
Every OT breach has a file in its attack chain: The ICS/OT Threat Landscape, 2024–2026

File-based attack paths and wiper campaigns are reshaping critical infrastructure security 
By OPSWAT

ICS/OT Attacks Accelerate as Threat Activity Intensifies

In the last two years, attacks against industrial control systems and operational technology have shifted from theoretical risk to operational reality. Nation-states are no longer just pre-positioning inside critical infrastructure. They are executing. Wipers have overtaken ransomware as the weapon of choice for state-sponsored actors targeting OT environments. A single pattern connects nearly every major incident: a malicious file crossed a trust boundary that no one was inspecting.

This article walks through the ICS/OT threat landscape from 2024 through early 2026, not as a catalog of APT names and CVE numbers but as a story. We start with the big picture: what happened and when. Then we look at who is behind it, how they did it, and finally, we unpack one incident in detail to show what a modern ICS wiper attack looks like from the inside.

Key numbers

  • In 2025, 119 ransomware groups actively targeted OT environments, up 49% from 80 in 2024
  • More than two-thirds of all OT ransomware victims were manufacturers, the single most-targeted sector
  • Volt Typhoon operated undetected inside a U.S. electric utility's OT network for more than 300 days
  • Six wiper campaigns hit ICS/OT targets in 2024–2025 alone, more than in any comparable period

ICS/OT Incident Timeline Overview

Before analyzing who is behind these attacks or how they work, it helps to see them on a timeline. The table below maps every significant ICS/OT incident from this period — tagged by sector, threat actor, and geography — so you can orient yourself before going deeper.

| Date | Incident | Sector | Actor | Geography |
|---|---|---|---|---|
| Apr 2026 | Iranian APT exploiting Rockwell PLCs — disrupting operations across U.S. CI | Energy, Water, Government | IRGC-CEC / CyberAv3ngers cluster | United States |
| Mar 2026 | Handala wiper takes Stryker offline — claimed 200K+ devices wiped across 79 countries | Healthcare | Handala / Void Manticore (MOIS) | Global (79 countries) |
| 2025 | DynoWiper targets Polish power grid and renewable energy DER | Energy | Sandworm / ELECTRUM (GRU) | Poland (NATO) |
| 2025 | PathWiper deployed against Ukrainian critical infrastructure | Critical Infra | Russia-nexus | Ukraine |
| 2025 | BAUXITE / BlueWipe-SewerGoo wiper campaign | Energy Storage | BAUXITE (IRGC-CEC) | Israel |
| 2025 | PYROXENE wiper targets government and critical infrastructure | Government, Critical Infra | PYROXENE (IRGC-CEC / APT35) | Israel, Albania |
| 2025 | SYLVANITE → VOLTZITE supply chain intrusions | Energy, Water | PRC state-linked | United States |
| 2025 | KAMACITE scanning U.S. industrial targets | Manufacturing | Russia (GRU-linked) | United States |
| 2025 | Z-PENTEST compromises Norwegian dam HMI | Water/Dam | Z-PENTEST (pro-Russia) | Norway |
| Jan 2024 | FrostyGoop disrupts Lviv district heating via Modbus TCP | Energy/Heating | Russia-linked | Ukraine |
| 2024 | Volt Typhoon / VOLTZITE — 300+ days inside U.S. utility OT | Energy, Water | PRC (Volt Typhoon) | United States |
| 2024 | AcidPour wiper targets Ukrainian telecom infrastructure | Telecom | Sandworm (GRU) | Ukraine |
| 2024 | Sandworm Spring — supply chain attack on energy and water | Energy, Water | Sandworm (GRU) | Ukraine |
| Aug 2024 | Halliburton hit by RansomHub — $35M impact | Oil and Gas | RansomHub | United States |
| 2024 | Fuxnet destroys Moscow utility sensor infrastructure | Utilities | BlackJack (Ukraine-linked) | Russia |
| Sep 2024 | Arkansas City KS water treatment ransomware | Water | Hazard ransomware | United States |
| 2023–24 | CyberAv3ngers / IOCONTROL — 75+ devices compromised across U.S. water facilities | Water | IRGC (Iran) | United States, Israel |
| Jan 2024 | Muleshoe TX water tank overflow via exposed HMI | Water | CyberArmyofRussia_Reborn | United States |

Rising Wiper Campaigns and Expanding OT Targets

The pace is accelerating. The year 2025 alone saw more distinct wiper campaigns against ICS/OT than any previous year. The geographic spread has widened, moving beyond the Ukraine–Russia theater into NATO member states such as Poland, Western Europe including Norway, and the Middle East, including Israel. Sector diversity has also expanded beyond energy and water into healthcare, telecom, and manufacturing.

Nation-State and Hacktivist Groups Drive ICS/OT Attacks

The timeline above is dense, but it is not random. The incidents cluster around a small number of actor groups, each with distinct motivations, capabilities, and preferred targets.

Russia — still the most prolific ICS threat

Russia-linked actors account for the largest share of ICS-targeting activity in this period, operating through multiple groups with different roles.

Sandworm (ELECTRUM) remains the most capable ICS-focused adversary in the world. Their December 2025 campaign against Poland's power grid targeted approximately 30 distributed energy sites, including CHP facilities and renewable energy dispatch systems such as wind and solar. This marked the first major coordinated cyberattack targeting distributed energy resources at scale.

The DynoWiper malware deployed in that attack was a Windows PE wiper used against energy infrastructure. It wiped Windows-based machines at DER sites and disabled some OT and ICS equipment beyond repair. While no power outages occurred, the attackers gained access to operational technology systems critical to grid operations.

Earlier, their PathWiper campaign targeted Ukrainian critical infrastructure with a VBScript dropper paired with a PE wiper that destroys the MBR and MFT and overwrites files across all drives. In 2024, they deployed AcidPour, a Linux ELF wiper, against Ukrainian telecom infrastructure and orchestrated a supply chain compromise targeting energy and water systems.

KAMACITE functions as the enabling infrastructure layer. In 2025, this GRU-linked group was observed conducting reconnaissance scanning of U.S. industrial targets, representing pre-positioning activity that historically precedes ELECTRUM's destructive operations.

China — patient, deep, and expanding scope

China’s approach is fundamentally different from Russia’s. Where Russian actors destroy, Chinese actors persist.

VOLTZITE (Volt Typhoon) was confirmed inside a U.S. electric utility's OT network for over 300 days, exfiltrating GIS data and OT system configurations. This was not espionage for its own sake. The pre-positioning pattern is consistent with preparation for future disruption of U.S. electric infrastructure.

In 2025, the SYLVANITE initial access broker rapidly weaponized vulnerabilities in Ivanti VPN appliances, F5 devices, and other edge infrastructure. These footholds were then fed into the VOLTZITE pipeline for deeper OT intrusions. Targets expanded to include both electric and water utilities.

AZURITE, a newly tracked group reported in 2025, represents an escalation in China-linked OT targeting. AZURITE is actively targeting OT engineering workstations in manufacturing, defense, and automotive sectors across the U.S., Australia, and Europe. The group focuses on exfiltrating network diagrams, alarm data, and process configurations.

Iran — crossing the line into physical impact

Iranian state-sponsored actors made a decisive shift in this period, moving from opportunistic access to deliberate targeting of physical processes.

CyberAv3ngers (BAUXITE / IRGC) compromised more than 75 devices across multiple U.S. water facilities in 2023–2024, including the direct takeover of a PLC at a Pennsylvania booster station. Their IOCONTROL malware, a Linux binary with MQTT-based command and control embedded in device firmware update packages, was purpose-built for OT device compromise. In 2025, the BAUXITE group deployed BlueWipe-SewerGoo wiper variants against Israeli energy and storage infrastructure.

PYROXENE (IRGC-CEC, with APT35 overlap) targeted critical infrastructure and government networks in Israel and Albania in 2025. The group used a combination of social engineering and supply chain compromise to deliver PE wiper payloads.

Handala represents the blurring line between hacktivism and state-directed destruction. Assessed by multiple threat intelligence firms as a front for a threat actor called Void Manticore, sponsored by Iran’s Ministry of Intelligence and Security, the group emerged in late 2023 and has conducted sustained wiper operations against Israeli targets since.

Their toolkit is technically sophisticated. Phishing emails, often written in fluent Hebrew, deliver an NSIS installer that launches an AutoIT script to inject the wiper into a legitimate Windows process. The final payload overwrites files with randomized data, escalates privileges using a vulnerable driver, and exfiltrates system information via Telegram’s API before destroying data.

In March 2026, Handala hit Stryker, a Fortune 500 medical device manufacturer, wiping devices across 79 countries by abusing Microsoft Intune, the company’s endpoint management platform. No custom malware was required for the destructive phase. Admin-level Intune access provided a centralized kill switch for enrolled devices.

In April 2026, a joint advisory from six U.S. agencies warned that the same Iranian cluster had been actively disrupting internet-facing Rockwell PLCs across government, water, and energy targets since at least March 2026. The attackers used legitimate Rockwell engineering software to tamper with PLC project files and manipulate operator displays by exploiting a known authentication bypass (CVE-2021-22681). This was active disruption of industrial processes on American soil.

Hacktivists — reaching the physical layer

Pro-Russian hacktivist groups crossed a threshold in this period. Z-PENTEST compromised an internet-exposed HMI at a Norwegian dam in 2025 using a weak password, gaining the ability to manipulate physical water control systems. CyberArmyofRussia_Reborn accessed an HMI in Muleshoe, Texas, causing a water tank to overflow before staff switched to manual operations.

These are not sophisticated attacks. They are simple, opportunistic, and increasingly consequential. The barrier to causing physical disruption in OT environments is lower than many operators assume.

File-Based Attacks, Wipers, and IT/OT Pivoting Define ICS/OT Intrusions

Across all of these incidents, spanning different actors, sectors, and geographies, a consistent set of patterns emerges.

Wipers have become the dominant destructive tool

This is the most significant trend in ICS and OT threat activity. In 2024–2025 alone, at least six distinct wiper campaigns targeted industrial and critical infrastructure environments: DynoWiper targeting Poland’s energy sector, PathWiper targeting Ukrainian critical infrastructure, AcidPour targeting Ukrainian telecom, BAUXITE or BlueWipe-SewerGoo targeting Israeli energy, PYROXENE targeting government and critical infrastructure in Israel and Albania, and Handala targeting global healthcare.

The wipers are becoming more targeted. DynoWiper was deployed specifically against energy infrastructure in Poland, wiping Windows-based machines at distributed energy sites and disabling some OT equipment beyond recovery. PathWiper destroys the MBR and MFT before overwriting files, making recovery as difficult as possible. AcidPour targets embedded Linux devices, wiping UBI volumes and Device Mapper partitions used in OT equipment.

Handala’s Stryker attack demonstrated a different type of evolution. Instead of deploying custom malware at scale, the attackers abused a legitimate enterprise management tool called Microsoft Intune to issue a mass wipe command across enrolled devices simultaneously. This effectively turned the organization’s own infrastructure into the weapon. These are not general-purpose tools repurposed for OT. They are engineered or co-opted for the environments they impact.

ICS-specific malware is evolving in sophistication

FrostyGoop deserves special attention as a milestone. Deployed against the Lviv district heating system in January 2024, it was the first malware to directly exploit the Modbus TCP protocol in a production environment. Written in Go and compiled as a Windows PE binary, it was delivered through the engineering network, crossing from IT into OT through a file transfer. The attack left more than 600 apartment buildings without heat for two days in sub-zero temperatures.

FrostyGoop matters because Modbus TCP is widely used in industrial environments worldwide. The malware demonstrated that attackers have moved beyond targeting Windows workstations adjacent to OT. They are now writing code that communicates directly with industrial protocols.
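As an added defender-side illustration of the point above (not code from the original post or from OPSWAT), the following parses Modbus TCP request frames and flags write function codes that come from any host other than an approved engineering station. The sample frames, host addresses and allowlist are constructed for the example.

```python
"""Detect Modbus TCP write requests from non-approved hosts.

Constructed example: frames and addresses below are not from any real capture.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (write operations)
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the function code of a Modbus TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus TCP (protocol id {proto})")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def audit_writes(frames, approved_writers):
    """Return (src, unit_id, function_code, name) for writes from non-approved hosts."""
    alerts = []
    for src, frame in frames:
        req = parse_mbap(frame)
        name = WRITE_FUNCTION_CODES.get(req.function_code)
        if name and src not in approved_writers:
            alerts.append((src, req.unit_id, req.function_code, name))
    return alerts


def build_request(tid, unit, function_code, pdu_data):
    """Build a Modbus TCP request frame (used here only to construct sample traffic)."""
    pdu = bytes([function_code]) + pdu_data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: an approved engineering workstation writing one
# register, and an unknown host first reading, then writing multiple registers.
APPROVED_WRITERS = {"10.0.1.10"}  # hypothetical engineering workstation
SAMPLE_TRAFFIC = [
    ("10.0.1.10", build_request(1, 1, 6, struct.pack(">HH", 0x0010, 0x0001))),
    ("10.0.5.77", build_request(2, 1, 3, struct.pack(">HH", 0x0000, 0x0002))),
    ("10.0.5.77", build_request(3, 1, 16, struct.pack(">HHB", 0x0000, 2, 4) + b"\x00" * 4)),
]


def run_sample():
    return audit_writes(SAMPLE_TRAFFIC, APPROVED_WRITERS)
```

In a real deployment the allowlist would be the set of engineering stations permitted to write to each PLC, and the frames would come from a network tap on the OT segment.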

Every OT breach has a file in its attack chain

This is the common denominator. Across every incident in the timeline, regardless of actor, sector, or geography, a malicious file crossed a trust boundary at some point in the attack chain:

  • Wipers were delivered as PE executables, VBScript droppers, and Linux ELF binaries.
  • Supply chain compromises used trojanized installer packages and software updates.
  • Spearphishing delivered weaponized documents, including Excel files with VBA macros and OneNote files with embedded payloads.
  • ICS-specific malware arrived as compiled Go binaries such as FrostyGoop, Python payloads such as Triton and COSMICENERGY, and custom PE binaries such as Industroyer2 and DynoWiper.
  • Even living-off-the-land campaigns like Volt Typhoon left file artifacts, including web shells, lateral movement scripts, and credential harvesting tools dropped on compromised systems.
  • Ransomware payloads affecting OT-adjacent environments, such as Halliburton and Arkansas City, were delivered through phishing attachments and server compromises.

The file types vary. The delivery mechanisms vary. The actors vary. The pattern remains consistent: a file enters the environment, crosses into a trust zone, and either executes directly or enables the next stage of compromise.

Edge devices and exposed HMIs are the new perimeter

Both the Z-PENTEST dam attack in Norway and the Muleshoe water overflow in Texas exploited the same weakness: internet-exposed HMIs with weak or default credentials. The CyberAv3ngers campaign against U.S. water facilities targeted Unitronics PLCs using default credentials. These are not zero-day exploits. They are configuration failures at the boundary between OT systems and the internet.

The IT and OT boundary is where attacks pivot

Across incident after incident, the attack pivot occurs at the IT and OT boundary. Engineering workstations, which sit in both environments and connect enterprise networks with production-floor PLCs, are the most common pivot point. AZURITE targets them directly. Volt Typhoon moved through them. Triton required physical access to one. FrostyGoop was delivered through the engineering network. Protecting the workstation means protecting the file that lands on it.

Pre-Execution Prediction and Behavioral Analysis Stop OT Attacks Before Impact

Behavioral Zero-Day Detection with MetaDefender Aether

The patterns across ICS and OT attacks point to a consistent reality: unknown and evasive threats enter environments as files, cross trust boundaries, and execute before traditional defenses can respond. Stopping these attacks requires both deep behavioral analysis and the ability to predict malicious intent before execution.

MetaDefender Aether is OPSWAT’s unified zero-day detection solution designed to expose unknown and evasive threats hidden in files. It combines adaptive sandboxing, threat intelligence, threat scoring, and machine-learning similarity search into a single detection pipeline that delivers a trusted verdict for every file.

By detonating files in an emulated environment, Aether reveals hidden behaviors such as ransomware logic, code injection, anti-analysis techniques, and multi-stage payloads that static tools cannot detect. It correlates these findings with billions of threat indicators to identify risk, uncover variants, and map activity to known adversary techniques.

This approach enables organizations to detect zero-day threats in executables, scripts, archives, and patch files that cannot be sanitized or altered. It also supports compliance requirements across regulated industries where dynamic analysis is mandated and file integrity must be preserved.

Pre-Execution Threat Prediction with Predictive Alin AI

Complementing this, Predictive Alin AI introduces a pre-execution detection layer that operates at the perimeter. Instead of waiting for files to detonate, it analyzes structural and behavioral indicators to predict malicious intent in milliseconds. This allows organizations to block high-risk files before they enter the environment or reach critical systems.

Predictive Alin AI is continuously retrained using zero-day threats identified by MetaDefender Aether. Each confirmed threat strengthens the model’s ability to detect similar attacks earlier in the chain. This creates a feedback loop between deep analysis and predictive detection, where Aether uncovers unknown threats and Alin uses that intelligence to stop the next generation of attacks before execution.

Deployed together, MetaDefender Aether and Predictive Alin AI provide both depth and speed. Predictive Alin AI delivers instant, pre-execution verdicts at the perimeter, while MetaDefender Aether performs comprehensive behavioral analysis for files that require deeper inspection. This layered approach reduces false positives, accelerates SOC response, and ensures that both known and unknown threats are identified before they can impact OT environments.

Stopping File-Based OT Attacks Requires Layered Zero-Day Detection

This ICS and OT threat landscape is no longer defined by isolated incidents. It is shaped by repeatable patterns. Wipers are becoming more targeted, adversaries are moving faster, and attacks consistently pivot at trust boundaries. Across every case, one constant remains: a file enters the environment and enables the attack.

Static inspection and signature-based tools cannot see what these attacks share, which is a file crossing a trust boundary with intent that has not been catalogued yet. Stopping them means inspecting that file before it executes and predicting what it will do once it does.

That is the role MetaDefender Aether and Predictive Alin AI are built for. Predictive Alin AI renders a verdict at the perimeter in milliseconds; MetaDefender Aether detonates what warrants deeper inspection and feeds every confirmed zero-day back into the predictive model. The result is a layered defense that gets sharper with every file it sees at the exact boundary where ICS and OT attacks begin.

See how MetaDefender Aether and Predictive Alin AI close the file-based attack path into your OT environment.
