PYROXENE
Targets OT engineering workstations to exfiltrate operational data and enable future offensive operations.
The adversary demonstrates patient, methodical operational behavior, often interacting with targets over extended periods before delivering tailored malware or attempting credential theft. It compromises suppliers, contractors, and trusted third parties to gain indirect access to higher-value organizations, including those with OT environments.
PYROXENE has collaborated with PARISITE, a highly capable, initial-access-focused adversary, during deep intrusions of critical infrastructure organizations. Using pre-positioned access, PYROXENE establishes pathways into OT environments and conducts reconnaissance and enumeration to support future operational requirements. During periods of heightened geopolitical tension and conflict, PYROXENE will transition to disruptive capabilities, including the deployment of destructive wiper malware against its victims.
Date: Since 2017
- Shares technical overlaps with the APT35, UNC1549, and Tortoiseshell adversary clusters.
- Associated with IRGC operators sanctioned by the U.S. Government for attacks against U.S. critical infrastructure.
- Collaborates with PARISITE for initial access.
- Transitions between intelligence gathering and disruptive operations.
- Stages recruitment-themed social engineering campaigns using social media profiles.
- Builds custom RAT malware (MINIBIKE) and destructive wiper malware (BLUERABBIT).
- Uses custom-built capabilities and living-off-the-land (LOTL) techniques to move laterally between enterprise IT and OT-adjacent networks.
- Confirmed critical infrastructure victims in the United States, Europe, and the Middle East.
- Focuses on the transportation and logistics, defense, aerospace, aviation, maritime, and government sectors.
- Spoofs domains of legitimate entities and leverages compromised websites and email accounts for follow-on activity.
- Malware command and control (C2) is often obscured behind legitimate services, email-based messaging, or CDN- and cloud-hosted domains.
- Favors commercial and bulletproof hosting providers for privately owned VPS and VPN infrastructure.
- Compromises IT-to-OT pathways, enabling lateral movement.
- Establishes footholds supporting future disruption or targeted ICS manipulation.