Awesome Industrial Control System (ICS) Malware

A curated and updated¹ list of awesome (and not-so-awesome) ICS malware.

---

Year	Name	Brief Description
2005	fast16	Early cyber-physical sabotage framework targeting high-precision engineering software used in industrial environments.
2010	Stuxnet	The world’s first publicly known digital weapon against ICSs.
2010	Night Dragon	Sophisticated malware to target global oil, energy, and petrochemical companies.
2011	Duqu	Advanced and complex malware used to Flame/Gauss target specific organizations, including ICS manufacturers.
2012	Shamoon Malware	Used to target large energy companies in the Middle East, including Saudi Aramco and RasGas.
2013	Havex	An ICS-focused RAT used for information gathering.
2014	BlackEnergy2	Malware that targeted human-machine interfaces (HMIs) in ICSs.
2015	BlackEnergy3	Malware that targeted human-machine interfaces (HMIs) in ICSs.
2015	Irongate	Malware family used to manipulate industrial process running on a simulated Siemens control system environment
2017	Industroyer aka CRASHOVERRIDE	Malware employed in attacking power grid in Ukraine.
2017	TRITON aka Trisis	Industrial safety systems in the Middle HatMan East targeted by sophisticated malware.
2022	Industroyer2	New simplified version of Industroyer1.
2022	Pipedream	Multitool targeting OPC-UA servers, Siemens and Omron devices.
2024	FrostyGoop	Malware employed to launch attacks against Modbus TCP-enabled devices.
2024	Fuxnet	Improved Stuxnet version employed by BlackJack group to attack Russian companies.
2024	IOCONTROL	Malware allowing backdoor access to compromised IoT/OT devices.
2024	Chaya_003	Malware able to kill Siemens engineering process and execute commands from a C2 server.
2025	DynoWiper	Malware designed to corrupt and disrupt files on compromised HMIs in Poland.
2026	ZionSiphon	Likely LLM-generated malware targeting Israeli water treatment and desalination systems

---

fast16

also known as fast16.sys

Technical Analysis

• SentinelLABS, fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet, 2026.
• R. Santamarta, Special Edition: Reverse Engineering The Fast16 Physics Payload, 2026.

Notes

• fast16 is a cyber sabotage framework dating back to 2005 that predates Stuxnet.
• It targets high-precision engineering and simulation software (e.g., structural analysis, hydrodynamics, physics simulations) used in industrial and scientific environments.
• The malware deploys a kernel-level filesystem driver (fast16.sys) that intercepts executable loading and applies rule-based in-memory patching.
• A key capability is the injection of floating-point routines that alter numerical computation results; reverse engineering shows the malware implements a state-driven adversarial model that modifies simulation outputs across defined regions (pass-through, linear, plateau), effectively acting as an "adversary-in-the-simulation".
• The framework includes a modular carrier (svcmgmt.exe) with propagation capabilities across networked systems, aiming to produce consistent corrupted outputs within a facility.
• While it does not directly target PLCs or SCADA protocols, its impact on engineering workflows relevant to industrial systems makes it significant to the ICS threat landscape.

Resources

• SentinelLABS, YARA rules for fast16 carrier and driver, 2026.
• Special Edition: Reverse Engineering The Fast16 Physics Payload, 2026.

Samples

SHA256

9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525 svcmgmt.exe
07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529 fast16.sys
8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9 connotify.dll

---

Stuxnet

Technical Analysis

• N. Falliere, L. O. Murchu, E. Chien, W32.Stuxnet Dossier, 2011.
• R. Langner, To kill a centrifuge: A technical analysis of what Stuxnet’s creators tried to achieve, Langner, 2013.
• AmrThabet, Stuxnet Malware Analysis Paper, 2011.
• N. Lawson, Stuxnet is embarrassing, not amazing, 2011.
• Center for Security Studies (CSS), ETH Zürich, Hotspot Analysis: Stuxnet, 2017.

Advisories

• ICS-CERT, Advisory (ICSA-10-238-01B): Stuxnet malware mitigation, 2010.

