Nozomi/citadel

| Actor hypothesis | Evidence |
|------------------|----------|
| | Overlap with Industroyer mutexes; targeting of Ukrainian substations. |
| China (APT41) | Use of same RedProtocol trojan infrastructure from 2021 energy campaigns. |
| State-aligned private group | Commercial offensive security toolkits observed in early-stage loaders. |

Command-and-control (C2) domains resolved to bulletproof hosting providers in Eastern Europe and used TLS certificates issued to fictitious entities. DNS beacon intervals ranged from 60 seconds (active monitoring) to 24 hours (dormant). A subset of Citadel samples shared code with Industroyer (2016 Ukraine power outage) and VPNFilter (2018 router botnet).
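A defender-side check suggested by the beacon-interval observation above, added here as an example and not part of the Nozomi report or of any Citadel tooling: it groups DNS queries by client and queried name and flags pairs whose inter-query gaps are nearly constant, whatever the period, so a 60-second active beacon and a 24-hour dormant one are both surfaced. The log records, hostnames and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS log: (epoch_seconds, client_ip, queried_name).
# 10.0.0.5 beacons every ~60 s with jitter, 10.0.0.9 beacons once per 24 h,
# 10.0.0.7 queries a CDN at irregular, human-driven intervals.
SAMPLE_DNS_LOG = [
    (1000, "10.0.0.5", "upd.example-c2.test"),
    (1061, "10.0.0.5", "upd.example-c2.test"),
    (1119, "10.0.0.5", "upd.example-c2.test"),
    (1180, "10.0.0.5", "upd.example-c2.test"),
    (1240, "10.0.0.5", "upd.example-c2.test"),
    (1000, "10.0.0.9", "dormant.example-c2.test"),
    (87400, "10.0.0.9", "dormant.example-c2.test"),
    (173800, "10.0.0.9", "dormant.example-c2.test"),
    (260200, "10.0.0.9", "dormant.example-c2.test"),
    (1005, "10.0.0.7", "cdn.example.test"),
    (1012, "10.0.0.7", "cdn.example.test"),
    (1200, "10.0.0.7", "cdn.example.test"),
    (1900, "10.0.0.7", "cdn.example.test"),
]


def beacon_candidates(records, min_queries=4, max_cv=0.2):
    """Return {(client, qname): mean_gap_seconds} for pairs whose inter-query
    gaps are nearly constant (coefficient of variation <= max_cv).

    Thresholds are illustrative; tune min_queries upward and max_cv downward
    on a real resolver log to control false positives from polling software."""
    by_pair = defaultdict(list)
    for ts, client, qname in records:
        by_pair[(client, qname)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue  # too few observations to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        if pstdev(gaps) / avg <= max_cv:
            hits[pair] = round(avg, 1)
    return hits


if __name__ == "__main__":
    for (client, qname), period in beacon_candidates(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {qname}: periodic, ~{period}s between queries")
```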