Vol. 1 · Ed. 2026
CyberGlossary
Entry № 483

FrostyGoop

What is FrostyGoop?

An ICS-specific malware discovered by Dragos in 2024 that abuses Modbus TCP to disrupt energy and heating control systems, attributed by Dragos to a Russia-linked actor and tied to a January 2024 attack on a Ukrainian municipal heating utility.


FrostyGoop is an ICS-specific malware first publicly reported by Dragos in July 2024 and described as the ninth known piece of malware purpose-built to interact with industrial control systems. It is a Go binary designed to send Modbus TCP commands directly to industrial devices — most notably the ENCO heating controllers used at a Ukrainian district-heating utility in Lviv. In a January 2024 incident, FrostyGoop was used to send malicious Modbus TCP `write_multiple_registers` commands that altered controller setpoints, cutting heat for approximately 600 apartment buildings during winter for nearly two days. The malware's design assumes the attacker has already gained access to the engineering network; defenses are therefore concentrated upstream — robust IT/OT segmentation, removal of MikroTik-style edge devices with default credentials (the entry vector in the Lviv case), monitoring for unusual Modbus TCP write commands, and protocol-aware detection from OT-specific NDRs (Dragos, Claroty, Nozomi).

Examples

  1. The January 2024 attack on Lviv's Lvivteploenergo heating utility used FrostyGoop to send heating-setpoint commands to ENCO controllers, interrupting service for ~600 apartment blocks.

  2. An OT NDR rule alerts on `write_multiple_registers` from a non-engineering host to ENCO controllers, a behavior consistent with FrostyGoop.
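The detection described in the definition above (monitoring for unusual Modbus TCP write commands) and in example 2 (alerting on `write_multiple_registers` from a non-engineering host) can be shown in a few dozen lines. The following is an added illustration written for this glossary entry; it is not code from Dragos, Claroty, Nozomi or any other vendor. It decodes the MBAP header and PDU of Modbus TCP requests, recognises the public write function codes, and raises an alert when a write to a controller comes from a host outside an engineering allow-list. The IP addresses, the allow-list and the two sample frames are constructed for the example and are assumptions, not values from the Lviv incident.

```python
"""Flag Modbus TCP register writes from hosts outside an engineering allow-list.

Added example for this glossary entry, not Dragos or vendor code. All hosts,
frames and the allow-list below are constructed sample data (assumptions).
"""
import struct
from dataclasses import dataclass

# Function codes from the public Modbus Application Protocol specification
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}  # all coil/register writes
FC_NAMES = {0x03: "read_holding_registers", 0x06: "write_single_register",
            0x10: "write_multiple_registers"}

# Hypothetical site policy (assumption): only these hosts may write to controllers
ENGINEERING_HOSTS = {"10.10.20.5"}
CONTROLLER_HOSTS = {"10.10.30.11", "10.10.30.12"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int
    values: tuple


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the PDU of one Modbus TCP request."""
    if len(payload) < 8:
        raise ValueError("payload shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:  # length covers unit id + PDU
        raise ValueError("MBAP length does not match payload")
    fc = payload[7]
    body = payload[8:]
    if fc == FC_WRITE_MULTIPLE_REGISTERS:
        start, qty, byte_count = struct.unpack(">HHB", body[:5])
        if byte_count != 2 * qty or len(body) != 5 + byte_count:
            raise ValueError("malformed write_multiple_registers request")
        values = struct.unpack(f">{qty}H", body[5:5 + byte_count])
        return ModbusRequest(tid, unit, fc, start, qty, values)
    if fc == FC_WRITE_SINGLE_REGISTER:
        addr, value = struct.unpack(">HH", body[:4])
        return ModbusRequest(tid, unit, fc, addr, 1, (value,))
    if fc == FC_READ_HOLDING_REGISTERS:
        start, qty = struct.unpack(">HH", body[:4])
        return ModbusRequest(tid, unit, fc, start, qty, ())
    return ModbusRequest(tid, unit, fc, 0, 0, ())  # other codes: not decoded


def alerts_for(flows):
    """flows: iterable of (src_ip, dst_ip, tcp_payload). Returns alert strings."""
    alerts = []
    for src, dst, payload in flows:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({exc})")
            continue
        if (req.function_code in WRITE_FUNCTIONS
                and dst in CONTROLLER_HOSTS and src not in ENGINEERING_HOSTS):
            name = FC_NAMES.get(req.function_code, f"fc_0x{req.function_code:02x}")
            alerts.append(f"{src}->{dst}: {name} to unit {req.unit_id} "
                          f"addr {req.start_address} x{req.quantity} "
                          f"from non-engineering host")
    return alerts


# Constructed sample frames (not captured traffic): MBAP header, then PDU
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 0002".replace(" ", ""))
WRITE_FRAME = bytes.fromhex(
    "0002 0000 000b 01 10 0010 0002 04 0064 0000".replace(" ", ""))

SAMPLE_FLOWS = [
    ("10.10.20.5", "10.10.30.11", READ_FRAME),    # engineering host reads: benign
    ("10.10.20.5", "10.10.30.11", WRITE_FRAME),   # engineering host writes: allowed
    ("10.10.40.77", "10.10.30.11", WRITE_FRAME),  # unknown host writes: alert
]

if __name__ == "__main__":
    for line in alerts_for(SAMPLE_FLOWS):
        print(line)
```

Run stand-alone it prints one alert, for the third flow. A production rule in an OT NDR would add the destination's device identity, baseline the normal write cadence per host and also flag the first-seen (source, destination, function code) triple, since a compromised engineering workstation would pass a plain allow-list check.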

Frequently asked questions

What is FrostyGoop?

An ICS-specific malware discovered by Dragos in 2024 that abuses Modbus TCP to disrupt energy and heating control systems, attributed by Dragos to a Russia-linked actor and tied to a January 2024 attack on a Ukrainian municipal heating utility. It belongs to the OT / ICS / IoT category of cybersecurity.

What does FrostyGoop mean?

An ICS-specific malware discovered by Dragos in 2024 that abuses Modbus TCP to disrupt energy and heating control systems, attributed by Dragos to a Russia-linked actor and tied to a January 2024 attack on a Ukrainian municipal heating utility.

How does FrostyGoop work?

FrostyGoop is a Go binary that sends Modbus TCP commands directly to industrial devices. In the January 2024 Lviv incident it issued `write_multiple_registers` commands to ENCO heating controllers, altering their setpoints and cutting heat to roughly 600 apartment buildings for nearly two days. It assumes the attacker already has access to the engineering network, so defenses focus on segmentation, removing exposed edge devices with default credentials, and monitoring Modbus TCP writes; see the full definition above.

How do you defend against FrostyGoop?

Defending against FrostyGoop typically combines technical controls with operational practices; see the full definition above.

What other names does FrostyGoop go by?

Common aliases include: FROSTYGOOP, Modbus TCP malware (Lviv).

Related terms