Press

• K. Zetter, How digital detectives deciphered Stuxnet: The most menacing malware in history, Wired, 2011.
• K. Zetter, An unprecedented look at Stuxnet: The world’s first digital weapon, Wired, 2014.
• A. C. Foltz, Stuxnet, Schmitt Analysis, and the Cyber “Use-of-Force” Debate, 2012.

Others

• D. Turner, Prepared Testimony and Statement for the Record of Dean Turner, United States Senate Committee on Homeland Security and Governmental Affairs, 2010.

Samples

• loneicewolf, Stuxnet-Source, 2014.

---

Night Dragon

Technical Analysis

• McAfee, Global energy cyberattacks: Night Dragon, 2011.

Advisories

• ICS-CERT, Advisory (ICSA-11-041-01A): McAfee Night Dragon report, 2011.

---

Duqu

Technical Analysis

• B. Bencsath, Duqu, Flame, Gauss: Followers of Stuxnet, RSA Conference, 2012.

---

Shamoon Malware

Technical Analysis

• Symantec, The Shamoon attacks, 2011.

Advisories

• ICS-CERT, JSAR-12-241-01B: Shamoon/DistTrack malware, 2012.

Press

• N. Perlroth, In cyberattack on Saudi firm, U.S. sees Iran firing back, The New York Times, 2012.
• K. Zetter, Qatari gas company hit with virus in wave of attacks on energy companies, Wired, 2012.

---

Havex

also known as Oldrea

Technical Analysis

• Malpedia, Havex RAT, 2014.
• F-SECURE Labs, Havex Hunts For ICS/SCADA Systems, 2014.
• TrendMicro, HAVEX Targets Industrial Control Systems, 2014.
• Rrushi J, Farhangi H, Howey C, Carmichael K, Dabell J. A quantitative evaluation of the target selection of havex ics malware plugin. InIndustrial control system security (ICSS) workshop, 2025.

Advisories

• ICS-CERT, Advisory (ICSA-14-178-01): ICS focused malware, 2014.
• CISA, Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector, 2022.

Resources

• Malpedia, Yara rule, direct download

Samples

SHA1

7f249736efc0c31c44e96fb72c1efcc028857ac7
1c90ecf995a70af8f1d15e9c355b075b4800b4de
db8ed2922ba5f81a4d25edb7331ea8c0f0f349ae
efe9462bfa3564fe031b5ff0f2e4f8db8ef22882

---

BlackEnergy2

Technical Analysis

• Malpedia, BlackEnergy, 2024.
• SecureList, BE2 custom plugins, router abuse, and target profiles, 2014.
• Secureworks, BlackEnergy Version 2 Threat Analysis, 2010.
• S. Siddhant (SUTD), BlackEnergy - Malware for Cyber-Physical Attacks, 2016
• Incibe, ICS malware analysis study: BlackEnergy, 2024.

Resources

• Malpedia, Yara rules, direct download, 2024.

