
The emergence of these sophisticated, nation‑state‑linked groups raises the probability of data‑driven sabotage and prolonged outages in critical infrastructure worldwide.
The industrial control systems (ICS) landscape is undergoing a rapid shift as threat actors diversify their tactics beyond traditional ransomware. 2025 saw three previously undocumented groups—Sylvanite, Azurite and Pyroxene—enter the arena, each leveraging distinct attack vectors that exploit the growing convergence of IT and OT environments. This evolution reflects a broader trend where adversaries prioritize rapid exploitation of newly disclosed vulnerabilities and the harvesting of operational data, laying the groundwork for future disruptive campaigns.
Sylvanite’s role as an "exploitation broker" underscores a new business model in cyber‑espionage: quickly weaponising n‑day flaws, such as Ivanti VPN bugs, and provisioning persistent access to Voltzite, a group already embedded in the US electric grid. Azurite, meanwhile, concentrates on data exfiltration, compromising SOHO routers and edge devices to build proxy chains that reach engineering workstations. By stealing PLC configurations, alarm logs and HMI schematics, Azurite equips nation‑state planners with the intelligence needed for precise, low‑noise attacks. Pyroxene adds a social‑engineering layer, crafting fake LinkedIn recruiter personas to infiltrate supply chains, and deploying wiper malware that can cripple IT services, indirectly disabling dependent OT processes.
For defenders, the report signals a need to tighten IT‑OT segmentation, enforce strict credential hygiene, and monitor for anomalous proxy traffic originating from consumer‑grade devices. Continuous vulnerability management—especially for VPN and F5 appliances—remains critical, as does threat‑intel sharing across sectors. As geopolitical tensions drive these groups toward more destructive capabilities, organizations must adopt a proactive, intelligence‑driven posture to safeguard the continuity of essential services.
Three new threat groups started targeting industrial control systems (ICS) and other operational technology (OT) in 2025, according to a new report from cybersecurity company Dragos.
The security firm’s 9th annual Year in Review OT/ICS Cybersecurity Report shows that of the total of 26 threat groups tracked by Dragos, 11 were active in 2025. Three of them are newly added to the list: Sylvanite, Azurite, and Pyroxene.
Sylvanite appears to act as a “rapid exploitation broker” that enables the group named Voltzite to access critical infrastructure. Voltzite is known for gaining long‑term access to targets, including the US electric grid.
Sylvanite has been observed quickly weaponizing n‑day vulnerabilities — for instance, it exploited Ivanti VPN vulnerabilities within 48 hours of their disclosure. The hackers then installed persistent web shells on F5 appliances, extracted Active Directory credentials, and handed over access to Voltzite.
The group has targeted electric power, oil and gas, water, manufacturing, and public administration organizations in North America, Europe, Japan, South Korea, the Philippines, Saudi Arabia, and Guam.
Sylvanite overlaps with groups and activity previously linked by other cybersecurity firms to China, including UNC5221 (known for the use of the Brickstorm malware).
However, Dragos noted that precise attribution remains challenging, and overlapping activity between two groups does not necessarily mean they are the same entity.
The second new group, Azurite, has also been linked to threat groups tied by other cybersecurity firms to China, including Flax Typhoon, Ethereal Panda, and UNC5923. Some links to Voltzite have also been found.
The threat group has been seen stealing operational information from manufacturing, automotive, electric, defense, oil and gas, and government organizations in Taiwan, the United States, Japan, South Korea, Australia, and Europe.
The hackers have compromised SOHO routers to build proxy infrastructure. They have also leveraged compromised edge devices to pivot to OT, including engineering workstations, from which they can conduct malicious activities using existing software to evade detection.
According to Dragos, Azurite has exfiltrated OT network diagrams and operational data, including alarm data, PLC configurations, and HMI data. While the goal may be intellectual‑property theft, the stolen information could also be used to cause disruption in the targeted organization.
“Azurite has not been observed manipulating, stopping, or modifying OT‑specific software; it has only identified and exfiltrated information already on target assets,” the security firm said in its report. “This activity is highly likely to support capability development, target designation, and environment awareness for the preparation of offensive operations in case of geopolitical conflict.”
Image: Illustration showing a five‑step process of an adversary gaining network access to exfiltrate data (Azurite attack targeting ICS).
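The defender guidance in this piece (tighten IT‑OT segmentation, monitor for proxy traffic from consumer‑grade devices) and the Azurite tradecraft of pivoting through compromised edge devices to engineering workstations map onto a simple boundary‑flow check. The script below is an added example, not code from Dragos or from this article: the topology, subnets, log record format and the "suspect proxy" watchlist are all assumptions constructed for illustration. It flags sessions into the engineering‑workstation subnet from anything other than the approved jump host, sessions that engineering workstations initiate to addresses outside the organisation's own ranges, and any flow touching a watchlisted address.

```python
"""IT/OT boundary flow audit: an added illustration, not Dragos's tooling.

Policy encoded here (all values are assumptions for the example):
  * Only the designated jump host may open sessions into the
    engineering-workstation (EWS) subnet.
  * EWS hosts must never initiate sessions to addresses outside the
    organisation's own ranges (a proxy-chain or exfiltration indicator).
  * Any flow touching an address on a 'compromised SOHO router' watchlist
    is flagged; the watchlist below is constructed, not real intelligence.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address

# Hypothetical topology (assumed, not from the report)
ORG_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EWS_SUBNET = ipaddress.ip_network("10.20.0.0/24")          # engineering workstations
JUMP_HOSTS = {ipaddress.ip_address("10.10.5.10")}          # the only approved path into EWS
# Constructed watchlist standing in for a threat-intel feed of SOHO-router proxy nodes
SUSPECT_PROXY_IPS = {ipaddress.ip_address("203.0.113.77")}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4
    dst: IPv4
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated 'ts src dst dport' record (constructed format)."""
    ts, src, dst, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def is_internal(addr: IPv4) -> bool:
    """True if the address falls in one of the organisation's own ranges."""
    return any(addr in net for net in ORG_NETWORKS)


def check_flow(f: Flow) -> list[str]:
    """Return the policy violations a single flow triggers (empty list = clean)."""
    findings: list[str] = []
    # Rule 1: only the jump host may initiate into the EWS subnet.
    if f.dst in EWS_SUBNET and f.src not in EWS_SUBNET and f.src not in JUMP_HOSTS:
        findings.append("INBOUND_TO_EWS_FROM_UNAPPROVED_SOURCE")
    # Rule 2: engineering workstations never talk out to non-organisation space.
    if f.src in EWS_SUBNET and not is_internal(f.dst):
        findings.append("EWS_INITIATED_EXTERNAL_SESSION")
    # Rule 3: any contact with a watchlisted proxy node.
    if f.src in SUSPECT_PROXY_IPS or f.dst in SUSPECT_PROXY_IPS:
        findings.append("MATCH_SUSPECT_PROXY_WATCHLIST")
    return findings


def audit(lines: list[str]) -> list[tuple[Flow, list[str]]]:
    """Evaluate every record and keep only those with at least one finding."""
    out: list[tuple[Flow, list[str]]] = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        hits = check_flow(flow)
        if hits:
            out.append((flow, hits))
    return out


# Constructed sample log: one approved admin session, one lateral attempt from
# an ordinary IT host, one EWS-to-external session, one normal intra-OT Modbus flow.
SAMPLE_LOG = [
    "2025-06-01T08:00:01Z 10.10.5.10 10.20.0.15 3389",
    "2025-06-01T08:02:13Z 10.10.7.44 10.20.0.15 445",
    "2025-06-01T08:05:40Z 10.20.0.15 203.0.113.77 443",
    "2025-06-01T08:06:02Z 10.20.0.15 10.20.0.50 502",
]

if __name__ == "__main__":
    for flow, hits in audit(SAMPLE_LOG):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}  {', '.join(hits)}")
```

Running it against the constructed sample reports two flows: the SMB session from an ordinary IT host into the engineering subnet, and the outbound HTTPS session from an engineering workstation to the watchlisted address, which trips both the external‑session and watchlist rules. The approved RDP session from the jump host and the intra‑OT Modbus flow stay silent. Organisation ranges are listed explicitly rather than relying on a generic "private address" test, because an address can be non‑routable and still be outside the ranges an organisation actually owns.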
The third new group is Pyroxene, whose activity and techniques overlap with groups known to be associated with Iran, including APT35 (Charming Kitten).
Pyroxene, which has been around since at least 2023, specializes in cross‑domain access, enabling movement from IT to OT networks.
The group stands out for its use of social engineering, including creating fake LinkedIn profiles that pose as aerospace recruiters, and the use of wipers.
Pyroxene has targeted the manufacturing, transportation, logistics, aerospace, aviation, and utilities sectors in the United States, Europe, and the Middle East.
“Wiper malware targeting IT systems can have a severe downstream impact on ICS operations. Destructive wiping of IT systems can render systems unbootable and disrupt operational dependencies, resulting in loss of availability. Even without direct PLC targeting, the loss of supporting IT services can halt operations, delay recovery, and increase safety risk across industrial environments,” the security firm noted.
It added, “Dragos assesses with moderate confidence Pyroxene is actively positioning for future ICS‑impacting operations by exploiting supply chains, trusted relationships, and IT‑OT dependencies, creating a credible risk of disruption or destruction even when OT networks are not directly targeted.”
Kamacite, a Russia‑linked group tracked by Dragos for more than a decade and responsible for reconnaissance and initial access in Electrum attacks, has been seen expanding its targets beyond Ukraine. The security firm has observed the hackers scanning for industrial devices in the US, including HMIs, gateways, meters, and variable‑frequency drives (VFDs).
Electrum has been conducting disruptive attacks, often targeting Ukraine. However, this threat group has also recently expanded beyond Ukraine, including in the recent campaign targeting Poland’s power grid.
According to Dragos, this appears to be a result of the conflict in Ukraine — or at least the cyber aspect of the war — winding down, and Russian threat actors resuming global operations in the interests of Moscow, as they did before the war.
In a briefing with the media, Dragos CEO Robert M. Lee pointed out that threat groups are still largely focusing on the theft of intellectual property. However, they are also increasingly focused on collecting data that can later be used to cause disruption or damage.
Dragos’ full 2026 report also includes information on other known threat groups, ransomware attacks on industrial organizations, vulnerabilities affecting ICS/OT products, and recommendations for defenders.