Dragos Named Three New OT Threat Groups. One Deployed Wipers During the Iran Conflict. Here's Where Each One Fits.
- Patrick Duggan
Dragos now tracks 26 OT threat groups, three of them new this cycle: SYLVANITE, AZURITE, and PYROXENE. We keep a standing watch on adversaries who touch industrial control systems, and until today our adversary index held the old mineral-named roster — CHRYSENE, MAGNALLIUM, XENOTIME, DYMALLOY — but not these three. This is us closing that gap, and doing the part that matters more than the names: saying which existing threat each one actually belongs to, because none of these groups operates alone. The headline finding in the 2026 Dragos report is that OT adversaries have stopped working as lone wolves and started working as an ecosystem — access brokers feeding intrusion specialists feeding disruption crews. Read through that lens, the three new names are not three new problems. They are three new roles in problems we already track.
PYROXENE is the one that belongs to our Iran watch, and it is the most dangerous of the three because it does not steal or broker — it destroys. During the regional conflict in June, PYROXENE deployed destructive wiper malware against critical infrastructure, targeting the United States, Western Europe, and the Middle East. That timing and that target set put it squarely alongside the actors we already follow in the Iran lane, the wiper-wielding MOIS-adjacent operators who treat critical infrastructure as a retaliation surface. What makes PYROXENE worth a defender's specific attention is how it gets in: multi-year supply-chain campaigns and social engineering aimed at operational personnel, including fake LinkedIn profiles posing as recruiters to reach the people who actually run the plant. It also leans on initial access handed off from PARISITE, an Iran-nexus access group. So the PYROXENE playbook is a long game — cultivate a plant operator over months through a fake recruiter relationship, or ride in on access PARISITE already established, then wait for a geopolitical trigger to burn the environment down. For anyone running OT in energy, water, or manufacturing, the actionable part is not an IP to block. It is that your operators are being courted on LinkedIn right now, and the courtship is the intrusion.
SYLVANITE is a China-nexus access broker, and it belongs to the story we have been telling about VOLTZITE, the group better known as Volt Typhoon. Dragos observed SYLVANITE directly while responding to incidents at U.S. electric and water utilities, where it exploited Ivanti vulnerabilities and extracted Active Directory credentials, then handed the established foothold to VOLTZITE for the deeper OT intrusion. It shares technical overlap with the UNC5221, UNC5174, and UNC5291 clusters, the Ivanti-and-edge-appliance exploitation crews that have been the connective tissue of Chinese pre-positioning against U.S. critical infrastructure. This matters because it confirms a division of labor we have watched harden all year: one group's entire job is to kick the edge-device door open and grab the credentials, and a different, quieter group walks through to sit in the control network. SYLVANITE is the door-kicker. The Ivanti, F5, SAP, and ConnectWise bugs it moves through are the same edge-appliance soft surface we have written about for months: every exposed appliance is, once again, a foot in the door.
AZURITE is the patient one, and it belongs to the Flax Typhoon story. Where SYLVANITE brokers and PYROXENE burns, AZURITE watches. Its focus is long-term access and OT data theft — specifically the theft of the engineering knowledge that makes a later disruptive attack possible. It targets OT engineering workstations and exfiltrates network diagrams, alarm data, and process information across manufacturing, defense, automotive, electric, oil and gas, and government organizations in the U.S., Australia, Europe, and Asia-Pacific. That shopping list is not random. Network diagrams, alarm configurations, and process values are exactly what an adversary needs to build a capability that can cause a specific physical effect on a specific plant later — the difference between malware that crashes a computer and malware that opens a valve. AZURITE's technical overlap with Flax Typhoon puts it in the Chinese pre-positioning family alongside SYLVANITE, but in a complementary role: SYLVANITE gets in, AZURITE learns the building well enough to one day break it on purpose.
Put the three together and the ecosystem is legible. A China-nexus pair, SYLVANITE breaking in through edge appliances and AZURITE stealing the engineering blueprints, building the long-term capability to disrupt U.S. utilities on a future timeline. And an Iran-nexus destroyer, PYROXENE, already willing to deploy wipers on the near timeline whenever the geopolitics demand it, getting in through a fake recruiter, a patient supply-chain compromise, or access PARISITE already holds rather than through any one CVE. The old mineral names on the Dragos board were mostly espionage. These three are the maturation into disruption, and the most destructive of them does not need a single exploit to reach your operators; it needs a plausible LinkedIn message and time.
We are adding all three to our OT watch. The defensive takeaways are unglamorous and specific. Treat any Ivanti, F5, SAP, or ConnectWise appliance you expose as a credential-theft point: rotate the Active Directory accounts it can reach and alert on any logon that originates from the appliance with an account it has no business using, because that is SYLVANITE's on-ramp. Treat engineering workstations as crown-jewel assets with their own egress monitoring, because the diagrams, alarm data, and process information on them are what AZURITE is after. And tell your operations staff, out loud, that the friendly recruiter on LinkedIn is a documented OT attack vector now, because that is how PYROXENE finds the person whose access it needs before it deploys the wiper.
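The first two takeaways, appliance-sourced credential use and engineering-workstation egress, as detection logic run over sample records. This is an added example, not Dragos's code and not tooling from this post's authors. The appliance inventory, the engineering-workstation list, the internal address ranges, the byte threshold, and the log records (field names modeled on Windows 4624/4625 logon events and on flow records) are all constructed assumptions, not data from the report.

```python
"""Added example (not Dragos's or this post's own code): two detections for the
takeaways above, run over constructed records. Every inventory, field name and
threshold below is a hypothetical assumption."""
import ipaddress
from collections import defaultdict

# Hypothetical inventory: exposed edge appliances and the only AD accounts each
# is expected to authenticate with (its LDAP/RADIUS service account).
APPLIANCES = {
    "10.0.5.10": {"role": "ivanti-vpn", "allowed_accounts": {"svc_vpn_ldap"}},
    "10.0.5.20": {"role": "f5-apm", "allowed_accounts": {"svc_f5_ldap"}},
}
# Hypothetical engineering workstations: crown-jewel hosts with their own egress rule.
ENGINEERING_WS = {"10.20.3.11", "10.20.3.12"}
# Address space those workstations may legitimately talk to; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
EGRESS_BYTES_THRESHOLD = 10_000_000  # assumed: ~10 MB outbound per destination is "high"
# Windows logon types that mean a human-style session rather than a service bind.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed logon events (schema modeled on Windows 4624 success / 4625 failure).
LOGON_EVENTS = [
    {"event_id": 4624, "logon_type": 3, "account": "svc_vpn_ldap", "src_ip": "10.0.5.10", "target": "DC01"},
    {"event_id": 4624, "logon_type": 3, "account": "j.smith", "src_ip": "10.0.5.10", "target": "DC01"},
    {"event_id": 4624, "logon_type": 3, "account": "j.smith", "src_ip": "10.20.1.44", "target": "FS01"},
    {"event_id": 4625, "logon_type": 3, "account": "administrator", "src_ip": "10.0.5.20", "target": "DC01"},
    {"event_id": 4624, "logon_type": 10, "account": "svc_f5_ldap", "src_ip": "10.0.5.20", "target": "ENG-WS-01"},
]

# Constructed flow records (src, dst, port, bytes sent by src).
FLOWS = [
    {"src_ip": "10.20.3.11", "dst_ip": "10.0.9.5", "dst_port": 445, "bytes_out": 120_000},
    {"src_ip": "10.20.3.11", "dst_ip": "203.0.113.8", "dst_port": 443, "bytes_out": 6_000_000},
    {"src_ip": "10.20.3.11", "dst_ip": "203.0.113.8", "dst_port": 443, "bytes_out": 7_500_000},
    {"src_ip": "10.20.3.12", "dst_ip": "198.51.100.20", "dst_port": 443, "bytes_out": 900},
    {"src_ip": "10.20.1.44", "dst_ip": "203.0.113.8", "dst_port": 443, "bytes_out": 50_000_000},
]


def detect_appliance_credential_use(events, appliances=APPLIANCES):
    """Alert on any AD logon whose source is an exposed appliance and that the
    appliance should not be making: an account outside its allow-list, a failed
    logon, or an interactive/RDP logon type even with the expected account."""
    alerts = []
    for ev in events:
        app = appliances.get(ev["src_ip"])
        if app is None:
            continue  # not an appliance; out of scope for this rule
        reasons = []
        if ev["account"] not in app["allowed_accounts"]:
            reasons.append("unexpected account")
        if ev["event_id"] == 4625:
            reasons.append("failed logon")
        if ev["logon_type"] in INTERACTIVE_LOGON_TYPES:
            reasons.append("interactive logon type")
        if reasons:
            alerts.append({"rule": "appliance-credential-use", "appliance": app["role"],
                           "src_ip": ev["src_ip"], "account": ev["account"],
                           "target": ev["target"], "reasons": reasons})
    return alerts


def is_internal(ip, nets=INTERNAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def detect_engineering_egress(flows, eng_ws=ENGINEERING_WS, threshold=EGRESS_BYTES_THRESHOLD):
    """Sum outbound bytes per (workstation, external destination) so a transfer
    split across many sessions still crosses the threshold. Any external contact
    from an engineering workstation is at least medium severity."""
    totals = defaultdict(int)
    ports = defaultdict(set)
    for fl in flows:
        if fl["src_ip"] not in eng_ws or is_internal(fl["dst_ip"]):
            continue
        key = (fl["src_ip"], fl["dst_ip"])
        totals[key] += fl["bytes_out"]
        ports[key].add(fl["dst_port"])
    alerts = []
    for (src, dst), total in sorted(totals.items()):
        alerts.append({"rule": "engineering-ws-egress", "src_ip": src, "dst_ip": dst,
                       "bytes_out": total, "dst_ports": sorted(ports[(src, dst)]),
                       "severity": "high" if total >= threshold else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_appliance_credential_use(LOGON_EVENTS) + detect_engineering_egress(FLOWS):
        print(alert)
```

On the constructed records, the first rule fires three times: a domain user authenticating from the Ivanti appliance, a failed administrator logon from the F5, and the F5's own service account opening an RDP session to an engineering workstation. The second rule aggregates the two sessions from 10.20.3.11 into one high-severity alert (13.5 MB to one external host) and flags 10.20.3.12's small external contact as medium; the non-engineering host's large upload is out of scope for this rule by design. Tune the allow-lists and threshold to your own inventory; the aggregation and the "wrong account from an appliance" logic are the parts that carry over.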
Sources: Dragos 2026 OT/ICS Cybersecurity Year in Review and associated reporting (Industrial Cyber, Cybersecurity Dive). Attribution overlaps (VOLTZITE/Volt Typhoon, Flax Typhoon, UNC5221/5174/5291, PARISITE) are Dragos's; the ecosystem framing and the mapping to our standing Iran and China watches are ours.