\nFigure 2: TALONITE phishing engineering-themed email\r\nThe malware incorporates multiple components, including legitimate items such as certutil.exe from Microsoft that\r\nthe malware abuses, and malware components masquerading as legitimate utilities such as the malicious\r\nproxy tool GUP.exe, named after a legitimate Notepad++ executable.\r\nThe infrastructure appears to be shared or reused through the overlapping LookBack and FlowCloud campaigns.\r\nDragos previously identified infrastructure associated with LookBack and concurrently used in FlowCloud\r\nactivity. Most items indicate an adversary registering, hosting, and maintaining infrastructure on controlled\r\nservers. TALONITE registers domains masquerading as legitimate engineering or regulatory bodies and uses\r\nmostly adversary-owned and -controlled domains and servers, occasionally using legitimate but compromised\r\ninfrastructure.\r\nDragos did not observe any lateral movement for TALONITE. Based on the capabilities of LookBack and\r\nFlowCloud, both of which facilitate various means of credential capture, Dragos assesses with high confidence\r\nthat TALONITE lateral movement incorporates credential reuse. 
Both malware types are Remote Access Trojans\r\n(RAT) that contain capabilities to establish persistence within the environment. LookBack malware contains\r\npersistence mechanisms that add two Windows registry keys to execute legitimate but maliciously modified files\r\nwhen the infected user next logs in.\r\nTo obtain persistence, FlowCloud performs minor operations on the system then launches a renamed copy of the\r\nlegitimate HTML Help Workshop (hhw.exe) utility from Microsoft. Extensive database and related processes are\r\nused to capture host data that is stored in those database files in a subdirectory of the legitimate but renamed\r\nutility.\r\nThe Dragos Platform incorporates multiple detections and analytics designed specifically to detect credential reuse\r\nand malicious logon activity. Such tactics are deployed by multiple activity groups tracked by Dragos, making\r\ncoverage of such abuse vital for ICS network protection. In the ICS Cybersecurity 2020 Year in Review, Dragos\r\nfound that 90 percent of its services customers lacked fundamental visibility into ICS environments. This means\r\nmost ICS asset owners and operators will be blind to threats and lack critical cybersecurity data.\r\nDetections for all TALONITE behaviors are available in the Dragos Platform.\r\nICS Considerations for the Future\r\nThere is no evidence indicating TALONITE has executed a disruptive ICS attack or penetrated control system\r\nnetworks in a victim environment. Targeting behavior from July 2019 through the present strongly indicates that\r\nTALONITE is exclusively focused on the electric sector, especially within the United States. TALONITE at\r\nminimum represents an initial access and information gathering capability leveraged against multiple entities\r\nwithin the U.S. electric sector over an extended period of time. TALONITE focuses on U.S. 
electric utilities, with\r\nsome evidence of capabilities targeting unknown entities in Japan and Taiwan prior to 2019.\r\nDragos cannot definitively link TALONITE to any known intrusion set or state interest, despite behaviors and\r\ntooling that suggest an overlap with APT10 (also referred to as menuPass and STONE PANDA). TALONITE’s\r\ntargeting focus on critical engineering, and power generation and distribution know-how within electric utilities is\r\nconsistent with a well-resourced adversary with strong long-term interests in industrial control and grid\r\noperations.\r\nTALONITE targets U.S. electric utilities for initial access and information gathering. Although TALONITE is not\r\nassociated with any known and deliberate ICS disruptive event, TALONITE’s identified behaviors and capabilities\r\ndo not rule out future ICS-targeting operations. While TALONITE’s relationship to People’s Republic of China\r\n(PRC) strategic interests is unknown, sufficient information identifies this group as an emerging and serious threat\r\nto security in the electric sector.\r\nSource: https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/"
	],
	"report_names": [
		"new-ics-threat-activity-group-talonite"
	],
	"threat_actors": [],
	"ts_created_at": 1775791205,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/803bb7049e9ecc4b17241ee0751ea0ac7a901b36.pdf",
		"text": "https://archive.orkl.eu/803bb7049e9ecc4b17241ee0751ea0ac7a901b36.txt",
		"img": "https://archive.orkl.eu/803bb7049e9ecc4b17241ee0751ea0ac7a901b36.jpg"
	}
}