
3 Threat Groups Started Targeting ICS/OT in 2025: Dragos
Why It Matters
The emergence of these sophisticated, nation‑state‑linked groups raises the probability of data‑driven sabotage and prolonged outages in critical infrastructure worldwide.
Key Takeaways
- Sylvanite weaponizes n‑day flaws within 48 hours
- Azurite exfiltrates OT diagrams, enabling future attacks
- Pyroxene employs fake LinkedIn recruiters for social engineering
- All groups linked to nation‑state actors, complicating attribution
- OT sectors face heightened risk of data‑driven disruption
Pulse Analysis
The industrial control systems (ICS) landscape is undergoing a rapid shift as threat actors diversify their tactics beyond traditional ransomware. In 2025, three previously undocumented groups—Sylvanite, Azurite and Pyroxene—entered the arena, each leveraging distinct attack vectors that exploit the growing convergence of IT and OT environments. This evolution reflects a broader trend in which adversaries prioritize rapid exploitation of newly disclosed vulnerabilities and the harvesting of operational data, laying the groundwork for future disruptive campaigns.
Sylvanite's role as an "exploitation broker" underscores a new business model in cyber‑espionage: quickly weaponizing n‑day flaws, such as Ivanti VPN bugs, and provisioning persistent access to Voltzite, a group already embedded in the US electric grid. Azurite, meanwhile, concentrates on data exfiltration, compromising SOHO routers and edge devices to build proxy chains that reach engineering workstations. By stealing PLC configurations, alarm logs and HMI schematics, Azurite equips nation‑state planners with the intelligence needed for precise, low‑noise attacks. Pyroxene adds a social‑engineering layer, crafting fake LinkedIn recruiter personas to infiltrate supply chains and deploying wiper malware that can cripple IT services, indirectly disabling dependent OT processes.
For defenders, the report signals a need to tighten IT‑OT segmentation, enforce strict credential hygiene, and monitor for anomalous proxy traffic originating from consumer‑grade devices. Continuous vulnerability management—especially for VPN and F5 appliances—remains critical, as does threat‑intel sharing across sectors. As geopolitical tensions drive these groups toward more destructive capabilities, organizations must adopt a proactive, intelligence‑driven posture to safeguard the continuity of essential services.
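One way to implement the proxy-traffic monitoring recommended above, as an added example that is not part of this article or of Dragos's report: it flags sessions into an engineering-workstation subnet on remote-access ports from any source other than an approved jump host, and labels sources that fall inside known consumer-ISP ranges, the kind of SOHO device Azurite is described as chaining through. The subnets, the jump-host allowlist, the ISP prefixes and the flow lines are all constructed assumptions.

```python
"""Flag flows that reach OT engineering workstations from unexpected sources.
Added example, not Dragos code; subnets, allowlist and flow lines are constructed."""
import ipaddress

# Constructed environment (assumption): the engineering-workstation subnet.
OT_ENGINEERING_SUBNETS = [ipaddress.ip_network("10.50.10.0/24")]
# Only these jump hosts may open remote sessions into that subnet.
APPROVED_JUMP_HOSTS = {ipaddress.ip_address("10.10.1.5"), ipaddress.ip_address("10.10.1.6")}
# Constructed prefixes the local ISP hands to consumer (SOHO) routers.
CONSUMER_ISP_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Ports used for remote engineering access: SSH, RDP, VNC.
REMOTE_ACCESS_PORTS = {22, 3389, 5900}

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port".
SAMPLE_FLOWS = """\
2025-03-01T02:11:07Z 10.10.1.5 51044 10.50.10.21 3389
2025-03-01T02:14:52Z 203.0.113.77 40211 10.50.10.21 3389
2025-03-01T02:15:03Z 203.0.113.77 40212 10.50.10.22 5900
2025-03-01T02:20:40Z 10.20.7.9 60001 10.50.10.30 22
2025-03-01T02:22:15Z 10.10.1.6 51099 10.50.10.21 3389
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append({"ts": parts[0], "src": ipaddress.ip_address(parts[1]),
                          "dst": ipaddress.ip_address(parts[3]), "dport": int(parts[4])})
        except ValueError:  # unparsable address or port: skip the line
            continue
    return flows

def find_suspect_ot_sessions(flows):
    """Return flows into OT engineering subnets on remote-access ports whose source
    is not an approved jump host, tagged 'consumer_isp' or 'unapproved_source'."""
    hits = []
    for f in flows:
        if f["dport"] not in REMOTE_ACCESS_PORTS or not any(f["dst"] in n for n in OT_ENGINEERING_SUBNETS):
            continue
        if f["src"] in APPROVED_JUMP_HOSTS:
            continue  # expected administrative path
        from_soho = any(f["src"] in n for n in CONSUMER_ISP_PREFIXES)
        hits.append({**f, "reason": "consumer_isp" if from_soho else "unapproved_source"})
    return hits
```

On the constructed sample, the two sessions from 203.0.113.77 and the one from 10.20.7.9 are flagged, while the jump-host sessions pass; in practice the allowlist and ISP prefixes would come from the asset inventory and the site's own egress records.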