FrostyGoop.

An ICS-specific malware discovered by Dragos in 2024 that abuses Modbus TCP to disrupt energy and heating control systems, attributed by Dragos to a Russia-linked actor and tied to a January 2024 attack on a Ukrainian municipal heating utility. It belongs to the OT / ICS / IoT category of cybersecurity.

An ICS-specific malware discovered by Dragos in 2024 that abuses Modbus TCP to disrupt energy and heating control systems, attributed by Dragos to a Russia-linked actor and tied to a January 2024 attack on a Ukrainian municipal heating utility.

FrostyGoop is an ICS-specific malware first publicly reported by Dragos in July 2024 and described as the ninth known piece of malware purpose-built to interact with industrial control systems. It is a Go binary designed to send Modbus TCP commands directly to industrial devices — most notably the ENCO heating controllers used at a Ukrainian district-heating utility in Lviv. In a January 2024 incident, FrostyGoop was used to send malicious Modbus TCP `write_multiple_registers` commands that altered controller setpoints, cutting heat for approximately 600 apartment buildings during winter for nearly two days. The malware's design assumes the attacker has already gained access to the engineering network; defenses are therefore concentrated upstream — robust IT/OT segmentation, removal of MikroTik-style edge devices with default credentials (the entry vector in the Lviv case), monitoring for unusual Modbus TCP write commands, and protocol-aware detection from OT-specific NDRs (Dragos, Claroty, Nozomi).

Defences for FrostyGoop typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: FROSTYGOOP, Modbus TCP malware (Lviv).