Azurite
Azurite is a Dragos-tracked OT/ICS-focused threat group identified in 2025 that targets critical infrastructure and industrial organizations. Dragos assesses that Azurite overlaps with China's Flax Typhoon activity. The group's described operational focus is gaining long-term access to OT engineering workstations and exfiltrating operationally relevant files, including network diagrams, alarm data, and process information. Reported targeting includes OT/ICS environments in manufacturing, defense, automotive, electric power, oil and gas, and government organizations, with victims in the United States, Europe, and the Asia-Pacific region. The only alias given in the source reporting is "azurite"; no additional aliases are specified.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Utilities
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
OT-focused activity cluster overlapping with Flax Typhoon, targeting OT engineering workstations to establish long-term access and exfiltrate data.
Dragos-tracked activity cluster newly observed targeting ICS/OT environments (no further details provided in the content).
Named by Dragos as a newly identified (2025) threat group targeting OT environments; no additional activity details provided in the content.
OT-focused long-term access and operational data theft (engineering workstation access; exfiltration of diagrams/alarm/process data) to support downstream capability development; activity overlaps with Flax Typhoon.