Covellite
2018-05-31 • Dragos
COVELLITE targets civilian electric energy networks worldwide to collect intelligence on intellectual property and internal industrial operations, with reported activity in Europe, East Asia, and North America, including a small 2017 phishing campaign against selected U.S. electric companies. The phishing emails masqueraded as resumes or invitations and delivered malicious Word documents that installed a RAT for reconnaissance and persistent covert access. Dragos says COVELLITE infrastructure and malware resemble Lazarus Group/HIDDEN COBRA tooling and that technical analysis indicates evolution from known Lazarus toolkits, but it does not establish the operational relationship beyond that overlap. The group had no ICS-specific capability at the time of reporting, but its focus on infrastructure operations and its improving capabilities made it a priority threat to the ICS industry.