{
	"id": "4e2d964d-7361-40db-b8d7-432f970b708e",
	"created_at": "2026-04-29T02:21:08.956136Z",
	"updated_at": "2026-04-29T08:22:39.140143Z",
	"deleted_at": null,
	"sha1_hash": "8dbb11eb8dadb89c8d5bfaaedda99cb9611c998d",
	"title": "",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2026-02-17T12:29:23Z",
	"file_modification_date": "2026-02-17T12:30:26Z",
	"file_size": 13177395,
	"plain_text": "9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\n9TH ANNUAL | 2026\r\nYEAR IN REVIEW\r\nOT/ICS CYBERSECURITY REPORT\n\n2 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nIntroduction 5\r\nNew Threat Group: AZURITE 11\r\nThreat Group Update: KAMACITE \u0026 ELECTRUM 33\r\nInsights From Dragos Intelligence Fabric 15\r\nInsights From Dragos Intelligence Fabric 34\r\nDefensive Recommendations and Mitigations 16\r\nTips for Hunting 17\r\nMethodology and Sourcing 8\r\nNew Threat Group: PYROXENE 18\r\nDragos Identifies Three New Threat Groups in 2025 10\r\nAdvancing Toward OT: Active Threat Group Operations 32\r\nHafia Bay Port Water-Hole Attacks 21\r\nTips for Hunting 23\r\nTips for Hunting 31\r\nIvanti Endpoint Manager Mobile (EPMM) Compromise 26\r\nA Series of Exploitation Campaigns 27\r\nPositioning for Future Disruptive Attacks 28\r\nDefensive Recommendations and Mitigations 30\r\nInsights From Dragos Intelligence Fabric 29\r\nEarly Signs of Future OT Capability Positioning 21\r\nDefensive Recommendations and Mitigations 22\r\nNew Threat Group: SYLVANITE 24\r\nTable of Contents\r\nExpansion of KAMACITE Targeting Across the ICS Supply Chain 36\r\nConsistent Tactics, But Expanded Operational Scale 37\r\nWhy This Campaign Matters 37\r\nU.S. Reconnaissance Campaign (March-July 2025): Expansion into\r\nDirect ICS Target Mapping in the U.S. 37\r\nFrom Access-Building to Control-Loop Mapping 38\r\nWhat Defenders Should Infer 39\r\nELECTRUM Activity in 2025: Destructive Operations Underscore\r\nWhy KAMACITE’s Access Matters 39\r\nJune 2025: Identification of New Destructive Malware (PathWiper) 39\r\nDefensive Recommendations and Mitigations 41\n\n3 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nTable of Contents (cont.) 
Threat Group Update: VOLTZITE 44\r\nThreat Group Update: BAUXITE 51\r\nSierra Wireless Airlink Targeting 46\r\nThreatening Email Campaign 54\r\nJDY Botnet Activity 46\r\nWiper Malware 54\r\nExploited Trimble Cityworks GIS Software 47\r\nInsights From Dragos Intelligence Fabric 48\r\nInsights From Dragos Intelligence Fabric 55\r\nInsights From Dragos Intelligence Fabric 69\r\nRansomware Groups Continue to Target Exposed FTP Servers 73\r\nInsights From Dragos Intelligence Fabric 79\r\nAdversaries Exploiting Exposed Perimeter Devices 74\r\nDefensive Recommendations and Mitigations 49\r\nDefensive Recommendations and Mitigations 56\r\nPLC_Controller.exe 59\r\nSuspicious PowerShell Modbus Tool 60\r\nAdversaries Stealing ICS Data 61\r\nHacktivists and Proven Claims 62\r\nRansomware Targeting Virtualization and OT Boundary Systems 66\r\nBattery Energy Storage System and Demand Energy Response Research 71\r\nExpansion and Fragmentation of the RaaS Ecosystem 67\r\nProduct-Specific Vulnerabilities 71\r\nFalse ICS Claims and Narrative-Driven Extortion 68\r\nExploitation of Vulnerabilities in ICS 72\r\n2025 Vulnerability Trends 74\r\nIncreased Targeting of OT-Adjacent and Supply-Chain Entities 67\r\nWider Industry Issues 71\r\nIdentity-Centric Intrusions Enabling IT-to-OT Operational Impacts 68\r\nICS-Adjacent Capabilities Research and Trends 58\r\nRansomware-as-a-Service (RaaS) Threats to Industrial Organizations 64\r\nVulnerabilities 70\n\n4 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nTable of Contents (cont.)\r\nIR Cases 82\r\nNetwork Segmentation 84\r\nIncident Response Plans 82\r\nDefault or Weak Credentials 85\r\nEndpoint Protection 85\r\nCall to Action 81\r\nCritical Control 01: OT/ICS Incident Response 82\r\nCritical Control 02: Defensible Architecture 84\r\nCritical Control 03: ICS Network Visibility \u0026 Monitoring 87\r\nCritical Control 04: Secure Remote Access 88\r\nCritical Control 05: Risk-based Vulnerability Management 89\r\nFindings from the Field: 2025 Lessons Learned 80\n\n5 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nA Message From Our Founder\r\nTen years ago, Jon Lavender, Justin Cavinee, and I founded Dragos\r\nwith a focused passion on protecting OT from those who meant it, and\r\nthe communities that depend on it, harm. When I started my career\r\nin this field there was no compendium of knowledge of the threats,\r\nvulnerabilities, and what insights could be shared from engagements\r\nlike incident response. There were anecdotal insights and hushed\r\nrumors with lots of claims of classified insights hidden away\r\nsomewhere. It is hard to build a professional community and have\r\nan understanding of what the right security efforts are on anecdotal\r\ninsights. With that in mind, I started the Year in Review 9 years ago as\r\na freely available report capturing the Dragos team’s knowledge on\r\nthe threat landscape. Our goal was simple, keep the product pitching\r\nout of it and share whatever we are legally and ethically allowed to\r\nshare that helps empower defenders. OT cybersecurity is obvious to\r\npeople as necessary now, but ten years ago it was not. 
I remember\r\ntelling the team early on that if Dragos failed it would at least be the\r\nYear in Review report we could leave behind; that every year we were\r\ncontributing something useful to the community that could outlast us.\r\nTen years later I’m proud that we are not at risk of going away and we\r\nare still sharing with this community we all love so much.\r\nI hope you enjoy the report, take insights from it to drive your security\r\nefforts, and are able to share the knowledge contained here to help\r\nothers understand that OT is the critical part of critical infrastructure.\r\nIt is worthy of protection and can be protected. It is not easy to be in\r\nthis field, you as the reader know that first hand. But OT cybersecurity\r\nisn’t a market, it isn’t a category, it’s a mission - focused on protecting\r\npeople against some of the worst adversaries imaginable. Adversaries\r\nthat target civilian infrastructure, go after our communities, and\r\nwillfully accept risk up to and including the loss of human life of our\r\nloved ones, families, of our children. Armed with knowledge you can\r\ngo from being the victim to being the hunter against these adversaries.\r\nIn this report my team professionally calls them Threat Groups.\r\nInternally to Dragos we just call them what they are, assholes.\r\nHappy Hunting,\r\nRobert M. Lee, CEO\n\n6 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nIntroduction\r\nAdversaries Are\r\nMapping Control\r\nLoops to Cause\r\nPhysical Impact\r\nExploits Are\r\nWeaponized in 24\r\nDays But Mitigation\r\nTakes Longer\r\nRansomware\r\nShutdowns Are\r\nOperational\r\nIncidents Being\r\nMislabeled as IT\r\nIn 2025, adversaries targeting operational technology (OT) crossed a line that had previously\r\nbeen limited to a small number of well-known attacks impacting industrial control systems (ICS).\r\nThey are no longer simply gaining access and waiting. Multiple threat groups, independently and\r\nacross different geopolitical alignments, moved into actively mapping control loops: identifying\r\nengineering workstations, exfiltrating configuration files and alarm data, and learning how\r\nphysical processes operate well enough to disrupt them. This is the removal of the last practical\r\nbarrier between having access and being able to cause physical consequences. It indicates that\r\nthe teams behind these operations are being told to prepare to act, not just to maintain options.\r\nThis year’s report introduces three new threat groups - AZURITE, PYROXENE, and SYLVANITE\r\n- and documents significant evolution in established groups like VOLTZITE, KAMACITE,\r\nELECTRUM, and BAUXITE. Several of these groups now operate in paired models where one\r\nteam develops initial access and hands it off to a second team with ICS-specific capability. That\r\ndivision of labor compresses the timeline from compromise to operational readiness, in some\r\ncases from weeks to days, and lowers the barrier for the groups that ultimately cause impact.\r\nELECTRUM, the group responsible for the Ukrainian power outages in 2015 and 2016 and the\r\nmost operationally experienced infrastructure-attack group Dragos is aware of, expanded\r\nits targeting beyond Ukraine into Poland in late December 2025. 
That attack, which targeted\r\ndecentralized energy resources including combined heat and power facilities and renewable\r\nenergy management systems, was the first major coordinated cyberattack against DERs\r\nanywhere in the world.\r\nMeanwhile, KAMACITE, the access development team that feeds ELECTRUM, expanded from\r\nUkrainian targets into the European OT supply chain and conducted sustained reconnaissance\r\nof internet-exposed industrial devices across the United States between March and July\r\n2025. The scanning was not opportunistic. It targeted specific components in a sequence\r\nthat suggests intent to understand entire control loops, not isolated devices. The pattern is\r\nconsistent with what you would expect from a team being told to prepare for operations, not just\r\ncollect.\r\nAdversaries also moved faster on vulnerabilities in 2025. Median time from disclosure to public\r\nexploit: 24 days. Four percent of ICS vulnerabilities were actively exploited at disclosure and\r\nin multiple incident response cases, Dragos reported exploited vulnerabilities to vendors and\r\nwaited 90+ days for public advisories while attacks continued elsewhere. Meanwhile, 26 percent\r\nof advisories offered no patch, and 25 percent contained incorrect CVSS scores, leaving\r\ndefenders with incomplete or wrong guidance while adversaries operationalized exploits.\r\nRansomware continued to hit industrial organizations hard. Dragos tracked 119 ransomware\r\ngroups impacting over 3,300 industrial organizations in 2025, compared to 1693 attacks\r\nin 2024. But the numbers understate the problem. There is a persistent and significant\r\nmischaracterization of ransomware incidents as IT-only, driven by responders who see a\r\nWindows operating system and classify the incident without recognizing that the system was\r\nhosting SCADA software or functioning as an engineering workstation.\n\n7 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nGap Between\r\nAdversary Capability\r\nand Defender\r\nVisibility Is Widening\r\nOT Security\r\nFundamentals\r\nRemain the Most\r\nEffective Defense\r\nThe most concerning finding in this report may be the simplest one. Thirty percent of Dragos\r\nincident response cases in 2025 started not with a detected intrusion or a ransom note, but\r\nwith someone saying: something seems wrong. In the majority of those cases, the data needed\r\nto answer whether cyber was involved had never been collected. OT network telemetry is\r\ntransient. If you are not recording it when it happens, it is gone. You cannot investigate what\r\nyou cannot see, and in a growing number of cases, asset owners are making public statements\r\nthat incidents had nothing to do with cyber not because they determined that to be the case, but\r\nbecause they lacked the data to determine anything at all.\r\nDragos estimates that fewer than 10 percent of OT networks worldwide have network visibility\r\nand monitoring in place. Everything in this report is drawn from that fraction. The threats\r\ndocumented here are also operating in the environments that are not looking. The 26 threat\r\ngroups Dragos tracks, the 3,300+ ransomware incidents, the vulnerability findings, and the\r\nlessons from the field all represent the minimum view, not the maximum.\r\nThe fundamentals of OT security - knowing what is in your environment, monitoring what is\r\nhappening, controlling access, and being prepared to respond - remain the most effective\r\ndefense against every threat in this report. Ninety percent of the asset owners Dragos works\r\nwith still cannot detect the style of attack that ELECTRUM used a decade ago. As the threats get\r\nmore aggressive and infrastructure gets more complex, the gap between what adversaries can\r\ndo and what defenders can see is widening. 
The operational tempo of adversaries now outpaces\r\nthe detection capabilities of most defenders. Closing that gap is not a technology problem. It is a\r\nprioritization and investment problem, and the window to address it is getting smaller.\n\n8 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nMethodology and\r\nSourcing\r\nDragos focuses on Operational Technology (OT) environments only; therefore, this report covers\r\nonly that scope. To identify OT specific threat groups, Dragos aligns with the SANS ICS Cyber\r\nKill Chain paper and the Diamond Model paper.1,2 If a threat has targeted organizations with OT\r\nnetworks, that alone is not enough to be a Stage 1 adversary. The organization’s targeting must\r\nbe due to its OT networks, which support the assessment that it is a Stage 1 adversary. If the\r\nadversary gains access to OT networks and the activity appears intentional, the assessment\r\nis that they are a Stage 2 adversary. Furthermore, Dragos tracks Temporary Activity Threads\r\n(TATs) to gather and disseminate information about unidentified or emerging cyber threat groups\r\nor activity. TATs serve as a provisional classification for clusters of cyber threat activities that\r\nhave not yet reached a level of analytical rigor to be designated as an enduring Threat Group.\r\nIt is important to note that the level of insight and data collection in OT networks worldwide\r\nremains minimal, despite their criticality, and they remain an emerging area. Dragos estimates\r\nthat fewer than 10 percent of OT networks worldwide have visibility and monitoring. However,\r\nthe nature of threats and vulnerabilities yields insights that can be applied more broadly and\r\nare representative of the community as a whole. With enhanced visibility and monitoring, new\r\nthreats would be discovered, but not at a linear scale with the visibility gained. 
Despite this,\r\nDragos maintains the largest source of such insights into OT networks globally.\r\nThe Dragos Intelligence Fabric is the primary source for the Year in Review report. It is\r\ncomposed of numerous sources, including first-party data sets tied to the Dragos Platform\r\ntechnology, which is deployed at thousands of sites globally. Insights from the Dragos Platform\r\nare available when customers use the OT Watch and OT Watch Complete 24/7 monitoring\r\nservices, optionally opt in to Neighborhood Keeper, or take advantage of the Dragos Incident\r\nResponse services. The Dragos intelligence team leverages these sources, trusted second\r\nparties and partners, and third-party datasets, both commercially available and those\r\navailable only through unique collaborations. As part of intelligence reporting, Dragos’s\r\nVulnerability Analysts utilize the Now, Next, Never methodology.3 Now, Next, and Never are\r\nthe priorities we set for vulnerabilities in the Dragos Platform. These factors are considered in\r\nvulnerability assessments, and the determination is included in the database advisory as “Now”\r\nvulnerabilities. Dragos investigates each vulnerability and provides an assessment that typically\r\nincludes mitigation advice if a patch cannot be applied immediately or if the vendor doesn’t\r\nprovide a patch or alternative mitigation. The evaluation considers the vulnerable component\r\nand how that impacts the rest of the process. The “Next” vulnerabilities can be mitigated through\r\nproper network segmentation, returning us to the defensible architecture critical control. Often,\r\nnetwork segmentation can be implemented without disrupting the industrial process, whereas\r\npatching these devices may cause an outage. After the network is segmented, adversaries\r\nmust follow paths and chokepoints to penetrate deeply into the industrial network, where asset\r\nowners have the best visibility to monitor for exploitation. 
The “Never” vulnerabilities are items\r\nthat will not reduce the device’s inherent risk to your process, even if you fully remediate. These\r\nvulnerabilities are generally overhyped, challenging to exploit, and can be mitigated by the\r\navailable features.4\r\n1 The Diamond Model of Intrusion Analysis – US Department of Defense\r\nhttps://apps.dtic.mil/sti/pdfs/ADA586960.pdf\r\n2 The Industrial Control System Cyber Kill Chain – SANS\r\nhttps://www.sans.org/white-papers/36297\r\n3 Towards Improving CVSS – Carnegie Mellon University\r\nhttps://www.sei.cmu.edu/documents/574/2018_019_001_538372.pdf\r\n4 Risk-Based Vulnerability Management for Operational Technology – Dragos\r\nhttps://hub.dragos.com/hubfs/116-Datasheets/Dragos_Risk-Based_Vulnerability_\r\nManagement_OT_Cybersecurity.pdf?hsLang=en\n\n9 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nThese sources make the Dragos Intelligence Fabric the world’s largest dataset on OT security\r\ninsights, covering threats and vulnerabilities. However, it is not a complete view, and no\r\ngovernment, vendor, or other entity can have one. Therefore, it is important for readers to\r\ntake the assessments as the minimum, not the maximum, view. For example, if a threat group\r\nis known to target a specific industry or country, that will be stated, but it should not be taken\r\nto mean that no other industry or country is targeted. It is common for some industries and\r\ncountries to invest very little in OT network visibility and monitoring or in OT-specific services,\r\nleaving them with few insights. Throughout the report, where further sourcing is available, it\r\nwill be noted whether the insight comes from OT Watch, Neighborhood Keeper, the intelligence\r\nteam’s hunting, or Dragos Services, such as incident response or assessments.\r\nDragos\r\nIntelligence\r\nFabric\n\n10 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nDragos Identifies\r\nThree New Threat\r\nGroups in 2025\r\n01.\r\nDragos now tracks 26 threat groups that target OT\r\nenvironments specifically because of their industrial\r\noperations. Eleven of those were active last year. In\r\n2025, Dragos identified three new groups demonstrating\r\na critical shift: adversaries moving from prepositioning\r\nfor future attacks to actively mapping control loops and\r\nunderstanding how to manipulate physical processes.\r\nAZURITE and PYROXENE operate inside OT\r\nenvironments, exfiltrating alarm data, configuration\r\nfiles, and operational intelligence from engineering\r\nworkstations. SYLVANITE operates as an initial\r\naccess provider, rapidly weaponizing edge device\r\nvulnerabilities and handing off compromised\r\nenvironments to Stage 2 adversaries like VOLTZITE\r\nwithin days. This division of labor compresses the\r\ntimeline from initial breach to operational impact.\n\n11 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nAZURITE\r\nNew Threat Group:\r\nSINCE 2021\r\nAz\r\nICS IMPACT: Loss of confidentiality, and theft of operational information,\r\nlong-term access and offensive operations enablement.\r\nInfrastructure\r\n• Use of compromised SOHO networking equipment for communications\r\n• Multi-tiered management of controller nodes, proxy/relay notes, and\r\ninfector nodes\r\n• Usage of other multiuse ORBs associated with several threat groups\r\nAdversary\r\n• Overlap with Flax Typhoon, Ethereal Panda, UNC5923, Raptor Train,\r\nRed Dev 54, TAT-2023-35, TAT-2023-46, TAT-2025-16\r\n• Likely has the same adversary customer as VOLTZITE\r\nVictimology\r\n• Targets Taiwan, United States, Europe, Japan, South Korea, Australia\r\n• Targets Manufacturing, Defense, Automotive, Electric, Government, Oil and Gas\r\nCapabilities\r\n• Strong operational security practices\r\n• Heavily uses living off the land binaries and techniques\r\n• Exploits a wide array of vulnerabilities using public POCs\r\n• Initial reconnaissance of a target is conducted in a slow and steady fashion to\r\nevade detection, especially internally\r\n• Use of open-source offensive security tooling, e.g. Mimikatz, Metasploit,\r\nJuicyPotato\r\n• Use of multiple web shells - Chopper, AntSword, SuperShell, devilszshell, and\r\nGodzilla\r\n• Exploitation of internet-facing Ivanti, Fortinet, Cisco, and F5 assets\n\n12 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nAbout AZURITE This year, Dragos introduced a new threat group, AZURITE, an ICS Kill Chain Stage 2 adversary\r\ntargeting OT engineering workstations and exfiltrating OT operational data. 
