Industroyer

the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).

During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer.

They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

‘Kills’ legitimate the master process on the victim host • Masquerades as the new master

File dropped and deleted after program exit

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

Malware families such as CrashOverride and BlackEnergy, among others, demonstrate the ability to disrupt physical processes, while living-off-the-land (LOTL) techniques allow attackers to blend into normal operations.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer.

They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

without a configuration file it enumerates the local network to identify potential targets

The command sequence polls the target device for the appropriate addresses.

The first action is to try to kill the communications service process which acts as the master process.

The backdoor then sends a series of HTTP POST requests with the victim’s Windows GUID (a unique identifier set with every Windows installation) in the HTTP body.

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

The HAVEX malware leveraged legitimate functionality in the OPC protocol to map out the industrial equipment and devices on an ICS network.

The report notes that adversaries are exploiting weak segmentation, compromised credentials and supply chain vulnerabilities to pivot from IT into OT networks.

A key concern is the exposure of ICS devices to the internet, especially those using legacy protocols like Modbus... This makes internet-exposed devices particularly vulnerable, as attackers can both read and modify data without needing credentials.

It enumerates all OPC servers and their associated items looking for a subset related to ABB containing the string ctl.

AsyncRAT can proxy C2 through a Tor client. Attor has used Tor for C2 communication. Cyclops Blink has used Tor nodes for C2 traffic. GreyEnergy has used Tor relays for Command and Control servers. Siloscape uses Tor to communicate with C2. WannaCry uses Tor for command and control traffic.

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

On execution, the malware attempts to contact a hard-coded proxy address located within the local network. ELECTRUM must establish the internal proxy before the installation of the backdoor.

During the 2025 Poland Wiper Attacks, the adversaries utilized Tor nodes for C2. APT28 has routed traffic over Tor and VPN servers to obfuscate their activities. A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.

Access to the ICS network flows through a backdoor module.

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.

Overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files in this sample

The first action is to try to kill the communications service process which acts as the master process.

the module sends UDP packets to port 50000 exploiting CVE-2015-5374 causing the SIPROTEC digital relay to fall into an unresponsive state

The first task of the wiper writes zeros into all of the registry keys in: SYSTEM\CurrentControlSet\Services

7. Impact - Data Destruction ( T1485 ) / Data Manipulation ( T1565 ) ... Изменение уставок регулятора (FC16 на нужные регистры Modbus), останов ПЛК, манипуляция показаниями датчиков.

FC05, FC06, FC15, FC16 - воздействие: Transmitted Data Manipulation (T1565.002, Impact) или Service Stop (T1489, Impact).