TALONITE

TALONITE is a threat activity group tracked by Dragos since July 2019. Its operations have focused on initial access compromises in the U.S. electric sector. Reported victimology also includes electric utilities in Japan and Taiwan, and its infrastructure is described as almost exclusively based in East Asia. TALONITE primarily uses spearphishing with malicious documents or executables for initial access, including engineering-themed lures designed to exploit trust. The group uses two custom multi-component malware families, LookBack and FlowCloud, and also abuses legitimate binaries or modifies legitimate binaries to add malicious functionality. Dragos describes TALONITE as blending tactics and using a mix of adversary-owned and compromised infrastructure, making the activity difficult to track and contain. The described ICS impact includes initial access, information gathering, and enabling further operations within the electric sector. Dragos reported behavioral overlap with the China-linked APT10 group, but stated it could not definitively attribute TALONITE to APT10. No additional aliases or sub-groups were provided in the content.