New Cyber Threats Targeting ICS/OT in 2025 Identified

Posted on February 17, 2026 By CWS

In 2025, three new threat groups have emerged, focusing their cyberattacks on industrial control systems (ICS) and operational technology (OT), as highlighted in the latest report by cybersecurity firm Dragos. This report, which is the company’s ninth annual assessment, reveals the addition of Sylvanite, Azurite, and Pyroxene to the list of 26 monitored threat groups, with 11 of them remaining active throughout the year.

Emergence of Sylvanite

Sylvanite has been identified as a rapid exploitation broker, facilitating access to critical infrastructure for another group known as Voltzite. Notably, Voltzite is recognized for its long-term infiltration capabilities, particularly within the US electric grid. Sylvanite has demonstrated swift exploitation of n-day vulnerabilities, such as the Ivanti VPN flaws, managing to install persistent web shells and extract Active Directory credentials on F5 appliances, subsequently providing this access to Voltzite.

This group’s targets span various sectors, including electric power, oil and gas, water, manufacturing, and public administration, affecting regions like North America, Europe, and Asia. Though there are overlapping activities with Chinese-linked groups like UNC5221, precise attribution remains complex, and such overlaps do not conclusively prove a direct connection.

Insights into Azurite

Another newly identified group, Azurite, shares links with several Chinese-associated threat groups such as Flax Typhoon and Ethereal Panda, and shows some connections to Voltzite. Azurite’s activities have been directed towards stealing operational data from manufacturing, automotive, defense, and government sectors across the globe, including the US and Europe.

By compromising SOHO routers and leveraging edge devices, Azurite has infiltrated OT networks, gathering vital information like network diagrams and alarm data. While this might primarily serve for intellectual property theft, the exfiltrated data could also enable significant operational disruptions.

Understanding Pyroxene

The third group, Pyroxene, has associations with Iran-linked entities like APT35. Active since 2023, Pyroxene specializes in facilitating cross-domain access from IT to OT networks, employing social engineering tactics and wiper malware. They have targeted sectors such as aerospace, transportation, and utilities, posing a risk of severe disruption through the destruction of IT systems.

Dragos indicates that Pyroxene is positioning itself for future ICS-impacting operations by exploiting supply chains and IT-OT dependencies. This creates a credible risk of disruption, even if OT networks are not the primary targets.

Ongoing Threats and Future Outlook

Beyond the newly identified groups, the report also notes that existing threats like Kamacite, linked to Russia, are expanding their scope. Previously targeting Ukraine, they now scan for industrial devices globally, suggesting a resumption of broader operations.

Dragos CEO Robert M. Lee emphasizes that while intellectual property theft remains a primary focus, these groups are increasingly interested in data that could facilitate future disruptions. The comprehensive 2026 report also covers ransomware attacks and vulnerabilities in ICS/OT products, providing strategic recommendations for defenders.
