
"Sylvanite appears to act as a 'rapid exploitation broker' that enables the group named Voltzite to access critical infrastructure. Voltzite is known for gaining long-term access to targets, including the US electric grid. Sylvanite has been observed quickly weaponizing n-day vulnerabilities - for instance, it exploited Ivanti VPN vulnerabilities within 48 hours of their disclosure. The hackers then installed persistent web shells on F5 appliances, extracted AD credentials and then handed over access to Voltzite."
"The second group, Azurite, has also been linked to threat groups tied by other cybersecurity firms to China, including to Flax Typhoon, Ethereal Panda, and UNC5923. Some links have also been found to Voltzite. The threat group has been seen stealing operational information from manufacturing, automotive, electric, defense, oil and gas, and government organizations in Taiwan, the United States, Japan, South Korea, Australia, and Europe."
Twenty-six threat groups were tracked, with eleven active in 2025. Three new groups—Sylvanite, Azurite, and Pyroxene—emerged targeting industrial control systems and operational technology. Sylvanite acted as a rapid exploitation broker enabling Voltzite to access critical infrastructure. Sylvanite weaponized n-day vulnerabilities, exploiting Ivanti VPN flaws within 48 hours, installing persistent web shells on F5 appliances, extracting Active Directory credentials, and handing access to Voltzite. Sylvanite targeted electric power, oil and gas, water, manufacturing, and public administration across North America, Europe, and Asia. Azurite showed links to groups tied to China and to Voltzite and stole operational information from manufacturing, automotive, electric, defense, oil and gas, and government organizations.
Read at SecurityWeek