www.securityweek.com 2/17/2026, 11:15:12 AM

3 Threat Groups Started Targeting ICS/OT in 2025: Dragos

Three new threat groups started targeting industrial control systems (ICS) and other operational technology (OT) in 2025, according to Dragos’ 9th Year in Review OT/ICS Cybersecurity Report. Of the 26 threat groups Dragos tracks, 11 were active in 2025, with Sylvanite, Azurite and Pyroxene newly appearing on the map.

Sylvanite acts as a rapid exploitation broker that enables Voltzite to access critical infrastructure. It has weaponised n-day vulnerabilities such as Ivanti VPN flaws within 48 hours of disclosure and installed persistent web shells on F5 appliances to harvest Active Directory (AD) credentials before handing over access to Voltzite.

Azurite has been linked to China-associated groups and has exfiltrated OT network diagrams and operational data, including alarm data, PLC configurations, and HMI data, while compromising edge devices to pivot into OT from engineering workstations.

Pyroxene, which overlaps with Iran-linked groups, specialises in cross-domain access from IT to OT, using social engineering, such as fake LinkedIn profiles, as well as wipers. It has targeted manufacturing, transportation, logistics, aerospace, aviation and utilities across the United States, Europe and the Middle East. Dragos cautions that precise attribution remains challenging and that IT-OT disruption risks can arise even without direct OT targeting.

Article by CyberSIXT