Havex (Dragonfly RAT)
What is Havex (Dragonfly RAT)?
An ICS-aware remote access trojan used by the Dragonfly / Energetic Bear / Berserk Bear group between 2013 and 2014 in espionage campaigns against Western energy and manufacturing sectors, notable for scanning OPC servers from inside victim networks.
Havex (Symantec's detection name is Backdoor.Oldrea) is a modular remote-access trojan used by the threat group tracked as Dragonfly (Symantec), Energetic Bear (CrowdStrike) and Crouching Yeti (Kaspersky), widely attributed to Russian state interests; the Berserk Bear name is applied to later, related activity. It was the primary RAT in a 2013–2014 espionage campaign documented by F-Secure, Symantec and ICS-CERT against energy, defense and pharmaceutical companies across Europe and North America. Distribution combined spear-phishing, watering-hole compromises of energy-sector websites, and trojanized installers served from the compromised download pages of three ICS vendors (industrial VPN, remote-maintenance and device-driver software), the first widely reported supply-chain attacks on ICS software vendors. The implant beaconed over HTTP to command-and-control pages planted on compromised legitimate websites and fetched plug-in modules from them. The notable ICS-specific module was an OPC scanner: once inside a victim network it enumerated reachable Windows hosts, then used DCOM (the OPCEnum browser service and the IOPCServerList interface) to list OPC Classic servers and record each server's CLSID, program ID, vendor string, running state and tags. The module only read server metadata; no write or control capability was observed, which points to reconnaissance for later operations rather than immediate sabotage. ICS-CERT nevertheless warned that the enumeration itself could crash some OPC servers, so even "passive" scanning is a hazard in OT. Havex is a landmark case for ICS defenders because it showed that espionage-grade tooling routinely reaches OT engineering segments via IT compromises and trojanized vendor downloads.
● Examples
- 01
A plant engineer downloads a remote-maintenance tool from the vendor's own website, not knowing the download page has been compromised; the installer sets up the legitimate tool and also drops the Havex DLL, which beacons to C2 and then begins enumerating OPC servers on the reachable engineering subnet.
- 02
Defenders trace Havex behaviour by alerting on DCOM activation and OPCEnum queries against OPC servers that originate from hosts other than the known HMIs and engineering workstations, and on any single host that enumerates many OPC servers within a short window.
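The detection idea in example 02, worked as runnable code. This is an added example for this page, not Havex code and not any vendor's published rule. It assumes a constructed, simplified DCOM/RPC log of five tab-separated fields (loosely modelled on Zeek's dce_rpc.log), a made-up allowlist of engineering workstations and a made-up OPC server inventory; the sample log lines are constructed for the demo. It goes slightly beyond the example's one-sentence rule by adding a second rule, fan-out across many OPC servers in a short window, which is the shape of the Havex OPC module's sweep.

```python
"""Flag OPC Classic / DCOM enumeration from unexpected hosts.

Added example for this page; not Havex code and not a vendor rule.
Assumptions (not from the page): the log format is a constructed,
simplified view of DCOM/RPC traffic (ts, orig_h, resp_h, resp_p, endpoint)
loosely modelled on Zeek's dce_rpc.log; the engineering-host allowlist and
OPC server inventory are made up for the demo.
"""
from collections import defaultdict

# Hosts permitted to talk OPC/DCOM to the servers (HMIs, engineering stations). Constructed.
ENGINEERING_HOSTS = {"10.20.1.10", "10.20.1.11"}
# Inventory of OPC Classic servers on the plant network. Constructed.
OPC_SERVERS = {"10.20.5.20", "10.20.5.21", "10.20.5.22", "10.20.5.23"}
# RPC/DCOM endpoints a client touches before it can call any OPC interface:
# the endpoint mapper on TCP 135, then remote COM activation of OPCEnum or a server.
DCOM_SETUP = {"epmapper", "ISystemActivator", "IRemoteSCMActivator", "IOXIDResolver"}

FAN_OUT_THRESHOLD = 3     # distinct OPC servers activated by one host ...
FAN_OUT_WINDOW_S = 300.0  # ... within this window looks like enumeration, not operation

# Constructed sample: one legitimate HMI session, one Havex-style sweep from an
# office host, and one single unauthorized activation from another host.
SAMPLE_LOG = """\
1403000001.1\t10.20.1.10\t10.20.5.20\t135\tISystemActivator
1403000002.3\t10.20.1.10\t10.20.5.20\t49154\tIOPCServerList
1403000100.0\t10.20.3.77\t10.20.5.20\t135\tepmapper
1403000100.4\t10.20.3.77\t10.20.5.20\t135\tISystemActivator
1403000101.2\t10.20.3.77\t10.20.5.21\t135\tISystemActivator
1403000102.0\t10.20.3.77\t10.20.5.22\t135\tISystemActivator
1403000102.9\t10.20.3.77\t10.20.5.23\t135\tISystemActivator
1403000200.0\t10.20.7.5\t10.20.5.21\t135\tISystemActivator
"""


def parse_log(text):
    """Parse tab-separated records into dicts; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, endpoint = line.split("\t")
        events.append({"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
                       "resp_p": int(resp_p), "endpoint": endpoint})
    return events


def detect(events, engineering_hosts=ENGINEERING_HOSTS, opc_servers=OPC_SERVERS):
    """Return alerts as (rule, source_host, detail) tuples.

    Rule 1, unauthorized_opc_dcom: a host outside the allowlist setting up DCOM
    against a known OPC server (one alert per source/server pair).
    Rule 2, opc_fan_out: any host, allowlisted or not, activating at least
    FAN_OUT_THRESHOLD distinct OPC servers inside FAN_OUT_WINDOW_S seconds.
    Rule 2 deliberately covers allowlisted hosts: a compromised HMI is exactly
    where the Havex OPC module would run from.
    """
    alerts = []
    seen_pairs = set()
    per_source = defaultdict(list)  # orig_h -> [(ts, resp_h)] for DCOM setup to OPC servers
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["resp_h"] not in opc_servers or ev["endpoint"] not in DCOM_SETUP:
            continue
        per_source[ev["orig_h"]].append((ev["ts"], ev["resp_h"]))
        pair = (ev["orig_h"], ev["resp_h"])
        if ev["orig_h"] not in engineering_hosts and pair not in seen_pairs:
            seen_pairs.add(pair)
            alerts.append(("unauthorized_opc_dcom", ev["orig_h"], ev["resp_h"]))
    for orig_h, seq in per_source.items():
        # Slide a window over this source's time-ordered activations; the first
        # window that reaches the threshold raises the alert once.
        for i, (t0, _) in enumerate(seq):
            servers = {h for t, h in seq[i:] if t - t0 <= FAN_OUT_WINDOW_S}
            if len(servers) >= FAN_OUT_THRESHOLD:
                alerts.append(("opc_fan_out", orig_h, len(servers)))
                break
    return alerts


def run_demo(log_text=SAMPLE_LOG):
    """Parse the constructed log and return the alerts it produces."""
    return detect(parse_log(log_text))


if __name__ == "__main__":
    for rule, host, detail in run_demo():
        print(f"{rule:22} {host:12} {detail}")
```

On the constructed log the office host 10.20.3.77 trips both rules (four unauthorized pairs plus a fan-out of four servers in under three seconds), 10.20.7.5 trips only the first, and the HMI 10.20.1.10 is silent. In a real deployment the inputs would be a DCOM/RPC log such as Zeek's dce_rpc.log joined with the asset inventory; the OPC Classic dependency on DCOM (TCP 135 plus dynamic ports) is what makes the enumeration visible at the RPC layer at all, so restricting that range to the allowlist turns the same data into a preventive control.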
● Frequently asked questions
What is Havex (Dragonfly RAT)?
An ICS-aware remote access trojan used by the Dragonfly / Energetic Bear / Berserk Bear group between 2013 and 2014 in espionage campaigns against Western energy and manufacturing sectors, notable for scanning OPC servers from inside victim networks. It belongs to the OT / ICS / IoT category of cybersecurity.
What does Havex (Dragonfly RAT) mean?
An ICS-aware remote access trojan used by the Dragonfly / Energetic Bear / Berserk Bear group between 2013 and 2014 in espionage campaigns against Western energy and manufacturing sectors, notable for scanning OPC servers from inside victim networks.
How does Havex (Dragonfly RAT) work?
Havex arrives by spear-phishing, by a watering-hole exploit on an energy-sector website, or inside a trojanized installer downloaded from a compromised ICS vendor site; in the last case the installer sets up the legitimate software and silently drops the Havex DLL alongside it. The implant collects basic system information and beacons over HTTP POST to PHP pages on compromised legitimate websites, which return further plug-in modules. The OPC module first enumerates reachable Windows hosts through network browsing, then on each host queries the OPCEnum service over DCOM to list OPC Classic servers and, for each server, records its CLSID, program ID, vendor string, running state and tag names. Results are written to a local file and exfiltrated to the same C2 channel. The module reads metadata only; no write or control capability was observed, although ICS-CERT warned that the enumeration could crash some OPC servers.
How do you defend against Havex (Dragonfly RAT)?
Verify vendor installers before they reach engineering workstations by checking code-signing signatures and comparing SHA-256 hashes against values obtained out of band from the vendor, since the Havex installers came from the vendors' own download pages. Block direct internet access from OT hosts so a dropped implant cannot beacon to C2 websites. Restrict DCOM/RPC (TCP 135 plus the dynamic port range) to an allowlist of known OPC clients, or place OPC Classic servers behind a gateway, and alert on OPC enumeration from any other host. Treat IT-to-OT trust paths (shared credentials, dual-homed engineering workstations) as the route the campaign actually used.
What are other names for Havex (Dragonfly RAT)?
Common alternative names include: Dragonfly RAT, Energetic Bear RAT, and Oldrea (Symantec's Backdoor.Oldrea detection name).
● Related terms
- ot-iot№ 587
Industrial Control System (ICS)
An umbrella term for systems that automate and supervise industrial processes, including SCADA, DCS, PLCs, RTUs, and safety controllers.
- ot-iot№ 1083
SCADA
Supervisory Control and Data Acquisition systems that gather telemetry from remote field devices and let operators monitor and command large industrial processes.
- malware№ 1023
Remote Access Trojan (RAT)
Malware that gives an attacker covert, interactive control of an infected device, similar to a hidden remote-administration tool.
- attacks№ 1234
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- attacks№ 1352
Watering Hole Attack
A targeted attack that compromises a website frequently visited by a specific group of users in order to infect them when they browse it.
- ot-iot№ 854
Operational Technology (OT)
Hardware and software that monitor and control physical processes, devices, and infrastructure such as factories, power plants, and utilities.