Industrial Control Systems (ICSs) are increasingly targeted by sophisticated OT malware, yet the dynamic analysis tools used to study such threats rely on virtualized environments whose realism re- mains largely unverified. Advanced IT malware routinely detects sand- box artifacts to evade analysis, but whether analogous evasion strategies are feasible in OT settings, where industrial traffic and physical-process dynamics offer distinctive fingerprints, has never been studied. In this paper, we first survey 12 real-world OT malware samples and confirm that no existing OT malware employs anti-analysis checks, despite the clear opportunity to exploit OT-specific signals as sandbox fingerprints. Building on this finding, we introduce ShadowICS, a passive anti analysis framework trained on a novel taxonomy of OT-specific features spanning temporal, physical-process, and network dimensions. Based on lightweight machine learning models deployable by any OT malware with access to the OT network, ShadowICS achieves up to 97.9% accuracy in distinguishing real OT deployments from simulations across multiple attacker access levels. Finally, we translate our findings into concrete mitigation strategies for sandbox designers, identifying temporal realism as the primary target for improvement.

ShadowICS: Anti-Analysis OT Malware via Passive Industrial Traffic Monitoring

Donadel, Denis
;
Antonioli, Daniele;Merro, Massimo
2026-01-01

Abstract

Industrial Control Systems (ICSs) are increasingly targeted by sophisticated OT malware, yet the dynamic analysis tools used to study such threats rely on virtualized environments whose realism re- mains largely unverified. Advanced IT malware routinely detects sand- box artifacts to evade analysis, but whether analogous evasion strategies are feasible in OT settings, where industrial traffic and physical-process dynamics offer distinctive fingerprints, has never been studied. In this paper, we first survey 12 real-world OT malware samples and confirm that no existing OT malware employs anti-analysis checks, despite the clear opportunity to exploit OT-specific signals as sandbox fingerprints. Building on this finding, we introduce ShadowICS, a passive anti analysis framework trained on a novel taxonomy of OT-specific features spanning temporal, physical-process, and network dimensions. Based on lightweight machine learning models deployable by any OT malware with access to the OT network, ShadowICS achieves up to 97.9% accuracy in distinguishing real OT deployments from simulations across multiple attacker access levels. Finally, we translate our findings into concrete mitigation strategies for sandbox designers, identifying temporal realism as the primary target for improvement.
2026
Industrial Control System
Sandbox
Malware
Evasive
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11562/1198047
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus ND
  • ???jsp.display-item.citation.isi??? ND
social impact