Mallory

Kamacite

Also known as: KAMACITE

KAMACITE is an OT-focused threat group tracked by Dragos that overlaps with the Sandworm cluster, also referred to as APT44 and Seashell Blizzard. Reporting describes KAMACITE as an access-development and initial-access group supporting ELECTRUM, with a division of labor in which KAMACITE establishes and maintains access and ELECTRUM conducts OT/ICS-impacting operations. KAMACITE is linked, alongside ELECTRUM, to the actors behind the 2015 and 2016 Ukraine power incidents, and the reporting characterizes this activity as Russia-linked and part of the Sandworm ecosystem.

KAMACITE focuses on establishing and maintaining initial access to targeted organizations using spear-phishing, stolen credentials, and exploitation of exposed services. It conducts reconnaissance and persistence over extended periods, enabling pivots toward OT networks and execution of Stage 1 of the ICS Cyber Kill Chain. It has also leveraged spear-phishing, exploitation of SOHO routers, and custom capabilities to enable ELECTRUM operations.

Recent activity includes expansion beyond Ukraine into the European OT supply chain from late 2024 through early 2025, including spear-phishing aimed at engineering and vendor personnel and long-running conversations using industry-specific terminology. Between March and July 2025, KAMACITE conducted sustained reconnaissance against internet-exposed industrial devices in the United States, including devices in the water, energy, and manufacturing sectors. Reported scanning targets included Schneider Electric Altivar variable frequency drives, Smart HMIs, Accuenergy AXM modules, and Sierra Wireless AirLink gateways. Dragos found no evidence of successful exploitation in that scanning activity and assessed that exposed edge devices were being treated as operational intelligence sources for future disruption planning.

In early 2022, KAMACITE targeted vulnerabilities in WatchGuard and ASUS firewall and router devices with CYCLOPS BLINK malware. In later reporting on the Polish power-grid attack, KAMACITE is described as using spear-phishing, stolen credentials, and exploitation of exposed services to establish access, while ELECTRUM carried out the OT-focused actions. Known alias in the reporting: KAMACITE.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Utilities

Where they target

Geographies tied to known operations.

  • 🇺🇦 Ukraine

MITRE ATT&CK

Tradecraft

6 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics, 7 techniques. ×N = number of intelligence reports citing this technique.

TA0043 Reconnaissance (1 technique)
  • T1595 Active Scanning

TA0001 Initial Access (1 technique)
  • T1566 Phishing
  • T1566.001 Spearphishing Attachment (sub-technique of T1566)

TA0002 Execution (1 technique)
  • T1106 Native API

TA0011 Command and Control (1 technique)
  • T1219 Remote Access Tools

TA0040 Impact (2 techniques)
  • T1490 Inhibit System Recovery
  • T1499 Endpoint Denial of Service
ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
