Particle.news

Dragos Report Finds Ransomware Surge and New OT Threat Groups Targeting Industrial Systems

Dragos warns rapid exploitation, credential abuse, and poor OT visibility increase the risk of physical disruption.

Overview

  • Dragos identified three new threat groups in 2025 (Sylvanite, Azurite, and Pyroxene), each advancing OT intrusions by a different route: access brokering, OT data theft, and IT‑to‑OT pivoting with wiper malware.
  • Sylvanite rapidly weaponized n‑day flaws in edge devices from vendors such as Ivanti and F5 to install web shells and extract credentials, then brokered the resulting access to other threat groups, including Voltzite.
  • Azurite exfiltrated OT network diagrams, alarm data, PLC configurations, and HMI files from engineering workstations at targets in the US, Europe, and Asia‑Pacific, material Dragos assesses is being used to develop OT‑specific capabilities.
  • Pyroxene used recruitment‑themed social engineering and data‑wiping malware in campaigns that leveraged supply‑chain relationships; Dragos assesses the group is positioning itself for future ICS‑impacting operations.
  • Ransomware hit about 3,300 industrial victims in 2025, attributed to 119 groups, with an average dwell time of 42 days; attackers typically gained and kept access by abusing remote‑access portals and virtualization layers. Fewer than 10% of OT networks had monitoring in place, and 30% of incidents were first flagged by operations staff rather than by security tooling.