Sandworm Targets European Energy Companies with Industroyer3 Variant

Wednesday, March 25, 2026 at 06:00 AM UTC·Source: CERT-EU / Mandiant

Updated: Thursday, March 26, 2026 at 10:00 AM UTC

Executive Summary

Sandworm deploys Industroyer3 variant against energy companies in Poland and Baltic states. ICS-specific payload targets Siemens SIPROTEC relays.

Analysis

CERT-EU and Mandiant have identified Sandworm deploying an updated variant of Industroyer malware targeting energy transmission companies in Poland, Lithuania, and Estonia. The malware includes ICS-specific modules targeting Siemens SIPROTEC protective relays and ABB RTU560 devices. Attack appears timed to coincide with geopolitical tensions in the region.

Timeline

Discovered

Mar 22, 2026

Exploitation Detected

Mar 22, 2026

Published

Mar 25, 2026

Source Attribution

Originally published by CERT-EU / Mandiant on Mar 25, 2026. Verified by: CERT-EU, Mandiant, ENISA.

Related Threats

MEDIUMMalware

Cryptohack Roundup: Banking Trojan Targets Crypto Firms

<img src="https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/cryptohack-roundup-banking-trojan-targets-crypto-firms-image_small-2-a-31683.jpg" align=right hspace=4><b>Also: Indictments in Theft Case, KelpDAO Restarts Operations</b><br>This week, banking Trojan TCLBanker targeted crypto platforms, three people indicted in a violent digital assets-related robbery, Kelp DAO restarted services

5h agoBank Info Security

LOWMalware

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.

CVE-2026-20182

7h agoCisco Talos

LOWMalware

ClickFix finds a backup plan in PySoxy proxy chains

ClickFix, a one-shot social engineering technique that tricks victims into executing malicious workflows disguised as fixes to technical issues in their systems, has got a persistence upgrade. In a one-off instance, ReliaQuest researchers have spotted an intrusion chain using scheduled tasks, PowerShell-based command-and-control (C2), and a unique abuse of the decade-old open-source proxy tool PyS

1d agoCSO Online