{
	"id": "b8e74155-3fe9-4300-b6b1-945404dc5a83",
	"created_at": "2026-04-06T00:13:24.655491Z",
	"updated_at": "2026-04-10T13:12:25.901147Z",
	"deleted_at": null,
	"sha1_hash": "b2ecc733a5e0aead8db3fc35b063e84863bd8c3c",
	"title": "Deep Dive Into PIPEDREAM’s OPC UA Module, MOUSEHOLE",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1091414,
	"plain_text": "Deep Dive Into PIPEDREAM’s OPC UA Module, MOUSEHOLE\r\nBy Sam Hanson\r\nPublished: 2023-05-05 · Archived: 2026-04-02 10:50:37 UTC\r\nIn April of 2022, Dragos published a whitepaper and hosted a webinar discussing PIPEDREAM, the seventh\r\nknown industrial control systems (ICS)-specific malware developed by the CHERNOVITE threat group. Dragos\r\nfollowed up with a blog titled, “Analyzing PIPEDREAM: Results from Runtime Testing.” Continuing this\r\nresearch, Dragos is releasing additional information on the Open Platform Communications Unified Architecture\r\n(OPC UA) module nicknamed MOUSEHOLE, focusing on further analysis and runtime testing results.\r\nIn the first post of this two-part blog, Dragos analysts briefly provide background on OPC UA fundamentals, then\r\ndive into a high-level overview of MOUSEHOLE’s capabilities, discuss the open-source Python library utilized\r\nby MOUSEHOLE, and finally highlight other libraries that an adversary could abuse in a similar way. In part two,\r\nDragos analysts discuss the static and dynamic analysis of MOUSEHOLE, an experiment we conducted to\r\nshowcase MOUSEHOLE’s capabilities, and what industrial control system (ICS) asset owners and security\r\npractitioners can do to protect against rogue OPC UA clients.\r\nWhat is OPC UA?\r\nOpen Platform Communications Unified Architecture (OPC UA) is a popular industrial protocol allowing for data\r\ncommunication between various devices and systems. OPC UA was created to better address the needs of the\r\ngrowing industrial automation market, moving away from its predecessor, OPC Classic’s reliance on Windows\r\nand COM/DCOM technology. 
OPC UA is platform independent, meaning it can be used on Windows, Linux, or\r\nMacOS hosts, and includes all functionalities found in the OPC Classic specification.1 OPC UA was released in\r\n2008 by the OPC Foundation and later added as an IEC standard (IEC 62541).\r\nSimply put, OPC UA is an industrial and Internet of things (IoT) communication standard and can directly impact\r\nhow critical systems function. For example, logic running a programmable logic controller (PLC) could use\r\nvariables set and modified by a separate device through the OPC UA protocol.\r\nIt is important to remember that while MOUSEHOLE abuses the OPC UA protocol, there’s nothing inherently\r\ninsecure about OPC UA. In fact, the protocol provides a variety of impressive security settings and\r\nconfigurations.2, 3, 4 While vendors who produce OPC UA server software may not require strong security\r\nsettings to be configured by the user,5 that is a vendor implementation issue and not an OPC UA problem.\r\nFor more information on the technical details of the OPC UA specification, please see the OPC Foundation’s\r\nonline reference.\r\nWhat Is MOUSEHOLE?\r\nhttps://www.dragos.com/blog/pipedream-mousehole-opcua-module/\r\nPage 1 of 5\n\nMOUSEHOLE is one of five modules in PIPEDREAM, the seventh known industrial control systems (ICS)-\r\nspecific malware. MOUSEHOLE is a Python program that functions as an OPC UA client application. 
It is\r\ndesigned for easy interaction with OPC UA servers from the command line and contains various capabilities,\r\nincluding:\r\nScanning a network for an OPC UA server\r\nBrute forcing the authentication mechanism\r\nReading the structure of a server\r\nReading and writing to specific node attributes\r\nSetting various security settings such as security mode, policies, certificates, and private keys\r\nAn adversary with an understanding of a victim’s operational technology (OT) environment could modify a node’s\r\nvalue attribute on a poorly secured OPC UA server, causing a direct impact on operations, including the possibility\r\nof Loss of Control to connected control systems.\r\nMOUSEHOLE leverages the open-source Python library, python-opcua, which significantly reduces the\r\ncomplexity of interacting directly with the protocol, thus lowering the bar of sophistication required to impact\r\noperations successfully.\r\nMOUSEHOLE and the Python-OPCUA Library\r\nThe python-opcua library, while deprecated, is available on GitHub for anyone to download and use. This API\r\nmakes it incredibly easy for a programmer to connect, authenticate, and send requests to an OPC UA server with\r\nonly a few API calls. The library exposes various services to the programmer, such as the read or write attribute\r\nservice, which can be called upon by the client and executed by the server. The library achieves this by\r\nimplementing internal Python classes and objects that comply with the OPC UA Service Set protocol\r\nspecification. These Python objects are sent in binary format, interpreted, and executed by the server.\r\nLet’s walk through an example client application to demonstrate how simple it is to connect to and manipulate an\r\nOPC UA server. We will discuss the get_value function (which reads a node’s value attribute) to demonstrate how\r\nthe API works under the hood. 