While Dragos\r\nassesses with moderate confidence that AZURITE does not possess a Stage 2 tool or malware\r\ncapability in its arsenal designed specifically to target OT processes, hardware, protocols,\r\nor software, they have demonstrated the capability to operate in OT environments using\r\nreconnaissance, lateral movement, and actions on objective. AZURITE’s interest in targeting\r\nand exfiltrating of OT operational data, project files, alarm data, process information, employee\r\noperator information, etc., versus typical intellectual property (IP) theft, is demonstrative\r\nof AZURITE’s intent and motivation to collect OT information that almost certainly assist in\r\ndeveloping OT specific tooling or malware capabilities for either the AZURITE operators or\r\nAZURITE’s adversary customer. AZURITE conducts interactive operations with engineering\r\nworkstation hosts to identify information of interest and stages the data outside of the OT\r\nnetwork for exfiltration. AZURITE demonstrates knowledge of OT-centric software for operating\r\nor monitoring OT processes. AZURITE has not been observed manipulating, stopping, or\r\nmodifying OT-specific software; it has only identified and exfiltrated information already on\r\ntarget assets. This activity is highly likely to support capability development, target designation,\r\nand environment awareness for the preparation of offensive operations in case of geopolitical\r\nconflict.\r\nAZURITE targets manufacturing, automotive, electric, oil and gas, pharmaceutical, defense\r\nindustrial base, and government organizations. From a regional perspective, AZURITE targets\r\nthe United States, Australia, Europe, Japan, South Korea, and Taiwan. AZURITE activity shares\r\ntechnical overlaps with Flax Typhoon. Assets targeted by AZURITE for initial access include\r\nremote access, edge devices, Small Office/Home Office (SOHO) routers, and web application\r\nfirewalls (WAFs). 
AZURITE’s likely intent is to gain and maintain access to victim networks as a\r\nsource of intelligence and persistent access to support socio-political or geopolitical taskings.\r\nDragos assesses with moderate confidence that AZURITE is not deterred from its operations by\r\npublic exposure, law enforcement infrastructure takedowns, or government sanctions based on\r\nAZURITE continuing its operations even after indictments and sanctions were leveled against the\r\nadversary operators.\r\nAZURITE uses a combination of purpose-built VPS Infrastructure and compromised SOHO\r\ndevices incorporated into adversary-controlled botnets for adversary operators to conduct\r\nautomated and interactive reconnaissance, capability staging, exploitation, command and\r\ncontrol, actions on the objective, and exfiltration.\r\nAZURITE focuses on exploiting vulnerabilities in public-facing infrastructure and administrative\r\nportals, which are often exposed to the internet and serve as entry points for attackers,\r\neliminating the need for phishing or user interaction. These include SSL-VPNs, firewalls, ADC/\r\nWAF appliances, NAS devices, and web applications with management interfaces. High-profile examples include Citrix NetScaler (CVE-2023-3519), Fortinet FortiOS SSL-VPN flaws\r\n(CVE-2024-21762, CVE-2023-27997), F5 BIG-IP TMUI/iControl (CVE-2023-46747, CVE-2022-\r\n1388), Cisco ASA/FTD web services (CVE-2020-3452), and Zyxel firewalls/NAS (CVE-2023-\r\n28771, CVE-2024-29973). Many of these vulnerabilities allow pre-authentication remote code\r\nexecution (RCE) or authentication bypass via a single HTTP(S) request, enabling mass scanning\r\nand rapid exploitation. Common attack classes include command injection, deserialization of\r\nRCE, template injection, buffer overflows in VPN daemons, and path traversal flaws.\n\n13 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nICS CYBER KILL CHAIN\r\nAZURITE: Stage 1 \u0026 Stage\r\n2 Attacks\r\nATTACK PATH\r\nAZURITE Attack\r\nPath 1: SOHO Device\r\nCompromise to Achieve\r\nOT Access\n\n14 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nATTACK PATH\r\nAZURITE Attack Paths:\r\nVPN Access to OT\r\nEnvironment and\r\nEngineer Workstation\n\n15 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nInsights From Dragos Intelligence Fabric\r\n53 percent of Dragos Services assessments\r\nconducted included findings associated\r\nwith Internet connectivity or externally\r\nfacing issues. Severity rankings distributed:\r\nCritical – 20 percent, High – 31 percent,\r\nMedium – 34 percent, Low – 15 percent.\r\nThe industry breakdown of Internet or\r\nExternal facing issues: manufacturing\r\nis the leading contributing vertical at 29\r\npercent, oil and gas 26 percent, electric\r\nat 19 percent, Other – 26 percent.\r\nDRAGOS INTELLIGENCE DATA\r\nInternet Connectivity or\r\nExternal Facing Issues\n\n16 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nDefensive\r\nRecommendations\r\nand Mitigations\r\nCritical Control 01: ICS Incident Response Plan\r\n• AZURITE exploits internet-facing devices to access engineering workstations and\r\nexfiltrate OT operational data. 
ICS incident response plans should address scenarios\r\nwhere adversaries establish persistence through memory-resident web shells and\r\nconduct data staging from OT-adjacent assets.\r\n• Response procedures should include validation of engineering workstation integrity,\r\ninvestigation of anomalous outbound data transfers, and credential rotation following\r\nsuspected remote access compromise.\r\nCritical Control 02: Defensible Architecture\r\n• Implement segmentation between IT and OT networks. AZURITE has demonstrated\r\nthe capability to operate from compromised edge devices, pivot deeper into victim\r\nnetworks, and exfiltrate data from compromised assets.\r\n• If available, regularly use manufacturer-provided system integrity checking tools to\r\nidentify any non-standard or unplanned changes to the operating system.\r\nCritical Control 03: ICS Network Visibility and Monitoring\r\n• AZURITE uses Remote Desktop Protocol (RDP) to access Engineering Workstations\r\nusing compromised credentials.\r\n• AZURITE uses NPS, Cobalt Strike, Sliver, and other offensive security capabilities to\r\nconduct command and control with non-application layer protocols, especially SOCKS/\r\nSOCKS5 protocol. Conduct regular threat hunts and monitor for anomalous SOCKS/\r\nSOCKS5 protocol usage within both IT and OT environments, especially if network\r\nassets do not use this protocol during normal operations or function.\r\nCritical Control 04: Secure Remote Access\r\n• AZURITE targets remote access devices like Citrix, Cisco, Ivanti, Palo Alto Networks\r\nGlobal Protect, and Fortinet for exploitation to gain and maintain access to victim OT\r\nnetworks.\r\n• MFA - Ensure credential access for internet-facing devices is protected by MFA\r\nmethods. 
AZURITE utilizes compromised, reused, or adversary-created credentials to\r\naccess and persist in the network using valid accounts.\r\n• Log Checks - Regularly check logs on internet-facing devices for new user accounts,\r\nespecially ones that have elevated privileges. Also, examine the source IP of user\r\naccounts with elevated privileges that have successfully authenticated to identify\r\npotential adversary credential reuse or compromise.\r\n• Restart internet-facing network devices – Some web shells deployed by AZURITE are\r\nmemory resident but do not persist through device reboots.\r\nCritical Control 05: Risk-Based Vulnerability Management\r\n• Internet Facing Devices - ensure internet-facing devices, especially those that serve as\r\nVPN gateways or firewalls, are adequately patched for the latest security vulnerabilities\r\nas soon as possible.\r\n• Monitor threat intelligence - for adversary campaigns targeting the organization’s\r\ninternet-facing network devices, especially VPNs, firewalls, and web applications.\r\nAZURITE quickly implements publicly available proof of concept (POC) code into its\r\noperations, taking advantage of the lag time between POC availability and when most\r\norganizations have installed patches for the related vulnerability.\n\n17 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nINFOGRAPHIC\r\nHunting for AZURITE\r\nTips for Hunting: As part of threat hunting exercises, audit connections of valid sessions into the network via\r\ninternet-facing network devices such as VPN gateways and compare with baselines of normal\r\nusage. Investigate outliers in the number of sessions, IP addresses, user locations, bytes\r\ntransferred per session, access times, and any other properties of remote access sessions that\r\ncan be analyzed.\n\n18 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT\r\nSINCE 2017\r\nPy\r\nUPDATED FEBRUARY 2026\r\nPYROXENE\r\nNew Threat Group:\r\nICS IMPACT: Compromise of IT-to-OT pathways enabling lateral movement into industrial\r\nenvironments. Establishes footholds that support future operational disruption\r\nor targeted ICS manipulation.\r\nInfrastructure\r\n• Spoofed domains of legitimate entities\r\n• Azure and Cloudflare for C2\r\n• Compromised websites and email accounts\r\n• LIS for malware hosting\r\n• Bulletproof hosting providers\r\n• Controls privately owned VPSs and VPNs\r\nAdversary\r\n• Overlaps with APT35 cluster, associated with entities and operators sanctioned\r\nby US Government\r\n• Disruptive operations align with geopolitical tensions\r\n• Focus on strategic supply chain compromises\r\n• Employs misattribution tactics\r\nVictim\r\n• Confirmed critical infrastructure victims in United States, Europe, and Middle\r\nEast\r\n• Focus on transportation and logistics, defense, government, technology,\r\naerospace, and aviation\r\nCapabilities\r\n• Custom-developed malware and tooling\r\n• Obfuscates C2 using email, LIS, and Cloud hosting\r\n• Engages in long-term social engineering campaigns\r\n• Manages multiple campaigns concurrently\r\n• Strategic Website Compromises (SWC)\r\n• Creates destructive Wiper Malware\n\n19 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nAbout PYROXENE Dragos designated PYROXENE as an active threat group in 2025 after observing a sustained\r\nfocus on supply chain-leveraged attacks targeting defense, critical infrastructure, and industrial\r\nsectors, with operations expanding from the Middle East into North America and Western Europe\r\nsince 2023. 
Dragos observed PYROXENE activity aligning with Stage 2 Develop of the ICS\r\nCyber Kill Chain, including reconnaissance and assessment of pathways into OT environments.\r\nBetween 2024 and 2025, Dragos observed PYROXENE conducting multiple campaigns\r\ntargeting aviation, aerospace, defense, and maritime sectors across the United States, Western\r\nEurope, Israel, and the United Arab Emirates. In early 2025, Dragos identified an intrusion\r\ncollaboration between PYROXENE and PARISITE. Dragos assessed with high confidence that\r\nPARISITE functions as an initial access provider, handing off compromised access within\r\ncritical infrastructure networks to PYROXENE in early 2024. This access enabled PYROXENE to\r\nconduct internal network reconnaissance and establish pathways toward an OT environment.\r\nDragos assesses with low confidence PYROXENE intentionally pursued access to and surveyed\r\nan OT network for prepositioning and support of future effects operations, satisfying Stage\r\n2 Develop of the ICS Cyber Kill Chain. Collaboration with PARISITE, an initial access provider\r\nwith a demonstrated history of compromising critical infrastructure and conducting destructive\r\noperations, materially increases the likelihood that existing IT or OT-adjacent access could\r\nbe rapidly operationalized to cause loss of view, loss of control, or loss of availability in ICS\r\nenvironments. PYROXENE exhibits substantial technical overlap with activity tracked by the\r\nbroader threat activity commonly referred to as UNC1549. This activity is assessed by the U.S.\r\nGovernment to conduct espionage-driven operations aligned with the Islamic Revolutionary\r\nGuard Corps Cyber Electronic Command (IRGC-CEC) and has been subject to U.S. sanctions for\r\ntargeting U.S. critical infrastructure since at least 2017.\r\nDragos observed PYROXENE activity that leveraged recruitment-themed social engineering\r\nagainst targeted individuals. 
PYROXENE used extended interactions via fake social media\r\nprofiles prior to delivering tailored malware to establish stealth backdoors which leveraged a\r\nunique, victim-specific, Microsoft Azure-based command and control infrastructure.\r\nPYROXENE conducts extensive reconnaissance of trusted suppliers, contractors, and business\r\nrelationships to enumerate externally exposed systems, shared infrastructure, and human\r\naccess pathways, leveraged as indirect entry points into higher-value targets. Rather than\r\nconsistently targeting primary victims directly, the group focuses on weaknesses across the\r\nbroader ecosystem supporting critical operations, deliberately engaging lower-barrier entities as\r\naccess-enabling footholds.\n\n20 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nICS CYBER KILL CHAIN\r\nPYROXENE: Stage 1 \u0026\r\nStage 2 Attacks\r\nATTACK PATH\r\nPYROXENE Attack Path\n\n21 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nHaifa Bay Port\r\nWater-Hole Attacks\r\nCredential-Harvesting\r\nCampaigns\r\nEarly Signs of\r\nFuture OT Capability\r\nPositioning\r\nSince at least 2023, PYROXENE has compromised multiple public-facing websites of companies\r\nsupporting industrial-sector operations, including Utilities, Telecommunications, Technology,\r\nManufacturing, and Logistics, and has staged malicious fingerprinting JavaScript for visitor\r\ntracking. In October 2024, PYROXENE conducted watering-hole attacks against a local water\r\nutility company that manages the local water supply for the Haifa Bay Port on the coast of\r\nIsrael. 
Haifa Bay Port hosts several organizations of high strategic importance to Israel’s\r\nmaritime, industrial, and defense sectors, including Rafael Advanced Defense Systems, Haifa\r\nChemicals, Elbit Systems, the Haifa Naval Base, Bazan Group, and ZIM Shipping. These entities\r\nrepresent high-value targets for Iranian military and intelligence interests. Dragos has also\r\nobserved targeting of these organizations by TAT25-93, which has technical overlaps with\r\nCharming Kitten, and TAT25-12, as well as additional technical overlaps with Emennet Pasargad.\r\nStrategically positioned watering-hole activity targeting entities based in the Haifa Bay area\r\nare likely to support the identification and profiling of personnel associated with organizations\r\noperating in the region for potential subsequent targeting.\r\nSince 2024, PYROXENE has conducted credential-harvesting campaigns targeting industrial-sector organizations, using spoofed enterprise IT and remote-access login portals to capture\r\ncredentials and authentication tokens. PYROXENE has staged a credential-harvesting\r\ninfrastructure targeting European and defense and aerospace organizations. Stolen credentials\r\nenable initial access and lateral movement, increasing the likelihood that PYROXENE will\r\nprogress from IT compromise to OT networks via exposed pathways.\r\nIn June 2025, Dragos identified PYROXENE deploying wiper malware against multiple\r\nundisclosed organizations in Israel, occurring in immediate temporal proximity to the 12-\r\nday conflict between Iran and Israel. Dragos assesses with high confidence that this activity\r\nrepresented a geopolitically motivated effort to cause a severe impact on Israeli critical\r\ninfrastructure in direct response to the conflict, leveraging existing adversarial capabilities to\r\ndeliver destructive effects. Wiper malware targeting IT systems can have a severe downstream\r\nimpact on ICS operations. 
Destructive wiping of IT systems can render systems unbootable\r\nand disrupt operational dependencies, resulting in loss of availability. Even without direct PLC\r\ntargeting, the loss of supporting IT services can halt operations, delay recovery, and increase\r\nsafety risk across industrial environments. Dragos assesses with moderate confidence\r\nPYROXENE is actively positioning for future ICS-impacting operations by exploiting supply\r\nchains, trusted relationships, and IT–OT dependencies, creating a credible risk of disruption or\r\ndestruction even when OT networks are not directly targeted.\n\n22 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nDefensive\r\nRecommendations\r\nand Mitigations\r\nControl 01: ICS Incident Response Plan\r\n• PYROXENE conducts supply chain compromises to preposition attacks toward higher-value targets. ICS incident response plans should account for social engineering\r\ncampaigns characterized by prolonged engagement driven by impersonation tactics,\r\nand for access pathways between IT and OT through trusted third-party account\r\ncompromise.\r\nControl 02: Defensible Architecture\r\n• Strict IT/OT segmentation, tightly governed contractor, vendor, and supplier access,\r\nand continuous monitoring of trusted access paths are critical to preventing PYROXENE\r\nfrom leveraging prepositioned footholds from within IT environments to enable\r\ndownstream intrusions toward OT.\r\nControl 03: ICS Network Visibility and Monitoring\r\n• PYROXENE leverages native system utilities and living-off-the-land (LOTL) techniques\r\nto enumerate OT assets, services, and configurations following access through IT.\r\nResulting operational data may be staged for exfiltration, underscoring the need\r\nto monitor OT and IT environments for anomalous use of legitimate administrative\r\ntools, unexpected data staging, and abnormal outbound transfers 
that deviate from\r\nestablished operational baselines.\r\nControl 04: Secure Remote Access\r\n• PYROXENE operations have been facilitated by prior initial access gained by PARISITE,\r\nwhich routinely exploits exposed and unpatched remote access infrastructure,\r\nparticularly VPN appliances. Enforcing strong remote access controls, including timely\r\npatching of internet-facing services, MFA across all remote access pathways, and strict\r\ngovernance of VPN and third-party access, is critical to disrupting PARISITE-enabled\r\nintrusions that support PYROXENE’s follow-on operations.\r\nControl 05: Risk-Based Vulnerability Management\r\n• PYROXENE conducts reconnaissance and data acquisition within OT environments\r\nto enumerate assets and network architecture, enabling identification of potentially\r\nvulnerable systems and access pathways. A risk-based vulnerability management\r\nprogram should prioritize remediation of OT assets and pathways identified as high risk\r\nto reduce the likelihood that observed weaknesses are assessed, prepositioned against,\r\nor leveraged in future operations.\n\n23 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nINFOGRAPHIC\r\nHunting for PYROXENE\r\nTips for Hunting: As part of threat hunting exercises, audit third-party and contractor access patterns, particularly\r\nthose with privileged access to IT-OT boundary systems such as jump servers and historian\r\ndatabases. Monitor for stolen credentials and proof-of-concept exploits used to access exposed\r\nservices including Citrix, VMware, and Azure VDI environments. Investigate the deployment\r\nof reconnaissance tooling in Level 4 and Level 5 DMZ environments, focusing on internal\r\nenumeration of system architecture, identity-connected services (SOC, SIEM), and privileged\r\nuser accounts. 
Establish baselines for normal IT-OT boundary traffic and investigate anomalous\r\nproxy tunnels using RDP or SMB protocols between IT and OT-adjacent servers. Review cloud-based command and control infrastructure, particularly Azure domains, for signs of malicious\r\ntraffic being blended with legitimate enterprise activity to evade detection.\n\n24 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT\r\nSINCE 2023\r\nSy\r\nUPDATED FEBRUARY 2026\r\nSYLVANITE\r\nNew Threat Group:\r\nICS IMPACT: Large-scale initial access operations targeting industrial organizations. Enables\r\ncredential theft, VPN exploitation, and sustained access that can be leveraged\r\nfor follow-on ICS-focused campaigns.\r\nInfrastructure\r\n• Virtual Private Servers (VPS)\r\n• Small Office Home Office (SOHO) routers\r\n• Favors Vultr, Linode, Kaopu Cloud, Forewin Telecom Group, and BGP Network\r\nLtd providers\r\nAdversary\r\n• Multiple entities working under the same overarching direction\r\n• Assessed intent is initial access and credential theft that is passed to other\r\nthreat groups, including VOLTZITE\r\n• Overlaps with UNC5221, UNC5174, UNC5291, UNC3236, HOUKEN, Red Dev 61,\r\nCL-STA-0048, and UTA0178\r\nVictim\r\n• Electric Power Generation, Transmission \u0026 Distribution (2211), Water, Sewage\r\nand Other Systems (2213), Oil and Gas (2111), Manufacturing (31-33), Public\r\nAdministration (92)\r\n• North America, United Kingdom, Europe, France, Japan, South Korea, Guam,\r\nPhilippines, Saudi Arabia\r\nCapabilities\r\n• N-day and zero-day exploitation of internet-facing products from F5, Ivanti, SAP,\r\nConnectWise\r\n• Cobalt Strike C2, Sliver C2, Supershell C2, Fast Reverse Proxy (frp), Fscan,\r\nVshell backdoor\r\n• Godzilla, LIGHTWIRE, THINSPOOL, WIREFIRE\r\n• WARPWIRE, ZIPLINE, SNOWLIGHT, GOREVERSE, GOHEAVY\n\n25 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nAbout SYLVANITE SYLVANITE is an ICS Kill Chain Stage 1, initial access threat group that operates at scale,\r\noverlapping with multiple widespread campaigns designed to compromise internet-facing\r\nsystems. Dragos has previously observed SYLVANITE handing off initial access directly\r\nto VOLTZITE during intrusions. Because VOLTZITE has a history of stealing OT data and\r\nmanipulating OT systems, Dragos classifies it as a Stage 2 threat group. As a result,\r\nSYLVANITE’s initial access operations align with Stage 1 of the ICS Cyber Kill Chain. SYLVANITE\r\nactivity has been observed across multiple regions, including North America, Europe, the\r\nUnited Kingdom, France, Japan, South Korea, Guam, the Philippines, and Saudi Arabia.\r\nTargeted sectors include Electric Power Generation, Transmission, and Distribution; Water\r\nand Wastewater; Oil and Gas; Manufacturing; and Public Administration. According to the ICS\r\nCyber Kill Chain, SYLVANITE has not yet shown evidence of moving into OT networks; its\r\nfocus remains on collecting OT network information and operating procedures. This enables SYLVANITE\r\nto significantly enhance the ability of ICS-focused adversaries, such as VOLTZITE, to whom\r\nSYLVANITE has previously provided ICS victim footholds, to develop highly targeted and\r\nsophisticated ICS-capable malware. SYLVANITE’s observed use of Stage 1 capabilities leads\r\nDragos to assess SYLVANITE as a Stage 1 threat group. SYLVANITE shares technical overlaps\r\nwith UNC5221, UNC5174, UNC5291, UNC3236, HOUKEN, Red Dev 61, CL-STA-0048 and\r\nUTA0178. In 2025, Dragos directly observed SYLVANITE activity within the United States electric\r\nand water utility sector during an incident response.\r\nICS CYBER KILL CHAIN\r\nSYLVANITE: Stage 1\r\nAttacks\n\n26 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nATTACK PATH\r\nSYLVANITE Attack Path\r\nIvanti Endpoint\r\nManager Mobile\r\n(EPMM) Compromise\r\nSYLVANITE closely monitors exploit research and rapidly weaponizes it. If an active, public\r\nPOC exists and vulnerable assets are exposed on the internet, adversaries like SYLVANITE will\r\ntake advantage of them. In May 2025, Dragos responded to an incident in which an adversary\r\ncompromised an Ivanti Endpoint Manager Mobile (EPMM) instance of a United States utility\r\nby exploiting CVE-2025-4427 and CVE-2025-4428. Dragos designated the set of activities\r\nperpetrated by this adversary as TAT25-43, and additional analysis later confirmed that TAT25-\r\n43 was attributed to SYLVANITE. The Ivanti EPMM instance was located in the utility’s DMZ, and\r\nincident response procedures were initiated to determine whether the adversary had pivoted\r\ninto the organization’s adjacent OT networks from the compromised Ivanti EPMM server. Dragos\r\nobserved the adversary efficiently using Stage 1 capabilities within the DMZ; however, due to the\r\nlack of telemetry in adjacent networks, Dragos could not use network monitoring and visibility\r\nthat would have supported the detection of any Stage 2 activity. The absence of observed Stage 2 activity in this case therefore reflects a gap in visibility, not confirmation that no pivot into OT occurred. TAT25-43 rapidly enumerates\r\nand compromises Ivanti EPMM servers using an exploitation proof of concept shared on\r\nthe Internet before Ivanti issued a patch to remediate the vulnerability. Exploitation of Ivanti\r\nEPMM devices allows adversaries to establish a foothold in victim networks, steal personally\r\nidentifiable information (PII) and authentication tokens for connected LDAP users, and remotely\r\nmanage mobile devices. During the Ivanti EPMM campaign conducted by TAT25-43, SYLVANITE\r\naccessed the backend MySQL database using hardcoded credentials stored in /mi/files/system/.mifpp. 
