There’s a certain energy you can only find at Recorded Future. Take that energy and bring it to London’s “Silicon Roundabout” and you get the perfect spot for Futurists to build and innovate.

Recorded Future's office @ The Bower on Old Street. Source: https://www.theboweroldst.com/

Across the globe, Recorded Future is 1000+ employees working towards the same mission: Securing Our World With Intelligence.

Our London office – one of our most storied hubs – hosts a range of departments supporting both local, regional, and global operations. The office brings together 100+ cross-functional professionals from People & Talent Acquisition, Finance, Sales, Marketing, Global Services, Research, and more!

Looking back: From the Attic to The Bower

Our story in London didn’t start in the high-rise, but in a converted attic with just a handful of people and a big mission.

This passion for building something great fueled incredible growth. Sam Pullen, Director of Intelligence Services, remembers when the entire EMEA team was just about 20 people. Since 2018, we’ve gone from service a few dozen customers in the region to ~700 now.

On the left: First Recorded Future office in London. On the right: Recorded Future's newest office

On the left: First Recorded Future office in London. On the right: Recorded Future's newest office

Inside the Office

This modern high-rise building’s open-plan layout offers quite a few collaboration spaces across our office, where the team likes to have small team meetings, breaks, or even lunch.

Like all Recorded Future offices, our meeting rooms follow a unique naming convention. While Boston uses countries, and Sweden volcanoes - London chose islands. Rumors say we picked islands following a 95-day rain streak – we can neither confirm nor deny. So, in our London office, you’ll find Futurists collaborating in rooms like Bora Bora, Crete, and even San Andres.

Our Culture

What truly defines our London office is the sense of camaraderie – whether that’s competing in a friendly team padel game, testing your dartboard skills, or truly memorable summer & end of year celebrations.

Whether over summer picnics and pedalos in Hyde Park years, playing 5-a-side football in the pouring rain, or at the most recent Christmas party at the Savoy - our Futurists celebrate wins together.

Friendly Team Padel Game at Canary Wharf

Onwards & Upwards: Why Recorded Future

We asked Sam and Joe what has been the highlight of their long tenure at Recorded Future: the opportunity to build. For Sam, it has been the opportunity to build great relationships with clients over nearly a decade. For Joe, it has been the opportunity to build new solutions and new ways to work towards our mission.

Ready for your next move? Join the team!

The 1940s: Theoretical Seeds and Massive Machines

Long before the first hack, pioneers were already contemplating the risks of digital intelligence. In 1945, the Electronic Numerical Integrator and Computer (ENIAC) - the first general-purpose electronic computer - showcased the power of computing, though it was a room-sized giant reserved for military use. While the idea of a "cybercriminal" was still science fiction, the theoretical groundwork for future threats was being laid.

Mathematician John von Neumann began developing his "Theory of Self-Reproducing Automata" during this era. He proposed that a machine-based organism could replicate itself across systems - the conceptual birth of the computer virus.

Key Characteristics of This Era:

• Physical Isolation: Security meant locking the door to a room-sized machine.
• Government Monopoly: Computers were exclusive to the military and the academic elite.
• Conceptual Threats: Risks were purely mathematical theories rather than practical realities.
• The Virus Blueprint: The foundational logic for self-replicating code was established.

By understanding these early foundations, we can appreciate how a field born in the realm of theory has become the frontline of global stability.

• The ENIAC: America's Pioneering Electronic Computer
• The Life, Work, and Legacy of John von Neumann

The 1950s: Mainframes, Physical Security, and Phone Phreaking

Governments, universities, and major businesses started using large, centralized machines known as mainframes. As these computers grew more powerful, the definition of "security" still remained grounded in the physical world. During this era, data protection simply meant controlling access to the room where the hardware sat. However, a new kind of technical subculture was beginning to emerge on the fringes of the telecommunications industry.

The 1950s saw the rise of phone phreaking, where enthusiasts exploited telephone signaling frequencies to make unauthorized long-distance calls. While not yet digital hacking, this movement introduced the concept of manipulating infrastructure for unintended purposes. This culture of curiosity and boundary-pushing would eventually produce industry titans; notably, both Steve Jobs and Steve Wozniak experimented with phreaking technology before the birth of Apple.

Key Characteristics of This Era:

• Physical Perimeter: Security was defined by locks and restricted personnel access.
• Phone Phreaking: The first widespread exploitation of a technological network.
• Nascent Authentication: Password-based systems began to appear in informal, non-standardized forms.
• Fragmented Protocols: Without a connected internet, every institution developed its own isolated security rules.

These early exploits proved that even the most robust physical defenses could be bypassed by those who understood the hidden language of the systems within.

• Phone Phreaking: Hacking Before The Internet
• Year 1971: Early Days Of Phone Phreaking With Steve Wozniak & Steve Jobs

The 1960s: The First Hackers and Growing Vulnerabilities

While known primarily for its social shifts, the 1960s also marked the birth of "hacking" as a technical practice. As computers became more prevalent in universities and large institutions, a new generation of users began exploring the limits of these systems. This era shifted the focus from purely physical security to the inherent vulnerabilities within the software itself.

In 1967, IBM invited students to test a new system, only to be surprised that their probing caused system crashes and revealed weaknesses. This informal "penetration test" proved that any system accessible to users was inherently open to exploitation. It was a wake-up call that sparked the transition of cybersecurity from a passive state to an active, intellectual discipline.

Key Characteristics of This Era:

• Intentional Probing: The birth of deliberate vulnerability testing and "white hat" exploration.
• Curiosity-Driven Hacking: Hacking emerged as a way to explore system boundaries, generally motivated by academic interest rather than malice.
• Access vs. Security: Institutions realized that providing user access created inevitable security risks.
• Beyond the Lock: The realization that cybersecurity required ongoing digital strategy, not just physical barriers.

This decade transformed the computer from a mysterious black box into a challenge to be solved, proving that human ingenuity would always be the greatest threat - and defense - to any system.

• The History of Hacking
• The Evolution of Ethical Hacking: From Curiosity to Cybersecurity

The 1970s: Networking and the First "Worm"

The 1970s transformed cybersecurity from a localized concern into a networked reality. The launch of ARPANET, the precursor to the modern internet, enabled researchers to share resources across distances but also opened a doorway for autonomous software to travel between systems.

In 1971, this potential was realized with Creeper, the world's first self-replicating network program. While harmless, its ability to move across the network and display messages was a revolutionary proof of concept. In response, programmer Ray Tomlinson created Reaper - the first antivirus program - specifically designed to hunt and delete Creeper. This decade also saw the rise of Kevin Mitnick, whose exploits in the 1980s showed that psychological manipulation, or social engineering, could bypass even the strongest technical barriers.

Key Characteristics of This Era:

• Network Connectivity: ARPANET's birth created the first interconnected digital landscape.
• The First Worm: Creeper demonstrated that programs could self-propagate autonomously.
• The First Antivirus: Reaper established the "detect and delete" model of digital defense.
• Social Engineering: Early hacks highlighted that human error is often the weakest link in the security chain.

This era proved that once computers started talking to each other, the "locked door" was no longer enough to keep an intruder out.

• The Creeper Virus
• Creeper and Reaper: The First Virus and Anti-Virus

The 1980s: Personal Computers and the Birth of an Industry

The 1980s shifted computing from sterile labs to homes and offices. This explosion of connectivity via modems and floppy disks turned theoretical threats into a global reality, giving rise to the first commercial antivirus software and formal incident response teams like CERT.

Key Characteristics of This Era:

• Wild Malware: Viruses like Elk Cloner and the Brain Virus moved beyond labs to infect personal computers worldwide.
• The Morris Worm (1988): The first major network-wide disruption, leading to the first conviction under the Computer Fraud and Abuse Act (Robert Tappan Morris).
• Cyber Espionage: Marcus Hess's breach of military systems for Soviet intelligence proved that digital networks had massive geopolitical stakes.
• Ransomware Roots: The AIDS Trojan introduced the world to the concept of holding digital files hostage for payment.

The 1980s proved that as computers became personal, the threats against them became universal.

• What is Malware?
• Computer Viruses of the 80s

The 1990s: The Public Internet and Exploding Threats

As the World Wide Web went mainstream, the attack surface grew exponentially. This was the era of the "Macro Virus," where malicious code hid in everyday documents, and the dominance of Windows made it a universal target for hackers.

Key Characteristics of This Era:

• Mass-Mailers: The Melissa virus demonstrated how email could be weaponized to clog global servers in hours.
• The Encryption Standard: Netscape's SSL (1995) laid the foundation for secure online commerce and HTTPS.
• Network Fortification: Firewalls became standard equipment as businesses scrambled to block external intrusions.
• Legal Frameworks: Organizations like the EFF began fighting for digital privacy and standardized cybercrime laws.

This decade transformed cybersecurity services from a technical niche into a vital pillar of global commerce and law.

• The Melissa Virus: FAQs
• The History and Impact of Netscape's SSL

The 2000s: Professionalized Crime and Mature Defenses

The 2000s saw cybercrime scale into a high-profit industry. High-speed broadband and the rise of e-commerce meant that a single breach could compromise tens of millions of records, forcing the industry to develop more sophisticated authentication and monitoring tools.

Key Characteristics of This Era:

• Massive DDoS Attacks: "Mafiaboy" proved that even giants like Amazon and eBay could be paralyzed by flooded traffic.
• Social Engineering at Scale: The ILOVEYOU virus infected millions by exploiting human curiosity and trust.
• Data Breach Epidemics: The TJX breach accelerated the adoption of strict data security standards like PCI DSS.
• Encrypted Ransomware: In 2006, ransomware began using RSA encryption, making it nearly impossible to recover files without a key.

As attacks became more lucrative, the defensive industry responded with the first generation of modern security standards and behavioral analysis.

• 25 Years Ago: The ILOVEYOU Worm
• How a Computer Science Student Created One of the First Email Viruses That Spread by Preying on Human Nature

The 2010s: Nation-States and Digital Weapons

The 2010s shifted the focus from criminal profit to national security. Cybersecurity became a theater of war, with governments deploying digital weapons to destroy physical infrastructure and influence global politics.

Key Characteristics of This Era:

• The Stuxnet Worm: The first acknowledged cyberweapon designed to cause physical destruction to industrial equipment.
• The Snowden Leaks: Exposed the massive scale of global surveillance, sparking a decade-long debate on privacy.
• Automation and AI: Machine learning began appearing on both sides - defenders used it for detection, while attackers used it to find flaws.
• Global Ransomware: WannaCry and NotPetya showed how automated exploits could cripple hospitals and shipping lines across 150 countries.

By the end of the decade, it was clear that a line of code could be just as impactful as a physical weapon.

• Top 12 Worst Computer Viruses in History (& What They Taught Us About Cybersecurity)
• Wannacry: How the Widespread Ransomware Changed Cybersecurity

The 2020s: AI Threats and Modern Threat Intelligence

Today, the line between the physical and digital worlds has vanished. With remote work and cloud-native businesses, security is now a proactive game of "Threat Intelligence", which involves predicting and neutralizing an adversary's move before they even make it.

Key Characteristics of This Era:

• Targeting Infrastructure: Attacks on power grids and water systems have raised the stakes from financial loss to public safety.
• AI-Powered Attacks: Adversaries use AI to create deepfakes and hyper-personalized phishing at speeds humans can't match.
• Predictive Defense: Modern strategy relies on Threat Intelligence, using AI to analyze patterns and stop attacks in their tracks.
• Cloud & Remote Security: The shift away from traditional offices has forced a move toward "Zero Trust" security models.

The ongoing battle between human ingenuity and artificial intelligence now defines the frontlines of our digital existence.

• What is a "Zero Trust" Security Model?
• AI and the Future of Cybersecurity
• The Impact of AI on Cyber Threat From Now to 2027
• What Is the Future of Cybersecurity?

What Is Payment Fraud?

Payment fraud refers to the theft of money from businesses or individuals through unauthorized transactions or deceptive purchases. Fraudsters may act using their own accounts or by gaining unauthorized access to someone else's account.

While payment fraud can happen in person, online transactions are especially vulnerable. According to Juniper Research, global business losses from online payment fraud are projected to surpass $362 billion between 2023 and 2028. A business's fraud risk depends largely on its industry, the sensitivity of the data it handles, and the payment methods it accepts. The more ways customers can interact with accounts and complete purchases, the more entry points exist for bad actors to exploit.

Different Types of Payment Fraud

Fraudsters use many tactics, and below we list 14 of the most common. Given the large number of threats, businesses must prepare their teams to recognize a variety of warning signs. Strong internal communication policies, clear escalation procedures, and knowledge of the landscape are foundational to any fraud prevention strategy.

1. Phishing

Phishing is a social engineering tactic in which criminals attempt to trick people into revealing sensitive information such as account credentials or payment details. These attacks often come in the form of malicious links sent via email or text, but they can also occur over the phone. Attackers may pose as trusted figures - a friend, a bank representative, or a government official - to manipulate victims.

Prevention tips:

• Let customers know exactly how your business will contact them, including phone numbers and email addresses.
• Be transparent about what information your staff will and will not ask for.
• Alert customers to any known phishing attempts targeting your brand.
• Train employees on information security protocols and how to identify suspicious communications.

2. Credit and Debit Card Fraud

This type of fraud involves obtaining card information - either physically or digitally - and using it to make unauthorized purchases. Cards may be stolen directly, or details may be harvested through card skimming devices installed on ATMs or point-of-sale terminals. Attackers also acquire card data through phishing schemes or by purchasing stolen credentials on the dark web.

Prevention tips:

• Restrict POS system access to authorized personnel and regularly inspect payment hardware for tampering.
• Build secure, encrypted payment pages that comply with data protection standards.
• Offer customers multiple notification options for purchases and account activity.
• Warn customers never to share account or confirmation numbers with unverified sources.

3. Wire Transfer Fraud

In wire transfer fraud, criminals convince victims to send money directly to them. Because wire transfers are difficult to reverse, they are a preferred method among scammers. Attackers commonly impersonate someone the victim trusts - a family member, a company executive, or a business vendor. The use of a convincing back-story is often referred to as "social engineering." For example, an attacker may text employees pretending to be their CEO, claiming an emergency and requesting an urgent fund transfer.

Prevention tips:

• Train employees to spot the signs of social engineering and impersonation.
• Establish official communication channels and avoid conducting financial business over easily spoofed channels like text messages.
• Report and share all phishing attempts with the entire team.

4. Check Fraud

Check fraud involves using counterfeit or altered checks to make payments or writing checks from accounts that lack sufficient funds. Fake checks may be digitally printed or modified versions of real checks. In some cases, the check is genuine but drawn from a closed account.

Prevention tips:

• Implement software that verifies the authenticity of checks.
• Train staff to recognize the visual and physical signs of fraudulent checks.

5. Chargeback and Refund Fraud

Also known as "friendly fraud," chargeback fraud occurs when a customer makes a legitimate purchase and then falsely claims a refund - either directly from the business or through their credit card company. This type of fraud is particularly tricky because it can be hard to distinguish from genuine disputes, especially when delivery or service quality is involved.

Prevention tips:

• Validate customer information, including billing addresses and card security codes.
• Use payment platforms that include fraud protection and dispute automation tools.
• Respond to refund and chargeback requests quickly.
• Minimize legitimate chargebacks by fulfilling orders accurately and on time.

6. Identity Theft

Identity theft happens when a criminal obtains someone's personal information and uses it for financial gain or to make purchases in someone else's name. For businesses, a common result is having to deal with chargebacks after customers discover fraudulent charges on their accounts. Although the primary victim is the customer, businesses have a responsibility to prevent data breaches that expose customer information in the first place.

Prevention tips:

• Train employees to recognize phishing and follow secure information handling practices.
• Ensure your payment systems comply with PCI DSS (Payment Card Industry Data Security Standard) requirements.

7. Account Takeover Fraud

Account takeover (ATO) fraud typically follows identity theft. Once attackers obtain a user's credentials, they change the password and contact information to lock the real owner out. From there, they may use the account for fraudulent purchases or sell it to other bad actors.

Prevention tips:

• Enforce strong password requirements for all accounts.
• Require two-factor authentication (2FA) and send confirmation alerts for any significant account changes.
• Notify customers of purchases and account modifications in real time.

8. New Account Fraud

New account fraud (NAF) occurs when someone uses stolen or fabricated identities to open new lines of credit or accounts. These fraudulent accounts can then be used to make purchases or commit further fraud down the line.

Prevention tips:

• Require multi-factor authentication (MFA) - not just email verification - during account creation.
• Verify address details and card security information during transactions.
• Use fraud protection tools that leverage machine learning to detect unusual account creation patterns.

9. Gift Card Fraud

Gift card fraud is a social engineering scam where criminals pressure victims into purchasing gift cards and handing over the card numbers. Once the numbers are given, the funds are essentially unrecoverable, making this a popular method among scammers.

Prevention tips:

• Display warnings about gift card scams during the checkout process.
• Remind customers never to share gift card numbers with people they don't personally know.
• Educate in-store staff to recognize signs of gift card fraud and when to escalate the situation.

10. Merchant Identity Theft

In merchant identity theft, attackers impersonate legitimate businesses or vendors to defraud customers or partner organizations. They may use phishing to extract employee credentials and gain access to business systems, or they may pose as a trusted vendor and redirect payments to themselves.

Prevention tips:

• Train staff to identify phishing attempts and follow secure communication practices.
• Establish verification procedures when communicating with vendors and business partners.
• Report phishing attempts to employees and partners promptly.

11. Pagejacking and Domain Spoofing

Pagejacking involves cloning an existing webpage and redirecting users to the fake version to steal login credentials or payment information. Domain spoofing follows a similar concept - attackers build an identical-looking site under a slightly different URL. Users are typically directed to these fraudulent pages through malicious emails or texts.

Prevention tips:

• Run plagiarism detection tools to identify duplicate versions of your pages online.
• Pay attention to unusual customer service complaints that might signal a spoofed site.
• Submit takedown requests to search engines if you discover a duplicate site, and notify affected customers.

12. Mobile Payment Fraud

As mobile payments become more prevalent, they've also become a target for fraud. Attackers can exploit mobile apps through malware installation, stolen app credentials, or interception of 2FA codes. For example, a scammer may call a customer pretending to represent a business and ask them to read back a verification code - which is actually a 2FA code the attacker has triggered on the victim's account.

Prevention tips:

• Authenticate customers over the phone carefully to reduce the risk of impersonation-based fraud.
• Monitor for unusual spending or refund activity in mobile transactions.
• Educate customers about the risks of clicking on unknown links, QR codes, or visiting unfamiliar websites.

13. Push Payment Fraud

Unlike unauthorized transaction fraud, push payment fraud involves tricking the victim into willingly sending money to a fraudster. This can take many forms, including phishing, blackmail, or deceptive scenarios like fake emergencies. The key distinction is that the victim actively initiates the transfer.

Prevention tips:

• Clearly communicate to customers what your staff can and cannot ask them to do or pay.
• Make it easy for customers to report anyone impersonating your business.
• Issue proactive alerts about ongoing scam attempts tied to your brand.

14. ACH Payment Fraud

ACH (Automated Clearing House) payment fraud involves criminals gaining unauthorized access to a victim's bank account details and using them to initiate fraudulent transfers. For businesses, this risk can come from both outside attackers and malicious insiders.

Prevention tips:

• Strictly limit and monitor employee access to business bank accounts.
• Educate all staff with account access about phishing tactics and establish firm security policies.

Which Businesses Have the Highest Fraud Risk?

Not all businesses face the same level of exposure. Fraud risk is generally highest in sectors that process online payments, handle sensitive personal data, or still accept paper checks.

E-Commerce Businesses

E-Commerce businesses are particularly vulnerable. Online retail involves accepting payments from a wide range of locations, often with multiple payment methods. Features like peer-to-peer payment integrations or international checkout add more potential points of failure. The more accounts and payment methods a customer has linked, the more attractive a target they become for data breaches.

Healthcare, Banking, and Data-Sensitive Industries

These sectors are at elevated risk because of the high value of the information they store. A breach in these sectors doesn't just expose financial data - it can compromise identity information used to commit fraud across many platforms simultaneously.

Businesses Still Accepting Checks

These kinds of businesses face unique challenges. As check usage declines, employees may become less experienced at identifying fakes, which makes training and verification systems all the more important. According to the Association for Financial Professionals, check fraud remains one of the most common forms of payment fraud.

How to Mitigate Risk

A variety of tools and strategies are available to help businesses identify and reduce fraud exposure. Conducting a security risk assessment is a strong starting point, helping teams understand which vulnerabilities are most critical and where to prioritize investment.

From there, organizations should focus on establishing a solid operational and security foundation before layering in more advanced fraud detection capabilities.

Foundational Controls

These measures create a baseline level of protection by securing systems, safeguarding data, and reducing avoidable losses:

• Strong network and password security: Establish internal policies governing account access, password requirements, and physical access to devices and systems.
• Network tokenization: Ensure payment systems encrypt and tokenize customer data to protect sensitive information.
• PCI standards compliance: Build payment workflows that meet Payment Card Industry (PCI) standards to safeguard cardholder data.
• 3D Secure (3DS) authentication: Use the latest 3DS protocols to validate transactions and verify user identity before completing purchases.
• Chargeback protection: Work with your payment processor to implement tools that help minimize financial losses from disputed transactions.

Once these core protections are in place, businesses can enhance their fraud prevention strategies with more dynamic, data-driven approaches.

Advanced Detection & Optimization

These techniques improve visibility, adaptability, and long-term resilience against evolving fraud tactics:

• Fraud KPI tracking: Monitor key metrics such as dispute rates, authorization rates, and approval/decline ratios to identify trends and respond proactively.
• Rules-based systems: Implement rule-based detection as a reliable operational backbone. While rules require ongoing maintenance, they are especially useful in early stages and can be refined over time.
• Machine learning algorithms: Leverage ML-powered systems to analyze large, complex datasets and uncover patterns that are difficult to detect manually. These models continuously improve as they adapt to new fraud behaviors.

Staying Ahead of Payment Fraud

Payment fraud is an ongoing challenge, but a proactive, layered approach can significantly reduce risk. By combining strong foundational controls with data-driven detection and continuous monitoring, businesses can stay ahead of evolving threats.

Ultimately, effective fraud prevention requires regular review, employee awareness, and a commitment to adapting as tactics change.

Additional Resources

• 2026 AFP Payments Fraud and Control Survey Report
• Learn How Federal Reserve Financial Services Can Help Against Check Fraud
• 47 Cybersecurity Statistics and Facts for 2026
• Beyond Phishing: Exploring the Rise of AI-enabled Cybercrime
• Preventing Fraud
• Top Ten Internal Controls to Prevent And Detect Fraud
• The Escalating Threat of Authorised Push Payment Fraud
• Payment Fraud and How To Fight Back
• A Short Guide for Spotting Phishing Attempts
• Eight Ways to Combat Fraud in The AI Age

Authority - Authority refers to how trustworthy a source is based on who created it. If information comes from a qualified expert or a well-known organization, it's more likely to be reliable than something posted by an unknown user.

Bystander - A bystander is someone who sees harmful behavior online, like cyberbullying, but chooses not to get involved or take action.

Cookies - Cookies are small files that websites store on your device to remember information about you, like login details or browsing habits. They make websites easier to use, but they also allow service providers to track your activity.

Cyberbullying - Cyberbullying is when someone uses digital platforms to repeatedly harass, threaten, or embarrass another person. Unlike trolling, it usually targets a specific individual.

Data Breach - A data breach happens when private or sensitive information is accessed or stolen without permission, often from companies or large platforms.

Digital Citizen - A digital citizen is anyone who uses technology to interact with others online. Being a good digital citizen means using the internet responsibly, respectfully, and safely.

Digital Footprint - A digital footprint is the trail of information you leave behind online through posts, searches, and interactions. The more you share, the greater your exposure to privacy issues or misuse of personal information. Also, once something is online, it can be very difficult to remove.

Digital Identity Theft - Digital identity theft occurs when someone steals your personal information, like passwords or account details, to pretend to be you or access your accounts.

Digital Divide - The digital divide refers to the gap between people who have access to modern technology and the internet and those who do not.

Encryption - Encryption is a method of protecting data by turning it into a coded format that only authorized users can read. It helps keep sensitive information secure.

Firewall - A firewall is a security system that monitors and controls incoming and outgoing network traffic, blocking anything that looks suspicious or harmful.

Imaginary Audience - The imaginary audience is the feeling that people are constantly watching and judging you. Social media can make this feeling stronger by showing likes, views, and comments.

Invisible Audience - The invisible audience refers to the unknown people who may see your online content, including strangers, future employers, or others outside your immediate circle. It pays to assess your security blind spots because you may not realize who is viewing your posts.

Malware - Malware is any type of harmful software designed to damage devices, steal information, or disrupt normal operations. It is often installed as part of a package or application that otherwise appears innocent.

Password Hygiene - Password hygiene refers to the practice of creating strong, unique passwords and keeping them secure instead of reusing the same one across multiple accounts.

Phishing - Phishing is a scam where attackers pretend to be a trusted source to trick you into giving away personal information, often through fake emails, texts, or websites.

Public Wi-Fi Risk - Public Wi-Fi risk refers to the potential dangers of using unsecured networks, where hackers may be able to intercept your data.

Reliability - Reliability refers to whether information is accurate and dependable. Just because something looks professional online doesn't mean it's true.

Social Comparison - Social comparison is the act of comparing your life to what you see online. Since people often share only their best moments, it can create unrealistic expectations.

Targeted Advertising - Targeted advertising uses your online behavior, location, and personal data to show ads that are specifically tailored to you.

Trolling - Trolling is when someone posts deliberately annoying or provocative content online to get attention or start arguments.

Two-Factor Authentication (2FA) - Two-factor authentication is a security feature that requires a second form of verification, like a code sent to your phone, in addition to your password.

Upstander - An upstander is someone who takes action when they see harmful behavior online, such as supporting the victim or reporting the issue.

VPN (Virtual Private Network) - A VPN is a tool that creates a secure, encrypted connection to the internet, helping protect your data and privacy, especially on public networks.

Additional Resources to Learn More

• What is a Digital Citizen?
• The Global Tech Divide: How the Digital Revolution is Leaving Some of Us in the Digital Dark Ages
• What is a Digital Footprint?
• What is Digital Identity Theft?
• Research About The "Imaginary Audience"
• What is Spam, Phishing, and Malware?
• Authority and Value of Information
• Dealing with Social Comparison in the Age of Social Media
• What is Targeted Advertising?
• What Makes a Troll? The Dangers of Online Narcissism

• Quantum computing is moving from theory toward early practical use, with direct implications for encryption, authentication, and long-term data confidentiality.
• The primary risk is the eventual emergence of cryptographically relevant quantum computers (CRQCs), which would break today’s public-key cryptography and undermine encryption, digital identity, and software trust at scale.
• Quantum risk is already present: “harvest now, decrypt later” activity exposes long-lived sensitive data today, regardless of when CRQCs ultimately arrive.
• Regulatory mandates and procurement standards are accelerating post-quantum cryptography (PQC) adoption, making quantum readiness a multi-year compliance and resilience priority.
• Organizations that delay preparation beyond 2026 are likely to face compressed migration timelines, higher transition costs, and increased operational disruption.

Quantum Computing Explained

Quantum computing applies principles of physics to solve certain complex problems far more efficiently than classical computers. Its security relevance lies primarily in cryptanalysis and optimization: A sufficiently powerful quantum computer will reduce the calculations required to protect today's public-key encryption from thousands of years to hours or less. Researchers have used the term “Q-Day” to refer to the hypothetical point at which quantum computers will be powerful enough to break encryption.

Quantum computing is now moving from theory toward early practical use, bringing “Q-Day” closer to reality. Industry estimates suggest quantum computing alone could generate up to $1.3 trillion in value by 2035. Major cloud providers, including IBM, Google, and Microsoft, are expanding their quantum services, while specialised firms such as Quantinuum and PsiQuantum continue to improve system stability and error correction. While these advances are not yet transformative, they are consistent with the early stages of commercial adoption.

Figure 1: Key risks of quantum computing (Source: Recorded Future)

Alongside its potential benefits across finance, pharmaceuticals, defense, and other sectors, quantum computing introduces four key security risks.

Risk 1: Breaking Public-Key Encryption

Figure 2: Potential impacts of breaking public-key encryption (Source: Recorded Future)

The most critical risk is the eventual arrival of cryptographically relevant quantum computers (CRQCs), systems capable of breaking widely used public-key algorithms such as RSA, Elliptic Curve Cryptography (ECC), and Diffie-Hellman. These algorithms underpin internet communications (Transport Layer Security [TLS], virtual private networks [VPNs], Secure Shell [SSH]), identity and access management, industrial and internet-of-things (IoT) systems, and the integrity of software supply chains.

If broken, threat actors could decrypt sensitive data, impersonate trusted systems, and undermine digital authentication. This could enable:

• Forged digital signatures
• Compromised code-signing pipelines
• Spoofed websites, identities, and certificates
• Manipulated financial transactions and legal documents

Risk 2: Harvest Now, Decrypt Later (HNDL)

Figure 3: “Harvest now, decrypt later” workflow (Source: Recorded Future)

Although cryptographically relevant quantum computers (CRQCs) may still be years away, the risk is already materializing through “harvest now, decrypt later” (HNDL) activity. State-sponsored threat actors are likely collecting and storing encrypted data today with the intent to decrypt it once quantum capabilities mature. A 2021 Booz Allen Hamilton assessment found that Chinese economic espionage operations are likely targeting encrypted data with long-term intelligence value, including biometric identifiers, covert source identities, and weapons designs.

Large-scale routing manipulation offers one method for intercepting such data. Researchers at the US Naval War College and Tel Aviv University documented systematic Border Gateway Protocol (BGP) hijacking by China Telecom between 2016 and 2019, which redirected traffic from US, Canadian, and Scandinavian networks through Chinese infrastructure. These types of operations align with a long-term HNDL collection strategy.

Under the HNDL model, exposure occurs at the moment data is transmitted or stored, not when it is eventually decrypted. The primary risk, therefore, centers on long-lived data: information that must remain confidential for a decade or more, or whose sensitivity does not diminish over time, such as government and national security records, intellectual property and trade secrets, personal identifiers, financial data, biometric templates, healthcare records, and legal archives. For these data classes, compromise may not be immediately visible, but once decrypted, the consequences are irreversible. As a result, organizations holding long-lived sensitive data face near-term strategic risk regardless of when CRQCs become operational.

Large-scale routing manipulation offers one method for intercepting such data. Researchers at the US Naval War College and Tel Aviv University documented systematic Border Gateway Protocol (BGP) hijacking by China Telecom between 2016 and 2019, which redirected traffic from US, Canadian, and Scandinavian networks through Chinese infrastructure. These types of operations align with a long-term HNDL collection strategy.

Under the HNDL model, exposure occurs at the moment data is transmitted or stored, not when it is eventually decrypted. The primary risk, therefore, centers on long-lived data: information that must remain confidential for a decade or more, or whose sensitivity does not diminish over time, such as government and national security records, intellectual property and trade secrets, personal identifiers, financial data, biometric templates, healthcare records, and legal archives. For these data classes, compromise may not be immediately visible, but once decrypted, the consequences are irreversible. As a result, organizations holding long-lived sensitive data face near-term strategic risk regardless of when CRQCs become operational.

Risk 3: Quantum-Accelerated Brute-Force Attacks (Grover’s Algorithm)

Quantum computing does not break modern symmetric encryption outright, but it can accelerate search-intensive tasks through techniques such as Grover’s algorithm. This reduces defender reaction time and increases the effectiveness of weak or legacy cryptographic implementations. In practice, this could enable faster brute-force attempts against outdated encryption, quicker identification of exposed secrets or misconfigurations, and more efficient malware tuning and exploit development.

Recent demonstrations, such as Silicon Quantum Computing’s high-accuracy implementation on a four-qubit processor, remain limited in scale but reflect steady progress toward these capabilities. However, Grover’s algorithm is constrained by high hardware requirements and limited parallelization. As a result, modern symmetric algorithms such as AES-128/192/256 are expected to remain secure for the foreseeable future, while environments with poor cryptographic hygiene will be affected first.

Risk 4: Quantum- and AI-Enhanced Vulnerability Discovery

Quantum capability will not develop in isolation. As quantum systems improve optimization and search performance, and AI automates reconnaissance, exploit development, and lateral movement, adversaries are likely to operate at unprecedented speed and scale. Rather than identifying isolated weaknesses, attackers could rapidly map entire attack surfaces, chain misconfigurations, and deploy optimized malware variants in near real time. Research from 2024 demonstrates that machine-learning classifiers can already recover full cryptographic keys from PQC implementations using only a few hundred power traces, underscoring that even post-quantum algorithms will require hardened deployment.

This convergence of AI and quantum technologies could significantly increase an attacker's operational tempo and amplify the impact of individual security lapses. The risk is compounded by the fact that a rising number of organizations carry substantial security debt, with many reporting slow remediation cycles that leave vulnerabilities exposed for extended periods.

When Will CRQCs Arrive?

There is no definitive timeline for CRQCs. Most projections place their arrival in the mid-to-late 2030s, with credible breakthroughs possible earlier in the decade. These estimates should be treated with caution: forecasting is inherently uncertain because progress in quantum error correction and qubit scaling occurs in uneven advances rather than linear progression.

For security leaders, the precise date of “Q-Day” is less important than the lifecycle of deployed systems. Infrastructure implemented today may remain operational when CRQCs emerge. Current cryptographic decisions are therefore future-binding.

Under the HNDL model, quantum risk is already material for long-lived data. Preparedness, visibility, and cryptographic agility matter more than timeline prediction.

Figure 4: No definitive timeline for CRQCs (Source: Recorded Future)

How Should Organizations Prepare?

The transition to post-quantum cryptography (PQC) is no longer a theoretical exercise. It is increasingly driven by regulation, procurement requirements, and emerging industry norms. These developments should be interpreted as operational signals necessitating forward planning.

In the US, the Quantum Computing Cybersecurity Preparedness Act requires federal agencies to inventory quantum-vulnerable cryptography and develop migration plans. NIST’s 2024 PQC standards now set the baseline for federal procurement and are rapidly becoming global reference points. In parallel, Commercial National Security Algorithm (CNSA) 2.0 defines approved algorithms and transition timelines for national security systems, with full migration targeted by 2035. Similar momentum is building in Europe. The EU Cybersecurity Act and national quantum-preparedness strategies are accelerating early adoption, particularly across critical infrastructure sectors such as energy and transportation.

Although many of these mandates formally apply to public-sector systems, their practical impact extends well beyond government. Procurement requirements and supply-chain expectations are translating policy into commercial pressure. As a result, cryptographic inventory, structured migration planning, vendor alignment, and crypto-agility are likely to become baseline governance expectations rather than optional best practices. Boards are beginning to treat quantum risk as a strategic planning issue, not a distant technical concern, with some sectors allocating dedicated quantum-security budgets approaching 5% of total cybersecurity spend to support preparation.

Industry coordination further reinforces this direction of travel. Financial institutions, payment networks, and telecommunications providers are forming quantum-readiness working groups to align migration timelines and manage shared dependencies. SWIFT is developing PQC migration guidance for its global messaging network, and Mastercard has released a PQC migration white paper outlining practical transition steps.

Figure 5: Planning for the uncertain arrival of CRQCs (Source: Recorded Future)

As the HNDL risk window narrows, organizations that begin structured preparation now are likely to manage transition risk deliberately and cost-effectively. Security leaders should ensure they understand where quantum-vulnerable cryptography resides, how regulatory obligations may cascade through customers and partners, and whether critical suppliers have credible PQC transition roadmaps. Those that delay risk compressed timelines, regulatory pressure, and materially higher transition costs later in the decade. Specific technical and governance steps are detailed in the Mitigations section.

Outlook

HNDL activity will continue to expand.
State-sponsored threat actors are highly likely to increase long-term interception and storage of encrypted data, particularly from sectors handling information with long confidentiality lifetimes. Even as storage economics fluctuate, scalable interception infrastructure and economically sustainable long-term storage models enable continued accumulation of high-value encrypted material. Demonstrated routing manipulation capabilities further support persistent collection at scale, ensuring exposure continues to build regardless of when CRQCs ultimately arrive.

Attacker operational tempo will increase.
The convergence of AI-enabled automation with quantum-accelerated search and optimization is likely to compress defender response windows and amplify the impact of existing security debt. Organizations reliant on legacy cryptography and slow remediation cycles will feel this pressure first.

Regulatory and procurement pressure will intensify.
Post-quantum readiness is increasingly likely to become a baseline requirement for regulated markets, government contracts, and high-trust supply chains. US and European initiatives are formalizing transition timelines, and these mandates will propagate through vendor ecosystems, reframing quantum preparedness as a competitive requirement rather than a discretionary control.

Migration risk will become a primary enterprise challenge.
Organizations that delay cryptographic inventories and crypto-agility investments are likely to face compressed transition timelines, higher costs, and greater operational disruption as standards mature and vendor dependencies shift.

Mitigations

Organizations should treat quantum resilience as a phased program aligned to visibility, flexibility, and systemic risk reduction, with leaders actively testing assumptions at each stage.

Short-term (2026): Establish visibility and prioritization

Security teams should maintain a comprehensive cryptographic inventory, identifying quantum-vulnerable algorithms across applications, infrastructure, and third-party dependencies, as well as public key infrastructure (PKI), operational technology, and IoT environments, and mapping them to data sensitivity and confidentiality requirements.

Leaders should be asking:

• Do we have an enterprise-wide inventory of where quantum-vulnerable cryptography is embedded, including in legacy and third-party systems?
• Which data assets must remain confidential for a decade or more, and are they currently protected by algorithms likely to be broken by CRQCs?

Medium-term (2026–2028): Enable flexibility

Organizations should design for cryptographic agility, ensuring that new systems and major upgrades allow algorithm replacement without architectural redesign. Vendors supporting long-lived products should provide credible PQC transition roadmaps aligned to emerging standards.

Leaders should be asking:

• Are we continuing to deploy systems that hard-code cryptographic algorithms, thereby increasing future migration risk?
• Do our critical suppliers have credible, time-bound PQC transition plans, and how exposed would we be if they fell behind?

Long-term (2028-onwards): Reduce systemic exposure

Migration should prioritize long-lived data and high-trust functions, including identity infrastructure, code signing, certificate management, secure build pipelines, and critical third-party software. Strengthening software and supply-chain integrity will be essential to minimizing cascading risk during transition.

CISOs should be asking:

• Which enterprise trust anchors (for example, certificate authorities, signing keys, or hardware security modules) would create systemic impact if rendered vulnerable in a post-quantum scenario?
• Can we rotate and replace cryptographic components at scale without operational disruption if migration timelines compress unexpectedly?

Recorded Future intelligence can support these efforts by tracking emerging cryptographic risks through our Threat Intelligence Module, identifying exposed dependencies through our Attack Surface Intelligence, and assessing third-party quantum readiness as standards and vendor capabilities evolve through our Third-Party Intelligence Module.

Risk Scenario

GridCore Systems is a US-based provider of industrial control systems (ICS) and grid-management software for electric utilities nationwide. The firm relies on quantum-vulnerable public-key cryptography (RSA/ECC) for remote access, software signing, and secure data exchange with utilities and regulators, and has not yet completed a post-quantum cryptographic transition.

First-Order Implications

Second-Order Implications

Third-Order Implications

That’s why we’re honored to share that Gartner has named Recorded Future a Leader in the first-ever Magic Quadrant™ for Cyberthreat Intelligence Technologies. This new report evaluated 17 vendors in the space, providing a comprehensive look at the competitive landscape.

“In our view, being recognized as a Leader means something specific to us: we feel it reflects our ability to help our customers with the outcomes they depend on. These include stopping threats pre-attack, running intelligence autonomously at a scale no human team can match, and making every security control they own more effective," said Colin Mahony, CEO, Recorded Future. “We believe this recognition reflects both the trust our customers place in us and the strength of the outcomes we help them achieve.”

A research methodology that prioritizes customer voice

A Gartner Magic Quadrant is a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market’s competitors. By applying a graphical treatment and a uniform set of evaluation criteria, a Magic Quadrant helps you quickly ascertain how well technology providers are executing their stated visions and how well they are performing against Gartner’s market view.

For Recorded Future, this meant that Gartner analysts spoke directly with our customers about their real-world experiences—the challenges they face, how they use our Platform, and the outcomes they've realized. We feel their voices shaped our position in the Magic Quadrant, just as they’ve always shaped our product offerings and roadmap.

The new Gartner report offers a snapshot of what the analysts heard from customers. We haven’t stopped working since then and there’s much to talk about.

There’s more… the next phase of threat intelligence

In conversations throughout 2025, our customers gave us their thoughts about product complexity, pricing models, and the challenges of scaling intelligence across their teams. As a result of their input, we’ve fundamentally changed how they can access and make the most of Recorded Future threat intelligence.

Here are the highlights of our continued commitment to simplicity and innovation to provide better experiences for our customers in 2026:

1. Goodbye, modules. Hello, simplicity. Meet our four new solutions.
Our four new solution areas cover the four major attack surfaces—an organization’s systems, brand, supply chain, and payment methods:

• Cyber Operations—This foundational solution empowers security teams with the intelligence to monitor and prioritize threats and vulnerabilities, get in-depth malware insights, triage alerts and detect threats, and stand up an intelligence-driven defense.
• Digital Risk Protection—Also foundational, this solution allows teams to monitor malicious sites, code repositories, and the dark web to detect brand abuse, employee credential compromise, and other threats to digital trust.
• Third-Party Risk—This solution enables teams to continuously assess supplier security posture with real-time intelligence, accurate risk ratings, vendor action plans, and more.
• Payment Fraud—With this solution, teams can detect and prevent card-not-present fraud with intelligence that identifies compromised payment data before it's used.

The solutions are built on a unified intelligence foundation to provide consistency, accuracy, and alignment around shared security outcomes. And they integrate with other security solutions like CrowdStrike Falcon and Google SecOps, bringing the benefits of Recorded Future intelligence and rich context directly into common SIEM and EDR workflows.

2. New pricing packages for less friction, more intelligence
We’re offering the four solutions in new pricing packages designed to fit customer needs:

• Simplicity—Customers can purchase one package instead of juggling multiple modules
• End-to-end workflows—Packages cover full use cases, complete with the key capabilities to get the job done
• Wider access—Higher tiers offer unlimited seats, so everyone now can be intelligence-led.

In addition, integrations are included. Now your tools in the security stack—SIEM, SOAR, firewall, endpoint protection, ticketing system, and more—can leverage Recorded Future intelligence without integration fees or limitations.

3. Expansion into Latin America
The threat landscape knows no geographical borders, and neither do we. We’ve expanded Recorded Future’s operations into Latin America, giving security teams in the region better access to the expertise and support they need to mount a successful proactive defense.

4. Autonomous Threat Operations for autonomous defense
In February, we launched Autonomous Threat Operations to help customers move from isolated threat intelligence insights and manual workflows to automated and continuous defensive actions across the entire security ecosystem. Complete with AI-powered, 24/7 autonomous threat hunting and multi-source correlation in the Intelligence Graph®.

As we continue to build on our vision of moving from automated to autonomous operations, we’re developing Recorded Future AI and agentic experiences to help our customers reduce alert fatigue, save time on research, and run threat hunts faster so they can detect and defend at scale.

Explore the Gartner Magic Quadrant report today

We’re proud to be recognized by Gartner as a Leader in Cyberthreat Intelligence Technology, and we’ll continue innovating for our customers to help them mitigate risk and stay ahead of evolving threats.

Get the report to review Gartner analysis and see how Recorded Future fits your CTI program needs.

____________________________________________________________________________________________________________________________________

Gartner, Magic Quadrant for Cyberthreat Intelligence Technologies, By Jonathan Nunez, Carlos De Sola Caraballo, Jaime Anderson, 04 May 2026.

Gartner and Magic Quadrant are trademarks of Gartner, Inc. and/or its affiliates.

Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.

Behind every ransomware demand, botnet, or threat activity group is a server sitting in a data center. While most legitimate hosting providers evict threat actors once identified, a specific class of providers does the opposite. Recorded Future^® calls these providers threat activity enablers(TAEs).

What Is a Threat Activity Enabler?

Figure 1: Overview of threat activity enablers’ patterns, ecosystem, and impact

A threat activity enabler (TAE) is an individual, organization, or service provider that supports malicious cyber activity by providing infrastructure or services leveraged by threat actors. More commonly, this includes providers that lack a formal physical or virtual storefront, conduct business only via email or messaging platforms, and do not enforce know-your-customer (KYC) policies. It also includes hosting providers that selectively respond to abuse reports or law enforcement inquiries to maintain plausible deniability, as well as more traditional self-proclaimed “bulletproof” providers that openly ignore oversight or advertise non-cooperation.

TAE networks serve as the backbone for ransomware groups, infostealer campaigns, botnets, and even state-sponsored threat actor operations. What distinguishes TAE networks is the sustained concentration of malicious infrastructure within their networks.

How TAEs Operate

TAEs are masters of obfuscation and are highly resilient, hiding behind layers of decoy companies to evade accountability. They use several core tactics:

• Corporate Shell Games: They establish front companies across multiple jurisdictions to create legal distance between the infrastructure and the operators.
• Strategic Resource Control: They often operate as local internet registries (LIRs). This gives them direct control over IP resources and autonomous systems (ASNs), allowing them to manipulate network resources at will.
• Rapid Rebranding: When a network becomes too "hot" due to scrutiny, TAEs rapidly transfer IP address prefixes to a newly registered, clean-looking entity.

Identifying High-Risk TAE Networks

Recorded Future actively identifies high-risk TAE networks through its Network Threat Density List. These networks are ranked by their Threat Density Score, calculated from the concentration of validated malicious activity relative to the total number of IP address prefixes a network announces.

This approach cuts through the noise to quickly expose infrastructure that is disproportionately associated with threat activity, a core characteristic of TAEs, allowing network defenders to prioritize the infrastructure most likely to pose material risk.

Figure 2: High-risk suspected or confirmed TAE networks in 2025, ranked by Threat Density Score

From Insight to Action

Tracking TAE networks allows security teams to move from reacting to individual threats to proactively managing infrastructure risk. In practice, this means applying TAE intelligence across three core areas: prevention, detection, and exposure.

Operationalize TAE Intelligence

Figure 3: Three steps for operationalizing TAE intelligence

TAEs are persistent and continuously evolving, adapting quickly in response to sanctions, enforcement actions, and exposure. While their identities may change, their underlying infrastructure patterns often remain consistent.

The "metaspinner" Case Study

In April 2025, a TAE tracked by Recorded Future, Virtualine Technologies, shifted its IPv4 resources to a newly registered network that fraudulently impersonated a legitimate German software firm, metaspinner net GmbH. Because this provider’s historical infrastructure patterns were already being tracked, the newly created network was immediately identified as a front. Within weeks, this network became a primary distribution hub for malware families such as Latrodectus and AsyncRAT. When the operation was eventually exposed, Virtualine Technologies simply pivoted the infrastructure to a new identity within one of its existing autonomous systems to maintain its operations.

Figure 4: Validated malicious activity associated with Virtualine Technologies in 2025

This case underscores the reality of TAE networks: while identities, ownership records, and corporate fronts may change, the underlying infrastructure and its associated risk persist, making continuous tracking essential to identifying and prioritizing the networks that will drive future threat activity, as demonstrated by Virtualine subsequently emerging as the highest-risk TAE network in 2025.

The Stark Industries Case Study

In May 2025, the European Union sanctioned UK-registered hosting provider Stark Industries Solutions and its executives for enabling Russian state-sponsored cyber operations. However, enforcement did not halt Stark Industries’ operations. In the weeks leading up to the sanctions announcement, Stark Industries began transferring IP resources, modifying RIPE registrations, and shifting infrastructure to affiliated entities.

Figure 5: Timeline of Stark Industries-related events in 2025

Despite the sanctions, the underlying infrastructure, routing relationships, and operational patterns remained traceable across these new fronts. Continuous monitoring of TAE ecosystems enables defenders to detect these pivots in near real time, revealing continuity beneath corporate rebrands and legal restructurings. This case underscores a broader reality: sanctions may change names and ownership records, but without infrastructure-level visibility, the enabling networks behind malicious activity often persist.

What This Means for Security Leaders

TAEs represent an ongoing challenge. While individual campaigns and threat actors may come and go, the infrastructure that supports them remains adaptive and deliberately resilient.

For security leaders, this requires an additional shift from solely reacting to individual indicators to understanding and prioritizing the infrastructure that enables threat activity at scale. By identifying and tracking high-risk networks, organizations can reduce investigative noise, focus resources on the most impactful threats, and take proactive steps to limit exposure before attacks materialize.

Ultimately, addressing TAEs is not just about detection; it’s also about disrupting the conditions that enable modern cyber threats to operate.