Samples

MD5

d57ccbb25882b16198a0f43285dafbb4
7740a9e5e3feecd3b7274f929d37bccf
948cd0bf83a670c05401c8b67d2eb310
f2be8c6c62be8f459d4bb7c2eb9b9d5e
26a10fa32d0d7216c8946c8d83dd3787
8c51ba91d26dd34cf7a223eaa38bfb03
c69bfd68107ced6e08fa22f72761a869
3cd7b0d0d256d8ff8c962f1155d7ab64
298b9a6b1093e037e65da31f9ac1a807
d009c50875879bd2aefab3fa1e20be09
88b3f0ef8c80a333c7f68d9b45472b88
17b00de1c61d887b7625642bad9af954
27eddda79c79ab226b9b24005e2e9b6c
48937e732d0d11e99c68895ac8578374
82418d99339bf9ff69875a649238ac18
f9dcb0638c8c2f979233b29348d18447
72372ffac0ee73dc8b6d237878e119c1
c229a7d86a9e9a970d18c33e560f3dfc
ef618bd99411f11d0aa5b67d1173ccdf
383c07e3957fd39c3d0557c6df615a1a
105586891deb04ac08d57083bf218f93
1deea42a0543ce1beeeeeef1ffb801e5
7d1e1ec1b1b0a82bd0029e8391b0b530
1f751bf5039f771006b41bdc24bfadd3
d10734a4b3682a773e5b6739b86d9b88
632bba51133284f9efe91ce126eda12d
a22e08e643ef76648bec55ced182d2fe
04565d1a290d61474510dd728f9b5aae
3c1bc5680bf93094c3ffa913c12e528b
6a03d22a958d3d774ac5437e04361552
0217eb80de0e649f199a657aebba73aa
79cec7edf058af6e6455db5b06ccbc6e
f8453697521766d2423469b53a233ca7
8a449de07bd54912d85e7da22474d3a9
3f9dc60445eceb4d5420bb09b9e03fbf
8f459ae20291f2721244465aa6a6f7b9
4b323d4320efa67315a76be2d77a0c83
035848a0e6ad6ee65a25be3483af86f2
90d8e7a92284789d2e15ded22d34ccc3
edb324467f6d36c7f49def27af5953a5
c1e7368eda5aa7b09e6812569ebd4242
ec99e82ad8dbf1532b0a5b32c592efdf
391b9434379308e242749761f9edda8e
6bf76626037d187f47a54e97c173bc66
895f7469e50e9bb83cbb36614782a33e
1feacbef9d6e9f763590370c53cd6a30
82234c358d921a97d3d3a9e27e1c9825
558d0a7232c75e29eaa4c1df8a55f56b
e565255a113b1af8df5adec568a161f3
1821351d67a3dce1045be09e88461fe9
b1fe41542ff2fcb3aa05ff3c3c6d7d13
53c5520febbe89c25977d9f45137a114
4513e3e8b5506df268881b132ffdcde1
19ce80e963a5bcb4057ef4f1dd1d4a89
9b29903a67dfd6fec33f50e34874b68b
b637f8b5f39170e7e5ada940141ddb58
c09683d23d8a900a848c04bab66310f1
6d4c2cd95a2b27777539beee307625a2
e32d5c22e90cf96296870798f9ef3d15
64c3ecfd104c0d5b478244fe670809cc
b69f09eee3da15e1f8d8e8f76d3a892a
294f9e8686a6ab92fb654060c4412edf
6135bd02103fd3bab05c2d2edf87e80a
b973daa1510b6d8e4adea3fb7af05870
8dce09a2b2b25fcf2400cffb044e56b8
6008f85d63f690bb1bfc678e4dc05f97
1bf8434e6f6e201f10849f1a4a9a12a4
6cac1a8ba79f327d0ad3f4cc5a839aa1
462860910526904ef8334ee17acbbbe5
eeec7c4a99fdfb0ef99be9007f069ba8
6bbc54fb91a1d1df51d2af379c3b1102
8b152fc5885cb4629f802543993f32a1
6d1187f554040a072982ab4e6b329d14
3bfe642e752263a1e2fe22cbb243de57
c629933d129c5290403e9fce8d713797
1c62b3d0eb64b1511e0151aa6edce484
811fcbadd31bccf4268653f9668c1540
0a89949a3a933f944d0ce4c0a0c57735
a0f594802fbeb5851ba40095f7d3dbd1
bf6ce6d90535022fb6c95ac9dafcb5a5
df84ff928709401c8ad44f322ec91392
fda6f18cf72e479570e8205b0103a0d3
39835e790f8d9421d0a6279398bb76dc
fe6295c647e40f8481a16a14c1dfb222
592c5fbf99565374e9c20cade9ac38aa
ad8dc222a258d11de8798702e52366aa
bc21639bf4d12e9b01c0d762a3ffb15e
3122353bdd756626f2dc95ed3254f8bf
e02d19f07f61d73fb6dd5f7d06e9f8d2
d2c7bf274edb2045bc5662e559a33942
ac1a265be63be7122b94c63aabcc9a66
e06c27e3a436537a9028fdafc426f58e
6cf2302e129911079a316cf73a4d010f
38b6ad30940ddfe684dad7a10aea1d82
f190cda937984779b87169f35e459c3a
698a41c92226f8e444f9ca7647c8068c
bc95b3d795a0c28ea4f57eafcab8b5bb
82127dc2513694a151cbe1a296258850
d387a5e232ed08966381eb2515caa8e1
f4b9eb3ddcab6fd5d88d188bc682d21d
8e42fd3f9d5aac43d69ca740feb38f97
a43e8ddecfa8f3c603162a30406d5365
ea7dd992062d2f22166c1fca1a4981a1
7bf6dcf413fe71af2d102934686a816b
cf064356b31f765e87c6109a63bdbf43
4a46e2dc16ceaba768b5ad3cdcb7e097
2134721de03a70c13f2b10cfe6018f36
7add5fd0d84713f609679840460c0464
cc9402e5ddc34b5f5302179c48429a56
9803e49d9e1c121346d5b22f3945bda8
c5f5837bdf486e5cc2621cc985e65019
2b72fda4b499903253281ebbca961775
7031f6097df04f003457c9c7ecbcda1c
6a6c2691fef091c1fc2e1c25d7c3c44c
9bd3fa59f30df5d54a2df385eba710a5
5100eb13cac2fc3dec2d00c5d1d3921c
0a2c2f5cf97c65f6473bdfc90113d81e
30b74abc22a5b75d356e3a57e2c84180
a0424e8436cbc44107119f62c8e7491b
c1ba892d254edd8a580a16aea6f197e9
e70976785efcfaeed20aefab5c2eda60
397b5d66bac2eb5e950d2a4f9a5e5f2c
4e9bde9b6abf7992f92598be4b6d1781
54d266dee2139dd82b826a9988f35426
5b4faa2846e91e811829a594fecfe493
907448af4388072cdc01e69b7b97b174
ccad214045af69d06768499a0bd3d556
1395dfda817818c450327ab331d51c1b
715e9e60be5a9b32075189cb04a0247e
3835c8168d66104eed16c2cd99952045
f32c29a620d72ec0a435982d7a69f683
95e9162456d933fff9560bee3c270c4e
da01ef50673f419cf06b106546d06b50
2dd4c551eacce0aaffedf4e00e0d03de
34f80f228f8509a67970f6062075e211
81ca7526881a0a41b6721048d2f20874
d642c73d0577dd087a02069d46f68dac

