Malware Analysis report - FrostyGoop

FrostyGoop, also known as BUSTLEBERM, is a newly identified malware targeting industrial control systems (ICS) and operational technology (OT) networks. Unlike conventional IT-focused threats, FrostyGoop abuses the Modbus TCP protocol itself to issue unauthorized register commands, enabling attackers to alter device configurations, disrupt processes, and even cause physical damage. Written in Go (Golang) and leveraging open-source libraries, the malware is deceptively simple but highly effective. It operates without persistence, using encrypted JSON task files and direct Modbus commands to remain stealthy. In 2024–2025, FrostyGoop was linked to a major incident in Ukraine that left over 600 residential buildings without heating, highlighting its real-world impact on critical infrastructure.


The Shieldworkz analysis emphasizes FrostyGoop’s high-risk profile for environments running legacy industrial protocols without authentication or encryption. Recommended defenses include strong IT/OT network segmentation, deep packet inspection (DPI) for Modbus traffic, hardened perimeter devices, and adoption of secure industrial protocols. FrostyGoop demonstrates the shift toward “exploit-less” OT attacks, where adversaries weaponize inherent weaknesses in ICS communication rather than relying on traditional exploits. For operators of critical infrastructure, this report reinforces the urgent need for robust OT cybersecurity measures to protect operational continuity and public safety.