Questions You Should Be Asking

• How much of your network communicates with high-risk infrastructure?
• Are you prioritizing alerts involving high-risk networks?
• Is TAE or ASN risk intelligence integrated into your detection and triage workflows to ensure the highest-risk activity is addressed first?
• Do any of your third-party providers rely on TAE-linked infrastructure?
• Do you have hidden exposure to TAE networks?
• Are your controls dynamically adjusting to infrastructure risk?
• Can you proactively restrict or challenge traffic to and from high-risk networks?

Embodied AI has arrived.. Humanoid and quadruped robots are moving off factory floors and into everyday operations, military deployments, and critical infrastructure. Technological advances in large language models LLMs and robotics are enabling robots to perform complex tasks autonomously.

Security has not kept pace. Researchers have demonstrated that commercially available robots can be hijacked over Bluetooth, covertly exfiltrate audio, video, and spatial data to servers in China, and even infect neighboring robots wirelessly, forming physical botnets. If unaddressed, these security weaknesses are set to scale massively once humanoid robots are fully integrated into critical workflows.

The risks need to be taken extremely seriously. A robot should be treated less like a machine on the balance sheet and more like a cyber-physical endpoint with cameras, microphones, radios, cloud dependencies, and motors. That means tougher procurement, tighter network controls, continuous vulnerability monitoring, and a credible plan for operational continuity if a fleet has to be pulled offline.

Figure 1: Summary of Unitree G1 vulnerabilities, associated business risks, mapped CVEs, and observed network activity (IPs and data exfiltration rates) (Source: Recorded Future)

Analysis

Market Drivers of Embodied AI Adoption

Embodied AI, intelligent systems in physical forms such as humanoid and quadruped robots, is moving from spectacle to staffing plans.

The shift is being driven as much by demographics as by technological progress. There are growing reports that the working-age population worldwide has begun to decline. China, an economic success story, has seen its population also decline again in 2025 as births hit a record low. These trends do not make large-scale automation inevitable, but they seriously strengthen the economic case for it in both corporate and government decision-making.

The International Federation of Robotics identifies labor shortages, real-world testing of humanoid robots, and increasing attention to safety and cybersecurity as defining trends for 2026. Some early deployments of embodied AI reinforce this trajectory. BMW reports that the Figure 02 humanoid robot has assisted in the production of more than 30,000 X3 vehicles, while GXO and Agility Robotics describe their partnership (established in 2024) as “the first formal commercial deployment of humanoid robots.” In high-risk environments, Sellafield is deploying quadruped robots to reduce human exposure in nuclear decommissioning.

Capital markets are also responding. Unitree filed for a reported $610 million initial public offering (IPO) in Shanghai in March 2026. Taken together, these signals suggest that robots are leaving pilot programs and becoming operational.

That transition makes the security question immediate rather than theoretical.

Expanding Attack Surface in Embodied AI Systems

Unlike traditional IT assets, embodied AI systems combine multiple high-risk components in a single platform: cameras, microphones, sensors, wireless radios, cloud connectivity, and physical actuation. This convergence creates a broad and under-secured attack surface.

A compromised robot can exfiltrate sensitive environmental and operational data, provide persistent remote access to internal networks, and interact physically with its environment, potentially causing unintended physical effects. This elevates robots from conventional endpoints to cyber-physical systems with both digital and real-world consequences.

The risk is compounded by architectural choices. Many platforms rely on cloud-dependent telemetry, wireless provisioning interfaces, and centralized control mechanisms. These design decisions create multiple entry points for attackers and increase the likelihood of compromise across entire fleets of embodied AI systems.

Demonstrated Vulnerabilities and Exploits

The risks are no longer theoretical. Documented vulnerabilities show that commercially available robots can be compromised with relative ease. Unlike traditional cyber threats, which mostly affect the digital world, exploiting robots enables attackers to manipulate the physical world, maximizing the potential for harm.

In 2025, researchers discovered an undocumented backdoor in Unitree’s Go1 quadruped robot that enabled remote access via the CloudSail service. Axios reported that an exposed web application programming interface (API) could allow attackers to locate devices globally and, if a robot was online, view live camera feeds without authentication. Where default credentials remained unchanged, full device control was possible. Whether described as a backdoor or a design failure, the implication is the same: robots may be reachable in ways operators do not anticipate, just like any other Internet of Things (IoT) device.

Figure 2: Summary of vulnerabilities affecting the Unitree Go1 robot, with Intelligence Card insights from the Recorded Future Intelligence Operations Platform (Source: Recorded Future)

Further research disclosed a critical vulnerability in the Bluetooth Low Energy and Wi-Fi provisioning interface used by multiple Unitree models, including the Go2, B2, G1, R1, and H1 robots. According to both the UniPwn research and IEEE Spectrum, the flaw combined hard-coded cryptographic keys, trivial authentication bypass, and command injection in the Wi-Fi setup process. An attacker within radio range could obtain root-level access without physical contact, giving them control over the robot.

Because the exploit propagates wirelessly, a single compromised device can enable lateral movement across nearby robots. This creates a fleet-level compromise scenario in which multiple units can be controlled simultaneously. The result resembles a physical botnet capable of both digital and physical actions.

Surveillance risks are equally significant. Researchers wrote that the Unitree G1 robot continuously exfiltrated multimodal sensor and service-state telemetry every 300 seconds without the operator’s knowledge. This included streaming data to external servers, potentially including audio, video, and spatial mapping. A robot operating inside a plant or laboratory may therefore be mapping the environment in real time.

Figure 3: Researchers found Unitree’s G1 quietly transmitting audio, video, and sensor data to the IP address (43[.]175[.]229[.]18) without user awareness (Source: Recorded Future)

The attack surface extends beyond firmware and networking layers. Researchers showed they could take control of a Unitree humanoid in about a minute, bypass its normal controller, and trigger physical actions. Demonstrations at GEEKCon in Shanghai indicated that both voice commands and short-range wireless exploits could hijack robots and propagate attacks to nearby units, including those not actively in use.

At the software layer, embodied AI systems introduce additional risks due to their reliance on large vision-language models. Researchers demonstrated that physical-world text can influence system behavior, as injected visual prompts were shown to steer autonomous driving, drone landing, and tracking tasks without compromising the underlying software. This would enable threat actors to take control of a self-driving car or turn a drone into their own surveillance feed by embedding a visual prompt in the environment, such as hiding a message on a stop sign.

Figure 4: Chinese robotic systems demonstrated during military training exercises (left) (Source: ABC YouTube); Concept rendering of the Atlas 2.0 robot operating in a next-generation factory environment (right) (Source: Boston Dynamics YouTube)

Systemic and Operational Risk Implications

The implications extend beyond individual devices to organizational and systemic risk. Embodied AI systems are already being deployed in environments where compromise has consequences beyond data loss. Manipulation or malfunction of robots during critical operations would have outsized economic or public safety consequences. Militaries are also experimenting with robotic systems (see Figure 4).

Figure 5: Droid TW 12.7 machine gun drone, deployed by Ukrainian forces to capture Russian positions without ground troops (Source: The Telegraph)

In 2024, the Golden Dragon exercise between Cambodia and China featured robot dogs among the systems on display. Meanwhile, in the US, politicians have begun pushing for Unitree to be designated as a federal supply-chain risk, reflecting national security concerns about commercial robotics platforms. This is a very similar move to Poland’s ban on sensor-rich vehicles accessing military sites to limit surveillance risk. Ukraine has successfully deployed ground-based robots and drones in combat operations, marking a significant shift in modern warfare. In a landmark operation in April 2026, Ukrainian forces captured a Russian position using only unmanned systems — the first recorded instance of a robot-only assault in the conflict.

Figure 6: A single vulnerability can simultaneously produce operational, data, safety, and strategic risks (Source: Recorded Future)

As adoption scales, these risks become interconnected. A vulnerability affecting one platform or vendor could propagate across fleets, sites, or sectors, creating systemic exposure.

At the same time, the pace of commercial development is outstripping regulatory oversight. Bank of America estimates that as many as three billion humanoid robots could be in operation by 2060. This convergence of demographic pressure, advancing AI capabilities, and falling production costs suggests that large-scale human-machine coexistence is highly probable.

Figure 7: Summary of the factors fueling growth in robotics production, illustrated by Bank of America data

(Source: Recorded Future)

Securing embodied AI systems is therefore not a peripheral technical issue. It is a strategic requirement that must be addressed before widespread deployment locks in insecure architectures at scale.

This report is updated as the situation evolves across the geopolitical, cyber, and influence operations dimensions of this conflict. It will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.

The Latest Updates

Geopolitical Landscape

• Iran’s hardliners are driving strategic deadlock, blockade resilience, and Strait closure. Insikt Group assesses Iran’s calculus is very likely shaped by IRGC influence and hardliner dominance: Supreme Leader Khamenei’s April 30 statement frames Iranian control of the Strait of Hormuz as a post-American regional order, chief negotiator Ghalibaf has reportedly resigned after a reprimand for raising nuclear issues in talks, and Iran’s public position has converged on a single precondition — the US must lift its naval blockade before negotiations can resume.
• The US blockade has cut Iranian oil exports by ~70% but has not achieved its strategic objectives. Iran faces critical oil storage constraints — Bloomberg reported 22 days or less of unused capacity as of April 27 — yet Insikt Group assesses Iran can very likely survive the current pressure level, and the full financial blow will lag three to four months as ~130 million barrels already loaded before the blockade remain in transit.
• Maritime standoff deepens as Iran seizes vessels, lays additional mines, and ceasefire talks stall. Following the US seizure of the Touska, the IRGC seized the MSC Francesca and Epaminondes and fired on a third vessel transiting the Strait; the IRGC reportedly dropped additional mines during the final week of April, and the Pentagon assesses mine-clearing could take up to six months after a formal end to hostilities.

The United States (US) is shifting toward a more force-driven security strategy primarily relying on military operations and economic pressure to counter transnational criminal organizations and limit Chinese, Russian, and Iranian influence in the Western Hemisphere.

Regional outcomes diverge across three core scenarios:

• US-aligned authoritarian cooperation with fragile stability
• Political fragmentation enabling criminal expansion and governance breakdown
• A strategic realignment toward BRICS that reduces US influence and increases great power competition

Each scenario increases the risks of political instability, regulatory fragmentation, and cyber threats, including increased surveillance, cybercrime, and targeting of critical infrastructure and multinational businesses.

Figure 1: Overview of possible scenarios resulting from the US’s strategic pivot to Western Hemisphere security

(Source: Recorded Future)

Analysis

The US 2025 National Security Strategy formalized a shift toward hemispheric priorities and narrower strategic objectives. This shift had been building throughout President Donald Trump’s first term:

• January 2025: An executive order formally designates cartels as foreign terrorist organizations.
• August 2025: The president signed a classified order directing military action against cartels beyond traditional law-enforcement frameworks.
• September 2025: US forces carried out the first strike on alleged drug-trafficking vessels. Since then, more than two dozen kinetic strikes in the Caribbean and Eastern Pacific have resulted in over 100 fatalities.
• December 2025: The US begins seizing oil tankers accused of sanctions evasion.
• January 2026: The US launches a special operation to capture and extract Venezuelan President Nicolás Maduro to face drug trafficking charges in court.
• March 2026: The US launches the “Shield of the Americas” initiative, intended to counter drug trafficking, transnational criminal networks, and illegal migration in the Western Hemisphere. In an address to Congress two weeks later, the commander of US Southern Command reinforced a greater military role in countering foreign terrorist organizations (FTOs) and managing other security priorities in the region.

Taken together, these moves suggest a shift from a law-enforcement-led regional security model toward more overt coercion driven by military intervention.

Figure 2: US military activity in Latin America has increased significantly since the August 2025 order directing action against cartels (Source: Recorded Future)

At a strategic level, US objectives remain centered on limiting transnational criminal activity and countering external competitors. Transnational criminal organizations are framed as a primary threat vector due to their role in narcotics trafficking and financial crime. China’s growing economic presence, anchored in trade and Belt and Road Initiative (BRI) infrastructure, is also seen as a threat to US interests. Russia and Iran maintain more targeted but persistent footholds, particularly through surveillance coordination in Nicaragua, Cuba, and Venezuela. US policy is oriented toward constraining adversary influence while reinforcing its own economic and security partnerships. The US is pursuing these objectives through a combination of expanded military operations, law enforcement activity, and coercive economic measures, including tariffs and sanctions tied to political alignment.

Figure 3: US naval and air assets have been deployed to the Caribbean to counter drug trafficking (Source: Newsweek)

Scenarios

The shift toward prioritizing US influence in the Western Hemisphere over other national security objectives will likely reshape the regional risk landscape. To assess the potential medium-term outcomes, Recorded Future identified key drivers and established baseline assumptions that underpin scenario development.

The following scenarios explore potential outcomes as the US reorients its security strategy toward the Western Hemisphere:

Scenario 1: Initial Authoritarian Stability

In this scenario, the US successfully asserts influence over historically adversarial authoritarian regimes, notably Venezuela and Cuba. These governments pivot toward cooperation with the US on trade, energy, and security, while maintaining repressive political systems domestically. US intervention has already reshaped Venezuela’s leadership and opened pathways for Western energy investment, while Cuba has responded to continued pressure by showing openness to economic reforms. Meanwhile, democracies like Colombia and Ecuador may adopt more coercive internal security postures, particularly in states facing cartel violence, in response to US pressure.

The US takes more aggressive measures to deter and counter non-Western infrastructure investments, leading to a relative diminishment in the influence of China and Russia as US engagement deepens. However, both powers will likely retain significant hemispheric influence and may pursue limited, asymmetric responses rather than direct confrontation.

Figure 4: US President Trump has praised interim Venezuelan president Delcy Rodriguez (Image source: Le Monde)

Scenario 2: Fragmentation and Criminal Expansion

US intervention produces a political backlash, weakening democracies and fueling the collapse of transitional regimes. Inconsistent or heavy-handed military actions against alleged criminals increase public outrage, leading to electoral turnover and instability. As governments escalate repression to maintain control, resistance movements and localized violence intensify, further eroding state authority. This dynamic creates governance vacuums that strengthen TCOs, particularly in border regions. In this environment, cartels and armed groups re-emerge as dominant power brokers, reversing gains in regional security and leading to a resurgence in criminal activity and violence.

Figure 5: Chancay “megaport” in Chancay, Peru, is funded under China’s Belt and Road Initiative

(Image source: China’s Global South Project)

Scenario 3: Accelerated Pivot to China

The US’s overreliance on military solutions at the expense of soft power enables China to position itself as an appealing alternative partner by offering positive incentives and stable, long-term policy-making. As a result, LATAM governments across the ideological spectrum quietly accelerate their pivot toward China, building on existing trade and investment ties. As this trend continues, LATAM governments feel emboldened to adopt more overt mechanisms to resist US influence, including legal challenges to military operations and regulations targeting US companies. Both China and Russia are able to increase their economic footprint and political influence in the region, especially if the US becomes less willing to maintain a consistent security presence.

Outlook

The scenarios are not mutually exclusive: multiple outcomes can play out in different countries or regions across Latin America. Below are key indicators to monitor to anticipate which outcome is more likely to emerge:

• Election Outcomes: Colombia, Peru, and Brazil all have elections in the next year; a change in leadership may reflect popular dissatisfaction with the current government’s foreign policy, precipitating a policy shift. Furthermore, a decisive Republican defeat in the US midterms may reduce appetite for foreign intervention, leading to inconsistent policy.
• US Intervention in Cuba: The US government is strongly signaling its intention to replace or significantly reform Cuba’s long-standing Communist regime. The success of the operation and the willingness of the US to back a transitional or reform government will determine which scenario described above plays out.
• LATAM Security Cooperations: Criminal groups and militias thrive in contested or under-governed regions, such as along borders. Look for signed agreements and joint operations as signs of cooperation — or the lack thereof signalling potential breakdown in security coordination and a greater likelihood of criminal expansion.
• The China Alternative: While China is likely to want to avoid direct confrontation over influence in the Western Hemisphere, the CCP may seek to offer more positive incentives to increase its economic footprint in the region, such as continued investments in ports, telecommunications, and other critical infrastructure.
• The War in Iran: Even though it’s happening on the other side of the world, the Iran war is likely to shape how the US pursues military operations in the Western Hemisphere. Battlefield setbacks could decrease appetite for military intervention, or energy security pressures could increase the imperative to ensure influence.

Mitigations

• Strengthen cyber resilience and third-party risk management: Enhance monitoring and defenses for critical infrastructure, telecommunications, and cloud environments. Use Recorded Future’s Geopolitical Intelligence module to understand the surveillance risk in countries where you operate. Conduct regular assessments of vendors and partners to reduce exposure to espionage, surveillance, and cybercrime.
• Prepare for regulatory fragmentation and data localization requirements: Develop flexible compliance frameworks that can adapt to diverging data sovereignty laws, sanctions regimes, and trade restrictions. This includes establishing localized data storage where necessary and maintaining legal contingency plans for rapid policy changes.
• Enhance crisis response and continuity planning: Build scenario-based contingency plans for political instability, violence, or infrastructure disruption (such as internet outages or supply-chain interruptions), which are routinely monitored in the Geopolitical Intelligence module. Contingency planning should include evacuation preparation, alternative logistics routes, and redundant communications systems to ensure operational continuity across volatile environments.

Further Reading

Mythos was meant to be contained. Within hours of the public Project Glasswing announcement, a third-party contractor environment became the access vector. Not because Anthropic did something wrong. Because controlled release, at the scale modern enterprise software operates, is a goal rather than a guarantee.

The interesting question isn’t who got in this time. It’s who gets in next, and their economics.

What happened?

The group accessed Mythos the same day it was announced, guessing the endpoint based on Anthropic’s naming conventions for prior models. The vector was an individual employed at a third-party contractor, not Anthropic’s core infrastructure. Source characterizations point to a research community “not wreaking havoc” with the model.

The misread

If the coverage only centers on Anthropic’s security posture or the AI safety debate, we’re missing an important angle.

The structural signal is that any preview or controlled-access model release has porous boundaries by design. Access controls on paper (contracts, NDAs, approved vendor lists) differ from those in practice. Every partner brings their own contractors, endpoints, and people with legitimate credentials and uneven security hygiene. That is the real control surface, not the cryptographic perimeter around the model itself. Which makes this a supply chain problem that happens to be about AI, not an AI problem that happens to involve vendors.

The blind spot

AI policy discourse is locked on US versus China, including energy, chip controls, export rules, sovereign AI posture, and who wins the race.

Structurally missing from the larger conversation is the one state actor whose entire foreign currency revenue stream is cyber-enabled theft. DPRK doesn’t need to win any race. They need a 20-30% productivity gain in existing operations.

The pipeline is documented. Insikt Group’s Crypto Country estimated that regime-linked cryptocurrency theft reached roughly $3 billion through 2023. The Multilateral Sanctions Monitoring Team (successor to the UN Panel of Experts after Russia’s 2024 veto) has since done the harder primary work. MSMT’s October 2025 report documents $2.8 billion stolen from cryptocurrency companies between January 2024 and September 2025 across more than 40 heists, with proceeds explicitly tied to WMD and ballistic missile program funding. The State Department updated the tally in January 2026: another $400 million stolen in the three months since publication, bringing the 2025 totals above $2 billion.

Every successful crypto exchange intrusion ends up on a launch pad.

Why North Korea wants the next model

Crypto exchange intrusions are labor-intensive at every phase. Recon, social engineering at scale (fake developer personas on GitHub and LinkedIn, spear-phishing of individual engineers at wallet providers), credential harvesting, post-exploit lateral movement, key extraction, and laundering.

Agentic capability compresses the cycle to include the same operator-hours, more successful intrusions, and more stolen $$$ per operator.

Bybit is an easy example. The FBI attributed approximately $1.5 billion in stolen virtual assets to TraderTraitor in February 2025. The intrusion chain ran months of patient targeting against a single Safe{Wallet} system administrator via phishing, followed by post-compromise operational patience. These types of attacks are expensive, time-intensive, and still extraordinarily productive.

Lazarus and TraderTraitor don’t need AGI. They need the productivity lift that turns a junior operator into a senior one and shaves weeks off the planning phase. It doesn’t have to be Mythos specifically. Any comparable capability through a comparable vector does the job.

Better tools mean more successful intrusions. More successful intrusions mean more stolen crypto. More stolen crypto means more missiles.

Three access patterns

Three different tradecraft patterns keep getting conflated in media coverage. They are not the same TTP, and treating them as one weakens the response on all three.

1. Contractor misuse. A legitimately credentialed employee at a third-party vendor uses their access for unauthorized purposes. This is the Mythos story. The credentials and access are real, though the intent is variable. Defenses (easy to say, hard to do well): telemetry, behavioral monitoring, and least-privilege scoping at the vendor tier.

2. Fraudulent hiring. An adversary places its own operatives inside the target through stolen or synthetic identities, often via remote IT contracting. This is the DPRK IT worker scheme. Insikt’s Inside the Scam documents PurpleBravo’s infrastructure: front companies in China spoofing legitimate IT firms, and a malware ecosystem (BeaverTail, InvisibleFerret, OtterCookie) targeting the cryptocurrency industry. The credentials are real, but the identities are fake. Defenses: identity verification at hire (in-person interviews to avoid AI tricks), ongoing personnel vetting, geographic and behavioral baselining.

3. Supply chain compromise. A trusted vendor’s systems get breached, and the attacker uses that vendor’s legitimate distribution channel to reach the real target. TeamPCP’s March 2026 LiteLLM compromise hit the AI toolchain directly, poisoning Trivy (a defensive security scanner) to reach a package with 95 million monthly downloads. Defenses: build-pipeline integrity, dependency monitoring, signed artifacts.

These three attack vectors converge on the same truth. Any preview or limited-release AI program that depends on third parties is exposed to all three vectors simultaneously. DPRK is the actor most motivated across the full triangle because the revenue case is specific, measurable, and directly beneficial for the regime. They are incentivized to be “AI native.”

So what?

In the security industry, we need to stop thinking about AI access as purely a lab problem when it’s also a sanctions problem. The great-power competition framing obscures the actor already online, with a rich history of monetizing cyber heists to fund missiles.

“Limited release” is a wonderful bumper sticker. The AI reality, from a threat-modeling perspective, is a countdown to turbo-charging adversarial capabilities.

Now what?

The honest conversation is that perimeter-style AI “controlled access” is less effective against State-sponsored adversaries. A productive security path is a distinct preview infrastructure, aggressive telemetry, canaries, and third-party access tied to personnel-level vetting rather than contractual attestation. (Guessable endpoints should be the first thing dead.)

Crypto exchanges and custodians: your threat model needs to anticipate what Lazarus can do 3 to 6 months from now, not what they did last quarter. Assume they improve faster than your defenses do.

Policymakers: DPRK is a first-class entity in AI access governance. The Multilateral Sanctions Monitoring Team framework already documents cyber-enabled sanctions evasion thoroughly. What it doesn’t yet do is name AI capability access as a sanctions-relevant category. Dual-use export controls have governed the transfer of semiconductor and missile technology for decades. AI capability is the obvious next category.

Corporate CISOs (outside the AI-lab orbit): your third-party contractor environments are now inside the AI capability threat surface, whether you opted in or not. Inventory accordingly.

Close

Mythos is a preview of an access pattern. Any actor whose business model is stealing money to build weapons will find the third-party seam. This time, it was hobbyists. DPRK has spent two decades proving why nonproliferation is the right frame here.

• The real challenge in cybersecurity isn’t intelligence or visibility, it’s speed. Attackers operate at machine speed, while most organizations are still constrained by manual, human-driven workflows.
• Traditional threat intelligence falls short because it stops at insight. To reduce risk effectively, intelligence must not only inform decisions but also actively drive response.
• Fragmentation across cyber, fraud, and third-party risk creates exploitable gaps. A unified, intelligence-driven approach is essential to understanding and addressing modern threats holistically.
• Autonomous defense is the path forward. By enabling continuous, real-time action across the attack surface, organizations can close the speed gap and move from reactive security to proactive risk reduction.

For most security teams today, volume and access to intelligence isn’t the problem. It’s the speed at which they can turn that intelligence into action.

Over the last decade, organizations have invested heavily in threat intelligence and cybersecurity. Global security spending has surged past $200 billion annually, growing double digits year over year, while security’s share of IT budgets has climbed from under 9% to more than 13%. Most CISOs report continued budget increases, and enterprises are making billion-dollar investments in intelligence capabilities.

And yet, breaches still happen. Fraud still slips through. Third-party risk still catches teams off guard. The issue isn’t visibility. It’s the growing gap between how fast threats move and how fast organizations can respond.

Attackers now operate at machine speed, leveraging automation and AI to identify vulnerabilities, launch campaigns, and exploit opportunities in real time. Most security teams, however, are still constrained by manual workflows, fragmented systems, and processes that require human intervention at every step. That mismatch is where risk can accumulate—and where even well-resourced teams fall behind.

The Hidden Cost of Human-Speed Security

For many organizations, this gap shows up in subtle but compounding ways. Analysts spend hours triaging alerts, trying to determine which signals actually matter. Security teams often discover incidents after damage has already occurred, not because the data wasn’t there, but because it couldn’t be acted on quickly enough. Across the organization, teams responsible for cyber operations, fraud, and third-party risk operate in silos, each with their own tools and workflows, rarely sharing a unified view of risk.

At the same time, expectations from leadership have shifted. Executives and boards no longer want activity metrics—they want clear evidence that security investments are reducing business risk. But when intelligence is not clearly connected to action from security teams, that proof becomes difficult to deliver.

Traditional threat intelligence was designed to inform decisions made by humans, at human speed. In today’s environment, that model introduces delay. And delay, in cybersecurity, is increasingly indistinguishable from exposure.

Intelligence That Acts, Not Just Informs

Closing the speed gap requires more than incremental improvements. It requires a shift in how organizations think about intelligence altogether. Moving forward, the future of cybersecurity must be more than just intelligence-led—it must be intelligence-acted.

In this model, intelligence doesn’t sit in dashboards waiting for analysts to interpret it. It continuously correlates signals, prioritizes what matters, and drives action across the security environment automatically. Instead of asking teams to move faster, it enables the entire system to operate at the speed of the threat.

This is the foundation of autonomous defense, and it’s the future of effective, machine-speed cybersecurity.

From Reactive to Autonomous: A New Operating Model

Autonomous defense fundamentally changes the role of the security team. Rather than serving as the bottleneck between detection and response, analysts become decision-makers operating on top of continuously running intelligence.

Recorded Future’s Autonomous Threat Operations brings this model to life by eliminating the manual steps that slow teams down. It ingests and correlates intelligence from multiple sources, applies context in real time, and triggers actions across existing security tools—all without requiring constant human input.

The impact of such a dramatic shift is immediate and measurable. Threat hunting becomes continuous instead of periodic. Alerts arrive enriched with context, reducing the time needed to investigate and respond. Detection and remediation workflows execute automatically, freeing analysts to focus on strategic threats rather than routine triage.

Just as importantly, this approach transforms how organizations measure success. Instead of tracking activity—alerts processed, queries written, incidents reviewed—teams can demonstrate real outcomes: faster response times, reduced exposure, and a clearer connection between intelligence and risk reduction; the latter of which is becoming increasingly necessary for organizational buy-in.

This is so much more than just adding another tool to the stack. Instead, it’s about making every existing control smarter, faster, and more effective. And it’s paying off. On average, security teams using Recorded Future save up to 100 hours per week through improved analyst productivity, allowing teams to redirect effort toward threat hunting and proactive defense instead of repetitive manual analysis.

The Bigger Challenge: Fragmented Visibility Across the Attack Surface

Speed alone, however, is only part of the equation. Many organizations are also limited by how they view risk. Threats today don’t respect organizational boundaries. A phishing campaign can lead to credential theft, which can then be used to access systems, exploit third-party relationships, or enable fraudulent transactions. These events are connected, but still far too many organizations manage them in isolation.

Cyber operations teams focus on internal threats. Fraud teams monitor transactions. Risk teams assess vendors. Each group has visibility into part of the problem, but no one has a complete picture. This fragmentation creates blind spots, and attackers are increasingly skilled at navigating between them.

A Unified Approach to Risk

To effectively reduce risk, organizations need more than faster response times. They need a connected understanding of their entire attack surface, along with the ability to act across it in a coordinated way.

Recorded Future addresses this through four core solution areas—Cyber Operations, Digital Risk Protection, Third-Party Risk, and Payment Fraud Intelligence—all built on a single, integrated intelligence foundation.

In cyber operations, this means moving beyond alert overload to real-time prioritization. Instead of forcing analysts to sift through volumes of data, intelligence surfaces the threats that are most relevant to the organization’s environment and enables immediate action. The combination of prioritization and automation allows teams to reduce noise while improving both detection speed and response quality.

In digital risk protection, the focus shifts beyond the traditional perimeter. Today’s attackers target brands, customers, and executives just as frequently as they target infrastructure. By monitoring the open, deep, and dark web, Recorded Future provides visibility into impersonation campaigns, credential exposure, and emerging threats long before they impact the organization. More importantly, it enables rapid response, whether that means taking down fraudulent domains or preventing account takeover attempts.

Third-party risk represents another growing challenge. As organizations expand their ecosystems, they inherit risk from vendors and partners, often without real-time visibility. Third-party involvement in breaches has reached a staggering 30%, up from just 15% a year ago. Static assessments and periodic reviews can’t keep pace with how quickly vendor risk evolves today. Continuous monitoring, grounded in real-world intelligence, allows organizations to detect issues earlier, respond faster, and maintain a more accurate understanding of their exposure.

In the realm of payment fraud intelligence, the shift is equally significant. There were some 269 million records posted across dark and clear web platforms in 2024, and a tripling of certain e-skimmer infections. It’s important to keep in mind that fraud doesn’t begin at the moment of transaction. Rather, it begins much earlier, in the environments where stolen data is exchanged and tested. Recorded Future provides comprehensive coverage across the complete payment fraud lifecycle. Sophisticated cleanup and normalization techniques result in better data quality and richer data sets, reducing manual research and enabling high confidence mitigation actions. By identifying these signals upstream and intervening, organizations can stop fraud before it’s executed, reducing both financial loss and customer impact.

One Intelligence Foundation. Total Visibility.

What makes this approach fundamentally different is that these capabilities are not delivered as isolated solutions. They are unified through the Recorded Future Intelligence Platform, which correlates data across millions of sources and billions of entities to provide a single, coherent view of risk.

This unified foundation enables organizations to connect signals that would otherwise remain siloed. Threat actors, infrastructure, vulnerabilities, and campaigns are all linked, allowing teams to understand not just what is happening, but what is likely to happen next.

That level of visibility is what makes autonomous defense possible. And not just within a single domain, but across the entire attack surface.

The urgency behind this shift cannot be overstated. Attackers are already operating at machine speed, using automation to scale their efforts and reduce the time between discovery and exploitation. At the same time, organizations that rely on manual processes are finding it increasingly difficult to keep up.

The consequences of this gap are significant. Longer dwell times allow attackers to entrench themselves more deeply. Delayed responses increase the cost and impact of incidents. And as breaches and fraud events become more visible, customer trust becomes harder to maintain.

This is no longer a question of optimization. It’s a question of whether existing operating models can keep pace with the reality of modern threats.

Rethinking What Threat Intelligence Should Do

As organizations evaluate their approach to cybersecurity, the role of threat intelligence needs to be reconsidered. It is no longer enough for intelligence to provide visibility. It must enable action. It must operate in real time. And it must extend across the full scope of organizational risk—not just one domain at a time.

Equally important, it must deliver outcomes that matter to the business. Faster detection, reduced exposure, and measurable risk reduction are no longer aspirational. They are essential for enterprise security in the modern, AI-powered threat landscape.

The goal for most organizations isn’t to replace their security stack. It’s to make it work better. By enabling intelligence to act autonomously, connecting visibility across domains, and aligning security operations with the speed of modern threats, organizations can close the gap that has long existed between insight and action. Recorded Future is built to make that possible.

If your team is still struggling with alert fatigue, delayed responses, or fragmented visibility, the issue may not be a lack of resources. It may be a limitation in how intelligence is being applied.

Now is the time to rethink that model.

Connect with Recorded Future to see how autonomous defense can help your organization move at the speed of today’s threats—and stay ahead of what comes next.

Contact us

Critical elements and rare earth elements REEs are no longer commodities; they are strategic dependencies. Chinaʼs dominance in processing and refining provides it with enormous geopolitical leverage over other industrialized economies.

Geopolitical competition over mining and refining critical elements and REEs is accelerating. Competition to mine them will almost certainly expand into the Arctic, Greenland, Antarctica, the seabed, and space. These emerging arenas introduce legal ambiguity, environmental tension, and strategic rivalry, creating new geopolitical flashpoints.

Cyber operations are increasingly intertwined with resource competition. Insikt Group has identified state-sponsored and criminally aligned cyber threat actors targeting mining organizations to gain a strategic advantage. As critical mineral supply chains grow in importance, cyber activity targeting the sector is expected to increase, with criminal groups potentially serving as proxies or access brokers for state-backed operations.

Figure 1: Map of where critical elements and REEs are being mined or have been located, along with key findings in the report Source: Recorded Future)

Analysis

What Are Rare Earth Elements and Critical Elements?

Rare earth elements (REEs) are a group of seventeen metals that are essential to modern technologies. REEs are vital to the Fourth Industrial Revolution, a term for the current era of connectivity, advanced analytics, automation, and advanced manufacturing technology. REEs are used in small but essential quantities; they significantly impact the efficiency, precision, and reliability of equipment. They also differ from most other critical elements because they are difficult to process and refine. The refining process requires complex separation, making supply chains slow to build and capital-intensive.

Figure 2: Simplified REE production process from mining to refining (Source: Recorded Future)

Critical elements such as lithium, copper, nickel, cobalt, and graphite are primarily used as structural, conductive, or energy-storage materials and are consumed in much larger quantities. These elements form the physical backbone of products like batteries, wiring, and digital infrastructure. In simple terms, critical elements build the systems, and REEs enable the systems to perform at high levels.

Where Are REEs and Critical Elements Located?

On land, critical elements are unevenly distributed globally, with mining concentrated in a few countries. REEs are primarily mined in China, with significant deposits in Australia and the United States (US).

Figure 3: The distribution of where critical minerals were mined in 2023 Source: World Resources Institute)

The seabed is an emerging arena for mining due to vast critical mineral reserves that are believed to lie on the ocean floor. On the seabed, minerals are packed into potato-sized nodules, form hard crusts, accumulate in sediment layers, and are emitted from hydrothermal vents. In April 2025, the Trump administration issued an executive order directing the US to rapidly scale its capability to mine and process seabed critical elements. Meanwhile, China continues to expand its deep-sea mining capabilities. Japan is also accelerating its deep-sea mining program and, in February 2026, recovered REEs from 6,000 meters below the surface of the Pacific Ocean.

Figure 4: Diagram showing how minerals containing critical elements can be extracted from the seabed Source: US Government Accountability Office)

Arctic ice volume has declined by more than 70% since the 1980s, opening new shipping routes and exposing vast natural resources. As ice retreats, significant deposits of critical elements such as cobalt, tin, and REEs are becoming accessible, alongside oil and gas reserves. Mineral-rich seabed nodules are also being uncovered, attracting increasing interest from both nation-states and private investors.

Greenland contains 25 of the European Commission’s 34 designated critical raw materials as well as substantial oil and gas potential. Mining remains difficult due to harsh conditions and limited infrastructure, but continued ice retreat combined with sufficient capital investment could unlock resources of major economic and geopolitical importance.

Figures 5 and 6: Map showing critical minerals located on Greenland (left) Source: The Telegraph);Map showing critical minerals in the Arctic region (right) Source: The Economist)

Antarctica is currently off-limits to mining until at least 2048 under a 1991 environmental agreement that designated the continent as a natural reserve. Antarctica is believed to hold significant reserves of oil, coal, and iron ore, which are already attracting growing interest for the future. China and Russia have announced plans to expand their presence in Antarctica. China’s intentions appear to be focused on resource exploitation, which could open up a new geopolitical fault line, this time in the South Pole.

Space is quickly becoming the next frontier for critical resource extraction. Critical elements are abundant on asteroids and on the Moon. As companies move toward space mining, the US and China are simultaneously racing to establish a permanent presence in space by the 2030s, intensifying an already highly competitive astropolitical environment.

What Is the Geopolitical Importance of REEs and Critical Elements?

Because industrialized nations need critical elements and REEs to manufacture advanced technologies, global demand is rapidly accelerating. China’s control over critical elements and REEs stems primarily from its dominance of processing and refining rather than extraction. By controlling much of the world’s REE separation and refining capacity, China holds significant leverage over global supply chains and strategic technologies.

This reliance has heightened anxiety in the US over access to critical and rare earth elements. In 2025, China demonstrated its leverage by threatening to suspend REE exports to the US, which compelled Washington to back away from plans to restrict the transfer of critical semiconductor technology.

The US government has since accelerated international critical minerals deals and begun investing in US mining operations to minimize its reliance on China, where over 90% of the world’s REEs are processed. Furthermore, we are now seeing the US strategically stockpiling critical minerals and seeking to form “critical minerals trade blocs.”

Have Any Cyberattacks Been Linked to REEs and Critical Elements?

State-sponsored cyber capabilities are deployed to support national objectives linked to mining operations and the exploration of new critical minerals.

In 2021, Insikt Group identified infrastructure previously linked to APT15, a Chinese state-sponsored threat actor targeting a Canada-based mining company focused on mining zinc, copper, and lead. While there is no public record of Chinese investment in that specific mining company, Chinese firms invested approximately CAD 40 million (USD $30 million) in other Canadian lithium miners during the same period. Ottawa later forced those companies to divest on national security grounds.

In 2025, Insikt Group identified several Chinese state-sponsored threat actors targeting an organization focused on monitoring and regulating seabed mining. These cyberattacks occurred around the same time that China entered into seabed exploration and mining partnerships with nations such as the Cook Islands, Kiribati, and Tonga. This campaign was almost certainly driven by a desire to gain advanced insight into deep-sea mining rules and rival nations' positions, helping it protect its critical minerals dominance and secure strategic seabed access ahead of its competitors.

Between January 2021 and January 2026, Insikt Group identified multiple sophisticated cyber operations targeting Indonesia. While not every intrusion can be conclusively attributed to mining activity, these attacks align with China’s strategic interest in Indonesia’s natural resources; for example, Chinese companies control about 75% of Indonesia’s nickel refining capacity. Furthermore, Indonesia holds approximately 55 million metric tons of nickel reserves, which is over 40% of global reserves.

Figure 7: Timeline of Chinese cyber threat actor campaigns identified by Insikt Group targeting Indonesia from January 2021 to January 2026,alongside large mining deals Source: Recorded Future)

In 2025, a hacker group known as Silent Lynx (or YoroTrooper) was reported to be targeting Russia's mining sector. Security researchers assessed that Silent Lynx is likely Kazakhstan-based, due to its language fluency, use of local currency, and regional targeting.

Ransomware and criminal cyber groups frequently target the mining sector, primarily for financial gain. As the sector’s global economic importance grows, it may attract increased extortion efforts. Insikt Group has previously identified ransomware groups operating in close coordination with state actors, effectively using ransomware as a smokescreen; as a result, we cannot rule out criminal groups increasingly providing access to mining organizations for state-sponsored cyber operations.

Figure 8: Data from Recorded Futureʼs Ransomware Dashboard showing the top five ransomware groups targeting the mining and metals sector in 2025 Source: Recorded Future)

Figure 9: Timeline from January 2021 to January 2026 showing mining companies being named on ransomware extortion sites,

alongside mining company access being sold on dark web sites Source: Recorded Future)

In 2024, Northern Minerals, an Australian rare earths producer, was compromised by the ransomware group BianLian. They published stolen data on the dark web shortly after Northern Minerals ordered Chinese-linked investors to divest their 10.4% stake. BianLian is a financially motivated group that opportunistically targets multiple sectors and is believed to be operated by Russia-based threat actors. While this leak was likely financially driven, state collusion cannot be ruled out, as state-sponsored threat actors increasingly hide operations behind criminal activity.

Outlook

The US and its allies will almost certainly intensify efforts to reduce strategic dependence on China for critical minerals. This is because control of mineral supply chains will be a decisive factor in determining leadership in the Fourth Industrial Revolution.

Mining activity will almost certainly expand into new frontiers, including the deep sea, the Arctic, and Antarctica, permanently reshaping both economic competition and geopolitical risk.

Space will very likely emerge as the final frontier for resource extraction. The US and China will accelerate competition to secure access to lunar and asteroid-based minerals, extending terrestrial resource rivalries beyond Earth’s orbit.

State-sponsored cyber threat actors operating on behalf of industrialized nations will almost certainly increase their focus on targeting mining companies and governments operating in strategically significant mining regions.

Criminal cyber activity will very likely increasingly serve as a smokescreen or initial access vector for state-sponsored operations targeting critical mineral mining companies.

Recommended D3FEND Actions

Further Reading

Mitigations

Know your exposure to changes in critical mineral supplies: Map the locations of critical minerals in your products and suppliers, and identify potential single points of failure.
Resilience question: Are there any single points of failure in critical products or business lines if China were to restrict the supply of REEs?

Build a fallback plan: Put backup suppliers, alternate materials, and realistic inventory buffers in place for the highest-risk supplies your organization relies on.
Resilience question: What is our Plan B for our top three critical electronic supplies, such as laptops?

Prepare for criminal and state-sponsored cyberattacks: If you operate in or supply the mining and critical minerals sector, treat criminal intrusions as potentially more than financially motivated. In some cases, they may serve as cover for espionage. Actively monitor the latest indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) associated with threat actors known to target the sector or government bodies responsible for nation-state mining interests. Use Recorded Future’s Threat Intelligence Module to monitor for dark web and closed-source mentions tied to mining targeting.
Resilience question: If we’re hit with ransomware, how quickly can we restore operations? Do we have backup systems and data?

Map out your supply-chain risks: If your organization operates in or near the mining industry, you might have robust security measures — but your suppliers might not. Use Recorded Future’s Third-Party Intelligence Module to identify risks in your supply chain.
Resilience question: Which supplier or contractor would cause us the most problems if they were hacked, and could they be easily hacked from what we can identify?

Monitor the new mining hotspots: Track developments in the Arctic, Greenland, Antarctica, deep-sea mining, and space, as rules and conflicts there can quickly affect supply and reputation. Use Recorded Future’s Geopolitical Intelligence Module to gain visibility into new mining contracts and potential geopolitical risks from new deals.
Resilience question: What early warning signs are we monitoring that could disrupt our supply chain in the next 6–12 months?

Over the last decade, connectivity has expanded, yet the world has become more fragmented. Our everyday lives are more digital, but we spend more time parsing text messages for scams or deliberating the authenticity of potential deepfakes. Technology is delivering great productivity gains to small businesses while making them a larger target for cybercriminals.

In this environment, exposure becomes the default: Access points are growing, control is hard and reacting to change stops working. AI intensifies these dynamics because it compresses time for everyone, including adversaries.

Today, trust has become the most critical tool to move all businesses forward. Without trust, even the best ideas stall. People hesitate, adoption slows and growth stagnates.

Trust used to be something businesses tried to repair after a breach. Now it must be the starting point, and something to nurture and continuously prove in a world that has fundamentally changed.

It would be impossible to eliminate the risk entirely. Some estimates project cybercrime could cost the world $15.6 trillion annually before 2030, surpassing all but two of the world’s largest economies. Instead, the goal must be to build the ability to see sooner, decide faster and limit impact when, not if, something breaks. Trust today is all about bringing together speed, intelligence and collaboration, and that’s exactly what we’re developing across our teams.

Getting this right isn’t just good business sense, but the only way to ensure new technologies are embraced and economies can keep growing.

The advantage is intelligence

Real advantage comes from understanding context and connecting signals across systems. That’s what turns data into better decisions. This kind of intelligence increases speed, reduces risk and enables proactive action. With the right intelligence, teams can hunt for threats continuously, test assumptions and act before harm occurs, not just triage alerts after the fact.

You can see this shift in how the payments industry is evolving, including the work we’re doing by bringing Recorded Future’s threat intelligence together with Mastercard’s security capabilities, payments infrastructure and partnership models. We’re helping organizations understand where risk concentrates, how it propagates, and how quick, collective action can reduce the cost of cybercrime.

Faster insights mean earlier action, which minimizes impact — and deepens trust.

Trust is built through collaboration

Security doesn’t scale through isolated heroics. It scales through ecosystems: shared signals, shared standards and partners who can move together as new threats arise, attack vectors shift and failures spread.

Resilience is strongest when public and private sectors plan, exercise and respond together, rather than in parallel. Different players have different sightlines in the digital ecosystem. Startups look at the edges of innovation. Enterprises understand the realities of operating in today’s environment. Governments see where systemic risk concentrates. When those visions combine, our shields strengthen and expand, pushing cybercriminals out of the frame.

During our time here in Miami for the eMerge Americas conference, we’ve had the opportunity to speak to enterprises, startups, investors and government leaders about the need to accelerate resilience in Latin America, where the digital economy is booming but security hasn’t always kept pace. The region has the world’s fastest-growing rate of disclosed cyber incidents — in 2025 alone, Recorded Future tracked 452 ransomware incidents — but only seven countries have developed cybersecurity plans protecting critical infrastructure, and only 20 have formal computer security incident response teams.

That gap is where trust breaks, and where more collaboration can become a growth necessity. We can’t build sustainable economic growth in Latin America without building digital trust and cyber resilience. That’s why we are deepening our footprint here, enhancing regional threat intelligence and resilience and paving the way for stronger public-private collaboration to address these complex risks.

Secure digital access unlocks economic opportunity — and insecurity shuts it down fast. For a first-time digital user, one fraud incident can be enough to opt out for good. For a small business, one account takeover can wipe out months of progress. That’s why trust is inextricably linked to financial health. People can’t build stability on top of systems they’re afraid to use. At Mastercard, we’ve committed to connecting and protecting 500 million people and small businesses by 2030, because secure participation is foundational, not optional.

The bar for digital innovation today is not what we can deliver, but what people will trust enough to use, depend upon and harness for their own financial health. Because in the end, trust is the superpower.

Chinese-language, Telegram-based “guarantee” marketplaces are increasingly popular among Chinese-speaking criminal groups despite the widely publicized shutdown of Huione Guarantee in 2025. Although these guarantee marketplaces operate similarly to Huione Guarantee, they differ in their focus on particular aspects of cybercrime and in their targeting of specific geographies. To better understand these Chinese-language guarantee marketplaces, Insikt Group observed and analyzed another increasingly popular guarantee marketplace, dubbed Dabai Guarantee (“大白担保”).

Given that guarantee marketplaces typically involve hundreds to thousands of public and private channels, this report outlines how Insikt Group analysts navigated through just one of the Telegram channels belonging to Dabai Guarantee’s large infrastructure. The channel is known as Dabai Guarantee Public Group 301 (@DBTM301), and its main objective is to conduct “sweeping” operations (using illicit techniques to make purchases of physical goods at retailers or to withdraw and transact at country-specific ATMs) in South Korea and Japan. This report also includes the visible organizational structure of Dabai Guarantee Public Group 301, key rules, staff, and customer service functions.

This report primarily serves as an introduction to understanding how Chinese-language, Telegram-based guarantee marketplaces work and how to navigate them. It also includes interpretations of multiple criminal terminologies used by Chinese-speaking criminals, which are pivotal to understanding how Chinese cybercrime evolves over time. The cyber and fraud campaigns being promoted and launched on Dabai Guarantee and other similar guarantee marketplaces can negatively impact retail, banking, contactless payment providers, insurance companies, and individuals vulnerable to scam-related campaigns.

Key Findings

• Dabai Guarantee is a platform that enables multiple Chinese-speaking threat groups with strong presences across multiple countries to coordinate and launch global-scale fraud and cyber campaigns.
• Chinese-speaking syndicates are using Dabai Guarantee as a platform to facilitate campaigns involving financial and retail fraud, such as ATM withdrawal and ghost-tapping.
• Criminal groups participating in campaigns are often siloed, acting independently, and restricting the sharing of information, resources, and goals, thereby creating barriers to tracking their activities.
• Unlike conventional ghost-tapping campaigns that mainly target luxury businesses, “sweeping teams” typically purchase goods that are less expensive but still considered valuable to criminal groups and are relatively easy to transport (such as women’s cosmetics and tobacco products), likely to avoid detection by law enforcement. The sweeping teams eventually resell them in other markets for cash.
• Dabai Guarantee’s bot search function makes it easy for Chinese-speaking criminals to enter specific search terms and be matched with existing public groups running those campaigns.

Background

Chinese-language guarantee marketplaces first emerged around 2021 with the launch of Huione Guarantee, serving as reliable alternatives to traditional dark web marketplaces accessible via the Tor network. Owners of traditional dark web marketplaces, such as Exchange Market and Chang’An Sleepless Night, have close to full control over advertisements and transactions. These guarantee marketplaces seek to eliminate distrust stemming from criminal groups scamming one another, dark web marketplaces shutting down, potential exit scams, and parties failing to honor terms that were previously agreed upon. Furthermore, guarantee marketplaces operate on publicly accessible Telegram channels by design; these public channels are meant to be found and appeal to a wider Chinese-speaking audience that uses Telegram, noting that most Chinese criminals still use Telegram rather than Tor for communication.

