{
	"id": "46e2c5c3-9bfa-4eb4-9a21-54c71432407a",
	"created_at": "2026-04-06T00:18:04.66902Z",
	"updated_at": "2026-04-10T03:31:24.003527Z",
	"deleted_at": null,
	"sha1_hash": "e8904155a2fe4e46450052d784770997159bbe54",
	"title": "The Impact of Dragonfly Malware on Industrial Control Systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6538616,
	"plain_text": "The Impact of Dragonfly Malware on Industrial Control Systems\r\nBy Nell Nelson\r\nArchived: 2026-04-05 18:49:19 UTC\r\nDownload File\r\nThe Impact of Dragonfly Malware on Industrial Control Systems (PDF, 1.45MB)\r\nPublished: 22 Jan, 2016\r\nDragonfly malware infected hundreds of business computers in an often successful attempt to collect information\r\non industrial control systems across the United States and Europe. The attack was performed in an orchestrated\r\nmanner over an extended period of time and used infection methods that were difficult to detect and thwart. The\r\nmalware collected information vital to the operation of the impacted systems across the energy and\r\npharmaceutical sectors. This abstract will explore the impact of Dragonfly Malware on systems used for\r\nautomated industrial control. The content will explain the manner in which Dragonfly infiltrated business systems\r\nin both Europe and the United States, how it was discovered, and the immediate and future impact of the malware\r\non infected systems and on the ICS industry. 
This paper will also discuss ways in which the industry can safeguard\r\nitself against future attacks similar to the Dragonfly malware effort.\r\nSource: https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672"
	],
	"report_names": [
		"impact-dragonfly-malware-industrial-control-systems-36672"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434684,
	"ts_updated_at": 1775791884,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8904155a2fe4e46450052d784770997159bbe54.pdf",
		"text": "https://archive.orkl.eu/e8904155a2fe4e46450052d784770997159bbe54.txt",
		"img": "https://archive.orkl.eu/e8904155a2fe4e46450052d784770997159bbe54.jpg"
	}
}