Wassonite
WASSONITE is a Dragos-tracked activity group identified following a malware intrusion at the Kudankulam Nuclear Power Plant (KKNPP) in India. Dragos assessed the group as active since at least 2018. The group targets industrial control system (ICS)-related organizations; observed victims and targeting span electric generation, nuclear energy, manufacturing, and space- or research-related entities. Reporting places its activity primarily in South and East Asia, especially India, with likely additional targeting in Japan and South Korea.

Based on the cited reporting, WASSONITE's observed operations represent Stage 1 of the ICS kill chain: access operations in enterprise/IT networks rather than any demonstrated ICS-specific disruptive or destructive capability. Its operations rely on the DTrack malware for remote access, Mimikatz and other public tools for credential capture, and native system tools for file transfer and lateral movement. Third-party security firms have associated DTrack and related malware with the Lazarus Group. Dragos separately associates another activity group, COVELLITE, with Lazarus-related activity, but states that COVELLITE differs from WASSONITE in capabilities, infrastructure, and target overlap. Dragos states no direct political attribution for WASSONITE in the cited reporting. Known alias: wassonite.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Energy
- Capital Goods
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇮🇳 India
- 🇯🇵 Japan
- 🇰🇷 South Korea
Tradecraft
4 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news. Summaries of the reporting:
- Targets industrial sectors in Asia using spear phishing and the AppleSeed backdoor, with advanced knowledge of industrial operations.
- ICS-focused access operations targeting Asian entities, especially in India, with activity against electric generation, nuclear energy, manufacturing, and space-related research organizations. The reporting describes the activity as Stage 1 ICS kill-chain access operations within IT networks and does not indicate ICS-specific disruptive or destructive capability.
- Targets electric generation and nuclear energy (plus manufacturing and research) primarily in India; uses DTrack, credential theft, and lateral movement tooling.
- Uses known malware for remote access, credential capture, and lateral movement.