TRITON
Triton, also known as TRISIS and HatMan, is ICS-specific malware built to manipulate safety instrumented systems (SIS), specifically Schneider Electric Triconex safety controllers. It was used in a 2017 attack on a Middle East petrochemical facility, widely reported to be in Saudi Arabia. The attackers attempted to reprogram the SIS controllers; several controllers detected a fault and tripped into their fail-safe state, the plant shut down automatically, and the resulting investigation uncovered the malware. Open-source and government reporting describe the malware as designed to disable or interfere with safety protections and alarms: it could read and write programs and functions on the controllers, query controller state, issue commands such as halt, and remotely reprogram the controllers over the TriStation engineering protocol. Analysts concluded that it could have given the attackers complete control of the infected controllers and that it had the potential to cause significant physical damage and loss of life.
The malware is attributed to the threat group XENOTIME, also tracked as TEMP.Veles in some reporting. Multiple sources also connect Triton to the Russian state research institute TsNIIKhM, which was sanctioned by the U.S. Treasury and by the UK for its role in the malware; U.S. government reporting states that TsNIIKhM supported the 2017 attack and built the customized tools that enabled it. In the 2017 intrusion the attackers first gained access through phishing, then pivoted from the IT network into OT by way of compromised VPN access, insecure DMZ and firewall configuration, RDP sessions to engineering workstations, and a broader enterprise compromise; once on the SIS network they delivered the TriStation payload to the controllers from a compromised engineering workstation. The same actors were reported in 2019 to have scanned and probed at least 20 U.S. electric utilities, and they continue to be regarded as a threat to the global energy sector.
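The intrusion chain above gives a network defender two concrete choke points: TriStation traffic to safety controllers should only ever originate from the sanctioned engineering workstation, and interactive access (RDP) into that workstation should never arrive from outside the OT network. The script below is an added example written for this page, not code from any vendor or from the TRITON toolkit. It assumes a constructed asset inventory (controller and workstation addresses) and constructed flow records; the only facts it relies on are that TriStation runs over UDP port 1502 and that the 2017 payload reached the controllers from a compromised engineering workstation.

```python
"""Flag TriStation and RDP flows that do not match the expected SIS topology.

Added example for this page; not code from the original page, Schneider
Electric, or any CTI vendor. The controller addresses, the engineering
workstation address, the OT subnet and the sample flows are all constructed
for illustration (assumptions).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TRISTATION_PORT = 1502   # TriStation engineering protocol runs over UDP/1502
RDP_PORT = 3389

# Constructed asset inventory (assumption): three Triconex controllers, one
# sanctioned engineering workstation (EWS), and the OT subnet they sit on.
SIS_CONTROLLERS = {"10.3.0.10", "10.3.0.11", "10.3.0.12"}
SANCTIONED_EWS = {"10.3.0.50"}
OT_NETWORK = ip_network("10.3.0.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def classify(flow: Flow) -> Optional[str]:
    """Return an alert label for a suspicious flow, or None if it is expected."""
    tristation = flow.proto == "udp" and flow.dport == TRISTATION_PORT
    if tristation and flow.dst in SIS_CONTROLLERS:
        # Only the sanctioned EWS may speak TriStation to a safety controller.
        return None if flow.src in SANCTIONED_EWS else "tristation-from-unsanctioned-host"
    if tristation:
        # TriStation aimed at something that is not a known controller:
        # either an inventory gap or someone probing for controllers.
        return "tristation-to-unknown-target"
    if (flow.proto == "tcp" and flow.dport == RDP_PORT
            and flow.dst in SANCTIONED_EWS
            and ip_address(flow.src) not in OT_NETWORK):
        # Interactive access to the EWS from IT/DMZ is the pivot described above.
        return "rdp-into-ews-from-outside-ot"
    return None


def scan(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Run classify() over a flow list and keep only the alerts, in order."""
    return [(f, label) for f in flows if (label := classify(f))]


# Constructed sample flows (assumption): one normal EWS session, then a
# DMZ-to-EWS RDP pivot, a rogue OT host talking TriStation, and a probe.
SAMPLE_FLOWS = [
    Flow("10.3.0.50", "10.3.0.10", "udp", 1502),   # sanctioned EWS -> SIS: expected
    Flow("10.2.0.25", "10.3.0.50", "tcp", 3389),   # DMZ host -> EWS over RDP
    Flow("10.3.0.77", "10.3.0.11", "udp", 1502),   # unsanctioned OT host -> SIS
    Flow("10.3.0.50", "10.3.0.99", "udp", 1502),   # EWS -> address not in inventory
]

if __name__ == "__main__":
    for flow, label in scan(SAMPLE_FLOWS):
        print(f"{label:36} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Run stand-alone it prints three alerts and stays silent on the sanctioned session. In a real deployment the inventory comes from the plant's asset register rather than constants, and the flow records from a span-port sensor or NetFlow; the logic is deliberately topology-based because TriStation carries no authentication, so "who is talking" is the signal. One physical caveat worth keeping in the runbook: Triconex controllers only accept TriStation program changes when the front-panel key switch is in PROGRAM mode, and the 2017 reporting noted the switch had been left in that position, so key-switch state is a control to audit alongside the network detection.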
The malware is consistently described as one of a small number of publicly known OT/ICS-tailored malware families and is frequently cited alongside Stuxnet, Industroyer/CrashOverride, Havex, BlackEnergy, and Incontroller as an example of malware capable of disrupting industrial processes and causing physical consequences in critical infrastructure. The sources identify energy, oil and gas, petrochemical, and broader critical infrastructure environments as the relevant target sectors.
Groups observed using it
5 distinct threat actors attributed by public researchers.
Triton is a custom-built malware designed to manipulate safety instrumented systems within ICS controllers, disabling the safety alarms that prevent dangerous conditions.
For example, industrial attack techniques employed by Triton and Industroyer were used by actors ranging from FIN11 to FIN6 during ransomware deployment, extortion and other activities.
Name collision: the following excerpt concerns a component of Intellexa's Predator spyware that happens to be called "Triton", not the ICS malware described on this page. Another key finding in the leak is confirmation of the existence of another delivery vector called 'Triton', which can target devices with Samsung Exynos with baseband exploits, forcing 2G downgrades to lay the ground for infection.
"Once on the SIS network, the attacker used their pre-built TRITON attack framework to interact with the SIS controllers using the TriStation protocol."
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
In 2019, the attackers behind the Triton malware were also reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities.
Initial Access
2 techniques
The malware was initially deployed through phishing that targeted the petrochemical facility.
Execution
1 technique
1. Attack code execution and synchronization failure / triple modular redundant controller ... a mismatch in processing results occurred among the three processors.
Persistence
1 technique
Stealth
1 technique
"Action RAT's commands, strings, and domains can be Base64 encoded within the payload." / "ADVSTORESHELL... strings... encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed." / "APT29 has used encoded PowerShell commands." / "APT41 used VMProtected binaries..." (procedure examples quoted from the technique's general entry; none of them names Triton)
Lateral Movement
1 technique
A key concern is the exposure of ICS devices to the internet, especially those using legacy protocols like Modbus... This makes internet-exposed devices particularly vulnerable, as attackers can both read and modify data without needing credentials.
Impact
1 technique
Another water utility serving 2 million people in North Texas said Tuesday that it is also dealing with a cybersecurity incident that caused operational issues...
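The Lateral Movement evidence above makes a claim that is easy to verify on the wire: a Modbus/TCP write request carries no credential of any kind, just a header and a function code with its operands, so any host that can reach port 502 can change process values. The parser below is an added example for this page, not code from the original page or from any Modbus library. It relies only on the public Modbus/TCP framing (MBAP header: transaction id, protocol id, length, unit id, followed by the PDU) and the standard function codes; the sample frames, the trusted-host set and the "external" source address are constructed.

```python
"""Decode Modbus/TCP requests and flag writes from untrusted sources.

Added example for this page; not code from the original page or from any
Modbus implementation. The frames, the trusted source set and the source
addresses below are constructed for illustration (assumptions).
"""
import struct
from typing import NamedTuple, Set, Tuple

MODBUS_PORT = 502
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    data: bytes      # PDU payload after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Split a Modbus/TCP frame into its MBAP header fields and PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1);
    length counts the unit id plus the PDU. Note there is no authentication field.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def build_write_single_register(tid: int, unit_id: int, address: int, value: int) -> bytes:
    """Build a function-6 request: the entire 'credential' is knowing the port."""
    pdu = struct.pack(">BHH", 6, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def assess(src: str, frame: bytes, trusted_sources: Set[str]) -> Tuple[str, str]:
    """Return (verdict, description) for one request from `src`."""
    req = parse_modbus_tcp(frame)
    if req.function in WRITE_FUNCTIONS:
        what = WRITE_FUNCTIONS[req.function]
        if req.function == 6 and len(req.data) >= 4:
            addr, value = struct.unpack(">HH", req.data[:4])
            what += f" addr=0x{addr:04x} value=0x{value:04x}"
        verdict = "allow" if src in trusted_sources else "alert"
        return verdict, f"{what} (no authentication field present)"
    if req.function in READ_FUNCTIONS:
        return ("allow" if src in trusted_sources else "notice"), READ_FUNCTIONS[req.function]
    return "notice", f"function 0x{req.function:02x}"


# Constructed sample traffic (assumption).
TRUSTED = {"10.3.0.50"}                                   # the HMI/EWS allowed to write
WRITE_FRAME = bytes.fromhex("000100000006010600101234")   # write reg 0x0010 := 0x1234, unit 1
READ_FRAME = bytes.fromhex("00020000000601030000000a")    # read 10 holding regs from 0, unit 1

if __name__ == "__main__":
    for src, frame in [("10.3.0.50", WRITE_FRAME), ("203.0.113.7", WRITE_FRAME),
                       ("203.0.113.7", READ_FRAME)]:
        verdict, desc = assess(src, frame, TRUSTED)
        print(f"{verdict:6} {src:12} {desc}")
```

The write frame is twelve bytes, and `build_write_single_register(1, 1, 0x10, 0x1234)` reproduces it exactly, which is the practical point of the evidence snippet: the protocol offers nothing for a device to check, so the controls have to live outside it (no internet exposure, segmentation, and a source allow-list like the one `assess` applies).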
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
40 sources tracked across advisories, community write-ups, and news.
ICS malware referenced as an example of a cyber attack affecting industrial environments and safety-related operations.
ICS-targeting malware cited as demonstrating the ability to disrupt operations, cause outages, and inflict physical damage.
ICS malware highlighted for its ability to interfere with industrial processes and potentially cause physical damage in critical infrastructure environments.
Namesake, not the ICS malware: reporting on Intellexa's Predator spyware describes a separate component called "Triton", a delivery vector for Samsung Exynos devices that uses baseband exploits, including forced 2G downgrades, to set up infection. It shares only the name with the Triconex-targeting malware covered on this page.