---

BlackEnergy3

Technical Analysis

• Malpedia, BlackEnergy, 2024.
• S. Siddhant (SUTD), BlackEnergy - Malware for Cyber-Physical Attacks, 2016
• Incibe, ICS malware analysis study: BlackEnergy, 2024.

Advisories

• ICS-CERT, Alert (ICS-ALERT-14-281-01E): Ongoing sophisticated malware campaign compromising ICS, 2014.

Press

• K. Zetter, Everything we know about Ukraines power plant hack, Wired, 2016.

Samples

MD5

f0ebb6105c0981fdd15888122355398c
7cb6363699c5fd683187e24b35dd303e
4d5c00bddc8ea6bfa9604b078d686d45
f37b67705d238a7c2dfcdd7ae3c6dfaa
46649163c659cba8a7d0d4075329efa3
628ef31852e91895d601290ce44650b1
723eb7a18f4699c892bc21bba27a6a1a
8b9f4eade3a0a650af628b1b26205ba3
f6c47fcc66ed7c3022605748cb5d66c6
6c1996c00448ec3a809b86357355d8f9
faab06832712f6d877baacfe1f96fe15
2c72ef155c77b306184fa940a2de3844
2e62e8949d123722ec9998d245bc1966
b0dc4c3402e7999d733fa2b668371ade
93fa40bd637868a271002a17e6dbd93b
f98abf80598fd89dada12c6db48e3051
8a7c30a7a105bd62ee71214d268865e3
2f6582797bbc34e4df47ac25e363571d
81d127dd7957e172feb88843fe2f8dc1
3e25544414030c961c196cea36ed899d

---

Irongate

Technical Analysis

• Mandiant, IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activity on SCADA Systems, 2016.
• R. M. Lee, Sans, IRONGATE Malware - Thoughts and Lessons Learned for ICS/SCADA Defenders, 2016.

Press

• D. Bonderud, SecurityIntelligence, New ICS Malware Irongate Channels Stuxnet to Scam SCADA Systems, 2016.
• T. Spring, threatpost, Irongate ICS Malware Steals From Stuxnet Playbook, 2016.
• K. J. Higgins, Dark Reading, Irongate ICS Malware Steals From Stuxnet Playbook, 2016.

