Source Code for TRK25 SCADA Hacking Tool Leaked Online, Increasing Risk to Industrial Control Systems

SCADA Hacking Tool 'TRK25' Source Code Leaked, Lowering Bar for ICS Attacks

Severity: HIGH
July 4, 2026
Categories: Industrial Control Systems, Malware, Threat Actor

Related Entities

Threat Actors

Infrastructure Destruction Squad (also known as Dark Engine)

Organizations

Siemens, Ransom-ISAC, Forescout

Products & Tech

PyQt5, Modbus

Other

TRK25 ADVANCED SCADA

Executive Summary

The source code for TRK25 ADVANCED SCADA, a malicious tool designed for attacking Industrial Control Systems (ICS), has been leaked to the public. The tool, developed by a threat actor known as Infrastructure Destruction Squad (or Dark Engine), automates the process of finding and compromising internet-exposed Operational Technology (OT) assets. TRK25 focuses on exploiting weak credentials for common industrial and remote access protocols rather than zero-day vulnerabilities. The public availability of this tool's source code dramatically lowers the skill threshold required to launch attacks against critical infrastructure, creating a significant risk for any organization with internet-facing OT equipment.

Threat Overview

TRK25 is a user-friendly hacking utility built with Python and PyQt5. It was originally sold on underground forums for approximately $500. Its purpose is to streamline attacks against ICS environments.

  • Functionality: The tool scans for devices, fingerprints services, and attempts to compromise them using credential stuffing or default passwords.
  • Targeted Protocols: It specifically targets common industrial protocols like Modbus (TCP/502) and remote administration services such as VNC (TCP/5900), RDP (TCP/3389), and SSH (TCP/22).
  • Target Prioritization: TRK25 includes a scoring algorithm to prioritize high-value targets, with a specific focus on Siemens S7 systems.
  • Post-compromise collection: After a successful login, the tool captures screenshots from the Human-Machine Interface (HMI), collects system metadata, and exfiltrates this information to the attacker. The resulting access is often sold on to other threat actors, including ransomware groups and state-sponsored APTs.

Technical Analysis

TRK25 automates the early stages of an ICS intrusion: it discovers internet-exposed hosts, fingerprints the services they run (Modbus on TCP/502 and the VNC, RDP and SSH remote-access services), then works through default and commonly reused credentials against those remote-access services, scoring the results so that Siemens S7 systems are prioritized. It relies on weak credentials rather than on zero-day vulnerabilities.

The danger of TRK25 is therefore not its technical sophistication but its automation and ease of use. It commoditizes the initial access phase of ICS attacks, enabling a wider range of adversaries to target critical infrastructure.

Impact Assessment

The leak of TRK25's source code significantly increases the threat to under-secured industrial environments. The potential impacts include:

  • Increased Attack Volume: Less-skilled actors can now easily scan the internet for vulnerable OT devices and attempt to compromise them.
  • Access Brokering: Compromised access gained via TRK25 can be sold to more capable threat actors, who could then cause physical disruption, sabotage industrial processes, or deploy ransomware like EKANS or LockerGoga.
  • Safety Risks: Unauthorized access to HMIs controlling physical processes can lead to unsafe operating conditions, potentially causing equipment damage, environmental incidents, or even loss of life.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were mentioned in the source articles.

Cyber Observables — Hunting Hints

Security teams for industrial environments should hunt for signs of scanning and brute-force attempts. The following patterns could indicate related activity:

  • Port: 502 (Modbus), 5900 (VNC), 3389 (RDP), 22 (SSH). Monitor for a high volume of inbound connection attempts to these industrial and administrative ports from unknown IP addresses.
  • Log Source: Authentication logs. A spike in failed login attempts for VNC, RDP, or SSH services on an HMI or engineering workstation is a strong indicator of a brute-force attack.
  • Network Traffic Pattern: Modbus traffic from external IPs. Any Modbus traffic originating from the public internet is highly anomalous and should be blocked and investigated immediately.

Detection & Response

  1. Network Intrusion Detection System (NIDS): Deploy a NIDS with signatures for common industrial protocols. Configure it to alert on any communication attempts from the internet to OT network segments. This is a core part of D3FEND's Network Traffic Analysis (D3-NTA).
  2. Authentication Log Monitoring: Centralize and monitor authentication logs from all remote access services. Use a SIEM to create alerts for high rates of failed logins from a single source IP.
  3. Asset Inventory: Maintain a complete and accurate inventory of all internet-facing devices. Regularly scan your public IP space to identify any accidentally exposed OT assets.
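The authentication-log monitoring step, worked as an added example that is not code from the article or from TRK25 and is not a vendor rule: constructed OpenSSH syslog lines are parsed into events, RDP failures are supplied already normalised (VNC and RDP log formats vary by product), and a sliding window per source IP raises one alert when the failure threshold is reached, labelling it credential stuffing when several usernames were tried and plain brute force when only one was. A successful login that follows such a burst is raised at higher severity, since that is the point at which the tool's screenshot and metadata collection would begin. Hostnames, addresses, the 60-second window and the threshold of 5 are assumptions.

```python
"""Flag brute-force and credential-stuffing bursts in remote-access auth logs.

Added example (not from the article or from TRK25): constructed OpenSSH syslog
lines are parsed into events, RDP events are fed in already normalised, and a
sliding window per source IP counts failures. Hostnames, addresses and the
thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH 'Failed password' / 'Accepted password' lines in RFC 3164 syslog form.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"
)


def parse_sshd(line: str, year: int = 2026):
    """Turn one sshd syslog line into an event dict, or None if it is not an auth result."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return {"ts": ts, "host": m["host"], "service": "ssh", "user": m["user"],
            "ip": m["ip"], "ok": m["result"] == "Accepted"}


def detect(events, window=timedelta(seconds=60), threshold=5):
    """Sliding-window failure count per source IP; returns alert strings in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> distinct usernames tried
    alerted = set()               # one HIGH alert per source IP
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        q = recent[e["ip"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["ok"]:
            if len(q) >= threshold:   # a burst of failures, then a valid login
                alerts.append(f"CRITICAL success after {len(q)} failures: "
                              f"{e['ip']} -> {e['user']}@{e['host']} ({e['service']})")
            continue
        q.append(e["ts"])
        users[e["ip"]].add(e["user"])
        if len(q) >= threshold and e["ip"] not in alerted:
            alerted.add(e["ip"])
            kind = "credential stuffing" if len(users[e["ip"]]) > 1 else "password brute force"
            alerts.append(f"HIGH {kind}: {e['ip']} {len(q)} failures in {int(window.total_seconds())}s, "
                          f"{len(users[e['ip']])} distinct user(s) on {e['host']} ({e['service']})")
    return alerts


# Constructed sample logs. 203.0.113.10 and 198.51.100.7 are documentation
# addresses standing in for internet hosts; hmi-01 and eng-ws-02 are assumed names.
SSHD_LINES = [
    "Jul 14 10:00:01 hmi-01 sshd[2231]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2",
    "Jul 14 10:00:05 hmi-01 sshd[2233]: Failed password for root from 203.0.113.10 port 51240 ssh2",
    "Jul 14 10:00:09 hmi-01 sshd[2235]: Failed password for operator from 203.0.113.10 port 51247 ssh2",
    "Jul 14 10:00:13 hmi-01 sshd[2237]: Failed password for invalid user siemens from 203.0.113.10 port 51251 ssh2",
    "Jul 14 10:00:17 hmi-01 sshd[2239]: Failed password for invalid user admin from 203.0.113.10 port 51260 ssh2",
    "Jul 14 10:00:21 hmi-01 sshd[2241]: Failed password for invalid user pi from 203.0.113.10 port 51266 ssh2",
    "Jul 14 10:00:30 hmi-01 sshd[2243]: Accepted password for operator from 203.0.113.10 port 51270 ssh2",
    "Jul 14 10:00:40 hmi-01 sshd[2245]: Failed password for operator from 10.0.5.20 port 40122 ssh2",
    "Jul 14 10:00:45 hmi-01 sshd[2247]: Accepted password for operator from 10.0.5.20 port 40122 ssh2",
    "Jul 14 10:00:46 hmi-01 sshd[2247]: pam_unix(sshd:session): session opened for user operator",
]
# Five RDP failures against an engineering workstation, already normalised.
RDP_EVENTS = [
    {"ts": datetime(2026, 7, 14, 10, 5, 10 * i), "host": "eng-ws-02", "service": "rdp",
     "user": "Administrator", "ip": "198.51.100.7", "ok": False}
    for i in range(5)
]


def run_sample() -> list:
    events = [e for e in map(parse_sshd, SSHD_LINES) if e] + RDP_EVENTS
    return detect(events)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The operator's single mistyped password from 10.0.5.20 stays below the threshold and produces nothing, while the external source is reported once for the burst and again, at higher severity, when one of the tried passwords works. A SIEM rule built on the same logic should key on source IP rather than on username, because credential stuffing spreads attempts across many usernames on one host.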

Mitigation

Basic cybersecurity hygiene is the most effective defense against tools like TRK25.

  1. Eliminate Internet Exposure: The most critical mitigation is to ensure that no ICS/OT devices, especially HMIs and PLCs, are directly accessible from the internet. Use a properly configured firewall and a DMZ for any necessary remote access. This is a form of Network Isolation (D3-NI).
  2. Strong Credentials: Immediately change all default passwords on ICS devices and enforce a strong, unique password policy for all accounts. This directly counters the tool's primary attack method and aligns with Strong Password Policy (D3-SPP).
  3. Network Segmentation: Implement robust network segmentation between IT and OT networks to prevent attackers from pivoting from a compromised IT system to the industrial environment (M1030 - Network Segmentation).
  4. Multi-Factor Authentication (MFA): Where possible, enable MFA for all remote access to the OT network to provide a critical layer of defense against credential stuffing (M1032 - Multi-factor Authentication).

Timeline of Events

  1. February 1, 2026: TRK25 tool is first advertised on Telegram.
  2. April 1, 2026: Security researchers publish initial analyses of the tool after its source code is leaked.
  3. July 4, 2026: This article was published.

MITRE ATT&CK Mitigations

  • The most important mitigation is to prevent ICS/OT devices from being exposed to the internet.
  • Enforcing strong, unique passwords and changing defaults defeats the primary attack method of this tool.
  • Properly segmenting IT and OT networks prevents attackers from reaching industrial systems.
  • Applying MFA to all remote access points provides a critical defense layer against credential-based attacks.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

ICS, SCADA, TRK25, Source Code Leak, Hacking Tool, Critical Infrastructure, OT Security, Modbus
