The Benchmark Report for OT Security
The Dragos 2026 OT Cybersecurity Year in Review — the 9th annual edition — remains the single most comprehensive public dataset on threats to industrial control systems. This year's numbers are stark:
- 26 threat groups now tracked (up from 23 in the previous report)
- 11 groups active during 2025
- 3 new groups identified: SYLVANITE, PYROXENE, and AZURITE
- 49% increase in ransomware groups targeting manufacturing
- 119 ransomware groups active against industrial targets, producing 3,300+ victims
- Manufacturing accounts for over two-thirds of all industrial ransomware victims
Three new threat groups in a single year is significant. Each one represents a distinct operational model, and together they show the OT threat ecosystem is growing more organized — and manufacturers cannot ignore that.
The Three New Threat Groups
| Group | Operational Model | Primary TTPs | Target Sectors |
|---|---|---|---|
| SYLVANITE | Initial access broker | Sells persistent OT network access to other threat groups; exploits VPN/remote access appliances; establishes long-lived footholds in DMZ and Level 3 networks | Manufacturing, Energy, Water/Wastewater |
| PYROXENE | Supply chain attacker | Deploys wiper malware through compromised vendor update channels; targets HMI and engineering workstation software packages | Manufacturing, Automotive, Pharmaceuticals |
| AZURITE | Espionage / pre-positioning | Maps control loop behavior over months; exfiltrates process data including PLC logic, setpoint configurations, and sensor-to-actuator relationships | Manufacturing, Critical Infrastructure, Defense Industrial Base |
SYLVANITE: The Access Broker
SYLVANITE does not execute attacks on OT systems directly. Instead, it compromises OT-adjacent infrastructure — VPN concentrators, jump hosts, remote access gateways — and sells that access to other groups. This is the OT equivalent of the initial access broker model that has driven IT ransomware for years.
What makes SYLVANITE dangerous for manufacturers:
- They specifically target remote access infrastructure used by maintenance vendors and integrators
- Their footholds persist for weeks or months before being sold
- The buyer of that access could be a ransomware group, a nation-state, or both
- By the time an attack occurs, the original intrusion vector is cold
PYROXENE: The Supply Chain Threat
PYROXENE compromises software update mechanisms for OT vendor tools — HMI packages, engineering workstation software, and SCADA configuration utilities. Their payloads include wiper malware designed to destroy engineering project files and HMI configurations. We examine PYROXENE's methodology in detail in our analysis of supply chain attacks on OT and lessons from the PYROXENE campaign.
The supply chain angle makes PYROXENE particularly difficult to detect:
- Malicious updates arrive through trusted vendor channels
- Standard allowlisting and signature-based detection passes the payload through
- The wiper activates on a timer or external trigger, not immediately on installation
- Recovery requires full restoration from backup — if backups exist and are current
AZURITE: The Control Loop Mapper
AZURITE is the most technically sophisticated of the three. Their objective is not disruption — it is understanding. They conduct long-duration intrusions (months) focused on:
- Capturing and analyzing OT protocol traffic (Modbus TCP, DNP3, OPC-UA)
- Mapping sensor-to-controller-to-actuator relationships
- Exfiltrating PLC logic and setpoint configurations
- Building a complete model of how the target's physical processes work
This is the prerequisite for a Stuxnet-class attack. AZURITE's data collection allows a follow-on actor to craft commands that manipulate physical processes in ways that look normal to operators but produce dangerous or destructive outcomes.
Why This Matters for Manufacturers
The emergence of these three groups — operating simultaneously — creates a full attack supply chain:
- SYLVANITE provides the initial foothold
- AZURITE conducts the reconnaissance and control loop mapping
- PYROXENE (or a ransomware group) executes the destructive payload
Manufacturing is disproportionately affected because:
- Over two-thirds of industrial ransomware victims are manufacturers (Dragos 2026 data)
- Factory networks are often flat, with minimal segmentation between IT and OT
- Remote vendor access is standard practice and poorly controlled
- Legacy controllers have no operating system that supports third-party security agents
The shift from reconnaissance to control loop mapping is the most dangerous escalation. It means adversaries are no longer just looking at your network — they are learning how your physical processes behave, in enough detail to manipulate them.
What You Can Do Right Now
1. Segment Remote Access
SYLVANITE's entire model depends on exploiting remote access infrastructure. Enforce:
- Network segmentation between remote access landing zones and OT networks
- Per-session, per-user access policies — no persistent VPN tunnels
- Multi-factor authentication on every remote access path
2. Verify Your Supply Chain
PYROXENE targets vendor update channels. Mitigate with:
- Hash verification of all vendor software before deployment
- Isolated staging environments for testing updates before they touch production
- Offline backups of all HMI and engineering workstation configurations
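The hash verification step above is easy to describe and easy to get subtly wrong. The following script is an added example (not code from Dragos, the report, or any OT vendor) of a staging-gate check: it parses a sha256sum-style manifest obtained out-of-band, streams each package in the staging directory through SHA-256, and refuses to mark the batch deployable if any file is tampered, unlisted, or missing. The file names, package bytes and manifest contents are constructed for illustration; `hmi_runtime_4.2.1.zip` and friends are placeholders, not real product names.

```python
"""Gate vendor packages in a staging directory against an out-of-band hash manifest.

Added example; file names, package contents and digests are constructed.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte installer images are not read into memory at once."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into {filename: digest}.

    Blank lines and '#' comments are skipped; anything else malformed raises, because a
    manifest we cannot parse must not silently shrink the set of files we verify.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or set(parts[0].lower()) - HEX_DIGITS:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()  # sha256sum marks binary mode with '*'
    return entries


def verify_staging(staging_dir, manifest_text):
    """Return {filename: status} covering every file in staging and every manifest entry.

    Unlisted files are rejected outright: a trusted channel delivering an unexpected
    package is exactly the supply-chain case a plain allowlist would wave through.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for path in sorted(Path(staging_dir).iterdir()):
        if not path.is_file():
            continue
        want = expected.get(path.name)
        if want is None:
            results[path.name] = "REJECT_NOT_IN_MANIFEST"
            continue
        got = sha256_file(path)
        results[path.name] = "VERIFIED" if hmac.compare_digest(got, want) else "REJECT_HASH_MISMATCH"
    for name in expected:
        results.setdefault(name, "MISSING_FROM_STAGING")
    return results


def deployable(results):
    """The batch may leave staging only if every package verified and none is missing."""
    return bool(results) and all(status == "VERIFIED" for status in results.values())


def demo():
    """Build a constructed staging directory (one good, one tampered, one unlisted package,
    one listed-but-absent package) and run the gate over it."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp)
        good_bytes = b"constructed HMI runtime installer bytes"
        (staging / "hmi_runtime_4.2.1.zip").write_bytes(good_bytes)
        (staging / "ews_toolkit_7.0.exe").write_bytes(b"constructed tampered payload")
        (staging / "unexpected_hotfix.msi").write_bytes(b"constructed unlisted package")
        manifest = "\n".join([
            "# constructed vendor manifest, fetched from a channel separate from the packages",
            f"{hashlib.sha256(good_bytes).hexdigest()}  hmi_runtime_4.2.1.zip",
            f"{hashlib.sha256(b'constructed original ews bytes').hexdigest()}  ews_toolkit_7.0.exe",
            f"{'0' * 64}  scada_config_2.3.zip",
        ])
        return verify_staging(staging, manifest)


if __name__ == "__main__":
    outcome = demo()
    for name, status in outcome.items():
        print(f"{status:26} {name}")
    print("deployable:", deployable(outcome))
```

The check only means something if the manifest travels over a different path than the packages; if a compromised update server serves both, the digests will match the tampered files. Pair the hash pin with verification of the vendor's code-signing signature, and keep the manifest you verified against with the backup of the configuration it produced.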
3. Block Passive Traffic Analysis
AZURITE depends on sniffing OT protocol traffic. Prevent it with:
- Microsegmentation that limits broadcast domains and prevents unauthorized traffic capture
- Encrypted network overlays for sensitive control traffic
- Protocol-aware monitoring that detects unusual read/query patterns on OT protocols
4. Assume Breach, Verify Continuously
The Dragos data makes it clear: the question is not whether adversaries will target your factory. It is whether they are already inside.
- Deploy continuous network monitoring that baselines normal OT traffic and alerts on deviations
- Conduct quarterly threat hunts focused on OT network segments
- Maintain tested, offline backups of all OT configurations and logic
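Steps 3 and 4 both come down to the same sensor: something that understands the OT protocol on the wire, knows what normal polling looks like, and raises an alert when a host reads in a pattern the baseline never contained. The script below is an added example (not Dragos's code, the report's, or any monitoring product's) of that logic for Modbus TCP. It parses the MBAP header and read-function PDUs, learns a baseline of (source, destination, unit, function, start register) tuples from a learning capture, then flags frames outside the baseline, a single source reading many distinct register ranges inside one window, and malformed frames. The IP addresses, the polling schedule, the 60-second window and the sweep threshold of 8 are constructed assumptions; the sample "captures" are built inline with a small frame-builder helper.

```python
"""Protocol-aware Modbus TCP monitoring: baseline learning plus read-pattern alerts.

Added example; addresses, timings, thresholds and captures are constructed.
"""
import struct
from collections import defaultdict

# Modbus public function codes that read data; everything else is tracked by code only.
READ_FUNCTIONS = {1: "read_coils", 2: "read_discrete_inputs",
                  3: "read_holding_registers", 4: "read_input_registers"}


def parse_modbus_tcp(payload):
    """Parse one Modbus TCP frame (MBAP header + PDU). Returns a dict, or None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    # Protocol id is always 0; the MBAP length counts unit id + PDU, i.e. everything after byte 6.
    if proto != 0 or length != len(payload) - 6:
        return None
    rec = {"tid": tid, "unit": unit, "function": fc, "start": None, "count": None}
    if fc in READ_FUNCTIONS and len(payload) >= 12:
        rec["start"], rec["count"] = struct.unpack(">HH", payload[8:12])
    return rec


def build_read_request(tid, unit, fc, start, count):
    """Build a read request frame; used here only to construct the sample captures."""
    pdu = struct.pack(">BHH", fc, start, count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def learn_baseline(capture):
    """Collect every (src, dst, unit, function, start) tuple seen during the learning window."""
    baseline = set()
    for _ts, src, dst, payload in capture:
        rec = parse_modbus_tcp(payload)
        if rec is not None:
            baseline.add((src, dst, rec["unit"], rec["function"], rec["start"]))
    return baseline


def detect(capture, baseline, window_s=60, sweep_threshold=8):
    """Return a list of (alert_kind, src, dst, detail) tuples for a capture.

    new_conversation: a tuple the baseline never contained.
    read_sweep: one source read `sweep_threshold` distinct (dst, unit, start) ranges in a window.
    malformed_frame: bytes on the Modbus port that do not parse as Modbus TCP.
    """
    alerts = []
    ranges_per_window = defaultdict(set)  # (src, window index) -> {(dst, unit, start)}
    for ts, src, dst, payload in capture:
        rec = parse_modbus_tcp(payload)
        if rec is None:
            alerts.append(("malformed_frame", src, dst, payload.hex()))
            continue
        key = (src, dst, rec["unit"], rec["function"], rec["start"])
        if key not in baseline:
            alerts.append(("new_conversation", src, dst, key))
        if rec["function"] in READ_FUNCTIONS:
            seen = ranges_per_window[(src, int(ts // window_s))]
            seen.add((dst, rec["unit"], rec["start"]))
            if len(seen) == sweep_threshold:  # fire once per (src, window) when the line is crossed
                alerts.append(("read_sweep", src, dst, len(seen)))
    return alerts


def demo():
    """Constructed scenario: an HMI polls a PLC normally; later an unknown host sweeps registers."""
    hmi, plc, unknown = "10.1.2.10", "10.1.3.20", "10.1.2.99"
    learning = []
    for i in range(20):  # 20 polling cycles, 5 s apart, two reads per cycle
        learning.append((i * 5.0, hmi, plc, build_read_request(i, 1, 3, 0, 10)))
        learning.append((i * 5.0 + 0.1, hmi, plc, build_read_request(i, 1, 1, 0, 8)))
    baseline = learn_baseline(learning)

    live = [(1000 + i * 5.0, hmi, plc, build_read_request(i, 1, 3, 0, 10)) for i in range(20)]
    for j in range(10):  # unknown host walks holding registers 0..999 in 100-register steps
        live.append((1010 + j * 1.0, unknown, plc, build_read_request(500 + j, 1, 3, j * 100, 100)))
    live.append((1050.0, unknown, plc, b"\x00\x01\x00\x00"))  # truncated frame
    return detect(live, baseline)


if __name__ == "__main__":
    for kind, src, dst, detail in demo():
        print(f"{kind:17} {src} -> {dst}  {detail}")
```

The baseline is deliberately keyed on the start register as well as the function code: a host that already polls registers 0-9 suddenly reading 400-499 is the kind of "unusual read pattern" the text describes, and a per-source sweep counter catches the same behaviour even when the host is new. In production the learning capture should span at least one full production cycle (including shift changes and maintenance windows) so that legitimate but infrequent reads do not page the on-call engineer.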
The 2026 Dragos report documents what the threat environment looks like today. These three groups — SYLVANITE, PYROXENE, and AZURITE — represent a coordinated ecosystem. The defensive response needs to be equally systematic: segment, monitor, verify, and control access at every layer.