They then executed mysqldump to extract tables such as mi_user, mifs_ldap_users, and\r\nmifs_ldap_server_config, which contained LDAP user details and Office 365 tokens. These\r\ncredentials were replayed across other internal systems, enabling lateral movement without\r\ntriggering alerts associated with account creation or password spraying. Responders to an EPMM compromise should therefore treat every credential and token held in the EPMM database as exposed: rotate the LDAP bind and service accounts it stores, revoke the affected Office 365 tokens, and hunt for reuse of those identities rather than waiting for authentication alerts that this technique does not generate.\r\nOnce inside, SYLVANITE utilizes tunnelling and proxy tools to maintain connectivity and\r\npivot deeper into the network. Tools like Fast Reverse Proxy (FRP) and GoHeavy establish\r\ncovert channels, while GoReverse provides SSH-based reverse shells for remote access.\r\nThese methods enable SYLVANITE to bypass traditional egress points and move laterally\r\nwithout relying solely on standard remote administration protocols. SYLVANITE also deploys\r\nreconnaissance utilities such as fscan to map internal network services and identify exploitable\r\nsystems. This scanning phase enables the identification of targets for credential reuse and\n\n27 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nsubsequent exploitation. In Windows environments, SYLVANITE leverages built-in remote\r\nexecution mechanisms, including PsExec, WMIExec, and SMBExec, as well as WinRM (TCP\r\nports 5985/5986), to execute commands remotely and propagate laterally. These techniques\r\nalign with MITRE ATT\u0026CK tactics for lateral movement and are often combined with LOTL\r\napproaches to minimize detection.\r\nOnce inside a victim network, SYLVANITE establishes multiple command-and-control\r\nand persistence mechanisms within exploited devices and passes control to other threat\r\ngroups, including VOLTZITE. This approach positions SYLVANITE as a significant risk to OT\r\nenvironments, where exploitation can have severe safety and operational impacts. 
Dragos\r\nassesses with moderate confidence that SYLVANITE consists of multiple entities contracted by\r\nvarious upstream threat groups under a common alignment, including those with ICS-disruptive\r\ncapabilities, to exploit emerging, novel initial access techniques and steal credentials, enabling\r\nlong-term persistence in victim networks. SYLVANITE utilizes adversary-controlled or rented\r\ninfrastructure, such as VPS and compromised SOHO routers. SYLVANITE favors ISPs and cloud\r\nservices such as Vultr, Linode, Kaopu Cloud, Forewin Telecom Group, and BGP Network Ltd.\r\nDragos assesses with moderate confidence that SYLVANITE is primarily an initial access group\r\nfocused on espionage and data harvesting to inform and provide access to more ICS-capable\r\nadversaries, as evidenced by SYLVANITE previously handing over access points to VOLTZITE.\r\nA Series of\r\nExploitation\r\nCampaigns\r\nIn December 2023, SYLVANITE exploited Ivanti Connect Secure VPN vulnerabilities (CVE-2023-\r\n46805, CVE-2024-21887), deploying web shells such as GLASSTOKEN, disabling logging,\r\nand modifying appliance components to evade integrity checks. They also altered JavaScript\r\nfiles to capture credentials and embedded backdoors for persistent command-and-control\r\ncommunication. 
Later campaigns included F5 BIG-IP (CVE-2023-46747) and ConnectWise\r\nScreenConnect (CVE-2024-1709), where custom tooling and the Supershell C2 framework were\r\nused to establish access.\r\nIn April 2025, SYLVANITE exploited a SAP NetWeaver zero-day vulnerability (CVE-2025-\r\n31324), deploying the KrustyLoader malware loader to deliver Sliver C2 and the SNOWLIGHT\r\nmalware downloader, followed by the VSHELL Remote Access Trojan (RAT) for remote access.\r\nMost recently, Ivanti EPMM vulnerabilities (CVE-2025-4427, CVE-2025-4428) were exploited\r\nusing Java Reflection payloads embedded in HTTP GET requests, resulting in the creation\r\nof interactive shells linked to SYLVANITE-controlled infrastructure. SYLVANITE achieves\r\npersistence through the deployment of advanced web shells, such as Godzilla, LIGHTWIRE,\r\nand WIREFIRE, which are often memory-resident and deeply integrated into application\r\nframeworks like Apache Tomcat, thereby more likely to evade detection. Credential harvesting\r\nis a core tactic employed by SYLVANITE. SYLVANITE extracts data from backend databases on\r\ncompromised devices, including Lightweight Directory Access Protocol (LDAP) information and\r\nOffice 365 tokens, enabling lateral movement.\n\n28 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nPositioning for\r\nFuture Disruptive\r\nAttacks\r\nSYLVANITE’s established initial access points could be leveraged for future disruptive\r\noperations that may directly or indirectly affect OT networks. In environments where IT and OT\r\nnetworks lack proper segmentation, compromising the IT network could allow adversaries to\r\npivot into OT systems with minimal difficulty. These intrusions could disrupt critical processes\r\nin OT environments if access is handed over to Stage 2 threat groups, as SYLVANITE has\r\npreviously demonstrated. 
SYLVANITE’s initial access activities involve port scanning across\r\nIT and OT networks. Port scanning can unintentionally impact OT networks by reducing asset\r\navailability. Many OT devices are not designed to handle sudden surges in network traffic and\r\nmay become unresponsive or enter a degraded state. This can lead to an unintended denial-of-service condition, potentially triggering cascading failures that disrupt operational continuity.\r\nSYLVANITE exfiltrates sensitive operating data and user credentials. Data exfiltrated from victim\r\nnetworks, especially OT network information or operating procedures, significantly enhances\r\nthe ability of an upstream ICS-focused adversary, such as VOLTZITE, which SYLVANITE has\r\ndemonstrated working collaboratively with in previous intrusions, to develop highly targeted and\r\nsophisticated ICS-capable malware.\r\nIn short, SYLVANITE lowers the barrier for ICS-focused adversaries to achieve their objectives,\r\nmaking timely patching, segmentation, and monitoring of internet-facing assets essential for\r\nICS asset owners. Asset owners should harden and monitor internet-facing devices, because\r\nSYLVANITE’s entire tradecraft revolves around exploiting these systems before patches are\r\nwidely applied.\n\n29 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nInsights From Dragos Intelligence Fabric\r\n• 73 percent of Dragos IR cases (all time)\r\nincluded active exploitation or valid\r\ncredential reuse of VPN/jumphosts.\r\n• 56 percent of Dragos Network\r\nPenetration Tests conducted included\r\nfindings associated with abusing\r\nLOTL tools, such as WinRM. 
WinRM\r\nis routinely leveraged by Dragos Red\r\nTeam in ICS DMZs to enable Domain\r\nController access and lateral movement.\r\n• 10 percent of Dragos Network\r\nPenetration Tests conducted\r\nincluded findings associated with\r\nthe abuse of Insecure Protocols,\r\nsuch as LDAP without signing or TLS, enabling further escalation of\r\nprivileges and lateral movement.\r\n• 58 percent of Dragos Architecture\r\nReviews conducted included\r\nfindings associated with the use of\r\nInsecure Protocols, such as LDAP without signing or TLS.\n\n30 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nDefensive\r\nRecommendations\r\nand Mitigations\r\nControl 01: ICS Incident Response Plan\r\n• SYLVANITE exploits network edge devices to move deeper into victim networks and\r\nthen hands over access to ICS-capable threat groups. ICS incident response plans\r\nshould address scenarios in which an adversary exploits an emerging vulnerability in\r\ninternet-facing network devices and then establishes multiple long-term persistence\r\nmechanisms.\r\nControl 02: Defensible Architecture\r\n• Strict IT/OT segmentation and monitoring of network edge devices, and continuous\r\nmonitoring of trusted access paths are critical to preventing SYLVANITE from leveraging\r\nfootholds from within IT environments to enable downstream intrusions toward OT. The\r\nuse of jump hosts between IT and OT networks, as well as strong MFA implementation,\r\nis vital for mitigating SYLVANITE intrusions. Note that MFA does not stop the replay of session tokens already harvested from a compromised edge device (as in the EPMM case), so it must be paired with token revocation and credential rotation after any edge-device compromise.\r\nControl 03: ICS Network Visibility and Monitoring\r\n• SYLVANITE leverages native system utilities and LOTL techniques to enumerate assets,\r\nservices, and configurations across IT networks. 
Resulting data may be staged for\r\nexfiltration, underscoring the need to monitor OT and IT environments for anomalous\r\nuse of legitimate administrative tools, unexpected data staging, and abnormal outbound\r\ntransfers that deviate from established operational baselines.\r\nControl 04: Secure Remote Access\r\n• SYLVANITE operations routinely exploit exposed and unpatched remote access\r\ninfrastructure, particularly VPN appliances. Enforcing strong remote access controls,\r\nincluding timely patching of internet-facing services, MFA across all remote access\r\npathways, and strict governance of VPN and third-party access, is critical to disrupting\r\nSYLVANITE-enabled intrusions that may support VOLTZITE’s follow-on operations.\r\nControl 05: Risk-Based Vulnerability Management\r\n• SYLVANITE conducts exploitation efforts against internet-facing remote gateways. A\r\nrisk-based vulnerability management program should prioritize remediation of assets\r\nand pathways identified as high risk to reduce the likelihood that observed weaknesses\r\nare assessed, prepositioned against, or leveraged in future operations.\n\n31 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nINFOGRAPHIC\r\nHunting for SYLVANITE \u0026\r\nVOLTZITE\r\nTips for Hunting: As part of threat hunting exercises, audit connections of valid sessions into the network via\r\ninternet-facing network devices such as VPN gateways and edge devices, and compare with\r\nbaselines of normal usage. Investigate outliers in the number of sessions, IP addresses, user\r\nlocations, bytes transferred per session, access times, and any other properties of remote\r\naccess sessions that can be analyzed. Monitor for lateral movement from compromised edge\r\ndevices to GIS servers, Engineering Workstations (EWS), and historian databases within Level 3\r\nand Level 4 environments. 
Establish baselines for normal industrial software behavior on EWS\r\nand investigate anomalous manipulation attempts that could enable VOLTZITE to extract Level\r\n2 data from OT networks, including SCADA systems, HMI interfaces, and host log collectors.\r\nReview bidirectional command and control communications to VOLTZITE or SYLVANITE C2\r\nservers, particularly focusing on traffic patterns between Level 3.5 DMZ jump servers and\r\nexternal infrastructure that may indicate handoff activities between the two threat groups.\n\n32 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nAdvancing Toward\r\nOT: Active Threat\r\nGroup Operations\r\n02.\r\nWhile new groups emerged in 2025, established\r\nadversaries demonstrated that operational experience\r\nmatters—and that years of access-building in one region\r\ncan rapidly translate to disruptive capability in another.\r\nKAMACITE and ELECTRUM, responsible for Ukraine’s\r\n2015 and 2016 power outages, are the most experienced\r\ninfrastructure-disrupting adversaries in the world.\r\nAfter years focused exclusively on Ukrainian targets,\r\nthey expanded operations back into Europe and the\r\nUnited States in 2025. VOLTZITE achieved Stage 2\r\ncapability by moving beyond data exfiltration to direct\r\nmanipulation of engineering workstations. BAUXITE\r\nescalated from hacktivist defacements to deploying\r\ncustom wiper malware during regional conflicts.\n\n33 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nKAMACITE\r\n\u0026\r\nELECTRUM\r\nThreat Group Update:\r\nSINCE 2014\r\nKa\r\nSINCE 2016\r\nEl\n\n34 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nInsights From Dragos Intelligence Fabric\r\n• In late December 2025, a coordinated\r\ncyberattack against Polish energy infrastructure\r\noccurred, which included combined heat\r\nand power (CHP) facilities and systems\r\nsupporting renewable energy generation\r\nmanagement. Public statements from\r\nPolish authorities indicated the activity was\r\nassessed as originating from actors linked\r\nto Russian state services and that defensive\r\nmeasures prevented any disruption to\r\nnational power delivery or grid stability.\r\n• While no customer-facing outages were\r\nreported, the targeting demonstrates continued\r\nadversary focus on operational environments\r\nthat directly support power generation, grid\r\ncoordination, and regional energy stability.\r\n• Dragos has been tracking this activity through\r\na combination of incident response, internal\r\nanalysis, and sensitive source reporting,\r\nthough specific technical details cannot be\r\ndisclosed at this time due to source handling\r\nconstraints. Available information indicates\r\nthat the activity included deliberate attempts\r\nto directly impact operational assets rather\r\nthan remaining confined to enterprise\r\nreconnaissance or access operations.\r\n• Dragos assesses with moderate confidence that\r\nthe activity reflects tradecraft and operational\r\nobjectives consistent with the ELECTRUM threat\r\ngroup. This assessment remains preliminary\r\nand subject to refinement as additional\r\ninformation becomes available. 
Dragos is also\r\naware that national cybersecurity authorities\r\nhave been proactively engaging with energy-sector organizations to provide restricted\r\ntechnical information related to this activity.\r\n• CHP facilities and renewable energy aggregation\r\nplatforms represent operationally meaningful\r\nleverage points within modern energy systems.\r\nCHP plants provide localized thermal and\r\nelectrical stability for municipal or industrial\r\ncustomers, while renewable management\r\nsystems increasingly coordinate dispatch,\r\ncurtailment, telemetry, and grid balancing\r\nfunctions across geographically distributed\r\nassets. Disruption or manipulation of these\r\nsystems, even if localized, can introduce\r\ncascading operational complexity, operator\r\nworkload stress, and recovery challenges,\r\nparticularly during seasonal demand peaks.\n\n35 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nNotable Timing of\r\nActivity\r\nThe attacks occurred approximately six days after the 10th anniversary of the December 2015\r\ncyber-induced power outage in Ukraine, widely regarded as the first publicly confirmed cyber\r\noperation to successfully disrupt electric power operations, endangering civilian infrastructure\r\nand life in the middle of Eastern European winter. That activity was subsequently attributed by\r\nmultiple governments to the same Russian threat ecosystem now associated with ELECTRUM,\r\nwhich has technical overlaps with Sandworm, which the U.S. government has attributed to the\r\nRussian General Staff Main Intelligence Directorate’s (GRU’s) Main Centre for Special\r\nTechnologies (GTsST). 
While anniversaries alone should not be over-weighted as causal\r\nindicators, Russian cyber operations have historically demonstrated sensitivity to symbolic\r\ntiming, messaging value, and operational signaling during periods of geopolitical tension.\r\nThe proximity of this activity to a milestone in the evolution of cyber-enabled infrastructure\r\ndisruption reinforces the strategic context for assessing it. Over the past year, both KAMACITE\r\nand ELECTRUM have executed destructive attacks against ISPs in Ukraine and widespread,\r\npersistent scanning of exposed industrial devices in the United States, signaling a significant\r\nand potentially alarming shift in targeting from recent years.\r\nICS CYBER KILL CHAIN\r\nELECTRUM: Stage 1 \u0026\r\nStage 2 Attacks\n\n36 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nATTACK PATH\r\nKAMACITE Attack Path\r\nExpansion of\r\nKAMACITE Targeting\r\nAcross the ICS\r\nSupply Chain\r\nBeginning in late 2024 and extending into early 2025, Dragos observed a significant escalation\r\nin KAMACITE activity targeting organizations across the European OT/ICS supply chain, a\r\ndeparture from prior years, when the group largely focused on Ukrainian critical infrastructure\r\nand government entities. This shift became clearer following a February 2025 CERT-UA report\r\non threat activity designated UAC-0212, which detailed a multi-stage campaign impacting\r\nenergy, water, and heating organizations across ten Ukrainian regions and more than 20 firms\r\nsupporting industrial operations. Dragos had previously observed portions of this campaign in\r\nthe Dragos Intelligence Fabric, where KAMACITE had specifically targeted attendees of the Gas\r\nInfrastructure Europe (GIE) conference hosted in Munich, Germany. 
CERT-UA also identified\r\nattempts to compromise at least 25 Ukrainian companies involved in developing or supplying\r\nindustrial process control technologies widely deployed across Ukraine. Dragos assesses,\r\nwith moderate confidence, that UAC-0212 represents the same activity tracked as KAMACITE,\r\nsupported by extensive 1:1 technical overlap across infrastructure, malware, and targeting\r\npatterns that Dragos observed KAMACITE execute in late 2024. CERT-UA’s findings confirmed\r\nthat KAMACITE’s spear-phishing activity against attendees of the 2024 GIE conference, which\r\nDragos initially assessed as a standalone campaign, was likely part of a broader and more\r\nambitious effort to exploit trusted relationships across the European industrial ecosystem.\r\nDragos’ analysis indicates the campaign continued at least through March 2025, after which\r\nKAMACITE likely abandoned the infrastructure dedicated to the campaign.\n\n37 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nConsistent Tactics,\r\nBut Expanded\r\nOperational Scale\r\nWhy This Campaign\r\nMatters\r\nU.S. Reconnaissance\r\nCampaign (March–\r\nJuly 2025):\r\nExpansion into\r\nDirect ICS Target\r\nMapping in the U.S.\r\nStarting in late 2024 and extending through early 2025, the scope and ambition of KAMACITE’s\r\naccess-building efforts changed. Rather than focusing only on direct critical-infrastructure\r\noperators, the group expanded upstream, attempting to compromise suppliers, integrators,\r\nand vendors whose technologies shape Ukraine’s industrial environment. This represents\r\na meaningful evolution, not in techniques, but in operational design and campaign intent.\r\nDragos’s analysis indicates that the campaign did not introduce radically new tactics. 
