CRITICAL
Malware
Verified
Europe

Sandworm Targets European Energy Companies with Industroyer3 Variant

Wednesday, March 25, 2026 at 06:00 AM UTC · Source: CERT-EU / Mandiant

Updated: Thursday, March 26, 2026 at 10:00 AM UTC

Executive Summary

Sandworm has deployed an Industroyer3 variant against energy companies in Poland and the Baltic states. The ICS-specific payload targets Siemens SIPROTEC relays.

Analysis

CERT-EU and Mandiant have identified Sandworm deploying an updated variant of the Industroyer malware against energy transmission companies in Poland, Lithuania, and Estonia. The malware includes ICS-specific modules targeting Siemens SIPROTEC protective relays and ABB RTU560 devices. The attack appears timed to coincide with geopolitical tensions in the region.

Timeline

Discovered: Mar 22, 2026
Exploitation Detected: Mar 22, 2026
Published: Mar 25, 2026

Source Attribution

Originally published by CERT-EU / Mandiant on Mar 25, 2026. Verified by: CERT-EU, Mandiant, ENISA.