Dragos: Three New Threat Clusters Escalate ICS/OT Risk in 2025
Three new clusters — Sylvanite, Azurite, and Pyroxene — surfaced in 2025 and materially broadened industrial-targeting techniques, elevating near-term disruption risk. Dragos reports that these entrants bring the number of actively tracked adversaries to 11 of the 26 it follows, signaling a shift from pure intellectual-property theft toward preparation for operational effects.
Sylvanite acts as a rapid-access broker: it weaponizes disclosed flaws, exploited an Ivanti VPN issue within 48 hours, installed persistent web shells on F5 appliances, harvested Active Directory credentials, and monetized access to long-dwell operators. Azurite relies on compromised SOHO routers and edge appliances to move into engineering workstations, then exfiltrates PLC layouts, HMI snapshots, and alarm feeds — information that materially reduces attacker reconnaissance time. Pyroxene specializes in IT-to-OT lateral movement, using crafted social-engineering fronts and destructive wiper tooling that can sever IT support chains critical to ICS availability.
Legacy actors also recalibrated operations: a Russia-linked reconnaissance cluster widened its scope to scan HMIs, gateways, meters and variable-frequency drives in new regions. Dragos assesses that collected schematics and operational state are being stockpiled to enable later disruptive operations, increasing exposure for utilities, oil and gas, manufacturing, transportation and aerospace. The combined pattern — n-day exploitation, access brokering, SOHO/edge pivoting, and wiper deployment — reduces the time needed to convert initial access into impactful outages.
Broader industry signals amplify Dragos's findings: improvements in automation and AI-driven toolkits are compressing the time from public disclosure to operational exploitation, while high-fidelity synthetic media and programmatic persona generation are making large-scale, highly convincing social-engineering campaigns cheaper and faster to run. These trends increase the value of curated credentials, validated sessions, and operational diagrams in underground markets and lower the skill barrier for middle-tier operators to execute disruptive OT-focused playbooks.
Defenders must therefore compress remediation timelines, prioritize segmentation between IT and OT, and monitor identity stores and edge telemetry for signs of web-shell persistence or anomalous credential use. Incident playbooks should assume attacks that do not directly modify PLCs but still halt processes by destroying IT support infrastructure. Operational responses are increasingly leaning on automated containment and verification (agentic-assisted triage with human oversight), identity-first architectures, multi-party verification for critical actions, and tighter browser and edge governance to blunt forged-content and impersonation campaigns. Without faster patching, hardened peripheral devices, and stronger identity controls, the commoditization of access and persistence increases the probability of operational disruption.
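As an added illustration of the monitoring advice above (this is example code written for this page, not Dragos tooling or any vendor's detection content), the block below runs two simple detection passes over constructed sample telemetry: it flags successful POST requests to edge-appliance paths outside an assumed management allowlist as web-shell persistence candidates, and it flags accounts whose authentications cross the assumed IT-to-OT zone boundary or fan out to many hosts in a short window. The log formats, the host-to-zone map, the `ALLOWED_POST_PREFIXES` allowlist and the thresholds are all assumptions; every log line is constructed.

```python
"""Example detection passes for web-shell persistence on edge appliances and
anomalous credential use across the IT/OT boundary.

Log formats, allowlists, zone mapping and thresholds are assumptions made for
this example; the sample data below is constructed, not captured telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed edge-appliance access log.  Assumed format:
# timestamp|appliance|src_ip|method|path|status
EDGE_ACCESS_LOG = """\
2025-03-02T08:00:01|f5-edge-1|10.20.5.7|GET|/mgmt/tm/sys/version|200
2025-03-02T08:00:09|f5-edge-1|10.20.5.7|POST|/mgmt/tm/ltm/pool|200
2025-03-02T08:03:44|f5-edge-1|203.0.113.42|GET|/static/img/cache.php|404
2025-03-02T08:04:01|f5-edge-1|203.0.113.42|POST|/static/img/cache.php|200
2025-03-02T08:04:02|f5-edge-1|203.0.113.42|POST|/static/img/cache.php|200
2025-03-02T08:05:10|vpn-gw-2|198.51.100.9|POST|/portal/login|200
"""

# Assumed per-appliance allowlist of path prefixes where POSTs are expected.
ALLOWED_POST_PREFIXES = {
    "f5-edge-1": ("/mgmt/",),
    "vpn-gw-2": ("/portal/",),
}

# Constructed logon events (AD-style).  Assumed format:
# timestamp|account|src_host|dst_host|logon_type
LOGON_EVENTS = """\
2025-03-02T09:00:00|svc-backup|it-bk-01|it-fs-01|network
2025-03-02T09:10:00|j.doe|it-ws-17|it-fs-01|network
2025-03-02T09:11:30|j.doe|it-ws-17|it-fs-02|network
2025-03-02T09:12:10|j.doe|it-ws-17|eng-ws-03|interactive
2025-03-02T09:13:00|j.doe|it-ws-17|hmi-01|network
2025-03-02T09:13:40|j.doe|it-ws-17|hist-01|network
2025-03-02T10:30:00|ot-admin|eng-ws-03|plc-gw-01|network
"""

# Assumed host-to-zone map; in practice this comes from the asset inventory.
HOST_ZONE = {
    "it-bk-01": "it", "it-fs-01": "it", "it-fs-02": "it", "it-ws-17": "it",
    "eng-ws-03": "ot", "hmi-01": "ot", "hist-01": "ot", "plc-gw-01": "ot",
}


def parse_edge_log(text):
    """Parse the pipe-delimited access log into dicts with typed fields."""
    rows = []
    for line in text.strip().splitlines():
        ts, appliance, src, method, path, status = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "appliance": appliance,
                     "src": src, "method": method, "path": path,
                     "status": int(status)})
    return rows


def find_webshell_candidates(rows, allowed=ALLOWED_POST_PREFIXES):
    """Successful POSTs outside the appliance's management allowlist.

    A web shell is typically driven by repeated POSTs to a file that should
    never accept input, so we group by (appliance, source, path) and count.
    """
    hits = defaultdict(int)
    for r in rows:
        if r["method"] != "POST" or r["status"] != 200:
            continue
        if any(r["path"].startswith(p) for p in allowed.get(r["appliance"], ())):
            continue
        hits[(r["appliance"], r["src"], r["path"])] += 1
    return [{"appliance": a, "src": s, "path": p, "count": n}
            for (a, s, p), n in sorted(hits.items())]


def parse_logons(text):
    """Parse the pipe-delimited logon events into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, src, dst, kind = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "dst": dst, "type": kind})
    return events


def find_cross_zone_logons(events, zones=HOST_ZONE):
    """Logons whose source is in the IT zone and destination in the OT zone."""
    return [e for e in events
            if zones.get(e["src"]) == "it" and zones.get(e["dst"]) == "ot"]


def find_logon_fanout(events, max_hosts=4, window=timedelta(minutes=10)):
    """Accounts reaching >= max_hosts distinct destinations inside one window.

    Returns {account: sorted list of destination hosts} for flagged accounts.
    """
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= max_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for hit in find_webshell_candidates(parse_edge_log(EDGE_ACCESS_LOG)):
        print("web-shell candidate:", hit)
    logons = parse_logons(LOGON_EVENTS)
    for e in find_cross_zone_logons(logons):
        print("IT->OT logon:", e["account"], e["src"], "->", e["dst"])
    for account, hosts in find_logon_fanout(logons).items():
        print("logon fan-out:", account, hosts)
```

On the sample data the first pass reports one candidate (two successful POSTs from 203.0.113.42 to `/static/img/cache.php` on f5-edge-1), while the scanner-style GET that returned 404 is ignored; the second pass reports three IT-to-OT logons by `j.doe` and flags the same account for reaching five hosts within ten minutes. The `ot-admin` session stays inside the OT zone and is not reported, which is the point of keying the rule on the zone map rather than on hostnames.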
- Tracked threat groups: 26 total tracked; 11 active in 2025.
- New groups: 3 identified — Sylvanite, Azurite, Pyroxene.
- Ivanti exploit timeframe: weaponized within 48 hours of disclosure.