Instead, it\r\nshowcased KAMACITE’s ability to apply its well-established playbook at a much larger scale and\r\nacross a wider range of victims than previously observed.\r\nKey elements included:\r\n• Highly tailored spear-phishing to compromise engineering, operations, and vendor\r\npersonnel.\r\n• Long-term, multi-day conversations with key personnel at targeted organizations in\r\nnative language using industry-specific terms.\r\n• Infrastructure use patterns consistent with historic campaigns.\r\nKAMACITE’s upstream supply chain focus represents a meaningful risk to industrial defenders.\r\nBy compromising vendors and integrators rather than only operators, the group increases:\r\n• Its potential reach across entire sectors,\r\n• Its ability to pre-position access deep in trusted relationships, and\r\n• The potential future workload of ELECTRUM, should destructive or ICS-specific\r\noperations be initiated.\r\nDragos assesses with high confidence that KAMACITE’s core mission remains unchanged: to\r\nprovide ELECTRUM with persistent access to high-value industrial targets. The supply chain\r\n2024–2025 campaign demonstrates that the group can conduct long-duration, multi-vector\r\naccess operations against entire industrial ecosystems, not just single organizations.\r\nShortly after concluding its 2024–2025 supply-chain campaign in Europe, KAMACITE shifted\r\nto a new phase of activity: sustained, infrastructure-linked reconnaissance against internet-exposed industrial devices located exclusively within the United States. Dragos analysis of\r\ninternet telemetry indicated this activity began as early as March 2025 and continued through\r\nlate July 2025. While Dragos found no evidence of successful exploitation during this period, the\r\nscope and precision of the scanning reveal a meaningful evolution in KAMACITE’s operational\r\nposture. 
While the European campaign was designed to infiltrate trusted vendors and upstream\r\nservice providers, this activity directly probed U.S.-based edge-exposed ICS assets, including\r\nSchneider Electric Altivar variable-frequency drives, Smart HMIs, Accuenergy AXM modules,\r\nand Sierra Wireless Airlink gateways. These technologies underpin routine industrial operations\r\nacross a variety of industrial sectors, including Water and Wastewater, Manufacturing, Energy,\r\nand Building Automation, making them attractive as pivot points, disruption targets, or sources\r\nof process intelligence.\n\n38 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nFrom Access-Building to Control-Loop Mapping\r\nThe key development is not the act of scanning itself; multiple adversaries routinely search for\r\nexposed ICS equipment, but the specific selection of components and the sequencing of the\r\nreconnaissance.\r\nAcross the four-month period, KAMACITE appeared to:\r\n• Enumerate operator interfaces (Smart HMIs)\r\n• Identify actuators capable of directly influencing physical processes (Altivar variable\r\nfrequency drives (VFDs))\r\n• Map metering and process-visibility points (Accuenergy AXM modules)\r\n• Target remote-access gateways that bridge ICS assets back to corporate or vendor\r\nnetworks (Sierra Wireless Airlink)\r\nTaken together, the scanning pattern suggests an intent to understand entire control loops rather\r\nthan isolated devices. By correlating HMIs, VFDs, meters, and gateways, an adversary can build\r\na detailed operational view of exposed industrial environments, including where commands\r\noriginate, how they propagate, and where physical effects could be induced. This marks a\r\nsubtle but significant shift from prior KAMACITE activity. 
Rather than building access through\r\ntrusted corporate chains (as in the European campaign), KAMACITE appears to have spent\r\nseveral months in mid-2025 constructing targeted intelligence at the edge of U.S. operational\r\nenvironments, where security practices remain uneven, and internet exposure is common.\r\nThe campaign introduced several concerning signals:\r\n• A rapid pivot to U.S. ICS exposure immediately after retiring European campaign\r\ninfrastructure. The timing suggests reconnaissance was not opportunistic. It followed\r\ndirectly on the heels of KAMACITE’s access-building efforts in Europe, indicating a\r\npotential new phase of targeting rather than a one-off exploratory effort.\r\n• A focus on components with known security debt and broad deployment. Schneider\r\nElectric Altivar VFDs were included in a CISA advisory (CVE-2025-7746) in September\r\n2025.\r\n• While Dragos cannot confirm the scanning was vulnerability-driven, the prevalence\r\nof Altivar devices in U.S. critical manufacturing underscores why they may attract\r\nadversary attention.\r\n• Targeting industrial cellular gateways mirrors past disruptive incidents. Sierra Wireless\r\nAirLink devices have previously been compromised to enable lateral movement into\r\nICS environments, including by Dragos-tracked threat group VOLTZITE in 2025. Their\r\npresence in this scanning sequence is notable: these gateways often sit at unmonitored\r\nOT edges and provide direct ingress into isolated field assets.\r\nThe scanning mirrored known real-world disruptions caused by other adversaries abusing\r\nexposed devices. The tactic aligns with historical campaigns such as the targeting of exposed\r\nUnitronics PLCs (BAUXITE) and poorly secured HMIs (TAT24-22; shares technical overlaps\r\nwith CyberArmyofRussia_Reborn), both of which led to tangible operational consequences\r\nin some cases, including water-system outages and unauthorized parameter changes at U.S.\r\nwater facilities. 
While KAMACITE’s campaigns across Europe and the U.S. dominated much of\r\nthe first half of 2025, Dragos continued to observe ELECTRUM conducting destructive cyber\r\noperations in Ukraine, reinforcing that KAMACITE’s access-building is not an abstract concern\r\nbut a prerequisite for real-world impact. Every ELECTRUM operation observed in 2025 required\r\na foothold inside targeted networks, and Dragos assesses with moderate confidence that\r\nKAMACITE facilitated at least part of the initial access used in these incidents.\n\n39 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nWhat Defenders\r\nShould Infer\r\nELECTRUM Activity\r\nin 2025: Destructive\r\nOperations\r\nUnderscore Why\r\nKAMACITE’s Access\r\nMatters\r\nJune 2025:\r\nIdentification of New\r\nDestructive Malware\r\n(PathWiper)\r\nThe scanning activity demonstrates that KAMACITE is now willing to:\r\n• Conduct broad-spectrum reconnaissance across the U.S. industrial footprint,\r\n• Integrate infrastructure knowledge into the development of initial access methods to\r\nsupport ELECTRUM’s operations, and\r\n• Explore direct OT-edge entry points, rather than focusing on enterprise or supply-chain\r\ncompromise.\r\nThis expansion increases the likelihood that future destructive or disruptive campaigns could\r\ndraw on previously identified exposed U.S. operational environments, control-loop layouts,\r\ndevice capabilities, and exposed ingress routes. These insights reinforce the view that internet-exposed ICS devices are not merely “low-hanging fruit” but continue to be strategically\r\nmeaningful reconnaissance targets.\r\nIn late May 2025, ELECTRUM conducted a coordinated destructive operation targeting eight\r\nUkrainian ISPs. 
As in previous incidents, ELECTRUM obfuscated its involvement by operating\r\nthrough the hacktivist persona Solntsepek (tracked by Dragos as TAT25-41), a pro-Russian\r\nhacktivist persona typically associated with doxing but repeatedly co-opted as a deniable front\r\nfor ELECTRUM campaigns. On 26 May 2025, Solntsepek claimed responsibility for disruptions\r\nat Interlink, ActiveNet, Svit-Net LLC, Palvi Telecom, NPO Orikhiv, ISP Aries, Corbina, and D-Lan.\r\nDragos independently verified outages affecting several of these ISPs, including a four-hour\r\ndisruption to Corbina’s autonomous system, as shown in historical internet telemetry. This\r\nrepresents the third observed instance of ELECTRUM pairing destructive operations with the\r\nSolntsepek persona to mask attribution. The targeting focus, ISPs supporting Ukrainian call\r\ncenters and communications infrastructure, aligns with ELECTRUM’s long-standing pattern of\r\ndegrading civilian and military coordination capacity during periods of elevated conflict intensity.\r\nIn parallel with the ISP attacks, Cisco Talos identified PathWiper, which Dragos has previously\r\nlinked to ELECTRUM with moderate confidence. PathWiper appeared in the wild beginning\r\nMarch 2025 and was submitted independently by several Ukrainian entities to online malware\r\nrepositories over the following week, suggesting multiple victim environments.\r\nTechnical analysis indicates PathWiper:\r\n• Overwrites critical filesystem structures (MBR, NTFS metadata)\r\n• Enumerates mounted volumes systematically\r\n• Targets all accessible storage media to inflict irreversible data loss\r\n• Reflects a more deliberate, volume-aware methodology than HermeticWiper.\r\nWhile still under active assessment, the malware’s destructive purpose, code lineage indicators,\r\nand timing relative to the ISP incident align with known ELECTRUM tradecraft. 
Dragos assesses\r\nwith low confidence that PathWiper may have been deployed as part of a broader, still-unmapped\r\ncampaign across Ukrainian critical infrastructure. Dragos also identified another destructive\r\nwiper variant in December 2025, reinforcing that ELECTRUM continues to iterate, refine, and\r\nexpand its destructive toolkit. The discovery confirms that ELECTRUM’s development pipeline\r\nremains active, and its destructive capability set continues to evolve.\n\n40 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nINFOGRAPHIC\r\nTimeline of ELECTRUM\r\nWiper Capabilities\r\nThe ISP attacks, the emergence of PathWiper, and the December 2025 destructive malware\r\ndiscovery collectively demonstrate that ELECTRUM remains one of the most aggressive and\r\ncapable OT/ICS-adjacent threat actors in the world. Even when targeting IT infrastructure,\r\nELECTRUM’s destructive malware often affects organizations that provide critical operational\r\nservices, telecommunications, logistics, and infrastructure support, blurring the traditional\r\nboundary between IT and OT. KAMACITE’s continuous reconnaissance and access-development directly enable ELECTRUM’s destructive operations. These activities are neither\r\ntheoretical nor preparatory; they are part of active campaigns culminating in real-world outages,\r\ndata destruction, and coordinated destabilization campaigns.\n\n41 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nDefensive\r\nRecommendations\r\nand Mitigations\r\nControl 01: ICS Incident Response Plan\r\n• ELECTRUM’s activity targeting Polish energy infrastructure again demonstrated\r\nadversary willingness to directly engage operational environments supporting power\r\ngeneration, grid coordination, and energy aggregation. 
ELECTRUM made deliberate\r\nattempts to affect operational assets rather than remaining confined to reconnaissance\r\nor access validation, reinforcing that future incidents may involve loss of view, degraded\r\ndevice integrity, unexpected control behavior, or loss of confidence in operational\r\ntelemetry rather than clean system outages alone.\r\n• ICS incident response plans should explicitly address how organizations will operate\r\nwhen the integrity of field devices, control logic, or command pathways cannot\r\nbe assumed. Plans should define decision authority and escalation thresholds for\r\ntransitioning from automated or remote control to local or manual operations, isolating\r\naffected control segments, validating sensor accuracy, and maintaining safe operating\r\nstates while investigations are underway.\r\n• Tabletop exercises (TTXs) should be used to identify the specific operational and\r\ncybersecurity questions that must be answered during a suspected OT-impacting\r\nincident, such as whether unauthorized control commands were issued, where those\r\ncommands originated, which assets were affected, and whether current telemetry can\r\nbe trusted, and ensure the data required to answer those questions is collected and\r\nretained ahead of time. This includes defining requirements for OT command logging,\r\nnetwork traffic visibility across IT–OT boundaries, remote access audit trails, and\r\ntelemetry that can support rapid reconstruction of events during response.\r\n• Response playbooks should integrate engineering, operations, safety, and cybersecurity\r\nfunctions to ensure coordinated actions prioritize physical safety, process stability, and\r\ncontrolled recovery over rapid restoration of connectivity. Procedures should include\r\nvalidation of controller and protection logic state prior to re-energization, staged\r\nrestoration of automation, and clear criteria for returning systems to normal operation\r\nfollowing suspected manipulation. 
Organizations supporting generation, dispatch, or\r\naggregation functions should regularly exercise these scenarios to ensure personnel are\r\nprepared to manage operational disruption, not solely IT service degradation.\r\nControl 02: Defensible Architecture\r\n• KAMACITE’s expansion into upstream supply-chain compromise and its subsequent\r\nreconnaissance of exposed OT edge assets highlight the need for defensible\r\narchitectures that eliminate implicit trust and constrain adversary movement toward\r\noperational systems. ELECTRUM’s demonstrated interest in operational leverage points,\r\nincluding CHP facilities and renewable management platforms, further elevates the\r\nimportance of strong architectural separation between enterprise environments, vendor\r\naccess zones, and control networks.\r\n• Strict IT/OT segmentation, tightly governed vendor access, and explicit allow-listing\r\nof communication pathways are critical to preventing prepositioned access from\r\npropagating into environments where operational disruption could be attempted. Field\r\ndevices, gateways, HMIs, and telemetry infrastructure should not be directly exposed\r\nto the internet. Where remote connectivity is operationally necessary, access should\r\nterminate in monitored DMZs with controlled routing and inspection before reaching\r\ncontrol systems.\r\n• Architectural reviews should explicitly evaluate whether remote access pathways,\r\ncellular gateways, or vendor-maintained systems bypass segmentation controls\n\n42 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nor introduce unintended trust relationships that could enable rapid escalation from\r\nreconnaissance to operational impact.\r\nControl 03: ICS Network Visibility and Monitoring\r\n• Observed KAMACITE scanning activity between March and July 2025 indicates\r\ndeliberate attempts at mapping of control loops, device roles, and ingress pathways\r\nrather than indiscriminate discovery. This type of reconnaissance enables adversaries\r\nto understand where commands originate, how they propagate, and where physical\r\neffects could be induced, a prerequisite for operational manipulation observed in recent\r\nELECTRUM activity.\r\n• Visibility programs should prioritize detection of reconnaissance behaviors against\r\nOT assets, including abnormal enumeration of HMIs, drives, controllers, meters, and\r\nindustrial gateways, as well as unexpected inbound traffic originating from external\r\nnetworks or vendor access points. Monitoring should extend across IT–OT boundaries\r\nto correlate external scanning, vendor authentication events, configuration changes,\r\nand deviations from established OT traffic baselines.\r\n• Telemetry capable of identifying abnormal protocol usage, repeated connection\r\nattempts, unauthorized service exposure, and unusual data flows is critical for detecting\r\nearly-stage adversary positioning before access transitions into attempted disruption\r\nof operational workflows or control systems. 
Visibility capabilities should be designed\r\nnot only to detect anomalous activity, but to preserve the forensic and operational data\r\nrequired to answer time-critical incident response questions identified through ICS\r\ntabletop exercises, including command provenance, asset interaction sequencing, and\r\nchanges to operational state.\r\nControl 04: Secure Remote Access\r\n• Both KAMACITE and ELECTRUM’s operations through 2025 demonstrate that both\r\ntrusted relationships and internet-exposed OT edge assets are viable access pathways.\r\nELECTRUM’s recent activity confirms that once access is established, adversaries\r\nmay attempt to directly affect operational assets rather than remaining confined to\r\nreconnaissance or staging.\r\n• All remote access pathways, including vendor connections, VPN infrastructure, cellular\r\ngateways, and remote management services, should enforce strong authentication,\r\nmulti-factor controls, and least-privilege access policies. Internet-facing services\r\nshould be minimized wherever feasible and continuously assessed for unauthorized\r\nexposure or misconfiguration.\r\n• Organizations should ensure remote access infrastructure is monitored, patched,\r\nand included in vulnerability management programs, recognizing that compromise\r\nof gateways or VPN appliances can provide direct ingress into OT environments that\r\nsupport power generation, dispatch, or grid coordination functions. Vendor access\r\nshould be tightly governed, time-bound, logged, and routinely reviewed to prevent\r\npersistent footholds from being leveraged for operational activity.\r\nControl 05: Risk-Based Vulnerability Management\r\n• The targeted selection by KAMACITE of widely deployed industrial components and\r\ndevices, some with known security debt, demonstrates how adversaries prioritize\r\nvulnerabilities that provide scale, operational leverage, and access into control\n\n43 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nenvironments. Recent attempts by ELECTRUM to affect operational assets reinforce that\r\nexposure of vulnerable devices is no longer a theoretical risk but a potential enabler of\r\nreal-world operational disruption.\r\n• Risk-based vulnerability management programs should prioritize remediation of\r\nexternally reachable field devices, remote access infrastructure, and systems that\r\ndirectly influence physical processes or bridge enterprise and OT networks. Asset\r\ninventories should explicitly track internet-exposed devices, cellular gateways, remote\r\nmanagement interfaces, and vendor-managed systems.\r\n• Vulnerability prioritization should incorporate exploitability, exposure, operational\r\nconsequence, and observed adversary targeting patterns rather than relying solely on\r\nseverity scoring. Remediation planning should focus on eliminating externally reachable\r\nattack surfaces and reducing the feasibility of control-loop mapping, unauthorized\r\naccess, and downstream operational manipulation.\n\n44 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nSINCE 2023\r\nVz VOLTZITE\r\nThreat Group Update:\n\n45 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nAbout VOLTZITE As seen in last year’s coverage of VOLTZITE, it maintains a dedicated focus on OT data, with\r\na history of OT network intrusions and heavy usage of LOTL techniques. VOLTZITE maintains\r\na dedicated focus on OT data, with a history of OT network intrusions, and leverages proxy\r\nnetworks to steal Geographic Information System (GIS) data, OT network diagrams, and OT\r\noperating instructions from its victims. 
Aided by this ICS-focused data, VOLTZITE could craft a\r\nmalicious OT-specific tool capable of operational disruption. VOLTZITE has previously exfiltrated\r\nGIS data containing critical information about the layout and architecture of energy systems.\r\nICS CYBER KILL CHAIN\r\nVOLTZITE: Stage 1 \u0026\r\nStage 2 Attacks\r\nATTACK PATH\r\nVOLTZITE Attack Path\n\n46 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nSierra Wireless\r\nAirlink Targeting\r\nJDY Botnet Activity\r\nIn 2025, VOLTZITE continued its operations against critical infrastructure targets. The most\r\nimpactful campaign involved compromising Sierra Wireless Airlink RV50 and RV55 cellular\r\ngateways using their web interfaces (TCP/9191, TCP/9443) across Electric and Oil and Gas\r\norganizations. Sierra Wireless Airlink devices are industrial-grade cellular routers and gateways\r\ndesigned to provide reliable wireless connectivity for mission-critical applications. These cellular\r\nrouters enable remote monitoring, configuration, and management of connected equipment and\r\nnetworks. They also connect industrial IoT devices, vehicles, and critical infrastructure to cellular\r\nnetworks. Not all cellular gateways are created equal when it comes to interacting with industrial\r\nenvironments. 
The major risks with these cellular gateways are the following:\r\n• Bypassing Network Perimeter: Cellular connections can create unauthorized pathways\r\ninto OT networks, bypassing traditional security controls\r\n• Visibility Gaps: IT security teams may not even know cellular devices exist in OT\r\nenvironments\r\n• Legacy Integration: When connected to older OT equipment without security features,\r\nthe router becomes a critical attack vector\r\n• Physical Security: Devices in remote locations may be physically accessible to attackers\r\nThe activity analyzed against Sierra Wireless Airlink devices primarily targeted U.S. midstream\r\npipeline operations but also extended to upstream and downstream environments. Techniques\r\nobserved included exploitation of remote services, multi-hop proxying for command-and-control, and exfiltration of operational and sensor data, with potential implications for follow-on\r\ndisruptive actions. The Sierra Wireless devices served as entry points for lateral movement\r\ninto operational technology networks, allowing potential manipulation of control systems.\r\nVOLTZITE pivoted to engineering workstations, where they manipulated the software to dump\r\nconfiguration files and alarm data to investigate what would trigger operational processes\r\nto stop. This highlights an increase in VOLTZITE’s ICS-specific capability, leading Dragos to\r\ndesignate VOLTZITE as a Stage 2 threat group.\r\nAdditionally, Dragos observed VOLTZITE-linked activity leveraging the JDY botnet to conduct\r\nsystematic reconnaissance of public-facing Internet Protocol (IP) address ranges and remote\r\naccess gateways across the Energy, Oil and Gas, and Defense sectors. This scanning focused\r\non VPN appliances, including F5 Big-IP, Palo Alto GlobalProtect, and Citrix. 
While no exploitation\r\nwas confirmed during this phase, Dragos assesses with moderate confidence that the intent\r\nappeared to be pre-staging for future intrusions and exfiltration of operational data.\n\n47 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nIn early 2025, TAT25-09 exploited an RCE vulnerability (CVE-2025-0994) in Trimble Cityworks\r\n(Cityworks) GIS asset management software via Microsoft Internet Information Services (IIS)\r\nservers. Dragos identified low-confidence operational overlap between VOLTZITE and this\r\noperation. The vulnerability stems from unsafe deserialization in IIS when handling Cityworks\r\napplication data, allowing the adversary to craft malicious serialized objects that execute\r\narbitrary code without authentication. Attackers deployed JoJoLoader, an open-source Rust-based loader, to deliver payloads such as Cobalt Strike and VShell, enabling command execution\r\nand data exfiltration. GIS systems map physical assets and operational relationships. Stolen GIS\r\ndata can enable adversaries to plan precise, disruptive attacks on Electric and Water utilities.\r\nU.S.-based utilities and municipalities often rely on GIS data for infrastructure operations, but this\r\ninformation can be weaponized by adversaries for future ICS intrusions. Asset owners should\r\nremove unnecessary internet exposure for GIS servers, prepare for adversaries to use stolen GIS\r\ndata in future ICS attacks, and assess other GIS vendors for similar vulnerabilities.\r\nOverall, VOLTZITE’s 2025 operations reflect a shift toward not only collecting and exfiltrating\r\ndata from IT networks but also directly interacting with OT network-connected devices and\r\nstealing sensor and operational data. 