Our script will connect to a poorly secured server (anonymous authentication\r\nenabled), read a node value attribute, and finally, write a value to the node. In total, the final script looks like the\r\nfollowing:\r\nOnly six lines of code are needed to connect, receive, and send data to the server, which are the foundational\r\ncomponents of MOUSEHOLE’s functionality. However, a lot is happening under the hood that the programmer\r\nmay be blissfully unaware of.\r\nFor example, the get_value method executes a series of functions that populate a Python ReadRequest object\r\nrepresenting the OPC UA read service. This ReadRequest object is binarized and sent to the server, which is then\r\ninterpreted and executed, as shown in Figure 2. The value is sent back to the client and, in our example script,\r\nstored in the node_value variable seen in Figure 1.\r\nThe set_value method works similarly but instead sends a WriteRequest object representing the write service to\r\nthe server. The API makes it as simple as possible to interact with the OPC UA server without exposing the\r\nprogrammer to the complexities of OPC UA or its internal structures.\r\nOpen-Source Industrial Protocol Libraries\r\nFrom a programming perspective, MOUSEHOLE is not a sophisticated tool. Most of the code is a simple\r\ncommand line interface for the python-opcua library, where much of the complexity is hidden. The programmer\r\nmust understand only the highest-level function calls and objects. 
This abstraction of knowledge is a double-edged\r\nsword; it simplifies the job of a legitimate developer while allowing adversaries to quickly develop programs that\r\ncan cause serious industrial impact with little required expertise in the technology and protocols.\r\nThere are dozens of open-source industrial protocol libraries and APIs on GitHub that could be abused in a similar\r\nfashion, including Modbus, BACnet, DNP3, IEC 104, IEC 61850, Ethernet/IP and CIP, EtherCAT, and many more.6\r\nSome of these libraries and APIs are incredibly advanced and provide significant capabilities to the user. For\r\nexample, the open-source PyModbus implementation is a full-featured server and client application with a\r\ncommand line interface. An adversary could download this tool and have a significantly more capable Modbus\r\nequivalent to MOUSEHOLE. Dragos has no evidence that these libraries have been leveraged to create malicious\r\ntools. Nonetheless, these libraries could be abused in the future.\r\nIn Summary\r\nCHERNOVITE’s creation of a malicious OPC UA tool is more indicative of OPC UA’s ubiquity than the\r\nprotocol’s security. CHERNOVITE could have easily used any number of open-source libraries that implement\r\ncommon industrial protocols, many of which are less secure than OPC UA. As the proliferation of ICS tools and\r\nknowledge expands, it is paramount that defenders understand what emerging threats may exist and take action to\r\nmitigate the risk.\r\nPart two of our blog covers the runtime experiments we conducted with MOUSEHOLE and best practices for\r\nOPC UA server security. Stay tuned! 
In the meantime, be sure to check out other PIPEDREAM-related content on\r\nour blog:\r\nCHERNOVITE’s PIPEDREAM Malware Targeting Industrial Control Systems (ICS)\r\nResponding to CHERNOVITE’s PIPEDREAM with Dragos Global Services\r\nDetecting CHERNOVITE’s PIPEDREAM with the Dragos Platform\r\nGet the Complete Analysis\r\nLearn more about the discovery and capabilities of CHERNOVITE’s PIPEDREAM malware in our whitepaper.\r\nSource:\r\n1. Unified Architecture – opcfoundation.org\r\n2. Exploring Cybersecurity and OPC UA for a Secure Systems Architecture – opcconnect.opcfoundation.org\r\n3. OPC 10000-2: Security – reference.opcfoundation.org\r\n4. OPC UA Security Analysis – opcfoundation.org\r\n5. Security Analysis of Vendor Implementations of the OPC UA Protocol for Industrial Control Systems – arxiv.org\r\n6. ICS-Security-Tools – github.com\r\nSam Hanson is a Vulnerability Analyst on the Intelligence Research Team. Sam graduated from the University of\r\nMinnesota – Twin Cities in 2020 with a Computer Science degree and a focus on Computer Security.\r\nSource: https://www.dragos.com/blog/pipedream-mousehole-opcua-module/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.dragos.com/blog/pipedream-mousehole-opcua-module/"
	],
	"report_names": [
		"pipedream-mousehole-opcua-module"
	],
	"threat_actors": [
		{
			"id": "091dc6fb-2650-4646-894a-41de0d463f94",
			"created_at": "2023-11-17T02:00:07.594612Z",
			"updated_at": "2026-04-10T02:00:03.455179Z",
			"deleted_at": null,
			"main_name": "Chernovite",
			"aliases": [],
			"source_name": "MISPGALAXY:Chernovite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2ecc733a5e0aead8db3fc35b063e84863bd8c3c.pdf",
		"text": "https://archive.orkl.eu/b2ecc733a5e0aead8db3fc35b063e84863bd8c3c.txt",
		"img": "https://archive.orkl.eu/b2ecc733a5e0aead8db3fc35b063e84863bd8c3c.jpg"
	}
}