Security firm Dragos Inc. has identified a new advanced persistent threat (APT) group, named SandViper, conducting a widespread cyber-espionage campaign against the global energy sector. The campaign primarily targets oil and gas companies, particularly those involved in liquefied natural gas (LNG) in the Middle East and Europe. The group employs a new, modular backdoor called DuneStalker to achieve its objectives. The malware is designed for stealth and long-term persistence, enabling the theft of highly sensitive operational technology (OT) and proprietary business data. The campaign highlights the increasing focus of sophisticated threat actors on critical infrastructure for strategic intelligence gathering.
SandViper is a highly sophisticated threat actor that has been active since at least late 2025. Their operations demonstrate a deep understanding of the energy sector, targeting specific individuals like engineers and project managers with tailored social engineering lures.
The SandViper campaign is notable for its patience and focus on stealth. The use of a watering hole attack combined with a browser exploit is a sophisticated method for gaining initial access that can bypass some traditional email security.
The DuneStalker malware is designed to operate under the radar. Its modularity allows it to load different capabilities as needed, such as:
.dxf, .dwg) and production data.

While Dragos has not made a formal attribution, they note that SandViper's TTPs and targeting align with the strategic interests of nation-states like Russia and Iran, both of which have a history of targeting the energy sector.
- T1566.002 - Spearphishing Link - Sending emails with links to malicious sites.
- T1189 - Drive-by Compromise - Exploiting a browser vulnerability on the watering hole site.
- T1203 - Exploitation for Client Execution - The browser exploit that drops the malware.
- T1547.001 - Registry Run Keys / Startup Folder - A likely method for the backdoor to maintain persistence.
- T1005 - Data from Local System - Collecting sensitive files related to OT and business operations.
- T1071.001 - Web Protocols - DuneStalker likely uses HTTP/S for C2 communications.
- T1048 - Exfiltration Over Alternative Protocol - Stealing the collected OT and project data.

The primary impact of this campaign is economic and strategic espionage. By stealing sensitive data, SandViper's sponsors can gain significant advantages:
The Dragos report is said to contain a full list of IOCs, but they were not enumerated in the source articles. Organizations in the energy sector are advised to obtain the full report from Dragos for these details.
Process Analysis.

Keeping web browsers and their plugins fully patched is the primary defense against drive-by compromise attacks.
Training employees to spot and report sophisticated spear-phishing emails is crucial to prevent them from clicking malicious links.
Strictly segmenting IT and OT networks is critical in the energy sector to prevent an IT compromise from spilling over into industrial control systems.
Using web filtering and DNS security to block access to uncategorized or newly registered domains can prevent users from reaching watering hole sites.
Maintain a strict and timely patching schedule for all client-side software, especially web browsers and their associated plugins. The SandViper attack relies on exploiting a browser vulnerability. A robust patch management program that ensures browsers are updated enterprise-wide within days of a patch release would neutralize this initial access vector. This is particularly important for engineers and project managers who are prime targets and may have access to both IT and OT environments.
Implement a DNS security solution that blocks access to known malicious domains, as well as newly registered and uncategorized domains. The watering hole sites used by SandViper are likely hosted on recently created domains. A protective DNS service can prevent the user's browser from ever connecting to the malicious site, even if the user clicks the spear-phishing link. This proactive blocking mechanism is highly effective against campaigns that rely on new infrastructure.
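The protective-DNS policy described above (block known-malicious, newly registered and uncategorized domains), as an added example that is not part of the original article or of any Dragos tooling. The registration feed, the DNS log lines and the domain names are all constructed for illustration; the 30-day threshold is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date

# Constructed registration/category feed standing in for a WHOIS or
# threat-intel export: domain -> (registration date, category or None).
# None means the categorization service has no verdict yet.
REGISTRATION_FEED = {
    "vendor-portal.example": (date(2019, 3, 4), "business"),
    "lng-industry-news.example": (date(2026, 1, 20), None),   # new and uncategorized
    "old-uncategorized.example": (date(2020, 1, 1), None),    # old but never categorized
    "known-bad.example": (date(2025, 11, 2), "malicious"),
    "cdn.example": (date(2012, 6, 1), "infrastructure"),
}

NEW_DOMAIN_DAYS = 30  # assumed policy: domains younger than this are blocked


@dataclass
class Verdict:
    domain: str
    action: str  # "allow" or "block"
    reason: str


def evaluate_query(domain: str, today: date, feed=REGISTRATION_FEED) -> Verdict:
    """Apply the block policy to one queried name; unknown names fail closed."""
    info = feed.get(domain)
    if info is None:
        return Verdict(domain, "block", "no registration record")
    registered, category = info
    if category == "malicious":
        return Verdict(domain, "block", "known malicious")
    age = (today - registered).days
    if age < NEW_DOMAIN_DAYS:
        return Verdict(domain, "block", f"newly registered ({age} days old)")
    if category is None:
        return Verdict(domain, "block", "uncategorized")
    return Verdict(domain, "allow", f"category {category}, {age} days old")


def evaluate_log(lines, today: date):
    """Parse constructed 'timestamp client qname' log lines; return (client, Verdict) pairs."""
    verdicts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing
        _, client, qname = parts
        verdicts.append((client, evaluate_query(qname.rstrip(".").lower(), today)))
    return verdicts


SAMPLE_LOG = [  # constructed resolver log, not real traffic
    "2026-02-01T09:14:02Z 10.20.5.17 lng-industry-news.example.",
    "2026-02-01T09:14:05Z 10.20.5.17 vendor-portal.example.",
    "2026-02-01T09:15:11Z 10.20.5.42 known-bad.example.",
]
```

Running `evaluate_log(SAMPLE_LOG, date(2026, 2, 1))` blocks the first and third query and allows the second; the block reasons are what the SOC would alert on, since a "newly registered" verdict from a user who just received an email link is exactly the T1566.002 to T1189 sequence the article describes.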
For organizations in the energy sector, the strict isolation of the Operational Technology (OT) network from the corporate IT network is non-negotiable. The campaign's goal is to steal OT data. A well-designed network architecture with a demilitarized zone (DMZ) and unidirectional gateways for any necessary data flow from OT to IT can prevent an attacker who compromises an IT workstation from pivoting into the sensitive control systems environment. All traffic between these zones must be inspected and logged.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.