The TRITON malware was discovered in December 2017, deployed on a Schneider Electric Triconex Safety Instrumented System (SIS) engineering workstation running the Microsoft Windows operating system. An SIS is a system that provides emergency shutdown capabilities for industrial processes.

Triton is the fifth ever piece of malware specifically tailored to Industrial Control Systems (ICS), and the first to directly target an SIS. It was designed specifically to target critical infrastructure, to disrupt, degrade, or destroy physical systems. By modifying the SIS, Triton malware has the ability to prevent safety controls and shutdown mechanisms from functioning correctly, increasing the likelihood of a failure that would result in physical consequences.

Capabilities

• read and write programs, read and write individual functions, and query the state of the SIS controller

• communicate with Triconex SIS controllers (e.g. send specific commands such as halt, or read their memory content) and remotely reprogram them with attacker-defined payloads

• remove itself from the compromised system

Included Components

• trilog.exe - reads exposed controller data, creates payload files and appends them to controller memory and execution table

– imain.bin - (payload file)
– inject.bin - (payload file)

• - contains standard Python libraries, dependencies for Py2EXE (.pyc) binaries:

• TS_cnames.pyc

• TsBase.pyc - translates higher level commands from TsHi to TriStation protocol function code.

• TsHi.pyc - higher level functionality for recon and attack, handles signing for lower level network related functions

• TsLow.pyc - device discovery, uses the TriStation UDP protocol for communication between TS-Base and the target device.

• sh.pyc
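The component list above shows that Triton drives the SIS controller over the TriStation UDP protocol from an engineering workstation. One defensive use of that fact is a baseline check on network flow records: any TriStation conversation with a controller that does not come from an approved engineering workstation is worth an alert. The snippet below is an added example, not code from the page or from any vendor; the flow records, addresses and subnet are constructed, and the TriStation service port (1502/udp) is an assumption taken from the protocol's documented default.

```python
"""Flag TriStation (UDP/1502) conversations with SIS controllers that do not
originate from an approved engineering workstation (EWS).

All sample data below is constructed for illustration; the port number is an
assumption (TriStation's documented default), not something this page states.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRISTATION_UDP_PORT = 1502  # assumed TriStation service port


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "udp" or "tcp"
    dport: int    # destination port
    pkts: int     # packet count, kept for context in alerts


# Constructed sample flows: one approved EWS session, one TriStation session
# from a host that is not an EWS, one Modbus flow, one TriStation flow to a
# host outside the SIS subnet.
SAMPLE_FLOWS = [
    Flow("10.0.10.5", "10.0.20.11", "udp", 1502, 340),
    Flow("10.0.10.77", "10.0.20.11", "udp", 1502, 58),
    Flow("10.0.10.77", "10.0.20.11", "tcp", 502, 12),
    Flow("10.0.10.5", "10.0.30.9", "udp", 1502, 5),
]


def tristation_flows(flows):
    """Return only the flows that carry TriStation traffic."""
    return [f for f in flows if f.proto == "udp" and f.dport == TRISTATION_UDP_PORT]


def find_unexpected_tristation(flows, approved_ews, sis_subnet):
    """Return (src, dst) pairs for TriStation traffic reaching the SIS subnet
    from any host that is not an approved engineering workstation."""
    net = ip_network(sis_subnet)
    approved = {ip_address(a) for a in approved_ews}
    alerts = []
    for f in tristation_flows(flows):
        if ip_address(f.dst) in net and ip_address(f.src) not in approved:
            alerts.append((f.src, f.dst))
    return alerts


if __name__ == "__main__":
    for src, dst in find_unexpected_tristation(SAMPLE_FLOWS, ["10.0.10.5"], "10.0.20.0/24"):
        print(f"ALERT: unexpected TriStation traffic {src} -> {dst}")
```

Because Triton ran on the legitimate engineering workstation itself, a source allow-list only catches TriStation use from other hosts; it should be paired with host-side checks for the component files listed above and with change monitoring on the controllers.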
