Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors

Pyroxene

Also known asPYROXENE

Pyroxene is a threat group tracked by Dragos as OT-relevant and linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). Dragos reports Pyroxene conducts supply chain-leveraged attacks and social-engineering-driven intrusions targeting defense, critical infrastructure, and industrial sectors, with observed activity expanding from the Middle East into North America and Western Europe. Pyroxene has been reported deploying data-wiping malware against organizations in Israel. Dragos also notes Pyroxene overlaps with activity attributed to Imperial Kitten (aka APT35), described as the cyber arm of the IRGC, and that Pyroxene often leverages initial access provided by an entity referred to as PARISITE to move from IT into OT networks. Known alias: Pyroxene.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Capital Goods
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics3 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
2 techniques
T1195
Supply Chain Compromise
T1566
Phishing
TA0040
Impact
1 technique
T1485×2
Data Destruction
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
the hacker newsNews
Feb 19, 2026
ThreatsDay Bulletin: OpenSSL RCE, Foxit 0-Days, Copilot Leak, AI Password Flaws & 20+ Stories

Supply-chain-leveraged intrusions against defense/critical infrastructure/industrial targets, with an IT-to-OT pivot enabled by initial access; overlaps with activity attributed to Imperial Kitten.

Read more
scworldNews
Feb 18, 2026
Dragos report: New threat groups target critical infrastructure | SC Media

Iran-linked (IRGC-associated) cluster conducting supply-chain attacks enabled by social engineering and deploying data-wiping malware against Israeli organizations.

Read more
help net securityNews
Feb 17, 2026
OT teams are losing the time advantage against industrial threat actors - Help Net Security

Named by Dragos as a newly identified (2025) threat group targeting OT environments; no additional activity details provided in the content.

Read more
register securityNews
Feb 17, 2026
China-linked crew embedded in US energy networks • The Register

Iran-aligned cluster conducting supply-chain-leveraged operations against defense/critical infrastructure/industrial targets, using recruitment-themed social engineering to deliver backdoors and other malware; also associated with data-wiping activity in Israel.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.