Every VOLTZITE campaign in 2025 hinged on exploiting or\r\nenumerating the following devices: Sierra Wireless AirLink RV50/RV55 for direct ICS access and\r\nmanipulation, and VPN gateways (F5 Big-IP, Palo Alto GlobalProtect, Citrix, VMware Horizon). If\r\nthese assets are hardened, patched, and monitored for anomalous behavior, VOLTZITE loses its\r\neasiest and most reliable path into OT environments.\r\nExploited Trimble\r\nCityworks GIS\r\nSoftware\n\n48 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nInsights From Dragos Intelligence Fabric\r\n• 32 percent of Dragos Network\r\nPenetration Tests included successful\r\npassword spraying over SSH or SMB,\r\ntechniques favored by VOLTZITE.\r\n• Less than 5 percent of Dragos Services\r\nengagements revealed PowerShell\r\nExecution Logging enabled, which is an\r\nessential piece of detecting VOLTZITE.\r\n• 95 percent of Services customers\r\nemployed MFA for remote access.\r\nVOLTZITE commonly leverages\r\ninsecure remote access to gain\r\ninitial access to OT environments.\n\n49 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nDefensive\r\nRecommendations\r\nand Mitigations\r\nControl 01: ICS Incident Response Plan\r\n• VOLTZITE gains initial access via the exploitation of network edge devices or footholds\r\nestablished by SYLVANITE in a similar fashion. As it moves deeper into IT and OT\r\nnetworks, VOLTZITE exfiltrates Geographic Information System (GIS) data, OT network\r\ndiagrams, and OT operating instructions from its victims. 
ICS incident response plans\r\nshould address scenarios in which an adversary exploits an emerging vulnerability in\r\ninternet-facing network devices and then establishes multiple long-term persistence\r\nmechanisms, ultimately leading to the exfiltration of sensitive OT data.\r\nControl 02: Defensible Architecture\r\n• Asset owners should apply best-practice general and device-specific security\r\nhardening techniques on network edge devices, and continuously monitor remote\r\naccess, such as cellular gateways and VPN appliances, as they are VOLTZITE’s primary\r\nbeachhead into ICS networks.\r\nControl 03: ICS Network Visibility and Monitoring\r\n• With VOLTZITE’s tradecraft reliant on exploiting blind spots in edge devices and OT-adjacent systems, Dragos recommends visibility beyond standard perimeter monitoring.\r\nSpecifically, continuous telemetry from cellular and remote access gateways is\r\ncrucial for detecting anomalous web interface access, SSH/HTTP/TLS sessions, and\r\nunexpected admin account activity. Internal network monitoring for east-west traffic is\r\ncrucial for detecting lateral movement.\r\nControl 04: Secure Remote Access\r\n• VOLTZITE operations routinely exploit exposed, unpatched remote-access\r\ninfrastructure, particularly VPN appliances. Enforcing strong remote access controls,\r\nincluding timely patching of internet-facing services, MFA across all remote access\r\npathways, and strict governance of VPN and third-party access, is critical to disrupting\r\nVOLTZITE-enabled intrusions that may lead to follow-on Stage 2 activity.\r\nControl 05: Risk-Based Vulnerability Management\r\n• Either directly or through SYLVANITE operations as a proxy, VOLTZITE conducts\r\nexploitation efforts against internet-facing remote gateways. 
A risk-based vulnerability\r\nmanagement program should prioritize remediation of assets and pathways identified\r\nas high risk to reduce the likelihood that observed weaknesses are assessed,\r\nprepositioned against, or leveraged in future operations.\n\n50 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nINFOGRAPHIC\r\nHunting for VOLTZITE\n\n51 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nSINCE 2023\r\nBx BAUXITE\r\nThreat Group Update:\n\n52 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nAbout BAUXITE Dragos has tracked BAUXITE campaigns targeting OT entities and devices globally since late\r\n2023. BAUXITE shares significant technical overlap with the CyberAv3ngers hacktivist persona,\r\nwhich first emerged in 2020, and demonstrates a direct operational focus on causing severe\r\nimpact on ICS. BAUXITE represents a credible operational risk to ICS asset owners as it has\r\ndemonstrated a convergence of hacktivist signaling, destructive malware deployment, and\r\ndirect ICS-focused targeting. BAUXITE has repeatedly carried out activities consistent with\r\nStage-2 ICS Kill Chain behaviors, including prior manipulation of Unitronics PLCs (November\r\n2023-January 2024), Sophos Firewall Attacks (April 2024-May 2024) and IOControl Campaign\r\n(2023-2024) compromising over 400 global OT devices and firewalls. In 2025, BAUXITE\r\nescalated its operations by deploying custom wiper malware against targets in Israel amid a\r\nregional conflict. This marked a shift from prior access and disruption to destructive intent,\r\nwith the malware designed to degrade system availability by wiping disks. 
Although these\r\nwipers were not ICS-specific, their use in campaigns that targeted industrial entities reflects\r\na willingness to impose operational downtime and aligns with BAUXITE’s broader geopolitical\r\nobjectives.\r\nBAUXITE also maintained an active hacktivist posture throughout 2025, sending threatening\r\nemails to ICS vendors, security researchers, and operational technology stakeholders. This\r\npsychological operation is notable because it increases operational and reputational pressure on\r\nindustrial operators, particularly during periods of heightened geopolitical tension.\r\nICS CYBER KILL CHAIN\r\nBAUXITE: Stage 1 \u0026 Stage\r\n2 Attacks\n\n53 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nATTACK PATH\r\nBAUXITE Attack Path\r\n2025 Activity\r\nATTACK PATH\r\nBAUXITE Attack Path\r\nIOControl\n\n54 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nWiper Malware In June 2025, Dragos conducted a technical analysis of wiper malware and, with high\r\nconfidence, assessed that BAUXITE had deployed two wiper variants against unspecified\r\ntargets in Israel in destructive cyber operations. 
Dragos further assesses with high confidence\r\nthat BAUXITE’s shift toward broader operational disruption activity was likely an adversarial\r\ncollective response to the conflict between Israel and Iran in June 2025.\r\nThreatening Email\r\nCampaign\r\nIn May 2025, the CyberAv3ngers hacktivist persona distributed politically charged threatening\r\nemails from an email address associated with a prior CyberAv3ngers Telegram contact profile.\r\nDragos assesses with high confidence that BAUXITE primarily distributed these emails to\r\npublic email accounts of cybersecurity and ICS vendors, to media organizations, and directly to\r\nindividuals who have publicly engaged in intelligence research or reporting on CyberAv3ngers’\r\nactivity. In some cases, an individual’s corporate and personal email addresses were targeted.\r\nDragos’ review of the email activity found that the distribution was broad and lacked any\r\nspecific threat or stated intent to attack, and that BAUXITE had likely sought to attract public\r\nattention through intimidation and to amplify their perceived notoriety within the cybersecurity\r\ncommunity.\n\n55 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nInsights From Dragos Intelligence Fabric\r\n• Service accounts with SSH access\r\noften rely on shared keys, a\r\ncondition frequently observed by\r\nDragos Red Team, while BAUXITE has\r\nindependently leveraged shared SSH\r\nkeys to access exposed devices.\r\n• Restricting service accounts from\r\ninteractive logon and monitoring\r\nfor interactive SSH use can\r\nsignificantly reduce this risk.\r\nIn 16 percent of service engagements,\r\nsignificant backup deficiencies were\r\nidentified, a critical concern for restoring\r\nsystems following wiper malware attacks.\r\n10 percent of Architecture Reviews and Network\r\nPenetration Tests identified Service Account\r\nand SSH Security issues such as excessive\r\nprivileges, interactive access, and weak\r\ncredentials that increase compromise potential.\r\n16% 10%\n\n56 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nDefensive\r\nRecommendations\r\nand Mitigations\r\nControl 01: ICS Incident Response Plan\r\n• BAUXITE activity affecting OT has included unauthorized modification of controller\r\nlogic, interaction with engineering workstations, and destructive activity against IT\r\nsystems, which can impact operations. An OT-specific incident response plan should\r\ntherefore be structured around consequence-based scenarios such as loss of view, loss\r\nof control, or loss of availability, and support rapid identification of the intrusion root\r\ncause. 
Response procedures should include validating controller logic and device state,\r\nclearly defined decision points for isolating affected OT segments, and coordinated IT–\r\nOT response actions when disruption to IT systems affects operational continuity.\r\nControl 02: Defensible Architecture\r\n• BAUXITE access patterns demonstrate the risk posed by weakly defended pathways\r\ninto OT environments. Defensible architecture should minimize permitted ingress and\r\negress by enforcing segmentation boundaries, industrial DMZs, and tightly controlled\r\ncommunication paths. Asset owners should, where possible, eliminate direct internet\r\nexposure for controllers and OT management interfaces and restrict unnecessary\r\nservices and ports.\r\nControl 03: ICS Network Visibility and Monitoring\r\n• BAUXITE operations involve direct interaction with OT, and while specific techniques\r\nmay change over time, the effects remain consistent and observable at the network\r\nand process level. OT monitoring should prioritize detecting behaviors indicative of\r\noperational impact, including unauthorized changes to OT assets, atypical external\r\ncommunications originating from OT environments, and abnormal data movement.\r\nDetection should be based on deviations from established OT baselines rather than\r\ndependence on previously observed tools or protocols, enabling resilience as BAUXITE\r\nTTPs adapt.\r\nControl 04: Secure Remote Access\r\n• BAUXITE relies on poorly governed remote access into OT environments. Asset\r\nowners should maintain an accurate inventory of remote access paths, route remote\r\nand vendor access through monitored jump hosts, and enforce strong authentication\r\nand conditional access on externally reachable services. 
Unmanaged administrative\r\naccess should be removed by eliminating default or shared credentials, rotating keys\r\nwhere required, and disabling remote management interfaces when not operationally\r\nnecessary.\r\nControl 05: Risk-Based Vulnerability Management\r\n• A risk-based vulnerability management program should prioritize remediation of\r\nweaknesses that enable manipulation of OT assets, including exposed services,\r\nunauthenticated access paths, and firmware or configuration flaws. When remediation\r\nis not feasible, these conditions should be tracked and mitigated, as BAUXITE has\r\ndemonstrated the ability to exploit such weaknesses.\n\n57 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nINFOGRAPHIC\r\nHunting for BAUXITE\n\n58 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nICS-Adjacent\r\nCapabilities\r\nResearch \u0026 Trends\r\n03.\r\nThe threat groups covered in this report represent\r\nthe adversaries Dragos tracks with enough analytical\r\nconfidence to name and characterize. But the\r\nbroader ecosystem of ICS-relevant capability\r\ndevelopment extends well beyond those groups.\r\nThroughout 2025, Dragos identified new tools,\r\nscripts, and operational activity that demonstrate\r\na widening pool of actors acquiring the ability to\r\ninteract with and disrupt industrial control systems.\r\nWhat connects these discoveries is a common\r\ntheme: the tools are not sophisticated. ICS protocols\r\nwere designed for reliability in environments that\r\nwere never expected to be connected to outside\r\nnetworks, and they carried that design forward\r\ntoday. They lack authentication, they are well\r\ndocumented, and their protocol libraries are publicly\r\navailable. 
Building a tool that can send a command\r\nto a PLC or write to a Modbus register does not\r\nrequire the resources of a state program. It requires\r\ndocumentation and a reason to try. The discoveries\r\nin this section show that more actors have both.\n\n59 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nPLC_Controller.exe In July 2025, Dragos discovered an attack tool named PLC_Controller.exe, a compiled Python-based tool that can issue S7comm and Connection-Oriented Transport Protocol (COTP)\r\nrequests to force older Siemens S7 PLC models into “STOP” mode. The availability and\r\nfunctionality of this tool pose tangible risks to ICS asset owners, as a motivated adversary\r\ncould immediately operationalize the capabilities. If deployed with malicious intent against\r\noperational environments, PLC_Controller could cause a loss of control and operational\r\ndisruption. Dragos found that this capability is limited to older S7-300 and S7-400 models,\r\nmirroring the functionality of the Simatic S7 Metasploit modules. However, PLC_Controller.\r\nexe is a fully functional tool that could be leveraged to disrupt or degrade operations in an\r\nenvironment running vulnerable Siemens PLCs. Dragos identified 45 percent of S7 PLC devices\r\nas older S7-300 and S7-400 models through the Dragos Intelligence Fabric. Dragos assesses,\r\nwith moderate confidence, that PLC_Controller.exe was used in a national red team exercise\r\ncoordinated by China’s Ministry of Public Security. The availability and functionality of such a\r\ncapability pose a credible risk to ICS, as a motivated adversary could easily operationalize it. 
If\r\ndeployed with malicious intent against operational environments, PLC_Controller could cause\r\na Loss of Control and operational disruption, underscoring the importance of ensuring legacy\r\nPLCs are adequately secured and monitored.\r\nMain of PLC_Controller -\r\nStrings and Comments\r\nTranslated from\r\nSimplified Chinese\r\nATTACK PATH\r\nPLC_Controller.exe\r\nAttack Path\n\n60 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nATTACK PATH\r\nPLC_Controller.exe\r\nAttack Path\r\nSuspicious\r\nPowerShell Modbus\r\nTool\r\nIn November 2025, Dragos discovered and analyzed a PowerShell script named exploit.ps1 that\r\nscans for Modbus servers on a given subnet, identifies holding registers with values greater than\r\n400, and repeatedly writes 1,000 to the holding register. The script was discovered alongside\r\na customized version of a publicly accessible Slowloris HTTP DoS tool. The developers added\r\nbotnet functionality to Slowloris for coordinated DDoS attacks. Dragos assesses with high\r\nconfidence that exploit.ps1 is designed to be used as an offensive tool but remains a low-risk threat\r\nto OT environments, as it was seemingly developed for a specific environment. Dragos cannot\r\ndetermine whether exploit.ps1 is a legitimate offensive capability or a red-teaming tool used for\r\ndefensive testing. While exploit.ps1 appears tailored to a specific environment, it could easily be\r\nmodified to a more generic Modbus capability.\r\nInfinitely Writing to\r\nHolding Register via\r\nModbus\n\n61 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nAdversaries Stealing\r\nICS Data\r\nSeveral TATs in 2025 have been observed stealing ICS data, which is useful for mapping\r\nOT threats relevant to Stage 2 capabilities. 
TAT25-74 compromised an India-based metals\r\nmanufacturer, stealing HMI data from at least two steel and ferroalloy manufacturing plants. The\r\ndata, in Microsoft SQL Server backup files, included thousands of industrial process control\r\ntags and dozens of user credentials for the affected HMIs. After analyzing some of the control\r\ntags, Dragos assesses with high confidence information was obtained from a graphite-based arc\r\nfurnace process.\r\nTAT25-95 compromised a Pakistani state-owned power transmission company responsible\r\nfor operating and maintaining high-voltage power transmission networks. TAT25-95 used\r\nMetasploit and Impacket to abuse the Active Directory environment for privilege escalation\r\nand lateral movement, then subsequently exfiltrated user credentials, NTLM hashes, Kerberos\r\ntickets, private keys, and other sensitive data. TAT25-95 was observed searching for “SCADA”\r\nrelated exploits in Metasploit, then scanning for open ports on TCP/502. Further, TAT25-95\r\ngained access to the victim’s OwnCloud file storage and syncing server and enumerated the\r\nfile system, searching for files with “SCADA” in the name or path. TAT25-95 used Meterpreter\r\nto exfiltrate discovered files, including approximately 100 PowerPoint files. The information\r\nobtained provided details of the victim’s operational processes and could be used to develop\r\nand deploy an ICS capability designed to disrupt, degrade, or deny access to OT environments.\r\nSearching for SCADA-related Metasploit\r\nModules\r\nScanning the Modbus\r\nServers\n\n62 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nHacktivists and\r\nProven Claims\r\nIn 2025, Dragos observed hacktivism continue to evolve from symbolic website defacements\r\nand surface-level DDoS attacks into a more sophisticated, geopolitically influenced threat\r\necosystem. 
Hacktivist groups increasingly blend ideological messaging with state-aligned\r\ninterests, adopting tactics traditionally associated with financially motivated or nation-state\r\nthreat actors. Campaigns incorporate large-scale data leaks, synchronized information\r\noperations, and attempts to disrupt physical processes. Platforms like Telegram and X serve\r\nas command-and-amplification hubs, while accessible AI-driven reconnaissance tools and\r\nDDoS-for-hire marketplaces significantly expand operational reach. These groups increasingly\r\npublish intrusion walkthroughs, configuration files, or control-system screenshots to maximize\r\npsychological and/or geopolitical impact.\r\nAs expected, Dragos observed that the most abused exposure points include internet-facing\r\nHMIs; however, misconfigured engineering workstations, weak remote-access services\r\n(especially VNC, RDP, and SSH with default or reused credentials), and open field protocols\r\nsuch as Modbus/TCP, DNP3, and MQTT exploited in hacktivist operations were also observed.\r\nSeveral campaigns exploited OPC UA endpoints that lacked authentication and Internet-exposed BACnet devices. Groups such as Z-Pentest and Dark Engine leveraged broad scanning\r\nplatforms, often built on open-source tools, to identify vulnerabilities in HMIs, PLC gateways,\r\nand historian servers.\r\nOnce inside a victim’s network, hacktivist groups frequently demonstrated basic but effective\r\nlateral movement, including pivoting from a compromised Windows “jump host” to a domain\r\ncontroller via SMB or RDP before accessing file servers or engineering project repositories.\r\nIn environments with flat or poorly segmented IT/OT networks, attackers have accessed PLC\r\nmanagement interfaces or brokered communications servers (e.g., MQTT brokers, OPC UA\r\ngateways) by simply following broadcast traffic or conducting lightweight scans.\n\n63 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nIn 2025, hacktivist groups also started adopting toolsets previously associated with advanced\r\nadversaries. For initial access, some campaigns referenced the use of Cobalt Strike beacons or\r\nopen-source equivalents (Brute Ratel-like frameworks, Sliver C2). For reconnaissance, operators\r\nfrequently relied on Advanced IP Scanner, Angry IP Scanner, various ‘netscan’ utilities, or\r\nbuilt-in capabilities such as Windows net commands, WMI queries, and PowerShell, which are\r\nconsidered LOTL techniques. Across Linux-based OT gateways, hacktivists have been observed\r\nabusing Dropbear SSH, BusyBox utilities, and default system binaries to maintain persistence\r\nor perform enumeration. While still opportunistic, the blending of C2 frameworks with LOTL\r\napproaches reflects a maturation of capability.\r\nTargeting specific hardware and firmware has also been publicly claimed. Examples include\r\nexploitation of outdated cellular gateways such as Sierra Wireless AirLink RV50/RV50X devices\r\nrunning older ALEOS firmware; attacks against exposed Moxa EDR and NPort units; and\r\nopportunistic targeting of industrial VPN appliances. In several cases, hacktivists exploited\r\nknown vulnerabilities in Fortinet FortiOS, taking advantage of organizations that had not yet\r\nupdated. Other incidents involved outdated HMI/SCADA web servers running legacy versions of\r\nIndusoft Web Studio, Ignition instances with unsecured MQTT brokers, and Siemens SIMATIC\r\npanels deployed with default credentials. While some claims cannot be fully validated, they align\r\nwith the well-documented presence of thousands of outdated OT devices online.\r\nThe single most crucial defensive action remains the elimination or hardening of external\r\nexposure. 
