Security researchers identified three new threat groups that either provided access to or launched direct attacks against operational technology environments, according to a report released Tuesday by Dragos.
A group tracked as Sylvanite provides initial access for Voltzite, which overlaps with the group commonly known as Volt Typhoon.
Volt Typhoon is a state-linked threat group that U.S. authorities previously warned has targeted U.S. critical infrastructure sites for disruptive attacks in the event of a military conflict in the Asia-Pacific region.
Dragos researchers warn that Sylvanite is a distinct group providing initial access by abusing edge devices.
“It’s not the team trying to gain long-term access and OT — that’s Voltzite — but it is the team working with or for Voltzite that is going in and developing the access,” Robert Lee, co-founder and CEO of Dragos, said during a media briefing last week.
Sylvanite was linked to a May 2025 incident at a U.S. utility company where vulnerabilities in Ivanti Endpoint Manager Mobile were exploited, including CVE-2025-4427 and CVE-2025-44428, according to the report.
Azurite, a group that overlaps with Flax Typhoon, uses compromised small office/home office environments to target engineering workstations, according to Dragos. The group uses living-off-the-land techniques to maintain persistence.
A third group, tracked as Pyroxene, uses social engineering techniques, including fake LinkedIn profiles, to pose as recruiters. The group has expanded operations from the Middle East into North America and Western Europe since 2023, targeting aerospace, defense, maritime and other sectors.
In 2025, the group deployed wiper malware against multiple targets in Israel, around the time of the 12-day military conflict with Iran, according to Dragos. Researchers warn the group is actively positioning for future operations that could impact industrial control systems.
Beyond these newly identified threat groups, researchers warned that existing groups are expanding operations.
Kamacite operates as the access team for Electrum, a longtime adversary linked to the 2015 attacks against the Ukrainian power grid. Kamacite was linked to an escalation of attacks from 2024 to 2025 targeting ICS supply chains in Europe, according to Dragos.
“There is no other team in the world that has as much experience taking down infrastructure as Electrum,” Lee said during the briefing.
Lee also said that as the cyber phase of the war in Ukraine winds down, experienced threat groups are beginning to target industries in other parts of the world, including Europe and the U.S.
As an example of the threat, Electrum was linked to the December attack against the electrical grid in Poland. That attack targeted multiple facilities, including wind farms and solar installations, according to Dragos, which was part of the incident response team.