Samples

MD5

1F338BDD92F08803A2AC7022A34D98FD install.exe
7C51474E6560C51DFC815D4A227BA1AA Step7ProSim.dll
874F7BCAB71F4745EA6CDA2E2FB5A78C scada.exe
41906403206EA5C7DCDBFAE230ADD9FA update.exe(3)
EF2A97512FDB45CD26089AD2FF61F1CC update.exe(2)
3152F21D701A2397E7B22711B8019B82 update_no_pipe.exe(2)
9F37E1EA08E6A4AE03E9FEBA6D1F6259 update_no_pipe.exe(1)
75D118996F5190EDAFCA1B1904A7EEA8 update.exe(1)
957581FB38A4E76E84F60E2BB19B9499 bla.exe
7A0C1017E6B5BB5DC776B3B883A1D0E0 audiodg.exe

---

Industroyer

also known as CRASHOVERRIDE

Technical Analysis

• Dragos, CRASHOVERRIDE: Analysis of the threat to electric grid operations, 2017
• A. Cherepanov, WIN32/INDUSTROYER: A new threat for industrial control systems, Welivesecurity, June 12, 2017.
• G. Tsaraias, I. Speziale (Nozomi Netowkrs), Industroyer vs.Industroyer2: Evolution of the IEC 104 Component, 2022.
• Salazar L, Castro SR, Lozano J, et al. A tale of two Industroyers: It was the season of darkness. In 2024 IEEE Symposium on Security and Privacy (SP), IEEE, 2024

Advisories

• DHS, Alert (TA17-163A): CRASHOVERRIDE malware, USCERT, June 12, 2017.

Samples

SHA-256

a319551ef72492b3cd489de676b2f6e7938a5ef23e572d36dd742b599686caac 101.dll
7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad 104.dll
4e7d2b269088c1575a31668d86de95fd3dde6caa88051d7ec110f7f150058789 61850.dll
ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910 haslo.exe (Wiper)
156bd34d713d0c8419a5da040b3c2dd48c4c6b00d8a47698e412db16b1ffac0f opc.exe
7cc9ac6383437dd96161b93b017500a22a2c8d05f58778b9b9fce8ea73304546 svchost.exe (Launcher)
21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561 launcher.exe (Launcher)

---

TRITON

also known as Trisis and HatMan

Technical Analysis

• Dragos, TRISIS malware: Analysis of safety system targeted malware, 2017.
• Mandiant, Attackers Deploy New ICS Attack Framework, 2017.

Advisories

• ICS-CERT, MAR-17-352-01, Hatmansafety system targeted malware, 2017

Press

• Symantec, Triton: New malware threatens industrial safety systems, 2017.

Resources

• MDudek-ICS, TRITON-TRISIS-HATMAN samples and decompiled, 2020.
• Mandiant, Yara Rule, 2020.

Samples

SHA-256

e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230 trilog.exe
08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949 imain.bin
5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14 inject.bin
bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59 library.zip
2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326 TS_cnames.pyc
1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42 TsBase.pyc
758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272 TsHi.pyc
5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32 TSLow.pyc
c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1 sh.pyc

---

Industroyer2

Technical Analysis

• G. Tsaraias, I. Speziale (Nozomi Netowkrs), Industroyer vs.Industroyer2: Evolution of the IEC 104 Component, 2022.
• Salazar L, Castro SR, Lozano J, et al. A tale of two Industroyers: It was the season of darkness. In 2024 IEEE Symposium on Security and Privacy (SP), IEEE, 2024
• Vedere Labs (Forescout) and TU/Eindhoven, Industroyer2 and INCONTROLLER, 2022.
• Nozomi Networks Labs, Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload, 2022.
• ESET Research, Industroyer2: Industroyer reloaded, 2022.

Advisories

• Computer Emergency Response Team of Ukraine, Cyberattack by the Sandworm group (UAC-0082) on Ukrainian energy facilities using the malware INDUSTROYER2 and CADDYWIPER (CERT-UA#4435), 2022.

