Industroyer
CrashOverride, also known as Industroyer and WIN32/Industroyer, is ICS/OT malware designed to disrupt electric power infrastructure. The malware self-identifies as "crash," which led to the name CRASHOVERRIDE, but Industroyer is also widely used in reporting. It is associated with the Russian GRU-linked Sandworm Team (Unit 74455) and was used in the 2016 attack on a Ukrainian electrical transmission company, where it caused a temporary power outage in Kyiv. U.S. and allied government reporting attributes the 2016 intrusion and deployment of CrashOverride/Industroyer to Sandworm.
The malware is purpose-built to speak native industrial control system protocols to electric grid equipment rather than relying on software exploitation; the one exception is the SIPROTEC denial-of-service module listed under Vulnerabilities exploited. Public reporting from ESET and Dragos describes the original framework as modular, with payload components for four industrial protocols: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA. Through these it can communicate directly with substation equipment, remotely operate switches and circuit breakers in high-voltage substations, force breakers to remain open, and repeatedly toggle breakers until protective mechanisms isolate a substation, potentially causing a blackout. A later customized variant, Industroyer2, carried only the IEC-104 protocol and was deployed by Sandworm in an attempted April 2022 attack against a Ukrainian energy provider, targeting electrical substations.
Documented functionality includes command-and-control over Tor nodes, exfiltration of hardware profiles and previously received commands to the C2 server via HTTP POST, enumeration of remote computers in the compromised network, and a custom port scanner used to map networks. The framework also includes a data-wiper component that enumerates the Registry keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and blanks them, rendering services unbootable. For persistence, Sandworm used a trojanized version of Windows Notepad as an additional backdoor during the 2016 Ukraine electric power attack.
The malware is repeatedly cited as a landmark OT threat alongside Stuxnet, Triton/Trisis, Havex, BlackEnergy, and Incontroller/Pipedream because it was specifically tailored for operational technology and critical infrastructure disruption. Documented targeting is concentrated on the Ukrainian energy sector and electric grid infrastructure, particularly substations and transmission environments.
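As an added example (not code from the page, ESET or Dragos), the encoder and parser below show what an IEC 60870-5-104 single command (C_SC_NA_1, type 45) or double command (C_DC_NA_1, type 46) looks like on the wire, and a monitor function that flags the rapid breaker-toggling pattern described above by counting how often the commanded state of one information object address flips inside a short window. The frames, common address, IOAs and thresholds are constructed assumptions for illustration; in practice the frames would come from a span port or capture on the SCADA-to-substation link.

```python
"""IEC 60870-5-104 command frames and a toggle-burst detector.

Added example, not code from the page, ESET or Dragos. Frames, addresses
and thresholds below are constructed for illustration."""
import struct
from collections import defaultdict, deque

START = 0x68
C_SC_NA_1, C_DC_NA_1 = 45, 46   # single command (SCO) / double command (DCO)
COT_ACTIVATION = 6              # cause of transmission: activation


def build_command(type_id, ioa, on, select, ns=0, nr=0, casdu=1):
    """Encode one I-format APDU carrying a single control object.
    Control field: N(S), N(R) as 15-bit values in two LE words (bit0 = 0 for I-format).
    ASDU: type, VSQ, COT (2 bytes), common address (2 bytes), IOA (3 bytes), qualifier."""
    if type_id == C_SC_NA_1:
        element = (0x80 if select else 0x00) | (0x01 if on else 0x00)   # S/E bit | SCS
    elif type_id == C_DC_NA_1:
        element = (0x80 if select else 0x00) | (0x02 if on else 0x01)   # S/E bit | DCS
    else:
        raise ValueError("only C_SC_NA_1 and C_DC_NA_1 are encoded here")
    control = struct.pack("<HH", (ns & 0x7FFF) << 1, (nr & 0x7FFF) << 1)
    asdu = (bytes([type_id, 0x01, COT_ACTIVATION, 0x00])   # VSQ = 1 object, originator 0
            + struct.pack("<H", casdu)
            + ioa.to_bytes(3, "little")
            + bytes([element]))
    return bytes([START, len(control) + len(asdu)]) + control + asdu


def parse_apdu(buf):
    """Decode an APDU. Returns None for S/U-format frames, else a dict with
    sequence numbers, type, COT, common address and the decoded command objects."""
    if len(buf) < 6 or buf[0] != START:
        raise ValueError("not an IEC-104 APDU")
    apdu_len = buf[1]
    if apdu_len < 4 or len(buf) < 2 + apdu_len:
        raise ValueError("truncated APDU")
    if buf[2] & 0x01:                       # bit0 set: S-format (01) or U-format (11)
        return None
    asdu = buf[6:2 + apdu_len]
    if len(asdu) < 6:
        raise ValueError("ASDU header too short")
    type_id, vsq, cot = asdu[0], asdu[1], asdu[2] & 0x3F
    pdu = {"ns": struct.unpack("<H", buf[2:4])[0] >> 1,
           "nr": struct.unpack("<H", buf[4:6])[0] >> 1,
           "type_id": type_id, "cot": cot,
           "casdu": struct.unpack("<H", asdu[4:6])[0], "objects": []}
    if type_id in (C_SC_NA_1, C_DC_NA_1):
        count, sequenced = vsq & 0x7F, bool(vsq & 0x80)
        pos, ioa = 6, None
        for i in range(count):
            if i == 0 or not sequenced:     # SQ=1: one IOA, then consecutive objects
                ioa = int.from_bytes(asdu[pos:pos + 3], "little")
                pos += 3
            else:
                ioa += 1
            qual = asdu[pos]
            pos += 1
            on = bool(qual & 0x01) if type_id == C_SC_NA_1 else (qual & 0x03) == 0x02
            pdu["objects"].append({"ioa": ioa, "on": on, "select": bool(qual & 0x80)})
    return pdu


def find_toggle_bursts(frames, window_ms=2000, min_flips=4):
    """Flag (common address, IOA) pairs whose executed state flips at least
    min_flips times inside window_ms. frames: iterable of (ts_ms, apdu_bytes).
    Returns {(casdu, ioa): most flips seen in one window}."""
    last_state, flips, alerts = {}, defaultdict(deque), {}
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        pdu = parse_apdu(raw)
        if pdu is None or pdu["cot"] != COT_ACTIVATION:
            continue
        for obj in pdu["objects"]:
            if obj["select"]:               # count the execute half only
                continue
            key = (pdu["casdu"], obj["ioa"])
            prev = last_state.get(key)
            last_state[key] = obj["on"]
            if prev is None or prev == obj["on"]:
                continue
            q = flips[key]
            q.append(ts)
            while ts - q[0] > window_ms:
                q.popleft()
            if len(q) >= min_flips:
                alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def demo_frames():
    """Constructed traffic: a keep-alive, one normal select/execute on IOA 200,
    then six rapid executes alternating IOA 100 on/off (the cycling pattern)."""
    frames = [(0, bytes([START, 0x04, 0x43, 0x00, 0x00, 0x00])),      # U-format TESTFR act
              (10, build_command(C_DC_NA_1, 200, True, select=True, ns=0, nr=0)),
              (60, build_command(C_DC_NA_1, 200, True, select=False, ns=1, nr=1))]
    state = False
    for i in range(6):
        frames.append((1000 + 100 * i,
                       build_command(C_SC_NA_1, 100, state, select=False, ns=2 + i, nr=2)))
        state = not state
    return frames


def run_demo():
    return find_toggle_bursts(demo_frames())


if __name__ == "__main__":
    print(run_demo())   # {(1, 100): 5}
```

The detector ignores select frames and counts only executed state changes, so a normal select-before-execute on one breaker never trips it; a threshold of a few flips in a couple of seconds is far outside any legitimate operator action on a single IOA.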
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2015-5374 (SIPROTEC 4 / SIPROTEC Compact denial of service). ESET's analysis describes a dedicated DoS module that sends crafted UDP packets to port 50000, exploiting CVE-2015-5374 and leaving the SIPROTEC digital relay in an unresponsive state; Dragos covers the same module under "Using CVE-2015-5374 to Hamper Protective Relays". Siemens released a patch for this in July 2015 under advisory SSA-732541.
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
For example, industrial attack techniques employed by Triton and Industroyer were used by actors ranging from FIN11 to FIN6 during ransomware deployment, extortion and other activities.
Signature Malware: Custom wipers (e.g. “Av3ngers” family), Industroyer-like ICS tools, Rust-enhanced payloads.
Public reports from ESET and Dragos outlining a new, highly capable Industrial Control Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine... the CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
1 technique
Persistence
2 techniques
The defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).
Privilege Escalation
1 technique
Stealth
6 techniques
Public reporting repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly packing, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
'Kills' the legitimate master process on the victim host and masquerades as the new master.
Public reporting repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Malware families such as CrashOverride and BlackEnergy, among others, demonstrate the ability to disrupt physical processes, while living-off-the-land (LOTL) techniques allow attackers to blend into normal operations.
Discovery
8 techniques
Public reporting repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
Public reporting repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
Without a configuration file, it enumerates the local network to identify potential targets.
The command sequence polls the target device for the appropriate addresses.
The first action is to try to kill the communications service process which acts as the master process.
The backdoor then sends a series of HTTP POST requests with the victim’s Windows GUID (a unique identifier set with every Windows installation) in the HTTP body.
"...has a command to retrieve metadata for files on disk as well as a command to list the current working directory." / "...can list files and directories." / "...used the following commands... to obtain information about files and directories: dir c:\ >> %temp%\download ..."
The HAVEX malware leveraged legitimate functionality in the OPC protocol to map out the industrial equipment and devices on an ICS network.
Lateral Movement
2 techniques
The report notes that adversaries are exploiting weak segmentation, compromised credentials and supply chain vulnerabilities to pivot from IT into OT networks.
A key concern is the exposure of ICS devices to the internet, especially those using legacy protocols like Modbus... This makes internet-exposed devices particularly vulnerable, as attackers can both read and modify data without needing credentials.
Collection
1 technique
It enumerates all OPC servers and their associated items looking for a subset related to ABB containing the string ctl.
Command and Control
6 techniques
AsyncRAT can proxy C2 through a Tor client. Attor has used Tor for C2 communication. Cyclops Blink has used Tor nodes for C2 traffic. GreyEnergy has used Tor relays for Command and Control servers. Siloscape uses Tor to communicate with C2. WannaCry uses Tor for command and control traffic.
After authentication opens HTTP channel to external command and control server (C2) through internal proxy
On execution, the malware attempts to contact a hard-coded proxy address located within the local network. ELECTRUM must establish the internal proxy before the installation of the backdoor.
During the 2025 Poland Wiper Attacks, the adversaries utilized Tor nodes for C2. APT28 has routed traffic over Tor and VPN servers to obfuscate their activities. A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.
“Sandworm Team pushed additional malicious tools onto an infected system…”; repeated throughout: “can download additional payloads/files/modules from C2” and “upload/download files to/from victim’s machine.”
Access to the ICS network flows through a backdoor module.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Impact
4 techniques
Overwrites all ICS configuration files across the hard drives and all mapped network drives, specifically targeting ABB PCM600 configuration files in this sample.
The first action is to try to kill the communications service process which acts as the master process.
the module sends UDP packets to port 50000 exploiting CVE-2015-5374 causing the SIPROTEC digital relay to fall into an unresponsive state
The first task of the wiper writes zeros into all of the registry keys in: SYSTEM\CurrentControlSet\Services
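As an added example (not from the page or from any vendor), the hunt below runs over constructed Sysmon Event ID 13 (RegistryEvent SetValue) records and flags a single process that blanks the ImagePath of many services under HKLM\SYSTEM\CurrentControlSet\Services within a short window, which is the registry half of the wiper behaviour described above. The key=value export format, the "(Empty)" rendering of a zero-length value, the process names and the thresholds are assumptions made for the example.

```python
"""Hunt for one process blanking many service registry entries (wiper pattern).

Added example, not code from the page or any vendor. The records are
constructed Sysmon Event ID 13 (RegistryEvent SetValue) events, not telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ImagePath of any service under HKLM\SYSTEM\CurrentControlSet\Services
SERVICES_IMAGEPATH = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\ImagePath$",
    re.IGNORECASE,
)
# Assumption: Sysmon renders a zero-length REG_SZ as "(Empty)" in Details.
BLANK_DETAILS = {"(Empty)"}

# Constructed export: an installer touching one service, then a process under
# C:\Windows\Temp blanking six service ImagePath values in under two seconds.
SAMPLE_LOG = r"""
EventID=13|EventType=SetValue|UtcTime=2016-12-17 22:00:01.100|ProcessId=4120|Image=C:\Windows\System32\msiexec.exe|TargetObject=HKLM\System\CurrentControlSet\Services\UpdaterSvc\ImagePath|Details=C:\Program Files\Updater\updater.exe
EventID=13|EventType=SetValue|UtcTime=2016-12-17 22:00:02.250|ProcessId=4120|Image=C:\Windows\System32\msiexec.exe|TargetObject=HKLM\System\CurrentControlSet\Services\UpdaterSvc\Start|Details=DWORD (0x00000002)
EventID=13|EventType=SetValue|UtcTime=2016-12-17 22:05:00.000|ProcessId=5288|Image=C:\Windows\Temp\svcwipe.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Spooler\ImagePath|Details=(Empty)
EventID=13|EventType=SetValue|UtcTime=2016-12-17 22:05:00.300|ProcessId=5288|Image=C:\Windows\Temp\svcwipe.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Dhcp\ImagePath|Details=(Empty)
EventID=13|EventType=SetValue|UtcTime=2016-12-17 22:05:00.600|ProcessId=5288|Image=C:\Windows\Temp\svcwipe.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Dnscache\ImagePath|Details=(Empty)
EventID=13|EventType=SetValue|UtcTime=2016-12-17 22:05:00.900|ProcessId=5288|Image=C:\Windows\Temp\svcwipe.exe|TargetObject=HKLM\System\CurrentControlSet\Services\LanmanServer\ImagePath|Details=(Empty)
EventID=13|EventType=SetValue|UtcTime=2016-12-17 22:05:01.200|ProcessId=5288|Image=C:\Windows\Temp\svcwipe.exe|TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\ImagePath|Details=(Empty)
EventID=13|EventType=SetValue|UtcTime=2016-12-17 22:05:01.500|ProcessId=5288|Image=C:\Windows\Temp\svcwipe.exe|TargetObject=HKLM\System\CurrentControlSet\Services\EventLog\ImagePath|Details=(Empty)
"""


def parse_events(text):
    """Parse 'key=value|key=value' lines (a constructed export format) into dicts."""
    events = []
    for line in text.strip().splitlines():
        ev = dict(part.split("=", 1) for part in line.split("|"))
        ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    return events


def find_service_wiping(events, window=timedelta(seconds=10), min_services=5):
    """Return {(ProcessId, Image): [services]} for processes that blanked the
    ImagePath of at least min_services distinct services within `window`."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
            continue
        m = SERVICES_IMAGEPATH.match(ev["TargetObject"])
        if m and ev["Details"] in BLANK_DETAILS:
            per_proc[(ev["ProcessId"], ev["Image"])].append(
                (ev["UtcTime"], m.group("svc").lower()))
    alerts = {}
    for key, hits in per_proc.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):          # sliding window from each hit
            in_window = {svc for t, svc in hits[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                alerts[key] = sorted(in_window)
                break
    return alerts


def run_demo():
    return find_service_wiping(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for (pid, image), services in run_demo().items():
        print(f"pid {pid} {image} blanked {len(services)} services: {', '.join(services)}")
```

Keying on distinct service names rather than raw event count keeps a legitimate installer that rewrites one service's ImagePath several times below threshold, while a wiper that walks the whole Services hive crosses it within its first few seconds.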
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
63 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Purpose-built OT malware used to disrupt power operations, associated here with the 2016 Ukraine power grid attack.
ICS-focused malware known for disrupting physical processes in operational technology environments.
Referenced as an example of OT malware whose behavior is customized to the target environment via an external configuration file.
ICS-targeting malware cited as demonstrating the ability to disrupt operations, cause outages, and inflict physical damage.