BAUXITE

Ability to comprimise PLCs, modify ladder logic, and deploy custom backdoors on OT Devices.

THREAT DESCRIPTION

Dragos-designated threat group BAUXITE was implicated in multiple global campaigns targeting OT/ICS entities and specific devices. Based on capabilities and network infrastructure, this group shares substantial technical overlaps with the pro-Iranian hacktivist persona CyberAv3ngers.

BAUXITE is capable of Stage 2 ICS Cyber Kill Chain and has demonstrated the ability to compromise PLCs and deploy custom backdoors on OT devices. The group is active on OT/ICS-focused forums and extensively monitors security advisories from OEMs and ICS protocols, likely documenting and cataloging known vulnerabilities to target in future campaigns.

BAUXITE’s targeting strategies and operational focus evolved under state-sponsored directives or geopolitical pressures. Through 2025, BAUXITE is expected to enhance its capabilities and attempt to conduct disruptive operations against OT/ICS entities globally.

Date: Since 2017

ADVERSARY

Overlaps with CyberAv3ngers

CAPABILITIES

Uses publicly known exploits
Consumes Security Advisories from OT/ICS OEMs
Leverages tools built into Kali Linux
Linux Backdoor with C2 over MQTT

VICTIM

Global impact, victims in the U.S., Australia, U.K., and Israel

INFRASTRUCTURE

Use/reuse of bulletproof hosting providers & owned infrastructure
Different infrastructure for CNA/CNE, Scanning & Research

ICS IMPACT

ICS Cyber Kill Chain Stage 2
Denial of Control, Loss of Availability, Loss of Control, Loss of Productivity and Revenue, Loss of View

Explore Threat Groups

VOLTZITE

September 4, 2025 11:25 AM
HEXANE

September 4, 2025 11:23 AM
CHERNOVITE

September 4, 2025 11:19 AM