BAUXITE
Since 2023
Dragos-designated threat group BAUXITE was implicated in multiple global campaigns targeting OT/ICS entities and specific devices. Based on capabilities and network infrastructure, this group shares substantial technical overlaps with the pro-Iranian hacktivist persona CyberAv3ngers.

BAUXITE is capable of Stage 2 of the ICS Cyber Kill Chain and has demonstrated the ability to compromise PLCs and deploy custom backdoors on OT devices. The group is active on OT/ICS-focused forums and extensively monitors security advisories covering OEM products and ICS protocols, likely documenting and cataloging known vulnerabilities to target in future campaigns.
BAUXITE’s targeting strategies and operational focus have evolved under state-sponsored directives or geopolitical pressures. Through 2025, BAUXITE is expected to enhance its capabilities and attempt to conduct disruptive operations against OT/ICS entities globally.
About Dragos Threat Intelligence
Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate or conduct political attribution of threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’s approach to categorizing threat activity and attribution.
Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances in order to limit tradecraft proliferation. However, full details on BAUXITE and other group tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.