BAUXITE
Ability to compromise PLCs, modify ladder logic, and deploy custom backdoors on OT devices.

BAUXITE is capable of Stage 2 of the ICS Cyber Kill Chain (ICS attack development and execution) and has demonstrated the ability to compromise PLCs and deploy custom backdoors on OT devices. The group is active on OT/ICS-focused forums and closely monitors security advisories for OT/ICS OEM products and ICS protocols, likely documenting and cataloging known vulnerabilities to target in future campaigns.
BAUXITE's targeting strategies and operational focus have evolved under state-sponsored directives or geopolitical pressures. Through 2025, BAUXITE is expected to enhance its capabilities and attempt to conduct disruptive operations against OT/ICS entities globally.
Date: Since 2017
ADVERSARY
- Overlaps with CyberAv3ngers
CAPABILITIES
- Uses publicly known exploits
- Consumes Security Advisories from OT/ICS OEMs
- Leverages tools built into Kali Linux
- Linux Backdoor with C2 over MQTT
VICTIM
- Global impact, victims in the U.S., Australia, U.K., and Israel
INFRASTRUCTURE
- Use/reuse of bulletproof hosting providers and adversary-owned infrastructure
- Separate infrastructure for CNA/CNE (computer network attack/exploitation) operations, scanning, and research
ICS IMPACT
- ICS Cyber Kill Chain Stage 2
- Denial of Control, Loss of Availability, Loss of Control, Loss of Productivity and Revenue, Loss of View