Minimizing internet-facing interfaces, enforcing strict network segmentation, enabling\r\nMFA for all remote access, and keeping OT gateways, HMIs, and VPN appliances fully patched\r\nfundamentally reduces the attack surface. Environments that layer segmentation with strong\r\nauthentication, continuous monitoring, and disciplined patch management are far less likely to\r\nexperience the opportunistic but increasingly capable campaigns that define hacktivism in 2025.\n\n64 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nRansomware-as-a-Service (RaaS)\r\nThreats to Industrial\r\nOrganizations\r\n04.\n\n65 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nOverview The persistent mischaracterization of ransomware as solely an IT problem obscures growing\r\nrisks to OT environments. While adversaries increasingly target industrial organizations—with\r\nattacks becoming more frequent and disruptive—they rely on basic tactics that exploit weak\r\nsecurity practices rather than sophisticated techniques. Additionally, Dragos has observed\r\nnumerous instances in which a ransomware case was classified as IT only because the victim\r\ncompany or its security firm misclassified OT devices, such as engineering workstations and\r\nHMIs, as IT devices because they ran on Windows Operating Systems. While exact numbers are\r\ndifficult to obtain, there are a considerable number of OT-specific ransomware incidents that\r\nare mischaracterized. Dragos tracked 119 ransomware groups targeting industrial organizations\r\nin 2025, a ~49 percent increase from 80 in 2024. These groups collectively impacted 3,300\r\nindustrial organizations, reflecting affiliate-driven volume and persistent targeting of industrial\r\nsectors. 
The actual number is likely higher, as many incidents go unreported or undetected.\r\nStrong OT detection maturity, underpinned by comprehensive visibility, remains foundational to\r\ndetecting ransomware in OT networks. This capability directly correlates with response success:\r\norganizations with solid OT detection contain faster, remediate more effectively, and minimize\r\ndamage to critical operations. Manufacturing accounted for more than two-thirds of all observed\r\nvictims, underscoring how deeply the sector depends on highly integrated IT–OT systems\r\nand how quickly ransomware-related outages can propagate into production and operational\r\nworkflows.\r\nRansomware by Sector\n\n66 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nRansomware Impact\r\nby Manufacturing\r\nSubsectors\r\nRansomware by Region\r\nRansomware\r\nTargeting\r\nVirtualization and OT\r\nBoundary Systems\r\nRansomware groups and affiliates in 2025 continued to rely on remote-access and virtualization\r\nabuse. Dragos consistently observed affiliates using valid credentials, commodity infostealers,\r\nor initial access broker (IAB)-provided access to authenticate into VPN portals, firewall\r\ninterfaces, or vendor tunnels before pivoting into OT boundary networks. Once inside, they\r\nleveraged RDP, SMB/PsExec, WinRM, WMI, and SSH to move laterally toward VMware ESXi\r\nhypervisors and OT-support servers hosting SCADA, HMI, historian, and engineering workloads.\r\nThe operational impact stemmed not from ICS-specific malware, but from the encryption or\r\ncorruption of the virtualization infrastructure on which OT depends. 
These activities routinely\r\nresulted in Denial of View, Denial of Control, and multi-day Loss of Productivity and Revenue,\r\neven without any interaction with industrial protocols, e.g., a Fog affiliate that used compromised\r\nVPN access to reach an OT-adjacent ESXi hypervisor and deploy ransomware on SCADA-supporting virtual machines. Although no PLCs or field devices were touched, the loss of the\r\nvirtualization layer immediately removed operator visibility and control, resulting in operational\r\ndelays until the systems were rebuilt.\n\n67 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nIncreased Targeting\r\nof OT-Adjacent\r\nand Supply-Chain\r\nEntities\r\nThroughout 2025, ransomware affiliates continued to compromise engineering firms (148\r\ncompromises), OT managed-service providers, ICS equipment vendors (124 compromises), and\r\nsystem integrators. These are all organizations whose environments often contain engineering\r\ndocumentation, configuration backups, remote access credentials, and privileged pathways to\r\nmultiple industrial sites. This reflects a broader cybercrime strategy in which adversaries seek\r\nmaximum operational leverage by targeting entities whose compromise can exert pressure\r\nacross an entire industrial ecosystem rather than on a single operator. 
Cl0p’s exploitation of Cleo\r\nMFT, CrushFTP, and later Oracle E-Business Suite (EBS) demonstrated how a single vulnerability\r\nin widely used file-transfer or ERP software can expose operational documents, engineering\r\ndata, and vendor-customer integrations across hundreds of industrial organizations, even when\r\nno OT networks are directly accessed.\r\nICS Subsectors Impact\r\nby Ransomware\r\nExpansion and\r\nFragmentation of\r\nthe RaaS Ecosystem\r\nDragos observed a more fragmented ecosystem in which affiliates frequently moved between\r\nRaaS programs and used the same intrusion playbooks regardless of RaaS group association.\r\nThis fragmentation, combined with increased availability of stolen credentials and ready-made\r\naccess from IABs, lowered the barrier for affiliates to launch opportunistic campaigns against\r\nindustrial organizations. Fragmentation was also evident in the lineage of several ransomware\r\nprograms active in 2025. Devman, Akira, BlackSuit, and INC Ransom reflect the continued\r\ndispersion of operators and affiliates from the broader Conti ecosystem, re-emerging under\r\nnew brands while maintaining similar tradecraft and targeting patterns. In parallel, Dragos\r\nidentified TAT24-87 operating as a highly active IAB whose access was subsequently leveraged\r\nby multiple ransomware operations, including BlackBasta, BlackSuit, 3AM, and EncryptHub.\r\nThese overlaps in access, infrastructure, and operator behavior indicate that many of the “new”\r\ngroups observed in 2025 were drawing from the same underlying affiliate pool and IAB-provided\r\nfootholds rather than representing truly distinct adversaries.\n\n68 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nIdentity-Centric\r\nIntrusions Enabling\r\nIT-to-OT Operational\r\nImpacts\r\nDuring 2025, affiliates increasingly relied on credential logs sourced from infostealers,\r\npassword reuse across OT and IT systems, cloud-synchronized identities, and compromised\r\nvendor accounts sold through IAB marketplaces. This approach allowed adversaries to bypass\r\nperimeter detections entirely by authenticating legitimately into VPN portals, remote desktop\r\ninfrastructure, and cloud identity providers used across IT–OT boundaries. Identity abuse\r\nallowed adversaries to move rapidly and quietly through enterprise environments. These\r\ncampaigns required no specialized exploits and often avoided detection entirely until critical\r\nenterprise systems underpinning OT continuity such as ERP, virtualization, cloud SaaS platforms,\r\nor backup infrastructure, were degraded or unavailable.\r\nTAT25-84 (Scattered Lapsus$ Hunters) provided the clearest illustration of this identity-centric\r\nthreat model. Building on TAT24-02’s tradecraft, the group systematically exploited help-desk\r\nworkflows, self-service password reset mechanisms, and MFA enrollment to gain privileged\r\naccess. This enabled compromise of SAP, Azure AD, ERP, and virtualization platforms that\r\nindirectly support industrial operations. Resulting impacts included production line shutdowns\r\ndue to ERP outages, logistics delays that disrupted maintenance scheduling, and loss of visibility\r\ninto vendor-supplied industrial components. 
Although TAT25-84 did not access ICS assets\r\nor execute Stage 2 activity, their identity-driven intrusions demonstrated how compromises\r\nof enterprise identity systems can cascade into measurable OT impacts, particularly in highly\r\nintegrated industrial environments where IT availability is essential to operational continuity.\r\nOverall, the ransomware threat landscape impacting industrial organizations in 2025\r\nremained highly active and operationally disruptive, shaped less by the emergence of ICS-tailored malware and more by the expanding, fragmented ecosystem of affiliates and IABs\r\nexploiting weaknesses in remote access, identity, supply-chain relationships, and OT-support\r\nvirtualization. As these trends show no sign of slowing, OT/ICS asset owners must, above all,\r\nimplement ICS network visibility and monitoring, as well as proper segmentation. ICS-grade\r\nrigor should be applied to all OT access pathways and OT-support virtualization, treating VPNs,\r\nvendor tunnels, identity providers, and ESXi/vCenter environments that touch OT as critical\r\nICS assets, so that even when ransomware compromises enterprise systems, it cannot easily\r\nescalate into industrial outages.\r\nFalse ICS Claims and\r\nNarrative-Driven\r\nExtortion\r\nA growing trend in 2025 was the use of false ICS claims in ransomware extortion. Dragos\r\nobserved multiple ransomware operators and hybrid hacktivist personas attempting to inflate\r\ntheir perceived capabilities by misrepresenting access to industrial systems. In one example,\r\nDevman published screenshots of hypervisor consoles and environmental monitoring\r\ndashboards, falsely claiming to have developed “ICS-aware ransomware.” Dragos analysis found\r\nno evidence supporting these assertions and no indication Devman accessed or could interact\r\nwith ICS equipment. 
Despite being technically inaccurate, such claims created uncertainty for\r\nvictims, introduced friction into executive decision-making, and attracted media amplification.\r\nThese narratives allowed adversaries to artificially increase extortion pressure.\n\n69 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nInsights From Dragos Intelligence Fabric\r\n• Dragos incident response teams observed\r\nan increase in cases involving compromised\r\ncredentials and unauthorized access to VMware\r\nESXi during ransomware events.\r\n• Exploitation of trusted third-party relationships is\r\nfrequently observed in incidents involving leaked\r\ncredentials from external partners.\r\n• The average dwell time for Dragos OT\r\nransomware cases in 2025 was 5 days; the all-time\r\naverage for ransomware cases is 42 days.\r\n• Dragos Incident Response observed significant\r\noperational disruption in all OT ransomware\r\ncases in 2025.\r\n• 54 percent of Dragos Services Architecture\r\nReviews conducted revealed appropriate levels\r\nof ICS network monitoring deployed.\r\n \r\n• 88 percent of Dragos TTXs reported degraded\r\ndetection capabilities.\r\n• 3 percent of Network Penetration Tests reported\r\nlack of monitoring - customers do not often\r\nrequest a Network Penetration Test if they lack\r\nmonitoring. 
They are almost certainly past the\r\ninitial implementation stages of monitoring and\r\nare now progressing towards operationalizing or\r\noptimizing their visibility.\r\n• 56 percent of Dragos Network Penetration Tests\r\nincluded findings related to LOTL activity.\r\n• 3 percent of services engagements identified use\r\nof default credentials.\r\n• 53 percent of services reports identified public or\r\ninternet facing assets.\r\n• 49 percent of services engagements revealed\r\nremote access weaknesses.\r\n54%\r\n23% 42 days\r\n88%\r\nof Dragos Services Architecture Reviews\r\nconducted revealed appropriate levels of\r\nICS network monitoring deployed\r\nof IR cases were OT ransomware Average dwell time of OT ransomware\r\nacross all services data\r\nof Dragos TTXs reported degraded\r\ndetection capabilities\r\nOT Ransomware Stats\n\n70 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nVulnerabilities\r\n05.\r\nThe threat groups documented earlier in this report\r\nare getting into OT environments through a relatively\r\nconsistent set of paths: exposed VPNs, unpatched\r\nedge devices, remote access infrastructure, and\r\ncredential reuse. These are not exotic attack surfaces.\r\nThey are known weaknesses in known products, and\r\nin many cases the vulnerabilities being exploited have\r\npublic proof-of-concept code available. The gap is not\r\nawareness that these vulnerabilities exist. The gap is\r\nthat the OT vulnerability ecosystem does not always\r\ngive defenders what they need to act on them.\r\nIndustrial vulnerability management is fundamentally\r\ndifferent from its IT counterpart. Advisories are\r\nfrequently published with no patch, no workaround,\r\nand sometimes inaccurate severity scores. 
Equipment\r\nruns on decades-long life cycles where patching may\r\nbe impractical, risky, or irrelevant to the actual threat.\r\nAnd the conventional wisdom of prioritizing by CVSS\r\nscore breaks down in environments where a medium-severity flaw on an internet-exposed gateway poses far\r\nmore real-world risk than a critical-rated vulnerability\r\nburied deep in an air-gapped process network.\r\nThis section examines the vulnerability landscape as\r\nit actually affects OT defenders: where the advisory\r\necosystem falls short, how adversaries are exploiting\r\nwhat is available, where emerging technologies like\r\nbattery energy storage systems are introducing risk\r\nfaster than security practices can account for, and what\r\nthe data says about where to focus limited resources.\n\n71 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nFollowing a DOE whitepaper on battery energy storage systems (BESS)1, Dragos investigated the security of battery\r\nmanagement system (BMS) products. This led to an internal research project to evaluate the security of Nuvation BMS and\r\nMulti-Stack Controllers (MSCs), which are manufactured in the United States and Canada and distributed globally.\r\nBattery Energy Storage System and Demand\r\nEnergy Response Research\r\nProduct-Specific\r\nVulnerabilities\r\nWider Industry\r\nIssues\r\nThe Nuvation BMS is a typical field device with no meaningful security. Direct network access\r\nto the BMS allows disconnecting batteries, changing battery chemistry, capacity, reserve\r\ncapacity, shunt, and relay settings. These, in turn, can result in a loss of control, a loss of view,\r\nmanipulation of control, and manipulation of view in a BESS. 
For example, manipulating battery\r\ncapacity or shunt configuration can change an asset owner’s view of the battery’s charge status,\r\nand changes to the minimum reserve capacity and relay settings can affect battery availability\r\nby causing the BMS to disconnect the battery. For these reasons, the Nuvation BMS is not\r\nintended to be exposed to higher-level networks. A list of Nuvation-related vulnerabilities may\r\nbe found on the Dragos website2. Additionally, Dragos evaluated the MSC, which is intended for\r\nexposure to higher level networks. The MSC also provides cloud access, allowing Nuvation to\r\nremotely monitor and reconfigure the battery systems. During this evaluation, Dragos identified\r\nauthentication bypass and OS command injection vulnerabilities in the MSC (since fixed by the\r\nvendor). Furthermore, Dragos assessed the cloud service used to remotely manage the systems,\r\nwhich allowed any user with credentials to manipulate other user’s BMS. This access could be\r\nobtained by reverse-engineering equipment to obtain cloud credentials. This issue has also\r\nbeen fixed as of December 2025.\r\nThe full details of these vulnerabilities are published in VA-2025-06. Dragos advises end users\r\nto restrict access to both the BMS (especially TCP/80 and TCP/502) and the MSC (especially\r\nTCP/80, TCP/443, TCP/502, and TCP/3003). Security-conscious users may wish to prevent the\r\nMSC from making outbound UDP/1194 network connections.\r\nOne item Dragos evaluated with Nuvation products was the support for an industry-standard\r\ncommunications overlay called SunSpec. 
This is a data model which can be implemented on\r\nModbus or DNP3 network protocols that provides a self-describing map of data and control\r\npoints.3 This allows vendor-agnostic tools to automatically discover the meaning of IO points\r\ndefined in a device which implements SunSpec.\r\nWhile useful for asset owners, this functionality may enable attackers to use tools that also\r\ndiscover the IO and control points on a device. Due to the standard, there are basic controls\r\nwhich devices ‘MUST’ implement. For example, BMSs feature a control word to disconnect or\r\n1 Battery Energy Storage Systems Report – U.S. Department of Energy\r\nhttps://www.energy.gov/sites/default/files/2025-01/BESSIE_supply-chain-battery-report_111124_OPENRELEASE_SJ_1.pdf\r\n2 Nuvation Battery Storage Systems Vulnerabilities: CVE-2025-64119 – Dragos\r\nhttps://www.dragos.com/community/advisories/CVE-2025-64119\r\n3 SunSpec Model Definitions – Github https://github.com/sunspec/models\n\n72 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nreconnect their battery stacks, which can cause a loss of control for owners of battery systems.\r\nThe full range of settings on the BMS is not available via SunSpec; however, several attacks are\r\npossible with an understanding of the data model, which are publicly available.\r\nSunSpec Modbus also features tables for many other product types, including inverter-specific\r\nprofiles, generic profiles for AC-producing equipment, and generic profiles for DC power\r\nsystems. 
Dragos scanned the Internet for devices that implement Modbus-SunSpec and found\r\njust over 100, including 1MW power inverters designed to supply grid power to electric utilities.\r\nThese inverters contain remote control capability including the ability to disconnect the inverter.\r\nThese inverters were likely in production, with readable output of 500-900kW during daylight\r\nhours.\r\nSince SunSpec Modbus is a traditional control systems protocol, it allows manipulation without\r\nauthentication. Therefore, protection is largely device dependent. For example, some devices\r\nmay prevent sensitive direct operations, such as changing battery capacity or other settings,\r\nwhile the device is in use. However, it appears that many SunSpec devices will follow the\r\nspecification requirements, which require that certain control commands be implemented\r\nin specific registers. These registers are discoverable without referring to a device-specific\r\ndatasheet, instead they are described in SunSpec device profiles. This makes them easier to\r\ndiscover and makes attack tool development far simpler and more re-usable.\r\nIt is worth noting that the SunSpec Alliance published several security specifications, including\r\nfirmware upgrade and authentication requirements. Dragos has not yet identified any device\r\nimplementing this security profile. Upon review of the specifications, Dragos also remains\r\nskeptical that the security requirements will offer adequate protection against modern threat\r\ngroups. 
A device could implement the requirements of current security specifications and\r\nstill allow unauthorized access to systems, the loading of malicious firmware, and changes to\r\nsensitive settings without a meaningful barrier to entry.\r\nEnd users should require that distributed energy resources (DER) implement the SunSpec\r\nsecurity standards, but should not rely on these standards to provide full protection on their own.\r\nFor these reasons, every BESS should be protected from direct network access. Furthermore,\r\nany cloud or VPN management service for a BESS should be evaluated for basic security\r\ncontrols, such as whether clients can access BESS resources owned by another client (as in the\r\nNuvation evaluation). Subcontracting seems to be a common theme in internet-exposed BESS\r\nand other SunSpec systems. Management of the systems is often outsourced to firms which\r\nspecialize in battery or other DER systems, but these firms often lack cybersecurity knowledge.\r\nExploitation of\r\nVulnerabilities in ICS\r\nIn 2025, Dragos determined that most ICS-specific vulnerabilities exploited were used to gain\r\ninitial access or facilitate reconnaissance in OT. Only ~4 percent of ICS-relevant vulnerabilities\r\nare exploited in the wild, and half of those (2 percent) are only relevant to ICS because they\r\nprovide unauthorized access to ICS networks. Most of the exploitation identified in 2025,\r\ntargeted applications and devices vulnerable to unauthenticated remote code execution, many\r\nof which have public Proof of Concepts (POC) available online. It’s important for asset owners to\r\nunderstand exposure, track vulnerabilities with public POCs, and monitor feeds, such as Known\r\nExploited Vulnerabilities (KEV), to stay informed about active exploitation.\n\n73 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nIn 2025, Dragos observed widespread exploitation of vulnerabilities in file transfer solutions,\r\nincluding Cleo MFT, CrushFTP, and Wing FTP. These flaws allow adversaries to gain\r\nadministrator-level access or execute arbitrary code remotely, often without authentication.\r\nOnce compromised, adversaries can steal sensitive files, deploy backdoors, and potentially\r\npivot deeper into connected networks. File transfer tools often handle operational documents,\r\nengineering files, and credentials, making them attractive targets for ransomware groups and\r\nIABs seeking financial gain through extortion or resale of access.\r\nBeginning in late 2024, the Cl0p ransomware group exploited Cleo MFT vulnerabilities (CVE-2024-50623 and CVE-2024-55956) and claimed to have targeted more than 300 victims across\r\nthe Transportation, Manufacturing, and Food sectors. CrushFTP faced two major campaigns\r\nin 2025: CVE-2025-31161 in March and CVE-2025-54309 in July, enabling attackers to bypass\r\nauthentication and gain full control of servers. Wing FTP was also targeted via CVE-2025-\r\n47812, which allowed unauthenticated remote code execution through Lua injection, granting\r\nroot or SYSTEM-level privileges. Post-compromise activities included installing remote access\r\ntools such as AnyDesk and ScreenConnect, creating new accounts, and setting up persistence\r\nmechanisms.\r\nOpportunistic adversaries continue to scan for exposed, unpatched systems, with thousands\r\nof vulnerable instances still online. These campaigns mirror previous attacks on MOVEit,\r\nGoAnywhere, and Accellion, highlighting a persistent trend of exploiting widely used file transfer\r\nplatforms for initial access and extortion.\r\nRansomware Groups\r\nContinue to Target\r\nExposed FTP Servers\n\n74 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\n2025 Vulnerability\r\nTrends\r\nIndustrial control systems (ICS) underpin critical infrastructure, yet vulnerability\r\nmanagement remains fragmented and unreliable. Dragos analyzes ICS-relevant vulnerabilities\r\nand uncovers systemic issues in advisories, scoring, and mitigations. Discrepancies between\r\nCISA, vendor advisories, and the National Vulnerability Database (NVD) are still common,\r\ncreating delays and confusion for asset owners.\r\nNVD analysis alone can take up to two years, leaving organizations without timely guidance\r\nand exposing them to unnecessary risk. One of the most significant findings was inconsistency\r\nin CVSS scoring. Dragos determined 15 percent of CISA and NVD CVEs had incorrect CVSS\r\nscores in 2025. Of these corrections, 64 percent were higher than originally reported, likely\r\ncaused by vendors understating severity. 31 percent were lower than initially published, and\r\nthe remaining 4 percent had incorrect attributes that did not affect the numeric score. These\r\ninaccuracies can lead to poor prioritization and misunderstanding of risk.\r\nThroughout 2024 and 2025, adversaries actively exploited multiple vulnerabilities in perimeter-facing technologies. These include flaws in Ivanti Connect Secure VPN, Palo Alto Networks\r\nPAN-OS and Expedition, Fortinet FortiOS/FortiProxy, F5 BIG-IP, and Cisco ASA/FTD appliances.\r\nMost of these vulnerabilities allow unauthenticated adversaries to bypass authentication,\r\nescalate privileges, or execute arbitrary code, often through exposed web interfaces or VPN\r\nservices. 