Guarantee marketplaces are often different from typical peer-to-peer (P2P) transactions between threat actors. Guarantee marketplaces are one-stop shops that handle and facilitate all cryptocurrency transactions (typically Tether/USDT) and mediation services between parties, whereas P2P transactions typically take place directly between users or through a third-party escrow service. The preferred cryptocurrency of Chinese-speaking threat actors is USDT, a stablecoin pegged to the US dollar that maintains anonymity. Stablecoins are a type of cryptocurrency designed to maintain a stable value by pegging themselves to reserve assets, most commonly the US dollar, to mitigate the volatility of cryptocurrencies like Bitcoin. According to Chainalysis’s 2026 Crypto Crime Report, stablecoins have come to dominate the landscape of illicit transactions, accounting for 84% of all illicit transaction volume in 2025. Chinese cybercriminals prefer using stablecoins such as USDT due to their combination of price stability, ease of border transfer, and relative anonymity. USDT also helps Chinese cybercriminals bypass China’s strict capital controls and traditional banking scrutiny to move money across borders.

In January 2025, Insikt Group published a report on the Chinese-language guarantee marketplace Huione Guarantee, “Huione Guarantee Serves as a One-Stop Shop for Chinese-Speaking Cybercriminals.” The report described the activities facilitated by Huione Guarantee, which include investment fraud, money laundering, and various online scams. Despite Huione Guarantee’s shutdown on May 13, 2025, Insikt Group observed that other guarantee marketplaces, such as Tudou and Xinbi, stepped in to fill the void left by Huione Guarantee's closure. According to Elliptic, Tudou Guarantee also shut down its operations in January 2026, after processing $12 billion in transactions. Even though Xinbi Guarantee was previously reported to have shut down, it has since been rebuilt and maintains a presence on Telegram as of this writing. Other, but not widely reported, active Chinese-language guarantee marketplaces operating on Telegram (besides Dabai Guarantee) are Yinuo, BoChuang, and Ouyi.

Guarantee marketplaces can also facilitate new attack vectors such as ghost-tapping. In July 2025, Insikt Group published a report titled “Ghost-Tapping and the Chinese Cybercriminal Retail Fraud Ecosystem,” which details how Chinese-speaking cybercriminals and syndicates work together to conduct retail fraud using near-field communications (NFC) relay tactics. As of February 2026, Insikt Group observed that Dabai Guarantee has emerged as a major player in Chinese-language cybercrime, with its Telegram-based infrastructure resembling that of Huione Guarantee and offering malicious services similar to those advertised on Huione Guarantee, which is now defunct.

Dabai Guarantee Overview

Dabai Guarantee is a Telegram-based marketplace, consisting of thousands of public and private Chinese-language Telegram groups, that operates in a manner similar to Huione, Tudou, and Xinbi guarantees; many of these services cater to “small to medium-sized clients.” However, the operators of Dabai Guarantee do not maintain a clearnet website; they operate solely on Telegram, likely due to operational security (OPSEC) concerns. Operators of Dabai Guarantee likely chose not to have a clearnet website in light of Huione’s “bad OPSEC” practices — Huione Guarantee’s clearnet website made tracking much easier for law enforcement officials and researchers, which likely contributed to FinCEN sanctioning the organization in May 2025. The Dabai platform is populated with third-party vendors providing various services that facilitate cybercriminal and fraud activities, including money laundering methods and services, compromised social media and e-commerce accounts, SIM cards, personally identifiable information (PII), malware-as-a-service (MaaS), deepfake technology, know-your-customer (KYC) bypass services, and more.

Dabai Guarantee was likely founded in December 2024, based on its Telegram Channel’s creation date. There are currently six known official main Telegram channels:

• “公群导航 @dabai” (@dabai_a): “Public Group for Navigation Purpose”, 15,372 subscribers, as of this writing
• “大白担保大群” (@dabai_c): “Dabai Guarantee Big Group”, 19,225 members, as of this writing
• “大白供需频道” (@dabaiyajing): “Dabai Supply and Demand Channel”, 17,085 subscribers, as of this writing
• “大白担保规则” (@dabai_e): “Dabai Guarantee rules”, 428 subscribers, as of this writing
• “大白担保客服人员名单” (@dabai_f): “Dabai customer service list”, 527 subscribers, as of this writing
• “大白担保 @dabai” (@dabai): “Dabai Guarantee bot channel”

Dabai Guarantee’s public navigation channel, 公群导航 @dabai, is used to direct threat actors to different private/public Telegram channels to coordinate and collaborate on campaigns targeting both Chinese-speaking and non-Chinese-speaking victims. Below is a list of the service categories offered on the public Telegram groups on Dabai Guarantee. Each category has subcategories for more specific services. Each public Telegram group has a unique group number, the amount of the deposit made to Dabai Guarantee in USDT, the handles of group administrators and customer service representatives, the transaction rules, and a dedicated cryptocurrency wallet. More information can be found in Figure 1. These specialized channels include the following:

• “海外钓鱼类” (“Overseas Phishing”) — Coordinate phishing campaigns against individuals residing outside of China
• “买卖类” (“Trading”) — Buy and sell gift cards, databases, SIM cards, social media burner accounts, IP addresses, and physical goods
• “引流类” (“Traffic generation methods”) — Overseas SMS blasts, Baidu promotions, chat scripts, and other services
• “承兑类” (“Acceptance methods”) — Payment methods accepted by merchants include Alipay, WeChat Pay, and cryptocurrencies
• “通道合作类” (“Cooperation Channels”) — Motorcade teams to conduct overseas operations such as collecting or making payments via cash and cryptocurrencies, and logistic operations to move physical goods
• “短视频类” (“Short Videos”) — Short Douyin videos for promotions
• “合作类” (“Cooperation”) — ID Loans, Apple IDs, courier delivery services, and burner mobile phones
• “服务类” (“Services”) — SMS verification, file lookup, and graphic design services
• “卡商类” (“Carding Merchants”) — Money laundering through bank cards and contactless cash withdrawal without cards
• “搭建类” (“Developers”) — Software and bot setup services, and Apple signing/server/VPN/domain setup services
• “其他类” (“Others”) — Other miscellaneous fraud services, social escort services, police impersonation, artificial intelligence (AI), and search engine optimization (SEO)-related services
• “游戏类公群” (“Gaming-related public groups”) — Online gambling and video games

Figure 1: Dabai Guarantee’s public navigation purpose Telegram channel “公群导航 @dabai”, with listed categories (Source: Telegram)

Dabai Guarantee’s Rules (@dabai_e)

Dabai Guarantee’s rules channel (@dabai_e) has posted rules to prevent impersonation of the marketplace and to prevent users from creating their own “public groups” that are not officially regulated by Dabai Guarantee’s administrators. Some of the rules also showcase Dabai Guarantee’s OPSEC measures to prevent scamming and impersonation. The original Chinese text is in Appendix B. The following are some key rules:

• Members are not allowed to create their own public group channel without Dabai Guarantee`s approval.
• Members are not allowed to have private dealings with other parties or platforms, as Dabai Guarantee only guarantees transactions conducted on its platform. Dabai Guarantee also does not provide assurances for transactions with the Public Group “boss” or any other administrator. This means that no individual should have any transactions with the boss directly and should instead use Dabai Guarantee’s funds transfer mechanism.
• Individuals who initiate a chat session with you are 100% scammers; members are to block and refrain from chatting with them.
• The cryptocurrency address belonging to Dabai Guarantee is unique, and anyone sending other deposit addresses is a scammer.
• After members have staked their cryptocurrency as deposits, they are required to send Dabai Guarantee’s leadership screenshots of the deposit to @dabai for verification and confirmation. Any losses resulting from failure to contact @dabai will be the member’s responsibility.

Case Study: Public Group 301

Group Structure

For this report, we will use the Telegram channel “Public Group 301,” which belongs to Dabai Guarantee, as a case study. This is not meant to be a comprehensive analysis of Dabai Guarantee’s massive infrastructure and that of other Chinese-language guarantee marketplaces. It is difficult to accurately quantify how many “Public Group” channels and threat groups are on Dabai Guarantee, as the numbers tagged to Public Groups are not assigned in chronological order, resulting in a lack of visibility — unlike Huione Guarantee, which had a clearnet website that listed the Public Group channels to redirect threat actors. Although there are thousands of channels belonging to Dabai Guarantee alone, understanding Public Group 301’s structure can at least provide insight into how threat actors use Dabai Guarantee in their campaigns.

In guarantee marketplaces, threat actors looking to launch campaigns typically deposit USDT to start a public Telegram group approved by Dabai Guarantee. This model ensures that criminal syndicates do not have to deal with other threat actors directly, but have Dabai Guarantee as a mediator. In the case of Dabai Guarantee’s Public Group 301, affiliate threat groups do not have to engage directly with the group’s leader, @J0hnNo1, and instead receive payments from Dabai Guarantee after the completion of tasks required by @J0hnNo1. Guarantee marketplaces such as Huione, Tudou, Xinbi, and Dabai seek to eliminate the “lack of trust” among Chinese-speaking threat actors. These marketplaces are designed to become trusted platforms that foster coordination and cooperation between different Chinese-speaking criminal groups to achieve their objectives.

Insikt Group navigated through Public Group 301’s Telegram infrastructure in order to identify the redirection flow. As shown in Figure 1, each category contains a hyperlink that redirects to other channels. From Figure 1, selecting category 5, sub-category 2 (“海外扫货车队”, or “Overseas Goods Sweeping Team”) redirected to a pinned message as seen in Figure 2. This message lists four different public channels (“公群”) containing campaigns targeting the US, Canada, South Korea, and Japan.

Figure 2: Selecting “海外扫货车队” (Overseas Goods Sweeping Team) redirects users to four different Telegram groups, where threat actors are seen discussing and showing off their financial crime-related achievements in countries such as the US, Canada, South Korea, and Japan (Source: Telegram)

As seen in Figure 2, “公群” refers to unique Public Group channels for specific purposes or operations. Each public channel here contains a numerical group identifier and a “U” deposit amount, where “U” refers to USDT. For example, “公群935已押2000U” refers to Public Group Number 935, with 2,000 USDT already being deposited in Dabai Guarantee to start the campaign. The naming convention for these Public Groups is ”dbtmxxx”; in this case, Public Group Number 935 will have the Telegram channel @dbtm935. When selecting the second option, “公群301已押1000U韩国，日本扫货组”, which means Public Group Number 301, with 1,000 USDT already deposited to “sweep goods” in South Korea and Japan, the corresponding Telegram channel is @dbtm301.

Upon further investigation and analysis of the channel, Insikt Group assesses that “sweeping goods” refers to the use of illicit means, such as ghost-tapping, to purchase physical goods at physical retail stores (in this case, in South Korea and Japan). This activity also includes ATM cash withdrawals at Japanese or South Korean ATMs.

Key Personnel Involved in Public Group 301

The following terms are important for understanding the operations of criminals involved in Public Group 301, and the entire Dabai Guarantee infrastructure more broadly:

• Boss (“群老板”): The main coordinator overseeing a group’s operations. These individuals are not directly related to Dabai Guarantee and operate more like customers, making use of Dabai Guarantee’s infrastructure to lay out tasks and promising payouts in USDT upon completion. The boss will typically start a campaign by placing significant deposits into Dabai Guarantee’s USDT cryptocurrency addresses (“上押地址”) in order to get Dabai Guarantee’s administrators to approve the creation of a Public Group channel. In Dabai Guarantee’s Public Group 301 (@dbtm301), @J0hnNo1 is the boss of the channel. We observed that this threat actor intends to conduct ghost-tapping and fraud campaigns in Japan and South Korea, with the key objective of obtaining physical goods, cash, and funds through unauthorized transactions. Once the boss confirms receipt of the items and is satisfied with the outcome, they can ask Dabai Guarantee to release the payment to the criminals who participated in the requested task.
• Channel Administrators (“管理员”): Dabai Guarantee’s personnel who act as intermediaries between the boss and other Chinese syndicates, ensuring that the boss gets the items and physical cash, while the Chinese syndicates are paid in USDT. These are the people who will process the payments. Channel administrators will also inspect video evidence provided by sweeping and “goods-receiving” teams and wait for confirmation from the boss that everything is satisfactory before releasing payments to the various Chinese-speaking criminal groups.
• Chinese Syndicates (“犯罪组织”): Teams in charge of providing the people (“mules”) to form sweeping and goods-receiving teams. These syndicates will coordinate with the boss and receive payment in USDT after completing the required jobs.
• Sweeping Teams (“扫货队”): Personnel tasked by the boss or other administrators with obtaining physical goods or conducting ATM cash withdrawals, typically through illegal methods such as ghost-tapping or financial fraud, and to eventually transfer the goods to “goods receiving” teams.
• Goods Receiving Teams (“收货队”): Personnel tasked by either the boss or their respective Chinese syndicates with receiving goods from sweeping teams; the items will eventually have to reach the “goods inspection teams.”
• Goods Inspection Teams (“检货队”): Personnel tasked with physically inspecting the goods and cash being delivered by the sweeping or goods-receiving teams, typically appointed by bosses. When the “goods receiving” team is appointed by the boss, it is also possible that the “goods receiving” and “goods inspection” teams are composed of the same personnel, each fulfilling multiple roles. These teams will inform the boss whether the physical goods are satisfactory, and the boss will proceed to ask Dabai Guarantee to release the payment to the sweeping and goods-receiving teams.

Insikt Group assesses that individuals in the sweeping, goods receiving, and goods inspection teams act as mules, and these teams likely consist of Chinese-speaking tourists who can amass large quantities of physical goods and cash and exit the targeted countries as soon as possible. It is also likely that Chinese-speaking groups have members who are long-term residents of the countries targeted by the operations, such as South Korea and Japan.

Figure 3: Simplified illustration of Dabai Guarantee Public Group 301’s structure (Source: Recorded Future Data)

Figure 3 is a simplified illustration of Dabai Guarantee’s Public Group 301’s organizational structure. The barrier to entry for participating in “sweeping operations” is low, as participants just need to have the legal right to enter Japan or South Korea, pose as tourists, and follow the instructions given by the boss and other administrators. We estimate that there are likely more than a dozen sweeping teams linked to Dabai Guarantee operating in Japan and South Korea alone. Sweeping teams are likely assigned to obtain certain goods and cash in very specific areas and do not coordinate with one another because they are being deployed by different Chinese syndicates. This model suggests that operations are siloed, where teams act as independent, isolated units that restrict the sharing of information, resources, and goals.

Figure 4 shows the Telegram structure of Public Group 301, where @J0hnNo1 is the channel's boss. The channel is also composed of multiple Dabai Guarantee customer service staff, who serve as administrators. The original creator of the channel is @dbwb22; the Telegram account is no longer active, and @dbwb22 is no longer listed as one of Dabai Guarantee’s official customer service agents.

Figure 4: List of key personnel in Dabai Guarantee’s Public Group 301 (@dbtm301); @J0hnNo1 is listed as this group’s public channel boss (Source: Telegram)

The distribution of these teams significantly complicates efforts by researchers and law enforcement agencies to track and deter such criminal activities. For example, if members of “Sweeping Team A” are arrested for retail or financial fraud, law enforcement agencies will still need to locate the members of the “Goods Receiving Teams” and “Goods Inspection Teams” before they can even get close to decoding the identity of the boss, who is most likely coordinating operations from a location outside Japan or South Korea’s jurisdiction, such as Cambodia or Myanmar. Additionally, these sweeping teams most likely consist of low-level mules who are considered “expendables” by their Chinese syndicate recruiters. The screenshots in Figures 6, 7, 8, 9, and 10 illustrate the siloed operations conducted by different sweeping teams.

Figure 5 shows Dabai Guarantee customer service personnel @dbtm9 helping to set up public Telegram channel 301 on March 21, 2025, and serving as the channel’s key administrator. This individual serves as a mediator to facilitate transactions and dealings between the boss and other threat actors. The total amount of USDT deposited on that date was 485 USDT; as of this writing, it has risen to 1,000 USDT. The purpose of this channel is to encourage other threat actors to cooperate by taking part in sweeping and goods-receiving operations in Japan and South Korea. In the conversation below, the boss stated that the deposit amount will increase in proportion to the transaction amount. Insikt Group assesses that this would mean the sum of deposit scales with the size of operations in Japan and South Korea.

Figure 5: Screenshot of Public Group 301’s (@dbtm301) administrator (@dbtm9) establishing a group for “sweeping goods” and “receiving goods” operations in South Korea and Japan

Figure 6 shows that the boss is looking to recruit sweeping teams to conduct operations in Seoul, South Korea. The main objective is to purchase cosmetics, and once the goods have been delivered, the rewards will be “high.” The final sentence uses the term “速度快”, which means that the boss welcomes any sweeping team that can conduct and complete these operations quickly.

Figure 6: Screenshot of Public Group 301 “boss” @J0hnNo1 recruiting sweeping teams to purchase cosmetics in Seoul, South Korea (Source: Telegram)

Figure 7 features a sweeping team involved in purchasing tobacco-related products from the Terea brand at a CU store, a South Korean convenience store chain in Seoul, South Korea. It is clear that the boss has goods from specific brands they wish to obtain, and such goods may be resold for cash in other foreign markets at a later date, likely at a lower price to obtain hard currency as soon as possible. Insikt Group assesses that the items are very likely purchased using the ghost-tapping attack vector or through stolen payment card information. This reflects a shift from targeting luxury retailers to smaller-sized businesses, likely to avoid arousing suspicion from law enforcement authorities

Figure 7: Public Group 301’s boss @J0hnNo1 showing a CU receipt of tobacco sticks belonging to the Terea brand totaling 288,000 won, worth approximately $196 on March 25, 2025 (Source: Telegram)

Figure 8 shows an Apple Store receipt listing unspecified Apple products totaling 499,600 yen (approximately $3,145.66, as of this writing). Public Group 301’s boss @J0hnNo1 also stated, “Who said there are no large transactions in Japan? Just a single receipt amounted to 500,000 Yen.” This is likely a post encouraging syndicates to send more sweeping teams to acquire as many Apple products as possible, while hinting that the rewards could be lucrative.

Figure 8: Public Group 301’s boss @J0hnNo1 showing an Apple store receipt of items totaling 499,600 yen, approximately $3,145.66 on December 28, 2025 (Source: Telegram)

Figure 9 provides some evidence that Vietnamese individuals are also involved in sweeping operations. In the top-left corner of the iPhone in the image, the Vietnamese phrase "Không có SIM" means "No SIM card." This indicates that the person holding the phone is very likely a Vietnamese-speaking individual conducting unauthorized banking transactions using burner iPhones. Every single burner phone appears to be tagged with a label, which is very similar to the tactics, techniques, and procedures (TTPs) we documented in our Insikt Group report on ghost-tapping. It is also likely that this individual understands Japanese in addition to Chinese, as they were observed interacting with a Japanese banking application that displayed processed transactions. The transactions shown in the screenshot are dated between July 30, 2025, and August 28, 2025. The ability to use Japanese banking applications is an indicator that this individual is legally residing in Japan. In general, most Japanese banks require foreigners to close their bank accounts before leaving permanently; these regulations are implemented by major Japanese banks such as Shinsei Bank.

Figure 9: Image posted by Public Group 301’s boss @J0hnNo1 involving multiple unauthorized banking transactions from July 30, 2025, to August 2025. Insikt Group assesses that this is indicative of a ghost-tapping campaign targeting Japanese retail businesses involving multiple Apple burner iPhones on August 28, 2025 (Source: Telegram)

Figure 10 shows what appears to be an ATM cash withdrawal or transfer attempt at a Japanese ATM at an unspecified bank. This screenshot is also likely shown as an example of what sweeping teams in charge of withdrawing and transferring cash are expected and required to do.

Figure 10: Public Group 301’s boss @J0hnNo1 posted an image of what Insikt Group assesses to be an ATM cash withdrawal/transfer using a Japanese ATM machine on April 23, 2025 (Source: Telegram)

Figure 11 shows a cryptocurrency transaction of 10,629 USDT via the Tron (TRX) network to a sweeping team for the successful completion of the “mission.” The boss @J0hnNo1 thanked the sweeping team coordinator without identifying them. The exact phrase used while posting the image was “感谢老板信任”, which translates from Chinese to “Thank you boss for trusting me.” Boss, in this context, refers to the Chinese syndicates that provide the sweeping teams for successful operations. In the entire Dabai Guarantee Public Group 301 channel, there were many screenshots of such cryptocurrency transactions being sent to teams that participated in sweeping operations. The boss redacts recipients' cryptocurrency wallet addresses to prevent law enforcement agencies from tracking them. The TRON wallet address used by Public Group 301 is TByDzGWCirpCABaUorkhz5eWhjyDdYWgSo, as shown in Figure 11; this wallet address has facilitated a total of 2,943 transactions as of this writing.

Figure 11: Multiple screenshots involving USDT transactions are posted on the channel, likely for transparency and to reassure the sweeping teams (Source: Telegram)

Dabai Guarantee’s Staff and Customer Service Functions (@dabai_f)

Dabai Guarantee maintains a list of its official staff and customer service agents on its Telegram channel @dabai_f to facilitate the creation of Public Group channels and transactions. This system also helps prevent impersonation and scamming. Members are to contact customer service agents directly for any queries or concerns. The staff and customer service teams usually provide the functions listed in Tables 1 and 2; the customer service agents are listed in Figure 12 by their functions and Telegram handles.

Table 1: List of Dabai Guarantee’s official staff and functions (Source: Telegram, Recorded Future)

Table 2: List of Dabai Guarantee’s customer service agents (Source: Telegram, Recorded Future)

Figure 12: Dabai Guarantee customer service Telegram channel “大白担保客服人员名单” (@dabai_f) provides a list of customer service agents (Source: Telegram)

Automated Bot System Directs Chinese Syndicates to Relevant Public Groups for Existing Campaigns

Insikt Group analyzed the public administrator bot @dbdbqg_bot to observe how a Dabai Guarantee user would be routed by the platform to participate in cybercriminal activities. To use this functionality, individuals must enter search terms in Mandarin. We used the terms 远程 (remote) and 数据 (data), which returned three and ten public channels, respectively. When querying for the term “远程” (remote), which typically refers to ghost-tapping campaigns involving NFC relay methods, three Public Group channels appeared as relevant results. When querying for the term “数据” (data), which typically refers to databases, ten Public Group channels specializing in datasets appeared in the results. In addition, using a country as a search term, such as 美国 (US), will also return results that show fraud or cyber campaigns targeting the US. This bot function demonstrates how easy it is for criminal groups to search for relevant groups, determine which campaigns they wish to participate in, and identify the types of datasets they are interested in procuring. Table 3 shows the number of Public Group channels involved in fraud or cyber campaigns for the search terms; specific details are not listed due to certain global entities named in the Public Group channels belonging to Dabai Guarantee.

Figure 13: Dabai Guarantee’s public administrator bot @dbdbqg_bot has a search function that will return results relevant to the individual’s search (Source: Recorded Future Data)

Table 3: Search results of Dabai Guarantee’s Public Group channels using their bot function (Source: Telegram, Recorded Future)

Outlook

Even with guarantee marketplaces such as Huione Guarantee being shut down, many Chinese criminals are likely turning to these Telegram-based guarantee marketplaces to sell illicit goods and to offer their services. Guarantee marketplaces such as Dabai Guarantee have demonstrated their ability to coordinate operations in countries such as Japan, South Korea, Canada, and the US by using Chinese-speaking individuals who are traveling or residing in those geographies to conduct retail and financial fraud. Over time, Dabai Guarantee may be able to establish itself as a trusted escrow platform for Chinese syndicates to rely on, despite the growing competition from existing and new guarantee marketplaces. There is also a possibility that operators of other guarantee marketplaces could execute an exit scam, leading to a loss of trust in guarantee marketplaces as a whole among Chinese criminals.

Threat actors such as @J0hnNo1, the leader of Dabai Guarantee Public Group 301, seek to obtain physical goods and foreign currency through illegal means, giving specific instructions to different syndicates to complete their objectives. Such operations are scalable on demand and will become harder to track and disrupt over time due to the siloed nature of the sweeping and goods-receiving teams. This report showcases the activities and structure of a single group (Public Group 301), which is only one group among hundreds under Dabai Guarantee’s decentralized and growing infrastructure. Ghost-tapping and ATM withdrawals are commonly used by Chinese-speaking criminals for money laundering, and we will likely continue to see more threat actors facilitating such financial and retail-related crime on multiple guarantee marketplaces.

Insikt Group assesses that Chinese syndicates will continue to recruit and deploy non-Chinese individuals with specific language skills to participate in campaigns, as exemplified by the Vietnamese individual mentioned in Figure 9.

Insikt Group assesses that guarantee marketplaces have solidified themselves as a major alternative to traditional Chinese-language dark web marketplaces. This decentralized model is becoming increasingly popular among the global Chinese-speaking criminal diaspora, enabling criminals without sophisticated skillsets to coordinate with syndicates and participate in operations that require physical elements.

Appendix A: Glossary of Terms

Appendix B: Key Rules Written in Mandarin

(Translation available on p. 7)

⚠️交易注意事项⚠️

1.进群交易请先看置顶里面的群规则，交易过程请严格按照交易规则进行，群内所有事情请联系群内交易员 ，私下交易或者其他地方交易，后果自负，大白担保只担保本群内的交易。

2.大白担保业务只担保我们的公群内已经报备过的交易，我们不为公群老板或者其他管理员个人做担保，公群群老板对自己的业务员负责，如果群内业务员违规操作，由公群老板负责。

3.禁止以公群名义私下拉群做单，禁止金额不透明，如被用户举报后果自负。

4.大白担保工作人员不会主动私聊你，主动私聊你的100%都是骗子，请直接拉黑。

5.大白担保的上押地址是唯一的,发其它上押地址的一定是骗子,请大家远离骗子。

6.客户上押后,请及时发送上押截图与我们 @dabai 核实确认,如长时间未找 @dabai 核实确认押金而造成的损失由自己负责。

For defenders, the timeline for determining which vulnerabilities matter most and remediating them before exploitation begins is narrowing, even as the overall volume of vulnerabilities rises. Organizations that rely on manual prioritization, slow patch cycles, or legacy software will face growing operational and security risks.

Figure 1: Reality versus hype of automated vulnerability research

The Vulnerability to Exploit Ratio

Vulnerabilities are software flaws attackers can use to gain access, run malicious code, escalate privileges, or disrupt operations. However, not every bug becomes a real-world threat: many are hard to reach, difficult to weaponize, or simply not worth an attacker’s time.

The total number of disclosed vulnerabilities has increased sharply in recent years, rising from roughly 21,000 in 2021 to nearly 50,000 in 2025. Part of that increase likely reflects stronger disclosure practices and bug bounty activity, though software growth, a broader attack surface, and more systematic reporting also play a role. Nonetheless, in 2025, Recorded Future only identified 446 vulnerabilities that were actively exploited in the wild, a reminder that confirmed exploitations remain a small fraction of total disclosures.

Figure 2: Yearly comparison of disclosed CVEs against CVEs with public exploits and vulnerabilities assessed as actively exploited by the Cybersecurity and Infrastructure Agency’s Known Exploited Vulnerabilities (KEV) Catalog and Recorded Future, 2021-2025

This is because attackers do not exploit every bug they find. Instead, they focus on developing exploits for the small subset of vulnerabilities that offer the best combination of reach, reliability, and return on investment, such as flaws that can be exploited remotely or affect widely used software. In other words, a vulnerability still has to be validated, turned into a reliable exploit, matched to a target, and integrated into an attack path worth the effort.

When a flaw matches the criteria, however, exploitation can move quickly. VulnCheck found that nearly 29% of KEVs in 2025 were exploited on or before CVE publication, a slight increase from the previous year, indicating the continued prevalence of zero-days and n-days. Much as their legitimate counterparts use AI in software development, adversaries are already using AI to accelerate parts of the attack workflow, including vulnerability research, exploit-path analysis, and malware development, even if its precise effect on exploitation timelines is hard to quantify. Some trackers estimate the median time-to-exploit may now be measured in hours rather than days, demonstrating the shortening window of time to act on a high-impact vulnerability.

How AI Changes the Equation

Anthropic and OpenAI recently drew significant attention through their limited release of what they claimed were uniquely powerful cyber defense models. An independent evaluation of Anthropic’s Mythos found significant improvements in multi-step cyberattack simulations. However, AI-assisted vulnerability discovery and penetration testing predate these models, and most frontier models have already demonstrated the ability to identify vulnerabilities and assist with exploit development. At present, these tools are still most effective in the hands of capable operators rather than enabling frictionless, low-skill exploitation at scale. This matters, too, as even if these capabilities are used primarily by security researchers in the near term, the resulting increase in disclosures, proofs of concept, and validated findings still adds to the defensive burden.

This impacts vulnerability management in three important ways:

• More credible vulnerability reports to triage: New agentic systems can do more than flag suspicious code; they can reason through program behavior, validate findings, and help identify which weaknesses appear most exploitable.
• Less time to mitigate exploitable vulnerabilities: Large-language models (LLMs) are accelerating the speed and scale of weaponization, meaning the path from disclosure to exploit could go from hours to minutes.
• Reduced the cost of exploit development: Emerging models appear more capable of producing proof-of-concept exploit code, testing attack paths, and helping skilled operators iterate toward weaponizable exploits faster than before.

Figure 3: The vulnerability equation: How automated capabilities will likely impact reporting, exploit development, and impact

More Reports, More Noise

Using AI agents for software code will almost certainly increase the number of reported vulnerabilities and developed proofs-of-concept. Microsoft’s April 2026 Patch Tuesday, which followed Anthropic’s Project Glasswing announcement, was the company’s second-largest on record. However, according to Microsoft, it “does not reflect a significant increase in AI‑driven discoveries, though [they] did credit one vulnerability to an Anthropic researcher using Claude.” The more important question is not whether more flaws will be found — because they will be — but whether defenders can process, validate, and prioritize them fast enough to act.

Vulnerability submissions are already overwhelming researchers’ ability to assess their overall risk, creating a backlog of vulnerability enrichment and scoring. If AI sharply increases the volume of plausible findings, defenders will face even more uncertainty around which vulnerabilities represent the next high-impact systemic event and which are background noise.

Less Time to Act

For the vulnerabilities that are actually a problem, defenders have even less time to respond. Automated exploit development will likely shorten the path from discovery to proof of concept and, in some cases, to weaponization for the subset of vulnerabilities worth pursuing. Adding to the triage problem, some medium-severity or otherwise “non-critical” vulnerabilities will need to be re-evaluated as possible components of exploit chains, even if they would not normally rank as urgent on their own.

Drowning out the Alarms

Even as defenders deal with more noise, a larger volume of reported, plausible findings is likely to increase the absolute number of high-impact exploits they need to address quickly. As a result, defenders face an even greater challenge in identifying the small subset of issues that matter most before attackers do.

This does not mean every newly disclosed flaw will be weaponized, or that high-impact, “internet-breaking” events will become commonplace; however, even a modest increase in exploited vulnerabilities puts more pressure on prioritization, patching speed, and compensating controls, especially for organizations already struggling with manual triage, slow patch cycles, or legacy software.

How to Use Automation for Good

For most organizations, the immediate risk is not that every vulnerability will suddenly be exploited, but that defenders will have less time to determine which findings matter most. Vulnerability discovery and exposure management should therefore be treated as related but distinct problems: AI may increase the number of findings, but defenders still need context to determine which exposures are actually reachable, high-impact, and worth urgent remediation.

In this environment, using AI-enabled vulnerability discovery, prioritization, and defensive remediation will be essential to keeping pace with attackers. The five actions listed in the following section can help organizations stay ahead of the threat.

1. Automate Vulnerability Prioritization and Response

Shift from CVSS-only scoring to real-time exploitability and exposure-based risk scoring to handle the surge in AI-assisted vulnerability discovery. Deploy automated scanning, validation, and threat hunting to identify exploitation activity quickly, especially in widely used software and internet-facing systems. Recorded Future’s Insikt Group regularly reports on new vulnerabilities and exploit trends and develops Nuclei templates to detect actively exploited vulnerabilities.

2. Accelerate Patching and Upgrade Cycles

As the time to exploit shifts from days to hours, the time to mitigate vulnerabilities will similarly shorten. Patch management will need to move faster, particularly for internet-facing systems, widely used software components, and critical dependencies. Automated remediation and automated compensating controls will likely become necessary to keep pace with AI-accelerated discovery. The Vulnerability Intelligence module in the Recorded Future Intelligence Operations Platform can help with prioritization based on the likelihood of exploitation. Ensure all automated actions are logged and regularly audited by a human, and require a human-in-the-loop for any actions on high-impact systems.

3. Reduce Dependence on Legacy and Unsupported Software

AI may make it easier for threat actors to identify and validate exploitable weaknesses in older, under-maintained codebases. Unsupported systems and aging software are likely to become increasingly difficult to justify unless they are strongly isolated and tightly controlled.

4. Shift Vulnerability Detection Earlier in the Software Lifecycle

Organizations should integrate automated security testing and AI-assisted vulnerability discovery into development pipelines. Early detection can help defenders fix vulnerabilities before production, reducing remediation burden later.

5. Get Ready for the Next High-Impact Event

Develop emergency response and mitigation playbooks specifically for high-impact, broadly applicable flaws, including scenarios where a patch is not immediately available. Preparation should include not just patching, but also containment measures such as segmentation, access restrictions, traffic filtering, and other compensating controls.

Agentic AI adoption is accelerating rapidly as enterprise software and applications increasingly incorporate task-specific AI agents, enabling autonomous execution of complex tasks at machine speed.

The autonomy and scale of AI agents introduce significant enterprise risk, as errors, misconfigurations, or malicious manipulation can propagate quickly across interconnected systems, amplifying the potential impact of incidents.

Agentic AI will exacerbate existing weaknesses in software supply chains, as vulnerable or malicious open-source components can be deployed faster and at scale.

Identity and access management risks will also expand dramatically, as agents require broad, cross-environment permissions; compromised credentials, SSO platforms, or agent identities could enable large-scale service disruption or data exfiltration.

Prompt engineering enables threat actors to manipulate agents into carrying out malicious actions, underscoring the importance of layered security controls, zero-trust principles, and human-in-the-loop checkpoints to mitigate agent-driven threats.

Figure 1: AI agents have the potential to improve efficiency, reduce costs, and improve decision-making. However, the same features that make them so powerful will bring new security risks, and scale up old ones, if not managed effectively. (Image source: Recorded Future)

Analysis

Agentic Artificial Intelligence Is Set to Expand Rapidly

“Agentic artificial intelligence” refers to AI systems that can do things with limited human intervention. For example, traditional AI can draft code for a user who wants to build a website; agentic AI not only writes the code, but registers the domain and sets up hosting to launch the site.

Gartner predicts that as many as 40% of enterprise applications will incorporate task-specific AI agents by the end of 2026. A Deloitte report anticipates that at least 75% of companies will use agentic AI to some extent by 2028. The benefits of AI agents are that they can carry out complex tasks independently and at machine speed, working individually or as part of a multi-agent system.

However, the same features that make these systems powerful also introduce significant security risks. To operate effectively, agents need to seamlessly interact with other agents, humans, and software. This requires high degrees of trust, which can be exploited by malicious actors. Security best practices, notably zero-trust principles, are specifically designed to slow down these interactions, creating an inherent tension between AI agent implementation and security.

Agents Amplify Systemic Cybersecurity Weaknesses

Software engineering teams account for nearly 50% of AI use, demonstrating that AI is already deeply integrated into software development processes. This suggests that AI agents will likely play a significant role in future software development, working alongside human developers to generate, test, and deploy code.

The introduction of agents will amplify software supply-chain security weaknesses, allowing threat actors to take advantage of vulnerable or intentionally manipulated code to embed exploits in enterprise software. While these issues have existed long before AI or AI agents, the introduction of agents will cause these mistakes to be carried out faster and at scale. Initial studies suggest that AI-generated code is less secure than human-generated code, though AI coding performance is improving rapidly. Ensuring transparency and documentation in agent coding workflows is critical to ensuring a rigorous, secure development operations (SecDevOps) process.

Identity and access are additional enterprise security issues that AI agents are likely to amplify. For AI agents to operate effectively, they will also need access to various cloud applications and environments. This increases the complexity of identity management, as identity and permissions will need to extend to virtual agents.

Currently, many AI tools that connect to external data or to other tools operate in a trust-by-default mode, creating significant vulnerabilities. If this is extended to agentic AI, the potential harms from exploitation could increase significantly, as agents are capable of acts such as sending emails, deleting files, or authorizing payments. Defenders will need to ensure access permissions are properly managed and tracked for agentic users in the same way they manage permissions for traditional software and human users.

Figure 2: How AI agents may amplify current security weaknesses

(Image source: Recorded Future)

Prompt Engineering Remains a Pervasive Threat to Agents

While AI agents will accelerate existing enterprise security problems, they also introduce risks unique to artificial intelligence. Threat actors can deliver malicious instructions to AI agents via prompt engineering, causing the agents to act in alignment with the threat actors rather than with their legitimate users. Prompts can be delivered directly (through a chat interface), encoded in malware, or hidden in emails or other innocuous communications.

With the increased adoption of AI agents, threat actors may move further away from traditional malware and prioritize manipulating agents to scale and enhance operational efficiency. Targeting agents directly enables threat actors to leverage the speed and scale of AI agents, causing greater harm with a lower chance of detection or mitigation.

Figure 3: Potential attack scenarios weaponizing AI agents (Image source: Recorded Future)

Completely securing agents against prompt engineering is likely impossible. The need for AI agents to be useful will likely prevent developers from imposing fully effective guardrails against prompt engineering. This risk is similar to the difficulty of making humans resilient to social engineering operations. While training and awareness may help mitigate the effectiveness of some scams, threat actors continually find new ways to use people’s incentives against them.

Defenders can make AI agents more resilient to prompt engineering attacks by implementing layered security. Building in checkpoints where a human or another agent can assess or approve an action will help detect misaligned behavior and limit the potential harm. This is similar to fraud prevention or mitigation for human employees, such as procedures requiring additional approvals for transferring large sums of money.

Multi-agent AI Increases Unpredictability

As AI agents become more common, they will increasingly interact independently with each other to complete tasks. Multiple agents are susceptible to both intentional and accidental manipulation, which can manifest in unpredictable ways. Researchers have categorized these outcomes as:

• Miscoordination: Agents cannot align behaviors to achieve an objective
• Collusion: Unwanted cooperation between AI agents
• Conflict: AI agents act to enhance their position at the expense of others

These outcomes can occur accidentally due to misaligned incentives and safety guardrails, or they can be programmed or intentionally manipulated. Despite safety guardrails, agents have been observed engaging in behavior they would otherwise have avoided. For example, AI agents on MoltBook, a social media network for bots, were observed disclosing potentially sensitive information about their users, including names, hobbies, hardware, and software (in addition to serious security failures associated with the site itself). Unwanted or unanticipated outcomes can occur when agents have free will to decide how they will carry out an objective.

Outlook

The first agentic data breach will very likely be the result of overly permissive environments: When threat actors succeed in using AI agents to carry out a breach, it will very likely be the result of an enterprise environment that operated using default permission settings.

Identity security will very likely shift toward “agent identity governance”: Enterprises will very likely expand identity and access management (IAM) frameworks to treat AI agents as priority digital identities, requiring lifecycle management, least-privilege enforcement, behavioral monitoring, and dedicated audit controls similar to (or stricter than) those in place for human users.

Prompt injection will likely evolve into a mainstream enterprise attack technique: Threat actors will likely increasingly prioritize manipulating AI agents over deploying traditional malware, using prompt injection, poisoned data inputs, and agent swarms to scale financial scams, cyber-physical disruption, and market manipulation — driving demand for layered guardrails and human-in-the-loop validation controls.

AI will likely reshape cyber insurance risk modeling and pricing: As AI agents become embedded across enterprise environments, the cyber insurance industry will likely face greater uncertainty in modeling risk exposure. Insurers are likely to respond by tightening underwriting standards around AI governance, requiring demonstrable controls such as agent identity management, human-in-the-loop safeguards, and prompt injection resilience.

Further Reading

Mitigations

Enforce zero-trust for agent identities: Treat AI agents as privileged digital identities subject to least-privilege access controls. Use Recorded Future Identity Intelligence to monitor for data breaches that expose agentic identities as well as human identities.

Resilience Question: Do we have a strategy for onboarding virtual identities into our IAM solution?

Ensure visibility into agent behavior: Deploy continuous monitoring tailored to agent behavior, including logging agent decisions, prompts, and actions, and setting up detections for anomalous task execution patterns.

Resilience Question: Do we understand how and why agents are making decisions, and can we quickly detect misaligned actions?

Strengthen supply-chain and code governance: Extend SecDevOps controls to AI-generated and agent-modified code. Assess AI-generated code for vulnerabilities and monitor for hallucinated or typosquatted dependencies. Use Recorded Future’s Third-Party Risk to monitor for downstream vulnerabilities in third-party software.

Resilience Question: Have we adapted SecDevOps to account for agentic coding?

Harden against prompt injection and input manipulation: Treat all external inputs as untrusted. Increase layered defenses to include multiple validation points and guardrails to minimize the impact of actions due to malicious prompts or inadvertent misalignment.

Resilience Question: What detections are in place to monitor for suspicious prompts?

Recommended D3FEND Actions

Threat intelligence can elevate cybersecurity programs from reactive to autonomous, transforming workflows and delivering measurable improvements. In a recent webinar, we shared practical steps for integrating threat intelligence into existing security stacks, optimizing workflows, and accelerating organizational maturity in cybersecurity practices.

Read on for actionable insights, frameworks, and tools shared during the session.

Bridging the gap: threat intelligence integration

The key to effective threat intelligence is making your tools work together seamlessly. Recorded Future doesn’t aim to replace your existing cybersecurity tools, but rather to enrich and connect them.

When Recorded Future connects to the tools already in your stack, it automatically adds contextually relevant threat intelligence to whatever you're working on. This can mean less manual effort and faster, better-informed decisions.

Understanding your organization’s cyber maturity

A useful starting point is assessing where your organization currently stands across four stages of cybersecurity maturity: reactive, proactive, predictive, and autonomous:

1. Reactive organizations focus on responding to incidents as they occur.
2. Proactive organizations hunt for threats before they lead to incidents and align detection systems to adapt toward emerging risks.
3. Predictive programs extend threat intelligence beyond the security operations center (SOC) to other organizational stakeholders.
4. Autonomous programs leverage automation to identify and respond to threats in real time at machine speed.

Maturity doesn't have to be assessed at the program level alone. Individual use cases may be at different stages. Alert management, for instance, may already be highly automated, while other workflows remain more reactive.

A helpful way to identify where to focus is to ask a series of questions, including:

• What does my current alert workflow look like?
• What's my most time-consuming process?
• What's my top priority for the next 12 months?

Your answers will enable you to identify areas for improvement and then prioritize your workflows as needed.

Three key integration workflows—and one bonus workflow

Next, we suggest integration workflows that are designed to help you optimize your security operations with Recorded Future threat intelligence:

1. Indicator of compromise (IOC) enrichment

Detection tools often generate alerts with limited context, leaving you asking why something was flagged and how risky it actually is.By integrating Recorded Future, you’ll find that those alerts can be automatically enriched with information such as malware families, exploited vulnerabilities, and threat actor connections—enabling better, faster decisions without additional manual research.

2. Vulnerability prioritization

Most organizations depend on CVSS scores or vendor-provided data to assess vulnerabilities, but that approach doesn't always reflect real-world risk. A more effective strategy is asking: Is this vulnerability being actively exploited in targeted campaigns? Are threat actors targeting my industry with it?

Recorded Future enhances vulnerability management primarily through threat intelligence context, with risk scoring that tells you why something is risky—specifically whether a CVE is being actively exploited in the wild, and whether it's targeting organizations in your industry.

3. Autonomous Threat Operations

The most advanced workflow involves automating threat detection and prevention from end to end. Recorded Future can identify emerging threats, initiate retroactive threat hunts, and automatically update detection and blocking lists in tools like EDR platforms—all without manual intervention. This will enable your security team to shift from reactive firefighting to real-time, autonomous threat prevention. Learn more about Autonomous Threat Operations, available in Recorded Future’s Professional and Elite pricing packages.

4. Bonus workflow: Watch list automation

Your existing vulnerability scanners like Tenable, Qualys, Wiz, and Rapid7 are already identifying vulnerabilities in your environment. A Watch List automation connector can link those tools directly into Recorded Future's Watch Lists, so the Platform automatically reflects your real threat footprint at all times. Instead of tracking a static list of top vulnerabilities, you get contextual intelligence tied to what's actually in your environment, and you're automatically alerted when vulnerabilities change in risk status.This shifts vulnerability management from a reactive posture to a predictive one, and makes prioritization effectively autonomous.

The role of Recorded Future’s Integration Center

The Integration Center makes it straightforward to connect with popular security tools including Splunk, ServiceNow, CrowdStrike, and SentinelOne. Many of these integrations are pre-built and can be activated in just a few clicks, meaning there may already be value waiting to be unlocked within your existing SIEM, SOAR, EDR, TIP, vulnerability management tools, GRC platforms, and more.

Driving business value with integrated threat intelligence

Beyond operational efficiency, well-integrated threat intelligence workflows build organizational trust and give security leaders a stronger, data-backed narrative about how their teams are operating. Automating enrichment and response creates the space to focus on strategic priorities—and makes it easier to demonstrate the program's value to leadership.

The path toward autonomous threat operations requires sophisticated technology, seamless integrations, smart prioritization, and strategic planning. The best approach is simply to start: Activate a workflow, see the value it delivers, and build from there.

If you need help getting started or have questions about your organization’s specific needs, book a custom demo.

If you’re a millennial or Gen Z-er, then you probably haven’t used a paper check in a while. According to the Federal Reserve Bank of Atlanta, just 1 out of 5 of your peers used a check in the last 30 days, versus 2 out of 5 Gen Xers and 3 out of 5 boomers. Yet despite year-on-year decreases in overall usage, Nasdaq Verafin saw check fraud instances rise another 11% in 2025.

Then again, if you are a millennial or Gen Z-er, you will have seen an advertisement for a cheap product on social media. For 40% of you, that has meant falling for an online shopping scam.

On the face of it, these look like two ends of the fraud spectrum:

• On the one hand, we have what feels like the past: paper check usage rates even among those aged 65+ fell from 13% of transactions in 2013 to 6% in 2025 (Federal Reserve Bank of Atlanta).
• On the other hand, we have the future: online shopping scams target a younger demographic through AI-enabled brand impersonation and sprawling social media ad ecosystems.

The payment instruments, demographics, and the teams working at financial institutions to address these problems differ. So what’s the thread linking them together? Business impersonation. It manifests itself differently across schemes, but for anti-fraud systems built to detect check washing and counterfeiting on the one hand, and unauthorized third-party card fraud on the other, business impersonation has emerged as the fraudster’s response to exploit both.

Commercial checks and copycat businesses across state lines

In the past, stolen checks were often whitewashed to change the recipient and amount, and then walked into banks for cashout. The Postal Inspection Service received over 299,000 mail theft complaints in a single 12-month period—a 161% increase from the prior year. Recorded Future’s Fraud Intelligence Team analyzed and mapped stolen checks to US geographies, illustrating hot spots of physical crime and observing that it remains a national issue that extends beyond heavily urbanized areas.

Mapping stolen checks by zip code; courtesy of Recorded Future

Yet even among declining consumer check usage rates, businesses’ use of commercial checks remains stubbornly high in the US: the Association for Financial Professionals (AFP) found that 91% of organizations are still using checks, and 63% experienced check fraud in 2024. When businesses send checks to suppliers, the amounts can rise quickly, leading fraudsters to expand beyond simple check-washing schemes.

In perhaps the most eye-catching example, fraudsters intercepted a commercial check destined for bubble-gum giant Bazooka in 2022. A $1.24 million check. Over the next two weeks, they transferred and withdrew over half a million dollars. How’d they do it? You can’t just wash out the payee name on a million-dollar check, replace it with John Smith, and expect it to clear after depositing it into a personal checking account.

Instead, the threat actors just created a fake Bazooka. The real Bazooka is registered in Delaware under the name “The Bazooka Companies, LLC”, so culprits registered a fictitious company in New York under the name “The Bazooka Companies 1 Inc”. They then used the official business license to open a corporate bank account for the new fictitious business. From there, they used cashier checks, withdrawals, and transfers to personal accounts to cash out the funds.

Fast forward to today, and the scheme is still happening. Recent research from Recorded Future Payment Fraud Intelligence (PFI) surveyed stolen checks for sale on Telegram in Q4 2025 and found over 30 checks with a business as the payee, along with suspicious new entities registered in other states a few days later. The total face value of the checks amounted to $2M.

