Sylvanite
SYLVANITE is a threat group tracked by Dragos as a large-scale initial access broker that targets industrial and critical infrastructure organizations through internet-facing systems. Dragos describes SYLVANITE as an initial access broker for VOLTZITE, which Dragos assesses to be highly correlated with Volt Typhoon: SYLVANITE rapidly weaponizes disclosed vulnerabilities and then hands off the access it gains for deeper operational technology (OT) intrusions.

Reported targeted sectors include electric power generation, transmission and distribution, water and sewage, oil and gas, manufacturing, and other industrial organizations. Reported geographic targeting includes North America, Europe, the UK, South Korea, Guam, the Philippines, and Saudi Arabia, along with Asia and the Middle East more broadly.

According to Dragos reporting, SYLVANITE exploits known vulnerabilities in internet-facing products from F5, Ivanti, SAP, and ConnectWise. Robert M. Lee stated that the group reverse engineers disclosed vulnerabilities and can target devices within 48 hours of disclosure. For defenders, that is a shorter window than most patch cycles for internet-facing edge devices allow.

Dragos reported that SYLVANITE used tooling including Cobalt Strike, Sliver, and multiple web shells. In one cited May 2025 incident at a U.S. utility involving Ivanti Endpoint Manager Mobile (EPMM) CVE-2025-4427 and CVE-2025-4428, the attackers extracted data from the backend MySQL database, including LDAP user details and Office 365 tokens, and replayed the stolen credentials for lateral movement; Dragos said limited telemetry prevented confirmation of movement toward OT systems.

Reporting consistently characterizes SYLVANITE as an access-enablement group rather than the actor that maintains long-term access or causes effects. Across the reporting, SYLVANITE is linked to follow-on activity by VOLTZITE / Volt Typhoon.
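The May 2025 incident above, in which backend database contents (LDAP user details and Office 365 tokens) were replayed for lateral movement, is the part of this profile a detection engineer can act on directly. What follows is an added example, not code from Dragos, Mallory, or this page: it runs two simple detections over a constructed sign-in log in an invented key=value format (the account names, token IDs, and IP addresses are made up). The first flags a token that is used successfully from a second source address shortly after its first use; the second flags a single source that authenticates as many distinct accounts in a short window, which is the shape of a dumped user list being tried in bulk. The field names, thresholds, and windows are assumptions to be mapped onto your identity provider's sign-in logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events in a made-up key=value format; this is
# not real Ivanti EPMM, LDAP or Office 365 telemetry. The story: an MDM
# service account normally signs in from the EPMM host (10.20.30.5); after the
# database is dumped, its token and several harvested accounts are used from
# an unrelated address (203.0.113.44) in quick succession.
SAMPLE_LOG = """\
2025-05-14T02:10:05Z account=svc_mdm token=tok-7a1 src=10.20.30.5 result=success
2025-05-14T02:12:41Z account=svc_mdm token=tok-7a1 src=10.20.30.5 result=success
2025-05-14T03:04:09Z account=svc_mdm token=tok-7a1 src=203.0.113.44 result=success
2025-05-14T03:05:12Z account=j.doe token=tok-9c3 src=203.0.113.44 result=success
2025-05-14T03:05:30Z account=a.smith token=tok-b21 src=203.0.113.44 result=success
2025-05-14T03:06:02Z account=ops_admin token=tok-e55 src=203.0.113.44 result=failure
2025-05-14T08:30:00Z account=j.doe token=tok-9c3 src=10.20.30.77 result=success
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) token=(?P<token>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # tolerate unrelated lines
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_token_replays(events, window=timedelta(hours=24)):
    """Flag a token that is used successfully from a second source IP within
    `window` of its first observed use. Returns (token, first_ip, new_ip,
    account) once per token. Either side may be the attacker, so the analyst
    still has to decide which source is the legitimate one."""
    first_use, alerted, alerts = {}, set(), []
    for e in events:
        if e["result"] != "success":
            continue
        tok = e["token"]
        origin = first_use.setdefault(tok, e)
        if origin is e or tok in alerted:
            continue
        if e["src"] != origin["src"] and e["ts"] - origin["ts"] <= window:
            alerts.append((tok, origin["src"], e["src"], e["account"]))
            alerted.add(tok)
    return alerts


def find_multi_account_sources(events, min_accounts=3, window=timedelta(minutes=10)):
    """Source IPs that authenticate (success or failure) as at least
    `min_accounts` distinct accounts inside `window`: the shape of a harvested
    LDAP user list being replayed in bulk. Returns {src_ip: sorted accounts}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)  # events are already time-ordered
    hits = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            accounts = {x["account"] for x in in_window}
            if len(accounts) >= min_accounts:
                hits[src] = sorted(accounts)
                break
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for tok, first_ip, new_ip, acct in find_token_replays(evs):
        print(f"token {tok} ({acct}) first seen from {first_ip}, replayed from {new_ip}")
    for src, accts in find_multi_account_sources(evs).items():
        print(f"{src} authenticated as {len(accts)} accounts: {', '.join(accts)}")
```

On the sample log this reports two token replays (tok-7a1 moving from the EPMM host to 203.0.113.44, and tok-9c3 later appearing from a third address) and one source, 203.0.113.44, that authenticated as four accounts inside ten minutes. The first-seen heuristic deliberately does not assume the earlier address is the legitimate one; when the dump and replay happen before the real user next signs in, the attacker is the first-seen side, which is why the output carries both addresses for triage.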
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
An access-enablement cluster that gains initial access to operational technology and utility environments and then hands that access off to Volt Typhoon for follow-on activity.
OT-focused activity cluster described as an initial access broker supporting Volt Typhoon/Voltzite by weaponizing vulnerabilities in F5, Ivanti, and SAP products to enable downstream intrusions.
Threat group described as obtaining and weaponizing edge device vulnerabilities before patches are applied, then handing off access for deeper OT intrusions.
Dragos-tracked activity cluster newly observed targeting ICS/OT environments (the source gives no further details).