Public Proof of Concept exploits and widespread deployment of these devices across\r\nindustries make them high-value targets for ransomware groups and opportunistic adversaries.\r\nKey examples of threats compromising exposed perimeter devices include Ivanti Connect\r\nSecure vulnerabilities (CVE-2025-0282, CVE-2025-0283), which enable remote code execution\r\nand privilege escalation, and Palo Alto PAN-OS flaws (CVE-2024-0012, CVE-2024-9474,\r\nCVE-2025-0108) that allow authentication bypass and script execution. Fortinet devices were\r\ncompromised by exploitations of SSL VPN and web interface vulnerabilities (CVE-2024-21762,\r\nCVE-2024-55591), while F5 BIG-IP suffered from unauthenticated RCE (CVE-2023-46747).\r\nCisco ASA and FTD appliances faced repeated issues, including brute-force VPN attacks (CVE-2023-20269), web services DoS (CVE-2024-20353), and information disclosure (CVE-2020-\r\n3259). Many of these flaws are actively exploited in the wild, requiring minimal skill and no user\r\ninteraction.\r\nDragos noted a recurring trend: Java-based ecosystems (e.g., Confluence, ActiveMQ, Log4j)\r\ncontinue to attract adversary investment due to their widespread use and dependency chains.\r\nVendors with complex edge appliances—such as Fortinet, F5, Zyxel, and Cisco—show repeated\r\nexposure, often requiring urgent multi-version upgrades and guidance to avoid internet-facing\r\nmanagement interfaces. Misconfigurations and default credentials also amplify risk, as seen\r\nwith Apache Superset (CVE-2023-27524) and SOHO devices such as GL.iNet routers and\r\nPCMan FTP. Exploitation windows are extremely short, with weaponization occurring within\r\nhours of disclosure, underscoring the need for same-day patching, hardening defaults, and\r\nprioritizing pre-auth RCE vulnerabilities.\r\nDefenders should stay abreast of advisories and reports related to the exploitation of known\r\nvulnerabilities and patch systems, when feasible. 
These vulnerabilities highlight a persistent\r\ntrend: adversaries increasingly targeting perimeter devices as initial access points for\r\nransomware, data theft, and lateral movement into enterprise and OT networks. It is especially\r\nimportant to triage any compromise, identify any follow-on activity, and share lessons learned\r\nwith trusted communities.\r\nAdversaries\r\nExploiting Exposed\r\nPerimeter Devices\n\n75 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nMoreover, CVSS scores often fail to reflect ICS-specific realities. For example, a system\r\nwith a ‘critical’ vulnerability may still allow exploitation even after patching, thanks to\r\ninsecure-by-design features. This is why Dragos applies its own risk-based prioritization\r\nmodel called ‘Now, Next, Never.’ Only 3 percent of analyzed vulnerabilities fell into\r\nthe “Now” category, representing those actively exploited, remotely accessible, and\r\noften accompanied by a public POC. These pose immediate and severe risks to critical\r\nsystems. “Next” vulnerabilities accounted for 71 percent and were typically remotely exploitable\r\nbut can be mitigated through strong network hygiene practices such as segmentation and\r\nenforcing least privilege. Finally, “Never” vulnerabilities accounted for 27 percent of all CVEs,\r\noffering minimal risk reduction even when addressed. These “Never” vulnerabilities often come\r\nwith high prerequisites to exploit, along with the attacker gaining very little ‘new’ access in\r\nan industrial environment. 
Often these “Never” vulnerabilities are only exploitable with some\r\nexisting access to the ICS, which means that an attacker is not likely to need the vulnerability to\r\nachieve an industrial impact.\r\nDragos also identified significant gaps in remediation options: 25 percent of advisories\r\ncontained no patch or mitigation advice, leaving asset owners without a clear path to\r\nreduce risk. To address this, Dragos analysts assessed vulnerable components and\r\nprovided tailored mitigations for 52 percent of advisories that were initially missing the data,\r\nhelping organizations maintain resilience despite vendor limitations.\r\nWeaponization trends further complicate the threat landscape. In 2025, 4 percent of ICS-relevant vulnerabilities had a public POC and were actively exploited. The majority of these\r\nadvisories earn a “Now” remediation rating, with exceptions made for exploitation in third-party\r\nlibraries or other product types that provide neither immediate access to, nor immediate impact\r\nto, industrial operations.\r\nDragos also examined asset placement within networks and found that 73 percent of advisories\r\napplied to assets that are located deep within ICS environments, close to critical processes. Only\r\n22 percent of vulnerable assets were positioned at the enterprise boundary, where exploitation\r\noften provides adversaries with initial access to ICS networks.\r\nFinally, Dragos assessed the operations impact of vulnerabilities on critical processes.\r\nOnly 1 percent of advisories, if exploited, would affect the operator’s view of the process\r\nwithout impacting control, and none impacted control alone. However, 27 percent affected both\r\nview and control, making them prime targets for sophisticated attacks. 
Fortunately,72 percent\r\nwould cause no immediate process impact, though multiple vulnerabilities could be chained to\r\nachieve disruptive outcomes.\r\nICS vulnerability management cannot rely solely on CVSS scores or delayed NVD analysis.\r\nDragos addresses these gaps by applying a risk-based prioritization model, providing mitigations\r\nwhen patches are unavailable, and monitoring weaponization trends and asset placement risks.\r\nAsset owners should focus on vulnerabilities that truly matter to operational resilience rather\r\nthan those with the highest CVSS score.\n\n76 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nINFOGRAPHIC\r\nPurdue Model\n\n77 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nOf those:\r\nThese inaccuracies are often caused by vendors understating severity.\r\nIn 2025, 15 percent of CISA and NVD CVEs had incorrect CVSS scores, which\r\ncan prevent accurate prioritization for patch management and mitigation.\r\nSome advisories alerted asset owners to a problem without a solution.\r\nVulnerability Statistics\r\n25%\r\nof public advisories contained no patch or mitigation advice\r\nOf those\r\ncorrections: 64%\r\n31%\r\n4%\r\nof CVEs were MORE SEVERE than the public advisory\r\nwere LESS SEVERE than reported\r\nhad incorrect attributes that did not affect the score\r\nDragos provided tailored mitigation advice for 52 percent\r\nof advisories that were initially missing this data, helping\r\norganizations maintain resilience despite vendor limitations.\r\n52%\r\ntailored mitigation\r\nadvice provided\r\nto advisories by\r\nDragos\n\n78 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nChart 1:\r\nCVEs with\r\nProof of\r\nConcept\r\n4%\r\nof ICS-relevant vulnerabilities had a public POC and\r\nwere actively exploited in 2025\r\nCVSS Score\r\nCorrections\r\n(of the 15%\r\nwith errors)\r\n64%\r\n31%\r\n4%\r\nscored higher after Dragos research\r\nscored lower\r\nhad incorrect attributes that did not affect the score\r\nManaging vulnerabilities in OT requires risk-based prioritization.\r\nIn 2025,\r\nDragos\r\nreported:\r\n71%\r\ncan be addressed with compensating controls or at next maintenance cycle\r\n(“Next”) — typically remotely exploitable but mitigable through network\r\nhygiene like segmentation and least privilege\r\n3%\r\nof vulnerabilities required immediate action (“Now”) — actively exploited,\r\nremotely accessible, often with a public POC\r\n27%\r\ndon’t warrant remediation efforts (“Never”) — high prerequisites to exploit\r\nwith minimal risk reduction even when addressed\r\nNOW/NEXT/NEVER:\n\n79 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nInsights From Dragos Intelligence Fabric\r\n80 percent of service engagements\r\nincluded findings related to OT\r\nvulnerability management\r\nOnly 5 percent of reports identified EOL\r\nor unsupported assets, underscoring that\r\nEOL assets are rarely the core issue -\r\nlimited visibility hinders the application of\r\nrisk-based mitigations beyond patching,\r\nwhich is often impractical or delayed.\n\n80 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nFindings from the\r\nField: 2025 Lessons\r\nLearned\r\n06.\n\n81 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nOverview\r\nCall to Action\r\nThroughout 2025, incident response cases were consistently initiated after the identification\r\nof malware (23 percent) and ransomware (23 percent). However, unexplained operational\r\nissues (30 percent) were commonly considered cyber-related for diligence purposes. These\r\ncases were characterized by irregular events (e.g., premature value and hardware failures)\r\nthat asset owners were unable to determine the root cause of, due to a lack of data collection\r\nand monitoring before the incident. The numbers are rounded out by a mixture of malicious\r\nnetwork traffic and false positives, at 15 percent and 7 percent, respectively. While most\r\nincidents resulted in at least a one-week outage, the longest Dragos recovery effort in 2025\r\nlasted approximately three weeks. Adversaries targeted hypervisors hosting critical OT systems,\r\ndemonstrating operational efficiency by compromising shared infrastructure rather than\r\nindividual assets. These attacks primarily exploited weak credentials associated with privileged\r\naccounts.\r\nThe activity observed throughout the last few years reinforces a clear and urgent reality:\r\nAdversaries continue to gain access to OT/ICS networks through exposed public-facing\r\nsystems, rapid exploitation of newly disclosed vulnerabilities, and insecure default\r\nconfigurations. Persistent visibility gaps prevent organizations from detecting this activity once\r\naccess is established, particularly after adversaries pivot to OT/ICS networks. 
Incomplete asset\r\ninventory, limited telemetry, and a lack of ICS-aware monitoring allow adversaries to conduct\r\nreconnaissance, establish persistence, and abuse native protocols without detection, with\r\nawareness frequently occurring only after operational or business impact.\r\nIn 2026, defenders should anticipate continued exploitation of high-value, internet-exposed\r\ntechnologies and ICS-adjacent platforms. While reducing external attack surfaces and\r\nhardening management interfaces remain necessary, these measures alone do not address\r\nthe core challenge of safeguarding critical infrastructure. Organizations must prioritize gaining\r\nvisibility into OT/ICS environments by establishing accurate asset inventories, collecting\r\nrelevant telemetry, and deploying ICS-aware detection capabilities. Continuous monitoring and\r\nevaluation of the effectiveness of deployed security controls, including isolation and boundary\r\ndevices, coupled with timely intelligence sharing within trusted communities, remains critical to\r\nexposing adversary behavior before operational or business impact occurs.\r\nThe following insights and statistics are grouped by relevance to the SANS ICS 5 Critical\r\nControls, and industry breakouts are provided where analysts have assessed with\r\nmedium to high confidence that the sample size is representative of the industry.\n\n82 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nIR Cases\r\nIncident Response\r\nPlans\r\nA common theme among confirmed OT incidents with a cyber dimension was the presence of\r\nweaknesses in remote access, monitoring, human behaviour, and the overall security posture.\r\nThe incidents observed by Dragos this year revealed a trend toward operational disruption,\r\nforced environment rebuilds due to ransomware, and persistent gaps in OT security practices.\r\nMalware and ransomware led the charge, comprising the majority of incidents responded to\r\nby Dragos. The average dwell time between incidents was 5.4 days across these incidents. In\r\naddition to malware (23 percent) and ransomware (23 percent), the third most common incident\r\nresponded to involved operational issues. Examples included unexplained incidents, treated as\r\ncyber-related for diligence purposes, such as irregular values and hardware failure (30 percent).\r\nThe numbers are rounded out by a mixture of malicious network traffic and false positives, at 15\r\npercent and 7 percent, respectively.\r\nAsset owners and operators must develop and maintain an OT/ICS-specific Incident Response\r\nPlan (IRP) addressing the unique requirements and risks of their OT/ICS environments. This plan\r\nshould consider how these industrial systems operate and how best to respond to likely OT/ICS\r\nevents. In 2025, 10 percent of Dragos services reports included a finding related to deficiencies\r\nin organizational IRPs and 6 percent cited the complete absence of an OT/ICS IRP. 
This figure\r\nrises sharply to 24 percent within the Manufacturing sector, indicating a higher prevalence of\r\nfoundational IRP gaps in that industry.\r\n \r\nFor asset owners that have established OT/ICS-specific incident response procedures, Dragos\r\nrecommends customers operationalize and exercise those plans and technical provisions.\r\nTabletop exercises (TTXs) are one of the most effective methods for validating incident\r\nresponse plans, as they allow organizations to assess roles, decision-making, communication,\r\nand procedural gaps in a low-risk, controlled environment. Exercises provide incident\r\nresponders with a low-stress educational opportunity to identify gaps and improvements in core\r\nIR capabilities. TTXs also provide a means of socializing content and raising awareness of OT/\r\nICS cybersecurity among plant personnel.\r\n \r\n• DETECT: The process of identifying and categorizing anomalous activity or events in a\r\ntimely manner and understanding their potential impact.\r\n• COMMUNICATE: Distributing information to and corresponding with people and\r\norganizations during a disruptive event.\r\n• ACTIVATE: The process of activating an information system-focused Incident Response\r\nPlan (IRP) that may assemble the [CSIRT, SIRT, IRT, IMT], depending on the extent of an\r\nevent.\r\n• RESPOND: The process of executing response processes, technical capabilities, and\r\nprocedures upon notification of a qualifying event.\r\n• CONTAIN: The activities performed to prevent the expansion of an event and mitigate its\r\neffects.\r\n• DOCUMENT: The process of documenting and cataloguing event information, decisions,\r\nand evidence.\r\n• RECOVER: The process of restoring systems to a normal operational state following a\r\ncybersecurity incident or event.\r\nCritical Control 01: OT/ICS Incident Response\n\n83 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nThe Dragos engagement team scores these capabilities based upon the following ratings:\r\n• COULD PERFORM WITHOUT CHALLENGE (P): The target associated with the core\r\ncapability could be completed in a manner according to the published IRP and did not\r\nnegatively impact the performance of other activities. The performance of this activity\r\ndid not increase the risk associated with the incident.\r\n• COULD PERFORM WITH SOME CHALLENGES (S): The target associated with the core\r\ncapability could be completed in a manner according to the published IRP and did not\r\nnegatively impact the performance of other activities. The performance of this activity\r\ndid not increase the risks associated with the incident. However, opportunities to\r\nenhance effectiveness and/or efficiency were identified.\r\n• COULD PERFORM WITH MAJOR CHALLENGES (M): The target associated with the core\r\ncapability was completed in a manner that achieved the objective(s), but some or all of\r\nthe following were observed: demonstrated actions in accordance with the published\r\nIRP had a negative impact on the performance of other activities and contributed to\r\nadditional risks associated with the incident.\r\n• LIKELY UNABLE TO PERFORM (U): The target associated with the core capability could\r\nnot or would not be performed according to the published IRP.\r\n2025 TTX Scores –\r\nIndustry Breakdown\r\nThe table above highlights several notable challenges identified through tabletop exercises.\r\nA significant majority of organizations reported difficulties with detection (88 percent),\r\ncontainment (94 percent), and incident response plan (IRP) activation (82 percent), underscoring\r\npersistent gaps in operational readiness. 
Dragos consistently observed that 82 percent of\r\nasset owners lacked clear criteria for determining when operational anomalies should trigger\r\ncybersecurity investigations. TTXs for OT environments differ from IT-focused exercises, as\r\ninitial indicators are often observed within industrial processes and operations, where they may\r\nbe misinterpreted as routine operational anomalies rather than cybersecurity events. In some\r\ncases, OT/ICS personnel lacked the foundational skills needed to conduct basic cybersecurity\r\ninvestigations, such as log review and network traffic analysis, which support early identification\r\nof cybersecurity issues. Integrating these activities into existing troubleshooting processes\r\nenables more efficient triage before engaging cybersecurity specialists.\r\nCore\r\nCapability\r\nAverage\r\nAll Industries\r\nAverage\r\nOil \u0026 Gas\r\nAverage\r\nManufacturing Average Electric\r\nActivate Some Challenges Some Challenges Some Challenges No Challenges\r\nDetect Some Challenges Some Challenges Major Challenges Major Challenges\r\nRespond Some Challenges Some Challenges Some Challenges Some Challenges\r\nCommunicate Some Challenges Major Challenges Major Challenges Some Challenges\r\nRecover Some Challenges Some Challenges Some Challenges No Challenges\r\nContain Some Challenges Major Challenges Major Challenges Some Challenges\r\nDocument Some Challenges Major Challenges Major Challenges Some Challenges\n\n84 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nNetwork\r\nSegmentation\r\nPoor IT and OT segmentation remains the most common architectural weakness, appearing in 81\r\npercent of reports, with representation across all sectors, including 29 percent in oil and gas, 24\r\npercent in manufacturing, and 22 percent in electric.\r\nCommon misconfigurations or lack of best practices include:\r\n• Lack of egress control - a network enforces inbound access control but no outbound\r\naccess control\r\n• Insecure remote access - direct connectivity is permitted from untrusted to trusted\r\nnetwork zones\r\n• Overly-permissive rules - a rule permits a large number of source IP, and/or destination\r\nIP, and/or services\r\n• Insecure service - a rule permits legacy services that are known for being insecure (e.g.,\r\nTelnet)\r\n• Rule shadowing - One rule has the same (or larger) scope than a second rule with a\r\nsame or different action\r\n• Rule correlation - two rules with same or different actions have an overlapping scope\r\nbut not entirely\r\n• Rule redundancy - two rules with the same action have any amount of overlap\r\n• Rule irrelevance - a rule that affects packets that cannot possibly reach that firewall\r\n• Rule generalization - a rule with a scope that is entirely covered by a second rule with a\r\nsame or different action\r\nDragos observed significant third-party and downstream risk in OT/ICS environments from\r\nservice providers and managed security partners that introduced ingress points into victim\r\nnetworks. The risk was further compounded through weak security practices such as poor\r\npassword hygiene, storing critical credentials in human-readable formats, and unnecessarily\r\nexposing remote access. In these cases, flat network architectures allowed malware and\r\nransomware to move laterally with minimal resistance. 
These incidents proved disruptive\r\nbecause of longstanding architectural weaknesses that left few effective barriers once\r\nadversaries gained access.\r\nFindings related to shared IT and OT domains were identified in 12 percent of reports overall, but\r\nwere most heavily concentrated in manufacturing at 46 percent, compared to 14 percent in oil\r\nand gas and 12 percent in electric.\r\nShared IT/OT domains create unnecessary pathways between enterprise IT networks\r\nand operational technology (OT) environments. This weakens the security posture of OT\r\nenvironments because a compromise in the IT network can more easily propagate into OT\r\nsystems, potentially disrupting critical industrial processes and bypassing traditional network\r\nsegmentation controls designed to protect safety and reliability.\r\nCritical Control 02: Defensible Architecture\r\nDragos considers an architecture defensible when it is purpose-built to reduce OT/ICS risks through system design and\r\nimplementation. In 2025, 42 percent included at least one major finding related to Control #2, Defensible Architecture,\r\nwith the highest prevalence in manufacturing at 27 percent, followed by oil and gas at 20 percent and electric at 19\r\npercent.\n\n85 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nDefault or Weak\r\nCredentials\r\nEndpoint Protection\r\nThe use of default or vendor-supplied credentials was once prevalent in OT/ICS environments.\r\nThese credentials are widely known and easily exploited, giving attackers a low-effort path\r\nto unauthorized access and potential control of critical systems. 