As with most fraud, this scheme’s emergence is based on:

• Exploiting ecosystem gaps between disparate parties: Businesses can have the same name as another when registered in different states. Pair that with most states’ limited mandate to investigate business registrations, and we’re left with the first gap:

“As long as the basic filing requirements are met, the office[s] may have little or no authority to question or reject a document submitted for filing or to verify information included in the filing” (National Association of Secretaries of State, September 2025)

When a fraudster approaches a bank to open a business bank account, the bank conducts its own due diligence. But the focus here is on money laundering threats and the legitimacy of documents and applicants. If the fraudsters are using a clean identity — synthetic or otherwise — then the bank won’t have a clear reason to reject the application just because a business called John’s Toilet Supply, LLC exists in another state.

• Delivering a reactionary counterpunch to effective fraud processes: Think of this as the cat-and-mouse game. Fraud defenders figure out how to stop one scheme, forcing fraudsters to innovate. In this case, Positive Pay has proven remarkably effective at preventing check washing and counterfeit checks (when parties agree to use it). Payee Positive Pay, in particular, allows the payer to make sure that when their checks are deposited, the check number, date, payee name, and amount match their files. But what happens if everything is correct, but a copycat payee deposits the check? Cases like Bazooka.

80% discount on shoes? How can you say no?

If we detour into e-commerce, we see a very similar dynamic play out, but at a staggeringly larger scale. The premise is simple: use AI to launch a fake online shop impersonating company A, B, or C, buy ad space on social media to drive traffic, pocket the proceeds, and launder the funds while customers wait for goods that never arrive.

The scheme works because 53% of consumers, and 76% of Gen Zers, now begin shopping journeys on social media, according to Salesforce’s 2025 report. The problem is that the journey is littered with traps: in November 2025, leaked internal documents from Meta claimed the “company shows its platforms’ users an estimated 15 billion ‘higher risk’ scam advertisements — those that show clear signs of being fraudulent — every day”. Industry reporting paints the same picture, with the Better Business Bureau finding online shopping scams as the most reported scam type and social media advertisements as the most common originator.

The basics of the scheme are nothing new. Capture payment card data by creating a fake online store and advertise too-good-to-be discounts. What’s changed is that these are no longer just phishing websites. They’re functional online shops that process payments via merchant accounts. Behind each of these merchant accounts is a registered business.

This is creating problems throughout the ecosystem:

• Cardholders see websites that exactly mimic major (and increasingly niche) brands, letting discounts outweigh better judgment.
• Financial institutions face the challenge of balancing their duty of care to process customer transactions with the risks of fraud and money laundering. But in these cases, the traditional indicators of cyber-enabled fraud aren’t present. The cardholder is authorizing the transaction, and there’s nothing suspicious within the behavioral or device indicators of the 3D Secure authentication stream. (Because, again, it’s the cardholder doing the transacting under manipulation.)
• The fingers begin to point back at the acquirers and payment facilitators responsible for merchant onboarding, but, from their perspective, the entity holds a proper commercial license to engage in business issued by the local authorities. (Though, as a divergence from the check fraud scheme, the fraudsters in online shopping scams rarely impersonate a real big-name brand at the business creation and merchant onboarding stage. Instead, the fraudsters hide evidence of impersonation from the merchant onboarders and leave the impersonation for the ads and fake online shops visible to victims.)

But just like with the check fraud example, a big part of why online shopping scams have exploded — outside of generative AI making brand abuse content easier than ever to create at scale — is ecosystem gaps and fraudsters reacting to the defense:

• Exploiting ecosystem gaps between disparate parties: By the time a victim is making a purchase on an online shopping scam website, each entity along the way has looked to the one before and trusted that due diligence had been performed. The cardholder wants to trust that the social media platform screened out malicious advertisers; the card issuer wants to trust the cardholder vetted the merchant; the card network wants to trust the merchant onboarder verified the business; and the merchant onboarder wants to trust local authorities properly licensed the business. A big, long line of incentivized trust.
• Delivering a reactionary counterpunch to effective fraud processes: The industry has made huge strides in combating unauthorized, third-party card-not-present (CNP) fraud in the last decade. A major part of the success has been built on 3D Secure, introducing a layer of authentication on top of existing authorization controls. Online shopping scams completely sidestep the defensive layer by making the merchant the fraud surface and rendering cardholder authentication controls irrelevant.

Thinking towards the way out

On the check fraud side, the best solution may already be available, but, as with most solutions, it comes with trade-offs and adoption issues. The basic idea of Positive Pay and its derivative, Payee Positive Pay, is that a business informs its bank of the checks it is sending, and the bank only disburses funds if the check matches what the business provided. Positive Pay was designed to combat counterfeit and forged checks, and it does that very well.

Of course, in the Bazooka example of same-name business impersonation, this wouldn’t help. Nothing about the check was modified. So here, banks offer Reverse Positive Pay, which basically means the business personally signs off on each sent check. It can solve the problem but shifts more operational and investigatory expenses onto the business (which might explain why adoption rates are south of 20%, according to Datos Insights and Alkamai). In the end, though, it makes you wonder why not heed the advice and move to alternative electronic payment methods?

On the online shopping scam side, solutions are more complex and scattered across the ecosystem.

• At the top of the funnel, there’s rising pressure on online advertising platforms to do a better job at limiting the presence of fraudulent advertisements. Based on more leaked internal Meta documents, regulatory pressure may not be producing the desired outcome.
• At the merchant onboarding level, both the major card networks are forcing acquirers and payment facilitators to do more to defend the gates into payment processing, while also devoting more resources to identifying scam merchants that do make it in.

For card issuers on the frontline, it’s a more delicate dance. Card issuers aren’t on the hook for authorized card payments to fraudsters under the Fair Credit Billing Act (FCBA) or Electronic Funds Transfer Act (EFTA), but 67% of cardholders expect them to cover scam losses. Though when cards transacting on scam websites end up on the dark web for resale, and unauthorized charges start rolling in, it is the issuer’s problem.

The best solution aligns with the industry’s movement toward CTI-fusion models to address the cyber component of cyber-enabled fraud. The convergence of online shopping and purchase scams is precisely the type of problem the new organizational model was meant to combat.

In applying the CTI-fraud fusion model to purchase scams, traditional fraud assets start at the end of the fraud attack chain to correlate reported cardholder manipulation and non-delivery alerts against merchant account patterns. The CTI assets start at the beginning, sourcing online shopping scams at runtime and attributing the abused merchant accounts. The two teams then meet in the middle, using modeled transaction patterns and threat-hunted active scam websites, ultimately leading to the deployment of merchant-based fraud risk rules.

So, in the meantime, where does all this leave us? The same thing you’ve heard plenty of times: stop using checks if you can and don’t trust too-good-to-be-true offers from online ads.

How Recorded Future Helps

The research in this blog came directly from Recorded Future's Fraud Intelligence teams. Two capabilities speak to the threats described.

• Payment Fraud Intelligence — tracks the complete fraud lifecycle: for check fraud, it uses OCR to extract payee, amount, and date from compromised checks being sold in forums, enabling deposit screening against known stolen checks; for card fraud, it monitors compromised merchants, stolen cards on criminal marketplaces, and the tester merchants fraudsters use to validate cards before striking.
• Digital Risk Protection — provides continuous monitoring across millions of sources for malicious sites, brand and executive impersonation, data leakage, and dark web mentions — with risk-based alerting that surfaces only actionable threats and takedown workflows built directly into the Platform.

In March 2026, a group calling itself TeamPCP compromised LiteLLM (a Python package with roughly 97 million monthly downloads used by thousands of organizations to connect to AI services) and Checkmarx (one of the most widely used application security testing platforms on the planet). How they got in isn’t publicly confirmed. But the result was write access to a trusted software repository.

From there, they injected a credential-harvesting payload into the software and poisoned two Checkmarx GitHub Actions workflows. The malware ran silently on installation, vacuuming up access keys, cloud credentials, secrets, and (the cruelest irony) every AI API key that LiteLLM was specifically designed to manage. The stolen data was encrypted, then pushed to a lookalike domain.

And here is the part that should keep you up at night: this was one campaign, by one group, in one week. The downstream consequences are still unfolding.

Identity Is the Perimeter (and the Attack Surface)

The throughline in the TeamPCP campaign is identity. Start to finish.

TeamPCP intelligence summary courtesy of Recorded Future.

No one has publicly confirmed exactly how TeamPCP gained access to the LiteLLM maintainer’s repository, but the most likely vector is stolen credentials. Recorded Future’s identity intelligence contains almost 1 million compromised GitHub developer credentials harvested by infostealers and sold across dark web marketplaces. A single publishing token or access key, lifted from a prior infection and left unrotated, would have been sufficient. TeamPCPs’ earlier compromise of Aqua Security’s Trivy infrastructure in late February (where incomplete credential rotation left residual access open for weeks) demonstrates exactly this pattern: one stolen token, one missed rotation, and the door stays open.

Whatever the precise mechanism, TeamPCP used valid credentials to push malicious code into trusted repositories. No firewall to bypass. No endpoint to exploit. Just a valid login and the implicit trust that comes with it.

Then the payload itself was designed to steal more identities. Each compromised environment yielded credentials that unlocked the next target. Trivy led to GitHub Actions. GitHub Actions led to four additional software distribution ecosystems. One incomplete incident response created a cascading chain of supply chain compromises across five ecosystems in five days.

This is the identity and access management problem stated as plainly as possible: if the perimeter is identity, then every stolen credential is a breach in the wall. And unlike a firewall rule, a stolen credential doesn’t trigger an alert. It just works.

We previously wrote about how deserialization vulnerabilities have plagued enterprise software for over a decade. The pattern is always the same: trusting input that should not be trusted. Supply chain attacks are the organizational equivalent. We trust the packages we install. We trust the pipelines we build. We trust the security tools we deploy. TeamPCP exploited every layer of that trust, starting with a single compromised identity.

The Impact Is Not Just Ransomware

TeamPCPs’ Telegram channel references a ransomware victim’s site. The group appears to operate as a ransomware affiliate and has publicly discussed extorting companies by threatening to release over 300 GB of stolen data. Reports indicate a possible collaboration with the Lapsus$ extortion group. Ransomware is the obvious play.

CipherForce intelligence summary courtesy of Recorded Future.

But ransomware is only the most visible impact. The more dangerous question is: what else can you do with over a million stolen cloud credentials, API keys, and service account tokens?

The answer, based on what Insikt Group is tracking across multiple unrelated campaigns, is far broader than encryption and extortion.

Redirect payroll. Late last year (2025) Insikt Group was monitoring activity around a campaign called “Swiper,” run by likely Russian-speaking actors who set up phishing infrastructure impersonating major financial institutions and payroll service providers. Stolen credentials were transmitted in real time, enabling the actors to alter direct deposit accounts and redirect payments before anyone noticed. The responsible actor was identified through a dispute on a criminal forum, and their cryptocurrency wallet has processed over 7,000 transactions. This was a credential theft operation that converted identity compromise directly into financial theft. Now imagine that same playbook amplified by a supply chain attack that harvests payroll platform credentials at scale.

Reroute shipments. Separately, Insikt Group has identified TAG-160, a threat group targeting the US logistics and transportation sector. TAG-160 impersonates logistics companies, sends fraudulent rate confirmations via phishing emails, and delivers remote access malware. But TAG-160 has also been caught running “double brokering scams,” where they pose as a legitimate carrier, obtain valid load details from a real broker, then re-advertise the load under the broker’s name to contract a different carrier. The legitimate carrier moves the freight. The threat actor collects the payment. The real carrier never gets paid. A second, unrelated threat cluster targets German logistics companies with a similar playbook.

These are not theoretical scenarios. They are active campaigns running in parallel with the TeamPCP supply chain compromises. And the common denominator across all of them is credential theft and identity abuse.

In the five risk impact categories we use as a framework for translating cyber threats into business risk, the TeamPCP compromise touches every single one: operational disruption (ransomware, system lockout), financial fraud (payroll redirection, double brokering fraud, extortion payments), competitive disadvantage (credentials, trade secrets, PII), brand impairment (customers learning their security tooling was the vector), and legal and compliance consequences (breach notification obligations, potential liability for downstream impacts).

The tendency is to categorize supply chain attacks as a “security tool problem” or a “developer problem.” It is neither. It is a business risk problem whose blast radius extends from IT operations to payroll to logistics to the boardroom.

Organizations should ask how they can use AI-driven analysis to continuously verify the integrity of every package and build artifact entering their production systems. This means comparing distributed packages against their source repositories to detect injected code. It means analyzing updates to flag anomalous changes in behavior. It means automated provenance verification that traces software from source to distribution, flagging breaks in the chain.

But the TeamPCP campaign exposed a truth the industry has been slow to internalize: the security tools themselves are targets. TeamPCP specifically chose a vulnerability scanner and an application security platform because those tools have the broadest access to credentials and infrastructure. Compromising the tool that checks your code is the ultimate fox-in-the-henhouse scenario.

The organizations that weather this era of supply chain risk will be those that treat code integrity verification as a continuous, automated, AI-augmented process rather than a periodic audit.

So What. Now What.

TeamPCP is not done. Their Telegram channel explicitly states the operation is still unfolding, and they claim to be working with new partners to monetize stolen data at scale.

For security leaders, the immediate actions are straightforward: if your organization uses LiteLLM, Trivy, or Checkmarx GitHub Actions, assume compromise and rotate every credential on affected systems. Audit your software pipelines for unauthorized changes. Pin software dependencies to verified, immutable versions.

But the longer-term lesson is more fundamental. Supply chain attacks convert the trust model of modern software development into an attack surface. The packages you install, the tools you run, the pipelines you build: these are not neutral infrastructure. They are vectors. And the credential stolen today from a compromised software package could show up tomorrow as a payroll redirect, a rerouted shipment, or a ransomware demand.

The keys to your kingdom are scattered across every package manager, every automation token, and every service account in your environment. Someone is collecting them. And your supply chain breach is already someone else’s payday.

How Recorded Future Helps

The TeamPCP campaign left signals at every stage. Three Recorded Future capabilities speak directly to this threat:

• Identity Intelligence — monitors infostealer logs, dark web markets, and credential dumps in real time, automatically detecting compromised employee credentials and triggering immediate response — including the nearly one million compromised GitHub developer credentials already in Recorded Future's dataset.
• Insikt Group — elite analysts with deep government, law enforcement, and intelligence agency experience who produced the TeamPCP, Swiper, TAG-160, and CipherForce research in this blog. Customers see threats as they develop, not after they've made headlines.
• Third-Party Risk — continuously monitors vendors for ransomware extortion activity, breach indicators, and credential leaks, replacing point-in-time questionnaires with real-time visibility across your supply chain.

Leaders should plan for multiple future scenarios, prioritizing resilience and effective decision-making

Current State (April 10)

• Severe tensions persist despite a two-week ceasefire:
  The agreement remains fragile and conditional on reopening the Strait of Hormuz; each side has already accused Iran War: Future Scenarios and Business Implications the other of violations.
• Maritime flows partially resume but remain uncertain:
  Disruptions and elevated security risks persist. President Trump has signaled readiness to resume strikes on Iranian infrastructure if ceasefire conditions are not met.
• Economic conditions remain unstable:
  Energy markets remain volatile, with continued pressure on supply chains. Shipping, insurance, and aviation activity are only partially restored. Inside Iran, infrastructure damage is driving power shortages and industrial disruption.
• Cyber activity has intensified:
  Operations targeting energy and critical infrastructure are increasing, reinforcing systemic risk across key sectors.

Figure 1: An explosion in Tehran, February 28, 2026 (Source: PBS)

Figure 2: Cone of Plausibility Overview: Iran Conflict (Source: Recorded Future)

Framework Overview

To assess how the Iran conflict could evolve over the next 6–12 months, Insikt Group analyzed regional and global dynamics using the PESTLE-M framework, covering Political, Economic, Social, Technological, Legal, Environmental, and Military domains, with a focus on Iran, the United States, Israel, and Gulf States.

Figure 3: PESTLE-M Framework (Source: Recorded Future)

This analysis informed a scenario generation exercise using a Cone of Plausibility (CoP) method. The objective was not to predict a single outcome, but to explore a range of alternative futures based on observed signals and emerging trends.

Methodology

For each PESTLE-M category, we identified key drivers that could increase or decrease the likelihood of escalation, de-escalation, or sustained instability, and assessed how these dynamics may evolve under different assumptions. These were combined to develop six scenarios: one baseline, two plausible (best and worst case), and three wildcard scenarios, enabling organizations to evaluate how the conflict may unfold and the potential impacts on their operating environment.

Within the CoP framework:

• Drivers are signals and trends that could shape future developments
• Assumptions reflect how those drivers may evolve over time
• Scenarios describe how these dynamics could combine to produce distinct future states

We define scenarios as follows:

• Baseline: A forward projection of current trends and conditions
• Plausible: A realistic alternative outcome based on evolving drivers and assumptions
• Wildcard: A low-probability, high-impact scenario that challenges existing assumptions

Baseline Scenario: Fragile Ceasefire with Sustained Economic Disruption

Key Drivers and Assumptions

• Conditional ceasefire -> Underlying conflict causes unaddressed
• Maritime coercion -> Economic warfare persists
• Infrastructure targeting -> Energy disruption continues

Figure 5: Brent oil prices and projections (Source: Oxford Economics)

Figure 6: Iran is also threatening maritime traffic through the Bab al-Mandab, another key route (Source: Times of India)

Baseline: A forward projection of current trends and conditions

Ceasefire holds, but conflict shifts into sustained economic warfare.

A fragile ceasefire reduces the pace of direct military exchanges strikes, but the drivers of conflict remain unresolved. Iran lacks the capacity for decisive escalation but retains asymmetric leverage, while the US prioritizes energy market stability and conflict containment. The Strait of Hormuz reopens only intermittently, with recurring disruptions, inspections, and security incidents, keeping shipping, insurance, and energy markets under sustained pressure. Gulf financial, logistics, and technology sectors operate intermittently, airlines maintain some route suspensions, and cyber activity remains elevated against regional infrastructure and Western-linked organizations. The conflict evolves into economic coercion as a primary tool, driving elevated oil and gas prices, persistent market volatility, and tighter financing conditions. Supply chains gradually reconfigure away from high-risk routes, increasing costs and reducing efficiency. Russia benefits from sustained high energy prices and reduced Western focus, strengthening its position in Ukraine. China capitalizes on fragmentation by expanding alternative trade and financial networks, reinforcing a more bifurcated global system.

Likelihood

Most likely if ceasefire holds without resolution: Conflict remains below full-scale war, but economic disruption persists as the dominant mode of competition.

Plausible Scenario (Best Case): Managed Stalemate

Key Drivers and Assumptions

• US threats and military strikes fail to coerce Iran into concession -> Limited appetite for sustained conflict
• Significant economic disruption -> Economic costs drive political decisions
• US military footprint in region -> Potential for re-escalation

Figure 7: US President Trump delivers a warning to Iran at a White House Easter event (Source: PBS News)

Figure 8: Iran has used maritime traffic through the Strait of Hormuz as leverage in the conflict (Source: CNBC)

Plausible: A realistic alternative outcome based on evolving drivers and assumptions

The US portrays its leadership decapitation campaign as successfully facilitating “regime change,” creating space for diplomatic engagement with “new” leadership. Iran maintains increased level of oversight over the Strait of Hormuz, while internally the IRGC plays a greater role in strategic decision-making.

Domestic economic and political pressure leads to the US to scale back military operations without clear resolution of key regional security issues, including Iran’s right to nuclear enrichment, ballistic missile program, and support to regional proxies. Maritime traffic slowly returns to pre-war levels, with a new protocol for vessel traffic under an internationally accepted mandate. Iran retains an increased level of oversight over the Strait of Hormuz passages and profits from the traffic. This relieves some economic strain, though lingering supply chain effects remain. Cyber attacks persist as a means of asymmetric coercion. The US lifts some sanctions against the “new” regime, but other sanctions remain in place, complicating the regulatory environment. Interest in renewable energy increases as companies seek to mitigate against future disruption, though oil demand returns to pre-conflict norms. Israel continues limited, highly targeted strikes, while the US retains its military presence in the region, keeping the possibility for re-escalation open.

Likelihood

Less likely as conflict continues: This scenario assumes the US’s limited appetite for full-scale war, but the opportunities for de-escalation diminish as the conflict persists.

Plausible Scenario (Worst Case): Regional Conflict with Gulf Involvement

Key Drivers and Assumptions

• Conditional ceasefire -> Continuing provocation re-escalates conflict
• Strait of Hormuz chokehold effective -> Asymmetric advantage to disruption
• Gulf infrastructure targeted -> Multi-state escalation

Figure 9: The Saudi crown prince reportedly urged President Trump to continue war (Source: NYT)

Figure 10: The UAE has been proactive in the conflict, taking nonmilitary measures against Iran (Source: South China Post)

Plausible: A realistic alternative outcome based on evolving drivers and assumptions

Ceasefire collapses, triggering multi-state regional war.

A temporary ceasefire breaks down following renewed strikes and failure to secure maritime access. Iran escalates missile and proxy attacks, including targeting Gulf energy infrastructure. With critical thresholds crossed, Saudi Arabia, the UAE, and Bahrain enter the conflict directly to protect economic and political stability. The Strait of Hormuz and Bab al-Mandab become sustained conflict zones, with repeated attacks, mining, and vessel seizures. Shipping and insurance markets withdraw at scale, severely constraining global energy flows. Energy prices surge, driving inflation and recession risk globally. Fuel shortages emerge in import-dependent economies, triggering industrial slowdowns, reduced mobility, and rolling outages. Cyber operations escalate into coordinated campaigns targeting energy, logistics, and financial systems. Legal fragmentation accelerates, with overlapping sanctions regimes, asset controls, and enforcement actions constraining cross-border operations. Russia exploits elevated energy revenues and reduced Western focus to press its advantage in Ukraine. China remains indirect but leverages Western overstretch to increase pressure on Taiwan.

Likelihood

More likely if ceasefire collapses and Gulf assets are targeted: Escalation becomes self-reinforcing once regional actors are drawn into direct conflict.

Wildcard Scenario 1: Lasting Peace Agreement

Key Drivers and Assumptions

• Severe degradation of Iranian infrastructure -> Iran compelled to concede
• Global economic disruption → International support for peace process
• Sustained disruption to Hormuz and energy markets → Mutual incentive to stabilize

Figure 11: Pakistan has offered to host talks to broker peace between US, Iran (Source: Time)

Figure 12: Traffic through the Strait of Hormuz dropped significantly since conflict began (Source: Lloyd's List)

Wildcard: A low-probability, high-impact scenario that challenges existing assumptions

Negotiated settlement reached between the US and Iran, allowing for longterm drawdown of conflict.
Significant degradation of Iran’s energy, military, and industrial infrastructure, combined with mounting economic strain, power shortages, and reduced capacity to sustain conflict, compels Tehran to reassess its position and signal willingness to accept concessions. In parallel, the United States faces rising economic costs from prolonged energy disruption, inflation, and market instability, increasing pressure to stabilize conditions. A negotiated settlement emerges through indirect talks, mediated by Oman, with Iran accepting concessions on maritime security and nuclear constraints in exchange for phased sanctions relief and assurances against further strikes. Iran seeks a revised Strait of Hormuz security framework and limited economic concessions, though broader demands such as reparations are only partially addressed. The Strait of Hormuz fully reopens under agreed security mechanisms, restoring stable shipping and energy flows. Sanctions ease gradually, enabling reintegration of Iranian energy exports and limited foreign investment. Military activity declines sharply, cyber operations reduce, and global energy markets stabilise, easing inflationary pressures and improving financial conditions.

Likelihood

Low probability: Requires significant concessions from one side under sustained pressure.

Wildcard Scenario 2: Iranian Regime Collapses

Key Drivers and Assumptions

• Decades of political repression -> No viable alternative to Iranian regime
• Sectarian and political unrest -> Protracted internal conflict
• Targeting of leadership -> Regime instability and eventual collapse

Figure 13: Mass protests against the regime in December 2025 were brutally repressed (Source: Le Monde)

Figure 14: Displaced Syrians have lived in refugee camps for ten years, demonstrating the long-term impacts of internal conflict (Source: UNHCR)

Wildcard: A low-probability, high-impact scenario that challenges existing assumptions

The Islamic Republic collapses, plunging the country into a civil war and complex humanitarian crisis.

The US and Israel’s persistent “decapitation strategy” weakens the regime to the point where it is no longer able to assert internal control. With no viable alternative, the country falls into a multiparty civil war made up of pro-regime, pro-democracy, and assorted regional and ideological militias. Food and fuel shortages are severe in certain regions. Refugee camps are built in Iraq while Europe’s asylum system faces overwhelming demands. The US claims Kharg Island in the chaos and asserts control over the Strait of Hormuz, mitigating international economic damage. However, the political instability gives pro-regime and other ideological groups a base for asymmetric operations, leading to persistent regional disruption. Cyber capabilities degrade amid internal fighting, though some hacktivist operations persist against a wider variety of ideological enemies. Damage to water and energy facilities sustained during the conflict exacerbates humanitarian crisis and slows recovery. Russia supplies military support to pro-regime factions, but not enough to significantly tilt the balance of power.

Likelihood

Long-term resilience of regime and viability of alternatives is unknown, making it difficult to assess likelihood with confidence.

Wildcard Scenario 3: Nuclear Crisis

Key Drivers and Assumptions

• Protracted high-intensity conflict -> Increased likelihood of miscalculation
• Location of facility -> Risks of radiological contamination spread by air and water
• Diplomatic failures -> Inability to coordinate on response

Figure 15: Bushehr has not yet been a direct target, though missiles have landed near it (Source: Development Aid)

Figure 16: Weather patterns following the Chernobyl nuclear disaster spread radiological material affecting up to 6 million people (Source: UNSCEAR)

Wildcard: A low-probability, high-impact scenario that challenges existing assumptions

Missile strikes hitting a nuclear facility lead to a radiological incident, causing immediate global shock and rapid escalation.

A missile strike causes extensive damage to Iran’s Bushehr civilian nuclear power facility, causing radiological release with cross-border contamination. This occurs due to escalation, miscalculation, or degraded command and control. Immediate impacts include evacuation zones and disruption to regional energy supply. Emergency response efforts are delayed by ongoing conflict, limiting containment and extending environmental and economic damage. As a result, southern Iran and Gulf States experience long-term harm to drinking water supply and maritime food sources. The conflict also prevents long-term monitoring in Iran, which extends the long-term health and environmental damage from inadvertent exposure. Contamination further restricts maritime trade routes in the Gulf, while energy markets react sharply to both supply disruption and elevated systemic risk. Cyber and information operations amplify panic and misinformation.

Likelihood

Low probability, high impact: Risk of intentional or unintended strike increases under sustained conflict.

The global threat landscape didn't simplify in 2025. It shattered. Recorded Future's Insikt Group® 2026 State of Security documented how geopolitical fragmentation, state-sponsored operations, and criminal ecosystem adaptation reshaped global risk. Threats that once stayed in distinct lanes converged, and they converged fast.

Consider what Insikt Group® tracked last year:

• State-sponsored cyber actors shifted from intelligence collection to persistent access, pre-positioning inside target infrastructure so they can disrupt operations the moment geopolitical tensions escalate.
• Weak governance and systemic corruption fueled industrialized cybercrime, enabling payment fraud and criminal operations to scale like legitimate businesses.
• Influence operators and hacktivist groups multiplied alongside rising interstate conflict, amplifying fear, uncertainty, and doubt through exaggerated exploit claims.
• Loosely organized criminal collectives used social engineering to compromise third-party SaaS platforms, rapidly adapting to law enforcement action and traditional defenses alike.

The risk surface has expanded well beyond networks and endpoints. Your brand, your third-party vendors, your payment networks: each has its own threat actors, its own attack methods, and its own intelligence requirements. Yet most intelligence programs only cover one of these domains. Or they monitor them in silos, with no shared context.

The right intelligence, from the right sources, at the right time, is a critical competitive advantage. But intelligence only matters if you can act on it across every critical risk domain before attackers reach their objective.

Re-Imagining How Intelligence Is Delivered And Operationalized

Historically, Recorded Future has been sold on a per-user and per-capability basis - a model that worked well in a simpler world where security teams were focused on solving the most urgent problem in front of them.

Today’s threat landscape is fast, more complex, and deeply interconnected. Customers are no longer looking for point solutions, they’re asking for a fundamentally different way to consume and operationalize intelligence.

Customers are asking us to provide:

• Complete capabilities to support use cases aligned with core risk domains.
• Democratized access to intelligence across teams, workflows and systems.
• A simplified and predictable way to purchase for ease of budgeting and adoption.

In response, we’ve re-imagined Recorded Future is delivered:

“Four Solutions. Three Packages. One Intelligence Foundation.”

A unified approach designed to scale with your organization, accelerate time to value, and embed intelligence into every decision that matters.

Four Solutions for Four Critical Risk Domains

Your threats span your infrastructure, your brand, your vendors, and your payment networks. Your intelligence should too. We’ve re-organized our platform into four purpose-built solutions tied to distinct domains of enterprise risk.

Cyber Operations gives your security team the intelligence, workflows, and autonomous actions to detect, investigate, and respond to threats targeting your infrastructure. Alert triage, real-world vulnerability prioritization, malware analysis, proactive hunting: this is where reactive firefighting becomes predictive, intelligence-led defense.

Digital Risk Protection helps detect and disrupt threats that never touch your network but directly damage your business: brand impersonation, domain abuse, credential leaks, and phishing infrastructure across the open, deep, and dark web. With access to active infostealer logs and automated IAM remediation, your team can act on exposures within hours, not weeks.

Third-Party Risk delivers continuous, intelligence-driven monitoring of your vendor ecosystem. Security ratings combined with real-time threat intelligence surface breaches, ransomware activity, and dark web exposure days or weeks before formal vendor notification, giving your security and GRC teams evidence they can act on and defend to stakeholders.

Payment Fraud Intelligence identifies stolen payment cards, compromised checks, scam merchants, and web-skimming activity earlier in the fraud lifecycle, so financial institutions can stop losses before they materialize.

Each solution delivers complete, end-to-end capability for its risk domain. And because all four run on the same Intelligence Graph®, a signal detected in one domain immediately enriches context across the others.

Three Packages That Scale With Your Program

Modern organizations operate across multiple risk domains. We are introducing three packages that reflect that reality, meeting customers where they are and scale as their programs mature.

• Core is the foundation for intelligence-led security. It enables organizations to tackle essential use cases on day one - threat detection and alert triage, vulnerability monitoring, credential exposure detection, domain abuse monitoring, and executive impersonation protection. The package combines capabilities across Cyber Operations and Digital Risk Protection solutions, providing immediate, high-impact coverage.
• Professional is built for organizations ready to mature their program and operationalize intelligence at scale. Building on Core, it introduces deeper insights and automation to extend team capacity - enabling autonomous threat hunting, multi-source correlation, and external asset discovery. The result is broader coverage, faster response, and more leverage for security teams without adding headcount.
• Elite delivers the most comprehensive intelligence coverage available. By unifying Cyber Operations, Digital Risk Protection, and Third-Party Risk, it provides a complete view of risk across infrastructure, brand, and supply chain. With a single pane of glass, Elite operationalizes intelligence across workflows and teams—from CTI to SOC to Risk—driving smarter and faster risk-enabled decision making and response.

Across all packages, customers get full access to the Intelligence Graph®, Recorded Future AI, all compatible integrations, APIs, and Collective Insights. No hidden costs or barriers to connect to your existing security stack.

Built for Everyone Who Needs Intelligence, Not Just Analysts

Intelligence only creates value when the right people can act on it. That's why our platform packages include unlimited users. Every analyst, every engineer, every stakeholder who needs intelligence gets it, with no seat limits and no trade-offs about who gets access.

For smaller teams building early-stage programs, we still offer flexible user-based licensing so you can start where it makes sense and expand as your program matures. Either way, pricing is predictable. You know what you're paying, and you can scale with confidence.

Every package also includes unlimited integrations from Recorded Future’s hundreds of supported applications at no additional cost. Your SIEMs, EDRs, SOAR platforms, and ticketing systems all get equipped with real-time intelligence, so every analyst and engineer working in those tools benefits from enriched context without switching screens. Add Autonomous Threat Operations, and those same integrations become the foundation for autonomous hunting, detection, and prevention across your entire stack. Connected tools become an intelligence-led defense system that acts continuously, with minimal human intervention.

One Intelligence Foundation Across Every Domain

What makes this approach powerful isn't just simpler packaging. All four solutions and all three packages run on the same intelligence foundation: the Intelligence Graph®, correlating over 1.2 million sources and 26 billion entities across cyber, digital, third-party, and fraud domains.

A credential leak detected in Digital Risk Protection immediately informs a Cyber Operations investigation. A vulnerability under active exploitation triggers prioritized patching in your workflow. A third-party vendor breach surfaces before the vendor discloses it. Intelligence flows across your entire risk surface, giving you the correlated, high-confidence context that point solutions can't deliver.

That's what it means to be intelligence-led. Not consuming more data. Connecting signals across domains so you can act earlier, with greater confidence, at machine speed.

The Path Forward

Adversaries in 2026 are faster, more coordinated, and more resourceful than they've ever been. They operate across every attack surface simultaneously, and they're accelerating.

Whether you're a team of three building your first intelligence program or a global enterprise running intelligence-led autonomous operations, there's a clear path. Start with the solution or package that matches your priorities today. Grow into deeper automation and broader coverage as your program matures. And at every step, you're backed by the most comprehensive and independent intelligence platform in the industry.

We built this for the threats you're facing right now, and the ones coming next.

These vulnerabilities affected products from the following vendors: Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. This month’s most affected vendors were Microsoft and Apple, together accounting for approximately 32% of the 31 vulnerabilities.

One vulnerability (CVE-2017-7921 affecting Hikvision) is approximately nine years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Legacy and unpatched systems remain attractive targets. Defenders should not discount older CVEs; instead, they should prioritize based on observed activity, maintain strong asset visibility, and apply compensating controls where remediation is not possible.

In March, Insikt Group® created Nuclei templates for a high-severity path traversal vulnerability in MindsDB (CVE-2026-27483) and a critical missing authentication vulnerability in Nginx UI (CVE-2026-27944). Additionally, Insikt Group® had already published a Nuclei template for CVE-2025-68613 (n8n) in December, prior to its exploitation this month. We also identified public proof-of-concept (PoC) exploits for 10 of the 31 vulnerabilities.

Quick Reference: March 2026 Vulnerability Table

All 31 vulnerabilities below were actively exploited in March 2026. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.

Table 1: List of vulnerabilities that were actively exploited in March based on Recorded Future data.

Key Trends: March 2026

• Most commonly observed weaknesses: CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Code Injection).
• Two vulnerabilities and one exploit kit (consisting of 23 exploits, 12 of which are currently associated with specific CVEs) were linked to malware campaigns.
  • Interlock Ransomware Group exploited a zero-day in Cisco Secure Firewall Management Center to compromise enterprise networks, deploy custom remote access trojans (RATs), and facilitate ransomware operations.
  • Separately, the DarkSword iOS full-chain exploit enabled Safari-based remote code execution (RCE), sandbox escape, and kernel-level access, leading to deployment of the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.
  • The Coruna exploit kit similarly compromised iOS devices to deliver the PlasmaLoader (PLASMAGRID) malware.
• 9 of the 31 vulnerabilities (CVE-2026-3910, CVE-2026-33017, CVE-2025-32432, CVE-2025-54068, CVE-2026-20963, CVE-2025-68613, CVE-2025-26399, CVE-2021-30952, and CVE-2023-41974) allowed attackers to conduct RCE.
  • These 9 vulnerabilities affected Google, Langflow, Craft CMS, Laravel, Microsoft, n8n, SolarWinds, and Apple.

Exploitation Analysis

This section analyzes two of the highest-impact, actively exploited vulnerabilities this month. Where applicable, it also highlights the availability of Nuclei templates created by Insikt Group®. The full list of reports and detection rules from March is available to customers in the Recorded Future Intelligence Operations Platform.

Interlock Ransomware Group Exploits Cisco FMC Zero-Day (CVE-2026-20131)

On March 18, 2026, Amazon Threat Intelligence published an analysis detailing an ongoing Interlock ransomware campaign exploiting CVE-2026-20131. CVE-2026-20131 is a critical vulnerability affecting Cisco’s Secure Firewall Management Center (FMC) software that allows unauthenticated threat actors to execute arbitrary Java code as root on vulnerable devices. Cisco Secure FMC is a centralized management platform that allows administrators to configure, monitor, and control Cisco firewall devices and network security policies across an enterprise environment. According to Amazon Threat Intelligence, Interlock Ransomware Group exploited CVE-2026-20131 as a zero-day vulnerability beginning January 26, 2026, indicating active exploitation prior to its public disclosure and enabling early compromise of enterprise networks.

The Interlock Ransomware Group exploits vulnerable Cisco FMC instances via crafted HTTP requests exploiting CVE-2026-20131 to execute arbitrary Java code as root. After gaining access, the threat actors deploy a malicious ELF binary from a staging server at 37[.]27[.]244[.]222 (Intelligence Card) to support follow-on operations.

They then use custom Java- and JavaScript-based RATs, a memory-resident web shell, and proxy infrastructure to maintain access, enable lateral movement, and evade detection. Post-compromise activity includes reconnaissance, data collection and staging, and the use of legitimate tools such as ConnectWise ScreenConnect, Volatility, and Certify for remote access, credential theft, and privilege escalation.

Insikt Group® obtained a screen locker sample (SHA256: 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f) shared by Amazon Threat Intelligence from Recorded Future Malware Intelligence. Sandbox analysis detected the sample as benign. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine:

• Changes the machine’s desktop wallpaper that displays a pornographic image
• Delays execution using the Sleep API function for evasion
• Detects debuggers using the GetTickCount API function to compare timing

Figure 1: Risk Rules History from Hash Intelligence Card® for 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f in Recorded Future (Source: Recorded Future)

Recorded Future customers can find additional exploitation details and MITRE ATT&CK techniques associated with the exploitation of Cisco FMC Zero-Day (CVE-2026-20131) in the Diamond Models section of this TTP Instance.

Critical Deserialization of Untrusted Data Vulnerability Affecting Cisco Secure FMC Software and Cisco SCC Firewall Management (CVE-2026-20131)

On March 11, 2026, GitHub user Sadaf Athar Khan (sak110 on GitHub) shared an alleged proof-of-concept PoC exploit for CVE-2026-20131. CVE-2026-20131 is a critical Deserialization of Untrusted Data vulnerability affecting Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management. Cisco Secure FMC Software is a web-based platform for centrally managing firewall policies, events, and device administration. Cisco SCC Firewall Management is a Software-as-a-Service-based (SaaS) solution for centralized configuration, monitoring, and maintenance across firewall deployments.

Exploitation of CVE-2026-20131 allows an unauthenticated remote threat actor to execute arbitrary code and gain root privileges on the affected devices. On March 4, 2026, Cisco published a security advisory and released software updates to fix CVE-2026-20131. The vulnerability resides in the web-based management interface of FMC, where insecure deserialization of a user-supplied Java byte stream allows threat actors to pass serialized objects into Java object handling without sufficient validation. As a result, an unauthenticated remote threat actor can send a crafted serialized Java object to the management interface, trigger arbitrary code execution, and escalate privileges to root.

Figure 2: Vulnerability Intelligence Card® for CVE-2026-20131 in Recorded Future (Source: Recorded Future)

Based on Sadaf Athar Khan’s repository, the PoC requires a target URL and a command. Once provided, the PoC generates a malicious Java-serialized object using ysoserial, embedding the supplied command within the payload and preparing it for delivery to the specified target.

The PoC then attempts to submit the serialized object to a set of candidate endpoints included in the PoC that accept serialized Java data. A reachable deserialization path allows the application to process the object and run the embedded command on the target host. After delivery, the PoC checks the server’s HTTP response codes and treats an HTTP 500 response as an indication that deserialization triggered command execution. The PoC flags HTTP 200 for manual verification because exploitation could succeed without returning visible output.

Insikt Group® has not tested this PoC for accuracy or efficacy. Recorded Future customers can find MITRE ATT&CK techniques associated with the alleged PoC in the Entities section of this TTP Instance.

Take Action

Timely and relevant information on vulnerabilities in your environment and that of your vendors and suppliers is critical for reducing risk. Find out how Recorded Future can support your team by increasing visibility, improving efficiency, and enabling confident decisions.

Vulnerability Intelligence – Prioritize vulnerabilities based on the likelihood of exploitation – not just the severity. Easily understand the risk of exploitation alongside severity, and real-time contextualized intelligence to help you quickly make confident decisions, patch what matters, and prevent attacks.

Attack Surface Intelligence – Identify internet-facing assets vulnerable to a specific CVE. Attack Surface Intelligence provides an outside-in view of your organization to help you actively discover, prioritize, and respond to unknown, vulnerable, or misconfigured assets.

Third-Party Intelligence – Gain an external view of the security posture of your vendors and partners. Eliminate time-consuming research and vendor communication cycles with the ability to promptly assess vulnerabilities in their internet-facing systems.

Insikt Group® – Receive access to exclusive reports on new vulnerabilities and trends from Recorded Future’s team of experts, the Insikt Group®. Download Nuclei templates created by Insikt Group® for select CVEs to test potentially vulnerable instances.

Recorded Future Professional Services – Work with our Professional Services team on a Vulnerability Analysis Engagement. Designed to equip your team with advanced strategies for identifying, prioritizing, and mitigating threats effectively, this program delves into technologies and operations essential for a successful vulnerability management program. (Learn more about how our Professional Services team can help your elevate your team by watching our recent Vulnerability Prioritization Workshop)

VIP Credential Monitoring in Recorded Future is built to solve this problem. It continuously monitors for credential exposures tied to your most sensitive individuals across both work and personal accounts, and alerts your team fast enough to act before an account takeover occurs.

The Challenge with Protecting Your Most Targeted People

According to Verizon's 2025 Data Breach Investigations Report, credential abuse was the most prominent initial access vector observed across breaches. Attackers don't need to find a technical vulnerability to get inside your organization. Stolen credentials are widely available across criminal forums and dark web marketplaces, and buying access is often faster and cheaper than building an exploit.

What makes this particularly calculated is how threat actors decide which credentials to buy. Infostealer malware logs don't just capture usernames and passwords — they capture the authorization URLs where those credentials were entered. According to Recorded Future’s 2025 Identity Threat Landscape Report, 7 million credentials were indexed with identifiable authorization URLs, with 63.2% of those having been linked to authentication systems.

Figure 1: Top authorization URL categories, 2025 (Source: Recorded Future)

That means attackers can usually identify the access endpoints credentials unlock and they will prioritize accordingly. Executives and anyone with broad access to systems and data sit at the top of that list.

The 2025 cyber attack on University of Pennsylvania illustrates exactly how this plays out. A threat actor compromised a single employee's SSO credential and used it to move laterally across corporate systems, ultimately exposing data on approximately 1.2 million donors, alumni, and students. One credential, one login, and an organizational crisis.

The threat doesn't stop at corporate accounts. When attackers can't get hold of an executive's work credentials, they target personal accounts for these high-value targets. A personal email or social account can expose sensitive communications, private information, or material an attacker can use for extortion.

Corporate security controls don't extend to personal accounts. When those credentials are stolen, most security teams have no line of sight.

That gap between exposure and discovery is where the risk lives. Credentials stolen by infostealer malware are often purchased and weaponized within 48 hours of the compromise, potentially days or weeks before a security team has any indication something is wrong. For standard employee accounts, that window is serious. For your CEO or Head of Engineering, it's critical.

Monitoring Built for High-Value Targets

VIP Credential Monitoring provides continuous monitoring and alerting on compromised credentials for your high-value targets. Security teams can add personal or work email addresses for their executives and others with widespread access.

From that point forward, Recorded Future continuously monitors for those accounts across its full source coverage: infostealer malware logs from 30+ malware families, dark web forums, criminal marketplaces, paste sites, and breach dumps. When a VIP credential surfaces in that data, the team receives an alert with full contextual detail (malware family, authorization URL, compromised host information, etc.) so they can act with confidence.

Many executive monitoring solutions surface credential data that is days or weeks old by the time it reaches an analyst. By then, the window to get ahead of an attacker has often closed. For all stolen credentials indexed in 2025, Recorded future detected 36.4% within 24 hours of exfiltration, and 52.9% within one week.

The gap between when credentials are stolen and when a security team finds out is where breaches happen. Recorded Future closes that gap.

When a VIP credential appears in exposure data, teams can initiate a password reset, review active sessions, or reach out directly to the individual — all before the credential is exploited. For identities that carry this level of organizational risk, getting ahead of the exposure isn't just operationally valuable; it can be the difference between a resolved alert and a significant incident.

A Complete Picture of Identity Exposure

VIP Credential Monitoring is built on the same intelligence infrastructure that powers Recorded Future Identity Intelligence broadly: the same source coverage, the same detection engine, the same alert and triage workflow. It applies that capability to a category of identities that warrant closer attention, without requiring a separate tool, process, or integration. That's the logic behind Identity Intelligence as a whole: a unified view of credential exposure across every category of identity your organization needs to protect, covering employees, customers, and your highest-risk individuals.

For teams already using Identity Intelligence to monitor employee and customer credentials, VIP Monitoring is a targeted extension of coverage that fits into what they've already built. Any VIP credentials identified will benefit from the same core features of Identity Intelligence.

This includes Incident Reports, which surfaces any other credentials that may have been compromised from the same machine, and Customizable Alerting, which streamlines prioritization of these detections and can trigger response workflows through existing integrations with Okta, Microsoft Entra ID, XSOAR, Splunk, and others.

Attackers don't limit their targets to one type of account, and your monitoring shouldn't either. To see where you stand today, request a free Identity Exposure Assessment Report and get a concrete, evidence-based picture of your organization's credential exposure over the past year. Contact us to learn more about how Recorded Future can help your organization protect its identities and to see a demo of the platform in action.

Today, the average enterprise works with hundreds of third parties. Threat actors actively target the weakest links across those supply chains, not because the vendors themselves are the prize, but because they're the path of least resistance into larger, more valuable targets.

Ransomware groups list vendors on extortion sites before those vendors even know they've been compromised. Stolen employee credentials surface on dark web forums undetected. Critical vulnerabilities are weaponized in hours, not months. In this environment, a security rating is necessary. But it is nowhere near sufficient.

Recognized in the 2026 Forrester Wave™

Recorded Future was recently included in The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2026. (The report is available online to Forrester customers or for purchase here).

We see this recognition as a reflection of the market's evolution — and as an acknowledgement of the direction we've been building toward.

We believe the cybersecurity risk ratings market is at an inflection point. Analysts and practitioners alike recognize that the category is moving beyond standalone ratings toward integrated intelligence and actionable insights. We see our inclusion in this evaluation as confirmation that the convergence of hygiene data and threat intelligence isn't a niche play — it's where the market is heading. In light of where the ratings market is today, let’s dive into where Recorded Future is going and how Recorded Future envisions the future of securing the third-party ecosystem.

The Gap Between Hygiene and Intelligence

Cyber risk ratings have earned their place in the security stack. They provide a standardized, scalable way to evaluate a vendor's external security posture — patching cadence, encryption practices, DNS configuration, exposed services. That hygiene baseline matters. It's a correlative signal for breach potential, and it gives risk teams a common language for comparing vendors and benchmarking against industry peers.

But hygiene ratings only answer part of the problem: How well is this vendor maintaining their defenses?

They don't tell you whether anyone is actively trying to breach those defenses. They don't surface the dark web chatter on a specific vendor. They don't alert you when a vendor's credentials are leaked or has an active malware infection. This is the gap that has left third-party risk programs perpetually reactive. Teams learn about vendor compromises from news headlines or from the vendors themselves — often days or weeks after the initial breach. By then, the window for proactive response may have closed.

From our own customer conversations, we hear that security and risk teams have shifted from wanting ratings and accuracy alone to demanding intelligence that reveals real cybersecurity risk, with prioritized findings and actionable remediation guidance. Ratings are increasingly commoditized. The differentiation now lies in what you do with the data, and what additional signals you bring to the table.

Third-Party Risk Management Is an Intelligence Operation

If you accept that ratings alone aren't enough, the logical next step is clear: third-party risk management must be treated as an intelligence operation.

That means combining the hygiene baseline — the outside-in view of a vendor's security posture — with real-time threat intelligence that tells you who is being targeted, how, and what you should do about it. It means shifting from periodic assessments to continuous monitoring. It means equipping risk teams with the context to distinguish between a low-priority configuration issue and a vendor whose infrastructure is actively under attack. This is the problem Recorded Future Third-Party Risk was built to solve.

We've brought together two distinct capabilities that, until now, existed in separate worlds.

1. RiskRecon — built over a decade as one of the industry's leading cyber risk ratings platforms, trusted by 21,500+ users across 30+ industries, provides the hygiene foundation: transparent, evidence-backed security ratings evaluated across 40+ criteria in 9 security domains, with 99% audited data accuracy.
2. Recorded Future's threat intelligence capabilities, powered by collection and analysis across more than 1 million sources, adds the threat dimension: real-time alerting on ransomware extortion activity, dark web exposures, credential leaks, and active vulnerability exploitation — often before the affected vendor is even aware.

Together, these capabilities create something the market hasn't had before: a single solution that covers the full lifecycle of third-party risk, from initial assessment and onboarding through continuous monitoring and incident response.

