
Threat Actor Characterization

AZURITE

ID: 153d791e129374536ec34f381edd35d777718
Tags: Crimeware · Spyware/Stealer · State-Sponsored
Threat types: Cyber-Espionage, OT Intrusion
Origin: China · Target countries: AUS, JPN, TWN, USA
Updated: 2026-04-13
Created: 2026-03-23
Progress: 75% Completeness: 68% Freshness: 90%
Operation zone: Australia, Japan, Taiwan, United States
Aliases: no aliases registered.
MITRE ATT&CK®

AZURITE is a China-linked OT-focused threat cluster publicly disclosed in 2026 and assessed to overlap with activity also tracked under labels such as Flax Typhoon, Ethereal Panda, and UNC5923. Public reporting indicates that it exploits exposed edge infrastructure, pivots toward engineering workstations, and exfiltrates OT-relevant operational data including network diagrams, alarm data, PLC configuration material, and HMI-related information.


Technique mapping (technique ID, technique name, tactic IDs, evidence):

T1190 — Exploit Public-Facing Application — TA0001
  • 2026-02-17 — Public reporting states that AZURITE quickly implements public proof-of-concept exploit code and targets exposed infrastructure.
  • 2026-02-20 — Public reporting says AZURITE exploits vulnerabilities in public-facing infrastructure, particularly VPNs, firewalls, and NAS devices.
T1078 — Valid Accounts — TA0001, TA0003, TA0004, TA0005
  • 2026-02-20 — Public hunting guidance highlights analysis of valid sessions into the network via internet-facing network devices, implying abuse of legitimate access after compromise.
T1090 — Proxy — TA0011
  • 2026-02-17 — Security reporting states that AZURITE compromised SOHO routers to build proxy infrastructure.
  • 2026-02-17 — Public reporting notes use of compromised small office/home office environments to target engineering workstations.
T1218 — System Binary Proxy Execution — TA0005
  • 2026-02-17 — INFERENCE (confidence: medium): public reporting that the actor used existing software and living-off-the-land techniques to evade detection supports proxy execution through trusted binaries or legitimate software already present in the environment.
T1082 — System Information Discovery — TA0007
  • 2026-02-17 — INFERENCE (confidence: medium): sustained operations on engineering workstations and theft of environment-specific operational data imply systematic host and system information discovery.
T1046 — Network Service Discovery — TA0007
  • 2026-02-17 — INFERENCE (confidence: medium): pivoting from edge access into OT-relevant assets and building environment awareness strongly suggest network service discovery along the path to engineering workstations.
T0802 — Automated Collection (ICS) — TA0100
  • 2026-02-17 — INFERENCE (confidence: medium): exfiltration of repeated classes of operational data such as alarms, configuration files, and diagrams suggests structured or semi-automated collection activity within the OT environment.
T0840 — Network Connection Enumeration (ICS) — TA0102
  • 2026-02-17 — INFERENCE (confidence: medium): to reach engineering workstations and build environment awareness, the actor likely enumerated network connections and trust pathways in OT-adjacent segments.
T1005 — Data from Local System — TA0009
  • 2026-02-17 — Public reporting states that AZURITE exfiltrated alarm data, PLC configurations, HMI data, and OT network diagrams from target assets.
T1041 — Exfiltration Over C2 Channel — TA0010
  • 2026-02-17 — INFERENCE (confidence: medium): because public reporting confirms exfiltration of operational data but not the exact transfer mechanism, exfiltration over an established command-and-control or actor-controlled channel is a plausible mapping.
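The T1078 hunting guidance above (valid sessions arriving through internet-facing devices) and the T1046/T0840 inferences (pivoting toward engineering workstations) combine naturally into one hunt: take every successful VPN session and check whether the address it was assigned contacts the engineering-workstation segment shortly afterwards. The script below is an added example written for this profile; it is not code from the profile, from Dragos, or from any of the cited reporting. The log formats, the user names, the `10.50.0.0/24` engineering subnet, the `10.99.0.0/16` VPN pool and the two-hour pivot window are all constructed assumptions that an analyst would replace with their own environment's values.

```python
"""Hunt: valid VPN sessions that pivot into the engineering-workstation segment.

Added example for the AZURITE profile, not code from the page or from Dragos.
Log formats, hosts, users and subnets below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import re

# Assumption: engineering workstations live in this segment; VPN clients
# receive addresses from a separate pool, so any flow from pool -> segment
# is a candidate pivot worth review.
ENGINEERING_SUBNET = ipaddress.ip_network("10.50.0.0/24")
PIVOT_WINDOW = timedelta(hours=2)

# Constructed line formats for a VPN concentrator and a flow collector.
VPN_LINE = re.compile(
    r"^(?P<ts>\S+) vpn auth=success user=(?P<user>\S+) src=(?P<src>\S+) assigned=(?P<assigned>\S+)$"
)
FLOW_LINE = re.compile(r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


@dataclass
class VpnSession:
    ts: datetime
    user: str
    src: str        # external address the session came from
    assigned: str   # internal address handed to the VPN client


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_logs(lines):
    """Split a mixed log stream into VPN sessions and network flows; unknown lines are ignored."""
    sessions, flows = [], []
    for line in lines:
        m = VPN_LINE.match(line)
        if m:
            sessions.append(VpnSession(datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["assigned"]))
            continue
        m = FLOW_LINE.match(line)
        if m:
            flows.append(Flow(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return sessions, flows


def find_pivots(sessions, flows, subnet=ENGINEERING_SUBNET, window=PIVOT_WINDOW):
    """Return (user, assigned_ip, sorted engineering hosts touched) for each session whose
    assigned address reached the engineering subnet within `window` of authenticating.
    Flows outside the window are deliberately excluded so a legitimate user who connects
    hours later for other work is not conflated with a post-login pivot."""
    findings = []
    for s in sessions:
        touched = sorted({
            f.dst for f in flows
            if f.src == s.assigned
            and ipaddress.ip_address(f.dst) in subnet
            and s.ts <= f.ts <= s.ts + window
        })
        if touched:
            findings.append((s.user, s.assigned, touched))
    return findings


# Constructed sample: one ordinary session (file server only, plus an engineering
# contact well outside the window) and one session that immediately sweeps
# two engineering workstations.
SAMPLE_LOGS = [
    "2026-02-20T01:00:00 vpn auth=success user=jdoe src=198.51.100.23 assigned=10.99.0.5",
    "2026-02-20T01:02:00 flow src=10.99.0.5 dst=10.20.0.10 dport=445",
    "2026-02-20T06:30:00 flow src=10.99.0.5 dst=10.50.0.30 dport=3389",
    "2026-02-20T01:05:00 vpn auth=success user=svc_backup src=203.0.113.77 assigned=10.99.0.7",
    "2026-02-20T01:07:00 flow src=10.99.0.7 dst=10.50.0.21 dport=44818",
    "2026-02-20T01:09:00 flow src=10.99.0.7 dst=10.50.0.22 dport=3389",
]


def hunt(lines):
    """Convenience wrapper: parse then correlate."""
    sessions, flows = parse_logs(lines)
    return find_pivots(sessions, flows)


if __name__ == "__main__":
    for user, assigned, hosts in hunt(SAMPLE_LOGS):
        print(f"review: {user} ({assigned}) reached engineering hosts {', '.join(hosts)}")
```

The correlation key is the assigned VPN address rather than the external source, because that is the identity the internal flow records actually carry; the window keeps the hunt focused on activity immediately after a login, which is where the page's "valid sessions via internet-facing devices" guidance points. Feeding it real concentrator and flow exports would only require adjusting the two regular expressions.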
Strategic Intelligence
Last updated: 2026-03-23T03:40:01+00:00

AZURITE — China-linked OT reconnaissance and pre-positioning cluster

Classification: TLP:WHITE - Open Source Intelligence (OSINT)

Category: Cyber-espionage / OT intrusion preparation - Origin: China (assessed, medium confidence)

Author: iQBlack CTI Team


Executive Summary

AZURITE is a newly publicized OT-focused threat group disclosed by Dragos in February 2026. Public reporting describes the cluster as China-linked and assessed to overlap in part with activity that other vendors have tracked under labels such as Flax Typhoon, Ethereal Panda, and UNC5923. The currently visible pattern is not one of overt industrial disruption, but of targeted collection inside OT-adjacent environments, particularly engineering workstations and related operational assets.


Observed activity suggests a disciplined reconnaissance-and-preparation model. AZURITE reportedly exploits public-facing infrastructure, including small-office/home-office (SOHO) devices and other edge systems, builds proxy and pivot paths, reaches OT-relevant assets, and exfiltrates data such as alarm information, network diagrams, PLC configuration material, and HMI-related data. This makes the cluster strategically important even in the absence of confirmed destructive operations.

IOC Appendix

No content yet.
OSINT Library
Last saved: 2026-03-23T03:43:30+00:00

OSINT Library — AZURITE


2026-02-17 — Dragos — “Launched: 9th Annual Dragos OT Cybersecurity Year in Review”

Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images / Associated Evidence

No images found for this threat.