Samples

SHA-256

ea16cb89129ab062843c84f6c6661750f18592b051549b265aaf834e100cd6fc
43d07f28b7b699f43abd4f695596c15a90d772bfbd6029c8ee7bc5859c2b0861 sc.sh (OrcShred)
bcdf0bd8142a4828c61e775686c9892d89893ed0f5093bdc70bde3e48d04ab99 wobf.sh (AwfulShred)
87ca2b130a8ec91d0c9c0366b419a0fce3cb6a935523d900918e634564b88028 wsol.sh (SoloShred)
cda9310715b7a12f47b7c134260d5ff9200c147fc1d05f030e507e57e3582327 {zrada.exe, peremoga.exe, vatt.exe} (ArguePatch)
1724a0a3c9c73f4d8891f988b5035effce8d897ed42336a92e2c9bc7d9ee7f5a pa.pay (TailJump)
fc0e6f2effbfa287217b8930ab55b7a77bb86dbd923c0e8150551627138c9caa caddywiper.bin (CaddyWiper)
7062403bccacc7c0b84d27987b204777f6078319c3f4caa361581825c1a94e87 108_100.exe (2022-03-23) (Industroyer2)

---

Pipedream

also known as Chernovite, Incontroller.

Technical Analysis

• Dragos, Pipedream: CHERNOVITE’S Emerging Malware Targeting Industrial Control Systems, 2022.
• S. Hanson (Dragos), Deep Dive Into PIPEDREAM’s OPC UA Module, MOUSEHOLE, 2023.
• TXOne, Analysis of the PIPEDREAM Malware Local Exploit, 2022.
• N. Brubaker, K. Lunden, et al. (Mandiant), INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems, 2022.
• Vedere Labs (Forescout) and TU/Eindhoven, Industroyer2 and INCONTROLLER, 2022.

Press

• Security Intelligence, Pipedream malware can disrupt or destroy industrial systems, 2023.
• Dark Reading, Early Discovery of Pipedream Malware a Success Story for Industrial Security, 2022.

Resources

• Mandiant, YARA rule, 2022.

Samples

SHA-256

69296ca3575d9bc04ce0250d734d1a83c1348f5b6da756944933af0578bd41d2 LazyCargo (exploiting CVE-2020-15368, no ICS behavior)

---

FrostyGoop

also known as BUSTLEBERM.

Technical Analysis

• Dragos, Impact of FrostyGoop ICS Malware on Connected OT Systems, 2024.
• Nozomi Networks, Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware, 2024.
• ShadowStackRE, FrostyGoop, 2024.
• D. Parson (SANS), What’s the Scoop on FrostyGoop: The Latest ICS Malware and ICS Controls Considerations, 2024.
• Uni42 (PaloAlto Networks), FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications, 2024.
• Forescout Research, ICS Malware ‘FrostyGoop/BUSTLEBERM’: Insights Others Missed, 2024.
• R. Jasper, Functional Analysis of FrostyGoop ICS Malware pt. 1/2, 2024.

Press

• C. Vasquez, Cyberscoops, Simple ‘FrostyGoop’ malware responsible for turning off Ukrainians’ heat in January attack , 2024.

Resources

• Nozomi Networks, Yara rules, 2024.

Samples

SHA-256

2fd9cb69ef30c0d00a61851b2d96350a9be68c7f1f25a31f896082cfbf39559a modbus.exe
5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb mb.exe
a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c read-all-mb.exe
c64b67c116044708e282d0d1a8caea2360270a7fc679befa5e28d1ca15f6714c frosty.exe
91062ed8cc5d92a3235936fb93c1e9181b901ce6fb9d4100cc01167cdc08745f frosty.exe
a25f91b6133cb4eb3ecb3e0598bbab16b80baa40059e623e387a6b1082d6f575 frosty.exe
06919e6651820eb7f783cea8f5bc78184f3d437bc9c6cde9bfbe1e38e5c73160 task-text.json

---

Fuxnet

Technical Analysis

• MOSCOLLECTOR TAKEDOWN - 9th of April 2024, 2024. Attacker blogpost!
• Team82 - Claroty, Unpacking the Blackjack Group's Fuxnet Malware, 2024.
• N. Moshe, FuxNet: The New ICS Malware that Targets Critical Infrastructure Sensors, SANS ICS Security (Video), 2024
• Sectrio, Fuxnet: the Industrial Control System Malware, 2024.
• INCIBE, Fuxnet: the malware that paralyzed ICS systems, 2024.
• Dragos, Strategic Overview of the Fuxnet Malware, 2024.

