New 'SandViper' APT Group Targets Global Energy Sector with 'DuneStalker' Backdoor


Severity: HIGH
July 1, 2026
Categories: Threat Actor, Malware, Industrial Control Systems


Executive Summary

Security firm Dragos Inc. has identified a new advanced persistent threat (APT) group, named SandViper, conducting a widespread cyber-espionage campaign against the global energy sector. The campaign primarily targets oil and gas companies, particularly those involved in liquefied natural gas (LNG) in the Middle East and Europe. The group employs a new, modular backdoor called DuneStalker to achieve its objectives. The malware is designed for stealth and long-term persistence, enabling the theft of highly sensitive operational technology (OT) and proprietary business data. The campaign highlights the increasing focus of sophisticated threat actors on critical infrastructure for strategic intelligence gathering.


Threat Overview

SandViper is a highly sophisticated threat actor that has been active since at least late 2025. Their operations demonstrate a deep understanding of the energy sector, targeting specific individuals like engineers and project managers with tailored social engineering lures.

  • Targeting: The group's targets are not random. They are focused on oil and gas companies in strategic locations, including Saudi Arabia, the UAE, Qatar, and Germany, with a specific interest in LNG operations.
  • Initial Access: The attack chain begins with spear-phishing emails containing links to watering hole sites. These sites are designed to look like legitimate project management portals relevant to the energy sector. The sites exploit a browser vulnerability to drop the initial stage of the DuneStalker malware.
  • Malware: DuneStalker is a multi-stage, modular backdoor. This architecture allows the attackers to deploy specific modules based on the target environment, enhancing stealth and functionality. Its primary purpose is to collect and exfiltrate sensitive data.

Technical Analysis

The SandViper campaign is notable for its patience and focus on stealth. The use of a watering hole attack combined with a browser exploit is a sophisticated method for gaining initial access that can bypass some traditional email security.

The DuneStalker malware is designed to operate under the radar. Its modularity allows it to load different capabilities as needed, such as:

  • A reconnaissance module to map the internal network and identify OT systems.
  • A keylogging and screen-capturing module to steal credentials and monitor user activity.
  • A file-collection module that can target specific file types related to geological surveys (.dxf, .dwg) and production data.
  • A stealthy exfiltration module that likely uses encrypted channels and steganography to send data back to the C2 server.

While Dragos has not made a formal attribution, they note that SandViper's TTPs and targeting align with the strategic interests of nation-states like Russia and Iran, both of which have a history of targeting the energy sector.

Impact Assessment

The primary impact of this campaign is economic and strategic espionage. By stealing sensitive data, SandViper's sponsors can gain significant advantages:

  • Economic Advantage: Access to proprietary geological survey data, drilling plans, and LNG production metrics can provide a competitive edge in the multi-trillion-dollar energy market.
  • Strategic Intelligence: Understanding the operational capabilities and future plans of major energy producers provides valuable geopolitical intelligence.
  • Foundation for Future Attacks: The access and information gained could be used to plan future disruptive or destructive attacks against the victims' OT environments, posing a risk to critical infrastructure.

IOCs — Directly from Articles

The Dragos report is said to contain a full list of IOCs, but they were not enumerated in the source articles. Organizations in the energy sector are advised to obtain the full report from Dragos for these details.

Detection & Response

  • Detection:
    • Monitor for spear-phishing attempts and train users to recognize and report them.
    • Use web proxies and DNS filtering to block access to known malicious domains and newly registered domains that are often used in watering hole attacks.
    • Deploy EDR solutions to detect browser exploit execution and the subsequent dropping of malware payloads, in line with D3FEND's Process Analysis countermeasure.
    • Monitor network traffic for anomalous connections from corporate networks to external hosts, especially from systems in the OT environment.
  • Response:
    • If a compromise is suspected, isolate the affected workstations and servers.
    • Conduct a forensic analysis to determine the scope of the compromise and what data was exfiltrated.
    • Review and reset credentials for all users and systems in the affected network segments.
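The script below is an added illustration, not code from this article or from the Dragos report. It runs two of the detection checks above over a few proxy/DNS log lines: flagging hosts that resolve newly registered or uncategorized domains, and flagging OT-segment hosts that connect directly to external addresses. The log format, the OT subnet (10.50.0.0/16), the domain-registration table that stands in for a WHOIS/RDAP enrichment, and the 30-day age threshold are all constructed assumptions.

```python
"""Constructed proxy/DNS log triage for two of the detection recommendations
above: corporate hosts reaching newly registered or uncategorized domains,
and OT-segment hosts opening connections to external addresses.

Everything here is an assumption for illustration: the log format, the OT
subnet, and the domain-registration table that stands in for a WHOIS/RDAP
enrichment. None of it is taken from the Dragos report.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date

# Assumed zone layout: the OT segment is 10.50.0.0/16; anything outside the
# RFC 1918 ranges is treated as "external".
OT_SUBNET = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed registration dates standing in for a domain-age enrichment.
DOMAIN_REGISTERED = {
    "vendor-portal-login.invalid": date(2026, 6, 20),
    "intranet.example": date(2015, 3, 1),
}
NEW_DOMAIN_DAYS = 30  # treat anything younger than this as "newly registered"
REPORT_DATE = date(2026, 7, 1)  # "today" for the sample run


@dataclass(frozen=True)
class Alert:
    rule: str
    src_ip: str
    detail: str


def parse_line(line: str) -> dict[str, str]:
    """Constructed format: '<timestamp> <src_ip> <dst_ip> <domain|-> <action>'."""
    ts, src, dst, domain, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "domain": domain, "action": action}


def is_newly_registered(domain: str, today: date) -> bool:
    """True for domains younger than NEW_DOMAIN_DAYS or absent from the
    enrichment table (uncategorized domains are treated as suspicious,
    in line with the guidance above)."""
    registered = DOMAIN_REGISTERED.get(domain)
    if registered is None:
        return True
    return (today - registered).days < NEW_DOMAIN_DAYS


def is_ot_to_external(src: str, dst: str) -> bool:
    """True when an OT-segment host talks directly to a non-internal address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in OT_SUBNET and not any(d in net for net in INTERNAL_NETS)


def analyze(lines: list[str], today: date) -> list[Alert]:
    """Apply both checks to every line and return the resulting alerts."""
    alerts: list[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec["domain"] != "-" and is_newly_registered(rec["domain"], today):
            alerts.append(Alert("newly_registered_domain", rec["src"], rec["domain"]))
        if is_ot_to_external(rec["src"], rec["dst"]):
            alerts.append(Alert("ot_egress_to_external", rec["src"], rec["dst"]))
    return alerts


# Constructed sample log; 203.0.113.0/24 is a documentation-only range.
SAMPLE_LOG = [
    "2026-07-01T09:12:03Z 10.10.4.21 203.0.113.10 vendor-portal-login.invalid allow",
    "2026-07-01T09:15:44Z 10.50.7.9 203.0.113.55 - allow",
    "2026-07-01T09:16:10Z 10.10.4.22 10.20.1.5 intranet.example allow",
    "2026-07-01T09:18:02Z 10.50.7.9 10.20.3.40 - allow",
]


def triage_sample() -> list[Alert]:
    """Run the checks over the constructed sample as of REPORT_DATE."""
    return analyze(SAMPLE_LOG, REPORT_DATE)


if __name__ == "__main__":
    for a in triage_sample():
        print(f"{a.rule:<24} src={a.src_ip:<12} {a.detail}")
```

In a real deployment the `DOMAIN_REGISTERED` table would be replaced by an RDAP/WHOIS or protective-DNS categorization lookup; the design point carried over from the guidance above is that an unknown domain is treated as suspicious by default rather than waved through, and that any OT-to-external connection is alert-worthy regardless of destination reputation.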

Mitigation

  • Browser Security: Ensure all web browsers are kept up-to-date with the latest security patches to prevent drive-by compromise attacks.
  • Email Security: Implement advanced email security solutions that can analyze links and detect phishing attempts.
  • Network Segmentation: Maintain a strict separation between IT and OT networks. Monitor and control all traffic that passes between these two environments.
  • User Training: Conduct regular user awareness training focused on identifying spear-phishing and social engineering attempts.
  • Threat Intelligence: Organizations in the energy sector should subscribe to and consume threat intelligence feeds specific to their industry, such as the information provided by Dragos and other ICS/OT security vendors.

Timeline of Events

July 1, 2026: This article was published.

MITRE ATT&CK Mitigations

Keeping web browsers and their plugins fully patched is the primary defense against drive-by compromise attacks.

Training employees to spot and report sophisticated spear-phishing emails is crucial to prevent them from clicking malicious links.

Strictly segmenting IT and OT networks is critical in the energy sector to prevent an IT compromise from spilling over into industrial control systems.

Using web filtering and DNS security to block access to uncategorized or newly registered domains can prevent users from reaching watering hole sites.

D3FEND Defensive Countermeasures

Maintain a strict and timely patching schedule for all client-side software, especially web browsers and their associated plugins. The SandViper attack relies on exploiting a browser vulnerability. A robust patch management program that ensures browsers are updated enterprise-wide within days of a patch release would neutralize this initial access vector for any vulnerability that already has a fix available. This is particularly important for engineers and project managers, who are prime targets and may have access to both IT and OT environments.

Implement a DNS security solution that blocks access to known malicious domains, as well as newly registered and uncategorized domains. The watering hole sites used by SandViper are likely hosted on recently created domains. A protective DNS service can prevent the user's browser from ever connecting to the malicious site, even if they click the spear-phishing link. This proactive blocking mechanism is highly effective against campaigns that rely on new infrastructure.

For organizations in the energy sector, the strict isolation of the Operational Technology (OT) network from the corporate IT network is non-negotiable. The campaign's goal is to steal OT data. A well-designed network architecture with a demilitarized zone (DMZ) and unidirectional gateways for any necessary data flow from OT to IT can prevent an attacker who compromises an IT workstation from pivoting into the sensitive control systems environment. All traffic between these zones must be inspected and logged.
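As an added example that is not part of this article or the Dragos report, the script below audits a small zone-based firewall ruleset against the segmentation policy just described (OT reaches only the DMZ, the DMZ relays to IT, IT never initiates into OT, and OT never reaches the internet directly) and simulates first-match evaluation so the weak and hardened rulesets can be compared. The zone names, the historian port 4840, the rule syntax and both rulesets are constructed assumptions, not any vendor's configuration format.

```python
"""Constructed audit of a zone-based firewall ruleset against the IT/OT
segmentation policy described above. Zone names, ports, rule syntax and
the two rulesets are assumptions for this example only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "IT", "OT", "DMZ", "INTERNET" or "any"
    dst_zone: str
    port: str       # TCP port as a string, or "any"
    action: str     # "allow" or "deny"


# The only flows the segmentation policy permits (assumed values):
# OT -> DMZ historian on 4840, and DMZ <-> IT over 443. There is deliberately
# no IT -> OT entry and no OT -> INTERNET entry.
ALLOWED_FLOWS = {
    ("OT", "DMZ"): {"4840"},
    ("DMZ", "IT"): {"443"},
    ("IT", "DMZ"): {"443"},
}
DENY_ALL = Rule("any", "any", "any", "deny")


def audit(rules: list[Rule]) -> list[str]:
    """Return one finding per allow rule outside ALLOWED_FLOWS, plus a finding
    if the ruleset does not end with an explicit deny-all."""
    findings: list[str] = []
    for idx, r in enumerate(rules):
        if r.action != "allow":
            continue
        permitted = ALLOWED_FLOWS.get((r.src_zone, r.dst_zone), set())
        if r.port == "any" or r.port not in permitted:
            findings.append(
                f"rule {idx}: allow {r.src_zone}->{r.dst_zone}:{r.port} "
                "is outside the segmentation policy"
            )
    if not rules or rules[-1] != DENY_ALL:
        findings.append("ruleset does not end with an explicit deny-all")
    return findings


def first_match(rules: list[Rule], src_zone: str, dst_zone: str, port: str) -> str:
    """Simulate first-match evaluation; the implicit default is deny."""
    for r in rules:
        if (r.src_zone in (src_zone, "any")
                and r.dst_zone in (dst_zone, "any")
                and r.port in (port, "any")):
            return r.action
    return "deny"


# Constructed "before": broad IT -> OT access and direct OT internet egress.
WEAK_RULESET = [
    Rule("IT", "OT", "any", "allow"),
    Rule("OT", "INTERNET", "443", "allow"),
    Rule("OT", "DMZ", "4840", "allow"),
    DENY_ALL,
]

# Constructed "after": only the policy flows, then deny everything else.
HARDENED_RULESET = [
    Rule("OT", "DMZ", "4840", "allow"),
    Rule("DMZ", "IT", "443", "allow"),
    Rule("IT", "DMZ", "443", "allow"),
    DENY_ALL,
]

if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"{name}: {audit(ruleset) or ['no findings']}")
        print(f"  OT->INTERNET:443 would be {first_match(ruleset, 'OT', 'INTERNET', '443')}")
        print(f"  IT->OT:443 would be {first_match(ruleset, 'IT', 'OT', '443')}")
```

The audit is intentionally allow-list driven: a rule is only acceptable if the exact zone pair and port appear in the policy, so a wildcard port or an unexpected zone pair is a finding rather than something that has to be matched against a deny-list. The `first_match` simulation is what makes the difference concrete: under the weak ruleset an OT host's outbound 443 connection is permitted, under the hardened one it falls through to the deny-all.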

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

apt, espionage, energy sector, ot security, ics, malware, watering hole
