This repository contains original samples and decompiled sources of malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers. For more information scroll to "Learn More".

Each organization describing this malware in reports used a different name (TRISIS/TRITON/HatMan). For that reason, there is no one, common name for it.

Folder original_samples contains original files used by the malware that could be found in the wild:

All archives are secured with password: infected

Folder decompiled_code contains decompiled python files, originating from trilog.exe file and library.zip archive described above:

Folder yara_rules contains yara rules (that I am aware of) detecting this malware:

Some people in the community were raising the issue that publishing the samples and decompiled sources might be dangerous. I agreed until these were not public. I have found the included files in at least two publicly available sources, that means anyone can download it if know where to search. What is more, I believe that organizations/people who could be able to reuse it and have the capability to deploy it in a real attack have already accessed it long time ago. This repository makes it more accessible for community and academia who might work on improving defense solutions and saves some time on looking for decompilers.

• Report by Dragos:

  https://dragos.com/blog/trisis/TRISIS-01.pdf

• Report by Mandiant (FireEye):

  https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

• Report by ICS-CERT (NCCIC):

  https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf

• Webinar by Dragos:

  https://vimeo.com/248057640

• Analysis by Craftsman Safety Lab (Chinese)

  http://icsmaster.com/security/Triton_src_analysis.html

Currently looking for the missing inject.bin (0544d425c7555dc4e9d76b571f31f500) file