DYMALLOY is a long-standing threat actor that employs a range of tactics to target industrial organizations, including spear-phishing and watering hole attacks. The group has been active since at least 2015 and has been associated with activity going back to 2011. DYMALLOY's attacks have successfully compromised multiple industrial control system (ICS) targets in Turkey, Europe, and North America between late 2015 and early 2017.
In fall 2018, Dragos identified multiple new malware infections matching DYMALLOY's behavior. While the group avoids using custom toolkits or malware in its operations, which can make detection and specific attribution more difficult, its methodology overlaps with other groups like RASPITE and ALLANITE. For example, DYMALLOY uses similar techniques to embed a link to a resource in order to prompt an SMB connection and harvest Windows credentials.
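The credential-harvesting trick described above relies on a document carrying an external relationship whose target is a UNC path or file:// URI, so that opening the file makes Office reach out over SMB. The scanner below is an added defensive example, not Dragos tooling or code from the page: it opens an Office Open XML file, walks every `.rels` part, and flags external relationships that would trigger such a connection. The sample document and the `template-host.invalid` hostname are constructed here for illustration.

```python
"""Flag external relationships in an OOXML file (docx/xlsx/pptx) whose target
is a UNC path or file:// URI; opening such a file prompts an outbound SMB
connection and exposes Windows credentials. Sample document is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Raw UNC (\\host\share or //host/share) or file:// with a hostname; a
# drive-letter form such as file:///C:/... is local and is not flagged.
UNC_RE = re.compile(r"^(?:\\\\|//|file:///*(?:\\\\)?)(?P<host>[^\\/:]+)(?!:)",
                    re.IGNORECASE)


def find_smb_targets(ooxml_bytes):
    """Return (rels_part, relationship_id, target) for each external
    relationship whose target would cause an SMB connection on open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if UNC_RE.match(target):
                    hits.append((name, rel.get("Id"), target))
    return hits


def build_sample_docx(template_target):
    """Constructed minimal archive: only the settings relationships part,
    with an attachedTemplate relationship pointing at template_target."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        f'Target="{template_target}" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx("file:///\\\\template-host.invalid\\share\\t.dotm")
    for part, rel_id, target in find_smb_targets(doc):
        print(f"{part}: {rel_id} -> {target}")
```

Real documents keep such relationships in `word/_rels/settings.xml.rels` (attached templates) or `word/_rels/document.xml.rels` (hyperlinks and linked objects), and the scanner covers both because it checks every `.rels` part.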
DYMALLOY has some links to Dragonfly, another threat actor that targeted industrial organizations from 2011 to 2014. DYMALLOY's attacks have continued into recent years, and it remains an active threat to industrial organizations today. Understanding the full range of the adversary's actions is key to detecting and attributing its activity.
Description last updated: 2023-06-13T13:50:02.725Z