Industrial cybersecurity firm Dragos identified three new OT (operational technology) threat groups as adversaries push beyond reconnaissance and into attempted real-world disruption of industrial processes. The newly tracked actors, Azurite, Pyroxene, and Sylvanite, bring the total number of groups monitored globally to 26, with 11 active in 2025 alone.
Azurite and Pyroxene operate inside OT environments, exfiltrating alarm data, configuration files, and operational intelligence from engineering workstations. Sylvanite operates as an initial access provider, rapidly weaponizing edge device vulnerabilities and handing off compromised environments to Stage 2 adversaries like Voltzite within days. This division of labor compresses the timeline from initial breach to operational impact.
The expansion reflects a maturing threat ecosystem in which initial access brokers hand off footholds for deeper OT intrusions, intelligence-focused actors steal engineering and process data to enable future operations, and state-aligned or hacktivist groups demonstrate increasing willingness to manipulate industrial systems, deploy destructive malware, and target energy, defense, and critical infrastructure sectors across North America, Europe, the Middle East, and Asia-Pacific.
In a Tuesday media statement, Robert Lee, CEO of Dragos, said that “The threat landscape in 2025 reached a new level of maturity. Adversaries are mapping how control systems work, understanding where commands originate, how they propagate, and where physical effects can be induced. We’re seeing the ecosystem evolve with specialized threat groups systematically building access pathways for more capable adversaries to reach OT environments.”
He also noted some meaningful defensive gains in 2025. “Organizations with comprehensive OT visibility detected and contained OT ransomware incidents in an average of 5 days compared to the industry-wide average of 42 days, proving that detection maturity directly correlates with response success. But the gaps that remain are serious. Establishing comprehensive OT visibility now is critical. If organizations cannot monitor their systems today, they’ll find that future adoption of technologies like AI, battery storage, and distributed energy resources creates exponentially greater blind spots.”
Dragos observed in its 9th Annual Year in Review, published Tuesday, that 2025 marked a clear escalation in industrial cyber activity, with specialized threat groups moving beyond reconnaissance to mapping control loops and understanding physical processes at a granular level, lowering the barrier to real-world operational impact. The firm warns that ransomware increasingly has operational technology consequences, even when it is misclassified as an IT incident because the affected systems run Windows despite functioning as SCADA servers or engineering workstations within control loops.
Lee underlined that incident response data and insurance analysis show a persistent pattern of misidentification, leaving many organizations underestimating operational risk while still struggling to implement basic cybersecurity controls needed to detect and contain attacks before they disrupt plant operations.
The 82-page Dragos report identifies Azurite as an ICS Kill Chain Stage 2 adversary targeting OT engineering workstations and exfiltrating operational data, resulting in loss of confidentiality, theft of sensitive information, persistent access, and enabling future offensive operations. Azurite conducts interactive operations on engineering workstations to identify and stage OT-related data for exfiltration, demonstrating knowledge of OT-specific software but not manipulating or disrupting processes. Its activity appears focused on intelligence gathering, environmental awareness, and preparation for potential offensive operations during geopolitical conflict.
The group targets manufacturing, automotive, electric, oil and gas, pharmaceutical, defense industrial base, and government organizations across the U.S., Australia, Europe, Japan, South Korea, and Taiwan, and shares technical overlaps with Flax Typhoon.
Azurite gains initial access through remote access services, edge devices, SOHO routers, and web application firewalls, aiming to maintain persistent network access for intelligence and geopolitical objectives. Dragos assesses with moderate confidence that public exposure, sanctions, and law enforcement actions have not deterred its operations. The group relies on purpose-built VPS infrastructure and compromised SOHO devices within botnets to conduct reconnaissance, exploitation, command and control, and data exfiltration.
Pyroxene emerged as an active group in 2025, carrying out supply-chain-leveraged attacks against defense, critical infrastructure, and industrial sectors. Since 2023 it has expanded its operations from the Middle East into North America and Western Europe, with activity aligned to Stage 2 of the ICS Cyber Kill Chain, including reconnaissance and assessment of pathways into OT environments.
Between 2024 and 2025, Dragos observed Pyroxene targeting aviation, aerospace, defense, and maritime sectors across the U.S., Western Europe, Israel, and the United Arab Emirates. In early 2025, it identified collaboration with Parisite, assessed with high confidence as an initial access provider that handed off compromised critical infrastructure access, enabling Pyroxene to conduct internal reconnaissance and move toward OT environments. Dragos assesses with low confidence that Pyroxene intentionally surveyed OT networks to preposition for future operations, consistent with Stage 2 of the ICS Cyber Kill Chain.
The group’s record of destructive activity heightens the risk that existing IT or OT-adjacent access could be operationalized to cause loss of view, control, or availability in ICS environments. Pyroxene overlaps technically with activity known as UNC1549, which the U.S. government links to IRGC-aligned espionage and has sanctioned for targeting U.S. critical infrastructure.
The group also used recruitment-themed social engineering, cultivating targets through fake social media profiles before deploying tailored malware that established stealth backdoors via victim-specific Microsoft Azure command and control. Rather than directly attacking primary targets, Pyroxene often exploits suppliers and contractors as indirect entry points into higher-value networks.
Lastly, Sylvanite operates as a Stage 1 initial access threat group conducting large-scale campaigns against internet-facing systems and has been observed handing off access to Voltzite, a Stage 2 actor known for stealing OT data and manipulating OT systems. Meanwhile, the update finds that Voltzite focuses on stealing OT data and has a history of intruding into OT networks. It uses proxy networks to exfiltrate GIS data, OT network diagrams, and operating instructions, including detailed information on energy system layouts. This ICS-specific intelligence could enable the group to develop tailored tools to cause operational disruption.
Sylvanite has been observed across North America, Europe, the U.K., France, Japan, South Korea, Guam, the Philippines, and Saudi Arabia, targeting electric power, water and wastewater, oil and gas, manufacturing, and public administration sectors.
While it has not moved into OT networks, it focuses on collecting OT network information and operating procedures, which can enhance the capabilities of ICS-focused adversaries such as Voltzite, to whom it has previously provided footholds. Dragos classifies Sylvanite as a Stage 1 threat group based on its activities and notes technical overlaps with several tracked clusters. In 2025, Dragos observed Sylvanite activity during an incident response involving U.S. electric and water utilities.
In 2025, Voltzite continued targeting critical infrastructure, most notably by compromising the web interfaces of Sierra Wireless AirLink RV50 and RV55 cellular gateways across electric and oil and gas organizations. These industrial cellular routers, widely used to connect and manage mission-critical OT and industrial IoT systems, created significant risk by bypassing network perimeters, introducing visibility gaps, exposing legacy equipment, and lacking physical security in remote locations.
The campaign primarily affected U.S. midstream pipeline operations but extended across upstream and downstream environments. Voltzite exploited remote services, used multi-hop proxying for command and control, and exfiltrated operational and sensor data, using the devices as entry points for lateral movement into OT networks. The group pivoted to engineering workstations to extract configuration files and alarm data to assess how to trigger process disruptions, demonstrating increased ICS-specific capability and prompting its designation as a Stage 2 threat group.
Dragos observed Voltzite-linked activity using the JDY botnet to systematically scan public-facing IP ranges and remote access gateways in the energy, oil and gas, and defense sectors, focusing on VPN appliances such as F5 BIG-IP, Palo Alto GlobalProtect, and Citrix. Although no exploitation was confirmed, Dragos assesses with moderate confidence that the reconnaissance was intended to pre-stage future intrusions and operational data theft.
In early 2025, a campaign exploiting a remote code execution flaw in Trimble Cityworks GIS software targeted IIS servers, with Dragos noting low confidence operational overlap with Voltzite. Attackers used unsafe deserialization to execute code without authentication and deployed tools, including JoJoLoader and Cobalt Strike, for command execution and data exfiltration. Stolen GIS data, which maps critical infrastructure assets and relationships, could enable precise, disruptive attacks on electric and water utilities.
Addressing the late-December coordinated cyberattack targeting Polish energy infrastructure, including combined heat and power facilities and renewable energy management systems, Dragos noted that Polish authorities attributed the activity to actors linked to Russian state services and said defensive measures prevented disruption to national power delivery or grid stability. The company assesses with moderate confidence that the tradecraft and objectives align with the Electrum threat group, though the assessment remains preliminary. National cybersecurity authorities have been sharing restricted technical guidance with energy sector organizations.
Although no customer outages were reported, the incident underscores continued adversary focus on operational environments supporting power generation and grid coordination. Dragos tracked the activity through incident response and sensitive reporting, noting deliberate attempts to impact operational assets rather than limit activity to enterprise systems. CHP plants and renewable aggregation platforms represent critical leverage points in modern energy systems, where even localized disruption could create cascading operational strain and recovery challenges.
“The attacks occurred approximately six days after the 10th anniversary of the December 2015 cyber-induced power outage in Ukraine, widely regarded as the first publicly confirmed cyber operation to successfully disrupt electric power operations, endangering civilian infrastructure and life in the middle of Eastern European winter,” the report added. “That activity was subsequently attributed by multiple governments to the same Russian threat ecosystem now associated with Electrum, which has technical overlaps with Sandworm, which the U.S. government has attributed to the Russian General Staff Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies (GTsST).”
While anniversaries alone should not be over-weighted as causal indicators, Dragos observes that Russian cyber operations have historically demonstrated sensitivity to symbolic timing, messaging value, and operational signaling during periods of geopolitical tension. “The proximity of this activity to a milestone in the evolution of cyber-enabled infrastructure disruption reinforces the strategic context for assessing it. Over the past year, both Kamacite and Electrum have executed destructive attacks against ISPs in Ukraine and widespread, persistent scanning of exposed industrial devices in the United States, signaling a significant and potentially alarming shift in targeting from recent years.”
Beginning in late 2024 and extending into early 2025, Dragos observed a significant escalation in Kamacite activity targeting organizations across the European OT/ICS supply chain, a departure from prior years, when the group largely focused on Ukrainian critical infrastructure and government entities. This shift became clearer following a February 2025 CERT-UA report on threat activity designated UAC-0212, which detailed a multi-stage campaign impacting energy, water, and heating organizations across ten Ukrainian regions and over 20 firms supporting industrial operations.
The report assesses, with moderate confidence, that UAC-0212 represents the same activity tracked as Kamacite, supported by extensive 1:1 technical overlap across infrastructure, malware, and targeting patterns. “Dragos observed KAMACITE execute in late 2024. CERT-UA’s findings confirmed that Kamacite’s spear-phishing activity against attendees of the 2024 GIE conference, which Dragos initially assessed as a standalone campaign, was likely part of a broader and more ambitious effort to exploit trusted relationships across the European industrial ecosystem.”
Dragos’ analysis indicates the campaign continued at least through March 2025, after which Kamacite likely abandoned the infrastructure dedicated to the campaign.
The report detailed that the scanning activity demonstrates that Kamacite is now willing to conduct broad-spectrum reconnaissance across the U.S. industrial footprint, integrate infrastructure knowledge into the development of initial access methods to support Electrum’s operations, and explore direct OT-edge entry points, rather than focusing on enterprise or supply-chain compromise.
Such expansion increases the likelihood of future destructive or disruptive campaigns, which could draw on previously identified exposed U.S. operational environments, control-loop layouts, device capabilities, and exposed ingress routes. These insights reinforce the view that internet-exposed ICS devices are not merely ‘low-hanging fruit,’ but continue to be strategically meaningful reconnaissance targets.
Since late 2023, Dragos has tracked Bauxite campaigns targeting OT entities and devices worldwide. The group shows significant technical overlap with the CyberAv3ngers hacktivist persona and maintains a direct focus on causing serious ICS impact. Bauxite poses a credible operational risk, combining hacktivist messaging, destructive malware deployment, and ICS-focused targeting. It has demonstrated Stage 2 ICS Kill Chain behaviors, including manipulation of Unitronics PLCs, attacks on Sophos firewalls, and the IOControl campaign, which compromised more than 400 OT devices and firewalls globally.
In 2025, Bauxite escalated by deploying custom wiper malware against targets in Israel during regional conflict, marking a shift toward destructive intent aimed at degrading system availability. Although the wipers were not ICS specific, their use against industrial entities reflected a willingness to impose operational downtime aligned with broader geopolitical objectives. The group also maintained an active hacktivist posture, sending threatening communications to ICS vendors, security researchers, and OT stakeholders, increasing operational and reputational pressure during periods of heightened geopolitical tension.
Dragos conducted a technical analysis of wiper malware last June and, with high confidence, assessed that Bauxite had deployed two wiper variants against unspecified targets in Israel in destructive cyber operations. Dragos further assesses with high confidence that Bauxite’s shift toward broader operational disruption activity was likely an adversarial collective response to the conflict between Israel and Iran in June 2025.
In July, Dragos identified PLC_Controller.exe, a compiled Python-based tool capable of sending S7comm and COTP requests to force older Siemens S7-300 and S7-400 PLCs into STOP mode. While its functionality mirrors existing Simatic S7 Metasploit modules, PLC_Controller is fully operational and could be readily used to cause loss of control and disrupt operations in environments running vulnerable legacy programmable logic controllers (PLCs).
Dragos found that 45% of identified S7 devices are these older models and assesses with moderate confidence that the tool was used in a national red team exercise coordinated by China’s Ministry of Public Security. Its availability underscores a credible risk to ICS asset owners and the need to secure and monitor legacy PLCs.
Dragos analyzed a PowerShell script called exploit[dot]ps1 in November that scans for Modbus servers, identifies holding registers above a set value, and repeatedly overwrites them, alongside a modified Slowloris tool enhanced with botnet functionality for coordinated DDoS attacks. Dragos assesses with high confidence that exploit[dot]ps1 was built as an offensive tool, though it currently poses low risk to OT environments because it appears tailored to a specific target. However, the script could be adapted into a more broadly applicable Modbus attack capability.
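As an added example (not from the Dragos report and not the analyzed script), the following Python shows the kind of detection logic an OT monitoring team could run over Modbus/TCP traffic to catch the behaviour described above: one source repeatedly overwriting the same holding register. The frame layout follows the public Modbus/TCP specification (MBAP header plus PDU); the sample frames, IP addresses, timestamps and the alert threshold are constructed assumptions to be tuned per site.

```python
"""Flag repeated Modbus/TCP holding-register overwrites from a single source.

Added example; the frames below are constructed, not a real capture.
"""
import struct
from collections import defaultdict

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP frame (7-byte MBAP header followed by the PDU).

    Returns transaction id, unit id, function code and, for write functions,
    a mapping of register address -> value. Raises ValueError on malformed
    input so a monitor can skip junk traffic instead of crashing on it.
    """
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts the unit id and everything after it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    func, pdu = frame[7], frame[8:]
    writes = {}
    if func == WRITE_SINGLE_REGISTER:
        if len(pdu) < 4:
            raise ValueError("truncated write-single-register PDU")
        addr, value = struct.unpack(">HH", pdu[:4])
        writes = {addr: value}
    elif func == WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 5:
            raise ValueError("truncated write-multiple-registers PDU")
        start, qty, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * qty or len(pdu) < 5 + byte_count:
            raise ValueError("write-multiple byte count mismatch")
        values = struct.unpack(f">{qty}H", pdu[5:5 + byte_count])
        writes = {start + i: v for i, v in enumerate(values)}
    return {"tid": tid, "unit": unit, "func": func, "writes": writes}


def detect_repeated_overwrites(events, threshold=3):
    """events: iterable of (timestamp, src_ip, frame_bytes).

    Returns one alert per (source, unit, register) written `threshold` or
    more times. An HMI or engineering workstation rarely hammers a single
    register; a script that overwrites registers in a loop does exactly that.
    """
    hits = defaultdict(lambda: {"count": 0, "values": [], "first": None, "last": None})
    for ts, src, frame in events:
        try:
            rec = parse_modbus_tcp(frame)
        except ValueError:
            continue  # not well-formed Modbus/TCP; ignore for this check
        for addr, value in rec["writes"].items():
            h = hits[(src, rec["unit"], addr)]
            h["count"] += 1
            h["values"].append(value)
            h["first"] = h["first"] or ts
            h["last"] = ts
    alerts = [
        {"src": src, "unit": unit, "register": addr, **h}
        for (src, unit, addr), h in hits.items()
        if h["count"] >= threshold
    ]
    alerts.sort(key=lambda a: -a["count"])
    return alerts


def mbap_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU (function code + data) in an MBAP header; used to build samples."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (hypothetical addresses). 10.0.0.5 plays an HMI
# doing one read and one setpoint write; 10.0.0.66 overwrites register 7 in a loop.
SAMPLE_EVENTS = [
    ("2025-11-03T10:00:00Z", "10.0.0.5",
     mbap_frame(1, 1, struct.pack(">BHH", READ_HOLDING_REGISTERS, 0, 10))),
    ("2025-11-03T10:00:01Z", "10.0.0.5",
     mbap_frame(2, 1, struct.pack(">BHH", WRITE_SINGLE_REGISTER, 100, 1500))),
]
for i in range(4):
    SAMPLE_EVENTS.append((f"2025-11-03T10:00:0{2 + i}Z", "10.0.0.66",
                          mbap_frame(10 + i, 1, struct.pack(">BHH", WRITE_SINGLE_REGISTER, 7, 0xFFFF))))
SAMPLE_EVENTS.append(("2025-11-03T10:00:06Z", "10.0.0.66",
                      mbap_frame(20, 1, struct.pack(">BHHB3H", WRITE_MULTIPLE_REGISTERS,
                                                    7, 3, 6, 0xFFFF, 0xFFFF, 0xFFFF))))
SAMPLE_EVENTS.append(("2025-11-03T10:00:07Z", "10.0.0.66", b"\x00\x01"))  # truncated junk

if __name__ == "__main__":
    for alert in detect_repeated_overwrites(SAMPLE_EVENTS, threshold=3):
        print(alert)
```

Run stand-alone, the block reports a single alert: register 7 on unit 1 written five times by 10.0.0.66 (four single writes plus one multi-register write that starts at 7), while the HMI's one-off setpoint write and the truncated frame produce nothing. In production the events would come from a span-port capture or an ICS-aware sensor rather than an inline list, and the threshold would be set from a baseline of normal write rates per register.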
The report also identified that in 2025, several TAT groups stole ICS data to support Stage 2 OT threat development. TAT25-74 breached an Indian metals manufacturer, exfiltrating HMI data and credentials linked to graphite-based arc furnace operations. TAT25-95 compromised a Pakistani state-owned power transmission company, escalated privileges, searched for SCADA assets, and stole credentials and operational files that could enable future ICS disruption.
In 2025, hacktivism evolved into a more sophisticated, geopolitically aligned threat model blending ideological messaging with state-linked tactics, including data leaks and attempts to disrupt physical processes. Groups increasingly exploit exposed HMIs, weak remote access, open industrial protocols, and outdated OT devices, while using advanced tools, ‘living-off-the-land’ techniques, and AI-enabled reconnaissance to expand reach. Although often opportunistic, their growing capability and focus on vulnerable industrial infrastructure reflect a maturing and more operationally relevant threat.
Dragos also reported that throughout 2025, most incident response engagements were triggered by confirmed malware and ransomware, each accounting for 23% of cases. Another 30% began as investigations into unexplained operational issues that asset owners treated as potential cyber incidents out of caution. These events often involved irregular behavior, such as premature value changes or hardware failures, where root cause analysis was hindered by limited data collection and monitoring before the incident. Malicious network traffic accounted for 15% of cases, while 7% were ultimately deemed false positives.
Most incidents led to outages lasting at least one week, with the longest recovery effort extending to roughly three weeks. In several cases, adversaries targeted hypervisors supporting critical OT systems, compromising shared infrastructure to maximize impact, primarily by exploiting weak privileged credentials.
Dragos warns that adversaries continue to access OT and ICS networks through exposed internet-facing systems, rapid exploitation of new vulnerabilities, and insecure default configurations, while persistent visibility gaps prevent timely detection once attackers pivot into operational environments. Incomplete asset inventories, limited telemetry, and a lack of ICS-aware monitoring allow reconnaissance and persistence to go unnoticed until business or operational impact occurs.
In 2026, defenders should expect continued targeting of high-value and ICS-adjacent technologies. Beyond reducing attack surfaces, organizations must prioritize accurate asset inventories, meaningful telemetry, ICS-specific detection, continuous control validation, and trusted intelligence sharing to detect and disrupt adversaries before impact.
