Dragos: Three New Threat Clusters Escalate ICS/OT Risk in 2025
Three new clusters — Sylvanite, Azurite, and Pyroxene — surfaced in 2025 and materially broadened industrial-targeting techniques, elevating near-term disruption risk. Dragos reports these entrants push active tracked adversaries to 11 of 26, signaling a shift from pure intellectual-property theft toward preparation for operational effects.
Sylvanite acts as a rapid-access broker: it weaponizes disclosed flaws, exploited an Ivanti VPN issue within 48 hours, installed persistent web shells on F5 appliances, harvested Active Directory credentials, and monetized access to long-dwell operators. Azurite relies on compromised SOHO routers and edge appliances to move into engineering workstations, then exfiltrates PLC layouts, HMI snapshots, and alarm feeds — information that materially reduces attacker reconnaissance time. Pyroxene specializes in IT-to-OT lateral movement, using crafted social-engineering fronts and destructive wiper tooling that can sever IT support chains critical to ICS availability.
Legacy actors also recalibrated operations: a Russia-linked reconnaissance cluster widened its scope to scan HMIs, gateways, meters and variable-frequency drives in new regions. Dragos assesses that collected schematics and operational state are being stockpiled to enable later disruptive operations, increasing exposure for utilities, oil and gas, manufacturing, transportation and aerospace. The combined pattern — n-day exploitation, access brokering, SOHO/edge pivoting, and wiper deployment — reduces the time needed to convert initial access into impactful outages.
Broader industry signals amplify Dragos's findings: improvements in automation and AI-driven toolkits are compressing the time from public disclosure to operational exploitation, while high-fidelity synthetic media and programmatic persona generation are making large-scale, highly convincing social-engineering campaigns cheaper and faster to run. These trends increase the value of curated credentials, validated sessions, and operational diagrams in underground markets and lower the skill barrier for middle-tier operators to execute disruptive OT-focused playbooks.
Defenders must therefore compress remediation timelines, prioritize segmentation between IT and OT, and monitor identity stores and edge telemetry for signs of web-shell persistence or anomalous credential use. Incident playbooks should assume attacks that do not directly modify PLCs but still halt processes by destroying IT support infrastructure. Operational responses are increasingly leaning on automated containment and verification (agentic-assisted triage with human oversight), identity-first architectures, multi-party verification for critical actions, and tighter browser and edge governance to blunt forged-content and impersonation campaigns. Without faster patching, hardened peripheral devices, and stronger identity controls, the commoditization of access and persistence increases the probability of operational disruption.
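As an added illustration of the monitoring called for above (example code, not from Dragos or the summarized report), the following Python checks two of the indicators named here over constructed sample data: repeated POSTs to unlisted script-like paths on an edge appliance, and a service account authenticating from outside its baseline subnet or interactively. The endpoint allowlist, baseline subnets and log lines are assumed sample values.

```python
import re
from collections import defaultdict
# Assumed allowlist of legitimate POST endpoints (not from the report); repeated
# POSTs to other script-like paths suggest an operator driving a web shell.
KNOWN_ENDPOINTS = {"/mgmt/login", "/mgmt/config", "/api/session"}
SCRIPT_EXT = re.compile(r"\.(php|jsp|aspx?|cgi)$", re.IGNORECASE)
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ "(?P<method>[A-Z]+) (?P<path>\S+)')

# Constructed edge-appliance access log (sample data, not real telemetry).
EDGE_LOG = """\
10.0.5.7 - - "POST /mgmt/login HTTP/1.1" 200
198.51.100.23 - - "POST /cgi-bin/upload.cgi HTTP/1.1" 200
198.51.100.23 - - "POST /cgi-bin/upload.cgi HTTP/1.1" 200
192.0.2.5 - - "POST /cgi-bin/status.cgi HTTP/1.1" 200
198.51.100.23 - - "POST /cgi-bin/upload.cgi HTTP/1.1" 200
10.0.5.7 - - "GET /mgmt/config HTTP/1.1" 200
""".splitlines()

def webshell_candidates(lines, min_posts=3):
    """Return {(src, path): count} for repeated POSTs to script-like paths
    that are not on the appliance's known endpoint allowlist."""
    counts = defaultdict(int)
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path in KNOWN_ENDPOINTS or not SCRIPT_EXT.search(path):
            continue
        counts[(m["src"], path)] += 1
    return {k: v for k, v in counts.items() if v >= min_posts}

# Constructed identity-store logon events (account, source IP, logon type) and
# an assumed per-account baseline of /24 subnets it normally authenticates from.
BASELINE_SUBNETS = {"svc-backup": {"10.0.20"}, "eng-hmi01$": {"10.0.30"}}
AUTH_EVENTS = [
    ("svc-backup", "10.0.20.4", "service"),
    ("eng-hmi01$", "10.0.30.11", "network"),
    ("svc-backup", "198.51.100.23", "interactive"),  # reused from the edge device
]
def anomalous_logons(events, baseline=BASELINE_SUBNETS):
    """Flag logons from outside the account's baseline subnets (an unknown
    account counts as outside) and service accounts used interactively."""
    alerts = []
    for acct, ip, ltype in events:
        subnet = ".".join(ip.split(".")[:3])
        off_baseline = subnet not in baseline.get(acct, set())
        if off_baseline or (acct.startswith("svc-") and ltype == "interactive"):
            alerts.append((acct, ip, ltype))
    return alerts
```

Both checks are deliberately simple heuristics meant to be tuned against a site's own allowlist and identity baselines before they are used for alerting.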
- Tracked threat groups: 26 total tracked; 11 active in 2025.
- New groups: 3 identified — Sylvanite, Azurite, Pyroxene.
- Ivanti exploit timeframe: weaponized within 48 hours of disclosure.