3 New Threat Groups Emerge Targeting Industrial Control Systems (ICS) and Operational Technology (OT) in 2025, According to Dragos Threat Intelligence
Three New Threat Groups Target Industrial Control Systems in 2025
A recent report by cybersecurity firm Dragos reveals that three new threat groups have begun targeting industrial control systems (ICS) and operational technology (OT) in 2025. The report, Dragos’ 9th annual Year in Review OT/ICS Cybersecurity Report, identifies 11 active threat groups, including three new groups: Sylvanite, Azurite, and Pyroxene.
Sylvanite: Rapid Exploitation Broker
Sylvanite, described as a “rapid exploitation broker,” enables another group, Voltzite, to access critical infrastructure. Voltzite is known for gaining long-term access to targets, including the US electric grid. Sylvanite quickly exploits newly disclosed vulnerabilities, such as Ivanti VPN vulnerabilities, and installs persistent web shells on F5 appliances. The group has targeted various organizations in North America, Europe, Japan, South Korea, the Philippines, Saudi Arabia, and Guam.
Azurite: Stealing Operational Information
The second new group, Azurite, has also been linked to threat groups tied to China, including Flax Typhoon, Ethereal Panda, and UNC5923. Azurite steals operational information from manufacturing, automotive, electric, defense, oil and gas, and government organizations in Taiwan, the United States, Japan, South Korea, Australia, and Europe. The group compromises SOHO routers to build proxy infrastructure and leverages edge devices to pivot to OT networks.
Azurite exfiltrates OT network diagrams and operational data, including alarm data, PLC configurations, and HMI data. While the goal may be intellectual property theft, the stolen information could also be used to cause disruption in targeted organizations.
Pyroxene: Cross-Domain Access
The third new group, Pyroxene, has been around since at least 2023 and specializes in cross-domain access, enabling movement from IT to OT networks. Pyroxene uses social engineering tactics, including creating fake profiles posing as aerospace recruiters, and employs wipers. The group has targeted the manufacturing, transportation, logistics, aerospace, aviation, and utilities sectors in the United States, Europe, and the Middle East.
Other Threat Groups and Recommendations
In addition to the new threat groups, the report provides updates on known groups targeting ICS/OT. Kamacite, a Russia-linked group, has expanded its targets beyond Ukraine, scanning for industrial devices in the US, including HMIs, gateways, meters, and variable-frequency drives (VFDs). Electrum, a group responsible for reconnaissance and initial access, has conducted disruptive attacks targeting Ukraine and recently expanded to Poland’s power grid.
Dragos CEO Robert M. Lee noted that threat groups are focusing on the theft of intellectual property and collecting data that can later be used to cause disruption or damage. The report also includes information on other known threat groups, ransomware attacks on industrial organizations, vulnerabilities affecting ICS/OT products, and recommendations for defenders.