What This Looks Like in Practice

The value of combining hygiene ratings with threat intelligence isn't theoretical. Our customers are already seeing it play out.

• When a vendor appears on a ransomware extortion site, Third-Party Risk customers can receive alerts in hours — not the days or weeks it takes for vendor self-disclosure.
• When credentials associated with a monitored vendor surface on dark web markets, risk teams can initiate outreach and remediation before those credentials are weaponized.
• When a critical vulnerability is disclosed, intelligence context helps analysts determine which vendors are actually exposed and at risk of exploitation, rather than treating every vendor with the affected software as equally urgent.

Customers consistently report a roughly 33% increase in visibility into third-party risks after adopting the platform (UserEvidence). Teams save an average of 7 hours per week that was previously spent on manual research and monitoring (UserEvidence). And customers routinely detect vendor incidents before the vendor itself has disclosed — turning what used to be a reactive scramble into a controlled, proactive response.

These aren't incremental improvements. They represent a fundamental shift from reactive compliance to proactive risk management.

Where We're Going

We're not done. Bringing RiskRecon and Recorded Future together was the first step in a broader vision for what third-party risk management should become.

Our roadmap is focused on deepening the integration between these two platforms into a unified experience. One where hygiene ratings, threat intelligence, and risk workflows operate seamlessly together. We're investing in AI-driven capabilities that will help risk analysts cut through noise faster, automate routine assessment workflows, and surface the insights that matter most. And we're building toward predictive intelligence that doesn't just tell you what's happening now, but helps you anticipate where risk is headed.

The goal is straightforward: make third-party risk management as data-driven, automated, and intelligence-led as the best security operations programs already are.

Join the Shift to Intelligence-Driven Third-Party Risk

Third-party risk programs that rely exclusively on hygiene ratings will continue to be caught off guard. The vendors who score well on a Tuesday can be breached by Wednesday. The questionnaire response you received last quarter may not reflect today's reality.

The organizations that are getting ahead of this are the ones treating third-party risk as what it actually is: an intelligence operation that requires continuous monitoring, real-time alerting, and the context to act decisively when something changes.

That's the future we're building. And we believe we're the only ones building it with the depth of intelligence and the strength of ratings data required to get it right.

Venezuelan Acting President Delcy Rodríguezʼs policy decisions will affect economic and political stability in Venezuela in the coming months. Her approach will likely be shaped by a deep familiarity with the state security apparatus, her revolutionary identity, a demonstrated willingness to break from orthodoxy and seek coordination with Washington, an interest in restoring support for the ruling United Socialist Party of Venezuela PSUV, and a long memory for perceived slights. These principles, paired with changing local power dynamics after the January 3, 2026, United States US special operation to capture former Venezuelan President Nicolás Maduro and his wife, Cilia Flores, suggest Rodríguez is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning. At the same time, she will likely find ways to cooperate with the US in ways designed to preserve the rule of PSUV and her credibility with other members of the ruling coalition. Rodríguezʼs core objectives are very likely to preserve PSUV rule and resist an opposition-led transfer of power, while maximizing the economic benefits of reengagement with Washington, including sanctions relief, investment, and a possible economic recovery. This will likely contribute to Rodríguez governing in a manner that avoids high-risk moves that could fracture her coalition or trigger instability that undermines her utility to the White House. In this approach, the biggest internal threat she faces in the short term is very likely PSUV rivals, including Interior Minister Diosdado Cabello, and other military and economic elites who perceive US engagement as a direct threat to their interests. While it is impossible to predict every move the Venezuelan government may take, public and private organizations can better anticipate risks to stability and investments — such as resistance to US-supported reforms or evidence of internal divisions in the regime — by systematically monitoring the rhetoric and actions of Delcy Rodríguez, Diosdado Cabello, and other senior officials using the Recorded Future® Intelligence Operations Platform

Key Findings

• The January 3, 2026, US operation provoked panic among Venezuelan elites and fueled deep uncertainty regarding the plan to succeed Maduro, which was only resolved when US signaling prompted Venezuelan institutions to confirm that Rodríguez would assume presidential duties.
• Rodríguezʼs hold on power is threatened internally by rival PSUV figures, chief among them Interior Minister Diosdado Cabello and his network of allies across Venezuelaʼs security apparatus and among pro-government armed groups.
• Externally, the main threats to Rodríguezʼs power stem from US leverage over Caracas, including US geopolitical aims to bring Venezuela further under Washingtonʼs influence as well as US officialsʼ stated pursuit of a transition and support for the opposition faction led by María Corina Machado.
• To avoid a destabilizing rupture that could trigger US backlash, Delcy Rodríguez will very likely prioritize internal governability and economic stabilization, cooperating with Washington enough to see sustained sanctions relief while seeking to manage rather than expel hardline rivals from her coalition.
• To preserve her own credibility and influence in Venezuela, Rodríguez is likely to pair compliance with Washingtonʼs demands with “face-savingˮ gestures that assert Venezuelan sovereignty, and to resist genuinely competitive elections unless economic gains materially improve the PSUVʼs electoral odds.

Assessing Current Dynamics in Venezuela

Over the past 25 years, US-Venezuela relations have worsened as Venezuela’s government actively sought to oppose US interests in the Western Hemisphere, deepened relations with US rivals around the globe, and became increasingly authoritarian. This began under the deceased former president Hugo Chávez, whose movement, known as “Chavismo,” has governed the country since 1999. After Nicolás Maduro took power in Venezuela following Chávez’s death in 2013, he accelerated the consolidation of power and the erosion of democratic institutions begun by his predecessor. The US responded by imposing financial and oil sanctions meant to limit Venezuela’s ability to profit from its vast oil reserves and sanctioning over 200 members of the Venezuelan elite. The US pressure campaign on Venezuela accelerated in late 2025 under President Donald Trump, who deployed a historic number of naval assets to the Caribbean.

This military campaign culminated at around 02:00 Venezuelan Standard Time (VET) on January 3, 2026, when US special forces carried out airstrikes and a surgical intervention into Venezuela as part of an operation to capture and extract Maduro and his wife, Cilia Flores, to face drug trafficking and terrorism charges in New York. These events were the most significant US military operation in Latin America since the 1989 invasion of Panama, and ratified a new US doctrine that emphasizes primacy and willingness to use all available tools (economic, diplomatic, and military) to advance US interests in the Western Hemisphere, as laid out in the 2025 National Security Strategy. In Venezuela, the events of January 3 precipitated the most impactful shakeup of the country’s political order in decades.

While Acting President Delcy Rodríguez has signaled an openness to working with US priorities, this cooperation is affected by active tensions among the ruling elite and longstanding mistrust between Washington and Caracas. Understanding the events of January 3, 2026, and the immediate aftermath is crucial to evaluating the state of play on the ground and in the bilateral relationship.

Uncertainty in the Immediate Aftermath of the US Operation

In the immediate aftermath of the January 3 operation, there was widespread uncertainty in Venezuela regarding the future of PSUV rule. While the constitutional line of succession makes clear that the vice president should assume power in the president’s absence, initial messages from Venezuelan officials emphasized solidarity with Maduro and Flores rather than offering clarity on the future of PSUV governance. There was no official public reaction to the operation from the Venezuelan government until 04:14 VET, when former Defense Minister Vladimir Padrino López published a video on social media condemning the attack. He stated that Venezuela’s military — the Bolivarian Armed Forces (FANB) — was declaring a national emergency and deploying at strategic points around the country and called for unity against “imperialist threats.” Statements from Venezuelan officials since then confirmed the raid but did not clarify the makeup of the Venezuelan government.

Figure 1: Venezuelan state TV broadcast showing Rodríguez presiding over a meeting of the

Council of National Defense (Source: Telesur)

The first clarity on Venezuela’s future leadership came from Washington. At roughly 11:50 EST (12:50 VET), US president Donald Trump gave a public address in which he explicitly stated that Washington would work with Rodríguez as it assumed a more direct role in overseeing the country’s energy and security policies. Trump also said that María Corina Machado, the most popular opposition figure in the country (who had been outside the country since December 2025 and is currently in Washington) did not “have the support within or the respect within the country” to rule. While Trump claimed that Rodríguez had been "sworn in," Rodríguez’s hold on power was not publicly ratified until 15:20 VET. At that time, state television aired footage of the Council of National Defense, a body made up of the main institutional leaders of the country, featuring Rodríguez chairing the meeting and Cabello, López, and National Assembly President Jorge Rodríguez (Delcy Rodríguez’s brother) present. It was not until roughly 22:00 VET that state media began circulating a decision from the Constitutional Chamber of the Venezuelan Supreme Tribunal of Justice (TSJ) that made clear that Rodríguez would assume the duties of the president. In its ruling, the TSJ invoked a Chávez-era precedent to overrule constitutional language that would otherwise require her to schedule an early election, effectively indicating that Rodríguez is very likely seeking a mandate until Maduro’s term ends in January 2031. Neither Rodríguez nor any other official has yet made this claim explicit, and US officials have suggested that new elections should be held before then. On January 5, she was officially sworn into office in a televised ceremony held in the National Assembly in the presence of key figures in the regime and diplomats from China, Iran, Russia, and Cuba.

US-Venezuela Relations Since January 3

Since January 3, the US has generally signaled support for a working relationship with Delcy Rodríguez, while making clear that Washington expects full cooperation with its energy and security priorities. In the immediate aftermath of the operation, President Trump told reporters that he might consider a second strike if Rodríguez did not cooperate, but then, on January 9, announced on Truth Social that he had “cancelled the previously expected second Wave of Attacks” in response to the Venezuelan government releasing a number of political prisoners. Since this announcement, Trump has sought to 1 convey that he and Rodríguez work closely together. On March 5, 2026, Trump posted on social media that Rodríguez is “doing a great job, and working with US Representatives very well.”

US Secretary of State Marco Rubio has also expressed a willingness to work with Rodríguez’s interim government, but provided more explicit emphasis on a transition as the ultimate end goal of US policy. Speaking to reporters on January 7, Rubio described the US approach as consisting of three main phases: stabilization, recovery, and transition. Stabilization, he stated, is needed to prevent Venezuela from “descending into chaos,” which would be avoided by US control over oil-sale proceeds. Rubio clarified that the “recovery” phase would be aimed at reopening the oil sector to US and other Western firms, and it would ultimately be followed by a “process of transition” that would include reconciliation among Venezuelans. This three-phase framing has been echoed by other US officials, although to date, no fixed timeframe for a transition has been made public. US officials have also said that severing Venezuela’s ties to Russia, China, Cuba, and other US geopolitical adversaries is a top priority in the relationship.

US-Venezuela coordination on energy policy appears to be advancing rapidly. On January 29, Venezuela’s PSUV-controlled National Assembly passed a reform to the country’s Organic Hydrocarbons Law, aimed at increasing autonomy for private companies involved in the country’s oil and gas industry. While the revised law continues to assert state ownership over hydrocarbon reserves, it broadens the mechanisms through which private companies can participate in upstream activity, including allowing private operators — via contracts with state-owned energy company Petróleos de Venezuela S.A. (PDVSA) or joint ventures — to assume operational control while retaining a share of production. The reform also introduces a much more flexible framework for royalties and taxes, which can be set on a case-by-case basis by the Ministry of Energy, with royalties of up to 30% and taxes of up to 15%. Previous windfall taxes have been eliminated in this reform.

US support for revitalized energy cooperation with Venezuela has been enthusiastic, and President Trump has actively encouraged US and other Western oil companies to invest as much as $100 billion in Venezuela. Two days after the passage of the Organic Hydrocarbons Law reforms, the US sent Chargé d’Affaires Laura Dogu, who leads the Venezuela Affairs Unit out of the US Embassy in Colombia, to Caracas, where she is tasked with overseeing the restoration of diplomatic ties with Venezuela. While Dogu has conveyed US support for closer relations, she has reiterated US support for an eventual transition. On February 2, she met with Rodríguez, and afterward posted on X that in the meeting she reiterated “the three phases that Secretary Rubio has outlined for Venezuela: stabilization, economic recovery and reconciliation, and transition.”

In the wake of the Organic Hydrocarbons Law reform, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued a series of general licenses allowing US and other Western companies to produce, refine, transport, and sell oil without seeking individual exemptions, effectively lifting sanctions that had previously restricted these activities (see Appendix A). These OFAC licenses mandate that any authorized transactions with Venezuela's government or state energy company PDVSA must follow US laws (with disputes being resolved in the US), and that payments to the Venezuelan government or any other Venezuelan sanctioned entity be made into a US-overseen fund. US support for energy investment in Venezuela was emphasized from February 11 to 12, when US Energy Secretary Chris Wright led a delegation to Caracas to meet with Rodríguez, becoming the highest-ranking US official to visit Venezuela in years.

Figure 2: US Energy Secretary Chris Wright examining crude oil at a PDVSA project site with Rodríguez (Source: Social Media)

Internal and External Threats Confronting Acting President Rodríguez

Since Acting President Rodríguez took over from Maduro in the immediate aftermath of the US operation on January 3, she has voiced support for cooperation with Washington — but her incentives to cooperate fully are very likely limited. Rodríguez is aware of Washington’s “three point plan” for Venezuela and is likely supportive of US plans to stabilize the country, lift sanctions, and promote investment. However, she is almost certainly seeking to preserve her rule and a government led by the PSUV, and will very likely resist any attempt to preside over a transition of power to an opposition-led government. Her ability to do so will very likely depend on her ability to consolidate power and manage potential spoilers within her own coalition, as well as her ability to deepen cooperation with US interests and demonstrate utility to the White House. In doing so, she faces a number of internal and external threats to her rule, which include challenges by rivals inside the ruling PSUV over the next six to twelve months, and pressure by Washington to hold new elections over the next twelve to twenty-four months.

Internal Threats to Rodríguez’s Rule

The main internal threat to Rodríguez’s power in the short term is other members of the ruling elite. She has steadily worked to consolidate power and secure the support of the military and intelligence services, but her support among the country’s political and economic sectors is far from settled. There are almost certainly key figures in the security forces, the business community, and in the ruling party who view Rodríguez, and her relationship with the US, as a challenge to the previous status quo and its associated privileges, economic arrangements, and patronage schemes. They may be concerned about their future influence, immunity

As Rodríguez continues to establish her rule, some of these individuals may seek to oppose her, either by seeking to derail or sabotage her rapprochement with Washington or by openly rebelling against her. In this context, an attempted palace coup cannot be ruled out. Her primary rivals include the following figures and networks, each of whom has a distinct power base and incentive to view Rodríguez as an adversary or rival:

• Diosdado Cabello, Minister of Interior, Justice and Peace. Cabello is a senior power broker within the ruling party and has been the PSUV’s Secretary General since 2011. He has deep connections to the security services and hardline enforcement networks, including to pro-government armed paramilitary organizations known as “colectivos” (see Figure 3). State media has sought to downplay reported tensions between Cabello and Rodríguez, but Cabello’s incentives to undermine her are straightforward: Her consolidation of power threatens his influence over the party, the security apparatus, and his networks. He is also the only current cabinet member who was named in the unsealed drug trafficking indictment US prosecutors issued to capture Maduro, and he likely suspects that Rodríguez may eventually hand him over to the US.
• General Vladimir Padrino López, former Minister of Defense. Padrino’s Lopez’s likely core incentive is to preserve the influence he accumulated after over a decade as the institutional head of the FANB, and to preserve the patronage networks he developed as the country’s longest-serving defense minister. He also likely seeks to protect himself and senior officers loyal to him from eventual prosecution for corrupt activities or involvement in repression, and therefore very likely views Rodríguez’s government as a challenge to longstanding FANB impunity. While there is no public evidence of any cracks between Padrino López and Rodríguez, it is very likely that he will resist meaningful reforms inside the armed forces
• Major General Alexis Rodríguez Cabello, Director of the Servicio Bolivariano de Inteligencia Nacional (SEBIN). Cabello is a cousin of Diosdado Cabello and is believed to be close to him. As head of the primary intelligence service, Rodríguez Cabello has strong incentives to resist reforms that would expose him or his network to prosecution, and to preempt any purge that might impact him or his network.
• Major General Iván Rafael Hernández Dala, former director of the General Directorate of Military Counterintelligence (DGCIM). Hernández Dala, a close confidant of Maduro, was head of DGCIM until replaced by Rodríguez in January 2026. He is also believed to be a longstanding opponent of both Rodríguez and Cabello, and of their respective factions in the PSUV. Even if sidelined from formal command, Hernández Dala likely retains networks inside the intelligence and security apparatus. He likely has incentives to undermine Rodríguez if he anticipates facing prosecution for past abuses, loss of status, or exclusion from any protection or economic deals between Washington and Caracas.
• Business and Political Elites Tied to Maduro. Maduro and Flores dominated Venezuelan politics for nearly thirteen years. During that time, they cultivated a vast network of well-connected economic, military, and political elites that helped them sustain power. Many of them are not overtly tied to the Rodríguez siblings, and instead may be willing to ally themselves with rival factions to advance their own interests. Possible figures in this category include:
  • Tarek William Saab, Acting Ombudsman. Until his resignation in February 2026, Saab served as attorney general since 2017 and held significant influence over how the repressive apparatus was deployed, overseeing detentions and prisoner releases. Saab’s resignation was very likely forced, and he has clear incentives to resist any reform process that reduces his discretion or creates a credible path to independent investigations into past repression or corruption.
  • Nicolas Maduro Guerra, also known as “Nicolasito.” A member of the National Assembly and son of Maduro and Flores, Maduro Guerra is not one of the top PSUV powerbrokers in his own right but has played a crucial role in securing continuity by appearing publicly with Rodríguez and claiming she has his parents’ full support. Given lingering questions over internal Chavista involvement in the January 3 operation, he has leverage to complicate Rodríguez’s narrative and may seek to use it if he feels that his interests are threatened by the Rodríguez administration.
  • Alex Saab. Saab played a crucial role in facilitating sanctions evasion networks until his arrest by US law enforcement in 2020. Saab was later returned to Venezuela in a 2023 prisoner swap, and Maduro rewarded him by making him Minister of Industry and National Production. Rodríguez replaced him in January 2026, likely understanding that Saab was not palatable for US business interests, but Saab likely retains enough social capital within Venezuela’s private sector to pose a challenge to Rodríguez. This is the likely reason why Saab was reportedly detained by Venezuelan intelligence in February 2026, although his lawyer has maintained that he is not under arrest.

Figure 3: Illustration of key internal rivals of Venezuelan Acting President Delcy Rodríguez (Source: Recorded Future)

External Threats to Rodríguez’s Rule

US Pressure to Box Out Geopolitical Adversaries

In the short term, the most significant external threat that Rodríguez faces is a reversal of United States policy — either via renewed military or intelligence operations intended to force her removal, or through a more indirect pressure campaign meant to trigger a domestic fracture. A second US special forces operation to depose her outright is unlikely, but it remains a scenario Rodríguez and her circle will have to treat seriously, given the direct and disproportionate leverage that Washington currently holds over Caracas. More likely than further military action is the prospect of renewed pressure: the US can calibrate sanctions relief, revoke OFAC licences, and facilitate or block diplomatic recognition in ways that shape incentives and perceptions of the regime’s survivability among Venezuelan elites. Recent reporting suggests Washington is simultaneously pursuing deepened energy engagement while remaining skeptical about whether Rodríguez will fully align with US strategic demands, which increases the possibility of an abrupt shift away from Rodríguez if she does not deliver on US priorities.

A major fault line in the US-Venezuela relationship is Venezuela’s ongoing relationships with US geopolitical adversaries, namely China, Russia, Iran, and Cuba, even as the US has increasingly sought to box them out of Venezuela. US officials publicly demanded that Venezuela cut ties with adversary nations and have actively moved to push them out. The US has successfully pressured Venezuela to end fuel shipments to Cuba, and OFAC general licenses intended to facilitate Venezuelan oil and gas activity explicitly do not authorize transactions involving Russian, Chinese, or Iranian entities. In spite of this, Rodríguez has sought to publicly demonstrate an interest in retaining these partnerships.

Opposition Efforts to Limit US-Venezuela Engagement

Another short-term external threat to Rodríguez is opposition figure María Corina Machado. While she remains the most popular opposition figure in Venezuela, and her faction has a demonstrated capacity to organize protests on the ground, these have so far not presented a significant threat to stability or to PSUV governance. Her presence in Washington since December 2025, however, has provided her with a major platform to directly shape the US foreign policy debate over Venezuela. With Machado and close advisors operating from Washington, she has advanced a narrative publicly supportive of the US agenda while privately calling on allies in Congress and in the international community to press for a clearer timetable for new elections and the ouster of the PSUV. She has also used her platform to promise she will return soon, and to highlight perceived inconsistencies between Rodríguez’s actions and her rhetoric, noting, for instance, the gap between the government’s claimed political prisoner release numbers and the figures cited by independent rights organizations.

Figure 4: Photo of Venezuelan opposition leader Maria Corina Machado at a rally ahead of the 2024 presidential election (Source: Reuters)

Machado has received strong support from bipartisan lawmakers in the US House and Senate, who have questioned US engagement with Rodríguez. While Machado’s efforts to raise the political cost of engagement with the Rodríguez government have earned her support from some allies in Washington, the White House has reportedly expressed frustration with her criticism, with officials claiming it undermines US policy. These efforts very likely represent a lesser threat to Rodríguez’s hold on power, given White House insistence on working with Rodríguez, but introduce persistent uncertainty into the sustainability of US support for her.

Calls for a Competitive Election

Beyond these immediate pressures, the most important mid-term threat to Rodríguez and to future PSUV rule is the election timeline reportedly being promoted by the Trump administration. While the US has refrained from presenting a specific timetable, officials ranging from Chargé d’Affaires Dogu to Secretaries Rubio and Wright have increasingly signaled publicly that the US expects to see new elections in the next eighteen to twenty-four months. The specifics of these elections, like whether they would be only presidential or include broader general elections (to replace the PSUV-dominated National Assembly), have not been disclosed, but the US insistence on elections in some form very likely forces Rodríguez to reconcile her approach to coalition management with a desire to seek electoral legitimacy on a compressed timeline.

At the moment, Rodríguez, her inner circle, and PSUV elites almost certainly view a competitive presidential election as an existential threat. Polls have repeatedly demonstrated that the PSUV is unpopular. While Rodríguez is the most popular figure in the PSUV, she would very likely lose a presidential race with Machado by a two-to-one margin, and Machado would very likely defeat any PSUV candidate absent a significant shift in public opinion. Maduro’s removal has not automatically revived grassroots loyalty to the ruling party, with local PSUV leaders describing fractures, demobilization, and severe drops in participation inside local party structures since January 2026.

Given the PSUV’s lack of legitimacy, US support for elections will likely become a flash point in the relationship with Rodriguez. These tensions will also very likely be exacerbated by opposition mobilization inside the country and Machado’s efforts to marshal support in Washington. While US authorities have not yet demanded that Machado be allowed to return to Venezuela (and has reportedly asked her to delay any plans to this effect), her return is almost certain to occur well in advance of an election as she has openly said she will run. The temporary re-arrest of opposition figure Juan Pablo Guanipa in February after he began organizing anti-government rallies suggests the ruling party will likely seek to use the repressive apparatus to restrict Machado’s campaigning efforts, elevating the likelihood of pre-election instability. Even if a competitive election is held under the PSUV, the experience of the July 2024 election suggests that the ruling party is unlikely to recognize the results if the opposition wins, raising the likelihood of post-election instability, protests, and violence.

Delcy Rodríguez’s Origins and Principles of Her Approach to Decisionmaking

Before her emergence in recent years as the face of relative economic pragmatism in Chavismo, Delcy Rodríguez’s background was not well-known internationally. But her rise to power reveals a number of factors that likely inform her approach to governance and likely impact the prospect for political and economic stability moving forward. These include:

• Familiarity with Venezuela’s Intelligence and Repressive Apparatus: In addition to her reputation as an economic reformer, Rodríguez likely has a deep familiarity with intelligence work that, according to state media, goes back to the Chávez years. In 2002-2003, she reportedly worked with the SEBIN’s predecessor agency, the Dirección General Sectorial de los Servicios de Inteligencia y Prevención (DISIP), on undisclosed counterintelligence work involving “geopolitical reports” with former DISIP head Eliezer Otaiza. From the time she rose to the office of Executive Vice President in 2018 until 2021, the SEBIN technically fell under her office. While there is no publicly available evidence that she explicitly directed SEBIN-led repression of dissidents, her role likely afforded her a deep familiarity with the main Venezuelan intelligence agency’s response during the government’s crackdown on the post-2018 election protests and the 2019 protest wave led by opposition figure Juan Guaidó. It is likely that she was, at a minimum, aware of acts of torture, extrajudicial executions, arbitrary detentions, and other alleged human rights violations and crimes against humanity since 2014 that have been credibly documented by the Independent International Fact-Finding Mission on Venezuela created by the United Nations (UN) Human Rights Council.
• Identity Shaped by Revolutionary Politics: Rodríguez was born in Caracas in 1969 and grew up in a politically active left-wing family. Her father, Jorge Antonio Rodríguez, founded an armed urban guerrilla group and was killed in police custody in 1976, allegedly under interrogation. His death made him a martyr among the Venezuelan left, which cemented the revolutionary identities of Rodríguez and her older brother Jorge from an early age. Rodríguez has framed her decision to study law as an effort to “do justice for her father’s case,” and both she and her brother routinely cite his death as a justification for their support for Hugo Chávez and the movement he founded. In public, Rodríguez has repeatedly expressed strong support for the ruling party’s socialist ideology. In a September 2019 address to the United Nations General Assembly, she criticized “capitalist supremacism” and ended with a call to “save the world from capitalist violence.”
• Willingness to Break from Ideological Purity: In practice, Rodríguez’s rise demonstrates that she is open to abandoning ideological purity in order to accomplish her objectives. Unlike Maduro and other ruling party figures who developed close personal ties to Chávez, she had a notoriously poor relationship with the former leader and spent significant time outside Venezuela in her formative years. Rodríguez studied law at the Central University of Venezuela, but later pursued postgraduate studies abroad in labor law in London and Paris, and reportedly spent time in the United States. She speaks English and French. Rodríguez returned to Venezuela after an opposition-led failed coup attempt against Chávez in 2002, and first worked as an advisor in the Foreign Ministry, and then as Deputy Minister for European Affairs before ending up as Chávez’s Minister for Presidential Affairs. She did not last long in this position, however, and was abruptly dismissed after she reportedly argued with and insulted him during a presidential visit to Moscow. Rodríguez then adopted a lower profile in Venezuelan political life until Maduro took power, who made her his foreign minister in 2014. As foreign minister (2014-2017), president of the pro-government National Constituent Assembly (2017-2018), and then as executive vice president (2018-2026), she developed a reputation as a shrewd political operator and staunch Maduro ally.
• Interest in Addressing PSUV’s Declining Popularity: Although Rodríguez was and arguably remains a Maduro ally, she has demonstrated a clear awareness of how the PSUV’s economic mismanagement has led to its declining popularity and has shown an interest in reversing it. Ahead of the 2018 presidential election, she briefly led a satellite party of the PSUV called the Movimiento Somos Venezuela (“We Are Venezuela Movement”) and served as its leader in a likely attempt to “rebrand” Chavismo and connect with a younger generation of Venezuelans. She was officially reincorporated into the PSUV’s leadership in late 2018 after her party failed to account for more than six percent of Maduro’s reelection vote. When Maduro made Rodríguez his Minister of Economy in 2020, she began to advance an agenda of relative economic liberalization, and brought on a team of Ecuadorean advisors to impose tighter fiscal discipline and stabilize the exchange rate, eventually promoting the de facto dollarization of the economy. The success of the policies contributed to a modest but important economic rebound and led Maduro to appoint her in 2024 as Energy Minister as well, a post she technically still occupies. In overseeing this economic agenda, she began to cultivate a reputation for herself as less of an ideologue and more of a pragmatist, and began to pursue closer relationships with major energy companies and other investors. This reputation almost certainly contributed to the US decision to engage with her government after removing Maduro.
• Calculating Operator with Sense of Persecution: Rodríguez has a history of keeping track of past instances where she has been slighted, even referring to her support of Chavismo and of its revolution as her and her brother’s “personal revenge” for the death of their father. Rodríguez herself has alluded to this trait on state media. In a 2024 appearance on the Con Maduro Podcast, she recalled running into former Argentine President Mauricio Macri, a vocal critic of the Venezuelan government, at the 2022 World Cup in Qatar. Macri had recently been made the Executive Chairman of the FIFA Foundation, and, according to Rodríguez, she shook his hand and told him: "Did you see where you are now, and where we are? We're with the Venezuelan people. And you? You're here picking up balls.” Rodríguez is also a savvy operator, and her rise to prominence reflects not only her ability to deliver on economic policy objectives but also her ability to outmaneuver rivals. The best-known instance of this is her leadership of an anti-corruption campaign in 2024, which resulted in the imprisonment of former vice president, oil minister, and longtime rival Tareck El Aissami.
• Openness to Dialogue with Washington: Even before the current rapprochement between Washington and Caracas, Rodríguez was known for consistently favoring a deeper diplomatic relationship with Washington — albeit one built on mutual respect. During the 2022 phase of exploratory talks in which the two countries negotiated sanctions relief in exchange for holding presidential elections in 2024, Rodríguez publicly maintained that the relationship “cannot be conditioned,” saying that Venezuela’s doors were open to any country that arrived “with respect” and treated it as an equal under international law. During this period, she specifically centered the importance of discussing US oil and gas interests in bilateral diplomacy, saying that Venezuela was willing to pursue “energy dialogue” with US firms, indicating a view of energy cooperation as a channel for de-escalating tensions.

A Framework for Anticipating Delcy Rodríguez’s Policy Decisions

When Delcy Rodríguez faces policy decisions that impact economic and political stability in Venezuela in the coming months, her approach is likely informed by the pillars described above: her revolutionary identity, tactical pragmatism, openness to US engagement, an interest in restoring popular support for the PSUV, a long memory for slights, and familiarity with the security apparatus, as well as the internal and external short- and mid-term threats to her rule. Given these factors, Insikt Group assesses that she is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning, while likely cooperating with the US in ways that preserve her credibility inside the ruling coalition. This matters for prospective investors because it suggests the Venezuelan government is likely to seek to maintain a pragmatic economic policy environment focused on short-term macroeconomic stability. At the same time, companies seeking to invest will almost certainly continue to face elevated sanctions compliance risks and potential policy reversals depending on the evolving Washington-Caracas relationship, making it critical to closely monitor Rodríguez’s evolving policy decisions and internal relationships.

Coalition Management over Open Confrontation with Rivals

Rodríguez will likely prioritize maintaining and reconfiguring her coalition over seeking conflict with internal rivals, because the external pressure she faces makes internal rupture more risky than compromise. Her main rival, Diosdado Cabello, has significant sway over the repressive apparatus and over pro-government armed “colectivos” loyal to him, and his removal could therefore provoke unrest and destabilizing violence. This is precisely the kind of chaos Washington has sought to avoid, and very likely why it opted to keep Rodríguez in place as interim president in the first place. She therefore likely assesses that purging, detaining, or otherwise sidelining Cabello or other top PSUV rivals could risk calling into question her ability to maintain order, and would undermine her position with Washington as a lynchpin of relative calm and continuity.

This is likely the reason that Rodríguez has sought to balance the ruling coalition since taking power rather than immediately shaping it to align with her preferences. Although she elevated her allies to higher positions in her government early in her tenure — such as appointing Calixto Ortega as Vice President of Economy — she has largely kept the ruling apparatus in place. Not only has she left a number of other figures close to Cabello in their positions, but she has also promoted figures in Cabello’s network. Just three days after Maduro’s capture, she named Gustavo González López, believed to be a Cabello ally, to lead both the Presidential Honor Guard and the Directorate General of Military Counterintelligence (DGCIM). On March 18, she also named González López to be her Defense Minister, replacing Padrino López. She also appointed Cabello’s daughter, Daniella Cabello, to be Minister of Tourism — a significant post that will afford her a direct role in reopening Venezuela to international commercial activity. These moves were likely taken out of a desire to effectively secure Cabello’s support for her economic normalization agenda.

Face-Saving Cooperation with Washington

Rodríguez will likely continue to cooperate with Washington’s energy priorities, but she will very likely pair this compliance with visible signaling aimed at saving face with PSUV loyalists. This is likely why, even as she has received high-level US officials in Caracas and even spoken with Trump over the phone, she has publicly demonstrated support for retaining partnerships with US adversaries. On January 8, for instance, Cuban Foreign Minister Bruno Rodríguez traveled to Caracas and accompanied the interim president to speak at a commemoration event at Venezuela’s Military Academy for the Cuban and Venezuelan casualties from the January 3 US operation to capture Maduro. This was Rodríguez’s first event in which she officially presided over a military ceremony as commander in chief of the armed forces. On the same day, state-run media reported that Rodríguez held a meeting with Chinese Ambassador to Venezuela Lan Hu, in which she thanked China for its support for Venezuelan sovereignty and described the encounter as “cordial.” The ambassadors of China, Russia, and Iran were given front row seats to Rodríguez’s January 5 swearing-in ceremony, and state TV broadcast images of the Venezuelan leader greeting them affectionately.

Figure 5: Screenshot of Venezuelan state TV broadcast showing Chinese ambassador Lan Hu, Russian ambassador Sergey Mélik-Bagdasárov, and Iranian ambassador Ali Chegueni were prominently seated at Venezuelan Acting President Delcy Rodríguez’s January 5, 2025, swearing-in ceremony (Source: Telesur)

Such gestures will very likely continue as they offer Rodríguez a way to preserve credibility among PSUV elites and everyday party faithful. She can claim that her rapidly evolving relationship with Washington is a sovereign decision that improves stability and living conditions, rather than a relationship that is shaped by a drastically uneven playing field. As part of presenting an image of mixed compliance with Washington’s demands for Venezuelan audiences, she will almost certainly continue insisting that Maduro remains the legitimate president and demand his return, even as she works to consolidate her own power.

Leveraging Hardliners to Justify Non-Compliance

The internal rivalries identified above represent significant threats to Rodríguez’s legitimacy inside the PSUV and her claim to power, and attempting to balance her coalition while consolidating her control will almost certainly be a major challenge for Rodríguez. However, it is likely that Rodríguez will, over time, point to alleged hardliners to justify selective non-compliance with US aims, credibly or otherwise. Ultimately, it may be useful for Rodríguez to be able to point to ongoing tensions in her coalition or the prospect of instability as a way of warding off US pressure for an eventual transition or for competitive elections to be held. This justification is likely to lose credibility over time if she continues to consolidate administrative control and accumulate legitimacy, especially if she presides over significant economic gains amid US sanctions relief. Ultimately, the very steps that allow her to consolidate her rule may eventually be used by Washington to justify accelerating the end of it.

Resistance to Elections if Seen as an Existential Threat

Rodríguez’s past political experience and the PSUV’s record across more than 25 years of governing suggest the Venezuelan government will very likely seek to maximize political gain from any economic growth resulting from US sanctions relief and economic normalization. And while US officials have routinely conveyed that they expect elections to be held in the next two years, the Venezuelan government is almost certain to resist or sabotage elections unless it perceives that economic improvement has boosted the PSUV’s chances of winning a competitive election. Even then, the PSUV will very likely seek to use its control of government to activate patronage networks, divert public resources to politicized social programs, and attempt to present legal obstacles to opposition campaigning — just as it did in the lead-up to the 2024 presidential election.

Ultimately, this logic is consistent with how Chavista elites have historically conceptualized elections: In multiple instances of US-backed talks meant to offer sanctions relief in exchange for competitive elections, Venezuelan government negotiators routinely argued that elections can be considered “fair” only if voters can judge the government without the distorting economic effects of sanctions. If economic growth does not translate into a boost in popular support for the ruling party, Rodríguez will likely come under increasing pressure from rivals to resist a US-backed transition. It is therefore likely that democratization in Venezuela will be phased and gradual, not immediate, and will likely depend in large part on whether elements of the ruling elite see a viable future for themselves in the country as a possible outcome after alternating power.

Outlook

Over the coming months, Delcy Rodríguez is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning, while still finding ways to cooperate with the United States that preserve her rule and credibility inside the ruling PSUV coalition. In the short- to mid-term, the main challenge she faces is the threat posed by internal rivals who may feel threatened by her reforms. This makes her cabinet changes, and evidence of backlash among political and economic elites, crucial variables to watch. In confronting internal threats to her rule, she will likely pursue a strategy of coalition management over one of open confrontation. Even as Rodríguez continues to consolidate power and tries to keep hardline rivals contained, she will likely avoid high-risk moves that could fracture elite support and risk threatening her relationship with Washington.

In the short and mid terms, the main flashpoints will be US pressure to end Caracas’s relationships with Moscow, Beijing, and other US adversaries, as well as US pressure to hold competitive elections in the next two years and eventually to advance a political transition. Rodríguez and PSUV elites likely view a genuinely competitive presidential vote as an existential threat. As a result, the government is almost certain to resist or sabotage competitive elections unless economic improvement significantly boosts the PSUV’s electoral odds. Even then, it would likely use patronage, politicized social programs, and legal obstacles to constrain opposition campaigning and preserve an institutional advantage. This raises the prospect of instability both in the lead-up and in the aftermath of any elections, given the likelihood of opposition protests and an associated crackdown. Given these dynamics, any transition is more likely to be phased and gradual than immediate, with stability hinging on whether Rodríguez is able to consolidate support among the ruling elite and whether the broader Chavista coalition can see a viable future for itself under any eventual alternation of power.


Appendix A: 2026 OFAC Licenses Issued for Venezuela

Table 1: A list of OFAC general licenses issued since the passage of the Venezuela hydrocarbons law(source: US Office of Foreign Assets Control)

Read the Full Video Transcript:

I’m Kyle Kohler. I’m a product manager over the integration strategy at Recorded Future.

Recorded Future is the world’s largest threat intelligence provider. We are covering all sorts of domains of intelligence. It’s geopolitical intelligence, cyber intelligence, payment fraud intelligence. And essentially intelligence is this data that an organization uses to take action and make a better decision. So the more that you understand a subject or topic, a current event, the better that you can define what actions you take to either defend your organization or proactively increase your competitive edge.

As a product manager, it’s funny. I see it as this arson firefighter educator role. And I think that definitely needs to be unpacked a bit. As an arson, you’re starting fires. So, very strategically, which fire do I put under which team, under which initiative, which fire do I stoke and one do I burn hotter? And as a firefighter, you’ve got maybe fires coming in being reported to you from a customer, from an organization, from another product team who needs this other product team to make something happen. And so, you’re very strategically figuring out what to stamp out, what to stoke. And as an educator, you’re also teaching others how to start fires and put out fires. So, you’re constantly going from one thing to the next and keeping all of these moving pieces going. There’s no one project that you just shepherd along and that’s the only thing you work on. You’re constantly context switching and a good product manager has that multi-domain knowledge to think laterally, but also track how this thing affects that thing and how it might affect the other thing in the future.

At Recorded Future, we’re a global organization and I’m based on the west coast of California. So I wake up in the morning and the first thing I’ve got are 10 to 12 Slack messages from across the globe that come in from different geographies. Other people are ending their day and they’ve got some questions that maybe I can answer or they’re looking for how to direct on who might have the right answer. So the first thing generally starts with voraciously checking Slack and I’m answering notifications as I mentioned questions and the next thing is okay well from the answers to those questions are there new initiatives that need to get spun up or are there existing initiatives that need to get nudged along or are there certain fires that need to get stamped out and that’s the whole day is you’re really tracking where things are in their current state what needs to get responded to and what needs to get pushed along.

Recorded Future really was attractive to me because it was a pretty new field within cyber security and within technology but also as a company was not just related to IT and cyber had this geopolitical and payment fraud type of angle looking at the world. So it was really taking a big data problem how do you track everything that happens everywhere but then how do you break that down into these bite-sized pieces that ultimately help an organization’s current mission. So I really was attracted by the fact that we are helping organizations secure the world. We’re able to do that by securing the world with intelligence, but it’s so multi-domain that you’re just never going to get bored. There’s always something new. There’s always something to track. There’s always some new threat. There’s always some new initiative, some new innovation. And Recorded Future has really been at that cutting edge of innovation. Always coming up with what’s next in the market, what’s next in the threat landscape and how will we as a company address supercharging the existing missions of our organizations that we help today.

Original content: https://venturefizz.com/insights/what-i-do-at-recorded-future-senior-product-manager/

This report provides an overview of trends and developments in the cybercriminal ecosystem of Latin America and the Caribbean (LAC) in 2025. Insikt Group found that threat actors operating in or targeting the LAC region predominantly use client-server applications and end-to-end encrypted messaging platforms such as Telegram, as well as established English- or Russian-speaking dark web and special-access forums, to communicate and conduct activities. Threat actors demonstrate increased sophistication in their operations, adapting their tactics, techniques, and procedures (TTPs) over time, while still relying primarily on traditional methods such as phishing and social engineering, malware distribution, and ransomware. Based on our analysis, we have determined that Brazil, Mexico, and Argentina were the countries most targeted by financially motivated cybercriminals, likely because they are LAC's largest economies. Additionally, based on this research, Insikt Group found that threat actors often targeted critical industries such as healthcare, finance, and government because they hold high-value data, face operational urgency, and, at times, rely on legacy systems that may be vulnerable.

Key Findings

• Insikt Group assesses that criminal forum DarkForums and the messaging platform Telegram are the primary special-access forums and communications platforms used by threat actors operating in or targeting the LAC region.
• Threat actors operating in or targeting LAC are typically financially motivated and frequently leverage social engineering, ransomware, and various forms of mobile malware to gain initial access to government, healthcare, and financial institutions.
• In 2025, Insikt Group recorded 452 ransomware incidents impacting the LAC region. The top five industries affected were healthcare, manufacturing, government, information technology, and education, all of which observed a noticeable increase in attacks compared to the previous year.
• Insikt Group continued to identify banking trojans being leveraged by threat actors, with established variants being the most widely used. Specifically, threat actors used banking trojans in targeted smishing campaigns targeting WhatsApp users to gain access to financial data and steal credentials.
• Insikt Group identified LummaC2 as the most prolific information stealer (infostealer) affecting organizations in LAC in the first half of 2025 and Vidar in the second half, following law enforcement disruption of LummaC2.

Background

In the aftermath of the COVID-19 pandemic, the LAC region underwent rapid digital development that outpaced security maturity, leading to asymmetrical cloud adoption, reliance on legacy infrastructure, and the introduction of remote work across all verticals. Many organizations adopted software-as-a-service (SaaS) platforms without effectively implementing strong access controls or multi-factor authentication (MFA) methods, leaving them exposed to ransomware and data theft, among other cyberattacks. Economic instability (inflation and currency controls) in LAC countries has created incentives for cybercrime while weakening institutional defenses. Political volatility, social protests, and corruption have created new opportunities for financially and politically motivated threat actors. Compounded factors such as high youth unemployment, income inequality, and the influence of informal economies have driven individuals to seek alternative sources of income, which in turn fuels much of the cybercrime we see today.

According to a World Economic Forum report, 13% of respondents in the LAC region expressed low confidence in their country’s preparedness to respond to significant cyber incidents. Despite significant progress in digital government, regulatory advancements, and investments in the region, many countries still lack the technical competence in their workforce and the resources to sustainably harden their environments. Many LAC government networks hold large amounts of sensitive data but are deficient in their security best practices, leaving their systems vulnerable to cyberattacks. Large breaches are routinely circulated, recycled, and resold on dark web marketplaces, enabling identity theft, synthetic identity fraud, SIM swaps, and account takeovers, among other types of cybercriminality to flourish at a larger scale.

Although the LAC region has made significant technological advancements, particularly in the financial services sector, innovations are creating new challenges. The financial technology industry has introduced mobile banking applications, digital wallets, and instant payment systems. LAC countries face rising levels of cyber-enabled fraud in the financial sector because real-time payment rails have weaker identity verification controls, rendering social engineering attempts more effective. Instant payment systems, such as Brazil’s PIX and similar mobile banking platforms, have often been targeted by threat actors. With faster transaction speeds at higher volumes, detection and recovery efforts have become increasingly complex, making scams significantly more profitable and scalable.

The LAC region has the world's fastest-growing rate of disclosed cyber incidents, though many remain unreported. Only seven LAC countries have plans to protect their critical infrastructure from cyberattacks, and only twenty have Computer Security Incident Response Teams (CSIRTs). Despite 31 LAC countries having some form of legislation addressing cybercrime, many face skills shortages, creating barriers to enforcement. Limited law enforcement resources and unreliable interstate cooperation further delay investigation and prosecution, enabling threat actors to operate across jurisdictions with relative ease. A cultural perception that cybercrime carries low risk and offers high reward undermines the deterrent effect that reliable law enforcement action would otherwise have. This incentive structure, coupled with reduced stigma, encourages repeat offenses and recruitment, as reflected in the cybercriminal trends observed by Insikt Group in 2025.

Cybercriminal Activities in LAC

Throughout 2025, Insikt Group investigated and identified different types of cybercriminals operating on clearnet and dark web sources. Cybercriminals routinely leveraged phishing for initial access, and among the most common methods seen was the search and collection of sensitive information directly from a compromised host's file system or databases. This technique is often a critical pre-exfiltration step used to obtain financial records, passwords, and other forms of personally identifiable information (PII), likely to conduct account takeovers or fraud. Insikt Group research found that cybercriminals have also begun evolving their TTPs to exploit near-field communications (NFC) to commit financial fraud and are using malware to target cryptocurrency wallets. Insikt Group intelligence indicates that cybercriminals are primarily interested in selling compromised databases and access methods, as well as participating in hacktivist collectives. In some instances, advanced persistent threats (APTs) have also begun to overlap their activities with cybercrime when targeting the region.

Cybercriminal Sources

Threat actors operating in or targeting the LAC region continued to rely on the infrastructure of established English- and Russian-speaking forums throughout 2025 (see Appendix A). Insikt Group identified Spanish- and Portuguese-language postings on several established dark web and special-access forums. Even though these sources are predominantly English- and Russian-speaking, these posts likely indicate a preference among threat actors targeting LAC to seek more established, traditional platforms for conducting business. Research showed that low to moderate-tier forums are most commonly used by threat actors based in or targeting LAC countries, possibly suggesting lower levels of sophistication, as higher-tier forums often require vouching, payment, demonstration of knowledge or technical abilities, and sometimes private invitation to gain access.

Insikt Group assesses that most communications between threat actors likely occur on encrypted messaging platforms such as Telegram, WhatsApp, and Signal due to speed, ease of access, and higher levels of trust among group members. Given the privacy-enhancing features of many of these platforms, collection efforts can become significantly more constrained. Telegram is predominantly used because it offers larger channel and group capacities, account creation is simple, it enables threat actors to leverage bot automation and support for their malicious activities, and content moderation is typically less stringent than on other platforms. By offering a path of least resistance, threat actors enjoy the added privacy that end-to-end encrypted messaging platforms provide without delaying their operations.

Financially motivated threat actors often advertise a variety of data types, including PII, financial data, login credentials, system access credentials, exploits and vulnerabilities, malware, ransomware, and hacking tutorials. In some instances, Insikt Group observed threat actors selling customer relationship management (CRM) access, virtual private network (VPN) access with domain user privileges and local administrator rights on a database server, and command-and-control (C2) access to LAC-based entities in 2025. Leveraging this access to information, cybercriminals may facilitate further crimes, including but not limited to extortion attempts, digital and social engineering scams, ransomware deployment, data theft, and account takeovers. Insikt Group research indicates that threat actors generally advertise breached databases and payment card data because they can be lucrative, require relatively low levels of sophistication, and are sought after by other cybercriminals.

Threat actors often target government systems because they contain highly sensitive data that can be profitable for scams, identity theft, or extortion. For instance, shortly after a tense general election, Ecuador’s legislature, the National Assembly, reported it had suffered two cyberattacks aimed at accessing confidential data and disrupting the availability of information services. In another example, threat actors exposed sensitive data on millions of Paraguayan citizens on the dark web; among the alleged exfiltrated data are national ID numbers, dates of birth, physical addresses, and health service records.

DarkForums was the primary dark web and special-access forum where Insikt Group recorded the most posts relating to cybercrime-related events in Spanish and Portuguese in 2025. This forum is an English-language, low-tier forum operated by English-speaking administrators, launched in March 2023, and is accessible via a clearnet domain. Additionally, DarkForums was observed hosting leaked databases and data breaches involving Spanish-speaking countries, with posts describing the compromise of thousands of records and credentials. Other forums, such as XSS, Exploit, RehubcomPro, Cracked, BreachForums 2, ProCrd, and CrdPro, were also among the top forums to contain posts in Spanish and Portuguese. Appendix A presents a sample of Spanish and Portuguese forum threads from these sources.