---

IOCONTROL

Technical Analysis

• Team 82 (Claroty), Inside a New OT/IoT Cyberweapon: IOCONTROL, 2024.

Press

• P. Paganini, Security Affairs, IOCONTROL cyberweapon used to target infrastructure in the US and Isreael, 2024.

Samples

SHA-256

1b39f9b2b96a6586c4a11ab2fdbff8fdf16ba5a0ac7603149023d73f33b84498

---

Chaya_003

Technical Analysis

• A. Amri, S. Molige et al. (Forescout), ICS Threat Analysis: New, Experimental Malware Can Kill Engineering Processes, 2024.

Samples

SHA-256

b16a67f49ce5aa057236d2bff3e1ab2dcc2c6d3f2551e4520f54e125b2e289d8 test.exe
517e35b32c4a1dedb155bbd208422cd5c5d34b5ec378712b7e8182fd26473c7e lsass.exe
9579c6987ac8969d0b0cc0cc2a9da3b034fac41525d96fa79fa02d05813e70f9 elsass.exe

---

DynoWiper

Technical Analysis

• CERT Polska, Energy Sector Incident Report – 29 December, 2026.
• ESET Research, DynoWiper update: Technical analysis and attribution, 2026.

Press

• A.J. Vicens, Reuters, Russian military intelligence hackers likely behind December cyberattacks on Polish energy targets, researchers say, 2026.

Samples

SHA-256

65099f306d27c8bcdd7ba3062c012d2471812ec5e06678096394b238210f0f7c Source.exe
835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5 dynacom_update.exe
60c70cdcb1e998bffed2e6e7298e1ab6bb3d90df04e437486c04e77c411cae4b schtask.exe
d1389a1ff652f8ca5576f10e9fa2bf8e8398699ddfc87ddd3e26adb201242160 schtask.exe

---

ZionSiphon

Technical Analysis

• Darktrace, Inside ZionSiphon: Darktrace’s Analysis of OT Malware Targeting Israeli Water Systems, 2026.
• Dragos, ZionSiphon: Why This Malware Isn’t A Credible ICS Threat, 2026.

Notes

• ZionSiphon is an OT-focused malware sample targeting Israeli water treatment and desalination environments.
• The malware contains Israel-specific IP range checks and water-infrastructure-related strings, including references to Mekorot, Sorek, Hadera, Ashdod, Palmachim, and Shafdan.
• It checks for desalination and water-treatment indicators such as reverse osmosis, chlorine-control, pump-control, and salinity-control processes and files.
• Capabilities include privilege escalation, user-level persistence through a disguised svchost.exe, removable-media propagation, local configuration-file tampering, and subnet scanning for OT services.
• The malware probes OT-relevant ports including Modbus/TCP 502, DNP3 20000, and S7comm 102.
• Its Modbus logic appears the most developed, attempting to read holding registers and write values related to chlorine dosing.
• The DNP3 and S7comm logic appears incomplete or placeholder-like.
• The analyzed version appears dysfunctional because its country-validation logic fails even for IPs in the intended Israeli ranges, suggesting the sample may be unfinished, misconfigured, defanged, or a development build.
• While initial analyses suggested OT-targeting behavior, Dragos assessed ZionSiphon as not a credible ICS threat, citing broken logic, unrealistic assumptions, and likely LLM-generated artifacts.
• Many of the process names, file paths, and ICS interactions appear to be fictional or incorrect, indicating lack of real-world ICS knowledge.
• Even if targeting logic were fixed, the malware would fail to produce meaningful physical impact due to flawed implementation.
• ZionSiphon is better understood as an experimental or low-maturity OT malware attempt, rather than an operational cyber-physical weapon.

Resources

• VirusTotal sample details

Samples

SHA-256

07c3bbe60d47240df7152f72beb98ea373d9600946860bad12f7bc617a5d6f5f

---

---

¹: as much as I can. PRs are appreciated 😊.