Skip to main content
Mallory
Back to threat actors
2 malware families

CHRYSENE

Also known asCHRYSENE

CHRYSENE is a Dragos-tracked activity group associated with initial intrusions and reconnaissance targeting industrial organizations. According to the provided content, the group has been responsible for initial intrusions since at least mid-2017 across several critical infrastructure sectors, including electric utilities, oil and gas, petrochemical, and electric generation, with an operational focus on Europe, North America, and the Middle East. The content states CHRYSENE developed from an espionage campaign that drew attention after the 2012 Shamoon cyberattack and that the group remains active and evolving. Reported tradecraft includes phishing using IT-themed lures, PowerShell for post-exploitation, watering-hole attacks, malware, and covert communications for reconnaissance. No state attribution is provided in the content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Energy
  • Capital Goods
  • Utilities
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ISMDoorCHRYSENE ... CAPABILITIES: Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR1May 25, 2026
Shamoon"CHRYSENE developed from an espionage campaign that first gained attention after the destructive Shamoon cyberattack in 2012 that impacted Saudi Aramco."1Mar 18, 2026
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
dragos blogNews
Nov 25, 2025

Espionage-oriented activity group tied (by lineage) to campaigns around the 2012 Shamoon incident; targets petrochemical, oil & gas, and electric generation; active and evolving with targeting beyond the Gulf region.

Read more
dragos blogNews
Nov 25, 2025
Your first line of defense against adversaries | Dragos

Uses watering-hole attacks, malware, and covert communication for reconnaissance.

Read more
dragos blogNews
Nov 26, 2025
Your first line of defense against adversaries | Dragos

Uses watering-hole attacks, malware, and covert communication for reconnaissance.

Read more
dragos blogNews
May 25, 2026

Initial-intrusion-focused group targeting critical infrastructure and industrial organizations for IT compromise, reconnaissance, and victim acquisition, likely to support follow-on operations by other actors.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.