Cybercriminal Tactics and Attack Vectors

The LAC region has a long history of financially motivated cybercrime; as a result, Insikt Group observed in this analysis that threat actors continue to heavily target the financial sector. Threat actors typically rely on traditional initial access methods, such as phishing via email, SMS, and WhatsApp messages, impersonating financial institutions, and requesting invoices or payments. Threat actors deliver lures via malicious links that redirect to fake login pages and contain malicious attachments with embedded links. Many of these techniques are effective when targeting entities in the LAC region due to an overwhelming reliance on email and messaging applications for business, as well as a general strong trust in branded communications. Artificial intelligence (AI) has introduced more sophisticated methods into the cybercriminal ecosystem in LAC, lowering the barrier to entry for threat actors and significantly increasing the scalability of attacks through automation. AI helps threat actors create more effective phishing messages that could be generated in native Spanish or Portuguese, rendering them more convincing to the local target audience. The advent of agentic AI also presents new opportunities and attack vectors for cybercriminal groups to exploit and greatly facilitates cybercrime-as-a-service. Organized criminal groups have integrated AI into their operations to assist with drug smuggling, money laundering, cyber-enabled fraud, and malware development.

Throughout 2025, Insikt Group observed threat actors targeting the LAC region by compromising remote desktop protocol (RDP), VPNs, and web admin panels, and obtaining credentials from prior infostealer infections, password reuse, brute-force attacks, and other initial access points. Based on data within the Recorded Future Intelligence Operations Platform, there are approximately 29,000 references to exposed LAC-related credentials on Russian Market. These exposed credentials are from domains belonging to the top organizations (by revenue) in the healthcare, government, and financial sectors across the five largest economies in LAC. Russian Market is one of the leading dark web marketplaces for the sale and distribution of infostealer logs. Most of these logs were from LummaC2 and then Acreed Stealer, consistent with what Insikt Group observed in its review of additional infostealer logs. It should be noted that many of the 29,000 exposed credentials are likely customers of these organizations and not necessarily employees, as Recorded Future does not have access to internal-facing employee domain addresses to search for exposed credentials; however, those can be added by an end user. Insikt Group assesses that these attack vectors were likely effective for infiltrating the systems of targets in the LAC region due to increased remote work adoption, legacy infrastructure in many public institutions, and limited monitoring and resources. Insikt Group observed threat actors advertising carding tools, bulk SMS/Email blasting, SIM swapping, hacking assistance, and other similar services on Telegram channels.

In 2025, Insikt Group observed a rise in novel types of malware that actively leverage and exploit NFC. First identified by Threat Fabric, PhantomCard is an Android trojan, notably a variant of China-origin NFC relay malware-as-a-service (MaaS), primarily targeting banking customers in Brazil. PhantomCard enables relay attacks by obtaining NFC data from a victim's banking card and transmitting it to a threat actor's device to perform transactions at point-of-sale (POS) systems or ATMs. PhantomCard is distributed via malicious webpages that impersonate legitimate applications, prompting victims to tap their cards and enter their personal identification numbers (PINs) for authentication. Once credentials are fraudulently obtained, they are relayed to attackers.
Similarly, in late 2025, threat actors deployed RelayNFC, a mobile malware that targets contactless payment cards, in a phishing campaign targeting Brazilian users. This evolution in TTPs parallels the shift by threat actors from skimming magnetic stripe data to “shimming” Europay, Mastercard, and Visa (EMV) chip data in the payment fraud ecosystem, since unique cybercriminal solutions typically follow new security innovations.

Per the 2025 Cybercriminal Cryptocurrency Annual Activity Report, Insikt Group consistently observed activity in which cryptocurrency wallets were targeted by various forms of malware, such as drainers, clippers, and miners, to steal funds. Given the persistent lag in cybersecurity measures in LAC and the rapid growth of the cryptocurrency market in the LAC region, its users may become attractive targets for cybercriminals. The top five countries in the LAC region that dominate the cryptocurrency ecosystem are Brazil, Argentina, Mexico, Venezuela, and Colombia. However, Brazil is the clear leader, accounting for a third of overall cryptocurrency activity. Insikt Group assesses that, as the mainstream adoption of cryptocurrency continues, threat actors will likely seek targets in these countries, as knowledge and security practices among the user base in these regions will likely be lacking. Additionally, as with threat actors in other regions of the world, those targeting LAC will almost certainly leverage this medium of exchange to transact and launder illicit funds. As countries continue to adopt new regulations and introduce new forms of cryptocurrency, we expect threat actors to identify new vectors for exploitation. As of 2025, Argentina, Brazil, Colombia, Ecuador, Paraguay, Trinidad and Tobago, Uruguay, and Venezuela are participating in INTERPOL’s inaugural pilot phase for the new Silver Notice, which will be published to “help trace and recover criminal assets, combat transnational organized crime and enhance international police cooperation,” likely including cryptocurrency assets if linked to criminal proceeds.

Advanced Persistent Threats (APTs) and Cybercrime

Throughout 2025, Insikt Group observed a rise in APT activity targeting the LAC region using traditional cybercriminal methods, such as phishing and ransomware. This suggests some APT groups may also have financial motivations extending beyond seeking strategic geopolitical influence. Prominent APTs, such as Dark Caracal, conducted cyber espionage and delivered the Poco RAT via financial-themed phishing. TAG-144 (Blind Eagle) primarily targeted government entities in South American countries, notably Colombia, using TTPs such as spearphishing and remote access trojans (RATs) in campaigns blending espionage and financial motives.

Insikt Group assesses that some Chinese state-sponsored activity is likely aimed at protecting economic investments in the region, such as the Belt and Road Initiative (BRI), sovereign loans, and widespread commercial interests. In addition to the above APT groups, Chinese state-sponsored groups are also targeting entities in LAC countries. TAG-141 (FamousSparrow) leveraged SparrowDoor malware against entities in Mexico, Argentina, and Chile. Storm-2603 (Gold Salem) deployed ransomware, including Warlock, LockBit, and Babuk, targeting multiple sectors across agriculture, government, energy and natural resources, and telecommunications in the LAC and Asia-Pacific (APAC) regions. This activity may signal that China is seeking to retain influence in the LAC region through cybercriminal means or is interested in financial gain.

Hacktivism

The LAC region has repeatedly experienced periods of complex political and social unrest fueled by debates regarding economic reforms, corruption, and inequality. Unlike financially motivated cybercrime, hacktivism tends to be political or ideological, and these tense conditions can create an environment where hacktivism spikes. In late 2025, Insikt Group noticed increased activity from Chronus Team, a hacktivist group known for defacement attacks and data leaks aimed at exposing security vulnerabilities, primarily targeting organizations in Mexico. The threat group leverages Telegram channels for communication and propaganda. It has loosely aligned with other hacktivist and cybercriminals groups, such as Elite 6-27 and Sociedad Privada 157, to gain attention and increase its reputation. Insikt Group observed another trend where several hacktivist groups began transitioning to ransomware-as-a-service (RaaS) for financial gain. One such hacktivist group, “FiveFamilies”, functions as a collective of several groups; some of their targeted entities included those located in Cuba and Brazil.

Figure 1: Chronus Team hack and web defacement of the website for the budget transparency for the municipality of Hermosillo, Sonora, Mexico (Source: Social Media)

Malware Trends

In 2025, Insikt Group observed elevated ransomware activity targeting organizations in the LAC region. Additionally, banking trojans also remained a prominent issue affecting LAC countries, with Insikt Group noting an uptick in campaigns specifically leveraging WhatsApp for delivery. Infostealers remained a popular initial access enabler in the LAC region. Botnets have grown in the region largely due to small office/home office (SOHO) devices, such as routers and other internet-of-things (IoT) appliances with weak security, outdated firmware, and a reliance on default credentials. Botnet activity can contribute to credential theft, the propagation of phishing campaigns, the distribution of spam, the takeover and abuse of residential IP addresses, and the enabling of distributed denial-of-service (DDoS) attacks. Insikt Group also observed threat actors targeting payment terminals in 2025 with ATM and POS malware.

Ransomware

In 2025, Recorded Future’s Global Ransomware Landscape Dashboard recorded 452 ransomware incidents impacting the LAC region out of 7,346 total globally, based on all publicly known ransomware victims listed on associated ransomware blogs. Attacks on entities in the LAC region constituted just over 6% of all global ransomware attacks in 2025. The top five industries most impacted by ransomware in the LAC region in 2025 were Healthcare (36 attacks), Manufacturing (49 attacks), Government (28 attacks), Information Technology (21 attacks), and Education (20 attacks), as demonstrated in Figure 3. Insikt Group research on ransomware in the LAC region covers 27 of the 33 constituent countries. Insikt Group did not obtain ransomware data from Antigua and Barbuda, Belize, Cuba, Saint Kitts and Nevis, Saint Lucia, or Suriname in 2025.

Figure 2: Global Ransomware Landscape Dashboard view of attack metrics for the top five ransomware groups impacting LAC in 2025 (Source: Recorded Future)

Figure 3: Global Ransomware Landscape Dashboard view of attack metrics for the top five most impacted industries in LAC in 2025 (Source: Recorded Future)

Insikt Group observed an increase in ransomware activity across all major industries in LAC compared to the prior year. Insikt Group specifically examined ransomware attacks against financial, government, and healthcare entities across the LAC region and identified the following: 16 attacks targeting the finance sector, 28 attacks targeting the government sector, and 36 attacks targeting the healthcare sector. Appendix C highlights a sample of these ransomware attacks.

Regarding LAC countries, the top five countries most impacted by ransomware in the LAC region in 2025 were Brazil (128 attacks), Mexico (78 attacks), Argentina (63 attacks), Colombia (51 attacks), and Peru (27 attacks). These countries are among the largest economies in the region, which may lead to downstream spillover effects for enterprises that conduct business directly with them or with neighboring countries. Insikt Group found that the majority of ransomware groups leverage double extortion. This extortion technique involves encrypting a victim’s data, exfiltrating the data, and then threatening to publicly leak the data on the ransomware group’s name-and-shame blog if a ransom is not paid. Recorded Future assesses countries by network intrusion and ransomware targeting risk every quarter to provide awareness and help organizations assess risk exposure. Takeaways from the top five impacted countries based on metrics and analysis from Recorded Future include:

• Brazil’s network intrusion risk score increased from Medium to Very High, and Brazil’s ransomware targeting risk score remained Medium by the end of 2025. Brazil was the most targeted country in LAC and among the top ten countries worldwide impacted by ransomware in 2025, with a total of 130 victims.
• Mexico’s network intrusion risk score increased from Very Low to Low, and Mexico’s ransomware targeting risk score increased from Low to Medium at the end of 2025. Notably, data was leaked relating to a Mexican government entity on the dark web name-and-shame extortion website, Tekir Apt Data Leak Site.
• Argentina’s network intrusion risk score increased from Very Low to Low, and Argentina’s ransomware targeting risk score increased from Low to Medium at the end of 2025. Insikt Group observed that Argentina was targeted by a new rust-based ransomware “RALord”.
• Colombia’s network intrusion risk score increased from Low to High, and Colombia’s ransomware targeting risk score remained low with no observed changes at the end of 2025. Colombia’s financial sector was impacted by the ransomware group Crypto24, which posted victims' names on its blog.
• Peru’s network intrusion risk score increased from Very Low to Low, and Peru’s ransomware targeting risk score was low with no observed changes at the end of 2025. A pharmaceutical company headquartered in Peru was named as a victim on the Dire Wolf Blog.

Figure 4: Global Ransomware Landscape Dashboard view of the most affected countries in LAC in 2025 (Source: Recorded Future)

Banking Trojans

According to the Global System for Mobile Communications Association (GSMA), in 2024, approximately 64% of the LAC population used mobile internet; it is projected that this will increase to nearly three-quarters by 2030. Increasing internet penetration and high cell phone subscription rates in LAC signify a rising reliance on mobile devices, likely making them more appealing targets for threat actors. Android remains the predominant operating system (OS) of mobile devices in South America with an 84.59% market share. Android devices may support more sideloaded applications (links and Android application packages [APKs] from social media or third-party stores) than Apple iOS, which typically has tighter ecosystem controls, and Android users may be running older OS versions, thereby making Android devices attractive targets for cybercriminals. The Android ecosystem grants developers more freedom to list apps within the Google Play Store, and the vetting and verification process is less stringent, allowing malicious APK domain mirrors to go undetected. In LAC, users may rely on mobile phones as their primary or only computing device, making them desirable initial access points for threat actors to deploy Android-based malware. According to the World Bank's Global Findex 2025 report, 37% of adults in the LAC region had a mobile money account as of 2024. Mobile banking, digital wallets, and QR payments are commonplace in the area. Based on the World Bank’s findings, Insikt Group assesses that persistent mobile banking malware targeting LAC is likely driven by rapid digital banking integration that has outpaced security controls and the expansion of MaaS ecosystems. Sophisticated localized social engineering attacks and disproportionate regional enforcement capacity are further accelerating this trend within LAC’s ever-evolving mobile financial landscape.

Insikt Group research reflected an increase in banking trojans targeting the WhatsApp platform in 2025. Brazilian authorities have, in recent years, focused their attention on disrupting banking trojans. A significant amount of crimeware in LAC consists of mobile banking trojans, though similar in many ways, they are not a monolith and differ in unique ways. Insikt Group analysis from 2025 reflects that, despite some law enforcement disruptions, banking trojans are still a prominent issue in the LAC region and will likely continue to be in 2026. Appendix D highlights the most active banking trojans across the LAC region in 2025.

Infostealers

Infostealers pose a persistent threat worldwide, and the LAC region is no exception. Insikt Group analyzed a small sample of the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors across the top five largest economies in LAC. Analysis showed that the most prominent infostealer threats observed in 2025 were LummaC2, Vidar, Rhadamanthys, RedLine, and Nexus. This is despite multiple law enforcement operations under Operation Endgame conducting takedowns impacting Rhadamanthys and LummaC2.

Figure 5: Infostealers infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)

LummaC2 was undoubtedly the most active infostealer targeting entities in the LAC region despite being targeted by law enforcement. LummaC2 has been discussed in several news sources and Telegram chatter as targeting users in Argentina, Paraguay, and Mexico. Cybercriminals deploy LummaC2 to obtain victim credentials to carry out financial fraud and cryptocurrency theft. Insikt Group conducted research into LummaC2 affiliates and identified a likely Mexico-based threat actor operating under multiple aliases linked to Lumma build ID “re0gvc”. In mid-2025, law enforcement took measures to disrupt LummaC2; the operation effectively led to the takedown of approximately 2,300 malicious domains integral to LummaC2’s infrastructure, Lumma’s central command, and associated criminal marketplaces. Shortly after this operation, it appears LummaC2 still had infected victims in several countries, including Brazil and Colombia, likely because sinkholing requires some time to have a noticeable effect as it redirects traffic but does not automatically clean infected machines. More complete remediation would require patching and malware removal on affected systems, which is challenging to implement at scale when infected devices are spread across the world. However, Insikt Group observed a significant decrease in credentials exposed by LummaC2 in the second half of 2025, likely due to the success of the joint Microsoft and law enforcement operation, as well as the main threat actor being banned from Exploit.

Figure 6: LummaC2 infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)

In the wake of the LummaC2 operation, Recorded Future detected an increase in Vidar infections during the latter half of 2025. This increase highlights threat actors’ ability to migrate between infostealers to facilitate their criminality despite disruptions.

Figure 7: Vidar Infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)

Botnets

Botnet activity has grown steadily in the LAC region, enabling financial fraud, spam distribution, credential harvesting, initial access for ransomware and large-scale DDoS attacks targeting financial and government institutions. Botnets remained a priority for international law enforcement in 2025. For example, the ongoing Operation Endgame aims to hinder threat actors' remote-control capabilities by dismantling ransomware and other malware infrastructure. Emerging in late 2025, Kimwolf, also known as AISURU, is a botnet that targets compromised streaming devices. News reporting and dark web chatter indicate many of the devices infected with Kimwolf are based in Brazil, India, the US, and Argentina. Additional reporting suggests a threat actor involved with the AISURU botnet is likely based in Brazil. Horabot is a malware family and type of botnet first identified in June 2023, targeting Spanish-speaking users in six LAC countries: Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. Horabot uses invoice-themed phishing emails to gain initial access to victims' systems.

Payment Terminal Malware

Threat actors also continued to target payment infrastructure for financial gain. ATM malware activity has continued to rise in LAC, with some experts noting ATM malware attacks have spiked by 46% across LAC in 2025. For instance, Ploutus is a sophisticated malware family first detected in Mexico in 2013, which compromises ATMs by issuing unauthorized commands to their cash dispensing modules. In December 2025, the US Department of Justice indicted 54 individuals associated with the Venezuelan gang Tren de Aragua (TDA) for participation in a massive ATM jackpotting scheme that exploited Ploutus malware. Moreover, the POS malware MajikPOS, designed to infiltrate systems connected to POS terminals and extract magnetic stripe payment data from bank cards, remained an active threat to companies operating in Brazil.

Mitigations

• Use Recorded Future’s Global Ransomware Landscape Dashboard: Recorded Future customers can proactively mitigate this threat by operationalizing the Recorded Future Global Ransomware Landscape Dashboard and leveraging the victimology tab to filter based on ransomware group, country, and industry of interest. Recorded Future customers can customize their own ransomware risk profile and establish alerts that align with their risk priorities.
• Use Recorded Future’s Threat and Third-Party Risk Monitoring: Configure alerts in the Recorded Future Intelligence Cloud to track activity across Telegram channels, darkweb forums, and other platforms for proactive awareness. Use the Third-Party Intelligence module to assess risk exposure for current and future partnerships.
• Update Legacy Systems: Threat actors, whether opportunistic or financially motivated, or both, often seek to exploit vulnerable systems. Organizations that rely on outdated technology stacks leave themselves exposed to preventable cyber threats and attacks.
• Engage in Public-Private Information Sharing: To bolster regional collaboration and establish standardized best practices, coordinate with law enforcement, and create intelligence-sharing channels to enhance investigations and decrease incident response times.
• Generate Awareness through Education: Advocating for digital literacy through university partnerships and scholarship in the LAC region will encourage good cyber hygiene and prepare for a stronger, more competent workforce. Enterprises can implement mandatory cybersecurity training during new hire onboarding and establish routine drills to ensure protocols are followed.

Outlook

Insikt Group has highlighted the most salient cybercriminal trends and methods observed throughout the LAC region in 2025. Threat actors conducted phishing and credential theft to gain and sell initial access to LAC organizations while often relying on dark web forums and end-to-end encrypted messaging platforms to communicate and monetize compromised data and access methods. Cybercriminals carried out elevated ransomware attacks against the healthcare, government, finance, and other critical sectors. Banking trojan and infostealer activity persisted throughout LAC despite law enforcement disruption attempts. Cybercriminals have proven to be adaptive and resilient, often capitalizing on immature or emerging businesses that lack the skills, tools, and personnel to prevent attacks. Small and medium-sized enterprises (SMEs) constitute over 95% of all businesses in LAC. SMEs are desirable targets for cybercriminals because they typically have limited resources and expertise, lack robust infrastructure, and have a high overreliance on third-party platforms. Insikt Group trend analysis supports these findings.

Absent regional harmonization of cybersecurity policies and best practices, LAC countries will likely continue to use fragmented incident response approaches, complicating cross-border cooperation and collaboration. For effective and sustainable protection of systems and information against cyber threats, LAC countries should focus on working together to establish standardized risk assessments and reporting mechanisms, protocols for information sharing to bolster timely remediation, and implement proactive “secure by design” principles. Possible approaches to accomplishing this may include increased investment in workforce development, participation in public-private partnerships, and the establishment of centralized cybersecurity management systems. Despite the lack of prominent Spanish- and Portuguese-language forums, it is likely that threat actors will continue to leverage traditional platforms and methods similar to those used by the English- and Russian-speaking cybercriminal underground. Based on current and historical data, we anticipate these trends will continue, and LAC will likely remain a popular target for ransomware groups and a hotspot for mobile malware in 2026.

Appendix A: Sample Listing of Posts Targeting Entities in LAC Countries on Dark Web and Special Access Forums

(Source: Recorded Future)

Appendix B: Sample Metrics of the Top Five Ransomware Groups Impacting LAC in 2025

(Source: Recorded Future)

Appendix C: Sample Data of Ransomware Incidents Impacting Healthcare, Government, and Financial Sectors in LAC Countries in 2025

(Source: Recorded Future)

Appendix D: Trends from the Most Active Banking Trojans in LAC in 2025

(Source: Recorded Future)

Este informe brinda un resumen de las tendencias y los desarrollos en el ecosistema cibercriminal de América Latina y el Caribe (LAC) en 2025. Insikt Group identificó que los actores maliciosos que operan en la región de LAC o que la tienen como objetivo utilizan principalmente aplicaciones cliente-servidor y plataformas de mensajería con cifrado de extremo a extremo como Telegram, así como foros de la dark web y de acceso especial en inglés o ruso, para comunicarse y llevar a cabo sus actividades. Los actores maliciosos demuestran una mayor sofisticación en sus operaciones, ya que adaptan sus tácticas, técnicas y procedimientos (TTP) con el tiempo, pero siguen apoyándose principalmente en métodos tradicionales como el phishing y la ingeniería social, la distribución de malware, y el ransomware. A partir de nuestros análisis, determinamos que Brasil, México y Argentina son los países más atacados por cibercriminales financieros, probablemente porque son las economías más grandes de la región de LAC. Además, a partir de esta investigación, Insikt Group determinó que los actores maliciosos a menudo atacan industrias críticas, como las de salud, finanzas y gobierno, porque poseen datos de alto valor, afrontan urgencias operativas y, a veces, utilizan sistemas antiguos que pueden ser vulnerables.

Principales hallazgos

• Insikt Group estima que el foro criminal DarkForums y la plataforma de mensajería Telegram son los principales medios de acceso especial utilizados por los actores maliciosos que operan en la región LAC o que la tienen como objetivo.
• Los actores maliciosos que operan en la región LAC o que la tienen como objetivo suelen estar impulsados por motivos financieros y, a menudo, utilizan la ingeniería social, el ransomware y diferentes formas de malware móvil para obtener acceso inicial a las instituciones gubernamentales, de salud o financieras.
• En 2025, Insikt Group registró 452 incidentes de ransomware que afectaron la región de LAC. Las cinco principales industrias afectadas fueron las de salud, fabricación, gobierno, tecnología de la información y educación; todas ellas observaron un aumento notable en los ataques en comparación con el año anterior.
• Insikt Group identificó que los actores maliciosos usan troyanos bancarios, especialmente las variantes más establecidas. En particular, estos actores usaron troyanos bancarios en campañas de smishing dirigidas a usuarios de WhatsApp con el objetivo de acceder a datos financieros y robar credenciales.
• Insikt Group identificó a LummaC2 como el ladrón de información (infostealer) más prolífico que afectó a organizaciones de la región LAC en el primer semestre de 2025, y a Vidar en el segundo semestre, tras la intervención de las fuerzas del orden contra LummaC2

Este relatório apresenta uma visão geral das tendências e desenvolvimentos no ecossistema do cibercrime na América Latina e Caribe (LAC) em 2025. O Insikt Group descobriu que os agentes de ameaças que operam na região da América Latina e Caribe (LAC) ou que a têm como alvo usam predominantemente aplicações cliente-servidor e plataformas de mensagens criptografadas de ponta a ponta, como o Telegram, bem como a dark web estabelecida em inglês ou russo e fóruns de acesso restrito, para se comunicarem e realizarem atividades. Os agentes de ameaças demonstram crescente sofisticação nas operações, adaptando táticas, técnicas e procedimentos (TTPs) ao longo do tempo, embora ainda dependam principalmente de métodos tradicionais, como phishing e engenharia social, distribuição de malware e ransomware. Com base na nossa análise, determinamos que Brasil, México e Argentina foram os países mais visados por cibercriminosos com motivação financeira, provavelmente por serem as maiores economias da América Latina e Caribe. Além disso, com base nesta pesquisa, o Insikt Group descobriu que os agentes de ameaças frequentemente visavam a setores críticos, como saúde, finanças e governo, pois esses setores detêm dados valiosos, enfrentam urgências operacionais e, às vezes, dependem de sistemas legados que podem ser vulneráveis.

Principais descobertas

• O Insikt Group avalia que o fórum criminoso DarkForums e a plataforma de mensagens Telegram são os principais fóruns de acesso restrito e plataformas de comunicação usados por agentes maliciosos que operam na região da América Latina e Caribe ou que têm essa região como alvo.
• Os agentes de ameaça que operam na América Latina e Caribe (LAC) ou que têm como alvo a região são geralmente motivados por interesses financeiros e frequentemente adotam engenharia social, ransomware e várias formas de malware em aparelhos móveis, a fim de terem acesso inicial a instituições governamentais, financeiras e de saúde.
• Em 2025, o Insikt Group registrou 452 incidentes de ransomware que afetaram a região da América Latina e Caribe. Os cinco setores mais afetados foram saúde, manufatura, governo, tecnologia da informação e educação, que registraram um aumento considerável nos ataques em comparação ao ano anterior.
• O Insikt Group continuou a identificar trojans bancários sendo usados por agentes de ameaças; os mais usados são as variantes já estabelecidas. Especificamente, os agentes maliciosos usaram trojans bancários em campanhas de smishing direcionadas a usuários do WhatsApp para terem acesso a dados financeiros e roubarem credenciais.
• O Insikt Group identificou o LummaC2 como o ladrão de informações (infostealer) mais prolífico, afetando organizações na América Latina e Caribe no primeiro semestre de 2025; e o Vidar no segundo semestre, após a desarticulação das atividades do LummaC2 pelas autoridades policiais.

It is increasingly sustained by an industrial support ecosystem: purpose-built infrastructure, packaged toolkits, and professionalized services that allow threat actors to maximize fraud output while minimizing the skill and effort required to execute attacks.

According to Recorded Future's Annual Payment Fraud Intelligence Report: 2025, this industrialization was driven by technical advances and increasingly professionalized support services.

The Magecart e-skimmer supply chain is the clearest example. Full-stack e-skimmer kits and Malware-as-a-Service (MaaS) offerings have made large-scale compromise of ecommerce websites accessible to less technically capable threat actors.

The "Sniffer by Fleras" kit, responsible for 26% of all e-skimmer infections observed in 2025, includes a web-based portal for generating malicious scripts and a management server for stolen data. The result was more than 10,500 unique Magecart infections active at some point during the year, likely compromising more than 23 million transactions.

Additionally, the "AcceptCar" e-skimmer, discovered in H2 2025, illustrates how far the service model has matured. Operators handle installation and operation on compromised e-commerce sites; in return, threat actors pay 50% of proceeds from card data sales or 70% of raw data intake. Using services like AcceptCar, fraud threat actors can participate in large-scale compromise operations without owning or managing any underlying infrastructure.

Figure 1: Line graph showing Magecart e-skimmer infections in 2025, by different groups, kits, and techniques. (Source: Recorded Future)

Purchase scam operations reflect a similar dynamic. Recorded Future Payment Fraud Intelligence identified more than 3,600 scam merchant accounts in 2025, up 2.5x from 2024, spanning at least 40 countries and 230 acquirers.

Recurring patterns in merchant registration data indicate that scam operators have standardized their merchant acquisition workflows, standing up fraudulent payment infrastructure at scale through repeatable, low-friction processes.

Card testing operates on the same service-economy logic. Telegram-based card testing services validated at least 27 million card records in 2025 through public-facing card generation and testing channels that any threat actor can access.

Among dark web checker services, over 1,350 legitimate merchant accounts were abused for card testing, with 94% not observed prior to 2025, suggesting systematic rotation to stay ahead of detection.

Figure 2: Graphic illustrating the purchase scam attack chain. (Source: Recorded Future)

The Ecosystem Is Concentrated Upstream

Notably, each of these industrialized attack vectors sits upstream of the fraudulent transaction. E-skimmer infections and scam merchants compromise card data during online purchases. Card testing validates that stolen data before it’s monetized.

"Fraud outcomes are visible, but the pathways that enable them are often not."

This industrialized scale across these attack vectors requires standardization, and standardization produces detectable patterns.

When 26% of e-skimmer infections trace back to a single kit, when scam operators reuse merchant registration patterns across hundreds of acquirers, when card testers rotate through predictable BIN attack workflows, the convergence that makes fraud scalable also makes it mappable. As that standardization deepens, a single indicator of compromise reaches further across the threat landscape.

That standardization creates something concrete: a window.

Magecart infections are active and identifiable before stolen card data is harvested.
Scam merchants often display detectable signals, including recent domain registration, merchant rotation, and merchant category code mismatches.

Card testing activity reveals when a monetization attempt is likely to occur.

Each stage represents an opportunity to act before fraud registers as a financial loss.

Transaction Monitoring Looks at the Wrong End of the Lifecycle

Transaction monitoring and behavioral fraud models are built to detect anomalies at the point of payment, like unusual spend patterns, velocity, and geographic inconsistencies. They do what they were designed to, but provide no visibility into the increasingly industrialized, pre-monetization stages that were built to avoid detection by these traditional processes.

Purchase scams are explicitly designed to circumvent transaction-based controls by manipulating cardholders into authorizing the fraudulent transaction themselves, making the payment appear legitimate by design.

Card testers cycle through new merchants specifically because historical tester merchants get flagged (94% of tester merchants identified in 2025 were not previously observed). A detection approach built around transaction signals will always be working with information that arrives after the upstream infrastructure has already done its job.

As the upstream ecosystem industrializes, the volume of activity that transaction monitoring cannot see has grown. With purchase scam detections more than quadrupling year-over-year and Magecart infections having likely compromised more than 23 million transactions in 2025 alone, the cost of that blind spot compounds.

Maintaining an effective fraud posture will increasingly require financial institutions to complement reactive account monitoring with proactive, intelligence-informed defenses.

How Recorded Future Payment Fraud Intelligence Addresses This

Recorded Future Payment Fraud Intelligence monitors each of the upstream stages discussed in this post.

With daily monitoring of Magecart-infected sites and enriched merchant data that integrates with transaction monitoring, Payment Fraud Intelligence can enable detection of high-risk merchants months before stolen card data appears for sale.

Additionally, the Scam Merchants dataset can identify fraudulent merchant accounts and their associated domains before customers are defrauded and before downstream card data reaches criminal markets.

Tester merchant monitoring surfaces card testing activity as an early signal of which portfolios are being targeted ahead of any monetization attempt.

Because Payment Fraud Intelligence monitors the sources, kits, and infrastructure that threat actors have increasingly standardized around, a single identified indicator can surface exposure across a portfolio at scale.

According to Recorded Future data, 75% of compromised cards are identified before fraud occurs, and 90% of compromised card assets are identified within hours of a breach.

The pre-monetization window will not narrow as the fraud ecosystem matures — if anything, the report's data suggests it will widen as standardization deepens. Financial institutions with visibility into that window can act before losses occur. Those without it will continue to respond after the fact.

Read the full Annual Payment Fraud Intelligence Report: 2025 to explore this year's findings in depth.

What is Quantum Geopolitics?

A useful analogy comes from physics.

Classical systems produce predictable outcomes. Quantum systems behave probabilistically, where interactions in one place can produce distant effects.

International politics increasingly resembles the latter.

The assumptions that shaped corporate strategy for decades—durable alliances, expanding globalization, and broadly coherent regulation—are weakening. Geopolitical shocks now move rapidly through tightly interconnected systems.

Four dynamics define how this system now behaves.

🌓 Superposition: Friends, Rivals, and Everything in Between

Countries can no longer be neatly categorised “ally” or “adversary.” They exist in overlapping states, with true alignment revealed only in moments of crisis.

States balance security partnerships with the West while maintaining economic ties with rivals. Turkey supports Ukraine diplomatically while sustaining trade flows that benefit Russia. India deepens defence ties with the United States even as it increases purchases of Russian oil.

Public statements offer limited guidance. Trade flows, enforcement patterns, and technology controls are more reliable indicators of intent.

For multinational firms, geopolitical positioning is no longer fixed. It is fluid.

🌀 The End of Guarantees: Promises Now Come with Caveats

Security commitments, trade access, and regulatory stability have shifted from certainties to probabilities.

Export controls can reroute supply chains within months. Sanctions regimes expand or unwind quickly. Even long-standing alliances depend on political will at the moment they are tested.

For businesses, this means long-term investments now carry elevated policy risk.

Leaders must plan for variance.

🧬 Quantum Entanglement: Local Conflicts Are Not Local

Global systems—financial, technological, logistical—are tightly coupled. Regional conflicts now generate immediate global effects.

Threats to Gulf commercial hubs disrupt international banking. Instability in the Strait of Hormuz drives energy price volatility and strains global shipping insurance. Cyber campaigns tied to the conflict target companies far beyond the region.

Disruption is rarely contained. Risk can no longer be managed by geography or function alone.

🔬 The Observer Effect: Whoever Sets the Rules First Wins

Influence increasingly derives from shaping rules rather than operating within them.

States that move early to establish standards in artificial intelligence, semiconductors, digital infrastructure, and financial regulation compel others to adapt.

Waiting for clarity can therefore be a strategic liability in itself.
If you do not shape the agenda, you become subject to it.

Why This Moment Feels Different

These dynamics are most visible in cyberspace, where geopolitical competition unfolds continuously below the threshold of open conflict.

State-sponsored actors operate inside corporate networks without triggering overt confrontation. Criminal groups, proxies, and intelligence services overlap, complicating attribution and response.

The boundary between geopolitical conflict and corporate exposure is now thin. A single breach can trigger regulatory scrutiny, customer loss, market volatility, and diplomatic tension at once.

Cybersecurity is no longer a technical function. It is a core enterprise risk.

How Security Leaders Should Respond

In a system governed by probabilities rather than predictability, security leaders must adapt how they think, allocate resources, and position their organizations.

1. Mindset Shift: Scenarios, Not Forecasts

Replace long planning horizons and static risk assessments with continuous scenario planning. Tools such as the Cone of Plausibility can stress-test responses to sanctions escalation, maritime disruption, regulatory fragmentation, or supply chain shocks.

Evaluate decision speed, cross-functional coordination, and response thresholds under pressure.
Adaptability matters more than accuracy.

2. Spending Shift: Invest in Resilience, Not Just Efficiency

Systems optimized solely for efficiency often lack resilience.

Diversifying suppliers, strengthening sanctions compliance, improving cybersecurity, and increasing visibility into third-party exposure can reduce vulnerability to geopolitical shocks.

Resilience is not a defensive expense; it is operational insurance.

3. Communication Shift: From Reporting to Action

Security leaders must translate geopolitical developments into clear decision frameworks before crises materialize.

This requires close coordination across legal, finance, and operations, as well as proactive engagement with regulators and industry partners.

Speed and clarity determine whether the organization shapes outcomes or reacts to them.

Final Thoughts

The Iran conflict offers a preview of what comes next. Alliances are conditional. Economic pressure, cyber activity, and regulatory responses unfold simultaneously.

Quantum geopolitics does not eliminate strategy. It demands a different kind—one built on scenario readiness, structural resilience, and faster decision cycles.

Leaders who wait for clarity will move too late.

Those who organize for uncertainty will operate ahead of it.

To access the latest Insikt Group® research click here.

Insikt Group® helps Recorded Future secure our world with threat intelligence. With deep experience in government, law enforcement, military, and intelligence agencies, we power the Recorded Future Platform with analyst-validated data, analytics, along with cyber and geopolitical intelligence. This enables our customers to reduce risk and prevent disruption.

Insikt Group identified five distinct clusters leveraging the ClickFix social engineering technique to facilitate initial access to host systems. Observed since at least May 2024, these clusters include those impersonating financial application Intuit QuickBooks and the travel agency Booking.com. Insikt Group leveraged the Recorded Future® HTML Content Analysis dataset, which enables systematic monitoring of embedded web artifacts to identify and track new malicious domains and infrastructure.

The clusters demonstrate significant operational variance in lure themes and infrastructure patterns, and highlight the technique's evolution, moving past simple verification by visually fooling victims with various fake challenges and demonstrating technical sophistication through operating system detection to tailor execution chains. Despite these structural differences, its operation is largely the same, showing that ClickFix’s core techniques work across platforms and only the social engineering lure needs to be adapted to the victim. Threat actors manipulate victims into executing malicious, obfuscated commands directly within native system tools like the Windows Run dialog box or macOS Terminal.

This living-off-the-land (LotL) approach allows malicious scripts to execute in-memory, effectively bypassing traditional browser security and endpoint controls. Parallel clusters targeting sectors as diverse as accounting, real estate, and legal services indicates that ClickFix has transitioned into a standardized, high-ROI template for both cybercriminal and potentially advanced persistent threat (APT) groups.

To protect against these threats, security defenders should move beyond simple indicator blocking and prioritize aggressive behavioral hardening. Key recommendations include disabling the Windows Run dialog box via Group Policy Objects (GPO), implementing PowerShell Constrained Language Mode (CLM), and operationalizing Digital Risk Prevention tools such as Recorded Future's Malicious Websites to identify and mitigate threats to your digital assets.

Based on increasing use since 2024, Insikt Group assesses that the ClickFix methodology will very likely remain a primary initial access vector throughout 2026 as threat actors continue to social engineer victims to enable exploitation. Looking ahead, Insikt Group anticipates ClickFix lures will become increasingly technically adaptive, incorporating more selective browser fingerprinting, while continuing to use infrastructure that can be built and dismantled quickly. In addition to technical refinements, Insikt Group predicts that the social engineering component will continue to evolve, leveraging new techniques to lure victims into executing malicious commands.

Key Findings

• Insikt Group identified and tracked five distinct ClickFix activity clusters exhibiting significant operational variance in lure themes and infrastructure patterns despite a shared reliance on fraudulent human-verification lures. This indicates that the ClickFix methodology has transitioned into a standardized, high-ROI template adopted across a fragmented ecosystem of threat actors.
• While visually diverse, all analyzed clusters use a consistent execution framework that bypasses traditional browser security controls by shifting the point of exploitation to user-assisted manual commands. These campaigns target a wide variety of sectors, including accounting (QuickBooks), travel (Booking.com), and system optimization (macOS).
• ClickFix technical execution follows a standardized four-stage pattern: input of highly encoded or fragmented strings, native execution via legitimate system shells living-off-the-land binaries (LOLBins), remote ingress from threat actor-controlled infrastructure, and immediate in-memory execution. This methodology allows threat actors to stage and run remote code with limited and short-lived forensic artifacts on the host system.

Background

First documented in late 2023, ClickFix has transitioned from a niche social engineering tactic to a cornerstone of the global cybercriminal ecosystem. ClickFix is a social engineering methodology that lures victims into manually executing malicious commands by masquerading as a necessary technical resolution for fabricated system errors or human-verification prompts. This technique represents an evolutionary shift from the FakeUpdates (SocGholish) model, prioritizing manual user intervention to evade the increasingly robust security features of modern web browsers and automated endpoint detection systems. In this context, the methodology embodies a "think smart, not hard" approach. The simplicity of relying on a manual user action makes it a potent defensive evasion tactic: bypassing typical browser-based security makes it difficult to detect, while the high number of threat actors using it makes it difficult to track across a fragmented threat landscape.

The technical core of the methodology relies primarily on pastejacking, where background JavaScript populates a victim's clipboard with an obfuscated command while they are distracted by visual lures such as fraudulent reCAPTCHA or Cloudflare Turnstile overlays. In some instances, malicious commands are not automatically pasted into the victim’s clipboard, but rather, victims are manipulated into copying and running the command manually. By leveraging a living-off-the-land (LotL) approach, threat actors manipulate users into executing these commands directly within trusted system tools like the Windows Run dialog box, PowerShell, or the macOS Terminal. This user-assisted execution allows malicious scripts to execute silently and bypass traditional browser and endpoint security perimeters.

ClickFix has been weaponized by a diverse spectrum of threat actors, ranging from high-volume initial access brokers (IABs) to sophisticated state-sponsored groups such as BlueDelta (aka APT28) and the North Korean group PurpleBravo. The methodology enables a repeatable and scalable delivery framework capable of deploying a wide variety of secondary payloads, including infostealers like Lumma Stealer and Vidar, or remote access trojans (RATs) such as NetSupport RAT and Odyssey Stealer. These operations are frequently supported by highly adaptive, disposable infrastructure designed to maintain operational continuity even as individual domains are identified and blocked.

Technical Analysis

Insikt Group identified and tracked five emerging ClickFix clusters by leveraging the Recorded Future HTML Content Analysis dataset, which enables the systematic monitoring of embedded web artifacts. By pivoting on unique technical identifiers, including specific Document Object Model (DOM) hashes, hard-coded image source tags, and unique page titles, Insikt Group mapped ClickFix’s infrastructure and identified new malicious domains and infrastructure, facilitating the discovery of active domains and near real-time monitoring of cluster evolution.

Across the analyzed clusters, Insikt Group detailed the ClickFix commands victims were manipulated into executing on their systems. These commands relied heavily on LOLBins to achieve operational goals. By using LOLBins, threat actors leveraged native, legitimately signed executables to download malicious payloads to a victim's machine. Depending on the security implementation of personal machines or corporate endpoints, this methodology can effectively evade standard detections and foundational security principles.

ClickFix Clusters

Insikt Group identified five clusters (see Figure 1) that exhibited significant operational variance despite a shared reliance on the ClickFix social engineering technique. These clusters were defined by their infrastructure patterns and targeting approaches, ranging from logistics-themed lures to dual-platform selection logic. This indicates that the ClickFix methodology is being deployed across a fragmented ecosystem of threat actors, each tailoring the technique to suit their own delivery requirements and victim profiles.

These clusters were grouped based on observable patterns in infrastructure reuse, lure formatting, platform targeting, and operational adjustments over time. While core technical elements and delivery mechanisms overlap, each cluster maintained a distinct footprint within the broader landscape. Insikt Group categorized the activity into the following five clusters:

• Intuit QuickBooks: Targeted impersonation of accounting software, often leveraging aged domains to bypass security filters
• Booking.com: Used fraudulent domains to present fake verification portals
• Birdeye: A large-scale cluster that lures users of the AI marketing company Birdeye by spoofing domains and manipulating victims to use a malicious command to deliver NetSupport RAT.
• Dual-Platform Selection: Used operating system detection to deliver platform-tailored lures and malware
• macOS Storage Cleaning: Used counterfeit prompts mimicking macOS system optimization to trick users into executing encoded terminal commands

Figure 1: Overview of ClickFix and associated clusters (Source: Recorded Future)

Cluster 1: Intuit QuickBooks

Cluster 1 was observed operating from January 2026 to the time of writing, primarily targeting organizations through social engineering lures impersonating the accounting software Intuit QuickBooks. QuickBooks is widely used for tax preparation in the United States; given the campaign's active window coincides with the US tax season (typically January through April 15), Insikt Group assesses with moderate confidence that the timing was a calculated effort to target entities engaged in financial reporting. Although this cluster recently pivoted to targeting users of the US real estate marketplace Zillow, QuickBooks-related artifacts and brand-specific imagery remain deeply embedded throughout the Document Object Model (DOM) of the malicious landing pages.

Cluster 1 Profile

Figure 2: Overview of ClickFix Cluster 1 — Intuit QuickBooks (Source: Recorded Future)

Table 1: PowerShell commands observed across Cluster 1

Cluster 1 Infection Chain

The infection chain begins when a victim lands on a ClickFix landing page. The page presents a fraudulent human-verification interface (see Figure 3) that instructs the victim to complete specific "verification" steps.

Figure 3: Intuit QuickBooks-themed ClickFix page (Source: Recorded Future Web Scans)

By interacting with the page, the victim unknowingly copies a malicious command to their system clipboard. The technique often results in execution through native system utilities, such as Windows Run dialog and PowerShell, leveraging LOLBins to evade traditional browser and endpoint-based security controls.

Upon pasting the command, an obfuscated PowerShell script (Figure 4) executes in a hidden window. This stager uses self-referential function names to dynamically construct and invoke Invoke-RestMethod to the domain nobovcs[.]com.

Figure 4: Obfuscated PowerShell command executed in a hidden window, dynamically reconstructing and invoking code via iex (Source: Recorded Future)

This request triggers the retrieval of a short PowerShell stager (see Figure 5) that downloads a second-stage payload, bibi.php, saving it to the %TEMP% directory as script.ps1. This stager is the initial execution step that kicks off the NetSupport RAT installation.

Figure 5: Stager script to download second-stage script, bibi.php (Source: Recorded Future)

The bibi.php script is essential for the final deployment phase and for obfuscating on-disk artifacts. It contains a function called Get-RomanticName, which selects and combines strings from a thematic wordlist, including terms such as "Heart", "Soul", and "Desire", to generate a randomized folder name under %LOCALAPPDATA%, where the staging files are placed.

The script retrieves four primary files from nobovcs[.]com, detailed in Table 2.

Table 2: Filenames and SHA256 hashes of the files downloaded from nobovcs[.]com (Source: Recorded Future)

The script uses 7z.exe to extract at.7z (protected by the password “pppp”), which contains the NetSupport RAT binary, neservice.exe. Persistence is established by hijacking Startup shortcuts; if no existing shortcut is detected, the script extracts lnk.7z to the Startup folder to ensure the payload launches automatically upon system reboot.

Following successful execution, the binary neservice.exe performs an HTTP GET request to gologpoint[.]com to initiate command-and-control (C2) communications. gologpoint[.]com resolves to the IP address 62[.]164[.]177[.]230.

Cluster 2: Booking.com

Cluster 2 was observed operating from February 2026 to the time of writing, impersonating the travel agency Booking.com. Insikt Group tracked the cluster by pivoting on a unique DOM hash made possible by the threat actor’s repeated use of a unique HTML title and consistent image files. Indicators of compromise (IoCs) tagged in this cluster can be seen in the Recorded Future HTML Content Analysis. The landing pages for this cluster use a counterfeit reCAPTCHA v2 challenge, requiring victims to select all photos containing a "bucket" (Figure 6). Insikt Group observed that the same challenge photos are presented in the same order across all analyzed pages.

Cluster 2 Profile

Figure 7: Overview of ClickFix Cluster 2 — Booking.com (Source: Recorded Future)

Table 3: PowerShell commands observed across Cluster 2

Cluster 2 Infection Chain

The process begins when a victim interacts with the fake challenge. Upon completing the challenge, the victim is redirected to a verification page where a malicious PowerShell command (see Figure 8) is copied to the system clipboard. Instructions on the verification page manipulate the victim into opening the Windows Run dialog box and entering the command. Executing this malicious command starts the infection chain for NetSupport RAT.

Figure 8: Command from the booking campaign that reaches out to the payload server (Source: Recorded Future)

The PowerShell command provided in script.ps1 (see Figure 9) executes with the -NoProfile and -ExecutionPolicy Bypass flags to evade standard logging and security restrictions. Following execution, the system pulls four staging files to a directory named DesireSpark Serenade. This directory naming convention is functionally identical to the "romantic" naming methodology observed in Cluster 1.

Figure 9: DOM file from checkpulse[.]com that details the command to be run on the victim machine, suppressing the protections normally in place to pull down the PowerShell command and execute it (Source: Recorded Future)

The primary staging mechanism relies on script.ps1 to pull secondary payloads from the staging server. In one analyzed instance, scripts originating from thestayreserve[.]com reached out to checkpulses[.]com to retrieve the files detailed in Table 4.

Table 4: Filenames and SHA256 hashes of the files downloaded from checkpulses[.]com (Source: Recorded Future)

The 7z.exe utility is used to extract at.7z, which contains the NetSupport RAT binary neservice.exe. Persistence is established by adding a link to the system Startup folder.

The domains observed across this cluster use a similar PowerShell command pattern. However, once the command is executed, the infection chain varies slightly with the staging infrastructure being called. In the cases of sign-in-op-token[.]com and the thestayreserve[.]com domains, the malicious command is identical in terms of pattern and organization, but the hard-coded dropper domain is bkng-updt[.]com and checkpulses[.]com, respectively.

While staging domains vary, the final payloads across this cluster converge on the same NetSupport RAT C2 infrastructure (Table 5).

Table 5: IoCs observed in the Booking.com infection chain (Source: Recorded Future)

Following installation, the malware from thestayreserve[.]com initiates communication (Figure 10) with chrm-srv[.]com and ms-scedg[.]com, both of which resolve to 152[.]89[.]244[.]70. The domain hotelupdatesys[.]com , resolves to the same IP address as the NetSupport RAT C2 for sign-in-op-token[.]com.

Figure 10: POST Request from sign-in-op-token[.]com showing NetSupport interaction (Source: Recorded Future)

Cluster 3: Birdeye

Cluster 3 was observed operating from May 2024 until the time of writing. Previously reported on by Insikt Group, this cluster uses infrastructure centered on domains incorporating the keyword "bird" to deliver its ClickFix lure pages, trackable in Recorded Future’s HTML Content Analysis. These lures spoof Birdeye, an AI marketing company, to manipulate victims into executing malicious commands.

Cluster 3 Profile

Figure 11: Overview of ClickFix Cluster 3 — Birdeye (Source: Recorded Future)

Table 6: PowerShell command observed across Cluster 3

Cluster 3 Infection Chain

The infection chain begins when a victim visits a compromised site and is presented with a Cloudflare-style CAPTCHA challenge. Upon interacting with the page, the victim is prompted to run a command in the Windows Run dialog box. Insikt Group identified this cluster by pivoting on unique technical identifiers within the HTML artifacts, including a consistent and unique page title and a static image used across the infrastructure.

