Two New Entries in a Short and Serious List
The catalogue of malware purpose-built to attack industrial control systems is short. For years it consisted of a handful of names, Stuxnet, Havex, Industroyer, TRITON, and a few others, each a significant event in the history of OT security. In 2024, two more were added to that list, and both are instructive because of how they achieved their effects.
FrostyGoop and Fuxnet were disclosed within months of each other, and each was used to disrupt real infrastructure. Neither relied on an exotic, device-specific implant of the kind that made earlier ICS malware so difficult to build. Instead, both weaponized the ordinary industrial protocols that operational technology depends on to function. That shift, from bespoke exploitation toward the abuse of legitimate protocol functionality, is the reason these two are worth studying closely.
FrostyGoop: Weaponizing Modbus
FrostyGoop, also referred to as BUSTLEBERM, was disclosed by Dragos in July 2024 and is recognized as the ninth known ICS-specific malware. It came to attention through a disruptive attack, but its technical approach is what makes it significant.
The malware is written in Golang and interacts directly with industrial devices using Modbus TCP over port 502, one of the most common and long-established protocols in all of operational technology. Rather than exploiting a vulnerability in a specific device, FrostyGoop uses the legitimate functionality of Modbus to read from and write to target devices. In the incident that brought it to light, the malware was associated with a configuration referencing ENCO control devices, and Dragos assessed that its functionality is not limited to those devices but could affect other equipment communicating over Modbus TCP.
The real-world impact was tangible and human. In late January 2024, adversaries used this capability against a municipal district heating company in Lviv, Ukraine. By sending Modbus commands to controllers and downgrading their firmware, they caused inaccurate readings and a loss of heating to more than 600 apartment buildings, and remediation took nearly two days, during which residents endured sub-zero temperatures. It was a clear demonstration that a protocol-level attack on unremarkable equipment can produce serious physical consequences.
Defensive implication: Because FrostyGoop abuses legitimate Modbus functionality rather than a patchable vulnerability, signature-based detection has limited value. The activity looks like valid Modbus traffic. Detection depends on understanding what normal Modbus communication looks like in the environment, so that unexpected commands, unusual sources, or firmware operations can be recognized as anomalous.
Fuxnet: Targeting Sensors and Gateways
Fuxnet, analyzed by Claroty's Team82 in 2024, took a different but related approach. It was reportedly used by a group known as Blackjack, assessed to be affiliated with Ukrainian interests, in an attack against Moscollector, a Moscow company responsible for underground infrastructure including water, sewage, and communications systems.
The malware's purpose was to corrupt and disable the sensor gateways that collect data from physical sensors across that infrastructure, and to attempt to damage the sensors themselves. To do this, Fuxnet targeted the M-Bus protocol, a communication standard used by sensors and meters. It generated M-Bus frames designed to be treated as valid by target sensors, using the legitimate structure of the protocol to deliver its effect. In practice, the attackers bricked the sensor gateways, cutting off the monitoring capability that the infrastructure depended on.
The incident also offered a useful lesson in assessing claims. The group claimed to have destroyed tens of thousands of sensors, but independent analysis of the leaked data indicated the real impact was on the order of several hundred sensor gateways, with the physical sensors themselves likely largely intact. The disruption was real and serious, but the headline claim was considerably larger than the technical reality.
Defensive implication: Fuxnet reinforces that the communication layer between sensors, gateways, and monitoring systems is itself a target. Protecting and monitoring these often-overlooked links, and segmenting the gateways that aggregate sensor data, reduces the exposure this kind of attack relies on.
What These Two Have in Common
Considered together, FrostyGoop and Fuxnet point to several trends that matter for OT defenders.
They abuse legitimate protocols. Both used the normal functionality of industrial protocols, Modbus TCP and M-Bus, rather than device-specific exploits. This lowers the effort required to build such malware and makes it broadly applicable across many devices that speak the same protocol.
They target unglamorous, widespread equipment. Heating controllers and sensor gateways are not exotic. They are the ordinary, numerous devices that keep infrastructure running, and their compromise produces real disruption.
They cause physical, infrastructure-level effects. Both incidents affected services that people depend on, heating and infrastructure monitoring, demonstrating that the goal was operational disruption, not data theft.
They do not depend on the malware residing on the target device. By communicating over the network using standard protocols, this class of malware can affect devices without needing to compromise them individually first.
Trend implication: The barrier to disruptive OT attacks is lowering, because abusing widespread protocols is more scalable than building device-specific exploits. Defenses that assume attackers need rare, specialized capabilities are increasingly optimistic.
Detecting and Defending Against Protocol-Native Malware
The good news is that the defenses effective against this class of threat are well understood and align with sound OT security practice generally.
Establish protocol-aware visibility. Passive monitoring that understands industrial protocols such as Modbus is essential, because it provides the record of normal communication against which malicious commands stand out. Both FrostyGoop and Fuxnet generate protocol traffic that looks legitimate in isolation but is anomalous against a known baseline.
Baseline normal communication. Knowing which devices should issue which commands, to which targets, at what frequency, is what turns a valid-looking but unexpected Modbus write or firmware operation into a detectable event.
Segment rigorously. Limiting which systems can send commands to controllers and gateways reduces the paths available for this kind of attack. A device that cannot be reached over Modbus from an unauthorized source cannot be commanded by malware operating from there.
Protect firmware integrity. FrostyGoop's use of firmware downgrade highlights the value of controlling and monitoring firmware operations, so that unauthorized changes are detected.
Monitor the sensor and gateway layer. Fuxnet's focus on gateways is a reminder to extend visibility and protection to the data-collection infrastructure, not only the primary control devices.
Common Findings
From assessment work relevant to this class of threat, the recurring gaps include:
- No Modbus or industrial-protocol monitoring, leaving protocol abuse invisible.
- Flat networks that allow commands to reach controllers and gateways from many sources.
- No communication baseline, so a valid-looking but unauthorized command cannot be distinguished from normal activity.
- Unmonitored firmware operations, allowing changes such as downgrades to pass unnoticed.
- Overlooked sensor and gateway infrastructure, protected less rigorously than primary control systems.
The Bottom Line
FrostyGoop and Fuxnet are important not because they were technically dazzling, but because they were effective using ordinary means. By weaponizing the everyday protocols of operational technology, they disrupted real infrastructure and affected real people, and they did so in a way that is more repeatable and more broadly applicable than the bespoke ICS malware of the past.
For defenders, the response is clear and achievable: gain visibility into industrial protocol communication, understand what normal looks like, segment so that commands cannot flow freely, and protect the integrity of firmware and the sensor infrastructure. These are the fundamentals of OT security, and they are precisely what this new wave of protocol-native malware is least able to overcome.
Beacon Security helps critical infrastructure operators build the protocol-aware visibility, baselining, and segmentation needed to detect and defend against protocol-native ICS malware. Contact us to assess your resilience against threats like FrostyGoop and Fuxnet.

