April 14, 2026
Dragos’ 2026 “Year in Review” report (as covered by SecurityWeek) says three new threat groups began targeting ICS/OT environments in 2025, adding to the 26 groups Dragos tracks (with 11 active in 2025). The newly named groups are Sylvanite, Azurite, and Pyroxene, and the article emphasizes that these actors are not just generic IT attackers—they’re increasingly interested in critical infrastructure operations, including power, oil and gas, water, manufacturing, and government-related targets.
It describes Sylvanite as a fast “exploitation broker” that rapidly weaponizes known (n-day) vulnerabilities to gain access and then hands that access to Voltzite for long-term presence (including US grid-related targets). Azurite is portrayed as stealing OT-relevant information (like network diagrams, PLC/HMI data, and alarm/operational data), likely for intelligence and potential future disruption—often using compromised SOHO/edge devices to pivot toward OT. Pyroxene (overlapping with Iran-linked tradecraft) is highlighted for social engineering (e.g., fake LinkedIn personas) and destructive wiper activity, with Dragos warning that even IT-focused destruction can cascade into OT outages due to IT/OT dependencies.
Source: https://www.securityweek.com/3-threat-groups-started-targeting-ics-ot-in-2025-dragos/