The command the victim is manipulated into running causes the victim’s device to reach out to alababababa[.]cloud to download a payload from hxxps[://]alababababa[.]cloud/cVGvQio6[.]txt. To further reduce suspicion, once the malicious command is executed, the victim is redirected to the legitimate birdeye.com website (see Figure 12).

Figure 12: The redirect to the legitimate Birdeye website (Source: Recorded Future)

Analysis of the JavaScript within the DOM for this cluster, provided in Appendix F, revealed insights into the threat actor's methods. A notable portion of the script uses seven obfuscated lines that are concatenated into a single string to be attached to the victim's clipboard. The developer left comments within the code that detail the deobfuscated purpose of each line. For example, one comment explicitly identifies the portion of the command calling PowerShell with specific flags (Figure 13).

Figure 13: Portion of JavaScript containing threat actor comments (Source: Recorded Future)

Furthermore, a comment written in Cyrillic at the beginning of the script translates to, "This should help bypass Cloudflare static analysis". This internal documentation suggests the threat actor is purposefully detailing their actions to refine bypass techniques against security scanners.

Historically, alababababa[.]cloud has been associated with the delivery of multiple malware strains, including Lumma Stealer and RedLine Stealer. The large volume of domains identified in this cluster, exceeding 40 unique entries, highlights the scale of the "run and repeat" model used to sustain this activity.

Cluster 4: Dual-Platform Selection

Cluster 4 was observed operating from March 2025 to the time of writing. This cluster is unique for its use of operating system detection to deliver tailored ClickFix lures for both Windows and macOS users. Unlike standard ClickFix behavior that typically pushes commands to the clipboard automatically, this variant provides detailed manual instructions, requiring the victim to open native system tools and manually copy and paste the provided staging payload. One of the ClickFix pages used to analyze this behavior was macosapp-apple[.]com, hosted at IP address 45[.]144[.]233[.]192.

Cluster 4 Profile

Figure 14: Overview of ClickFix Cluster 4 — Dual-Platform Selection (Source: Recorded Future)

Table 7: Encoded commands observed across Cluster 4

Cluster 4 Infection Chain

The infection chain begins when a victim lands on a ClickFix page that instructs them to verify they are human (Figure 15).

Figure 15: ClickFix page identified in Cluster 4 (Source: Recorded Future Web Scans)

Figure 23: Landing page for mac-os-helper[.]com (Source: Recorded Future)

Once the Terminal is open, the victim is prompted to execute a multi-stage command that purportedly "finds and removes temporary system files".

In reality, these commands (see Table 9) use different encoding layers to hide their true intent; the first example decodes a hexadecimal string to reveal a Base64-encoded client URL (curl) instruction, while the second directly decodes a Base64 string to run an executable command. Both methods ultimately bypass simple pattern matching by obfuscating the malicious payload until execution.

Table 9: Encoded and obfuscated ClickFix commands for macOS (Source: Recorded Future)

As shown in Table 10, the revealed curl instruction uses a compound set of arguments, in this cluster, -kfsSL, to facilitate silent delivery. These flags ensure that Transport Layer Security (TLS) certificate checks are bypassed, server-side errors are suppressed, and the process remains hidden from the user's view while following redirections to reach the final payload domain.

Table 10: Decoded and deobfuscated ClickFix commands for macOS (Source: Recorded Future)

Based on historic evidence (1, 2) and forensic patterns, Insikt Group assesses with high confidence that the information stealer MacSync was the primary payload used to infect victims in this cluster. The malicious commands on these pages caused the infected systems to reach out to a specific set of staging and C2 infrastructure, detailed in Table 11. Notably, while the domains varied, they were frequently observed behind Cloudflare to complicate network-level blocking.

Table 11: C2 servers identified for the macOS cleaner campaign (Source: Recorded Future)

Copy Command Analysis

Insikt Group analyzed commands across the five clusters identified in this research. While the visual lures and impersonated brands vary between groups like Cluster 1 (Intuit QuickBooks) and Cluster 5 (macOS Storage Cleaning), the underlying execution logic remains consistent. This "run and repeat" methodology relies on a narrow set of trusted LOLBins and lightweight obfuscation to stage remote code with minimal forensic artifacts.

The technical implementation of ClickFix follows a standardized four-stage pattern across all target operating systems, as summarized in Table 12.

Table 12: Standardized four-stage ClickFix execution pattern (Source: Recorded Future)

Insikt Group identified two primary command styles used in macOS-centric campaigns, such as Cluster 4 and Cluster 5, which are detailed in Table 13.

Table 13: Observed tactics, techniques, and procedures (TTPs) for macOS and Linux (zsh and bash) commands (Source: Recorded Future)

Windows-based commands, particularly those observed in Cluster 1 and Cluster 2, exhibit a higher degree of sophistication through "Command Swizzling" and case randomization, as shown in Table 14.

Table 14: Observed TTPs for Windows (PowerShell) commands (Source: Recorded Future)

Mitigations

To mitigate the threats posed by ClickFix social engineering and related living-off-the-land (LotL) techniques, Insikt Group recommends a defense-in-depth approach that combines proactive intelligence monitoring with aggressive hardening of native system utilities.

• Operationalize HTML Content Analysis: Recorded Future customers should use the HTML Content Analysis source to monitor for impersonations of their brand, which are leveraged to deliver ClickFix. Leverage the Recorded Future Intelligence Operations Platform to monitor for unique web artifacts, such as specific Document Object Model (DOM) hashes and page titles, to identify new ClickFix domains in real time.
• Use Recorded Future Threat Intelligence: Recorded Future customers can proactively mitigate this threat by operationalizing Recorded Future Intelligence Operations Platform data, specifically by leveraging continuously updated Risk Lists and by blocklisting IP addresses and domains associated with ClickFix to block communication with malicious infrastructure.
• Monitor Malicious Infrastructure Risk Lists: Continuously update security information and event management (SIEM) and endpoint detection and response (EDR) tools with Recorded Future Risk Lists to block traffic to identified staging and command-and-control (C2) domains.
• Use Malware Intelligence: Leverage the Recorded Future Intelligence Operations Platform to hunt for indicators of compromise (IoCs) associated with payloads identified in this report, such as NetSupport RAT, Odyssey Stealer, and Lumma Stealer.
• Leverage Network Intelligence: Use Recorded Future Network Intelligence to detect exfiltration events early (such as those linked to NetSupport RAT), which can help prevent intrusions before they escalate. This approach relies on comprehensive, proactive infrastructure discovery provided by Insikt Group and the analysis of vast amounts of network traffic.
• Use Identity Module: Recorded Future customers should leverage the Identity Module to monitor for credentials and passwords being sold on the dark web that have been stolen by information stealers.
• Disable Windows Run Dialog via Group Policy Objects (GPOs): For corporate environments, disable the Win+R keyboard shortcut and the Run command in the Start menu via Group Policy Objects (GPOs). This significantly hinders the ClickFix execution chain, as victims are typically instructed to paste malicious commands directly into this dialog box.
• Restrict Terminal and PowerShell Execution: Implement PowerShell Constrained Language Mode (CLM) and use AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of unassigned scripts and the misuse of living-off-the-land binaries (LOLBins). On macOS, restrict Terminal and other shell interpreters (for example, zsh and bash) using application control policies enforced via mobile device management (MDM), and leverage System Integrity Protection (SIP) and endpoint security controls to limit unauthorized script execution and abuse of native command-line utilities.
• User Awareness and Training: Conduct targeted social engineering simulations that specifically educate users on the dangers of "manual verification" prompts that require copying and pasting commands into system utilities.

Outlook

The identification of five parallel operational clusters targeting diverse sectors, including accounting, travel, real estate, and legal services, indicates that the ClickFix methodology has transitioned from a niche technique to a standardized template within the cybercriminal ecosystem. This standardized "run and repeat" model is facilitating broader adoption by both lower-tier "traffers" and sophisticated advanced persistent threat (APT) groups. Threat actors are able to maintain operational continuity even when individual domains are blocked due to the availability of disposable infrastructure and shared technical templates.

Insikt Group assesses with high confidence that the ClickFix methodology will very likely remain a heavily used initial access vector throughout 2026. The continued success of ClickFix is driven by its ability to bypass advanced browser-based security controls by shifting the point of exploitation to user-assisted manual actions. As long as native system utilities such as PowerShell and Terminal remain accessible to end-users, ClickFix will continue to offer threat actors a high-return, low-complexity alternative to traditional exploit kits.

Looking ahead, ClickFix lures will likely become increasingly technically adaptive. Future iterations are expected to incorporate more granular browser fingerprinting to conditionally serve payloads based on a victim's hardware, geographic location, or organizational profile. Furthermore, since threat actors are already purposefully documenting bypass techniques for static analysis engines within their code, Insikt Group anticipates a long-term trend toward more resilient and obfuscated staging environments. This convergence of sophisticated social engineering and LotL techniques necessitates a shift in defensive strategy, moving away from simple indicator blocking toward aggressive behavioral hardening of the system utilities that ClickFix relies upon.

Appendix A: Indicators of Compromise

Appendix B: Cluster 1 — Intuit QuickBooks Indicators

Appendix C: bibi.php Script

Appendix D: Cluster 2 — Booking.com Indicators

Appendix E: Cluster 3 — Birdeye Indicators

Appendix F: Birdeye Cluster Javascript

Appendix G: Cluster 4 — Dual-Platform Selection Indicators

In 2025, Insikt Group significantly expanded its tracking of malicious infrastructure, broadening
coverage across additional malware families and threat categories spanning cybercriminal and APT activity. This expansion included deeper analysis of infrastructure types, enhanced integration of data sources such as Recorded Future Network Intelligence®, improved threat detection methodologies,more granular higher-tier infrastructure insights, expanded victimology analysis, and a new focus on so-called threat activity enablers (TAEs). While many patterns identified in 2024 persisted, including Cobalt Strike’s dominance among offensive security tools (OSTs), AsyncRAT and QuasarRAT leading the remote access trojan (RAT) landscape, the widespread use of open-source or cracked malware variants, and the continued prevalence of Android malware within the mobile threat ecosystem, Insikt Group observed several notable shifts and emerging trends throughout 2025.

For example, although Cobalt Strike remained the most prominent OST, its relative share of detected command-and-control (C2) servers declined as detection coverage expanded and competing tools gained traction. Tools such as RedGuard, Ligolo, and Supershell saw significant growth in use throughout 2025. Following law enforcement disruption efforts targeting LummaC2, Vidar and other infostealers partially filled the gap, reflecting continued volatility in the infostealer ecosystem. Similar fluctuations were observed in the loader and dropper landscape, where new malware families consistently emerged, including CastleLoader, attributed to GrayBravo. Additionally, Insikt Group observed sustained and widespread use of traffic distribution systems (TDS), including activity by TAG-124, GrayCharlie, and other threat actors.

Defenders should leverage the insights from this report to strengthen security controls by prioritizing the detection and mitigation of the most prevalent malware families and infrastructure techniques. This includes enhancing network monitoring capabilities and deploying relevant detection mechanisms such as YARA, Sigma, and Snort rules. Organizations should also invest in tracking evolving malicious infrastructure dynamics, conducting threat simulations to validate their defensive posture, and maintaining continuous monitoring of the broader threat landscape. With respect to legitimate infrastructure services (LIS), defenders must carefully balance blocking, flagging, or allowing high-risk services based on assessed criticality and organizational risk tolerance.

As malicious infrastructure continues to evolve alongside improving detection capabilities, Insikt Group anticipates that many current trends will persist into 2026. Rather than dramatic shifts, change is likely to be driven by incremental innovation, adaptation to defensive measures, and reactions to public reporting and law enforcement actions. Threat actors are expected to continue leveraging legitimate tools, services, and content delivery networks (CDNs) such as Cloudflare, a pattern also heavily observed among multiple APT groups, to blend malicious activity with legitimate traffic. While not yet widely observed at the infrastructure layer, Insikt Group assesses that artificial intelligence may increasingly be leveraged to support evasion and operational resilience. The “as-a-service” ecosystem is likely to continue expanding across malware categories, enabling scalability and lowering barriers to entry for threat actors. Although public reporting and sanctions targeting certain TAEs have triggered increased scrutiny, the ecosystem’s underlying economic and operational logic is expected to remain

intact, allowing established actors to continue operating. At the same time, Insikt Group anticipates increasingly assertive international law enforcement actions targeting malicious infrastructure, including coordinated takedowns and other disruption efforts.

Key Findings

• Infostealers remained the primary infection vector in 2025, with malware-as-a-service (MaaS)offerings dominating. Vidar outperformed competitors, Lumma proved resilient despite law enforcement and doxxing pressure, and the wider ecosystem remained highly volatile.
• Cobalt Strike retained clear dominance in OST detections (~50%) despite declining share, while Metasploit and Mythic held their positions. RedGuard, Ligolo, and Supershell expanded notably, and jQuery again led as the most prevalent malleable C2 profile by detections and geographic reach.
• The malware ecosystem remained anchored in MaaS and open-source tooling across desktop and mobile, with AsyncRAT and Quasar RAT leading the RAT landscape, DcRAT and REMCOS RAT gaining share, and families such as XWorm, SectopRAT, and GOSAR entering the top tier, while Android dominated mobile activity (nine of the top ten families) amid rising use of mercenary spyware.
• Droppers, loaders, and TDS remained dynamic but resilient in 2025, with high loader turnover following Operation Endgame 2024, driven by Latrodectus expansion and the rise of MintsLoader and GrayBravo’s CastleLoader, alongside sustained and widespread TDS activity linked to TAG-124, GrayCharlie, and other threat actors.
• Lastly, in 2025, Insikt Group pivoted to identifying TAEs via the Threat Density List, highlighting high-risk networks such as Virtualine Technologies, often transiting via aurologic GmbH, that sustained operations through Regional Internet Registry (RIR) resource abuse and rapid rebranding despite sanctions and law enforcement pressure.

Background

Insikt Group proactively identifies and monitors infrastructure linked to hundreds of malware families,threat actors, and related artifacts, including phishing kits, scanners, and relay networks. Through daily,automated validation using proprietary methods, Insikt Group delivers accurate risk representation,enabling Recorded Future customers to strengthen their detection and defense capabilities.

Building on Insikt Group’s annual malicious infrastructure reports from 2022, 2023, and 2024, this year’s report delivers a concise, data-driven overview of malicious infrastructure observed throughout 2025. While the percentages presented throughout the report are intended to provide insight into trends and the state of malicious infrastructure in 2025, it is important to note that Insikt Group continuously adds new detections for both existing and emerging families, which makes year-over-year comparisons imperfect.

This year, the focus continues to be on the synergy between passive infrastructure detection,
higher-tier infrastructure insights powered by Recorded Future Network Intelligence, and victim
identification. It also expands to examine trends across the ecosystem of TAEs that underpin cyber threats, including how sanctions against selected entities have reshaped that landscape. Overall, this report is intended for anyone interested in malicious infrastructure, providing a high-level overview of its current state along with summaries of key findings to support informed decision-making and offer a broad perspective on this rapidly evolving landscape.

Recognizing the challenge of categorizing malware types in a mutually exclusive manner due to their overlapping functionalities, this report establishes a set of malware categories to facilitate analysis, as detailed in Appendix A, with brief definitions for each. Notably, certain malware categories, such as crypters, have been intentionally excluded because they typically lack network artifacts.

Beyond examining malicious infrastructure through the lens of malware categories, Insikt Group also monitors it by type, assigning each a distinct risk score within the Recorded Future Intelligence Operations Platform®. This differentiation reflects varying levels of severity. For instance, network traffic to or from a C2 server in a corporate network may indicate a higher risk compared to the presence of a management panel, as the former typically implies active malicious activity. The infrastructure types defined by Insikt Group are detailed in Appendix B.

Download the full report

Credential theft is the dominant initial access vector for enterprise breaches. In 2025, Recorded Future detected:

• 1.95 billion malware combo list credential exposures
• 36 million database combo list credential exposures
• 24 million database dump credential exposures
• 892 million malware log credential exposures

Five findings stand out from the data:

1. Credential theft accelerated as the year progressed. Recorded Future identified 50% more credentials in the second half of 2025 than in the first half of the year. 90% more credentials were identified in the last three months of the year than in the first three months
2. Stolen credentials are targeted, not random. Of the 7 million credentials indexed with identifiable authorization URLs, 63.2% were tied to authentication systems. VPNs, RMM tools, cloud platforms, and detection software also featured prominently — meaning attackers are often going directly for the systems that provide the broadest access and, in some cases, the ability to blind security teams entirely.
3. Infostealer malware is outpacing traditional breach detection. Each compromised device yielded an average of 87 stolen credentials. The scale and precision of modern infostealers means a single infected endpoint — including a personal device used to access corporate systems — can expose an entire organization.
4. MFA alone is no longer sufficient protection. 276 million of the credentials indexed in 2025 included active session cookies, meaning attackers can bypass multi-factor authentication entirely. This represents 31% of all malware-sourced credentials.
5. Detection speed is the decisive advantage. Over half of all credentials (53%) were indexed within one week of exfiltration, and 36.4% within 24 hours. Organizations that act on intelligence quickly can intervene before stolen credentials are exploited.

The Scale of the Problem: Compromised Credentials in 2025

Volume Grew Throughout the Year

Credential compromise from malware logs was not a static risk in 2025 — it compounded. Recorded Future observed a consistent upward trend throughout the year, with the second half producing 50% more indexed credentials than the first.

The final three months of the year were particularly active: They saw 90% more volume than the first three months, reflecting both the continued proliferation of infostealer malware-as-a-service (MaaS) and the disruption and reformation of major malware families mid-year (covered in detail in the malware section below).

CHART 1: Monthly credential volume from malware logs, full year 2025 (Source: Recorded Future)

What this means for security teams: Seasonal or quarterly threat reviews are insufficient. The volume and pace of credential exposure in 2025 demands continuous monitoring — not periodic audits.

What do Those Credentials Actually Unlock?

CHART 2: Top authorization URL categories, 2025 (Source: Recorded Future)

More credentials exposed means more doors open to attackers. The authorization URL data from 2025 reveals exactly which doors they're targeting — and the picture is stark.

Of the 7 million credentials with high-risk authorization URLs indexed in 2025, 63.2% were tied to authentication systems. The next largest categories were web content management (9.95%) and cloud computing (7.58%), followed by remote monitoring and management tools (6.19%) and email infrastructure (3.87%).

This is not a random distribution. Authentication systems, cloud platforms, and remote access tools — VPNs at 2.4% and RMM tools at 6.19% — are precisely the systems that give attackers the broadest foothold inside an organization. A single stolen credential for an authentication portal or VPN can serve as the entry point for lateral movement, privilege escalation, and ultimately a full breach.

The presence of detection and response software (1.17%) and SIEM platforms (0.06%) in this list is particularly notable. Credentials for the tools organizations rely on to detect attacks are themselves being stolen — giving attackers the ability to blind security teams before they strike.

What this means for security teams: The value of a stolen credential is determined by what it unlocks. Prioritize monitoring and rapid response for credentials tied to authentication systems, remote access tools, cloud infrastructure, and security platforms — these can represent the highest-leverage targets for attackers operating with stolen credentials.

A Global Problem With Regional Concentration

Compromised credentials were indexed from organizations across the globe. The ten countries with the highest credential volume in 2025 were:

Table 1: Credentials indexed by country (Source: Recorded Future)

MAP 1: Credentials indexed by country (Source: Recorded Future)

The breadth of this data underscores that credential theft is not concentrated in a single region or industry — it is a universal risk. Organizations with global workforces, multinational supply chains, or international customer bases face exposure across multiple geographies simultaneously.

The Anatomy of a Compromise: What Attackers Actually Steal

87 Credentials Per Device

When an employee's device is infected with infostealer malware, the damage rarely stops at one account. In 2025, the average compromised device yielded 87 stolen credentials — spanning corporate applications, personal accounts, and cloud services accessed from the same machine.

Recorded Future's Compromised Host Incident Reports surface the full scope of each device-level infection, including the malware family responsible, file paths, IP addresses, and infection timelines. This context is what separates actionable intelligence from a list of leaked passwords.

Image 1: Incident Report results in Recorded Future Identity Intelligence

What this means for security teams: A single alert should trigger a device-level incident response, not just a password reset. Understanding what else was on that machine — and what else may have been exfiltrated — is essential to containing the full extent of the exposure.

The Cookie Problem: Why MFA Isn't Enough

One of the most significant findings from 2025 is the volume of credentials that included active session cookies alongside stolen passwords. Recorded Future indexed 276 million credentials with cookies — 31% of all malware-sourced credentials — a figure that grew 30% from the first half of the year to the second half.

Session cookies allow attackers to authenticate as a user without entering a password or completing an MFA challenge. They effectively render secondary authentication controls irrelevant for as long as the session remains active.

December was the single highest month for cookie-bearing credential exposure, indexing 18% more than the next highest month (November).

CHART 3: Monthly volume of credentials with cookies, 2025 (Source: Recorded Future)

What this means for security teams: MFA enrollment is necessary but not sufficient. Organizations should monitor for session cookie theft specifically, enforce shorter session token lifespans for high-risk applications, and treat any credential exposure from an infostealer log as a potential authentication bypass — not just a password reset trigger.

The Infostealer Ecosystem: How the Malware Landscape Shifted in 2025

LummaC2: The Year's Dominant Threat

LummaStealer emerged as the most widely deployed infostealer of 2025. Operating under a malware-as-a-service model since late 2022, it matured significantly over the past year, targeting Windows systems to harvest browser credentials, session cookies, cryptocurrency wallets, and two-factor authentication tokens.

Its distribution relied heavily on social engineering — fake software downloads and "ClickFix" techniques that trick users into executing malicious commands disguised as CAPTCHA challenges. Recent campaigns used CastleLoader for delivery, running obfuscated payloads in memory to evade detection.

In May 2025, a coordinated law enforcement action neutralized more than 2,300 LummaC2 command-and-control domains. The disruption was significant — but not fatal. LummaStealer operators migrated to bulletproof hosting services and employed sophisticated sandbox evasion techniques, including trigonometric analysis of mouse movements to avoid automated detection environments. Activity continued under private, select-affiliate operations through the remainder of the year.

How the Rest of the Ecosystem Responded

The 2025 infostealer landscape was shaped as much by law enforcement disruption as by attacker innovation. Each takedown created a vacuum that other malware families quickly filled.

Early 2025: The late-2024 law enforcement actions against RedLine and META pushed users toward emerging MaaS alternatives, consolidating volume around LummaC2 and accelerating its dominance through Q2.

Mid-2025: Following the LummaC2 disruption in May, established families — Rhadamanthys, Vidar, and StealC — absorbed the displaced activity. Rhadamanthys led through the summer until its own infrastructure was taken down by law enforcement in November 2025. Vidar stepped into the lead position thereafter.

Rebranding as a survival strategy: Disruption prompted reinvention. StealC relaunched as StealC v2. Vidar operators attempted a similar rebrand. These moves reflect a deliberate effort by malware developers to obscure continuity and frustrate attribution.

macOS: Atomic macOS Stealer (AMOS) dominated the macOS market through most of 2025, disappearing in October before returning in February 2026. MacSync (formerly Mac.C) emerged as the primary commodity macOS infostealer by year end.

Private operations grew: Increased law enforcement pressure on publicly accessible MaaS tools pushed sophisticated threat actors toward private infostealers with restricted affiliate access. Acreed (also known as ACR Stealer) and Odyssey Stealer represented the most significant private-operation families of 2025. Private Lumma operations also continued post-disruption.

What this means for security teams: Malware family names change. Takedowns create temporary disruption, not permanent resolution. Organizations that track exposure by malware family rather than only by leaked credential volume will be better positioned to understand the true source and scope of each incident.

Recommendations for Security Teams

The 2025 data points to four areas where security teams can meaningfully reduce their exposure to credential-based attacks.

1. Extend monitoring to personal devices. The majority of infostealer infections occur on personal devices used to access corporate systems — a risk that endpoint detection tools and traditional perimeter controls cannot address. Monitoring infostealer malware logs directly provides visibility into these exposures before they are weaponized.

One large automotive parts distributor found that Recorded Future surfaced stolen credentials tied to an employee's personal device — an exposure their existing tools had no visibility into and would likely never have caught.

2. Treat session cookie exposure as a critical-severity event. With 276 million credentials carrying active cookies in 2025, any infostealer-sourced credential exposure should trigger immediate session invalidation in addition to a password reset. MFA bypass via stolen cookies is not a theoretical threat — it is an observed, frequent attack pattern.

3. Automate response workflows to close the detection-to-remediation gap. The data shows that most credentials are indexed within days of theft. Organizations that have pre-built response playbooks — automatically checking Active Directory, clearing sessions, forcing resets, and notifying managers — respond in minutes rather than hours.

"We created a custom SOAR playbook using the Identity Intelligence module. This playbook takes the information of compromised corporate user accounts, runs an Active Directory check for the credentials, clears user sessions and resets the password if the account is found to be compromised. It also notifies the user's manager for email response. To date, we have processed over 330 different identity alerts. " — Bryan Cassidy, Lead Cyber Defense Engineer, 7-Eleven (UserEvidence)

4. Monitor your entire domain footprint — including subsidiaries and third parties. Some of the most consequential exposures in 2025 involved obscure subsidiaries and supply chain partners, not core corporate domains. Attackers do not limit themselves to obvious targets. Security teams shouldn't limit their monitoring to obvious domains either.

One large international financial services firm detected an infostealer on a third-party service provider's machine through Recorded Future — surfacing a supply chain exposure that would have been invisible through traditional monitoring alone.

The Recorded Future Advantage: Detection Speed – From Exfiltration to Alert in Hours

The gap between when credentials are stolen and when a security team finds out is where breaches happen. Most organizations discover compromised credentials days or weeks after the fact — through a public breach disclosure, a tip from law enforcement, or an incident that's already underway.

Recorded Future closes that gap. In 2025, 36.4% of all indexed credentials were detected within 24 hours of exfiltration, and 52.9% within one week. By the time stolen credentials are being traded or weaponized, Recorded Future customers have already been alerted.

Table 2: Exfiltration freshness breakdown (Source: Recorded Future)

Speed matters because attackers move fast. Infostealer logs are often listed for sale within hours of collection. Every day between exfiltration and detection is a day an attacker may already have access. The 15.3% of credentials not detected within a month illustrate what happens when that window stays open — extended attacker dwell time, lateral movement, and incidents that escalate into major breaches.

For Recorded Future customers, early detection is only half the equation. Pre-built integrations with Okta, Microsoft Entra ID, and SOAR platforms like XSOAR mean that when a credential alert fires, automated workflows can clear sessions, force password resets, and notify managers — without waiting for an analyst to pick up the ticket.

A large international financial services firm's Team Lead described a recent credential leak: identified and escalated in under 24 hours, triggering immediate automated remediation — exactly the outcome their team had built toward.

Appendix: Notable Passwords from 2025 Credential Exposures

The following passwords appeared most frequently across credentials indexed by Recorded Future in 2025. Their prevalence reflects the continued gap between password policies and actual user behavior — and the reason why credential monitoring cannot rely on password complexity alone as a proxy for risk.

About This Report

This report is based on data indexed by Recorded Future's Identity Intelligence Module across the full calendar year 2025. Recorded Future monitors credentials across open web, dark web, paste sites, Telegram channels, and infostealer malware logs sourced from 30+ malware families. All credential data can be processed and analyzed without storing plaintext passwords in customer-facing systems.

Find out What’s Already Exposed in Your Environment

The data in this report reflects the broader threat landscape. The question is how much of it applies to your organization specifically.

Recorded Future's complimentary Identity Exposure Assessment pulls directly from the Recorded Future Intelligence Graph to show you the volume, recency, and severity of your organization's credential exposure over the past year — including compromised employee credentials, infostealer-sourced data, and how your exposure has trended over time.

There's no commitment required. Just a clear picture of where your organization stands.

Get your complimentary Identity Exposure Assessment →

What security teams need to know:

• Microsoft dominates: Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day
• Supply-chain attack on Notepad++: Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor
• APT28 exploits MSHTML flaw: The Russian state-sponsored group leveraged CVE-2026-21513 via malicious Windows Shortcut files for multi-stage payload delivery
• Public exploits available: Four of 13 vulnerabilities have publicly available proof-of-concept code; an alleged exploit for a fifth is being advertised for sale

Bottom line: Despite a 43% drop in volume, February's vulnerabilities include named threat actor exploitation and five RCE-enabling flaws, making prioritized, intelligence-driven remediation as important as ever.

Quick Reference: February 2026 Vulnerability Table

All 13 vulnerabilities below were actively exploited in February 2026.

Table 1: List of vulnerabilities that were actively exploited in February based on Recorded Future data. *An alleged exploit for CVE-2026-21533 is being advertised for sale across Github. Recorded Future Triage was used to browse the website advertising the exploit, which can be viewed here via the Replay Monitor. (Source: Recorded Future)

Key Trends: February 2026

Vendors Most Affected

• Microsoft led with six vulnerabilities across Windows, Windows Server, Office, and Microsoft 365 products
• BeyondTrust faced a critical OS command injection flaw in Remote Support (RS) versions 25.3.1 and earlier, and Privileged Remote Access (PRA) versions 24.3.4 and earlier
• Cisco saw active exploitation of an authentication bypass in Catalyst SD-WAN infrastructure
• Additional affected vendors: Notepad++, Apple, Soliton Systems K.K., Google, and Dell

Most Common Weakness Types

• CWE-78 – OS Command Injection (tied for most common)
• CWE-693 – Protection Mechanism Failure (tied for most common)
• CWE-476 – NULL Pointer Dereference
• CWE-843 – Type Confusion
• CWE-807 – Reliance on Untrusted Inputs in a Security Decision

Exploitation Activity

Vulnerabilities associated with malware campaigns:

• Lotus Blossom (suspected China state-sponsored) exploited CVE-2025-15556 to hijack Notepad++ update traffic between June and December 2025. The campaign rotated C2 servers across three attack chains to deliver a Metasploit loader, Cobalt Strike Beacon, and a custom backdoor called Chrysalis.
• APT28 (Russian state-sponsored) exploited CVE-2026-21513 using malicious Windows Shortcut (.lnk) files with embedded HTML payloads for multi-stage payload delivery, with observed network communication to infrastructure associated with the threat group.
• UNC6201 (suspected China-nexus) exploited CVE-2026-22769 to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT, a C#-based backdoor with native AOT compilation to complicate detection.

Long-running exploitation activity:

• UAT-8616 exploited CVE-2026-20127, chaining it with CVE-2022-20775 to achieve root-level access on Cisco Catalyst SD-WAN systems, with Cisco Talos attributing the activity to a sophisticated threat actor and assessing that the activity dates back to at least 2023.

Priority Alert: Active Exploitation

These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.

CVE-2025-15556 | Notepad++

Risk Score: 99 (Very Critical) | CISA KEV: Added February 12, 2026

Why this matters: Lotus Blossom exploited this flaw to replace legitimate Notepad++ update packages with malicious installers, deploying Cobalt Strike and the Chrysalis backdoor to targeted users over a six-month period. The vulnerability affects the WinGUp updater used by Notepad++ versions prior to 8.8.9, which fails to cryptographically verify downloaded update metadata and installers.

Affected versions: Notepad++ versions prior to 8.8.9 (version 8.9.1 recommended)

Immediate actions:

• Update to Notepad++ version 8.9.1, released January 26, 2026
• Hunt for the malicious update.exe sample (SHA256: 4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566) in your environment
• Monitor for GUP.exe spawning unexpected child processes
• Review network connections for traffic to 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, 45[.]32[.]144[.]255, or 95[.]179[.]213[.]0
• Check for directories named ProShow under %APPDATA% or unexpected files in %APPDATA%\Adobe\Scripts\
• Block or alert on curl.exe uploading files to temp[.]sh

Known C2 infrastructure: 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, cdncheck[.]it[.]com, safe-dns[.]it[.]com, 95[.]179[.]213[.]0

Detection resources: Insikt Group created Sigma rules to detect update.exe's execution of reconnaissance commands (whoami, tasklist, systeminfo, and netstat -ano) and curl commands for system information exfiltration, available to Recorded Future customers.

Figure 1: Risk Rules History from Vulnerability Intelligence Card® for CVE-2025-15556 in Recorded Future (Source: Recorded Future)

• Latin America faces a distinct and evolving cyber threat landscape, from PIX payment fraud to ransomware hitting critical infrastructure.
• Most LATAM security teams are still reactive by necessity, and that posture is costing organizations in downtime, data, and trust.
• Recorded Future offers LATAM-specific threat intelligence, automation, and 100+ integrations to help stretched teams get ahead of attacks before they land.
• Meet us at RSA Booth N-6090 to see how intelligence-led security can transform your team's posture, from response to prevention.
• Join our upcoming webinar to learn what proactive intelligence looks like for your region.
  Understanding the Dark Covenant, Its Evolution, and Impact

Available for purchase now via the Recorded Future Platform, Money Mule Intelligence helps fraud teams identify the accounts criminals use to extract and move stolen funds—addressing a critical gap as scams increasingly become banks' most pressing fraud challenge.

The Growing Threat of Authorized Push Payment Fraud

Authorized Push Payment (APP) fraud is accelerating. In the U.S., APP fraud losses are projected to reach nearly $15B by 2028, up from $8.3B in 2024, according to Deloitte. While traditional card fraud continues to decline, APP fraud is climbing, fueled by AI-generated deepfakes, personalized scam scripts, and instant payment systems like FedNow and Zelle that move money faster than conventional fraud controls can intercept it.

Mule accounts, or money mules, are part of the critical infrastructure that makes these scams possible. They provide the bridge that converts stolen payments into untraceable cash or cryptocurrency. Without them, most APP fraud would collapse because criminals cannot risk receiving funds directly into their own accounts. By the time victims realize they've been scammed, mule accounts have already moved the money through multiple layers, typically ending in cash withdrawals or crypto conversions.

Additionally, the sophistication of mule operations is increasing. Criminal organizations now employ "mule herders" who manage hundreds of accounts at once, using AI to simulate normal transaction behavior (grocery purchases, streaming subscriptions, etc.) so accounts don't appear dormant or suspicious. This makes detection through traditional pattern analysis increasingly difficult.

Regulators are responding by shifting liability to banks, often viewing those allowing mule accounts to operate as part of the criminal infrastructure itself. For example, the UK now requires banks to reimburse scam victims and allows them to delay suspicious payments for investigation, while U.S. regulators are signaling that banks may be held liable for failing to detect mule accounts.

Detecting mule accounts is fundamentally difficult. They’re designed to blend in with legitimate activity, and traditional fraud controls can struggle to distinguish between a genuine customer payment and a scam transfer until it's too late.

CYBERA's Approach to Mule Intelligence

The challenge of detecting and disrupting mule account networks is what led CYBERA's founders to build their solution. Coming from legal practice and law enforcement, CYBERA's leadership team worked scam cases where they witnessed how recovery becomes impossible once funds move through the financial system. They realized that money mule networks represent a central vulnerability in the scam economy, one that banks had limited visibility into.

Today, CYBERA helps banks and payment networks disrupt scams at the point where funds are extracted. CYBERA's AI-powered Scam Engagement System generates intelligence on bank accounts and payment endpoints actively used by scam networks.

Unlike probabilistic risk scoring, CYBERA verifies each account, providing evidence and contextual metadata to enable proactive prevention across both internal accounts and outbound payments while minimizing false positives.

CYBERA supports two core use cases:

• On-Us Mule Detection, which helps identify mule accounts held at your institution that are already linked to confirmed scam activity. This enables early detection and disruption of high-risk accounts, reducing downstream fraud, repeat victimization, and regulatory exposure within a bank’s accountholders.
• Off-Us Screening, which screens outbound payments to external beneficiary accounts before execution, helping to prevent customers from sending funds to scammer-controlled accounts. This is particularly valuable for high-value transfers, social engineering attacks, and customer-initiated payments where traditional controls are limited.

Large financial institutions have already prevented multiple six-figure losses by embedding CYBERA’s intelligence into their transaction monitoring workflows. CYBERA has also been accepted as a member of the Mastercard Start Path program, making it the first Recorded Future partner to achieve this distinction and further validating its role in the payments ecosystem.

How Money Mule Intelligence Expands Payment Fraud Intelligence

Payment Fraud Intelligence (PFI) correlates the widest set of disparate, pre-monetization indicators of fraud to help teams act before their customers are impacted. Money Mule Intelligence extends that capability, giving fraud teams the verified intelligence needed to make high-confidence decisions that disrupt scams by flagging accounts that have been confirmed as mule infrastructure through direct investigation. Together, they provide coverage from initial compromise through attempted cash-out, helping fraud teams prevent losses at multiple intervention points.

As regulators increasingly expect banks to prevent scam-enabled transfers, Money Mule Intelligence provides the verified data needed to comply with emerging reimbursement requirements while reducing the operational burden of post-incident investigation and remediation.

PFI users that purchase this capability, can now act on both sides of the transaction—compromised payment instruments and scam-linked receiving accounts—with evidence-backed intelligence that minimizes false positives and aligns with the industry's shift toward proactive fraud prevention.

What security teams need to know:

• APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
• Microsoft and SmarterTools lead concerns: These vendors accounted for 30% of January's vulnerabilities, with multiple critical authentication bypass and RCE flaws
• Public exploits proliferate: Fourteen of the 23 vulnerabilities reported have public proof-of-concept exploit code available
• Code Injection dominates: CWE-94 (Code Injection) was the most common weakness type, followed by CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Bottom line: The slight increase masks significant threats. APT28's zero-day exploitation and multiple critical authentication bypass flaws demonstrate that threat actors continue targeting enterprise communication and management platforms for initial access and persistence.

Quick Reference Table

All 23 vulnerabilities below were actively exploited in January 2026.

Table 1: List of vulnerabilities that were actively exploited in January based on Recorded Future data (Source: Recorded Future)

Key Trends in January 2026

Affected Vendors

• Microsoft faced four critical vulnerabilities across Windows and Office products, including APT28's zero-day exploitation of CVE-2026-21509
• SmarterTools accounted for three critical vulnerabilities affecting SmarterMail, all enabling authentication bypass or RCE
• Cisco saw two critical flaws in Identity Services Engine and Unified Communications Manager
• Ivanti dealt with two pre-authentication RCE vulnerabilities in Endpoint Manager Mobile
• Additional affected vendors/projects: Fortinet, SolarWinds, Broadcom, Synacor, Versa, Hewlett Packard Enterprise, GNU, Linux, Vite, Prettier, Gogs, and Modular DS

Most Common Weakness Types

• CWE-94 – Code Injection
• CWE-288 – Authentication Bypass Using an Alternate Path or Channel
• CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

Threat Actor Activity

APT28's Operation Neusploit marked January's most sophisticated campaign:

• Exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files
• Deployed MiniDoor, a malicious Outlook VBA project designed to collect and forward victim emails to hardcoded addresses
• Deployed PixyNetLoader, which staged additional components and culminated in a Covenant Grunt implant
• Abused Filen API as a C2 bridge between the implant and actor-controlled Covenant listener

Priority Alert: Active Exploitation

These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.

CVE-2026-21509 | Microsoft Office

Risk Score: 99 (Very Critical) | Active exploitation by APT28

Why this matters: Zero-day exploitation by Russian state-sponsored actors bypasses Office security features, enabling delivery of email collection implants and backdoors. The vulnerability stems from reliance on untrusted inputs in security decisions, allowing unauthorized attackers to bypass OLE mitigations.

Affected versions: Microsoft 365 and Microsoft Office (versions not specified in advisory)

Immediate actions:

• Install Microsoft's out-of-band update released January 26, 2026
• Search email systems for RTF attachments with embedded malicious droppers
• Check for modifications to %appdata%\Microsoft\Outlook\VbaProject.OTM
• Review registry keys: HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level, Software\Microsoft\Office\16.0\Outlook\Options\General\PONT_STRING, and Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot
• Monitor for connections to 213[.]155[.]157[.]123:443 and remote connectivity to Microsoft Office CDN endpoints
• Hunt for scheduled tasks named "OneDriveHealth" and suspicious files in %programdata%\Microsoft\OneDrive\setup\Cache\SplashScreen.png
• Block email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me

Figure 1: Vulnerability Intelligence Card® for CVE-2026-21509 in Recorded Future (Source: Recorded Future)

CVE-2026-23760 | SmarterTools SmarterMail

Risk Score: 99 (Very Critical) | CISA KEV: Added January 26, 2026

Why this matters: Unauthenticated attackers can reset system administrator passwords without any credentials or prior access, enabling complete administrative takeover and potential RCE through volume mount command injection.

Affected versions: SmarterTools SmarterMail prior to build 9511

Immediate actions:

• Upgrade to build 9511 or later immediately
• Review administrator account activity logs for unauthorized password resets
• Check Volume Mounts configuration for suspicious command entries (this one IS correct for SmarterMail)
• Review administrator access patterns and session logs
• Audit system for unauthorized changes made with compromised admin access

CVE-2026-1281 & CVE-2026-1340 | Ivanti Endpoint Manager Mobile

Risk Score: 99 (Very Critical) | CISA KEV: CVE-2026-1281 added January 29, 2026

Why this matters: Pre-authentication RCE vulnerabilities in EPMM enable unauthenticated attackers to execute arbitrary code by exploiting Apache RewriteMap helper scripts that pass attacker-controlled strings to Bash.

Affected versions: Ivanti EPMM 12.5.0.0 and earlier, 12.5.1.0 and earlier, 12.6.0.0 and earlier, 12.6.1.0 and earlier, and 12.7.0.0 and earlier

Immediate actions:

• Install temporary fixes via RPM packages: EPMM_RPM_12.x.0 - Security Update - 1761642-1.0.0S-5.noarch.rpm and EPMM_RPM_12.x.1 - Security Update - 1761642-1.0.0L-5.noarch.rpm
• Plan migration to EPMM 12.8.0.0 (scheduled for Q1 2026 release)
• Monitor for unusual Apache RewriteMap activity
• Review logs for crafted HTTP parameters to app store retrieval routes
• Check for unauthorized code execution attempts via RewriteRule handling

Exposure: EPMM instances accessible over corporate networks or VPN connections

Figure 2: Risk Rules History from Vulnerability Intelligence Card® for CVE-2026-1340 in Recorded Future (Source: Recorded Future)

Technical Deep Dive: Exploitation Analysis

APT28's Operation Neusploit (CVE-2026-21509)

The multi-stage attack chain: CVE-2026-21509 enables bypass of Office OLE mitigations through weaponized RTF files:

• Initial delivery – Specially-crafted RTF file exploits CVE-2026-21509
• Server-side evasion – Malicious DLL returned only for requests from targeted geographies with an expected HTTP User-Agent
• Dropper variants – Two distinct infection paths deployed based on targeting:
  • Variant 1 (MiniDoor): Writes VBA project to Outlook, modifies registry settings to enable macro execution, forwards emails to hardcoded recipient addresses
  • Variant 2 (PixyNetLoader): Creates mutex asagdugughi41, decrypts embedded payloads using rolling XOR key, establishes persistence via COM hijacking

Why this matters: APT28 demonstrates sophisticated exploitation combining zero-day vulnerabilities with anti-analysis techniques, targeting government and business users for email collection and persistent access.

Modular DS WordPress Plugin Exploitation (CVE-2026-23550 & CVE-2026-23800)

The authentication bypass chain: CVE-2026-23550 enables administrator-level access without authentication:

• Plugin treats requests as trusted based on request-supplied indicators rather than cryptographic verification
• /api/modular-connector/login flow grants access based on site connector enrollment state
• If no user identifier is supplied, the code selects an existing administrative user and establishes a privileged session
• CVE-2026-23800 represents the second exploitation path via REST API user creation: /?rest_route=/wp/v2/users&origin=mo&type=x

Known IoCs associated with CVE-2026-23550:

• 45[.]11[.]89[.]19
• 185[.]196[.]0[.]11
• 64[.]188[.]91[.]37

Known IoCs associated with CVE-2026-23800:

• 62[.]60[.]131[.]161
• 185[.]102[.]115[.]27
• backup[@]wordpress[.]com
• backup1[@]wordpress[.]com

Why this matters: WordPress plugin vulnerabilities enable threat actors to compromise multiple sites from a single centralized management platform, amplifying attack impact.

SmarterMail Authentication Bypass (CVE-2026-23760)

The password reset flaw: CVE-2026-23760 exposes privileged password reset to anonymous callers:

• ForceResetPassword controller attribute explicitly permits unauthenticated access
• Backend ForcePasswordReset routine branches on client-supplied IsSysAdmin boolean rather than deriving account type from server-side context
• System administrator branch performs basic checks, then sets Password directly from the supplied NewPassword
• Logic fails to validate OldPassword, lacks an authenticated session requirement, and omits authorization controls

Why this matters: Complete administrative takeover without credentials enables threat actors to deploy web shells, modify configurations, and establish persistent access to mail server infrastructure.

Detection & Remediation Resources

Nuclei Templates from Insikt Group®

Recorded Future customers can access Nuclei templates for:

• CVE-2025-8110 (Gogs) - Version detection and fingerprinting check
• CVE-2026-23760 (SmarterMail) - Authentication bypass validation

Recorded Future Product Integrations

• Vulnerability Intelligence – Prioritize based on active exploitation data, including APT28 targeting
• Attack Surface Intelligence – Discover exposed SmarterMail, Ivanti EPMM, and Modular DS assets
• Third-Party Intelligence – Monitor vendor vulnerabilities across your supply chain

January 2026 Summary

State-sponsored zero-days return. APT28's exploitation of CVE-2026-21509 demonstrates continued Russian interest in email collection and persistent access through Office vulnerabilities.

Authentication bypass dominates enterprise risk. Multiple critical flaws in SmarterMail, Modular DS, and Cisco products enable complete administrative takeover without credentials.

Legacy vulnerabilities persist. CVE-2009-0556 (Microsoft Office) highlights how threat actors continue targeting unretired systems where patching has lagged for over a decade.

Take Action

Ready to see how Recorded Future can help your team detect state-sponsored exploitation, prioritize authentication bypass fixes, and reduce enterprise attack surface? Explore our demo center for live examples, or dive deeper with Insikt Group research for technical threat intelligence.

About Insikt Group®:

Recorded Future's Insikt Group® is a team of elite analysts, linguists, and security researchers providing actionable intelligence to protect organizations worldwide. Our research combines human expertise with AI-powered analytics to deliver timely, relevant threat intelligence on emerging vulnerabilities and threat actor campaigns.

Since its full-scale invasion of Ukraine in February 2022, Russia has waged what we assess is largely opportunistic, though increasingly aggressive, hybrid warfare in NATO territory. Moscow has very likely not yet leveraged its full capability to integrate cyber, political, and sabotage tools into a full-scale campaign.

Over the next two years, Russian President Vladimir Putin will likely escalate Russia’s hybrid warfare campaign against NATO members into a full-fledged campaign likely consistent with a Russian military doctrine called New Generation Warfare (NGW). Putin will likely use this campaign to degrade NATO political unity and defense capabilities, reinforce Russia’s network of overt and covert assets across NATO, and optimize the physical and political environment, should Putin decide to launch a military incursion into NATO territory.

In a full-scale NGW campaign in NATO territory, Russia would likely move from its current pattern of influence operations efforts combined with largely opportunistic cyber and sabotage targeting to a Europe-wide campaign that is more intentionally planned and aims to project Russian power and weaken European defenses on a systemic level. An NGW campaign would very likely involve Russia using the same tactics it is currently using, including sabotage operations, influence operations, territorial waters and airspace violations, and exploitation of some NATO states’ dependence on Russian oil and gas. The primary differences between Russia’s current operations in Europe and an NGW campaign would include greater geographic breadth of those operations; greater frequency of operations; and Russia likely using tactics simultaneously and in coordinated ways. For example, likely Russia-directed threat actors might use a drone to violate the airspace over a NATO state’s airport, forcing the temporary closure of that airport, coupled with a distributed denial-of-service attack on the airport’s internal communications system. Russia might then post a video of the incidents through one of its overt or covert propaganda outlets, arguing that they show NATO cannot adequately protect its aviation network.

An NGW campaign in NATO territory would very likely have significant implications for private and public sector entities, including degradation of critical infrastructure, reputational risk for individuals and companies named in Russian influence operation campaigns, and reduced public confidence in the government’s ability to ensure their safety.

Over the next three to five years, Putin will likely evaluate the feasibility of moving from an NGW-like campaign in Europe to a kinetic military incursion. Factors Putin would likely weigh when making such a decision include NATO military capabilities, the likelihood that the US would defend a NATO state if it were attacked, and Russian military capabilities. However, even if the necessary conditions for such an operation emerge, the probability of a proactive Russian military operation into NATO territory very likely remains low.

