{
	"id": "e21267b4-869f-4c28-b44d-07cba2a659b5",
	"created_at": "2026-04-10T03:19:58.584661Z",
	"updated_at": "2026-04-10T03:22:17.654674Z",
	"deleted_at": null,
	"sha1_hash": "d0771c7deeb381f7e5202a78f6ee4d827d0b4a41",
	"title": "New ICS Threat Activity Group: STIBNITE",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 647756,
	"plain_text": "New ICS Threat Activity Group: STIBNITE\r\nBy Dragos, Inc.\r\nPublished: 2021-03-24 · Archived: 2026-04-10 03:02:00 UTC\r\nDragos first disclosed four new threat activity groups targeting ICS/OT last month in the ICS Cybersecurity 2020\r\nYear in Review report. In this blog post, we will provide more information on one of the new groups: STIBNITE.\r\nThe fundamental assessment of threats tracked by Dragos is that they are explicitly attempting to gain access to\r\nICS networks and operations or are successful in achieving access, not simply trying to gain access to an industrial\r\norganization.\r\nActivity Group: a set of intrusion events related with varying degrees of confidence by similarities in their\r\nfeatures or processes used to answer analytic questions and develop broad mitigation strategies that achieve\r\neffects beyond the immediate threat.\r\nSTIBNITE Activity Group Overview\r\nThe STIBNITE Activity Group targeted wind generation and government entities in Azerbaijan. STIBNITE\r\nlaunched multiple intrusion operations against targets from late 2019 through 2020. STIBNITE leverages\r\nspearphishing to drop a custom malware known as PoetRAT. Dragos assesses with moderate confidence that the\r\nadversary performed focused intrusion and information gathering operations aligned with Stage 1 of the Industrial\r\nControl System (ICS) Cyber Kill Chain.\r\nSTIBNITE activity focuses on a region, the Caucasus, not typically observed in ICS targeting. As stated in past\r\nDragos reporting and public comments, critical infrastructure intrusions and ICS events can correlate to areas of\r\nlatent or existing conflict. 
As a result, known disruptive operations largely focus on existing conflict zones, such\r\nas Ukraine or the Gulf region.\r\nSTIBNITE gains initial access via credential theft websites spoofing Azeri government organizations, and\r\nspearphishing campaigns using variants of malicious Microsoft Office documents.\r\nhttps://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/\r\nPage 1 of 3\n\nFigure 1: Diamond Model representation of STIBNITE\r\nThe group leverages customized malware, called PoetRAT, for information gathering and post-exploitation\r\nactivity including listing files, taking screenshots, transferring files, and command execution.\r\nSTIBNITE is known to use Dynamic Domain Name System (DDNS) and common ports for C2 traffic. Dragos\r\nalso discovered that STIBNITE reused infrastructure between its 2020 campaigns.\r\nSTIBNITE uses a packaged executable of pypykatz, a Python-based implementation of Mimikatz, and the open-source LaZagne credential collection project for credential harvesting. The group also uses other open-source\r\nresources for web browser credential theft and data encoding and decoding routines using the Affine substitution\r\ncipher. Credential harvesting tools could allow adversaries to propagate throughout the network. As reported in the\r\nICS Cybersecurity 2020 Year in Review, Dragos discovered that in 2020, 88 percent of Dragos services engagements\r\ninvolved significant issues with network segmentation.\r\nAt this time, the extent of the group’s ICS interest is limited to targeting wind generation in Azerbaijan.\r\nSTIBNITE’s tools and targeting focus would enable transition from Stage 1 operations to a Stage 2 intrusion given\r\ndeveloped access and stolen information, such as user credentials. Dragos tracks many threats earlier in the ICS\r\nCyber Kill Chain because Activity Groups may cross over into the OT environment. It can take years for a Stage 1\r\ngroup to transition into OT access depending on its objectives and timeline.\r\nDetecting and Mitigating STIBNITE Activity\r\nAlthough STIBNITE activity is currently focused on IT networks, information gathered – such as logon\r\ncredentials and network information – can be used to facilitate follow-on ICS network compromise. OT operators\r\nshould look for PoetRAT activity in IT and OT environments through execution of Python and Lua.\r\nThe Dragos Platform incorporates multiple detections and analytics designed specifically to detect credential reuse\r\nand malicious logon activity. Such tactics are deployed by multiple activity groups tracked by Dragos, making\r\ncoverage of such abuse vital for ICS network protection. In the ICS Cybersecurity 2020 Year in Review, Dragos\r\nfound that 90 percent of its services customers lacked fundamental visibility into ICS environments. This means\r\nmost ICS asset owners and operators will be blind to threats and lack critical cybersecurity data. Learn more about\r\nthe value of asset visibility in building a comprehensive OT cybersecurity program by downloading our OT asset\r\nvisibility white paper.\r\nDetections for all STIBNITE behaviors are available in the Dragos Platform.\r\nICS Considerations for the Future\r\nThe identified activity in Azerbaijan, while limited in scope at this time, emphasizes the proliferation of ICS\r\ntargeting in combination with more traditional tensions. Azerbaijan remains at war with Armenia over the\r\nNagorno-Karabakh region and continues to emerge as an alternative oil and gas provider to Europe. As interest in\r\nICS-related cyber effects continues to increase, ICS-related intrusions such as those associated with STIBNITE\r\nwill only continue and grow.\r\nSource: https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/"
	],
	"report_names": [
		"new-ics-threat-activity-group-stibnite"
	],
	"threat_actors": [],
	"ts_created_at": 1775791198,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0771c7deeb381f7e5202a78f6ee4d827d0b4a41.pdf",
		"text": "https://archive.orkl.eu/d0771c7deeb381f7e5202a78f6ee4d827d0b4a41.txt",
		"img": "https://archive.orkl.eu/d0771c7deeb381f7e5202a78f6ee4d827d0b4a41.jpg"
	}
}