PETROVITE

Employs spearphishing and backdoor capabilities for initial access, reconnaissance, C2.

THREAT DESCRIPTION

Dragos is currently tracking a new stage 1 ICS Cyber Kill Chain adversary identified as PETROVITE. PETROVITE demonstrates Stage 1 of the ICS Kill Chain capabilities and targets mining and energy operations in Kazakhstan.

The overlaps with other AGs and consistent capability development could lead to more targeted ICS incidents beyond general system reconnaissance and collection. While Dragos cannot connect PETROVITE to any known, disruptive event, the group remains active and continues to display an interest in collection on ICS/OT systems and networks.

Dragos is aware of targeted operations that started during the third quarter of 2019 and have intermittently continued throughout 2021. Campaigns during 2019 used compromised legitimate infrastructure in Kazakhstan, whereas campaigns during 2021 focused on compromising legitimate infrastructure in other parts of the world.

Date: Since 2019

ADVERSARY

Overlaps with KAMACITE and FANCY BEAR activity

CAPABILITIES

Tailored spearphishing documents
ZEBROCY - backdoor system recon and collection capability

VICTIM

Eurasian Resources Group business units located in Kazakhstan;
Mining and Energy operations, Critical Manufacturing in Kazakhstan and Central Asia;
Interest in collection on ICS/OT systems & networks

INFRASTRUCTURE

Legitimate, compromised third-party infrastructure;
Often WordPress servers;
Has compromised servers in victim country of Kazakhstan;

ICS IMPACT

Stage 1 of ICS Kill Chain
Delivery, Installation, Command and Control, Action on Objectives

Explore Threat Groups

VOLTZITE

September 4, 2025 11:25 AM
HEXANE

September 4, 2025 11:23 AM
CHERNOVITE

September 4, 2025 11:19 AM