
| Actor hypothesis | Evidence |
|------------------|----------|
| | Overlap with Industroyer mutexes; targeting of Ukrainian substations. |
| China (APT41) | Use of the same RedProtocol trojan infrastructure seen in 2021 energy campaigns. |
| State-aligned private group | Commercial offensive security toolkits observed in early-stage loaders. |

# Nozomi/Citadel: Anatomy of a Multi-Stage Cyber-Espionage Campaign Against Critical Infrastructure

## Abstract

The Nozomi/Citadel operation (named for its overlapping malware components and target indicators) represents a paradigm shift in state-sponsored cyber aggression. First identified by the industrial cybersecurity firm Nozomi Networks in 2022, the campaign used a custom modular backdoor (Citadel) to penetrate European energy-sector entities. This paper synthesizes open-source technical analyses, MITRE ATT&CK mappings, and geopolitical context to examine the operation's kill chain, persistence mechanisms, and evasion tradecraft. We argue that Nozomi/Citadel exemplifies the convergence of espionage with pre-positioning for disruptive action, and that it exposes weaknesses in nominally air-gapped industrial environments.

## 1. Introduction

In March 2022, coinciding with the onset of the Russo-Ukrainian war, Nozomi Networks' Threat Intelligence Lab reported anomalous DNS tunneling activity targeting a European electricity grid operator. Subsequent analysis revealed a multi-phase intrusion built on a previously undocumented remote access trojan (RAT) dubbed Citadel. The operation combined spear-phishing, living-off-the-land techniques, and custom ICS-aware modules.
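The intrusion first surfaced as anomalous DNS tunneling, and the paper does not describe how that anomaly was spotted. The following is an added example, not code from the paper, from Nozomi Networks, or from any published Citadel analysis, of the kind of per-client, per-domain heuristic a SOC would run over resolver logs: it scores query volume, subdomain length, label entropy, the proportion of never-repeated subdomains, and the share of TXT/NULL queries. The log format (`timestamp client qname qtype`), the client addresses, the domain names, the payload-like subdomains and the thresholds are all constructed assumptions, and the registered-domain split is a two-label simplification rather than a public-suffix lookup.

```python
"""Heuristic DNS-tunneling detector over a constructed resolver log.

Added example, not code from the paper or from Nozomi Networks.  The log
format, the domain names and the thresholds below are assumptions made
for illustration only.
"""
import math
from collections import defaultdict

# Constructed sample log: six ordinary lookups from 10.20.1.15 and five TXT
# queries from 10.20.1.17 whose leftmost labels carry hex-encoded chunks,
# the classic tunnel shape.  Domain names are placeholders, not real
# infrastructure.  Line format (assumed): "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2022-03-01T10:00:01Z 10.20.1.15 www.example.org A
2022-03-01T10:00:02Z 10.20.1.15 mail.example.org A
2022-03-01T10:00:03Z 10.20.1.15 www.example.org A
2022-03-01T10:00:04Z 10.20.1.15 ntp.example.org A
2022-03-01T10:00:05Z 10.20.1.15 www.example.org A
2022-03-01T10:00:06Z 10.20.1.15 cdn.example.org AAAA
2022-03-01T10:00:07Z 10.20.1.17 2f3e4d5c6b7a8990a1b2c3d4e5f60718.tunnel-sample.test TXT
2022-03-01T10:00:08Z 10.20.1.17 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.tunnel-sample.test TXT
2022-03-01T10:00:09Z 10.20.1.17 0a1b2c3d4e5f60718293a4b5c6d7e8f9.tunnel-sample.test TXT
2022-03-01T10:00:10Z 10.20.1.17 deadbeefcafef00d1234567890abcdef.tunnel-sample.test TXT
2022-03-01T10:00:11Z 10.20.1.17 f1e2d3c4b5a69788796a5b4c3d2e1f00.tunnel-sample.test TXT
"""


def shannon_entropy(s):
    """Bits per character of the string; encoded payload sits near the
    alphabet maximum (4.0 for hex), human-chosen labels well below it."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain_part, registered_domain).

    Assumption: the registered domain is the last two labels.  Production
    code should use a public suffix list so that names under e.g. co.uk
    are bucketed correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, qname, qtype) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash
        _ts, client, qname, qtype = parts
        yield client, qname, qtype


def profile(text):
    """Aggregate per (client, registered domain): query count, share of
    distinct subdomains, mean subdomain length and entropy, TXT/NULL share."""
    raw = defaultdict(lambda: {"count": 0, "subs": set(), "len_sum": 0,
                               "ent_sum": 0.0, "txt": 0})
    for client, qname, qtype in parse_log(text):
        sub, reg = split_qname(qname)
        b = raw[(client, reg)]
        b["count"] += 1
        b["subs"].add(sub)
        b["len_sum"] += len(sub)
        b["ent_sum"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL"):
            b["txt"] += 1
    stats = {}
    for key, b in raw.items():
        n = b["count"]
        stats[key] = {
            "count": n,
            "unique_ratio": len(b["subs"]) / n,
            "mean_sub_len": b["len_sum"] / n,
            "mean_entropy": b["ent_sum"] / n,
            "txt_share": b["txt"] / n,
        }
    return stats


def detect(text, min_queries=4, min_sub_len=20, min_entropy=3.0,
           min_unique_ratio=0.8):
    """Return sorted (client, registered_domain) pairs whose aggregate
    profile looks like a tunnel.  All four thresholds are assumed starting
    points and must be tuned against the local baseline."""
    flagged = []
    for (client, reg), s in sorted(profile(text).items()):
        if (s["count"] >= min_queries
                and s["mean_sub_len"] >= min_sub_len
                and s["mean_entropy"] >= min_entropy
                and s["unique_ratio"] >= min_unique_ratio):
            flagged.append((client, reg))
    return flagged


if __name__ == "__main__":
    for client, reg in detect(SAMPLE_LOG):
        s = profile(SAMPLE_LOG)[(client, reg)]
        print(f"possible DNS tunnel: {client} -> {reg} "
              f"(n={s['count']}, entropy={s['mean_entropy']:.2f}, "
              f"txt_share={s['txt_share']:.2f})")
```

Two caveats when running something like this on real resolver logs. First, several legitimate services encode hashes or serials in DNS labels (some anti-malware reputation lookups, DNS-based blocklists, CDN and telemetry endpoints), so the flagged domain should be checked against an allowlist before anyone pages on it. Second, the heuristic keys on the registered domain, so an attacker who spreads traffic across many domains or keeps the rate under `min_queries` per aggregation window will slip under it; combine it with volume-over-time and response-size features rather than relying on it alone.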