By 2025, default credentials\r\nappeared in only 3 percent of reports overall, but they remained more common in certain\r\nsectors, particularly electric at 35 percent and oil and gas at 26 percent, highlighting persistent\r\ngaps in basic security hygiene.\r\nIn 2025, adversaries capitalized on these weaknesses by deploying ransomware variants such\r\nas Fog and Greenlux, which leveraged weak credentials and limited network segmentation to\r\ngain a foothold in OT environments. In several incidents, attackers compromised hypervisors\r\nsupporting critical OT systems and encrypted servers and virtual disks. The widespread\r\nadoption of virtualization increased attacker efficiency by enabling lateral movement, stealthy\r\npersistence, and scalable ransomware operations.\r\nTraditional antivirus (AV) and endpoint detection and response (EDR) solutions are less\r\ncommon in OT environments due to concerns about system stability and compatibility with\r\nlegacy equipment. When present, they are often outdated and configured with extensive\r\nwhitelisting of directories and network shares to avoid disrupting critical operations, a condition\r\nthat is commonly exploited by both red teams and adversaries to store malicious files without\r\ndetection.\r\nThese limitations are reflected in 2025 services data, where 19 percent of all reports cited gaps\r\nin endpoint security or malware protection within OT/ICS network segments, most frequently in\r\noil and gas at 37 percent, followed by electric at 25 percent and manufacturing at 11 percent.\r\nIn practice, AV and EDR tools deployed in OT/ICS environments rely primarily on signature-based detection, with little contextual awareness of\r\nOT systems or ICS-specific malware. 
As a\r\nresult, they provide limited visibility and are most effective at detecting commodity, IT-centric\r\nmalware rather than stage 2 adversary activities targeting industrial operations.\r\nThis gap is further illustrated in incident response data, where 13 percent of 2025 Dragos IR\r\ncases involved headless malware that operates without a user interface or visible processes,\r\nallowing it to execute silently and evade traditional signature-based detection mechanisms that\r\nrely on visible artifacts or user interaction.\r\nAn effective approach combines careful AV/EDR deployment with network monitoring and\r\nasset visibility to detect threats without disrupting critical operations. When deployed, these tools\r\nprovide visibility into malicious activity and help detect known threats, but they often struggle\r\nto identify novel or targeted attacks specific to industrial systems. Dragos recommends\r\ndeploying up-to-date EDR/AV on jump servers and systems within the OT DMZ to protect critical\r\naccess points without impacting operational systems and leveraging an ICS-aware network\r\nmonitoring solution for detecting stage 2 attacks.\n\n86 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nDefensible Architecture\r\nFindings by Industry\r\nSector and Category\r\nDistribution of defensible architecture,\r\nnetwork segmentation, and endpoint\r\nprotection findings across Electric, Oil \u0026\r\nGas, Manufacturing, and other sectors\r\nfrom 2025 Dragos Services engagements.\n\n87 © Dragos, Inc. All Rights Reserved. 
Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nCritical Control 03: ICS Network Visibility \u0026 Monitoring\r\nAcross incident response, penetration testing, and consulting engagements, persistent\r\nvisibility gaps were observed, with environments routinely lacking the telemetry needed to\r\nconduct root-cause analysis or detect malicious activity. Visibility forms the foundation of\r\nrobust cybersecurity programs and enables the development of metrics that drive maturity\r\nand resilience. Achieving meaningful visibility requires centralized collection and correlation\r\nof network and device logs, network traffic analysis, and accurate asset inventories across IT\r\nand OT network segments.\r\nIn practice, visibility is often limited to narrow monitoring scopes, such as observing only the IT\r\nto OT boundary or failing to inspect ICS-specific protocols. These constraints prevent defenders\r\nfrom developing an accurate understanding of critical network activity and adversary behavior\r\nonce access is established.\r\nDespite its importance, 2025 assessments continue to reveal persistent visibility gaps,\r\nwith Architecture Reviews identifying substantial deficiencies in OT and ICS visibility\r\nand monitoring across 46 percent of assessments, particularly in oil and gas, electric,\r\nand manufacturing environments. Dragos Network Penetration Tests revealed similar\r\ndetection gaps, with 56 percent demonstrating an inability to identify adversary activity\r\nthat leveraged native administrative tools. 
In these cases, red teamers abused legitimate system\r\nutilities such as PowerShell, cmd.exe, WMI, RDP, and SSH to operate without triggering alerts.\r\nThis lack of detection capability is reinforced by control implementation data, as fewer than 5\r\npercent of tested environments had PowerShell execution logging enabled, despite its role as a\r\nfoundational control for exposing this class of stealthy activity.\r\nIn OT/ICS environments, the abuse of ICS-native protocols is functionally equivalent to IT-centric\r\nliving-off-the-land techniques. This activity typically requires no custom malware, appears\r\noperationally legitimate, blends into normal control communications, and frequently evades\r\ntraditional security tools that lack ICS protocol awareness and context. As a result, the use of\r\ninsecure protocols without compensating controls consistently ranks among the top findings\r\nin Dragos Services engagements. The impact of this protocol abuse extends beyond data\r\nexposure to include the misoperation of industrial equipment, as demonstrated in multiple\r\nhistoric OT cyber incidents.\r\nThese visibility gaps were also observed in 88 percent of tabletop exercises. Deficient detection\r\ncapabilities in emulated incident response scenarios indicate that meaningful operational\r\nor business impact would likely occur before detection in real-world incidents, leading to\r\nlonger and more costly response efforts. Collectively, these results reinforce the critical need\r\nfor comprehensive visibility, advanced detection capabilities, and continuous evaluation to\r\nstrengthen OT cybersecurity posture.\n\n88 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nCritical Control 04: Secure Remote Access\r\nSecure remote access, in this context, refers to a controlled and monitored method for\r\nconnecting OT networks to business IT networks or external locations. 
Dragos recommends\r\nimplementing multi-factor authentication (MFA), jump hosts, VPNs, and other verification\r\nmechanisms to minimize the risk of unauthorized access by effectively limiting, managing,\r\nand monitoring interactive connections to OT/ICS networks. These practices help ensure both\r\nbusiness continuity and operational flexibility.\r\nIn 2025, service data continued to underscore MFA as the single most effective control for\r\nremote access, with fewer than 5 percent of reports identifying environments without any\r\nMFA implementation, even if not consistently enforced across all access paths. However,\r\nMFA represents only one component of a comprehensive remote access strategy.\r\nBroader weaknesses in remote access controls remain prevalent, as 49 percent of services\r\nreports included elevated findings related to Control #4, Secure Remote Access. These issues\r\nmost frequently affected manufacturing at 28 percent, followed by oil and gas at 25 percent and\r\nthe electric sector at 17 percent.\r\nFindings in this category commonly involved insecure configurations of RDP, VNC, and remote\r\nadministration utilities. In this context, remote access refers to lateral or internal network access\r\nand does not necessarily imply direct internet exposure.\r\nNevertheless, exposure to public networks remains a significant risk. Over half of all services\r\nreports, 53 percent, identified public or internet-facing systems associated with the same\r\ncontrol, impacting 27 percent of oil and gas, 27 percent of manufacturing, and 18 percent\r\nof electric environments. These conditions continue to present exploitable pathways,\r\nas demonstrated by hacktivist groups such as CyberAv3ngers, which have successfully\r\ncompromised devices in this category.\r\nTwo primary categories of incidents dominated this year: ransomware and commodity malware.\r\nAlthough their root causes differed, the outcomes were similar, namely process disruption\r\nand costly OT/ICS environment rebuilds. 
These attacks exploited well-known weaknesses,\r\nincluding shared credentials, lack of MFA, poor credential storage, and exposed management\r\ninterfaces. Each of these gaps directly relates to deficiencies in secure remote access\r\nand network segmentation; two controls that, when neglected, enable adversaries to gain\r\nand maintain access.\r\nSecure Remote Access\r\nFindings by Industry\r\nSector\r\nIndustry breakdown of elevated secure\r\nremote access findings from 2025\r\nDragos Services engagements, with\r\nManufacturing and Oil \u0026 Gas each\r\naccounting for the largest share.\n\n89 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nCritical Control 05: Risk-based Vulnerability Management\r\nOT/ICS environments face unique challenges for vulnerability management. Legacy and\r\nunsupported systems make patching difficult without risking operational disruptions or\r\nsafety incidents. Limited visibility, proprietary protocols, and strict change management\r\nfurther complicate the identification and remediation of vulnerabilities. High availability\r\nrequirements, evolving threats, and regulatory pressures force organizations to balance\r\nsecurity improvements with continuous operation. In 2025, 80 percent of reports included a\r\nfinding related to control #5, Vulnerability Management, affecting 31 percent of oil and gas,\r\n20 percent of manufacturing, and 21 percent of electric environments. Interestingly, findings\r\nrelated to end-of-life or unsupported operating systems and applications were highlighted\r\nin less than 5 percent of reports. These numbers reflect a common misconception that OT/\r\nICS systems cannot be updated. 
While patching serves as the primary vulnerability mitigation\r\nmechanism in IT environments, OT systems operate under fundamentally different constraints.\r\nSystem interdependencies, safety requirements, and vendor qualification processes often\r\nmake patching infrequent or impractical, making alternative mitigations the norm. As a result,\r\norganizations struggle less with unsupported systems and more with accurately identifying\r\nvulnerabilities and implementing effective compensating controls across OT environments,\r\ndriven by persistent visibility gaps, including incomplete asset inventories and limited insight into\r\nsystem communications. Applying a risk-based approach enables timely patching and mitigation\r\nwithout disrupting operations. For more details on specific OT/ICS vulnerabilities and trends,\r\nrefer to the Vulnerabilities section of this report.\r\nVulnerability\r\nManagement Findings\r\nby Industry Sector\r\nIndustry breakdown of vulnerability\r\nmanagement findings from 2025 Dragos\r\nServices engagements, with Oil \u0026 Gas\r\nrepresenting the largest share at 31\r\npercent.\n\n90 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\nCall to Action\r\n07.\r\nThe activity observed throughout 2025 reinforces\r\nan urgent reality: adversaries are already targeting\r\ninfrastructure as it evolves. ELECTRUM’s focus\r\non distributed energy resources in Poland and the\r\nsecurity gaps identified in battery energy storage\r\nsystems demonstrate that new infrastructure is\r\nbeing deployed faster than security can keep pace.\r\nLooking ahead, organizations face compounding\r\ncomplexity as AI technologies move into operational\r\nenvironments. 
Organizations that cannot monitor\r\ntoday’s OT networks will find that AI adoption creates\r\nexponentially greater blind spots, making root cause\r\nanalysis and incident response increasingly difficult.\r\nEstablishing comprehensive OT visibility now, before\r\nAI and renewable energy adoption further accelerate,\r\nis critical for maintaining operational resilience.\n\n91 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\r\n© Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\r\nDragos is the world’s leading OT cybersecurity firm headquartered in Washington DC, USA\r\narea with offices around the world. It provides the most effective OT cybersecurity technology\r\nfor industrial and critical infrastructure to deliver on our global mission: safeguarding\r\ncivilization. The Dragos Platform provides visibility and monitoring of OT environments for\r\nasset identification, vulnerability management, and threat detection with continuous insights\r\ngenerated by the industry’s most experienced OT threat intelligence and services team. Dragos\r\nprotects customers across the range of operational sectors, including electric, oil \u0026 gas, data\r\ncenters, manufacturing, water, transportation, mining, and government.\r\nLearn more: dragos.com\r\nAbout Dragos\r\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\n\n9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT  UPDATED FEBRUARY 2026\n 9T H A N N UA L | 2026  \nY E A R I N R E V I E W\nOT/ I C S CY B E R S EC U R I T Y R E P O R T\n\n 9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT  UPDATED FEBRUARY 2026\nAbout VOLTZITE As seen in last year’s coverage of VOLTZITE, it maintains a dedicated focus on OT data, with\n  a history of OT network intrusions and heavy usage of LOTL techniques. 
VOLTZITE maintains\n  a dedicated focus on OT data, with a history of OT network intrusions, and leverages proxy\n  networks to steal Geographic Information System (GIS) data, OT network diagrams, and OT\n  operating instructions from its victims. Aided by this ICS-focused data, VOLTZITE could craft a\n  malicious OT-specific tool capable of operational disruption. VOLTZITE has previously exfiltrated\n  GIS data containing critical information about the layout and architecture of energy systems.\nICS CYBER KILL CHAIN      \nVOLTZITE: Stage 1 \u0026      \nStage 2 Attacks      \nATTACK PATH      \nVOLTZITE Attack Path      \n45 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.    \n\n 9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\nINFOGRAPHIC   \nHunting for VOLTZITE  \n50 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\n\n 9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\nINFOGRAPHIC   \nHunting for BAUXITE  \n57 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.\n\n 9TH ANNUAL YEAR IN REVIEW | OT/ICS CYBERSECURITY REPORT UPDATED FEBRUARY 2026\nINFOGRAPHIC   \nPurdue Model  \n76 © Dragos, Inc. All Rights Reserved. Proprietary \u0026 Confidential.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://5943619.hs-sites.com/hubfs/312-Year-in-Review/2026/Dragos-2026-OT-Cybersecurity-Report-A-Year-in-Review.pdf?hsCtaAttrib=205683189348"
	],
	"report_names": [
		"Dragos-2026-OT-Cybersecurity-Report-A-Year-in-Review.pdf?hsCtaAttrib=205683189348"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-29T06:58:57.892464Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-29T06:58:58.270898Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-29T06:58:56.316107Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision",
				"COBALT MIRAGE",
				"Agent Serpens"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-29T06:58:57.587988Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-29T06:58:56.755633Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-29T06:58:58.254021Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-29T06:58:56.751454Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"Red Dev 61",
				"UNC5221"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5484a633-c850-4380-921b-72fce1a32e72",
			"created_at": "2024-01-18T02:02:34.026014Z",
			"updated_at": "2026-04-29T06:58:57.833725Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [],
			"source_name": "ETDA:CyberAv3ngers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-29T06:58:57.759076Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-29T06:58:56.518404Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661",
				"Lapsus"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-29T06:58:58.101536Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-29T06:58:56.786897Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0f91a2f-ae05-4658-a6df-14938355eecb",
			"created_at": "2024-03-02T02:00:03.833721Z",
			"updated_at": "2026-04-29T06:58:56.823603Z",
			"deleted_at": null,
			"main_name": "UNC1549",
			"aliases": [
				"Nimbus Manticore"
			],
			"source_name": "MISPGALAXY:UNC1549",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-29T06:58:56.837813Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-29T06:58:57.891787Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2b45a355-6d1d-44d8-8bc3-20c17e30757d",
			"created_at": "2023-12-21T02:00:06.092349Z",
			"updated_at": "2026-04-29T06:58:56.735794Z",
			"deleted_at": null,
			"main_name": "Solntsepek",
			"aliases": [],
			"source_name": "MISPGALAXY:Solntsepek",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b125b5c1-1431-4880-9ab8-582a583811ea",
			"created_at": "2024-04-24T02:00:49.643067Z",
			"updated_at": "2026-04-29T06:58:57.895048Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [
				"CyberAv3ngers",
				"Soldiers of Soloman"
			],
			"source_name": "MITRE:CyberAv3ngers",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-29T06:58:57.756962Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-29T06:58:57.522649Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-29T06:58:56.187821Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Parastoo",
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-29T06:58:58.321796Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-29T06:58:56.199012Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"Blue Echidna",
				"FROZENBARENTS",
				"UAC-0113",
				"UAC-0082",
				"Quedagh",
				"TEMP.Noble",
				"TeleBots",
				"IRIDIUM",
				"Seashell Blizzard",
				"APT44",
				"VOODOO BEAR",
				"IRON VIKING",
				"G0034",
				"ELECTRUM"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-29T06:58:57.738664Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-29T06:58:57.506187Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "42ee1c89-d75c-4e1e-91fa-dab8c0e83bf6",
			"created_at": "2024-04-20T02:00:03.5779Z",
			"updated_at": "2026-04-29T06:58:56.858749Z",
			"deleted_at": null,
			"main_name": "UNC5291",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5291",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-29T06:58:57.735943Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus",
				"DazedToad"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "de5630ec-93e0-4ef5-9ac3-fe422789e03d",
			"created_at": "2024-11-01T02:00:52.730802Z",
			"updated_at": "2026-04-29T06:58:57.782463Z",
			"deleted_at": null,
			"main_name": "INC Ransom",
			"aliases": [
				"INC Ransom",
				"GOLD IONIC"
			],
			"source_name": "MITRE:INC Ransom",
			"tools": [
				"PsExec",
				"Nltest",
				"Rclone",
				"AdFind",
				"esentutl",
				"INC Ransomware"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "786139da-4139-49d0-9685-e249c5f89f25",
			"created_at": "2024-12-30T02:01:48.731055Z",
			"updated_at": "2026-04-29T06:58:57.996042Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [
				"Bohrium",
				"DEV-0056",
				"Operation Iranian Dream Job",
				"Smoke Sandstorm",
				"TA455",
				"UNC1549",
				"Yellow Dev 13"
			],
			"source_name": "ETDA:TA455",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"SlugResin",
				"SnailResin"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-29T06:58:58.147234Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-29T06:58:57.513628Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-29T06:58:57.873095Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "af10aec6-36a8-4bdb-ba47-8f75b6a4aa4b",
			"created_at": "2025-03-07T02:00:03.797427Z",
			"updated_at": "2026-04-29T06:58:57.005306Z",
			"deleted_at": null,
			"main_name": "Larva-208",
			"aliases": [
				"EncryptHub"
			],
			"source_name": "MISPGALAXY:Larva-208",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-29T06:58:57.491949Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-29T06:58:57.508616Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-29T06:58:56.464638Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-29T06:58:57.693917Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec",
				"SystemBC"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0dc20eeb-81e3-48ef-9a12-7b38fdcf07b1",
			"created_at": "2025-09-20T02:04:46.693616Z",
			"updated_at": "2026-04-29T06:58:57.573614Z",
			"deleted_at": null,
			"main_name": "COBALT SMOKEY",
			"aliases": [
				"Nimbus Manticore ",
				"Smoke Sandstorm ",
				"Subtle Snail ",
				"TA455 ",
				"UNC1549 "
			],
			"source_name": "Secureworks:COBALT SMOKEY",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"MINIBUS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-29T06:58:57.99378Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07131850-5161-48b8-98be-6b0271d44d0e",
			"created_at": "2024-01-23T13:22:35.085803Z",
			"updated_at": "2026-04-29T06:58:56.758538Z",
			"deleted_at": null,
			"main_name": "Cotton Sandstorm",
			"aliases": [
				"Emennet Pasargad",
				"Holy Souls",
				"MARNANBRIDGE",
				"NEPTUNIUM",
				"HAYWIRE KITTEN"
			],
			"source_name": "MISPGALAXY:Cotton Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-29T06:58:57.585466Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-29T06:58:57.589482Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174 "
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-29T06:58:56.581488Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391",
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba909e34-bce1-4af4-b89a-3e855718f193",
			"created_at": "2026-01-18T02:00:03.059161Z",
			"updated_at": "2026-04-29T06:58:57.054243Z",
			"deleted_at": null,
			"main_name": "Houken",
			"aliases": [],
			"source_name": "MISPGALAXY:Houken",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1820b6d5-4c68-4c37-bd25-034fd77cf1bf",
			"created_at": "2026-01-17T02:00:03.195495Z",
			"updated_at": "2026-04-29T06:58:57.052089Z",
			"deleted_at": null,
			"main_name": "CL-STA-0048",
			"aliases": [
				"CL STA 0048"
			],
			"source_name": "MISPGALAXY:CL-STA-0048",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-29T06:58:57.48365Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c532a3a-8977-4f5e-aa4f-311e19952e2f",
			"created_at": "2026-03-24T02:00:04.630235Z",
			"updated_at": "2026-04-29T06:58:57.13957Z",
			"deleted_at": null,
			"main_name": "Z-Pentest Alliance",
			"aliases": [
				"Z-Pentest"
			],
			"source_name": "MISPGALAXY:Z-Pentest Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1103f128-3e5f-40bc-9aa1-4c68c699bd24",
			"created_at": "2026-03-24T02:00:04.636396Z",
			"updated_at": "2026-04-29T06:58:57.15136Z",
			"deleted_at": null,
			"main_name": "Infrastructure Destruction Squad",
			"aliases": [
				"Dark Engine"
			],
			"source_name": "MISPGALAXY:Infrastructure Destruction Squad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-29T06:58:57.716092Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1777429268,
	"ts_updated_at": 1777450959,
	"ts_creation_date": 1771331363,
	"ts_modification_date": 1771331426,
	"files": {
		"pdf": "https://archive.orkl.eu/8dbb11eb8dadb89c8d5bfaaedda99cb9611c998d.pdf",
		"text": "https://archive.orkl.eu/8dbb11eb8dadb89c8d5bfaaedda99cb9611c998d.txt",
		"img": "https://archive.orkl.eu/8dbb11eb8dadb89c8d5bfaaedda99cb9611c998d.jpg"
	}
}