Key Findings

• Russia’s hybrid warfare campaign in NATO territory between February 2022 and January 2026 has been increasingly aggressive, but likely opportunistic and not reflective of Russia’s full cyber, influence operations, and sabotage capabilities.
• Putin likely views the next two years as an opportunity to test NATO’s defensive capabilities and prepare the physical and psychological environment, should he decide to launch a military incursion. Putin likely assesses that the 2028 US presidential election could lead to a US president more willing to commit US resources to NATO. As such, Putin likely views the next two years as an opportunity to exploit existing US-NATO tensions to weaken NATO’s unity and ability to defend itself.
• Russia’s escalated aggression against NATO over the next two years is likely to have the hallmarks of a Russian military doctrine called New Generation Warfare (NGW), which combines sabotage operations, cyberattacks, influence operations, and other non-military actions to undermine the enemy’s confidence and prepare the physical and psychological environment, should Russia elect to escalate into a kinetic military campaign.
• A full-scale NGW campaign would likely involve an intensified campaign of tactics Russia has used against NATO in the last few years, including sabotage operations, influence operations, violations of NATO airspace with drones and jets, violations of NATO states’ territorial waters, targeting of undersea cables, and exploitation of some NATO states’ dependence on Russian gas and oil. Russia would likely deploy these tactics more frequently, across more states simultaneously, and would likely use tactics simultaneously in an attempt to strain NATO resources.
• A full-scale NGW campaign would have significant implications for private and public sector entities operating in NATO territory, including disruption to critical services, reputational risk for individuals and firms named in influence campaigns, supply chain disruptions, and reduced public trust in the government’s ability to safeguard critical infrastructure. The fact that most of the critical infrastructure in NATO territory is privately owned means public-private partnerships will be essential in mitigating the impact of escalated Russian aggression.

Russia Likely to Escalate into New Generation Warfare Campaign in Europe Over Next Two Years

Since Russia’s full-scale invasion of Ukraine in February 2022, it has waged what Insikt Group assesses is largely opportunistic, though increasingly aggressive, hybrid warfare in Europe. These actions, though destructive, have very likely not leveraged Russia’s full capability to integrate cyber, political, and sabotage tools into a full-scale campaign.

Nonetheless, Russian president Vladimir Putin very likely still prioritizes weakening European unity and defensive capabilities in service to his overarching foreign policy goal of replacing the US-led international system with a multipolar world in which Russia, the US, and China are relatively equal in terms of geopolitical influence. Putin very likely judges that uneven US assistance to European defensive efforts creates a window of opportunity for Russia to weaken Europe’s ability to resist Russian aggression. Putin likely views recent US-NATO tensions, such as the US’s articulated intention to control Greenland, as an opportunity to exacerbate the strategic distance between the US and NATO, thereby weakening the transatlantic partnership that has formed the core of the US-led, post-World War II security architecture. Putin also likely views the next two years as an opportunity to optimize the physical and informational environment in Europe, should he decide to launch a kinetic military attack against Europe.

Putin very likely views this window of opportunity as finite. He likely recognizes that the 2028 US presidential election could result in a US president more willing to commit US military and political resources to amplifying Europe’s defensive capabilities. As such, over the next two years, Putin will likely escalate Russia’s hybrid warfare against Europe into an expanded campaign that is likely consistent with the principles of Russian New Generation Warfare (NGW) –– a warfare doctrine espoused by senior Russian military officials emphasizing control of the information and psychological spaces, as well as the use of undeclared special forces, to weaken an enemy prior to using traditional military forces.

Europe’s efforts to bolster its defenses against current levels of Russian hybrid warfare likely reinforce Putin’s perception that Europe is motivated to weaken Russia, thereby likely making him more motivated to target Europe. Putin’s perception that Europe’s defensive efforts are actually a threat to Russia is likely rooted in his calculus that NATO is fundamentally an anti-Russia bloc. Putin has substantiated this assessment by pointing to actions such as NATO’s expansion to include former Warsaw Pact countries and its decision to install missile defense systems in Poland.¹

New Generation Warfare Origins and Principles

Insikt Group assesses that much of Russia’s aggressive foreign policy actions since the annexation of Crimea in March 2014 –– which marked the beginning of Putin’s more assertive efforts to push back against perceived Western efforts to weaken Russia –– have been consistent with NGW, a Russian doctrine in which the state aims to bring about political change in another country primarily by using overt and covert influence tools, as opposed to conventional military force. These tools can include influence operations, sabotage operations, and exploiting economic leverage.

New Generation Warfare is typically associated with Chief of the General Staff Valery Gerasimov’s 2013 article in the Russian journal Military-Industrial Kurier, though NGW is essentially a modern version of Soviet active measures. “Active measures” (aktivnye meropriyatiya) was a term used by the Soviet Union from the 1950s onwards to describe covert influence and subversion operations, including establishing front organizations, backing pro-Soviet political movements abroad, and attempting to orchestrate regime change in foreign countries. Active measures declined during the 1980s and 1990s, but Putin revived its use in the early 2000s. Indeed, in 2007, retired major-general Alexander Vladimirov alluded to that revival when he stated that “modern wars are waged on the level of consciousness and ideas” and that “modern humanity exists in a state of permanent war” in which it is “eternally oscillating between phases of actual armed struggle and constant preparation for it.”²

Despite the long history of Russia using active measures, Gerasimov’s 2013 article provides the most comprehensive account of how current Russian military leaders likely view this doctrine. Gerasimov’s article suggests that he views NGW both as the reality of modern warfare and as a preferred way of weakening enemies. Gerasimov argued that the Arab Spring demonstrated that modern wars are not declared conflicts between traditional militaries, but instead depend more on a combination of declared military force and tactics such as domination of the information space, targeting of critical enemy facilities, “asymmetric and indirect operations,” and the use of unofficial special forces. He argued that “the very ‘rules of war’ have changed. The role of nonmilitary means of achieving political and strategic goals has grown and, in many cases, they have exceeded the power of force of weapons in their effectiveness.”

The following table, taken from a translation of the article, shows Gerasimov’s view of traditional warfare as opposed to New Generation Warfare:

Figure 1: New Generation Warfare and traditional warfare forms and methods (Source: Military Review)

We assess that Russia’s campaign in Ukraine, starting with the annexation of Crimea in March 2014 and extending to its ongoing full-scale military operation, bears many of the hallmarks of NGW. Russia’s military operations more closely aligned with NGW principles from 2014 through 2021; after Russia’s full-scale invasion of Ukraine in February 2022, the Russian military transitioned to more traditional operations. Russia’s exploitation of influence operations and asymmetric warfare has been a feature of its operations since 2014, and since 2022, Russia has expanded asymmetric and sabotage operations in Europe likely as part of a multi-faceted strategy to use power exertion in Ukraine and Europe to weaken the Western geopolitical system.

This does not mean that Russian military leadership have consciously used NGW as their guiding principle in Ukraine at all times; indeed, we lack the insight into Russian military leadership thinking to assess with high confidence the principles they are employing. Rather, the combination of Gerasimov’s writings and observation of Russian operations in Ukraine means we can assess with medium confidence that Russia’s Ukraine operations prior to 2022 often reflected NGW principles. As such, we assess that NGW is a useful framework for understanding Russian military operations.

Table 1: New Generation Warfare principles (Source: Recorded Future)

New Generation Warfare Toolkit

In a full-scale New Generation Warfare campaign in Europe, Russia would likely move from its current pattern of influence operations efforts combined with largely opportunistic cyber and sabotage targeting to a Europe-wide campaign that is both proactive and reactive. It would likely involve the same tactics Russia has used against NATO states for the past few years. The difference would likely be that Russia would deploy these tactics more frequently and across a greater number of states at once. A full NGW campaign would likely also involve using some operational methods simultaneously and in ways that amplify one another.

Even in a full-scale NGW campaign, Russia would very likely aim to keep destruction below the threshold that risks NATO invoking Article 5. NATO officials have not specified precisely what the Article 5 threshold is; indeed, former NATO Secretary General Jens Stoltenberg stated that the grounds for invoking Article 5 “must remain purposefully vague.” However, it is likely that it would include a mass casualty event or the use of a chemical or biological weapon. The text of Article 5 specifies that the threshold involves “an armed attack.” NATO officials said in 2022 that a cyberattack could constitute grounds for invoking Article 5, though they did not specify what kind of cyberattack would qualify.

Russia is likely to face few downsides during an NGW campaign, due to minimal risk of Russian casualties and the campaign’s tactical flexibility. Unlike a conventional military campaign, which risks a high level of casualties that can cause domestic public dissatisfaction, an NGW campaign very likely would involve minimal risk to Russian citizens. In addition, an NGW campaign inherently offers significant tactical flexibility, as it is not a declared campaign in which Russia needs to articulate goals to justify the campaign to the Russian public and elites. As such, Putin would likely have the option to draw down tactics that are proving less effective and increase the use of more effective tactics, without needing to justify tactical failures. This flexibility would likely allow Putin to continue at least aspects of an NGW campaign in the likely event that Europe responds to an NGW campaign with escalated efforts to counter Moscow.

Influence Operations and Propaganda

Russian “active measures” serve as a force multiplier for Moscow’s broader political warfare, integrating influence operations, propaganda, and sabotage. In Europe, these efforts aim to weaken transatlantic cohesion, erode public and political support for Ukrainian sovereignty and assistance to Kyiv, and exacerbate internal societal divisions, economic uncertainty, and other challenges. By cultivating sanctions fatigue and encouraging selective bilateral re-engagement with Russia through active measures, Moscow seeks to mitigate its international isolation and undermine the rules-based international order, thereby advancing a Russia-favored multipolar system characterized by exclusive spheres of influence. Notably, these activities also include angles of domestic preservation by portraying the West as chaotic, corrupt, and immoral, and thereby discouraging the expansion of liberal democracies elsewhere, particularly from within.

Since Russia’s full-scale invasion of Ukraine in 2022, Insikt Group has observed concentrated Russian influence operations targeting the domestic audiences of what Moscow likely views as Kyiv’s core European supporters: the UK, France, Germany, and Poland. Insikt Group investigations, in addition to public reporting, have previously identified multiple influence operations targeting the above-mentioned major European allies, including Doppelgänger, Operation Overload, Operation Undercut, and CopyCop. These influence operations have commonly impersonated national and pan-European media outlets to disseminate messages aligned with Kremlin propaganda, including anti-Ukraine themes and content that denigrates pro-European political figures. Elsewhere, Russian influence operations have sought to use fear and physical demonstrations to manipulate public opinion. In France, for example, Russia-linked physical intimidation very likely intended to provoke public anxiety and societal unrest included the Star of David and red hand graffiti, as well as the placement of caskets near the Eiffel Tower ahead of the 2024 Paris Olympic Games. Similar efforts have also appeared elsewhere in Europe, including the emergence of pro-Russian billboards in Italy and the "Children of War, Alley of Angels" exhibit in Germany.

Russian influence efforts have also leveraged illicit financing and alleged bribery to attempt to favorably reshape European politics. For example, in spring 2024, Czech authorities attributed the Voice of Europe, an organization linked to Viktor Medvedchuk, to paying politicians in several EU countries to spread anti-Ukraine messages. In September and October 2024, Moldovan police reported that a Russia-linked network, allegedly run by fugitive oligarch Ilan Shor, channeled tens of millions of dollars to buy votes ahead of Moldova’s October 20, 2024, presidential election and EU referendum. In December 2024, Romanian prosecutors conducted raids and opened probes into alleged illegal campaign financing and payments to TikTok users and influencers associated with the then-annulled presidential vote. More recently, former UK Member of the European Parliament (MEP) Nathan Gill was sentenced on November 21, 2025, after pleading guilty for accepting bribes to make pro-Russian statements.

Insikt Group assesses Russia’s NGW against Europe will likely consist of aggressive influence operations targeting Europe that aim to erode European unity and advance Russia’s quest for a multipolar world order. NGW will very likely continue supporting Moscow’s core objectives of eroding political and public support for Ukrainian sovereignty and assistance to Kyiv, accelerate sanctions fatigue, and exploit domestic political crises and election cycles to fracture European cohesiveness and transatlantic cooperation. Moscow will likely expand its reliance on access to third parties and intermediaries, including sympathetic socio-political organizations and fringe movements, to launder Kremlin-aligned messages into the European information environment.

Across Europe, Russia will almost certainly continue to attempt to delegitimize existing democratic institutions and Europe’s information ecosystem by continuing to foster distrust in elections, mainstream media, the EU, and pro-European government figures. In a post-war environment, assuming European sanctions on Russian media enterprises are lifted, Russia will very likely attempt to reestablish its state media presence while also hardening itself to withstand future disruptions, legal restrictions, and platform or government takedowns in the event of a kinetic conflict with Europe.

New Generation Warfare operations against Europe will very likely incorporate much of Russia’s current-era influence tradecraft, including social media influence via human and automated networks, media impersonation and covert media outlet brands, illicit financing and bribery, and cyber-enabled influence such as hack-and-leak narratives. Further, Insikt Group assesses Moscow will very likely continue attempting to cultivate sympathetic allies through covertly funded fringe socio-political organizations, using these entities to astroturf “grassroots” support, amplify Kremlin-aligned narratives, and catalyze or intensify domestic unrest across Europe. We assess that Russia will also adapt emerging technologies, particularly AI, to scale the production, localization, and quality of influence content, increase dissemination efficiency, and optimize targeting. Continued advances in generative AI will almost certainly improve the realism of propaganda images and fabricated reporting, forged documents and correspondence, and synthetic impersonations of public figures, including audio and video deepfakes.

Airspace Incursions by Drones and Jets

Beginning in September 2025, suspected violations of NATO airspace by Russia-directed drone operators or Russian jets increased to unprecedented levels, as Russia likely sought to project power across NATO territory and test NATO resolve while maintaining plausible deniability. Insikt Group tracked 30 suspected or confirmed violations between September 2025 and January 2026, compared to 23 suspected or confirmed violations between March 2022 and August 2025. The most commonly targeted countries since March 2022 have been Poland and Romania; however, suspected Russian violations of NATO airspace have occurred outside of Russia’s historic sphere of influence, including in Germany, UK, Denmark and Norway. Violations have most frequently targeted critical infrastructure, such as military bases and airports.

In a full-scale New Generation Warfare-like campaign in Europe, Russia likely would escalate the frequency and level of aggressiveness of these violations. Russia’s targeting would likely continue to focus on critical infrastructure, but violations would very likely significantly increase in frequency. Russia would also likely use drones to fly closer to targets and perhaps hover over them for extended periods of time, in a likely effort to test NATO’s willingness to shoot down drones and perhaps collect intelligence on critical infrastructure facilities. Indeed, in September 2025, Polish authorities said they shot down Russian drones that violated Poland’s airspace.

Other ways Russia would likely escalate the aggressiveness of its airspace violations include timing those violations with major NATO events, such as military exercises and summits. Russia could escalate its use of drones as electronic warfare mechanisms, perhaps to disrupt NATO military exercises or the functioning of critical infrastructure facilities.

Russia would likely also use its drones to amplify its psychological warfare as a way of projecting power and demonstrating to the public that Moscow can disrupt everyday life in NATO countries. Russia could do this via tactics such as hovering drones over civilian transportation infrastructure, like railways or airports, which have already been forced to temporarily close. Russia could also launch drones over facilities hosting political summits, such as the annual NATO Summit, or over polling places during elections to stoke public fear. In a full-scale NGW campaign that involves coordination of multiple tactics, Russian propaganda outlets might release footage of these incidents to propagate a narrative that NATO states cannot protect their infrastructure. Russia could also combine drone or jet violations with sabotage operations to further sow public panic and force NATO governments into a defensive posture.

Russia would very likely seek to maintain some level of deniability and would avoid airstrikes and mass casualty events, which would almost certainly guarantee an Article 5 declaration.

Territorial Waters Violations and Targeting of Undersea Cables

Insikt Group assesses that, since February 2022, Russia has increasingly used violations of NATO states’ territorial waters⁴ and targeting of undersea cables to test the alliance’s resilience, collect intelligence, keep NATO in a reactive, defensive posture, and attempt to deter NATO from undermining Russian strategic interests. In June 2023, Deputy Chairman of the Security Council Dmitriy Medvedev stated that, “if we proceed from the proven complicity of Western countries in blowing up the Nord Streams, then we have no constraints — even moral — left to prevent us from destroying the ocean-floor cable communications of our enemies.” Medvedev’s comments were likely purposefully hyperbolic; however, they likely reflect a Kremlin perception that NATO is targeting Russian strategic interests, thereby justifying retaliatory action.

Examples of Russia likely targeting undersea cables and maritime assets include an April 2025 incident in which the UK identified Russian sensors attempting to collect intelligence on UK nuclear submarines and other underwater critical infrastructure; the Russian Yantar surveillance ship sailing near cables carrying data for Google and Microsoft under the Irish Sea in November 2024; and reports suggesting that the Russian Eagle S ship accused of damaging multiple undersea cables in December 2024 carried spy equipment to monitor naval activity.

Russian ships have also violated NATO states’ territorial waters, likely to test NATO resilience, force NATO into a defensive posture, and project power. Examples include a July 2025 incident in which a Russian border guard vessel entered Estonian territorial waters without permission; a July 2024 incident in which a Russian naval vessel entered Finnish territorial waters without authorization; and frequent encounters between NATO states and Russia-linked “shadow fleet” vessels. These vessels are tankers sailing under other flags, which often refuse inspection or orders from local navies.

During a full-scale New Generation Warfare campaign against NATO, Russia likely would escalate its targeting of undersea cables and violations of territorial waters. This could include more frequent cable targeting, likely to cause minor but persistent damage to undersea critical infrastructure that tests NATO resilience and Russian destructive capabilities without provoking an Article 5 declaration. Russia could also conduct electronic jamming operations during cable repairs to inhibit communications and use Russian ships to harass those conducting repairs.

Russia would also likely attempt longer and more provocative territorial waters violations, including placing Russian ships near NATO vessels and expanding these activities into areas such as the Mediterranean; conducting concurrent hybrid activity such as GPS jamming and automatic identification system (AIS) spoofing; refusing escort out of territorial waters; and combining territorial waters violations with airspace violations by Russian aircraft or targeting of undersea infrastructure.

Russia would likely aim to overwhelm NATO’s existing efforts to prevent sabotage of undersea infrastructure. In January 2025, Allied Joint Force Command Brunssum (JFCBS) launched Baltic Sentry — a campaign that uses tools such as frigates, maritime patrol assets, and naval drones to deter sabotage of undersea infrastructure. Since the launch of Baltic Sentry, the Baltic Sea has experienced very few undersea sabotage efforts; however, it is not clear whether this is the result of Baltic Sentry or a lack of planned operations.

Sabotage Operations

We assess Russia has escalated its use of sabotage operations in NATO territory since its full-scale invasion of Ukraine in 2022, likely to test the resilience particularly of NATO states’ critical infrastructure; propagate a narrative that Western states cannot protect their populations from threats; harm NATO’s ability to collectively respond to Russian aggression by forcing NATO into a reactive, defensive posture; and degrade NATO states’ ability to provide material support to Ukraine. Sabotage operations are loosely defined, but typically consist of targeting civilian or dual-use infrastructure with physical security attacks by deniable entities.

Particularly since 2022, Russia-linked entities have focused sabotage operations on critical infrastructure in NATO states, exploiting vulnerabilities wrought from deferred maintenance and lack of sufficient public or private investment in upkeep. Within critical infrastructure, the most frequently targeted sectors include undersea telecommunication and power cables; water supply and distribution; transportation; military; healthcare; and telecommunications. The number of Russian sabotage operations has quadrupled from 2023 to 2024, and in 2025, it was likely at levels consistent with 2024. Operations have occurred across NATO, as opposed to being focused in Russia’s historic sphere of influence. That said, the most commonly targeted states between January 2018 and June 2025 were Germany, Estonia, Latvia, Lithuania, and Poland.

In a New Generation Warfare-like campaign targeting NATO territory, Moscow would likely move from what we assess has thus far been largely opportunistic sabotage to operations with more consistency and geographic breadth, and that complement other tactics.

Russia would likely still focus its sabotage operations on critical infrastructure, but would likely place a premium on damaging the critical infrastructure of NATO states that either would be probable targets of a Russian military incursion — such as Poland or the Baltic states — or would lend significant assistance to those states, such as the UK, Germany, or France. This is because in an NGW campaign, Russia would likely view sabotage operations as, in part, a way to test the resilience of potential victim states and their allies. Russia’s sabotage operations against those targets would likely be more frequent and could coincide with significant events such as elections or military exercises. Russia would likely pair sabotage operations with other tactics, such as offensive cyber operations or airspace violations, to augment the destructive impact of the operations and try to strain NATO states’ capacity by forcing them to respond to multiple disruptions at once, while still staying below the threshold that would risk an Article 5 declaration.

Offensive Cyber Operations for Disruption and Counterintelligence

Russian cyber activity directed at European targets has consistently emphasized access-oriented operations, including attacks on internet-facing firewalls, virtual private networks (VPNs), email services, and web portals. This activity aligns with documented Russian cyber practices focused on enabling intelligence collection, operational reach, and long-term flexibility rather than immediate disruptive effects. Recent Insikt Group reporting highlights BlueEcho activity targeting perimeter infrastructure to establish footholds and enable follow-on credential capture and lateral movement, while BlueDelta campaigns demonstrate sustained credential harvesting at scale using impersonated Microsoft Outlook Web App (OWA), Sophos VPN, and Google login workflows. This tradecraft is low-cost, repeatable, and consistent with long-term counterintelligence targeting of government, defense, and research entities.

Russian cyber activity affecting Europe has been broad in scope, with targeting observed across multiple regions and sectors. If cyber operations were used for more overtly disruptive purposes, effects would likely be more pronounced in states with weaker cybersecurity maturity or slower coordinated response mechanisms, such as fragmented local-government IT environments or limited national incident response surge capacity. This does not preclude activity against major NATO states, where Russian cyber operations have historically focused more heavily on intelligence collection and access. BlueDelta’s targeting of NATO-aligned and defense-related organizations reflects continued Russian interest in strategically valuable European targets aligned with GRU intelligence requirements.

Observed Russian cyber activity also provides insight into how operations could escalate if strategic conditions were to change and Russia were to launch a full-scale NGW campaign. Russian threat actors have demonstrated the ability to establish and maintain access over time, including through persistent connections and tunneling, which could be repurposed to degrade remote access services, manipulate edge-device configurations, or cause temporary service disruption. In Ukraine, cyber activity has been observed alongside influence operations and physical sabotage, including Recorded Future–tracked influence campaigns such as CopyCop, which leveraged automated content replication and spoofed media infrastructure to amplify pro-Russian narratives in parallel with other forms of hybrid activity. If applied elsewhere, similar coordination could increase pressure on incident response capabilities and undermine public confidence in the reliability of essential services. Credential-harvesting operations further provide pathways beyond inbox access, including potential compromise of identity providers, VPN portals, and privileged administrative portals.

Russian cyber operations have historically involved establishing and maintaining access to targeted networks over extended periods, a pattern also documented in prior campaigns in Ukraine. However, there is no public evidence demonstrating that the access currently observed in European networks is intended for future disruptive operations. If a kinetic conflict were to escalate in Europe, Russia would likely seek to expand or prioritize access within relevant networks to support intelligence collection, operational coordination, or potential disruption. Russia also has a documented history of tolerating or leveraging cybercriminal activity alongside state-directed operations, including overlap with criminal infrastructure and access brokers, which may allow operators to expand scale, complicate attribution, and generate disruptive effects without overtly exposing state-linked capabilities. Collectively, activity associated with BlueAlpha, BlueDelta, BlueEcho, Sandworm, and Dragonfly illustrates Russia’s ability to scale cyber operations from access and intelligence collection toward disruption if strategic conditions were to change, consistent with broader hybrid and New Generation Warfare practices.

Exploitation of European Dependence on Russian Oil and Natural Gas

Russia has long exploited other states’ dependence on its natural gas and oil to exercise leverage over them, typically by strategically decreasing supply flows, particularly during high-demand periods, such as winter. For example, in 2006, Georgia accused Russia of intentionally cutting gas supplies during an unusually cold period to increase political pressure on Tbilisi. In the run-up to Russia’s full-scale invasion of Ukraine in February 2022, Russian state gas company Gazprom reduced natural gas deliveries to Europe, likely in an effort to pressure Europe into abandoning a unified stance on supporting Ukraine.

Since 2022, many NATO states have sought to reduce their dependence on Russian natural gas and oil; however, several states remain dependent, including Slovakia, Hungary, and Türkiye. In a full-scale New Generation Warfare campaign in Europe, Russia would very likely escalate its exploitation of those states’ dependence on Russian energy imports to demonstrate Moscow’s ability to degrade European critical infrastructure, undermine NATO unity, gauge the resilience of these states’ critical infrastructure, and test Russia’s ability to handicap critical infrastructure, should Putin decide to launch a military incursion into NATO territory.

Moscow’s willingness to exploit these states’ dependence on Russian energy likely varies by state. Moscow is less likely to exploit Hungary’s dependence on Russian oil and gas, given Budapest’s strong relations with Russia. Slovakia is a more likely target, as it seeks a positive relationship with Moscow, but is likely of less strategic importance to Russia than Hungary. Moscow’s relations with Türkiye have fluctuated between positive and adversarial; the likelihood of exploiting Türkiye’s dependence on Russian energy imports would likely depend, in part, on how positive the overall Russia-Türkiye relationship is at that time.

Escalation of economic critical infrastructure targeting would likely take the form of both more frequent and more geographically broad operations, particularly during high-demand periods such as the winter and perhaps during NATO military exercises or elections. Russia could also escalate its use of pricing manipulation to punish states that work against Russia’s strategic priorities in Ukraine, and reward pro-Russia states such as Hungary.

Russia would also likely combine supply cuts with sabotage operations. For example, in 2006, Moscow cut gas supplies in Georgia at the same time it sabotaged an electricity line. Following a successful operation, pro-Russia propaganda outlets would likely amplify narratives that claim European critical infrastructure is weak and vulnerable, and that this demonstrates the inadequacy of democracy and the Western political system writ large at fulfilling basic public needs.

In a New Generation Warfare campaign against Europe, Russia would be unlikely to seek permanent damage to European critical infrastructure or mass civilian harm from disruption of energy flows. Russia would also likely avoid long-term disruption of oil and gas deliveries to limit the financial impact, since oil and gas revenues comprise roughly 25% of Russia’s annual federal revenue.

Indicators of NGW Campaign in Europe, Implications for Public and Private Sectors, and Recommended Mitigations

Tactic: Influence Operations

Indicators of NGW Campaign

• Increased convergence of narratives across propaganda outlets, including state media, inauthentic social media accounts, and so on
• Parallel narratives tailored to each country or region

Implications for Public and Private Sectors

• Public Sector: more pronounced political polarization; reduced public trust in government competence
• Private Sector: brand damage if firms are targeted in influence operation (IO) campaigns; employee or executive harassment or doxxing

Recommended Mitigations

• Ensure communication response protocols are in place, such as rapid rebuttal measures
• Ensure information environment monitoring is attuned to Russia-nexus narratives so inauthentic behavior can be detected quickly

Tactic: Airspace Incursions by Drones and Jets

Indicators of an NGW Campaign

• More frequent incursions that last longer and target strategic sites such as military training grounds, critical infrastructure nodes, and so on
• Incursions are conducted at lower altitudes, with transponders turned off
• Violations are clustered around NATO decisions or major military exercises

Implications for Public and Private Sectors

• Public: forced closures of critical infrastructure sites during airspace violations, thereby disrupting operations, as well as likely escalation of public alarm and potential decrease in public confidence in the government’s ability to keep critical infrastructure safe
• Private: business operation disruptions due to critical infrastructure closures

Recommended Mitigations

• Strengthen counter-measures against unmanned aircraft systems (UASs) around critical sites
• Ensure joint civil-military air incident protocols are in place, including aviation alerts and Notice to Airmen (NOTAM) coordination
• Improve GPS resilience

Tactic: Territorial Waters Violations and Targeting of Undersea Cables

Indicators of an NGW Campaign

• More frequent territorial waters violations
• Violations by state-linked vessels
• Non-compliance with escort or hails; risky maneuvering around NATO state vessels, perhaps to provoke potential collisions
• Increased loitering of suspicious vessels near cable routes and landing areas
• Repeated “anchor drag” incidents
• Interference with repair ships
• Simultaneous cyber activity against telecommunications and energy operators

Implications for Public and Private Sectors

• Public: intermittent communications degradation; potential harm to energy infrastructure
• Private: major potential operational losses for telecommunications, finance, and other key sectors; potential increases in insurance costs for shipping companies, should territorial waters violations at ports become common

Recommended Mitigations

• Consider mapping alternative sea routes in case primary routes are disrupted; consider rapid reroute contracts
• Ensure sufficient port and state coordination
• Ensure physical hardening at cable landing sites
• Expand Baltic Sentry efforts to other locations

Tactic: Sabotage Operations

Indicators of an NGW Campaign

• More frequent operations, including arson, vandalism, explosions, and rail disruptions
• Targeting of high-priority sites, such as military logistics hubs, defense suppliers, and so on
• Targeting of civilian sites, such as shopping malls or residential neighborhoods
• Concurrent operations in multiple geographic regions, suggesting intentional planning
• Combined sabotage operations and airspace or territorial waters violations

Implications for Public and Private Sectors

• Public: potential reduction in public confidence in government’s ability to protect critical infrastructure and residential areas; in the event of significant escalation in sabotage operations, emergency services could be strained
• Private: facility damage or loss; threat to worker safety; supply chain interruption; business interruption; reputational liability

Recommended Mitigations

• Expand insider threat and contractor vetting at critical infrastructure sites
• Ensure physical security measures are in place, including perimeter detection, anti-drone measures, camera coverage, and access control
• Enhance public-private partnerships, as most of the critical infrastructure NATO relies upon is commercially owned
• Ensure rapid liaison channels with law enforcement and intelligence services

Tactic: Offensive Cyber Operations

Indicators of an NGW Campaign

• Campaigns that target strategic pressure points, such as logistics and transportation hubs, defense supply chains, and local government entities
• Intrusion and distributed denial-of-service (DDoS) activity spikes at politically significant moments, including elections, military exercises, or geopolitical summits
• Campaigns that blend state and proxy activity, such as hacktivist DDoS campaigns that amplify Kremlin-aligned narratives
• Coupling of multiple tactics, such as cyber and influence operation hybrid campaigns

Implications for Public and Private Sectors

• Public: DDoS and ransomware campaigns can undermine public confidence in the reliability of institutions; compromise of government narratives can result in less public confidence in the truth of government messaging; even attempted election manipulation can reduce confidence in voting systems
• Private: elevated risk of disruption of key logistics, transport, rail, and aviation systems; hack and leak operations pose risk to reputation, personally identifiable information, and intellectual property rights; targeting of critical infrastructure can result in operational disruption

Recommended Mitigations

• Enforce phishing-resistant multi-factor authentication
• Implement conditional network access based on geopolitical and risk factors
• Patch for commonly exploited software
• Reduce exposure (lock down admin portals; restrict by IP address; remove unused services)
• Use DDoS protection, autoscaling
• Coordinate with the national computer emergency response team (CERT) and National Counterintelligence and Security Center (NCSC), as well as upstream providers; rehearse continuity plans
• Require multi-factor authentication (MFA) and logging parity from third-party providers; segment privileged access; monitor for abnormal remote management activity

Tactic: Leveraging Economic Dependence

Indicators of an NGW Campaign

• Supply manipulation, including threats or actions to raise price volatility
• Exploitation of legal measures, including sudden contract disputes or claims of force majeure
• More frequent cessation of oil and gas supplies, especially during high-demand periods such as winter

Implications for Public and Private Sectors

• Public: higher energy bills and supply disruption, potentially leading to public dissatisfaction
• Private: price shocks, supply uncertainty, costs related to resolving alleged contract disputes

Recommended Mitigations

• Diversify suppliers and routes
• Ensure on-site backup generation where feasible

Insikt Group has observed continued trends of growth and increased activity of threat actors leveraging and exploiting cloud infrastructure to broaden the number of victims they target and infect. Recent reporting across the observed incidents shows that cloud-focused threats are converging on a few consistent patterns, which serve as the main sections of this report:

• Exploitation and Misconfiguration
• Cloud Abuse
• Cloud Ransomware
• Credential Abuse, Account Takeover, and Unauthorized Access
• Third-Party Compromise

Across cases, initial access frequently comes from vulnerable or misconfigured services exposed to the internet — including application delivery controllers, monitoring dashboards, email security gateways, and enterprise resource planning (ERP) platforms — as well as stolen or weakly governed credentials sourced from public leaks, compromised developer workstations, and socially engineered helpdesk workflows. Once inside a targeted environment, threat actors systematically pivot through hybrid identity and virtual private network (VPN) infrastructure, targeting directory-synchronized accounts, non-human and executive identities, and privileged cloud roles to gain tenant-wide administrative control.

Post-compromise activity is characterized by heavy use of built-in cloud and SaaS functionality: enumerating and exfiltrating data via native storage and backup services, destroying or encrypting cloud backups and snapshots for impact, manipulating static frontends and continuous integration/continuous deployment (CI/CD) pipelines to subvert trust in applications and repositories, and using mainstream platforms such as calendar services as covert command-and-control (C2) channels.

In comparison to its previous iteration, the majority of the events discussed in this report indicate that threat actors are engaging in similar threat behaviors; however, there are three specific trends that appear to have emerged since the most recent iteration:

• Cloud threat actors are registering their own legitimate cloud resources for use in attack chains.
• DDOS attacks are becoming less effective when targeting cloud environments, even in instances of record-breaking throughput, due to increased cloud-native capabilities for mitigating these threats.
• Cloud threat actors are increasingly diversifying the types of services that they target in victim environments during an attack chain, with a notable focus on LLM and other AI-powered services hosted in cloud environments.

The trends associated with abuse indicate a shift in threat actor perception, demonstrating that threat actors are exploring the broader benefits that compromised cloud services can provide.

Download Cloud Threat Landscape: Executive Insights

Insikt Group has been monitoring GrayCharlie, a threat actor overlapping with SmartApeSG and active since mid-2023, for some time, and is now publishing its first report on the group. GrayCharlie compromises WordPress sites and injects them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix mechanisms. These infections often progress to the deployment of Stealc and SectopRAT. Insikt Group identified a large amount of infrastructure linked to GrayCharlie, primarily tied to MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, both actor-controlled and compromised staging infrastructure, and higher-tier infrastructure used to administer operations. While most compromised websites appear to be opportunistic and span numerous industries, Insikt Group identified a cluster of United States (US) law firm sites that were likely compromised around November 2025, possibly through a supply-chain compromise involving a shared IT provider.

To protect against GrayCharlie, security defenders should block IP addresses and domains tied to associated remote access trojans (RATs) and infostealers, flag and potentially block connections to compromised websites, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections. Other controls include implementing email filtering and data exfiltration monitoring. See the Mitigations section of this report for implementation guidance and Appendix A for a complete list of indicators of compromise (IoCs).

Key Findings

• GrayCharlie, which overlaps with SmartApeSG and first emerged in mid-2023, is a threat actor that injects links to externally hosted JavaScript into compromised WordPress sites. These links redirect victims to NetSupport RAT infections delivered via fake browser update pages or ClickFix techniques, ultimately resulting in Stealc and SectopRAT infections.
• Insikt Group identified a wide range of GrayCharlie infrastructure, largely associated with MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, staging infrastructure made up of both actor-controlled and compromised infrastructure, as well as components of GrayCharlie’s higher-tier infrastructure used to manage its operations.
• Insikt Group identified two primary attack chains associated with GrayCharlie: one in which victims encounter fake browser update pages after visiting compromised websites, and another in which they are presented with a ClickFix pop-up, a technique that has become increasingly common in 2025.

Background

GrayCharlie is Insikt Group’s designation for a threat activity group that first appeared in mid-2023 and is behind SmartApeSG, also referred to as ZPHP or HANEYMANEY. The group’s operations typically involve injecting malicious JavaScript into legitimate but compromised WordPress sites. Visitors to these sites are shown convincing, browser-specific fake update prompts (such as for Chrome, Edge, or Firefox) that encourage them to download what appears to be an update but is actually malware.

In late March or early April 2025, SmartApeSG shifted from using fake browser updates to deploying ClickFix lures, mirroring a broader trend among threat actors of increasingly adopting ClickFix.

GrayCharlie predominantly delivers NetSupport RAT; however, deployments of Stealc and, more recently, SectopRAT, have been observed in rare instances. The group’s ultimate objectives remain uncertain. Current evidence suggests a focus on data theft and financial gain, with a theoretical, but unsubstantiated, possibility that it may sell or transfer access to other threat actors.

Threat Analysis

Insikt Group has been tracking GrayCharlie for an extended period and has observed the actor’s persistent behavior since its emergence in 2023. GrayCharlie continues to conduct the same types of operations, regularly deploying large volumes of new infrastructure and adhering to consistent tactics, techniques, and procedures (TTPs), including continued use of the same infection chains and NetSupport RAT payloads. The group targets organizations worldwide, with a particular focus on the US. The following sections provide a detailed examination of GrayCharlie’s operational infrastructure and its two primary attack chains.

Infrastructure Analysis

NetSupport RAT Clusters

Insikt Group identified two main NetSupport RAT clusters linked to GrayCharlie based on factors such as TLS certificates, NetSupport serial numbers and license keys, and the timing of the activity (see Figure 1). In addition, Insikt Group identified a range of other NetSupport RAT C2 servers linked to GrayCharlie activity, but which are not currently attributed to either of the two main clusters. Insikt Group assesses that these clusters may correspond either to different individuals associated with GrayCharlie or to distinct GrayCharlie campaigns. The clusters are further described below.

Figure 1: Overview of GrayCharlie clusters observed in 2025 (Source: Recorded Future)

Cluster 1

Cluster 1 comprises NetSupport RAT C2 servers whose TLS certificates display a recurring monthly naming pattern. All servers in this cluster are hosted by MivoCloud and were deployed between March and August 2025. Notably, NetSupport RAT samples associated with the cluster’s March and April infrastructure used the license key DCVTTTUUEEW23 and serial number NSM896597, before shifting to the license key EVALUSION and serial number NSM165348 in subsequent deployments. The C2 servers associated with this cluster are listed in Table 1.

Table 1: NetSupport RAT C2 servers linked to Cluster 1 (Source: Recorded Future)

Notably, the NetSupport RAT C2 servers in Cluster 1 are connected not only through the characteristics previously described, but also by the near-simultaneous creation of their TLS certificates. For example, the TLS certificate with the common name june5ebatquot associated with IP address 94[.]158[.]245[.]135 was generated on June 30, 2025 at 4:55:20 PM, while the certificate with the common name june6 linked to 94[.]158[.]245[.]174 was created only 20 seconds later.

Cluster 2

Cluster 2 comprises NetSupport RAT command-and-control servers whose TLS certificates typically start with two or more repetitions of “s”, followed by an “i” and a number (so “sssi3”, for example). NetSupport RAT samples linked to Cluster 2 used the license key XMLCTL and serial number NSM303008. The NetSupport RAT C2 servers typically also host an instance of the vulnerability scanner Acunetix. The C2 servers associated with this cluster are listed in Table 2. Notably, all TLS certificates associated with this cluster were created in a single batch on June 17, 2025.

Table 2: NetSupport RAT C2 servers linked to Cluster 2 (Source: Recorded Future)

Of note, one NetSupport RAT C2 server (94[.]158[.]245[.]56) used a TLS certificate with the common name 23sss, created in May 2025, and was linked to a NetSupport RAT sample that carried the same license key (EVALUSION) and serial number (NSM165348) previously observed in Cluster 1.

Other NetSupport RAT C2 Servers

Insikt Group identified an additional set of NetSupport RAT C2 servers linked to GrayCharlie that did not form a distinct cluster (see Table 3). However, all the servers were hosted by MivoCloud and were associated with NetSupport RAT samples using license key and serial number combinations observed in Clusters 1 and 2.

Table 3: Additional NetSupport RAT C2 servers linked to GrayBravo (Source: Recorded Future)

Staging Infrastructure

Once GrayCharlie victims land on the compromised WordPress sites, thereby satisfying the conditional logic, the payload is typically fetched from the attacker-controlled infrastructure and injected into the compromised WordPress sites. Insikt Group has identified two distinct types of staging infrastructure, each characterized by different website templates. Type 1 is modeled after “Wiser University,” and Type 2 is modeled after “Activitar.”

Type 1: “Wiser University”

The IP addresses associated with the Type 1 staging infrastructure are linked to websites impersonating “Wiser University” (see Figure 2), a fictional entity used to demonstrate Wiser, a free Bootstrap HTML5 education website template for school, college, and university websites. (As a sidenote, Oreshnik is the name of a Russian intermediate-range ballistic missile reportedly capable of speeds exceeding Mach 10.) Appendix B lists the IP addresses associated with the Type 1 staging infrastructure. All IP addresses, except for one, are announced by AS202015 (HZ Hosting Ltd).

Figure 2: Website impersonating “Wiser University” (Source: Recorded Future)

Suspected Testing Infrastructure

Although most IP addresses associated with the Type 1 staging infrastructure are announced by AS202015, as shown in Appendix B, Insikt Group also identified a small subset announced by other ASNs that host the same websites (see Table 4). On average, approximately one such IP address appears to be established each month. Notably, most of these IP addresses appear to geolocate to Russia, and the same ASNs are consistently reused within the same timeframe.

Table 4: Additional infrastructure possibly linked to GrayCharlie (Source: Recorded Future)

Type 2: “Activitar”

Insikt Group identified an additional set of staging infrastructure, referred to as “Type 2.” The IP addresses in this cluster commonly host specific websites (see Figure 3). Insikt Group assesses that this template was sourced elsewhere and is not unique to GrayCharlie.

Figure 3: Website impersonating “Activitar” (Source: Recorded Future)

A subset of domains and IP addresses associated with Type 2 is presented in Table 5. Notably, most of the IP addresses are also announced by AS202015 (HZ Hosting Ltd), and one domain in Table 5, filmlerzltyazilimsx[.]shop, is linked to the email address oreshnik[@]mailum[.]com through its WHOIS record.

Table 5: Domains and IP addresses linked to Type 2 staging infrastructure (Source: Recorded Future)

Compromised Infrastructure

GrayCharlie commonly injects malicious scripts into the Document Object Model (DOM) of compromised WordPress sites using script tags. Insikt Group has identified several recurring URL patterns tied to this activity: some URLs load externally hosted JavaScript files (such as hxxps://joiner[.]best/work/original[.]js), while others call a PHP file on specific endpoints using an ID parameter (such as hxxps://signaturepl[.]com/work/index[.]php?abje2LAw). Notably, these URLs are updated over time by the threat actor, complicating detection and indicating the threat actor maintains ongoing access to a large pool of compromised WordPress installations. Appendix A lists a subset of WordPress websites infected by GrayCharlie.

Although the exact initial access vector is unknown, it is likely that the actors either purchase access, such as via malware logs containing WordPress admin credentials, or exploit vulnerable WordPress plugins. The latter remains the most frequent cause of all WordPress compromises.

Suspected Compromise of “Law Firm Acceleration Company” SMB Team

While the GrayCharlie-linked compromised WordPress sites span a wide range of industry verticals, in a few rare instances, the threat actors appear to have obtained, either through their own intrusions or via a third party, a more targeted set of WordPress domains. Specifically, at least fifteen websites belonging to US law firms were observed loading the external JavaScript hosted at hxxps://persistancejs[.]store/work/original[.]js (see Table 6).

Insikt Group assesses that GrayCharlie (or the third party GrayCharlie works with) likely compromised these websites through a supply-chain vector. One potential avenue is SMB Team, the self-described “fastest-growing law firm acceleration company,” which has supported thousands of firms across North America, according to its website, as its logo and other references appear across many of the websites listed in Table 6 (see Figure 4). Notably, credentials associated with an SMB Team email address used for a WordPress hosting platform surfaced around the same time that the domain persistancejs[.]store first began resolving. This temporal overlap suggests that the threat actors may have gained access to SMB Team-related infrastructure through the use of legitimate, compromised credentials.

Table 6: Compromised law firm websites linked to GrayCharlie (Source: Recorded Future)

Notably, while an SMB Team compromise is possible, Insikt Group also assesses that the actors may have exploited a specific version of WordPress or its plugins used by SMB Team, which could explain the simultaneous compromise of all affected websites.

In some instances, the same compromised WordPress sites are compromised by multiple threat actors simultaneously. For example, bianchilawgroup[.]com was also breached by TAG-124 (also known as LandUpdate808 or Kongtuke) since at least December 2025, which used the domain vimsltd[.]com.

Higher-Tier Analysis

GrayCharlie administers its staging infrastructure primarily over SSH, though other ports are used intermittently. The group manages its NetSupport RAT C2 servers over TCP port 443. Overall, Insikt Group assesses that GrayCharlie relies extensively on proxy services to administer its infrastructure. Additionally, based on presumed browsing activity from higher-tier servers, at least some individuals linked to GrayCharlie are assessed to be Russian-speaking.

Attack-Chain Analysis

GrayCharlie has been observed using two different attack chains to deliver NetSupport RAT. The first chain uses compromised websites to distribute a fake browser update that triggers the retrieval and installation of a script-based payload; the second chain uses compromised WordPress sites and a ClickFix-style lure that copies a command to fetch and install the RAT. Both culminate in NetSupport execution from %AppData%, Registry Run key persistence, and C2 connectivity; the technical details are expanded below.

Attack Chain 1: Fake Browser Update Leading to NetSupport RAT

According to public reporting, when GrayCharlie first became active in mid-2023, it relied on fake browser updates to deliver the NetSupport RAT. Although the group later shifted to the ClickFix technique, Insikt Group observed a return to fake browser updates as early as October 12, 2025. Figure 5 provides an overview of Attack Chain 1.

Figure 5: Attack Chain 1 (Source: Recorded Future)

1. Website compromise and lure delivery. Threat actors modify legitimate sites to load malicious scripts that render a browser-specific “update” prompt. Selecting the prompt initiates download of a ZIP “update” package containing a primary JavaScript file alongside decoy .dat files.
2. User-executed JavaScript loader. The victim manually runs the .js script. The script mimics a benign browser component to reduce suspicion while silently initiating the next stage of the attack.
3. PowerShell staging via WScript. The JavaScript launches wscript.exe, which spawns powershell.exe. PowerShell reaches out to a remote host to fetch an obfuscated JavaScript containing encoded tasking.
4. Secondary payload retrieval. PowerShell decodes instructions and downloads the actual payload ZIP archive. This archive contains a complete NetSupport RAT client set, including client32.exe and required DLLs.
5. File deployment and execution. The archive is extracted under the user profile (for example, %AppData%\Roaming\...). client32.exe is started in the background to minimize visible indicators to the user.
6. Persistence establishment. A Windows Run registry key is created to automatically launch client32.exe at logon, ensuring the NetSupport RAT remains active after reboots without requiring further user interaction.
7. C2 readiness. With the NetSupport RAT client running on the infected host, the endpoint is prepared to establish command-and-control connectivity with the attacker's infrastructure.

Attack Chain 2: WordPress Redirects and ClickFix Leading to NetSupport RAT

As early as April 2025, GrayCharlie began using ClickFix as a secondary attack chain, consistent with industry reporting that many threat actors have adopted ClickFix techniques due to their effectiveness. Figure 6 provides an overview of Attack Chain 2.

Figure 6: Attack Chain 2 (Source: Recorded Future)

1. Initial delivery and redirection. Phishing emails, malicious PDFs, or links on gaming sites direct users to compromised WordPress pages that embed attacker JavaScript.
2. Background script and profiling. A background script loads when the site is visited, injects an iframe, and profiles the environment (such as the operating system and browser) to deliver the next stage.
3. ClickFix fake CAPTCHA. The page presents a fake CAPTCHA that quietly copies a malicious command to the user’s clipboard and instructs them to paste it into the Windows Run dialog (Win+R), turning social engineering into user-assisted execution (see Figure 7).

Figure 7: Fake Captcha (Source: Elastic)

1. Command-driven staging. The pasted command retrieves a batch file that downloads a ZIP containing NetSupport RAT and uses PowerShell to extract it into %AppData%\Roaming\ (see Figure 8).

Figure 8: PowerShell command (Source: Cybereason)

1. NetSupport RAT launch and persistence. The batch file starts client32.exe and sets a Run registry key to automatically relaunch the NetSupport RAT client at startup, establishing persistence on the endpoint.
2. Remote access and follow-on actions. Once connected to C2, operators can interact with the system, perform reconnaissance (for example, domain group membership queries), transfer files, execute additional commands, and potentially move laterally using access acquired from the host.

Observed Operator Activity

In October 2025, Insikt Group detonated a NetSupport RAT sample (SHA256: 31804c48f9294c9fa7c165c89e487bfbebeda6daf3244ad30b93122bf933c79c) with the C2 server 5[.]181[.]156[.]234[:]443 linked to GrayCharlie within a controlled environment. Later that day, approximately three hours later, the threat actor connected using NetSupport RAT, compressed and moved two files, and then executed group and account reconnaissance commands. The same actor returned three days later and repeated the previously observed reconnaissance commands (see Figure 9).